Loading...

Messages

Proposals

Stuck in your homework and missing deadline? Get urgent help in $10/Page with 24 hours deadline

Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.

Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support

Https cs signal army mil dodiaa default

23/10/2021 Client: muhammad11 Deadline: 2 Day

This is an electronic version of the print textbook. Due to electronic rights restrictions, some third party content may be suppressed. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. The publisher reserves the right to remove content from this title at any time if subsequent rights restrictions require it. For valuable information on pricing, previous editions, changes to current editions, and alternate formats, please visit www.cengage.com/highered to search by ISBN#, author, title, or keyword for materials in your areas of interest.

www.cengage.com/highered
This page intentionally left blank

Mark Ciampa, Ph.D.

Security+ Guide to Network Security Fundamentals

Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition

Mark Ciampa

Vice President, Editorial: Dave Garza

Executive Editor: Stephen Helba

Managing Editor: Marah Bellegarde

Senior Product Manager: Michelle Ruelos Cannistraci

Developmental Editor: Deb Kaufmann

Editorial Assistant: Jennifer Wheaton

Vice President, Marketing: Jennifer Ann Baker

Marketing Director: Deborah S. Yarnell

Associate Marketing Manager: Erica Ropitzky

Production Director: Wendy Troeger

Production Manager: Andrew Crouth

Senior Content Project Manager: Andrea Majot

Senior Art Director: Jack Pendleton

© 2012, 2009, 2005, 2003 Course Technology, Cengage Learning

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at

Cengage Learning Customer & Sales Support, 1-800-354-9706

For permission to use material from this text or product,

submit all requests online at cengage.com/permissions

Further permissions questions can be emailed to

permissionrequest@cengage.com

Library of Congress Control Number: 2011931202

ISBN-13: 978-1-111-64012-5

ISBN-10: 1-111-64012-2

Course Technology 20 Channel Center Street Boston, MA 02210 USA

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international.cengage.com/region

Cengage Learning products are represented in Canada by Nelson Education, Ltd.

For your lifelong learning solutions, visit www.cengage.com/coursetechnology

Purchase any of our products at your local college store or at our preferred online store www.cengagebrain.com

Visit our corporate website at www.cengage.com

Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.

Any fictional data related to persons, companies or URLs used throughout this book is intended for instructional purposes only. At the time this book was printed, any such data was fictional and not belonging to any real persons or companies.

Course Technology and the Course Technology logo are registered trademarks used under license.

Course Technology, a part of Cengage Learning, reserves the right to revise this publication and make changes from time to time in its content without notice.

The programs in this book are for instructional purposes only. They have been tested with care, but are not guaranteed for any particular intent beyond educational purposes. The author and the publisher do not offer any warranties or representations, nor do they accept any liabilities with respect to the programs.

Printed in the United States of America 1 2 3 4 5 6 7 12 11

www.cengage.com/coursetechnology
www.cengagebrain.com
www.cengage.com
Brief Contents

INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

CHAPTER 1 Introduction to Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

CHAPTER 2 Malware and Social Engineering Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

CHAPTER 3 Application and Network Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

CHAPTER 4 Vulnerability Assessment and Mitigating Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

CHAPTER 5 Host, Application, and Data Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

CHAPTER 6 Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

CHAPTER 7 Administering a Secure Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

CHAPTER 8 Wireless Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

CHAPTER 9 Access Control Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

CHAPTER 10 Authentication and Account Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

CHAPTER 11 Basic Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

CHAPTER 12 Advanced Cryptography. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449

CHAPTER 13 Business Continuity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487

CHAPTER 14 Risk Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533

APPENDIX A CompTIA SY0-301 Certification Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567

APPENDIX B Downloads and Tools for Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579

APPENDIX C Security Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581

APPENDIX D Selected TCP/IP Ports and Their Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585

APPENDIX E Sample Internet and E-Mail Acceptable Use Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589

APPENDIX F Information Security Community Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595

GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597

INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609

iii

This page intentionally left blank

Table of Contents

INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

CHAPTER 1 Introduction to Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Challenges of Securing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Today’s Security Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Difficulties in Defending Against Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

What Is Information Security? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Defining Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Information Security Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Understanding the Importance of Information Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Who Are the Attackers? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Hackers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Script Kiddies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Spies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Insiders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Cybercriminals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Cyberterrorists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Attacks and Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Steps of an Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Defenses Against Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Layering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Diversity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Obscurity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Simplicity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

CHAPTER 2 Malware and Social Engineering Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Attacks Using Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Malware That Spreads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Malware That Conceals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Malware That Profits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Social Engineering Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Psychological Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Physical Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

v

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

CHAPTER 3 Application and Network Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Application Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Web Application Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Client-Side Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Buffer Overflow Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Network Attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Denial of Service (DoS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Interception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Poisoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Attacks on Access Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

CHAPTER 4 Vulnerability Assessment and Mitigating Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Vulnerability Assessment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 What Is Vulnerability Assessment? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 Assessment Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Assessment Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Vulnerability Scanning vs. Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 What Is Vulnerability Scanning? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Mitigating and Deterring Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Creating a Security Posture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Configuring Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

CHAPTER 5 Host, Application, and Data Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Securing the Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Securing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Securing the Operating System Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

vi Table of Contents

Securing with Anti-Malware Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Monitoring System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Application Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 Application Development Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

Securing Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

CHAPTER 6 Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Security Through Network Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Standard Network Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Network Security Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

Security Through Network Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224 Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224 Network Access Control (NAC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Security Through Network Design Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 Demilitarized Zone (DMZ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 Subnetting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 Virtual LANs (VLAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

CHAPTER 7 Administering a Secure Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Common Network Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251 Internet Control Message Protocol (ICMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Simple Network Management Protocol (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 Domain Name System (DNS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 File Transfer Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

Network Administration Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 Device Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 Network Design Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

Securing Network Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 IP Telephony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 Cloud Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Table of Contents vii

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

CHAPTER 8 Wireless Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Wireless Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 Attacks on Bluetooth Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 Wireless LAN Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

Vulnerabilities of IEEE 802.11 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 MAC Address Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 SSID Broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 Wired Equivalent Privacy (WEP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

Wireless Security Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308 Wi-Fi Protected Access (WPA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308 Wi-Fi Protected Access 2 (WPA2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310 Other Wireless Security Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330

CHAPTER 9 Access Control Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

What Is Access Control? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334 Access Control Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334 Access Control Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 Best Practices for Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

Implementing Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344 Access Control Lists (ACLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344 Group Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Account Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350 Terminal Access Control Access Control System (TACACS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Lightweight Directory Access Protocol (LDAP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

viii Table of Contents

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

CHAPTER 10 Authentication and Account Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Authentication Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367 What You Know: Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368 What You Have: Tokens and Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375 What You Are: Biometrics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382 Windows Live ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 OpenID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 Open Authorization (OAuth) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384

Account Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

Trusted Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402

CHAPTER 11 Basic Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

Defining Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407 What Is Cryptography? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407 Cryptography and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

Cryptographic Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Hash Algorithms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Symmetric Cryptographic Algorithms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 Asymmetric Cryptographic Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423

Using Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429 Encryption Through Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430 Hardware Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448

Table of Contents ix

CHAPTER 12 Advanced Cryptography. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449

Digital Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451 Defining Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451 Managing Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 Types of Digital Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457

Public Key Infrastructure (PKI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462 What Is Public Key Infrastructure (PKI)?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462 Public-Key Cryptographic Standards (PKCS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463 Trust Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465 Managing PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468

Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 Key Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 Key Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470 Key-Handling Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470

Transport Encryption Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472 Secure Sockets Layer (SSL)/Transport Layer Security (TLS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472 Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472 Hypertext Transport Protocol over Secure Sockets Layer (HTTPS) . . . . . . . . . . . . . . . . . . . . . . . . . . 473 IP Security (IPsec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486

CHAPTER 13 Business Continuity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487

What Is Business Continuity?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489

Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Disaster Recovery Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Redundancy and Fault Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494 Data Backups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501

Environmental Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504 Fire Suppression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505 Electromagnetic Interference (EMI) Shielding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508 HVAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509

Incident Response Procedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510 What Is Forensics? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510 Basic Forensics Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531

x Table of Contents

CHAPTER 14 Risk Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533

Controlling Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535

Reducing Risk Through Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539 What Is a Security Policy? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539 Balancing Trust and Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540 Designing a Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540 Types of Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544

Awareness and Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550 Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550 User Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551 Threat Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552 Training Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554

Chapter Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556

Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557

Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561

Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565

APPENDIX A CompTIA SY0-301 Certification Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567

APPENDIX B Downloads and Tools for Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579

APPENDIX C Security Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581

APPENDIX D Selected TCP/IP Ports and Their Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585

APPENDIX E Sample Internet and E-Mail Acceptable Use Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589

APPENDIX F Information Security Community Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595

GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597

INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609

Table of Contents xi

This page intentionally left blank

Introduction

Security continues to be a primary concern of computer professionals today, and with good reason. Consider the evidence: the number of malware attacks against online banking is increasing annually by 60,000, and 85 percent of banks reported that they have sustained losses based on these attacks.i

Over $41 billion have been lost by victims to the Nigerian General scam, which is the number one type of Internet fraud and is growing at a rate of 5 percent.ii Over 20 million new specimens of mal- ware, including new malware as well as variants of existing families, were created in one eight-month period, and the average number of new threats created and distributed each day has increased from 55,000 to 63,000.iii Due to the increased power of desktop computers to crack passwords, researchers now claim that any password of seven or fewer characters is “hopelessly inadequate.”iv And a com- puter connected to the Internet is probed by an attacker on average once every 39 seconds.v

As these types of attacks continue to escalate, the need for trained security personnel also increases. Unlike some information technology (IT) functions, security is neither being offshored nor out- sourced. Because security is such a critical element in an organization, security functions generally remain within the organization. In addition, security positions do not involve “on-the-job training” where untrained employees can learn as they go; the risk is simply too great.

It is important that individuals who want to be employed in the ever-growing field of information security be certified. IT employers demand and pay a premium for security personnel who have earned a security certification. Recent employment trends indicate that employees with security certi- fications are in high demand, with one study showing that security certifications will earn employees 10 to 14 percent more pay than their uncertified counterparts.vi The Computing Technology Indus- try Association (CompTIA) Security+ certification is a vendor-neutral credential internationally rec- ognized as validating a foundation level of security skills and knowledge.

xiii

Security+ Guide to Network Security Fundamentals, Fourth Edition is designed to equip learners with the knowledge and skills needed to be secure IT professionals. Yet it is more than merely an “exam prep” book. This text teaches the fundamentals of information security by using the Comp- TIA Security+ exam objectives as its framework. It takes an in-depth and comprehensive view of security by examining the attacks that are launched against networks and computer systems, the nec- essary defense mechanisms, and even offers end-user practical tools, tips, and techniques to counter attackers. Security+ Guide to Network Security Fundamentals, Fourth Edition is a valuable tool for those who want to learn about security and who desire to enter the field of information security by providing the foundation that will help prepare for the CompTIA Security+ certification exam.

Intended Audience This book is designed to meet the needs of students and professionals who want to master practical network and computer security. A basic knowledge of computers and networks is all that is required to use this book. Those seeking to pass the CompTIA Security+ certification exam will find the text’s approach and content especially helpful, because all Security+ SY0-301 exam objectives are covered (see Appendix A). (For more information on Security+ certification, visit CompTIA’s Web site at www.comptia.org.) However, Security+ Guide to Network Security Fundamentals, Fourth Edition is much more than an examination prep book; it also covers all aspects of network and computer security while satisfying the Security+ objectives.

The book’s pedagogical features are designed to provide a truly interactive learning experience to help prepare you for the challenges of network and computer security. In addition to the informa- tion presented in the text, each chapter includes Hands-On Projects that guide you through imple- menting practical hardware, software, network, and Internet security configurations step by step. Each chapter also contains case studies that place you in the role of problem solver, requiring you to apply concepts presented in the chapter to achieve successful solutions.

Chapter Descriptions Here is a summary of the topics covered in each chapter of this book:

Chapter 1, “Introduction to Security,” begins by explaining the challenge of information security and why it is important. This chapter also introduces information security terminology, defines who the attackers are, and gives an overview of attacks and defenses. In addition, it explains the CompTIA Security+ exam, and explores career options for those interested in mastering security skills.

Chapter 2, “Malware and Social Engineering Attacks,” examines attacks that use different types of malware, such as viruses, worms, Trojans, and botnets. It also looks at the different types of social engineering attacks.

Chapter 3, “Application and Network Attacks,” explores both Web application attacks (cross- site scripting, SQL, XML, and command injection attacks) along with client-side application attacks. It also looks at the attacks directed at networks.

Chapter 4, “Vulnerability Assessment and Mitigating Attacks,” gives an overview of vulnerability assessment techniques and tools. It also compares vulnerability scanning with penetration testing. The chapter closes by exploring mitigating and steps for deterring attacks.

Chapter 5, “Host, Application, and Data Security,” examines steps for securing host computer systems along with securing applications. It also explores how data can be secured.

xiv Introduction

www.comptia.org
Chapter 6, “Network Security,” explores how to secure a network through standard network devices, through network technologies, and by network design elements.

Chapter 7, “Administering a Secure Network,” looks at the techniques for administering a net- work. This includes understanding common network protocols, employing network design princi- ples, and securing network applications.

Chapter 8, “Wireless Network Security,” explores security in wireless local area network and personal area network environments. It investigates wireless attacks, the vulnerabilities of wireless networks, and enhanced security protections for personal users as well as for enterprises.

Chapter 9, “Access Control Fundamentals,” introduces the principles and practices of access con- trol by examining access control terminology, the three standard control models, and best prac- tices. It also covers implementing access control methods and explores authentication services.

Chapter 10, “Authentication and Account Management,” examines the definition of authentica- tion and explores authentication credentials. It also looks at single sign-on, account management, and trusted operating systems.

Chapter 11, “Basic Cryptography,” explores how encryption can be used to protect data. It cov- ers what cryptography is and how it can be used for protection, how to protect data using three common types of encryption algorithms, and how to use cryptography on file systems and disks to keep data secure.

Chapter 12, “Advanced Cryptography,” looks at practical methods for applying cryptography to protect data. The chapter explores digital certificates and how they can be used, public key infra- structure and key management, and how to use cryptography on data that is being transported.

Chapter 13, “Business Continuity,” covers the importance of keeping business processes and communications operating normally in the face of threats and disruptions. It explores disaster recovery, environmental controls, and incident response procedures.

Chapter 14, “Risk Mitigation,” looks at how organizations can control and reduce risk. It also explores how education and training can help provide the tools to users to maintain a secure environment within the organization.

Appendix A, “CompTIA SY0-301 Certification Examination Objectives,” provides a complete listing of the latest CompTIA Security+ certification exam objectives and shows the chapters and headings in the book that cover material associated with each objective.

Appendix B, “Downloads and Tools for Hands-On Projects,” lists the Web sites used in the chapter Hands-On Projects.

Appendix C, “Security Web Sites,” offers a listing of several important Web sites that contain security-related information.

Appendix D, “Selected TCP/IP Ports and Their Threats,” lists common TCP ports and their security vulnerabilities.

Appendix E, “Sample Internet and E-Mail Acceptable Use Policies,” gives a comprehensive exam- ple of two acceptable use policies.

Appendix F, “Information Security Community Site,” lists the features of the companion Web site for the textbook.

Features To aid you in fully understanding computer and network security, this book includes many features designed to enhance your learning experience.

Introduction xv

● Maps to CompTIA Objectives. The material in this text covers all of the CompTIA Security+ SY0-301 exam objectives.

● Chapter Objectives. Each chapter begins with a detailed list of the concepts to be mastered within that chapter. This list provides you with both a quick reference to the chapter’s contents and a useful study aid.

● Today’s Attacks and Defenses. Each chapter opens with a vignette of an actual security attack or defense mechanism that helps to introduce the material covered in that chapter.

● Illustrations and Tables. Numerous illustrations of security vulnerabilities, attacks, and defenses help you visualize security elements, theories, and concepts. In addition, the many tables provide details and comparisons of practical and theoretical information.

● Chapter Summaries. Each chapter’s text is followed by a summary of the concepts introduced in that chapter. These summaries provide a helpful way to review the ideas covered in each chapter.

● Key Terms. All of the terms in each chapter that were introduced with bold text are gathered in a Key Terms list with definitions at the end of the chapter, providing additional review and highlighting key concepts.

● Review Questions. The end-of-chapter assessment begins with a set of review questions that reinforce the ideas introduced in each chapter. These questions help you evaluate and apply the material you have learned. Answering these questions will ensure that you have mastered the important concepts and provide valuable practice for taking CompTIA’s Security+ exam.

● Hands-On Projects. Although it is important to understand the theory behind network security, nothing can improve on real-world experience. To this end, each chapter provides several Hands-On Projects aimed at providing you with practical security software and hardware implementation experience. These projects use the Windows 7 and Windows Server 2008 operating systems, as well as software downloaded from the Internet.

● Case Projects. Located at the end of each chapter are several Case Projects. In these extensive exercises, you implement the skills and knowledge gained in the chapter through real design and implementation scenarios.

New to this Edition ● Fully maps to the latest CompTIA Security+ exam SY0-301 ● Updated information on the latest security attacks and defenses ● Expanded in-depth coverage of topics such as virus infections, social engineering attacks,

SQL injection, and others ● New material on Web application attacks, client-side attacks, mobile device security, fuzz

testing, data loss prevention, cloud computing, and other topics ● Additional Hands-On Projects in each chapter covering some of the latest security software ● More Case Projects in each chapter ● Information Security Community Site activity in each chapter allows learners to interact with

other learners and security professionals from around the world

xvi Introduction

Text and Graphic Conventions Wherever appropriate, additional information and exercises have been added to this book to help you better understand the topic at hand. Icons throughout the text alert you to additional materials. The following icons are used in this textbook:

The Note icon draws your attention to additional helpful material related to the subject being described.

Tips based on the authors’ experience provide extra information about how to attack a problem or what to do in real-world situations.

The Caution icons warn you about potential mistakes or problems, and explain how to avoid them.

Each Hands-On activity in this book is preceded by the Hands-On icon and a description of the exercise that follows.

Case Project icons mark Case Projects, which are scenario-based assign- ments. In these extensive case examples, you are asked to implement inde- pendently what you have learned.

Security+ icons list relevant CompTIA Security+ SY0-301 exam objectives for each major chapter heading.

CertBlaster Test Prep Resources Security+ Guide to Network Security Fundamentals includes CertBlaster test preparation ques- tions that mirror the look and feel of the CompTIA Security+ certification exam. For additional information on the CertBlaster test preparation questions, go to http://www.dtipublishing.com.

To log in and access the CertBlaster test preparation questions for CompTIA’s Security+ Certifi- cation exam, please go to http://www.certblaster.com/cengage.htm.

To install CertBlaster:

1. Click the title of the CertBlaster test prep application you want to download.

2. Save the program (.EXE) file to a folder on your C: drive. (Warning: If you skip this step, your CertBlaster will not install correctly.)

3. Click Start and choose Run.

Introduction xvii

http://www.dtipublishing.com
http://www.certblaster.com/cengage.htm
4. Click Browse and then navigate to the folder that contains the .EXE file. Select the .EXE file and click Open.

5. Click OK and then follow the on-screen instructions.

6. When the installation is complete, click Finish.

7. Click Start, choose All programs, and click CertBlaster.

To register CertBlaster:

1. Open the CertBlaster test you want by double-clicking it.

2. In the menu bar, click File > Register Exam and enter the access code when prompted. Use the access code provided inside the card placed in the back of this book.

What’s New with CompTIA Security+ Certification The CompTIA Security+ SY0-301 exam was updated in May 2011. There are several significant changes to the exam objectives. The exam objectives have been reorganized in five domains: Net- work Security, Compliance and Operational Security, Threats and Vulnerabilities, Application, Data and Host Security, Access Control and Identity Management, and Cryptography. Each of the other domains has been reorganized and expanded to more accurately reflect current security issues and knowledge requirements. Finally, the exam objectives now place more importance on knowing “how to” rather than just knowing or recognizing security concepts.

Here are the domains covered on the new Security+ exam:

Domain % of examination

1.0 Network Security 21%

2.0 Compliance and Operational Security 18%

3.0 Threats and Vulnerabilities 21%

4.0 Application, Data, and Host Security 16%

5.0 Access Control and Identity Management 13%

6.0 Cryptography 11%

How To Become CompTIA Certified In order to become CompTIA certified, you must:

1. Select a testing center and a certification exam provider. For more information, visit the follow- ing Web site: http://certification.comptia.org/getCertified/steps_to_certification.aspx.

2. Register for and schedule a time to take the CompTIA certification exam at a convenient location.

3. Take and pass the CompTIA certification exam.

For more information about CompTIA’s certifications, please visit http://certification.comptia.org/ getCertified.aspx.

CompTIA is a nonprofit information technology (IT) trade association. To contact CompTIA with any questions or comments, call 866-835-8020 or visit http://certification.

comptia.org/contact.aspx. The Computing Technology Industry Association (CompTIA) is the voice of

xviii Introduction

http://certification.comptia.org/getCertified/steps_to_certification.aspx
http://certification.comptia.org/getCertified.aspx
http://certification.comptia.org/getCertified.aspx
http://certification.comptia.org/contact.aspx
http://certification.comptia.org/contact.aspx
the world’s information technology (IT) industry. Its members are the companies at the forefront of innovation and the professionals responsible for maximizing the benefits organizations receive from their investments in technology.

CompTIA is dedicated to advancing industry growth through its educational programs, market research, networking events, professional certifications, and public policy advocacy.

CompTIA is a not-for-profit trade information technology (IT) trade association. CompTIA’s cer- tifications are designed by subject matter experts from across the IT industry. Each CompTIA certi- fication is vendor-neutral, covers multiple technologies, and requires demonstration of skills and knowledge widely sought after by the IT industry.

Information Security Community Site Stay Secure with the Information Security Community Site! Connect with students, professors, and professional from around the world, and stay on top of this ever-changing field.

Visit www.cengage.com/community/infosec to do the following:

● Download resources such as instructional videos and labs. ● Ask authors, professors, and students the questions that are on your mind in our Discussion Forums. ● See up-to-date news, videos, and articles. ● Read weekly blogs from author Mark Ciampa. ● Listen to podcasts on the latest information security topics.

Each chapter includes information on a current security topic and asks the learner to post their reac- tions and comments to the Information Security Community Site. This allows users from around the world to interact and learn from other users as well as with security professionals and researchers.

Additional information can be found in Appendix F, Information Security Community Site.

Instructor’s Materials A wide array of instructor’s materials is provided with this book. The following supplemental mate- rials are available for use in a classroom setting. All the supplements available with this book are provided to the instructor on a single CD-ROM and online at the textbook’s Web site.

Electronic Instructor’s Manual. The Instructor’s Manual that accompanies this textbook includes the following items: additional instructional material to assist in class preparation, including sugges- tions for lecture topics, tips on setting up a lab for the Hands-On Projects, and solutions to all end-of-chapter materials.

ExamView Test Bank. This Windows-based testing software helps instructors design and admin- ister tests and pre-tests. In addition to generating tests that can be printed and administered, this full-featured program has an online testing component that allows students to take tests at the com- puter and have their exams automatically graded.

PowerPoint Presentations. This book comes with a set of Microsoft PowerPoint slides for each chapter. These slides are meant to be used as a teaching aid for classroom presentations, to be made available to students on the network for chapter review, or to be printed for classroom distri- bution. Instructors are also at liberty to add their own slides for other topics introduced.

Figure Files. All of the figures and tables in the book are reproduced on the Instructor Resources CD. Similar to PowerPoint presentations, these are included as a teaching aid for classroom presen- tation, to make available to students for review, or to be printed for classroom distribution.

Introduction xix

www.cengage.com/community/infosec
Instructor Resources CD (ISBN: 9781111640156) Please visit login.cengage.com and log in to access instructor-specific resources.

To access additional course materials, please visit www.cengagebrain.com. At the CengageBrain.com home page, search for the ISBN of your title (from the back cover of your book) using the search box at the top of the page. This will take you to the product page where these resources can be found.

Additional materials designed especially for you might be available for your course online. Go to www.cengage.com/coursetechnology and search for this book title periodically for more details.

Total Solutions for Security To access additional materials (including CourseMate, described in the next section), please visit www.cengagebrain.com. At the CengageBrain.com home page, search for the ISBN of your title (from the back cover of your book) using the search box at the top of the page. This will take you to the product page for your book, where you will be able to access these resources.

CourseMate

Security+ Guide to Network Security Fundamentals, Fourth Edition offers CourseMate, a comple- ment to your textbook. CourseMate includes the following:

● An interactive eBook, with highlighting, note-taking, and search capabilities. ● Interactive learning tools, including Quizzes, Flash Cards, PowerPoint slides, Glossary, and more! ● Engagement Tracker, a first-of-its-kind tool that monitors student engagement in the course.

Go to login.cengage.com to access the following resources:

● CourseMate Printed Access Code (ISBN: 9781111640231) ● CourseMate Instant Access Code (ISBN: 9781111640248)

Lab Manual for Security+ Guide to Network Security Fundamentals, Fourth Edition

Companion to Security+ Guide to Network Security Fundamentals, Fourth Edition. This Lab Manual contains over 60 labs to provide students with additional hands-on experience and to help prepare for the Security+ exam. The Lab Manual includes lab activities, objectives, materials lists, step-by-step procedures, illustrations, and review questions.

● Lab Manual (ISBN: 9781111640132)

CourseNotes

This laminated quick reference card reinforces critical knowledge for CompTIA’s Security+ exam in a visual and user-friendly format. CourseNotes will serve as a useful study aid, supplement to the textbook, or as a quick reference tool during the course and afterward.

● CourseNotes (ISBN: 9781111640347)

Web-Based Labs

Using a real lab environment over the Internet, students can log on anywhere, anytime via a Web browser to gain essential hands-on experience in security using labs from Security+ Guide to Network Security Fundamentals, Fourth Edition.

● Web-Based Labs (ISBN: 9781111640163)

xx Introduction

www.cengagebrain.com
www.cengage.com/coursetechnology
www.cengagebrain.com
dtiMetrics

dtiMetrics is an online testing system that automatically grades students and keeps class and student records. dtiMetrics tests against Cengage’s textbook as well as against the CompTIA Security+ certi- fication exam, including a quiz for each chapter in the book along with a mid-term and final exam. dtiMetrics is managed by the classroom instructor, who has 100 percent of the control, 100 percent of the time. It is hosted and maintained by dtiPublishing.

● dtiMetrics (ISBN: 9781111640330)

LabConnection

LabConnection provides powerful computer-based exercises, simulations, and demonstrations for hands-on skills courses such as this. It can be used as both a virtual lab and as a homework assign- ment tool, and provides automatic grading and student record maintenance. LabConnection maps directly to the textbook and provides remediation to the text and to the CompTIA Security+ certifi- cation exam. It includes the following features:

● Enhanced comprehension—Through the LabConnection labs and guidance, while in the virtual lab environment, the student develops skills that are accurate and consistently effective.

● Exercises—Lab Connection includes dozens of exercises that assess and prepare the learner for the virtual labs, establishing and solidifying the skills and knowledge required to complete the lab.

● Virtual labs—Labs consist of end-to-end procedures performed in a simulated environment where the student can practice the skills required of professionals.

● Guided learning—LabConnection allows learners to make mistakes but alerts them to errors made before they can move on to the next step, sometimes offering demonstrations as well.

● Video demonstrations—Video demonstrations guide the learners step-by step through the labs while providing additional insights to solidify the concepts.

● SCORM-compliant grading and record keeping—LabConnection will grade the exercises and record the completion status of the lab portion, easily porting to, and compatible with, dis- tance learning platforms.

● LabConnection Online (ISBN: 9781111640316) ● LabConnection on DVD (ISBN: 9781111640293)

Web Tutor for Blackboard

WebTutor for Blackboard is a content-rich, Web-based teaching and learning aid that reinforces and clarifies complex concepts while integrating into your Blackboard course. The WebTutor platform also provides rich communication tools for instructors and students, making it much more than an online study guide. Features include PowerPoint presentations, practice quizzes, and more, organized by chapter and topic.

WebTutor for Blackboard (ISBN: 9781111640354)

About the Author Mark Ciampa, Ph.D., Security+, is Assistant Professor of Computer Information Systems at Western Kentucky University in Bowling Green, Kentucky. Previously, he served as Associate Professor

Introduction xxi

and Director of Academic Computing for 20 years at Volunteer State Community College in Gallatin, Tennessee. Dr. Ciampa has worked in the IT industry as a computer consultant for the U.S. Postal Service, the Tennessee Municipal Technical Advisory Service, and the University of Tennessee. He is also the author of many Cengage/Course Technology textbooks, including: CWNA Guide to Wireless LANs, Second Edition; Guide to Wireless Communications; Security+ Guide to Network Security Fundamentals, Third Edition; Security Awareness: Applying Practical Security in Your World; and Networking BASICS. He holds a Ph.D. in digital communications systems from Indiana State University.

Acknowledgments A large team of dedicated professionals all contributed to the creation of this book. I am honored to be part of such an outstanding group of professionals, and to everyone on the team I extend my sincere thanks. A special thanks goes to Executive Editor Stephen Helba for giving me the opportu- nity to work on this project and for providing his continual support. Also thanks to Senior Product Manager Michelle Cannistraci who was very supportive and helped keep this fast-moving project on track, and to GreenPen QA for carefully reviewing the book and identifying many corrections. And a big Thank You to the team of peer reviewers who evaluated each chapter and provided very helpful suggestions and contributions: Angela Herring (Wilson Community College), Ahmad Nasraty (Heald University), Jerry Sherrod (Pellissippi State Community College), Richard Smolenski (Westwood College), and Bruce Waugh (Craven Community College).

Special recognition again goes to Developmental Editor Deb Kaufmann. She is everything—and more—that an author could ask for. Deb made many helpful suggestions, found all of my errors, watched every small detail, and somehow turned my words into a book. On top of it all, Deb is a joy to work with. Without question, Deb is simply the very best there is.

And finally, I want to thank my wonderful wife, Susan. Once again, she was patient and support- ive of me throughout this project. I could not have written this book without her by my side.

Dedication To Braden, Mia, and Abby.

To the User This book should be read in sequence, from beginning to end. Each chapter builds upon those that precede it to provide a solid understanding of networking security fundamentals. The book may also be used to prepare for CompTIA’s Security+ certification exam. Appendix A pinpoints the chapters and sections in which specific Security+ exam objectives are located.

Hardware and Software Requirements Following are the hardware and software requirements needed to perform the end-of-chapter Hands- On Projects:

● Microsoft Windows 7 ● Windows 2008 Server ● An Internet connection and Web browser ● Microsoft Office 2007 or Office 2003 ● Microsoft Office Outlook

xxii Introduction

Specialized Requirements Whenever possible, the needs for specialized requirements were kept to a minimum. The following chapter features specialized hardware:

● Chapter 6: An Active Directory environment and WSUS installed on a Windows Server 2008 server

Free Downloadable Software Requirements Free, downloadable software is required for the Hands-On Projects in the following chapters. Appen- dix B lists the Web sites where these can be downloaded.

Chapter 1:

● Secunia Personal Software Inspector ● Microsoft Windows Malicious Software Removal Tool

Chapter 2:

● Irongeek Thumbscrew ● Microsoft RootkitRevealer ● Wolfeye Keylogger

Chapter 3:

● GRC Securable

Chapter 4:

● GFI LANguard Vulnerability Scanner ● Unetbootin ● BackTrack

Chapter 6:

● ThreatFire ● K9 Web Protection

Chapter 7:

● Glub Secure FTP Client ● Google Namebench ● Gladinet ● VMware vCenter ● VMware Player

Chapter 8:

● Xirrus Wi-Fi Monitor ● Vistumbler ● KLC Consulting SMAC ● Virtual Router

Introduction xxiii

Chapter 10:

● KeePass Password Safe ● LastPass

Chapter 11:

● MD5DEEP ● Hash Tab ● TrueCrypt

Chapter 12:

● Comodo Digital Certificate

Chapter 13:

● Macrium Reflect ● Briggs Software Directory Snoop

References i. Lohrmann, Dan. “Should Governments Join Banks in Seeking Customers’ Help

Online?” Government Technology Blogs, July 30, 2010, accessed Feb. 28, 2011, http:// www.govtechblogs.com/lohrmann_on_infrastructure/2010/07/should-governments-join- banks.php.

ii. “419 Advance Fee Fraud Statistics 2009,” Jan. 2010, accessed Feb. 28, 2011, http:// www.ultrascan-agi.com/public_html/html/public_research_reports.html.

iii. Santana, Juan, “European commission suspends CO2 credit trading due to cyber- attack,” Panda Security Insight Blog, Jan. 25 2011, accessed Feb. 28 2011, http:// www.pandainsight.com/en/.

iv. “Case Study: Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World’s Password Security System,” Georgia Tech Research Institute, accessed Feb. 28, 2011, http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics- Processing-Units-GPUs-Password-Security-System.

v. Popa, Bogdan, “2,244 Hacker Attacks Per Day,” Softpedia, Feb. 9, 2007, accessed Feb. 28, 2011, http://news.softpedia.com/news/2-244-Hacker-Attacks-Per-Day-46688.shtml.

vi. “2011 IT Salary and Skills Pay Benchmark Survey Research,” accessed Feb. 28, 2011, http://www.footepartners.com/.

xxiv Introduction

http://www.govtechblogs.com/lohrmann_on_infrastructure/2010/07/should-governments-joinbanks.php
http://www.govtechblogs.com/lohrmann_on_infrastructure/2010/07/should-governments-joinbanks.php
http://www.govtechblogs.com/lohrmann_on_infrastructure/2010/07/should-governments-joinbanks.php
http://www.ultrascan-agi.com/public_html/html/public_research_reports.html
http://www.pandainsight.com/en/
http://www.pandainsight.com/en/
http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System
http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System
http://news.softpedia.com/news/2-244-Hacker-Attacks-Per-Day-46688.shtml
http://www.footepartners.com/
http://www.ultrascan-agi.com/public_html/html/public_research_reports.html
Today’s Security Imperative and Security Certification Contributed by Carol Balkcom, Director of Product Management, CompTIA Cyber security has become a U.S. national—and now international—concern as serious cyber attacks are being launched on banks and multi-national corporations across country boundaries. There has been a significant rise in security training and certification, worldwide. In fact, Security+ is the fastest growing certification in CompTIA’s certification portfolio. Organizations of every kind have realized that they can no longer afford to have IT staff who are not proven in the latest information security technologies and practices.

Today we see the impact of U.S. military requirements on certification; both military information assurance personnel and IT employees of government contractor companies who have contracts with the military are required to be certified, under the terms of their contracts. Included are many types of companies, from software, to systems integrators, to manufacture and service companies. Govern- ment agencies such as the U.S. State Department have special employee incentive programs in place; and governments and military from Canada to the Middle East have begun regular security training and certification in Security+.

Research Surveys show that criminal theft of information can be traced, in many cases, to human error within companies, or failure to have adequate security policies and training. CompTIA security research pub- lished in late 2010 shows that IT professionals attribute slightly more of the blame for security breaches to human error or shortcomings than technology shortcomings1. Additionally, the data sug- gests the human error factor is on the rise as a cause of security breaches.

“Vendor-Neutral” vs. “Vendor-Specific” Certification When an IT professional decides to complement his or her experience with certification, a vendor- neutral certification is often the first type of exam taken. A vendor-neutral exam is one that tests for knowledge of a subject across platforms and products—without being tied to any specific product— while validating baseline skills and knowledge in that subject area. CompTIA exams are vendor- neutral exams and serve that portion of the IT population who have a good foundation in their chosen field and want to become certified. Individuals who take CompTIA Security+ are serious about their role in information security. They typically have at least two years of hands-on technical security experience. They may have also taken an exam like CompTIA Network+ as a first entry into certification.

Who Is Becoming Certified There is a long list of employers where significant numbers of staff in IT roles are becoming Comp- TIA Security+ certified. Here are just a few of the significant ones:

Booz Allen Hamilton, HP, IBM, Motorola, Verisign, Telstra, Hitachi, Ricoh, Sharp, Lockheed Martin, Unisys, Hilton Hotels Corp., General Mills, U.S. Navy, Army, Air Force, and Marines.

1Eighth Annual Global Information Security Trends, November 2010.

Introduction xxv

While the majority of CompTIA Security+ certified professionals are in North America, there are growing numbers in over 100 countries, with a solid and growing base especially in Japan, the UK, Germany, Canada, and Southeast Asia. The need for information security training and certification has never been greater, and has become a worldwide issue.

xxvi Introduction

chapter1

Introduction to Security

After completing this chapter, you will be able to do the following:

● Describe the challenges of securing information ● Define information security and explain why it is important ● Identify the types of attackers that are common today ● List the basic steps of an attack ● Describe the five basic principles of defense

1

“Groundbreaking,” “amazing,” “never seen before,” “extremely impressive,” “clever,” “something out of a movie,” “scary,” “the most sophisticated malware ever,” “other attacks are child’s play compared to it….” These are just a few of the adjectives security researchers used to describe the Stuxnet malware.

The Stuxnet worm was first widely reported in mid-2010, although it’s now thought that it first appeared almost a year earlier. Shortly after it became widely recognized, Microsoft confirmed the worm was actively targeting Windows computers that man- aged large-scale industrial-control systems, which are often referred to as SCADA (Super- visory Control and Data Acquisition). SCADA can be found in military installations, oil pipeline control systems, manufacturing environments, and nuclear power plants. At first, it was thought that Stuxnet took advantage of a single, previously unknown, soft- ware vulnerability. Upon closer inspection, it was found that Stuxnet exploited four unknown vulnerabilities, something never seen before. (One of these vulnerabilities was “patched” in 2008 by Microsoft, but the fix was flawed and could still be exploited.)

Stuxnet, written in multiple languages, including C, C++, and other object-oriented languages, was introduced to industrial networks through infected Universal Serial Bus (USB) flash drives. It also used several tricks to avoid detection. Stuxnet had an internal counter that allowed it to spread to a maximum of three computers. This design ensured that it stayed only within the industrial facility and didn’t attract out- side attention. Also, because SCADA systems have no logging capabilities to record events and are rarely patched, the worm could live for a long period of time before being detected.

Using Windows vulnerabilities, Stuxnet performed an attack to gain administrative access to computers on the local network of an industrial plant and then looked for computers running SCADA. Next, it infected these SCADA computers—through two other vulnerabilities—and tried to break into the SCADA software by using the default passwords. Stuxnet was designed to alter the programmable logic control (PLC) software instructions of the SCADA systems, which would then give it power over the industrial machinery attached to the SCADA computers. This would put the entire facility under the control of the attacker, who could make the equipment operate in an unsafe manner, resulting in a massive explosion or even worse, a nuclear catastrophe.

It is speculated that Stuxnet’s primary target was the Iranian Bushehr nuclear power plant (almost six out of ten infected Stuxnet computers have been traced back to Iran). This reactor, located in southwestern Iran near the Persian Gulf, has been a source of tension between Iran and the West (including the United States) because of fear that

(continued)

Today’s Attacks and Defenses

2 Chapter 1 Introduction to Security

When historians reflect back on the early part of the twenty-first century, it is likely that one word will figure prominently: security. At no other time in the world’s history have we been forced to protect ourselves and our property from continual attacks by invisible foes. Suicide car bombings, subway massacres, airplane hijackings, random shootings, and guerrilla com- mando raids occur regularly around the world. To counteract this violence, governments and other organizations have implemented new types of security defenses. Passengers using public transportation are routinely searched. Fences are erected across borders. Telephone calls are monitored. The result is that these attacks and the security defenses have impacted almost every element of our daily lives and significantly affect how all of us work, play, and live.

One area that has also been an especially frequent target of attacks is information technology (IT). Seemingly endless arrays of attacks are directed at corporations, banks, schools, and indivi- duals through their computers, laptops, smartphones, pad computers, and similar technology devices. Internet Web servers must resist thousands of attacks daily. Identity theft has sky- rocketed. An unprotected computer connected to the Internet can be infected in less than one minute. One study found that over 48 percent of 22.7 million computers analyzed were infected with malware.1 Phishing, rootkits, back doors, social engineering, zombies, and botnets— virtually unheard of just a few years ago—are now part of our everyday information secu- rity vocabulary.

The need to defend against these attacks on our technology devices has created a new element of IT that is now at the very core of the entire industry. Known as information security, it is focused on protecting the electronic information of organizations and users.

The demand for IT professionals who know how to secure networks and computers is at an all-time high. Today, many businesses and organizations require employees as well as job applicants to demonstrate that they are familiar with computer security practices. To verify security competency, a vast majority of organizations use the CompTIA Security+ certifica- tion. As the most widely recognized vendor-neutral security certification, Security+ has become the security foundation for today’s IT professionals.

There are two broad categories of information security positions. Information security managerial positions include the administration and management of plans, policies, and peo- ple. Information security technical positions are concerned with the design, configuration,

spent fuel from the reactor could be reprocessed elsewhere in the country to produce weapons-grade plutonium for use in nuclear warheads. Some have even speculated that an unnamed government-sponsored team of programmers—or even teams from multiple opposition governments—created Stuxnet to cripple the Bushehr facility. Based on the complexity of the software, it is estimated that the cost for developing Stuxnet could have exceeded $4 million.

As far as can be determined, Stuxnet never did gain control of any SCADA systems or cause damage to industrial sites. No person or organization has yet stepped for- ward as the author of Stuxnet, so it remains cloaked in secrecy. Although we may not know who was behind it and why, Stuxnet is just one example of how extremely dangerous malicious software can be.

Introduction to Security 3

installation, and maintenance of technical security equipment. Within these two broad catego- ries, there are four generally recognized security positions:

● Chief Information Security Officer (CISO). This person reports directly to the CIO (large organizations may have more layers of management for reporting). Other titles used are Manager for Security and Security Administrator. They are responsible for the assessment, management, and implementation of security.

● Security manager. The security manager reports to the CISO and supervises technicians, administrators, and security staff. Typically, a security manager works on tasks identified by the CISO and resolves issues identified by technicians. This position requires an understanding of configuration and operation but not necessarily technical mastery.

● Security administrator. The security administrator has both technical knowledge and managerial skills. A security administrator manages daily operations of security technology, and may analyze and design security solutions within a specific entity as well as identify users’ needs.

● Security technician. This is generally an entry-level position for a person who has the necessary technical skills. Technicians provide technical support to configure security hardware, implement security software, and diagnose and troubleshoot problems.

Recent employment trends indicate that employees with security certifications are in high demand. As attacks continue to escalate, the need for trained security personnel also increases. Unlike some positions, security is being neither offshored nor outsourced. Because security is such a critical element in an organization, security positions generally remain within the organi- zation. In addition, security positions do not involve “on-the-job training” where a person can learn as they go; the risk is simply too great. IT employers want and pay a premium for certified security personnel.

A study by Foote Partners showed that security certifications will earn employees 10 to 14 percent more pay than their uncertified counterparts.2

The CompTIA Security+ Certification is a vendor-neutral credential that requires passing the current certification exam SY0-301. This exam is internationally recognized as validat- ing a foundation-level of security skills and knowledge. A successful candidate has the knowledge and skills required to identify risks and participate in risk mitigation activities; provide infrastructure, application, operational and information security; apply security controls to maintain confidentiality, integrity, and availability; identify appropriate tech- nologies and products; and operate with an awareness of applicable policies, laws, and regulations.

The CompTIA Security+ Certification is aimed at an IT security pro- fessional with the recommended background of a minimum of two years experience in IT administration with a focus on security. Such a professional is involved with daily technical information security experience, and has a broad knowledge of security concerns and implementation.

4 Chapter 1 Introduction to Security

1 This chapter introduces network security fundamentals that form the basis of the Security+ certification. It begins by examining the current challenges in computer security and why it is so difficult to achieve. It then describes information security in more detail and explores why it is important. Finally, the chapter looks at who is responsible for these attacks and at the fundamental defenses against attackers.

Challenges of Securing Information Although to a casual observer it may seem that there should be a straightforward solution to securing computers—such as using a better software product or creating a stronger password— in reality, there is no simple solution to securing information. This can be seen through the different types of attacks that users face today as well as the difficulties in defending against these attacks.

Today’s Security Attacks Despite the facts that information security continues to rank as the number one concern of IT managers and tens of billions of dollars are spent annually on computer security, the number of successful attacks continues to increase. Information regarding recent attacks includes the following:

Homework is Completed By:

Writer Writer Name Amount Client Comments & Rating
Instant Homework Helper

ONLINE

Instant Homework Helper

$36

She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up!

Order & Get This Solution Within 3 Hours in $25/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 3 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 6 Hours in $20/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 6 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 12 Hours in $15/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 12 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

6 writers have sent their proposals to do this homework:

Assignment Guru
Instant Assignments
Essay & Assignment Help
Professional Coursework Help
Financial Solutions Provider
Professional Accountant
Writer Writer Name Offer Chat
Assignment Guru

ONLINE

Assignment Guru

I have assisted scholars, business persons, startups, entrepreneurs, marketers, managers etc in their, pitches, presentations, market research, business plans etc.

$50 Chat With Writer
Instant Assignments

ONLINE

Instant Assignments

This project is my strength and I can fulfill your requirements properly within your given deadline. I always give plagiarism-free work to my clients at very competitive prices.

$28 Chat With Writer
Essay & Assignment Help

ONLINE

Essay & Assignment Help

This project is my strength and I can fulfill your requirements properly within your given deadline. I always give plagiarism-free work to my clients at very competitive prices.

$27 Chat With Writer
Professional Coursework Help

ONLINE

Professional Coursework Help

I have read your project details and I can provide you QUALITY WORK within your given timeline and budget.

$28 Chat With Writer
Financial Solutions Provider

ONLINE

Financial Solutions Provider

I have read your project details and I can provide you QUALITY WORK within your given timeline and budget.

$48 Chat With Writer
Professional Accountant

ONLINE

Professional Accountant

I am an elite class writer with more than 6 years of experience as an academic writer. I will provide you the 100 percent original and plagiarism-free content.

$35 Chat With Writer

Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.

Similar Homework Questions

Bs 970 817m40 equivalent - List of uk qualified solicitors - Recover hotmail account from years ago - Discussion - Concepts and theories in nursing - How to use a locking clip - Ostrich feeding and nutrition - Merrill lynch cash management account - Percy jackson chapter 3 questions and answers - You purchase a bond with an invoice price of - Features of a newspaper report - Three necessary ingredients for thunderstorm formation - Acap diploma of counselling - Vmware vcenter converter standalone product - International development job search - Barras bridge family court - Ssca group of schools - Tv news report script - Synthesis Paper - Syrian colloquial arabic mp3 - What are the advantages and disadvantages of easily obtainable information - Taking turns ja huss epub - What is a bailey in a motte and bailey castle - During a dysphoric manic episode the patient experiences mania and - Deakin computer science electives - Strengths and weaknesses of the american constitution - A Comprehensive Guide for Writing an Effective Essay - Aa sayings and slogans - Professional identity of a Nurse - Network - Planned termination in social work - Auto lead data format - During the year a company recorded prepayments of expenses - 7 3 skills practice similar triangles - An american childhood critical thinking answers - Discussion - Discussion 5 - Techniques used in guernica - I need 1300 words assignment to demonstrate the role and significance of continuous professional development and its benefits - Montoure company uses a perpetual inventory system - Neo scholasticism metaphysics - Literature Search, Rapid Critical Appraisal, and Summary - Vashisht gotra ki kuldevi - Three constraints placed on law enforcement - More than meets the eye worksheet answers - Ethnosemantics - Social change model of leadership 7 c's - Super teacher worksheets multiplication - Computer Science - How to write a poem about world war 1 - How to make a survivorship curve on excel - Lebron reverse celebration pack sample championship - Role of theory in research - Beautiful black lesbian seduces young girl - Persuasive speech on obesity - Cap coast netball association - The three crosses william lester - Mean Making 4-Brody - How to learn pig latin - Classes of stock outstanding of coca cola - Ethical autobiography example - A zero wage increase again - What is the paced decision making process - Leadership and management term paper - Rig veda creation hymn summary - Chisholm dandenong plumbing department - Manifest destiny - French revolution essay outline - My thought whose murder yet is but fantastical technique - The norm of voluntary participation threatens the social research goal of generalizability. - Persuasive articles herald sun - Dividing the World - Counseling Case Study - Jon by george saunders sparknotes - Video - Please strictly follow the instructions - Fry's third 100 words - Penn foster written communication writing assignment - Healthcare management resources - Introduction for time management - Major nerves that serve the following body areas - Module 4 Discussion - Shouts and murmurs submissions word count - Cafe menu reading strategies - Classification of food service establishment - What is the peak voltage of a 230v mains supply - CIFDQ6-2 - What milestones is starbucks known for - Montana 1948 truth quotes - Appendix sample in project report - EXPLAIN NOLA PENDER'S MODEL AND HOW CAN YOU APPLY IT TO YOUR NURSING PRACTICE. EXPLAIN IN 150 WORDS - HA560 Unit 2 Assignment - Annoated on cybersecurity - Musi20149 music psychology - Launchpad statistics answers - Client consultation form nails template - Building components ppt presentation - Bradfords mini digger hire - Ethics And Organizational Culture - Sunshine coast recycling centre