This is an electronic version of the print textbook. Due to electronic rights restrictions, some third party content may be suppressed. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. The publisher reserves the right to remove content from this title at any time if subsequent rights restrictions require it. For valuable information on pricing, previous editions, changes to current editions, and alternate formats, please visit www.cengage.com/highered to search by ISBN#, author, title, or keyword for materials in your areas of interest.
Mark Ciampa, Ph.D.
Security+ Guide to Network Security Fundamentals
Fourth Edition
Security+ Guide to Network Security Fundamentals, Fourth Edition
Mark Ciampa
Vice President, Editorial: Dave Garza
Executive Editor: Stephen Helba
Managing Editor: Marah Bellegarde
Senior Product Manager: Michelle Ruelos Cannistraci
Developmental Editor: Deb Kaufmann
Editorial Assistant: Jennifer Wheaton
Vice President, Marketing: Jennifer Ann Baker
Marketing Director: Deborah S. Yarnell
Associate Marketing Manager: Erica Ropitzky
Production Director: Wendy Troeger
Production Manager: Andrew Crouth
Senior Content Project Manager: Andrea Majot
Senior Art Director: Jack Pendleton
© 2012, 2009, 2005, 2003 Course Technology, Cengage Learning
ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.
For product information and technology assistance, contact us at
Cengage Learning Customer & Sales Support, 1-800-354-9706
For permission to use material from this text or product,
submit all requests online at cengage.com/permissions
Further permissions questions can be emailed to
permissionrequest@cengage.com
Library of Congress Control Number: 2011931202
ISBN-13: 978-1-111-64012-5
ISBN-10: 1-111-64012-2
Course Technology, 20 Channel Center Street, Boston, MA 02210, USA
Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international.cengage.com/region
Cengage Learning products are represented in Canada by Nelson Education, Ltd.
For your lifelong learning solutions, visit www.cengage.com/coursetechnology
Purchase any of our products at your local college store or at our preferred online store www.cengagebrain.com
Visit our corporate website at www.cengage.com
Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.
Any fictional data related to persons, companies or URLs used throughout this book is intended for instructional purposes only. At the time this book was printed, any such data was fictional and not belonging to any real persons or companies.
Course Technology and the Course Technology logo are registered trademarks used under license.
Course Technology, a part of Cengage Learning, reserves the right to revise this publication and make changes from time to time in its content without notice.
The programs in this book are for instructional purposes only. They have been tested with care, but are not guaranteed for any particular intent beyond educational purposes. The author and the publisher do not offer any warranties or representations, nor do they accept any liabilities with respect to the programs.
Printed in the United States of America 1 2 3 4 5 6 7 12 11
Brief Contents
INTRODUCTION ... xiii
CHAPTER 1 Introduction to Security ... 1
CHAPTER 2 Malware and Social Engineering Attacks ... 41
CHAPTER 3 Application and Network Attacks ... 81
CHAPTER 4 Vulnerability Assessment and Mitigating Attacks ... 123
CHAPTER 5 Host, Application, and Data Security ... 161
CHAPTER 6 Network Security ... 205
CHAPTER 7 Administering a Secure Network ... 249
CHAPTER 8 Wireless Network Security ... 291
CHAPTER 9 Access Control Fundamentals ... 331
CHAPTER 10 Authentication and Account Management ... 365
CHAPTER 11 Basic Cryptography ... 405
CHAPTER 12 Advanced Cryptography ... 449
CHAPTER 13 Business Continuity ... 487
CHAPTER 14 Risk Mitigation ... 533
APPENDIX A CompTIA SY0-301 Certification Exam Objectives ... 567
APPENDIX B Downloads and Tools for Hands-On Projects ... 579
APPENDIX C Security Web Sites ... 581
APPENDIX D Selected TCP/IP Ports and Their Threats ... 585
APPENDIX E Sample Internet and E-Mail Acceptable Use Policies ... 589
APPENDIX F Information Security Community Site ... 595
GLOSSARY ... 597
INDEX ... 609
Table of Contents
INTRODUCTION ... xiii
CHAPTER 1 Introduction to Security ... 1
  Challenges of Securing Information ... 5
    Today's Security Attacks ... 5
    Difficulties in Defending Against Attacks ... 8
  What Is Information Security? ... 11
    Defining Information Security ... 11
    Information Security Terminology ... 13
    Understanding the Importance of Information Security ... 16
  Who Are the Attackers? ... 20
    Hackers ... 20
    Script Kiddies ... 20
    Spies ... 20
    Insiders ... 20
    Cybercriminals ... 22
    Cyberterrorists ... 23
  Attacks and Defenses ... 23
    Steps of an Attack ... 23
  Defenses Against Attacks ... 25
    Layering ... 25
    Limiting ... 26
    Diversity ... 26
    Obscurity ... 26
    Simplicity ... 27
  Chapter Summary ... 27
  Key Terms ... 28
  Review Questions ... 29
  Hands-On Projects ... 32
  Case Projects ... 36
  References ... 39
CHAPTER 2 Malware and Social Engineering Attacks ... 41
  Attacks Using Malware ... 43
    Malware That Spreads ... 43
    Malware That Conceals ... 49
    Malware That Profits ... 52
  Social Engineering Attacks ... 57
    Psychological Approaches ... 58
    Physical Procedures ... 64
  Chapter Summary ... 66
  Key Terms ... 67
  Review Questions ... 68
  Hands-On Projects ... 72
  Case Projects ... 76
  References ... 78
CHAPTER 3 Application and Network Attacks ... 81
  Application Attacks ... 83
    Web Application Attacks ... 83
    Client-Side Attacks ... 91
    Buffer Overflow Attacks ... 96
  Network Attacks ... 97
    Denial of Service (DoS) ... 97
    Interception ... 98
    Poisoning ... 100
    Attacks on Access Rights ... 104
  Chapter Summary ... 105
  Key Terms ... 107
  Review Questions ... 108
  Hands-On Projects ... 112
  Case Projects ... 118
  References ... 121
CHAPTER 4 Vulnerability Assessment and Mitigating Attacks ... 123
  Vulnerability Assessment ... 125
    What Is Vulnerability Assessment? ... 125
    Assessment Techniques ... 131
    Assessment Tools ... 133
  Vulnerability Scanning vs. Penetration Testing ... 140
    What Is Vulnerability Scanning? ... 140
    Penetration Testing ... 141
  Mitigating and Deterring Attacks ... 143
    Creating a Security Posture ... 143
    Configuring Controls ... 143
    Hardening ... 144
    Reporting ... 144
  Chapter Summary ... 144
  Key Terms ... 146
  Review Questions ... 147
  Hands-On Projects ... 150
  Case Projects ... 156
  References ... 159
CHAPTER 5 Host, Application, and Data Security ... 161
  Securing the Host ... 163
    Securing Devices ... 163
    Securing the Operating System Software ... 171
    Securing with Anti-Malware Software ... 175
    Monitoring System Logs ... 178
  Application Security ... 181
    Application Development Security ... 182
  Securing Data ... 184
  Chapter Summary ... 186
  Key Terms ... 189
  Review Questions ... 190
  Hands-On Projects ... 193
  Case Projects ... 200
  References ... 203
CHAPTER 6 Network Security ... 205
  Security Through Network Devices ... 207
    Standard Network Devices ... 207
    Network Security Hardware ... 212
  Security Through Network Technologies ... 224
    Network Address Translation (NAT) ... 224
    Network Access Control (NAC) ... 226
  Security Through Network Design Elements ... 228
    Demilitarized Zone (DMZ) ... 228
    Subnetting ... 228
    Virtual LANs (VLAN) ... 231
    Remote Access ... 232
  Chapter Summary ... 232
  Key Terms ... 234
  Review Questions ... 235
  Hands-On Projects ... 238
  Case Projects ... 246
  References ... 248
CHAPTER 7 Administering a Secure Network ... 249
  Common Network Protocols ... 251
    Internet Control Message Protocol (ICMP) ... 252
    Simple Network Management Protocol (SNMP) ... 254
    Domain Name System (DNS) ... 254
    File Transfer Protocols ... 256
    IPv6 ... 259
  Network Administration Principles ... 260
    Device Security ... 261
    Network Design Management ... 265
    Port Security ... 267
  Securing Network Applications ... 269
    Virtualization ... 269
    IP Telephony ... 272
    Cloud Computing ... 273
  Chapter Summary ... 275
  Key Terms ... 277
  Review Questions ... 278
  Hands-On Projects ... 281
  Case Projects ... 288
  References ... 290
CHAPTER 8 Wireless Network Security ... 291
  Wireless Attacks ... 293
    Attacks on Bluetooth Devices ... 293
    Wireless LAN Attacks ... 296
  Vulnerabilities of IEEE 802.11 Security ... 302
    MAC Address Filtering ... 302
    SSID Broadcast ... 303
    Wired Equivalent Privacy (WEP) ... 305
  Wireless Security Solutions ... 308
    Wi-Fi Protected Access (WPA) ... 308
    Wi-Fi Protected Access 2 (WPA2) ... 310
    Other Wireless Security Steps ... 311
  Chapter Summary ... 314
  Key Terms ... 316
  Review Questions ... 317
  Hands-On Projects ... 320
  Case Projects ... 328
  References ... 330
CHAPTER 9 Access Control Fundamentals ... 331
  What Is Access Control? ... 334
    Access Control Terminology ... 334
    Access Control Models ... 336
    Best Practices for Access Control ... 341
  Implementing Access Control ... 344
    Access Control Lists (ACLs) ... 344
    Group Policies ... 345
    Account Restrictions ... 346
  Authentication Services ... 348
    RADIUS ... 348
    Kerberos ... 350
    Terminal Access Controller Access-Control System (TACACS) ... 351
    Lightweight Directory Access Protocol (LDAP) ... 352
  Chapter Summary ... 353
  Key Terms ... 354
  Review Questions ... 355
  Hands-On Projects ... 359
  Case Projects ... 362
  References ... 364
CHAPTER 10 Authentication and Account Management ... 365
  Authentication Credentials ... 367
    What You Know: Passwords ... 368
    What You Have: Tokens and Cards ... 375
    What You Are: Biometrics ... 378
  Single Sign-On ... 382
    Windows Live ID ... 383
    OpenID ... 384
    Open Authorization (OAuth) ... 384
  Account Management ... 385
  Trusted Operating Systems ... 387
  Chapter Summary ... 388
  Key Terms ... 390
  Review Questions ... 391
  Hands-On Projects ... 394
  Case Projects ... 400
  References ... 402
CHAPTER 11 Basic Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Defining Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
  What Is Cryptography? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
  Cryptography and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Cryptographic Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
  Hash Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
  Symmetric Cryptographic Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
  Asymmetric Cryptographic Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Using Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
  Encryption Through Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
  Hardware Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
CHAPTER 12 Advanced Cryptography. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
  Defining Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
  Managing Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
  Types of Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Public Key Infrastructure (PKI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
  What Is Public Key Infrastructure (PKI)? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
  Public-Key Cryptographic Standards (PKCS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
  Trust Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
  Managing PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
  Key Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
  Key Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
  Key-Handling Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Transport Encryption Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
  Secure Sockets Layer (SSL)/Transport Layer Security (TLS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
  Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
  Hypertext Transport Protocol over Secure Sockets Layer (HTTPS) . . . . . . . . . . . . . . . . . . . . . . . . . . 473
  IP Security (IPsec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
CHAPTER 13 Business Continuity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
What Is Business Continuity?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
  Disaster Recovery Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
  Redundancy and Fault Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
  Data Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Environmental Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
  Fire Suppression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
  Electromagnetic Interference (EMI) Shielding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
  HVAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Incident Response Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
  What Is Forensics? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
  Basic Forensics Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
CHAPTER 14 Risk Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Controlling Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Reducing Risk Through Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
  What Is a Security Policy? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
  Balancing Trust and Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
  Designing a Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
  Types of Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Awareness and Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
  Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
  User Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
  Threat Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
  Training Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Chapter Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
APPENDIX A CompTIA SY0-301 Certification Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
APPENDIX B Downloads and Tools for Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
APPENDIX C Security Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
APPENDIX D Selected TCP/IP Ports and Their Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
APPENDIX E Sample Internet and E-Mail Acceptable Use Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
APPENDIX F Information Security Community Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
Introduction
Security continues to be a primary concern of computer professionals today, and with good reason. Consider the evidence: the number of malware attacks against online banking is increasing annually by 60,000, and 85 percent of banks reported that they have sustained losses based on these attacks.[i]
Over $41 billion have been lost by victims to the Nigerian General scam, which is the number one type of Internet fraud and is growing at a rate of 5 percent.[ii] Over 20 million new specimens of malware, including new malware as well as variants of existing families, were created in one eight-month period, and the average number of new threats created and distributed each day has increased from 55,000 to 63,000.[iii] Due to the increased power of desktop computers to crack passwords, researchers now claim that any password of seven or fewer characters is “hopelessly inadequate.”[iv] And a computer connected to the Internet is probed by an attacker on average once every 39 seconds.[v]
As these types of attacks continue to escalate, the need for trained security personnel also increases. Unlike some information technology (IT) functions, security is neither being offshored nor outsourced. Because security is such a critical element in an organization, security functions generally remain within the organization. In addition, security positions do not involve “on-the-job training” where untrained employees can learn as they go; the risk is simply too great.
It is important that individuals who want to be employed in the ever-growing field of information security be certified. IT employers demand and pay a premium for security personnel who have earned a security certification. Recent employment trends indicate that employees with security certifications are in high demand, with one study showing that security certifications will earn employees 10 to 14 percent more pay than their uncertified counterparts.[vi] The Computing Technology Industry Association (CompTIA) Security+ certification is a vendor-neutral credential internationally recognized as validating a foundation level of security skills and knowledge.
Security+ Guide to Network Security Fundamentals, Fourth Edition is designed to equip learners with the knowledge and skills needed to be secure IT professionals. Yet it is more than merely an “exam prep” book. This text teaches the fundamentals of information security by using the CompTIA Security+ exam objectives as its framework. It takes an in-depth and comprehensive view of security by examining the attacks that are launched against networks and computer systems, the necessary defense mechanisms, and even offers end-user practical tools, tips, and techniques to counter attackers. Security+ Guide to Network Security Fundamentals, Fourth Edition is a valuable tool for those who want to learn about security and who desire to enter the field of information security by providing the foundation that will help prepare for the CompTIA Security+ certification exam.
Intended Audience
This book is designed to meet the needs of students and professionals who want to master practical network and computer security. A basic knowledge of computers and networks is all that is required to use this book. Those seeking to pass the CompTIA Security+ certification exam will find the text’s approach and content especially helpful, because all Security+ SY0-301 exam objectives are covered (see Appendix A). (For more information on Security+ certification, visit CompTIA’s Web site at www.comptia.org.) However, Security+ Guide to Network Security Fundamentals, Fourth Edition is much more than an examination prep book; it also covers all aspects of network and computer security while satisfying the Security+ objectives.
The book’s pedagogical features are designed to provide a truly interactive learning experience to help prepare you for the challenges of network and computer security. In addition to the information presented in the text, each chapter includes Hands-On Projects that guide you through implementing practical hardware, software, network, and Internet security configurations step by step. Each chapter also contains case studies that place you in the role of problem solver, requiring you to apply concepts presented in the chapter to achieve successful solutions.
Chapter Descriptions
Here is a summary of the topics covered in each chapter of this book:
Chapter 1, “Introduction to Security,” begins by explaining the challenge of information security and why it is important. This chapter also introduces information security terminology, defines who the attackers are, and gives an overview of attacks and defenses. In addition, it explains the CompTIA Security+ exam, and explores career options for those interested in mastering security skills.
Chapter 2, “Malware and Social Engineering Attacks,” examines attacks that use different types of malware, such as viruses, worms, Trojans, and botnets. It also looks at the different types of social engineering attacks.
Chapter 3, “Application and Network Attacks,” explores both Web application attacks (cross-site scripting, SQL, XML, and command injection attacks) along with client-side application attacks. It also looks at the attacks directed at networks.
Chapter 4, “Vulnerability Assessment and Mitigating Attacks,” gives an overview of vulnerability assessment techniques and tools. It also compares vulnerability scanning with penetration testing. The chapter closes by exploring steps for mitigating and deterring attacks.
Chapter 5, “Host, Application, and Data Security,” examines steps for securing host computer systems along with securing applications. It also explores how data can be secured.
xiv Introduction
Chapter 6, “Network Security,” explores how to secure a network through standard network devices, through network technologies, and by network design elements.
Chapter 7, “Administering a Secure Network,” looks at the techniques for administering a network. This includes understanding common network protocols, employing network design principles, and securing network applications.
Chapter 8, “Wireless Network Security,” explores security in wireless local area network and personal area network environments. It investigates wireless attacks, the vulnerabilities of wireless networks, and enhanced security protections for personal users as well as for enterprises.
Chapter 9, “Access Control Fundamentals,” introduces the principles and practices of access control by examining access control terminology, the three standard control models, and best practices. It also covers implementing access control methods and explores authentication services.
Chapter 10, “Authentication and Account Management,” examines the definition of authentication and explores authentication credentials. It also looks at single sign-on, account management, and trusted operating systems.
Chapter 11, “Basic Cryptography,” explores how encryption can be used to protect data. It covers what cryptography is and how it can be used for protection, how to protect data using three common types of encryption algorithms, and how to use cryptography on file systems and disks to keep data secure.
Chapter 12, “Advanced Cryptography,” looks at practical methods for applying cryptography to protect data. The chapter explores digital certificates and how they can be used, public key infrastructure and key management, and how to use cryptography on data that is being transported.
Chapter 13, “Business Continuity,” covers the importance of keeping business processes and communications operating normally in the face of threats and disruptions. It explores disaster recovery, environmental controls, and incident response procedures.
Chapter 14, “Risk Mitigation,” looks at how organizations can control and reduce risk. It also explores how education and training can help provide the tools to users to maintain a secure environment within the organization.
Appendix A, “CompTIA SY0-301 Certification Examination Objectives,” provides a complete listing of the latest CompTIA Security+ certification exam objectives and shows the chapters and headings in the book that cover material associated with each objective.
Appendix B, “Downloads and Tools for Hands-On Projects,” lists the Web sites used in the chapter Hands-On Projects.
Appendix C, “Security Web Sites,” offers a listing of several important Web sites that contain security-related information.
Appendix D, “Selected TCP/IP Ports and Their Threats,” lists common TCP ports and their security vulnerabilities.
Appendix E, “Sample Internet and E-Mail Acceptable Use Policies,” gives a comprehensive example of two acceptable use policies.
Appendix F, “Information Security Community Site,” lists the features of the companion Web site for the textbook.
Features
To aid you in fully understanding computer and network security, this book includes many features designed to enhance your learning experience.
● Maps to CompTIA Objectives. The material in this text covers all of the CompTIA Security+ SY0-301 exam objectives.
● Chapter Objectives. Each chapter begins with a detailed list of the concepts to be mastered within that chapter. This list provides you with both a quick reference to the chapter’s contents and a useful study aid.
● Today’s Attacks and Defenses. Each chapter opens with a vignette of an actual security attack or defense mechanism that helps to introduce the material covered in that chapter.
● Illustrations and Tables. Numerous illustrations of security vulnerabilities, attacks, and defenses help you visualize security elements, theories, and concepts. In addition, the many tables provide details and comparisons of practical and theoretical information.
● Chapter Summaries. Each chapter’s text is followed by a summary of the concepts introduced in that chapter. These summaries provide a helpful way to review the ideas covered in each chapter.
● Key Terms. All of the terms in each chapter that were introduced with bold text are gathered in a Key Terms list with definitions at the end of the chapter, providing additional review and highlighting key concepts.
● Review Questions. The end-of-chapter assessment begins with a set of review questions that reinforce the ideas introduced in each chapter. These questions help you evaluate and apply the material you have learned. Answering these questions will ensure that you have mastered the important concepts and provide valuable practice for taking CompTIA’s Security+ exam.
● Hands-On Projects. Although it is important to understand the theory behind network security, nothing can improve on real-world experience. To this end, each chapter provides several Hands-On Projects aimed at providing you with practical security software and hardware implementation experience. These projects use the Windows 7 and Windows Server 2008 operating systems, as well as software downloaded from the Internet.
● Case Projects. Located at the end of each chapter are several Case Projects. In these extensive exercises, you implement the skills and knowledge gained in the chapter through real design and implementation scenarios.
New to this Edition
● Fully maps to the latest CompTIA Security+ exam SY0-301
● Updated information on the latest security attacks and defenses
● Expanded in-depth coverage of topics such as virus infections, social engineering attacks, SQL injection, and others
● New material on Web application attacks, client-side attacks, mobile device security, fuzz testing, data loss prevention, cloud computing, and other topics
● Additional Hands-On Projects in each chapter covering some of the latest security software
● More Case Projects in each chapter
● Information Security Community Site activity in each chapter allows learners to interact with other learners and security professionals from around the world
Text and Graphic Conventions
Wherever appropriate, additional information and exercises have been added to this book to help you better understand the topic at hand. Icons throughout the text alert you to additional materials. The following icons are used in this textbook:
The Note icon draws your attention to additional helpful material related to the subject being described.
Tips based on the authors’ experience provide extra information about how to attack a problem or what to do in real-world situations.
The Caution icons warn you about potential mistakes or problems, and explain how to avoid them.
Each Hands-On activity in this book is preceded by the Hands-On icon and a description of the exercise that follows.
Case Project icons mark Case Projects, which are scenario-based assignments. In these extensive case examples, you are asked to implement independently what you have learned.
Security+ icons list relevant CompTIA Security+ SY0-301 exam objectives for each major chapter heading.
CertBlaster Test Prep Resources
Security+ Guide to Network Security Fundamentals includes CertBlaster test preparation questions that mirror the look and feel of the CompTIA Security+ certification exam. For additional information on the CertBlaster test preparation questions, go to http://www.dtipublishing.com.
To log in and access the CertBlaster test preparation questions for CompTIA’s Security+ Certification exam, please go to http://www.certblaster.com/cengage.htm.
To install CertBlaster:
1. Click the title of the CertBlaster test prep application you want to download.
2. Save the program (.EXE) file to a folder on your C: drive. (Warning: If you skip this step, your CertBlaster will not install correctly.)
3. Click Start and choose Run.
4. Click Browse and then navigate to the folder that contains the .EXE file. Select the .EXE file and click Open.
5. Click OK and then follow the on-screen instructions.
6. When the installation is complete, click Finish.
7. Click Start, choose All programs, and click CertBlaster.
To register CertBlaster:
1. Open the CertBlaster test you want by double-clicking it.
2. In the menu bar, click File > Register Exam and enter the access code when prompted. Use the access code provided inside the card placed in the back of this book.
What’s New with CompTIA Security+ Certification
The CompTIA Security+ SY0-301 exam was updated in May 2011. There are several significant changes to the exam objectives. The exam objectives have been reorganized in five domains: Network Security, Compliance and Operational Security, Threats and Vulnerabilities, Application, Data and Host Security, Access Control and Identity Management, and Cryptography. Each of the other domains has been reorganized and expanded to more accurately reflect current security issues and knowledge requirements. Finally, the exam objectives now place more importance on knowing “how to” rather than just knowing or recognizing security concepts.
Here are the domains covered on the new Security+ exam:
Domain % of examination
1.0 Network Security 21%
2.0 Compliance and Operational Security 18%
3.0 Threats and Vulnerabilities 21%
4.0 Application, Data, and Host Security 16%
5.0 Access Control and Identity Management 13%
6.0 Cryptography 11%
How To Become CompTIA Certified
In order to become CompTIA certified, you must:
1. Select a testing center and a certification exam provider. For more information, visit the following Web site: http://certification.comptia.org/getCertified/steps_to_certification.aspx.
2. Register for and schedule a time to take the CompTIA certification exam at a convenient location.
3. Take and pass the CompTIA certification exam.
For more information about CompTIA’s certifications, please visit http://certification.comptia.org/getCertified.aspx.
CompTIA is a nonprofit information technology (IT) trade association. To contact CompTIA with any questions or comments, call 866-835-8020 or visit http://certification.comptia.org/contact.aspx. The Computing Technology Industry Association (CompTIA) is the voice of the world’s information technology (IT) industry. Its members are the companies at the forefront of innovation and the professionals responsible for maximizing the benefits organizations receive from their investments in technology.
CompTIA is dedicated to advancing industry growth through its educational programs, market research, networking events, professional certifications, and public policy advocacy.
CompTIA is a not-for-profit information technology (IT) trade association. CompTIA’s certifications are designed by subject matter experts from across the IT industry. Each CompTIA certification is vendor-neutral, covers multiple technologies, and requires demonstration of skills and knowledge widely sought after by the IT industry.
Information Security Community Site
Stay Secure with the Information Security Community Site! Connect with students, professors, and professionals from around the world, and stay on top of this ever-changing field.
Visit www.cengage.com/community/infosec to do the following:
● Download resources such as instructional videos and labs.
● Ask authors, professors, and students the questions that are on your mind in our Discussion Forums.
● See up-to-date news, videos, and articles.
● Read weekly blogs from author Mark Ciampa.
● Listen to podcasts on the latest information security topics.
Each chapter includes information on a current security topic and asks the learner to post their reactions and comments to the Information Security Community Site. This allows users from around the world to interact and learn from other users as well as with security professionals and researchers.
Additional information can be found in Appendix F, Information Security Community Site.
Instructor’s Materials
A wide array of instructor’s materials is provided with this book. The following supplemental materials are available for use in a classroom setting. All the supplements available with this book are provided to the instructor on a single CD-ROM and online at the textbook’s Web site.
Electronic Instructor’s Manual. The Instructor’s Manual that accompanies this textbook includes the following items: additional instructional material to assist in class preparation, including suggestions for lecture topics, tips on setting up a lab for the Hands-On Projects, and solutions to all end-of-chapter materials.
ExamView Test Bank. This Windows-based testing software helps instructors design and administer tests and pre-tests. In addition to generating tests that can be printed and administered, this full-featured program has an online testing component that allows students to take tests at the computer and have their exams automatically graded.
PowerPoint Presentations. This book comes with a set of Microsoft PowerPoint slides for each chapter. These slides are meant to be used as a teaching aid for classroom presentations, to be made available to students on the network for chapter review, or to be printed for classroom distribution. Instructors are also at liberty to add their own slides for other topics introduced.
Figure Files. All of the figures and tables in the book are reproduced on the Instructor Resources CD. Similar to PowerPoint presentations, these are included as a teaching aid for classroom presentation, to make available to students for review, or to be printed for classroom distribution.
Introduction xix
www.cengage.com/community/infosec
Instructor Resources CD (ISBN: 9781111640156) Please visit login.cengage.com and log in to access instructor-specific resources.
To access additional course materials, please visit www.cengagebrain.com. At the CengageBrain.com home page, search for the ISBN of your title (from the back cover of your book) using the search box at the top of the page. This will take you to the product page where these resources can be found.
Additional materials designed especially for you might be available for your course online. Go to www.cengage.com/coursetechnology and search for this book title periodically for more details.
Total Solutions for Security To access additional materials (including CourseMate, described in the next section), please visit www.cengagebrain.com. At the CengageBrain.com home page, search for the ISBN of your title (from the back cover of your book) using the search box at the top of the page. This will take you to the product page for your book, where you will be able to access these resources.
CourseMate
Security+ Guide to Network Security Fundamentals, Fourth Edition offers CourseMate, a complement to your textbook. CourseMate includes the following:
● An interactive eBook, with highlighting, note-taking, and search capabilities.
● Interactive learning tools, including Quizzes, Flash Cards, PowerPoint slides, Glossary, and more!
● Engagement Tracker, a first-of-its-kind tool that monitors student engagement in the course.
Go to login.cengage.com to access the following resources:
● CourseMate Printed Access Code (ISBN: 9781111640231)
● CourseMate Instant Access Code (ISBN: 9781111640248)
Lab Manual for Security+ Guide to Network Security Fundamentals, Fourth Edition
Companion to Security+ Guide to Network Security Fundamentals, Fourth Edition. This Lab Manual contains over 60 labs to provide students with additional hands-on experience and to help prepare for the Security+ exam. The Lab Manual includes lab activities, objectives, materials lists, step-by-step procedures, illustrations, and review questions.
● Lab Manual (ISBN: 9781111640132)
CourseNotes
This laminated quick reference card reinforces critical knowledge for CompTIA’s Security+ exam in a visual and user-friendly format. CourseNotes will serve as a useful study aid, supplement to the textbook, or as a quick reference tool during the course and afterward.
● CourseNotes (ISBN: 9781111640347)
Web-Based Labs
Using a real lab environment over the Internet, students can log on anywhere, anytime via a Web browser to gain essential hands-on experience in security using labs from Security+ Guide to Network Security Fundamentals, Fourth Edition.
● Web-Based Labs (ISBN: 9781111640163)
dtiMetrics
dtiMetrics is an online testing system that automatically grades students and keeps class and student records. dtiMetrics tests against Cengage’s textbook as well as against the CompTIA Security+ certification exam, including a quiz for each chapter in the book along with a mid-term and final exam. dtiMetrics is managed by the classroom instructor, who has 100 percent of the control, 100 percent of the time. It is hosted and maintained by dtiPublishing.
● dtiMetrics (ISBN: 9781111640330)
LabConnection
LabConnection provides powerful computer-based exercises, simulations, and demonstrations for hands-on skills courses such as this. It can be used as both a virtual lab and as a homework assignment tool, and provides automatic grading and student record maintenance. LabConnection maps directly to the textbook and provides remediation to the text and to the CompTIA Security+ certification exam. It includes the following features:
● Enhanced comprehension—Through the LabConnection labs and guidance, while in the virtual lab environment, the student develops skills that are accurate and consistently effective.
● Exercises—LabConnection includes dozens of exercises that assess and prepare the learner for the virtual labs, establishing and solidifying the skills and knowledge required to complete the lab.
● Virtual labs—Labs consist of end-to-end procedures performed in a simulated environment where the student can practice the skills required of professionals.
● Guided learning—LabConnection allows learners to make mistakes but alerts them to errors made before they can move on to the next step, sometimes offering demonstrations as well.
● Video demonstrations—Video demonstrations guide the learners step-by-step through the labs while providing additional insights to solidify the concepts.
● SCORM-compliant grading and record keeping—LabConnection will grade the exercises and record the completion status of the lab portion, easily porting to, and compatible with, distance learning platforms.
● LabConnection Online (ISBN: 9781111640316)
● LabConnection on DVD (ISBN: 9781111640293)
Web Tutor for Blackboard
WebTutor for Blackboard is a content-rich, Web-based teaching and learning aid that reinforces and clarifies complex concepts while integrating into your Blackboard course. The WebTutor platform also provides rich communication tools for instructors and students, making it much more than an online study guide. Features include PowerPoint presentations, practice quizzes, and more, organized by chapter and topic.
WebTutor for Blackboard (ISBN: 9781111640354)
About the Author
Mark Ciampa, Ph.D., Security+, is Assistant Professor of Computer Information Systems at Western Kentucky University in Bowling Green, Kentucky. Previously, he served as Associate Professor and Director of Academic Computing for 20 years at Volunteer State Community College in Gallatin, Tennessee. Dr. Ciampa has worked in the IT industry as a computer consultant for the U.S. Postal Service, the Tennessee Municipal Technical Advisory Service, and the University of Tennessee. He is also the author of many Cengage/Course Technology textbooks, including: CWNA Guide to Wireless LANs, Second Edition; Guide to Wireless Communications; Security+ Guide to Network Security Fundamentals, Third Edition; Security Awareness: Applying Practical Security in Your World; and Networking BASICS. He holds a Ph.D. in digital communications systems from Indiana State University.
Acknowledgments
A large team of dedicated professionals all contributed to the creation of this book. I am honored to be part of such an outstanding group of professionals, and to everyone on the team I extend my sincere thanks. A special thanks goes to Executive Editor Stephen Helba for giving me the opportunity to work on this project and for providing his continual support. Also thanks to Senior Product Manager Michelle Cannistraci who was very supportive and helped keep this fast-moving project on track, and to GreenPen QA for carefully reviewing the book and identifying many corrections. And a big Thank You to the team of peer reviewers who evaluated each chapter and provided very helpful suggestions and contributions: Angela Herring (Wilson Community College), Ahmad Nasraty (Heald University), Jerry Sherrod (Pellissippi State Community College), Richard Smolenski (Westwood College), and Bruce Waugh (Craven Community College).
Special recognition again goes to Developmental Editor Deb Kaufmann. She is everything—and more—that an author could ask for. Deb made many helpful suggestions, found all of my errors, watched every small detail, and somehow turned my words into a book. On top of it all, Deb is a joy to work with. Without question, Deb is simply the very best there is.
And finally, I want to thank my wonderful wife, Susan. Once again, she was patient and supportive of me throughout this project. I could not have written this book without her by my side.
Dedication
To Braden, Mia, and Abby.
To the User
This book should be read in sequence, from beginning to end. Each chapter builds upon those that precede it to provide a solid understanding of networking security fundamentals. The book may also be used to prepare for CompTIA’s Security+ certification exam. Appendix A pinpoints the chapters and sections in which specific Security+ exam objectives are located.
Hardware and Software Requirements
Following are the hardware and software requirements needed to perform the end-of-chapter Hands-On Projects:
● Microsoft Windows 7
● Windows Server 2008
● An Internet connection and Web browser
● Microsoft Office 2007 or Office 2003
● Microsoft Office Outlook
Specialized Requirements
Whenever possible, the needs for specialized requirements were kept to a minimum. The following chapter features specialized hardware:
● Chapter 6: An Active Directory environment and WSUS installed on a Windows Server 2008 server
Free Downloadable Software Requirements
Free, downloadable software is required for the Hands-On Projects in the following chapters. Appendix B lists the Web sites where these can be downloaded.
Chapter 1:
● Secunia Personal Software Inspector
● Microsoft Windows Malicious Software Removal Tool
Chapter 2:
● Irongeek Thumbscrew
● Microsoft RootkitRevealer
● Wolfeye Keylogger
Chapter 3:
● GRC Securable
Chapter 4:
● GFI LANguard Vulnerability Scanner
● Unetbootin
● BackTrack
Chapter 6:
● ThreatFire
● K9 Web Protection
Chapter 7:
● Glub Secure FTP Client
● Google Namebench
● Gladinet
● VMware vCenter
● VMware Player
Chapter 8:
● Xirrus Wi-Fi Monitor
● Vistumbler
● KLC Consulting SMAC
● Virtual Router
Chapter 10:
● KeePass Password Safe
● LastPass
Chapter 11:
● MD5DEEP
● HashTab
● TrueCrypt
Chapter 12:
● Comodo Digital Certificate
Chapter 13:
● Macrium Reflect
● Briggs Software Directory Snoop
References
i. Lohrmann, Dan. “Should Governments Join Banks in Seeking Customers’ Help Online?” Government Technology Blogs, July 30, 2010, accessed Feb. 28, 2011, http://www.govtechblogs.com/lohrmann_on_infrastructure/2010/07/should-governments-join-banks.php.
ii. “419 Advance Fee Fraud Statistics 2009,” Jan. 2010, accessed Feb. 28, 2011, http://www.ultrascan-agi.com/public_html/html/public_research_reports.html.
iii. Santana, Juan. “European commission suspends CO2 credit trading due to cyber-attack,” Panda Security Insight Blog, Jan. 25, 2011, accessed Feb. 28, 2011, http://www.pandainsight.com/en/.
iv. “Case Study: Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World’s Password Security System,” Georgia Tech Research Institute, accessed Feb. 28, 2011, http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System.
v. Popa, Bogdan. “2,244 Hacker Attacks Per Day,” Softpedia, Feb. 9, 2007, accessed Feb. 28, 2011, http://news.softpedia.com/news/2-244-Hacker-Attacks-Per-Day-46688.shtml.
vi. “2011 IT Salary and Skills Pay Benchmark Survey Research,” accessed Feb. 28, 2011, http://www.footepartners.com/.
Today’s Security Imperative and Security Certification
Contributed by Carol Balkcom, Director of Product Management, CompTIA
Cyber security has become a U.S. national—and now international—concern as serious cyber attacks are being launched on banks and multi-national corporations across country boundaries. There has been a significant rise in security training and certification, worldwide. In fact, Security+ is the fastest growing certification in CompTIA’s certification portfolio. Organizations of every kind have realized that they can no longer afford to have IT staff who are not proven in the latest information security technologies and practices.
Today we see the impact of U.S. military requirements on certification; both military information assurance personnel and IT employees of government contractor companies who have contracts with the military are required to be certified, under the terms of their contracts. Included are many types of companies, from software, to systems integrators, to manufacturing and service companies. Government agencies such as the U.S. State Department have special employee incentive programs in place; and governments and military from Canada to the Middle East have begun regular security training and certification in Security+.
Research
Surveys show that criminal theft of information can be traced, in many cases, to human error within companies, or failure to have adequate security policies and training. CompTIA security research published in late 2010 shows that IT professionals attribute slightly more of the blame for security breaches to human error or shortcomings than technology shortcomings.1 Additionally, the data suggests the human error factor is on the rise as a cause of security breaches.
“Vendor-Neutral” vs. “Vendor-Specific” Certification
When an IT professional decides to complement his or her experience with certification, a vendor-neutral certification is often the first type of exam taken. A vendor-neutral exam is one that tests for knowledge of a subject across platforms and products—without being tied to any specific product—while validating baseline skills and knowledge in that subject area. CompTIA exams are vendor-neutral exams and serve that portion of the IT population who have a good foundation in their chosen field and want to become certified. Individuals who take CompTIA Security+ are serious about their role in information security. They typically have at least two years of hands-on technical security experience. They may have also taken an exam like CompTIA Network+ as a first entry into certification.
Who Is Becoming Certified
There is a long list of employers where significant numbers of staff in IT roles are becoming CompTIA Security+ certified. Here are just a few of the significant ones:
Booz Allen Hamilton, HP, IBM, Motorola, Verisign, Telstra, Hitachi, Ricoh, Sharp, Lockheed Martin, Unisys, Hilton Hotels Corp., General Mills, U.S. Navy, Army, Air Force, and Marines.
While the majority of CompTIA Security+ certified professionals are in North America, there are growing numbers in over 100 countries, with a solid and growing base especially in Japan, the UK, Germany, Canada, and Southeast Asia. The need for information security training and certification has never been greater, and has become a worldwide issue.
1 Eighth Annual Global Information Security Trends, November 2010.
Chapter 1
Introduction to Security
After completing this chapter, you will be able to do the following:
● Describe the challenges of securing information
● Define information security and explain why it is important
● Identify the types of attackers that are common today
● List the basic steps of an attack
● Describe the five basic principles of defense
Today’s Attacks and Defenses
“Groundbreaking,” “amazing,” “never seen before,” “extremely impressive,” “clever,” “something out of a movie,” “scary,” “the most sophisticated malware ever,” “other attacks are child’s play compared to it….” These are just a few of the phrases security researchers used to describe the Stuxnet malware.
The Stuxnet worm was first widely reported in mid-2010, although it is now thought that it first appeared almost a year earlier. Shortly after it became widely recognized, Microsoft confirmed the worm was actively targeting Windows computers that managed large-scale industrial-control systems, which are often referred to as SCADA (Supervisory Control and Data Acquisition) systems. SCADA can be found in military installations, oil pipeline control systems, manufacturing environments, and nuclear power plants. At first, it was thought that Stuxnet took advantage of a single, previously unknown, software vulnerability. Upon closer inspection, it was found that Stuxnet exploited four previously unknown vulnerabilities, something never seen before. (It also used a fifth vulnerability that Microsoft had patched in 2008, relying on the many systems that had never applied that fix.)
Stuxnet, written in multiple languages, including C, C++, and other object-oriented languages, was introduced to industrial networks through infected Universal Serial Bus (USB) flash drives. It also used several tricks to avoid detection. Stuxnet kept an internal counter that allowed each infected flash drive to spread the worm to a maximum of three computers. This design ensured that it stayed within the industrial facility and did not attract outside attention. Also, because SCADA systems typically have little logging to record events and are rarely patched, the worm could live for a long period of time before being detected.
Using Windows vulnerabilities, Stuxnet performed an attack to gain administrative access to computers on the local network of an industrial plant and then looked for computers running SCADA software. Next, it infected these SCADA computers through two other vulnerabilities and tried to break into the SCADA software by using its default passwords. Stuxnet was designed to alter the instructions running on the programmable logic controllers (PLCs) managed by the SCADA systems, which would give it power over the industrial machinery attached to those controllers. This would put the entire facility under the control of the attacker, who could make the equipment operate in an unsafe manner, resulting in a massive explosion or, even worse, a nuclear catastrophe.
It is speculated that Stuxnet’s primary target was the Iranian Bushehr nuclear power plant (almost six out of ten computers infected with Stuxnet have been traced back to Iran). This reactor, located in southwestern Iran near the Persian Gulf, has been a source of tension between Iran and the West (including the United States) because of fear that spent fuel from the reactor could be reprocessed elsewhere in the country to produce weapons-grade plutonium for use in nuclear warheads. Some have even speculated that an unnamed government-sponsored team of programmers, or even teams from multiple opposition governments, created Stuxnet to cripple the Bushehr facility. Based on the complexity of the software, it is estimated that the cost of developing Stuxnet could have exceeded $4 million.
As far as can be determined, Stuxnet never did gain control of any SCADA systems or cause damage to industrial sites. No person or organization has yet stepped forward as the author of Stuxnet, so it remains cloaked in secrecy. Although we may not know who was behind it and why, Stuxnet is just one example of how extremely dangerous malicious software can be.
When historians reflect back on the early part of the twenty-first century, it is likely that one word will figure prominently: security. At no other time in the world’s history have we been forced to protect ourselves and our property from continual attacks by invisible foes. Suicide car bombings, subway massacres, airplane hijackings, random shootings, and guerrilla commando raids occur regularly around the world. To counteract this violence, governments and other organizations have implemented new types of security defenses. Passengers using public transportation are routinely searched. Fences are erected across borders. Telephone calls are monitored. The result is that these attacks and the security defenses have impacted almost every element of our daily lives and significantly affect how all of us work, play, and live.
One area that has also been an especially frequent target of attacks is information technology (IT). Seemingly endless arrays of attacks are directed at corporations, banks, schools, and individuals through their computers, laptops, smartphones, tablet computers, and similar technology devices. Internet Web servers must resist thousands of attacks daily. Identity theft has skyrocketed. An unprotected computer connected to the Internet can be infected in less than one minute. One study found that over 48 percent of 22.7 million computers analyzed were infected with malware.1 Phishing, rootkits, back doors, social engineering, zombies, and botnets, virtually unheard of just a few years ago, are now part of our everyday information security vocabulary.
The need to defend against these attacks on our technology devices has created a new element of IT that is now at the very core of the entire industry. Known as information security, it is focused on protecting the electronic information of organizations and users.
The demand for IT professionals who know how to secure networks and computers is at an all-time high. Today, many businesses and organizations require employees as well as job applicants to demonstrate that they are familiar with computer security practices. To verify security competency, a vast majority of organizations use the CompTIA Security+ certification. As the most widely recognized vendor-neutral security certification, Security+ has become the security foundation for today’s IT professionals.
There are two broad categories of information security positions. Information security managerial positions include the administration and management of plans, policies, and people. Information security technical positions are concerned with the design, configuration, installation, and maintenance of technical security equipment. Within these two broad categories, there are four generally recognized security positions:
● Chief Information Security Officer (CISO). This person reports directly to the CIO (large organizations may have more layers of management for reporting). Other titles used are Manager for Security and Security Administrator. They are responsible for the assessment, management, and implementation of security.
● Security manager. The security manager reports to the CISO and supervises technicians, administrators, and security staff. Typically, a security manager works on tasks identified by the CISO and resolves issues identified by technicians. This position requires an understanding of configuration and operation but not necessarily technical mastery.
● Security administrator. The security administrator has both technical knowledge and managerial skills. A security administrator manages daily operations of security technology, and may analyze and design security solutions within a specific entity as well as identify users’ needs.
● Security technician. This is generally an entry-level position for a person who has the necessary technical skills. Technicians provide technical support to configure security hardware, implement security software, and diagnose and troubleshoot problems.
Recent employment trends indicate that employees with security certifications are in high demand. As attacks continue to escalate, the need for trained security personnel also increases. Unlike some positions, security is being neither offshored nor outsourced. Because security is such a critical element in an organization, security positions generally remain within the organi- zation. In addition, security positions do not involve “on-the-job training” where a person can learn as they go; the risk is simply too great. IT employers want and pay a premium for certified security personnel.
A study by Foote Partners showed that security certifications will earn employees 10 to 14 percent more pay than their uncertified counterparts.2
The CompTIA Security+ Certification is a vendor-neutral credential that requires passing the current certification exam SY0-301. This exam is internationally recognized as validating a foundation level of security skills and knowledge. A successful candidate has the knowledge and skills required to identify risks and participate in risk mitigation activities; provide infrastructure, application, operational and information security; apply security controls to maintain confidentiality, integrity, and availability; identify appropriate technologies and products; and operate with an awareness of applicable policies, laws, and regulations.
The CompTIA Security+ Certification is aimed at an IT security professional with the recommended background of a minimum of two years experience in IT administration with a focus on security. Such a professional is involved with daily technical information security experience, and has a broad knowledge of security concerns and implementation.
This chapter introduces network security fundamentals that form the basis of the Security+ certification. It begins by examining the current challenges in computer security and why it is so difficult to achieve. It then describes information security in more detail and explores why it is important. Finally, the chapter looks at who is responsible for these attacks and at the fundamental defenses against attackers.
Challenges of Securing Information
Although to a casual observer it may seem that there should be a straightforward solution to securing computers, such as using a better software product or creating a stronger password, in reality there is no simple solution to securing information. This can be seen through the different types of attacks that users face today as well as the difficulties in defending against these attacks.
Today’s Security Attacks
Despite the fact that information security continues to rank as the number one concern of IT managers and tens of billions of dollars are spent annually on computer security, the number of successful attacks continues to increase. Information regarding recent attacks includes the following:
● Fake anti-virus attacks are responsible for half of all malware delivered by Web advertising, which increased 500 percent in one 12-month period. Over 11,000 domains are involved with fake anti-virus distribution, and that number is increasing.3
In one example, a user who clicks an advertisement on a Web page offering a free online vulnerability scan suddenly sees a window that informs the user that the computer is infected. The pop-up window directs the user to click a button to purchase anti-virus software to disinfect their computer. However, this window cannot be closed, and even rebooting the system does not clear the message. In desperation, many users finally enter their credit card number to purchase the anti-virus software. Their credit card number is then transmitted to an attacker, who uses it to make online purchases. At the same time, other malware software is installed on the computer while the pop-up window remains open on the computer and never goes away.
● Approximately 80 percent of households in the United States use the Internet for managing their finances, up from only 4 percent just 15 years ago. And the trend is toward even more online banking. There are now Internet-only banks, with no physical branches to visit. One new bank is planning to limit its membership to smartphone users (although these users can access their account information from their computers as well). Yet the number of malware attacks against online banking is increasing annually by almost 60,000. About 85 percent of banks reported that they have sustained losses based on these attacks. The American Bankers Association says that consumers should monitor their online accounts for unauthorized transactions on a “continuous, almost daily, basis.”4
● A graphics processing unit (GPU), which is separate from the computer’s central processing unit (CPU), is used in graphics cards to render screen displays on computers. Today, some of the work of a CPU can be offloaded to a GPU to accelerate specific applications, most notably floating-point operations. A $500 GPU today can perform about 2 teraflops (2 trillion floating-point operations per second), whereas just 10 years ago, the fastest supercomputer in the world only ran at 7 teraflops and cost $110 million. Attackers are now using GPUs to break passwords. Researchers at the Georgia Tech Research Institute (GTRI) claim that an attacker with a computer that has a GPU could easily break a relatively weak password. They state, “Right now we can confidently say that a 7-character password is hopelessly inadequate.” They go on to say that any password with fewer than 12 characters could be vulnerable very soon—if it is not already.5
● According to a security report by IBM’s X-Force, on average, 55 percent of software vulnerabilities that were disclosed by vendors were not patched, which is an increase from the previous year’s 52 percent. The top ten vendors with the most disclosed yet unpatched vulnerabilities were Sun Microsystems (24%), Microsoft (23.2%), Mozilla (21.3%), Apple (12.9%), IBM (10.3%), Google (8.6%), Linux (8.2%), Oracle (6.8%), Cisco (6%), and Adobe (2.9%).6
● Over 135 employees at 17 of the Fortune 500 companies (including Google, WalMart, Symantec, Cisco, Microsoft, Pepsi, Coca-Cola, and Ford) were called on the phone by individuals participating in a Defcon Hacking Conference contest. The callers tried to get information from these employees that could be used in an attack. Callers could not ask for passwords or Social Security numbers, but they tried to find out information that could be useful to attackers, such as what operating system, anti-virus software, and browser their victims used. In addition, they also tried to persuade these employees to visit unauthorized Web pages. Of the 135 employees who were called, only five refused to provide any corporate information or visit the unauthorized Web sites (and all five were women).7
● An immigrant pretending to be “Prince Nana Kamokai of Sierra Leone” or “an airport director from Ghana” sent thousands of e-mails asking for help in moving money from Nigeria to the United States. By using fake documentation to convince his victims that he was legitimate, he persuaded them to wire him fees to cover “courier services” or as “PIN code fees.” After five years, he had made more than $1.3 million from 67 known victims. Yet this was only a drop in the bucket for this scam, known as the Nigerian 419 Advance Fee Fraud (the name comes from section 419 of the Nigerian criminal code, which addresses fraud). To date, it is estimated that over $41 billion has been lost by victims of this scam, with $9.3 billion lost in 2009 alone. According to the U.S. Federal Bureau of Investigation (FBI), this scam is the number-one type of Internet fraud and is growing at a rate of 5 percent annually.8
● Firesheep is a free, open-source Firefox browser extension introduced in late 2010. An attacker can install this add-on and then connect to an unencrypted wireless network at a coffee shop, hotel, or library. Once the attacker clicks Start Capturing, anyone using the wireless network who logs in to a site that is known to Firesheep (such as Facebook, Twitter, Amazon, FourSquare, Dropbox, Windows Live, WordPress, or Flickr) and then browses it over unencrypted HTTP has their session cookie captured, and their name and even their photo displayed. The attacker can then double-click the name and be logged in as that person to that account, without ever learning the password.
● According to Panda Security, over 20 million new specimens of malware, including new malware as well as variants of existing families, were created between January and October of 2010. This means that the average number of new threats created and distributed every day increased from 55,000 in 2009 to 63,000 in 2010. In one month, over 2 million files were identified as malware.9
● An analysis of 700,000 recorded attacks on computers in one week revealed that about one out of every eight attacks came by USB flash drive devices.10 A user’s USB device may become infected at home where they have less security. When they bring the infected device into the office to insert into their work computer, that computer is then infected. In addition, attackers leave infected USB flash drives in parking lots and other common areas outside an office, tempting users to pick them up on the way to their office and to insert them into their computers.
● Two former students at a college in Missouri were indicted on a series of charges for breaking into the school’s computers. These students (1) stole personal data on 90,000 students, faculty, staff, and alumni and tried to sell it for $35,000; (2) obtained the username and password of a residence hall director to access a university computer and then on 30 different occasions transferred university funds (from $50 to $4,300) to their own student accounts; (3) used their Facebook accounts to threaten potential witnesses; and (4) created a virus and infected other university computers that allowed them to monitor activity, record keystrokes, steal data, and even remotely turn on the computers’ webcams to watch users.11
● In late 2010, Apple released patches to address 134 security flaws (in March 2010, it released patches to fix 90 flaws) in its Leopard and Snow Leopard Mac OS X. An additional 25 nonsecurity fixes addressed stability issues. The patch was between 240 MB and 645 MB, depending on the version of Mac OS X.12
● Researchers at the University of Maryland attached four computers equipped with weak passwords to the Internet for 24 days to see what would happen. These computers were hit by an intrusion attempt on average once every 39 seconds, or 2,244 attacks each day for a total of 270,000 attacks. Over 825 of the attacks were successful, enabling the attackers to access the computers.13
● In 2010, smartphones outsold computers for the first time (421 million smartphones to 365 million personal computers). With the proliferation of smartphones, which are essentially mobile computing devices, attackers are turning their attention to them. The mobile-security company Lookout reported that it detected malware on 9 percent of the smartphones that it had scanned.14
● The number of security breaches that have exposed users’ digital data to attackers continues to rise. Table 1-1 lists some of the major security breaches that occurred during a one-month period, according to the Privacy Rights Clearinghouse. From January 2005 through February 2011, over 514 million electronic data records in the United States had been breached, exposing to attackers a range of personal electronic data, such as addresses, Social Security numbers, health records, and credit card numbers.15
Security attacks continue to be a major concern of all IT users, especially those personnel responsible for protecting an organization’s information.
Difficulties in Defending Against Attacks
The challenge of keeping computers secure has never been greater, not only because of the number of attacks, but also because of the difficulties faced in defending against these attacks. These difficulties include the following:
● Universally connected devices. It is virtually unheard of today for a computer to not be connected to the Internet. Although this greatly expands the functionality of that device, it also makes it easy for an attacker halfway around the world to silently launch an attack on any connected device.
● Increased speed of attacks. With modern tools at their disposal, attackers can quickly scan thousands of systems to find weaknesses and launch attacks with unprecedented speed. Many tools can even initiate new attacks without any human participation, thus increasing the speed at which systems are attacked.
Organization | Description of security breach | Number of identities exposed
Grays Harbor Pediatrics, WA | A backup tape, stolen from an employee’s car, was used for storing copies of paper records; patients may have had their names, Social Security numbers, insurance details, driver’s license information, immunization records, medical history forms, previous doctor records, and patient medical records stolen | 12,000
Tulane University, LA | A university-issued laptop was stolen from an employee’s car. It was used to process 2010 tax records for employees, students, and others; the information included names, Social Security numbers, salary information, and addresses | 10,000
Seacoast Radiology, NH | Patient names, Social Security numbers, addresses, phone numbers, and other personal information were exposed by a security breach | 231,400
Centra, GA | A laptop was stolen from the trunk of an employee’s rental car that contained patient names and billing information | 11,982
Stony Brook University, NY | Student and faculty network and student IDs were posted online after a file with all registered student and faculty ID numbers was exposed | 61,001
deviantART, Silverpop Systems Inc., CA | Attackers exposed the e-mail addresses, usernames, and birth dates of the entire user database | 13,000,000
Twin America LLC, CitySights, NY | An attacker inserted a malicious script on a Web server and stole the customer database that contained customer names, credit card numbers, credit card expiration dates, CVV2 data, addresses, and e-mail addresses | 110,000
Ohio State University, OH | Unauthorized individuals logged into an Ohio State server and accessed the names, Social Security numbers, dates of birth, and addresses of current and former students, faculty, staff, University consultants, and University contractors | 750,000
Gawker, NY | Attackers gained access to the database and accessed staff and user e-mails and passwords | 1,300,000
Table 1-1 Selected security breaches involving personal information in a one-month period
● Greater sophistication of attacks. Attacks are becoming more complex, making it more difficult to detect and defend against them. Attackers today use common Internet tools and protocols to send malicious data or commands to strike computers, making it difficult to distinguish an attack from legitimate traffic. Other attack tools vary their behavior so the same attack appears differently each time, further complicating detection.
● Availability and simplicity of attack tools. Whereas in the past an attacker needed to have an extensive technical knowledge of networks and computers as well as the ability to write a program to generate the attack, that is no longer the case. Today’s attack tools do not require any sophisticated knowledge. In fact, many of the tools have a graphical user interface (GUI) that allows the user to select options easily from a menu, as seen in Figure 1-1. These tools are freely available or can be purchased from other attackers at a low cost. This is illustrated in Figure 1-2.
● Faster detection of vulnerabilities. Weaknesses in software can be more quickly uncovered and exploited with new software tools and techniques.
● Delays in patching. Hardware and software vendors are overwhelmed trying to keep pace with updating their products against attacks. One anti-virus software vendor receives over 200,000 submissions of potential malware each month.16 At this rate, the anti-virus vendors would have to update and distribute their updates every 10 minutes to keep users protected. The delay in vendors patching their own products adds to the difficulties in defending against attacks.
Figure 1-1 Menu of attack tools © Cengage Learning 2012
● Weak patch distribution. While mainstream products such as Microsoft Windows and Apple Mac OS have created a system for notifying users of patches and distributing those patches on a regular basis, other software vendors have not invested in distribution systems. Users are unaware that a security update even exists for a product, and usually it requires downloading and installing the latest version of the product instead of only installing a smaller patch. For these reasons, attackers today are focusing more on uncovering and exploiting vulnerabilities in these products.
● Distributed attacks. Attackers can use tens of thousands of computers under their control in an attack against a single server or network. This “many against one” approach makes it virtually impossible to stop an attack by identifying and blocking a single source.
● User confusion. Increasingly, users are called upon to make difficult security decisions regarding their computer systems, sometimes with little or no information to guide them. It is not uncommon for a user to be asked security questions such as, Do you want to view only the content that was delivered securely?, Is it safe to quarantine this attachment?, or Do you want to install this add-on? With little or no direction, users are inclined to provide answers to questions without understanding the security risks.
Table 1-2 summarizes the reasons it is difficult to defend against today’s attacks.
Figure 1-2 As the sophistication of attack tools increases, the knowledge required by attackers decreases (plot: x-axis 1990 to 2012; y-axis low to high; one curve for “Sophistication of attacker tools”, one for “Required knowledge of attackers”; tools labeled along the curves: Password guessing, Self-replicating code, Password cracking, Exploiting known vulnerabilities, Disabling audits, Back doors, Hijacking sessions, Sweepers, Sniffers, Stealth diagnostics, Packet spoofing, Tools with GUI) © Cengage Learning 2012
What Is Information Security?
● 2.8 Exemplify the concepts of confidentiality, integrity and availability (CIA)
● 3.2 Analyze and differentiate among types of attacks
● 5.2 Explain the fundamental concepts and best practices related to authentication, authorization and access control
Before it is possible to defend computers against attacks, it is necessary to understand what information security is. In addition, knowing why information security is important today and who the attackers are is beneficial.
Defining Information Security
In a general sense, security may be defined as the necessary steps to protect a person or property from harm. That harm may come primarily from two different sources:
● A direct action that is intended to inflict damage or suffering.
● An indirect and nonintentional action.
Consider a typical house. It is necessary to provide security for the house and its inhabitants from these two different sources. For example, the house and its occupants must be secure from the direct attack of a criminal who wants to inflict bodily harm to someone inside or who wants to burn down the house. This security may be provided by locked doors, a fence, or a strong police presence. In addition, the house must be protected from indirect acts that are not exclusively directed against it. That is, the house needs to be protected from a hurricane (by being built with strong materials such as concrete blocks) or a flash flood (by being built off the ground).
Reason | Description
Universally connected devices | Attackers from anywhere in the world can send attacks
Increased speed of attacks | Attackers can launch attacks against millions of computers within minutes
Greater sophistication of attacks | Attack tools vary their behavior so the same attack appears differently each time
Availability and simplicity of attack tools | Attacks are no longer limited to highly skilled attackers
Faster detection of vulnerabilities | Attackers can discover security holes in hardware or software more quickly
Delays in patching | Vendors are overwhelmed trying to keep pace by updating their products against attacks
Weak patch distribution | Many software products lack a means to distribute security patches in a timely fashion
Distributed attacks | Attackers use thousands of computers in an attack against a single computer or network
User confusion | Users are required to make difficult security decisions with little or no instruction
Table 1-2 Difficulties in defending against attacks
Security usually includes preventive measures, rapid response, and in some instances, preemptive attacks. An individual who wants to be secure would take the preventive measures of not walking alone in a risky neighborhood at night and keeping car doors locked. An example of a rapid response could include holding a cell phone in one hand when making a withdrawal at an ATM, so that if anything suspicious begins to occur, an emergency call can quickly be made to the police. Preemptive attacks are sometimes carried out by one nation against another nation that has started to amass troops and equipment along a border. This approach of “strike them before they can strike us” can be used to deter an attack.
The term information security is frequently used to describe the tasks of securing information that is in a digital format. This digital information is typically manipulated by a microprocessor (such as on a personal computer), stored on a magnetic, optical, or solid-state storage device (like a hard drive, DVD, or flash drive), and transmitted over a network (such as a local area network or the Internet).
Security may be viewed as sacrificing convenience for safety. Although it may be inconvenient to lock all the doors of the house or use long and complex passwords, the trade-off is that these steps result in a higher level of safety. Another way to think of security is giving up short-term ease for long-term protection. In any case, security usually requires making sacrifices to achieve a greater good.
Information security can be understood by examining its goals and how it is accomplished. First, information security ensures that protective measures are properly implemented. Just as the security measures taken for a house can never guarantee complete safety, information security cannot completely prevent attacks or guarantee that a system is totally secure. Rather, information security creates a defense that attempts to ward off attacks and prevents the collapse of the system when a successful attack occurs. Thus, information security is protection.
Second, information security is intended to protect information that provides value to people and organizations. Three protections must be extended over information. These three protections are confidentiality, integrity, and availability, or CIA:
1. Confidentiality. It is important that only approved individuals are able to access important information. For example, the credit card number used to make an online purchase must be kept secure and not made available to other parties. Confidentiality ensures that only authorized parties can view the information. Providing confidentiality can involve several different tools, ranging from software to “scramble” the credit card number stored on the Web server to door locks to prevent access to those servers.
2. Integrity. Integrity ensures that the information is correct and no unauthorized person or malicious software has altered the data. In the example of the online purchase, an attacker who could change the amount of a purchase from $1,000.00 to $1.00 would violate the integrity of the information.
3. Availability. Information cannot be “locked up” so tight that no one can access it; otherwise, the information would not be useful. Availability ensures that data is accessible to authorized users. The total number of items ordered as the result of an online purchase must be made available to an employee in a warehouse so that the correct items can be shipped to the customer.
In addition to CIA, another set of protections must be implemented to secure information. These are authentication, authorization, and accounting (AAA):
1. Authentication. Authentication ensures that the individual is who they claim to be (the authentic or genuine person) and not an imposter. A person accessing the Web server that contains a user’s credit card number must prove that they are indeed who they claim to be and not a fraudulent attacker. One way authentication can be performed is by the person providing a password that only she knows.
2. Authorization. After a person has provided authentication, they are given authorization, or the ability to access the credit card number or enter a room that contains the Web server.
3. Accounting. Accounting provides tracking of events. This may include a record of who accessed the Web server, from what location, and at what specific time.
There is not universal agreement regarding the three elements of AAA. Some consider it assurance, authenticity, and anonymity, while others see it as authentication, authorization, and access control.
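The online-purchase scenario used above for CIA and AAA, carried through in Python as an added example (this is not code from the textbook). The roles, the keyed tokenisation used to “scramble” the stored card number, the sample password, the test card number and the IP addresses are all constructed assumptions.

```python
"""Added example (not from the textbook): the online-purchase scenario used to
explain CIA and AAA, carried through in code. All names, roles and sample data
are constructed for illustration."""
import hashlib, hmac, json, os, time

SERVER_KEY = b"constructed-server-key-not-for-production"  # constructed

# --- Confidentiality: the card number is never stored in the clear. The Web
# server keeps a keyed token (HMAC) plus the last four digits: enough to match
# a returning card, but the number itself cannot be read back from storage.
# (Tokenisation is the assumed "scrambling" technique; the text names none.)
def protect_card(pan: str) -> dict:
    token = hmac.new(SERVER_KEY, pan.encode(), hashlib.sha256).hexdigest()
    return {"token": token, "last4": pan[-4:]}

# --- Integrity: a MAC over the canonical order record lets the warehouse detect
# any later change, e.g. an attacker turning $1,000.00 into $1.00.
def canonical(order: dict) -> bytes:
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()

def seal_order(order: dict) -> str:
    return hmac.new(SERVER_KEY, canonical(order), hashlib.sha256).hexdigest()

def order_intact(order: dict, seal: str) -> bool:
    return hmac.compare_digest(seal_order(order), seal)

# --- Authentication: a password only the user knows, kept as a salted PBKDF2
# hash so the server never holds the password itself.
def make_credential(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "digest": digest}

def authenticate(cred: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], 200_000)
    return hmac.compare_digest(digest, cred["digest"])

# --- Authorization: which fields of an order each authenticated role may see.
# Availability is served too: the warehouse can read the item count it needs.
ROLE_FIELDS = {                      # constructed roles
    "customer": {"items", "amount", "card"},
    "warehouse": {"items"},          # needs quantities to ship, nothing more
    "billing": {"amount", "card"},   # sees only the tokenised card record
}

def authorize(role: str, order: dict) -> dict:
    allowed = ROLE_FIELDS.get(role, set())   # unknown role -> sees nothing
    return {k: v for k, v in order.items() if k in allowed}

# --- Accounting: who accessed the server, from where, when, and with what result.
AUDIT_LOG: list = []

def record_access(user: str, source_ip: str, action: str, ok: bool) -> dict:
    entry = {"ts": time.time(), "user": user, "from": source_ip,
             "action": action, "ok": ok}
    AUDIT_LOG.append(entry)
    return entry

def demo() -> dict:
    """Walk the scenario end to end and return the outcome of each check."""
    AUDIT_LOG.clear()
    cred = make_credential("correct horse battery staple")   # constructed
    order = {"items": 3, "amount": "1000.00",
             "card": protect_card("4111111111111111")}       # constructed test PAN
    seal = seal_order(order)
    tampered = dict(order, amount="1.00")                    # the attacker's edit
    login_ok = authenticate(cred, "correct horse battery staple")
    login_bad = authenticate(cred, "guess")
    record_access("alice", "203.0.113.7", "login", login_ok)      # constructed
    record_access("mallory", "198.51.100.9", "login", login_bad)  # constructed
    return {
        "card_hidden": "4111111111111111" not in json.dumps(order),
        "original_intact": order_intact(order, seal),
        "tamper_detected": not order_intact(tampered, seal),
        "login_ok": login_ok,
        "login_bad": login_bad,
        "warehouse_view": authorize("warehouse", order),
        "log_entries": len(AUDIT_LOG),
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```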
Yet information security involves more than protecting the information itself. Because this information is stored on computer hardware, manipulated by software, and transmitted by communications, each of these areas must also be protected. The third objective of information security is to protect the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information.
Information security is achieved through a combination of three entities. As shown in Figure 1-3 and Table 1-3, information, hardware, software, and communications are protected in three layers: products, people, and procedures. These three layers interact with each other. For example, procedures enable people to understand how to use products to protect information. Thus, a more comprehensive definition of information security is that which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures.
Information Security Terminology
As with many advanced subjects, information security has its own set of terminology. The following scenario helps to illustrate information security terms and how they are used.
Suppose that Aiden wants to purchase a new set of rims for his car. However, because several cars have had their rims stolen near his condo, he is concerned about someone stealing his rims. Although he parks the car in the gated parking lot in front of his condo, a hole in the fence surrounding his condo makes it possible for someone to access the parking lot without restriction. Aiden’s car and the threats to the rims are illustrated in Figure 1-4.
Aiden’s new rims are an asset, which is defined as an item that has value. In an organization, assets have the following qualities: they provide value to the organization, they cannot easily be replaced without a significant investment in expense, time, worker skill, and/or resources, and they can form part of the organization’s corporate identity. Based on these qualities, not all elements of an organization’s information technology infrastructure may be classified as an asset. For example, a faulty desktop computer that can easily be replaced would generally not be considered an asset, yet the information contained on that computer can be an asset. Table 1-4 lists a description of the elements of an organization’s information technology infrastructure and whether or not they would normally be considered as an asset.
Figure 1-3 Information security components (diagram: Information, protected for Confidentiality, Integrity, and Availability, sits at the center; it is stored, manipulated, and transmitted by Hardware, Software, and Communications; surrounding these are the three layers Products (physical security), People (personnel security), and Procedures (organizational security)) © Cengage Learning 2012
Layer | Description
Products | Form the physical security around the data; may be as basic as door locks or as complicated as network security equipment
People | Those who implement and properly use security products to protect data
Procedures | Plans and policies established by an organization to ensure that people correctly use the products
Table 1-3 Information security layers
The general question to ask when determining if an IT element is an asset is simply, “If this item were destroyed right now, how difficult would it be to replace?”
What Aiden is trying to protect his rims from is a threat, which is a type of action that has the potential to cause harm. Information security threats are events or actions that represent a danger to information assets. A threat by itself does not mean that security has been compromised; rather, it simply means that the potential for creating a loss is real. Although for Aiden the loss would be the theft of his rims, in information security, a loss can be the theft of information, a delay in information being transmitted, or even the loss of good will or reputation.
Element name | Description | Example | Critical asset?
Information | Data that has been collected, classified, organized, and stored in various forms | Customer, personnel, production, sales, marketing, and finance databases | Yes: Extremely difficult to replace
Application software | Software that supports the business processes of the organization | Customized order transaction application, generic word processor | Yes: Unique and customized for the organization; No: Generic off-the-shelf software
System software | Software that provides the foundation for application software | Operating system | No: Can be easily replaced
Physical items | Computer equipment, communications equipment, storage media, furniture, and fixtures | Servers, routers, DVDs, power supplies | No: Can be easily replaced
Services | Outsourced computing services | Voice and data communications | No: Can be easily replaced
Table 1-4 Information technology assets
Figure 1-4 Information security components analogy (diagram labels: Rims (asset); Thief (threat agent); Loss of rims (threat); Fence hole (vulnerability); Exploit (go through fence hole); Stolen rims (risk)) © Cengage Learning 2012
A threat agent is a person or element that has the power to carry out a threat. For Aiden, the threat agent is a thief. In information security, a threat agent could be a person attempting to break into a secure computer network. It could also be a force of nature such as a tornado or flood that could destroy computer equipment and thus destroy information, or it could be malicious software that attacks the computer network.
Aiden wants to protect his rims and is concerned about a hole in the fencing around his condo. The hole in the fencing is a vulnerability, which is a flaw or weakness that allows a threat agent to bypass security. An example of a vulnerability that information security must deal with is a software defect in an operating system that allows an unauthorized user to gain control of a computer without the user’s knowledge or permission.
If a thief can get to Aiden’s car because of the hole in the fence, then that thief is taking advantage of the vulnerability. This is known as exploiting the security weakness. An attacker, knowing that an e-mail system does not scan attachments for a virus, is exploiting the vulnerability by sending infected e-mail messages to its users.
Aiden must decide if the risk of theft is too high for him to purchase the new rims. A risk is the likelihood that the threat agent will exploit the vulnerability; that is, that the rims will be stolen. Realistically, risk cannot ever be entirely eliminated as it would cost too much and take too long. Rather, some degree of risk must always be assumed. An organization generally asks, “How much risk can we tolerate?”
Sometimes risk is illustrated as the calculation: Risk = Threat x Vulnerability x Cost.
There are three options when dealing with risks: accept the risk, diminish the risk, or transfer the risk. In Aiden’s case, he could accept the risk and buy the new rims, knowing there is the chance of them being stolen. Or he could diminish the risk by parking the car in a rented locked garage. A third option is for Aiden to transfer the risk to someone else. He can do this by purchasing additional car insurance; the insurance company then absorbs the loss and pays if the rims are stolen. In information security, most risks should be diminished if possible. Table 1-5 summarizes information security terms.
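Aiden’s decision, worked through in Python as an added example (not code from the textbook): the Risk = Threat x Vulnerability x Cost relation from above is read as an expected loss and each of the three options (accept, diminish, transfer) is applied to it. It goes one step beyond the text by also charging each option what its control costs (garage rent, insurance premium), so the options can be compared on total cost; all probabilities, dollar figures, and function names are constructed assumptions.

```python
"""Added example (not from the textbook): Risk = Threat x Vulnerability x Cost
applied to Aiden's rims, with the three ways of dealing with the risk. Every
number below is constructed for illustration; the textbook gives none."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    threat: float         # likelihood the threat agent acts within the period (0..1)
    vulnerability: float  # likelihood the weakness lets that action succeed (0..1)
    cost: float           # loss borne if it succeeds, in dollars

    def exposure(self) -> float:
        """Risk = Threat x Vulnerability x Cost, read as expected loss."""
        return self.threat * self.vulnerability * self.cost


def accept(r: Risk) -> Risk:
    """Buy the rims anyway and live with the chance they are stolen."""
    return r


def diminish(r: Risk, residual_vulnerability: float) -> Risk:
    """Reduce the weakness (a rented locked garage instead of the holed fence).
    The text notes risk can never be entirely eliminated, so a zero residual
    is rejected rather than silently accepted."""
    if not 0 < residual_vulnerability <= r.vulnerability:
        raise ValueError("residual vulnerability must be > 0 and not exceed the original")
    return replace(r, vulnerability=residual_vulnerability)


def transfer(r: Risk, deductible: float) -> Risk:
    """Insurance absorbs the loss above the deductible; Aiden keeps the rest."""
    return replace(r, cost=min(r.cost, deductible))


def compare_options(base: Risk, garage_vuln: float, garage_rent: float,
                    deductible: float, premium: float) -> dict:
    """Expected loss plus the cost of the control for each option (constructed
    extension of the text: the textbook compares the options qualitatively)."""
    options = {
        "accept":   (accept(base), 0.0),
        "diminish": (diminish(base, garage_vuln), garage_rent),
        "transfer": (transfer(base, deductible), premium),
    }
    table = {}
    for name, (r, control_cost) in options.items():
        exposure = round(r.exposure(), 2)
        table[name] = {"exposure": exposure, "control_cost": control_cost,
                       "total": round(exposure + control_cost, 2)}
    best = min(table, key=lambda n: table[n]["total"])
    return {"options": table, "best": best}


def tolerable(r: Risk, tolerance: float) -> bool:
    """The organization's question, "How much risk can we tolerate?", as a check."""
    return r.exposure() <= tolerance


def aiden() -> dict:
    # Constructed figures: rims worth $2,000; a 30% chance per year that a thief
    # tries; an 80% chance the fence hole lets the attempt succeed.
    base = Risk(threat=0.30, vulnerability=0.80, cost=2000.0)
    return compare_options(base, garage_vuln=0.05, garage_rent=240.0,
                           deductible=500.0, premium=200.0)


if __name__ == "__main__":
    result = aiden()
    for name, row in result["options"].items():
        print(f"{name:9s} expected loss {row['exposure']:8.2f}  "
              f"control {row['control_cost']:7.2f}  total {row['total']:8.2f}")
    print("lowest total cost:", result["best"])
```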
Understanding the Importance of Information Security
Information security is important to organizations as well as to individuals. The goals of information security are many and include preventing data theft, thwarting identity theft, avoiding the legal consequences of not securing information, maintaining productivity, and foiling cyberterrorism.
Preventing Data Theft
Security is often associated with theft prevention: Aiden parks his car in a locked garage to prevent the rims from being stolen. The same is true with information security: preventing data from being stolen is often cited by organizations as a
primary goal of information security. Business data theft involves stealing proprietary business information, such as research for a new drug or a list of customers that competitors would be eager to acquire.
According to a recent survey of 800 chief information officers, the companies they represented estimated they lost a combined $4.6 billion worth of intellectual property in one year alone and spent approximately $600 million repairing damage from data breaches.17
Data theft is not limited to businesses. Individuals are often victims of data thievery. One type of personal data that is a prime target of attackers is credit card numbers. These can be used to purchase thousands of dollars of merchandise online, without having the actual card, before the victim is even aware the number has been stolen. Reported losses from the fraudulent use of stolen credit card information continue to soar, exceeding $5 billion annually.18
The extent to which stolen credit card numbers are available can be seen in the price that online thieves charge each other for stolen card numbers. Because credit card numbers are so readily available, a stolen number can be purchased for as little as $2 per card, although for a card that has a guaranteed limit of over $82,000, the cost of the stolen number is $700. If a buyer wants to use a stolen card number to purchase products online, yet is afraid of being traced through the delivery address, a third-party online thief will make the purchase and forward the goods for a fee starting at only $30.19