Principles of Computer Security: CompTIA
Security+™ and Beyond (Exam SY0-301)
Third Edition
BaseTech / Principles of Computer Security: CompTIA Security+™ and Beyond / Wm. Arthur Conklin / 619-8 / Front Matter
P:\010Comp\BaseTech\619-8\FM.vp Wednesday, November 09, 2011 5:40:47 PM
■ About the Authors
Dr. Wm. Arthur Conklin is an assistant professor in the College of Technology at the University of Houston. Dr. Conklin has terminal degrees from the Naval Postgraduate School in electrical engineering and The University of Texas at San Antonio in business administration. Dr. Conklin’s research interests lie in the areas of software assurance and the application of systems theory to security issues associated with critical infrastructures. His dissertation was on the motivating factors for home users in adopting security on their own PCs. He has coauthored six books on information security and has written and presented numerous conference and academic journal papers. He has over ten years of teaching experience at the college level and has assisted in building two information security programs that have been recognized by the NSA and DHS as Centers of Academic Excellence in Information Assurance Education. A former U.S. Navy officer, he was also previously the Technical Director at the Center for Infrastructure Assurance and Security at The University of Texas at San Antonio.
Dr. Gregory White has been involved in computer and network security since 1986. He spent 19 years on active duty with the U.S. Air Force and is currently in the Air Force Reserves assigned to the Pentagon. He obtained his Ph.D. in computer science from Texas A&M University in 1995. His dissertation topic was in the area of computer network intrusion detection, and he continues to conduct research in this area today. He is currently the Director for the Center for Infrastructure Assurance and Security and is an associate professor of computer science at The University of Texas at San Antonio. Dr. White has written and presented numerous articles and conference papers on security. He is also the coauthor for five textbooks on computer and network security and has written chapters for two other security books. Dr. White continues to be active in security research. His current research initiatives include efforts in high-speed intrusion detection, community infrastructure protection, and visualization of community and organization security postures.
Dwayne Williams is Associate Director, Special Projects for the Center for Infrastructure Assurance and Security (CIAS) at the University of Texas at San Antonio and has over 18 years of experience in information systems and network security. Mr. Williams’s experience includes six years of commissioned military service as a Communications-Computer Information Systems Officer in the U.S. Air Force, specializing in network security, corporate information protection, intrusion detection systems, incident response, and VPN technology. Prior to joining the CIAS, he served as Director of Consulting for SecureLogix Corporation, where he directed and provided security assessment and integration services to Fortune 100, government, public utility, oil and gas, financial, and technology clients. Mr. Williams graduated in 1993 from Baylor University with a Bachelor of Arts in Computer Science. Mr. Williams is a Certified Information Systems Security Professional (CISSP) and coauthor of McGraw-Hill’s Voice and Data Security and CompTIA Security+ All-in-One Exam Guide.
Roger L. Davis, CISSP, CISM, CISA, is Program Manager of ERP systems at the Church of Jesus Christ of Latter-day Saints, managing the Church’s global financial system in over 140 countries. He has served as president of the Utah chapter of the Information Systems Security Association (ISSA) and various board positions for the Utah chapter of the Information Systems Audit and Control Association (ISACA). He is a retired Air Force lieutenant colonel with 30 years of military and information systems/security experience. Mr. Davis served on the faculty of Brigham Young University and the Air Force Institute of Technology. He coauthored McGraw-Hill’s CompTIA Security+ All-in-One Exam Guide and Voice and Data Security. He holds a master’s degree in computer science from George Washington University, a bachelor’s degree in computer science from Brigham Young University, and performed post-graduate studies in electrical engineering and computer science at the University of Colorado.
Chuck Cothren, CISSP, is the president of Globex Security, Inc., and applies a wide array of network security experience to consulting and training. This includes performing controlled penetration testing, network security policies, network intrusion detection systems, firewall configuration and management, and wireless security assessments. He has analyzed security methodologies for voice over IP (VoIP) systems and supervisory control and data acquisition (SCADA) systems. Mr. Cothren was previously employed at the University of Texas Center for Infrastructure Assurance and Security. He is coauthor of Voice and Data Security and CompTIA Security+ All-in-One Exam Guide. Mr. Cothren holds a B.S. in Industrial Distribution from Texas A&M University.
About the Technical Editor
Bobby E. Rogers is a principal information security analyst with Dynetics, Inc., a national technology firm specializing in the certification and accreditation process for the U.S. government. He also serves as a penetration testing team lead for various government and commercial engagements. Bobby recently retired from the U.S. Air Force after almost 21 years, where he served as a computer networking and security specialist and designed and managed networks all over the world. His IT security experience includes several years working as an information assurance manager and a regular consultant to U.S. Air Force military units on various cybersecurity/computer abuse cases. He has held several positions of responsibility for network security in both the Department of Defense and private company networks. His duties have included perimeter security, client-side security, security policy development, security training, and computer crime investigations. As a trainer, he has taught a wide variety of IT-related subjects in both makeshift classrooms in desert tents and formal training centers. Bobby is also an accomplished author, having written numerous IT articles in various publications and training materials for the U.S. Air Force. He has also authored numerous security training videos.
He has a Bachelor of Science degree in computer information systems from Excelsior College and two Associates in Applied Science degrees from the Community College of the Air Force. Bobby’s professional IT certifications include A+, Security+, ACP, CCNA, CCAI, CIW, CIWSA, MCP+I, MCSA (Windows 2000 & 2003), MCSE (Windows NT4, 2000 & 2003), MCSE: Security (Windows 2000 & 2003), CISSP, CIFI, CEH, CHFI, and CPTS, and he is also a certified trainer.
Principles of Computer Security: CompTIA
Security+™ and Beyond (Exam SY0-301)
Third Edition
Wm. Arthur Conklin
Gregory White
Dwayne Williams
Roger Davis
Chuck Cothren
New York Chicago San Francisco Lisbon London Madrid Mexico City Milan
New Delhi San Juan Seoul Singapore Sydney Toronto
Cataloging-in-Publication Data is on file with the Library of Congress
McGraw-Hill books are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative, please e-mail us at bulksales@mcgraw-hill.com.
Principles of Computer Security: CompTIA Security+™ and Beyond, Third Edition (Exam SY0-301)
Copyright © 2012 by The McGraw-Hill Companies. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
All trademarks or copyrights mentioned herein are the possession of their respective owners and McGraw-Hill makes no claim of ownership by the mention of products that contain these marks.
ISBN: Book p/n 978-0-07-178616-4 and CD p/n 978-0-07-178617-1 of set 978-0-07-178619-5
MHID: Book p/n 0-07-178616-3 and CD p/n 0-07-178617-1 of set 0-07-178619-8
Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
McGraw-Hill is an independent entity from CompTIA®. This publication and CD may be used in assisting students to prepare for the CompTIA Security+ exam. Neither CompTIA nor McGraw-Hill warrants that use of this publication and CD will ensure passing any exam. CompTIA and CompTIA Security+ are trademarks or registered trademarks of CompTIA in the United States and/or other countries. All other trademarks are trademarks of their respective owners.
SANS Institute IT Code of Ethics reproduced with permission, © SANS Institute.
Sponsoring Editor Timothy Green
Editorial Supervisor Janet Walden
Project Editor LeeAnn Pickrell
Acquisitions Coordinator Stephanie Evans
Technical Editor Bobby E. Rogers
Copy Editor LeeAnn Pickrell
Proofreader Paul Tyler
Indexer Rebecca Plunkett
Production Supervisor Jean Bodeaux
Composition Cenveo Publisher Services
Illustration Cenveo Publisher Services
Art Director, Cover Jeff Weeks
■ This book is dedicated to the many security professionals who daily work to ensure the safety of our nation’s critical infrastructures. We want to recognize the thousands of dedicated individuals who strive to protect our national assets but who seldom receive praise and often are only noticed when an incident occurs. To you, we say thank you for a job well done!
■ Acknowledgments
We, the authors of Principles of Computer Security: CompTIA Security+™ and Beyond, Third Edition, have many individuals who we need to acknowledge—individuals without whom this effort would not have been successful. This third edition would not have been possible without Tim Green, who navigated a myriad of problems and made life easier for the author team. He brought together an all-star production team that made this book more than just a new edition, but a complete learning system.
The list needs to start with those folks at McGraw-Hill who worked tirelessly with the project’s multiple authors and contributors and led us successfully through the minefield that is a book schedule and who took our rough chapters and drawings and turned them into a final, professional product we can be proud of. We thank all the good people from the Acquisitions team, Tim Green and Stephanie Evans; from the Editorial Services team, Janet Walden and LeeAnn Pickrell; from the Illustration and Production teams, Jean Bodeaux and Amarjeet Kumar and the composition team at Cenveo Publisher Services. We also thank the technical editor, Bobby Rogers; the copy editors, Bill McManus and LeeAnn Pickrell; the proofreader, Paul Tyler; and the indexer, Rebecca Plunkett; for all their attention to detail that made this a finer work after they finished with it.
We also need to acknowledge our current employers who, to our great delight, have seen fit to pay us to work in a career field that we all find exciting and rewarding. There is never a dull moment in security, because it is constantly changing.
We would like to thank Art Conklin for herding the cats on this one. Finally, we would each like to individually thank those people who—on a personal basis—have provided the core support for us individually. Without these special people in our lives, none of us could have put this work together.
Successful cat herders have many behind them helping them succeed. I owe thanks to many friends; their friendship and support make efforts such as this possible. And to Susan, my lovely wife and friend, thank you for your sacrifices that enable me to do the things I do.
—Art Conklin, Ph.D.
I would like to thank my wife, Charlan, for the tremendous support she has always given me. It doesn’t matter how many times I have sworn that I’ll never get involved with another book project only to return within months to yet another one; through it all, she has remained supportive.
I would also like to publicly thank the United States Air Force, which provided me numerous opportunities since 1986 to learn more about security than I ever knew existed.
To whoever it was who decided to send me as a young captain—fresh from completing my master’s degree in artificial intelligence—to my first assignment in computer security: thank you, it has been a great adventure!
—Gregory B. White, Ph.D.
For Macon. —Chuck Cothren
Geena, thanks for being my best friend and my greatest support. Anything I am is because of you. Love to my kids and grandkids!
—Roger L. Davis
To my wife and best friend Leah for your love, energy, and support— thank you for always being there. Here’s to many more years together.
—Dwayne Williams
ABOUT THIS BOOK
■ Important Technology Skills
Information technology (IT) offers many career paths and information security is one of the fastest-growing tracks for IT professionals. This book provides coverage of the materials you need to begin your exploration of information security.
In addition to covering all of the CompTIA Security+ exam objectives, additional material is included to help you build a solid introductory knowledge of information security.
Makes Learning Fun!— Rich, colorful text and illustrations bring technical concepts to life.
Engaging and Motivational — Using a conversational style and proven instructional approach, the authors explain technical subjects in a clear, interesting way using real-world examples.
Tech Tip sidebars provide inside information from experienced information security professionals.
Key Terms, identified in red, point out important vocabulary and definitions that you need to know.
Proven Learning Method Keeps You on Track
Designed for classroom use and written by instructors for use in their own classes, Principles of Computer Security: CompTIA Security+ and Beyond is structured to give you comprehensive knowledge of information security. The textbook’s active learning methodology guides you beyond mere recall and—through thought-provoking activities, labs, and sidebars—helps you develop critical-thinking, diagnostic, and communication skills.
Cross Check questions develop reasoning skills: ask, compare, contrast, and explain.
Offers Practical Experience— Tutorials and lab assignments develop essential hands-on skills and put concepts in real-world contexts.
Robust Learning Tools— Summaries, key term lists, quizzes, essay questions, and lab projects help you practice skills.
Notes, Tips, Warnings, and Exam Tips create a road map for success.
Chapter Review sections provide concept summaries, key terms lists, and lots of questions and projects.
Each chapter includes:
■ Learning Objectives that set measurable goals for chapter-by-chapter progress
■ Illustrations that give you a clear picture of the concepts and technologies
■ Try This!, Cross Check, and Tech Tip sidebars that encourage you to practice and apply concepts in real-world settings
■ Notes, Tips, and Warnings that guide you, and Exam Tips that give you advice or provide information specifically related to preparing for the exam
■ Chapter Summaries and Key Terms Lists that provide you with an easy way to review important concepts and vocabulary
■ Challenging End-of-Chapter Tests that include vocabulary-building exercises, multiple-choice questions, essay questions, and on-the-job lab projects
■ Effective Learning Tools
This feature-rich textbook is designed to make learning easy and enjoyable and to help you develop the skills and critical thinking abilities that will enable you to adapt to different job situations and to troubleshoot problems. Written by instructors with decades of combined information security experience, this book conveys even the most complex issues in an accessible, easy-to-understand format.
Try This! exercises apply core skills in a new setting.
Key Terms List presents the important terms identified in the chapter.
CONTENTS AT A GLANCE
Chapter 1 ■ Introduction and Security Trends 1
Chapter 2 ■ General Security Concepts 20
Chapter 3 ■ Operational and Organizational Security 50
Chapter 4 ■ The Role of People in Security 66
Chapter 5 ■ Cryptography 82
Chapter 6 ■ Public Key Infrastructure 116
Chapter 7 ■ Standards and Protocols 154
Chapter 8 ■ Physical Security 180
Chapter 9 ■ Network Fundamentals 208
Chapter 10 ■ Infrastructure Security 232
Chapter 11 ■ Authentication and Remote Access 264
Chapter 12 ■ Wireless Security 298
Chapter 13 ■ Intrusion Detection Systems and Network Security 322
Chapter 14 ■ Baselines 364
Chapter 15 ■ Types of Attacks and Malicious Software 396
Chapter 16 ■ E-Mail and Instant Messaging 430
Chapter 17 ■ Web Components 454
Chapter 18 ■ Secure Software Development 484
Chapter 19 ■ Disaster Recovery, Business Continuity, and Organizational Policies 502
Chapter 20 ■ Risk Management 536
Chapter 21 ■ Change Management 556
Chapter 22 ■ Privilege Management 572
Chapter 23 ■ Computer Forensics 594
Chapter 24 ■ Legal Issues and Ethics 610
Chapter 25 ■ Privacy 632
Appendix A ■ Objective Map 654
Appendix B ■ About the CD 666
■ Glossary 668
■ Index 684
CONTENTS
Preface xxi
Introduction xxiii
CompTIA Approved Quality Curriculum xxvi
Instructor and Student Web Site xxxi

Chapter 1 ■ Introduction and Security Trends 1
  The Security Problem 1
    Security Incidents 1
    Threats to Security 7
    Security Trends 10
  Avenues of Attack 11
    The Steps in an Attack 12
    Minimizing Possible Avenues of Attack 13
    Types of Attacks 14
  Chapter 1 Review 15

Chapter 2 ■ General Security Concepts 20
  Basic Security Terminology 21
    Security Basics 21
    Access Control 31
    Authentication 31
    Authentication and Access Control Policies 32
  Social Engineering 33
  Security Policies 34
    Change Management Policy 35
    Classification of Information 36
    Acceptable Use Policy 36
    Due Care and Due Diligence 38
    Due Process 38
    Need to Know 39
    Disposal and Destruction Policy 39
    Service Level Agreements 40
    Human Resources Policies 40
  Security Models 42
    Confidentiality Models 43
    Integrity Models 44
  Chapter 2 Review 46

Chapter 3 ■ Operational and Organizational Security 50
  Security Operations in Your Organization 51
    Policies, Procedures, Standards, and Guidelines 51
    The Security Perimeter 52
  Physical Security 53
    Access Controls 54
    Physical Barriers 56
  Environmental Issues 56
    Fire Suppression 57
  Wireless 58
    Electromagnetic Eavesdropping 59
  Location 60
  Chapter 3 Review 62

Chapter 4 ■ The Role of People in Security 66
  People—A Security Problem 67
    Social Engineering 67
    Poor Security Practices 72
  People as a Security Tool 76
    Security Awareness 76
    Individual User Responsibilities 77
  Chapter 4 Review 79

Chapter 5 ■ Cryptography 82
  Algorithms 84
  Hashing Functions 87
    SHA 89
    RIPEMD 90
    Message Digest 90
    Hashing Summary 92
  Symmetric Encryption 92
    DES 93
    3DES 94
    AES 94
    CAST 95
    RC 96
    Blowfish 97
    Twofish 98
    IDEA 98
    Symmetric Encryption Summary 98
  Asymmetric Encryption 99
    RSA 99
    Diffie-Hellman 100
    ElGamal 101
    ECC 101
    Asymmetric Encryption Summary 102
  Quantum Cryptography 102
  Steganography 103
  Cryptography Algorithm Use 105
    Confidentiality 105
    Integrity 105
    Nonrepudiation 106
    Authentication 106
    Key Escrow 107
    Digital Signatures 108
    Digital Rights Management 108
    Transport Encryption 109
    Cryptographic Applications 110
  Chapter 5 Review 112

Chapter 6 ■ Public Key Infrastructure 116
  The Basics of Public Key Infrastructures 117
  Certificate Authorities 119
  Registration Authorities 120
    Local Registration Authorities 122
  Certificate Repositories 122
  Trust and Certificate Verification 123
  Digital Certificates 126
    Certificate Attributes 127
    Certificate Extensions 128
    Certificate Lifecycles 129
  Centralized and Decentralized Infrastructures 134
    Hardware Storage Devices 135
    Private Key Protection 136
    Key Recovery 137
    Key Escrow 138
  Public Certificate Authorities 139
  In-House Certificate Authorities 140
    Choosing Between a Public CA and an In-House CA 140
    Outsourced Certificate Authorities 141
    Tying Different PKIs Together 142
    Trust Models 142
  Certificate-Based Threats 147
  Chapter 6 Review 149

Chapter 7 ■ Standards and Protocols 154
  PKIX and PKCS 156
    PKIX Standards 157
    PKCS 158
    Why You Need to Know the PKIX and PKCS Standards 160
  X.509 162
  SSL/TLS 163
  ISAKMP 164
  CMP 165
  XKMS 166
  S/MIME 168
    IETF S/MIME History 168
    IETF S/MIME v3 Specifications 169
  PGP 170
    How PGP Works 170
  HTTPS 171
  IPsec 172
  CEP 172
  FIPS 172
  Common Criteria for Information Technology Security (Common Criteria or CC) 173
  WTLS 173
  PPTP 174
  WEP 174
    WEP Security Issues 174
  ISO/IEC 27002 (Formerly ISO 17799) 175
  Chapter 7 Review 176

Chapter 8 ■ Physical Security 180
  The Security Problem 181
  Physical Security Safeguards 185
    Walls and Guards 185
    Policies and Procedures 187
    Access Controls and Monitoring 191
    Environmental Controls 194
    Fire Suppression 195
    Electromagnetic Interference 198
    Authentication 199
  Chapter 8 Review 204
Chapter 9 ■ Network Fundamentals 208
  Network Architectures 209
  Network Topology 210
  Network Protocols 211
    Packets 213
    TCP vs. UDP 214
    ICMP 215
  Packet Delivery 217
    Local Packet Delivery 217
    Remote Packet Delivery 218
    IP Addresses and Subnetting 219
    Network Address Translation 221
    Security Zones 222
    VLANs 226
  Tunneling 227
  Chapter 9 Review 228

Chapter 10 ■ Infrastructure Security 232
  Devices 233
    Workstations 233
    Servers 235
    Virtualization 236
    Network Interface Cards 236
    Hubs 237
    Bridges 237
    Switches 238
    Loop Protection 239
    Routers 239
    Firewalls 240
    Wireless 242
    Modems 243
    Telecom/PBX 245
    VPN 245
    Intrusion Detection Systems 246
    Network Access Control 246
    Network Monitoring/Diagnostic 247
    Mobile Devices 248
    Device Security, Common Concerns 249
  Media 249
    Coaxial Cable 249
    UTP/STP 250
    Fiber 251
    Unguided Media 252
  Security Concerns for Transmission Media 254
  Physical Security Concerns 254
  Removable Media 255
    Magnetic Media 255
    Optical Media 258
    Electronic Media 259
  Cloud Computing 259
    Software as a Service 260
    Platform as a Service 260
    Infrastructure as a Service 260
    Network Attached Storage 260
  Chapter 10 Review 261

Chapter 11 ■ Authentication and Remote Access 264
  The Remote Access Process 265
    Identification 266
    Authentication 266
    Authorization 271
    Access Control 272
  IEEE 802.1X 274
    Wireless Protocols 275
  RADIUS 275
    RADIUS Authentication 276
    RADIUS Authorization 277
    RADIUS Accounting 277
    Diameter 278
  TACACS+ 278
    TACACS+ Authentication 279
    TACACS+ Authorization 280
    TACACS+ Accounting 280
  Authentication Protocols 281
    L2TP and PPTP 281
    PPP 281
    PPTP 282
    EAP 283
    CHAP 283
    NTLM 284
    PAP 284
    L2TP 284
    Telnet 285
    SSH 285
  FTP/FTPS/SFTP 287
  VPNs 287
  IPsec 288