Security+ Study Guide © 2003 certificationsuccess.com

Security+
Study Guide
© 2003 certificationsuccess.com
Compiled By:Kiran Gupta
kirang@nda.vsnl.net.in
www.v-netonline.com
Your Free Certification Portal
General Security Concepts
  COMMON THREATS
Access Control
  Logical access controls
  Common logical access controls implemented by operating systems
  Physical Access Controls
Authentication
  Kerberos
  Digital certificates
  Challenge Handshake Authentication Protocol (CHAP)
  Tokens
  Biometrics
Attacks
  Denial of Service Attack (DoS)
  Back Door
  Spoofing
  Man in the middle
  Birthday
  Social Engineering
  Password Guessing
Prevention from Attacks
  Patching
  Virus Detection
  Firewalls
  Password Crackers
  Encryption
  Vulnerability Scanners
  Configuring Hosts for Security
  War Dialing
  Security Advisories
  Intrusion Detection
  Network Discovery Tools and Port Scanners
  Incident Response Handling
  Security Policies
  Denial of Service Testing (for firewalls and Web servers)
Auditing
  Internal Controls Audit
  Security Checklists
  Penetration Testing
  Monitoring Types
  Review of System Logs
  Automated Tools
  Configuration Management/Managing Change
  Trade Literature/Publications/Electronic News
  Periodic Re-accreditation
Remote Access
  Secure Your Wireless Network
  802.1x Authentication
  Virtual private network (VPN) connections
  Point-to-Point Tunneling Protocol (PPTP)
  Layer Two Tunneling Protocol (L2TP)
  Remote Authentication Dial-In User Service (RADIUS)
  IP Security (IPSec)
  TACACS
  XTACACS
  TACACS+
Email
  S/MIME
  HOAXES
Web
  SSL/TLS
Vulnerabilities
  Vulnerable CGI programs
  Web server attacks
  Web browser attacks
  Global file sharing
  User IDs, especially root/administrator, with no passwords or weak passwords
  IMAP and POP buffer overflow vulnerabilities or incorrect configuration
  Default SNMP community strings set to ‘public’ and ‘private’
File Transfer
  Active FTP
  Passive FTP
IP spoofing
TCP sequence number prediction
DNS poisoning through sequence prediction
Packet sniffing
Virtual LANs
  Benefits of VLANs
  Basic models of VLAN
Network Address Translation (NAT)
  Internet Connection Sharing & NAT
Network intrusion detection system (NIDS)
  Network intrusion detection systems (NIDS)
  System integrity verifiers (SIV)
  Log file monitors (LFM)
  Physical Intrusion
  System Intrusion
  Remote Intrusion
  How are intrusions detected
  Honeypots
Hardening
  Security through Obscurity
  Hardening Requires Making Choices
CRYPTOGRAPHY
  Basic Cryptographic Technologies
  Key Escrow
  Uses of Cryptography
  Electronic Signature
PKI
  Creation of a certificate
  Certificate Enrollment
Physical Security
  Physical Access Controls
  Fire Safety Factors
  Failure of Supporting Utilities
  Structural Collapse
  Plumbing Leaks
  Interception of Data
  Mobile and Portable Systems
  Interdependencies
  Cost Considerations
CONTINGENCIES AND DISASTERS
Forensics
  Computer Time and Date Settings
  Hard Disk Partitions
  Operating System and Version
  Data and Operating System Integrity
  Computer Virus Evaluation
  File Catalog
  Software Licensing
  Retention of Software, Input Files and Output Files
COMPUTER SECURITY RISK MANAGEMENT
  Risk Assessment
  Risk Mitigation
AWARENESS, TRAINING, AND EDUCATION
General Security Concepts
COMMON THREATS
Computer systems are vulnerable to many threats that can inflict various types of damage resulting in
significant losses. This damage can range from errors harming database integrity to fires destroying
entire computer centers. Losses can stem, for example, from the actions of supposedly trusted
employees defrauding a system, from outside hackers, or from careless data entry clerks. Precision in
estimating computer security-related losses is not possible because many losses are never discovered,
and others are "swept under the carpet" to avoid unfavorable publicity. The effect of various threats
varies considerably: some affect the confidentiality or integrity of data while others affect the
availability of a system.
Errors and Omissions
Errors and omissions are an important threat to data and system integrity. These errors are caused not
only by data entry clerks processing hundreds of transactions per day, but also by all types of users
who create and edit data. Many programs, especially those designed by users for personal computers,
lack quality control measures. However, even the most sophisticated programs cannot detect all types
of input errors or omissions. A sound awareness and training program can help an organization reduce
the number and severity of errors and omissions. Users, data entry clerks, system operators, and
programmers frequently make errors that contribute directly or indirectly to security problems. In some
cases, the error is the threat, such as a data entry error or a programming error that crashes a system. In
other cases, the errors make the system vulnerable.
Fraud and Theft
Computer systems can be exploited for fraud and theft, both by "automating" traditional methods
of fraud and by using new methods. For example, individuals may use a computer to skim small
amounts of money from a large number of financial accounts, assuming that small discrepancies may
not be investigated. Financial systems are not the only ones at risk. Systems that control access to any
resource are targets (e.g., time and attendance systems, inventory systems, school grading systems, and
long-distance telephone systems). Computer fraud and theft can be committed by insiders or outsiders;
insiders, that is, authorized users of a system, are responsible for the majority of fraud.
Employee Sabotage
Employees are most familiar with their employer's computers and applications, including knowing
what actions might cause the most damage, mischief, or sabotage. The downsizing of organizations in
both the public and private sectors has created a group of individuals with organizational knowledge,
who may retain system access if their accounts are not disabled in a timely manner. The
number of incidents of employee sabotage is believed to be much smaller than the instances of theft,
but the cost of such incidents can be quite high.
Hackers and crackers
The term malicious hacker, sometimes called cracker, refers to someone who breaks into computers
without authorization; such people can be outsiders or insiders. The distinction usually drawn
between a hacker and a cracker is as follows.
A hacker is a person intensely interested in the arcane and recondite workings of any computer
operating system. Most often, hackers are programmers. As such, hackers obtain advanced knowledge
of operating systems and programming languages. They may know of holes within systems and the
reasons for such holes. Hackers constantly seek further knowledge, freely share what they have
discovered, and never, ever intentionally damage data.
A cracker is a person who breaks into or otherwise violates the system integrity of remote machines,
with malicious intent. Crackers, having gained unauthorized access, destroy vital data, deny legitimate
users service, or basically cause problems for their targets.
Industrial Espionage
Industrial espionage is the act of gathering proprietary data from private companies or the government
for the purpose of aiding another company/companies. Industrial espionage can be perpetrated either
by companies seeking to improve their competitive advantage or by governments seeking to aid their
domestic industries. Foreign industrial espionage carried out by a government is often referred to as
economic espionage. Since information is processed and stored on computer systems, computer
security can help protect against such threats; it can do little, however, to reduce the threat of
authorized employees selling that information.
Malicious Code
Malicious code refers to viruses, worms, Trojan horses, logic bombs, and other uninvited software.
Malicious Software: A Few Key Terms
Virus
A code segment that replicates by attaching copies of itself to existing executables. The new copy of
the virus is executed when a user executes the new host program. The virus may include an additional
"payload" that triggers when specific conditions are met. For example, some viruses display a text
string on a particular date. There are many types of viruses, including variants, overwriting, resident,
stealth, and polymorphic.
Trojan Horse
A program that performs a desired task but also includes unexpected (and undesirable) functions.
For example, an editing program on a multiuser system could be modified to delete one of the user's
files at random each time it performs its useful function (editing); the editing is expected, the
deletions are not.
Worm
A self-replicating program that is self-contained and does not require a host program. The program
creates a copy of itself and causes it to execute; no user intervention is required. Worms commonly use
network services to propagate to other host systems.
Access Control
Access is the ability to do something with a computer resource (e.g., use, change, or view). Access
control is the means by which the ability is explicitly enabled or restricted in some way (usually
through physical and system-based controls).
Logical access controls
Computer-based access controls are called logical access controls. Logical access controls can
prescribe not only who or what is to have access to a specific system resource but also the type of
access that is permitted. These controls may be built into the operating system, may be incorporated
into applications programs or major utilities (e.g., database management systems or communications
systems), or may be implemented through add-on security packages. Logical access controls may be
implemented internally on the computer system being protected or may be implemented through
external devices.
Logical access controls can help protect
1. Operating systems and other system software from unauthorized modification or manipulation
(and thereby help ensure the system's integrity and availability).
2. The integrity and availability of information by restricting the number of users and processes
with access.
3. Confidential information from being disclosed to unauthorized individuals.
Common logical access controls implemented by operating systems are
Mandatory access control (MAC) - Under MAC the system, not the owner of a resource, decides who may
access it. Every subject (user or process) carries a clearance and every object carries a classification
label, and the operating system enforces a fixed rule over them, for example that a subject may not read
an object classified above its clearance. Users cannot grant away access to data they can read, which is
why MAC is used in government and military systems that handle classified material. (Do not confuse
this MAC with a Message Authentication Code, a keyed hash computed over a block of data with a shared
secret to protect its integrity; the two share an acronym and nothing else.)
Discretionary access control (DAC) - Under DAC the owner of a file or resource decides which users may
access it and how; Unix file permissions and the access control lists of the Windows NT security model
are DAC. For example, if only a small portion of your staff needs Microsoft Excel, the owner or
administrator can deny access to everyone else. Implementations differ in granularity: some offer only
coarse control (one system might allow an administrator to block access only to whole directories or
partitions), which is hard to use on large networks where one directory may hold applications or
resources that other programs need in order to execute. The weakness of DAC is that any user who can
read data can also grant others access to it, or copy it somewhere less protected.
Role based access control (RBAC) - Under RBAC permissions are attached to roles, and users obtain
permissions by being assigned roles that reflect their job in the organization. RBAC supports separation
of duties, because administering roles and exercising them can be kept apart. A role brings together a
collection of users and a collection of permissions, and both collections change over time; the user's
permissions follow the role, so a change of job is handled by changing role membership rather than by
editing every resource. The process of defining roles should be based on a thorough analysis of how an
organization operates and should include input from a wide spectrum of users in the organization.
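The three models above, as an added example that is not part of this guide: a small policy engine in Python that answers the same access question under DAC, MAC and RBAC. The users, objects, labels and roles are invented for illustration. The MAC part implements the Bell-LaPadula rules (read down, write up), which the guide does not name but which are the standard instance of mandatory control.

```python
"""Added example for this guide: DAC, MAC and RBAC side by side.
Illustrative code, not taken from any operating system; all names are made up."""
from dataclasses import dataclass, field


# ---- Discretionary Access Control: the owner of an object decides -----------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions


def dac_grant(obj, requester, user, perms):
    """Only the owner may change the ACL; that is the discretionary part."""
    if requester != obj.owner:
        raise PermissionError(f"{requester} is not the owner of this object")
    obj.acl.setdefault(user, set()).update(perms)


def dac_allowed(obj, user, perm):
    return user == obj.owner or perm in obj.acl.get(user, set())


# ---- Mandatory Access Control: the system enforces fixed labels ------------
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


def mac_allowed(clearance, classification, perm):
    """Bell-LaPadula: a subject may read objects at or below its clearance
    (no read up) and write objects at or above it (no write down).
    Neither the subject nor the owner can change these labels."""
    c, o = LEVELS[clearance], LEVELS[classification]
    if perm == "read":
        return c >= o
    if perm == "write":
        return c <= o
    raise ValueError(f"unknown permission {perm!r}")


# ---- Role-Based Access Control: permissions attach to roles, users to roles --
ROLE_PERMS = {
    "payroll_clerk": {("salaries", "read"), ("salaries", "write")},
    "auditor":       {("salaries", "read"), ("audit_log", "read")},
}
USER_ROLES = {"alice": {"payroll_clerk"}, "bob": {"auditor"}}   # made-up users


def rbac_allowed(user, obj, perm):
    return any((obj, perm) in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))


def demo():
    """Run one constructed scenario under each model and return the answers."""
    results = {}
    report = DacObject(owner="alice")
    dac_grant(report, "alice", "bob", {"read"})          # owner grants bob read
    results["dac_bob_read"] = dac_allowed(report, "bob", "read")
    results["dac_bob_write"] = dac_allowed(report, "bob", "write")
    try:
        dac_grant(report, "bob", "carol", {"read"})      # bob is not the owner
        results["dac_bob_can_grant"] = True
    except PermissionError:
        results["dac_bob_can_grant"] = False
    results["mac_conf_reads_secret"] = mac_allowed("confidential", "secret", "read")
    results["mac_secret_reads_public"] = mac_allowed("secret", "public", "read")
    results["mac_secret_writes_public"] = mac_allowed("secret", "public", "write")
    results["rbac_alice_writes_salaries"] = rbac_allowed("alice", "salaries", "write")
    results["rbac_bob_writes_salaries"] = rbac_allowed("bob", "salaries", "write")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note where the decision lives in each model: with the object's owner (DAC), in the labels the system assigns and the user cannot touch (MAC), or in the role table an administrator maintains (RBAC). That is the distinction the exam is asking about, not the particular file or user.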
Physical Access Controls
Physical access controls restrict the entry and exit of personnel (and often equipment and media) from
an area, such as an office building, suite, data center, or room containing a LAN server. The controls
over physical access to the elements of a system can include controlled areas, barriers that isolate each
area, entry points in the barriers, and screening measures at each of the entry points. In addition, staff
members who work in a restricted area serve an important role in providing physical security, as they
can be trained to challenge people they do not recognize. Physical access controls should address not
only the area containing system hardware, but also locations of wiring used to connect elements of the
system, the electric power service, the air conditioning and heating plant, telephone and data lines,
backup media and source documents, and any other elements required for the system's operation. This
means that all the areas in the building(s) that contain system elements must be identified.
Authentication
Authentication is the process of verifying that the parties at both ends of a connection are, in fact,
who they claim to be. This applies not only to the entity trying to access a service but also to the entity
providing the service.
Kerberos
Kerberos is an authentication protocol designed to provide single sign-on across a heterogeneous
environment. It allows mutual authentication and encrypted communication between users and services,
with a trusted third party, the Key Distribution Center (KDC), holding a secret key for every user and
service. Unlike security tokens, however, Kerberos relies on each user to remember and maintain a
unique password, from which the user's key is derived.
When a user logs on to a local operating system, a local agent sends an authentication request to the
KDC. The KDC responds with a ticket-granting ticket (TGT) and a session key; the session key is
encrypted under the key derived from the user's password, so the password itself never crosses the
network. The local agent then tries to decrypt the reply using the user-supplied password. If the correct
password has been supplied, the user is validated and holds a TGT, which is later exchanged at the KDC
for service tickets that grant access to individual Kerberos-aware services. Each ticket comes with a
session key that the client and the service can use to encrypt their data session.
Once the user holds a TGT, no further password entry is required for any other Kerberos-aware servers
and applications: the tickets issued by the KDC carry the credentials needed to reach additional network
resources. Users must still remember a password, but only one, and it works for every system on the
network to which they have been granted access. Two practical consequences follow: the KDC is a
single point of trust and must be protected accordingly, and because tickets carry timestamps, all
participating hosts need their clocks kept in sync (by default within five minutes) or authentication fails.
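The logon flow just described, simulated end to end as an added example (this is illustrative code written for this guide, not MIT Kerberos or any real KDC). The realm, principal and password are made up, and the encryption is a toy construction from the standard library's hashlib and hmac so that the example runs offline; real Kerberos uses AES (or, in 2003, DES and RC4) with its own string-to-key function, for which PBKDF2 stands in here.

```python
"""Added example for this guide: the Kerberos AS exchange (logon) in miniature.
Not real Kerberos code; the sealing primitive below is a stand-in, not a real cipher."""
import hashlib
import hmac
import json
import os
import time


def user_key(password, realm, principal):
    """Long-term key derived from the password (assumption: PBKDF2 in place of
    Kerberos's own string-to-key function)."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))


def seal(key, data):
    """Toy authenticated encryption: XOR with a SHA-256 keystream, then an HMAC
    tag so that opening with the wrong key is detected rather than yielding junk."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed: wrong key or tampered ticket")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Authentication Server side of the KDC: holds every principal's key."""

    def __init__(self, realm):
        self.realm = realm
        self.keys = {}                       # principal -> long-term key
        self.tgs_key = os.urandom(32)        # key of krbtgt/REALM

    def register(self, principal, password):
        self.keys[principal] = user_key(password, self.realm, principal)

    def as_exchange(self, principal):
        """AS-REQ -> AS-REP. Returns the TGT (readable only by the TGS) and the
        session key sealed under the user's key. No password is checked here:
        a wrong password simply makes the reply undecryptable on the client."""
        if principal not in self.keys:
            raise KeyError("unknown principal")
        session_key = os.urandom(32)
        tgt = seal(self.tgs_key, json.dumps({
            "client": principal, "session_key": session_key.hex(),
            "expires": time.time() + 8 * 3600}).encode())
        enc_part = seal(self.keys[principal], json.dumps({
            "session_key": session_key.hex(), "tgs": "krbtgt/" + self.realm}).encode())
        return tgt, enc_part


def client_logon(kdc, principal, password):
    """The local agent: request a TGT, then open the reply with the key derived
    from the typed password. Raises ValueError on a wrong password."""
    tgt, enc_part = kdc.as_exchange(principal)
    creds = json.loads(unseal(user_key(password, kdc.realm, principal), enc_part))
    return {"tgt": tgt, "session_key": bytes.fromhex(creds["session_key"])}


def logon_succeeds(kdc, principal, password):
    try:
        client_logon(kdc, principal, password)
        return True
    except ValueError:
        return False


def client_can_read_tgt(session):
    """The client carries the TGT but cannot read it: it is sealed for the TGS."""
    try:
        unseal(session["session_key"], session["tgt"])
        return True
    except ValueError:
        return False


def tgt_client(kdc, tgt):
    """What the ticket-granting service does with a presented TGT."""
    return json.loads(unseal(kdc.tgs_key, tgt))["client"]


def build_realm():
    """Constructed sample realm with one made-up user."""
    kdc = KDC("EXAMPLE.COM")
    kdc.register("alice", "correct horse battery staple")
    return kdc


if __name__ == "__main__":
    kdc = build_realm()
    print("right password:", logon_succeeds(kdc, "alice", "correct horse battery staple"))
    print("wrong password:", logon_succeeds(kdc, "alice", "hunter2"))
```

Note what the KDC hands back: a TGT the client cannot open (it is sealed under the krbtgt key, and only the TGS reads it later) and a session key sealed under the user's key. The password check happens on the client, not the KDC, exactly as the text says. That is also why real deployments require pre-authentication: in the bare exchange above, anyone can request the reply for any principal and try passwords against it offline.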
Digital certificates
Digital certificates are electronic credentials that bind a public key to the identity of an entity on the
network. The entity can be a user, a computer, or a network device. Possession of a certificate and its
associated private key provides authentication and encryption services. The private key can be used to
create a digital signature, which anyone holding the matching public key can later verify to confirm that
the signature is authentic. Since only the holder of the private key can produce such a signature, this
provides a very strong method of authenticating an identity, provided the private key is kept secret. The
certificate itself is signed by a certification authority (CA); a certificate server provides this central point
of management for many public keys, so that every user does not have to maintain and manage copies of
every other user's public key. The relying party must still check that the certificate chains to a CA it
trusts and that it has not been revoked.
Challenge Handshake Authentication Protocol (CHAP)
In CHAP the server sends the client a random challenge. The client runs its password and the challenge
through a one-way hash function (MD5 in the original protocol) and returns the result. The server
identifies the user, obtains the password from the directory, performs the same hash over the challenge
and password, and compares. If the results match, the user is authenticated; the password itself never
crosses the link, and because the challenge changes every time, a captured response cannot simply be
replayed.
The cost is on the server side: CHAP requires that the user's password be stored in plaintext or in
reversibly encrypted form at the domain controller, because the server must be able to compute the same
hash the client computed. In Windows this is the "store password using reversible encryption" attribute;
when the attribute is enabled, the plaintext form is not actually stored until the user next changes the
password, so existing accounts cannot use CHAP until then.
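The exchange above, as an added example following RFC 1994's MD5-CHAP (illustrative code for this guide, not from any PPP or RADIUS implementation; the user name and secret are made up). It shows the response computed on both sides, that the secret never goes on the wire, why the server must hold the secret in a recoverable form, and that a captured response cannot be replayed.

```python
"""Added example for this guide: a CHAP challenge/response round trip (RFC 1994)."""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge).
    identifier is one byte; challenge is the server's random bytes."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapServer:
    """The authenticating side. It must hold each user's secret in a form it
    can recover, because it recomputes the client's hash from scratch; a
    one-way password hash would not do."""

    def __init__(self, user_db):
        self.user_db = user_db        # username -> plaintext secret
        self.pending = {}             # identifier -> outstanding challenge

    def challenge(self):
        identifier = os.urandom(1)[0]
        chal = os.urandom(16)
        self.pending[identifier] = chal
        return identifier, chal       # this, not the secret, crosses the wire

    def verify(self, username, identifier, response):
        chal = self.pending.pop(identifier, None)   # one challenge, one use
        if chal is None or username not in self.user_db:
            return False
        expected = chap_response(identifier, self.user_db[username], chal)
        return hmac.compare_digest(expected, response)


def run_exchange(server, username, client_secret):
    """One full round trip: challenge -> response -> accept/reject.
    Only (identifier, challenge, response) travel between the two sides."""
    identifier, chal = server.challenge()
    response = chap_response(identifier, client_secret, chal)
    return server.verify(username, identifier, response)


def run_replay(server, username, client_secret):
    """A captured response is useless a second time: its challenge is gone."""
    identifier, chal = server.challenge()
    response = chap_response(identifier, client_secret, chal)
    first = server.verify(username, identifier, response)
    second = server.verify(username, identifier, response)
    return first, second


def build_server():
    # Constructed sample user database; the secret is made up.
    return ChapServer({"alice": "s3cret-pass"})


if __name__ == "__main__":
    srv = build_server()
    print("correct secret:", run_exchange(srv, "alice", "s3cret-pass"))
    print("wrong secret:  ", run_exchange(srv, "alice", "guess"))
    print("replay:        ", run_replay(srv, "alice", "s3cret-pass"))
```

The user_db dictionary is the point the second paragraph makes: the server keeps "s3cret-pass" itself, so whoever reads that store has every password in the clear. An eavesdropper, by contrast, sees only a challenge and an MD5 digest, and with a fresh challenge each time the digest buys nothing on its own (though a short secret can still be brute-forced from a captured pair, so CHAP secrets should be long).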
Tokens
Tokens store authentication information in a form that humans cannot read; special reader/writer
devices control writing data to and reading it from the token. The most common type of token is the
magnetic stripe card, in which a thin stripe of magnetic material is affixed to the surface of a card (as on
the back of a credit card). A familiar application of tokens for authentication to computer systems is the
automatic teller machine (ATM) card, which combines something the user possesses (the card) with
something the user knows (the PIN).
Biometrics
Biometric authentication technologies use the unique characteristics (or attributes) of an individual to
authenticate that person's identity. These include physiological and behavioral attributes.
Physiological attributes
• Fingerprints
• Hand geometry
• Retina patterns
Behavioral attributes
• Voice patterns
• Hand-written signatures
Biometric authentication technologies based upon these attributes have been developed for computer
log-in applications. Biometric authentication is technically complex and expensive, and user
acceptance can be difficult. However, efforts are being made to make the technology reliable, less
costly, and user-friendly. Biometric systems can provide an increased level of security for computer
systems, but the technology is less mature than that of memory tokens or smart tokens. Imperfections
in biometric authentication devices arise from technical difficulties in measuring and profiling physical
attributes as well as from the somewhat variable nature of physical attributes. These may change,
depending on various conditions. For example, a person's speech pattern may change under stressful
conditions or when suffering from a sore throat or cold. Due to their relatively high cost, biometric
systems are typically used with other authentication means in environments requiring high security.
Attacks
Attacks on a computer system or computer network take various forms, including:
Denial of Service Attack (DoS) - The Denial of Service (DoS) attack does not involve an intruder
gaining access. Instead, the cracker undertakes remote procedures that render a portion (or sometimes
all) of a target inoperable. The techniques employed in such an attack are simple, because connections
over the Internet are initiated via a procedure called the three-way handshake. In this process, the
requesting machine sends a packet requesting a connection. The target machine responds with an
acknowledgment. The requesting machine then returns its own acknowledgment and a connection is
established. In this attack, the requesting (cracker's) machine sends a series of connection requests but
fails to acknowledge the target's response. Since the target never receives that acknowledgment, it
waits. If this process is repeated many times, it renders the target's ports useless because the target is
still waiting for the response. These connection requests are dealt with sequentially. Eventually, the
target will abandon waiting for each such acknowledgment. Nevertheless, if it receives tens or even
hundreds of these requests, the port will remain engaged until it has processed and discarded each
request.
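A defender's view of the half-open connections this attack leaves behind, as an added example that is not part of the original study guide: it replays a constructed list of packet records (time, source, TCP flag) and counts, per source, the handshakes still waiting for the client's final acknowledgment, expiring entries the way the text says the target eventually abandons them. The packet records and the 60-second timeout are assumptions of the example.

```python
from collections import defaultdict

# Constructed packet records (time in seconds, source address, TCP flag), not a real capture.
# One client completes its handshake; another sends fifty requests and never acknowledges.
PACKETS = [(0.0, "10.0.0.5", "SYN"), (0.1, "10.0.0.5", "ACK")] + [
    (1.0 + i * 0.01, "198.51.100.9", "SYN") for i in range(50)
]


def half_open_by_source(packets, timeout=60.0):
    """Replay packets in order and return {source: number of half-open connections}.

    A SYN opens a pending entry for its source; the client's ACK closes the oldest
    one. Entries older than `timeout` are dropped, mirroring the target giving up
    on the missing acknowledgment.
    """
    pending = defaultdict(list)  # source -> timestamps of SYNs still awaiting the final ACK
    for now, src, flag in packets:
        for s in list(pending):  # expire stale entries before handling this packet
            pending[s] = [ts for ts in pending[s] if now - ts < timeout]
        if flag == "SYN":
            pending[src].append(now)
        elif flag == "ACK" and pending[src]:
            pending[src].pop(0)
    return {s: len(v) for s, v in pending.items() if v}


def flood_suspects(packets, threshold=20):
    """Sources holding at least `threshold` half-open connections at the end of the replay."""
    counts = half_open_by_source(packets)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(half_open_by_source(PACKETS))
    print("suspects:", flood_suspects(PACKETS))
```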
Back Door - A back door is some hidden method through which an attacker can later return to the
affected machine and gain control over it. Back doors circumvent normal system protection and allow
attackers unauthorized access in the future.
Spoofing - A spoofing attack involves nothing more than forging one's source address. It is the act of
using one machine to impersonate another. To understand how this occurs, you must know a bit about
authentication. Every user has encountered some form of authentication. This encounter most often
occurs while connecting to a network. On the Internet, application-level authentication routines are in
the minority. Authentication routines occur continuously, and most are totally invisible to the user. The
difference between these routines and application-level authentication routines is fundamental. In
application-level authentication, a machine challenges the user: the machine requests that the user
identify himself. In contrast, non-application-level authentication routines occur between machines. One
machine demands some form of identification from another. Until this identification is produced and
validated, no transactions occur between the machines engaged in the challenge-response dialog. Such
machine-to-machine dialogs always occur automatically (that is, they occur without human
intervention). In the IP spoofing attack, the cracker attempts to capitalize on the automated nature of
the dialog between machines. Thus, the IP spoofing attack is an extraordinary method of gaining
access because in it, the cracker never uses a username or password.
Man in the middle – In this type of attack an attacker sits on a network segment between a
server and a client and has been quietly monitoring the session. This has given the attacker the time to
learn what port and sequence numbers are being used to carry on the conversation. The attacker then
crashes the client with a ping or ICMP flood attack, so that the client cannot respond to traffic
sent by the server. Now that the client is out of the way, the attacker is free to communicate with the
server as if he were the client.
A good authentication mechanism should also verify that the source remains constant and has not been
replaced by another system. This can be achieved by exchanging a secret during the course of the
communication session.
Birthday - A birthday attack is a name used to refer to a class of brute-force attacks. It gets its name
from the surprising result that the probability that two or more people in a group of 23 share the same
birthday is greater than ½. This result is called the birthday paradox. If some function, when supplied
with a random input, returns one of "k" equally likely values, then by repeatedly evaluating the
function for different inputs, we expect to obtain the same output twice after about 1.2·k^(1/2)
evaluations. For the above birthday paradox, replace k with 365. Birthday attacks are often used to find
collisions of hash functions.
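The two claims above carried through in code, as an added example that is not part of the original study guide: the exact birthday probability for a group of n people, the 1.2·k^(1/2) estimate, and a collision search on a deliberately truncated hash (SHA-256 cut to a few bits, an assumption of the example so that k is small enough to run in moments).

```python
import hashlib
import math
from itertools import count


def birthday_probability(n: int, k: int = 365) -> float:
    """Probability that at least two of n draws from k equally likely values coincide."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (k - i) / k
    return 1.0 - p_all_distinct


def expected_trials(k: int) -> float:
    """The text's estimate: about 1.2 * k**0.5 evaluations before an output repeats."""
    return 1.2 * math.sqrt(k)


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits: a toy hash with k = 2**bits possible outputs."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, seed: bytes = b"msg-"):
    """Evaluate the truncated hash on distinct inputs until an output repeats.

    Returns (input_a, input_b, trials): two different messages with the same
    truncated hash and the number of evaluations it took to find them.
    """
    seen = {}  # output -> first input that produced it
    for i in count():
        msg = seed + str(i).encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


if __name__ == "__main__":
    print("P(shared birthday, 23 people) =", round(birthday_probability(23), 4))
    bits = 20
    a, b, trials = find_collision(bits)
    print(f"{bits}-bit collision after {trials} trials "
          f"(estimate {expected_trials(2 ** bits):.0f}): {a!r} vs {b!r}")
```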
Social Engineering – is the term used for obtaining passwords from the people who hold them. Users
may share their passwords. They may give their password to a co-worker in order to share files. In
addition, people can be tricked into divulging their passwords.
Password Guessing - A password guesser or password cracker is any program that can decrypt
passwords or otherwise disable password protection. A password cracker need not decrypt anything; in
fact, most of them don't. Password guessing attacks come in several forms:
Brute Force - Many so-called password crackers are nothing but brute-force engines: programs that
try word after word, often at high speeds. These rely on the theory that eventually you will encounter
the right word or phrase. This theory has been proven to be sound, primarily due to the factor of human
laziness. Humans simply do not take care to create strong passwords.
Dictionary – In a dictionary attack a dictionary of words is prepared and then used to guess the
password. A dictionary-based attack is *very* effective. Moreover, if you know the "structure" of the
password (for example, the characters at some positions), you can create your own dictionary based on
the rules you have.
Prevention from Attacks
Protecting one's networks from computer attacks is an ongoing and non-trivial task; however, some
simple security measures will stop the majority of network penetration attempts. For example, a
well-configured firewall and an installed base of virus checkers will stop most computer attacks. Here, we
present a list of 14 different security measures that, if implemented, will help secure a network.
Patching
Companies often release software patches in order to fix coding errors. If unfixed, these errors often
allow an attacker to penetrate a computer system. Systems administrators should protect their most
important systems by constantly applying the most recent patches. However, it is difficult to patch all
hosts in a network because patches are released at a very fast pace. First focus on patching the most
important hosts and then implement the other security solutions mentioned below. Patches usually
must be obtained from software vendors.
Virus Detection
Virus-checking programs are indispensable to any network security solution. Virus checkers monitor
computers and look for malicious code. One problem with virus checkers is that one must install them
on all computers for maximum effectiveness. It is time-consuming to install the software, and it requires
monthly updating for maximum effectiveness. Users can be trained to perform these updates, but they
cannot be relied upon. In addition to the normal virus checking on each computer, we recommend that
organizations scan e-mail attachments at the e-mail server. This way, the majority of viruses are
stopped before ever reaching the users.
Firewalls
Firewalls are the single most important security solution for protecting one's network. Firewalls police
the network traffic that enters and leaves a network. The firewall may disallow some traffic outright
or may perform some sort of verification on other traffic. A well-configured firewall will stop the
majority of publicly available computer attacks.
Password Crackers
Hackers often use little-known vulnerabilities in computers to steal encrypted password files. They
then use password-cracking programs that can discover weak passwords within encrypted password
files. Once a weak password is discovered, the attacker can enter the computer as a normal user and
use a variety of tricks to gain complete control of your computer and your network. When used by
intruders, such programs are invisible to systems administrators. Systems administrators should run
password-cracking programs on their encrypted password files regularly to discover weak passwords.
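The audit recommended here, and the dictionary-with-rules idea from the Password Guessing section above, as one added example that is not part of the original study guide. The "encrypted password file" format (salted SHA-256), the accounts and the wordlist are all constructed for the example; a real audit would use the system's own hash format and a full wordlist.

```python
import hashlib
import hmac
import os

# Assumed toy format for the stored password file: user -> (salt, SHA-256(salt || password)).
# Real systems use their own formats (e.g. crypt variants); this is only for illustration.


def make_entry(password: str, salt: bytes = None):
    salt = salt or os.urandom(8)
    return salt, hashlib.sha256(salt + password.encode()).digest()


# Constructed accounts: two are built from dictionary words, one from a long random string.
SHADOW = {
    "alice": make_entry("password"),
    "bob": make_entry("Summer2003!"),
    "carol": make_entry("x7#Kq9!pL2@mZ"),
}

# Constructed wordlist; a real audit would use a large one.
WORDLIST = ["password", "summer", "welcome", "letmein"]


def candidates(word: str):
    """Expand a base word with a few structural rules (case, common suffixes),
    the kind of "structure" knowledge the text says makes dictionaries effective."""
    for w in (word, word.capitalize(), word.upper()):
        yield w
        for suffix in ("1", "123", "2003", "!", "2003!"):
            yield w + suffix


def audit(shadow, wordlist):
    """Return {username: matching candidate} for every account whose stored hash
    equals the hash of some wordlist-derived candidate; those passwords are weak."""
    weak = {}
    for user, (salt, digest) in shadow.items():
        for word in wordlist:
            for cand in candidates(word):
                trial = hashlib.sha256(salt + cand.encode()).digest()
                if hmac.compare_digest(trial, digest):
                    weak[user] = cand
                    break
            if user in weak:
                break
    return weak


if __name__ == "__main__":
    for user, cand in audit(SHADOW, WORDLIST).items():
        print(f"{user}: weak password matched by rule-expanded dictionary word {cand!r}")
```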
Encryption
Attackers often break into networks by listening to network traffic at strategic locations and by parsing
out clear text usernames and passwords. Thus, remote password-protected connections should be
encrypted. This is especially true for remote connections over the Internet and connections to the most
critical servers. A variety of commercial and free products are available to encrypt TCP/IP traffic.
Vulnerability Scanners
Vulnerability scanners are programs that scan a network looking for computers that are vulnerable to
attacks. The scanners have a large database of vulnerabilities that they use to probe computers in order
to determine the vulnerable ones. Both commercial and free vulnerability scanners exist.
Configuring Hosts for Security
Computers with newly installed operating systems are often vulnerable to attack. The reason is that an
operating system’s installation programs generally enable all available networking features. This
allows an attacker to explore many avenues of attack into one’s computer. All unneeded network
services should be turned off.
War Dialing
Users often bypass a site’s network security scheme by allowing their computers to receive incoming
telephone calls. The user enables a modem upon leaving work and then is able to dial in from home
and use the corporate network. Attackers use war dialing programs to call a large number of telephone
numbers looking for those computers receptive to telephone calls. Since users set up these computers
themselves, they are often insecure and provide attackers a backdoor into one’s network. System
administrators should regularly use war dialers to discover these back doors. Both commercial and free
war dialers are readily available.
Security Advisories
Security advisories are warnings issued by incident response teams and vendors about recently
discovered computer vulnerabilities. Advisories usually cover only the most important threats and thus
are low-volume and high-utility reading. They describe the threat in general terms and give very
specific solutions on how to plug the vulnerability.
Intrusion Detection
Intrusion detection systems detect computer attacks. They can be used outside of a network’s firewall
to see what kinds of attacks are being launched at a network. They can be used behind a network’s
firewall to discover attacks that penetrate the firewall. They can be used within a network to monitor
insider attacks. Intrusion detection tools come with many different capabilities and functionality.
Network Discovery Tools and Port Scanners
Network discovery tools and port scanners map out networks and identify the services running on each
host. Attackers use these tools to find vulnerable hosts and network services. System administrators
use these tools to monitor what host and network services are connected to their network. Weak or
improperly configured services and hosts can be found and patched.
Incident Response Handling
Every network, no matter how secure, has some security events (even if just false alarms). Staff must
know beforehand how to handle these events. Important points that must be resolved are: When should
one call law enforcement? When should one call an emergency response team? When should network
connections be severed? What is the recovery plan if an important server is compromised?
Security Policies
The strength of a network security scheme is only as strong as the weakest entry point. If different sites
within an organization have different security policies, one site can be compromised by the insecurity
of another. Organizations should write a security policy defining the level of protection that they
expect to be uniformly implemented. The most important aspect of a policy is creating a uniform
mandate on what traffic is allowed through the organization's firewalls. The policy should also define
how and where security tools (e.g., intrusion detection or vulnerability scanners) should be used in the
network. To obtain uniform security, the policy should define secure default configurations for
different types of hosts.
Denial of Service Testing (for firewalls and Web servers)
Denial-of-service (DoS) attacks are very common on the Internet. Malicious attackers shut down Web
sites, reboot computers, or clog up networks with junk packets. DoS attacks can be very serious,
especially when the attacker is clever enough to launch an ongoing, untraceable attack. Sites serious
about security can launch these same attacks against themselves to determine how much damage can
be done. We suggest that only very experienced systems administrators or vulnerability analysis
consultants perform this type of analysis.
Auditing
Auditing is the review and analysis of management, operational, and technical controls. The auditor
can obtain valuable information about activity on a computer system from the audit trail. Audit trails
improve the auditability of the computer system. Audits can be self-administered or independent
(either internal or external). Both types can provide excellent information about technical, procedural,
managerial, or other aspects of security. The essential difference between a self-audit and an
independent audit is objectivity. Reviews done by system management staff, often called
self-audits/assessments, have an inherent conflict of interest. The system management staff may have little
incentive to say that the computer system was poorly designed or is sloppily operated. On the other
hand, they may be motivated by a strong desire to improve the security of the system. In addition, they
are knowledgeable about the system and may be able to find hidden problems.
There are two types of automated tools:
(1) Active tools, which find vulnerabilities by trying to exploit them.
(2) Passive tools, which only examine the system and infer the existence of problems from the state of
the system.
Automated tools can be used to help find a variety of threats and vulnerabilities, such as improper
access controls or access control configurations, weak passwords, lack of integrity of the system
software, or not using all relevant software updates and patches. These tools are often very successful
at finding vulnerabilities and are sometimes used by hackers to break into systems. Not taking
advantage of these tools puts system administrators at a disadvantage.
Internal Controls Audit. An auditor can review controls in place and determine whether they are
effective. The auditor will often analyze both computer and non-computer-based controls.
Security Checklists. Checklists can be developed which include national or organizational security
policies and practices (often referred to as baselines).
Penetration Testing. Penetration testing can use many methods to attempt a system break-in. In
addition to using active automated tools as described above, penetration testing can be done
"manually." For many systems, a lack of internal controls on applications is a common vulnerability
that penetration testing can target. Penetration testing is a very powerful technique. It should preferably
be conducted with the knowledge and consent of system management.
Monitoring Types. There are many types and methods of monitoring a system or user. Some
methods are deemed more socially acceptable and some are illegal. It is wise to check with legal
counsel.
Review of System Logs. A periodic review of system-generated logs can detect security problems,
including attempts to exceed access authority or gain system access during unusual hours.
Automated Tools. Several types of automated tools monitor a system for security problems. Some
examples are virus scanners, checksumming, password crackers, integrity verification programs,
intrusion detectors, and system performance monitoring.
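The log review described above, turned into detection logic run over a few constructed syslog-style lines, as an added example that is not part of the original study guide. The log format, the 08:00-18:59 business-hours policy and the failed-login threshold are assumptions of the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines in a syslog-like layout; not copied from any real system.
SAMPLE_LOG = """\
2003-05-12 09:14:02 host1 login: session opened for user alice from 10.0.0.5
2003-05-12 09:20:44 host1 sudo: alice : command not allowed ; TTY=pts/0 ; COMMAND=/sbin/shutdown
2003-05-12 02:31:10 host1 login: session opened for user bob from 10.0.0.9
2003-05-12 02:32:55 host1 login: FAILED LOGIN for user root from 192.0.2.77
2003-05-12 02:33:01 host1 login: FAILED LOGIN for user root from 192.0.2.77
2003-05-12 02:33:07 host1 login: FAILED LOGIN for user root from 192.0.2.77
2003-05-12 13:05:30 host1 login: session opened for user carol from 10.0.0.12
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+): (.*)$")  # "date time host program: message"
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59; an assumed site policy


def parse(line: str):
    """Split one log line into its fields, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "host": m.group(2),
        "program": m.group(3),
        "msg": m.group(4),
    }


def review(log_text: str, failed_threshold: int = 3):
    """Return a list of (finding, user, detail) tuples for the three conditions the
    text names: access at unusual hours, attempts to exceed authority, and
    repeated failed logins from one source."""
    findings = []
    failures = Counter()  # (user, source) -> failed attempts seen so far
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        msg = ev["msg"]
        m = re.search(r"session opened for user (\S+)", msg)
        if m and ev["time"].hour not in BUSINESS_HOURS:
            findings.append(("unusual-hours", m.group(1), ev["time"].isoformat()))
        m = re.match(r"(\S+) : command not allowed", msg)
        if ev["program"] == "sudo" and m:
            findings.append(("exceeded-authority", m.group(1), msg))
        m = re.search(r"FAILED LOGIN for user (\S+) from (\S+)", msg)
        if m:
            key = (m.group(1), m.group(2))
            failures[key] += 1
            if failures[key] == failed_threshold:  # report once, when the threshold is hit
                findings.append(("repeated-failures", m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```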
Configuration Management/Managing Change. From a security point of view, configuration
management provides assurance that the system in operation is the correct version (configuration) of
the system and that any changes to be made are reviewed for security implications.
Trade Literature/Publications/Electronic News. In addition to monitoring the system, it is
useful to monitor external sources for information.
Periodic Re-accreditation. Periodically, it is useful to formally reexamine the security of a system
from a wider perspective. The analysis, which leads to re-accreditation, should address such questions
as: Is the security still sufficient? Are major changes needed? The re-accreditation should address
high-level security and management concerns as well as the implementation of the security.
Remote Access
Secure Your Wireless Network
Unlike wired networks, wireless networks can reach beyond the walls of buildings. In many
deployments, wired network security depends on the physical security of the networks behind locked
doors of the buildings. You need to pass through the building security to get access to the network. On
the other hand, wireless networks can be monitored and attacked from outside the walls of buildings.
To mitigate security risks, many wireless networks provide ways to encrypt transmissions. You can use
simple static encryption (WEP) network keys or more advanced techniques that generate and rotate the
WEP keys to provide privacy. Since its inception, 802.11 has provided some basic security
mechanisms to make this enhanced freedom less of a potential threat. For example, 802.11 access
points (or sets of access points) can be configured with a service set identifier (SSID). This SSID must
also be known by the NIC in order to associate with the AP and thus proceed with data transmission
and reception on the network. This is very weak security, for the following reasons:
• The SSID is well known by all NICs and APs.
• The SSID is sent through the air in the clear (it is even beaconed by the AP).
• Whether association is allowed when the SSID is not known can be controlled locally by the
NIC/driver.
• No encryption is provided through this scheme.
While there may be other problems with this scheme, it is evident that it stops few attackers, probably
only the casual ones.
Additional security is provided through the 802.11 specifications through the Wired Equivalent
Privacy (WEP) algorithm. WEP provides 802.11 with authentication and encryption services. The
WEP algorithm defines the use of a 40-bit secret key for authentication and encryption and many IEEE
802.11 implementations also allow 104-bit secret keys. This algorithm provides mostly protection
against eavesdropping and physical security attributes comparable to a wired network.
A principal limitation to this security mechanism is that the standard does not define a key
management protocol for distribution of the keys. This presumes that the secret, shared keys are
delivered to the IEEE 802.11 wireless station via a secure channel independent of IEEE 802.11. This
becomes even more challenging when a large number of stations are involved such as on a corporate
campus.
To provide a better mechanism for access control and security, the inclusion of a key management
protocol in the specification is required. For the most advanced protection, one should use the 802.1X
industry standard as defined by the IEEE. It provides for individual authentication and privacy by being
able to generate and plug in WEP keys. Furthermore, these WEP keys can be generated per user and
rotated often based on policy.
802.1x Authentication
IEEE 802.1x is a standard for port-based network access control that provides authenticated network
access to 802.11 wireless networks and wired Ethernet networks. Port-based network access control
uses the physical characteristics of a switched local area network (LAN) infrastructure to authenticate
devices that are attached to a LAN port and to prevent access to that port in cases where the
authentication process fails.
During a port-based network access control interaction, a LAN port adopts one of two roles:
authenticator or supplicant. In the role of authenticator, a LAN port enforces authentication before it
allows user access to the services that can be accessed through that port. In the role of supplicant, a
LAN port requests access to the services that can be accessed through the authenticator's port. An
authentication server, which can either be a separate entity or co-located with the authenticator, checks
the supplicant's credentials on behalf of the authenticator. The authentication server then responds to
the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.
The authenticator's port-based network access control defines two logical access points to the LAN,
through one physical LAN port. The first logical access point, the uncontrolled port, allows data
exchange between the authenticator and other computers on the LAN, regardless of the computer's
authorization state. The second logical access point, the controlled port, allows data exchange between
an authenticated LAN user and the authenticator.
IEEE 802.1x uses standard security protocols, such as Remote Authentication Dial-In User Service
(RADIUS), to provide centralized user identification, authentication, dynamic key management, and
accounting.
Virtual private network (VPN) connections
With the Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP), you can
securely access resources on a network by connecting to a remote access server running
Windows 2000 through the Internet or other networks. The use of both private and public networks to
create a network connection is called a virtual private network (VPN). The following table describes
the advantages of using VPN connections.
Advantage | Example
Cost advantages | The Internet is used as a connection instead of a long-distance telephone number or 1-800 service. Because an ISP maintains communications hardware such as modems and ISDN adapters, your network requires less hardware to purchase and manage.
Outsourcing dial-up networks | You can make a local call to the telephone company or Internet service provider (ISP), which then connects you to a remote access server running Windows 2000 and your corporate network. It is the telephone company or ISP that manages the modems and telephone lines required for dial-up access. Because the ISP supports complex communications hardware configurations, a network administrator is free to centrally manage user accounts at the remote access server.
Enhanced security | The connection over the Internet is encrypted and secure. New authentication and encryption protocols are enforced by the remote access server. Sensitive data is hidden from Internet users, but made securely accessible to appropriate users through a VPN.
Network protocol support | Since the most common network protocols (including TCP/IP, IPX, and NetBEUI) are supported, you can remotely run any application dependent upon these particular network protocols.
IP address security | Since the VPN is encrypted, the addresses you specify are protected, and the Internet only sees the external IP address. For organizations with nonconforming internal IP addresses, the repercussions of this are substantial, as no administrative costs are associated with having to change IP addresses for remote access via the Internet.
There are two ways to create a VPN connection: by dialing an ISP, or by connecting directly to the
Internet, as shown in the following examples.
In the first example, the VPN connection first makes a call to an ISP. After the connection is
established, the connection then makes another call to the RAS that establishes the PPTP or L2TP
tunnel. After authentication, you can access the corporate network.
In the second example, a user who is already connected to the Internet uses a VPN connection to dial
the number for the remote access server. Examples of this type of user include a person whose
computer is connected to a local area network, a cable modem user, or a subscriber of a service such as
ADSL, where IP connectivity is established immediately after the user's computer is turned on. The
PPTP or L2TP driver makes a tunnel through the Internet and connects to the PPTP-enabled or
L2TP-enabled RAS. After authentication, the user can access the corporate network.
Point-to-Point Tunneling Protocol (PPTP)
You can access a private network through the Internet or other public network by using a virtual
private network (VPN) connection with PPTP. It enables the secure transfer of data from a remote
computer to a private server by creating a VPN across TCP/IP-based data networks. PPTP supports
on-demand, multiprotocol virtual private networking over public networks, such as the Internet.
Developed as an extension of the Point-to-Point Protocol (PPP), PPTP adds a new level of enhanced
security and multiprotocol communications over the Internet. Specifically, by using the new
Extensible Authentication Protocol (EAP), data transfer through a PPTP-enabled VPN is as secure as
within a single LAN at a corporate site. PPTP tunnels or encapsulates IP, IPX, or NetBEUI protocols
inside PPP datagrams. This means that you can remotely run applications that are dependent upon
particular network protocols. The tunnel server performs all security checks and validations, and
enables data encryption, which makes it much safer to send information over unsecured networks. You
can also use PPTP in private LAN-to-LAN networking.
PPTP does not require a dial-up connection. It does, however, require IP connectivity between your
computer and the server. If you are directly attached to an IP LAN and can reach a server, then you can
establish a PPTP tunnel across the LAN. If, however, you are creating a tunnel over the Internet, and
your normal Internet access is a dial-up connection to an ISP, you must dial up your Internet
connection before you can establish the tunnel.
Layer Two Tunneling Protocol (L2TP)
L2TP is an industry standard Internet tunneling protocol. Unlike Point-to-Point Tunneling Protocol (PPTP),
L2TP does not require IP connectivity between the client workstation and the server. L2TP requires
only that the tunnel medium provides packet-oriented point-to-point connectivity. The protocol can be
used over media such as ATM, Frame Relay, and X.25. L2TP provides the same functionality as
PPTP. Based on the Layer 2 Forwarding (L2F) and PPTP specifications, L2TP allows clients to set up
tunnels across intervening networks.
Remote Authentication Dial-In-User Service (RADIUS)
RADIUS is a security authentication protocol based on clients and servers and widely used by Internet
service providers (ISPs) on non-Microsoft remote servers. RADIUS is the most popular means of
authenticating and authorizing dial-up and tunneled network users today. RADIUS allows single sign-on
capabilities for remote users by allowing them to authenticate with their domain account and
password. Single sign-on allows access to all resources on a network with a single user account and
password, rather than having to provide different account/password combinations for connecting to the
ISP and to the corporate network through a VPN connection. This single user account and password
can be used at any remote access server or network device that's configured as a RADIUS client to the
IAS server.
IP Security (IPSec)
IP Security is a public/private key encryption protocol that uses a Diffie-Hellman exchange in order to
perform authentication and establish session keys. IPSec also uses a 40-bit DES algorithm in order to
encrypt the data stream. IPSec has been implemented at the session layer, so it does not require direct
application support.
TACACS
TACACS is an industry standard protocol specification, defined by RFC 1492, that forwards username
and password information to a centralized server. The centralized server can either be a TACACS
database or a database like the UNIX password file with TACACS protocol support. For example, a
UNIX server with TACACS passes requests to the UNIX database and sends the "accept" or "reject"
message back to the access server.
XTACACS
XTACACS defines the extensions that Cisco added to the TACACS protocol to support new and
advanced features.
TACACS+
TACACS+ allows a separate access server (the TACACS+ server) to provide the services of
authentication, authorization, and accounting independently. Each service can be tied into its own
database or can use the other services available on that server or on the network. The overall design
goal of TACACS+ is to define a standard method for managing dissimilar Network Access Servers
(NASs) from a single set of management services such as a database. A NAS provides connections to a
single user, to a network or subnetwork, and to interconnected networks.
TACACS+ has three major components:
1. The protocol support within the access servers and routers
2. The protocol specification
3. The centralized security database
Email
S/MIME
Security services can be added to each communication link along a path, or they can be wrapped around
the data being sent, so that they are independent of the communication mechanism. This latter approach is
often called "end-to-end" security and it has become a very important topic for users.
The two basic features of this type of security are:
Privacy: Only the intended recipient can read the message.
Authentication: The recipient can be assured of the identity of the sender.
The technical capabilities of these functions have been known for many years, but they have only been
applied to Internet mail recently.
These services typically include authentication of the originator and privacy for the data. They can also
provide a signed receipt from the recipient. At the core of these capabilities is the use of public key
technology and large-scale use of public keys requires a method of certifying that a given key belongs
to a given user.
Although they offer similar services to users, the two protocols (S/MIME and PGP/MIME) have very different formats. Further,
and more important to corporate users, they have different formats for their certificates. This means
that not only can users of one protocol not communicate with the users of the other, they also cannot
share authentication certificates. The difference between the two protocols is similar to the differences
between GIF and JPEG files. They both do basically the same thing for end users, but their formats are
very different.
S/MIME was originally developed by RSA Data Security, Inc. It is based on the PKCS #7 data format
for the messages, and the X.509v3 format for certificates. PKCS #7, in turn, is based on the ASN.1
DER format for data.
PGP/MIME is based on PGP, which was developed by many individuals, some of whom have now
joined together as PGP, Inc. The message and certificate formats were created from scratch, and use
simple binary encoding. OpenPGP is also based on PGP.
Differences and Commonalities between S/MIME v3 and PGP
S/MIME v3 and PGP are both protocols for adding authentication and privacy to messages. However,
they differ in many ways, and are not designed to be interoperable. Some cryptographic algorithms are
the same between the two protocols, but others differ. The following chart compares many
relevant features of the two protocols, showing where they differ and where they are the same.
Mandatory feature                      S/MIME v3                           OpenPGP
Message format                         Binary, based on CMS                Binary, based on previous PGP
Certificate format                     Binary, based on X.509v3            Binary, based on previous PGP
Symmetric encryption algorithm         TripleDES (DES EDE3 CBC)            TripleDES (DES EDE3 Eccentric CFB)
Signature algorithm                    Diffie-Hellman (X9.42) with DSS     ElGamal with DSS
Hash algorithm                         SHA-1                               SHA-1
MIME encapsulation of signed data      Choice of multipart/signed or       Multipart/signed with ASCII armor
                                       CMS format
MIME encapsulation of encrypted data   Application/pkcs7-mime              Multipart/encrypted
HOAXES
These hoaxes usually arrive in the form of an email. Disregard hoax emails: they contain
bogus warnings, usually intended only to frighten or mislead users. The best course of action is
simply to delete them.
Web
SSL/TLS
SSL/TLS is the encryption system used by 'https' web pages. It is generally considered to be the most
secure method for sending sensitive information across the Internet, and is the basis of all e-commerce
security systems used today.
The SSL Protocol
The Transmission Control Protocol/Internet Protocol (TCP/IP) governs the transport and routing of
data over the Internet. Other protocols, such as the Hypertext Transfer Protocol (HTTP),
Lightweight Directory Access Protocol (LDAP), or Internet Message Access Protocol (IMAP), run
"on top of" TCP/IP in the sense that they all use TCP/IP to support typical application tasks such as
displaying web pages or running email servers.
(Figure: SSL runs above TCP/IP and below high-level application protocols)
The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP. It uses
TCP/IP on behalf of the higher-level protocols, and in the process allows an SSL-enabled server to
authenticate itself to an SSL-enabled client. It also allows the client to authenticate itself to the server,
and allows both machines to establish an encrypted connection.
These capabilities address fundamental concerns about communication over the Internet and other
TCP/IP networks:
• SSL server authentication allows a user to confirm a server's identity. SSL-enabled client
software can use standard techniques of public-key cryptography to check that a server's
certificate and public ID are valid and have been issued by a certificate authority (CA) listed in
the client's list of trusted CAs. This confirmation might be important if the user, for example, is
sending a credit card number over the network and wants to check the receiving server's
identity.
• SSL client authentication allows a server to confirm a user's identity. Using the same
techniques as those used for server authentication, SSL-enabled server software can check that
a client's certificate and public ID are valid and have been issued by a certificate authority (CA)
listed in the server's list of trusted CAs. This confirmation might be important if the server, for
example, is a bank sending confidential financial information to a customer and wants to check
the recipient's identity.
• An encrypted SSL connection requires all information sent between a client and a server to be
encrypted by the sending software and decrypted by the receiving software, thus providing a
high degree of confidentiality. Confidentiality is important for both parties to any private
transaction. In addition, all data sent over an encrypted SSL connection is protected with a
mechanism for detecting tampering--that is, for automatically determining whether the data has
been altered in transit.
The SSL protocol includes two sub-protocols: the SSL record protocol and the SSL handshake
protocol. The SSL record protocol defines the format used to transmit data. The SSL handshake
protocol involves using the SSL record protocol to exchange a series of messages between an
SSL-enabled server and an SSL-enabled client when they first establish an SSL connection. This
exchange of messages is designed to facilitate the following actions:
• Authenticate the server to the client.
• Allow the client and server to select the cryptographic algorithms, or ciphers, that they both
support.
• Optionally authenticate the client to the server.
• Use public-key encryption techniques to generate shared secrets.
Vulnerabilities
Vulnerable CGI programs
Most web servers support Common Gateway Interface (CGI) programs to provide interactivity in web
pages, such as data collection and verification. Many web servers come with sample CGI programs
installed by default. Unfortunately, many CGI programmers fail to consider ways in which their
programs may be misused or subverted to execute malicious commands. Vulnerable CGI programs
present a particularly attractive target to intruders because they are relatively easy to locate, and they
operate with the privileges and power of the web server software itself. Intruders are known to have
exploited vulnerable CGI programs to vandalize web pages, steal credit card information, and set up
back doors that enable future intrusions even after the CGI programs themselves have been secured. As a general rule, sample
programs should always be removed from production systems.
Web server attacks
Beyond the execution of CGI programs, web servers have other possible holes. A large number of web
servers have holes whereby a file name can include a series of "../" in the path name to move within the
file system, retrieving any file. Another common bug is a buffer overflow in the request field or in one of
the other HTTP fields.
Web servers often have bugs related to their interaction with the underlying operating system. An old
hole in Microsoft IIS dealt with the fact that files have two names, a long filename and a
short 8.3 hashed equivalent that could sometimes be accessed bypassing permissions. NTFS (the new
file system) has a feature called "alternate data streams" that is similar to the Macintosh data and
resource forks.
Servers also have problems with URLs, for example the "death by a thousand slashes" problem. Older
versions of the Apache web server would incur huge CPU loads as they tried to process each directory in a
thousand-slash URL.
Web browser attacks
It seems that all of Microsoft's and Netscape's web browsers have security holes (though, of course, the
latest ones never have any that we know about yet). This includes URL, HTTP, HTML, JavaScript,
Frames, Java, and ActiveX attacks.
URL fields can cause a buffer overflow condition, either as the URL is parsed in the HTTP header, or as it is
displayed on the screen, or processed in some form (such as saved in the cache history). Also, an old
bug in Internet Explorer caused the browser to execute .LNK or
.URL commands.
HTTP headers can be used to exploit bugs because some fields are passed to functions that expect
only certain information.
HTML can be often exploited, such as the MIME-type overflow in Netscape Communicator's
<EMBED> command.
JavaScript is a perennial favorite, and usually tries to exploit the "file upload" function by generating
a filename and automatically hiding the "SUBMIT" button.
Frames are often used as part of a JavaScript or Java hack (for example, hiding web-pages in 1px by
1px sized screens), but they present special problems. For example, I can include a link to a
trustworthy site that uses frames, then replace some of those frames with web pages from my own site,
and they will appear to you to be part of that remote site.
Java has a robust security model, but that model has proven to have the occasional bug (though
compared to everything else, it has proven to be one of the most secure elements of the whole system).
Moreover, its robust security may be its undoing: Normal Java applets have no access to the local
system, but sometimes they would be more useful if they did have local access.
ActiveX is even more dangerous than Java as it works purely from a trust model and runs native code.
You can even inadvertently catch a virus that was accidentally embedded in some vendor's code.
Global file sharing
These services allow file sharing over networks. When improperly configured, they can expose critical
system files or give full file system access to any hostile party connected to the network. Many
computer owners and administrators use these services to make their file systems readable and
writeable in an effort to improve the convenience of data access.
When file sharing is enabled on Windows machines, they become vulnerable to both information theft
and certain types of quick-moving viruses. A virus called the 911 Worm uses file shares on Windows
95 and 98 systems to propagate and causes the victim's computer to dial 911 on its modem. Macintosh
computers are also vulnerable to file sharing exploits.
The same NetBIOS mechanisms that permit Windows File Sharing may also be used to enumerate
sensitive system information from NT systems. User and Group information (usernames, last logon
dates, password policy, RAS information), system information, and certain Registry keys may be
accessed via a "null session" connection to the NetBIOS Session Service. This information is typically
used to mount a password guessing or brute force password attack against the NT target.
User IDs, especially root/administrator with no passwords or weak passwords
Some systems come with "demo" or "guest" accounts with no passwords or with widely-known default
passwords. Service workers often leave maintenance accounts with no passwords, and some database
management systems install administration accounts with default passwords. In addition, busy system
administrators often select system passwords that are easily guessable ("love," "money," "wizard" are
common) or just use a blank password. Default passwords provide effortless access for attackers.
Many attackers try default passwords and then try to guess passwords before resorting to more
sophisticated methods. Compromised user accounts get the attackers inside the firewall and inside the
target machine. Once inside, most attackers can use easily accessible resources to gain root or
administrator access.
IMAP and POP buffer overflow vulnerabilities or incorrect configuration
IMAP and POP are popular remote access mail protocols, allowing users to access their e-mail
accounts from internal and external networks. The "open access" nature of these services makes them
especially vulnerable to exploitation because openings are frequently left in firewalls to allow for
external e-mail access. Attackers who exploit flaws in IMAP or POP often gain instant root-level
control.
Default SNMP community strings set to ‘public’ and ‘private.’
The Simple Network Management Protocol (SNMP) is widely used by network administrators to
monitor and administer all types of network-connected devices ranging from routers to printers to
computers. SNMP uses an unencrypted "community string" as its only authentication mechanism.
Lack of encryption is bad enough, but the default community string used by the vast majority of SNMP
devices is "public". A few clever network equipment vendors change the string to "private". Attackers
can use this vulnerability in SNMP to reconfigure or shut down devices remotely. Sniffed SNMP
traffic can reveal a great deal about the structure of your network, as well as the systems and devices
attached to it. Intruders use such information to pick targets and plan attacks.
File Transfer
FTP is exclusively a TCP-based service; there is no UDP component to FTP. FTP is an unusual
service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port).
Traditionally these are port 21 for the command port and port 20 for the data port. The confusion
begins, however, when we find that depending on the mode, the data port is not always on port 20.
Active FTP
In active mode FTP the client connects from a random unprivileged port (N > 1024) to the FTP
server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP
command PORT N+1 to the FTP server. The server will then connect back to the client's specified data
port from its local data port, which is port 20. From the server-side firewall's standpoint, to support
active mode FTP the following communication channels need to be opened:
• FTP server's port 21 from anywhere (Client initiates connection)
• FTP server's port 21 to ports > 1024 (Server responds to client's control port)
• FTP server's port 20 to ports > 1024 (Server initiates data connection to client's data port)
• FTP server's port 20 from ports > 1024 (Client sends ACKs to server's data port)
When drawn out, the connection appears as follows:
In step 1, the client's command port contacts the server's command port and sends the command PORT
1027. The server then sends an ACK back to the client's command port in step 2. In step 3 the server
initiates a connection on its local data port to the data port the client specified earlier. Finally, the client
sends an ACK back as shown in step 4.
The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make
the actual connection to the data port of the server; it simply tells the server what port it is listening on
and the server connects back to the specified port on the client. From the client-side firewall this
appears to be an outside system initiating a connection to an internal client, something that is usually
blocked.
Passive FTP
In order to resolve the issue of the server initiating the connection to the client a different method for
FTP connections was developed. This was known as passive mode, or PASV, after the command used
by the client to tell the server it is in passive mode. In passive mode FTP the client initiates both
connections to the server, solving the problem of firewalls filtering the incoming data port connection
to the client from the server. When opening an FTP connection, the client opens two random
unprivileged ports locally (N > 1024 and N+1). The first port contacts the server on port 21, but instead
of then issuing a PORT command and allowing the server to connect back to its data port, the client will
issue the PASV command. The result of this is that the server then opens a random unprivileged port (P
> 1024) and sends the PORT P command back to the client. The client then initiates the connection from
port N+1 to port P on the server to transfer data. From the server-side firewall's standpoint, to support
passive mode FTP the following communication channels need to be opened:
• FTP server's port 21 from anywhere (Client initiates connection)
• FTP server's port 21 to ports > 1024 (Server responds to client's control port)
• FTP server's ports > 1024 from anywhere (Client initiates data connection to random port
specified by server)
• FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data
port)
When drawn, a passive mode FTP connection looks like this:
In step 1, the client contacts the server on the command port and issues the PASV command. The server
then replies in step 2 with PORT 2024, telling the client which port it is listening to for the data
connection. In step 3 the client initiates the data connection from its data port to the specified server
data port. Finally, the server sends back an ACK in step 4 to the client's data port.
While passive mode FTP solves many of the problems from the client side, it opens up a whole range
of problems on the server side. The biggest issue is the need to allow any remote connection to high
numbered ports on the server. Fortunately, many FTP daemons, including the popular WU-FTPD
allow the administrator to specify a range of ports which the FTP server will use. The second issue
involves supporting and troubleshooting clients which do (or do not) support passive mode. As an
example, the command line FTP utility provided with Solaris does not support passive mode,
necessitating a third-party FTP client, such as ncftp. With the massive popularity of the World Wide
Web, many people prefer to use their web browser as an FTP client. Most browsers only support
passive mode when accessing ftp:// URLs. This can either be good or bad depending on what the
servers and firewalls are configured to support.
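The PORT/PASV exchange above, worked through in code. This is an added example, not material from the study guide: it parses the client's PORT command and the server's 227 passive-mode reply in their RFC 959 wire form (h1,h2,h3,h4,p1,p2 with port = p1*256 + p2), reports which side has to initiate the data connection, and checks an announced passive port against the range an administrator configured on the daemon. The sample commands and the function names are this example's own.

```python
"""Added example (not from the study guide): decide which side must open the FTP
data connection in active vs. passive mode, and check the server's announced
passive port against an administrator-configured range.

Assumptions: RFC 959 encodes an address as h1,h2,h3,h4,p1,p2 with
port = p1*256 + p2, and the passive-mode reply carries code 227. The sample
commands below are constructed; the function names are this example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass

ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass
class DataChannel:
    mode: str       # "active" or "passive"
    initiator: str  # side that opens the data connection
    ip: str         # endpoint that accepts the data connection
    port: int


def _decode(text: str) -> tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', port)."""
    m = ADDR_RE.search(text)
    if not m:
        raise ValueError(f"malformed host-port string: {text!r}")
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        raise ValueError("field out of range (each must be 0-255)")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port_command(line: str) -> DataChannel:
    """Active mode: the client sends PORT, so the server must connect out
    (from its port 20) to the client's listening port."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    ip, port = _decode(line[5:])
    return DataChannel("active", "server", ip, port)


def parse_pasv_reply(line: str) -> DataChannel:
    """Passive mode: the server answers 227 with the port it listens on, so
    the client connects to that high port on the server."""
    if not line.startswith("227"):
        raise ValueError("not a 227 Entering Passive Mode reply")
    ip, port = _decode(line)
    return DataChannel("passive", "client", ip, port)


def client_firewall_sees_inbound(chan: DataChannel) -> bool:
    """The guide's client-side problem: only active mode makes the client's
    firewall see an outside host opening a connection inward."""
    return chan.initiator == "server"


def firewall_rule(chan: DataChannel) -> str:
    """The hole a server-side firewall must leave open for this transfer."""
    if chan.mode == "active":
        return f"allow server:20 -> {chan.ip}:{chan.port} (server initiates)"
    return f"allow any -> server {chan.ip}:{chan.port} (client initiates)"


def pasv_port_in_range(chan: DataChannel, low: int, high: int) -> bool:
    """Check that a passive data port lies inside the range configured on the
    daemon, so the firewall can be limited to that range instead of every
    port > 1024."""
    return chan.mode == "passive" and low <= chan.port <= high


if __name__ == "__main__":
    # Constructed exchange: ports 1027 and 2024 match the guide's step diagrams.
    active = parse_port_command("PORT 192,0,2,10,4,3")
    passive = parse_pasv_reply("227 Entering Passive Mode (198,51,100,5,7,232)")
    print(active.port, firewall_rule(active), client_firewall_sees_inbound(active))
    print(passive.port, firewall_rule(passive), pasv_port_in_range(passive, 2000, 2100))
```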
IP spoofing
There is a range of attacks that take advantage of the ability to forge (or 'spoof') your IP address. While
a source address is sent along with every IP packet, it isn't actually used for routing. This means an
intruder can pretend to be you when talking to a server. The intruder never sees the response packets
(although your machine does, but throws them away because they don't match any requests you've
sent). The intruder won't get data back this way, but can still send commands to the server pretending
to be you.
TCP sequence number prediction
In the startup of a TCP connection, you must choose a sequence number for your end, and the server
must choose a sequence number for its end. Older TCP stacks choose predictable sequence numbers,
allowing intruders to create TCP connections from a forged IP address (for which they will never see
the response packets) that presumably will bypass security.
DNS poisoning through sequence prediction
DNS servers will "recursively" resolve DNS names. Thus, the DNS server that satisfies a client request
will itself become a client to the next server in the recursive chain. The sequence numbers it uses are
predictable. Thus, an intruder can send a request to the DNS server and then send it a forged response
that pretends to come from the next server in the chain. The server will believe the forged response, and use it to satisfy other
clients.
Packet sniffing
Packet sniffing is a form of wire-tap applied to computer networks. It came into vogue with Ethernet,
which is known as a "shared medium" network. This means that traffic on a segment passes by all
hosts attached to that segment. Ethernet cards have a filter that prevents the host machine from seeing
traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone’s traffic.
Today's networks are increasingly employing "switch" technology, preventing this technique from
being as successful as in the past. It is still useful, though, as it is becoming increasingly easy to install
remote sniffing programs on servers and routers, through which a lot of traffic flows.
Today's networks may already contain built-in sniffing modules. Most hubs support the RMON
standard, which allows the intruder to sniff remotely using SNMP, which has weak authentication.
Many corporations employ Network Associates "Distributed Sniffer Servers", which are set up with
easy to guess passwords. Windows NT machines often have a "Network Monitoring Agent" installed,
which again allows for remote sniffing.
Packet sniffing is difficult to detect, but it can be done. The popularity of packet sniffing stems from
the fact that it sees everything. Typical items sniffed include:
SMTP, POP, IMAP traffic - Allows the intruder to read the actual e-mail.
POP, IMAP, HTTP Basic, Telnet authentication - Reads passwords off the wire in clear text.
SMB, NFS, FTP traffic - Reads files off the wire.
SQL database - Reads financial transactions and credit card numbers.
Not only can sniffing read information that helps break into a system, it is an intrusion by itself
because it reads the very files the intruder is interested in. This technique can be combined with active
transmissions for even more effective attacks.
Virtual LANs
A VLAN is a group of PCs, servers and other network resources that behave as if they were connected
to a single, network segment even though they may not be. For example, all marketing personnel may
be spread throughout a building. Yet if they are all assigned to a single VLAN, they can share
resources and bandwidth as if they were connected to the same segment. The resources of other
departments can be invisible to the marketing VLAN members, accessible to all, or accessible only to
specified individuals, at the IT manager's discretion.
This logical grouping of network nodes helps free IT managers from the restrictions of their existing
network design and cabling infrastructure. It offers a fundamental improvement in the ease with which
LANs can be designed, administered and managed. Since VLANs are software-based, they allow the
network structure to quickly and easily adapt to the addition, relocation or reorganization of nodes. No
longer does each change require a visit to the wiring closet.
Equally important, VLANs help meet performance needs by segmenting the network more effectively.
Unlike standard switching, they restrict the dissemination of broadcast as well as node-to-node traffic,
so the burden of extraneous traffic is reduced throughout the network. Security can also be improved.
Since all packets traveling between VLANs may also pass through a router, standard router-based
security measures can be implemented to restrict access as needed.
Benefits of VLANs
Flexible network segmentation
Users and resources that communicate most frequently with each other can be grouped into common
VLANs, regardless of physical location. Each group's traffic is largely contained within the VLAN,
reducing extraneous traffic and improving the efficiency of the whole network.
Simple management
The addition of nodes, as well as moves and other changes, can be dealt with quickly and conveniently
from the management console rather than the wiring closet.
Increased performance
VLANs free up bandwidth by limiting node-to-node and broadcast traffic throughout the network.
Better use of server resources
With a VLAN-enabled adapter, a server can be a member of multiple VLANs. This reduces the need to
route traffic to and from the server.
Enhanced network security
VLANs create virtual boundaries that can only be crossed through a router. So standard, router-based
security measures can be used to restrict access to each VLAN as required.
Basic models of VLAN
In general, there are three basic models for determining and controlling how a packet gets assigned to a
VLAN.
Port-based VLANs
In this implementation, the administrator assigns each port of a switch to a VLAN. For example, ports
1-3 might be assigned to the Sales VLAN, ports 4-6 to the Engineering VLAN and ports 7-9 to the
Administrative VLAN. The switch determines the VLAN membership of each packet by noting the
port on which it arrives.
When a user is moved to a different port of the switch, the administrator can simply reassign the new
port to the user's old VLAN. The network change is then completely transparent to the user, and the
administrator saves a trip to the wiring closet. However, this method has one significant drawback. If a
repeater is attached to a port on the switch, all of the users connected to that repeater must be members
of the same VLAN.
MAC address-based VLANs
The VLAN membership of a packet in this case is determined by its source or destination MAC
address. Each switch maintains a table of MAC addresses and their corresponding VLAN
memberships. A key advantage of this method is that the switch doesn't need to be reconfigured when
a user moves to a different port.
However, assigning VLAN membership to each MAC address can be a time consuming task. Also, a
single MAC address cannot easily be a member of multiple VLANs. This can be a significant
limitation, making it difficult to share server resources between more than one VLAN. (Although a
MAC address can theoretically be assigned to multiple VLANs, this can cause serious problems with
existing bridging and routing, producing confusion in switch forwarding tables.)
Layer 3 (or protocol)-based VLANs
With this method, the VLAN membership of a packet is based on protocols (IP, IPX, NetBIOS, etc.)
and Layer 3 addresses. This is the most flexible method and provides the most logical grouping of
users. An IP subnet or an IPX network, for example, can each be assigned their own VLAN.
Additionally, protocol-based membership allows the administrator to assign non-routable protocols,
such as NetBIOS or DECnet, to larger VLANs than routable protocols like IPX or IP. This maximizes
the efficiency gains that are possible with VLANs.
Another important distinction between VLAN implementations is the method used to indicate
membership when a packet travels between switches. Two methods exist: implicit and explicit.
Implicit
VLAN membership is indicated by the MAC address. In this case, all switches that support a particular
VLAN must share a table of member MAC addresses.
Explicit
A tag is added to the packet to indicate VLAN membership. Cisco ISL and the IEEE 802.1q VLAN
specifications both use this method.
To summarize, when a packet enters its local switch, the determination of its VLAN membership can
be port-based, MAC-based or protocol-based. When the packet travels to other switches, the
determination of VLAN membership for that packet can be either implicit (using the MAC address) or
explicit (using a tag that was added by the first switch). Port-based and protocol-based VLANs use
explicit tagging as their preferred indication method. MAC-based VLANs are almost always implicit.
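To make the explicit-tagging case concrete, here is an added example (not code from the study guide) that parses the IEEE 802.1Q tag carried in an Ethernet frame and then assigns VLAN membership in the order the summary above describes: a tag set by the first switch, otherwise a MAC-based table entry, otherwise the port-based assignment of the ingress port. The tag layout used (TPID 0x8100, then a 16-bit TCI of 3-bit priority, 1-bit DEI and 12-bit VLAN ID) is the standard's; the frames, tables and function names are constructed for this example.

```python
"""Added example (not from the study guide): read the explicit VLAN tag that
IEEE 802.1Q inserts into an Ethernet frame, then assign VLAN membership in
the order the guide's summary describes (tag from another switch first, then
the MAC table, then the ingress port).

Assumptions: the 802.1Q tag sits after the source MAC and is 4 bytes: TPID
0x8100 followed by a 16-bit TCI = 3-bit priority, 1-bit DEI, 12-bit VLAN ID;
VLAN ID 0 means "priority tag only, no VLAN". Frames, tables and function
names below are constructed for this example."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100


@dataclass
class FrameInfo:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    priority: Optional[int]
    ethertype: int
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(frame: bytes) -> FrameInfo:
    """Parse the Ethernet header and, if present, the 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = priority = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13        # top 3 bits
        vlan_id = tci & 0x0FFF      # low 12 bits (bit 12 is DEI, ignored here)
        offset = 18
    return FrameInfo(_mac(dst), _mac(src), vlan_id, priority, ethertype, frame[offset:])


def build_tagged_frame(dst: bytes, src: bytes, vlan_id: int, priority: int,
                       ethertype: int, payload: bytes) -> bytes:
    """Construct a tagged frame (used here only to make sample input)."""
    if not (0 <= vlan_id <= 4095 and 0 <= priority <= 7):
        raise ValueError("VLAN ID must be 0-4095 and priority 0-7")
    tci = (priority << 13) | vlan_id
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def assign_vlan(info: FrameInfo, ingress_port: int,
                port_vlans: dict[int, int], mac_vlans: dict[str, int]) -> int:
    """Membership decision: an explicit tag (VID 1-4094) wins because it was
    set by the first switch; otherwise a MAC-based table entry; otherwise the
    port-based assignment of the port the frame arrived on."""
    if info.vlan_id:                  # None or 0 both mean "no VLAN carried"
        return info.vlan_id
    if info.src_mac in mac_vlans:
        return mac_vlans[info.src_mac]
    return port_vlans[ingress_port]


# Constructed sample frames
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
TAGGED = build_tagged_frame(DST, SRC, vlan_id=100, priority=5,
                            ethertype=0x0800, payload=b"\x45\x00")
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + b"\x45\x00"

if __name__ == "__main__":
    print(parse_ethernet(TAGGED))
    print(assign_vlan(parse_ethernet(TAGGED), 1, {1: 10}, {}))
    print(assign_vlan(parse_ethernet(UNTAGGED), 2, {2: 20}, {"66:77:88:99:aa:bb": 30}))
```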
Network Address Translation (NAT)
NAT enables private IP addresses to be translated into public IP addresses for traffic to & from the
Internet, which is useful for sharing a single Internet connection that has only a single public IP address.
NAT consists of the following components:
1) Translation component.
2) Addressing component.
3) Name resolution component.
NAT does not support the following protocols:
1) Kerberos
2) IP security protocol (IPsec).
NAT Editors
When we have to translate and adjust the payload beyond the IP, TCP & UDP headers, a NAT
editor is required.
Windows 2000 includes a built-in NAT editor for the following protocols:
• FTP
• Internet Control Message Protocol (ICMP)
• Point to Point Tunneling Protocol (PPTP)
• NetBIOS over TCP/IP
Additionally, the NAT routing protocol includes proxy software for the following protocols:
• H.323
• DirectPlay
• Lightweight Directory Access Protocol (LDAP)-based Internet Locator Service (ILS)
registration
• Remote Procedure Call (RPC)
Internet Connection Sharing & NAT
To connect a small office or home network to the Internet, you can use either a routed or a translated
connection.
Routed connection
The computer running Windows 2000 Server acts as an IP router that forwards packets between the
internal network & the public Internet.
Translated connection
The computer running Windows 2000 Server acts as a network address translator. A translated
connection requires less knowledge of IP addressing & routing and provides a simplified
configuration for hosts and the Windows 2000 router.
Network intrusion detection system (NIDS)
An intrusion is somebody ("hacker" or "cracker") attempting to break into or misuse your system. The
word "misuse" is broad, and can cover anything from something as severe as stealing confidential data to something
minor such as misusing your email system for spam (though for many of us, that is a major issue!).
An "Intrusion Detection System (IDS)" is a system for detecting such intrusions.
Network intrusion detection systems (NIDS) monitor packets on the network wire and
attempt to discover if a hacker/cracker is attempting to break into a system (or cause a denial of
service attack). A typical example is a system that watches for a large number of TCP connection
requests (SYN) to many different ports on a target machine, thus discovering if someone is attempting
a TCP port scan. A NIDS may run either on the target machine, watching its own traffic (usually
integrated with the stack and services themselves), or on an independent machine promiscuously
watching all network traffic (hub, router, probe). Note that a "network" IDS monitors many machines,
whereas the others monitor only a single machine (the one they are installed on).
System integrity verifiers (SIV) monitor system files to find when an intruder changes them
(thereby leaving behind a backdoor). The most famous of such systems is "Tripwire". A SIV may
watch other components as well, such as the Windows registry and cron configuration, in order to
find well-known signatures. It may also detect when a normal user somehow acquires
root/administrator level privileges. Many existing products in this area should be considered "tools"
rather than complete "systems": i.e. something like "Tripwire" detects changes in critical system
components, but doesn't generate real-time alerts upon an intrusion.
Log file monitors (LFM) monitor log files generated by network services in a similar manner to
NIDS. These systems look for patterns in the log files that suggest an intruder is attacking. A typical
example would be a parser for HTTP server log files that looks for intruders who try well-known
security holes, such as the "phf" attack.
The primary ways an intruder can get into a system:
Physical Intrusion If an intruders have physical access to a machine (i.e. they can use the keyboard
or take apart the system), they will be able to get in. Techniques range from special privileges the
console has, to the ability to physically take apart the system and remove the disk drive (and read/write
it on another machine). Even BIOS protection is easy to bypass: virtually all BIOSes have backdoor
passwords.
System Intrusion This type of hacking assumes the intruder already has a low-privilege user
account on the system. If the system doesn't have the latest security patches, there is a good chance the
intruder will be able to use a known exploit in order to gain additional administrative privileges.
Remote Intrusion This type of hacking involves an intruder who attempts to penetrate a system
remotely across the network. The intruder begins with no special privileges. There are several forms of
this hacking. An intruder has a more difficult time if there is a firewall between him/her and the victim
machine.
Note that Network Intrusion Detection Systems are primarily concerned with Remote Intrusion.
How are intrusions detected?
Anomaly detection
The most common way people approach network intrusion detection is to detect statistical anomalies.
The idea behind this approach is to measure a "baseline" of such stats as CPU utilization, disk activity,
user logins, file activity, and so forth. Then, the system can trigger when there is a deviation from this
baseline.
The benefit of this approach is that it can detect the anomalies without having to understand the
underlying cause behind the anomalies. For example, let's say that you monitor the traffic from
individual workstations. Then, the system notes that at 2am, a lot of these workstations start logging
into the servers and carrying out tasks. This is something interesting to note and possibly take action
on.
Signature recognition
The majority of commercial products are based upon examining the traffic looking for well-known
patterns of attack. This means that for every hacker technique, the engineers code something into the
system for that technique.
This can be as simple as a pattern match. The classic example is to examine every packet on the wire
for the pattern "/cgi-bin/phf?", which might indicate somebody attempting to access this vulnerable
CGI script on a web-server. Some IDS systems are built from large databases that contain hundreds (or
thousands) of such strings. They just plug into the wire and trigger on every packet they see that
contains one of these strings.
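As an added illustration (not part of the original guide) of the two approaches just described, together with the log-file-monitor parser mentioned earlier: a small Python detector that scans HTTP access-log lines for the "/cgi-bin/phf?" signature and flags an observed count that deviates from a measured baseline. The log lines, addresses, rule names and baseline figures are all constructed for this example.

```python
import re
import statistics

# Constructed HTTP access-log lines in Common Log Format (not from the guide).
# The third line carries the classic "/cgi-bin/phf?" request the text mentions.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2003:14:02:11 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.7 - - [12/Mar/2003:14:02:15 +0000] "GET /images/logo.gif HTTP/1.0" 200 512
192.0.2.44 - - [12/Mar/2003:14:03:01 +0000] "GET /cgi-bin/phf?name=probe HTTP/1.0" 404 219
10.0.0.5 - - [12/Mar/2003:14:03:20 +0000] "GET /about.html HTTP/1.0" 200 884
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Signature database: (rule name, string that must appear in the request line).
# A commercial IDS would hold hundreds or thousands of such entries.
SIGNATURES = [
    ("phf CGI probe", "/cgi-bin/phf?"),
]


def parse_log(text):
    """Parse CLF lines into dicts; lines that do not parse are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def match_signatures(entries, signatures=SIGNATURES):
    """Signature recognition: report every request containing a known attack string."""
    alerts = []
    for e in entries:
        for name, pattern in signatures:
            if pattern in e["req"]:
                alerts.append({"rule": name, "src": e["ip"], "request": e["req"]})
    return alerts


def is_anomalous(baseline, observed, threshold=3.0):
    """Anomaly detection: compare an observed count (e.g. workstation logins in the
    02:00 hour) with the same measurement taken on previous days.
    Returns (flag, z_score). A baseline with zero spread is a special case:
    any deviation from it is then treated as anomalous."""
    if len(baseline) < 2:
        raise ValueError("need at least two baseline samples")
    mean = statistics.mean(baseline)
    sd = statistics.stdev(baseline)
    if sd == 0:
        return (observed != mean), (float("inf") if observed != mean else 0.0)
    z = (observed - mean) / sd
    return z > threshold, z


if __name__ == "__main__":
    for alert in match_signatures(parse_log(SAMPLE_LOG)):
        print("ALERT", alert)
    # Constructed baseline: logins seen in the 02:00 hour on each of the last 14 days.
    night_logins = [0, 1, 0, 0, 2, 0, 0, 1, 0, 0, 0, 1, 0, 0]
    print(is_anomalous(night_logins, 35))  # tonight: 35 workstations logging in
```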
Techniques used by a NIDS to match signatures
Traffic consists of IP datagrams flowing across a network. A NIDS is able to capture those packets as
they flow by on the wire. A NIDS includes a special TCP/IP stack that reassembles IP datagrams and
TCP streams. It then applies some of the following techniques:
Protocol stack verification A number of intrusions, such as "Ping-O-Death" and "TCP Stealth
Scanning", use violations of the underlying IP, TCP, UDP, and ICMP protocols in order to attack the
machine. A simple verification system can flag invalid packets. This can include valid but suspicious
behavior such as fragmented IP packets.
Application protocol verification A number of intrusions use invalid protocol behavior, such as
"WinNuke", which uses invalid NetBIOS protocol (adding OOB data), or DNS cache poisoning, which
has a valid but unusual signature. In order to effectively detect these intrusions, a NIDS must
reimplement a wide variety of application-layer protocols in order to detect suspicious or invalid
behavior.
Creating new loggable events A NIDS can be used to extend the auditing capabilities of your network
management software. For example, a NIDS can simply log all the application layer protocols used on
a machine. Downstream event log systems (WinNT Event, UNIX syslog, SNMP TRAPS, etc.) can
then correlate these extended events with other events on the network.
Honeypots
Honeypots are programs that pretend to be a service, but which do not advertise themselves. A
honeypot can be something as simple as one of the many BackOrifice emulators, or as complex as an
entire subnet of bogus systems installed for that purpose.
A Honeypot can be defined as "a security resource whose value lies in being probed, attacked or
compromised". This means that whatever we designate as a Honeypot, it is our expectation and goal to
have the system probed, attacked, and potentially exploited. Keep in mind, Honeypots are not a
solution. They do not 'fix' anything. Instead, Honeypots are tools. How you use that tool is up to you
and depends on what you are attempting to achieve. A Honeypot may be a system that merely emulates
other systems or applications, creates a jailed environment, or may be a standard built system.
Regardless of how you build and use the Honeypot, its value lies in the fact that it is attacked.
The Honeypot adds value to the security measures of an organization. Honeypots fall into two
categories. The first category, production Honeypots, can be thought of as 'law enforcement'; their job
is to detect and deal with bad guys. Traditionally, commercial organizations use production Honeypots
to help protect their networks. The second category, research Honeypots, are Honeypots designed to
gain information on the blackhat community. These Honeypots do not add direct value to a specific
organization. Instead they are used to research the threats organizations face, and how to better protect
against those threats. Think of them as 'counter-intelligence'; their job is to gain information on the
bad guys. This information is then used to protect against those threats. Traditionally, commercial
organizations do NOT use research Honeypots. Instead, organizations such as universities,
government, military, or security research organizations use them.
Value of Honeypots
Honeypots have certain advantages (and disadvantages) as security tools. It is the advantages that help
define the value of a Honeypot. The beauty of a Honeypot lies in its simplicity. It is a device intended
to be compromised, not to provide production services. This means there is little or no production
traffic going to or from the device. Any time a connection is sent to the Honeypot, this is most likely a
probe, scan, or even attack. Any time a connection is initiated from the Honeypot, this most likely
means the Honeypot was compromised. As there is little production traffic going to or from the
Honeypot, all Honeypot traffic is suspect by nature. Now, this is not always the case. Mistakes do
happen, such as an incorrect DNS entry or someone from accounting inputting the wrong IP address.
But in general, most Honeypot traffic represents unauthorized activity.
Because of this simplistic model, Honeypots have certain inherent advantages and disadvantages.
Advantages
Data Collection
Honeypots collect very little data, and what they do collect is normally of high value. This cuts the
noise level down and makes it much easier to collect and archive data. One of the greatest problems in
security is wading through gigabytes of data to find the data you need. Honeypots can give you the
exact information that you need, in a quick and easy to understand format.
Resources
Many security tools can be overwhelmed by bandwidth or activity. Network intrusion detection
devices may not be able to keep up with network activity, dropping packets and potentially missing
attacks. Centralized log servers may not be able to collect all the system events, potentially dropping
some events. Honeypots do not have this problem; they only capture what comes to them.
Disadvantages
Single Data Point
Honeypots all share one huge drawback; they are worthless if no one attacks them. Yes, they can
accomplish wonderful things, but if the attacker does not send any packets to the Honeypot, the
Honeypot will be blissfully unaware of any unauthorized activity.
Risk
Honeypots can introduce risk to your environment. Different Honeypots have different levels of risk.
Some introduce very little risk, while others give the attacker entire platforms from which to launch
new attacks. Risk is variable, depending on how one builds and deploys the Honeypot.
It is because of these disadvantages that Honeypots do not replace any security mechanisms. They can
only add value by working with existing security mechanisms.
Hardening
The process of hardening is that of identifying exactly what a specific machine will be used for and
removing or disabling all system components not necessary for that function. It is like turning a general
purpose computer into a single or limited purpose computer. Here we are building a system suitable
for use as a firewall or web server. The specific components left on a given machine will be determined
by the function or functions for which that computer will be used. Multiple Internet services may run
on a single hardened machine.
More generally, hardening may be treated as any and all of the steps used to tighten or improve the
security on a computer. Often included are limiting the user population, password policies, access
controls, user and group rights, and intrusion detection, which is treated separately.
It's preferable that a system being hardened should not be connected to a network until the hardening
process is complete. It should not be connected to a perimeter network or DMZ or whatever you call
your network segment that is directly connected to the Internet until the hardening is complete.
Building a hardened computer is not like installing a workstation or a test or experimental machine.
The first computer that should be hardened and will benefit most from being hardened is a firewall.
All computers with full time Internet connections should be protected by a firewall and hardened to
some degree.
What benefit is to be gained from removing features from a computer? A potential intruder's purposes
won't be the same as those for which a hardened machine is built. The fewer the general purpose
features on a specific computer, the harder it will be for an intruder to access it or to make effective use
of it once it is accessed. Hardening also makes it more difficult for internal staff to use a machine in
other than its intended fashion.
Removing functions is preferred to disabling them because part of the intent of hardening is to prevent
even root users from being able to re-enable functions by making simple configuration changes.
Depending on what software is left on the hardened machine and what firewall and network security
devices are in place, it may or may not be possible for a root user to reinstall the removed pieces. The
right network setup can make it effectively impossible for any user without access to local removable
media to add components to a system. Even where it is possible, it is obviously more difficult to obtain
the necessary pieces of some software, put them in the right places and change the corresponding
configuration files than it is to just change the configuration files.
Security through Obscurity
There is a concept that is sometimes severely criticized by members of the security community. It is
called security through obscurity. Often there is no security at all, but simply the placing of things in
obscure locations where it is hoped the wrong people won't find them. Some examples are public web
and FTP servers with no DNS entries. A little more obscure is a web server with no DNS entry running
on an odd port. Placing a sensitive document deep in an unlikely directory tree is another example.
These are all examples of security through obscurity that are rightly criticized as no security. In these
cases, it is likely to be simply a matter of time before the "hidden" resource is found by the unwanted.
With network and disk scanning tools it may not take long.
On the other hand, some perfectly valid security techniques are entirely dependent on obscurity for
their effectiveness. The obvious example is passwords. That is why so much training needs to go into
selecting good passwords. Users naturally tend to select passwords that are not obscure enough and
hence are easily guessed or found by password cracking programs.
Even where obscurity isn't an inherent part of the technique, it is a useful complement. Firewalls don't
depend on obscurity to work. Still no network administrator in his or her right mind would publicly
post a firewall's rule set or diagrams of their network's topology. Doing so doesn't automatically give
potential intruders entry the way possession of a password in the right location does. Such information
will, however, help intruders or at a minimum keep them from wasting time on well defended
resources. Properly configured web servers don't enable directory listings except in very special
circumstances. If someone is going to launch an application level attack against a web server, learning
what scripts or programs are available is the first essential step.
Hardening Requires Making Choices
Hardening a system is about making choices. Specific choices may make a system somewhat more
secure but also more difficult to use and administer. The choices appropriate to one site may not be
appropriate at another. The approach described here is moderately extreme; some may regard the
resulting systems as unusable. Sometimes the effort or added system maintenance burden will simply
not seem worth the limited gain in security. Every site needs to decide what security measures are
appropriate to the resources being protected. Technical security measures will not work if your own
staff actively opposes them.
CRYPTOGRAPHY
Cryptography is a branch of mathematics based on the transformation of data. It provides an important
tool for protecting information and is used in many aspects of computer security. For example,
cryptography can help provide data confidentiality, integrity, electronic signatures, and advanced user
authentication. Although modern cryptography relies upon advanced mathematics, users can reap its
benefits without understanding its mathematical underpinnings.
Basic Cryptographic Technologies
Cryptography relies upon two basic components: an algorithm (or cryptographic methodology) and a
key. In modern cryptographic systems, algorithms are complex mathematical formulae and keys are
strings of bits. For two parties to communicate, they must use the same algorithm (or algorithms that
are designed to work together). In some cases, they must also use the same key. Many cryptographic
keys must be kept secret; sometimes algorithms are also kept secret. There are two basic types of
cryptography: secret key systems (also called symmetric systems) and public key systems (also called
asymmetric systems). The table below compares some of the distinct features of secret and public key
systems. Both types of systems offer advantages and disadvantages. Often, the two are combined to
form a hybrid system that exploits the strengths of each type. To determine which type of cryptography
best meets its needs, an organization first has to identify its security requirements and operating
environment.
DISTINCT FEATURES     SECRET KEY CRYPTOGRAPHY        PUBLIC KEY CRYPTOGRAPHY
NUMBER OF KEYS        Single key.                    Pair of keys.
TYPES OF KEYS         Key is secret.                 One key is private, and one key is public.
PROTECTION OF KEYS    Disclosure and modification.   Disclosure and modification for private keys,
                                                     and modification for public keys.
RELATIVE SPEEDS       Faster.                        Slower.
Secret Key Cryptography
In secret key cryptography, two (or more) parties share the same key, and that key is used to encrypt
and decrypt data. As the name implies, secret key cryptography relies on keeping the key secret. If the
key is compromised, the security offered by cryptography is severely reduced or eliminated. Secret key
cryptography assumes that the parties who share a key rely upon each other not to disclose the key and
protect it against modification. The best known secret key system is the Data Encryption Standard
(DES). It is the most widely accepted publicly available cryptographic system today.
Public Key Cryptography
Public key cryptography uses a pair of keys for each party. One of the keys of the pair is "public" and
the other is "private." The public key can be made known to other parties; the private key must be kept
confidential and must be known only to its owner. Both keys, however, need to be protected against
modification. Public key cryptography is particularly useful when the parties wishing to communicate
cannot rely upon each other or do not share a common key. There are several public key cryptographic
systems. One of the first public key systems is RSA, which can provide many different security
services.
Hybrid Cryptographic Systems
Public and secret key cryptography have relative advantages and disadvantages. Although public key
cryptography does not require users to share a common key, secret key cryptography is much faster:
equivalent implementations of secret key cryptography can run 1,000 to 10,000 times faster than public
key cryptography. To maximize the advantages and minimize the disadvantages of both secret and
public key cryptography, a computer system can use both types in a complementary manner, with each
performing different functions. Typically, the speed advantage of secret key cryptography means that it
is used for encrypting data. Public key cryptography is used for applications that are less demanding of
a computer system's resources, such as encrypting the keys used by secret key cryptography (for
distribution) or signing messages.
Key Escrow
Since cryptography can provide extremely strong encryption, it can thwart the government's efforts to
lawfully perform electronic surveillance. For example, if strong cryptography is used to encrypt a
phone conversation, a court-authorized wiretap will not be effective. To meet the needs of the
government and to provide privacy, the federal government has adopted voluntary key escrow
cryptography. This technology allows the use of strong encryption, but also allows the government to
obtain decryption keys held by escrow agents.
Uses of Cryptography
Cryptography is used to protect data both inside and outside the boundaries of a computer system.
Outside the computer system, cryptography is sometimes the only way to protect data. While in a
computer system, data is normally protected with logical and physical access controls (perhaps
supplemented by cryptography). However, when in transit across communications lines or resident on
someone else's computer, data cannot be protected by the originator's logical or physical access
controls. Cryptography provides a solution by protecting data even when the data is no longer in the
control of the originator.
Data Encryption
One of the best ways to obtain cost effective data confidentiality is through the use of encryption.
Encryption transforms intelligible data, called plaintext, into an unintelligible form, called ciphertext.
This process is reversed through the process of decryption. Once data is encrypted, the ciphertext does
not have to be protected against disclosure. However, if ciphertext is modified, it will not decrypt
correctly. Both secret key and public key cryptography can be used for data encryption, although not
all public key algorithms provide for data encryption. To use a secret key algorithm, data is encrypted
using a key. The same key must be used to decrypt the data. When public key cryptography is used for
encryption, any party may use any other party's public key to encrypt a message; however, only the
party with the corresponding private key can decrypt, and thus read, the message. Since secret key
encryption is typically much faster, it is normally used for encrypting larger amounts of data.
Integrity
In computer systems, it is not always possible for humans to scan information to determine if data has
been erased, added, or modified. Even if scanning were possible, the individual may have no way of
knowing what the correct data should be. For example, "do" may be changed to "do not," or $1,000
may be changed to $10,000. It is therefore desirable to have an automated means of detecting both
intentional and unintentional modifications of data. While error detecting codes have long been used in
communications protocols (e.g., parity bits), these are more effective in detecting (and correcting)
unintentional modifications. They can be defeated by adversaries. Cryptography can effectively detect
both intentional and unintentional modification; however, cryptography does not protect files from
being modified. Both secret key and public key cryptography can be used to ensure integrity. Although
newer public key methods may offer more flexibility than the older secret key method, secret key
integrity verification systems have been successfully integrated into many applications. When secret
key cryptography is used, a message authentication code (MAC) is calculated from and appended to
the data. To verify that the data has not been modified at a later time, any party with access to the
correct secret key can recalculate the MAC. The new MAC is compared with the original MAC, and if
they are identical, the verifier has confidence that the data has not been modified by an unauthorized
party.
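An added Python example (not from the guide) of the secret-key integrity check just described: a MAC is calculated over the data with the shared key and appended, and the verifier recalculates it. The "$1,000 to $10,000" modification from the text is applied to show the check failing, and a plain CRC-32 is included for contrast, since an error-detecting code without a key can simply be recomputed by whoever modifies the data. The key and message are constructed values; the function names are my own.

```python
import hashlib
import hmac
import zlib

TAG_LEN = 32  # SHA-256 output size in bytes


def append_mac(key, data):
    """Calculate a MAC over the data with the shared secret key and append it."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(key, blob):
    """Recalculate the MAC and compare it with the appended one. Returns (ok, data)."""
    if len(blob) < TAG_LEN:
        return False, b""
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    # compare_digest runs in constant time, so timing reveals nothing about the tag
    return hmac.compare_digest(expected, tag), data


def append_crc(data):
    """A plain error-detecting code (CRC-32) for contrast: it needs no key."""
    return data + zlib.crc32(data).to_bytes(4, "big")


def verify_crc(blob):
    if len(blob) < 4:
        return False, b""
    data, crc = blob[:-4], blob[-4:]
    return zlib.crc32(data).to_bytes(4, "big") == crc, data


def substitute_amount(blob, tag_len, old, new):
    """Model the modification the text describes ($1,000 -> $10,000) on the data
    part only, leaving the appended tag untouched, which is all that someone
    without the secret key can do to a MAC-protected message."""
    data, tag = blob[:-tag_len], blob[-tag_len:]
    return data.replace(old, new) + tag


if __name__ == "__main__":
    key = b"constructed-shared-secret-key"   # in practice a random key agreed in advance
    message = b"Transfer $1,000 to account 42"
    protected = append_mac(key, message)
    print(verify_mac(key, protected))                                        # (True, ...)
    print(verify_mac(key, substitute_amount(protected, TAG_LEN, b"$1,000", b"$10,000")))  # (False, ...)
    # With a CRC the modified message can simply be re-checksummed and still verifies.
    print(verify_crc(append_crc(message.replace(b"$1,000", b"$10,000"))))   # (True, ...)
```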
Electronic Signature
An electronic signature is a cryptographic mechanism that performs a similar function to a written
signature. It is used to verify the origin and contents of a message. For example, a recipient of data
(e.g., an e-mail message) can verify who signed the data and that the data was not modified after being
signed. This also means that the originator (e.g., sender of an e-mail message) cannot falsely deny
having signed the data.
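An added Python example (not from the guide) that puts the Hybrid Cryptographic Systems, Data Encryption and Electronic Signature sections together: the bulk data is enciphered with a fresh secret session key, that short key is encrypted with the recipient's public key for distribution, and the sender signs what was sent so the recipient can verify origin and contents before decrypting. Textbook RSA with a small modulus and no padding, and a SHA-256 counter-mode stream cipher, stand in for DES/RSA with proper padding purely to keep the demo self-contained; all function names are my own.

```python
import hashlib
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit set, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Textbook RSA pair: public (e, n), private (d, n). 512-bit n only to keep the demo fast."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_sign(priv, data):
    """Signature = SHA-256 hash of the data raised to the private exponent (unpadded, illustrative)."""
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def rsa_verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def _keystream(key, nonce, length):
    """Secret-key stream cipher from SHA-256 in counter mode (stands in for DES/AES here)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hybrid_encrypt(recipient_pub, sender_priv, plaintext):
    """Fast secret-key encryption of the bulk data; public-key operations touch only
    the 32-byte session key and a hash."""
    e, n = recipient_pub
    session_key = secrets.token_bytes(32)       # fresh secret key for this message only
    nonce = secrets.token_bytes(16)
    ciphertext = _xor(plaintext, _keystream(session_key, nonce, len(plaintext)))
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)   # key wrapped with recipient's public key
    signature = rsa_sign(sender_priv, nonce + ciphertext)        # sender signs what is actually sent
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext, "signature": signature}


def hybrid_decrypt(recipient_priv, sender_pub, msg):
    """Verify origin and integrity first, then unwrap the session key and decrypt."""
    if not rsa_verify(sender_pub, msg["nonce"] + msg["ciphertext"], msg["signature"]):
        raise ValueError("signature check failed: message modified or not from the claimed sender")
    d, n = recipient_priv
    session_key = pow(msg["wrapped_key"], d, n).to_bytes(32, "big")
    return _xor(msg["ciphertext"], _keystream(session_key, msg["nonce"], len(msg["ciphertext"])))


if __name__ == "__main__":
    alice_pub, alice_priv = rsa_keygen()   # sender
    bob_pub, bob_priv = rsa_keygen()       # recipient
    sealed = hybrid_encrypt(bob_pub, alice_priv, b"Pay $1,000 to account 42")
    print(hybrid_decrypt(bob_priv, alice_pub, sealed))
```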
PKI
Certificates are fundamental elements of the Public Key Infrastructure (PKI). Certificates enable users
to log on with smart cards, send encrypted e-mail, and sign electronic documents. Certificates are
issued, managed, renewed, and revoked by certificate authorities. A certificate is a digital document
that attests to the binding of a public key to an entity. A certificate may consist of a public key signed
by a trusted entity. The most widely used structure and syntax for digital certificates is defined by the
International Telecommunication Union (ITU) in ITU-T recommendation X.509.
Creation of a certificate
Ø Generating a Key pair
Ø Collecting Required Information
Ø Requesting the Certificate
Ø Verifying the information
Ø Creating the Certificate
Ø Sending or Posting the Certificate
Certificate Enrollment
The process of obtaining a digital certificate is called certificate enrollment. There are
various enrollment methods, such as:
1) Web-based enrollment.
2) Client certificate enrollment.
3) Automated enrollment.
Physical Security
The physical facility is usually the building, other structure, or vehicle housing the system and network
components. Systems can be characterized, based upon their operating location, as static, mobile, or
portable. Static systems are installed in structures at fixed locations. Mobile systems are installed in
vehicles that perform the function of a structure, but not at a fixed location. Portable systems are not
installed in fixed operating locations. They may be operated in a wide variety of locations, including
buildings or vehicles, or in the open.
1. The physical characteristics of these structures and vehicles determine the level of such physical
threats as fire, roof leaks, or unauthorized access.
2. The facility's general geographic operating location determines the characteristics of natural threats,
which include earthquakes and flooding; man-made threats such as burglary, civil disorders, or
interception of transmissions; and damaging nearby activities, including toxic chemical spills,
explosions, fires, and electromagnetic interference from emitters, such as radars.
3. Supporting facilities are those services (both technical and human) that underpin the operation of the
system. The system's operation usually depends on supporting facilities such as electric power, heating
and air conditioning, and telecommunications. The failure or substandard performance of these
facilities may interrupt operation of the system and may cause physical damage to system hardware or
stored data.
Physical Access Controls
Physical access controls restrict the entry and exit of personnel (and often equipment and media) to and
from an area, such as an office building, suite, data center, or room containing a LAN server. The
controls over physical access to the elements of a system can include controlled areas, barriers that
isolate each area, entry points in the barriers, and screening measures at each of the entry points. In
addition, staff members who work in a restricted area serve an important role in providing physical
security, as they can be trained to challenge people they do not recognize. Physical access controls
should address not only the area containing system hardware, but also the locations of wiring used to
connect elements of the system, the electric power service, the air conditioning and heating plant,
telephone and data lines, backup media and source documents, and any other elements required for the
system's operation. This means that all the areas in the building(s) that contain system elements must
be identified.
It is also important to review the effectiveness of physical access controls in each area, both during
normal business hours and at other times, particularly when an area may be unoccupied. Effectiveness
depends on both the characteristics of the control devices used (e.g., keycard-controlled doors) and
their implementation and operation. Statements to the effect that "only authorized persons may enter
this area" are not particularly effective. Organizations should determine whether intruders can easily
defeat the controls, the extent to which strangers are challenged, and the effectiveness of other control
procedures. Factors like these modify the effectiveness of physical controls. The feasibility of
surreptitious entry also needs to be considered. For example, it may be possible to go over the top of a
partition that stops at the underside of a suspended ceiling or to cut a hole in a plasterboard partition in
a location hidden by furniture. If a door is controlled by a combination lock, it may be possible to
observe an authorized person entering the lock combination. If keycards are not carefully controlled,
an intruder may be able to steal a card left on a desk or use a card passed back by an accomplice.
Corrective actions can address any of the factors listed above. Adding an additional barrier reduces the
risk to the areas behind the barrier. Enhancing the screening at an entry point can reduce the number of
penetrations. For example, a guard may provide a higher level of screening than a keycard-controlled
door, or an anti-passback feature can be added. Reorganizing traffic patterns, work flow, and work
areas may reduce the number of people who need access to a restricted area. Physical modifications to
barriers can reduce the vulnerability to surreptitious entry. Intrusion detectors, such as closed-circuit
television cameras, motion detectors, and other devices, can detect intruders in unoccupied spaces.
Fire Safety Factors
Building fires are a particularly important security threat because of the potential for complete
destruction of hardware and data, and the risk to human life. Smoke, corrosive gases and high humidity
from a localized fire can damage systems throughout an entire building. Consequently, it is important
to evaluate the fire safety of buildings that house systems. The following are important factors in
determining the risks from fire.
Ignition Sources. Fires begin because something supplies enough heat to cause other materials to
burn. Typical ignition sources are failures of electric devices and wiring, carelessly discarded
cigarettes, improper storage of materials subject to spontaneous combustion, and improper operation
of heating devices.
Fuel Sources. If a fire is to grow, it must have a supply of fuel. Materials that burn to support its
growth require an adequate supply of oxygen. Once a fire becomes established, it depends on the
combustible materials in the building (referred to as the fire load) to support its further growth. The
more fuel per square meter, the more intense the fire will be.
Building Operation. If a building is well maintained and operated so as to minimize the accumulation
of fuel (such as maintaining the integrity of fire barriers), the fire risk will be minimized.
Building Occupancy. Some occupancies are inherently more dangerous than others because of an
above-average number of potential ignition sources. For example, a chemical warehouse may contain
an above-average fuel load.
Fire Detection. The more quickly a fire is detected, all other things being equal, the more easily it can
be extinguished, minimizing damage. It is also important to accurately pinpoint the location of the fire.
Fire Extinguishment. A fire will burn until it consumes all of the fuel in the building or until it is
extinguished. Fire extinguishment may be automatic, as with an automatic sprinkler system or a
HALON discharge system, or it may be performed by people using portable extinguishers, cooling the
fire site with a stream of water, by limiting the supply of oxygen with a blanket of foam or powder, or
by breaking the combustion chemical reaction chain. When properly installed, maintained, and
provided with an adequate supply of water, automatic sprinkler systems are highly effective in
protecting buildings and their contents. Nonetheless, one often hears uninformed persons speak of the
water damage done by sprinkler systems as a disadvantage. Fires that trigger sprinkler systems cause
the water damage. In short, sprinkler systems reduce fire damage, protect the lives of building
occupants, and limit the fire damage to the building itself. All these factors contribute to more rapid
recovery of systems following a fire. Each of these factors is important when estimating the occurrence
rate of fires and the amount of damage that will result. The objective of a fire-safety program is to
optimize these factors to minimize the risk of fire.
Failure of Supporting Utilities
Systems and the people who operate them need to have a reasonably well-controlled operating
environment. Consequently, failures of heating and air-conditioning systems will usually cause a
service interruption and may damage hardware. These utilities are composed of many elements, each
of which must function properly.
For example, the typical air-conditioning system consists of
(1) air handlers that cool and humidify room air,
(2) circulating pumps that send chilled water to the air handlers,
(3) chillers that extract heat from the water, and
(4) cooling towers that discharge the heat to the outside air.
Each of these elements has a mean-time-between-failures (MTBF) and a mean-time-to-repair (MTTR).
Using the MTBF and MTTR values for each of the elements of a system, one can estimate the
occurrence rate of system failures and the range of resulting service interruptions. This same line of
reasoning applies to electric power distribution, heating plants, water, sewage, and other utilities
required for system operation or staff comfort. By identifying the failure modes of each utility and
estimating the MTBF and MTTR, necessary failure threat parameters can be developed to calculate the
resulting risk. The risk of utility failure can be reduced by substituting units with lower MTBF values.
MTTR can be reduced by stocking spare parts on site and training maintenance personnel. The outages
resulting from a given MTBF can be reduced by installing redundant units under the assumption that
failures are distributed randomly in time. Each of these strategies can be evaluated by comparing the
reduction in risk with the cost to achieve it.
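An added worked example (not from the guide) of the MTBF/MTTR reasoning above, carried through for the four air-conditioning elements named in the text: each element's availability follows from its MTBF and MTTR under the stated assumption that failures are distributed randomly in time, the series chain multiplies those availabilities, and the two mitigations the text describes (stocking spares to cut MTTR, and adding a redundant unit) are compared by the downtime they remove. The MTBF/MTTR figures are constructed, and all names are my own.

```python
# Constructed figures: (element, MTBF in hours, MTTR in hours). Not from the guide.
AC_CHAIN = [
    ("air handler", 20000.0, 8.0),
    ("circulating pump", 15000.0, 4.0),
    ("chiller", 10000.0, 24.0),
    ("cooling tower", 30000.0, 12.0),
]
HOURS_PER_YEAR = 8760.0


def availability(mtbf, mttr):
    """Fraction of time one element is working, assuming failures arrive randomly in time."""
    return mtbf / (mtbf + mttr)


def failure_rate_per_year(mtbf):
    """Expected failures per year: the 'occurrence rate' the text refers to."""
    return HOURS_PER_YEAR / mtbf


def series_availability(chain):
    """The cooling service needs every element, so the availabilities multiply."""
    a = 1.0
    for _, mtbf, mttr in chain:
        a *= availability(mtbf, mttr)
    return a


def redundant_availability(mtbf, mttr, units=2):
    """N identical units with independent random failures; service stays up while any one works."""
    return 1.0 - (1.0 - availability(mtbf, mttr)) ** units


def expected_downtime_hours(a):
    """Service interruption per year implied by an availability figure."""
    return (1.0 - a) * HOURS_PER_YEAR


def evaluate_options(chain):
    """Compare the two mitigation strategies from the text, applied to the weakest element."""
    name, mtbf, mttr = min(chain, key=lambda e: availability(e[1], e[2]))
    base = series_availability(chain)
    rest = base / availability(mtbf, mttr)       # the chain with the weakest element factored out
    return {
        "weakest": name,
        "baseline_downtime_h": expected_downtime_hours(base),
        # spares on site and trained staff: repair takes half as long
        "halve_mttr_downtime_h": expected_downtime_hours(rest * availability(mtbf, mttr / 2)),
        # a second unit of the same kind, either one sufficient
        "redundant_unit_downtime_h": expected_downtime_hours(rest * redundant_availability(mtbf, mttr)),
    }


if __name__ == "__main__":
    for name, mtbf, mttr in AC_CHAIN:
        print(f"{name:17s} A={availability(mtbf, mttr):.6f} failures/yr={failure_rate_per_year(mtbf):.3f}")
    for k, v in evaluate_options(AC_CHAIN).items():
        print(k, v)
```

The figures the weighing of each option against its cost has to start from are the downtime hours; with these constructed inputs the chiller dominates, and a redundant chiller removes far more downtime than faster repair does.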
Structural Collapse
A building may be subjected to a load greater than it can support. Most commonly this is a result of an
earthquake, a snow load on the roof beyond design criteria, an explosion that displaces or cuts
structural members, or a fire that weakens structural members. Even if the structure is not completely
demolished, the authorities may decide to ban its further use, sometimes even banning entry to remove
materials. This threat applies primarily to high-rise buildings and those with large interior spaces
without supporting columns.
Plumbing Leaks
While plumbing leaks do not occur every day, they can be seriously disruptive. The building's
plumbing drawings can help locate plumbing lines that might endanger system hardware. These lines
include hot and cold water, chilled water supply and return lines, steam lines, automatic sprinkler lines,
fire hose standpipes, and drains. If a building includes a laboratory or manufacturing spaces, there may
be other lines that conduct water, corrosive or toxic chemicals, or gases. As a rule, analysis often
shows that the cost to relocate threatening lines is difficult to justify. However, the location of shutoff
valves and procedures that should be followed in the event of a failure must be specified. Operating
and security personnel should have this information immediately available for use in an emergency. In
some cases, it may be possible to relocate system hardware, particularly distributed LAN hardware.
Interception of Data
Depending on the type of data a system processes, there may be a significant risk if the data is
intercepted. There are three routes of data interception: direct observation, interception of data
transmission, and electromagnetic interception.
Direct Observation. System terminal and workstation display screens may be observed by
unauthorized persons. In most cases, it is relatively easy to relocate the display to eliminate the
exposure.
Interception of Data Transmissions. If an interceptor can gain access to data transmission lines, it
may be feasible to tap into the lines and read the data being transmitted. Network monitoring tools can
be used to capture data packets. Of course, the interceptor cannot control what is transmitted, and so
may not be able to immediately observe data of interest. However, over a period of time there may be a
serious level of disclosure. Local area networks typically broadcast messages. Consequently, all traffic,
including passwords, could be retrieved. Interceptors could also transmit spurious data on tapped lines,
either for purposes of disruption or for fraud.
Electromagnetic Interception. Systems routinely radiate electromagnetic energy that can be detected
with special-purpose radio receivers. Successful interception will depend on the signal strength at the
receiver location; the greater the separation between the system and the receiver, the lower the success
rate. TEMPEST shielding, of either equipment or rooms, can be used to minimize the spread of
electromagnetic signals. The signal-to-noise ratio at the receiver, determined in part by the number of
competing emitters, will also affect the success rate. The more workstations of the same type in the
same location performing "random" activity, the more difficult it is to intercept a given workstation's
radiation. On the other hand, the trend toward wireless (i.e., deliberate radiation) LAN connections
may increase the likelihood of successful interception.
Mobile and Portable Systems
The analysis and management of risk usually has to be modified if a system is installed in a vehicle or
is portable, such as a laptop computer. The system in a vehicle will share the risks of the vehicle,
including accidents and theft, as well as regional and local risks. Portable and mobile systems share an
increased risk of theft and physical damage. In addition, portable systems can be "misplaced" or left
unattended by careless users. Secure storage of laptop computers is often required when they are not in
use. If a mobile or portable system uses particularly valuable or important data, it may be appropriate
to either store its data on a medium that can be removed from the system when it is unattended or to
encrypt the data. In any case, the issue of how custody of mobile and portable computers is to be
controlled should be addressed. Depending on the sensitivity of the system and its application, it may
be appropriate to require briefings of users and signed briefing acknowledgments.
Approach to Implementation
Like other security measures, physical and environmental security controls are selected because they
are cost-beneficial. This does not mean that a user must conduct a detailed cost-benefit analysis for the
selection of every control. There are four general ways to justify the selection of controls:
1. They are required by law or regulation. Fire exit doors with panic bars and exit lights are examples
of security measures required by law or regulation. Presumably, the regulatory authority has
considered the costs and benefits and has determined that it is in the public interest to require the
security measure. A lawfully conducted organization has no option but to implement all required
security measures.
2. The cost is insignificant, but the benefit is material. A good example of this is a facility with a
key-locked, low-traffic door to a restricted area. The cost of keeping the door locked is minimal, but there
is a significant benefit. Once a significant benefit/minimal cost security measure has been identified,
no further analysis is required to justify its implementation.
3. The security measure addresses a potentially "fatal" security exposure but has a reasonable cost.
Backing up system software and data is an example of this justification. For most systems, the cost of
making regular backup copies is modest (compared to the costs of operating the system), the
organization would not be able to function if the stored data were lost, and the cost impact of the
failure would be material. In such cases, it would not be necessary to develop any further cost
justification for the backup of software and data. However, this justification depends on what
constitutes a modest cost, and it does not identify the optimum backup schedule. Broadly speaking, a
cost that does not require budgeting of additional funds would qualify.
4. The security measure is estimated to be cost-beneficial. If the cost of a potential security measure is
significant, and it cannot be justified by any of the first three reasons listed above, then its cost (both
implementation and ongoing operation) and its benefit (reduction in future expected losses) need to be
analyzed to determine if it is cost-beneficial. In this context, cost-beneficial means that the reduction in
expected loss is significantly greater than the cost of implementing the security measure. Arriving at
the fourth justification requires a detailed analysis. Simple rules of thumb do not apply. Consider, for
example, the threat of electric power failure and the security measures that can protect against such an
event. The threat parameters, rate of occurrence, and range of outage durations depend on the location
of the system, the details of its connection to the local electric power utility, the details of the internal
power distribution system, and the character of other activities in the building that use electric power.
The system's potential losses from service interruption depend on the details of the functions it
performs. Two systems that are otherwise identical can support functions that have quite different
degrees of urgency. Thus, two systems may have the same electric power failure threat and
vulnerability parameters, yet entirely different loss potential parameters. Furthermore, a number of
different security measures are available to address electric power failures. These measures differ in
both cost and performance. For example, the cost of an uninterruptible power supply (UPS) depends
on the size of the electric load it can support, the number of minutes it can support the load, and the
speed with which it assumes the load when the primary power source fails. An on-site power generator
could also be installed either in place of a UPS (accepting the fact that a power failure will cause a
brief service interruption) or in order to provide long-term backup to a UPS system. Design decisions
include the magnitude of the load the generator will support, the size of the on-site fuel supply, and the
details of the facilities to switch the load from the primary source or the UPS to the on-site generator.
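The MTBF/MTTR reasoning from the "Failure of Supporting Utilities" section and the cost-beneficial test of the fourth justification, worked through in one added example (not from the study guide). The chain follows the text's air-conditioning system; every MTBF, MTTR, cost and loss-per-hour figure, the 2x "significantly greater" margin, and the assumption that redundant units fail independently are constructed assumptions.

```python
"""Utility-failure risk from MTBF/MTTR, and the cost-beneficial test.

Added example, not from the study guide. The chain follows the text's
air-conditioning system (air handlers, pumps, chillers, cooling tower);
every MTBF, MTTR, cost and loss-per-hour figure is constructed.
"""
from dataclasses import dataclass, replace

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Element:
    name: str
    mtbf_h: float   # mean time between failures, hours
    mttr_h: float   # mean time to repair, hours
    units: int = 1  # identical units installed; one suffices to carry the load

    @property
    def unit_unavailability(self) -> float:
        """Steady-state fraction of time one unit is down."""
        return self.mttr_h / (self.mtbf_h + self.mttr_h)

    @property
    def unavailability(self) -> float:
        """Fraction of time the element cannot carry the load.

        With n redundant units all n must be down at once. This uses the
        text's assumption that failures are random in time and adds the
        assumption that units fail independently (no common-cause failure).
        """
        return self.unit_unavailability ** self.units


def system_unavailability(chain) -> float:
    """Series system: the room is cooled only while every element works."""
    available = 1.0
    for element in chain:
        available *= 1.0 - element.unavailability
    return 1.0 - available


def expected_outage_hours(chain) -> float:
    """Expected hours of service interruption per year."""
    return HOURS_PER_YEAR * system_unavailability(chain)


def worst_element(chain) -> str:
    """The element contributing most downtime: where to spend first."""
    return max(chain, key=lambda e: e.unavailability).name


def cost_beneficial(baseline, alternative, loss_per_hour, annual_cost, margin=2.0):
    """Fourth justification: the reduction in expected loss must be
    significantly greater than the measure's cost. 'Significantly' is
    modelled as a margin factor (assumption: benefit >= 2x cost).
    Returns (annual benefit, benefit/cost ratio, justified?)."""
    hours_saved = expected_outage_hours(baseline) - expected_outage_hours(alternative)
    benefit = hours_saved * loss_per_hour
    ratio = benefit / annual_cost
    return benefit, ratio, ratio >= margin


BASELINE = (
    Element("air handler", mtbf_h=20_000, mttr_h=8),
    Element("chilled-water pump", mtbf_h=15_000, mttr_h=4),
    Element("chiller", mtbf_h=6_000, mttr_h=48),
    Element("cooling tower", mtbf_h=30_000, mttr_h=24),
)
# Strategy 1: spare parts on site and trained staff cut chiller MTTR 48 h -> 12 h.
SPARES = tuple(replace(e, mttr_h=12) if e.name == "chiller" else e for e in BASELINE)
# Strategy 2: install a second chiller (redundant unit).
REDUNDANT = tuple(replace(e, units=2) if e.name == "chiller" else e for e in BASELINE)

if __name__ == "__main__":
    for label, chain in (("baseline", BASELINE), ("spares", SPARES), ("redundant", REDUNDANT)):
        print(f"{label:9s} {expected_outage_hours(chain):5.1f} h/yr, worst: {worst_element(chain)}")
    # Two otherwise identical systems whose functions differ in urgency.
    for system, loss in (("order entry", 5_000.0), ("archive search", 200.0)):
        for label, alt, cost in (("spares", SPARES, 8_000.0), ("2nd chiller", REDUNDANT, 50_000.0)):
            benefit, ratio, ok = cost_beneficial(BASELINE, alt, loss, cost)
            verdict = "cost-beneficial" if ok else "not justified"
            print(f"  {system}/{label}: ${benefit:,.0f}/yr vs ${cost:,.0f} -> {verdict} ({ratio:.1f}x)")
```

The same measure passes the test for the urgent system and fails it for the low-urgency one, which is the point the text makes about identical threat parameters with different loss potential.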
Interdependencies
Physical and environmental security measures rely on and support the proper functioning of many of
the other areas like:
Logical Access Controls. Physical security controls augment technical means for controlling access to
information and processing. Even if the most advanced and best-implemented logical access controls
are in place, if physical security measures are inadequate, logical access controls may be circumvented
by directly accessing the hardware and storage media. For example, a computer system may be
rebooted using different software.
Contingency Planning. A large portion of the contingency planning process involves the failure of
physical and environmental controls. Having sound controls, therefore, can help minimize losses from
such contingencies.
Identification and Authentication (I&A). Many physical access control systems require that people
be identified and authenticated. Automated physical security access controls can use the same types of
I&A as other computer systems. In addition, it is possible to use the same tokens (e.g., badges) as those
used for other computer-based I&A.
Other. Physical and environmental controls are also closely linked to the activities of the local guard
force, fire house, life safety office, and medical office. These organizations should be consulted for
their expertise in planning controls for the systems environment.
Cost Considerations
Costs associated with physical security measures range greatly. Useful generalizations about costs, are
therefore difficult. Some measures, such as keeping a door locked, may be a trivial expense. Other
features, such as fire-detection and -suppression systems, can be far more costly. Cost considerations
should include operation. For example, adding controlled-entry doors requires persons using the door
to stop and unlock it. Locks also require physical key management and accounting (and re-keying
when keys are lost or stolen). Often these effects will be inconsequential, but they should be fully
considered. As with other security measures, the objective is to select those that are cost-beneficial.
CONTINGENCIES AND DISASTERS
A computer security contingency is an event with the potential to disrupt computer operations, thereby
disrupting critical mission and business functions. Such an event could be a power failure, hardware
failure, fire, or storm. If the event is very destructive, it is often called a disaster. To avert potential
contingencies and disasters or minimize the damage they cause, organizations can take steps early to
control the event. Generally called contingency planning, this activity is closely related to incident
handling, which primarily addresses malicious technical threats such as hackers and viruses.
Contingency planning involves more than planning for a move offsite after a disaster destroys a data
center. It also addresses how to keep an organization's critical functions operating in the event of
disruptions, both large and small. This broader perspective on contingency planning is based on the
distribution of computer support throughout an organization.
The contingency planning process can be divided into six steps:
1. Identifying the mission- or business-critical functions.
2. Identifying the resources that support the critical functions.
3. Anticipating potential contingencies or disasters.
4. Selecting contingency planning strategies.
5. Implementing the contingency strategies.
6. Testing and revising the strategy.
Forensics
Technical evidence has become more important in proving criminal and civil cases. Its importance is
tied, in part, to advances in science and computer technology. It is extremely important that computer
evidence processing be done correctly in criminal cases. An essential part of any evidence processing
is the documentation of what was done. This is important so that memories can be refreshed as to the
steps taken and so the results of processing can be duplicated. This is especially true concerning the
processing of computer evidence.
The proper documentation of the steps taken during the evidence processing ranks as a top priority.
Good documentation tied to sound processing procedures is essential for success in computer crime
cases. Without the ability to reconstruct accurately what has been done, crucial evidence may be
subject to question. More important, the qualifications of the expert witness can become an issue if the
computer evidence processing was done haphazardly. Shortcuts should be avoided at all costs.
Adequate funding for the purchase of proper computer hardware, storage media and software should
not be an obstacle when it comes to law enforcement computer evidence processing.
Computer Time and Date Settings
The time and date that files were created can be important in cases involving computer evidence.
However, the accuracy of the time and date stamps on files is directly tied to the accuracy of the time
and date stored in the CMOS chip of the computer. Consequently, documenting the accuracy of these
settings on the seized computer is important. Without such information, it will be all but impossible to
validate the accuracy of the times and dates associated with relevant computer files. When the settings
on the computer are inaccurate, the times and dates associated with relevant files can be interpolated by
the computer specialist. Before running the computer or checking the time and date, making a bit
stream backup of the computer hard disk drive is important.
Hard Disk Partitions
The potential for hidden or missing data exists when computer hard disk drives are involved. As a
result, it is important to document the make, model and size of all hard disk drives contained in the
seized computers. This is accomplished by conducting a physical examination of the hard disk drive.
The factory information recorded on the outside of the hard disk drive should be documented.
Furthermore, a program like FDISK or PartInfo should be used to document the number and
size of partitions. It is important that hidden partitions and data are found and documented.
Operating System and Version
The seized computer may rely upon one or more operating systems. The operating system(s) involved
should be documented. On DOS and Windows-based computers this can be determined by examining
the boot sector of each partition. The results of findings should be noted and the software and version
used should be documented. The versions of the software used should also be retained and stored with
the documentation.
Data and Operating System Integrity
The accuracy of any data found will be directly tied to the integrity of the operating system, directory,
FAT and data storage areas. Therefore, it is important to document the results of running a program
like DOS ScanDisk and/or DOS CHKDSK. In the event errors are found, they should be
documented. At the discretion of the computer specialist, errors should be corrected and/or repaired.
Any such corrective actions taken should be documented and the version of the software used should
be retained and stored with the documentation.
Computer Virus Evaluation
It is important that computer viruses are not introduced into the seized computer storage devices by the
computer specialist. Consequently, all processing software should be scanned by a certified virus
scanning utility, e.g., McAfee, Norton and Dr. Solomon, etc. Ideally two separate virus scanning
utilities should be used and the results of the scan should be documented. The seized computer hard
disk drives and floppy diskettes should also be scanned and any viruses found should be documented.
At the discretion of the computer specialist the computer virus should be removed. As with the other
software used, the version of the software used should be retained and stored with the documentation.
It is also important to realize that infected programs and word processing files can be stored within
compressed files, e.g., zip files. Some computer virus scanning programs automatically search inside
zip files, other programs do not evaluate the contents of zip files. This should be taken into account
regarding the creation of documentation.
File Catalog
The files stored on the computer hard disk drive(s) and floppy diskettes should be listed and cataloged.
The dates and times that the files were created and/or updated should also be recorded. Many times
relevant leads can be obtained through the sorting of the files by file date and time. The combination of
such information from multiple computers seized as evidence in the same case can also prove valuable
for leads. Such information can be helpful in documenting a conspiracy when sorted file dates and
times are evaluated.
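The "Computer Time and Date Settings" and "File Catalog" steps above, as an added example that is not part of the study guide: it catalogs files from a constructed stand-in for a mounted drive image (the bit-stream backup, never the live seized machine), corrects each timestamp by the documented CMOS clock error, and merges the catalogs of several seized computers into one timeline. The directory layout, file times and the two-hour clock error are constructed.

```python
"""File catalog with clock-error correction, as used in evidence processing.

Added example, not from the study guide. All paths, times and the clock
error are constructed; the temporary tree stands in for a mounted image.
"""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable


@dataclass(frozen=True)
class Entry:
    computer: str              # evidence label of the seized machine
    path: str                  # path relative to the mount point
    size: int
    mtime_recorded: datetime   # modification time as stored on the disk
    mtime_corrected: datetime  # recorded time minus the documented clock error


def catalog(computer: str, root: str, clock_error: timedelta) -> list[Entry]:
    """Walk root and list every file with recorded and corrected times.

    clock_error is the documented offset of the seized computer's CMOS clock,
    (clock reading) - (reference time) measured at seizure. A clock running
    two hours fast has clock_error = +2 h, so true time = recorded - error.
    """
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            recorded = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            entries.append(Entry(computer, os.path.relpath(full, root), st.st_size,
                                 recorded, recorded - clock_error))
    return entries


def timeline(catalogs: Iterable[list[Entry]]) -> list[Entry]:
    """Merge catalogs from several computers, ordered by corrected time."""
    merged = [e for c in catalogs for e in c]
    return sorted(merged, key=lambda e: (e.mtime_corrected, e.computer, e.path))


def make_sample_tree(spec: dict[str, tuple[str, int]]) -> str:
    """Constructed stand-in for a mounted image: {relpath: (utc_mtime_iso, size)}."""
    root = tempfile.mkdtemp(prefix="evidence_")
    for rel, (iso, size) in spec.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"x" * size)
        ts = datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()
        os.utime(full, (ts, ts))
    return root


def demo() -> list[Entry]:
    """Two seized computers; A's clock was documented two hours fast, B's correct."""
    root_a = make_sample_tree({
        "docs/plan.doc": ("2003-03-10T14:00:00", 120),
        "docs/letter.doc": ("2003-03-10T13:45:00", 80),
    })
    root_b = make_sample_tree({
        "mail/outbox.txt": ("2003-03-10T11:50:00", 40),
    })
    return timeline([catalog("A", root_a, timedelta(hours=2)),
                     catalog("B", root_b, timedelta(0))])


if __name__ == "__main__":
    for e in demo():
        print(f"{e.mtime_corrected:%Y-%m-%d %H:%M} (recorded {e.mtime_recorded:%H:%M}) "
              f"{e.computer}:{e.path} {e.size} B")
```

Sorting by recorded time would place B's message before both of A's files; after correcting A's fast clock, B's message falls between them, which is why the clock accuracy must be documented before file dates are used as leads.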
Software Licensing
The essential software tools used in computer evidence processing are relatively inexpensive and some
software companies support law enforcement agencies with free and discounted forensic software. Be
sure that you are licensed to use the software and document that fact in your reports. Also, be sure to
register your software with the software publisher after purchase.
Retention of Software, Input Files and Output Files
As technology moves forward most software manufacturers enhance and upgrade their software. Over
the course of just one year a program will probably be upgraded several times. Therefore, it is
important that you retain the exact version and copy of software used in the processing of computer
evidence. The recommended storage media is a Jaz disk (by Iomega) or another external storage
device that allows file access.
COMPUTER SECURITY RISK MANAGEMENT
Risk is the possibility of something adverse happening. Risk management is the process of assessing
risk, taking steps to reduce risk to an acceptable level and maintaining that level of risk. Though
perhaps not always aware of it, individuals manage risks every day. Actions as routine as buckling a
car safety belt, carrying an umbrella when rain is forecast, or writing down a list of things to do rather
than trusting to memory fall into the purview of risk management. People recognize various threats to
their best interests and take precautions to guard against them or to minimize their effects.
Risk Assessment
Risk assessment, the process of analyzing and interpreting risk, is comprised of three basic activities:
(1) Determining the assessment's scope and methodology;
(2) Collecting and analyzing data;
(3) Interpreting the risk analysis results.
Determining the Assessment's Scope and Methodology
The assessment may be focused on certain areas where either the degree of risk is unknown or is
known to be high. Different parts of a system may be analyzed in greater or lesser detail. Defining the
scope and boundary can help ensure a cost-effective assessment. Factors that influence scope include
what phase of the life cycle a system is in. Methodologies can be formal or informal, detailed or
simplified, high or low level, quantitative (computationally based) or qualitative (based on descriptions
or rankings), or a combination of these. No single method is best for all users and all environments.
How the boundary, scope, and methodology are defined will have major consequences in terms of
(1) the total amount of effort spent on risk management and
(2) the type and usefulness of the assessment's results.
The boundary and scope should be selected in a way that will produce an outcome that is clear,
specific, and useful to the system and environment under scrutiny.
Collecting and Analyzing Data
Risk has many different components: assets, threats, vulnerabilities, safeguards, consequences, and
likelihood. This examination normally includes gathering data about the threatened area and
synthesizing and analyzing the information to make it useful. Because it is possible to collect much
more information than can be analyzed, steps need to be taken to limit information gathering and
analysis. This process is called screening. A risk management effort should focus on those areas that
result in the greatest consequence to the organization.
A risk management methodology does not necessarily need to analyze each of the components of risk
separately. For example, assets/consequences or threats/likelihoods may be analyzed together.
Asset Valuation. These include the information, software, personnel, hardware, and physical assets
(such as the computer facility). The value of an asset consists of its intrinsic value and the near-term
impacts and long-term consequences of its compromise.
Consequence Assessment. The consequence assessment estimates the degree of harm or loss that
could occur. Consequences refer to the overall, aggregate harm that occurs, not just to the near-term or
immediate impacts. While such impacts often result in disclosure, modification, destruction, or denial
of service, consequences are the more significant long-term effects, such as lost business, failure to
perform the system's mission, loss of reputation, violation of privacy, injury, or loss of life. The more
severe the consequences of a threat, the greater the risk to the system (and, therefore, the organization).
Threat Identification. A threat is an entity or event with the potential to harm the system. Typical
threats are errors, fraud, disgruntled employees, fires, water damage, hackers, and viruses. Threats
should be identified and analyzed to determine the likelihood of their occurrence and their potential to
harm assets. In addition to looking at "big-ticket" threats, the risk analysis should investigate areas that
are poorly understood, new, or undocumented. If a facility has a well-tested physical access control
system, less effort to identify threats may be warranted for it than for unclear, untested software
backup procedures. The risk analysis should concentrate on those threats most likely to occur and
affect important assets. In some cases, determining which threats are realistic is not possible until after
the threat analysis is begun.
Safeguard Analysis. A safeguard is any action, device, procedure, technique, or other measure that
reduces a system's vulnerability to a threat. Safeguard analysis should include an examination of the
effectiveness of the existing security measures. It can also identify new safeguards that could be
implemented in the system; however, this is normally performed later in the risk management process.
Vulnerability Analysis. A vulnerability is a condition or weakness in (or absence of) security
procedures, technical controls, physical controls, or other controls that could be exploited by a threat.
Vulnerabilities are often analyzed in terms of missing safeguards. Vulnerabilities contribute to risk
because they may "allow" a threat to harm the system.
Likelihood Assessment. Likelihood is an estimation of the frequency or chance of a threat happening.
A likelihood assessment considers the presence, tenacity, and strengths of threats.
Interpreting Risk Analysis Results
The risk assessment is used to support two related functions:
1. The acceptance of risk
2. The selection of cost-effective controls.
To accomplish these functions, the risk assessment must produce a meaningful output that reflects
what is truly important to the organization. Limiting the risk interpretation activity to the most
significant risks is another way that the risk management process can be focused to reduce the overall
effort while still yielding useful results. If risks are interpreted consistently across an organization, the
results can be used to prioritize systems to be secured.
Risk Mitigation
Risk mitigation involves the selection and implementation of security controls to reduce risk to a level
acceptable to management, within applicable constraints. Although there is flexibility in how risk
assessment is conducted, the sequence of identifying boundaries, analyzing input, and producing an
output is quite natural. The process of risk mitigation has greater flexibility, and the sequence will
differ more, depending on organizational culture and the purpose of the risk management.
AWARENESS, TRAINING, AND EDUCATION
People, who are all fallible, are usually recognized as one of the weakest links in securing systems. The
purpose of computer security awareness, training, and education is to enhance security by:
1. Improving awareness of the need to protect system resources.
2. Developing skills and knowledge so computer users can perform their jobs more securely.
3. Building in-depth knowledge, as needed, to design, implement, or operate security programs
for organizations and systems.
Making computer system users aware of their security responsibilities and teaching them correct
practices helps users change their behavior. It also supports individual accountability, which is one of
the most important ways to improve computer security. Without knowing the necessary security
measures (and how to use them), users cannot be truly accountable for their actions.