Security Terms Facts

Common security terms are listed below.

 Confidentiality ensures that data is not disclosed to unintended persons. This is provided through
encryption which converts the data into a form making it more likely to not be usable by an
unintended recipient.
 Integrity ensures that data is not modified or tampered with. This is provided through hashing.
 Availability ensures the uptime of the system so that data is available when needed.
 Authentication identifies and proves who you are. Examples of authentication include a password,
smart card, or biometrics.
 Authorization identifies what resources you can have access to.
 Accounting is logging the activity of the system.
 Non-repudiation provides validation of a message's origin. For example, if a user sends a digitally
signed e-mail, they cannot later claim later that the e-mail was not sent. Non-repudiation is
enforced by digital signatures.

In addition to these terms, you will often see the following that apply to multiple security goals:

 The CIA of Security refers to confidentiality, integrity, and availability. These are often identified
as the three main goals of security.
 AAA refers to authentication, authorization, and accounting. AAA is used in the process of access
control, allowing and controlling access to secured resources.

Active Directory Facts

Active Directory is a centralized database that contains user account and security information. In a
workgroup, security and management takes place on each computer, with each computer holding
information about users and resources. With Active Directory, all computers share the same central
database.

Active Directory organizes network resources and simplifies management using the following
components.

Component Description
A domain is an administratively-defined collection of network resources that share a
common directory database and security policies. The domain is the basic administrative
Domain unit of an Active Directory structure. Depending on the network structure and
requirements, the entire network might be represented by a single domain with millions
of objects, or the network might require multiple domains.
An organizational unit is like a folder that subdivides and organizes network resources
within a domain. An organizational unit:

 Is a container object
Organizational
 Can hold other organizational units
Unit (OU)
 Can hold objects such as users and computers
 Can be used to logically organize network resources
 Simplifies security administration
 Like OUs, generic containers are used to organize Active Directory objects. Generic
container objects:

Generic  Are created by default

Containers  Cannot be moved, renamed, or deleted
 Have very few properties you can edit

You cannot create generic containers. Use OUs instead.

Within Active Directory, each resource is identified as an object. Common objects
include:

 Users
 Groups
 Computers
Objects
 Printers
 Shared folders

Each object contains additional information about the shared resource that can be used
for locating and securing resources. The schema identifies the object classes (the type
of objects) that exist in the tree and the attributes (properties) of the object.
A domain controller is a server that holds a copy of the Active Directory database that
Domain
can be written to. Replication is the process of copying changes to Active Directory
Controller
between the domain controllers.

Group Policy Facts

A policy is a set of configuration settings that must be applied to users or computers. Collections of policy
settings are stored in a Group Policy object (GPO). The GPO is a collection of files that includes registry
settings, scripts, templates, and software-specific configuration values.

Each GPO has a common structure, with hundreds of configuration settings that can be enabled and
configured. Settings are divided into two categories:

GPO Category Description

Computer Computer policies (also called machine policies) are enforced for the entire computer,
Configuration and are initially applied when the computer boots. Computer policies include:

 Software that should be installed on a specific computer

 Scripts that should run at startup or shutdown
 Password restrictions that must be met for all user accounts
 Network communication security settings
 Registry settings that apply to the computer (the HKEY_LOCAL_MACHINE
subtree)

Computer policies also include a special category of policies called user rights. User
 rights identify system maintenance tasks and the users or groups who can perform
these actions. Actions include:

 Changing the system time

 Loading and unloading device drivers
 Removing a computer from a docking station
 Shutting down the system

Computer policies are initially applied as the computer boots, and are enforced before
any user logs on.
User policies are enforced for specific users, and are initially applied when the user logs
on. User policy settings include:

 Software that should be installed for a specific user

 Scripts that should run at logon or logoff
User
 Internet Explorer user settings (such as favorites and security settings)
Configuration
 Registry settings that apply to the current user (the HKEY_CURRENT_USER
subtree)

User policies are initially applied as the user logs on, and often customize Windows
based on user preferences.

GPOs apply to objects when they are linked to containers and configured with specific settings.

 GPOs can be linked to Active Directory domains or organizational units (OUs). Built-in containers
(such as the Computers container) cannot have GPOs linked to them.
 A GPO only affects the users and computers beneath the object to which the GPO is linked.
 A local GPO is stored on a local machine. It can be used to define settings even if the computer is
not connected to a network.
 A specific setting in a GPO can be:
o Undefined, meaning that the GPO has no value for that setting and does not change the
current setting.
o Defined, meaning that the GPO identifies a new value to enforce.
 GPOs are applied in the following order:

1. The Local Group Policy on the computer

2. GPOs linked to the domain that contains the User or Computer object
3. GPOs linked to the organizational unit(s) that contain(s) the User or Computer object
(from the highest-level OU to the lowest-level OU).
 Individual settings within all GPOs are combined to form the effective Group Policy setting as
follows:

o If a setting is defined in one GPO and undefined in another, the setting will be enforced
(regardless of the position of the GPO in the application order).
o If a setting is configured in two GPOs, the setting in the last-applied GPO will be used.

Access Control Models Facts

Access control is the process by which use of resources and services is granted or denied. When
implementing access control, one of several models can be used. The following table lists the most
commonly used access control models:

Access Control
Characteristics
Model
Mandatory access control uses labels for both subjects (users who need access)
and objects (resources with controlled access).

 Classification labels, such as secret or top secret, are assigned to objects by

the owner (usually a management or governmental entity).
 Clearance labels are assigned to subjects.
Mandatory Access
 When a subject's clearance lines up with an object's classification, and when
Control (MAC)
the user has a need to know (referred to as a category), the user is granted
access.
 Access control is mandatory in that access is based on policy (the matching
of the labels) rather than identity. Owners can only assign labels; they
cannot allow access to specific subjects.

Discretionary access control assigns access directly to subjects based on the

discretion (or decision) of the owner.

 Objects have a discretionary access control list (DACL) with entries for each
subject.
Discretionary Access  Owners add subjects to the DACL and assign rights or permissions. The
Control (DAC) permissions identify the actions the subject can perform on the object.
 With discretionary access control, subjects can pass permissions on to other
subjects.

Many computer systems use discretionary access control to limit access to systems
or other resources.
Role-based access control allows access based on a role in an organization, not
individual users.

Role-Based Access
 Roles are defined based on job description or a security access level.
Control (RBAC)
 Users are made members of a role, and receive the permissions assigned to
the role.

Rule-based access control uses characteristics of objects or subjects, along with

rules, to restrict access.

 Access control entries identify a set of characteristics that will be examined

for a match.
 If all characteristics match, access is either allowed or denied based on the
Rule-Based Access rule.
Control  An example of a rule-based access control implementation is a router
access control list that allows or denies traffic based on characteristics within
the packet (such as IP address or port number).
 Because rule-based access control does not consider the identity of the
subject, a system that uses rules can be viewed as a form of mandatory
access control.
Authentication Facts

To access resources on a network a user must prove who they are and that they have permissions to
access the resources. This process consists of the following:

 Identification is the initial process of confirming the identity of a user requesting credentials and
occurs when a users types in a user ID to log on. Identity proofing occurs during the identification
phase as the user proves that they are who they say they are in order to obtain credentials. If a
person has previously been identified, but cannot provide their assigned authentication
credentials, for example a lost password, then identity proofing is called upon again.
 Authentication is the verification of the issued identification credentials. It is usually the second
step after identification, and establishes the user's identity, ensuring that users are who they say
they are. 

The three ways a user can prove identity to an authentication server are:

Type Description
Something you know authentication requires you to provide a password or some other data
that you know. This is the weakest type of authentication. Examples of something you know
authentication controls are:

 Passwords, codes, or IDs

 PINs
 Pass phrases (long, sentence-length passwords)
Type 1  Cognitive information such as questions that only the user can answer such as:
Something o Your mother's maiden name
you know o The model or color of your first car
o The city where you were born
 Composition passwords, which are created by the system and are usually two or
more unrelated words divided by symbols on the keyboard

Note: Usernames are not a form of Type 1 authentication. Usernames are often easy to
discover or guess. Only the passwords or other information associated with the usernames
can be used to validate identity.
Type 2 Something you have (also called token-based authentication) is authentication based on
Something something a user has in possession. Examples of something you have authentication
you have controls are:

 Swipe cards (similar to credit cards) with authentication information stored on the
magnetic strip.
 Photo IDs are very useful when combined with other forms of authentication, but are
high risk if they are the only form of required authentication. Photo IDs are easily
manipulated or reproduced, require personnel for verification, and cannot be verified
against a system.
 Smart cards contain a memory chip with encrypted authentication information. Smart
cards can:
o Require contact such as swiping or they can be contactless.
 o Contain microprocessor chips with the ability to add, delete, and manipulate
data on it.
o Can store digital signatures, cryptography keys, and identification codes.
o Use a private key for authentication to log a user into a network. The private
key will be used to digitally sign messages.
o Be based on challenge-response. A user is given a code (the challenge)
which he or she enters into the smart card. The smart card then displays a
new code (the response) that the user can present to log in.

Types of token-based authentication are:

 Using a static password, the password is saved on the token device. Swiping the
token supplies the password for authentication.
 A synchronous dynamic password generates new passwords at specific intervals on
the hardware token. Users must read the generated password and enter it along
with the PIN to gain access.
 An asynchronous dynamic password generates new passwords based on an event,
such as pressing a key.
 A challenge-response password generates a random challenge string. The
challenge text is entered into the token along with the PIN, and the token uses both
to generate a response which is then used for authentication.

Smart cards typically use certificates for identification and authentication. With certificates,
the digital document is associated with a user in one of the following ways:

 With a one-to-one mapping, each certificate maps to an individual user account

(each user has a unique certificate).
 With many-to-one mapping, a certificate maps to many user accounts (a group of
users share the same certificate).

Digital certificates require the implementation of a PKI which have high administrative
overhead.
Type 3 Something you are authentication uses a biometric system. A biometric system attempts to
Something identify a person based on metrics or a mathematical representation of the subject's
you are biological attribute. This is the most expensive and least accepted, but is generally
considered to be the most secure form of authentication.

Common attributes used for biometric systems are:

 Fingerprints (end point and bifurcation pattern)

 Hand topology (side view) or geometry (top down view)
 Palm scans (pattern, including fingerprints)
 Retina scans (blood vein pattern)
 Iris scans (color)
 Facial scans (pattern)
 Voice recognition
 Handwriting dynamics
 Keyboard or keystroke dynamics (behavioral biometric systems)
o Dwell time (key press time)
o Flight time (how fingers move from key to key)

When implementing a biometric system, the attribute that is used for authentication must
 meet the following criteria:

 Universality means that all individuals possess the attribute.

 Uniqueness means that the attribute is different for each individual.
 Permanence means that the attribute always exists and will not change over time.
 Collectability ensures that the attribute can be measured easily.
 Performance means that the attribute can be accurately and quickly collected.
 Circumvention allows for acceptable substitutes for the attribute in case the original
attribute is missing or can't be read.
 Acceptability identifies the degree to which the technology is accepted by users and
management.

Biometrics include multiple scans of the biological attribute. Scans are then translated into a
numeric constellation map of critical points. That mathematical representation is bound to a
digital certificate that links to the subject's user account in the user database. Most biometric
systems require implementation of a PKI system.

You should be aware of the following terms used to measure the effectiveness of authentication solutions:

Measure Description
A false negative (or Type I error) occurs when a person who should be allowed access is
False
denied access. The False Rejection Rate (FRR) is a measure of the probability that a false
negative
negative will occur.
A false positive (or Type II error) occurs when a person who should be denied access is
allowed access. The False Acceptance Rate (FAR) is a measure of the probability that a
False positive
false positive will occur. False positives are more serious than false negatives and represent
a security breach because unauthorized persons are allowed access.
The crossover error rate, also called the equal error rate, is the point where the number of
Crossover
false positives matches the number of false negatives in a biometric system. Select the
error rate
system with the lowest crossover error rate within your budget.
The processing rate, or system throughput, identifies the number of subjects or
Processing
authentication attempts that can be validated. An acceptable rate is 10 subjects per minute
rate
or above.

To increase security, you can use a combination of authentication methods as described in these options:

Authentication
Description Example
Method
Two-factor Requires two (or more) different To enter a secured building, you must insert your
Three-factor authentication types to be key card (Type 2) and undergo a retina scan (Type
Multi-factor deployed. 3).
To log on to an online banking system, you enter
Requires two or more methods, your username, password, and then must answer a
Strong
but they can be of the same type. random personal question (such as your birthplace
or mother's maiden name).
To log in, you supply a username and a password
(the username is not used for authentication, so the
Uses credentials of only one type,
only credential supplied for authentication is the
One-factor but may require multiple methods
password)
within the same type
To log in, you supply a username, PIN, and a pass
phrase (all credentials are of the same type)
 Requires that both parties To log in, your computer sends its digital certificate
authenticate with each other to prove its identity to a network server. The server
Mutual
before beginning then proves its identity to your computer before they
communications. will exchange messages.

If you are considering implementing biometrics, keep in mind the following:

 Some biometric factors are unique even between identical twins.

 When a biometric is used by itself, it is no more secure than a strong password. A single
successful attack can subvert a biometric in much the same way that a single successful attack
can subvert a password.
 Biometric attacks need not be physical harm based (such as cutting off a finger), but can include
a wide variety of realistic reproductions that fool the biometric reader device.
 The most important consideration for a biometric device is accuracy.
 When a biometric device has its sensitivity set too high, it will result in numerous false rejections,
that is when authorized users are not recognized and therefore rejected.
 To use a biometric, new users must go through a physical enrollment process that is more
complex and time consuming than the enrollment process for a password only based system.
 Biometric enrollment requires the new users to prove their identity physically to a user
administrator, then the new user must provide the first example of their biometric to a reader
device under the supervision of the user administrator. This first example is digitized and stored
as a reference template. All future uses of the biometric will compare the contemporary biometric
sample offered to the historical recorded template.

Single Sign-on Facts

Enterprise environments frequently implement a type of Single Sign-on (SSO) authentication. SSO is a
distributed access method that allows a subject to log in (sign on) once to a network and access all
authorized resources on the network. The SSO system authenticates the subject against a master system
and automatically logs the subject on to all servers the subject is authorized to access. Once
authenticated, the subject can request access to additional resources without additional login credentials
or passwords. A SSO system is commonly used in directory systems and some types of scripted access.

Advantages of SSO include:

 It is a more efficient logon process. Users only need to type their user ID and password once.
 The user can create stronger passwords because there aren't so many passwords to remember.
 The need for multiple passwords and change synchronization is avoided.
 Access to all authorized resources with a single instance of authentication through a single set of
user credentials.
 Inactivity timeout and attempt thresholds are applied closer to the user point of entry.
 Improved effectiveness of disabling all network and computer accounts for terminated users
because of SSO's ability to add and delete accounts across the entire network from a centralized
database and one user interface.

Disadvantages of SSO include:

  Once a user's ID and password are compromised in the system, an intruder can access all of the
resources authorized for the user without constraint.
 The system security policy must be followed to ensure access is granted and/or limited to
appropriate users.
 Implementation with microcomputer systems is difficult and can prevent full implementation.
 Ticket schemes do not scale very well.
 SSO presents a single point of failure.

User Account and Password Facts

Usernames and passwords are common credentials used during authentication. The username identifies
the user, while the password is used for authentication to prove identity.

Method Description
Account lockout disables a user account after a specified number of incorrect logon
attempts.

 The Account lockout threshold (also called the clipping level) identifies the
number of incorrect logon attempts that are allowed before the account is locked.
 The Account lockout duration determines the length of time the account will be
disabled (in minutes). When the time period expires, the account will be unlocked
Account
automatically. When set to 0, an administrator must unlock the account.
lockout
 The Reset account lockout counter after setting identifies the period of time
during which invalid passwords are entered. For example, if this value is set to one
hour, and the account lockout threshold is set to 5, the user can enter up to 4
incorrect passwords within an hour without the account being locked.

Account lockout can be used to prevent guessing of passwords by attackers, but can also
be used maliciously to lock an account and prevent a valid user from logging on.
Account restrictions place restrictions upon the use of a user account for logon. For
example, you can:

 Allow login only during certain days and hours.

 Allow login only from specific computers.
Account  Expire user accounts for temporary users to prevent them from being used past a
restrictions certain date.
 Disable accounts that are not being used to prevent login. For example, you can
disable accounts for employees who have left but who have not yet been replaced,
or you can disable accounts for users who are gone for extended periods of time
(such as on a long vacation of leave of absence).

Account Account policies control the composition and use of passwords.

(password)
policies  The maximum password age requires users to change the password after a given
length of time.
 The password history requires users to enter unique passwords when changing
the password. The password history keeps track of the last several passwords,
 and prevents users from re-using any recently remembered password.
 The minimum password age identifies the time period where users cannot change
a recently-changed password. The minimum age prevents users from changing
passwords immediately after they've been changed, preventing users from
immediately changing the password back to the original password.
 The minimum password length identifies the minimum number of characters in a
password.
 A complex password prevents using passwords that are easy to guess or crack.
On a Microsoft system, complex passwords:
o Must be over 7 characters or more.
o Must include a minimum of three of the four types of special characters
(e.g., lower case letters, upper case letters, numbers, or !, @, #, $, %, ^, &,
*).
o Cannot use dictionary words or any part of the user login identification.

Be aware of the following for controlling user account and password security:

 For large environments, implement a password management system with a self-service password
reset management system to allow users to change their own passwords and then only they
know the password and no one else. In a system where passwords are handed out by
administrators, that users cannot change, passwords are very insecure. In this arrangement,
more than one person knows the password, no matter how complex the password may be and
that can affect the security of the system.
 Implement account auditing to track incorrect logon attempts. Small numbers of incorrect logon
attempts occur naturally as users mis-type or forget passwords. Large numbers of incorrect logon
attempts could identify a potential hacker trying to guess passwords.
 Scan systems to identify unused user accounts or accounts with blank passwords.
 When implementing account lockout and account policies on Microsoft systems:
o The local security policy controls policies for user accounts defined on a local system.
o Policy settings in Group Policy linked to the domain control settings for all user accounts
in the domain. Settings defined at other levels in Group Policy do not affect password or
account lockout settings.

Hackers can use the following methods to try and discover passwords:

 Using tools to check for unencrypted or weakly encrypted passwords sent through the network.
 Guessing passwords by trying:
o Default passwords for new systems
o Blank passwords
o Use password as the password
o Rows of letters on the keyboard (e.g., qwerty)
o User's name or login name
o Name of significant other, pet, etc.
o Birthdate
o Name of celebrity
 Using social engineering to get a user to reveal the password. For example, the attacker can
pretend to be an administrator that needs the user's password.
 Trying all possible dictionary words.
 Using a brute force attack that tries all character combinations, not just words in the dictionary.
 Reverse engineering password hashes that have been captured by using precomputation
(Rainbow tables).
In addition to using account lockout, account restrictions, and password policies, use the following
strategies to protect against password attacks:

 Educate users on how to create and remember strong passwords. Enforcing strict password
restrictions might actually weaken network security if you do not educate users about proper
procedures to take to protect logon credentials. If users do not understand the restrictions that
have been implemented, they might try to circumvent these restrictions by writing down
passwords. Take the following measures to educate users:
o Tell users that they should not write down passwords or share logon credentials with
other users.
o Teach users how to construct and remember complex passwords. For example, for the
password bw2Fs3d, users might create the following sentence: bob went 2 the "capital"
Florist shop 3 times daily.
o Educate users about social engineering tactics. Instruct them not to respond to requests
for passwords from administrators or other seemingly trusted personnel. Implement
policies that prevent administrators from asking for sensitive information.
 Protect access to the password file. Passwords are typically stored in a password database file
that uses a one-way encryption algorithm (hashing). Use methods available in the operating
system to protect the password file.
 Apply a salt when hashing passwords. A salt is a value chosen randomly by the system at the
time the password is created which is incorporated into the calculation of the hashed password,
then is stored with the hashed password. Applying a salt allows two users with the same
password to have different hashed values, thus making it harder to create pre-built dictionaries of
likely hashes.
 Implement two-factor authentication.

Authorization Facts

Authorization is the process of controlling access to resources, such as computers, files, or printers.
When managing access to resources, be aware of the following:

 A group is an object that identifies a set of users with similar access needs. Microsoft systems
have two kinds of groups: distribution and security groups. Only security groups can be used for
controlling access to objects.
 An access control list (ACL) identifies users or groups who have specific security assignments to
an object. On a Microsoft network, the term permission identifies the type of access that is
allowed or denied for the object. For example, permissions for a file include read and write, and
can either allow or deny the specified access.
 A discretionary access list (DACL) is an implementation of discretionary access control (DAC).
Owners add users or groups to the DACL for an object and identify the permissions allowed for
that object.
 A system access list (SACL) is used by Microsoft for auditing to identify past actions performed
by users on an object.
 Assigning permissions to a group grants those same permissions to all members of the group.
 On a Microsoft system, a user right is a privilege or action that can be taken on the system, such
as logging on, shutting down the system, backing up the system, or modifying the system date
and time. Permissions apply to objects (files, folders, printers, etc.), while user rights apply to the
entire system (computer).
  A security principal is an object that can be given permissions to an object. Security principals
include users, groups, and computers.
 Each security principal is given a unique identification number called a SID (security ID).
 When a security principal logs on, an access token is generated. The access token is used for
controlling access to resources and contains the following information:
o The SID for the user or computer
o The SID for all groups the user or computer is a member of
o User rights granted to the security principal

When the security principal tries to access a resource or take an action, information in the access
token is checked. For example, when a user tries to access a file, the access token is checked for
the SID of the user and all groups. The SIDs are then compared to the SIDs in the object's DACL
to identify permissions that apply.

 On a Microsoft system, the access token is only generated during authentication. Changes made
to group memberships or user rights do not take effect until the user logs on again and a new
access token is created.

Authorization Facts

Authorization is the process of controlling access to resources, such as computers, files, or printers.
When managing access to resources, be aware of the following:

 A group is an object that identifies a set of users with similar access needs. Microsoft systems
have two kinds of groups: distribution and security groups. Only security groups can be used for
controlling access to objects.
 An access control list (ACL) identifies users or groups who have specific security assignments to
an object. On a Microsoft network, the term permission identifies the type of access that is
allowed or denied for the object. For example, permissions for a file include read and write, and
can either allow or deny the specified access.
 A discretionary access list (DACL) is an implementation of discretionary access control (DAC).
Owners add users or groups to the DACL for an object and identify the permissions allowed for
that object.
 A system access list (SACL) is used by Microsoft for auditing to identify past actions performed
by users on an object.
 Assigning permissions to a group grants those same permissions to all members of the group.
 On a Microsoft system, a user right is a privilege or action that can be taken on the system, such
as logging on, shutting down the system, backing up the system, or modifying the system date
and time. Permissions apply to objects (files, folders, printers, etc.), while user rights apply to the
entire system (computer).
 A security principal is an object that can be given permissions to an object. Security principals
include users, groups, and computers.
 Each security principal is given a unique identification number called a SID (security ID).
 When a security principal logs on, an access token is generated. The access token is used for
controlling access to resources and contains the following information:
o The SID for the user or computer
o The SID for all groups the user or computer is a member of
o User rights granted to the security principal
 When the security principal tries to access a resource or take an action, information in the access
token is checked. For example, when a user tries to access a file, the access token is checked for
the SID of the user and all groups. The SIDs are then compared to the SIDs in the object's DACL
to identify permissions that apply.

 On a Microsoft system, the access token is only generated during authentication. Changes made
to group memberships or user rights do not take effect until the user logs on again and a new
access token is created.

Physical Security Facts

Physical security is the protection of corporate assets from threats such as theft or damage. There are
three factors to keep in mind with physical security:

 Prevention is making the location less tempting to break into.

 Detection is identifying what was broken into, what is missing, and the extent of the damage.
 Recovery is the review of the physical security procedures, fixing any damage, and hardening the
physical security of the company against future problems.

Important aspects of physical security are:

 Restricting physical access to facilities and computer systems

 Preventing interruptions of computer services caused by problems such as loss of power or fire
 Preventing unauthorized disclosure of information
 Disposing of sensitive material
 Protecting the interior and exterior of your facility

The table below lists physical control measures and their characteristics:

Control
Characteristics
Measure
For a secure facility, the first physical security measure is to secure the building perimeter
and restrict access to only secure entry points. Methods for securing the perimeter include:

 Fences provide an environmental barrier that prevents easy access to the facility.
o A low fence (3 to 4 feet) acts as a deterrent to casual intrusion.
o A higher fence (6 to 7 feet) acts as a deterrent unless the trespasser has a
specific intent to violate security.
o A fence 8 feet or higher topped with barbed wire is an effective deterrent.
Perimeter  Guard dogs are generally highly reliable but appropriate only for physical perimeter
barriers security. They can be expensive to keep and maintain, and their use might raise
issues of liability and insurance.
 Lighting deters casual intruders, helps guards see intruders, and is necessary for
most cameras to monitor the area. To be effective, lights should be placed to
eliminate shadows or dark spots.
 Security guards offer the best protection for perimeter security because they can
actively respond to a variety of threat situations. However, guards are expensive,
require training, and can be unreliable or inconsistent.

Closed-circuit Closed-circuit television can be used as both a preventative tool (when monitoring live
television events) or as an investigative tool (when events are recorded for later playback). Camera
 types include:

 A bullet camera has a built-in lens and is long and round in shape. Most bullet
cameras can be used indoor or outdoor.
 A c-mount camera has interchangable lenses and is typically rectangle in shape
with the lens on the end. Most c-mount cameras require a special housing to be
used outdoors.
 A dome camera is a camera protected with a plastic or glass dome. These cameras
are more vandal-resistant than other cameras.
 A Pan Tilt Zoom (PTZ) camera lets you dynamically move the camera and zoom in
on specific areas to monitor (cameras without PTZ capabilities are manually set
looking a specific direction). Automatic PTZ mode automatically moves the camera
between several preset locations; manual PTZ lets an operator remotely control the
position of the camera.

When selecting cameras, be aware of the following characteristics:

 The focal length measures the magnification power of a lens. The focal length
(CCTV) controls the distance that the camera can see, as well as how much detail can be
seen at a specific range.
o The focal length is expressed in millimeters (mm). A higher focal length lets
you see more detail at a greater distance.
o Most cameras have a 4mm lens with a range of 30-35 feet, allowing you to
see facial features at that distance.
o A fixed lens camera has a set focal length. A varifocal camera lens lets you
adjust the focus (zoom).
 A lens with a 70 degree angle of view is the largest view angle possible without
distorting the image.
 The resolution is rated in the number of lines (such as 400) included in the image.
In general, the higher the resolution, the sharper the image.
 LUX is a measure of the sensitivity to light. The lower the number, the less light
needed for a clear image.
 Infrared cameras can record images in little or no light. Infrared cameras have a
range of about 25 feet in no light, or further in dimly-lit areas.

When used in a preventative way, you must have a guard or other person available who
monitors one or more cameras.
Doors Doors can enhance security if they are properly implemented. Specific door types include:

 A mantrap is a specialized entrance with two doors that creates a security buffer
zone between two areas.
o Once a person enters into the space between the doors, both doors are
locked.
o To enter the facility, authentication must be provided. This may include
visual identification and identification credentials.
o Mantraps should permit only a single person to enter, and authentication
must be provided by each person.
o If authentication is not provided, the intruder is kept in the mantrap until
authorities arrive.
 A turnstile is a barrier that permits entry in only one direction.
o Physical turnstiles are often used to control entry for large events such as
concerts or sporting events.
o Optical turnstiles use sensors and alarms to control entry.
 o Turnstiles are often used to permit easy exit from a secure area. Entry is
controlled through a mantrap or other system that requires authentication
for entry.
 A double entry door has two doors that are locked from the outside but with crash
bars on the inside that allow easy exit. Double entry doors are typically used only
for emergency exits, and alarms sound when the doors are opened.

Regular doors are susceptible to social engineering attacks such as piggybacking

(tailgating) where an unauthorized person will ask an authorized person to "hold the door."
Mantraps and turnstiles that permit only a single person and require individual
authentication are effective deterrents to piggybacking.
Door locks allow access only to those with the proper key. Lock types include:

 Pick resistant locks, with restricted key duplication, are the most secure key lock. It
is important to note that all traditional key locks are vulnerable to lock-picking
(shimming).
 Keypad locks require knowledge of a code and reduce the threat from lost keys and
Door locks cards. Clean keypads frequently to remove indications of buttons used.
 Electronic systems often use key cards (or ID badges) instead of keys to allow
access. Dumb cards contain limited information. Smart cards have the ability to
encrypt access information.
 Biometric locks increase security by using fingerprints or iris scans. They reduce the
threat from lost keys or cards. 

Physical Physical access logs are implemented by guards of a facility and require everyone gaining
access logs access to the facility to sign in.  
Physical access controls can be implemented inside the facility.

 Physical controls may include key fobs, swipe cards, or badges.

 To control access to sensitive areas within the facility, require a card swipe or
reader.
 Some systems can track personnel movement within a facility and proactively lock
or unlock doors based on the access token device.
Physical
 An anti-passback system prevents a card holder from passing their card back to
access
someone else.
controls
 Physical controls are often implemented together with sensors and alarms to detect
unauthorized access.
o Photoelectric sensors detect motion and are best suited to detect a
perimeter breach rather than interior motion detection.
o Wave pattern, heat sensing, and ultrasonic sensors are all better suited for
interior motion detection than perimeter breach detection.

Physical security should deploy in the following sequence. If a step in the sequence fails, the next step
should implement itself automatically.

1. Deter initial access attempts.

2. Deny direct physical access.
3. Detect the intrusion.
4. Delay the violator to allow for response.
When designing physical security, implement a layered defense system. A layered defense system is one
in which controls are implemented at each layer to ensure that defeating one level of security does not
allow an attacker subsequent access. Using multiple types of security controls within the same layer
further enhances security. Tips for implementing a multi-layered defense system are:

 Protect entry points with a card access system (or some other type of control) as well as a
security camera.
 Use a reception area to prevent the public, visitors, or contractors from entering secure areas of
the building without an escort.
 Use the card access or other system to block access to elevators and stairwells. This will prevent
someone who successfully tailgates from gaining further access.
 Use a different access system to secure offices or other sensitive area such as key locks, keypad
locks, or biometric controls.
 Implement security within offices and data centers using locking storage areas and computer
passwords.

Perform physical security inspections quarterly. Violations should be addressed in a formal manner with
warnings and penalties imposed.

Best Practices Facts

Access control best practices take into consideration the following security principles:

Principles Description
The principle of least privilege states that users or groups are given only the access they
need to do their job (and nothing more). Common methods of controlling access include:

 With implicit deny, users or groups which are not specifically given access to a
resource are denied access. Implicit deny is the weakest form of privilege control.
 Explicit allow specifically identifies users or groups who have access. Explicit
Principle of
allow is a moderate form of access control in which privilege has been granted to
least privilege
a subject.
 Explicit deny identifies users or groups who are not allowed access. Explicit deny
is the strongest form of access control and overrules all other privileges granted.

When assigning privileges, be aware that it is often easier to give a user more access
when they need it than to take away privileges that have already been granted.
Need to know describes the restriction of data that is highly sensitive and is usually
referenced in government and military context. Important facts to know about need to
know include:

 Even if an individual is fully cleared, information is still not divulged to persons who
Need to know simply don't need to know the information to perform their official duties. 
 Need to know discourages casual browsing of sensitive materials.
 In a classified environment, a clearance into a Top Secret compartment only
allows access to certain information within that compartment. This is a form of
MAC.

Separation of Separation of duties is the concept of having more than one person required to complete a
 task. This helps prevent insider attacks because no one person has end-to-end control
and no one person is irreplaceable. Important facts to know about separation of duties
include:

 System users should have the lowest level of rights and privileges necessary to
perform their work and should only have them for the shortest length of time
possible.
duties  To achieve a separation of duties, a business can use the principle of split
knowledge. This means that no single person has total control of a system's
security mechanisms, so no single person can completely compromise the
system.
 In cases of sensitive or high-risk transactions, a business can use two man
control. This means that two operators must review and approve each other's
work. 

Job rotation is a technique where users are cross-trained in multiple job positions, and
where responsibilities are regularly rotated between personnel. Job rotation:

 Cross trains staff in different functional areas in order to detect fraud.

Job rotation
 Exchanges positions of two or more employees to allow for an oversight of past
transactions.
 Can be used for training purposes.

Defense-in-depth is an access control method which implements multiple access control

Defense-in-
methods instead of relying on a single method. Multiple defenses make it harder to bypass
depth
the security measures.

Creeping privileges occurs when a user's job position changes and they are granted a new set of access
privileges and their previous access privileges are not removed or modified. As a result, the user
accumulates privileges over time that are not necessary for their current work tasks. The principle of least
privilege and separation of duties are countermeasures against creeping privileges.

Cryptography Facts

Cryptography is the science of converting data into a secret code to hide the meaning of the message
during transmission. Cryptographic systems provide the following security services:

 Confidentiality, by ensuring that only authorized parties can access data.

 Integrity, by verifying that data has not been altered in transit.
 Authentication, by proving the identity of the sender or receiver.
 Non-repudiation, by validating that communications have come from a particular sender at a
particular time.

The following terms are related to cryptography:

Term Definition
Plaintext Plaintext is a readable message.
Cipher text is the message in a form that makes it unreadable to all but those for whom
Cipher text
the message was intended.
Cryptographer A cryptographer is a person who develops ways of converting plaintext to cipher text.
Cryptanalysis is the method of recovering original data that has been encrypted without
having access to the key used in the encryption process. This can be done to measure
Cryptanalysis
and validate the strength of a cryptosystem. It can also be done to violate the
confidentiality and/or integrity of a cryptosystem.
A cryptosystem is the associated items of cryptography that are used as a unit to provide
Cryptosystem
a single means of encryption and decryption.
Cryptology Cryptology is the study of cryptography and cryptanalysis.
A key is a variable in a cipher used to encrypt or decrypt a message. The key should be
kept secret.
Key
The key space is the range of the possible values that can be used to construct a key.
Generally speaking, the longer the key space, the stronger the cryptosystem.
A cipher or algorithm is the process or formula used to convert a message or otherwise
hide its meaning. Examples of algorithms include:

 A transposition cipher (also called an anagram) changes the position of

characters in the plaintext message.
Algorithm  A substitution cipher replaces one set of characters with symbols or another
character set. A code substitutes hidden words with unrelated terms.
 A one-time pad is a cryptography method in which the plaintext is converted to
binary and combined with a string of randomly generated binary numbers
(referred to as the pad). It is a form of substitution.

Encryption is the process of using an algorithm to transform data from plaintext to a cipher
Encryption text in order to protect the confidentiality, integrity, and sometimes the authenticity of the
message.
Decryption Decryption is the procedure used to convert data from cipher text into plaintext.
Steganography, literally meaning "concealed writing", hides data or a message such that
only the sender or the recipient suspects that the hidden data exists. Examples of
steganography include:

 Embedding still pictures in a video stream. The picture can only be viewed by
stepping through the video frame-by-frame (playing the video in real time hides
the image because the eye cannot see one single frame within the video).
 Hiding text messages or hiding alternate images within a photograph. With this
Steganography method, data is distributed inside the last 2 bits of each color. When viewed
normally, the hidden information cannot be detected. Using special tools, the data
in the last 2 bits of each color is extracted to recreate the original.
 With watermarking, hidden data is embedded into an image or a file to prove
ownership. Because the file contains the special data sequence, a file with that
embedded data could only have come from the original source.
 Microdots is a technique of shrinking an image down to the size of a period, then
including the microdot in a seemingly harmless message.
Hashing Facts

A hash is a function that takes a variable-length string (message) and compresses and transforms it into a
fixed-length value. Important facts about hashes are:

 Hashes ensure the data integrity of files and messages in transit.

 Hashes do not ensure confidentiality (in other words, hashes are not used to encrypt data).
 A hash is a one-way function. You cannot reproduce the message by running it back through the
hash (or a different hash).
 The hash value (output) is also referred to as a message digest or digital fingerprint.
 The sender and the receiver use the same hashing algorithm on the original data. If the hashes
match, then the data can be assumed to be unmodified.

The larger the message digest the more secure the hash. The predominate hashing algorithms in use
today are:

 MD-5 developed by RSA (Rivest-Shamir-Adleman). MD-5 generates a message digest of 128

bits.
 SHA-1 developed by NIST and NSA. SHA-1 generates a message digest of 160 bits.

Hashing is often used for the following:

Use Description
Hashes are often used to prove the integrity of downloaded files. After a file is
downloaded, the recipient creates a hash of the file. If the recipient's hash matches the
hash of the original file you know that:

 The downloaded file is complete (no missing parts).

 The downloaded file was not corrupted during the download process.
File integrity
 The downloaded file is the same as the original and has not been altered by
inserting malicious code or replacing the original file with a virus or other
destructive file.

For this reason, files available for download are typically not encrypted, as the data
integrity of the file can be proven with the hash.
Hashes can be used to secure logon credentials during the exchange. The password is
used as the key to perform a hash on a challenge text value, and only the hashed value is
passed and not the password. The receiving host uses the same method to compare the
hashes to verify the identity of the user. Examples of protocols that use this method are:
Secure logon
credential  LANMAN
exchange
 NTLM
 CHAP
 MS-CHAP

Be aware of the following regarding hashes:

 Strong hash outputs should contain a large number of bits. This makes the duplication of the
hash value by an attacker more difficult.
 Hashes should be produced from the entire message, not just a portion of the message.
  Good hashing algorithms have high amplification, also known as the avalanche effect. This
means that a small change in the message results in a big change in the hashed value.
 Collision is the term used to describe a situation in which two different messages produce the
same hash value. This is an indication that a stronger hashing algorithm should be used.
 Collision resistance is the term used to describe a hash algorithm's ability to avoid the same
output from two guessed inputs.
 A birthday attack is a brute force attack in which the attacker hashes messages until one with the
same hash is found. This type of attack is based on the statistic that there is more than a 50%
chance that two out of 23 people in a room will have the same birthday. To match a selected day,
253 people would need to be in the room.
 A hacker may use a rainbow table when trying to identify a password through reverse
engineering. A rainbow table is a table of the hash value associated with all possible passwords.
Using the table, a computer can quickly compare the hash values being transmitted across the
wire to find a corresponding password value from the table.
 Salting the hash helps to mitigate rainbow table attacks by adding random bits to the password
before hashing takes place, thereby producing an entirely different hash value for the password.
Because the hacker does not know the extra random bits, the rainbow table will now be of no
value.

Symmetric encryption algorithms I had this really cool idea to walk around the block cast in the stream
for fish, caught 2 fish, both blowfish, was my destiny

Block Cipher vs. Stream cipher

RC4,RC5,RC6, (REALLY COOL)

IDEA block (IDEA)

CAST stream

TWOFISH BLOWFISH

DES,3DES, AES (rijandael)

Symmetric Encryption Facts

Symmetric key encryption (also known as secret key encryption, pre-shared key or private key
encryption) uses only one key to encrypt and decrypt data.

 Symmetric key encryption is a form of cryptography that provides confidentiality with a weak form
of authentication or integrity.
 Symmetric encryption is well suited for bulk encryption of less sensitive data because it is less
CPU-intensive than other encryption methods.
 Before communications begin, both parties must exchange the shared secret key using a secure
channel. This is often done manually or with some form of asymmetric key cryptography.
 Each pair of communicating entities requires a unique shared key. This means that the number of
keys required grows exponentially as the number of communication partners grows. For example,
1,000 users in a system would require the generation of almost 500,000 different keys.
  The key space is typically short, ranging from 56-bits to a maximum of 512-bits. (As the number
of bits in the key increases, so does the strength of the encryption. However, the greater the
number of bits in the key, the more CPU resources are required to perform the encryption.)
 Symmetric encryption uses two algorithm types:

Method Description
Block ciphers encrypt by transposing plaintext to cipher text in chunks (block-by-block).
Block ciphers:

o Are fast.
Block
o Can process large amounts of data. They do not process small amounts
of data well.
o Are typically implemented in software.

Stream ciphers use a sequence of bits known as a keystream which is the key used for
encryption. The encryption is performed on each bit within the stream in real time.
Stream ciphers:

Stream o Are best used for small amounts of data, usually less than 64 bits.
o Are slower than symmetric key block ciphers.
o Are best implemented in hardware because the data size makes it
infeasible to have enough RAM or CPU cycles to process the data.

Common symmetric cryptography methods include:

 Rivest Cipher (RC)

 International Data Encryption Algorithm (IDEA)
 Carlisle Adams Stafford Tavares (CAST)
 Twofish
 Blowfish
 Data Encryption Standard (DES)
 Triple DES (3DES)
 Advanced Encryption Standard (AES)

Be aware of the following:

 DES was one of the first symmetric encryption methods and is now obsolete (known weaknesses
can be used to break the encryption).
 3DES improves upon DES by applying the encryption three times. It is an acceptable alternative
to DES.
 AES is stronger and faster than 3DES when implemented with a large key size (256-bits).
 Blowfish and Twofish were alternatives to DES, but AES was selected as the protocol to
implement to replace DES.

Asymmetric Encryption Facts

Asymmetric encryption, also known as public key encryption, uses two keys that are mathematically
related. Both keys together are called the key pair.

 The public key is made available to anyone; the private key is kept secret.
  Use one key to encrypt and the other to decrypt. For example, if data is encrypted with the public
key, use the private key to decrypt the data.
 The strength of an asymmetric encryption system lies in the secrecy and security of its private
keys. If the private key is ever discovered, a new key pair must be generated.
 Both private and public keys are created on a local machine by a local security authority (the
security kernel) and a cryptographic service provider (CSP).
 Asymmetric encryption of large amounts of data is slow and requires high CPU usage.
Processing speeds are much slower (about 1,000 times slower) than symmetric key encryption.
 Asymmetric encryption requires fewer keys than symmetric key encryption, because only two
keys per user are required (not a key for every communicating partner). For example, 1,000 users
would require a total of 2,000 keys.

Asymmetric key encryption can provide confidentiality (encryption), strong authentication, and non-
repudiation. Asymmetric encryption is used for:

 Digital signing to confirm the integrity of the message and the authenticity of the sender.
 Key exchange to ensure keys are secure during transit. Asymmetric encryption is often used to
securely exchange symmetric keys.
 Data encryption to secure data.

Asymmetric encryption protocols include:

 Diffie-Hellman is a key exchange protocol used for generating and securely exchanging
symmetric encryption keys.
 ElGamal is a protocol used for encryption and is based on Diffie-Hellman. ElGamal is used in the
free GNU Privacy Guard software and recent versions of PGP. A variation of ElGamal, the Digital
Signature Algorithm, is used for digital signatures, but is very slow.
 RSA is a protocol used for both encryption and digital signatures. It was developed by Rivest,
Shamir, and Adleman and uses the multiplication of large prime numbers for encryption.
 Elliptic curve cryptography (ECC) is an approach to cryptography that uses a finite set of values
within an elliptic curve (an algebraic set of numbers). Elliptic curve cryptography is a more
efficient algorithm than other asymmetric algorithms (for example, a key size of 60 bits is
equivalent to a 1024-bit key used with RSA). Elliptic curve methods have been deployed for
encryption, digital signatures, and key exchange.

Asymmetric encryption is used with the following protocols:

 SSL/TLS
 IPSec
 VPNs (PPTP, L2TP, SSTP)
 S/MIME and PGP for e-mail security
 SSH tunnels

Certificate Lifecycle Facts

A digital certificate, also referred to as a public key certificate or identity certificate, is an electronic
document that uses a digital signature to bind together a public key with an identity. Identity information
includes the name of a person, computer, or organization. The certificate is the best way to provide non-
repudiation and can be used to verify that a public key belongs to an individual.

A public key infrastructure (PKI) is a hierarchy of computers that issue and manage certificates. A
Certificate Authority (CA) is the entity that issues certificates. The following process is used to request,
issue, and manage certificates:
 1. To request a certificate, a client must first generate a public and private key pair. The key pair is
generated by an application called a Cryptographic Service Provider (CSP). The CSP uses a
specific algorithm for generating the key pair.
2. The client requests a certificate from a CA by sending identifying information along with a copy of
the public key. The certificate request is digitally signed using the private key.
3. The CA uses information in the certificate request to approve or deny the certificate. How the
certificate is approved is dictated by the approval policy on the CA.
o A manual policy requires an administrator to manually approve or deny all requests
coming in.
o An automatic policy allows the CA to review information within the request to determine if
it is valid information. Based upon that information it can approve or deny automatically.

The CA performs identity proofing, in that the information submitted to prove identity is verified.
The purpose of this process is for the CA to validate that you are who you say you are.

4. If the certificate request is approved, the certificate is issued to the client. Issuance policies on the
CA identify the certificates that the CA is allowed to issue. For example, issuance policies can
restrict a CA to:
o Only be able to issue certain types of certificates.
o Only be able to issue certificates for a particular use.
o Only issue certificates that are valid for a specific amount of time.
5. Certificates are issued with a valid lifetime period. As the expiration time period approaches,
certificates can be renewed by submitting a renewal request. Instead of requesting a new
certificate, clients should renew existing certificates.
6. If a certificate becomes compromised, such as the private key being lost or stolen, it can be
revoked. This can be accomplished by going to the CA and revoking the certificate. Before
accepting a certificate, a client validates that the certificate has not been revoked. Two methods
exist for checking for revoked certificates:
o The Certificate Revocation List (CRL) is a list of certificates revoked by the CA. Clients
download the entire CRL and check the CRL for a certificate.
o With the Online Certificate Status Protocol (OCSP), clients can submit a verification
request for a specific certificate to a special server called an online responder. The online
responder maintains a list of revoked certificates, and responds to certificate status
requests on a certificate-by-certificate basis.

Certificates are used for proof of identity and for secure communications. The following process is an
example of using SSL and certificates to secure Web transactions:

1. A client with a Web browser accesses a Web server that is using HTTPS (SSL).
2. The server sends the client a copy of the SSL certificate that it obtained from a CA.
3. The client verifies information in the SSL certificate to decide if it trusts the certificate. The client
checks:
o Does the subject name in the certificate match the URL that was typed in the Web
browser?
o Has the certificate expired?
o Does the client trust the issuing CA? Every browser has a Trusted Root CA list that
identifies trusted CAs on the Internet. The browser compares the signature of the issuing
CA on the certificate to the list of trusted root CAs. If it does not exist in the list, it will not
trust the certificate.
4. If the certificate passes all three checks, the client trusts the issuing CA and trusts any certificates
that the CA issues; therefore the client trusts the Web server.

The following table reviews terms you should be familiar with.

Term Function
Certificate The Certificate Authority (CA) is an entity trusted to issue, store, and revoke digital
Authority (CA) certificates.
Certificate The Certificate Practice Statement (CPS) is a declaration of the security that the
Practice organization is implementing for all certificates issued by the CA holding the CPS. This
Statement statement tells potential partners or others relying on the security of the PKI system how
(CPS) well the security of the PKI system is being managed.
Cryptographic
Service
A Cryptographic Service Provider (CSP) resides on the client and generates the key pair.
Provider
(CSP)
Online
Certificate
The Online Certificate Status Protocol (OCSP) is a protocol used for checking the status of
Status
an individual digital certificate to verify if it is good or has been revoked.
Protocol
(OCSP)
Certificate The Certificate Revocation List (CRL) resides at the CA and consists of a list of certificates
Revocation that have been previously revoked. This list can be accessed by the client to verify the
List (CRL) validity of a digital certificate.
A Registration Authority (RA) can be used in large, enterprise environments to offload client
enrollment request processing by handling verification of clients prior to certificates being
issued. The RA:

Registration  Accepts registrations.

Authority (RA)  Distributes certificates and keys.
 Validates identities in a certificate request for the CA.
 Does not issue certificates directly. Though certificates are not issued until the RA
validates the information, the RA cannot issue certificates.

X.509 is the official standard that identifies the format for public key certificates and
X.509
certification path validation.
An enrollment agent is a user who is authorized to request certificates for other users.
Enrollment Enrollment agents are typically authorized to request certificates that are used on smart
agent cards. These agents can request the certificate and create the smart card that the
authorized user can then use.

PKI Management Facts

Be aware of the following when managing a public key infrastructure (PKI).

Consideration Description
PKI hierarchy A typical PKI involves multiple certificate authorities (CAs) arranged in a hierarchy.

 A root CA is the first CA in the hierarchy and the first CA you set up. The root CA
has a self-signed certificate, and is often offline to protect the CA from
 compromise. The root CA typically does not issue certificates to end users or
computers (unless the PKI structure is very small).
 A subordinate CA is a CA authorized by the root CA to issue certificates to other
CAs or users or computers.
o The subordinate CA gets its certificate from the root CA.
o You add subordinate CAs to your hierarchy to distribute the workload of
issuing certificates, or to designate specific CAs to issue certificates for
specific uses.
o The subordinate CA is responsible for issuing certificates, holding the
CPS, and publishing the Certificate Revocation List (CRL).
o Qualified subordination is implemented on a subordinate CA to restrict
the issuance and usage of certificates.

Two types of subordinate CAs are:

o An issuing CA is the CA at the bottom of the hierarchy which actually

issues the certificate to the clients.
o An intermediate CA is the CA in the middle of a multi-tier system, and
certifies issuing CAs or other intermediate CAs. An intermediate CA is a
subordinate CA.

A cross-certification or bridge model is used when one organization with a CA structure

needs to trust certificates from another organization who has their own CA structure. By
default, clients in an organization will trust certificates issued by that organization but
don't trust other root CAs unless they are in an official third party list for trusted root CAs
on the Internet. Cross-certification can be set up so both hierarchies trust each other.
Cross
certification  A root-to-root configuration allows clients in one organization to trust any
certificate issued by the other organization's CAs and vice versa.
 A mesh configuration provides trust paths that can be configured for more
restrictive certificate validation. This could include root-to-subordinate CA, or
even subordinate- to-subordinate.

Key archival is the backup and archival of private keys for end users in case they lose
their private keys. Normally, private keys are kept private and the CA would never get a
copy of the private key. With a key archival system:

 Private keys are sent to the CA and backed up by the CA.

 To protect the private keys during transit, they are encapsulated in a secure
Key archival transmission of data to the CA.
 The location of the private keys backup is secured.
 Recovery agents are users who are given the ability to restore private keys from
the archive.

Key archival uses a centralized approach to key management, where keys are managed
by the CA and not only by individual users.
Key escrow Key escrow is a form of key archival. The main difference between key escrow and key
archival is that escrow stores keys with a trusted third-party, either to increase security or
to allow access only under controlled circumstances. With key escrow, keys might be
retrieved by a business that needs access to employee files, or key escrow might allow
for key access by law enforcement with the proper authorization to investigate crimes or
 enforce laws.
Each certificate that is issued has a corresponding public and private key pair. If users are
issued a single key pair, that key pair is used for both digital signatures and encryption. In
an enterprise environment, it might be beneficial to use two key pairs: one key pair for
digital signatures, and the other for encryption.

 The private key used for digital signatures is kept completely private. Only the
user has access to this key and the key is never archived.
Dual key pairs
 The private key used for encryption is archived so that encrypted documents can
be recovered if the private key is lost.

If a single key pair is used for both digital signatures and encryption, it is possible for a
recovery agent to obtain the private key from the key archive and use that key for signing
documents. This violates the principle of non-repudiation because someone other than
the original user could have signed the document.

Secure Protocols Facts

When many protocols were created, they were designed with little or no security controls. An unsecured
protocol is one that does not provide authentication or encryption, or that uses plaintext for passing
authentication protocols or data. Security services (authentication and encryption) are often added to new
or existing protocols using one of the following secure protocols:

Protocol Description
Secure Secure Socket Layer (SSL) secures messages being transmitted on the Internet. SSL:
Sockets
Layer (SSL)  Requires the server to have a certificate issued by a CA and uses asymmetric
encryption.
 Uses RSA or the Key Exchange Protocol (KEA) for secure exchanging of
encryption keys.
 Requires two types of keys for a server and workstation to communicate:
o A public key is used to secure the communication.
o A session key is used between the client and the server for the duration of
the SSL session.
 Uses the SSL Handshake Protocol to establish the secure channel.
 Operates at the Session layer (layer 5) of the OSI model.
 Uses port 443 for encrypted traffic. Most firewalls allow port 443 traffic even when
other traffic is blocked. For this reason, technologies that can use SSL are more
likely to be allowed through firewalls than technologies that require other ports to be
opened.
 Provides an end-to-end encrypted tunnel that is impossible to monitor, scan, or
sniff.
o The advantage is that it increases security.
o The disadvantages are that:
 Security software cannot detect embedded attacks in transit.
 Internal users can use SSL to bypass proxy servers or Internet
content filtering systems that have been set up by organizations to
control Internet usage and content.
o SSL inspection can be used by organizations to decrypt the SSL session,
scan the content, and repackage the SSL session without end users
knowing. This is similar to a man-in-the middle attack, but for positive use.
  Has different versions, with the later versions being more secure. Secure Sockets
Layer (SSL) 3.0 was the last SSL version.

Transport Layer Security (TLS) is the successor to SSL 3.0.

 TLS and SSL are similar but not interoperable, although most applications can use
both SSL and TLS.
 Applications that can use both SSL and TLS negotiate which protocol to use during
the handshake process.
Transport
 Many secure connections that are described as using SSL might actually be using
Layer
TLS instead.
Security
 TLS uses Diffie-Hellman or RSA to exchange session keys.
(TLS)
 TLS is implemented through two protocols:
o TLS Record provides connection security with encryption (with DES for
example).
o TLS Handshake provides mutual authentication and choice of encryption
method.

SSH allows for secure interactive control of remote systems.

 SSH uses RSA public key cryptography for both connection and authentication.
 SSH uses the IDEA algorithm for encryption by default, but is able to use Blowfish
Secure Shell
and DES.
(SSH)
 SSH is a secure and acceptable alternative to Telnet.
 SSH is used by unsecured protocols to establish a secure channel. For example,
SFTP and SCP are secure file copy protocols that use SSH.

A common unsecured protocol is the Hyper Text Transfer Protocol (HTTP). HTTP is used for exchanging
Web content, but passes data in clear text. HTTP uses TCP port 80 and is stateless, which means by
default it doesn't keep track of clients. To solve this problem, cookies can be used to keep track of the
client's behavior. To secure HTTP, use one of the following protocols:

Protocol Description
Hyper Text Transfer Protocol Secure (HTTPS) is a secure form of HTTP that uses either SSL or
TLS to encrypt sensitive data before it is transmitted. HTTPS:

 Is stateful, which means that it keeps track of the client. To do this, the client must
communicate with the same HTTPS server for the duration of the session. Load
HTTPS balancing is not possible during the connection, and is only available to initially
determine which server will handle the client's session.
 Requires TCP port 443 inbound on the Web server to be allowed.
 Can be identified by verifying that the URL starts with https://, or by looking for a lock
symbol in the browser.

S-HTTP Secure Hypertext Transfer Protocol (S-HTTP) is an alternate protocol that is not widely used
because it is not as secure as HTTPS. S-HTTP :

 Is connectionless, unlike SSL which is connection-oriented.

 Provides only message security, unlike HTTPS which provides a full secure channel for
all messages.
  Does not use port 443.

IPSec Facts

IP Security (IPSec) provides secure data transmission over unprotected TCP/IP networks such as the
Internet. IPSec operates on the network layer (layer 3). It provides mutual authentication, integrity, and
confidentiality.

IPSec includes two protocols:

Protocol Function
AH provides authenticity, non-repudiation, and integrity. AH:

 Does not provide confidentiality because the data in the packet is

not encrypted.
 Provides protection against replay and man-in the-middle attacks.
Authentication Header (AH)
 Uses a keyed hash based on all the bytes in the packet for the
authentication information.
 Authenticates packets by digitally signing them.
 Uses IP Protocol 51.

ESP provides all the security of AH plus confidentiality. ESP:

Encapsulating Security  Is the most commonly used IPSec protocol.

Payload (ESP)  Provides data encryption.
 Uses IP Protocol 50.

Whether using AH or ESP there are two modes of operation that can be implemented with IPSec:

 Transport mode only encrypts the payload (data).

 Tunnel mode encrypts the entire packet. Both the data inside the packet and the IP headers are
encrypted. The entire packet is encapsulated in a new packet.

A Security Association (SA) is the establishment of shared security information between two network
entities to support secure communications. An SA may include algorithm selection, cryptographic keys,
and/or digital certificates. A Security Association can be established manually or automatically through a
protocol called Internet Key Exchange (IKE). IKE helps to establish automatic Security Association (SAs).
IKE:

 Helps the two endpoints set up a secure tunnel by providing a secure exchange of shared keys
before a full IPSec transmission begins:
 Uses a Diffie-Hellman key exchange to set up a shared session secret, from which cryptographic
keys are derived.
 Uses mutual authentication that is provided by either pre-shared keys on both endpoints or
certificates issued by a CA.
 Can be implemented to automate the selection of the best security association for each
connection.
 Uses UDP port 500.
Network Address Translation (NAT) can cause communication errors with an IPSec VPN tunnel because
it makes changes to the IP headers, such as changing source and destination IP addresses and ports.
NAT-Traversal (NAT-T) is a new method designed to allow IPSec to function properly through a NAT
device. 

Note: IPSec is most commonly used with L2TP VPNs.

OSI Model Facts

The Open Systems Interconnection (OSI) model is a theoretical way of classifying and talking about the
complex process of sending data on a network. The OSI model divides the complex task of networking
into various layers to facilitate the development of standards and to allow for interoperability between
protocols and hardware components.

Network security devices and solutions are often described based on the OSI model. As you learn about
network security, you should be familiar with the networking tasks associated with each OSI model layer.
The following table summarizes key facts about each OSI model layer.

Layer Description and Keywords

The Application layer integrates network functionality into the host operating system, and
enables network services. The Application layer does not include specific applications that
provide services, but rather provides the capability for services to operate on the network.
Application
(Layer 7)
The Application layer is associated with the data that is generated by a service or a
protocol. A security device operating at the Application layer makes security decisions
based on the actual data within a data stream.
The Presentation layer formats or "presents" data into a compatible form for receipt by the
Application layer or the destination system. Specifically, the Presentation layer ensures:

 Formatting and translation of data between systems.

Presentation
 Negotiation of data transfer syntax between systems, through converting character
(Layer 6)
sets to the correct format.
 Encapsulation of data into message envelopes by encryption and compression.
 Restoration of data by decryption and decompression.

The Session layer's primary function is managing the sessions in which data is transferred.
Functions at this layer include:

 Management of multiple sessions (each client connection is called a session). A

Session
server can concurrently maintain thousands of sessions.
(Layer 5)
 Assignment of the session ID number to each session to keep data streams
separate.
 Set up, maintain, and tear down communication sessions.

Transport The Transport layer provides a transition between the upper and lower layers of the OSI
(Layer 4) model, making the upper and lower layers transparent from each other. Two protocols
associated with the Transport layer are:

 The Transmission Control Protocol (TCP) provides services that ensure accurate
and timely delivery of network communications between two hosts. TCP provides
the following services to ensure message delivery:
 o Sequencing of data packets
o Flow control
o Error checking

TCP is referred to as a connection-oriented protocol because it includes these

delivery guarantees.

 The User Datagram Protocol (UDP) is similar to TCP, but does not include
mechanisms for ensuring timely and accurate delivery. Because it has less
overhead, it offers fast communications, but at the expense of possible errors or
data loss. UDP is referred to as a connectionless protocol because it lacks these
delivery guarantee mechanisms.

The Network layer describes how data is routed across networks and on to the destination.

 Protocols associated with the Network layer include IP and IPX.

Network  The logical host address, in the form of the IP address, is defined at the Network
(Layer 3) layer.
 Routers operate at the Network layer by reading the IP address in the packet to
make forwarding decisions.

The Data Link layer defines the rules and procedures for hosts as they access the Physical
layer.

 The physical device address, in the form of the MAC address used with Ethernet,
Data Link is defined at the Data Link layer.
(Layer 2)  Network interface cards (NICs) contain the MAC address and perform functions at
the Data Link layer.
 Switches operate at the Data Link layer by reading the MAC address in a frame to
make forwarding decisions.

The Physical layer sets standards for sending and receiving electrical signals between
Physical devices. Hubs operate at the physical layer because they simply forward electrical signals
(Layer 1) out all hub ports without interpreting the meaning of those signals that are present at higher
layers.

Network Protocol Facts

A protocol is a set of standards for communication between network hosts. Protocols often provide
services, such as e-mail or file transfer. Most protocols are not intended to be used alone, but instead rely
on and interact with other dependent or complimentary protocols. A group of protocols that is intended to
be used together is called a protocol suite.

The following table lists several major protocols.

Protocol Characteristics
Transmission TCP provides services that ensure accurate and timely delivery of network communications
Control between two hosts. TCP is a layer 4 (Transport layer) protocol. TCP is connection-oriented
Protocol which means that it provides a guaranteed delivery of data between hosts through the
(TCP) following services:
  Sequencing of data packets
 Flow control
 Error checking

The TCP three-way handshake is the process used to establish a TCP session. The steps
to a TCP three-way handshake process are:

1. A host sends a SYN packet to the target host.

2. The target host responds to the original host with a SYN ACK packet.
3. The host responds to the target host with an ACK packet.

User UDP is a host-to-host protocol like TCP. However, UDP is connectionless, which means
Datagram that it does not include mechanisms for ensuring timely and accurate delivery, but uses a
Protocol best effort delivery. Because it has less overhead, it offers fast communications, but at the
(UDP) expense of possible errors or data loss.  
Internet IP is a layer 3 protocol that is connectionless and relies on upper layer protocols like TCP to
Protocol (IP) ensure delivery and connection orientation.
Internetwork IPX is an older protocol used with older Novell networks. IPX has been replaced with
Packet TCP/IP in newer versions of NetWare. Unless you are running a version of NetWare that
Exchange does not support TCP/IP, or are using applications that rely on IPX, you should disable IPX
(IPX) to eliminate attacks against IPX on your network.
NetBIOS is the term used to describe the combination of two protocols: NetBEUI and
NetBIOS. Because NetBIOS is a non-routable protocol, it was often combined with TCP/IP
Network or IPX/SPX to enable internetwork communications.
Basic
Input/Output  NetBIOS was used in early Windows networks.
System  Beginning with Windows 2000, NetBIOS is no longer required.
(NetBIOS)  NetBIOS might be needed if the network includes clients running previous versions
of Windows.

ICMP is commonly used for troubleshooting and information gathering. ICMP works closely
with IP in providing error and control information, and by allowing hosts to exchange packet
status information which helps move the packets through the internetwork. Two common
management utilities use ICMP messages to check network connectivity.

Internet  ping is an ICMP Echo Request and once executed should initiate an Echo Reply to
Control the source from the target device. Ping can be used to determine whether devices
Message are reachable and can communicate across the network.
Protocol  traceroute determines how many routers (hops) are between the source and the
(ICMP) target and response time for each router.

ICMP also works with IP to send notices when destinations are unreachable and when
devices' buffers overflow. ICMP messages are used to determine the route and hops
packets take through the network and whether devices can communicate across the
network.
Address
Resolution ARP provides IP address-to-MAC address name address resolution. Using ARP, a host that
Protocol knows the IP address of a host can discover the corresponding MAC address.
(ARP)
Running an antiquated protocol, such as NetBIOS or IPX/SPX, on a system opens the system to attack.
Unless there is a critical reason, disable any unnecessary protocols on network devices.

 Common Ports

Ports are logical connections, provided by the TCP or UDP protocols at the Transport layer, for use by
protocols in the upper layers of the OSI model. The TCP/IP protocol stack uses port numbers stored in
the header of a packet to determine what protocol incoming traffic should be directed to. Some
characteristics of ports are listed below:

 Ports allow a single host with a single IP address to run multiple network services. Each port
number identifies a distinct service.
 Each host can have over 65,000 ports per IP address.
 Port use is regulated by the Internet Corporation for Assigning Names and Numbers (ICANN).

 ICANN specifies three categories for ports.

 Well known ports range from 0 to 1023 and are assigned to common protocols and services.
 Registered ports range from 1024 to 49151 and are assigned by ICANN to a specific service.
 Dynamic (also called private or high) ports range from 49,152 to 65,535 and can be used by any
service on an ad hoc basis. Ports are assigned when a session is established, and released
when the session ends.

The following table lists the well known ports that correspond to common Internet services.

Port(s) Service
20 TCP
File Transfer Protocol (FTP)
21 TCP
22 TCP and UDP Secure Shell (SSH)
23 TCP Telnet
25 TCP Simple Mail Transfer Protocol (SMTP)
49 TCP and UDP Terminal Access Controller Access-Control System (TACACS)
*IP protocol number 50 Encapsulating Security Payload (ESP) (used with IPSec)
*IP protocol number 51 Authenticating Header (AH) (used with IPSec)
53 TCP and UDP Domain Name Server (DNS)
67 UDP
Dynamic Host Configuration Protocol (DHCP)
68 UDP
69 UDP Trivial File Transfer Protocol (TFTP)
80 TCP HyperText Transfer Protocol (HTTP)
88 TCP Kerberos
110 TCP Post Office Protocol (POP3)
119 TCP Network News Transport Protocol (NNTP)
123 UDP Network Time Protocol (NTP)
135 TCP
137 and 138 TCP and UDP Network Basic Input/Output System (NetBIOS)
139 TCP
143 TCP and UDP Internet Message Access Protocol (IMAP4)
161 TCP and UDP
Simple Network Management Protocol (SNMP)
162 TCP and UDP
 389 TCP and UDP Lightweight Directory Access Protocol (LDAP)
443 TCP and UDP HTTP with Secure Sockets Layer (SSL)
445 TCP Windows 2000 CIFS/SMB (file access)
500 UDP Internet Key Exchange (IKE) (used with IPSec)
636 TCP and UDP Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
1701 UDP Layer 2 Tunneling Protocol (L2TP)
1723 TCP and UDP Point-to-Point Tunneling Protocol (PPTP)
1812 TCP and UDP
Remote Authentication Dial In User Service (RADIUS)
1813 TCP and UDP
3389 TCP Remote Desktop Protocol (RDP)

* Is not a port number, but an IP protocol number used with IPSec.

Note: Ports listed in the table above that are higher than the well known range (0-1023) are newer
protocols that were released after the initial Internet protocols were established.

Be aware of the following regarding ports:

 Attackers use port scanning software to identify open ports, then focus their attacks on services
that use those ports.
 Configure a firewall to open (allow) or block ports through the firewall or on a device.
 As a best practice, only open the necessary ports. For example, if the server is only being used
for e-mail, then shut down ports that correspond to FTP, DNS, and HTTP (among others).
 For auditing purposes, you can use a port scanner to check systems and firewalls for open ports.
o Use netstat -a to view a list of opened ports on a system.
o Use a port scanning tool such as Nmap to scan for open ports on local and remote
systems.

Network Device Facts

The following table lists characteristics of common network devices.

Device Description
A hub is the central connecting point of a physical star, logical bus topology. Hubs simply repeat
incoming frames without examining the MAC address in the frame and send it to every host
connected to the hub.

 Because frames are repeated out all hub ports, sniffers can be used to collect sensitive
information by capturing traffic that flows through the hubs.  
Hub
 All devices connected to a hub share the available bandwidth.
 Collisions are a natural consequence of the shared medium. As the number of devices
connected to the hub increases, so does the number of collisions. As the number of
devices increases, the performance also drops.
 For security and performance, replace hubs with switches whenever possible.

Switch A switch is a multiport device that performs filtering based on MAC addresses. Switches:

 Are more secure than hubs because switches only send communication to the destination
device, not to all the devices on the switch like a hub.
  Pass broadcasts to all ports. This is a disadvantage from a security perspective because
it allows sniffers to capture data in broadcasts.
 Offer guaranteed bandwidth to each switch port, eliminating collisions when a single
device is connected to a switch port and improving data availability.
 Can make additional forwarding decisions based on the MAC address. For example, a
switch can be configured to prevent unauthorized devices from sending frames through a
port.

A router is a layer 3 device that routes and forwards information between different IP subnets.
Routers receive packets, read their headers to find IP addressing information, and send them on
to their correct destination on the network or Internet.

 Routers can be used to connect dissimilar networks.

 Routers forward packets through an internetwork by maintaining routing information in a
database called a routing table.
o Static routing requires that entries in the routing table be configured manually.
Router
When changes occur to the network, static entries must be added or removed.
o A dynamic routing protocol allows routers to automatically share their routing
table entries. Dynamic routing protocols include RIP, OSPF, BGP, IGRP, EIGRP,
and IS-IS.
 A router can have an access control list (ACL) that allows or blocks packets based on
information contained in the packet (such as IP address or port).
 Routers do not pass broadcasts.