CompTIA Security+ Certification Study Guide
This page intentionally left blank
CompTIA Security+ Certification Study Guide Exam SYO-201 3E
Ido Dubrawsky Naomi J. Alpern, Michael Cross, Jeremy Faircloth, Kevvie Fowler, Michael Gregg, Mark Horninger, Eric Irvin, Alun Jones, Mohan Krishnamurthy, Kenneth Majors, Tony Piltzecker and David K. Wallace
AMSTERDAM • BOSTON • HEIDELBERG • LONDON NEW YORK • OXFORD • PARIS • SAN DIEGO SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO Syngress is an imprint of Elsevier
SYNGRESS®
Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media®, Syngress®,“Career Advancement Through Skill Enhancement®,”“Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc.“Syngress:The Definition of a Serious Security Library™,”“Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. PUBLISHED BY Syngress Publishing, Inc. Elsevier, Inc. 30 Corporate Drive Burlington, MA 01803 CompTIA Security+ Certification Study Guide Copyright © 2009 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. ISBN 13: 978-1-59749-426-7 Publisher: Acquisitions Editor: Technical Editor: Developmental Editor: Indexer:
Laura Colantoni Rachel Roumeliotis Ido Dubrawsky Gary Byrne diacriTech
Project Manager: Page Layout and Art: Copy Editors: Cover Designer:
Andre Cuello diacriTech diacriTech Alisa Andreola
For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email:
[email protected]. Library of Congress Cataloging-in-Publication Data Dubrawsky, Ido. The CompTIA Security+ Certification Guide / Ido Dubrawsky. p. cm. ISBN 978-1-59749-426-7 1. Electronic data processing personnel—Certification. 2. Computer security—Examinations—Study guides. 3. Computer networks—Security measures—Examinations—Study guides. I.Title. QA76.3.D77 2009 005.8—dc22 2009018985 Printed in the United States of America 1234567890
Contents About the Authors....................................................................................................xvii
PART 1 Systems Security CHAPTER 1 Systems Security Overview............................................................... 3 Introduction........................................................................................3 Security Threats..................................................................................4 Privilege Escalation........................................................................4 Viruses and Worms........................................................................5 Trojan...........................................................................................14 Spyware and Adware...................................................................14 Rootkits and Botnets....................................................................19 Logic Bombs................................................................................21 Hardware and Peripheral Security Risks..........................................22 BIOS.............................................................................................22 USB Devices.................................................................................25 Cell Phones..................................................................................28 Removable Storage Devices.........................................................30 Network-Attached Storage...........................................................35 Summary of Exam Objectives..........................................................35 Exam Objectives Fast Track..............................................................36 Security Threats...........................................................................36 Hardware and Peripheral Security Risks.....................................37 Exam Objectives Frequently Asked Questions.................................38 Self Test.............................................................................................39 Self Test Quick Answer Key.............................................................42
CHAPTER 2 OS Hardening................................................................................ 43 Introduction......................................................................................43 General OS Hardening......................................................................44 MAC/DAC/RBAC..........................................................................44 Services........................................................................................48 File System...................................................................................49 Hotfixes/Patches..........................................................................51 Service Packs/Maintenance Updates...........................................53 Patch Management......................................................................54 Windows Group Policies.............................................................55 Creating a Policy..........................................................................56
v
vi Contents
Security Templates......................................................................58 Configuration Baselines...............................................................61 Server OS Hardening........................................................................65 Nonessential Services..................................................................66 Nonessential Protocols................................................................66 Disabling Nonessential Processes...............................................67 Disabling Nonessential Programs................................................67 FTP Servers..................................................................................67 DNS Servers.................................................................................68 Network News Transfer Protocol Servers...................................69 File and Print Servers...................................................................69 DHCP Servers...............................................................................71 Data Repositories.........................................................................72 Workstation OS.................................................................................75 Summary of Exam Objectives..........................................................76 Exam Objectives Fast Track..............................................................76 General OS Hardening.................................................................76 Workstation OS............................................................................77 Exam Objectives Frequently Asked Questions.................................77 Self Test.............................................................................................78 Self Test Quick Answer Key.............................................................81
CHAPTER 3 Application Security...................................................................... 83 Introduction......................................................................................83 Threats Are Moving “Up the Stack”..................................................84 Rationale......................................................................................85 Threat Modeling..........................................................................86 Application Security Threats............................................................88 Browser........................................................................................88 Configuring Security Zones.........................................................95 Buffer Overflows.......................................................................109 Instant Messaging (IM).............................................................. 112 Peer-to-Peer................................................................................ 114 SMTP Open Relays..................................................................... 116 Summary of Exam Objectives........................................................ 117 Exam Objectives Fast Track............................................................ 118 Threats Are Moving “Up the Stack”.......................................... 118 Application Security Threats..................................................... 118 Exam Objectives Frequently Asked Questions............................... 118 Self Test........................................................................................... 119 Self Test Quick Answer Key...........................................................123 References.......................................................................................123
Contents vii
Chapter 4 Implementing System Security Applications.................................. 125 Host Intrusion Detection System....................................................125 Signature Based.........................................................................127 Behavior Based..........................................................................129 Personal Software Firewall.............................................................132 Windows XP Firewall................................................................133 Windows Vista Firewall.............................................................133 Configuring the Windows Firewall...........................................134 Advanced Configuration of the Windows Firewall................... 143 CheckPoint ZoneAlarm............................................................. 172 Antivirus.........................................................................................182 Viruses, Worms, and Trojan Horses..........................................183 Spyware and Adware.................................................................190 Prevention and Response.......................................................... 192 Windows Defender.................................................................... 193 Using Windows Defender..........................................................194 How to Use the Windows Defender Software Explorer...........195 Antispam.........................................................................................196 Pop-Up Blockers.............................................................................198 12Ghosts Popup-Killer...............................................................198 Yahoo! Anti-Spy Toolbar............................................................199 Google Toolbar..........................................................................202 Mozilla Firefox...........................................................................203 Summary of Exam Objectives........................................................203 Exam Objectives Fast Track............................................................204 Host Intrusion Detection System...............................................204 Personal Software Firewalls......................................................205 Antivirus....................................................................................205 Antispam....................................................................................206 Pop-Up Blockers........................................................................206 Exam Objectives Frequently Asked Questions...............................206 Self Test...........................................................................................208 Self Test Quick Answer Key........................................................... 211
CHAPTER 5 Virtualization Technologies.......................................................... 213 Introduction.................................................................................... 213 The Purpose of Virtualization........................................................ 213 Benefits of Virtualization................................................................ 214 Types of Virtualization.............................................................. 217 Designing a Virtual Environment..............................................221
viii Contents
System Virtualization......................................................................227 Management of Virtual Servers.................................................230 Application Virtualization..............................................................230 Terminal Services (Remote Desktop Services).........................232 XenApp......................................................................................233 Application Streaming...............................................................233 Summary of Exam Objectives........................................................235 Exam Objectives Fast Track............................................................237 The Purpose of Virtualization...................................................237 Benefits of Virtualization...........................................................237 System Virtualization.................................................................237 Application Virtualization.........................................................238 Exam Objectives Frequently Asked Questions...............................238 Self Test...........................................................................................240 Self Test Quick Answer Key...........................................................245
PART 2 Network Infrastructure CHAPTER 6 Network Security......................................................................... 249 Introduction....................................................................................249 General Network Security..............................................................250 Network Services and Risks Associated with Them.................250 Network Design Elements.........................................................250 Network Security Tools..................................................................250 Intrusion Detection and Prevention Systems............................ 251 Installing WinDUMP for Packet Capture and Analysis.............254 Firewalls.....................................................................................255 Honeypots..................................................................................262 Install a HoneyPot......................................................................265 Content Filters...........................................................................267 Protocol Analyzers.....................................................................267 Network Ports, Services, and Threats............................................267 Network Ports and Protocols....................................................268 Scanning for Vulnerabilities......................................................270 Network Threats........................................................................ 274 ARP Spoofing.............................................................................277 Network Design Elements and Components.................................281 What Is a DMZ?..........................................................................289 Subnets.......................................................................................295 VLANs........................................................................................296 Network Address Translation....................................................297
Contents ix
Network Access Control/Network Access Protection..............300 Telephony..................................................................................301 Summary of Exam Objectives........................................................302 Exam Objectives Fast Track............................................................302 General Network Security.........................................................302 Network Security Tools.............................................................303 Network Ports, Services, and Threats.......................................303 Network Design Elements and Components............................303 Exam Objectives Frequently Asked Questions...............................303 Self Test...........................................................................................304 Self Test Quick Answer Key...........................................................307
Chapter 7 Wireless Networks....................................................................... 309 Introduction....................................................................................309 Wireless Network Design............................................................... 310 Wireless Communications......................................................... 310 Spread Spectrum Technology.................................................... 311 Wireless Network Architecture................................................. 313 CSMA/CD and CSMA/CA.......................................................... 314 Service Set ID Broadcast................................................................. 315 Wireless Security Standards........................................................... 316 Security of 40-Bit versus 104-Bit Keys....................................... 317 WPA and WPA2......................................................................... 318 Wireless Application Protocol................................................... 318 Wireless Transport Layer Security............................................ 319 Authentication........................................................................... 319 Rogue APs.......................................................................................325 Data Emanation...............................................................................326 Bluetooth........................................................................................327 Summary of Exam Objectives........................................................327 Exam Objectives Fast Track............................................................329 Wireless Network Design..........................................................329 Service Set ID Broadcast............................................................330 Wireless Security Standards......................................................330 Rogue APs.................................................................................. 331 Data Emanation.......................................................................... 331 Bluetooth................................................................................... 331 Exam Objectives Frequently Asked Questions............................... 331 Self Test...........................................................................................333 Self Test Quick Answer Key...........................................................335 References.......................................................................................335
x Contents
PART 3 Access Control Chapter 8 Network Access........................................................................... 339 Introduction....................................................................................339 General Network Access................................................................340 Access Control...........................................................................340 Access Control Models...............................................................341 Authentication Models and Components..................................344 Identity.......................................................................................349 Access Control Methods and Models..............................................349 Implicit Deny.............................................................................349 Separation of Duties..................................................................349 Least Privilege............................................................................350 Job Rotation............................................................................... 351 MAC........................................................................................... 351 DAC............................................................................................353 Viewing DAC Settings................................................................354 Role-Based Access Control (RBAC)........................................... 355 Access Control Organization..........................................................357 Security Groups.........................................................................357 Security Controls.......................................................................358 Logical Access Control Methods....................................................360 ACLs...........................................................................................360 Group Policies...........................................................................361 Domain Policies.........................................................................361 Time of Day Restrictions...........................................................362 Account Expiration....................................................................362 Logical Tokens...........................................................................362 Physical Access Security Methods..................................................363 Access Lists and Logs.................................................................366 Hardware Locks.........................................................................366 ID Badges...................................................................................367 Door Access Systems.................................................................368 Mantrap......................................................................................369 Video Surveillance.....................................................................370 Summary of Exam Objectives........................................................370 Exam Objectives Fast Track............................................................ 371 General Network Access........................................................... 371 Access Control Methods and Models......................................... 371 Access Control Organization.....................................................372 Logical Access Control Methods...............................................372 Physical Access Security Methods.............................................372
Contents xi
Exam Objectives Frequently Asked Questions...............................372 Self Test........................................................................................... 375 Self Test Quick Answer Key...........................................................379
Chapter 9 Network Authentication................................................................ 381 Introduction....................................................................................381 Introduction to AAA..................................................................381 Access Control...........................................................................382 Authentication...........................................................................383 Auditing.....................................................................................383 Authentication Methods.................................................................383 One-Factor.................................................................................384 Two-Factor.................................................................................386 Three-Factor..............................................................................387 Single Sign-On............................................................................388 Authentication Systems..................................................................388 Remote Access Policies and Authentication..............................389 Biometrics..................................................................................389 RADIUS......................................................................................390 Kerberos....................................................................................393 LDAP..........................................................................................396 Password Authentication Protocol............................................402 Challenge Handshake Authentication Protocol.........................402 TACACS/TACACS+.....................................................................403 Mutual Authentication...............................................................405 802.1x Methods.........................................................................406 Extensible Authentication Protocol...........................................409 Protected EAP............................................................................ 411 Summary of Exam Objectives........................................................ 413 Exam Objectives Fast Track............................................................ 414 Authentication Methods............................................................ 414 Authentication Systems............................................................. 414 Exam Objectives Frequently Asked Questions............................... 415 Self Test........................................................................................... 416 Self Test Quick Answer Key........................................................... 419
PART 4 Assessments and Audits CHAPTER 10 Risk Assessment and Risk Mitigation............................................ 423 Introduction....................................................................................423 Conduct Risk Assessments and Implement Risk Mitigation..........424 Vulnerability Assessment Tools.................................................424 Packet Sniffing...........................................................................424
xii Contents
Password Crackers.....................................................................428 Network Mapping Tools............................................................429 Use Monitoring Tools on Systems and Networks...........................430 Workstations.............................................................................. 431 Performing a Simple Metasploit Attack.....................................432 Logging and Auditing.....................................................................441 Auditing Systems........................................................................441 Configuring Auditing in Microsoft Windows............................443 Preventing Access to a Computer Using Password-Protected Screensavers............................................. 451 Audits.............................................................................................. 452 Summary of Exam Objectives........................................................ 452 Exam Objectives Fast Track............................................................ 452 Conduct Risk Assessments and Implement Risk Mitigation........................................................................... 452 Use Monitoring Tools on Systems and Networks......................453 Exam Objectives Frequently Asked Questions...............................453 Self Test...........................................................................................454 Self Test Quick Answer Key...........................................................457 References.......................................................................................457
PART 5 Cryptopgraphy Chapter 11 General Cryptographic Concepts................................................... 461 Introduction....................................................................................461 General Cryptography....................................................................462 Symmetric Key Cryptography...................................................462 Asymmetric Key Cryptography.................................................464 Hashes and Applications............................................................464 Digital Signatures.......................................................................468 Certificates.................................................................................469 Confidentiality, Integrity, and Availability—For All Your Security Needs...........................................................................473 Nonrepudiation.........................................................................475 Comparative Strength of Algorithms.........................................475 Key Management.......................................................................476 Encryption Algorithms...................................................................477 DES.............................................................................................477 Triple DES..................................................................................479 RSA.............................................................................................479 Advanced Encryption Standard.................................................480 Elliptic Curve Cryptography.....................................................480
Contents xiii
One-Time Pads...........................................................................480 Transmission Encryption...........................................................481 Protocols.........................................................................................482 Cryptographic Protocols...........................................................483 Cryptography in Operating Systems..............................................494 File and Folder Encryption........................................................494 E-mail.........................................................................................496 Whole Disk Encryption.............................................................497 TPM............................................................................................498 Summary of Exam Objectives........................................................499 Exam Objectives Fast Track............................................................499 General Cryptography...............................................................499 Encryption Algorithms..............................................................500 Protocols....................................................................................500 Cryptography in Operating Systems.........................................500 Exam Objectives Frequently Asked Questions...............................501 Self Test...........................................................................................504 Self Test Quick Answer Key...........................................................507
CHAPTER 12 Public Key Infrastructure.............................................................. 509 Introduction....................................................................................509 PKI Overview................................................................................. 510 PKI Encryption.......................................................................... 510 PKI Standards............................................................................ 513 PKI Solutions............................................................................. 514 Components of PKI........................................................................ 516 Digital Certificates..................................................................... 518 Reviewing a Digital Certificate.................................................. 519 Certificate Authority..................................................................525 Certificate Revocation List (CRL)..............................................527 Key Escrow................................................................................529 Registration..................................................................................... 531 Recovery Agents............................................................................. 531 Implementation..............................................................................533 Certificate Management.................................................................534 Summary of Exam Objectives........................................................536 Exam Objectives Fast Track............................................................537 PKI Overview............................................................................537 Components of PKI...................................................................537 Registration................................................................................537 Recovery Agents........................................................................537
xiv Contents
Implementation.........................................................................538 Certificate Management............................................................538 Exam Objectives Frequently Asked Questions...............................538 Self Test...........................................................................................539 Self Test Quick Answer Key...........................................................542
PART 6 Organizational Security CHAPTER 13 Redundancy Planning.................................................................. 545 Introduction....................................................................................545 Alternate Sites.................................................................................545 Hot Site.......................................................................................547 Warm Site...................................................................................547 Cold Site.....................................................................................547 Redundant Systems.........................................................................548 Servers.......................................................................................549 Connections...............................................................................550 Internet Service Provider..........................................................550 Redundant Arrays of Inexpensive Disks........................................ 551 Spare Parts...................................................................................... 552 Backup Generator...........................................................................554 Uninterruptible Power Supply........................................................554 Summary of Exam Objectives........................................................ 555 Exam Objectives Fast Track............................................................ 555 Alternate Sites............................................................................ 555 Redundant Systems....................................................................556 Redundant Arrays of Inexpensive Disks...................................556 Spare Parts.................................................................................557 Backup Generator......................................................................557 Uninterruptible Power Supply...................................................558 Exam Objectives Frequently Asked Questions...............................558 Self Test...........................................................................................559 Self Test Quick Answer Key...........................................................562
CHAPTER 14 Controls and Procedures.............................................................. 563 Introduction....................................................................................563 Environmental Controls.................................................................563 Fire Suppression........................................................................564 HVAC..........................................................................................566 Shielding....................................................................................568 Implementing Disaster Recovery and Incident Response Procedures.....................................................................570
Contents xv
Disaster Recovery......................................................................571 Incident Response.....................................................................576 Defending against Social Engineering.......................................587 Summary of Exam Objectives........................................................593 Exam Objectives Fast Track............................................................593 Environmental Controls............................................................593 Implementing Disaster Recovery and Incident Response Procedures.................................................................................594 Exam Objectives Frequently Asked Questions...............................596 Self Test...........................................................................................596 Self Test Quick Answer Key.......................................................... 600
CHAPTER 15 Legislation and Organizational Policies........................................ 601 Introduction....................................................................................601 Secure Disposal of Systems............................................................602 Retention/Storage......................................................................603 Destruction................................................................................604 Acceptable Use Policies..................................................................605 Password Complexity.....................................................................607 Strong Passwords...................................................................... 608 Password Changes and Restrictions......................................... 608 Using Passwords as Part of a Multifaceted Security System..........................................................................609 Administrator Accounts.............................................................609 Change Management...................................................................... 610 Information Classification.............................................................. 610 Vacations......................................................................................... 612 Separation of Duties.................................................................. 613 Personally Identifiable Information................................................ 614 Privacy....................................................................................... 614 Due Care......................................................................................... 616 Due Process.................................................................................... 617 Due Diligence................................................................................. 618 Service Level Agreements............................................................... 618 User Education and Awareness Training........................................620 Communication......................................................................... 621 User Awareness..........................................................................622 Education...................................................................................623 Online Resources.......................................................................625 Security-Related HR Policies...........................................................625 Code of Ethics............................................................................627
xvi Contents
Summary of Exam Objectives........................................................627 Exam Objectives Fast Track............................................................628 Exam Objectives Frequently Asked Questions...............................629 Self Test...........................................................................................630 Self Test Quick Answer Key...........................................................634 Appendix......................................................................................................... 635 Index................................................................................................................ 741
About the Authors Technical Editor Ido Dubrawsky (CISSP, Security+, CCNA) is the Chief Security Advisor for Microsoft’s Communication Sector Americas division. His responsibilities include providing subject matter expertise on a wide range of technologies with customers as well as discussions on policy, regulatory concerns, and governance. Prior to working at Microsoft, Ido was the acting Security Consulting Practice Lead at AT&T’s Callisma subsidiary and a Senior Security Consultant where he as tasked with helping to rebuild the practice. Ido has held a wide range of previous roles including Network Security Architect for Cisco Systems Inc. on the SAFE Architecture Team. He has worked in the systems and network administration field for almost 20 years in a variety of environments from government to academia to private enterprise and has a wide range of experience in various networks, from small to large and relatively simple to complex. Ido is the primary author of three major SAFE white papers and has written, and spoken, extensively on security topics. He has been a regular contributor to the Security Focus Web site on a variety of topics covering security issues. He holds a B.Sc. and an M.Sc. in Aerospace Engineering from the University of Texas at Austin.
Contributing Authors Naomi J. Alpern currently works for Microsoft as a consultant specializing in unified communications. She holds many Microsoft certifications, including an MCSE and MCT, as well as additional industry certifications such as Citrix Certified Enterprise Administrator, Security+, Network+, and A+. Since the start of her technical career, she has worked in many facets of the technology world, including IT administration, technical training, and, most recently, full-time consulting. She likes to spend her time reading cheesy horror and mystery novels when she isn’t browsing the Web. She is also the mother of two fabulous boys, Darien and Justin, who mostly keep her running around like a headless chicken. Michael Cross (MCSE, MCP+I, CNA, Network+) is an internet specialist/programmer with the Niagara Regional Police Service. In addition to designing and maintaining the Niagara Regional Police’s Web site (www.nrps.com) and intranet, he has also provided support and worked in the areas of programming, hardware, database administration, graphic design, and network administration. In 2007, he was awarded a Police Commendation for the work he did in developing a system to track high-risk offenders and sexual offenders in the Niagara Region. As part of an IT team that provides support to a user base of over 1000 civilian and uniformed users, his theory is that when the users carry guns, you tend to be more motivated in solving their problems.
xvii
xviii About the Authors
Michael was the first computer forensic analyst in the Niagara Regional Police Service’s history, and for five years, he performed computer forensic examinations on computers involved in criminal investigations. The computers he examined for evidence were involved in a wide range of crimes, including homicides, fraud, and possession of child pornography. In addition to this, he successfully tracked numerous individuals electronically, as in cases involving threatening e-mail. He has consulted and assisted in numerous cases dealing with computer-related/Internet crimes and served as an expert witness on computers for criminal trials. Michael has previously taught as an instructor for IT training courses on the Internet, Web development, programming, networking, and hardware repair. He is also seasoned in providing and assisting in presentations on Internet safety and other topics related to computers and the Internet. Despite this experience as a speaker, he still finds his wife won’t listen to him. Michael also owns KnightWare, which provides computer-related services like Web page design, and Bookworms, which provides online sales of merchandise. He has been a freelance writer for over a decade and has been published over three dozen times in numerous books and anthologies. When he isn’t writing or otherwise attached to a computer, he spends as much time as possible with the joys of his life: his lovely wife, Jennifer; darling daughter Sara; adorable daughter Emily; charming son Jason; and beautiful and talented daughter Alicia. Jeremy Faircloth (Security+, CCNA, MCSE, MCP+I, A+, etc.) is a Senior Principal IT Technologist for Medtronic Inc., where he and his team architect and maintain enterprisewide client/server and Web-based technologies. He also acts as a technical resource for other IT professionals, using his expertise to help others expand their knowledge. As a systems engineer with over 18 years of real-world IT experience, he has become an expert in many areas, including Web development, database administration, enterprise security, network design, and project management. He currently lives in Minnesota with his wife, Christina, and son, Austin, both of whom support his lifestyle as a professional geek (which he greatly appreciates). Jeremy has contributed to several Syngress books, including Microsoft Log Parser Toolkit (Syngress, ISBN: 978-1-932266-52-8), Managing and Securing a Cisco SWAN (ISBN: 978-1-932266-91-7), C# for Java Programmers (ISBN: 978-1-931836-54-8), Snort 2.0 Intrusion Detection (ISBN: 978-1-931836-74-6), Perl Scripting for Windows Security (ISBN: 978-1-59749-173-0), and Security+ Study Guide & DVD Training System (ISBN: 978-1-931836-72-2). Kevvie Fowler (GCFA Gold, CISSP, MCTS, MCSD, MCSE) is the Director of Managed Security Services at TELUS, where he delivers specialized security, incident response, and forensic services. He is also the founder and principal consultant of Ringzero, a company focusing on the security and forensic analysis of Microsoft products. Kevvie is the author of SQL Server Forensic Analysis and the contributing author of How to Cheat at Securing SQL Server 2005, and The Best Damn Exchange, SQL, and IIS Book Period. In addition to writing books, he also reviews security- and
About the Authors xix
forensic-related book proposals for publishers and is a SANS GIAC Gold advisor who reviews and helps guide the direction of emerging security and forensic research. As an expert within the information security industry, Kevvie has presented at leading security conferences such as Black Hat and SecTor and is a member of the High Technology Crime Investigation Association. Michael Gregg (CISSP, CISA, CISM, MCSE, MCT, CTT+, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CCE, CEH, CHFI, DCNP, ES Dragon IDS) is the founder and Chief Technology Officer of Superior Solutions Inc., a Houston-based IT security consulting firm. Superior Solutions performs security assessments and penetration testing for Fortune 1000 firms. Michael is responsible for working with organizations to develop cost-effective and innovative technology solutions to security issues and for evaluating emerging technologies. Michael supervises client engagements to ensure high-quality solutions are developed for software design issues, systems administration concerns, policy development, and security systems testing. Michael has more than 20 years of experience in the IT field and holds two associate’s degrees, a bachelor’s degree, and a master’s degree. He has written or cowritten a number of other books, including Que’s Certified Ethical Hacker Exam Prep 2 and Wiley’s How to Build Your Own Network Security Lab. He is a member of the American College of Forensic Examiners, the Independent Computer Consulting Association, and speaks at many security conferences and events. Mark Horninger (A+, Net+, Security+, MCSE+I, MCSD, MCAD, MCDBA, MCTS, MCITP, MCPD) is manager of database operations at Internet Pipeline Inc. He is also the founder of Haverford Consultants Inc. (www.haverford-consultants.com/), located in the suburbs of Philadelphia, PA. He develops custom applications and system engineering solutions, specializing primarily in Microsoft .NET technology and Microsoft SQL Server. He is a contributing author to Securing SQL 2005, Configuring and Troubleshooting Windows XP Professional MCSE Windows 2000 Professional Study Guide, and Designing SQL Server 2000 Databases for .NET Enterprise Servers published by Syngress, an imprint of Elsevier Inc. Mark has also served as an adjunct professor at Kaplan University teaching Web design. Mark has over 20 years of computer consulting experience and has passed 50+ Microsoft certification exams. He lives with his wife, Debbie, and son, Robby, in the Philadelphia area. C. Eric Irvin (CISSP, MCITP: Enterprise Admin, MCSE, MCSA, CCNA) is a Security Engineering Analyst for Blue Cross and Blue Shield of Alabama, and consultant for IrvTech, LLC. He specializes in security project management, as well as end-user security awareness, and security compliance assurance. He specializes in Cisco routers, switches, and VPN solutions. His focus is in providing business-enablement solutions that provide functionality and security to the customers of his organization. Eric holds a bachelor’s degree from Amridge University, and is a member of Infragard and the Information Systems Security Association. He volunteers his
xx About the Authors
security background with local municipal government organizations. Eric currently resides in Birmingham, Alabama. Eric wrote the practice exam questions for this book. Alun Jones (MVP, MCP) is the President of Texas Imperial Software. Texas Imperial Software develops secure networking software and provides security engineering consulting services. Texas Imperial Software’s flagship product is WFTPD Pro, a secure FTP server for Windows, written entirely by Alun. Alun entered the security engineering field as more and more of WFTPD’s support needs indicated that few companies were trying to meet their needs for security on the Internet. His current day job is as an Information Systems Security Engineer at Premera Blue Cross, a health insurance provider based in the Pacific Northwest of the USA. Alun has attended, but not completed, university at Corpus Christi College, Cambridge, and Bath University, and now lives in Seattle, Washington, with his wife, Debbie, and son, Colin. Mohan Krishnamurthy Madwachar is the GM–Network Security at Almoayed Group in Bahrain. Mohan is a key contributor to Almoayed Group’s projects division and plays an important role in the organization’s security initiatives including network, information, and physical security. Mohan has a strong networking, security, and training background. His tenure with companies such as Schlumberger Omnes and Secure Network Solutions India adds to his experience and expertise in implementing large and complex network and security projects. Mohan holds leading IT industry-standard and vendor certifications in systems, networking, and security. Mohan would like to dedicate his contributions to this book to his beloved wife Pallavi. Mohan has coauthored six books published by Syngress: Designing & Building Enterprise DMZs (ISBN:1597491004), Configuring Juniper Networks NetScreen & SSG Firewalls (ISBN:1597491187), How to Cheat at Securing Linux (ISBN: 1597492078), How to Cheat at Administering Office Communications Server 2007 (ISBN:1597492126), Microsoft Forefront Security Administration Guide (ISBN: 1597492447), and The Real MCTS/MCITP Windows Server 2008 Configuring Applications Infrastructure Exam 70-643 Prep Kit (ISBN:1597492478). He also writes in newspaper columns on various subjects and has contributed to leading content companies as a technical writer and a subject matter expert. Kenneth Majors (MCSE, MCSA, Project+, VMware VCP, Citrix CCEA, CCA) is a Senior Technology Advisor for Choice Solutions LLC. Choice Solutions is a systems integrator headquartered in Overland Park, Kansas. Choice Solutions provides IT design, project management, and support for enterprise computing systems. Kenneth is a key contributor to defining best practices for Microsoft technologies including Windows Server, Hyper-V and SharePoint, Citrix XenApp, XenServer, and XenDesktop, VMware ESX and VDM, and development of documentation
About the Authors xxi
standards. As such, he develops technology solutions and methodologies focused on improving client business processes.These technology solutions touch every part of a system’s lifecycle—from assessment, blueprint, construct, and deployment on projects to operational management and strategic planning for the business process. Kenneth holds a bachelor’s degree from Colorado Technical University. He currently resides in Olathe, Kansas, with his loving and supportive wife, Sandy, and near their children, Tabitha and Keith, and their grandsons, Wesley “Peanut” and Austin. Tony Piltzecker (CISSP, MCSE, CCNA, CCVP, Check Point CCSA, Citrix CCA), author and technical editor of Syngress Publishing’s MCSE Exam 70-296 Study Guide and DVD Training System and How to Cheat at Managing Microsoft Operations Manager 2005, is an independent consultant based in Boston, Massachusetts. Tony’s specialties include network security design, Microsoft operating system and applications architecture, and Cisco IP telephony implementations. Tony’s background includes positions as systems practice manager for Presidio Networked Solutions, IT manager for SynQor Inc., network architect for Planning Systems Inc., and senior networking consultant with Integrated Information Systems. Along with his various certifications, Tony holds a bachelor’s degree in business administration. Tony currently resides in Leominster, Massachusetts, with his wife, Melanie, and his daughters, Kaitlyn and Noelle. David K. Wallace is Director of Network Operations and Chief Security Officer for Internet Pipeline, the leader in SAS that supports marketing, selling, and processing solutions for the nation’s top insurance carriers and producers, David oversees all data center operations, infrastructure, business continuity planning, and security. He brings to iPipeline over 15 years of systems and management experience. Since joining iPipeline, David’s team has implemented multiple security enhancements and programs (HIPAA Compliance), infrastructure upgrades, and VMware to provide scalability and redundancy of Internet Pipeline’s services. iPipeline’s infrastructure growth and scalability are key as they continue to bring cutting edge technology to the insurance and financial markets. Prior to iPipeline, David spent seven years as the Director of Information Technology at ICG Commerce in King of Prussia, Pennsylvania. ICG Commerce is one of the largest and most successful Procurement Outsourcing Providers in the world. There he built their data center capabilities from scratch to a 24 × 7 fully redundant network and systems that are utilized throughout the world. David holds a bachelor’s degree in business administration and a minor in information systems. He is currently working on an M.B.A. from Villanova University, Villanova, Pennsylvania. David lives in Ardmore, Pennsylvania, a suburb just outside of Philadelphia. He would like to thank his nine nieces and nephews (Ben, Claire, Fiona, Owen, Jane, Gavin, Kieran, Colin, and Torin) for all their love, support, and the joy they add to his life.
This page intentionally left blank
PART
Systems Security
1
This page intentionally left blank
CHAPTER
Systems Security Overview
1
E x a m o b j e c tiv e s in this c hapt e r Security Threats..................................................................................................................... 4 Hardware and Peripheral Security Risks................................................................................ 22
Introduction There are security risks to almost any system. Any computer, network, or device that can communicate with other technologies either allows software to be installed or is accessible to groups of people and, therefore, faces an increasing number of potential threats. The system may be at risk of unauthorized access, disclosure of information, destruction or modification of data, code attacks through malicious software, or any number of other risks discussed in this book. Some of the most common threats to systems come in the form of malicious software, which is commonly referred to as malware. Malware programs are carefully crafted, written, and designed by attackers to compromise security and/or do damage. These programs are written to be independent and do not always require user intervention or for the attacker to be present for their damage to be done. Among the many types of malware, the ones we will look at in this chapter are viruses, worms, Trojan horses, spyware, adware, logic bombs, and rootkits. Every year, an increasing number of devices are at risk. The communication methods and functionality traditionally associated with computers have expanded over the years, moving from stand-alone computers to networks to mobile devices. The core components of a computer, like the basic input/output system (BIOS), can be compromised, and the data stored on network and removable devices can be stolen, corrupted, or destroyed. In addition, there are other technologies that can be threatened by attacks and malicious software. Every year more Universal Serial Bus (USB) devices are introduced into the market, and these devices can either be used to disseminate malicious code or be damaged by attacks, while software installed on cell phones can be just as vulnerable to viruses as programs running on computers. Preparing for potential threats requires understanding what devices exist in your organization and taking the appropriate steps to ensure their security.
3
4 CHAPTER 1 Systems Security Overview
Security Threats In terms of computers and networks, security is the process of protecting systems and data from unauthorized access, from malicious users and software, and from other threats that could result in the loss of integrity, damage, or loss of data and equipment. Securing systems requires safeguarding not only data but also the equipment on which this information resides on and is transmitted across. To do this, companies may incorporate a wide variety of security measures, including cameras to monitor and prevent damage and theft of computers, peripherals, media, and other technology. They will also hire professionals with a level of expertise in using firewalls and other software to protect data. Threats can come from internal and external sources, and both can be equally dangerous. System administrators commonly deal with external threats, but may overlook an organization’s internal threats. While it’s important to set up firewalls to protect against hackers and virus-infected file attachments in e-mail, this action would do nothing against a disgruntled or uneducated employee who could insert a USB flash drive into a computer and release a virus or unwittingly install a program that sends sensitive information to a third party. When you are protecting an organization against threats, it is important to identify the sources so that you can then set up appropriate countermeasures. There are many reasons why these threats exist to various systems. Programming students may merely want to exercise their skills and prove they can write the code that creates a virus, whereas other groups may have a particular agenda in destroying data. Other people may use a variety of tools and skills to gain entry to systems, with some of them simply satisfying the curiosity of wanting to see what they’re not supposed to see. Others will attempt to perform these actions for financial motivation, such as in cases of corporate espionage, blackmail, or other criminal activities. All of these threats have one thing in common, however … it’s up to you to understand and stop them from harming your organization.
Privilege Escalation Privilege escalation occurs when a user acquires greater permissions and rights than he or she was intended to receive. Of course, network administrators can make mistakes and assign a user greater privilege than originally intended, but the major threat we’ll discuss here comes from software. A user could gain unauthorized access and elevated privileges through bugs or backdoors in programs. Bugs are errors in software, causing the program to function in a manner that wasn’t intended. Backdoors are methods of accessing a system in a manner that bypasses normal authentication methods. For example, a developer may include a backdoor into a program, so that he or she can gain access to an application when it’s being debugged. Unfortunately, if the backdoor remains after the software is released or bugs don’t get fixed, a hacker or other unauthorized user can exploit these vulnerabilities and gain greater access to systems, such as having administrator access to the system.
Security Threats 5
Preventing privilege escalation from occurring relies on the software developer providing good support, and system administrators being diligent in keeping up-to-date on any security issues and fixes available for software on systems. Programmers need to ensure that after a program has been debugged, any backdoors in the software have been removed. If the software has already been released and a developer discovers any backdoors and/or errors in the code, these need to be reported to the development team so that a patch can be created that will fix the problem. System administrators should check the software vendor’s Web site to see if any patches or security updates are available. These should then be downloaded and installed on systems to fix any problems. For example, Microsoft regularly provides fixes to potential security problems on its Windows Update Web site (http://windowsupdate.microsoft.com), which can automatically scan your computer to identify if there are any patches or updates that need to be applied to Microsoft products.
Viruses and Worms Malicious software has appeared in many forms over the decades, but the problem has increased as more computers and devices communicate with one another. Before networking became common, a person transferring data needed to physically transport software between machines, often using floppy disks or other removable media. Malicious software could write itself to the media without the user’s knowledge, but the chances of this event occurring in a secure environment was minimal. After all, without networks, data was being passed from one computer within an organization to another, with minimum connectivity to the outside world. Unless an employee wrote malicious code or accidentally acquired one from a vendor or client, there was little chance of being infected. This changed dramatically with the widespread use of networking (especially the Internet), where exploitable vulnerabilities, file sharing, or e-mail attachments make it very easy for malware to disseminate. There are many different types of malicious code that are written with the intention of causing damage to systems, software, and data.The code may be used to target a particular person or organization, but in most cases, it is a mass attack; whoever comes in contact with it becomes a victim. While we’ll discuss many different types of malicious code in the pages that follow and see how they can wreak havoc on networks and computers, two of the most common forms are viruses and worms.
Head of the Class Viruses, Worms, and Removal Information A good resource for keeping up-to-date on the latest threats, risks, and vulnerabilities is Symantec’s Threat Explorer site at www.symantec.com/norton/security_response/threatexplorer/ index.jsp. At this site, you can view information on new threats, and browse or search Symantec’s database for information on viruses, worms, and other malicious software. When
6 CHAPTER 1 Systems Security Overview
looking at a particular virus in the database, you’ll find information on how significant a threat the worm or virus is, the technical details about the worm or virus, and information on how to remove the worm or virus from a system.
Viruses Viruses are probably the most well-known type of malicious code. A computer virus is defined as a self-replicating computer program that interferes with the hardware, software, or operating system (OS) of a computer. It is code that has the primary purpose of creating a copy of itself that attaches to other files. These code segments contain enough information to replicate and perform other damage, such as deleting or corrupting important files on your system. Like any other computer program, a virus must be executed to function (it must be loaded into the memory of the computer) and then the computer must follow the virus’s instructions. Those instructions constitute the payload of the virus. The payload may disrupt or change data files, display a message, or cause the OS to malfunction. Using this definition, let’s explore in more depth exactly what a virus does and what its potential dangers are. Viruses spread when the instructions (executable code) that run programs are transferred from one computer to another. A virus can replicate by writing itself to removable media, hard drives, or legitimate computer programs across the local network or even throughout the Internet. One positive aspect is that a computer attached to an infected computer network or one that downloads an infected program does not necessarily become infected. Remember, the code has to actually be executed before your machine can become infected. However, chances are good that if you download a virus to your computer and do not explicitly execute it, the virus may contain the logic to trick your OS into running the viral program. Other viruses exist that have the capability to attach themselves to otherwise legitimate programs. This could occur when programs are created, opened, or even modified. When the program is run, so is the virus. Let’s take a closer look at the following categories that a virus could fall under and the definitions of each: ■■
■■
■■
■■
Parasitic Parasitic viruses infect executable files or programs in the computer. This type of virus typically leaves the contents of the host file unchanged, but appends to the host in such a way that the virus code is executed first. Bootstrap sector Bootstrap sector viruses live on the first portion of the disk, known as the boot sector (this includes both hard disks and other removable media). This virus replaces either the programs that store information about the contents of the disk or the programs that start the computer. This type of virus is most commonly spread through the physical exchange of removable media. Multipartite Multipartite viruses combine the functionality of the parasitic virus and the bootstrap sector viruses by infecting either files or boot sectors. Companion A companion virus, instead of modifying an existing program, creates a new program with the same name as an already existing legitimate
Security Threats 7
rogram. It then tricks the OS into running the companion program, which p delivers the virus payload. ■■
■■
Link Link viruses function by modifying the way the OS finds a program, tricking it into first running the virus and then the desired program. This virus is especially dangerous, because entire directories can be infected. Any executable program accessed within the directory will trigger the virus. Data File A data file virus can open, manipulate, and close data files. Data file viruses are written in macro languages and automatically execute when the legitimate program is opened. A well-known type of data file virus is a macro virus, which can be embedded in such files as Microsoft Office documents and spreadsheets.
Hoax Viruses Hoax viruses are inauthentic warnings of viruses. These hoaxes consist of a warning designed to fool the recipient into believing that the virus is real. Although the viruses aren’t real, they can sometimes be as dangerous as the real thing. ■■
■■
■■
The warnings may provide instructions on how to “remove” the virus, informing the recipient to delete crucial files or make registry changes that may cause the OS or specific programs to fail. Users who become jaded by hoax viruses may begin to ignore legitimate warnings about real viruses. In some cases, a known virus hoax may be modified to include a real virus. For example, in March 1997, a hoax warning began to be distributed on America Online advising that an e-mail with the subject “aol4free.com” contained a virus that could delete files from your hard disk. This e-mail warning was a hoax. However, around the same time, someone attached a Trojan horse program named AOL4FREE.COM to the original hoax e-mail. People who believed the e-mail to be a hoax would click the attachment, executing the Trojan which invoked the DOS program DELTREE.exe to delete files from the victim’s hard disk.
Worms Worms are another common type of malicious code, and are often confused with viruses. A worm is a self-replicating program that does not alter files but resides in active memory and duplicates itself by means of computer networks. It can travel across a network from one computer to another, and in some cases, different parts of a worm run on different computers. Worms run automatically within the OSes and software and are invisible to the user. Often, worms aren’t even noticed on systems until the network resources are completely consumed or the victim PC’s performance is degraded to unusable levels. Some worms not only self-replicate but also contain a malicious payload. As we’ll see later in this chapter when we discuss botnets, some worms will create a backdoor that allows access to the computer. A backdoor is an undocumented and, generally,
8 CHAPTER 1 Systems Security Overview
an unauthorized way of gaining remote access to a computer. Once the system is compromised, the backdoor will listen for commands on a network port, allowing the computer to be accessed by a hacker or controlled by the worm’s creator. Exam Warning A worm can take down a system because it has the capability to replicate itself inside of the memory of the target computer. Once it uses up the memory, the system goes down. Similarly, the replication of worms across a network can use up bandwidth, causing any transmission of legitimate data across the network to slow dramatically.
Hackers create malicious worms that replicate wildly and can also exploit weaknesses in the OS and perform other harmful actions. Their capability to replicate quickly makes them an attractive tool for attackers. There are many ways in which worms can be transmitted, including e-mail, Internet chat rooms, peer-to-peer (P2P) programs, and of course the Internet.
Difference Between Viruses and Worms The distinction between viruses and worms has become blurred. Originally, the term worm was used to describe code that attacked multiuser systems (networks), whereas the term virus described programs that replicated on individual computers. However, these attributes are no longer the key factors that discriminate between the two, as both are used for widespread attacks and are commonly disseminated using networks like the Internet. However, while there are similarities between worms and viruses, there are also a number of key differences. Like a normal virus, worms replicate themselves to spread across the network. However, a virus needs a host application to transport itself, whereas worms are selfcontained. For example, a hacker may incorporate a virus in an executable, so that when someone executes the program, that person’s computer becomes infected. A worm, however, will replicate from system-to-system, and duplicates itself by means of computer networks. Worms use the facilities of an OS that are meant to be automatic and invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes the resources of the system, which then slows or halts other tasks. Whereas a virus intends to damage the system and files stored there, a worm is intended to consume the resources on the system. A worm doesn’t alter the files on a computer, but will replicate to the point that network bandwidth is used up (making the network slow up) and/or use up memory on a machine until it finally shuts down. This results in a server crash that cannot be remedied until the worm has been removed from the system. Test Day Tip On the day of the exam, review the differences between viruses and worms. By understanding the differences, you will be able to identify whether a question is asking you about one or the other, and this knowledge may lead you toward the correct answer.
Security Threats 9
Virus Examples There are thousands of viruses that have been disseminated over the decades, resulting in innumerable annoying messages and damaged files on people’s computers. To understand some of the elements and damage caused by viruses, let’s look at a couple of the more recent ones: ■■
■■
In July 2008, the Repulik. A virus appeared, and it began infecting computers running Windows 9x, Windows NT, Windows ME, Windows 2000, Windows XP, Windows Server 2003, or Windows Vista. It infects files with the extensions .doc, .pps, .ppt, .rtf, and .xls (that is, Microsoft Office files) and renames the infected files as .vbs. This is the file extension for Visual Basic Script files, meaning that opening one of the infected files will execute the virus’s code. Repulik. A will also copy files to removable drives and rename these drives as “REPVBLIK,” modify MP3 files, and modify the registry. Another virus that can infect computers running Windows 9x, Windows NT, Windows ME, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista is the W32. Shoren virus. This virus first appeared in March 2009, and infection spreads through executable files that are infected with the virus. Once the virus has infected a file, it is rendered unusable because the virus has prepended itself to the file, thus corrupting the data.
Worm Examples Some of the most infamous viruses that have infected computers on the Internet are actually worms. Using the Internet to move from one computer to another, worms have infected millions of machines and cost billions of dollars in damage to data, lost labor costs, and so on. To understand worms better, it’s worthwhile to look at some of the most infamous ones from previous years: ■■
■■
The SQL Slammer worm in 2003 exploited a known buffer overflow in Microsoft’s SQL Server and Microsoft SQL Server Desktop Engine (MSDE). The worm, in its self-replicating attempts, caused infected machines to generate enormous amounts of traffic. Local networks and the Internet itself slowed down considerably and infected thousands of machines and servers. The Nimda and Code Red worms in 2001 attacked known vulnerabilities in Microsoft’s Internet Information Server (IIS) Web server. These two worms and their variants replicate themselves on the victim machines and begin scanning the network for additional vulnerable machines. Nimda and Code Red certainly set another precedent for the danger of worms, and they are not harmless. Nimda creates open network shares on infected computers, and it also creates a Guest account with Administrator privileges, thus allowing access to the system and opening it up to whatever a knowledgeable hacker wants to do to it. Code Red (and its variant, Code Red II, which also opened a backdoor for the attacker) defaces Web sites, degrades system performance, and causes instability by spawning multiple threads and using bandwidth.
10 CHAPTER 1 Systems Security Overview
■■
■■
■■
The Sasser worm in 2004 exploited a known buffer overflow in Microsoft’s Local Security Authority Subsystem Service (LSASS) through port 139, and caused infected machines to spontaneously reboot. It affected networks, including those of Delta Airlines, Goldman Sachs, and the British Coastguard. The Zotob worm in 2005 used vulnerability in Microsoft Windows’s Plug-andPlay service to spread through networks. It was prominent in that it infected CNN computers and so was reported live on television. A year later, a Moroccan teenager was sentenced for its creation. Conficker (also known as Downadup) is a worm that first appeared in November 2008, and has infected upwards of 20 million computers including those used by the French Air Force, Royal Navy, and UK Ministry of Defence. The worm exploits a known vulnerability in computers running Windows 9x, Windows NT, Windows ME, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. It can do considerable damage to systems by turning off the automatic backup service, deleting restore points, and disabling security. It is so serious that Microsoft allocated $250,000 as a reward to those who would help the company find the source of the worm.
Exam Warning There are thousands of worms, viruses, and other malicious software that can infect your computer. Don’t spend significant time memorizing information about them, as in the exam there won’t be questions that target your knowledge about specific viruses and worms. The information provided here allows you to see what viruses, worms, and other malware can do to your system, and how they work.
From looking at these worms, we note that it is easy to understand that effective protection against many worms is the timely and prompt installation of patches released by software vendors, especially Microsoft because of its market presence. In the case of the Conficker worm, Microsoft had released a patch that would have protected many systems infected by the worm. Unfortunately, only those who downloaded and installed the patch were protected. It is also important to correctly configure firewalls to allow only necessary ports both inbound and outbound: Sasser replicated using Network Basic Input/Output System (NetBIOS) and SQL-Server ports, which should not be allowed exposed outside the enterprise network.
Defending Against Viruses and Worms Protection against viruses, worms, and other malicious code usually includes up-to-date antivirus software, a good user education program, and diligent application of the software patches provided by vendors. When network administrators or security professionals take the necessary steps to protect systems, many of the viruses and worms on the market are unable to infect or do significant damage to systems. Antivirus software applications are designed to detect viruses, worms, and other malware on a computer system. These programs may monitor the system
Security Threats 11
for suspicious activity that indicates the presence of malware, but more often will detect viruses using signature files. Signature files are files that contain information on known viruses, and these files are used by antivirus software to identify viruses on a system. The antivirus software will compare data in files on your system with a dictionary of viral code in the signature files, and use this comparison to identify the presence of a virus. If the signature of a virus (that is, viral code) is found in a file on your system, the antivirus software will then attempt to remove the virus. There are many ways it may attempt to do this, including cleaning the virus from the file (that is, removing the viral code), deleting the infected file, or quarantining the file so that it can’t be used. There are numerous vendors of antivirus software, including the following: ■■
AVG (www.avg.com)
■■
F-Prot Anti-Virus (www.f-prot.com)
■■
McAfee Anti-Virus (www.mcafee.com)
■■
Norton Anti-Virus (www.norton.com) or Symantec (www.symantec.com)
Vendors of antivirus software provide regular updates of signature files, ensuring their software can detect code from the latest viruses. Unfortunately, if a person doesn’t update the signature files, then their antivirus software can’t detect any viruses that came out after the software was initially released. Therefore, it is vital that the antivirus software is updated on a regular basis. In some cases, a virus or worm may be so difficult to remove that besides running an antivirus software, you may also need to download special removal software or follow specific instructions that are available from the antivirus vendor’s site. When a virus has been detected, it is wise to review the details on the antivirus vendor’s site to determine whether additional actions are required. User education is an important factor in preventing viruses from being executed and infecting a system. Because a virus is a program, it must be started before it can be loaded into the memory and begin doing the damage. Because the virus requires user interaction to load, it is important for users to be aware that they shouldn’t open attached files that have executable code (such as files with the extension .com, .exe, and .vbs). Users should also avoid opening attachments from people they don’t know. Of course, since viruses and other malware may exploit an e-mail program to forward the virus to everyone in an address book, infected files can be sent from people you know. Therefore, you should verify that the person did send you an attachment, especially in cases where an executable file has been sent. Updating your system and applying the latest patches and updates are other important factors in protecting your system. In the established security community, when researchers discover a flaw or vulnerability, they report it to the software vendor, and the vendor then typically works on quickly developing a fix to the flaw. The vulnerability (without an exploit) is reported once a fix has been found and is available. Although there are exceptions to this rule, this is the standard operating procedure. However, if hackers discover the flaw, it is possible that
12 CHAPTER 1 Systems Security Overview
an exploit is developed and disseminated through the hacking community before the vendor is aware of the flaw or a patch is developed. Such an exploit is called a zero-day attack, because there is no warning before the attack can take place. The best defenses against zero-day attacks are security devices that can detect attacks without the need for attack signatures. Another important factor in protecting data is to prepare for the worst. You can prepare for an infection by a virus or worm by creating backups of legitimate original software and data files on a regular basis. These backups will help to restore your system, should that ever be necessary. For the individual user, using Write-Once media (compact disc-recordable [CD-R] or digital video disc-recordable [DVD-R]), and activating the write-protection notch on removable media like a USB disk or a floppy disk will help to protect against a virus on your backup copy. For networks, keeping a series of backups is vital in restoring data to the state it was in prior to being infected. You can also help to prevent against infection by using only software that has been received from legitimate, secure sources. Always test software on a “test” machine (either not connected to your production network or using a virtual machine) prior to installing it on any other machines to help ensure that it is virus-free.
Notes from the Field Anyone Want an Infection? For Some, the Answer is Yes! In 2007, Computer specialist Didier Stevens paid for a Google advertisement that offered to infect a person’s computer with a virus. The advertisement asked, “Is your PC virusfree? Get it infected here!” Surprisingly, over a period of six months, 409 people clicked on the advertisement. Clicking the advertisement took them to a Web site that thanked them for visiting and recorded their visit. Fortunately, no viruses or malware were installed on computers visiting the site, but it does show that some people will click anything, and even the most obvious signs of being infected by a virus may be ignored. For more information, you can visit Didier Stevens’ blog at http://blog.didierstevens. com/2007/05/07/is-your-pc-virus-free-get-it-infected-here/.
Common File Types That Carry Viruses There are a number of file types that are commonly used to disseminate viruses. As we’ve mentioned, file types that are susceptible to viruses can be attached to e-mails and sent out to other users in a person’s address book. These files can be compiled programs or contain code that is executed by the OS when the file is opened. Because virus writers target these types of files, it is wise to prevent users from opening certain file types. You can also configure mail servers to remove specific file types from e-mail. As it reaches the mail server, the susceptible file is removed from the e-mail so that the e-mail can be sent to the recipient without the attachment.
Security Threats 13
File types that are commonly used to distribute viruses include those with the following extensions: ■■
■■
■■
■■
■■
■■
■■
■■
■■
■■
■■
■■
■■
.bat This specifies batch files that will run one or more commands automatically in sequence. .cmd This specifies batch files that will run one or more commands automatically in sequence. .com This specifies command files that are binary executables, similar to files with the extension.exe. For example, in Windows you’ll find many executable programs that use the .com extension. It is unrelated to the domain .com used on the Internet. Unfortunately, if a file is received with a name like www.microsoft.com, it can appear to be a Web site link but it will actually execute as a program on the machine. .doc This specifies Microsoft Word document files, which can contain macro viruses. .dll This specifies dynamic-link library files that contain programming code that may be used by one or more programs. The functions in these files are executable and can be invoked by commands in other programs or files. .exe This specifies executable binary files. These are programs that can be loaded into memory, and provide various functions and execute commands automatically or with user intervention. .htm or .html This specifies Web pages (documents written in Hypertext Markup Language and opened in Web browsers). .js This specifies scripts written in the JavaScript language and contain programming code that can execute upon opening the file. .mdb This specifies Microsoft Access database files, which can contain macro viruses. .scr This specifies screensavers and is commonly used in the dissemination of viruses. .reg This specifies extracts of Registry settings. Running these files can add or modify registry settings on your computer. .vbs This specifies scripts written in Microsoft Visual Basic Scripting language and contains programming code that can execute code upon opening the file. .xls This specifies Microsoft Excel spreadsheets, which can contain macro viruses.
Test Day Tip It’s important to know the file types that are most likely to contain a virus. Before taking the exam, review the listing of file types, and understand what these files do.
14 CHAPTER 1 Systems Security Overview
Trojan A Trojan horse closely resembles a virus, but is actually in a category of its own. The Trojan horse is often referred to as the most elementary form of malicious code. A Trojan horse is used in the same manner as it was in Homer’s Iliad; it is a program in which malicious code is contained inside of what appears to be harmless data or programming. It is most often disguised as something fun, such as a game or other application. The malicious program is hidden, and when called to perform its functionality, can actually ruin your hard disk. One saving grace of a Trojan horse, if there is one, is that it does not propagate itself from one computer to another (selfreplication is a characteristic of the worm). A common way for you to become the victim of a Trojan horse is for someone to send you an e-mail with an attachment that purports to do something useful. To the naked eye, it will most likely not appear that anything has happened when the attachment is launched. The reality is that the Trojan has now been installed (or initialized) on your system. What makes this type of attack scary is the possibility that it may be a remote control program. After you have launched this attachment, anyone who uses the Trojan horse as a remote server can now connect to your computer. Hackers have tools to determine what systems are running remote control Trojans, which can include communication over chat networks, e-mails, or Web pages, to alert the hacker that a new system has been infected and is available. After the specially designed port scanner on the hacker’s end finds your system, all of your files are accessible to that hacker. Although many people get Trojans from programs shared and downloaded from the Internet, viruses can be disseminated using devices that attach to your computer. In February 2008, the Motmex Trojan was found on digital picture frames shipped from China. These frames were sold by many large companies throughout North America, and allowed people to store their images on removable storage, which were then displayed on the frame’s screen. When a person attaches the frame to their computer using a USB cable and activates the Trojan, the computer then becomes infected. The Trojan was able to block many antivirus programs from detecting it, and it was unstoppable by Windows Firewall. However, because people generally don’t scan such removable storage devices with antivirus software, many people wouldn’t have realized their computer was compromised until after the Trojan had infected their computer. Test Day Tip Remember the story of the Trojan horse to help you remember what a Trojan horse is in terms of computer security. A Trojan horse seems to be a legitimate program or file (such as a game, utility, or application) but it actually contains malicious code that will attack your system.
Spyware and Adware Spyware and adware are two other types of programs that can be a nuisance or malicious software. Both of these may be used to gather information about your
Security Threats 15
computer, or other information that you may not want to share with other parties. In some cases, they may be a platform for distributing other malicious software.
Spyware As its name states, spyware is a type of program that is used to track user activities and spy on their machines. They have the capability to scan systems, gather personal information (with or without the user’s permission), and relay that information to other computers on the Internet. The information that is gathered may be used for a variety of purposes, including those with unethical or criminal intentions. Spyware has become such a pervasive problem that dozens of antispyware programs have been created. Most spyware programs do not have harmful payloads, and their danger lies in the instability and the consumption of computing resources they cause in the infected systems. There are a lot of types of spyware in terms of their purpose, their installation method, their collection methods, and so forth. Some spyware will hijack browser settings, changing your home page, or redirect your browser to sites you didn’t intend to visit. Some are used for even criminal purposes, stealing passwords and credit card numbers, sending it to the spyware’s creator. Users may unknowingly download them from Web sites or willingly install the spyware believing it to be something else. But more often than not they are tricked into installing it as it is covertly installed as part of another utility’s installation or installed through the exploitation of vulnerability in the user’s browser. As for the method of collecting information, they can record and inform on Web site browsing history, look for information stored in the file system of the computer, or even log keystrokes looking for passwords. It is important to compare spyware versus other malware. Spyware usually does not self-replicate, meaning that they need to be installed in each computer they infect. Some spyware programs are well-behaved and even legal. Many spyware programs take the form of browser toolbars and, in some cases, infected machines usually have more than one spyware program installed. As they’re normally linked to browsing activity, they can flood the victim’s desktop with nonstop pop-up windows, many to pornographic sites.
Adware Adware is software that displays advertising while the product is being used, allowing software developers to finance the distribution of their product as freeware (software for which you don’t have to pay for its usage). Legitimate products will display advertising in a section of the application, game, or utility. The developer makes money from the sale of advertisements, and the user gets to use the application for free. The advertising funds the software’s development, and allows users to “try before you buy.” If the user wishes to no longer see the advertisements, he or she can pay for the full version and register the program, or remove the program from their computer. Despite its positive points, some adware programs can be risky to use. Some include features that are used for gathering information for the purposes of marketing
16 CHAPTER 1 Systems Security Overview
by gathering information on browsing habits. For example, a program might track the sites you’ve visited for marketing or other purposes, and send the information from your computer to an Internet location. In some cases, the pop-up advertisements you receive will be related to the types of sites you’ve visited. This can cause an added security risk, since you have no control over the advertisements being displayed, and don’t know if Web pages used for the advertisements contain or can download something malicious. Another problem is that adware can cause performance issues. These graphical advertisements may use up bandwidth, and multiple windows opening to show the advertisements can use up memory. Some of these programs may also try to download additional programs that aren’t required for the application to run, or try to hijack browser settings. For example, the application may attempt to download and install toolbars for your Web browser, or try to change the search engine or homepage in your Web browser. Because of these and other reasons that we’ll discuss next, adware has developed a bad reputation that’s synonymous with spyware.
The Difference between Spyware and Adware In looking at adware and spyware, we can see that they are two distinctly different types of programs. Adware is a legitimate way for developers to make money from their programs. Although the advertisements may be a nuisance, it allows you to use the software for free and is generally harmless. Spyware, however, is an insidious security risk. Without a person knowing, their computer may be monitored and information may be sent to a third party. This could include personal information, credit card numbers, passwords, or other sensitive data that’s transmitted to an Internet location. While adware displays what someone wants to say, spyware monitors and shares what you do. Adware and spyware are often confused with one another, mostly because of the overlap between them. Adware may incorporate some elements that track information, but this should only be with the user’s permission. Spyware will send information whether you like it or not. A problem is that while you may believe that you’re using a simple adware program, it may actually be bundled with other programs that run in the background, which may be spyware or malicious software.
Spyware Example There are numerous examples of spyware that have caused significant problems for people, and can be extremely difficult to fully remove once they are installed. Some of these include CoolWebSearch, BargainBuddy, Zango (formerly 180 solutions), and Internet Optimizer. There are also versions that are commercially available, and can be purchased and used by anyone. For example, CYBERsitter (www.cybersitter. com) is a company that has provided Internet filtering software that parents can use to prevent their children from viewing unwanted content on the Internet. One of their products is a controversial spyware tool called Snoopstick, which is available at www snoopstick.com.
Security Threats 17
Snoopstick is a suite of tools stored on a flash drive. By plugging it into the USB port of a computer, you can install a hidden program to monitor the computer, or install tools that allow you to do the following: ■■ ■■
■■ ■■
■■
Connect to a remote computer and monitor a person’s activities. View logs of a person’s activities, such as Web sites they’ve visited, instant messages, and e-mail a person has sent or received, view screenshots, and so on. Block the computer from viewing certain Web sites. Send commands to the remote computer, including having it shut down, restart, log off a person, and disabling a person’s Internet access. Deny the computer access to certain Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports (such as those used for File Transfer Protocol [FTP], Dynamic Host Configuration Protocol [DHCP], instant messaging, Simple Mail Transfer Protocol [SMTP], or those used by specific programs [such as Apple iTunes]).
As seen in Figure 1.1, Snoopstick provides a user friendly Activity Viewer to connect to another computer and view their activity and modify the settings. While this occurs, the person on the remote computer has no idea their activities are being monitored or possibly having settings reconfigured. Obviously, this can be a serious privacy and security issue in an organization. Although designed as a parental
Figure 1.1 Snoopstick Activity Viewer
18 CHAPTER 1 Systems Security Overview
control tool for checking what a child is doing online, it has the potential for causing significant problems for a user who’s unaware he or she is being watched or having the settings of a computer modified.
Adware Example
Figure 1.2 Eudora Options ■■
■■
■■
An example of adware is Qualcomm’s e-mail program Eudora (www.eudora. com). Prior to version 7.1, Eudora was an adware program that allowed users to use a fully functional version without paying for it, so long as they didn’t mind viewing advertisements in the lower left-hand pane of the program. As seen in Figure 1.2, Eudora provided three ways to use its program:
Paid Mode A mode in which the person paid for a registration code that allowed them to use all of the program’s features and not see any advertisements. Sponsored Mode A mode which allowed people to use all of the program’s features without paying, but displayed random paid advertising in the advertisement window, along with sponsored links. Lite Mode A mode which allowed people to use it for free but provided only a limited set of features.
The graphics and links that appeared in Eudora’s advertisement window were pushed to computers at regular intervals from Qualcomm’s Internet advertisement servers. This allowed only those sponsors who paid to have their advertisements displayed on the computers of potential customers. After years of commercial success with Eudora, in 2006, Qualcomm announced that the e-mail program would become open source after their last commercial version, 7.1. As a result, it would no longer be pushing advertisements to computers running Eudora.
Defending Against Spyware and Adware Preventing spyware and adware from being installed on a computer can be difficult, as a person will either give or be tricked into giving permission for the program to install on a machine. For example, a Web site may trick a user into clicking a link that pushes spyware onto the person’s computer, or a person may install a program they want, not realizing that it’s an adware. People need to be careful in the programs they install on a machine, including the following:
Security Threats 19
■■
■■
■■
■■
■■
Read the end user license agreement (EULA), as a trustworthy freeware program that uses advertising to make money will specifically say it’s an adware. If it says it is, and you don’t want an adware, don’t install it. Avoid installing file-sharing software, as these are commonly used to disseminate adware/spyware. Install and/or use a pop-up blocker on your machine, such as the one available with Google Toolbar, MSN Toolbar, or the pop-up blocking feature available in Internet Explorer running on Windows XP SP2 or later. The pop-up blocker prevents browser windows from opening and displaying Web pages that display advertisements or may be used to push spyware to a computer. Be careful when using your Web browser and clicking on links. If you see a dialog box asking you to download and install an ActiveX control or another program, ensure that it’s something you want to install and that it’s from a reliable source. If you’re unsure, don’t install it. Use tools that scan for spyware and adware, and can remove any that are found on a machine.
Fortunately, there are a lot of programs available that provide protection against spyware and adware. Many of the antivirus vendors, including those we discussed earlier in this chapter, offer security suites that have the capability to detect and remove malicious software. There are also programs that are specifically designed to scan systems and remove spyware and adware, such as: ■■
Ad-Aware (www.lavasoft.com)
■■
Spyware Doctor (www.pctools.com/spyware-doctor)
■■
Spybot—Search and Destroy (www.safer-networking.org)
As is the case with antivirus programs, you must keep antispyware/antiadware programs up-to-date. Programs like Ad-Aware (seen in Figure 1.3) use signature or definition files, similar to those used by antivirus software, which we discussed earlier. The definitions in these files are compared to files on your system, and used to identify and remove any spyware or adware that is found.
Rootkits and Botnets Botnets and rootkits are tools used to exploit vulnerabilities in OSes and other software. Rootkits are software that can be hidden on systems, and can provide elevated privileges to hackers. They are a collection of tools, which are used to gain high levels of access to computers (such as that of an administrator). Even though the rootkit is running on a machine, it may run as a series of processes that makes function calls that filter its appearance on the machine, so that it won’t appear in Task Manager or other tools.
20 CHAPTER 1 Systems Security Overview
Figure 1.3 Ad-Aware Scanning a Computer and Finding a Potential Threat
Bots are a type of program that runs automatically, as robots performing specific tasks without the need for user intervention. For example, a type of bot was developed and used by Google to seek out Web pages and return information about each page for use in their search engine. Unfortunately, while bots can be used for legitimate reasons, they can also be used for malicious purposes. Bots can be installed on a computer without a user being aware of it, accepting commands from a remote user called a bot herder. The bot herder can send simultaneous commands to multiple machines that work together as a network of bots, called a botnet. Using these bots, the bot herder can make the computers perform various actions, such as sending out spam, or simultaneously sending e-mail to a single address or sending a request to a single Web site to cause that server to crash.This is called a denial of service (DoS) attack.
Rootkits A rootkit is a type of malware that tries to conceal its presence from the OS and antivirus programs in a computer. Its name comes from the UNIX world, where hackers try to keep root-level (superuser) access to a computer long after they infect it. A rootkit can modify the basic blocks of an OS like the kernel or communication drivers, or replace commonly used system programs with rootkit versions. Security researchers have even demonstrated rootkits that install as a virtual machine manager, and then load the victim’s OS as a virtual machine. Such a rootkit would be virtually impossible to detect. Rootkits can make it easy for hackers to install remote control programs or software that can cause significant damage. Note J. K. Rutkowski’s article titled “Execution path analysis: finding kernel based rootkits” provides detailed information on the detection of kernel rootkits. The article is available to view at www.phrack.com/issues.html?issue=59&id=10#article.
Security Threats 21
The most famous and widespread rootkit infestation happened in 2005, when Sony BMG Music Entertainment used a rootkit to implement copy protection in some of its music CDs. Even worse, other attackers could use the rootkit’s stealth features to hide their own viruses on infected computers. The rootkit was very hard to uninstall, and according to some researchers, it could have infected over 500,000 computers. Eventually, major antivirus vendors included removal tools for the rootkit, but it was a public relations nightmare for Sony.
Botnets Botnets are one of the biggest and best hidden threats on the Internet. Often, a botnet will be installed on a machine as a worm or Trojan horse, and run silently on a person’s machine. The person who controls the botnets is referred to as the bot herder, and he or she can send commands to the bots and receive data (such as passwords or access to other resources) from them. The reason the bot herder does this can vary, ranging from using the bots to store files on other people’s machines, instruct them to send simultaneous requests to a single site in a DoS attack, or for sending out spam mail. To illustrate how a bot may be used, consider a bot herder who wishes to send spam to large numbers of users. These e-mail messages may claim they’re from e-Bay or another popular site, and request the person to update their personal and credit card information. The bot herder sends out a Trojan horse that infects computers with the botnet. These infected computers are now referred to as agents or zombies, and will automatically log on to a Web server or Internet Relay Chat (IRC) server, which is referred to as the Command and Control (C&C) server. The bot herder can now send messages to the botnets through the C&C server, instructing each of the zombie machines to send out the spam. The problem with identifying the person responsible is that the e-mail or other data leads back to a victim and not a bot herder. If you traced who sent out the e-mail back to its source, such an e-mail would lead back to the zombie computer, and not the actual bot herder. In other words, if a bot on your computer had sent out the e-mail, it would appear that it came from you. To identify whether a bot was used, you can use antivirus software. Antivirus software like those we discussed previously will search a system using up-to-date signature files. Scanning for Trojans on the machine may identify the existence of known bots that have infected the machine. Bots may be disseminated using Trojan horses, which are programs that provide a functional use (such as games), but when executed will also install the bot on a computer. Test Day Tip Remember that botnets are a network of bots (robots) that can be used to take over a computer to send spam or do DoS attacks.
Logic Bombs A logic bomb is a type of malware that can be compared to a time bomb. It is designed to execute and do damage after a certain condition is met. This can be the passing of
22 CHAPTER 1 Systems Security Overview
a certain date or time, or other actions like a command being sent or a specific user account being deleted. Often attackers will leave a logic bomb behind when they’ve entered a system to try to destroy any evidence that system administrators might find. Logic bombs may exist on systems for long periods of time, without anyone being aware of their existence until they are triggered. For example, a disgruntled employee might program a logic bomb to trigger on the date of his or her retirement, or have it go off if he or she doesn’t send a specific command each month to delay its execution. Widely disseminated logic bombs may be distributed with worms or viruses, with ones containing common elements being detected by antivirus software. There have been a wide variety of different logic bombs that have appeared on people’s computers over the years. Well-known logic bombs include the Michelangelo virus, which was set to go off on March 6, the birthday of the famous Renaissance painter, and delete the data from hard disks; the DDoS attack Blaster attempted on http://windowsupdate.com, and Code Red’s attempted attack on the White House Web site. Although most logic bombs aren’t this well publicized, they can easily do similar or greater damage.
Hardware and Peripheral Security Risks If someone is given the chance, there are many ways to threaten a network or computer. Having physical access to a computer or other device can enable an unauthorized or uneducated user to make changes to settings that can seriously impact its security and functionality. Conversely, a system administrator can configure hardware settings so that authentication is required, or disable features that could be used for malicious purposes. Although making such changes to a computer is vital to ensuring a system is secure, it’s important to realize that there are more devices on a network than just computers. Technologies like USB have provided the means to plug a wide variety of devices into computers and have also led to advances in how data can be stored. Devices like cell phones have incorporated technology to provide similar functions to that of a computer, allowing them to communicate with other devices using Bluetooth or the Internet. More and more, computers are moving away from devices that need to be installed inside the machine or screwed into a port. Peripherals are devices that are connected to a computer using cables or wireless technologies. When you think of peripherals, you probably might think of printers, monitors, and keyboards. However, this category can also include various storage devices like removable drives, USB flash drives, memory cards, and other devices and media. In the forthcoming sections, we’ll discuss the various types of hardware and peripherals that are commonly found on a network, and see how these devices and media can affect an organization or network’s overall security.
BIOS BIOS is an acronym for basic input/output system, and refers to a chip that resides on the motherboard of a computer. This chip contains instructions on how to start
Hardware and Peripheral Security Risks 23
the computer and load the OS, and low-level instructions about how the system is to handle various hardware and peripherals. Information used by the BIOS is set and stored through the complementary metal oxide semiconductor (CMOS). The CMOS uses a battery on the motherboard to retain power, so that any settings used by the BIOS aren’t lost when the computer turns off. A user interface allows you to edit CMOS settings, so that you can configure the date, time, boot sequence, video settings, hard drive configuration, and security settings. When a computer starts, the BIOS checks for the presence of certain types of hardware and whether it is working properly. For example, it will check for the presence of a video card, check the voltage of the power supply, and so on. If there is an issue, it will inform the user of the problem through a series of audible beeps. If not, it will check the amount of memory on your computer, identify, and configure hardware on the computer, and identify the boot drive. It is at this point that the boot sector of the boot drive is used to start the OS.
How Can the BIOS Be a Security Risk? Because of the importance of the BIOS, you can see that making changes to it can seriously affect how the computer starts, or if it will start at all. The CMOS settings are the lowest level that you can provide instructions to the computer, or implement security settings like passwords. If someone were to modify settings or upgrade the BIOS incorrectly or maliciously, it could cause that computer to be unable to start. This would be a major issue in cases where the machine was a production server.
Passwords A basic method of protecting a computer is by setting passwords that prevent unauthorized users from starting up the machine and/or changing the settings. The CMOS setup program allows you to configure the system, and can be accessed on many machines by pressing specific keys (such as the F10 or DEL key) when the computer is first turned on. When the setup software appears, there are generally options that allow you to set passwords. A power-on password can be set, requiring anyone who starts the computer to enter a password before the OS loads. This prohibits hackers from using password-cracking tools to gain entry through the OS. Another password may also be set to prevent unauthorized persons from accessing the setup software and making changes to the computer. Setting this password also prevents malicious users from configuring power-on and BIOS passwords, which would restrict valid users from starting the computer or making system changes. A drawback to using power-on passwords is that the protection it offers can also be a danger in some situations. A person who’s authorized to use the computer and doesn’t have the password would be unable to start the system. One such situation could be a DoS attack, which would require restarting the server. If the person rebooting the server didn’t have the power-on password, the server would remain offline until the password could be found. Another example would be a user who has put a power-on password on a laptop, and delivered it to be repaired or upgraded. The hardware technician would be unable to properly complete the necessary tasks
24 CHAPTER 1 Systems Security Overview
for upgrading or repairing without being able to start the machine and load the OS. Although power-on passwords can provide a great deal of security, it can also cause significant problems in organizations if the people who need the passwords don’t have them. Exam Warning Once a person has physical access to a computer, the power-on password is the first line of defense in accessing any data on the machine. The power-on password is required before the OS loads, and is necessary to start up the computer.
Flashing the BIOS Because the BIOS and CMOS incorporate software to control low-level settings and security, it follows that there are times when this software may need to be upgraded to a newer version. As with any software, the BIOS may have known bugs that can be fixed with updated software. Similarly, the CMOS may need updating to fix errors or changes, and allow you to modify settings related to new features or hardware. Since the software is stored in a chip on the motherboard, this requires using special software that erases information on the chip and replaces it with updated programming. This special program is called a flash utility, which is why upgrading the BIOS is called flashing. Flashing the BIOS is generally done on rare occasions, because any mistakes could cause the computer to stop functioning. Some of the reasons why BIOS is upgraded is because there is a need to support newer hardware (such as larger hard disks or newer processors) or fix certain bugs. For example, the most widespread instance of people flashing the BIOS of computers was in 1999 to fix the Y2K bug. Because the date on computers was two digits, it was feared that when the year switched from 1999 to 2000, computers would register this date change as being 1900. Fortunately, because people and organizations upgraded the BIOS on computers and updated programming, there were few cases in which this caused problems. There are two main reasons why flashing the BIOS would fail. If there were a power failure during the upgrade, the BIOS would be corrupt. While flashing, if the wrong version of BIOS is used, the BIOS wouldn’t function properly afterwards. In other words, if you flashed the BIOS with software that was meant for a different computer, it would be filled with bad information. Because the computer wouldn’t start again after either of these situations, you wouldn’t be able to fix the machine. While flashing the BIOS is a relatively easy process, it is the potential catastrophic damage that keeps many from upgrading to later versions. Because you are overwriting all of the information used by the BIOS, flashing it will subsequently erase any passwords that have been set. This means that even if you’ve set a power-on password or a CMOS settings password, these will no longer exist after the BIOS has been flashed. If an authorized technician is flashing the BIOS, this means he or she will need to reset the passwords. If an unauthorized person does it, they now have access to the computer.
Hardware and Peripheral Security Risks 25
Exam Warning The CMOS settings are the lowest level that you can configure settings on a computer. Any changes to these settings will affect the BIOS and can impact how it starts the computer.
Booting the Computer The CMOS settings allow you to control the boot order of disks and disable certain hardware on the computer. Using these settings, you can control the order in which the computer will try to find an OS to load. It determines if the computer will first check the floppy disk, USB ports, or CD/DVD ROM for an OS to boot from, or if it will boot from the hard disk. For example, let us say a computer was set to first check a floppy drive, then a compact disc read-only memory (CD-ROM) or DVD-ROM, USB ports, and finally the hard disk for the presence of an OS. If these devices are active, an unauthorized user with physical access to the machine could insert a floppy or CD/ DVD into the drive, or a USB flash drive into a USB port. When the computer started, it would bypass the OS on the hard disk, and start the machine from the media he or she inserted into the computer. Now that the person has access, they can view any data stored on the machine, modify or delete files, or do other malicious activities. To prevent users from booting the machine from a disk or USB flash drive, administrators will often set the computer to first (or only) boot from a hard disk, and/or disable drives and USB ports. Unauthorized users are thereby prevented from using the drives or port to start the machine. If IT staff need to modify the boot order or use one of these devices, they would then temporarily change the CMOS settings.
USB Devices USB is an acronym for Universal Serial Bus, and is a standard technology that is used to allow devices to connect through a port on a computer. USB devices can be plugged into the computer and recognized by the OS, without the need to shut down the computer. Using USB, a wide variety of peripherals, such as mice, keyboards, external hard disks, flash drives, scanners, printers, and so on, can be installed on a machine by simply plugging them in. With improvements in technology, gigabytes of storage capacity are now available on flash drives, memory cards, MP3 players, external hard disks, or other USB devices. This obviously creates a security risk for organizations. In the past, an organization would be concerned that a series of files might be copied to a floppy disk or CD, and then removed from the office, but today a user could potentially copy an entire hard disk of information and carry it home in their pocket or briefcase. Because of this, there is a justified fear of data being lost or stolen with these devices. Organizations deal with the potential loss of data from USB devices in a number of ways. Some companies have strict policies that discourage users from transferring data from their computers. It is also common in secure environments for USB ports on computers to be disabled through CMOS settings, so that even if a flash drive
26 CHAPTER 1 Systems Security Overview
were inserted into a USB port, the computer wouldn’t recognize it. However, by preventing user access to technology, they are also limited from doing work at home or perhaps performing certain functions at work. To ensure that data stored on USB devices is secure, it is wise to encrypt and/or password-protect the files stored on them. In doing so, if a USB flash drive or other device were lost or stolen, anyone with access to the device would need to decrypt the data or have a password to open any files on the device. Another issue that should be considered with USB devices is possible infection from viruses, worms, and other malicious software. Because some USB devices can be used for storage, it follows suit that some of the files may be infected. To prevent the computer from being infected by a virus or other malware, the autoplay feature in Windows should be turned off. This is the feature that will start any programs on media inserted into drives or USB ports automatically. Turning off the autoplay feature can prevent an infected program from being executed as soon as Windows reads the disk or device. In addition to this, any USB storage devices should be scanned with up-to-date antivirus software before any files are opened. Test Day Tip USB devices are common to computers, with USB flash drives replacing other media like floppy disks. Because they are a commonly used technology, you can expect to see questions that directly ask about USB or include them as part of a scenario.
Flash Memory Cards Flash memory cards and sticks are popular for storing and transferring varying amounts of data. Memory cards have typically ranged from 8 to 512 MB, but new cards are capable of storing upwards of 8 GB of data. They are commonly used for storing photos in digital cameras (and transferring them to PCs) and for storing and transferring programs and data between handheld computers (pocket PCs and palm OS devices). Although called “memory,” unlike random access memory (RAM), flash media is nonvolatile storage; that means that the data is retained until it is deliberately erased or overwritten. PC Card (Personal Computer Memory Card International Association [PCMCIA]) flash memory cards are also available. Flash memory reader/writer come in many handheld and some laptop/notebook computers and external readers can be attached to PCs through USB or serial port. Flash memory cards include the following: ■■
Secure digital (SD) memory card
■■
CompactFlash (CF) memory card
■■
Memory stick (MS) memory card
■■
Multimedia memory card (MMC)
■■
xD-Picture card (xD)
■■
SmartMedia (SM) memory card
Hardware and Peripheral Security Risks 27
USB Flash Drives USB flash drives are small, portable storage devices that use a USB interface to connect to a computer. Like flash memory cards, they are removable and rewritable, and have become a common method of storing data. However, while flash memory cards require a reader to be installed, USB flash drives can be inserted into the USB ports found on most modern computers. The storage capacity of these drives range from 32 MB to 64 GB. USB flash drives are constructed of a circuit board inside of a plastic or metal casing, with a USB male connector protruding from one end. The connector is then covered with a cap that slips over it, allowing the device to be carried in a pocket or on a key fob without worry of damage. When needed, the USB flash drive can then be inserted into the USB port on a computer, or into a USB hub that allows multiple devices to be connected to one machine. USB flash drives often provide a switch that will set write-protection on the device. In doing so, any data on the device cannot be modified, allowing it to be easily analyzed. This is similar to the write protection that could be used on floppy disks, making it impossible to modify or delete any existing data, or add additional files to the device. Although USB flash drives offer limited options in terms of their hardware, a number of flash drives will come with software that can be used to provide additional features. Encryption may be used, protecting any data on the device from being accessed without first entering a password. Compression may also be used, allowing more data to be stored on the device. There are also a number of programs that are specifically designed to run from a USB flash drive rather than a hard disk. For example, Internet browsers may be used that will store any history and temporary files on the flash drive. This makes it more difficult to identify the browsing habits of a person.
iPod iPod is the brand name of portable media players that was developed by Apple Inc. in 2001. iPods were originally designed to play audio files, with capability to play media files added in 2005. Variations of the iPod were introduced by Apple with different capabilities. For example, the full-sized iPod stores data on an internal hard disk, whereas iPod nano and iPod shuffle both use flash memory, which we’ll discuss later in this chapter. Although iPod is a device created by Apple, the term has come to apply in popular culture to any portable media player. iPods store music and video by transferring the files from a computer. Audio and video files can be purchased from iTunes, or can be acquired illegally by downloading them from the Internet using P2P software or other Internet sites and applications, or sharing them between devices. iPods can be used to store and transfer photos, video files, calendars, and other data. As such, they can be used as storage devices to store files. Using the Enable Disk Use option in iTunes activates this function, and allows you to transfer files to the iPod. Because any media files are stored in a hidden folder on the iPod, you
28 CHAPTER 1 Systems Security Overview
will need to enable your computer to view hidden files to browse any files stored on the iPod. iPods use a file system that is based on the computer formatting the iPod. When you plug an iPod into a computer, it will use the file system corresponding to the type of machine it’s connecting to. If you were formatting it on Windows XP, it would use a FAT32 format, but if it were formatted on a machine running Macintosh OS X, then it would be formatted to use the HFS Plus file system. The exception to this is the iPod shuffle, which only uses FAT32.
Damage and Defense IPod Virus and Windows There are some sources of viruses that don’t immediately spring to mind. When you think of iPods, you probably associate them with Apple computers, and might never think they could infect a computer running Windows with a virus. However, iPods are designed to work with Windows, and many owners will connect them to Windows machines so they can transfer video and music files between the device and their computer. Unfortunately, in 2006, people bought more than they bargained for with the purchase of a new iPod. In 2006, Apple estimates that about 1% of the video iPods shipped between September 12 and October 18 were infected with the RavMonE worm. This worm opens a backdoor on Windows computers, allowing remote access to the machine. As soon as the iPod was plugged into a Windows machine, the autoplay feature would start programs that were designed for Windows and activate the worm. If the autoplay feature was disabled and had up-to-date antivirus software, the antivirus program would detect and remove the worm before it could infect the computer.
Cell Phones Cell phones, also known as wireless or mobile phones, are handheld devices that allow people to communicate over a network. Although cell phones were originally only used for voice communication, many mobile phones provide additional services that are comparable to features previously only seen on computers. These include e-mail, Internet browsing, personal digital assistant (PDA) functionality, digital camera, short message service (SMS) for text messaging, games, and the ability to watch video or listen to music. As new features are added to cell phones, the risks associated with owning one also increase. Because they’re smaller and more portable than laptops or other computers, they are more at risk of being stolen or lost. Someone with access to an insecure device could then access e-mail or other sensitive data on the phone and use the features of the device for their own purposes. Because of this, it’s important that cell phones used by an organization have as much security as possible set up on the device. People using these devices should never leave them unattended (that is, on a desk or left in a car), and they should be carried in a holster or case that can be
Hardware and Peripheral Security Risks 29
closed, making it more difficult to be stolen. If the cell phone supports a power-on password or has a key lock, which prevents the phone from being used unless a personal identification number (PIN) is entered, these features should be activated on the phone. Because data can be stored on memory cards used by cell phones, and phone calls can be intercepted, encryption should be used when possible. Encryption prevents any calls made with the phone from being heard and text messages, passwords, and other data from being viewed by outside parties who may intercept the cell phone’s transmissions. Organizations should also decide whether they want to limit or prohibit the use of cameras on cell phones. Using a camera on a cell phone, a person could take pictures of sensitive data displayed on a screen, or other classified information that may be displayed in plain sight. Because of this, companies who issue cell phones to employees may want to disable any feature that allows pictures or video to be taken.
Cell Phone Viruses There was a time when cell phone viruses were nothing more than a hoax. After all, as we discussed earlier in this chapter, viruses needed to be attached to a file that when executed would infect the computer. Even as late as the early 2000s, it was virtually impossible to acquire a virus on your cell phone, because any software on the phone was installed at the factory or by a vendor. By the mid-2000s, however, many of the most basic cell phones had an OS with services to access Internet sites, download applications, games, and other files that could be installed on the phone, and could attach to a computer using a cable or wirelessly using Bluetooth technology. Whereas people used to be limited to using a computer to read e-mail or send instant messages, mobile phones became a common tool for text messages and e-mails. Because of these advances, viruses not only gained the capability to run on cell phones, but also could be easily disseminated to cell phone users. The first virus targeting cell phones appeared in 2004. Cabir spread between cell phones that used the Symbian OS by transmitting itself using Bluetooth. Apart from displaying a message when the cell phone was turned on, the virus did little other than prove that cell phones could be infected. In 2005, the source code for Cabir was posted to the Internet, and other cell phone viruses have appeared. This includes the following: ■■
■■
■■
Mabir This indicates a version of Cabir that could also spread through a multimedia messaging service (MMS). Mosquito This indicates a Trojan horse that’s spread through a version of the downloadable game of the same name. This virus sends messages to premium numbers, which the cell phone user is charged for calling. Brador This indicates the first backdoor Trojan infecting mobile phones using Windows CE and Windows Mobile. It has the capability to reset the phone, delete files, and send data to a third party.
30 CHAPTER 1 Systems Security Overview
Bypassing Network Firewalls A firewall is software and/or hardware that serve as a barrier between an internal network or computer and an external network, such as the Internet. Networks commonly incorporate firewalls into their security to prevent hackers or malicious software from accessing internal resources. Unfortunately, even in cases where cell phones are configured to get internal e-mail from a corporate mail server, they are always able to bypass network firewalls because they use technologies that are external to the network. For example, a user will enter a Web site address into their Web browser, and this request will go through the firewall before being passed to the Internet. In doing so, the firewall has rules set up that will allow or deny access. A cell phone user has no such restrictions, as he or she can browse the Internet using the services provided by the wireless phone company. In doing so, the cell phone can bypass the network firewall and any security set up on it. Another issue with cell phones is that they can be used as modems. By connecting a cell phone to a computer, it can be used as a modem to connect to the Internet or a remote computer. Once connected, a person could then transfer files from the computer by e-mailing them as attachments or copying them to a remote computer or an Internet location. Another method of transferring data is using Bluetooth technology. Bluetooth is a wireless protocol and service that allows Bluetooth-enabled devices to communicate and transfer data with one another. For example, you could use Bluetooth to copy a picture from your cell phone to a laptop computer, or vice versa. Unfortunately, Bluetooth is notoriously insecure. It has a discovery mode that allows devices to automatically detect and connect with other devices. Without authentication, a person could connect to a Bluetooth-enabled cellphone or other device and download data. Bluesnarfing is a term used for someone who leaves their laptop or another device in discovery mode, so that they can connect to any nearby Bluetooth device that’s unprotected. Cell phones have become the common way of making voice calls, and are increasingly used for other services that were only available on computers. Because Blackberry devices and other mobile phones have become a necessity for some people and businesses to stay in contact, it is important that security policies and procedures remember to include cell phone technologies.
Removable Storage Devices Removable storage, also referred to as removable media, is any device that can be attached to a system and used for storing data. Storage is referred to as removable because the disk itself is separate from the drive (the device that reads and writes to it). As we discussed previously, there are also devices that attach to a computer through a port, allowing data to be transferred between the machine and storage device. Because they can be attached and removed from the computer, using this kind of storage adds an element of risk that the media will be lost, damaged, or stolen. Removable storage includes devices like USB flash drives and memory cards
Hardware and Peripheral Security Risks 31
(which we discussed earlier), but also include devices that provide the capability to store data on such media as: ■■
CD
■■
DVD
■■
Blu Ray
■■
Floppy disks
■■
Magnetic tape
Exam Warning Removable media refers to media that can have a disk or other storage method removed from a drive or port. This isn’t the same as hard disks or other devices that can be removed from the computer. For example, removable disk racks and bays allow you to easily slide an Integrated Device Electronics (IDE) or small computer system interface (SCSI) hard disk drive (mounted in a carrier rack) in and out of a docking bay, which remains attached to the advanced technology attachment (ATA) or SCSI interface of a computer. Hard disk drives can also be inserted into external bays that are easily plugged into and removed from the USB port of a computer. The distinction is that in these cases you are removing the entire drive, not just the disk itself, whereas with true removable storage media, the drive stays attached to the computer and only the media—disk, tape, or card—is removed.
CD/DVD CDs and DVDs are rigid disks a little less than 5 in. in diameter, made of hard plastic with a thin layer of coating. CDs and DVDs are called optical media because CD and DVD drives use a laser beam, along with an optoelectronic sensor, to write data and read the data that is “burned” into the coating material (a compound that changes from reflective to nonreflective when heated by the laser). The data is encoded in the form of incredibly tiny pits or bumps on the surface of the disc. CDs and DVDs work similarly, but the latter can store more data because the pits and tracks are smaller, because DVDs use a more efficient error-correction method (that uses less space), and because DVDs can have two layers of storage on each side instead of just one.
CD The term CD originates from “compact disc” under which audio disks were marketed. Philips and Sony still hold the trademark to this name. There are several different types of CDs that have developed over the years, with the first being CD audio or compact disc digital audio (CDDA). CD audio were the first CDs that were used to record audio disks. Little has changed in the physics of CD since the origin of CD audio disks in 1980. This is due
32 CHAPTER 1 Systems Security Overview
in part to the desire to maintain physical compatibility with an established base of installed units, and because the structure of CD media was both groundbreaking and nearly ideal for this function. There are different variations of CDs available for data storage. These include the following: ■■
■■
CD-R This implies CD-Recordable. This type of CD is a write once-read many (WORM) media that allows you to record data to it once, so that you can later read the data. Once data is written to a CD-R, no additional data can be written to the CD. CD-RW This implies CD-Rewritable. This type of CD allows you to erase and write to the disk multiple times.
CD-ROM Until 1985, CDs were used only for audio, when Philips and Sony introduced the CD-ROM standard. CD-ROM is an acronym for compact disc read-only memory, and it refers to any data CD. However, the term has grown to refer to the CD-ROM drive used to read this optical storage media. For example, when you buy software, the disc used to install the program is called an installation CD. These discs are capable of holding up to 700 MB of data, and they remain a common method of storing data.
DVD Originally, DVD was an acronym for digital video disc and then later digital versatile disc. Today, it is generally agreed that DVD is not an acronym for anything. However, while these discs were originally meant to store video, they have become a common method of storing data. In fact, in addition to being capable of copying (ripping) or creating (burning) data on a DVD, DVD-ROM drives are also backwards compatible and able to copy and create CDs. DVDs are an evolutionary growth of CDs with slight changes. Because development of DVD follows the CD by 14 years, you can see that the CD was truly a revolutionary creation in its time. It is important to understand that both CDs and DVDs are electrooptical devices, as opposed to nearly all other computer peripherals which are electromagnetic. There are no magnetic fields in the reading or recording of these discs; therefore, they are immune to magnetic fields of any strength, unlike the hard drives. Owing to its immunity to magnetic fields, CDs and DVD media are unaffected by electromagnetic pulse (EMP) effects, X-rays, and other sources of electromagnetic radiation. The primary consideration with recordable CD media (and to a lesser extent, manufactured media) is energy transfer. It takes a significant amount of energy to affect the media that the writing laser transfers to the disc. Rewritable discs (which we’ll discuss later) require even more energy to erase or rewrite data. This is in direct contrast to floppy discs and hard drives, both of which can be affected by electromagnetic devices such as magnetic resonance imaging (MRI)
Hardware and Peripheral Security Risks 33
machines, some airport X-ray scanners, and other devices that create a strong magnetic field. CDs and DVDs are also immune to EMP from nuclear detonations. It is important to understand that CD and DVD media are read with light, and recordable discs are written with heat. Using an infrared (IR) laser, data is transferred to a CD or DVD onto a small, focused area that places all of the laser energy onto the target for transfer. It should be noted that all CD and DVD media are sensitive to heat (that is, above 120 °F/49 °C), and recordable media are sensitive to IR, ultraviolet (UV), and other potential intense light sources. Some rewritable media are affected by erasable programmable read-only memory (EPROM) erasers, which use an intense UV light source. Both CD and DVD media are organized as a single line of data in a spiral pattern. This spiral is over 3.7 miles (or 6 km) in length on a CD, and 7.8 miles (or 12.5 km) for a DVD. The starting point for the spiral is toward the center of the disc with the spiral extending outward. This means that the disc is read and written from the inside out, which is the opposite of how hard drives organize data. With this spiral organization, there are no cylinders or tracks like those on a hard drive. The term track refers to a grouping of data for optical media. The information along the spiral is spaced linearly, thus following a predictable timing. This means that the spiral contains more information at the outer edge of the disc than at the beginning. It also means that if this information is to be read at a constant speed, the rotation of the disc must change between different points along the spiral.
Types of DVDs Just as there are several types of CDs that may be used for various purposes, there are a wide variety of DVDs available. As mentioned previously, the storage capacity of a DVD is immense when compared with that of a CD, and can range from 4.5 GB on a single-layer, single-sided DVD to 17 GB on a dual layer, double-sided DVD. The various types of DVDs on the market include the following: ■■
■■
■■
DVD-R This stands for DVD minus recordable. A DVD-R disc will hold up to 4.5 GB of data, and is a WORM medium. In other words, once it is written to, the data on the DVD cannot be modified. DVD+R This stands for DVD plus recordable. A DVD+R disc will also hold up to 4.5 GB of data, and is similar to the DVD-R. Choosing between DVD-R and DVD+R discs should be guided by the intended use of the disc. There is some evidence that DVD-R discs are more compatible with consumer DVD recorders than DVD+R discs; however, there are consumer players that will only read DVD+R discs. DVD-R discs are often the best choice for compatibility if the disc being produced contains data files. Early DVD-ROM drives can generally read DVD-R discs but are incapable of reading DVD+R discs. DVD writers that only write DVD+R/RW discs will read DVD-R discs. DVD-RW This stands for “DVD minus read write.” This, like CD-RW discs, allows an average of 1000 writes in each location on the disc before failing. A DVD-RW disc will hold up to 4.5 GB of data and is recordable.
34 CHAPTER 1 Systems Security Overview
■■
■■
■■
DVD+R DL (dual layer) This is an extension of the DVD standard to allow for dual-layer recording. Previously the only dual-layer discs were those manufactured that way. This allows up to 8.5 GB of data to be written to a disc. Most current DVD drives support reading and writing DVD+R DL discs. DVD+RW This stands for “DVD plus read write.” This, like CD-RW discs, allows an average of 1000 writes in each location on the disc before failing. A DVD+RW disc will hold up to 4.5 GB of data and is recordable. DVD-RAM This is a relatively obsolete media format, which emphasized rewritable discs that could be written to more than 10,000 times. There were considerable interoperability issues with these discs and they never really caught on.
Blu-Ray Blu-Ray is a high-density optical storage method that was designed for recording high-definition video. The name of this technology comes from the blue-violet laser that is used to read and write to the discs. A single-layer Blu-Ray disc can store up to 25 GB of data, whereas a dual-layer Blu-Ray disc can store up to 50 GB of data. Although many people are familiar with the stand-alone Blu-Ray players to play movies, there are also Blu-Ray drives that allow users to record and play data on computers. In 2007, Pioneer announced the release of a Blu-Ray drive that can record data to Blu-Ray discs, as well as DVDs and CDs. In addition to this, Sony has also released their own rewritable drive for computers.
Floppy Disks In the early days of personal computing, floppy disks were large (first 8 in., then later 5.25 in. in diameter), thin, and flexible. Today’s “floppies,” often and more accurately called disks, are smaller (3.5 in.), rigid, and less fragile. The disk inside the disk housing is plastic, coated with magnetic material. The drive into which you insert the disk contains a motor to rotate the disk so that the drive heads, made of tiny electromagnets, can read and write to different locations on the disk. Standard disks today hold 1.44 MB of data; SuperDisk technology (developed by Imation Corporation) provides for storing either 120 or 240 MB on disks of the same size.
Magnetic Tape In the early days of computing, magnetic tapes were one of the few methods used to store data. Magnetic tapes consist of a thin plastic strip that has magnetic coating, on which data can be stored. Early systems throughout the 1950s to 1970s used 10.5 in. magnetic tape, whereas home computers in the early 1980s used audiocassette tapes for storing programs and data. Today, magnetic tape is still commonly used to back up data on network servers and individual computers. Magnetic tape is a relatively inexpensive form of removable storage, especially for backing up data. It is less useful for data that needs to be accessed frequently
Summary of Exam Objectives 35
because it is a sequential access media. You have to move back and forth through the tape to locate the particular data you want. In other words, to get from file 1 to file 20, you have to go through files 2 through 19. This is in contrast to direct access media like disks, in which the heads can be moved directly to the location of the data you want to access without progressing in sequence through all the other files.
Network-Attached Storage Corporate networks commonly request users to store their data on shared, centralized storage. Users commonly access through a mapped drive on their computer, which allows them to save to a file server. The file server has one or more hard disks that users utilize to save or retrieve data. Because the data is centralized, network administrators can back up the data stored on the server easily. Users who don’t use this storage, and choose to back up the data on a local drive generally don’t have the benefit of data being backed up. Although file servers have been a common component of networks, another storage system is becoming increasingly popular on networks. Network-attached storage (NAS) is a system that is connected to a network to provide centralized storage of data. Unlike a traditional file server, which can be used to run applications, databases, or provide other resources, NAS is only used for data storage. It is scaled down to only providing access to a file system in which data is stored, and management tools that are accessed remotely. It consists of a set of hard disks that can be configured as redundant array of independent disks (RAID) arrays, and supports authentication, encryption, permissions, and rights. To access the data, users connect using protocols like network file system (NFS) or server message blocks (SMB).
Summary of Exam Objectives In this chapter, we discussed a number of technologies, tools, and risks associated with computer and network security. Code attacks are carefully crafted programs written by attackers and designed to do damage. Trojan horses, viruses, spyware, rootkits, and malware, are all examples of this kind of attack. These programs are written to be independent and do not always require user intervention or for the attacker to be present for their damage to be done. By configuring your computer and using antivirus/antispyware utilities, you can protect your systems from known versions of malicious software. In addition to discussing how data can be threatened, we also discussed methods of storing and transferring data. Today, there are more data storage devices and methods for getting devices to communicate with one another than ever before. In addition to more traditional technologies like floppy disks, CDs, and DVDs, there are USB devices that can store more data than early hard disks on PCs. Other devices like iPods and cell phones can also be used to store and transmit data. Each of these technologies brings increased benefits to users, and new challenges to security professionals.
36 CHAPTER 1 Systems Security Overview
Exam Objectives Fast Track Security Threats ■■
■■
■■
■■
■■
■■
■■
■■
■■
■■
■■
Malware is malicious software, carefully crafted programs written and designed by attackers to compromise security and/or do damage. Computer security is the process of protecting systems and data from unauthorized access, malicious users and software, and other threats that could result in the loss of integrity, damage, or loss of data and equipment. Privilege escalation occurs when a user acquires greater permissions and rights than he or she was intended to receive. This can occur as a result of bugs or backdoors in the software. Bugs are errors in software, causing the program to function in a manner that wasn’t intended. Backdoors are methods of accessing a system in a manner that bypasses normal authentication methods. Viruses are programs that automatically spread, usually when an innocent victim executes the virus’ payload, and generally causes damage. Viruses have a long history in computing, and take many different forms. Today’s antivirus software is effective in catching most viruses before they can spread or cause damage. Worms are basically network viruses, spread without user knowledge that wreaks havoc on computers and systems by consuming vast resources. Because they are self-replicating, a worm outbreak can reach hundreds of thousands of machines in a matter of days or hours. Antivirus software is an application that is designed to detect viruses, worms, and other malware on a computer system. These programs may monitor the system for suspicious activity that indicates the presence of malware, or use signature files to detect and remove viruses from your system. Signature files are files that contain information on known viruses, and are used by antivirus software to identify viruses on a system. Trojan horses are different from viruses in that they require the user to run them. They usually come hidden, disguised as some kind of interesting program, or sometimes even as a patch for a virus or common computer problem. Installing back doors or deleting files are common behaviors for Trojan horses. Most antiviral software can catch and disable Trojan horses. Rootkits are a collection of tools that are used to acquire elevated privileges on a computer, thereby allowing a hacker access to data or functions he or she wouldn’t normally have. Rootkits try to hide their presence from the OS by modifying the kernel, drivers, or common applications. They are hard to detect and eliminate, and are used to plant other malicious software like backdoors or viruses.
Exam Objectives Fast Track 37
■■
■■
■■
■■
Spyware is currently one of the most prevalent, although in theory less harmful, code attacks. Most of them are more annoying than dangerous, but some can have criminal intentions, and most cause instability in affected systems. Adware is software that displays advertising while the product is being used, and is used by software developers to finance the distribution of their product as freeware. Bots (short for robots) are a type of program that run automatically, and can be used to receive commands from a remote computer used by a bot herder. A network of bots is known as a botnet, and can be used for simultaneous attacks on sites, or to send spam from multiple machines. Logic bombs are a type of program that is designed to execute and do damage after a certain condition is met, such as after a certain amount of time has passed, a specific date occurs, or other events or actions that activate malicious code.
Hardware and Peripheral Security Risks ■■
■■
■■
■■
■■
■■
■■
BIOS is a chip on the motherboard of a computer, and contains instructions on how to start the computer and load the OS, and low-level instructions about how the system is to handle various hardware and peripherals. Information used by the BIOS is set and stored through the CMOS. The CMOS uses a battery on the motherboard to retain power, so that any settings used by the BIOS aren’t lost when the computer turns off. A power-on password can be set in the CMOS settings, requiring anyone who starts the computer to enter a password before the OS loads. Another password may also be set to prevent unauthorized persons from accessing the setup software and making changes to the computer. Flashing the BIOS is done to upgrade it to a newer version. It will overwrite all information, clearing any power-on passwords or CMOS settings. USB is a standard technology that’s used to allow devices to connect through a port on a computer, so that devices can be installed on a computer without having to shut down the machine. There are numerous USB devices available, including storage devices like flash drives. USB flash drives are storage devices that can store any type of data, including photos, video, documents, and various other types of data. They come in a range of storage sizes (upwards to 64 GB) and can be used with almost any system that supports the USB version of the device. iPod is the brand name of portable media players that was developed by Apple, and can be used to store audio, video, and other files.
38 CHAPTER 1 Systems Security Overview
■■
■■
■■
■■ ■■
■■
■■
■■
Flash memory cards and sticks are storage devices that are commonly used for storing photos in digital cameras (and transferring them to PCs) and for storing and transferring programs and data between handheld computers (pocket PCs and palm OS devices). Cell phones, also known as wireless or mobile phones, are handheld devices that allow voice and data communication. Although older cell phones only provided voice communication, most modern phones provide features like e-mail, text messaging, gaming, Internet access, digital camera, and other tools and services that were only available previously with a computer. CD is an acronym for compact disc. CD is a 5-in. optical disc that can contain up to 700 MB of data. DVDs are 5-in. optical discs with the capacity to store 4.7 to 17 GB of data. Blu-Ray is a high-density optical storage method that was designed for recording high-definition video. A single-layer Blu-Ray disc can store up to 25 GB of data, whereas a dual-layer Blu-Ray disc can store up to 50 GB of data. Floppy disks have been a common method of storing data since the early days of personal computers. The 3.5-in. floppy disks are disks that are coated with a magnetic material and housed in plastic. They are capable of storing 1.44 MB of data. Magnetic tapes consist of a thin plastic strip that has magnetic coating, on which data can be stored. Tapes are commonly used to back up data on network servers and individual computers. NAS is a system that is connected to a network to provide centralized storage of data.
EXAM OBJECTIVES Frequently Asked Questions Q: If I don’t open file attachments from people I don’t know, will this prevent me from getting a virus? A: It is always wise not to open file attachments from people you don’t know, but this won’t completely protect you from a virus. As we discussed in this chapter, a virus may send itself to everyone in an e-mail program’s address book, so it may appear that it’s coming from someone you know. It’s important not to open any documents you weren’t expecting, especially when they come from people you don’t know. If you do receive an e-mail attachment you weren’t e xpecting or that seems suspicious, don’t open it. If you know the sender, you can always contact that person to confirm if they have sent you a file attachment. Q: My company has a firewall, do I need to worry about worms?
Self Test 39
A: Yes. Many users these days have laptop computers that are connected to a number of different networks. Each new network is a new vector for worm attack. Many companies stand to face outages caused by worms brought in on employee laptops. Also, some worms/viruses/Trojans are unwittingly downloaded from seemingly harmless Web sites. Firewalls need to inspect all allowed traffic to filter out attacks through normally safe protocols. Q: Should I avoid opening common file types used by viruses, and completely block them with the firewall? A: In configuring firewalls and educating users on how to handle different file extensions, common sense must be exercised. For example, if your boss e-mailed an internal memo in the form of a Microsoft Word document, it would probably be wise not to ignore it. Similarly, a bookkeeper may need to send regular spreadsheets to an external payroll company, or else no one would get paid. Business doesn’t stop simply because of the possibility of viruses. While you should never open an executable file that you weren’t expecting, such as those ending in .com, .exe, .scr, and so on, it is important to identify what business processes rely on transmitting certain file types over the network or Internet.
Self Test
1. You are analyzing the current security of your network and are concerned about the possibility that users will bypass authentication and gain greater permissions than they were given. What are the two major causes of privilege escalation? Choose all that apply. A. Bugs in software C. Backdoors B. Spyware D. BIOS
2. A user reports that his machine frequently crashes, and that he believes someone has accessed his e-mail account with his password. He has performed an antivirus scan on his computer and it is clean. What other likely culprit is behind the attack? A. A worm C. A Rootkit B. A Trojan horse D. A logic bomb
3. You open a Microsoft Word document and notice that other files you have open suddenly close. When you reopen these files, you find that the information in them has been modified. The same behavior doesn’t occur when other programs are used. What type of virus has probably infected your system? A. Parasitic C. Boot sector B. Data file D. A logic bomb
40 CHAPTER 1 Systems Security Overview
4. A programmer has recently been fired from the organization. On the programmer’s next birthday, your server suddenly locks up. Upon investigating, you find that there have been numerous Registry changes, and system files have been deleted by a service created by the dismissed programmer. What has a ffected your system? A. Nothing. Programs often modify Registry settings. B. Link C. Boot sector D. Logic bomb
5. You have installed a new program on your computer. The software doesn’t cost anything, but it does display intermittent advertisements for products in a corner of the screen. After installing, you notice that there is a sudden increase in received data across your Internet connection, although there is no real increase in data being sent. You’re not using your Web browser, e-mail software, or other Internet applications, so you’re concerned whether the new program is sending data over the Internet. Which of the following has most likely been installed? A. Virus C. Adware B. Antivirus D. Worm
6. What are good ways to protect against worms? (Select all that apply.) A. User education programs B. Correct firewall configuration C. Timely software patches D. Antivirus scans
7. You receive an e-mail warning you about a virus, stating that if a Windows XP computer contains the file mstsc.exe, you have been infected with the virus. As such, you should delete that file and a series of others. In searching the Internet, you find information that this is a normal Windows file. What type of virus is this? A. Link C. Data file B. Companion D. Hoax
8. A user has a laptop computer that normally isn’t connected to the network. She complains that her computer has slowed down considerably, and certain programs on the machine no longer open. She ran her antivirus program, but it found nothing. You establish a remote connection to the computer so that you can view what’s installed on the laptop, and see that she has antivirus software installed and running. When you map a drive letter to the laptop and run the antivirus software on your computer, you find several viruses have infected the laptop. Why are you able to find the viruses but not her?
Self Test 41
A. The antivirus software on her laptop hasn’t been updated with the latest signature files. B. It is a hoax virus. C. You are getting a false positive. The virus must be on your machine and not the laptop, because you can’t scan mapped drives with antivirus software. D. She didn’t have antivirus software installed or running on her machine.
9. You are configuring a firewall to block certain file types from being attached to incoming e-mail. When the e-mail reaches the firewall, you want these files to be removed from the e-mail, so that only the message reaches the user on your network. Which of the following file extensions are associated with executables that are commonly targeted by viruses and should be removed? Choose all that apply. A. .doc C. .exe B. .com D. .reg
10. Your company’s Web server suddenly gets tens of thousands of simultaneous requests for a Web page. After the Web server crashes, you restart the server and then take a look at the log files. You see that some of the requests came from your own network. What kind of attack has most likely happened? A. Rootkit C. Virus B. Botnet D. Worm 11. You have purchased a used computer in an auction. When you power-on the computer, you are asked for a password before the OS even loads. Since you don’t have it, how will you clear the password so that you can start the computer and begin using it? A. Clear the password in the CMOS settings B. Flash the BIOS C. Press F10 or DEL on the keyboard D. There is nothing you can do if you don’t have the power-on password. 12. You have heard that upgrading the BIOS on a computer can help to fix any bugs and provide new features. You download a new BIOS version and begin the upgrade. Everything seems to go well, and you recycle the power on the computer. It doesn’t start but produces a blank screen. What most likely is the cause of the computer not starting? A. The wrong BIOS version was installed. B. There was a power outage during the upgrade. C. The CMOS editor needs to be reconfigured. D. You should never flash the BIOS as it will cause the computer to fail.
42 CHAPTER 1 Systems Security Overview
13. Your company has started issuing USB flash drives to employees. Employees now use the devices to copy data from their home computers, insert them into computers used by other businesses, and so on. Members of the sales team and others who deal with outside organizations need this removable storage, so they can obtain copies of specifications, orders, and so forth. In copying files from computers outside of your network, you’re concerned about viruses. Which of the following should you do to ensure that users can benefit from the functionality of their flash drives, while protecting the network from any viruses? A. Turn off autoplay on Windows computers used by your company B. Disable USB ports on any computers attached to your network C. Set write-protection on the flash drive so that viruses can’t be written to the device D. Create a policy that prohibits users from copying data outside of the organization to flash drives 14. You are planning to implement removable storage devices in your organization. Before doing so, your boss wants you to provide information on various types of removable media that users can use to read, write, and rewrite data to. Which of the following storage devices will you discuss? A. Hard disks B. CD-R
C. DVD-R D. Flash memory card
15. You need to migrate 40 GB of data from a hard disk to removable media. You want to ensure that all of the data is stored on a single disc or media. Which of the following will you use? A. Blu-Ray B. DVD
C. CD D. Disk
Self Test Quick Answer Key 1. 2. 3. 4. 5.
A, and C C B D C
6. 7. 8. 9. 10.
B, and C D A B, and C B
11. 12. 13. 14. 15.
A A A D A
CHAPTER
OS Hardening
2
E x a m o b j e c tiv e s in this c hapt e r General OS Hardening........................................................................................................... 44 Server OS Hardening............................................................................................................. 65 Workstation OS..................................................................................................................... 75
Introduction Security+ technicians need to fully understand the fundamentals of system hardening (also described as “locking down” the system). This knowledge is needed not only to pass the Security+ exam, but also to work in the field of information security. You will learn that the skills needed to detect breeches and exploits are an essential part of the security technician’s repertoire. The Security+ exam covers the general fundamentals of hardening. Operating system (OS) hardening covers important concepts such as locking down file systems, controlling software installation, and use and methods for configuring file systems properly to limit access and reduce the possibility of a breach. Some other steps to take to harden the OS include installing only protocols that are used, enabling only services that are needed, installing only the software that is needed and approved, and granting the minimum rights to users as required. Additional steps could be to limit the users’ ability to perform tasks they would not perform, such as installing unauthorized software, or changing Windows settings. In some cases, it may also be necessary to encrypt files on disk to further restrict access to sensitive data. Many OS default configurations do not provide an optimum level of security, because priority is given to those who need access to data. Even so-called secure OSes may have been configured incorrectly to allow full access. Thus, it is important to modify OS settings to harden the system for access control. Other topics covered in the area of OS hardening are how to receive, test, and apply service packs and hotfixes to secure potential vulnerabilities in systems. Depending on the environment, it may be necessary to disable external devices, such as USB interfaces and compact disc, read-only memory (CD-ROM) drives to prevent users from installing unauthorized software.
43
44 CHAPTER 2 OS Hardening
General OS Hardening OS hardening involves making the OS less vulnerable to threats. In this chapter, we’ll cover many of the ways you can help to harden the OS. You should follow a documented, step-by-step process to harden your OS. It is recommended you use standard approaches to securing your OSes across the board. When looking at ways to provide file and directory security, you must first look at how file security can be structured. ■■ ■■
Start with everything accessible and lock down the things you want to restrict. Start with everything locked down and open up the things you want to allow access to.
Of these two potential methods, the second, which is also referred to as the rule of least privilege, is the preferred method. Least privilege is when you start with the most secure environment and then loosen the controls as needed. Using this method works to be as restrictive as possible with the authorizations provided to users, processes, or applications that access these resources. Accessibility and security are usually at opposite ends of the spectrum; this means that the more convenient it is for users to access data, the less secure the network. While looking at hardening security through permissions (for example, authentication, authorization, and accounting [AAA]), administrators should also consider updating the methods used to access the resources. It starts with the process of evaluating risk. That’s one of the key steps in the hardening process, as the question will often arise as to what is secure enough? That’s the role of the risk assessment in this process. As an example, your child’s piggy bank may be protected by no more than a small lock hidden on the bottom. Although that’s suitable for your child’s change, you have probably noticed that your bank has many more controls protecting you and their other customers’ assets. Risk assessment works the same way in that the value of the asset will drive the process of access control and what type of authorization will be needed to access the protected resource. It is important to look at the use and appropriateness of mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC) in controlling access appropriately and to coordinate this effort with the establishment of file system controls. Let’s discuss each type of access control.
MAC/DAC/RBAC In discussing access control, MAC, DAC, and RBAC are individual areas that take on a new meaning. ■■
MAC In this context, is not a network interface card (NIC) hardware address but rather a concept called MAC.
General OS Hardening 45
■■ ■■
DAC Is often referred to as the use of discretionary access control lists (DACLs). RBAC Should not be confused with rule-based access control but is instead an access control method based on the use of the specific roles played by individuals or systems.
All three methods have varying uses when trying to define or limit access to resources, devices, or networks. The following sections explore and illustrate each of the three access control methods.
MAC MAC is generally built into and implemented within the OS being used, although it may also be designed into applications. MAC components are present in UNIX, Linux, Microsoft’s Windows OSes, OpenBSD, and others. Mandatory controls are usually hard-coded and set on each object or resource individually. MAC can be applied to any object within an OS and allows a high level of granularity and function in the granting or denying of access to the objects. MAC can be applied to each object and can control access by processes, applications, and users to the object. It cannot be modified by the owner or creator of the object. The following example illustrates the level of control possible. When using MAC, if a file has a certain level of sensitivity (or context) set, the system will not allow certain users, programs, or administrators to perform operations on that file. Think of setting the file’s sensitivity higher than that of an e-mail program. You can read, write, and copy the file as desired, but without an access level of root, superuser, or administrator, you cannot e-mail the file to another system, because the e-mail program lacks clearance to manipulate the file’s level of access control. For example, this level of control is useful in the prevention of Trojan horse attacks, since you can set the access levels appropriately to each system process, thus severely limiting the capability of the Trojan horse to operate. The Trojan horse would have to have intimate knowledge of each of the levels of access defined on the system to compromise it or make the Trojan horse viable within it. To review briefly, MAC is ■■
Nondiscretionary The control settings are hard-coded and not modifiable by the user or owner.
■■
Multilevel Control of access privileges is definable at multiple access levels.
■■
Label-based May be used to control access to objects in a database
■■
Universally Applied Applied to all objects
DAC DAC is the setting of access permissions on an object that a user or application has created or has control of. This includes setting permissions on files, folders, and shared resources. The “owner” of the object in most OS environments applies DACs. This ownership may be transferred or controlled by root or other superuser/
46 CHAPTER 2 OS Hardening
administrator accounts. It is important to understand that DAC is assigned or controlled by the owner rather than being hard-coded into the system. DAC does not allow the fine level of control available with MAC, but requires less coding and administration of individual files and resources. To summarize, DAC is ■■
■■
■■
Discretionary Not hard-coded and not automatically applied by the OS/ network operating system (NOS) or application Controllable Controlled by the owner of the object (file, folder, or other types) Transferable The owner may give control away.
RBAC RBAC can be described in different ways. The most familiar process is a comparison or illustration using the “groups” concept. In Windows, UNIX/Linux, and NetWare systems, the concept of groups is used to simplify the administration of access control permissions and settings. When creating the appropriate groupings, you have the ability to centralize the function of setting the access levels for various resources within the system. We have been taught that this is the way to simplify the general administration of resources within networks and local machines. However, although the concept of RBAC is similar, it is not the exact same structure. With the use of groups, a general level of access based on a user or machine object grouping is created for the convenience of the administrator. However, when the group model is used, it does not allow for the true level of access that should be defined, and the entire membership of the group gets the same access. This can lead to unnecessary access being granted to some members of the group. RBAC allows for a more granular and defined access level, without the generality that exists within the group environment. A role definition is developed and defined for each job in an organization, and access controls are based on that role. This allows for centralization of the access control function, with individuals or processes being classified into a role that is then allowed access to the network and to defined resources. This type of access control requires more development and cost but is superior to MAC in that it is flexible and able to be redefined more easily. RBAC can also be used to grant or deny access to a particular router or to File Transfer Protocol (FTP) or Telnet. RBAC is easier to understand using an example. Assume that there is a user at a company whose role within the company requires access to specific shared resources on the network. Using groups, the user would be added to an existing group which has access to the resource and access would be granted. RBAC on the other hand would have you define the role of the user and then allow that specific role access to whatever resources are required. If users get a promotion and change roles, changing their security permissions is as simple as assigning them to their new
General OS Hardening 47
roles. If they leave the company and are replaced, assigning the appropriate role to the new employees grants them access to exactly what they need to do their jobs without trying to determine all of the appropriate groups that would be necessary without RBAC. In summary, RBAC is: ■■ ■■
■■
■■
Job Based The role is based on the functions performed by the user. Highly Configurable Roles can be created and assigned as needed or as job functions change. More Flexible Than MAC MAC is based on very specific information, whereas RBAC is based off of a user’s role in the company, which can vary greatly. More Precise Than Groups RBAC allows the application of the principle of least privilege, granting the precise level of access required to perform a function.
An example of this would be using groups in Windows Active Directory to grant access to users, as opposed to granting access directly. For example, a file share used by accounting could be granted read-write access to the accounting group. The accounting group would contain all the accountants within an organization. Exam Warning Be careful! RBAC has two different definitions in the Security+ exam. The first is defined as Role-Based Access Control. A second definition of RBAC that applies to control of (and access to) network devices is defined as Rule-Based Access Control. This consists of creating access control lists (ACL) for those devices and configuring the rules for access to them.
The challenge is to secure the OS and provide what’s needed to allow the system to perform as desired without allowing anything that is unnecessary. For example, you should turn off any unused services or features that could be exploited. Surface area refers to the area (services, ports, and so forth) available on a computer for attack. Reducing the surface area, which means reducing the area that’s available for a hacker to attack, is a good part of securing an OS. While this extends beyond the OS, we will focus on reducing surface area in the OS in this chapter. More services, file shares, features, or programs running on a computer provide more opportunity for a hacker to attack. For example, if a file server has Internet Information Services (IIS) running on it, this would provide more avenues or surface exposed for attack. Exposing the least amount of surface area for attack will greatly enhance the security of your computer. You can use tools such as port scanners to analyze what’s open and exposed from outside the computer. “Penetration testing” to see if you can get past the computer’s defenses is one method of testing.
48 CHAPTER 2 OS Hardening
The following sections discuss and explore the methods used to harden defenses and reduce vulnerabilities that exist in systems. To get things started, let’s review the general steps to follow for securing an OS:
1. Disable all unnecessary services
2. Restrict permissions on files and access to the Registry
3. Apply the latest patches and fixes
4. Remove unnecessary programs
Services Windows-based computers also have the capability to enable and disable services. Figure 2.1 shows some of the services dialog on a workstation. Services can be disabled through the properties for the service (see Figure 2.2). Best practices would be to disable any services on a server or workstation that are not required. Note As you begin to evaluate the need to remove protocols and services, make sure that the items you are removing are within your area of control. Consult with your system administrator on the appropriate action to take and make sure you have prepared a plan to back out and recover if you make a mistake.
While considering removal of nonessential services, it is important to look at every area of the computer’s application to determine what is actually occurring and running on the system. The appropriate tools are needed to do this, and the Internet contains a wealth of resources for tools and information to analyze and inspect systems.
Figure 2.1 Workstation Services
General OS Hardening 49
Figure 2.2 Workstation Services Properties
File System Controlling access is an important element in maintaining system security. The most secure environments follow the “least privileged” principle, as mentioned earlier. This principle states that users are granted the least amount of access possible that still enables them to complete their required work tasks. Expansions to that access are carefully considered before being implemented. Law enforcement officers and those in government agencies are familiar with this principle regarding noncomputerized information, where the concept is usually termed need to know. Generally, following this principle means that network administrators receive more complaints from users unable to access resources. However, receiving complaints from authorized users is better than suffering access violations that damage an organization’s profitability or ability to conduct business. In practice, maintaining the least privileged principle directly affects the level of administrative, management, and auditing overhead, increasing the levels required to implement and maintain the environment. One alternative, the use of user groups,
50 CHAPTER 2 OS Hardening
is a great time saver. Instead of assigning individual access controls, groups of similar users are assigned the same access. In cases where all users in a group have exactly the same access needs, this method works. However, in many cases, individual users need more or less access than other group members. When security is important, the extra effort to fine-tune individual user access provides greater control over what each user can and cannot access. Keeping individual user access as specific as possible limits some threats, such as the possibility that a single compromised user account could grant a hacker unrestricted access. It does not, however, prevent the compromise of more privileged accounts, such as those of administrators or specific service operators. It does force intruders to focus their efforts on the privileged accounts, where stronger controls and more diligent auditing should occur.
Head of the Class How Should We Work with File System Access? Despite the emphasis on group-based access permissions, a much higher level of security can be attained in all operating platforms by individually assigning access permissions. Administratively, however, it is difficult to justify the expense and time involved in tracking, creating, and verifying individual access permissions for thousands of users trying to access thousands of individual resources. RBAC is a method that can be used to accomplish the goal of achieving the status of least privileged access. It requires more design and effort to start the implementation, but develops a much higher level of control than does the use of groups. Good practice indicates that the default permissions allowed in most OS environments are designed for convenience, not security. For this reason, it is important to be diligent in removing and restructuring these permissions.
Encrypted File System Encrypted file system (EFS) can be used on Windows machines to provide an additional layer of protection when it comes to securing the OS. The encrypting file system is part of the Windows OS. What it does is encrypt the files on the disk using symmetric and asymmetric keys. EFS occurs at the OS level. If someone tries to access the file without the appropriate key, they get an “access denied” message. This is used to help ensure unauthorized users don’t get access to encrypted files. The keys are generally tied to an account—once they are imported to the account the access is relatively transparent to the user. This is why it’s important to protect the keys—if someone gains access to the keys, they would be able to access the files, so the keys should be well protected. Using EFS is particularly useful with laptop users. In this day and age with reports of personal data such as credit card information and social security numbers being lost by large companies, EFS would help to protect that data in the event that the
General OS Hardening 51
Figure 2.3 Encrypting a File
hardware is lost or stolen. While the thief may have the files, he won’t be able to access them since he does not have the key. It’s also important to protect the keys from loss, as if the keys are lost, it’s nearly impossible to recover the data. There is a recovery agent that should have the keys imported to it. By encrypting sensitive files, and preventing access to them by unauthorized users, this will contribute to the overall security of the machine being hardened. Figure 2.3 shows how to encrypt files. Clicking the details will show the information about encryption after the file has been encrypted (see Figure 2.4). The main drawback to using EFS is performance. Even though encryption and decryption occur at the OS level, there is still some overhead involved in the process which will add to the CPU load on the machine performing the encryption and decryption. Exam Warning The Security+ exam requires good knowledge of the hardening processes. It includes questions relating to hardening that you may not have thought about. For example, hardening can include concepts present in other security areas, such as locking doors, restricting physical access, and protecting the system from natural or unnatural disasters.
Hotfixes/Patches Updates for OSes are provided by the manufacturer of the specific component. Updates contain improvements to the OS, and new or improved components that the manufacturer believes will make the product more stable, usable, secure, or otherwise attractive to end users. For example, Microsoft updates are often specifically
52 CHAPTER 2 OS Hardening
Figure 2.4 Encryption Details
labeled Security Updates. If you have never taken a look at these, you can find the latest updates at www.microsoft.com/protect/default.mspx. These updates address security concerns recognized by Microsoft and should be evaluated and installed as needed. Updates should be thoroughly tested in nonproduction environments before implementation. It is possible that a “new and improved” function (especially one that enhances user convenience) may actually allow more potential for a security breach than the original component. Complete testing is a must. It’s a good idea to keep up with the hotfixes and patches for your respective OSes. Most vendors will provide regular patch releases and periodic hotfixes. Many of the hotfixes and patches will address security-related features. Microsoft has a mailing list you can subscribe to for information about security updates. To receive automatic notifications whenever Microsoft Security Bulletins and Microsoft Security Advisories are issued or revised, subscribe to Microsoft Technical Security Notifications on www.microsoft.com/technet/security/bulletin/notify.mspx. Another good location would be to subscribe to the Computer Emergency Response Team (CERT) Web site, which may be found at www.cert.org. CERT is located at Carnegie Mellon University’s Software Engineering Institute. One other really good resource is the SecurityFocus Web site at www.securityfocus. com. They have OS specific mailing lists you can join to receive regular updates on
General OS Hardening 53
available patches as well as security flaws to beware of and discussions on current security topics and best practices.
Service Packs/Maintenance Updates Microsoft offers service packs and maintenance updates. Service packs are regular releases with bug fixes and sometimes minor enhancements in them. They are usually a good idea to install; however, it’s a good idea to test.
Hotfixes Hotfixes are packages that can contain one or more patches for software. They generally fix a specific issue or group of issues with a particular piece of software or OS. Hotfixes are generally created by the vendor when a number of clients indicate that there is a compatibility or functional problem with a manufacturer’s products used on particular hardware platforms. These are mainly fixes for known or reported problems that may be limited in scope. As with the implementation of updates, these should be thoroughly tested in a nonproduction environment for compatibility and functionality before being used in a production environment. Because these are generally limited in function, it is not a good practice to install them on every machine. Rather, they should only be installed as needed to correct a specific problem.
Service Packs Service packs are accumulated sets of updates or hotfixes. Service packs are usually tested over a wide range of hardware and applications in an attempt to assure compatibility with existing patches and updates and to initiate much broader coverage than just hotfixes. The recommendations discussed previously also apply to service pack installation. Service packs must be fully tested and verified before being installed on live systems. Although most vendors of OS software attempt to test all the components of a service pack before distribution, it is impossible for them to test every possible system configuration that may be encountered in the field, so it is up to the administrator to test their own. The purpose is to slow or deter compromise, provide security for resources, and assure availability.
Damage & Defense What Should I Do to Try to Minimize Problems with Updates, Service Packs, Patches, and Hotfixes? 1. Read the instructions. Most repair procedures include information about their applicability to systems, system requirements, removal of previous repairs, or other conditions. 2. Install and test in a nonproduction environment, not on live machines. 3. If offered, use the option to back up the existing components for repair if the update fails.
54 CHAPTER 2 OS Hardening
4. Verify that the condition that is supposed to be updated or repaired is actually repaired. 5. Document the repair.
Patch Management Patches for OSes are available from the vendor supplying the product. These are available by way of the vendor’s Web site or from mirror sites around the world. They are often security related and may be grouped together into a cumulative patch to repair many problems at once. Except for Microsoft, most vendors issue patches at unpredictable intervals; it is therefore important to stay on top of their availability and install them after they have been tested and evaluated in a nonproduction environment. The exception to this is when preparing a new, clean install. In this case, it is wise to download and install all known patches prior to introducing the machines to the network.
Patches Windows-based platforms allow the configuration of OS and network services from provided administrative tools. This can include a service applet in a control panel in Windows NT Server or a Microsoft Management Console (MMC) tool in Windows 2000 and above (XP/2003/Vista/2008). It may also be possible to check or modify configurations at the network adapter properties and configuration pages. In either case, it is important to restrict access and thus limit vulnerability due to unused or unnecessary services or protocols.
Scripts Scripts are a versatile way to manage patches. They can be used to perform custom installations, automatic installations, and pretty much anything a programmer is clever enough to write a script for. Windows provides Windows Scripting Host, which would enable you to create scripts or use predefined script to perform almost any task. You can add users to groups, set features, and so forth. PowerShell is an extensible command line shell which has its own full-featured scripting language. It’s very powerful and integrates with .Net Framework. You can write more complex code using PowerShell.
Patch Management Systems There are quite a few systems out there for managing patches, including homemade systems, Microsoft’s SMS/System Center, Microsoft’s Software Update Services, and so forth.
Altiris Altiris is now part of Symantec, the company that produces Norton Antivirus and Norton utilities. Altiris allows for the management of a wide spectrum of clients from Windows to UNIX to Linux and MacOS machines—all from a single management platform. Altiris has the ability to discover, catalog, and inventory software on
General OS Hardening 55
Windows, UNIX, Linux, and Mac machines, which can help determine the patch level of the computers in your organization.
SMS/System Center Microsoft SMS 2003 and System Center 2007 products are designed to aid in monitoring system health and also can be used to distribute software and settings out to different groups of computers in your organization. SMS 2003 and System Center rely heavily on Active Directory and integrate with Windows Group Policy.
Windows Software Update Services Windows Software Update Services (WSUS) is a freely available product that allows enterprise users to manage Microsoft updates on their computers running the Windows OS. WSUS in its simplest form gets the latest updates from Microsoft and allows the administrators to determine whether to approve or decline individual updates as well as to distribute them across their infrastructure. By distributing the updates from a local server, an administrator can not only control which updates are applied but also help control the amount of Internet bandwidth needed for those updates as well as the time of day the updates are installed.
Windows Group Policies Group Policy in Windows allows you to set security settings as well as install specific software (such as virus scanning) on a group of computers. To understand Group Policy, we need to step back and take a look at Active Directory. You can use Group Policy to manage all aspects of the client desktop environment for Windows clients (Windows servers and workstations), including Registry settings, software installation, scripts, security settings, and so forth. The possibilities of what can be done with Group Policy are almost limitless. With VBScript, Jscript, or PowerShell you can write entire applications to execute via Group Policy. You can install software automatically across the network and apply patches to applications. When deciding on the Group Policies you plan to enforce on your network, keep in mind that the more policies applied, the more network traffic, and hence the longer it could take for users to log onto the network. Group Policies are stored in Active Directory as Group Policy Objects (GPOs). These objects are the instructions for the management task to perform. Group Policy is implemented in four ways: ■■
■■
Local Group Policy Using local Group Policy involves setting up Group Policy on the local machine. This is not very useful for managing computers on a network. Local Group Policy is configured on the local computer. Site Group Policy Site Group Policy is when the GPO is linked to the site. Site Group Policies can generate unwanted network traffic, so use these only when absolutely necessary.
56 CHAPTER 2 OS Hardening
■■
■■
Domain Group Policy Domain Group Policy is when the GPO is linked to the domain. This will apply the GPO to all computers and users within a domain. This is especially useful for enforcing company-wide settings. This is one of the two most commonly used applications of Group Policy. Organizational Unit Group Policy Organizational Unit Group Policy is when the GPO is linked to the organizational unit (OU). OU Group Policy is especially useful for applying a GPO to a logical grouping (OU) of users or computers. This is particularly useful when placing computers for specific tasks in an OU container. For example, you can place all the Web servers in an OU to apply specific settings to those Web servers via Group Policy.
Group Policies provide administrators with the ability to control and configure users’ settings, manage users’ data, and perform remote software installation and maintenance. Group Policies require Active Directory and it is important to remember that the number and complexity of GPOs can adversely affect network performance and login times. Ideally, you should segregate computers that will have the same settings applied into defined OUs. This can be done on a Windows machine using the Active Directory users and computers MMC snap-in. Figure 2.5 shows three OUs for computers: Once the OUs have been created, you can use the Group Policy editor and Group Policy management console to create a Group Policy. In Figure 2.6, we show the Group Policy management console. Most of the options in this console are self-explanatory and help is built-in. Figure 2.5 This can be used to explore and create new GPOs. Three OUs
Exercise 1 Creating a Policy For this exercise, we will create a policy that will audit login events for our Structured Query Language (SQL) Servers. 1.
Right click on the policy and select edit. This starts the Group Policy editor allowing us to define the policy. There are quite a few options available as far as defining restrictions and hardening the computer. Take care when defining options so that the options selected won’t inhibit users from getting their jobs done.
General OS Hardening 57
Figure 2.6 The Group Policy Management Console
2.
Expand the nodes on the right and select audit policy.
3.
Pick audit account login events on the right panel (see Figure 2.7).
4.
Once you’ve made a selection from the right panel, a dialog box opens. In this example, we will enable auditing and click OK. If you were not sure what a setting did, you could view information about the setting on the “Explain This Setting” tab (see Figure 2.8).
5.
Once you click OK, you’ll see the GPO edit screen. You should see the selection reflected in the settings in the right panel as shown in Figure 2.9.
6.
Now close out the GPO editor. Your policy has been created. Note that it is possible to define as many settings as you’d like in the GPO editor, even though in this example we’ve only defined one (see Figure 2.10).
In Figure 2.10, we could check the settings tab and see more information about the settings defined in this GPO. Microsoft provides an easy method to define Group Policy and apply it to groups of machines. This is one way we can harden the OSes and make them less vulnerable to attack.
58 CHAPTER 2 OS Hardening
Figure 2.7 Selecting Audit Account Login Events
Security Templates
Figure 2.8 Viewing Information about Settings
Security templates are basically a “starting point” for defining system settings in Windows. These templates contain hundreds of possible settings that can control a single computer or a whole network of computers and can be customized extensively. Some of the areas which security templates control include user rights, password policies, system policies, and user and system permissions. The base security templates provided by Microsoft are predefined settings to accomplish a specific task. For example, compatws in Windows is used to reduce the security level to allow older applications to run, hisecdc is used to apply a high security level to a domain controller. Similarly,
General OS Hardening 59
Figure 2.9 The GPO Edit Screen
Figure 2.10 A Group Policy Setting
60 CHAPTER 2 OS Hardening
hisecws is used to apply stringent security controls on a workstation. Windows security templates can be found in C:\Windows\Security\templates in XP/Server 2003. The security templates for Windows Vista are available in the Vista Security Guide available at www.microsoft.com.
Windows Security templates are actually part of Group Policy in the Microsoft Windows OS. The security templates can be copied and modified. Windows comes with the following default security templates. ■■
■■
■■ ■■
■■
■■
■■
Compatws.inf This template will change the file and Registry permissions to make the security settings consistent with what would be needed to support older applications. It is generally used when older application support is needed. This should only be used when necessary. DC security.inf This template is created when a server is promoted to a domain controller. It can be used to set a domain controller back to the default settings applied when it was promoted to a domain controller. Hisecdc.inf This is used to increase the security on a domain controller. Hisecws.inf This is used to increase the security on client computers and member servers. Notssid.inf This specifies to remove Windows Terminal Server Security Identifier (SIDs) from the file system and Registry locations. It is used to allow older applications to run under terminal services. Securedc.inf This is used to increase the security on a domain controller, but not to the level of the High Security DC security template. Securews.inf This is used to increase the security on client computers and member servers, but not to the level of the High Security DC security template.
Setup security.inf This is created during installation and will be different between computers. This represents the default security settings that get applied during the installation. Security templates can be managed through the security template snap-in (see Figure 2.11). ■■
Notes from the Field New Templates When making a new template, you can save a lot of time and aggravation by starting with one of the Windows templates that’s already created.
General OS Hardening 61
Figure 2.11 The Security Template Snap-in
SE Linux Linux also has a number of different tools and many different templates which can be used to help harden the OS. While each version of Linux may have differences, there are also a lot of similarities. The same principles that can be applied to Windows can also be applied to Linux. The principle of least access, disabling services and daemons that are not used, and so forth all should be considered. An example would be if you were using a Linux server for file storage, it wouldn’t make sense to have Apache installed and configured on that particular server. Ideally, only services that are used should be enabled. Bastille is an automated security setup tool that provides a level of security based on the usage of the server. The administrator answers a series of questions and based on the answers the settings are determined and then applied. Bastille is freely available at http://bastille-linux.sourceforge.net and works not only on Linux but on UNIX and MacOS X as well.
Configuration Baselines Configuration baselines are standard setups used when configuring machines in organizations. Configuration baselines are used to provide a starting point where machines can then be customized with respect to their specific roles in the network. For example, a Windows domain controller may not require Windows Media Services to be installed since its primary function is that of a directory service. A Web server would not necessarily require a database to be installed. Additionally specific
62 CHAPTER 2 OS Hardening
services would be installed, turned off, or even removed completely based on the final location of the system in the network architecture.
Determining Configuration Baselines When considering baselines for an organization, it is important to always keep in mind the principle of least access. You should determine each of the “functions” that will be needed within your organization and create baseline configurations for each. This could apply to both people and machines; in this case, we’ll use machines as an example. The following example describes the different baselines or types of computers used in a typical organization. Each category would have its own baseline “build” which would consist of set groups of services, programs, settings, and features on a particular machine. In the following example, the consulting organization, Haverford Consultants, Inc. has seven categories of systems that are deployed on their network. These categories are: ■■
Web server
■■
File and print server
■■
Database server
■■
Domain controller
■■
Normal workstation
■■
Developer workstation
■■
Domain name system (DNS), Dynamic Host Control Protocol (DHCP) server
Each category requires specific settings to be applied. The domain controllers may have the hisecdc security template applied since they contain user account information as well as directory services for the organization as a whole. The normal workstation may only need to have the compatws template applied as the end workstations will only be used by the regular users. The Web servers as well as the DNS servers will most likely have tight security requirements as they could be placed outside the corporate firewall in a demilitarized zone (DMZ) that is accessible from the Internet. It is important to remember that the generic security templates provided by Microsoft or used in such hardening tools as Bastille will need to be further customized by an organization to meet their specific security requirements.
Utilizing Configuration Baselines for Security Metrics Microsoft Baseline Security Analyzer The Microsoft Baseline Security Analyzer (MBSA) is a free tool for small and medium businesses that can be used to analyze the security state of a Windows network relative to Microsoft’s own security recommendations. In addition to identifying security
General OS Hardening 63
Figure 2.12 The MBSA Startup Screen
issues, the tool offers specific remediation guidance. MBSA will detect common security misconfigurations and missing security updates on Windows systems. The initial MBSA startup screen is shown in Figure 2.12. MBSA can scan multiple computers or a single computer. In Exercise 2, we’ll scan one computer.
Exercise 2 Running MBSA
1. Start up by either double-clicking on the MBSA shortcut on the desktop or by selecting MBSA from the Programs menu. Once MBSA starts up, you are presented with the “Tasks” screen. Select “Scan a computer.”
2. Enter the information of the computer to be scanned as shown in Figure 2.13. This could be either the computer name or its IP address. Click “Start Scan.”
3. When the scan completes, the results are available in a report shown in the MBSA tool (see Figure 2.14).
Each of the items on the report should be evaluated in detail to ensure all security issues are understood and resolved. The MBSA is an excellent tool that will provide insight into security vulnerabilities in your organization.
64 CHAPTER 2 OS Hardening
Figure 2.13 Scanning a Computer
Figure 2.14 Results from Scanning a Computer
Server OS Hardening 65
Server OS Hardening Server OS hardening can be a very complex and daunting task. However, by following a standard set of procedures and using tools such as security templates and MBSA, this task can be made significantly easier and can result in improved security across your network. One of the first tasks to focus on is deciding which services and protocols need to be enabled and which should be disabled.
Enabling and Disabling Services and Protocols When you are considering whether to enable and disable services and protocols in relation to network hardening, there are extra tasks that must be done to protect the network and its internal systems. As with the OSes and NOSes discussed earlier, it is important to evaluate the current needs and conditions of the network and infrastructure, and then begin to eliminate unnecessary services and protocols. This leads to a cleaner network structure with more capacity and less vulnerability to attack. Eliminating unnecessary network protocols includes eliminating such protocols as Internetwork Packet Exchange (IPX), Sequenced Packet Exchange (SPX), AppleTalk, and/or NetBIOS Extended User Interface (NetBEUI). It is also important to look at the specific operational protocols used in a network such as Internet Control Messaging Protocol (ICMP), Internet Group Management Protocol (IGMP), Service Advertising Protocol (SAP), and the Network Basic Input/Output System (NetBIOS) functionality associated with Server Message Block (SMB) transmissions in Windows-based systems. Note As you begin to evaluate the need to remove protocols and services, make sure that the items you are removing are within your area of control. Consult with your system administrator on the appropriate action to take, and make sure you have prepared a plan to back out and recover if you make a mistake.
While you are considering removal of nonessential protocols, it is important to look at every area of the network to determine what is actually occurring and running on the system. The appropriate tools are needed to do this, and the Internet contains a wealth of resources for tools and information to analyze and inspect systems. A number of functional (and free) tools can be found at sites such as www. foundstone.com/us/resources-free-tools.asp. Among these, tools like SuperScan 4.0 are extremely useful in the evaluation process. If working in a mixed environment with Windows, UNIX, Linux, and/or NetWare machines, a tool such as Big Brother for monitoring may be downloaded and evaluated (or in some cases used without charge) by visiting www.bb4.com. Another useful tool is Nmap, which is available at http://insecure.org/nmap/. These tools can be used to scan, monitor, and report on multiple platforms, giving a better view of what is present in an environment. In Linux-based systems, nonessential services can be controlled in different ways, depending on the distribution being worked with. This may include editing or
66 CHAPTER 2 OS Hardening
making changes to xinetd.conf or inetd.conf or use of the graphical Linuxconf or ntsysv utilities or even the Webmin configuration tool. It may also include the use of ipchains or iptables in various versions to restrict the options available for connection at a firewall.
Nonessential Services Let’s begin with a discussion about the concept of nonessential services. Nonessential services are the ones you do not use or have not used in some time. For many, the journey from desktops to desktop support to servers to entire systems support involves a myriad of new issues to work on. And as we progressed, we wanted to see what things could be done with the new hardware and its capabilities. In addition, we were also often working on a system that we were not comfortable with, had not studied, and had little information about. Along with having a superior press for using the latest and greatest information, we hurried and implemented new technologies without knowing the pitfalls and shortcomings. Nonessential services may include network services, such as DNS or DHCP, Telnet, Web, or FTP services. They may include authentication services for the enterprise, if located on a nonenterprise device. They may also include anything that was installed by default that is not part of your needed services. Systems without shared resources need not run file and print services. In a Linux environment, if the machine is not running as an e-mail server, then remove sendmail. If the system is not sharing files with a Windows-based network, then remove Samba. Likewise, if you are not using NIS for authentication, you should disable the service or remove it. This is applicable for any type of OS. The Security+ exam is OS agnostic, meaning that the same general principles apply regardless of the OS that you use. Being familiar with the services that are unnecessary for the specific OS that you are working with is an important part of ensuring that the system is well secured. The basic premise is to disable the services that you do not need. The list of services that this covers varies by OS or even the specific version or release of the OS.
Nonessential Protocols Nonessential protocols can provide the opportunity for an attacker to reach or compromise your system. These include network protocols such as IPX/SPX (in Windows OSes, NWLink) and NetBEUI. It also includes the removal of unnecessary protocols such as ICMP, IGMP, and specific vendor supplied protocols such as Cisco’s Cisco Discovery Protocol (CDP), which is used for communication between Cisco devices, but may open a level of vulnerability in your system. Evaluation of protocols used for communication between network devices, applications, or systems that are proprietary or used by system device manufacturers, such as the protocols used by Cisco to indicate private interior gateways to their interoperating devices, should also be closely examined.
Server OS Hardening 67
Evaluation of the protocols suggested for removal may show that they are needed in some parts of the system but not others. Many OS platforms allow the flexibility of binding protocols to certain adaptors and leaving them unbound on others, thus reducing the potential vulnerability level.
Disabling Nonessential Processes Processes running on your systems should be evaluated regarding their necessity to operations. Many processes are installed by default but are rarely or never used by the OS. In addition to disabling or removing these processes, you should regularly evaluate the running processes on the machine to make sure they are necessary. As with disabling unnecessary protocols and services and systems, you must be aware of the need for the processes and their potential for abuse that could lead to system downtime, crashes, or breach. UNIX, Linux, Windows server and workstation systems, and NetWare systems all have mechanisms for monitoring and tracking processes, which will give you a good idea of their level of priority and whether they are needed in the environments you are running.
Disabling Nonessential Programs Like the other areas we have discussed, it is appropriate to visit the process of disabling or removing unnecessary programs. Applications that run in the background are often undetected in normal machine checks and can be compromised or otherwise affect your systems negatively. An evaluation of installed programs is always appropriate. Aside from the benefit of more resources being available, it also eliminates the potential that a breach will occur.
FTP Servers FTP servers are potential security problems, as they are often exposed to outside interfaces, thereby inviting anyone to access them. The vast majority of FTP servers open to the Internet support anonymous access to public resources. Additionally, incorrect file system settings in a server acting as an FTP server allow unrestricted access to all resources stored on that server and could lead to a system breach. FTP servers exposed to the Internet are best operated in the DMZ rather than the internal network and should be hardened with all of the OS and NOS fixes available. All services other than FTP should be disabled or removed. Contact from the internal network to the FTP server through the firewall should be restricted and controlled through ACL entries to prevent possible traffic through the FTP server from returning to the internal network. FTP servers providing service in an internal network are also susceptible to attack; therefore, administrators should consider establishing access controls including usernames and passwords, as well as the use of Secure Sockets Layer (SSL) for authentication.
68 CHAPTER 2 OS Hardening
Some of the hardening tasks that should be performed on FTP servers include: ■■
Protection of the server file system
■■
Isolation of the FTP directories
■■
Positive creation of authorization and access control rules
■■
Regular review of logs
■■
Regular review of directory content to detect unauthorized files and usage
DNS Servers Hardening DNS servers consists of performing normal OS hardening and then considering the types of control that can be done with the DNS service itself. Older versions of Berkeley Internet Name Domain (BIND) DNS were not always easy to configure, but current versions running on Linux and UNIX platforms can be secured relatively easily. Microsoft’s initial offering of DNS on NT was plagued with violations of their integrity, making internetwork attacks much easier to accomplish, since information about the internal network was easy to retrieve. With Windows 2003, Microsoft made significant strides to secure their DNS server. Among the many changes made were the addition of controls to prevent zone transfer operations to machines that are not approved to request such information, thus better protecting the resources in the zone files from unauthorized use. With the release of BIND 9, a new capability was added to provide different functionality from the software based on the hosts accessing the server. This capability is invoked with the view clause in the named.conf. When hardening a DNS server, it is critical to restrict zone transfers. Zone transfers should only be allowed to designated servers. Additionally, those users who may successfully query the zone records with utilities such as nslookup should be restricted via the ACL settings. Zone files contain all records of a zone that are entered; therefore, an unauthorized entity that retrieves the records has retrieved a record of what is generally the internal network, with host names and IP addresses. There are records within a DNS server that can be set for individual machines. These include HINFO records, which generally contain descriptive information about the OS and features of a particular machine. HINFO records were used in the past to track machine configurations when all records were maintained statically, and were not as attractive a target as they are today. A best practice in this case would be to not use HINFO records in the DNS server. Attackers attempt zone transfers by using the following command: First, by typing nslookup from the command line, next the target server’s DNS server address is entered, server
, then the set type=any command is entered. Finally, the ls -d target.com is entered to try and force the zone transfer. If successful, a list of zone records will follow. There are a number of known exploits against DNS servers in general. For example, a major corporation placed all their DNS servers on a single segment. This made
Server OS Hardening 69
it relatively simple to mount a denial of service (DoS) attack using ICMP to block or flood traffic to that segment. Other attacks that administrators must harden against are attacks involving cache poisoning, in which a server is fed altered or spoofed records that are retained and then duplicated elsewhere. In this case, a basic step for slowing this type of attack is to configure the DNS server to not do recursive queries. It is also important to realize that BIND servers must run under the context of root and Windows DNS servers must run under the context of Local System to access the ports they need to work with. It is possible to run BIND under a chroot jail in UNIX and to run Windows DNS under a different, lower privilege, account as well. If the base NOS is not sufficiently hardened, a compromise can occur.
Network News Transfer Protocol Servers Network News Transfer Protocol (NNTP) servers are also vulnerable to some types of attacks, because they are often heavily used from a network resource perspective. NNTP servers that are used to carry high volumes of newsgroup traffic from Internet feeds are vulnerable to DoS attacks that can be mounted when “flame wars” occur. This vulnerability also exists in the case of listserv applications used for mailing lists. NNTP servers also have vulnerabilities similar to e-mail servers, because they are not always configured correctly to set storage parameters, purge newsgroup records, or limit attachments. It is important to be aware of malicious code and attachments that can be attached to the messages that are being accepted and stored. NNTP servers should be restricted to valid entities, which require that the network administrator correctly set the limits for access. It is also important to be aware of the platform being used for hosting a NNTP server. If Windows-based, it will be subject to the same hardening and file permission issues present in Windows IIS servers. Therefore, there are additional services and protocols that must be limited for throughput and defenses such as virus scanning that must be in place.
File and Print Servers The ability to share files and printers with other members of a network can make many tasks simpler and, in fact, this was the original purpose for networking computers. However, this ability also has a dark side, especially when users are unaware that they are sharing resources. If a trusted user can gain access, the possibility exists that a malicious user can also obtain access. On systems linked by broadband connections, crackers have all the time they need to connect to shared resources and exploit them. The service called file and print sharing in Windows allows others to access the system from across the network to view and retrieve files or use resources. Other OSes have similar services (and thus similar weaknesses). The Microsoft file- and print-sharing service uses NetBIOS with SMB traffic to advertise shared resources, but does not offer security to restrict who can see and access those resources.
70 CHAPTER 2 OS Hardening
This security is controlled by setting permissions on those resources. The problem is that when a resource is created in a Windows-based system, they are set by default to give full control over the resource to everyone who accesses that system. By default, the file- and print-sharing service is bound to all interfaces being used for communication. Under Windows XP and 2000 when sharing is enabled for the purpose of sharing resources with a trusted internal network over a NIC, the system is also sharing those resources with the entire untrusted external network over the external interface connection. This is no longer the case with Windows Vista, however connecting to an untrusted network automatically turns off file sharing. Many users are unaware of these defaults and do not realize their resources are available to anyone who knows enough about Windows to find them. For example, users with access to port scanning software or using the basic analysis provided through the use of NetBIOS statistics (NBTSTAT) or the net view command in a Windows network would have the capability to list shared resources if NetBIOS functionality exists.
Notes from the Field Look at What Is Exposed To look at the resources exposed in a Windows network, open a command window in any version of Windows that is networked. Click the Start button at the bottom left of the task bar. Click the “Run” option and in the dialog box type cmd. In the command window that opens up type net view and press the Return [Enter] key. You will see a display showing machines with shared resources in the network segment and the machines they are attached to. The display will look something like this: Server Name Remark ----------------------------------------\\EXCELENTXP \\EXC2003 The command completed successfully. Next, type net view \\machine name at the prompt, and hit the Enter or Return key. That display might look like this: Shared resources at \\excnt4 Share name Type Used as Comment -----------------------------------------public Disk The command completed successfully. As can be seen, it does not take much effort for attackers inside or outside a network to view vulnerabilities that are shown when NetBIOS functionality is present.
Server OS Hardening 71
At the very least, the file- and print-sharing service should be unbound from the external network interface’s adapter. Another solution (or a further precaution to take in addition to unbinding the external adapter) is to use a different protocol on the internal network. For example, computers could communicate over NetBEUI on a small local nonrouted network. If file and print sharing is bound to NetBEUI and unbound from Transmission Control Protocol/Internet Protocol (TCP/IP), internal users can still share resources, but those resources will be unavailable to “outsiders” on the Internet. If a user does not need to share resources with anyone on the internal (local) network, the file- and print-sharing service should be completely disabled. On most networks where security is important, this service is disabled on all clients. This action forces all shared resources to be stored on network servers, which typically have better security and access controls than end-user client systems.
DHCP Servers DHCP servers add another layer of complexity to some layers of security, but also offer the opportunity to control network addressing for client machines. This allows for a more secure environment if the client machines are configured properly. In the case of the clients, this means that administrators have to establish a strong ACL to limit the ability of users to modify network settings, regardless of platform. Nearly all OSes and NOSes offer the capability to add DHCP server applications to their server versions. As seen in each of the application server areas, administrators must also apply the necessary security patches, updates, service packs, and hotfixes to the DHCP servers they are configuring and protecting. DHCP servers with correct configuration information will deliver addressing information to the client machines. This allows administrators to set the node address, mask, and gateway information, and to distribute the load for other network services by creation of appropriate scopes (address pools). Additional security concerns arise with DHCP. Among these, it is important to control the creation of extra DHCP servers and their connections to the network. A rogue DHCP server can deliver addresses to clients, defeating the settings and control efforts for client connection. In most systems, administrators are required to monitor network traffic consistently to track these possible additions and prevent a breach of the system. Some OS and NOS manufacturers have implemented controls in their access and authentication systems to require a higher level of authority for authorizing DHCP server operation. In the case of Windows, a Windows DHCP server that belongs to an Active Directory domain will not service client requests if it has not been authorized to run in Active Directory. However, a stand-alone Windows DHCP server can still function as a rogue. Someone could still also introduce a rogue server running a different OS and NOS or a stand-alone server that does not belong to the domain. Administrators should also restrict access to remote administration tools to limit the number of individuals who can modify the settings on the DHCP server.
72 CHAPTER 2 OS Hardening
Data Repositories Data repositories include many types of storage systems that are interlinked in systems for maintenance and protection of data. It is important to discuss the need for protection and hardening of the various types of storage that are maintained. This includes different storage media combinations, methods of connection to the information, consideration of the access implications and configurations, and maintenance of the integrity of the data. When considering tightening and securing the data repository area, file services such as those detailed earlier in the file and print section and also the Network Attached Storage (NAS) and Storage Area Network (SAN) requirements must be considered. NAS and SAN configurations may present special challenges to hardening. For example, some NAS configurations used in a local area network (LAN) environment may have different file system access protections in place that will not interoperate with the host network’s OS and NOS. In this case, a server OS is not responsible for the permissions assigned to the data access, which may make configuration of access or integration of the access rules more complex. SAN configuration allows for intercommunication between the devices that are being used for the SAN, and thus freedom from much of the normal network traffic in the LAN, providing faster access. However, extra effort is initially required to create adequate access controls to limit unauthorized contact with the data it is processing.
Directory Services Directory services information can be either very general in nature and publicly available or restricted in nature and subject to much tighter control. While looking at directory services in the application area, it is important to look at different types of directory service cases and what should be controlled within them. Directory services data are maintained and stored in a hierarchical structure. One type of directory service is structured much like the white pages of a telephone book and may contain general information such as e-mail addresses, names, and so forth. These servers operate under the constraints of Lightweight Directory Access Protocol (LDAP) and the X.500 standard. This type of service contains general information that is searchable. Typically, these directories are write-enabled to the administrator or the owner of the record involved and read-enabled to all other users. A second type of directory services operation includes the operation of systems like Novell’s eDirectory and Windows 2003s Active Directory. Both of these services are based on the X.500 standard, as is the conventional LDAP directory service. They are not LDAP-compliant, however, as they can interoperate with LDAP directories, but have been modified for use in their respective directory services. These types of directories usually follow the LDAP/X.500 naming convention to indicate the exact name of the objects, which include designations for common name, organization, country, and so on. This might appear as CN=Joe User, O=His Company or C=US, which would designate that the record was for Joe User, a member of his company, in the United States. It is important to impose and verify
Server OS Hardening 73
stringent control on what is allowed to be written to a records database and who can write to it, because much of the information in this directory service is used to authenticate users, processes, services, and machines for access to other resources within the networks. At the same time, administrators will want to control who can read information in specific areas of the database, because they need to restrict access to some parts of the directory information. Hardening of directory services systems requires evaluation not only of the permissions to access information, but of permissions for the objects that are contained in the database. Additionally, these systems require the use of the LDAP on the network, which also requires evaluation and configuration for secure operation. This includes setting perimeter access controls to block access to LDAP directories in the internal network, if they are not public information databases. Maintenance of security-based patches and updates from the NOS manufacturer is absolutely imperative in keeping these systems secure.
Network Access Control As seen in this chapter, hardening is an important process. Another way to harden the network is to use network access control (NAC). There are several different incarnations of NAC available. These include infrastructure-based NAC, endpoint-based NAC, and hardware-based NAC.
1. Infrastructure-based NAC requires an organization to be running the most current hardware and OSes. OS platforms such as Microsoft’s Windows Vista have the capability to participate in NAC.
2. Endpoint-based NAC requires the installation of software agents on each network client. These devices are then managed by a centralized management console.
3. Hardware-based NAC requires the installation of a network appliance. The appliance monitors devices for specific behavior and can limit connectivity should noncompliant activity be detected.
NAC offers administrators a way to verify that devices meet certain health standards before they’re allowed to connect to the network. Laptops, desktop computers, or any device that doesn’t comply with predefined requirements can be prevented from joining the network or can even be relegated to a controlled network where access is restricted until the device is brought up to the required security standards.
Databases Database servers may include servers running SQL or other databases such as Oracle. These types of databases present unique and challenging conditions when considering hardening the system. For example, in most SQL-based systems, there is both a server function and a client front end that must be considered. In most database
74 CHAPTER 2 OS Hardening
systems, access to the database information, creation of new databases, and maintenance of the databases is controlled through accounts and permissions created by the application itself. Although some databases allow the integration of access permissions for authenticated users in the OS and NOS directory services system, they still depend on locally created permissions to control most access. This makes the operation and security of these types of servers more complicated than is seen in other types. Unique challenges exist in the hardening of database servers. Most require the use of extra components on client machines and the design of forms for access to the data structure to retrieve the information from the tables constructed by the database administrator. Permissions can be extremely complex, as rules must be defined to allow individuals to query database access to some records and no access to others. This process is much like setting access permissions but at a much more granular and complex level. Forms designed for the query process must also be correctly formulated to allow access only to the appropriate data in the search process. Integrity of the data must be maintained, and the database itself must be secured on the platform on which it is running to protect against corruption. Other vulnerabilities require attention when setting up specific versions of SQL in a network. For example, Microsoft’s SQL Server 2000 and earlier versions set two default conditions that must be hardened in the enterprise environment. First, the “sa” account, which is used for security associations and communication with the SQL processes and the host machine, is installed with a blank password. Second, the server is configured using mixed mode authentication, which allows the creation of SQL-specific accounts for access that are not required to be authenticated by the Windows authentication subsystem. This can lead to serious compromise issues and allow control of the server or enterprise data. It is strongly recommended that administrators harden these two conditions, using a strong password on the sa account and using Windows authentication instead of mixed-mode authentication. Network access concerns must also be addressed when hardening the database server. SQL, for example, requires that ports be accessible via the network depending on what platform is in use. Oracle may use ports 1521, 1522, 1525, or 1529, among others. MS SQL Server uses ports 1433 and 1434 for communication. As can be seen, more consideration of network access is required when using database servers. Normal OS concerns must also be addressed. SQL Server security takes an ongoing and constant effort to try to protect databases and their content. An excellent discussion of the SQL Server security model by Vyas Kondreddi can be viewed at www.sql-server-performance.com/vk_sql_security.asp. Test Day Tip Spend a few minutes reviewing port and protocol numbers for standard services provided in the network environment. This will help when you are analyzing questions that require configuration of ACL lists and determinations of appropriate blocks to install to secure a network.
Workstation OS 75
Exam Warning The Security+ exam can ask specific questions about ports and what services they support. It’s advisable to learn common ports before attempting the exam. 21 FTP 22 Secure Shell (SSH) 23 Telnet 25 Simple Mail Transfer Protocol (SMTP) 53 DNS 80 HTTP 110 Post Office Protocol (POP) 161 Simple Network Management Protocol (SNMP) 443 SSL Memorizing these will help you with the Security+ exam.
Workstation OS Workstations can present special challenges. Depending on the users’ knowledge and capabilities, they may tinker with the steps IT takes to secure their workstation and violate company policy when it comes to best practices. As laptops become more commonplace, they present specific challenges to the organization when it comes to securing OSes. Since laptops are portable, it’s very possible they could be stolen. If you have sensitive data on your laptop, it should not be placed on laptop drives, but in some cases, this cannot be avoided. In these cases, you should at a minimum encrypt the sensitive data. There are a number of third-party applications, such as utimaco’s safeguard— available at http://go.utimaco.com.
User Rights and Groups Ideally, the minimum required rights for a person to perform their job should be given. Under older Windows OSes (XP and 2000 most notably), the user of a machine was given administrative rights or was added to the “Power Users” group to gain full functionality from the OS. However, if a user account is compromised, the entire machine could be compromised and could potentially lead to the entire domain being compromised. Under Vista and Windows 7, users no longer need to have administrative privileges to their systems to be able to be fully functional. This allows the system administrator to reduce the rights assigned to regular users and follows the principle of least access. Figure 2.15 shows the common workstation groups on a Windows XP computer. You’ll note the Users group and the Power Users group. In many cases, being in the Users group or Power Users group would be enough rights for a person to perform their tasks.
76 CHAPTER 2 OS Hardening
Figure 2.15 Common Workstation Groups on a Windows XP Computer
Test Day Tip Remember the principle of least access! In many cases, this will help you to make the correct choice
Summary of Exam Objectives This chapter looked at the broad concept of infrastructure security and specifically discussed the concepts and processes for hardening various sections of systems and networks. OS security and configuration protections were discussed as were file system permission procedures, access control requirements, and methods to protect the core systems from attack. Security+ exam objectives were studied in relation to OS hardening and in relation to hardening by visiting potential problem areas including configuration concerns, ACLs, and elimination of unnecessary protocols and services from the computer. We also looked at how these hardening steps might improve and work with the OS hardening and ways to obtain, install, and test various fixes and software updates.
Exam Objectives Fast Track General OS Hardening ■■
Harden following the principle of “least privilege” to limit access to any resource
■■
Set file access permissions as tightly as possible
■■
■■
Track, evaluate, and install the appropriate OS patches, updates, service packs, and hotfixes in your system environment Remember the principle of least access!
Exam Objectives Frequently Asked Questions 77
Server OS Hardening ■■
■■
■■
Eliminating unnecessary network protocols includes eliminating such protocols as Internetwork Packet Exchange (IPX), Sequenced Packet Exchange (SPX), AppleTalk, and/or NetBIOS Extended User Interface (NetBEUI). As you begin to evaluate the need to remove protocols and services, make sure that the items you are removing are within your area of control. Consult with your system administrator on the appropriate action to take and make sure you have prepared a plan to back out and recover if you make a mistake. While you are considering removal of nonessential protocols, it is important to look at every area of the network to determine what is actually occurring and running on the system.
Workstation OS ■■
■■
■■
Follow best practices for hardening specific application-type servers such as e-mail, FTP, and Web servers Data repositories require more consideration, planning, and control of access than other application servers Application-specific fixes, patches, and updates are used in addition to OS and NOS fixes.
Exam Objectives Frequently Asked Questions Q: How should I determine how much access a person needs to a system? A: By applying the principle of least privilege. Users should be granted the minimum level of access that will allow them to do their job effectively. Q: Should I apply patches directly to my production machines? A: As a general rule, as patches and updates become available, they should be tested as soon as possible in a nonproduction environment before applying to production. Q: What protocols and services should I enable on my server? A: You should enable only the protocols and services you are using. Do not enable services and protocols “just in case” you might need them at some future point. Enable them as they are used. Q: What exactly is operating system hardening? A: Operating system hardening consists of locking down file systems and controlling software installation and use and methods for configuring file
78 CHAPTER 2 OS Hardening
systems properly to limit access and reduce the possibility of a breach. The idea is to reduce the likelihood of someone gaining access to or harming the operating system. Q: What is Windows Group Policy? A: Windows Group Policy uses active directory to apply settings to groups of computers. In this way, it becomes easier to manage many computers (and users) by applying consistent operating system settings to the computers and/or users in a group.
Self Test
1. You have a computer and through a portscan discover that port 25 is enabled. This computer is used for file and print services only. What should you do? A. Disable SMTP B. Disable POP C. Disable IIS D. Port 25 should be enabled
2. You have a computer and through a portscan discover that port 25 and Port 80 are enabled. This computer is used for serving Web pages only. What should you do? A. Disable SMTP B. Disable POP C. Disable IIS D. Port 25 and 80 should be enabled.
3. You notice port scans on a Web server. The server processes both secure and insecure pages. What steps can you take to help secure the OS? A. Enable port 80, disable all other ports B. Enable port 443, disable all other ports C. Enable port 25, disable all other ports D. Enable port 80, 443, and 25, disable all other ports E. Enable port 80 and 443, disable all other ports
4. What port does SNMP use? A. Port 80 B. Port 25
C. Port 161 D. Port 443
Self Test 79
5. As part of the overall OS hardening process, you are disabling services on a Windows server machine. How do you decide which services to disable? A. Disable all services, and then re-enable them one by one B. Research the services required and their dependencies, then disable the unneeded services C. Leave all services enabled, since they may be required at some point in the future D. Disable all workstation services
6. You are configuring a server to be used for IIS. You have disabled all unused services. All access to the server will be through secure pages using HTTPS. What ports should you enable? A. Port 80 C. Port 161 B. Port 25 D. Port 443
7. Robby is preparing to evaluate the security on his Windows XP computer and would like to harden the OS. He is concerned as there have been reports of buffer overflows. What would you suggest he do to reduce this risk? A. Remove sample files B. Upgrade is OS C. Set appropriate permissions on files D. Install the latest patches
8. Marissa is planning to evaluate the permissions on a Windows 2003 server. When she checks the permissions, she realizes that the production server is still in its default configuration. She is worried that the file system is not secure. What would you recommend Melissa do to alleviate this problem? A. Remove the anonymous access account from the permission on the root directory B. Remove the system account permissions on the root of the C:\ drive directory C. Remove the “everyone” group from the permissions on the root directory D. Shut down the production server until it can be hardened
9. You have been asked to review the general steps used to secure an OS. You have already obtained permission to disable all unnecessary services. What should be your next step? A. Remove unnecessary user accounts and implement password guidelines B. Remove unnecessary programs C. Apply the latest patches and fixes D. Restrict permissions on files and access to the Registry
80 CHAPTER 2 OS Hardening
10. Yesterday, everything seemed to be running perfectly on the network. Today, the Windows 2003 production servers keep crashing and running erratically. The only events that have taken place are a scheduled backup, a CD/ DVD upgrade on several machines, and an unscheduled patch install. What do you think has gone wrong? A. The backup altered the archive bit on the backup systems B. The CD/DVDs are not compatible with the systems in which they were installed C. The patches were not tested before installation D. The wrong patches were installed 11. Debbie is reviewing open ports on her Web server and has noticed that port 23 is open. She has asked you what the port is and if it presents a problem. What should you tell her? A. Port 23 is no problem because it is just the Telnet client B. Port 23 is a problem because it is used by the Subseven Trojan C. Port 23 is open by default and is for system processes D. Port 23 is a concern because it is a Telnet server and is active 12. Monday morning has brought news that your company’s e-mail has been blacklisted by many Internet service providers (ISPs). Somehow your e-mail servers were used to spread spam. What most likely went wrong? A. An insecure e-mail account was hacked B. Sendmail vulnerability C. Open mail relay D. Port 25 was left open 13. Management was rather upset to find out that someone has been hosting a music file transfer site on one of your servers. Internal employees have been ruled out as it appears it was an outsider. What most likely went wrong? A. Anonymous access B. No Web access control C. No SSL D. No bandwidth controls 14. You have been given the scan below and asked to review it. Interesting ports on (18.2.1.88): (The 1263 ports scanned but not shown below are in state: filtered) Port 22/tcp
State open
Service ssh
Self Test Quick Answer Key 81
53/udp 80/tcp 110/tcp 111/tcp
open open open open
dns http pop3 sun rpc
Your coworker believes it is a Linux computer. What open port led to that assumption? A. Port 53 B. Port 80 C. Port 110 D. Port 111 15. During a routine check of a file server, you discover a hidden share someone created that contains 100 Gb of music content. You discover the share was created on a drive that everyone has full control over. What steps should you take to ensure this doesn’t happen again? A. Define an acceptable use policy B. Remove full control from the “everyone” group C. Remove full control from the offending user D. Remove the files and the directory
Self Test Quick Answer Key 1. 2. 3. 4. 5.
A A E C A
6. 7. 8. 9. 10.
D D C A C
11. 12. 13. 14. 15.
D C A D A, B, and D
This page intentionally left blank
CHAPTER
Application Security CHAPTER
3
E x a m o b j e c tiv e s in this c hapt e r Threats Are Moving “Up the Stack”��������������������������������������������������������������������������������������� 84 Application Security Threats������������������������������������������������������������������������������������������������� 88
Introduction In today’s business world, applications are utilized to automate processes and provide 24/7/365 services to customers. Outside the business world, applications are also heavily used by millions of home Internet users. Whether these applications are used for processing online merchandise orders, renewing medical subscriptions, or utilized by the government to transfer information and control your country’s national defenses, they are a critical component of most organizations. Consequently, applications that are not effectively secured can pose a grave risk to information security and allow unauthorized data access, computer misuse, or even be used to monitor the actions of an unsuspecting victim. Because of the complexity and dynamic nature of applications, they can prove to be quite challenging to secure. Organizations ranging from large financial payment processors, to law-enforcement, to major software vendors’ themselves have suffered security incidents resulting from the exploitation of application vulnerabilities. Today, application security is an essential skill for information security professionals. This chapter will provide you with a good overview of application security including: ■■
■■
■■
How to effectively identify application vulnerabilities including some of the most dangerous application vulnerabilities that are frequently targeted by hackers. Countermeasures application developers can use to correct existing vulnerabilities and prevent the occurrence of new ones. Steps that home and business application users can take to configure applications such as Web browsers and instant messaging clients in a secure manner and help to prevent the exploitation of application vulnerabilities.
83
84 CHAPTER 3 Application Security
Upon completion of this chapter, you will have the knowledge required to pass the Application Security Security+ exam objective, and effectively secure applications in your professional career and at your home.
Threats Are Moving “Up the Stack” Data must pass through multiple layers of communication when sent from one network device to another. These layers of communication were documented and released in 1984 within the Open Systems Interconnection (OSI) model. The OSI model details seven layers of communication and when viewing the model from the bottom up, each layer ultimately supports the layer above it. Figure 3.1 is an illustration of the OSI model. An example of the dependency between OSI model layers, the physical layer (Layer 1) relates to the physical connection of two devices such as connecting a computer to a switch with a network cable. This physical connection between the two devices allows the second layer of the OSI model, the data link layer to verify that the connection between the two devices is intact. When data is sent from one computer to another it starts at the application layer (Layer 7) and works its way down the stack. When the other network device receives data, the process is reversed and data begins at the physical layer and works its way up. Over recent years, there has been a large shift in the focus of computerrelated attacks moving from lower layers of the OSI model to the application layer.
Figure 3.1 The OSI Model
Threats Are Moving “Up the Stack” 85
This is due to changes in network architecture and security technologies as well as efforts by vendors of operating systems (Sun, Microsoft, etc.) to harden the underlying operating system from attack. Examples of lower level attacks include Address Resolution Protocol (ARP) spoofing attacks, which allow an attacker to intercept and modify data sent between two network devices and ultimately allow the hijacking of networking communications. ARP spoofing attacks target the data link layer of the OSI model and have been largely overshadowed today by attacks targeting buffer overflow, cross-site scripting, and other application-related vulnerabilities residing within the application layer. When an attacker launches an application-based attack against another networked system, it would be received by the victim system at the physical layer and effectively work its way “up the stack.” In this chapter, we’ll discuss some of the most dangerous attacks targeting the application layer of the OSI model, but first let’s take a closer look at the reason for this shift in hacker focus. Test Day Tip In preparation for the exam, you should understand the seven layers of the OSI model as well as the specific function within each.
Rationale In recent years, the objective of computer attacks has shifted from generating large denial-of-service (DoS) conditions such as those caused by the Blaster and Nachi worms to covert attacks involving data that is withheld, manipulated, or resold for financial benefit. The reason for this shift in focus is simple, crime pays. Attackers today are much more interested in receiving financial rewards for their crimes as opposed to gaining recognition within the digital underground. (For more information refer to www.symantec.com/business/resources/articles/article.jsp?aid=symantec_ threat_report_documents_increasingly_sophisticated_attacks.) Personal information such as health and financial data are prime targets of cyber crime. When attackers gain access to data for resale they often advertise it within black market forums referred to as an “underground economy.” Symantec, a leading antivirus and research organization, has recently released its 2008 report on the underground economy. Symantec’s findings show that in 2008 the most popular commodity advertised within the underground economy over a 12-month period was credit card numbers with an advertised price ranging between 10 cents and US$25 per number.1 Data that is resold within the underground economy typically resides within the application layer of the OSI model. Because of this it’s not surprising that research by Gartner shows that 75 percent of attacks occur within the application layer. Applications ranging from large e-commerce sites, such as ebay.com, to small applications, such as Internet Explorer (IE), installed on a local user’s computer are a critical component of any digital system and it’s imperative that there are knowledgeable information security professionals who can effectively secure them. Over the past few years, security professionals have turned to a process called threat modeling to identify and assess security risks.
86 CHAPTER 3 Application Security
Threat Modeling Threat modeling is a comprehensive process for assessing a system’s security risks. Threat modeling has been in use within large software organizations for many years; however, recently over the past few years, it has caught the eye of security professionals to address internal security challenges. Threat modeling can be applied to any information system; however, in this chapter we’ll look at how it can be used to secure applications. Threat modeling differs from other traditional forms of vulnerability assessments. A traditional vulnerability assessment performed within the corporate world involves running some sort of automated vulnerability scanning tool against an infrastructure. Scan results are generated and findings are associated with a generic risk rating that was developed by the vulnerability scanning tool vendor. Scan results at this point may be qualified and sent out to the appropriate individuals for remediation. This approach may be viewed by many as effective; however, the reality is that this type of vulnerability assessment typically detects only a small subset of vulnerabilities that actually exist within an application. The reason for this is automated scans look primarily at common forms of insecure coding practices, misconfigurations, and missing patches. However, serious risks that don’t fit into this category often go undetected. As an example, running a vulnerability scan against an application may identify vulnerabilities, such as buffer overflow vulnerability within an application, which could be exploited to gain unauthorized access to data. This is good if your only security objective is preventing an unauthorized user from gaining access to data. Taking a step back, we note that information security is more than just protecting an application against a hacker; what about an attack from within? If the attacker is an insider— let’s say a database administrator (DBA)—he or she would have little reason to exploit a buffer overflow vulnerability to gain access to data if he or she could simply walk up to a server and steal the targeted sensitive information. Viewing information security with a narrow focus often neglects other high-risk attack vectors. Threat modeling uses a systematic approach setting clear objectives and taking a holistic view of security to identify the threats and vulnerabilities that threaten defined objectives. There have been several books, articles, and case studies written about the threat modeling process. Although these publications each cover the practice of threat modeling, the various sources often have slightly different views about the phases of the threat modeling process. In this chapter, we’ll look at the threat modeling process as defined by Microsoft, an organization that has made a considerable investment in it and developed a vendor-neutral process that will prepare you for the exam. Figure 3.2 illustrates the five major phases of the threat modeling process. Details on the phases illustrated within Figure 3.2 are covered in greater detail in the following sections: Security Objective Definition: Security is a broad subject, which without clear focus can quickly become overwhelming. In this phase, the security objectives placed on the application are identified, thus helping to control the scope of the threat modeling process. For example, one might define the security objective of ensuring the confidentiality and integrity of credit card data stored, processed, or
Threats Are Moving “Up the Stack” 87
accessed by a Web application. This Web application may contain multiple components some of which are in no way involved in accessing, storing, or processing credit card data and these components should be omitted from the threat modeling process. Application Review: In this stage, the application solution and design documentation is reviewed to identify key functionality. Special attention should be placed on the application architecture and technologies in use, how the application is used, and the security mechanisms in use. An application diagram is developed based on the information gathered Figure 3.2 during the application review and used The Five Major Phases of Threat Modeling to plan further in-depth analysis within the application decomposition phase. Application Decomposition: This stage focuses on the in-depth review of application internals such as ingress and egress data flows and application trust boundaries. Trust boundaries mark areas within applications that require a change in trust, for example, a trust boundary would be placed on an administrator function seeing it cannot be accessed by a normal user account or receiving data input from an untrusted source. This section involves further application diagramming and the findings within this phase will aid in threat identification. Threat Identification: Threats to the earlier defined security objectives are identified factoring in knowledge gained during application decomposition. This is normally completed by way of brain-storming sessions where participants review prior collected information to identify possible areas of attack. To aid in threat categorization, a threat model framework such as Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege (STRIDE)2 is used. An example of a common application threat is gaining unauthorized access through a brute force attack. Vulnerability Identification: On the basis of the earlier documented threats, the application is reviewed and specific vulnerabilities are documented. In a brute force attack, the exploitable vulnerability would be weak password controls including password complexity and account lock out settings within the application. Threat modeling can be an effective process if the correct people are involved. The best threat models involve representation from many groups within an organization including security analysts, developers, business analysts, and information architects. Combined, this group will provide a comprehensive understanding of the application, associated technologies, and vulnerabilities, therefore creating a much better threat model than the one created solely by a security analyst.
88 CHAPTER 3 Application Security
Because of the large amount of time and effort required to build a threat model, they are usually reserved for securing large or complex applications such as those that are custom developed by organizations. Test Day Tip You will neither be expected to develop nor analyze a provided threat model during the exam. For preparation gain an understanding of the benefits and the five process phases.
Now that we have walked through an overview of threat models, we’ll look at some of the most dangerous application security threats that may find their way onto threat models that you are tasked with creating or reviewing.
Application Security Threats When one thinks of application security one often thinks of custom developed applications as opposed to those developed and distributed by major software vendors. However, application security involves securing both custom developed as well as Common Off The Shelf (COTS) applications. Web applications dominate the business world so it’s only fitting that we look at the insecurities of the number one client application used to interact with these Web applications, the Web browser.
Browser The primary purpose of using a Web browser is to navigate and interact with Webbased applications. On a daily basis a large number of Internet users store and process sensitive financial and health data within these Web browsers. With more than 248 million Internet users in North America alone, it’s not difficult to see why these widely deployed applications are a target for cybercrime. Browser-based security was ranked the No. 1 threat in 2007 by the SysAdmin, Audit, Network, Security Institute (SANS) in their Top 20 Security Risks report3 and again in 2008 within their Top 10 Cyber Security Menaces report.4 We won’t cover all browser-based attacks featured in these reports; however, we will take a look at an extremely serious method of attack, d rive-by-download, that was a large factor for these ratings.
Drive-by-Download Drive-by-download attacks occur when a user navigates to or is unknowingly directed to a malicious Web site and hostile content is automatically downloaded and executed on the user’s computer. This code when executed can provide a hacker full control of the visiting user’s computer and the user normally has no idea this attack has occurred. When a hacker gains access to a user’s computer, he or she can perform
Application Security Threats 89
any action, such as downloading hacking, keystroke logging, or other types of tools to run on the victim’s computer to steal data. What makes these attacks so devastating is that a user doesn’t need to formally perform any interaction and computers are actively being compromised silently in the background of standard user Web browsing. Most users have no idea at all that they have been comprised or were ever at risk. According to research by Symantec in 2008, there were more than 18 million drive-by-download attacks.5 Figure 3.3 Figure 3.3 illustrates a drive-by-download attack. Drive-by-Download Attack Drive-by-download attacks apply to many popular Web browsers including IE and Firefox. Although the same general principles apply, each of the popular Web browser programs has slightly different security features and methods to configure them. As we look at the technologies within these browsers that are exploited to launch browser-based attacks such as drive-by-download, we’ll also look how settings within IE, the most widely used Web browser in the world, can be used to prevent or minimize the impact of browserbased threats. To find information on how to secure other browsers available on the Internet, you can visit their individual Web sites and refer to the browser documentation to determine which options are available and how to properly configure them. The Web sites for other popular browsers include the following: ■■
Konqueror www.konqueror.org
■■
Mozilla Firefox www.mozilla.com/en-US/firefox/
■■
Apple Safari www.apple.com/safari
■■
Opera www.opera.com/support/tutorials/security
One of the most widely used Web technologies actively exploited by hackers to carry out drive-by-download and other forms of attack is ActiveX.
ActiveX ActiveX is a Microsoft-created technology that enables software applications to share and reuse software components. This functionality is routinely implemented within ActiveX controls, which are tiny applications that can be developed using various programming languages such as C-Sharp (C#), Visual C++, Visual Basic, and Java. ActiveX controls written in one language can actually share code with controls written in another. The use of ActiveX controls greatly enhances Web applications as they can access operating system functionality which is not readily available via
90 CHAPTER 3 Application Security
Hypertext Markup Language (HTML) or the Web browser. An example of this is a Web application that reuses the spell-check functionality of the operating system within a Web page displayed to the user. Reusing ActiveX features is widely performed on the Internet and even several Microsoft applications including IE use ActiveX controls to load other applications within the Web browser. Depending on the configuration of a user’s browser, it’s possible for downloaded ActiveX controls to have no restrictions when executing on a local computer including accessing and manipulating files within the local file system or the system registry. Microsoft Windows Operating Systems are shipped with several ActiveX controls; however, in addition to these default controls many organizations write and compile their own ActiveX controls. Many vulnerabilities have been and continue to be discovered in both Microsoft-issued and third-party ActiveX controls, which make them a prime concern for security professionals. One such example is Microsoft Security bulletin MS08-041,6 which details an ActiveX vulnerability that was discovered within a Microsoft-developed ActiveX control. This vulnerability when executed could grant an attacker full control over victim users’ computers. These types of vulnerabilities aside from being used by drive-by-download attacks are being exploited and can be used by hackers to compromise computers, monitor user actions, and steal data both sent and received from victim computers. In response to vulnerabilities within ActiveX controls, Microsoft introduced Authenticode to help ensure the integrity and nonrepudiation of ActiveX controls.
Developing Secure ActiveX Controls Authenticode is a method of code signing that allows developers to obtain a digital certificate generated by a certificate authority (CA) and digitally sign an ActiveX control. This process helps Web users to identify the true issuer of a control and verify that the control has not been modified since it was developed. Although implementing Authenticode on an ActiveX control does not certify that it contains no security vulnerabilities, it is often regarded within the industry as safer than a nonsigned control. Additional security features were introduced within Web browsers to support Authenticode, allowing users to configure security policies that grant controls with Authenticode greater access without user interaction for an improved user experience then those that were not signed when executing within the browser. One of the most common vulnerabilities with ActiveX controls has to do with the programmer’s perception of the capabilities of the control. Programmers are usually driven to write efficient ActiveX controls that are also user-friendly. User-friendly controls often avoid any unnecessary pop-up messages that can cloud the user interface. There is a conflict of interest associated with ActiveX control security as the same programmer who is motivated to write user-friendly controls also has the ability to mark it as “safe-for-scripting,” meaning that it bypasses the code checking process and is not checked for an Authenticode signature. The end result is that the control may contain serious security vulnerabilities but can be run without the user being aware of a problem. As you can see, this is a double-edged sword. If it is not
Application Security Threats 91
marked “safe,” users will be inundated with warnings and messages on the potential risk of using a control that is not signed or not marked as safe. Depending on the security settings in the browser, they may not be allowed to run it at all. However, after it is marked as safe, other applications and controls have the ability to execute the control without requesting the user’s approval. You can see how this situation could be dangerous. A good example of the potential effects of ActiveX is the infamous Windows Exploder control. This was a neat little ActiveX control written by Fred McLain (www.halcyon.com/mclain/ActiveX) that demonstrates what he calls “dangerous” technology. His control only performs a clean shutdown and power-off of the affected Windows system. This might not seem so bad, but it was written that way to get the point across that the control could be used to perform much more destructive acts. Programmers have to be careful with ActiveX controls and be sure that they know everything their control is capable of before releasing it. Ultimately, developers have the decision on marking their controls as safe or using Authenticode. Regardless of what that decision is in the default configuration of most Web browsers, ActiveX controls will still ultimately function as designed with the proper user interaction. Developers can use the following recommendations to help minimize the number of vulnerabilities that exist within developed ActiveX controls. ■■
■■
Follow secure coding practices Adhering to secure coding processes will minimize the number of vulnerabilities identified within ActiveX controls. Secure coding practices including data validation (which we’ll cover later in this chapter) can be obtained from the Microsoft Development Network (MSDN).7 Use Authenticode Sign controls with a certificate issued from a trusted CA to ensure ActiveX controls are not tampered with after they are developed.
Following the above recommendations will help to improve the security of ActiveX controls. Even taking these into consideration, people are human and regardless of secure coding practices or Authenticode, vulnerabilities are inevitably discovered and exploited. With this in mind, let’s look at how users can secure the executing of these potential malicious ActiveX controls within their browsers.
Securing the Execution of ActiveX Controls within the Web Browser Numerous vulnerabilities have been identified with both vendor-shipped and thirdparty-developed ActiveX controls. Typically, these ActiveX controls are downloaded when a user visits a Web site and executes the control within the user’s browser. Even security companies are not immune to developing and shipping vulnerable ActiveX controls within their products. One such example is Symantec corporation which in 2008 disclosed that there was a buffer overflow present within an ActiveX control shipped with several of their products including Norton Internet Security 2008,8 a product that normally provides protection against these type of attacks. Successful exploitation of this vulnerability could result in arbitrary code execution. Earlier in this chapter, we looked at drive-by-download attacks. These attacks were carried against technologies such as ActiveX that automatically download and execute
92 CHAPTER 3 Application Security
without user interaction. Prior to 2006, ActiveX controls could have been loaded in a user’s Web browser without them knowing about it. However, IE6.0 on Windows XP SP2 or Windows Server 2003 SP1 implemented controls requiring users to click on ActiveX controls before they are downloaded. Users may, however, simply click the prompt to allow the ActiveX control to execute and thereby permit the attack to complete. The amount of control provided to the user on the actions that are occurring in the background with the Web site they are visiting is controlled through zones in IE. A zone is a named collection of Web sites (from the Internet or a local intranet) that can be assigned a specific security level. IE uses zones to define the threat level a specific Web site poses to the system. IE offers four security zone options: ■■ ■■
■■
■■
Internet It contains all sites not assigned to other zones. Local Intranet It contains all sites within the local intranet or on the local system. The OS maintains this zone automatically. Trusted Sites It contains only sites manually added to this zone. Users should add only fully trusted sites to this zone. Restricted Sites It contains only sites manually added to this zone. Users should add any sites that are specifically not trusted or that are known to be malicious to this zone.
Each zone is assigned a predefined security level or a custom level can be created. The predefined security levels are offered on a slide controller with up to five settings with a description of the content that will be downloaded under particular conditions. The possible settings are: ■■
■■
■■
■■
■■
Low This provides the least security and allows all active content to run, and most other content to be downloaded and run without prompts. With this setting, there is minimal security for users, so it should only be used with sites that are explicitly trusted. Medium-Low This is the default setting for the local intranet zone and provides the same security as the medium level except that users aren’t prompted. Medium This is the default level for trusted sites and the lowest setting available for the Internet zone. Unsigned ActiveX content isn’t downloaded, and the user is prompted before downloading potentially unsafe content. Medium-High This is the default setting for the Internet zone, as it is suitable for most Web sites. Unsigned ActiveX content isn’t downloaded, and the user is prompted before downloading potentially unsafe content. High This is not only the default level for restricted sites but also is the only level available for that zone. It is the most restrictive setting and has a minimum number of security features enabled.
Zones are defined on the Tools | Internet Options | Security tab as seen within Figure 3.4.
Application Security Threats 93
Figure 3.4 Internet Explorer Security Zone Administration Tab
Custom security levels can be defined to fit the specific security restrictions of an environment. Within a custom security level there are numerous individual security controls related to how ActiveX, downloads, Java, data management, data handling, scripting, and logon are handled. The most secure configuration is to set all zones to the high security level. However, keep in mind that increased security means less functionality and capability. When vulnerabilities are exploited within ActiveX controls they primarily place the user’s local computer at grave risk. To help minimize this risk, there are some steps users can take to safeguard their machines against ActiveX exploitation. ■■
Ensure your computer is up-to-date with security patches Because of the sheer number of ActiveX controls published on the Internet and the frequency that vulnerabilities are found within these controls, it’s imperative that
94 CHAPTER 3 Application Security
c omputers run the latest security patches which will update known vulnerabilities within these ActiveX controls and related components. To obtain the latest patches for Microsoft developed ActiveX controls and related components, you can visit http://windowsupdate.microsoft.com. Because ActiveX controls are developed by numerous third parties, you will also need to make sure that other installed controls possibly from other installed applications or which have been downloaded from Web sites are updated with the latest patches. To obtain a listing of downloaded ActiveX controls within IE7 or IE8 you can click on the Tools | Manage Add-ons | Enable or Disable Add-ons menu item. In doing so, you will see a dialog box similar to that shown in Figure 3.5,
Figure 3.5 Manage Add-ons Dialog Box in IE7
Application Security Threats 95
which lists the ActiveX controls loaded and used by IE, downloaded from the Internet, and ones that can run without permission. ■■
■■
Don’t click on suspicious links or navigate to Web sites you are not familiar with User vigilance is an important element of ActiveX security. Avoiding sites and links you are not familiar with can be an effective way to avoid the execution of malicious code. Utilize browser-based security zones Granular ActiveX restrictions should be implemented using zones. Focus should be placed not only on unsigned controls but also on making you aware of what is happening in the background while you are connected to a Web site.
Exam Warning ActiveX-related vulnerabilities will be covered in the exam. In preparation, you should ensure that you are familiar with IE security zones, default permissions, and how to add or remove sites from zones.
Damage and Defense Many security professionals have had significant struggles with securing ActiveX. Some, including the US Computer Emergency Response Team (US-CERT), are now formally recommending that it be disabled altogether.9
Exercise 1 Configuring Security Zones Properly setting security zones can dramatically reduce the potential vulnerability to ActiveX controls. There are five security zones: ■■
Local intranet zone
■■
Trusted sites zone
■■
Restricted sites zone
■■
Internet zone
■■
My computer zone
The last zone, My Computer, is only available through the Internet Explorer dministration Kit (IEAK) as opposed to the browser interface. The IEAK is a A Microsoft-developed application that can be used to define and dynamically manage ActiveX controls. The IEAK can be downloaded from Microsoft’s Web site.
96 CHAPTER 3 Application Security
If you do not have access to the IEAK, you can also access the security zone settings through the [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones] Registry key. The appropriate settings for this key are shown in Table 3.1. Complete the following steps to modify the security zone settings through IE7: 1.
From the Tools menu, select Internet Options. The Internet Options dialog box appears (Figure 3.6).
2.
Select the Security tab.The Security Options panel appears (Figure 3.7).
Table 3.1 Security Zone Settings in IE, Outlook, and Outlook Express Registry Key Setting
Security Zone
0
My computer zone
1
Local intranet zone
2
Trusted sites zone
3
Internet zone
4
Restricted sites zone
Figure 3.6
Figure 3.7
The Internet Options Dialog Box
The Security Tab of the Internet Options Dialog Box
Application Security Threats 97
Figure 3.9 Viewing a Warning about Zone Settings
Figure 3.8 Security Settings Panel
3.
Select the zone you wish to change. For most users, this is the Internet zone, but depending on your circumstances, you may need to repeat these steps for the Local Intranet zone as well.
4.
Click the Custom Level button. The Security Settings panel appears (Figure 3.8).
5.
Change one or more of the following settings for your desired level of security: ■■ Set Run ActiveX controls and plug-ins to administrator approved, disable, or prompt. ■■ Set Script ActiveX controls marked safe for scripting to disable or prompt.
6.
Click OK to accept these changes. A dialog box appears asking if you are sure you want to make these changes (Figure 3.9).
7.
Click Yes.
8.
Click OK to close the Internet Options dialog box and save your settings.
End users should exercise extreme caution when prompted to download or run an ActiveX control. They should also make sure that they disable ActiveX controls and other scripting languages in their e-mail applications, which is a measure that is often overlooked. A lot of people think that if they do not use a Microsoft e-mail application, they are safe. But if an e-mail client is capable of displaying HTML pages (for example, Eudora), chances are that they are just as vulnerable as using Outlook Express. Developers have the most important responsibility. They control the first line of defense against ActiveX vulnerability. They must stay current on the tools available
98 CHAPTER 3 Application Security
to assist in securing the software. They must always consider the risks involved in writing mobile code and follow good software engineering practices and be extra careful to avoid common coding problems and easily exploited coding mistakes. But most importantly, they must use good judgment and common sense and perform repeated tests before releasing the code to the public. Remember, after signing it and releasing it, it is fair game. Note Hackers can usually create some creative way to trick a user into clicking on a seemingly safe link or opening e-mail with a title like, “In response to your comments.” Once a Web page is loaded in the browser, or an e-mail is opened or previewed in the e-mail software, scripts, components, and applets in the HTML document can be downloaded, loaded into memory, and run. If the code is malicious, and designed to exploit vulnerability, any number of issues (including running remote code) may occur. It is important to be wary of e-mail from unknown users or Web pages that seem to be legitimate. It is even more important to have the latest service packs and patches installed to resolve vulnerability issues and to make sure that security software on the computer (including antivirus software) is up-to-date.
Head of the Class One of the most important aspects of using a browser securely is to practice safe surfing habits. Common sense should determine what users do, both online and offline. Visiting Web sites of questionable design is the virtual equivalent of putting yourself in harm’s way in a dark alley, but Internet users do it all the time. Here are some guidelines that should be followed to ensure safe surfing: ■■ ■■
■■ ■■
■■
Download software only from original vendor Web sites. Always attempt to verify the origin or ownership of a Web site before downloading materials from it. Never assume anything presented online is 100 percent accurate. Avoid visiting suspect Web sites—especially those that offer cracking tools, pirated programs, or pornography—from a system that needs to remain secure. Always reject certificates or other dialog box prompts by clicking No, Cancel, or Close when prompted by Web sites or vendors with which you are unfamiliar.
To help address ActiveX security concerns, Microsoft, within IE7 and IE8, secured several of the default ActiveX controls and disabled many others that were deemed high risk. This security feature was called ActiveX-option and more information can be obtained at http://msdn.microsoft.com/en-us/library/bb250471.aspx. Windows
Application Security Threats 99
IE8 provides further security by restricting ActiveX controls to specific user profiles as opposed to Web sites. Another popular browser add-in is Java. Java is considered by many to be similar to ActiveX; however, there are some core differences which according to many make it more secure when compared to ActiveX. Exam Warning For the Security+ exam, you will not be expected to know how to set specific settings on your Web browser, but you will be expected to know what will be exploited if you do not set such settings.
Java Java is a programming language, developed by Sun Microsystems, which is used to make small applications (applets) for the Internet as well as stand-alone programs. Similar to ActiveX, the purpose of Java applets is to reuse the code existing on the local machines of visiting Web site users. In some cases, this bypasses programming limitations associated with HTML and allows developers to create feature-rich applications. Applets are embedded into the Web page and are run when the user’s browser loads it into memory. Many operating systems, including Windows, Unix, and Mac OS X, use embedded interpreters to recognize and interpret Java bytecode within the applets. Arguably, the interpreter of choice is the Java Runtime Environment (JRE) developed by Sun. A core component of the JRE is the Java Virtual Machine (JVM), which is a collection of programs that execute applications and scripts. The JVM supports a computer intermediate language referred to as Java bytecode. Each operating system has a JVM that serves as an abstraction layer between the operating system and the executing Java bytecode, which allows for a Java applet to be written once and run on many different operating systems. In addition to providing an abstraction layer, the JVM also incorporates security features such as the bytecode verifier, which verifies the code for a list of predetermined insecurities and sandboxing that isolates executing code in a reserved area of memory to limit the damage potentially malicious code could inflict on the user’s machine. We will look at these two security features a little later after we look at how developers can secure their Java applets.
Notes from the Field Java Vulnerabilities Despite integrated security features such as the bytecode verifier and code isolation, Java is not immune to vulnerabilities that place end users at risk. An example of this is documented within US Cert Technical Cyber Security Alert TA08-340A.10 This alert contains 13 vulnerabilities discovered within JRE with the worst carrying a payload of remote code execution.
100 CHAPTER 3 Application Security
Developing Secure Java Applets Developers who write Java applets can help secure their code by implementing code signing. Code signing, as we reviewed earlier in this chapter, involves digitally signing an object which proves to users that it was issued by the advertised individual or organization and that the code has not been tampered with since development. Similar to ActiveX, a signed Java applet does not guarantee that it is clear of the security vulnerabilities that can place users at risks. The JVM uses sandboxing to restrict the damage a Java applet can inflict on a user’s computer; however, when a control is digitally signed, it is allowed to leave the sandbox and obtain access to client resources that can result in a security issue. The level of access signed Java applets will have on a user’s computer is dictated by the security policies set on the local client. Similar to ActiveX, the two practices a developer can implement to raise the level of security within their Java applets are as follows: ■■
■■
Follow secure coding practices Adhering to secure coding practices will minimize the number of vulnerabilities within Java applets. Guidelines on developing secure controls can be obtained from Sun’s Web site.11 Sign Java applets Signing Java applets with a certificate issued from a trusted CA will ensure that the applets are not tampered with after it is published on the Internet.
Let’s now look at the steps a user can take to further secure the execution of potentially malicious Java applets.
Securing the Execution of Java Applets A key security component within the JVM is a built-in Security Manager, which controls the level of restrictions placed on executing Java bytecode. This includes what code must run within a sandbox. We talked about the security added by sandbox functionality, which is great for security; however, developers complained the restrictions affected the capabilities and usefulness of the technology. Therefore, there was a workaround introduced and digitally signed Java applets (similar to Authenticode within ActiveX) were then allowed to escape the sandbox for a greater level of access to client system resources. These restrictions are controlled by the user through security policies. Security policies are similar to zones in IE as we reviewed earlier. To secure the execution of Java applets on local clients, the following recommendations can be followed: ■■
Ensure systems are regularly patched Java applets like other browserbased technologies are developed by numerous third-party organizations and you will need to be vigilant in ensuring the latest security patches have been applied to correct vulnerabilities. To obtain patches related to the JRE- and Sun-developed applets, you can view Sun’s online database of bugs at www. bugs.sun.com. For Java applets developed by third parties you will need to ensure that the updates are received from the issuing vendor.
Application Security Threats 101
■■
■■
Use Java security policies Local security policies can be used to restrict the level of privileges downloaded Java applets (including signed applets) have on your local computer. Don’t click on suspicious links or navigate to Web sites you are not familiar with User vigilance is an important element of Java security. Avoiding sites and links that you are not familiar with can be an effective way to avoid the execution of malicious code.
Test Day Tip Both Authenticode and signed applets are methods of object signing ActiveX and Java applets. This code signing allows granular security policies to be placed on ActiveX and Java code.
Exam Warning Remember that an applet is a program that has the capability of performing malicious activities on your system. The known security vulnerabilities in Java and ActiveX can be fixed by downloading security-based hot fixes from the browser creators’ Web site.
Scripting Another popular development technology widely in use on the Internet and corporate intranets is scripting. Contrary to ActiveX and Java applets which were developed in actual programming languages, lightweight scripting was released by Microsoft and Netscape to allow people with no formal programming experience to develop flexible Web pages. However, similar to ActiveX and Java applets, these scripts could be exploited resulting in many attacks including the drive-by-download which we discussed earlier. The Internet today is dominated by a handful of scripting languages, such as JavaScript, Active Scripting, VBScript, and Jscript.
JavaScript In 1995, Netscape launched a new language, Javascript (not to be confused with Java), to perform client-side Web development and to reuse functionality within other Web objects. Javascript was designed to look like Java but it is a much simpler language to grasp, making it a favorite for people without much Java-specific programming experience. Unfortunately, in addition to looking like Java, JavaScript carried the same type of vulnerabilities as its big brother Java. JavaScript scripts carried additional restrictions over and above what was placed on Java. JavaScripts are downloaded and run inside a sandbox that prevents execution of privileged tasks, such as reading and writing files on the local computer or accessing additional information.
102 CHAPTER 3 Application Security
Notes from the Field Java Script Vulnerabilities Despite these restrictions, JavaScript contains similar vulnerabilities to that of Java including vulnerabilities within applets written by countless software vendors. An example vulnerability is detailed in US-CERT Vulnerability Note VU#788019.12 In this advisory, a vulnerability in a piece of JavaScript code written by Adobe Systems could be exploited granting an attacker the ability to execute remote code on vulnerable systems.
Active Scripting Active Scripting is a Microsoft-developed scripting language similar to ActiveX that enables software components to share information and interact with each other. It’s used commonly today to support animation and dynamic content within Web pages and/or e-mail clients. Microsoft released active scripting in 1996 within their IE3.0 Web browser under the name of ActiveX scripting. This name formally changed a little later to Active Scripting which is widely used today. Test Day Tip You will not be expected to understand how to program or review code snippets in the exam. You should focus your studying on understanding the common browser-based programming and scripting languages, vulnerabilities, and countermeasures.
VBScript and Jscript VBScript is a scripting language developed by Microsoft to compete with Netscape’s JavaScript. It was regarded by many as even easier to use than Java, which, at the time, was regarded by many as the easiest language to use for development. However, after seeing the widespread adoption and success Netscape achieved with JavaScript, Microsoft developed Jscript in 1996 as a comparable language for Microsoft systems. VBScript and Jscript scripts are tiny pieces of code that are similar to active scripting and allow developers to extend and reuse Web functionality. When a user connects to a Web server the scripts are downloaded and executed on the user’s machine depending on the security zone the site resides within on recent editions of the IE.
Vulnerabilities with JavaScript, Active Scripting, VBScript, and Jscript JavaScript, Active Scripting, VBScript, and Jscript all suffer from similar vulnerabilities as do ActiveX and Java applets, poorly written code can be exploited by attackers, as can the scripting engine which processes the downloaded scripts. An example of a vulnerability affecting the VBScript and Jscript engines is MS08-022.13 This vulnerability occurs when the scripting engine processes malicious code making it possible for an attacker to obtain full control over the vulnerable system. Looking back at our drive-by-download example, we note that if malicious VBScript was placed on a site,
Application Security Threats 103
when a user visited that site the default configuration of IE would have downloaded that script and executed it, thereby granting full control of the vulnerable system to the attacker at the same privilege level as the user. Depending on the user’s browser settings, all of this could occur without prompting the user.
Securing the Execution of Client-Side Scripts To secure browsers against active scripting vulnerabilities, you can follow similar recommendations to those we looked at to secure ActiveX and Java:
1. Ensure application updates are downloaded regularly There have been numerous vulnerabilities identified within scripts that are routinely fixed by vendors, and program updates should be downloaded to ensure the latest script updates are received.
2. Use browser security zones Browser controls such as security zones should be used to restrict the level of privileges granted to executing client-side scripts.
3. Don’t click on suspicious links or navigate to Web sites you are not familiar with User vigilance is an important element of Java security.Avoiding sites and links that you are not familiar with can be an effective way to avoid the execution of malicious code. Exam Warning Remember that the exploitation of browser-based vulnerabilities within ctiveX, Java, and scripting only directly impacts the client computers. However, it is possible A for a compromise of credentials stored or typed into a client computer to result in unauthorized access to the very Web application that issued the vulnerable code.
As we conclude our review of browser-based code and scripting vulnerabilities, it is important to look at some security risks associated with cookies that are heavily utilized by these programming and scripting languages.
Cookies Cookies are small text files downloaded and locally stored by a user’s browser. Cookies typically contain information about the user’s session and preferences. Occasionally, Web sites also store authentication-related information such as usernames and passwords. Each time the user visits the Web site, the cookie is retrieved by the site’s Web application and data from the cookie is processed. Storing this information within client-side cookies prevents Web sites from having to store and maintain information about all user sessions and preferences. There are three main cookie types: session, persistent, and tracking.
Session Cookies Session cookies are used by Web applications to store information and when a user closes their Web browser session the cookie is deleted. Session cookies can often
104 CHAPTER 3 Application Security
contain authentication-related information about the user’s session such as display preferences and in some cases session identifiers or user names and passwords.
Persistent Cookies Persistent cookies are also used by Web applications to store information about the user connection. Persistent cookies are typically used to store user preferences about a Web site that is nonsensitive; therefore, there is less of a concern with it persistently stored on a user’s hard drive. These cookies however are not deleted when the user closes their Web browser (session). Instead, the cookies have a timeout value set by the application and the cookies are downloaded by a user’s Web browser and stored up until expiation of the timeout value.
Tracking Cookies When a user connects to certain Web sites, a tracking cookie may be downloaded in the background. As their name suggests these cookies are used to record user’s Web activity such as the type and specific sites they visit. Many sites may use the same form of tracking cookie. If the same tracking cookie is used by multiple sites, these sites can all read and write to the contents of it. Access to cookies will differ depending on the type of Web browser in use. In IE, cookies can be accessed by navigating to Tools | Internet Options | Settings | View Files. For simplicity you can arrange the files by type and look for text documents. Cookies are normally prefixed with the name cookie. An example of the cookie store of an IE7 browser is shown in Figure 3.10. By double-clicking on a cookie it can be viewed within notepad. An example of cookie contents stored by the blogs.msdn.com site is shown in Figure 3.11.
Cookie Vulnerabilities Applications use cookies as files to store data for processing. Anytime when there are data inputs into an application there are potential security risks; cookies are no
Figure 3.10 Screenshot of Cookies within IE7 Browser
Figure 3.11 Screenshot of a Cookie’s Contents
Application Security Threats 105
different. Cookies, small and seamless, present a large security concern and are the target of many types of attacks. We’ll now discuss some common cookie vulnerabilities and learn how to prevent them from exploitation.
Cookie Hijacking Cookies containing sensitive information such as usernames, passwords, or session identifiers can be a target for hackers. Attackers can sniff network traffic and capture a cookie downloaded from a site to a Web browser or gain access to a computer and view a cookie stored on the local hard drive. By capturing cookies, it’s possible for an attacker to initiate another session to the same Web site and submit your cookie to bypass site authentication and perform actions within your account without your knowledge.
Notes from the Field A common countermeasure to cookie hijacking attacks is to send cookies over encrypted channels. This prevents cookies from being intercepted and replayed or disclosed. However, a recent tool named Cookie Monster showed how easy it really is to hijack cookies even sent over encrypted channels. Cookie Monster is an advanced cookie hijacking tool that was debuted in 2008 at DefCon 16, a popular hacking security conference. There, a demonstration of how Cookie Monster will monitor network traffic and filter for Hypertext Transfer Protocols (HTTPs) connections was provided. Cookie Monster stores information about the connection that it will later use to replay to the Web site the next time the user uses the Internet to trick the Web site into sending the authentication cookie over HTTP, a nonencrypted channel. Cookies are harvested and can be used by an attacker to masquerade as a legitimate user and gain unauthorized access to many popular Web sites. Additional information can be found on the http://defcon.org Web site.
Cookie Poisoning Some cookies used by popular Web sites store authentication data such as session identifiers, user names, and passwords using cookies stored on users’ computers. Cookie poisoning involves the modification of the data stored within a cookie. When the cookie containing the modified contents is used by the application, the values entered by the attacker are processed by the application which may allow an attacker to gain access to sensitive information about the Web site, a user, or even impersonate the user’s session. Example: A user uses an online banking application and makes a payment to an account number stored within a cookie. By tampering with the cookie and changing the account number to your own, the payment made by the user during the session would be made to the account of the hacker as opposed to the user’s account as intended.
106 CHAPTER 3 Application Security
Cookie Leaking Cookie leaking occurs when sensitive information such as user names and passwords and account numbers are stored within cookies and then the information is obtained by unauthorized users. In some cases browsing habits recorded by session cookies may also be considered sensitive. By gaining access to this information via cookies, unauthorized users may use this knowledge to launch other attacks.
Preventing Against Cookie Attacks The following steps can be used to prevent or minimize the impact of cookie-related attacks for Web developers: ■■
■■
■■
■■
Enable the secure-bit setting on cookies, which will prevent the application from transmitting cookies over unencrypted channels such as HTTP. Always initiate SSL connections to supported sites to help prevent the network interception of cookies. Web site developers should avoid using cookies to hold sensitive information. If absolutely necessary, the data values should be encrypted. The following steps can be used to prevent or minimize the impact of cookierelated attacks for users: Block third-party cookies. Third-party cookies are any cookie that does not originate from the domain you are visiting. Third-party cookies typically scan newly created cookies on your system and based on key words will generate targeted popup advertisements. To help combat this, IE7 introduced Advanced Privacy Settings that allow a user to specify the level of interaction they would like with cookie activity occurring on their system. To configure Advanced Privacy Settings within IE7, open Internet Options | Privacy and click the Advanced button, which will load the Advanced Privacy Settings window seen in Figure 3.12.
Exam Warning Cookie security is often thought of as something the Web developer is responsible for. However, integrated features within popular browsers such as IE can be used to implement security restrictions on cookie usage on the client.
As we discussed earlier in this chapter, sensitive information stored and processed by applications is big business in the underground economy. Cyber criminals will use multiple methods to gain unauthorized access to this information. Two common attacks used by hackers to gain unauthorized access to information are through the exploitation of cross-site scripting and buffer overflow vulnerabilities.
Application Security Threats 107
Figure 3.12 Advanced Privacy Settings within IE7
Cross-Site Scripting (XSS) XSS attacks occur when one user injects malicious code into a Web site where it is downloaded and executed by another user. These attacks are performed without an attacker needing to modify Web site files or binaries. Injected data is stored within a Web application (temporarily within a variable or permanently in a file or other object on the server) and executed on the computers of unsuspecting victims. The typical method used to load and execute malicious code stored in a vulnerable Web site is in the form of client-side scripts. XSS attacks generally fall into one of two categories, Reflected and Stored.
Reflected XSS Attacks Reflected XSS attacks involve an attacker reflecting (echoing) code of a Web application to another user where it is downloaded and executes actions crafted by the hacker. Reflected XSS attacks typically affect a single or small group of users and require user input. Therefore, hackers usually combine reflected XSS attacks with another attack such as social engineering to trick a victim into navigating to the site where the malicious code is echoed and executed by the user’s Web browser. An example of a nonpersistent attack is as follows:
1. A malicious Web site user identifies a XSS vulnerability within a Web application.
2. The malicious user crafts a hyperlink inclusive of malicious code and sends it to a victim enticing them to click on the hyperlink.
108 CHAPTER 3 Application Security
3. When the victim clicks on the hyperlink, the Web page within the hyperlink is loaded and the malicious code developed by the hacker is input into a variable within a Web page that is downloaded by the victim and executed on their local machine.
In this example, once the code has finished executing that is the end of the attack. If the attacker would like to launch another attack against the victim they would need to craft another malicious hyperlink and entice the victim to open it as well.
Stored XSS Attacks Stored XSS attacks occur when the data supplied by a user is stored on the server by the Web application. This may be in the registry, file system, or database. This data is later retrieved by the Web application and downloaded by the Web site visitor and executed on their local machine. An example of this type of attack is as follows:
4. A malicious Web site user identifies a XSS vulnerability within the bulletin board feature of a Web application.
5. The hacker crafts a message inclusive of malicious code that is uploaded through the bulletin board application and stored within the bulletin board’s database.
6. When any user views the bulletin board message, the Web application retrieves the message’s text (and malicious code) from the database and it is then downloaded and executed automatically by the victims’ Web browser without their knowledge.
In this example, the attack is stored; therefore, every user who visits the site and views the message page will have the malicious code executed on their machines even if the user reboots his or her machine in between visits.
Preventing XSS Attacks The following recommendations can be used to help prevent XSS attacks ■■
■■
■■ ■■
Ensure all application data input is properly validated Data input can come in many forms including form fields, HTTP headers, cookies, and application variables. Regardless of where it is stored all the data should be properly validated before application processing. Encode user supplied data Encoding is the process of converting data from one format to another. Encoding data input will not prevent the reflection of malicious code but rather will change malicious code into a format that is nonexecutable to block the attack. Don’t click on unknown or malicious hyperlinks Implement restrictive security zones As we discussed earlier, security zones will help to limit the impact of hostile code executing on your local machine.
Application Security Threats 109
The second common attack of choice used by attackers is the buffer overflow attack. These attacks are extremely dangerous and often don’t require any user interaction to exploit, making them a preference by hackers and virus writers.
Buffer Overflows A buffer is a holding area for data. To speed processing, many software programs use a memory buffer to store changes to data, then the information in the buffer is copied to the disk. When more information is put into the buffer than it is able to handle, a buffer overflow occurs. Overflows can be caused deliberately by hackers and then exploited to run malicious code. There are two types of overflows: stack and heap. The stack and the heap are two areas of the memory structure that are allocated when a program is run. Function calls are stored in the stack, and dynamically allocated variables are stored in the heap. A particular amount of memory is allocated to the buffer. Static variable storage (variables defined within a function) is referred to as stack, because they are actually stored on the stack in memory. Heap data is the memory that is dynamically allocated at runtime, such as by C’s malloc() function. This data is not actually stored on the stack, but somewhere amidst a giant “heap” of temporary, disposable memory used specifically for this purpose. Actually exploiting a heap buffer overflow is a lot more involved, because there are no convenient frame pointers (as are on the stack) to overwrite. Attackers can use buffer overflows in the heap to overwrite a password, a filename, or other data. If the filename is overwritten, a different file will be opened. If this is an executable file, code will be run that was not intended to be run. On UNIX systems, the substituted program code is usually the command interpreter, which allows the attacker to execute commands with the privileges of the process’s owner. This risk further increases if the exploited process was configured with the Set-User ID (SUID) option. Within UNIX, processes can be configured to run as root regardless of the level of permissions the user who is executing it has. Exploitation of buffer overflow vulnerability within a SUID program can grant an attacker the ability to execute malicious code as root on the victim system. On Windows systems, the overflow code could be sent using an HTTP request to download malicious code of the attacker’s choice. In either case, under the right circumstances, the result could be devastating. Buffer overflows are based on the way the C or C++ programming languages work. Many function calls do not check to ensure that the buffer will be big enough to hold the data copied to it. Programmers can use calls that do this check to prevent overflows, but many do not. Creating a buffer overflow attack requires that the hacker understand assembly language as well as technical details about the OS to be able to write the replacement code to the stack. However, the code for these attacks is often published so that others, who have less technical knowledge, can use it. Some types of firewalls, called stateful inspection firewalls, allow buffer overflow attacks through, whereas application gateways (if properly configured) can filter out most overflow attacks.
110 CHAPTER 3 Application Security
Buffer overflows constitute one of the top flaws for exploitation on the Internet today. A buffer overflow occurs when a particular operation/function writes more data into a variable (which is actually just a place in memory) than the variable was designed to hold. The result is that the data starts overwriting other memory locations without the computer knowing those locations have been tampered with. To make matters worse, most hardware architectures (such as Intel and Sparc) use the stack (a place in memory for variable storage) to store function return addresses. Thus, the problem is that a buffer overflow will overwrite these return addresses, and the computer—not knowing any better—will still attempt to use them. If the attacker is skilled enough to precisely control what values are used to overwrite the return pointers, the attacker can control the computer’s next operation(s). Now that we’ve looked at the seriousness of a buffer overflow attack let’s look at a common fix, input validation. Proper input validation is the number one safeguard that can be implemented within applications and will not only prevent buffer overflow vulnerabilities but also multiple other types of attacks including XSS which we previously discussed.
Input Validation For over a decade now, application security best practices have stated that input validation is a core requirement for building a secure application. Despite this awareness as reported by the Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Programming Errors report,14 in 2008, lack of or improper use of input validation accounted for the largest source of vulnerabilities identified within applications. Any time information received from a user should be treated as untrusted and validated by a trusted application component prior to processing, regardless of whether or not the user providing the input has been successfully authenticated. To satisfy this requirement, many developers validate user input using server side code. Otherwise the user may intentionally or unintentionally provide malicious input to an application that can exploit a vulnerability. An example of this is if an application is expecting to receive a numeric value from a Web user and the user enters an alphanumeric string; if no trusted input validation is in place to detect this condition and prevent processing by the application, it may result in an error during processing and associated DoS condition, or even worse, the possibility of remote code execution.
Damage and Defense Client-side Input validation In 2003, I was experimenting with Visual Studio.Net 2003, which provided seemingly excellent data input/validation controls integrated into Web page objects such as text boxes and drop down lists. These controls worked well in IE; however, to my amazement, loading the Web page within a Netscape browser generated several script errors and resulted in some of
Application Security Threats 111
the contents of the page being incorrectly displayed. The integrated data validation controls did not function under this condition; however, the browser was still able to submit invalidated data using the Web page controls back to the server side C# application. This was a large security concern and just one example of how relying solely on client-based input validation controls can be bypassed without malicious intent.
Input validation is a single programming practice which if implemented properly can result in code that is immune from many types of attacks including the following: ■■
Cross-site scripting
■■
Response splitting
■■
Buffer overflows
■■
Data injection
■■
Directory transversals
■■
Denial of service
Not all of the aforementioned attacks will be on the exam and therefore we will not cover them in detail. They are listed to help convey the number of attacks that exist due to a lack of proper input validation. To avoid duplicating other content in this book, we will not step into the attacks that will be on the exam and are covered in various areas throughout this book. You can locate them by using the book’s index and Table of Contents.
Preventing Input Validation-Related Attacks The best countermeasure against input validation-related attacks, such as buffer overflow, SQL Injection, or XSS vulnerabilities, is to implement proper input validation. Although the primary method used today to receive input from users is through text boxes on a Web page, applications can be written to send or receive data using multiple vectors including HTTP headers, cookies, and even text files. Therefore, proper data input validation needs to be implemented whenever and wherever data is received by the application and performed prior to processing, regardless of the method used to receive it. Data input validation should evaluate data at a minimum for the following criteria: ■■
■■
■■
Type Verifies data received is within the specified format. For example, if an integer is expected the application should not process alpha values such as ABC. Length Ensures the length of received data does not fall outside of an expected number of characters. Format Verifies data is received within the specified format, for example YY/ DD/MM.
112 CHAPTER 3 Application Security
■■
Range Ensures the data falls within a specified range of values, for example, a value between 1 and 1,000.
Data input that does not pass all validation checks should be rejected. Data input functionality should be performed on the server that typically exists within a trusted location on the network. Malicious tools can easily bypass client-side input validation. If client-side validation is in place, data can be captured after the validation routine is run on the client, maliciously modified by an attacker, and submitted to the Web application, which could result in error.
Notes from the Field Exploiting Client-Side Data Validation Two popular tools used by hackers and penetration testers are Achilles and WebScarab. These tools can be used to observe how applications communicate with Web browsers. However, they can also function as a proxy that allows them to capture and manipulate application data submitted by a client and submit this data to a Web application. This can be used to exploit applications relying solely on client-side validation and result in information disclosure, DoS condition, or in some cases even remote code execution.
Test Day Tip For the exam you will not be expected to review code snippets and identify buffer overflow vulnerability. Just gain an understanding of what they are, what actions an attacker can perform after successful exploitation of one, and how to prevent them.
Thus far in this chapter, we have focused on some of the most serious types of application vulnerabilities such as browser-based, buffer overflow, and XSS vulnerabilities. Applications however in their default configurations and during expected use can present other significant risks to users over and above the types of attacks we have covered thus far. We’ll now shift our focus to looking at some of these risks within popular COTS applications beginning with instant messaging clients.
Instant Messaging (IM) As more and more people go online and more businesses and their employees rely on communicating in real time, IM has grown by leaps and bounds. IM involves using tools such as ICQ, AOL Instant Messenger (AIM), Yahoo! Messenger, Google Talk, Windows Live Messenger (aka MSN Messenger or .NET Messenger), or Windows Messenger that comes with Windows XP. Additionally, other products include Lotus Sametime as well as Microsoft’s Office Communicator. This technology allows you to
Application Security Threats 113
communicate with other members of your staff when used at work, or with friends and family when used at home. Generally, each of these IM clients ties into a service that transfers messages between other users with the same client software. However, there are programs like Trillian that allow users to consolidate their accounts on different IM networks and connect to AIM, Yahoo! Messenger, Windows Live Messenger, I Seek You (ICQ), and Internet Relay Chat (IRC) all within a single interface. In recent years, such features have also been folded into other IM software, such as Windows Live Messenger supporting messages exchanged with Yahoo! Messenger clients. Despite the popularity of IM clients, many businesses prohibit the use of IM programs on network computers. One reason is practical: incessant “chatting” can become a bigger time waster than gossiping at the water fountain (and one that is less obvious for management to detect). But an even more important reason is that IM technologies pose significant security risks. Each of the messenger programs has been exploited and most of them require a patch. The hacker community has discovered exploits, which range from DoS attacks all the way to executing remote commands on a system. For the Security+ exam, the following security issues that are related to using IM technology must be acknowledged: ■■
■■
■■
Internet Protocol (IP) address exposure is prominent and, because an attacker can get this information from IM technology, provides a way that an attacker can isolate a user’s home machine, crack into it, and then exploit it. IM technology includes a file transfer capability, with some providing the ability to share folders (containing groups of files) with other users. In addition to the potential security issues of users making files available, there is the possibility that massive exploits can occur in that arena if the firewall technology is not configured to block it. All kinds of worms and viruses can be downloaded (circumventing the firewall), which could cause huge problems on an internal network. Companies’ Human Resources (HR) policies need to be addressed because there is no way to really track IM communication out of the box. Thus, if an employee is communicating in an improper way, it might be more difficult to prove as compared with improper use of e-mail or Web sites visited.To help solve this problem, some IM clients like Microsoft’s Office Communicator allow IM conversations to be stored in the Exchange environment and subjected to retention policies.
Exam Warning Make sure you fully understand the implications of using IM technology on your network. Many exploits, attacks, and hoaxes can be performed using IM.
For companies that want to allow IM for business purposes but prevent abuse, there are software products available, such as Akonix’s security gateway for public instant messaging, Zantaz’s Digital Safe, IMlogic’s IM Manager, and Microsoft Forefront Security for Office Communicator that allow companies to better control IM
114 CHAPTER 3 Application Security
traffic and log and archive IM communications. Such products (combined with antivirus software and security solutions already on a server running the IM service, and the client computer running the IM client software) add to the security of IM.
Packet Sniffers and Instant Messaging Packet sniffers are tools that can capture packets of data off of a network, allowing you to view its contents. As we will see later in Chapter 6, a considerable amount of data can be obtained by viewing the contents of captured packets, including usernames and passwords. By using a packet sniffer to monitor IM on a network, you can view what people are chatting about and other sensitive information. The reason packet sniffers can view IM information so easily is because the messages are passed between IM users as cleartext. Cleartext messages are transmitted without any encryption, meaning the messages being carried across a network can be easily viewed by anyone with the proper tools. Being sent as cleartext makes them as easy to view in a packet sniffer as a text message would be on your computer. In addition to packet sniffers, there are also a number of tools specifically designed to capture IMs. For example, a program called MSN Sniffer 2 is available at EffeTech’s Web site (www.effetech.com). This tool will capture any MSN chats on a local network and store them so they can be analyzed at a later time. If there is concern that information is being leaked, or policies are being broken through IM software on the network, you could use this tool to view the chats and use them as evidence for disciplinary actions or to provide to police when pressing criminal charges. A peer-to-peer client is another type of application that is often used to promote data disclosure and an input vector for viruses.
Peer-to-Peer Peer-to-Peer (P2P) networks have become a mainstream application with two of the largest P2P networks being BitTorrrent and eMule. Unfortunately, a large motivation for P2P networks is to allow users to illegally share copyrighted materials. However, there are groups of users and even some organizations who do use P2P networks for legal and morally acceptable use and need to be secured. A typical network consists of a client-server model where there are dedicated servers that, as their name suggests, serve content to clients. P2P networks alternatively utilize a model where each client is a peer and serves each other client on the network. Figure 3.13 is an illustration of comparison client-server and P2P networks. To join a P2P network, you must install a supported client application on a computer and ensure the appropriate network ports are open between the client computer and other P2P hosts. By looking at the previous illustration you will notice that if this were a client server model firewall rules could have been used to restrict port access between a specific client and the central server. However, with P2P networks each computer communicates with other systems. For this to work properly, a firewall rule would be required to allow traffic to and from all addresses that existing and future clients may use. For many P2P networks this would include the Internet
Application Security Threats 115
Figure 3.13 Comparison of Traditional and P2P Networks
and that would be a very bad idea. Aside from limitations on your inability to implement restrictive network-based Access Control Lists, P2P networks are associated with the following additional risks: ■■
■■
■■
Used as a target ingress path for Trojans and viruses The port(s) used between P2P clients to share data can include viruses. Furthermore, files within P2P networks are often renamed countless times and often only closely resemble what the contents are. Malicious users also purposely rename known Trojans with popular file names so they are appealing and hopefully downloaded by a larger number of users. There are even some viruses specifically written to spread over P2P ports in an effort to infect other P2P clients. Used as an egress vector to transfer stolen data Stealing data requires first a successful attack granting an attacker access to data and secondly a means for the attacker to transfer the stolen information off a client/network to a location under the attacker’s control. P2P networks can satisfy the means of transferring data off a compromised computer. Information disclosure Some P2P clients such as Kazaa and Gnutella provide backdoor file system access to other peers on the P2P network. These peers may have direct access to files stored locally on a user’s hard drive. Without strict configuration guidelines the unintentional disclosure of information can occur.
Securing P2P Clients To help limit the risks associated with P2P networks, you can implement the following safeguards: ■■
Enforce application software restrictions Software restriction policies enforced within Windows Group Policy, McAfee Host Intrusion Prevention agents, or other comparable product can be used to prevent the installation of unauthorized P2P client software.
116 CHAPTER 3 Application Security
■■
■■
Virus scan all files retrieved from P2P networks All files downloaded from a P2P network should be scanned using an up-to-date antivirus client before execution. Implement strict restrictions on folders that are shared by other P2P clients This will help you to ensure that you specify and are aware of which file folders are being shared over the P2P network and can ensure not to store sensitive information within them.
Specific steps on how to implement the preceding will vary depending on the P2P client and you should refer to vendor documentation for specific instructions. The last application we’ll look at are Simple Mail Transfer Protocol (SMTP) relays, which are used to e-mail data from a host to specific recipients. SMTP relays are used for legitimate purposes and by hackers for illegitimate purposes such as spreading spam.
SMTP Open Relays Organized crime is a significant driving force behind spam. Research from Cisco shows that spam accounted for 90 percent of e-mail messages sent over the Internet during 2008. Each of these messages clogs network bandwidth, fills user mailboxes, and requires users to read or partially read the message and delete it. This wastes a significant amount of user productivity within organizations and serves as an annoyance for home users. With thoughts of spam dominating the Internet, you may envision a server room controlled by cybercrime lords or questionable product and service companies developing advertising for the sole purpose of blanketing Internet pipes with millions of spam messages per day. In reality, this scenario is rarely the case and most spam is sent from open SMTP relays existing on corporate networks or home computers without the knowledge or consent of the owner. Corporate mail systems usually contain fast servers with large network pipes; however, home computers although much slower than corporate systems can distribute millions of spam messages a day. When multiplied by the number of home computers with open mail relays, either intentionally installed or silently installed via malware, both are prime targets for relaying mail. When attackers relay a mail message, they bounce it off an open mail relay, which in turn forwards the message to an address of the attacker’s choosing. Viewing mail headers and other network logs would lead back to the location of the mail relay application as opposed to the hacker. Aside from serving as the source of spam messages that could lead authorities back to your organization during a cyber investigation, there are additional risks associated with sending spam via an open mail relay: ■■
■■
Denial-of-Service conditions Although businesses often use large Internet pipes, a single mail relay can quickly clog this pipe causing a DoS condition where legitimate business functions cease to operate due to lack of network resources. Damage to brand Spam messages may include advertising, images, or in some cases viruses. If one of these viruses were to impact another organization,
Summary of Exam Objectives 117
especially a client, then that organization could see the incident as an indication of the its internal security challenges, and this may affect future business. ■■
Blacklisted on spam sites Blacklisting sites are used to track computers on the Internet that have been reported to be a major source of originating spam. These blacklists are maintained by spam-fighting organizations and used by several antispam products as the gospel to block e-mails originating from computers on these spam lists. In Chapter 6, we’ll discuss network address translation (NAT), which allows several computers within an organization to share the same IP address. This means that a single computer within an organization that is captured on the spam lists can prevent your entire organization from conducting business on the Internet with other companies using antispam technologies.
The preceding risks are most applicable for business but also apply to home users. There are several free Web sites on the Internet that can test SMTP mail relays for misconfigurations exposing open mail forwarding. One such example is www.abuse.net/ relay.html that allows the user to type in the IP address of a mail relay in which the site will attempt to forward an e-mail from this mail relay just like an attacker would. A report with the test results is displayed on the Web site or e-mailed to a provided e-mail address.
Securing Mail Relays To prevent the relaying of mail, mail relays and mail servers need to be properly configured to prohibit relaying or mail. In cases where mail relaying is legitimately needed, restrictions should be placed on the mail application to restrict which systems can relay mail off of it. The exact steps on how to configure mail relays will differ depending on the application; however, you can view vendor documentation for specifics. Exam Warning For the exam just focus on understanding Open SMTP relay risks and countermeasures. You will not be expected to know the specific steps in securing a SMTP relay against this form of attack.
Summary of Exam Objectives In this chapter, we reviewed application security-related Security+ exam objectives. We looked at how the focus of cybercrime has shifted in past years and how threat modeling, a relatively new method of risk assessment can help secure these complex applications. Internet usage is higher than ever, and browser-based threats are prevalent in the industry. We looked at some of the most serious browser-based threats and how they can be secured both by the developers who write them as well as the users to which they are downloaded and executed. Understanding the information, threats, and countermeasures in this chapter will not only help you to prepare for the Security+ exam but also provide you the insight needed to tackle application security, one of the largest threats to information security today.
118 CHAPTER 3 Application Security
Exam Objectives Fast Track Threats Are Moving “Up the Stack” ■■
■■
■■
The OSI model references the seven layers of communication that occur when two network devices communicate with each other. Computer attacks now more than ever are targeting the application layer (Layer 7) of the OSI model. Threat modeling uses a five-phased process of assessing and documenting a system’s security risks.
Application Security Threats ■■
■■ ■■
■■
■■
Application security consists of securing custom-developed applications in addition to COTS applications. One of the largest risks within application security is browser-based threats. ActiveX controls, Java applets, and scripting are tiny pieces of code stored on a Web site that are downloaded and executed on visiting users’ machines. These applications often contain serious vulnerabilities that place unsuspecting users at risk. XSS attacks occur when one user injects malicious code into a Web site where it is downloaded and executed by another user. Input validation is the single most overlooked secure coding practice that prevents many common forms of attack including buffer overflow and XSS attacks.
Exam Objectives Frequently Asked Questions Q: Will threat models find all vulnerabilities within a software application? A: No, threat models are a good method to identify and rate vulnerabilities that are typically missed when simply executing typical vulnerability assessment such as running a vulnerability scanner against an application. However, regardless of the number of teams involved in the threat modeling process and the level of depth it uses, there is no known method today to identify all vulnerabilities within a software application. Q: How can my applications be protected against buffer overflow attacks? A: It’s impossible to provide 100 percent protection, but a good start is making sure you are current with patches from the software vendor. Another approach for developers is to perform code reviews, looking for overlooked
Self Test 119
flaws in the code that could potentially be exploitable, and adopting secure coding practices with a security development lifecycle. Q: I am afraid of Web servers learning my identity and using it against me. I think that if they have access to my cookies, they have access to my system. Is this true? A: No, it is not. A cookie is a kind of token or message that a Web site hands off to a Web browser to help track a visitor between clicks. The browser stores the message on the visitor’s local hard disk in a text file. The file contains information that identifies the user and their preferences or previous activities at that Web site. A Web server can gain valuable information about you, but although it can read the cookie, that does not mean that the Web server can necessarily read the files on your hard disk. Q: Do all buffer overflow vulnerabilities lead to privileged remote code execution which can allow an attacker to compromise a computer? A: Not all buffer overflow vulnerabilities can result in privileged code execution (administrator level permission within the operating system). Depending on the application and the nature of the buffer overflow vulnerability it is possible that the only payload available to an attacker who successfully exploits a BO vulnerability is to cause a DoS condition. Other possible payloads are information disclosure, nonprivileged code execution which allows the code to be executed within the context of the vulnerable application or interactively logged in user account. Q: Whose job is it to implement cookie-related security—the Web user or the Web a pplication developer? A: It is the Web application developer’s job to ensure that the cookie is not storing sensitive plain text information within the cookie and the actions of the cookie. However, not all Web application developers follow this principle; therefore, as a Web site user you should ensure that you implement browserbased cookie controls such as ensuring only cookies are received from the site you are visiting and that you should be prompted to alert you when cookies are being written to your computer and what the contents of these cookies are.
Self Test
1. A user contacts you with concerns over cookies found on their hard disk. The user visited a banking site several months ago, and when filling out a form on the site, provided some personal information that was saved to a cookie. Even though this was months ago, when the user returned to the site, it displayed his name and other information on the Web page. This led
120 CHAPTER 3 Application Security
the user to check his computer, and find that the cookie created months ago is still on the hard disk of his computer. What type of cookie is this? A. Temporary C. Persistent B. Session D. Tracking
2. Your company has recently installed IM software on computers throughout the network, to encourage better communication between departments. A user on a network has installed a packet sniffer, and is using it to attempt viewing IMs transmitted between users of the network. When the packet sniffer captures one of the packets from an IM session, which of the following will occur? A. The information from the IM session can’t be viewed because it is encrypted. B. The information from the IM session can be viewed because it is sent as cleartext. C. The message will be unreadable because IM only allows small messages to be sent, meaning that the entire message will be split between numerous packets. D. The message will be unreadable because the Short Message Service (SMS) Center automatically encrypts every message sent over SMS.
3. Which layer of the OSI model is the target of most Internet-based attacks? A. The network layer directly above the data link layer B. The session layer directly above the transport layer C. The application layer directly above the session layer D. The application layer directly above the presentation layer
4. What does the term drive-by-download refer to? A. Downloading Trojans from P2P networks B. Downloading Trojans from instant messaging applications C. Downloading mail attachments via an open mail relay D. Navigating to a Web site and having malicious code auto execute without your knowledge
5. Cookie security is truly only at the mercy of the Web site administrator. Is this statement true or false?
6. Proper input validation should include which of the following checks? (Select all that apply) A. Data type D. Name of the user submitting the data B. Data length E. Range of values C. IP address of data transmission
Self Test 121
7. If P2P networks are to be used on corporate networks, which of the following steps does the best job of securing it? A. Configure P2P client to share files within a single directory and install an antivirus client on all the computers running P2P software B. Disable any open mail relays that are accessible from P2P clients C. Disable ActiveX, Java, and scripting within users’ Web browsers D. Disable any IM clients installed on the P2P clients
8. Monday morning has brought news that your company’s e-mail has been blacklisted by many ISPs. Somehow your e-mail servers were used to spread spam. What most likely went wrong? A. An insecure e-mail account was hacked B. Sendmail vulnerability C. Open mail relay D. Port 25 was left open
9. Your developer contacts you for guidance on how to secure ActiveX controls he or she plans on using within his Web application. What advice would you provide him? A. Ensure to follow secure coding practices and sign the control before publishing B. Only transfer the control over SSL sessions to and from the Web browser C. Write the ActiveX control within Java D. Perform a Threat Model on the ActiveX control
10. Multiple user laptops have been compromised due to exploitation of vulnerabilities in Java applets downloaded from third parties. What should you do to secure Java and help prevent further security incidents from recurring? (Select the best answer) A. Install the latest patches for all employee computers B. Install the latest patches for all employee computers and ensure employees only visit sites with proper input validation C. Install the latest patches for all employee computers and use Internet Explore security zones to restrict the permissions of downloaded Java applets D. Install the latest patches for all employee computers and use Internet Explore security zones to restrict the permissions of downloaded JavaScript
122 CHAPTER 3 Application Security
11. You are tasked with creating a threat model for a new application your company is developing. Who should you include in the threat modeling process? A. A member of the corporate security team B. Members of the security team and upper management C. Members of the security team and middle management D. Members of the security team and members from all teams responsible for the design and operation of the application 12. You perform a security assessment of your company’s Web server and identify a cross-site scripting vulnerability. What recommendation can you provide to your company to correct the vulnerability? (Choose the best answer) A. Advise Web site users to ensure cookies are only transferred over secure connections B. Implement a policy mandating that Web site users disable ActiveX support within their Web browsers C. Implement a policy mandating that Web site users disable Java applet support within their Web browsers D. Advise the Web administrator to ensure all Web application data inputs are validated prior to processing 13. You push out a security hardening policy to corporate users and later receive complaints from users stating that they can no longer view business Web sites. What element of your security hardening policy is most likely the cause of the issue? A. Removal of open mail relays B. Disabling of ActiveX controls and Java applets C. Implementation of P2P client restrictions D. Implementation of IM client filtering 14. Which of the following is not a phase within the threat modeling process? A. Security objective definition B. Application review C. Application decomposition D. Threat identification E. Vulnerability identification F. Application vulnerability scan
References 123
15. Bob is preparing to evaluate the security on his Windows XP computer and would like to harden the OS. He is concerned as there have been reports of buffer overflows. What would you suggest he do to reduce this risk? A. Remove sample files B. Upgrade his OS C. Set appropriate permissions on files D. Install the latest patches
Self Test Quick Answer Key 1. 2. 3. 4. 5.
C B D D False
6. 7. 8. 9. 10.
A, B, and E A C A C
11. 12. 13. 14. 15.
D D B F D
References 1. Symantec Report on the Underground Economy—Goods and Services Advertised [document on the Internet]. Cupertino, CA: Symantec Corporation; 26 November 2008 [cited 25 June 2009]. Available from https://forums2.symantec.com/t5/ISTR/Symantec-Report-on-theUnderground-Economy-Goods-and-Services/ba-p/368226. 2. Threat Risk Modeling [document on the Internet]. Columbia, MD: The Open Web Application Security Project (OWASP); 2009? [last modified 27 May 2009; cited 25 June 2009]. Available from www.owasp.org/index.php/Threat_Risk_Modeling#STRIDE. 3. SANS Top-20 2007 Security Risks (2007 Annual Update) [document on the Internet]. Bethesda, MD: The SANS (SysAdmin, Audit, Network, Security) Institute; 2007? [cited 25 June 2009]. Available from www.sans.org/top20/. 4. Top Ten Cyber Security Menaces for 2008 [document on the Internet]. Bethesda, MD: The SANS (SysAdmin, Audit, Network, Security) Institute; 2008? [cited 25 June 2009]. Available from www.sans.org/2008menaces/. 5. The Latest in the Threat Landscape—Web Based Attacks: February 2009 [document on the Internet]. Cupertino, CA: Symantec Corporation; 2009 [cited 25 June 2009]. Available from www.symantec.com/connect/articles/latest-threat-landscape-web-based-attacks-february2009-0. 6. Microsoft Security Bulletin MS08-041—Critical: Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617) [document on the Internet]. Redmond, WA: Microsoft Corporation; 12 August 2008 [updated 15 October 2008; cited 25 June 2009]. Available from www.microsoft.com/technet/security/ bulletin/ms08-041.mspx.
124 CHAPTER 3 Application Security
7. Desiging Secure ActiveX Controls [document on the Microsoft Developer Network Web site]. Redmond, WA: Microsoft Corporation; 2009 [cited 25 June 2009]. Available from http://msdn .microsoft.com/en-us/library/aa752035(VS.85).aspx. 8. Symantec AutoFix Support Tool ActiveX Control Vulnerabilities [document number SYM08009 on Symantec’s Web site]. Cupertino, CA: Symantec Corporation; 2 April 2008 [updated on 30 May 2008; cited on 25 June 2009]. Available from www.symantec.com/avcenter/ security/Content/2008.04.02a.html. 9. Dormann, W. and Rafail, J. Securing Your Web Browser [document on the Internet]. Washington, D.C.: United States Computer Emergency Readiness Team (US-CERT); 23 January 2006 [updated 14 February 2008; cited 25 June 2009]. Available from www.us-cert.gov/reading_room/ securing_browser/browser_security.html#Internet_Explorer. 10. National Cyber Alert System: Technical Cyber Security Alert TA08-340A: Sun Java Updates for Multiple Vulnerabilities [document on the Internet]. Washington, D.C.: United States Computer Emergency Readiness Team (US-CERT); 5 December 2008 [cited 25 June 2009]. Available from www.us-cert.gov/cas/techalerts/TA08-340A.html. 11. Secure Coding Guidelines Version 2.0 for the Java Programming Language [document on the Sun Developer Network]. Santa Clara, CA: Sun Microsystems, Inc. [cited 25 June 2009]. Available from http://java.sun.com/security/seccodeguide.html. 12. Vulnerability Note VU#788019: Adobe Reader and Adobe Acrobat contain an unspecified flaw in a JavaScript method [document on the Internet]. United States Computer Emergency Readiness Team (US-CERT); 25 June 2008 [updated 25 June 2008; cited 25 June 2009]. Available from www.kb.cert.org/vuls/id/788019. 13. Microsoft Security Bulletin MS08-022—Critical Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338) [document on the Internet]. Redmond, WA: Microsoft; 8 April 2008 [updated 3 September 2008; cited 25 June 2009]. Available from www.microsoft.com/technet/security/bulletin/MS08-022.mspx. 14. Martin, B. Experts Announce Agreement on the 25 Most Dangerous Programming Errors— And How to Fix Them. Agreement Will Change How Organizations Buy Software [document on the Internet]. Bethesda, MD: The SANS (SysAdmin, Audit, Network, Security) Institute; 12 January 2009 [cited 25 June 2009]. Available from www.sans.org/top25errors/.
Chapter
Implementing System Security Applications
4
E x a m o b j e c tiv e s in this c hapt e r Host Intrusion Detection System..........................................................................................125 Personal Software Firewall.................................................................................................132 Antivirus.............................................................................................................................182 Antispam............................................................................................................................196 Pop-Up Blockers.................................................................................................................198
Host Intrusion Detection System Firewalls and other simple boundary devices lack some degree of intelligence when it comes to observing, recognizing, and identifying attack signatures that may be present in the traffic they monitor and the log files they collect. A successful security strategy requires many layers and components. One of these components is the intrusion detection system (IDS). Intrusion detection is an important piece of security in that it acts as a detective control. As an example, consider a locked car in a parking lot. Locking the car is much like securing the network. It provides security but only deters attacks. What if someone breaks into the locked car, how would the driver detect this? In the world of automobile security that could be accomplished with an alarm system. In the computer world this is done with an IDS. Whereas other boundary devices may collect all the information necessary to detect (and often to foil) attacks that may be getting started or are already underway, they have not been programmed to inspect for and detect the kinds of traffic or network behavior patterns that match known attack signatures or that suggest potential unrecognized attacks may be incipient or in progress. In a nutshell, the simplest way to define an IDS is to describe it as a specialized tool that knows how to read and interpret the contents of log files from sensors placed on the network, routers, firewalls, servers, and other network devices. Furthermore, an IDS often stores a database of known attack signatures and can compare patterns of activity, traffic, or behavior it sees in the logs it is monitoring against those signatures to recognize when a close match between a signature and current
125
126 CHAPTER 4 Implementing System Security Applications
or recent behavior occurs. At that point, the IDS can issue alarms or alerts, take various kinds of automatic action ranging from shutting down Internet links or specific servers to launching backtraces, and make other active attempts to identify attackers and actively collect evidence of their nefarious activities. By analogy, an IDS does for a network what an antivirus software package does for files that enter a system: it inspects the contents of network traffic to look for and deflect possible attacks, just as an antivirus software package inspects the contents of incoming files, e-mail attachments, active Web content, and so forth to look for virus signatures (patterns that match known malicious software [malware]) or for possible malicious actions (patterns of behavior that are at least suspicious, if not downright unacceptable). Exam Warning To eliminate confusion on the Security+ exam, the simplest definition of IDS is a device that monitors and inspects all inbound- and outbound-network traffic, and identifies patterns that may indicate suspicious activities or attacks. Do not confuse this with a firewall, which is a device that inspects all inbound- and outbound-network traffic looking for disallowed types of connections.
To be more specific, intrusion detection means detecting unauthorized use of or attacks on a system or network. An IDS is designed and used to detect and then to deflect or deter (if possible) such attacks or unauthorized use of systems, networks, and related resources. Like firewalls, IDSes may be software-based or may combine hardware and software (in the form of preinstalled and preconfigured stand-alone IDS devices). There are many opinions as to what is the best option. For the exam what’s important is to understand the differences. Often, IDS software runs on the same devices or servers where firewalls, proxies, or other boundary services operate; however, an IDS is not running on the same device or server where the firewall or other services are installed to monitor those devices closely and carefully. Although such devices tend to operate at network peripheries, IDSes can detect and deal with insider attacks as well as external attacks as long as the sensors are appropriately placed to detect such attacks. Exam Warning The Security+ exam expects you to understand the different types of IDSes, what they are used for, and how they can help protect your network.
There are two types of IDSes that can be used to secure a network: system IDSes or network IDSes. A system IDS (referred to as a host IDS—host intrusion detection system [HIDS]—or a Kernel Proxy) runs on each individual server on which the administrator wants to perform intrusion detection. A network IDS (NIDS) does intrusion detection across the network. System IDSes are great for ensuring that the server
Host Intrusion Detection System 127
on which it is installed is capable of detecting attacks. They are also more efficient than NIDS because they only analyze the data from one system rather than the entire network. An NIDS, however, has the capability to detect attacks that may be occurring on multiple systems at the same time or to catch someone doing a portscan of an entire network.
Signature Based An IDS is, quite simply, the high-tech equivalent of a burglar alarm configured to monitor access points, hostile activities, and known intruders. These systems typically trigger on events by referencing network activity against an attack signature database. If a match is made, an alert takes place and is logged for future reference. It is the makeup of this signature database that is the Achilles’ heel of these systems. Attack signatures consist of several components used to uniquely describe an attack. The signature is a kind of detailed profile that is compiled by doing an analysis of previous successful attacks. An ideal signature would be one that is specific to the attack, while being as simple as possible to match with the input data stream (large complex signatures may pose a serious processing burden). Just as there are varying types of attacks, there must be varying types of signatures. Some signatures define the characteristics of a single Internet Protocol (IP) option, perhaps that of an Nmap portscan, whereas others are derived from the actual payload of an attack. Most signatures are constructed by running a known exploit several times, monitoring the data as it appears on the network, and looking for a unique pattern that is repeated on every execution. This method works fairly well at ensuring that the signature will consistently match an attempt by that particular exploit. Remember, the idea is for the unique identification of an attack, not merely the detection of attacks. Exam Warning Signatures are defined as a set of actions or events that constitute an attack pattern. They are used for comparison in real time against actual network events and conditions to determine if an active attack is taking place against the network. The drawback of using attack signatures for detection is that only those attacks for which there is a released signature will be detected. It is vitally important that the signature database is kept updated.
A computing system, in its most basic abstraction, can be defined as a finite state machine, which literally means that there are only a specific predefined number of states that a system may attain. This limitation hinders the IDS, in that it can be well armed at only a single point in time (in other words, as well armed as the size of its database). This poses several problems, which are as follows: ■■
First, how can one have foreknowledge of the internal characteristics that make up an intrusion attempt that has not yet occurred? You cannot alert on attacks you have never seen.
128 CHAPTER 4 Implementing System Security Applications
■■
■■
■■
Second, there can be only educated guesses that what has happened in the past may again transpire in the future. You can create a signature for a past attack after the fact, but there is no guarantee you will ever see that attack again. Third, an IDS may be incapable of discerning a new attack from the background white noise of any network. The network utilization may be too high, or many false positives can cause rules to be disabled. And finally, the IDS may be incapacitated by even the slightest modification to a known attack. A weakness in the signature matching process, or more f undamentally, a weakness in the packet analysis engine (packet sniffing/ reconstruction) will thwart any detection capability.
The goals of an attacker in relation to IDS evasion are twofold: ■■ ■■
to evade detection completely to use techniques and methods that increase the processing load of the IDS sensor significantly
As more methods are employed by attackers on a wide scale, more vendors will be forced to implement more complex signature matching and packet analysis engines. These complex systems will undoubtedly have lower operating throughputs and will present more opportunities for evasion. The paradox is that the more complex a system becomes, the more opportunities there are for vulnerabilities. Finally, advances in IDS design have led to a new type of IDS, called an intrusion prevention system (IPS). An IPS is capable of responding to attacks when they occur. This behavior is desirable from two points of view. For one thing, a computer system can track behavior and activity in near-real time and respond much more quickly and decisively during the early stages of an attack. Since automation helps hackers mount attacks, it stands to reason that it should also help security professionals fend them off as they occur. For another thing, an IPS can stand guard and run 24 hours per day/7 days per week, but network administrators may not be able to respond as quickly during the off hours as they can during the peak hours. By automating a response and moving these systems from detection to prevention they actually have the ability to block incoming traffic from one or more addresses from which an attack originates. This allows the IPS the capability to halt an attack in process and block future attacks from the same address. Exam Warning To eliminate confusion on the Security+ exam about the differences between an IDS and an IPS, remember that an IPS is designed to be a preventive control. When an IDS identifies patterns that may indicate suspicious activities or attacks, an IPS can take immediate action that can block traffic, blacklist an IP address, or even segment an infected host to a separate virtual local area network (VLAN) that can only access an antivirus server.
Host Intrusion Detection System 129
Behavior Based Indeed, signature detection is the most widely used approach in commercial IDS technology today. Another approach is called anomaly detection or behavior-based detection, which uses rules or predefined concepts about “normal” and “abnormal” system activity (called heuristics) to distinguish anomalies from normal system behavior and to monitor, report on, or block anomalies as they occur. Some IDSes support limited types of anomaly detection; most experts believe this kind of capability will become part of how more IDSes operate in the future. Read on for more information about these two kinds of event analysis techniques: ■■ ■■
■■
■■ ■■
■■
Signature-based IDS characteristics Pros A signature-based IDS examines ongoing traffic, activity, transactions, or behavior for matches with known patterns of events specific to known attacks. As with antivirus software, a signature-based IDS requires access to a current database of attack signatures and some way to actively compare and match current behavior against a large collection of signatures. Except when entirely new attacks occur, this technique works extremely well. Cons Signature databases must be constantly updated, and IDSes must be able to compare and match activities against large collections of attack signatures. If signature definitions are too specific, a signature-based IDS may miss variations on known attacks. (A common technique for creating new attacks is to change existing known attacks rather than to create entirely new ones from scratch.) Signature-based IDSes can also impose noticeable performance drags on systems when current behavior matches multiple (or numerous) attack signatures, either in whole or in part. Anomaly based IDS characteristics Pros An anomaly based IDS examines ongoing traffic, activity, transactions, or behavior for anomalies on networks or systems that may indicate attack. The underlying principle is the notion that “attack behavior” differs enough from “normal user behavior” that it can be detected by cataloging and identifying the differences involved. By creating baselines of normal behavior, anomaly based IDS systems can observe when current behavior deviates statistically from the norm. This capability theoretically gives anomaly based IDSes the capability to detect new attacks that are neither known nor for which signatures have been created. Cons Because normal behavior can change easily and readily, anomaly based IDS systems are prone to false positives, where attacks may be reported based on changes to the norm that are “normal,” rather than representing real attacks. Their intensely analytical behavior can also impose heavy processing overheads on systems they are running. Furthermore, anomaly based systems take a while to create statistically significant baselines (to separate normal behavior from anomalies); they are relatively open to attack during this period.
130 CHAPTER 4 Implementing System Security Applications
Today, many antivirus packages include both signature-based and anomaly based detection characteristics, but only a few IDSes incorporate both approaches. Most experts expect anomaly based detection to become more widespread in IDSes, but research and programming breakthroughs will be necessary to deliver the kind of capability that anomaly based detection should be but is currently not able to deliver. By implementing the following techniques, IDSes can fend off expert and novice hackers alike. Although experts are more difficult to block entirely, these techniques can considerably slow them down. ■■
■■
■■
■■
Breaking Transmission Control Protocol (TCP) connections by injecting reset packets into attacker connections causes attacks to fall apart. Deploying automated packet filters to block routers or firewalls from forwarding attack packets to servers or hosts under attack stops most attacks cold— even denial of service (DoS) or distributed denial of service (DDoS) attacks. This works for attacker addresses and for protocols or services under attack (by blocking traffic at different layers of the Advanced Research Projects Agency [ARPA] networking model, so to speak). Deploying automated disconnects for routers, firewalls, or servers can halt all activity when other measures fail to stop attackers (as in extreme DDoS attack situations, where filtering would only work effectively on the Internet service provider [ISP] side of an Internet link, if not higher up the ISP chain as close to Internet backbones as possible). Actively pursuing reverse domain name system (DNS) lookups to detect a hacker’s identity is a technique used by some IDSes. These types of IDSes generate reports of malicious activity to all ISPs in the routes used between the attacker and the victim. Because such responses may themselves raise legal issues, experts recommend obtaining legal advice before repaying hackers in kind.
Head of the Class Getting More Information on IDS For quick access to a great set of articles and resources on IDS technology, visit www. searchsecurity.techtarget.com and search for intrusion detection. There are several good articles to be found on this topic including, but not limited to the following: ■■
“Intrusion Detection: A Guide to the Options” at www.techrepublic.com/article_guest. jhtml?id=r00620011106ern01.htm
■■
■■
“Intrusion-detection Systems Sniff Out Security Breaches” at http://searchsecurity. techtarget.com/originalContent/0,289142,sid14_gci802278,00.html “Recommendations for Deploying an Intrusion-detection System” at http://searchsecurity. techtarget.com/originalContent/0,289142,sid14_gci779268,00.html
Host Intrusion Detection System 131
Cisco CSA Cisco, generally accepted as the leader in all things networking, is also well known for its security products. One of the lesser known products is Cisco’s Security Agent, or CSA. Cisco pitches the product as “the first endpoint security solution that combines zero-update attack defense, policy-driven data loss prevention, and signaturebased antivirus detection in a single agent. This unique blend of capabilities defends servers and desktops against sophisticated day-zero attacks, and enforces acceptableuse and compliance policies within a simple management infrastructure.” The concept of day-zero is that viruses can be prevented simply by determining the normal state of a system prior to any potential infection. Cisco does this by creating a set of rules for a specific type of system. These policies vary by type of operating system (OS), as CSA supports a wide variety of client and server OSes (see Table 4.1). Beyond the OS itself, CSA allows you to allow behaviors inherent to a specific role of a system. For example, standard policies are available for DNS, Dynamic Host Configuration Protocol (DHCP), and Web servers. These standard policies define “norms” for, say, a DNS system. For example, a typical workstation or server would not need to allow incoming DNS requests. For non-DNS servers, this type of traffic is automatically dropped (and may potentially be logged). However, DNS does need to allow this traffic—and still may be required to be logged for auditing purposes. CSA allows for this flexibility, even allowing you to write your own rules and policies for nonstandard software packages and other enterprise-specific behaviors. In older versions of the CSA product, protection of the systems was strictly behavior-based, meaning that if a server acted outside of the norm, that behavior was either blocked and/or potentially logged for later review. In the most recent version of the product, signature-based antivirus has also been included in the product, offering a complete antivirus solution.
Table 4.1 Operating Systems Supported by Cisco Security Agent Server OS
Client OS
Windows 2003 Server
Windows Vista
Windows 2000 Server and Advanced Server
Windows Embedded Point of Service (WEPOS)
Solaris 9 SPARC architecture (64-bit kernel)
Windows XP Professional
Solaris 8 SPARC architecture (64-bit kernel)
Windows XP Tablet Edition
Red Hat Enterprise Linux 4.0 ES and AS
Windows 2000 Professional
Red Hat Enterprise Linux 3.0 ES and AS
Red Hat Enterprise Linux 4.0 WS
VMware GSX 3.2
Red Hat Enterprise Linux 3.0 WS
VMware ESX 3.0 and 2.5
VMware WS 5.x
132 CHAPTER 4 Implementing System Security Applications
Cisco Security Agent is made up of two parts, the Cisco Security Agent (which runs on the protected system), and the Management Center for Cisco Security Agents, or “MC” for short. The MC will run on a Windows 2003 system (SP0, 1, or 2), requires a 1-Ghz processor, 1 GB of memory, and a minimum of 9 GB free disk space. Cisco also recommends that the MC be installed on a new technology file system (NTFS) partition because of the 4 GB limitation for FAT32. Cisco also provides Microsoft SQL Server Express in the installation package for the back-end database but suggests that SQL Server Standard Edition or Enterprise Edition be installed for implementations over 1000 seats. Once an agent has been deployed to a client, these systems can be placed in a “silent” mode, meaning their activity is logged, but the rules are not being enforced. This type of deployment allows for the agent to collect information about the behavior of systems so that an administrator can develop a common set of rules for typical behavior for their environment outside of the standard set of rules created as a part of the OS policies, for example, customized line-of-business software that acts outside of the norm of what Cisco has defined for a Windows XP system. An example of this might be an older application that makes frequent writes to the system registry. A rule can be created so that the specific application and/or process can be allowed to write to a certain key or hive inside of the Windows registry. Over a period of time, these rules can be created and packaged into specialized policies that are unique to an organization.
Personal Software Firewall Back in the mid-1990s, when corporations big and small were just starting to come online, there was a pretty common belief that you needed two things for Internet security: a firewall and an antivirus. What was discovered over time was that this simply wasn’t enough. Two things happened: first, it became apparent that perimeter firewalls were good for stopping about 90% of intrusions on a network, but for the 10% that made it through, a way was needed to stop it at the server or desktop level. Second, people and computers became much more mobile. Because of the sweeping change from desktop computers to laptop computers, as well as the rapid growth of broadband connectivity both at home and abroad, having a perimeter firewall did nothing to prevent attacks against these mobile machines when not plugged into the corporate network. One of the technologies that was developed to help combat this was the personal firewall. It was essentially a piece of software that was installed onto a computer to prevent unauthorized access to that system. Some of them were very crude and basic, effectively blocking all incoming traffic. Some were much more elegant, allowing policies to be written on how traffic was allowed in, from where, and in what manner. As OSes evolved, these software firewall solutions were incorporated into the OS itself. This section describes the personal software firewalls that are incorporated into Microsoft’s two most recent desktop OSes: Windows XP and Windows Vista. We will also take a look at one of the stand-alone software firewall products that still exists today: Check Point’s ZoneAlarm.
Personal Software Firewall 133
Windows XP Firewall Windows Firewall was first introduced in Windows XP, but was very basic, even by the standards of that timeframe. Windows XP firewall could be turned off and turned on, and had a very minimal amount of “exceptions” that could be allowed. These exceptions were available for applications and services, such as File and Print Sharing, Remote Desktop, and Remote Assistance. Applications and ports could be added to the firewall, but were again very basic as compared to Windows XP, which we will discuss shortly. Applications, for example, were an all-or-nothing rule, meaning that the application was allowed to communicate over any port it wanted. The only restriction available was to control what IP addresses or subnets the application was allowed to connect to or from. Similarly, TCP and User Datagram Protocol (UDP) ports had this same level of control (called scopes), but very little advanced control was available. The more “advanced” functions of the Windows XP firewall were not so much advanced at all. You were allowed to enable or disable certain network firewall settings per-network interface. You were also allowed to log information regarding the firewall, specifically dropped packets and successful connections. However, these logs were stored locally on a hard drive, with no real capability to review or manage the logs from a central location. Outside of the functionality mentioned above, the only additional configuration option available within Windows XP firewall was the capability to control Internet Control Message Protocol (ICMP) settings. ICMP is defined as “a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses IP datagrams, but the messages are processed by the IP software and are not directly apparent to the application user.” Within the Windows XP firewall, you have the ability to allow incoming echo (ping) requests, timestamp requests, and many more. Generally, on an internal network, these ICMP services are left on, but outside of the corporate network, many administrators choose to turn them off to prevent unwanted traffic to the system as well as unwanted discovery of networked devices.
Windows Vista Firewall The Windows Vista firewall represents a significant improvement over the firewall available in Windows XP SP2. Before you examine the new firewall features available with Vista, it’s helpful to take a moment to look at the introduction of the Windows Firewall within the Windows XP OS. With the release of Windows XP SP2, information technology (IT) professionals saw a huge leap forward in Microsoft’s desktop security strategy with the addition of the Windows Firewall. In some ways, the Windows Firewall was a natural progression from the Internet Connection Firewall (ICF) that had been bundled into XP since its original release, but in most respects, the Windows Firewall was a huge departure from earlier Microsoft desktop security mechanisms. The ICF was turned off by default on new XP installations, so many users didn’t even realize it existed. And those people who manually enabled ICF often found that it was difficult to use
134 CHAPTER 4 Implementing System Security Applications
and configure. This was particularly the case for system administrators because the ICF was not configurable across an enterprise; the only Group Policy setting associated with ICF was the ability to disable it en masse. The release of the Windows Firewall in XP SP2 presented a much broader range of options for securing the Windows desktop, particularly for Active Directory administrators who wanted to deploy a consistent firewall configuration across an enterprise. Most prominently, the SP2 upgrade process would prompt the user to turn on the Windows Firewall when the installation was completed, and the Windows Firewall was turned on out of the box on computers that were preinstalled with SP2. This configuration eliminated many instances of the “My computer got compromised in the time it took me to go out to Windows Update and get my patches” phenomenon that had previously plagued end users and system administrators. The Windows Firewall also added dozens of configurable settings within Group Policy. For example, administrators can use Group Policy to specify which applications or ports to open and whether connections to those resources must be secure, all within the new Windows Firewall with Advanced Security Group Policy node. Group Policy allows administrators to exert granular control of its configuration across an entire organization or a single subset of users. Windows Vista takes this a step further by introducing the Windows Firewall with Advanced Security. Note For brevity’s sake, we will continue to refer to the Vista firewall as the Windows Firewall through the remainder of this chapter, except where we are referencing new features specific to the new Windows Firewall with advanced security interface.
Configuring the Windows Firewall Similar to the Windows XP firewall, the Windows Firewall with Advanced Security is a stateful, host-based firewall that you can configure to allow or disallow traffic that is generated by either a particular executable file, such as C:\Program Files\ Microsoft SQL Server\sqlserver.exe, or traffic that is destined for one or more TCP or UDP ports, such as TCP port 80 for Hypertext Transfer Protocol (HTTP) traffic. You’ll find that basic firewall configuration tasks haven’t changed much between Windows XP and Windows Vista; you’ll continue to make these changes using the Windows Firewall Control Panel applet. But even this piece has been updated to make it more intuitive and informative for the end user: When you open the Windows Firewall applet, the first thing you see is a summary of your current Windows Firewall settings, as shown in Figure 4.1. As you can see, this provides an at-a-glance summary of the current state of the firewall; whether it is turned on or off, how exceptions and notifications are being handled, and the network location to which the computer is currently connected. By clicking on Change settings, you’ll be taken to a familiar-looking interface that will actually allow you to make changes, as shown in Figure 4.2.
Personal Software Firewall 135
Figure 4.1 A New Look for the Windows Firewall Control Panel Applet
Similar to Windows XP, we define the three settings on the General tab as follows: ■■
■■
On (recommended) This is the recommended setting and is enabled by default when Vista is installed. This will block any unsolicited incoming communication attempts that are made against the Vista workstation. All outbound traffic will still be permitted, and any inbound responses to outbound traffic that was initiated by the user will also be permitted. On the Exceptions tab, you can still define exceptions for inbound traffic that should be permitted. Block all incoming connections By placing a checkmark here, you will instruct the Windows Firewall to block all unsolicited connection attempts even if exceptions are defined on the Exceptions tab. You should select this option if you are connected to a public or otherwise insecure network such as one in a hotel, airport, or coffee house, or if a known virus or worm is spreading across the Internet and you want to be extra careful until the threat has largely run its course.When you remove the checkmark next to this option, any traffic defined on the Exceptions tab will once again be permitted to connect to the Vista workstation.
136 CHAPTER 4 Implementing System Security Applications
Figure 4.2 Configuring Basic Windows Firewall Settings
■■
Off (not recommended) Microsoft does not recommend this setting for obvious reasons, as it leaves the workstation vulnerable to hackers and malicious software. The only reason you might want to turn off the Windows Firewall would be if you or your organization has already standardized on a third-party software firewall such as the ones offered by Symantec, McAfee, and others.
The Advanced tab in the Control Panel applet has had most of its functionality removed relative to Windows XP SP2. In XP SP2, the Advanced tab allowed you to configure settings for firewall logging, allowing or disallowing inbound ICMP traffic, and creating exceptions on a per-interface basis. As you can see in Figure 4.3, the Advanced tab in the Vista firewall only allows you to do the following: ■■
Enable or disable the firewall on each installed network interface
■■
Restore the Windows Firewall to its default settings
Personal Software Firewall 137
Figure 4.3 The Advanced Tab in the Windows Vista Firewall
Note The functions that were formerly found on the Advanced tab, as well as a number of new features in the Vista firewall, have been moved to the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in, which we’ll discuss in the following section.
Working with Built-In Firewall Exceptions In Figure 4.4, you can see the Exceptions tab of the Windows Firewall Control Panel applet. Windows Vista has improved this tab by offering a much wider array of preconfigured firewall exceptions, including the following: ■■
BITS Peercaching This allows workstations in the same subnet to locate and share files from the Background Intelligent Transfer Service (BITS) cache using the Web Services on Devices API (WSDAPI) framework.
138 CHAPTER 4 Implementing System Security Applications
Figure 4.4 Viewing the List of Windows Firewall Exceptions
■■
■■
■■
■■
■■
Connect to a Network Projector The Windows Firewall allows users to easily connect to projectors over wired or wireless networks using WSDAPI. Core Networking This allows for basic inbound and outbound network connectivity over wired and wireless connections. Distributed Transaction Coordinator This coordinates transactions that update transaction-protected resources such as databases, message queues, and file systems. File and Printer Sharing This is used for sharing local files and printers with other users. File and Printer Sharing still relies on network basic input/output system ( NetBIOS), server message block (SMB), and remote-procedure call (RPC) to communicate. iSCSI Service This is used for connecting to iSCSI target servers and devices.
Personal Software Firewall 139
■■
Media Center Extenders This allows Media Center Extenders to communicate with a computer running Windows Media Center.
Note The exceptions for the Microsoft Office and MSN Messenger products that you see in Figure 4.4 are not default exceptions that come with Windows Vista; these exceptions were configured automatically by the Office and Messenger installation routines.
■■
■■
■■
■■
■■
■■
■■
■■
■■
■■
■■
■■
Network Discovery As we discussed earlier in this chapter, this feature allows a Windows Vista device to discover other devices and be discovered by other devices on the network using Simple Service Discovery Protocol (SSDP), universal Plug and Play (UPnP), NetBIOS, and LLMNR (Linklocal Multicast Name Resolution). Remote Administration This feature allows administrators to connect remotely to the local computer using interfaces such as the Computer Management MMC snap-in, as well as familiar administrative hidden drive shares such as \\computername\c$. Remote Desktop This feature allows a remote user to connect to the Vista desktop using the Remote Desktop client over TCP port 3389. Remote Event Log Management This feature allows remote viewing and management of the local event log using Named Pipes and RPC. Remote Scheduled Task Management This feature allows remote management of the local task scheduling service over RPC. Remote Service Management This feature allows remote management of local services using Named Pipes and RPC. Remote Volume Management This feature provides the capability to manage software and hardware disk volumes remotely over RPC. Routing and Remote Access This feature creates exceptions to allow incoming virtual private network (VPN) and remote access server (RAS) connections. Telnet and Telnet Server Remote Administration This feature creates a firewall exception to allow remote administration using Telnet on TCP port 21. Windows Collaboration Computer Name Registration Service This feature allows other computers to locate and communicate with the local computer using the Peer Name Resolution Protocol and SSDP. Windows Firewall Remote Management This feature allows for remote management of the Windows Firewall over RPC. Windows Management Instrumentation (WMI) This feature allows system administrators to retrieve and modify configuration information about the local PC using a standard set of classes and components.
140 CHAPTER 4 Implementing System Security Applications
■■
■■
■■
■■
■■
■■
Windows Media Player This feature allows users to receive streaming media using UDP. Windows Media Player Network Sharing Service This feature allows users to share media using UPnP and SSDP. Windows Meeting Space This feature creates an exception to allow users to share desktops, programs, and documents over the network. Windows Peer to Peer Collaboration Foundation This feature creates a common framework to allow various peer-to-peer application traffic to pass through the Windows Firewall. Windows Remote Management This feature allows remote management of a Vista system using WS-Management, which is a Web services-based protocol that allows for remote management of OSes and devices. Wireless Portable Devices This feature allows users to transfer media from a networked camera or other media device using the Media Transfer Protocol (MTP). This exception relies on UPnP and SSDP to function.
Creating Manual Firewall Exceptions In addition to the built-in firewall exceptions we just discussed, you can also create additional firewall exceptions to allow inbound traffic to pass through the Windows Firewall. In many cases, these manual exceptions will be created automatically by the installer for a particular program, or else you’ll need to manually specify them from the Exceptions tab. The two types of exceptions you can create are as follows: ■■
■■
Port exceptions These exceptions allow all incoming traffic destined for particular TCP or UDP ports; for example, you can create an exception to allow incoming traffic on TCP port 80 for HTTP traffic, or on UDP port 69 for Trivial File Transfer Protocol (TFTP) traffic. Program exceptions These exceptions allow all incoming traffic that is destined for a particular executable file running on the local workstation, which will typically correspond to a service running on the local computer. To understand the difference between a port exception and a program exception, let’s look at the example of creating an exception for sqlserver. exe, the executable file associated with Microsoft SQL Server, versus opening an exception for TCP port 1433, which is the default TCP port that the Structured Query Language (SQL) Server uses. By creating an exception for sqlserver.exe, the Windows Firewall will allow incoming traffic only when the SQL Server service is actually running; if you stop the service to perform an application upgrade or database maintenance, the Windows Firewall will not accept incoming SQL traffic while the application is not running. By contrast, creating a port exception for TCP 1433 will create an “always on”
Personal Software Firewall 141
exception; the Windows Firewall will accept traffic from port 1433 regardless of whether the SQL Server service is running. To create a program exception, click Add program from the Exceptions tab. You’ll see the Add a Program screen shown in Figure 4.5. Click Browse to select the executable file for which you want to create an exception and then select Open. By default, any new exception that you create will be accessible by any computer, including those on the Internet. To restrict the scope of an exception that you’ve created, click the Change scope button. You’ll be presented with the screen shown in Figure 4.6, which will allow you to set one of three scopes: ■■
■■
Any computer (including those on the Internet) This scope will allow any computer on any network to access this program, including computers located anywhere on the Internet. My network (subnet) only For example, if your workstation has an IP address of 192.168.1.100 and a subnet mask of 255.255.255.0, the exception will be accessible by a machine with an IP address of 192.168.1.1 through 192.168.1.254.
Figure 4.5 Creating a Program Exception
142 CHAPTER 4 Implementing System Security Applications
Figure 4.6 Configuring the Scope of an Exception ■■
Custom list Here you can specify a list of individual IP addresses or ranges and their associated subnet masks, separate multiple entries with commas. For example, you can allow an exception for an entire range of clients plus an administrative workstation as follows: 192.168.1.146/255.255.255.255, 192.168.2.0/255.255.255.0. Unfortunately, there isn’t a good way to specify a range of addresses that does not correspond to a subnet mask; if you want to allow an exception for 192.168.1.152 through 192.168.1.159, you will need to specify each IP address individually.
Warning Use the My network (subnet) only scope with care if you are creating an e xception for a computer that is attached to a home-based ISP using a cable modem or DSL connection. Depending on the way in which your ISP has configured its network, using this exception on a home network might open up the firewall exception not just to every machine on your home network, but to every machine in a much larger portion of the ISP’s customer base.
To create a port exception, you’ll likewise click the Add port button when creating the exception. Creating a port exception requires the following information: ■■
■■
Name A descriptive name for the exception, such as “HTTP,” “WSUS Administration Port,” and so on. Port The port number of the exception.
Personal Software Firewall 143
■■
■■
TCP/UDP This is used to find whether the exception corresponds to a TCP port or a UDP port. Scope By clicking the Change scope button, you’ll specify the scope of the exception just as you would for a program exception.
Advanced Configuration of the Windows Firewall Unlike the Windows Firewall in XP SP2, you cannot modify the scope or properties of the preconfigured Windows Vista exceptions from the Control Panel applet, as you can see in Figure 4.7. However, there is a new interface for more advanced configuration of the firewall through an MMC snap-in, called Windows Firewall with Advanced Security. This new snap-in provides a number of new features that were not previously available in the XP firewall, including the following: ■■
■■
Controlling outbound as well as inbound traffic. The inability to control outbound traffic was a major criticism of the Windows Firewall in XP SP2, which was limited in functionality to controlling inbound traffic only. Configuring the Windows Firewall on remote computers. This feature allows you to attach to a remote computer and configure the firewall from within the Windows Firewall with an Advanced Security snap-in.
Figure 4.7 Viewing a Firewall Exception in the Control Panel
144 CHAPTER 4 Implementing System Security Applications
■■
■■
■■
Integrating Windows Firewall functionality with IP Security (IPSec). You can now control and administer both of these features from within the same MMC snap-in to avoid conflicts between them. Configuring Authenticated IPSec Bypass is a feature that allows IPSec-authenticated computers to bypass firewall rules that would otherwise block incoming or outgoing connection attempts. Creating and configuring separate firewall profiles based on whether a computer is attached to a private network or a corporate domain versus attaching to a public network in an airport, coffee shop, and so on. The XP SP2 firewall allowed for only two profiles—Domain and Standard—which did not allow the level of granularity that is often required for mobile computers and traveling workers.
You can access the new Windows Firewall with Advanced Security applet from the Administrative Tools menu, or by opening a blank MMC console and clicking on File | Add/Remove Snap-In. As you can see, this snap-in provides a very different view of the Windows Firewall. The left-hand and right-hand panes provide you quick access to perform common tasks and to access different portions of the snap-in, such as viewing inbound rules, outbound rules, connection security rules, and firewall monitoring. The main screen of the snap-in provides an at-a-glance view of the three available firewall profiles, as well as a visual indicator of which profile is active. The Vista firewall allows you to create different firewall settings for the following profiles: ■■
■■
■■
The Domain Profile is active whenever the computer is attached to a corporate Active Directory domain. The Private Profile is active when the computer is attached to a private network. The Public Profile is active when the computer is attached to a public network.
The default Windows Firewall settings are similar for all three profiles: The Windows Firewall is turned on, inbound connections that do not have a defined exception are blocked, and all outbound traffic is permitted. To customize this default behavior for one or more profiles, click the Windows Firewall Properties link; you’ll see the screen shown in Figure 4.8. From here, you can change the firewall state from on to off, and change the behavior for inbound and outbound connections. You can change the behavior for inbound connections to one of the following: ■■
■■
Block Blocks any inbound connection attempt that doesn’t have an exception associated with it. This is the default setting for inbound connections on all three profiles. Block all connections Blocks all incoming connection attempts regardless of whether there is a rule associated with them; this corresponds to the Block all incoming connections checkbox in the Windows Firewall Control Panel applet.
Personal Software Firewall 145
Figure 4.8 Customizing Windows Firewall Settings ■■
Allow This setting allows any inbound connection attempt.
You can set the behavior for outbound connections to Allow (the default for all three profiles) or Block, which will block outbound traffic unless a rule has been created to allow it. Clicking Customize under the Settings header will allow you to configure the following: ■■
■■
Whether to display a notification when Windows Firewall blocks an incoming connection. By default, notifications are enabled in all three profiles. Whether to allow a unicast response to broadcast or multicast traffic. This is permitted by default in all three profiles. Disabling this feature will not interfere with the operation of a DHCP server, as the Windows Firewall will always permit responses to DHCP messages. However, disabling this feature will interfere with many network discovery protocols, such as NetBIOS, SSDP, and WSDAPI.
146 CHAPTER 4 Implementing System Security Applications
Clicking Customize under the Logging header will allow you to configure the following settings: ■■
■■
The name, size, and location of the Windows Firewall logfile. By default, this file is located at %systemroot%\system32\LogFiles\Firewall\pfirewall.log and has a maximum size of 4096 KB. Whether to log dropped packets and/or successful connections within the Windows Firewall logfile. By default, neither dropped packets nor successful connections are logged within the Domain, Public, and Private profiles.
Note If you change the location of the Windows Firewall logfile, be sure that the Windows Firewall service account has Write permissions to the new directory.
Modifying IPSec Defaults The final tab that you see in Figure 4.8 is the IPsec Settings, which allows you to configure the settings IPSec uses to establish secured connections, as well as whether ICMP traffic should be exempted from IPSec rule processing. These advanced options allow you to configure the default manner in which IPSec handles key exchange, data protection (integrity and encryption), and authentication settings to meet the needs of your network. Note You can still create connection security rules (discussed in the next section) that deviate from these defaults; this simply creates the baseline that all rules will follow unless you specify otherwise.
By default, IPSec exemptions for ICMP are turned off; however, you may want to enable these exemptions to allow for troubleshooting of network connectivity by allowing PING and TRACERT traffic to pass through the Windows Firewall. By clicking Customize from the IPsec Defaults header, you can customize the default behavior of IPSec from the screen shown in Figure 4.9. From here, you can customize IPSec’s default behavior in several areas, as we discuss in the following sections.
Key Exchange (Main Mode) IPSec key exchange is used to establish authentication and data encryption between two computers. This process is divided into two phases: Main Mode and Quick Mode. In Main Mode, the two computers that are communicating use the Internet Key Exchange (IKE) protocol to set up a secure, authenticated channel between them. This process creates a Main Mode security association (SA). You’ll sometimes also hear this referred to as a Phase I SA. The settings that you define here will apply to all IPSec connection security rules that you create (we’ll discuss connection
Personal Software Firewall 147
Figure 4.9 Viewing the Default IPSec Settings
security rules next); the default settings that are used to create a Main Mode SA are as follows: ■■ ■■
Key lifetime (minutes) 480 minutes. Key lifetime (sessions) 0. Having a key lifetime of zero sessions forces any new keys to be issued in accordance with the Key lifetime (minutes) setting only.
148 CHAPTER 4 Implementing System Security Applications
■■ ■■
■■
Key exchange algorithm Diffie–Hellman Group 2. Security methods (integrity) IPSec security methods include both integrity algorithms and encryption algorithms. You can use any combination of these algorithms to secure the key exchanges. You can have as many of these combinations as you want, arranged in whatever order you want. These combinations of integrity and encryption algorithms will be attempted in the order that you’ve specified; the first combination that is supported by both peer computers will be the one that is used. If the computers are not capable of using any of the combinations that you’ve defined for IPSec, the two computers will not be able to communicate using IPSec. The default security method used for data integrity is SHA-1. Security methods (encryption) AES-128 is the primary method, and triple DES (3DES) is the secondary method.
Either you can accept the defaults for Main Mode key exchange, or you can select Customize to manually specify any of the settings we’ve described here. Figure 4.10 illustrates the Properties screen where you can modify any of these settings.
Figure 4.10 Customizing Advanced Main Mode Settings
Personal Software Firewall 149
Data Protection (Quick Mode) Phase 2 of the IKE process provides for the integrity and/or encryption of the data that is being transmitted between two computers that have established a Main Mode SA. The default settings for IPSec Quick Mode are as follows: ■■
■■
Data Integrity To provide data integrity only within Quick Mode (instead of providing both integrity and encryption), IPSec will first attempt to use the Encapsulating Security Payload (ESP) combined with the SHA-1 Data Integrity protocol to protect each packet. If ESP protection fails, IPSec will then use the Authentication Header (AH) protocol combined with SHA-1 to protect each packet. When using this method, IPSec does not incorporate any encryption algorithms such as AES or 3DES. In both cases, the Quick Mode key lifetime is 60 minutes or 100,000 KB of data transmitted, whichever comes first. Data Integrity and Encryption To provide for both data integrity and encryption, IPSec will first attempt to communicate using ESP combined with SHA-1 for data integrity and AES-128 for data encryption. If this connection attempt fails, IPSec will attempt to communicate using ESP, SHA-1, and 3DES encryption. The key lifetime is the same as before: 60 minutes/100,000 KB.
Again, you can either accept the defaults for IPSec Quick Mode, or select Customize to manually specify any of the settings we’ve described here. Figure 4.11 illustrates the Properties screen where you can modify any of these settings.
Figure 4.11 Customizing IPSec Quick Mode Settings
150 CHAPTER 4 Implementing System Security Applications
Authentication Method The authentication method settings that you select here will determine how two computers will authenticate one another to create an IPSec SA. The default authentication method is Computer (using Kerberos V5), but you can choose any of the following preconfigured methods: ■■
■■
■■
■■
Computer and User (using Kerberos V5) This authentication method requires both computer and user authentication, which means that both the user and the computer must authenticate successfully for the two computers to communicate. You can use this option to configure domain isolation, which will create a requirement that any incoming connections to the local computer originate only from domain-joined computer or user objects. Computer (using Kerberos V5) This method requires only the computer account to authenticate before communication can take place; the computer must be a part of the same Active Directory domain or in a separate domain that has a trust relationship configured. This option creates domain isolation by only allowing incoming connection attempts from domain-joined computers. User (using Kerberos V5) Similar to the preceding method, this method requires authentication from the user who is logged on to the remote computer; the user must belong to the same Active Directory domain or a trusted domain. This option creates domain isolation by only allowing incoming connections from Active Directory user accounts in the same domain or in a trusted domain. Computer certificate from this certification authority This method will authenticate computers using certificates issued by a particular certificate authority (CA). This method is useful if you need to allow IPSec traffic to nondomain-joined computers or computers that are members of nontrusted Active Directory domains. You can further specify that this method will accept only health certificates, which the Network Access Protection (NAP) service uses to confirm that a computer that is requesting a connection is up-to-date on patching, antivirus, and other health checks that are required for access to the network.
By clicking on Advanced | Customize, you can configure a custom combination of authentication methods; Figure 4.12 illustrates the settings that you can configure in this way. The First authentication method describes how the computer account is authenticated, and the Second authentication method describes user authentication. As you can see, you can specify that one of these steps is optional; useronly authentication would use Second authentication only, for example. When you click Add within the First authentication section, you see the screen shown in Figure 4.13.
Personal Software Firewall 151
Figure 4.12 Creating a Custom Authentication Method
Warning Although it is technically possible to make both first authentication and second authentication optional, this is not recommended because doing so effectively disables IPSec authentication within your environment.
When creating a custom method for computer authentication, you can select from one of the following options: ■■
■■
■■
Computer (Kerberos V5) This is the default method for first authentication and will authenticate a computer in the same or in a trusted domain using Kerberos V5. Computer (NTLMv2) This method is used for backward compatibility and to provide authentication for nondomain-joined PCs or PCs joined to untrusted domains. Computer certificate from this certification authority (CA) This method will authenticate computers using certificates issued by a particular CA. You can further control this method by selecting one or both of the following: ❏❏
Accept only health certificates This will accept only certificates that the NAP process utilizes.
152 CHAPTER 4 Implementing System Security Applications
Figure 4.13 Customizing Computer Authentication ❏❏
■■
Enable certificate to account mapping This allows you to map a certificate to one or more computer accounts within Active Directory, thus allowing you to use a single certificate for a group of computers.
Preshared key (not recommended) This is the least secure authentication method and Microsoft does not recommend it; it is present only for backward compatibility and to ensure compliance with the RFC standards for IPSec. If you configure a preshared key as the first authentication method, you cannot use any method for second authentication.
Figure 4.14 illustrates the options available when creating a custom method for second authentication. Similar to first authentication, you can create a custom user authentication method by selecting one of the following: ■■
■■
■■
User (Kerberos V5) This is the default method for second authentication and can authenticate any user in the local domain or in any trusted domain. User (NTMLv2) This method exists for backward compatibility and to authenticate nondomain-joined users. User certificate from this certification authority (CA) This method will authenticate users using certificates issued by a particular CA. You have the
Personal Software Firewall 153
Figure 4.14 Customizing User Authentication
option to enable certificate-to-account mapping to use a single certificate to authenticate one or multiple users. ■■
Computer health certificate from this certification authority (CA) This method allows you to authenticate using computer health certificates used by the NAP service. You again have the option to enable certificate-to-account mapping of NAP health certificates.
Creating Connection Security Rules Once you’ve configured the default IPSec behavior for your individual computer or for an entire network, you can create connection security rules that will define how the Windows Firewall with Advanced Security will enforce authentication requirements for different situations. You can view any existing rules by clicking Connection Security Rules from the main screen of the MMC snap-in. If you right-click Connection Security Rules, you can view only a subset of these rules, filtered in one of the following two ways: ■■
■■
Filter by Profile This will show only those rules that have been configured for the Domain, Private, or Public profile. Selecting Show All will remove any filters. Filter by State This will show only those rules that are currently enabled or disabled. Again, selecting Show All will remove any filters and display all defined rules.
154 CHAPTER 4 Implementing System Security Applications
To create a new rule, right-click Connection Security Rules and select New Rule. You’ll see the screen shown in Figure 4.15. You can create one of the following types of connection security rules; we will discuss each one in turn: ■■
■■
■■
■■
■■
An isolation rule will restrict connections to one or more computers based on authentication criteria, by using domain memberships, certificates issued by a CA, or network health certificates issued by NAP. An authentication exemption rule will allow a connection to take place without attempting to authenticate the two computers involved. A server-to-server connection security rule will authenticate a connection between two specific computers. A tunnel connection security rule will authenticate connections between two gateway computers—for example, two computers that are being used to configure a site-to-site VPN. A custom connection security rule will allow you to define the exact parameters that the rule should abide by, if one of the preconfigured choices is not appropriate.
Configuring an Isolation Rule To configure an isolation connection security rule, select Isolation from the screen shown in Figure 4.15 and then click Next. You will then be prompted to select one of the following three authentication requirements for the new isolation rule: ■■ ■■
■■
Request authentication for inbound and outbound connections Require authentication for inbound connections and request authentication for outbound connections Require authentication for inbound and outbound connections
Once you have made your choice, click Next. You will then be prompted to select the authentication method that this rule should use. Choose the options among the following: ■■
Default
■■
Computer and User (Kerberos V5)
■■
Computer (Kerberos V5)
■■
■■
Computer Certificate If you select this option, you will be prompted to enter the name of a CA on your network. You will also have the option to accept only NAP health certificates. Advanced If you select this option, you will be prompted to configure a custom authentication method as described in the “Authentication Method” section, earlier in this chapter.
Personal Software Firewall 155
Figure 4.15 Creating a Connection Security Rule
Once you have made your choice, click Next. You will then be prompted to select which Windows Firewall profile will apply this rule: Domain, Public, and/or Private. You can configure this rule to be enforced under one, two, three, or none of the Windows Firewall profiles. Click Next to continue. You’ll be prompted to enter a name and an optional description for this rule. Click Finish when you’re done. You’ll be returned to the main MMC snap-in window, where you will see the newly created rule listed in the main window. From here, you can right-click the rule to disable or delete it, or you can select Properties to modify any of the settings that you configured in the wizard.
Configuring an Authentication Exemption Rule To create an authentication exemption rule, perhaps for a destination computer that does not support IPSec or that needs to be made available to public-facing clients, select Authentication exemption from the screen shown in Figure 4.15 and click Next.
156 CHAPTER 4 Implementing System Security Applications
Click Add to configure the list of computers that should be exempt from IPSec authentication; you’ll see the screen shown in Figure 4.16. You can configure exemptions for one or more single IP addresses, for a range of IP addresses, or for one of the following predefined sets of computers: ■■
Default gateway
■■
Windows Internet Name Service (WINS) servers
■■
DHCP servers
■■
DNS servers
■■
Local subnet This includes all computers available to the local computer, except for any that are configured with public IP addresses (interfaces). This includes both local area network (LAN) and wireless addresses.
When you’ve added all of the IP addresses or devices that should be exempt from IPSec authentication, click Next. You will then be prompted to select which
Figure 4.16 Defining a List of IP Addresses
Personal Software Firewall 157
Windows Firewall profile will apply this rule: Domain, Public, and/or Private. You can configure this rule to be enforced under one, two, three, or none of the Windows Firewall profiles. Click Next to continue. You’ll be prompted to enter a name and an optional description for this rule. Click Finish when you’re done. You’ll be returned to the main MMC snap-in window, where you will see the newly created rule listed in the main window. From here, you can right-click the rule to disable or delete it, or you can select Properties to modify any of the settings that you configured in the wizard.
Configuring a Server-to-Server Connection Security Rule To configure a connection security rule that defines how authentication should take place between a specific set of servers or devices, select Server-to-server from the screen shown in Figure 4.15 and click Next. You’ll see the screen shown in Figure 4.17. To specify individual devices to which this rule should apply, click Add. You’ll be taken to the IP Address screen shown in Figure 4.16, where you’ll be able to specify one or more single IP addresses, a range of IP addresses, or one of the
Figure 4.17 Configuring a Server-to-Server Rule
158 CHAPTER 4 Implementing System Security Applications
predefined sets of devices discussed in the “Configuring an Authentication Exemption Rule” section. You can also select Customize to specify the type of interface to which the rule should apply: LAN, remote access, or wireless. The rule can be applied to one, two, or all three of these interface types; it will be applied to all interface types by default. Click Next once you have specified the endpoints to which this rule should apply. You will then be prompted to select one of the following three authentication requirements for the new isolation rule: ■■ ■■
■■
Request authentication for inbound and outbound connections Require authentication for inbound connections and request authentication for outbound connections Require authentication for inbound and outbound connections
Click Next once you’ve made your selection. You can then choose from one of the following three authentication methods: ■■
■■
■■
Computer Certificate If you select this option, you will be prompted to enter the name of a CA on your network. You will also have the option to accept only NAP health certificates. Preshared key As we discussed earlier, this is a low-security authentication method that Microsoft does not recommend; it is included only for backward compatibility and to ensure compliance with the IPSec RFC standards. Advanced If you select this option, you will be prompted to configure a custom authentication method as described earlier, in the “Authentication Method” section.
When you’ve selected the authentication method that this rule should use, click Next. You will then be prompted to select which Windows Firewall profile will apply this rule: Domain, Public, and/or Private. You can configure this rule to be enforced under one, two, three, or none of the Windows Firewall profiles. Click Next to continue. You’ll be prompted to enter a name and an optional description for this rule. Click Finish when you’re done. You’ll be returned to the main MMC snap-in window, where you will see the newly created rule listed in the main window. From here, you can right-click the rule to disable or delete it, or you can select Properties to modify any of the settings that you configured in the wizard.
Configuring a Tunnel Connection Security Rule To create a tunnel connection security rule, most commonly in the case of a site-tosite VPN, select Tunnel from the screen shown in Figure 4.15 and then click Next. You’ll be presented with the screen in Figure 4.18. Use the Add button to specify the computers that are being protected by each tunnel node; you’ll be taken to the IP Address screen shown in Figure 4.15, where you’ll be able to specify one or more single IP addresses, a range of IP addresses, or
Personal Software Firewall 159
Figure 4.18 Configuring a Tunnel Connection Security Rule
one of the predefined sets of devices discussed in the “Configuring an Authentication Exemption Rule” section. Then specify the IP address of the tunnel gateway node for each endpoint; you can specify the IPv4 and IPv6 addresses if they are available. Click Next once you’ve specified the IP addresses and tunnel endpoints for each end of the connection. You can then choose from one of the following three authentication methods: ■■
■■
■■
Computer Certificate If you select this option, you will be prompted to enter the name of a CA on your network. You will also have the option to accept only NAP health certificates. Preshared key As we discussed earlier, this is a low-security authentication method that Microsoft does not recommend; it is included only for backward compatibility and to ensure compliance with the IPSec RFC standards. Advanced If you select this option, you will be prompted to configure a custom authentication method as described earlier, in the “Authentication Method” section.
160 CHAPTER 4 Implementing System Security Applications
When you’ve selected the authentication method that this rule should use, click Next. You will then be prompted to select which Windows Firewall profile will apply this rule: Domain, Public, and/or Private. You can configure this rule to be enforced under one, two, three, or none of the Windows Firewall profiles. Click Next to continue. You’ll be prompted to enter a name and an optional description for this rule. Click Finish when you’re done. You’ll be returned to the main MMC snap-in window, where you will see the newly created rule listed in the main window. From here, you can right-click the rule to disable or delete it, or you can select Properties to modify any of the settings that you configured in the wizard.
Creating a Custom Connection Security Rule If none of the preconfigured rule definitions fits your needs, you can create a custom rule by selecting Custom from the screen shown in Figure 4.15 and clicking Next. You’ll be taken to the screen shown in Figure 4.17, where you’ll need to specify which IP address or addresses are contained in Endpoint 1 and Endpoint 2. To specify individual devices to which this rule should apply, click Add. You’ll be taken to the IP Address screen shown in Figure 4.16, where you’ll be able to specify one or more single IP addresses, a range of IP addresses, or one of the predefined sets of devices discussed in the “Configuring an Authentication Exemption Rule” section. You can also select Customize to specify the type of interface to which the rule should apply: LAN, remote access, or wireless. The rule can be applied to one, two, or all three of these interface types; it will be applied to all interface types by default. Click Next once you have specified the endpoints to which this rule should apply. You will then be prompted to select one of the following three authentication requirements for the new isolation rule: ■■ ■■
■■
Request authentication for inbound and outbound connections Require authentication for inbound connections and request authentication for outbound connections Do not authenticate
Click Next once you’ve made your selection. You will then be prompted to select the authentication method that this rule should use. Choose the options among the following: ■■
Default
■■
Computer and User (Kerberos V5)
■■
Computer (Kerberos V5)
■■
Computer Certificate If you select this option, you will be prompted to enter the name of a CA on your network. You will also have the option to accept only NAP health certificates.
Personal Software Firewall 161
■■
Advanced If you select this option, you will be prompted to configure a custom authentication method as described earlier, in the “Authentication Method” section.
Once you have made your choice, click Next. You will then be prompted to select which Windows Firewall profile will apply this rule: Domain, Public, and/or Private. You can configure this rule to be enforced under one, two, three, or none of the Windows Firewall profiles. Click Next to continue. You’ll be prompted to enter a name and an optional description for this rule. Click Finish when you’re done. You’ll be returned to the main MMC snap-in window, where you will see the newly created rule listed in the main window. From here, you can right-click the rule to disable or delete it, or you can select Properties to modify any of the settings that you configured in the wizard.
Creating Firewall Rules In addition to configuring connection security rules, you can use the Windows Firewall with Advanced Security MMC snap-in to exert far more granular control over inbound traffic rules than is available within the Control Panel applet. You can view any existing inbound rules by clicking on Inbound Rules from the main screen of the MMC snap-in; likewise, you can view any existing outbound rules by clicking on Outbound Rules. If you right-click either of these nodes, you can view only a subset of these rules, filtered in one of three ways: ■■
■■
■■
Filter by Profile This will show only those rules that have been configured for the Domain, Private, or Public profile. Selecting Show All will remove any filters. Filter by State This will show only those rules that are currently enabled or disabled. Again, selecting Show All will remove any filters and display all defined rules. Filter by Group This will only show rules that are associated with a particular predefined rule set, such as BITS Peercaching or Connect to a Network Projector, or you can display only those rules that are not associated with a group. Selecting Show All will remove any filters. To create a new rule, rightclick Inbound Rules and select New Rule. You’ll see the screen shown in Figure 4.19. You can create one of the following types of inbound rules; we will discuss each one in turn: Program This creates a rule that is associated with a particular executable file, similar to the Add Program option on the Exceptions tab of the Windows Firewall Control Panel applet. ❏❏ Port This creates a rule associated with a network port, similar to the Add Port option in the Windows Firewall Control Panel applet. ❏❏
162 CHAPTER 4 Implementing System Security Applications
Figure 4.19 Creating a New Firewall Rule
Predefined This creates a rule associated with one of the services that have been predefined within the Windows Vista firewall, such as BITS Peercaching or Network Discovery. ❏❏ Custom This creates a custom rule when none of the preconfigured choices is appropriate for your needs. ❏❏
Note The graphical user interface (GUI) screens used in creating an inbound rule and an outbound rule are nearly identical; we will be creating an inbound rule in the following example and we’ll point out any differences as needed.
Creating a Program Firewall Rule To configure a firewall rule associated with a particular application, select Program from the screen shown in Figure 4.19 and click Next. You can create a rule that applies to one of the following options: ■■
All programs This option affects all programs that are installed on the local computer.
Personal Software Firewall 163
■■
This program path This option allows you to click Browse to select an individual .exe file.
Click Next when you have made your selection. You’ll be prompted to select one of the following Actions that should be taken when an executable is found that matches this rule: ■■ ■■
■■
Allow the connection Allow the connection if it is secure If you select this option, you can select one or both of the following additional options: ❏❏ Require the connections to be encrypted ❏❏ Override block rules This option enables the Authenticated IPSec Bypass option that will allow IPSec-authenticated users and computers to bypass inbound firewall rules. This option is available only when configuring an inbound rule. Block the connection
Warning If your Windows Firewall configuration is set to Block All Connections (or if you’ve selected the Block All Incoming Connections option from the Control Panel applet), Authenticated IPSec Bypass will have no effect and the incoming traffic in question will still be blocked.
Click Next once you have chosen the appropriate action for this rule to take. If you select Allow the connection if it is secure, you will be taken to the screen shown in Figure 4.20. To restrict connections to only specific computers, place a checkmark next to Only allow connections from these computers; click Add to add one or more Active Directory computer accounts to the firewall rule. To restrict inbound connections to specific Active Directory user objects, place a checkmark next to Only allow connections from these users; click Add to specify one or more Active Directory user or group objects. Both of these checkboxes are optional; you do not need to restrict the rule to specific users or computers if you do not want to do so. Note When creating an outbound rule, the wizard will read Only allow connections to these computers. In addition, the option to restrict connections according to user accounts will not be available.
If you were taken to the Users and Computers screen shown in Figure 4.20, click Next once you have made the appropriate selections. Once you have made your choice, click Next. You will then be prompted to select which Windows Firewall profile will apply this rule: Domain, Public, and/or Private. You can configure this rule to be enforced under one, two, three, or none of the Windows Firewall profiles.
164 CHAPTER 4 Implementing System Security Applications
Figure 4.20 Restricting Firewall Connection by User or Computer
Click Next to continue. You’ll be prompted to enter a name and an optional description for this rule. Click Finish when you’re done. You’ll be returned to the main MMC snap-in window, where you will see the newly created rule listed in the main window. From here, you can right-click the rule to disable or delete it, or you can select Properties to modify any of the settings that you configured in the wizard.
Creating a Port Firewall Rule To configure a firewall rule associated with a particular network port, select Port from the screen shown in Figure 4.19 and click Next. You’ll need to specify the following information: ■■ ■■
Is the exception being created for a TCP port or a UDP port? Does the exception correspond to all port numbers (whether TCP or UDP), or one or more specific local ports? You can enter an individual port number, or you can separate multiple port numbers with commas. However, ports within an individual rule must be all TCP or all UDP. You cannot create a single firewall rule that corresponds to TCP port 138 and UDP port 138; this will require that two separate rules be created.
Personal Software Firewall 165
Figure 4.21 Modifying a Preconfigured Exception
Click Next once you’ve entered the port information. The remaining steps in the wizard are identical to creating a program firewall rule: ■■
■■
Specify the action to be taken: Allow, Block, Secure, Secure and require encryption, or Secure and override block rules. If you are creating a Secure rule, optionally restrict connections to specific user or computer objects for inbound connections, or to specific computer objects for outbound connections.
■■
Specify which profile(s) the rule should apply to.
■■
Provide a name and a description for the rule.
You’ll be returned to the main MMC snap-in window, where you will see the newly created rule listed in the main window. From here, you can right-click the rule to disable or delete it, or you can select Properties to modify any of the settings that you configured in the wizard.
166 CHAPTER 4 Implementing System Security Applications
Configuring a Predefined Firewall Rule To modify the rules associated with one of the predefined Windows Vista exceptions, choose Predefined from the screen shown in Figure 4.19. (You should select this option with care, because you will be overwriting the predefined firewall rules that were installed with Windows Vista.) Select the exception that you want to modify and click Next. For this example, we have selected the Connect to a Network Projector exception. You will see the screen shown in Figure 4.21. Place a checkmark next to as many individual rules as you want to modify, and then click Next. Again, select this option with care, because you will be overwriting the existing rule set. You’ll be prompted to select one of the following actions that should be taken when an executable is found that matches this rule: ■■ ■■
Allow the connection Allow the connection if it is secure If you select this option, you can select one or both of the following additional options: Require the connections to be encrypted ❏❏ Override block rules. This enables the Authenticated IPSec Bypass option that will allow IPSec-authenticated users and computers to bypass inbound firewall rules. This option is available only when configuring an inbound rule. ❏❏
■■
Block the connection
Warning If your Windows Firewall configuration is set to Block All Connections (or if you’ve selected the Block All Incoming Connections option from the Control Panel applet), then Authenticated IPSec Bypass will have no effect and the incoming traffic in question will still be blocked.
If you select Allow the connection if it is secure, you will be returned to the screen shown in Figure 4.20 to specify which user and/or computer accounts to allow connections to or from. Otherwise, your only option will be to select Finish to save your changes. Note When modifying an outbound predefined exception, the wizard will read Only allow connections to these computers. In addition, the option to restrict connections according to user accounts will not be available.
Creating a Custom Firewall Rule Configuring a custom firewall rule allows you the greatest amount of flexibility in configuring the Windows Firewall. To begin configuring a custom rule, select Custom from the screen shown in Figure 4.19 and then click Next.
Personal Software Firewall 167
Your first configuration step will be to define the program to which this exception applies. Select one of the following: ■■
■■
All programs This rule will apply to all connections to the local computer that match any other properties defined within the custom rule. This program path Select this option and browse to the specific executable file to which the custom exception refers.
Also on this screen, you’ll need to configure which services and processes this exception will refer to. Click Customize to select one of the following options: ■■
Apply to all programs and services
■■
Apply to services only
■■
Apply to this service This option allows you to select a specific Windows service.
■■
Apply to service with this service shortname This option allows you to specify the shortname of the service in question, such as eventlog or w3svc.
Click Next once you’ve defined the program to which this exception applies. You’ll be taken to the screen shown in Figure 4.22, which will allow you to specify the following information about any specific port to which this exception refers: ■■
■■
■■
■■
■■
Protocol type Most commonly TCP, UDP, or ICMPv4, but other options such as Internet Group Management Protocol (IGMP) and generic routing encapsulation (GRE) are available. Protocol number This field is automatically populated based on your choice of protocol type. Local port You can choose Any port or specify one or more specific ports from which this traffic will originate, with multiple port numbers separated by commas. All ports that you specify must be of the same protocol type: TCP 135 and TCP 139, for example, but not TCP 21 and UDP 22. Remote port Similar to the local port, you can choose Any port or specify one or more ports of the same protocol type. Internet Control Message Protocol (ICMP) settings If you select ICMPv4 or ICMPv6 as the protocol type, you can allow this rule to apply to all ICMP traffic, or you can specify one or more of the following ICMP message types.
For ICMPv6, the message types are as follows:
1. Destination Unreachable
2. Packet Too Big
3. Time Exceeded
4. Parameter Problem
168 CHAPTER 4 Implementing System Security Applications
Figure 4.22 Configuring a Custom Port Definition
5. Echo Request
6. Multicast Listener Query
7. Multicast Listener Report
8. Multicast Listener Done
9. Router Solicitation
10. Router Advertisement 11. Neighbor Discovery Solicitation 12. Neighbor Discovery Advertisement 13. Redirect 14. Multicast Listener Report v2
Personal Software Firewall 169
And for ICMPv4, the message types are as follows:
1. Packet Too Big
2. Destination Unreachable
3. Source Quench
4. Redirect
5. Echo Request
6. Router Advertisement
7. Router Solicitation
8. Time Exceeded
9. Parameter Problem
10. Timestamp Request 11. Address Mask Request Once you’ve defined any relevant port and protocol settings, click Next. You’ll then need to define both the local and remote IP addresses to which this exception refers. For both the local and remote addresses, you can select either Any IP Address or These IP Addresses. To specify the IP addresses to which this rule should apply, click These IP Addresses and then click Add. You’ll be taken to the IP Address screen shown in Figure 4.16, where you’ll be able to specify one or more single IP addresses, a range of IP addresses, or one of the predefined sets of devices discussed in the “Configuring an Authentication Exemption Rule” section. You can also select Customize to specify the type of interface to which the rule should apply: LAN, remote access, or wireless. The rule can be applied to one, two, or all three of these interface types; it will be applied to all interface types by default. Click Next once you have specified the local and remote IP addresses to which this rule should apply. You’ll be prompted to select one of the following actions that should be taken when a packet is found that matches this custom rule: ■■ ■■
■■
Allow the connection Allow the connection if it is secure If you select this option, you can select one or both of the following additional options: ❏❏ Require the connections to be encrypted ❏❏ Override block rules This enables the Authenticated IPSec Bypass option that will allow IPSec-authenticated users and computers to bypass inbound firewall rules. This option is available only when configuring an inbound rule. Block the connection
170 CHAPTER 4 Implementing System Security Applications
Warning If your Windows Firewall configuration is set to Block All Connections (or if you’ve selected the Block All Incoming Connections option from the Control Panel applet), then Authenticated IPSec Bypass will have no effect and the incoming traffic in question will still be blocked.
If you select Allow the connection if it is secure, you will be returned to the screen shown in Figure 4.20 to specify which user and/or computer accounts to allow connections to or from. Otherwise, your only option will be to select Finish to save your changes. Note When modifying an outbound predefined exception, the wizard will read Only allow connections to these computers. In addition, the option to restrict connections according to user accounts will not be available.
If you were taken to the Users and Computers screen shown in Figure 4.20, click Next once you have made the appropriate selections. Once you have made your choice, click Next. You will then be prompted to select which Windows Firewall profile will apply this rule: Domain, Public, and/or Private. You can configure this rule to be enforced under one, two, three, or none of the Windows Firewall profiles. Click Next to continue. You’ll be prompted to enter a name and an optional description for this rule. Click Finish when you’re done. You’ll be returned to the main MMC snap-in window, where you will see the newly created rule listed in the main window. From here, you can right-click the rule to disable or delete it, or you can select Properties to modify any of the settings that you configured in the wizard.
Tools and Traps Configuring the Windows Firewall from the Command Line In addition to the GUI configuration options we’ve outlined thus far, you can also administer the Windows Firewall using the netsh command-line utility. Netsh allows you to configure and monitor the Windows Firewall by creating rules, monitoring connections, and displaying the status of the Windows Firewall. To access netsh simply go to the command prompt and enter netsh advfirewall. From this context, you will have the following subcommands available: ■■
export This command exports the current firewall policy to a file.
■■
help This command displays a list of available commands.
Personal Software Firewall 171
■■
import This command imports the firewall configuration from a particular file.
■■
reset This command restores the Windows Firewall to its default configuration.
■■
set file This command copies the console output to a file.
■■
set machine This command denotes the computer that should be configured.
■■
show allprofiles This command displays the firewall properties for all three profiles.
■■
show domainprofile This command displays the firewall properties for the domain profile.
■■
show privateprofile This command displays the firewall properties for the private profile.
■■
show publicprofile This command displays the firewall properties for the public profile.
You can also access the following additional subcontexts to configure additional aspects of the Windows Firewall: ■■
consec This command helps to view and configure connection security rules.
■■
inbound This command helps to view and configure inbound firewall rules.
■■
outbound This command helps to view and configure outbound firewall rules.
■■
monitor This command helps to view and configure monitoring information.
And of course, you can obtain help from any netsh menu by simply typing ? and pressing Enter.
Monitoring the Windows Firewall Using the Windows Firewall with Advanced Security MMC snap-in, administrators now have access to real-time firewall configuration information that can be invaluable in troubleshooting connectivity issues on Vista workstations. Simply open the MMC snap-in and select Monitoring in the left-hand pane, as shown in Figure 4.23. From the main Monitoring screen shown in Figure 4.23, you will see an at-aglance summary of your current firewall settings, describing the overall state of the firewall, which profile is active, as well as notification and logging settings. You also have the ability to drill down to a detailed view of any of the following: ■■
Active firewall rules
■■
Active security connection rules
■■
Active IPSec SAs
In Figure 4.24 you can see the information that is displayed when you drill down to the Firewall node: which firewall rules are currently active, and specific details on each rule including the name of the rule, the action associated with that rule (allow, secure, block), whether it is an inbound or outbound firewall rule, and much more.
172 CHAPTER 4 Implementing System Security Applications
Figure 4.23 Monitoring the Windows Firewall
CheckPoint ZoneAlarm Before Windows XP SP2 and Windows Vista incorporated firewall components into the OS, machines were potentially more susceptible to attack. One way a user could protect their PC was to install and configure a software firewall on their own. Many different corporations offer software firewalls, and these are still a viable alternative to using the built-in firewall software that is included with Windows XP SP2 or Windows Vista. The software firewalls on the market today vary from complex to simple, and there is a software firewall for every user skill level that exists. Many of them have very advanced settings, which let the user control each and every aspect of the program and determine what the action is for all traffic. If a user does not desire this level of control, many software firewalls have the capability to automatically scan the computer and make determinations on how the firewall rules should be configured. In this section, we will focus specifically on CheckPoint’s ZoneAlarm. As we will see, ZoneAlarm has the capability to automatically scan a computer to set the firewall rules up automatically, or if you prefer you can take control and configure the program’s advanced settings on your own to determine how it will behave with different traffic types.
Personal Software Firewall 173
Figure 4.24 Monitoring Active Firewall Rules
ZoneAlarm was originally developed by Zone Labs, which was acquired by CheckPoint in 2003. ZoneAlarm is currently available in multiple versions. Depending on what functionality you would like to include in your install, there are different bundled choices to select from. ZoneAlarm in its simplest form is a free download and only includes the software firewall with inbound and outbound network functionality. If you require additional features, you have many choices. The ZoneAlarm product functions as an inbound/outbound firewall analyzing network traffic, but it can be further extended to an OS Firewall that monitors your installed programs for comparison against a known set of applications to ensure what you are running is legitimate. You can additionally tack on antivirus, antispam, antispyware, antiphishing, and identity theft protection. The product even has the capability to have parental controls configured and can help to ensure secure Web browsing. For a complete product feature comparison please visit the ZoneAlarm Web site at www.zonealarm.com/security/en-us/compare-anti-virus-spyware-software.htm. In this section, we will explore the software firewall component of CheckPoint ZoneAlarm. We will first review how to configure ZoneAlarm and then explore more advanced configuration settings.
174 CHAPTER 4 Implementing System Security Applications
Configuring the ZoneAlarm firewall The ZoneAlarm console is divided into four main sections. Each of these sections performs different functions that allow you to customize ZoneAlarm to meet your needs. The four sections are as follows: ■■
Overview
■■
Firewall
■■
Program Control
■■
Alerts & Logs
The Overview screen is depicted in Figure 4.25 and is primarily for viewing statistical and licensing information and is divided into three sections: Main, Product Info, and Preferences. Because we have only installed the free firewall component, notice that on the Main screen only the Firewall Security section is available; all other options are grayed out. In order to view your firewall statistics click anywhere in the green Firewall Security area on the Main screen and a separate pop-up window appears. ZoneAlarm keeps track of inbound and outbound firewall traffic and allows you to view the traffic
Figure 4.25 ZoneAlarm Main Screen with Only Free Firewall Installed
Personal Software Firewall 175
and action history. Figure 4.26 displays a sample of the statistics screen. In the bottom left-hand corner of the screen, the Reset Counters button allows you to reset the tracked values. The Product Info section of the ZoneAlarm Overview allows you to view the version information, licensing information, support and update information, as well as product registration status. The Preferences section allows you to configure the general behavior of ZoneAlarm. You can configure whether or not to check for product updates, and also decide on the startup behavior of ZoneAlarm. Figure 4.27 shows the preferences screen. In the next sections, we will discuss the additional configuration screens for setting up ZoneAlarm.
Working with Security Zones
Figure 4.26
The Firewall section of ZoneAlarm ZoneAlarm Protection Details Statistics allows you to primarily control inbound and outbound port access by manipulating two configuration sections: Main and Zones. Much of what is set up in ZoneAlarm is done through autodetection during installation, but you have the ability to override or adjust the firewall settings at any time. ZoneAlarm regulates traffic by dividing the network environment into zones. Traffic to or from your computer is compared against defined zones and the action taken on the traffic depends on the zone match and the rules configured. There are two default zones: the Internet zone and the Trusted zone. The zones can be configured manually, or ZoneAlarm can autodetect your network circumstances, which populates the zones based on the discovered configuration. Internal networks will be included in the Trusted zone, and all other networks fall into the Internet zone. Each of the zones has the following three security levels that can be configured from the Main section: ■■
High
■■
Medium
■■
Off
When a zone is configured to High, the local computer is not accessible on the network and is effectively invisible to other machines. File and printer sharing is blocked
176 CHAPTER 4 Implementing System Security Applications
Figure 4.27 ZoneAlarm Preferences
and all port access is blocked unless permission has been explicitly granted. Outbound traffic is allowed and the local machine is able to view and access other computers. When a zone is configured to Medium, the local computer is accessible from the network. File and print sharing is allowed and access to Windows services is permitted. Port and program permissions are still enforced. If the security zone is set to Off, no firewall protection is enforced. Figure 4.28 displays the firewall configuration Main screen with the defaults enabled. By default the Internet security zone is configured to High, and the Trusted security zone is configured to Medium. If the default settings are not appropriate for your circumstances, it is possible to adjust the configurations as well as add additional custom zones. To edit the default zone settings, you can simply slide the bar for the zone up or down depending on your desired setting. To create a new zone, you must first select the Firewall section and then the Zones section, and finally use the Add button in the Zones section to select the criteria that will be used to classify the machines in the zone. The following criteria choices are available: ■■
Host/Site
■■
IP Address
Personal Software Firewall 177
Figure 4.28 Main Firewall Screen with Default Security Zones ■■
IP Range
■■
Subnet
Once you have selected the criteria type, you must enter the applicable value and select the security zone that will be applied to the criteria. Optionally you may add in a description value. In Exercise 4.1, you will step through creating a custom zone.
Exercise 4.1 In this exercise, you will create and configure a custom zone. This exercise assumes you have already installed the ZoneAlarm free firewall, you are logged on as a user with ZoneAlarm configuration privileges, and that ZoneAlarm is running. 1.
In the System Tray, double-click the ZoneAlarmicon to bring up the ZoneAlarm console. See Figure 4.29 for a ZoneAlarm sample System Tray icon.
2.
Once the console screen has opened click Firewall | Zones.
Figure 4.29 ZoneAlarm System Tray Icon
178 CHAPTER 4 Implementing System Security Applications
Figure 4.30 ZoneAlarm Zones
3.
In the Zones detail pane in the bottom right-hand corner, click the Add>> button and then select IP Address. See Figure 4.30 for a sample Zones screen.
4.
In the Add IP Address dialog box, click the drop-down box next to Zones and select Trusted.
5.
In the IP Address box, type in 192.168.1.5.
6.
In the Description field, type Practice Zone Configuration.
7.
Click OK.
8.
You will now see your new zone displayed in the screen.
By utilizing zones in your ZoneAlarm configuration you can optimize the way traffic flows to and from your computer and thoroughly control the access.
Working with Program Control Just as you can control inbound and outbound port traffic to a machine with ZoneAlarm, you additionally have the capability to use the basic Program Control included with the ZoneAlarm free firewall to identify program behavior that is considered acceptable. The Program Control section is broken into two components: Main and Programs.
Personal Software Firewall 179
The Main section is further broken down into two sections. The first section, Program Control, indicates the system’s configured level of protection. It has a slide bar that is similar to the Firewall slide bar, and offers the following four possible settings for Program Control: ■■
High
■■
Medium
■■
Low
■■
Off
Figure 4.31 displays the Program Control screen. High is the most restrictive s etting for Program Control, and will generate the most number of alerts due to Program activity. High is only available to be configured when the ZoneAlarm Security Suite is installed, and not with the simple free firewall. The default setting for the free firewall for Program Control is Medium. Medium forces programs to ask permissions to connect to the Internet zone by prompting the user for authorization each time connection is attempted. It also forces any application that requires server rights to be authorized as well.
Figure 4.31 ZoneAlarm Program Control
180 CHAPTER 4 Implementing System Security Applications
In Low mode, the system is placed into learning mode and server control and stealth mode are not available. By changing the Program Control setting to Off, Program Control is disabled all together and program traffic is not evaluated or acted upon. The second section under Main contains settings for the Automatic lock feature. Automatic lock allows for the ZoneAlarm to protect your computer when the machine stays connected to the Internet for a long period of time. When the lock is on, only programs with permission to initiate outbound traffic are allowed to function. Inbound traffic is restricted. The lock can be configured to turn on after a certain number of minutes or simply when the machine’s screen saver kicks in. With ZoneAlarm set to the default Program Control level each program that runs on your computer will be flagged and the user prompted for a determination on what to do about the traffic request. Figure 4.32 shows a sample reoccurring traffic pattern detected by ZoneAlarm. The traffic is being presented to the user so that a decision can be made as to what to do with the traffic. Notice that possible actions include allowing the program to perform the behavior that it is attempting, or denying the behavior. You also have the ability to teach ZoneAlarm that an application is considered safe by selecting the Remember this setting option. Program behavior is broken down into two action types: Access and Server. Access is when an application is asking to be granted access to a particular zone. The zone is displayed in the alert, as you can see in Figure 4.32. Figure 4.32 displays a reoccurring request. Figure 4.33 shows another example, but this is the program’s
Figure 4.32
Figure 4.33
Reoccurring Program Traffic Prompt
New Program Alert
Personal Software Firewall 181
first attempt to access the zone and thus the alert is formatted differently, and states that it is a first attempt to access the zone. Programs can also at times require the capability to act as a server. Any type of server activity will also result in a user prompt asking for an Allow or Deny. Use caution when approving an application to act as a server; very few applications on a workstation machine need this capability. If you accidentally grant act as a server rights to an application you can always use the Programs section under Program Control to adjust the configuration. Figure 4.34 displays the Programs section. Notice there are two columns, one for Access and one for Server and each has a listing for the two default zones, Trusted and Internet. To change any of the settings you would simply left-click the currently displayed icon in a column and a menu will appear allowing you to choose Allow, Block, or Ask. Any application that is set to block will be denied access when attempting to perform the blocked action. The user will be notified of this activity by a pop-up alert, as shown in Figure 4.35. If the blocked activity is erroneous, you must adjust the applications configuration in the Programs section under Program Control. The program can either be deleted from the list by right-clicking and selecting Remove or the setting may be modified as was described above.
Figure 4.34 Viewing Program Control Configurations
182 CHAPTER 4 Implementing System Security Applications
Monitoring ZoneAlarm When you are monitoring ZoneAlarm, there are two factors to consider. The first thing to keep in mind is that ZoneAlarm is a software firewall, and thus depends on a service to be running to protect your machine. Therefore, it is a good idea to monitor the ZoneAlarm service to ensure that your machine is protected at all times. When you install ZoneAlarm, a service is added to your machine called TrueVector Internet Monitor. This service displays in the control panel of the local machine, and if the service is stopped or fails, then ZoneAlarm will no longer be able to run, leaving your Figure 4.35 machine vulnerable. Blocked Traffic Alert Additionally, the ZoneAlarm console allows you to view the ZoneAlarm log file content under a section titled “Alerts & Logs.” Alerts & Logs is divided into two sections: Main and Log Viewer. The Main section simply turns Alert events on or off. There is also an Advanced button, which allows you to configure certain logging settings, such as the log file formatting. The Log Viewer section displays the log file content. The history and the rating of the security events that have taken place on the machine are displayed as well as additional content such as the date and time of the occurrence, the protocol used, the source and destination IP address, and the direction of the traffic among others. Figure 4.36 shows sample Log Viewer content.
Antivirus Intruders, hackers, or attackers who access networks and systems without authorization and with malicious motives can plant various types of programs to cause damage to the network, your system, and your data. These programs—often lumped together under the general term viruses—perform many different functions and are classified under different categories. In this section, we will look at how granular the term malware can actually be. It is important to have a general understanding of the different classifications of malware, and it is equally important to understand their general behavior. Malware is any software product or program that has been created with an intent to cause damage or harm. The word malice is a legal term used to define the intention of one party to harm or cause injury to another party. When applied to computer technology, the word holds equal meaning. A malicious party creates software to cause
Antivirus 183
Figure 4.36 Log Viewer Content
havoc on any host that downloads and installs it, whether knowingly or unknowingly. When discussing malware, it’s important to classify it. The term malware is generally used to describe a broad spectrum of different types of software, such as computer viruses, Trojans, worms, adware, and spyware. Just about any form of hostile, intrusive, or annoying software or program code can be classified as malware. Note You should not confuse malware with defective software, which is software that has a legitimate purpose but contains bugs that cause the program not to work as advertised. Malware is intended. A software bug is not intended.
Viruses, Worms, and Trojan Horses Many of the original MS-DOS-based viruses and other types of malware were written as experiments intended to be either harmless or destructive, and many were created as simple and harmless pranks. As time went on, the level of skill used to create such malware grew by leaps and bounds, and the severity of each payload grew exponentially as well. This inevitably caused many software programmers to stop
184 CHAPTER 4 Implementing System Security Applications
coding, learn security fundamentals, and start coding again while applying those fundamentals. Because it appeared that the exploit writers were outpacing the software developers, this practice became “mandatory” within Microsoft’s own camp.
Notes from the Field Vista Is Still Susceptible to Older Malware Since its release, Microsoft Windows Vista has already been reported to be affected by old malware. In particular, Vista has been found to be susceptible to three common malware exploits, which are as follows: ■■
■■
■■
Stratio-Zip W32/Stratio-Zip is a family of Zip files containing worms in the Stration family. The worms in the Stration family are a group of multicomponent mass mailing worms. The worms use encryption mechanisms in an attempt to side step antivirus systems, and can also modify the host’s file and disable security-related services. Netsky-D W32/Netsky-D is a worm that spreads through e-mail. When e-mailing itself the worm can spoof the sender’s e-mail address. This worm can impact any version of Windows, including Windows Vista. MyDoom-O W32/MyDoom-O is an e-mail worm that creates a file named services.exe in the Windows or Temp folder, and then runs the file. Services.exe is a backdoor component. The worm then searches the hard disk’s e-mail addresses.
When deploying Vista, be aware that although malware defense has been fortified, it still has its faults. For more information on this subject, visit www.sophos.com/pressoffice/ news/articles/2006/11/toptennov.html and http://news.zdnet.co.uk/security/0,1000000189 ,39284939,00.htm.
Young, inexperienced software programmers and script kiddies learning about viruses and the techniques used to write them were getting more advanced as the tools they either created or had at their disposal expanded in number. Some of these malware attacks proved to hurt a global economy that now thrived on the use of the Internet. As time went on, a chase seemed to ensue, and it appeared as though the exploit writers were outpacing the product’s legitimate software development teams. As the use of the Internet exploded, it seemed as though malware grew more and more destructive on a daily basis. Newer exploits were coming out rapidly that were designed to destroy files on a hard disk or to corrupt the file system so that it could not be used. Viruses were created to cause traffic flooding to legitimate Web servers, putting them out of business. The list goes on and on. It wasn’t until malware became extremely destructive that action was taken on a grand scale. In 1999, Melissa (a well-known computer virus) really showed us how fast (and far) a virus could spread. It also showed us how vulnerable our systems were to attacks that could hurt a company’s bottom line. Melissa was the first virus to be widely disseminated through e-mail. It is a macro virus, written in Visual Basic for Applications (VBA), and it was embedded in a Microsoft Word 97/2000
Antivirus 185
document. When the infected document was opened, the macro ran (unless Word was set not to run macros), sending itself to the first 50 entries in every Microsoft Outlook Messaging Application Programming Interface (MAPI) address book it could find. These included mailing list addresses, which resulted in very rapid propagation of the virus. The virus also made changes to the Normal.dot template, which caused newly created Word documents to be infected. Because of the huge volume of mail it produced, the virus caused a DoS attack on infected e-mail servers.
Are You Owned? Script Kiddies and DoS Attacks A script kiddie is an inexperienced hacker who uses already developed tools and methods to exploit a system or penetrate a system’s defenses, instead of creating those tools and methods on his own. Advanced hackers and code programmers are generally considered to be elite. These experienced individuals can create a rootkit, whereas a script kiddie will only obtain and execute it. A DoS attack is an attack on a network or system that is designed to tie up the system’s or network’s resources so that legitimate requests for service cannot be answered. For all known DoS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks, and steps they can take to attempt to prevent the attacks. Since 2003, the majority of widespread viruses and worms have been designed to take control of users’ computers for use in DoS attacks to hide the identity of the true attacker. Infected computer system hosts (called zombies) are used to send large amounts of data, spam, pornography, and other random data to legitimate hosts. A DoS attack is usually sourced from one or multiple locations to attack a single location. A DDoS attack is the “distributed” form of the same attack, using multiple zombie hosts to perform a larger-scale attack more quickly.
Viruses A virus is a malicious program that is commonly installed on a target host with the intent to cause harm or damage. A virus (just like the medical version of the term) infects the host, usually by being installed by the end user of the target host. A virus is almost always executed by the end user without him knowing the true intention of the malware. Viruses are made to perform undesirable actions. Viruses are also created to replicate themselves, infecting other systems by writing themselves to any disk that is used in the computer or sending themselves across a network when activated. Viruses are often distributed as attachments to e-mail or as macros in word processing documents easily sent through e-mail and opened by unsuspecting e-mail users. Some viruses activate immediately on installation, and others lay dormant until a specific date or time, or until a particular system event triggers their payload.
186 CHAPTER 4 Implementing System Security Applications
Viruses come in literally thousands of varieties. They can do anything from sending a pop-up message on your desktop to scare you (which is considered a prank), to erasing the entire contents of a computer’s hard disk (which is considered destructive and harmful). The proliferation of computer viruses has also led to the phenomenon of the virus hoax, which is a warning—generally circulated through e-mail or Web sites— about a virus that does not exist or that does not do what the warning claims it will do. The same malicious effect takes place because through the hoax, the end user can cause the same damage to the target system without creating a software tool using programming languages. In the past, some of these hoaxes have prompted computer users to manually delete needed system files, either because they sounded malicious or because the icon image they used by default looked malicious. Real viruses, however, present a real threat to your network. Companies such as Symantec and McAfee make antivirus software that is aimed at detecting and removing virus programs, and is updated daily to thwart newly created ones, which seem to also come out on a daily basis. Tip Because new viruses are created constantly, it is very important to download new virus definition files regularly. These updates contain information required to detect each virus type, to ensure that your virus protection stays updated, and to take action when certain parameters are tripped.
Although viruses come in many varieties, they can be classified into four general categories: e-mail-based, boot sector-based, application-based, and macro-based. The common thread that holds these types together is that they need to be executed on the target host. ■■
■■
■■
■■
E-mail viruses E-mail viruses are transmitted through e-mail and contain a payload that is activated when the end user is provoked to activate it, or when something in the e-mail client and how it reads e-mail (and scripts) activates the payload upon delivery or viewing, without opening the e-mail (such as with an automatic reading pane found in most e-mail clients). Boot sector viruses Boot sector viruses are often transmitted through disk. The virus is written to the master boot record on the hard disk, from which it is loaded into the computer’s memory every time the system boots. Application or program viruses Application viruses are executable programs that, when run, infect your system. Viruses can also be attached to other, harmless programs and installed at the same time the desirable program is installed. Macro viruses Macro viruses are embedded in documents (such as Microsoft Word documents) that can use macros, which are small applications or “applets” that automate the performance of some task or sequence. Although Microsoft Office documents are not executable files, they can contain macros. Thus, Office documents should be treated as though they are executables, unless the capability to run macros is disabled in the Office program.
Antivirus 187
Warning A virus can be programmed to mutate into something else, and can be written with defense mechanisms to protect itself from detection and/or deletion. One type of virus that can avoid detection is called a polymorphic virus. Polymorphic viruses are written to use encryption routines that constantly change to avoid detection.
Worms Worms are ugly, regardless of whether they are dangling from a fish hook or taking down your public Internet connection. Worms can also be very destructive. History has shown us that since its inception, the worm has consistently transferred itself over networks to infect target hosts, whereas common viruses typically infect a single target host only. The worm is then transferred through e-mail or floppy disk to other hosts in a hope that they become infected as well. A worm is written to propagate quickly, and to infect as many target hosts through propagation as possible, thereby causing as much turmoil as possible. Although the line between malware terms such as worm and virus is sometimes blurred, this is the major distinction between the two. A worm is programmed to “scan” the network from the infected host to find other hosts with open and vulnerable services and ports. As an example, a worm may infect a target host through a network port and then find 30 hosts on the connected subnet with the same open port. Once this criterion is met, the worm then propagates to those 30 hosts, and so on. Examples of this come in the form of the Sasser and Slammer worms. The Sasser worm exploited TCP port 5554. The Slammer worm exploited a known SQL Server vulnerability by sending a single packet to UDP port 1434. Tip Although most ports are programmable, many well-known services operate on designated ports such as DNS, which operates on TCP and UDP ports 53. For a complete list of these default port assignments, visit the IANA Web site, www.iana.org/assignments/ port-numbers.
One of the first worms, the Morris worm, was unleashed on the Internet from MIT in November 1988. In 2001, worms such as Code Red started to pop up at an alarming rate. This self-propagating worm began to infect Microsoft-based Web servers running Internet Information Server (IIS), and because so many such servers were in use, the virus spread extremely quickly. On various trigger dates, the infected machines would try to connect to TCP port 80 (used for Web services) on computers with randomly selected Internet Protocol (IP) addresses. When successful, the worm attempted to infect any remote system it could find and connect to. Some variations of the worm also defaced Web pages stored on the server as a form of digital graffiti. On other dates, the infected machine would launch a DoS attack against a specific IP address embedded in the code. Computer Emergency Response Team (CERT) (www.cert.org) reported that Code Red infected more than 250,000 systems over the course of 9 hours on July 19, 2001.
188 CHAPTER 4 Implementing System Security Applications
Then came Nimda—a newly created worm used to take advantage of known flaws within the Microsoft OS. In late summer 2001, the Nimda worm infected numerous computers running Windows 95/98/ME, NT, and 2000. The worm made changes to Web documents and executable files on the infected systems and created multiple copies of itself. Nimda spread through e-mail, across network shares, and through the infected Web sites. It also exploited vulnerabilities in IIS versions 4 and 5 and spread from client machines to Web servers through the backdoors left by the Code Red II worm. Nimda allowed attackers to then execute arbitrary commands on IIS machines that had not been patched, and denials of service were caused by the worm’s programmed payload. As the IT community repaired systems at a feverish rate to recover from Code Red and Nimda, Klez reared its ugly head. In late 2001 and early 2002, the Klez worm spread throughout the Internet, primarily through e-mail. It propagated through e-mail mass mailings and exploited vulnerabilities in the unpatched versions of Outlook and Outlook Express mail clients, attempting to run when the message containing it was viewed or previewed in the preview pane. When Klez runs, it copies itself to the System or System32 folder in the system root directory, and modifies a Registry key to cause it to be executed when Windows is started. It also tries to disable any virus scanners and sends copies of itself to addresses in the Windows address book, in the form of a random filename with a double extension (for example, file.doc. exe). As though this wasn’t harmful enough, the worm had a secret payload, which executed on the thirteenth day of every other month, starting with January, resulting in files on local and mapped drives being set to 0 bytes in length. Worm outbreaks have become a cyclical plague for both home users and businesses, and have been eclipsed only recently in terms of damage by spyware. As they were from inception, today most worms are commonly written for the Windows OS, although a small number are also written for Linux and UNIX systems, such as 2005’s Lupper, which was aimed at the growing use of Linux Web servers in the marketplace. Note The words virus and worm are often used interchangeably. Today some draw the distinction between viruses and worms by saying that a virus requires user intervention to spread, whereas a worm spreads automatically. Using this distinction, infections transmitted by e-mail or Microsoft Word documents, which rely on the recipient opening a file to infect the system, would be classified as viruses and not as worms.
Trojan Horses For a malicious program to accomplish its goals, it must be able to do so without being shut down by the user or administrator of the computer on which it’s running. Concealment is a major goal of a malware creator. When a malicious program is disguised as something innocuous or desirable, users may be tempted to install it without knowing what it does. When reflecting on history, the documented first use of the Trojan horse was when the Greeks gave their enemies (the Trojans) a gift during the Trojan War. The gift (a gigantic wooden horse) was given in peace so that the Trojans would
Antivirus 189
bring it into their stronghold, but at night, when the city slept, the Greek soldiers snuck out of the back of the horse and attacked and then captured the city of Troy. This is how the Trojan horse exploit performs. The Trojan horse will appear harmless enough for the recipient to install, because it hides its true intention, which is based on malicious activity. The Trojan horse conceals a harmful or malicious payload within its seemingly harmless shell. The payload may take effect immediately and can lead to many undesirable effects, such as deleting the entire user’s files, or more commonly, installing further harmful software on the user’s system for future payloads.
Tools and Traps Rootkits, Backdoors, and Keyloggers Malware can be very nasty, especially when it and its payload are concealed. For instance, consider the use of rootkits, backdoors, and keyloggers. ■■
■■
■■
Rootkits A rootkit is a form of malware that hides its presence on the target host. Now used as a general term, its original meaning was to define a set of tools installed by an attacker on a UNIX system, where the attacker had gained administrator (root) access. Today rootkit is used as a general term to describe any concealed malware on any type of system, such as UNIX or Windows. Rootkits act by modifying the host OS so that the malware is hidden from the user. Rootkits will remain undetected and can prevent a malicious process from being reported in the process table. Backdoors A backdoor is a routine used to sidestep the normal authentication procedure found on most systems to keep them secure. Backdoors are just as dangerous as rootkits. Generally, backdoors are network-aware programs that allow access from an attacker into the target system without the target system’s user knowing about it. A backdoor is a method of bypassing normal authentication procedures. Many software manufacturers preinstall backdoors on their products to provide technical support for customers. The malware version performs the same function, but it is definitely not used to provide you with any help. Keyloggers A keylogger is a form of malicious software that monitors what a user types on his keyboard. This will generally lead to the compromise of sensitive information, such as user credentials (usernames and passwords) and other sensitive data. Sometimes keyloggers are also implemented in hardware connected to the back of a PC or server without the user’s knowledge.
Trojans can be very cleverly disguised as innocuous programs, utilities, or screensavers. A Trojan can also be installed by an executable script (JavaScript, a Java applet, ActiveX control, and so on) on a Web site. Accessing the site can initiate the program’s installation if the Web browser is configured to allow scripts to run automatically. Trojans can use the default behavior of Windows to disguise their true nature. Because the file extension (the characters that appear after the last dot in a filename) are hidden by default, a hacker can name a file something such as harmless.jpg.exe
190 CHAPTER 4 Implementing System Security Applications
and it will appear in Windows Explorer as harmless.jpg, seeming to be an innocent graphics file, when it is really an executable program. Of course, double-clicking it to open the “harmless picture” will run the program. Trojans that are designed to allow hackers to gain unauthorized access across a network, such as Back Orifice and NetBus, are sometimes called remote access Trojans. Back Orifice, Back Orifice 2000, NetBus, and SubSeven were the most commonly used Trojans of their time, although literally hundreds exist. Newer Trojan horses, such as Xombe and Dloader-L, both of which arrive as an executable attachment in spam e-mail messages claiming to come from [email protected], are meant to wreak havoc by fooling you into thinking that the attachment legitimately came from Microsoft. Because the spoofed e-mail address “seemed” legitimate, many were fooled into executing the attachment, which can be thought of as any system administrator’s nightmare. Note Hackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors, hackers use either a Trojan horse or a computer worm, with the payload being the backdoor routine.
Trojan horses known as droppers are used to initiate a worm outbreak, by injecting the worm into users’ local networks. Spyware is commonly distributed as a Trojan horse, bundled with a piece of desirable software that the user downloads from the Web, or from a peer-to-peer file-sharing network such as LimeWire (www. limewire.com). When the user installs the software, the spyware is installed alongside it. Spyware authors who attempt to act legally may include an End User License Agreement (EULA), which states the behavior of the spyware in loose terms, but with the knowledge that users are unlikely to read or understand it.
Spyware and Adware Somewhere along the malware timeline, virus and exploit writers started to shift gears from attacking with a purpose, such as harm and damage, to just getting paid. Spyware and adware have become lucrative business ventures for those who have tried it and were successful at it. Spyware programs are designed to monitor users’ Web browsing habits and then market relevant advertisements to these users based on their browsing history. Some spyware programs display unsolicited advertisements and then trick or force the user to click them. Some are even self-activated. Other forms of spyware are intelligent enough to redirect affiliated marketing revenues to the spyware creator. Spyware programs do not spread like viruses do; they are generally installed by exploiting known security holes or are packaged with software that the end user downloads and installs onto the target host. Spyware programs are usually installed as Trojan horses, meaning you believe you are installing software that does a specific function, but in the background, other functions are taking place. Spyware differs from standard viruses in that their creators present themselves openly as businesses, whether legitimate or not.
Antivirus 191
Spyware exploits are also used to obtain user information. Similar to how cookies help to aid your browsing experience, spyware does the same by analyzing what sites you go to and what your browsing habits are. However, it then invades your privacy further by not only using that information to market products to you but also avoiding deletion or removal so that you cannot remove it. A cookie, however, is generally pretty easy to deny or delete, especially with Internet Explorer 7. Note A cookie is a very small text file that a Web server hosting a site deposits on your computer when you visit that site. A cookie contains information about the user, such as user IDs, preferences, and browsing history.
Some spyware can trick you by changing your search engine results to paid advertisements that benefit the spyware creator. Others change the affiliate marking codes so that all revenue goes to the spyware creator instead of to you. This is sometimes called stealware. You can use spyware detection programs such as third-party vendor tools (for example, Ad-Aware; www.lavasoftusa.com), or you can use Microsoft Defender in conjunction with SpyNet to help stop your spyware woes. Similar to antivirus software, spyware-removal programs compare a list of known spyware with files on your computer and then remove any that it detects. Antispyware programs can combat spyware from being installed, but the best strategy is to carefully examine and analyze what you choose to download and install. Warning Most spyware programs present the user with a EULA that purportedly protects the creator from prosecution under computer contaminant laws. However, spyware EULAs have not yet been upheld in court. Stanford (http://cyberlaw.stanford.edu/packets003459. shtml) and Yale (http://research.yale.edu/lawmeme/modules.php?name=News&file=article &sid=1652) have both released data on how EULAs and law hold up when malware is a concern.
Botnets Much like the DDoS attack, the botnet is a program that will facilitate an attack from coordinated systems. Software robots (or bots, for short) are controlled through a botnet. In a botnet, the malware logs on to an Internet Relay Chat (IRC) channel or other chat-based system. The attacker can then give instructions to all the infected systems Tip Attackers are using IRC as a main transport for their malware. IRC robots (bots) are used to execute commands unsuspectingly on host systems using IRC, which is a largescale network of text channels used for communication. To learn more about botnets, IRC, and other malicious code, visit the forums at www.ryan1918.com and www.irchelp.org.
192 CHAPTER 4 Implementing System Security Applications
simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to antivirus and antispyware software or other security measures.
Prevention and Response Before we get into how Microsoft’s new products can help you reduce the threat of malware, it makes sense to discuss prevention and response first. As mentioned earlier, staying secure is a two-step dance. You need good software that protects you, and the mindset to protect your surfing habits. Protecting systems and networks from the damage caused by Trojans, viruses, and worms is mostly a matter of common sense. It is up to you to prevent harm by being aware of it, and then being able to respond to it and make the systems (or network) operational without any downtime, if possible. Although there are many ways to protect yourself and your system using Microsoft’s tools, it always helps to practice some of the following general security practices as well: ■■
■■
■■
■■
■■
■■
■■
■■
Periodically update every piece of software you install on your system, as well as the OS itself, which also needs to be updated periodically. You can do this by installing the latest updates, hotfixes, security patches, and service packs that are available for your software. Keep on top of when new patches come out, and try to test and then install the current patches to keep your system at its best. When using your e-mail client, pay close attention to “who” is sending you e-mail and “where” the e-mail originates. Because e-mail can be spoofed, you may not always be able to do this, but in most cases, a spam filter can quickly identify unspoofed e-mail and send it right to the trash or automatically remove it. If you receive files from sources that you do not recognize, it is wise not to execute them. Instead, delete them. In other words, if someone sends you a file such as harmless.jpg.exe, it is a good idea to delete the file and not execute it because it seems to fall into the characteristic of a typical malware hoax intended on getting you to launch it. When using your e-mail client, make sure you turn off any preview pane functionality so that you do not open and, therefore, execute any attached scripts simply by opening your Inbox. To prevent macro viruses, ensure that macro security is enabled in Office so that if you open a Word document, you won’t necessarily run a malicious script that may also be contained within it. Do not use floppy disks from untrusted sources. Also, pay attention to any file that enters your system from any source, whether it is a CD or DVD-ROM, USB flash device, or something similar. Use host-based IDS/IPS software if possible, as well as firewall software, antivirus software, and spyware removal software such as Microsoft Defender. Harden your systems and disable unneeded or unwanted services.
Antivirus 193
■■
■■
Use a strong password policy. If malware does attempt to try to steal your credentials, having a strong password policy in place will help you if your system gets infected. Configure your Web browser (such as Internet Explorer 7) to ignore or warn for cookies, and disable JavaScript and ActiveX, two commonly exploited scripting languages. Keep a close eye on sites that are not trusted and try to block sites that you know are malware-infected.
You may also want to make sure your network is also secure. Some more advanced practices include the following: ■■
■■
■■
■■ ■■
■■
■■
Configure your routers, switches, and other adjoining network hardware to be secure, which means locking down services, keeping the router or switch OS updated, and applying any security measures such as disabling broadcasts on certain interfaces, applying access control lists, and so on. Disable the Simple Network Management Protocol (SNMP) and any other services that you do not need. Make sure any e-mail relays in use are protected and aren’t being used to send spam. Use application gateway firewalls to protect against large-scale attacks. Apply defense in depth. Using a firewall alone is almost meaningless. You need to ensure that you have multiple levels of security in place, such as desktop policies, a firewall, and an IDS. Use a security policy and keep it updated. Security is upheld only when it’s supposed to be, so make sure your company has a policy in place that dictates what needs to be secured and how it needs to be secured. Make sure you have an incident response plan ready, with detailed steps and a team that can carry it out. Your goal should be to prevent a crisis if you can, but your real responsibility when dealing with incident response concerns the response; in other words, taking care of the issue either while it is happening or after it has happened.
Tip Creating backups of your important data is one place to start. Incident prevention and risk mitigation begin with your proactive planning. A great response to an attack that destroys your company’s important data is data backup that restores that data to its original state.
Windows Defender In December 2004, Microsoft acquired the Windows Defender security technology from GIANT Company Software, Inc. Windows Defender provides continuous security against malware, and if it detects anything suspicious, it will alert you of what it finds. It does this by using three specific tools:
194 CHAPTER 4 Implementing System Security Applications
■■
■■
■■
Internet agents Internet agents are used to monitor changes to Internet access settings, as well as to stop unauthorized connection attempts through the network. System agents System agents are used to monitor changes to your system’s settings, such as passwords and permissions. Application agents Application agents are used to monitor changes to applications installed on your OS, such as Internet Explorer being modified by downloadable toolbar applications.
Note Windows Defender is used locally to protect an end user’s Web browsing experience. Windows Defender does not include enterprise management tools.
Windows Defender protects against and removes malware as well as provides control over modifications to software installed on the system. Windows Defender provides real-time monitoring functionality, which means it will always run and keep you protected while you are using your Windows Vista system. The Windows Vista version of Windows Defender features an updated scanning engine, simplified alerting functionality, multiple-language support, and other enhancements. Windows Defender provides top-notch spyware detection and removal, and it is connected to an online service that will keep it updated and on top of the latest threat trends. Because malware constantly evolves, so does Windows Defender and its support team.
Using Windows Defender You can find Windows Defender by opening the Windows Security Center (WSC) and selecting the Windows Defender link. This will invoke the Windows Defender application. If your system is already up-to-date, Windows Defender will report that there is no harmful or unwanted software on your system and that your computer is running normally. If you have not run a scan yet, or your last scan was a while ago, you will be prompted with scan options. Select the scan option that best suits what you want to do. If you want to perform a quick scan of the most common areas within your system affected by malware, check the Quick scan radio button. If you want to check your entire system, check the Full system scan radio button (note that a full system scan will take far longer to perform than a quick scan). You can also specify which drives or areas of your system you want Windows Defender to scan. Figure 4.37 shows Windows Defender prompting you to begin a scan. Click Scan Now to begin the scan. Once the scan is complete, you can view the report. If anything malicious is found, you will be asked how you want to handle it. Figure 4.38 shows Windows Defender completing a quick scan and not finding any malware on the system. (Because this was a quick scan, there still may be an issue with this system;
Antivirus 195
Figure 4.37 Starting a Scan with Windows Defender
however, a full system scan should be run to verify that the system is in fact free of malicious software.) By clicking on Tools on top of the Windows Defender dialog box, you can adjust the settings for Windows Defender and select other tools to further secure your system. Once you open the Tools and Settings configuration within Windows Defender, you can change the settings, use Microsoft SpyNet, view quarantined items, use the Windows Defender Software Explorer, set allowed items, and visit and use the Microsoft Windows Defender public Web site.
How to Use the Windows Defender Software Explorer One of the newest and most helpful tools Microsoft has added to Vista and Windows Defender is the Software Explorer. Software Explorer provides you with an unfettered view of the software that is currently running on your computer, along with details of each piece. It also helps you monitor programs that are set to start when the computer boots, programs that run in the background or as background processes, and programs that are used to perform low-level network functions (that is, Winsock service providers). Note To use some Software Explorer options, you must be logged on as Administrator or be a member of the Administrators group.
196 CHAPTER 4 Implementing System Security Applications
Figure 4.38 Viewing Windows Defender Reporting a Quick Scan Completed
Using Software Explorer Changing how a program runs on your computer, such as blocking Internet or network connections and ending processes, can cause problems with Windows and other programs that you use. Use Software Explorer to change how a program runs on your computer only if you are certain that the program is causing a problem. Once you open Software Explorer, you can select which category of programs you want to view or adjust. For example, in Figure 4.39, you can see Software Explorer in use. Here, the Startup Programs category is shown but blurred out to protect the identity of the system in use.
Antispam One of the first “advertising” models the Internet created was e-mail spam. It costs virtually nothing to mass-distribute an e-mail message to millions and millions of people around the world. If 10, or 100, or a few thousand respond, the spam
Antispam 197
Figure 4.39 Using Software Explorer
advertising campaign is a huge success and everyone is happy—except for the other 9.99 million people who got the spam and weren’t interested. Spam quickly became the bane of Internet existence and, by some accounts, even threatened the very growth and productivity of the Internet. Even today, spam e-mail accounts for nearly 75 percent of all e-mail traffic zipping around the Internet. On a given day, a user is likely to receive 10 times more unsolicited advertisements or other unwanted e-mail messages than legitimate, useful messages. Thankfully, tools and products have been created to detect and filter the vast majority of those messages so that users aren’t bothered by them. But legitimate companies do not want to have their reputation or their product associated with spam marketing. Companies, just like everyone else, had to adapt quickly to the advent of the Internet. At first, many struggled to figure out how to effectively sell or market their merchandise over the World Wide Web. However, it didn’t take long for some to figure out that Web surfing and Internet shopping are easily monitored goldmines of user information.
198 CHAPTER 4 Implementing System Security Applications
By applying some of the same techniques used to track demographic data in brick-and-mortar retail shops, combined with the speed and efficiency of electronic data and database storage, companies could once again target their marketing at those most likely to be interested.
Pop-Up Blockers Although antispyware applications are very useful and efficient for removing spyware, most of them concentrate only on spyware that has already infected a computer system. The capability to catch spyware before it has been installed is normally accomplished by an add-on to the product, and it is usually very hardware intensive because it has to continually scan all processes. A Web browser toolbar can simplify this process a great deal. A core feature in virtually all toolbars is the capability to block pop-up windows from appearing while you are surfing Web sites. This feature targeted one of the most annoying and effective means of displaying unsolicited images and information to Web surfers. All of the toolbar solutions that we will discuss in this section can block pop-up applications before your Web browser can process them, which will help prevent a large number of spyware-related applications from being installed. These toolbars also provide many other utilities that enhance your Web surfing experience, or additional security that is not normally found in the Web browsers. Even though all toolbars focus on blocking pop-ups, they are not all created equal. Some pop-up blockers may end up missing many forms of pop-ups, and may block legitimate windows. If you want to test the effectiveness of a particular pop-up blocker, visit the pop-up test Web site at www.popuptest.com. The pop-up test Web site simulates a variety of pop-up window techniques to validate your particular blocker utility.
12Ghosts Popup-Killer 12Ghosts Inc. is known for its large variety of Windows-based tools and utilities designed for common computer owners and power users. All the applications of 12Ghosts are grouped together into relevant packages, such as the 12Ghosts Security package, sometimes advertised as 12Ghosts PowerGee. This package contains a variety of security-related tools, including Popup-Killer Pro, Shredder, Startup Guard, Wash Pro, and other, smaller utilities. Of particular relevance to us, though, is the Popup-Killer application. Popup-Killer is released as a shareware product in which you are free to evaluate the software, with many of its features disabled. The Web browser provided by 12Ghosts Popup-Killer is a simple application, but it provides a handful of unique features not found in other products. When you enable the toolbar from within Internet Explorer, by selecting View | Toolbars | 12-Popup, it provides a number of labeled buttons that control its use.These include the following: ■■
Enable Popup Blocking When this button is selected, Popup-Killer will block most forms of pop-up windows.
Pop-Up Blockers 199
■■
■■
■■
■■
Images Off When this button is selected, all images contained within Web sites will not be displayed. This is a particularly useful feature when dealing with the plethora of pornographic pop-ups, as the immediate visual threat is neutralized. Run ActiveX When this button is selected, ActiveX controls will be permitted to run. ActiveX is a Microsoft implementation that allows Web sites to run miniature applications on your computer, but it is also a large carrier of spyware applications. Protect Homepage When this button is selected, Popup-Killer will prevent Web sites and applications from changing Internet Explorer’s assigned home page. Pictures This utility will attempt to save all images included in and linked to the current Web site.
Not only does 12Ghosts Popup-Killer provide a toolbar for protecting against pop-ups, but it also constantly runs in the background in Windows. In doing so, it can detect applications that attempt to automatically start Internet Explorer for the purpose of displaying advertisements. When an application attempts to start Internet Explorer, a window will appear to allow the application to continue, or to block it, as shown in Figure 4.40.
Yahoo! Anti-Spy Toolbar Although most toolbar solutions focus simply on blocking pop-ups from occurring within your Web browser, the Yahoo! toolbar not only blocks pop-ups, but also includes a basic antispyware application. The application, named Anti-Spy, has a
Figure 4.40 12Ghosts Popup-Killer Pop-Up Warning
200 CHAPTER 4 Implementing System Security Applications
rudimentary built-in spyware scanner. The Yahoo! toolbar also features the capability to add tabbed windows to Internet Explorer, a feature that is used extensively within the Opera and Firefox Web browsers and is not found in Internet Explorer versions before 7.0. Tabbed windows allow you to view multiple Web sites from within the same physical window, with each window being shown as a separate tab below the Yahoo! toolbar, as shown in Figure 4.41. This is an extremely useful feature for Web surfers that occasionally have dozens of Web sites open simultaneously. Tabbed browsing allows sites to be contained within a single window so that dozens of windows do not appear on the Windows taskbar. It also allows you to logically organize similar sites within the same window. The most pertinent feature within the Yahoo! toolbar, though, is the built-in spyware scanner. You can summon the spyware scanner at any time from within a Web browser by selecting the Anti-Spy icon in the toolbar, symbolized by an orange box with a red target symbol. When you click the Anti-Spy button, the Anti-Spy application will run and display a large window, as shown in Figure 4.42. The application contains very few items, making it straightforward and user friendly. When you select the Check for Updates button, Anti-Spy will go to the Internet and check for any updates to the spyware definitions that it contains.
Figure 4.41 Yahoo! Toolbar for Internet Explorer
Pop-Up Blockers 201
Figure 4.42 Yahoo! Anti-Spy Main Window
Anti-Spy contains three basic options, as shown on the initial scanning window: ■■
■■
■■
Scan for Tracking Cookies As well as searching for spyware and adware, this will enable Anti-Spy to search within your Web browser cookies for ones that track your movement on the Web. Check for Updates on Startup This option enables Anti-Spy to automatically check for updates when you first start up Internet Explorer. Scan at Launch This option causes Anti-Spy to immediately perform a spyware scan when it is launched from within your Web browser.
Once you have chosen suitable options, select the large Begin Scan button to begin performing the spyware scan. Once the scan is complete, you will be presented with a listing of all the items Anti-Spy has located, as shown in Figure 4.43. At this point, you can review each item and decide whether it should be removed or whether it should remain. In this review screen, each spyware item is designated by its overall application name along with the total number of objects found that is part of that application. Also, the type of application found will be displayed in the category column, be it spyware or adware, and a general recommendation will be given. You can list the objects within the application directly by selecting the application and clicking View Details. This will open a new window displaying detailed information about the selected application, and it will list all objects found associated with it, as shown in Figure 4.43.
202 CHAPTER 4 Implementing System Security Applications
Figure 4.43 Yahoo! Anti-Spy Scan Results
After you have had the chance to review the found applications, you can decide to either remove the applications or allow them to stay. You can choose these options by selecting the corresponding buttons on the Scan Results screen. Note, although, that when you choose to allow an application to stay, the scanner will see it as a trusted application and it will not appear on a scan again.
Google Toolbar Following the success of some of its competitors, Google released its Google toolbar to enable users to easily search for data on the Internet, from any Web site. The core feature of the initial versions of the Google toolbar was a field in which to submit search queries from within any Web browser window. This feature countered the inconvenience of having to return to www.google.com before performing a search. The toolbar also grew to include many more options and functions, such as a spellchecker and a language translator. One of the greatest features of the Google toolbar is its automated pop-up blocker. The Google toolbar can automatically detect most forms of pop-up windows and automatically block them before they are displayed on the screen. The pop-up blocker requires no configuration or setup; it automatically starts working as soon
Summary of Exam Objectives 203
as you load the Google toolbar. An icon located on the toolbar keeps a running tally of the total number of pop-ups blocked. The toolbar itself blocks a large majority of pop-up windows, but it cannot protect a browser from all forms. There are some implementations of pop-up windows for which there is no protection yet.
Mozilla Firefox Although we have discussed a number of toolbar applications here, it should be noted that these applications were written primarily for Microsoft Internet Explorer. These toolbars provide extra security by blocking malicious behavior that Internet Explorer allows by design. Sometimes extra security may be better incorporated by changing to a different Web browser instead of just applying third-party applications to fix the currently used one. For this reason, we should discuss Mozilla Firefox. Firefox is a free, open source Web browser based on the nearly deprecated Netscape Navigator. Due to its open source design, hundreds if not thousands of developers have teamed together to build and modify Firefox to make it a great product. Much of the influence that goes into developing the product comes from acknowledging security risks and loopholes in other applications, and designing Firefox to overcome such issues. Firefox features an internal pop-up blocker that is enabled and is operational by default. By performing tests at www.popuptest.com, you may find that Firefox’s internal pop-up blocker outperforms nearly all third-party toolbars for Internet Explorer. Firefox also blocks the use of ActiveX controls, simply because it does not know how to run them.
Summary of Exam Objectives In this chapter, we have focused on implementing system security applications. The usage of these applications helps to secure your environment and alert the administrator when suspicious or unauthorized activity is taking place. By being proactive with detection and prevention systems, you have taken steps which can result in either stopping a malicious act in progress or preventing it from occurring altogether. IDS systems can be deployed to monitor network traffic to thwart malicious attacks. There are two different types of IDS systems: HIDS and NIDS. HIDS allow for the protection of specific servers on the network. HIDS systems can be fine tuned more readily since they only protect a single device. NIDS systems are network devices and thus process large amounts of traffic. They require fine tuning to reduce the number of false positives. Personal software firewalls are host-based installations, which assist in protecting a device by blocking specific protocols or ports. Windows XP introduced the first built-in Windows-based firewall, and Windows Vista greatly improved upon it. Administrators can centrally control software firewalls to configure them to meet the need of the environment.
204 CHAPTER 4 Implementing System Security Applications
Antivirus software protects host machines by stopping known viruses from entering the system. These days, antivirus is more encompassing than it once was, going well beyond simple virus protection by including known Trojans and worms as well. In addition to traditional viruses, spyware and adware present a newer threat that administrators must also address. Spyware and adware have a different motive then viruses, worms, and Trojans. Although viruses, worms, and Trojans are typically destructive and attack the local host, spyware and adware oftentimes have the financial gain as their motivation. Tracking your browsing habits and redirecting your Internet browser to sites that benefit their creators are hallmarks of spyware and adware. Software such as Windows Defender and Lavasoft’s Ad-Aware are available to combat these types of threats. Much of the software that is out there works to assist once a machine has been infected. Pop-up blockers are one type of software that attempts to help by preventing infection from taking place. When browsing the Web, users are bound to encounter pop-ups. These pop-ups are typically attempting to sell something or send you to a particular Web site or often times just popping up pornographic Web sites for you to visit. By preventing the pop-ups from taking place in the first place you help to protect your machines and prevent the execution of a virus or Trojan before it takes place. Many Web browser toolbars exist today that contain built-in pop-up blockers. E-mail is another entry point for mail-ware and viruses, but it also can be abused to send out advertisements, known as spam. Spam is unwanted e-mail that is typically a solicitation of some type. By deployment of a good message hygiene solution that covers both antivirus and antispam functions you can work to keep your e-mail environment more sanitary.
Exam Objectives Fast Track Host Intrusion Detection System ■■
■■
An IDS is a specialized tool that knows how to read and interpret the contents of log files from routers, firewalls, servers, and other network devices. Furthermore, an IDS often stores a database of known attack signatures and can compare patterns of activity, traffic, or behavior it sees in the logs it is monitoring against those signatures to recognize when a close match between a signature and current or recent behavior occurs. At that point, the IDS can issue alarms or alerts, take various kinds of automatic action ranging from shutting down Internet links or specific servers to launching backtraces, and make other active attempts to identify attackers and actively collect evidence of their nefarious activities. IDSes that monitor network backbones and look for attack signatures are called network-based IDSes, whereas those that operate on hosts defend and monitor the operating and file systems for signs of intrusion and are called
Exam Objectives Fast Track 205
host-based IDSes. Some IDSes monitor only specific applications and are called application-based IDSes. (This type of treatment is usually reserved for important applications such as database management systems, content management systems, accounting systems, and so forth.) ■■
■■
IDSes may also be distinguished by their differing approaches to event analysis. Some IDSes primarily use a technique called signature detection. This resembles the way many antivirus programs use virus signatures to recognize and block infected files, programs, or active Web content from entering a computer system, except that it uses a database of traffic or activity patterns related to known attacks, called attack signatures. Signature detection is the most widely used approach in commercial IDS technology today. Another approach is called anomaly detection. It uses rules or predefined concepts about “normal” and “abnormal” system activity (called heuristics) to distinguish anomalies from normal system behavior and to monitor, report on, or block anomalies as they occur. A honeypot is a computer system that is deliberately exposed to public access— usually on the Internet—for the express purpose of attracting and distracting attackers. Likewise, a honeynet is a network set up for the same purpose, where attackers find vulnerable services or servers and also find vulnerable routers, firewalls, and other network boundary devices, security applications, and so forth.
Personal Software Firewalls ■■
■■
■■
The Windows Vista Firewall with Advanced Security is a stateful, host-based firewall that can be configured to allow or disallow traffic that is generated by an executable file or by one or more TCP or UDP ports. Windows Vista offers numerous preconfigured Windows Firewall exceptions to allow traffic for common Vista networking scenarios, such as using BITS Peercaching or connecting to a network projector. Windows XP firewall is a very basic firewall compared to Windows Vista.
Antivirus ■■
■■
■■
Antivirus is a critical application in any environment. It works to protect your enterprise systems against known threats and as new threats arise antivirus vendors update their virus definition files to continue to protect your resources. Many antivirus solutions today go well beyond just protecting from viruses. Vendors will often provide software that has been expanded to function as a fullblown malware solution, which encompasses protection from many different types of unwanted software: worms, Trojans, spyware, adware, and viruses. When you are deploying antivirus software, it is important to remember that a layer approach works best. For instance, if you have deployed an antivirus product to your Web servers, but not to your workstations or e-mail servers, you are
206 CHAPTER 4 Implementing System Security Applications
leaving the infrastructure exposed. There is a good chance that malware could enter the network from any unguarded point, so being sure to layer protection is the best strategy.
Antispam ■■
■■
■■
The 12Ghosts Popup-Killer toolbar not only prevents pop-up windows in Internet Explorer but also blocks ActiveX controls and toggles the display of images in Web sites. The Yahoo! toolbar features Yahoo!’s own basic spyware scanner, Anti-Spy, as well as the capability to use tabbed windows, similar to Firefox and Internet Explorer 7 and 8. Google’s toolbar provides some of the best protection against pop-up windows, as well as the capability to check the spelling of any entered data, and the capability to translate words to other languages by simply pointing the cursor at them.
Pop-Up Blockers ■■
■■
■■
Pop-up blockers will stop unwanted additional browser windows from launching on your machine when you connect to Web sites on the Internet. Commonly these pop-up windows are intent on installing some sort of malware on your system, and by preventing the launch of the window you can thwart many of these attacks. Pop-up blockers are useful in combating malware before it has the opportunity to infect a machine instead of after it has infected a machine. Today, most Web browser–based toolbars come equipped with a built-in pop-up blocking mechanism.
Exam Objectives Frequently Asked Questions Q: What advantage does a honeypot offer me over a traditional IDS system? A: A honeypot is a very intelligent IDS that not only monitors an attacker, but also interacts with attackers, keeping them interested in the honeypot and away from the real production servers on your network. While the attacker is distracted and examining the noncritical data they find in the honeypot, you have more time to track the attacker’s identity. Q: What type of IDS should I choose? A: The type of IDS you choose to employ on your network will depend on what type of network you have and what types of applications you are running.
Exam Objectives Frequently Asked Questions 207
Host-based IDSes can effectively monitor one specific computer, but not the entire network. Network-based IDSes can monitor the entire network from a high-level view, but may miss some type of attacks. Application-based IDSes are specific to one application, such as a database application, and will monitor attacks only on that application. Q: What does the Windows Firewall do if it is configured with two conflicting rules: one that disallows a particular type of traffic and one that allows it? A: Block rules will be given precedence over allow rules; if Windows Vista encounters a firewall rule that blocks a particular type of traffic, that traffic will be blocked even if other allow rules are in place. Q: I would like to configure Windows Firewall settings across my entire organization. Does Vista allow for this? A: If you are working in an Active Directory environment, you can use Group Policy to apply consistent settings across an entire organization for numerous Windows Vista features, including Internet Explorer, Windows Defender, and the Windows Firewall. Q: I don’t visit any bad sites, I use pop-up blockers, and I don’t install unknown applications. Am I still at risk for spyware, malware, and spam? A: No matter how well you regulate your Internet activities there is still a chance of inadvertently downloading spyware or adware applications. Many innocuous-looking Web site banners will take you to Web sites that are faked copies of real security sites, but really contain malicious applications for download. Even outside of the Web are numerous AOL Instant Messenger and e-mail worms that look legitimate but actually contain links to download spyware. There is always a risk, especially as the creators of spyware innovate new ways to spread their wares. Q: I am considering using Cisco CSA in my environment for zero-day protection, but I am using VMWare ESX for virtualization. Is this supported? A: This configuration will work, but you should take the amount of network traffic into consideration. If you are planning to use ESX (or Microsoft’s Hyper-V) to host CSA, you may want to dedicate a network adapter just to that virtual machine. Q: I am currently running Windows XP and I am waiting for Microsoft to release Windows 7, but I like the features of the Windows Vista firewall. Is there an add-on or service pack I can install to get this functionality? A: Unfortunately, no. If you plan to remain on XP for the time being, you will need to look at third-party firewall products.
208 CHAPTER 4 Implementing System Security Applications
Self Test
1. You have been asked to install a SQL database on the intranet and recommend ways to secure the data that will reside on this server. While traffic will be encrypted when it leaves the server, your company is concerned about potential attacks. With this in mind, which type of IDS should you recommend? A. A network-based IDS with the sensor placed in the demilitarized zone B. A host-based IDS that is deployed on the SQL server C. A network-based IDS with the sensor placed in the intranet D. A host-based IDS that is deployed on a server in the DMZ
2. Which security control can best be described by the following? Because normal user behavior can change easily and readily, this security control system is prone to false positives where attacks may be reported based on changes to the norm that are “normal,” rather than representing real attacks. A. Anomaly based IDS C. Honeypot B. Signature-based IDS D. Honeynet
3. Your network is configured to use an IDS to monitor for attacks. The IDS is network-based and has several sensors located in the internal network and the DMZ. No alarm has sounded. You have been called in on a Friday night because someone is claiming their computer has been hacked. What can you surmise? A. The misconfigured IDS recorded a positive event B. The misconfigured IDS recorded a negative event C. The misconfigured IDS recorded a false positive event D. The misconfigured IDS recorded a false negative event
4. You have installed an IDS that is being used to actively match incoming packets against known attacks. Which of the following technologies is being used? A. Stateful inspection B. Protocol analysis C. Anomaly detection D. Pattern matching
5. You have been reading about the ways in which a network-based IDS can be attacked. Which of these methods would you describe as an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time? A. Evasion C. Session splicing B. IP fragmentation D. Session hijacking
Self Test 209
6. You have been asked to explore what would be the best type of IDS to deploy at your company site. Your company is deploying a new program that will be used internally for data mining. The IDS will need to access the data mining application’s log files and needs to be able to identify many types of attacks or suspicious activity. Which of the following would be the best option? A. A network-based IDS that is located in the internal network B. A host-based IDS C. An application-based IDS D. A network-based IDS that has sensors in the demilitarized zone
7. You are a Microsoft engineer working on a new project. You need to configure a secure environment for systems and their users to perform networking functions. You want to achieve this through Windows Firewall. Which of the following correctly describes the MS recommended settings for this firewall service? A. The Windows Firewall service should be enabled for protecting all profiles on all incoming interfaces. B. The Windows Firewall service should be enabled for protecting all administrator profiles on all interfaces. C. The Windows Firewall service should be enabled for protecting all profiles on all public interfaces. D. The Windows Firewall service should be enabled for protecting all profiles on all interfaces. E. The Windows Firewall service should be enabled for protecting all standard user profiles on all private interfaces.
8. Dan is a user on your network. Computer policies prevent him from utilizing file sharing while he is connected to the company network but he needs to be able to share files while he is working from home. What would you do to accomplish this request? A. Use the MMC with the Windows Firewall with Advanced Security snap-in and change the private profile to allow incoming connections. B. Use the MMC with the Windows Firewall with Advanced Security snap-in and change the public profile to allow incoming connections. C. Use the Windows Firewall from within the control panel to allow file sharing. D. Use the MMC with the Windows Firewall with Advanced Security snap-in and change the domain profile to allow incoming connections.
9. Sam is a network administrator for a small company that has 15 Vista Business computers all joined to a domain. When checking the logs on the domain controller, he notices that there are errors communicating with
210 CHAPTER 4 Implementing System Security Applications
1 particular computer. When he checks the computer, it is able to access the Internet, file servers, and is able to communicate with the Domain Controller that was reporting the errors. What is the most likely cause of the errors? A. The Vista PC’s firewall profile is set to Public. B. The Vista PC’s firewall profile is set to Private. C. The Vista PC’s firewall profile is set to Domain. D. The Vista PC’s firewall profile is set to Block All Incoming Connections. 10. Your manager has asked you to install and configure a server to run the Cisco Security Agent Management Console. The server you choose has the following specs: Windows Server 2003 SP1, 1.2 Ghz processor, 2 GB memory, a 20 GB hard drive with two partitions, one with 4 GB of free space on an NTFS partition and one with 4 GB of free space on a FAT32 partition. What must you do to install the Management Console? A. Nothing, this configuration will support the CSA MC. B. You must add an additional 2 GB of memory. C. You must install Service Pack 2 for Windows Server 2003. D. You must add an additional hard drive with 9 GB of free space on an NTFS partition. 11. You are configuring some of the advanced features of the Windows XP firewall. You want to block the client machine from responding to pings. Which of the advanced setting types would you need to change to accomplish this? A. Network connection settings C. ICMP B. Security logging D. None of the above 12. You have decided to use a third-party pop-up blocker solution as opposed to the built-in Microsoft Internet Explorer pop-up blocker. You are looking at the Anti-Spy feature of the Yahoo! Toolbar. Which of the following is NOT one of the three available options for scanning? A. Scan at Launch C. Scheduled Scan B. Scan for Tracking Cookies D. Check for Updates on Startup 13. You are deciding between a behavior-based IDS and signature-based IDS. Which of the following are positive characteristics of a signature-based IDS? A. Examines ongoing traffic B. Uses a database of current attack signatures C. Examines ongoing activity on the system D. All of the above
Self Test 211
14. A user contacts the helpdesk to gain assistance in unblocking port 39873, which is the customized port she has assigned to an application she runs. The client application must make an outbound connection on port 80, and then the server side responds on port 39873, which is currently being blocked inbound. In what type of product would the action of unblocking a port take place? A. Pop-up blocker C. Software firewall B. Port configuration tool D. Adware tool 15. You have a user that has been calling to complain that as she is browsing the Internet she frequently receives a pop-up message asking her to install antivirus software. She states that she has gone through the install four times and she doesn’t understand why she is still receiving this message from time to time. She wants you to perform the installation to be sure it is being performed correctly and so that it will not have to be continually repeated. What could be happening on this user’s machine to create these circumstances? A. Her antivirus software is out-of-date, and she must renew it before the pop-ups for reinstall will stop. B. She had to be a local administrator on the machine for the install to complete successfully, and therefore she isn’t able to complete the install herself. C. The pop-up message was generated by the corporate antivirus server and was sent out mistakenly.You must correct the issue on the antivirus server. D. This user has adware on her machine and the pop-up to install antivirus is not an actual antivirus installation window.The user’s machine should be scanned and cleaned.
Self Test Quick Answer Key 1. 2. 3. 4. 5.
B A D D C
6. 7. 8. 9. 10.
C D A A D
11. 12. 13. 14. 15.
C C D C D
This page intentionally left blank
CHAPTER
Virtualization Technologies
5
E x a m o b j e c tiv e s in this c hapt e r The Purpose of Virtualization..............................................................................................213 Benefits of Virtualization.....................................................................................................214 System Virtualization......................................................................................................... 227 Application Virtualization................................................................................................... 230
Introduction This chapter will introduce you to the concepts of virtualization and is new to the Security+ certification. Virtualization is a very popular technology and many businesses are exploring it to reduce costs and maximize their server resources. There are several different types of virtualization all of which can be used to securely deliver applications and computing power to the end users. This technology is increasing in popularity and is accepted in both small business and enterprise data centers. It is very likely that you will encounter some form of virtualization in your career as an Information Technology (IT) professional at some point. This chapter will help you prepare for this exam and also give you a basic understanding of virtualization technology in general.
The Purpose of Virtualization Virtualization gets a lot of attention for consolidating the number of physical servers in a data center on to a few more powerful physical servers. The ability to allow one physical computer to run multiple instances of an operating system or multiple operating systems on the same physical computer is a benefit of this technology, but we are going to look at how to apply these features with a security focus. The basic concepts of virtualization are not new but come from the mainframe computing world. They were originally designed to maximize the resource utilization of expensive hardware and software, so businesses could get the best, most
213
214 CHAPTER 5 Virtualization Technologies
efficient utilization of their mainframe processing capacity. Today’s versions are not much different in their goals. Today’s application of virtualization technologies allows computer owners to maximize the hardware and software resources available to them by running multiple virtual machines (VMs) on a single physical computer. This is not much different than the mainframe, but the cost of the computer is significantly less. This capability of the more modern servers also presents both security challenges and benefits. While the number of physical computers may drop, the number of VMs will grow at an even faster rate. This makes your job as a security administrator more critical to the organization. With more VMs, there are more patches that need to be applied, more servers to be secured, VMs to be created and just as important removed, and users accessing both internal and external resources. In addition to server virtualization, there is application virtualization technology. Virtual applications run on servers located remote from the users. These users do not need to have the application or data loaded on their desktop devices. Application virtualization allows applications that may be sensitive or not compatible with a user’s desktop to operate as if they were loaded locally. These virtual applications also do not leave a trace on the client machine, so they are safe to use from computers outside the trusted network.
Benefits of Virtualization There are many benefits of virtualization for both the IT professional and the organization. With the cost of servers remaining basically flat, the power and capabilities of these is ever increasing. This has created a situation where very little of the power and performance of the physical computers are actually used in running the process or application that has been tasked on that server. It has been shown in different white papers by VMware, www.vmware.com/pdf/Solution_Blueprint.pdf, and Computerworld articles like “RightSizing Program to Boost Vendor’s Server Utilization Rates” at www.computerworld.com/action/article.do?command=viewArticleBasic&articleId= 9020679 that most modern servers are only running at 2 to 20 percent of their capacity. This is an inefficient use of the resources. Businesses want to get a better value for the money they spend on servers. The way server consolidation is achieved is through a thin software layer called a hypervisor. The hypervisor sits between the operating system that controls the physical hardware and the VMs. The hypervisor isolates the VMs from the physical hardware and even each other. This isolation enables different operating systems and multiple VMs to be run on the same physical server at the same time. One of the key benefits of a virtual infrastructure is that all the VMs have standard virtual hardware regardless of the physical platform they are currently running on. This feature creates a utility computing environment. The VMs simply work on
Benefits of Virtualization 215
whatever physical server the organization chooses. As long as you maintain the same hypervisor, the VMs can be run on any server supporting the hypervisor. If you are changing hypervisors, you may need to use a converter utility available from several vendors. This is the only type of change that is necessary to bring up a VM on different physical hardware. By leveraging the advanced features of many hypervisors, you can move running VMs to another physical server without interruption to the users accessing the virtual server. The old physical server can be upgraded, repaired, or replaced all without changing the VM. This utility computing feature allows for rapid recovery in case of disaster or security breach. The virtual server configuration files and virtual disks can be copied or snapshots taken transferred to a remote facility or separate storage and then used to restart the VM in a different location without regard to drives or physical hardware differences. This feature allows for recovery of VMs in minutes instead of hours or days using traditional servers. If a server becomes compromised, a previous snapshot can be applied and the VM is back to that point in time. The corruption does not have to be removed because it was not present when the snapshot was taken. The same methods can be used when testing new software or a new patch. If the patch or software causes a problem, then the system can be rapidly restored to the previous condition without rebuilding it. This saves a significant amount of time in the development and testing of software and patches. There are other side expenses related to consider when determining the value of virtualization such as the cost of network ports, power connections, heating and cooling, space requirements, maintenance and upgrades, replacement and disposal of equipment, and the amount of manpower it takes to manage and maintain a physical infrastructure. For the organization, the benefits can be as follows: ■■
■■
■■
■■
Reduced cost of hardware One physical server can support several VMs at the same time. The VMs can share the physical resources such as processor, memory, disk storage, network interface card (NIC), and power connections. Reduced space requirements VMs don’t require any additional rack or floor space in the data center other than what their host server requires. With the demand for servers increasing, the available rack or floor space in a data center becomes a valuable commodity. If your servers are in a hosted facility, you pay for space by the rack unit or U. Virtualization reduces the number of rack units required to host your computing needs. Rapid deployment of new servers VMs are nothing more than large files, so they can be rapidly copied or cloned from a previously configured VM. You do still need to perform the customizations on the copied or cloned VM. High availability Because VMs are just files, they can be moved to a different host and restarted if the physical host server experiences a problem, needs an upgrade, or needs to be replaced. This makes updating your server hardware a much easier process than with a physical server.
216 CHAPTER 5 Virtualization Technologies
■■
■■
■■
■■
■■
Hosting multiple environments You may have configured a server before with a dual boot capability. While this will allow you to run multiple operating systems on a single computer, you can only run one of them at a time. With virtualization, you can run multiple operating systems on the same physical computer at the same time. Separation of VMs Each VM is independent from the others running on the same physical server. If one VM fails, it does not affect the others. VMs can be stopped and started without impacting the other VMs. Ability to maintain a test/development environment Virtualization enables the organization to have an environment that will closely match the production environment without the additional expense of duplicate physical servers. Developers can program on systems that will match the production servers, recover quickly from any program crashes, and be isolated from the production network. For the security administrator You can create a template for the VMs to use as they are created. This will maintain the proper security settings and patches. The ability to set up virtual “honey pots” allows you to monitor any intrusion attempts and quickly isolate them and replace the server with a fresh one. Software testing and training Most training and testing can be done using a VM without the need to purchase additional hardware. This gives the organization the ability to test potential software or allow the security administrators to train on a production-like computer without the need to purchase multiple servers.
Head of the Class This autonomy of VMs allows you to create secure virtual “data center in a box” environments. With additional NICs and using virtual local area networks (VLAN), you can create an Internet facing network connection to a firewall running on a Linux server with an internal connection to virtual servers running in a DMZ or connected to the production network. Figure 5.1 shows this concept using three physical NICs and an internal switch with the physical server and seven VMs. The Firewall server is connected to the Internet using NIC 1 and is connected to the production using NIC 2. The production servers, domain controller, file server, and the application server are all sharing NIC 2 to access the production network. The Web server, mail server, and File Transfer Protocol (FTP) server are connected to the Firewall DMZ network using an internal switch. This effectively isolates that environment from the production network and the Internet. An additional management network is connected to NIC 3 to separate the physical server from the production network.
Benefits of Virtualization 217
Figure 5.1 Data Center in a Box
Types of Virtualization Like most everything else there are different types of virtualization. While each type provides an isolated environment for the VMs, they go about it in different methods. The actual methods of virtualization are outside the scope of this book and the Security+ exam. We will go over the basics so you will be aware of the major differences. All four use a layer of software or firmware called a hypervisor. It is the hypervisor that isolates the VMs from the physical hardware or operating systems of the host and manages the system calls to the physical resources of the host computer. There are basically four types of virtualization: hosted, binary translation, paravirtualization, and hardware assist. ■■
Hosted This type of virtualization uses a base operating system to run the physical computer, and the hypervisor manages access to the physical resources through the operating system. The base operating system is normally Windows or Linux, but there are hosted virtualization versions for the Mac. Figure 5.2 shows the logical connections between the VMs and the physical resources. While this type of hypervisor is workable on a smaller scale, it still inherits the vulnerabilities and overheads of the host operating system. Hypervisors of this type are commonly used for running multiple VMs on
218 CHAPTER 5 Virtualization Technologies
Figure 5.2 Hosted Hypervisor
desktops or laptops. VMware Workstation and Parallels Desktop along with Microsoft Virtual PC are examples of the desktop virtualization products. VMware Virtual Server and M icrosoft Virtual Server 2005 are examples of a server-based hypervisor using a hosted design. The benefits of this type of hypervisor are that you can utilize most any additional hardware resources the host operating system can support. ■■
Binary Translation This type of virtualization has a very thin operating system below the hypervisor. The hypervisor captures all system calls for hardware resources and translates the virtual to physical calls. Figure 5.3 shows how this type of hypervisor works. By translating all system calls, each VM is completely isolated from the underlying hardware. All VMs have the same type of virtual hardware regardless of the underlining physical hardware. This allows VMs r unning on different physical hardware to be migrated to all hosts. The drawback to this type of hypervisor is that there is a performance cost as the hypervisor must translate all system calls for hardware resources. This requirement of complete translation severely limits the type of physical
Benefits of Virtualization 219
Figure 5.3 Binary Translation Hypervisor
r esources that can be presented to the VMs. VMware ESX server is an example of this type of hypervisor. ■■
■■
Paravirtualization This design of hypervisor allows some specific system calls to be passed directly to the physical resources. The remaining system calls are still translated before passing to the physical resources. In a true paravirtualization hypervisor, small pieces of the guest operating system are changed to modify kernel operations. These changes are picked up by the hypervisor and translated to the physical resources. Some less disruptive hardware calls are allowed to pass directly to the physical resources. Figure 5.4 shows the paravirtualization hypervisor. Hardware Assist This type of hypervisor leverages the benefits of the paravirtualization design and takes it a step further by adding specific CPU calls from the guest VMs. This allows for an even thinner hypervisor and increased performance of the VMs. Both Intel VT and AMD-V are examples of hardware assist in a paravirtualized hypervisor. Commercial versions of this type of hypervisor can be found in Citrix XenServer, Microsoft Hyper-V, and VMware
220 CHAPTER 5 Virtualization Technologies
Figure 5.4 Paravirtualization Hypervisor
ESX 3.5. Figure 5.5 shows how this additional feature can be used by the guest VMs. You must have specific hardware and a hypervisor that will support these features. Most modern servers will have hardware assist virtualization settings in the BIOS. You must enable these features to use them with your hypervisor. In many instances, your hypervisor will not successfully install unless these features are present and active. The management application program interface is the interface into the physical computer and the underlying operating system that controls the physical resources and interfaces with the hypervisor. The guest VMs do not interact with this component. Microsoft, Citrix, and VMware make a separate piece of software that connects directly to this layer for creation and management of the physical and VM. Exam Warning One of the benefits of virtualization is the rapid deployment and restoration of a compromised virtual server. Remember that you can use the snapshot features of the hypervisor to get a clean copy of the VM. If it becomes corrupted or compromised, the snapshot can be used to rapidly recover the virtual server to its original state.
Benefits of Virtualization 221
Figure 5.5 Hardware Assist Hypervisor
Designing a Virtual Environment The differences in hypervisors have now been explained and some of the benefits of a virtual environment explored. These new tools while very flexible and powerful can also present challenges to the security team if the environment is not well designed and manageable. VMs are isolated both from the physical host computer and each other for the most part. It is important to remember that most of the physical resources are shared even though there is a separation between the VMs. You should take advantage of the physical capabilities of the hypervisor and add additional NICs and separate your storage and use the snapshot and backup features of the hypervisor. If you properly allocate your physical resources, you can create a robust and secure environment for your virtual infrastructure. The virtual infrastructure is very similar to a physical infrastructure in what can be done. It is possible to connect VMs to internal switches, physical NIC bonds or teams, VLANs, and internal and external storage. These features allow you to design and connect the different VMs to the necessary resources and still maintain your security design.
222 CHAPTER 5 Virtualization Technologies
Processors Most modern processors are now multicore and have the hardware assist features for virtualization. They are mostly all x64-bit technology and will support both 64-bit and 32-bit guests. If you do run across an older processor, you may need to use a hosted hypervisor for your VMs. You would then be limited by the restrictions of the host operating system. There are hosted hypervisors for both Windows and Linux. Multicore processors are like adding additional physical processors to your server. They appear as either a two or four processor system. Some hypervisors do require at least two physical processors. Once loaded, they will utilize each core as a separate processor. There are some limitations you should be aware of when considering the processor selection for your virtual environment. ■■
■■
Total number of processor cores Most hypervisors will only support up to 32 processor cores. Current versions will allow up to 256 or more, but you should check the limitations of the hypervisor you select. It sounds like a lot of capacity until you do the math. A standard dual core/dual processor server is four processor cores. If the same server has quad core processors, we have eight cores. If we have a four processor server with quad core processors, we have 16 cores. The eight core processors are coming out soon so it is not as difficult to hit the limits as it once was. Pick a processor family Both Intel and AMD make multicore processors with hardware assist virtualization built in. Everyone has his own particular favorite, and each vendor will change position based on its latest release, so we won’t get into the debate on which is better. Just pick the one you prefer and stick with that processor family. Some hypervisors allow motion of running VMs between physical servers, but they must have processors from the same family. That means if you select one vendor as your processor of choice, you should stick with that family of processors. It is possible to move VMs between processor families, but it normally requires you to shut down the VM.
Networking It is normally possible to support between 6 and 32 physical NIC cards on a host server depending on the version and vendor of your hypervisor. You should consult the Administrator Guide or Read ME notes of your selected version for specific limits. Each VM can have four or more virtual NIC cards. These NICs can be connected to internal switches or external port groups. As can be clearly seen, there is plenty of flexibility for the virtual infrastructure. Figure 5.6 shows a minimum network configuration recommendation. By adding or redistributing the physical NIC connection to a team, a wide variety of designs can be created. With the resources shown in Figure 5.6, you could create several groupings from four individual networks to two teams of two NICs or a team of three NICs and a second LAN of one NIC. Just remember that a physical NIC can only be part of a single team. A team can consist of one or more
Benefits of Virtualization 223
Figure 5.6 Recommended Network Configuration
physical NIC cards. You can also configure internal only virtual switches that require no physical NIC cards. This flexibility allows you the ability to meet most any security or network need. Test Day Tip You can use VLANs for dividing your VMs and setting up different network connections. You can also use an internal switch to connect VMs without connecting them to an external network. Take the time and draw the connection maps to make sure you are meeting all the requirements of the questions.
For security, you could break up the NIC team into two groups of two NICs or four groups of one NIC and assign each to different VMs. You could assign a different set of VLANs or port group to each physical NIC and assign each VM to a separate port group to isolate them. You could even set an internal switch and connect the VMs to act as an internal firewall between different VLANs. As you can see, the configuration
224 CHAPTER 5 Virtualization Technologies
can get quite complicated, so it is recommended that you create and maintain good documentation for which physical NICs are connected to the port groups and assigned to specific VMs. Internal switches need to be documented as well. Because the network cards are shared among VMs, it is recommended that you try to use gigabit NIC cards where possible. Your external switches should also be nonblocking or wire speed if possible for best performance.
Storage Storage is where the VMs are kept along with their data. You can use the server’s local disk drives or Direct Attached Storage Devices (DASD), a Storage Area Network (SAN), or a Network Attached Storage (NAS), or a combination of each for this purpose. Remember that your VMs are really big files that must be managed by the physical server. While this is not normally a problem for the hypervisor, the type of storage you choose can make a big difference in the performance and availability of your VMs. How you use your storage can also increase the security of your virtual infrastructure. Authentication protocols and encryption can be applied to the storage used to increase the security and control access to the shared storage. The different storage types each have benefits, and the basic advantages will be shown here. There are more options than the ones listed, but these will give you a solid knowledge of what is available and how it can be used. ■■
■■
DASD This type is the most common and familiar. These are the local hard drives in the physical server. These may be connected to a Redundant Array of Inexpensive Disks (RAID) controller or just connected to the internal disk controller. Either way, this type of storage is normally exclusive to the physical server it is connected to and cannot be shared with other servers. This storage can have a very fast transfer rate and good read write speeds but can require the physical server to manage and send instructions to the disk controller for reads and writes. If you are using a hardware RAID controller, much of this management overhead is removed from the processor and handled by the RAID controller. Figure 5.7 shows a RAID controller design using DASD storage. There are several types of RAID configurations and each requires a minimum set of disk drives and provides a different level of data protection from none to multiple disk failures. In Figure 5.7, you can see we have two arrays configured. One is for the system containing the operating system and hypervisor. The second is configured for the VMs. The VM array may be much larger because VMs are actually large files themselves. It is not uncommon for the VM to be 20 to 100GB in size. Remember the VM files represent a complete server including the local storage for that server. SAN The SAN is a standalone device that can share the storage among multiple physical servers. These connections are typically made using either Fiber Channel (FC) or Internet small computer system interface (iSCSI) connections. There are other connection protocols but these are the two we will discuss
Benefits of Virtualization 225
Figure 5.7 Direct Attached Storage Devices
in this chapter. Figure 5.8 shows a typical SAN design. Notice the SAN switch in between the servers and the storage. This is the component that allows for multiple physical servers to connect to the storage. This switch must match the protocol of the SAN. Exam Warning You should know the different types of storage and any security associated with them. FC has the least storage because of the design and protocol. The FCSecurity Protocol (SP) is being adopted, but because this is a fiber network that only moves disk Input/Output (I/O) traffic and is typically local only to the data center, there is less opportunity for compromise of the data. iSCSI and NAS storage use Ethernet and Transmission Control Protocol (TCP)/Internet Protocol (IP) for communications and therefore are more vulnerable to compromise. iSCSI uses Challenge Handshake Authentication Protocol (CHAP) authentication and NAS devices use either Network File System (NFS) or New Technology File System (NTFS) and rely on a user name and password for access.
■■
FC SAN connections can transfer data between 1 and 8 Gbps. They use a special interface card called a host bus adapter (HBA) and are typically connected using a fiber optic cable. FC-SP is designed to secure the transfer of data across the network between the storage and the server. It does not address the data stored on the SAN. Because of the protocol used, the data are not routed or sent across routers or outside the data center. The VMs would normally be loaded on the SAN and accessed by the physical server when they needed to be run. The fast data transfer rate and relatively large number of disks make this a very robust solution.
226 CHAPTER 5 Virtualization Technologies
Figure 5.8 Storage Area Network
■■
■■
iSCSI SAN connections transfer data at 1 Gbps using normal Ethernet protocols. This disk traffic should be isolated on a separate VLAN to improve performance and security. The iSCSI protocol can take advantage of jumbo frames on an Ethernet network. This feature must be supported by the network switch before it can be used. It is also recommended that an iSCSI HBA be used instead of a normal server NIC. This iSCSI HBA will offload the network processing of the iSCSI traffic and generally improve the performance of the physical server. Because of the ability to transfer data over a normal network, security is built into the protocols. CHAP is a protocol that is used to authenticate the connection and is based upon sharing a security key that is similar to a password. NAS This type of storage is similar to the SAN except it uses normal server NICs and a protocol called NFS.This type of shared storage was originally developed for sharing files to individual computers by allowing the storage to be mapped to the local system as a local disk drive.The transfer of data is limited to the speed of the network. Figure 5.9 shows the design of a NAS device connection. NAS devices use configuration files for security.The first is the /etc/exports file and lists the IP addresses of client machines allowed to connect to the NAS device. Further security is applied using file and directory level security. If your NAS device is a Linuxbased device, you may be able to further edit the /etc/hosts.allow and /etc/host. deny file to allow or deny specific client server connections.You could also have a NAS that uses the NTFS. This type of file system is secured using your existing Active Directory or other workgroup permissions. Either way the VMs are accessed by connecting to the file shares and mapping the drive to the hypervisor before starting the VM.There is more overhead for this type of connection, so it is recommended that a separate VLAN or network be created for your NAS connections.
System Virtualization 227
Figure 5.9 Network Attached Storage
As you can see, it is very easy to start using multiple NICs in a virtualized infrastructure. Planning the implementation and leveraging the features of the hypervisor will help you maintain the security policies while still providing a robust and flexible virtual environment.
Damage and Defense In the real world, a shared storage model is the preferred design. Using shared storage is what enables all the advanced features of the hypervisor. To use the motion, load balancing, and high availability features, you must have a shared storage design.
System Virtualization Now that we know what the different components are and how to leverage them into the virtual infrastructure, we need to look at how to virtualize our systems. We need a method to virtualize both existing and any new systems we might need. We also
228 CHAPTER 5 Virtualization Technologies
want to be able to manage these systems once they are virtualized and we need to know how to remove the VMs when they have reached their end of life. While each individual hypervisor has tools for performing all these functions and they all look a bit different, the functionality is common across all the major hypervisors. Each hypervisor may even have its own file format for the virtual systems. Some will read the different virtual file systems; others may even use other formats directly in some instances. When a VM is created, there are at least two files created, a configuration file and a virtual hard drive. The format of the configuration file may vary from one hypervisor to the next, but it contains similar information such as the location of the virtual hard drive, the name of the VM, the amount of memory allocated to the VM, the number of virtual NICs, and any other virtual hardware or connections for this specific VM. Figure 5.10 shows an excerpt of a configuration file. It is best not to directly edit these files unless you are experienced with the specific formats used by your particular hypervisor. If you manage to corrupt the configuration file, you can always just create a new VM and attach a current virtual disk to it. The new VM will start up using the settings in the new VM. Test Day Tip VMs consist of a configuration file and a virtual disk file. The configuration file is either text or XML and describes the virtual hardware and memory configurations. The virtual hard disk file is a specific format and is not directly readable. You need both files to start a VM.
<SwitchName type=“string”>60d80302-00e6-4256-91ee-ce8ca0ba449d <_83f8638b-8dca-4152-9eda-2ca8b33039b4_> <pathname type=“string”>C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\TS Gateway.vhd VHD <pathname type =“string”> NONE <pathname type=“string”>C:\Windows\system32\vmguest.iso ISO
Figure 5.10 Configuration File for a VM
System Virtualization 229
This is only a small part of the total file and is shown as an illustration of the type of information contained in the configuration file. The virtual disk file is where the operating system and data files are stored for the VMs. Depending on the specific features of the hypervisor, this file may be created all at once, a 20GB file or it may be allocated for the specified size and created in 2GB chunks. This makes the virtual hard disk much faster to create and does not use any space that it really doesn’t need. This saves storage space but still makes the operating system believe it has full access to the allocated storage. You can mix operating systems, Windows and Linux, on most all hypervisors. Some will only allow multiple versions of the core operating system. Each VM can be started and stopped independently just like physical servers.
Exam Warning You can have VMs running different operating systems on the same physical machine. You can also have VMs with different virtual hardware configurations like multiple processor configurations or multiple NIC cards or additional virtual hard disks.
Creating VMs can be done one of two ways, physical to virtual conversion and creating a new system. ■■
■■
Physical to virtual conversion This method is best if you are moving from a physical infrastructure to a virtual infrastructure. The method of conversion can be done online or offline depending on the utility you are using to do the conversion. Most will allow an online conversion and are nondestructive to the physical machine. This feature helps maintain a recovery path should the VM encounter problems. Simply power the physical server back on and restore access to the users. Normally, once a server is virtualized, you will want to go through and remove any unnecessary device drivers. You may need to maintain an end of life operating system on a server that is experiencing hardware problems. There may not be a way to replace the failing hardware or find drivers for the old operating system that work with the new hardware. Virtualization can be used to maintain the failing server by migrating it to a virtual environment. You should check the supported operating systems of the chosen hypervisor to verify the end of life operating system is supported. Creating new virtual servers This is the same process as loading a new physical server. The difference is that since it is a VM, it can be done faster and in many instances a clone or template can be used of an existing virtual server. This method makes the process of creating a new server a mostly automated and quick process. After loading the operating system, you should run the integration tools to set up the video, mouse, network, and other basic drivers to use the virtual drivers. Most hypervisors have virtual drivers for both Windows and Linux.
230 CHAPTER 5 Virtualization Technologies
Notes from the Field It is a recommended practice to create “golden masters” of each type of VM in your environment. You can use this VM to clone new VMs and they will startup with the latest patches and service packs. This will save a lot of time as you build your virtual infrastructure. Just remember to update this master machine on a regular basis.
Management of Virtual Servers Most hypervisors have a management console to control the virtual environment. This is typically loaded on a separate server beside the physical host. There is also a connection client for some that will allow you to connect to specific VMs for management of that VM. Usernames and specific roles can be assigned to functions and available VMs. This feature allows the security administrator to control administrative access to only the necessary level of access and specify the VMs a user can access or the administrative tasks that can be performed. Figure 5.11 shows a management console. Although each one is different, the f unctions are all similar. From this console, you can see which VMs are configured, which are running or stopped, which have a snapshot, and when it was taken, and you can edit the settings of both the VM and the physical host and hypervisor. If you want to create a new VM, you can use this console to perform the necessary functions. The ability to load a console manager on a separate desktop or server allows true remote management and a lights out environment. With most hypervisors, you can create an International Organization for Standardization (ISO) file store. This is used to copy the installation media of operating systems and applications that are used for your VMs. Each VM can mount either the physical DVD of the host or an ISO image to the virtual DVD drive. By connecting the virtual DVD of the VM to an ISO image, you can have multiple installations going at the same time. You also want to make sure to disconnect the virtual DVD and the virtual floppy from each VM. This not only improves the performance of the VMs but prevents an inserted disk from autostarting and running any malicious code.
Application Virtualization Another method of virtualization is to virtualize applications. This technology allows users to be presented either a desktop or a list of available applications for performing their tasks. The applications actually run on a server that may be located either on the local area network or across wide area links. Because the applications are executed on a server and only the display, key strokes, and mouse movements are presented across the network, performance is seen as if the application is being executed locally.
Application Virtualization 231
Figure 5.11 Hyper-V Management Console
There is a robust set of security options to control both what a user can do and what a user can see. Even the connection can be configured to support full encryption from end to end on the connections. There are two common types of application virtualization in the Windows environment, Microsoft Terminal Services (now called Remote Desktop Services), and Citrix XenApp. There are versions of XenApp that will run on UNIX and most versions of UNIX/Linux support Xwindow services. Regardless of the method of application used, the principles are the same. The client connects to the server and is presented the application interface. While the client is entering information and operating the application from their desktop, the real work is actually being performed on the server in the data center. These are commonly referred to as a thin client solution because there is no application processing being performed on the client desktop. Test Day Tip Application virtualization is the easiest method of deploying and updating applications to users. You just need to update the applications on the terminal servers and all the users will receive the new or updated version the next time they log on.
232 CHAPTER 5 Virtualization Technologies
Terminal Services (Remote Desktop Services) This is the multiuser feature of Windows that enables remote access and application virtualization. Users connect to the application server using the Remote Desktop Protocol (RDP). User key strokes and mouse movements are sent to the server and the display is sent back to the user.While user sessions are basically isolated from one another, they are subject to a shared server. The Terminal Services Web interface allows users to access the terminal servers using a Web browser. This can have a Secure Sockets Layer (SSL) certificate attached to it for encryption of the channel between the user and the Web server. Microsoft has also supplied a Terminal Services Gateway service that provides a more secure connection between the end user and the terminal servers. Log-on authentication is provided by the internal Active Directory. Users connect using RDP over SSL on port 443 (see Figure 5.12). Once granted access, the connections are over the normal RDP port 3389. Users can connect to either an application being provided by a server running Terminal Services or a desktop or server allowing remote connections. Even using the RDP client, a user can be prevented from downloading files or even printing to other than network resources. This prevents users from compromising the security policies and maintains the security of data within the data center. A server-based desktop can be provided to users, but this desktop will need to be restricted using group policies to prevent improper actions from the users. Settings
Figure 5.12 Terminal Services Connection
Application Virtualization 233
like removing the Shutdown option must be set to prevent a user from inadvertently shutting down the terminal server and dropping all the connected users. Microsoft has developed a new option for application virtualization with Windows Server 2008 called RemoteApp. This feature creates an installer package that can be deployed like a normal application. It will create icons and Start menu items on a user’s desktop. When clicked on these, RemoteApps will initiate a connection to the remote terminal server and start the application on the server. This feature also allows the RemoteApp to be published from the Web server for clientless operations.
XenApp Citrix has developed additional functionality for Terminal Services for several years. Application servers are able to load balance, and policies that apply specifically to the terminal servers can be added. There is also a much more granular administrative permissions allowing for nonadministrators or users to perform specific functions like password resets and client connection management. Users take advantage of Citrix’s Independent Computing Architecture (ICA) protocol to access the application server’s resources. This client allows for a full 128-bit encryption and supports TLS and SSL certificates. When used with SSL certificates the ICA protocol encrypts the entire connection from client to server. The ICA protocol also channelizes different types of data streams. This allows security administrators to restrict file downloads to local disk drives or even printing to unauthorized printers. This all combines to make this a very secure protocol for remote users. This protocol is also optimized for low bandwidth and can provide a better multimedia experience to remote users. Like Terminal Services a server-based desktop can be presented to users but careful application of group policies must be used to prevent access to server system drives, and folders by users. The use of roaming profiles and home drives is the recommended design for providing users their own flexible environments. Like Terminal Services the Access Gateway provides secure remote access from remote users across the Internet. There are several versions of this Gateway ranging from a software-only-based solution to a fully load-balanced, hardware-based solution. The hardware-based solutions can also act as SSL virtual private network (VPN) access points. Exam Warning The Terminal Services Gateway from either Microsoft or Citrix both use an SSL certificate from a trusted authority like Verisign or Thawte to secure their communications and the user connections. This makes the URL require the HyperText Transfer Protocol Secure (HTTPS) tag.
Application Streaming Application streaming is another method of application virtualization. This method uses a sequencer that monitors how an application starts up. It records the different
234 CHAPTER 5 Virtualization Technologies
program modules as they load and monitors when the application becomes f unctional. The application is sequenced so the most functional blocks are loaded first and the application can be used. As the user requests additional features those blocks are streamed to the application. When the application is sequenced, the streaming file is stored on a file server. The application is presented to the user through XenApp, a RemoteApp, or even from an Active Directory installation file. When the user clicks on the application, the file server is contacted and the application is streamed to the user’s computer or session for processing. When the user closes the application, all files are removed from the computer executing the application. Figure 5.13 shows the process for application streaming. It is possible with this technology to check out an application if a user is going to be working offline. The checked out application will fully stream to the user’s desktop and will function as if installed for a preset period of time. After that time, the application will not start back up. When the user reconnects back to the network, the files created will be synchronized back to their file server and the application can be checked back in or renewed for checkout.
Test Day Tip Application streaming is a way to make applications portable. The streamed application runs in an isolated memory space and does not conflict with other applications loaded on the desktop. When the application is closed, there are no traces left on the client desktop.
Figure 5.13 Application Streaming
Summary of Exam Objectives 235
Both Microsoft and VMware offer an application streaming product. Microsoft App-V, formerly SoftGrid, allows applications to be streamed to both a terminal service environment and a traditional PC desktop. The ThinApp from VMware lets an admin package an application so it can be run from a thumb drive or checked out to a physical or virtual desktop. Both types of application streaming present the application in an isolated environment and do not leave any residual traces on the client desktop. These can be very useful in deploying applications without actually doing an installation on a desktop. They both use the computing resources of the local desktop to run the application locally on the desktop.
Summary OF EXAM OBJECTIVES In this chapter, we explored the following: ■■
■■
■■
■■
■■
The purpose and application of virtualization technology Using virtual technologies, we can rapidly deploy servers of different operating systems on common physical hardware.These VMs are fully functional and present themselves as physical servers to users and the outside world.We can leverage the flexibility of a virtual environment to deploy security servers alongside normal production servers. It is possible to create a complete data center in a box by using virtualization. The benefits of virtualization Leveraging virtual servers can reduce the overall number of physical servers that must be maintained in the data center. This reduces overall costs and decreases the cost of power, cooling, and rack space. All VMs on a hypervisor have the same virtual hardware, so they can be moved between physical servers without changes even if the physical servers are from different manufacturers or have different hardware. If a VM is compromised, it can be restored from a snapshot rapidly and the breach was never there. Each VM is isolated from the others and is isolated from the physical host. If a VM crashes, it does not affect the other running VMs. Using multiple NICs and managing the connections of the VMs, complete isolated environments can be quickly created. There are four types of virtualization: hosted (requires an underlying operating system), binary translation (all system calls to hardware are translated by the hypervisor), paravirtualization (some system calls are passed directly to the hardware), and hardware assisted (specific system calls are interpreted by the virtualization instructions in the host CPU). Using multicore processors can add more processing horsepower to our host server, but the limits of the hypervisor need to be accounted for if we are using more than four physical processors. Leveraging multiple network cards allows us to design complete infrastructures that can isolate virtual servers to create security zones or connect different VMs to different VLANs as the needs of the organization dictate.
236 CHAPTER 5 Virtualization Technologies
■■
■■
■■
■■
■■
■■
■■
Selecting the type of storage used in a virtual infrastructure can provide a means of high availability and motion for the VMs between physical servers. Selecting between local disks (DASD), SAN using either FC or iSCSI, or NAS connecting to the data network, can provide a wide variety of solutions to the organization and meet the needs of most all requirements and budgets. System virtualization Shows that the VMs are actually just files that are read by the hypervisor. A VM consists basically of two files: a configuration file (contains all the virtual hardware settings of the VM) and a virtual hard disk file (contains the hard disk information and data for the VM). These files can be moved between physical hosts or used as a template to create additional VMs. You can use third-party tools or sometimes tools provided by the hypervisor vendor to migrate current physical servers to a virtual environment. A repository of ISO image files for operating systems and applications can be created to be used for creating new VMs or adding applications to one or many virtual servers at the same time. Most hypervisors have a management console that allows an administrator to perform basic functions of starting, stopping, or pausing VMs. From the console, the administrator can take a snapshot of a VM or change the virtual hardware setting to add or modify the virtual hardware. The administrator can also remove VMs when they are no longer needed. Application virtualization The virtualization of applications allows a user to access and run an application hosted on a server as if it were loaded locally on their desktop. Applications respond the same but are actually running on a server in a remote location. The permission of the connection can be adjusted, so files cannot be saved to the local device or printed to unauthorized printers. When the user disconnects from the application, there is nothing left on the client desktop. Applications being hosted can be accessed securely from outside the network and from untrusted clients by using a gateway device or software. These gateways will establish a secure connection using SSL certificates and may allow complete encryption form the client to the application server. Application streaming is a method of application virtualization that sends only the necessary application modules for the user to begin working, while waiting for a request for the remaining modules. When a user exits the applications, all traces of it are removed. This is a good method for deploying applications in an isolated environment where the streamed application may conflict with a locally loaded application. If a user needs the application in an offline mode, it can be checked out and performed as if loaded locally. After the specified time expires, the application will no longer work. This is a good feature if a desktop or laptop is stolen or lost because all applications will cease to run and the data are not recoverable.
Exam Objectives Fast Track 237
Exam Objectives Fast Track The Purpose of Virtualization ■■
■■
■■
Virtualization increases the availability of enterprise resources in a highly available, secure manner. Servers, desktops, and applications can all be accessed using virtualization. Application virtualization lowers cost by increasing the lifespan of user desktops. Application virtualization can allow older client devices to run current software by leveraging the server resources and only presenting the application to the user. Increasing the portability of enterprise resources reduces costs and increases reliability. Server virtualization converts physical servers into files on a host server. These files can be transferred between physical hosts and are isolated from each other, so if a virtual server fails, it does not affect the other VMs.
Benefits of Virtualization ■■
■■
■■
■■
Virtualization of servers will increase the overall utilization of server resources. High performance servers support many VMs and different operating systems on the same physical host. Virtualization of storage makes better use of resources among the physical hosts by eliminating silos of underutilized disk storage. Virtualization of applications allows for lower powered desktops to run current applications by leveraging server resources. Operating costs are lower because virtual servers use less power, network, and storage connections. They also produce less heat and require fewer physical servers and rack space.
System Virtualization ■■
■■ ■■
■■
Server virtualization allows for multiple VMs to be run at the same time to maximize the utilization of the physical hardware resources. VMs can have different operating systems all running at the same time. A hypervisor is a thin layer of software that allows VMs to run on the same server. The four types of hypervisor are hosted, binary translation, paravirtualization, and hardware assist.
238 CHAPTER 5 Virtualization Technologies
Application Virtualization ■■ ■■
■■
■■
■■
Virtualized applications can be published or streamed. Published applications use the power of the server’s resources to run the applications and merely present the screens to the user and accept the mouse and keyboard inputs. Streamed applications can be run locally on the client desktop without being installed on the desktop. When the user closes the application, all traces disappear. Streamed applications can be checked out so users can run them without being connected to the network. Virtualized applications can be updated centrally for all users. When users access them the next time, the updated application is what will be presented.
Exam OBJECTIVES FREQUENTLY ASKED QUESTIONS Q: What kinds of servers can be virtualized? A: Most servers running Windows or Linux can be virtualized. Each hypervisor has a specific list of all supported operating systems. The biggest challenge to virtualizing a server is the workload the server is performing. Servers with CPU, memory, or input/output (I/O) intensive workloads may not make good candidates for virtualization. Servers requiring peripherals like FAX boards or USB dongles may not be good candidates for virtual servers. Alternatives for some of these restrictions can usually be found. Typical good candidates are file and print servers, domain controllers, application servers, firewalls, management servers, proxy servers, Web servers, and remote access servers. Q: Can VMs have different operating systems when running on the same physical host servers? A: Yes, you can mix supported operating systems for VMs on the same physical host server. This is a key feature of virtualization and makes this technology a desirable choice for server consolidation and remote office deployments. It is also possible to run a mix of 64-bit and 32-bit operating systems on the same physical host as long as the host is loaded with a 64-bit hypervisor. Q: What makes a good candidate for a VM? A: Most servers are underutilized. These servers are the prime targets for virtualization. Servers used in test and development that must be rapidly deployed or easily recovered to a known state are good candidates. In the security world, all types of support servers for proxy, firewall, or intrusion
Exam Objectives Frequently Asked Questions 239
detection are good choices. The ability of the physical host to support multiple NICs allows for segmentation of the network to fit most any design. Q: Is shared storage required for VMs? A: Shared storage is not required for virtualization. It is desired if there is more than one physical host and a requirement for high availability or motion of the VMs between the hosts. Additional benefits are gained by using shared storage by eliminating unused storage islands of local disks. Q: What type of shared storage is supported on a physical host? A: Most hypervisors will support local disks and RAID controllers (DASD), SANs using either iSCSI or FC connections, or NAS using either NFS or NTFS connections. Each type has its own benefits and weaknesses. You should make sure your selected storage type is supported before purchasing a solution. Using hardware HBAs for FC and iSCSI will improve performance of the host servers and access to the shared storage. Q: What are the benefits of a NIC team on the physical host? A: Using a NIC team allows multiple network cards to be joined together to increase the bandwidth to the VMs attached to that team. The team can also be configured to be fault tolerant; in the event a NIC or switch port fails, the VMs will maintain their network connections. Q: How can I tell if my physical server can support hardware assisted virtualization? A: If you are running a modern processor from Intel or AMD, it is likely you have the hardware assisted features built into your processor. You can check the manufacturer Web site for your model, check the BIOS for an enable feature, or look for the AMD-V or Intel VT logos. Q: What applications can be virtualized using Terminal Services or XenApp? A: Most any application that can be run locally on a server can be virtualized for users to access using Terminal Services or XenApp. This does not mean every application is capable, but as these technologies have evolved, the number of noncompliant applications has diminished. Most applications published using application virtualization are user applications and not server applications. Examples of user applications are Microsoft Office, Adobe Acrobat, or FrontRange GoldMine. These are applications that users access to perform their jobs everyday. Server applications are the back-office applications like database servers or messaging servers. Users do not normally interact directly with this type of application. Once the application is virtualized, it can support multiple users and removes the processing of the application from the client device. User connections can be configured to use encryption and prevent access to local disk drives or printers to protect the data security.
240 CHAPTER 5 Virtualization Technologies
Q: When would I need to use application streaming? A: Application streaming is a useful feature if it is necessary to run two different versions of the same application on a client device. The application stream is running in an isolated environment and will not conflict with the other applications on the client device. Another good use is to deploy applications to roaming users. These users can check out an application and use it when disconnected from the network for a specified period of time. If they do not connect to the network to check in or renew their application checkout, the application will cease to function. If a laptop is lost or stolen, the application will only work for a short time before being rendered inoperable. Q: How are virtual applications accessed securely over the Internet? A: Both Terminal Services and XenApp have a gateway server that allows secure connection using SSL certificates. This allows users to connect over the Internet using any device and maintain a secure connection while not leaving anything behind on the client machine. The different products have similar features and differences to fit your specific needs.
Self Test
1. You are the security administrator for Versa Corp. You have been assigned the task of creating a “honey pot” server on the company’s Internet DMZ. You have decided to use virtualization and a VM for this purpose. One of the best reasons for using a VM is A. VMs run Windows only and cannot have security template applied to them B. VMs can be rapidly restored when breached C. VMs cannot join the production Active Directory D. VMs are not vulnerable to viruses
2. Which is a benefit of virtualization? A. Lower operating system costs B. Reduced bandwidth requirements C. Reduced hardware costs D. Reduced need for backups
3. You are the security administrator for Versa Corp. You need to have three VMs running on HP DL380 servers. There are IBM x3350 servers also running the same hypervisor and processor family with available resources. You
Self Test 241
have moved your VMs to the IBM servers. What should you do to configure your VMs to run on the IBM servers? A. Replace the network and RAID controller drivers on all the servers immediately after powering them up B. Replace only the RAID controller drivers C. Replace only the network drivers D. Nothing
4. You are the security administrator for Versa Corp. You have been tasked with designing a single server solution for the remote branch offices. You must have in your solution: A. A Linux-based firewall B. A mail server in a DMZ C. A domain controller D. A file server
5. A VM is hosted on a server you are going to retire. The host server is not connected to a SAN but is connected to a network. You have access to the administrator account. You need to move it to another host. The fastest way to accomplish this task is to A. Locate the VM configuration file and the virtual hard disk file; use Service Control Point (SCP) to copy these files to the new server B. Locate the virtual disk file for the VM and use the backup solution to back up this file to tape; restore this file to the new server C. Locate the configuration file for the VM and use the backup solution to backup this file to tape; restore the configuration file to the new server D. Use SFTP to create a snapshot of the VM and copy it to the new server
6. You are the security administrator of Versa Corp. You have several “honey pot” virtual servers running on a physical host along with production virtual servers. You notice that one of them has been breached. You must move quickly to isolate this server. You need to maintain the server intact so it can be analyzed but must maintain the security of the organization. Which action will accomplish the required goals? A. Immediately log on to the affected server and shut it down; once shutdown, make a copy of the virtual hard disk file and export it to your laptop for analysis B. Immediately log on to the hypervisor console and disconnect the virtual network card; mount the ISO file for the analysis tools to the virtual DVD drive and install the analysis tools
242 CHAPTER 5 Virtualization Technologies
C. Immediately shut down the physical host; disconnect all NICs from the physical host and load your security analysis tool to this server D. Immediately log on to the affected server and shut it down; disconnect the virtual hard disk from the virtual server and mount it to another virtual server running the analysis tools
7. You are the security administrator of Versa Corp. You have recently noticed a lot of VMs on your physical hosts that are powered off or have not been accessed in over two weeks. You have decided to remove the powered down VMs. What is the best method of removing these VMs? A. Use the console for your hypervisor and delete the VM and its associated virtual hard disk B. Use the SAN console to remove the logical unit number (LUN) associated with each VM C. Notify the owners of the VM that you are going to remove them from the physical server; remove the virtual hard drive but leave the virtual server configuration file in case they need the server again later D. Use the hypervisor console to convert the VMs to templates in case they are needed again at a later date
8. You are the security administrator for Versa Corp. You have been asked to virtualize 10 security servers without altering their configurations. Your manager wants to retain the physical servers just in case there is a problem later. What is your best course of action to accomplish the assigned tasks? A. Build new VMs on the physical host to match the security servers, and once loaded, you copy the data files from each of the original servers to the virtual servers; you leave the original servers online until the new servers are verified as working B. You copy the disk drives of the original servers to the SAN; once completed you create new VMs and attach the data on the SAN to the VM; you shut down the original servers C. You use a physical to virtual migration tool to copy the disk drives of the physical servers to the new VMs; once completed, you shut down the original server and power on the new virtual server D. You create a new VM and use a bulk copy utility to copy all the data from the source servers to the new VMs; when complete, you leave the original servers online until the new servers are verified
9. You are the security administrator for Versa Corp. You have recently moved the virtual hard disk file for the virtual firewall to the D drive on your physical host. When you try to start the VM you receive the message,
Self Test 243
“The virtual hard disk cannot be found.” What action should you take to correct the problem? A. Rename the virtual hard drive and try to restart the VM B. Edit the boot.ini file of the VM to point to the D drive C. Mount the virtual hard disk file to another VM and edit the /etc/ hosts.allow file D. Edit the VM configuration file to point the path of the virtual hard disk to the D drive 10. You are the security administrator for Versa Corp.Your manager has given you a new server to develop and test a new security design.You want to be able to test the performance and capabilities of both Windows- and Linux-based servers. You want to minimize the amount of time you spend building and rebuilding servers for testing.What is your best course of action to accomplish your goals? A. Build a physical virtualization host server and create the necessary number of Windows and Linux VMs; configure each VM for your test; after the test, delete the VMs and recreate them for the next round of tests B. Build a physical virtualization host server and create the necessary number of Windows and Linux VMs; take snapshots of each server; configure each VM for your test; after the test, restore the VMs using the snapshots before the next round of tests C. Build a physical virtualization host server and create the necessary number of Windows and Linux VMs; configure each VM for your test; convert each configured VM to a template; after the test, use the templates to recreate the VMs for the next round of tests D. Build a physical virtualization host server and create the necessary number of Windows and Linux VMs; configure each VM for your test; after the test clone the VMs for the next round of tests 11. What is a benefit of application virtualization? A. Applications are executed on the local clients instead of the application server B. Applications are all Web based C. Only Windows clients can access the published applications D. Any device that can run the client can access the applications 12. You are the security administrator for Versa Corp. You have several executives that travel with laptops. Your internal applications servers publish applications for all users and are maintained in a secure fashion. Your executives complain that they cannot run a necessary financial application while disconnected from the corporate network. These executives are rarely
244 CHAPTER 5 Virtualization Technologies
disconnected longer than 10 days at a time. What action can you perform to satisfy the executive request and still maintain security? A. Enable the Terminal Services Gateway and allow the executives to connect remotely using RDP over HTTPS B. Enable application streaming for the financial application and set a timeout on checked out applications for 2 weeks C. Load the financial application on the executive laptops and set a group policy to enable encryption on the data files D. Load the latest XenApp client and configure it to use the highest level of encryption when connecting to the application server 13. You are the security administrator for Versa Corp. The company has decided to terminate the leased line T-1 between branch offices and the home office. All users use virtualized applications running on a terminal server to perform their daily work. All user files are located near the application servers. Each branch office is connected to the Internet using either a DSL line or a cable connection. Which action will allow users to continue working with the least amount of effort and still maintain the company’s security policy? A. Set up a Terminal Server Gateway with a SSL certificate; direct all users to connect using the URL of the gateway to access the application servers B. Have users create an Internet Protocol Security (IPSEC) tunnel to the application servers to continue working C. Have the users generate personal certificates and use them to access the firewall to gain access to the application servers D. Have the users load and configure the VPN client software for your firewall; then create a VPN connection to access the application servers to continue working 14. You are the security administrator for Versa Corp. You have been asked to create 10 new VMs for a new development project. Each new VM needs to have identical resources and configurations. You have a physical host running a hypervisor and connected to a SAN. What is the best method for accomplishing this task? A. Create a new VM and load and configure the operating system; take careful notes and configure each identically until you have all 10 VMs B. Create a new VM and load and configure the operating system; clone this VM nine more times and apply system customizations to each new VM
Self Test Quick Answer Key 245
C. Create a new VM and load and configure the operating system; copy the virtual hard drive to create the other nine servers D. Create a new VM and load and configure the operating system; use the SAN features to replicate the LUN to create the remaining servers 15. You are the security administrator for Versa Corp. You currently have ap hysical host running a hypervisor. You have a VM running a firewall application. You have received a new version of the software and need to set it up and configure it with a minimum of disruption to the users. The best method to accomplish the task would be to A. Create a new VM and load the operating system and the new firewall software; connect it to the Test network; configure the software to match the production firewall; when testing is complete disconnect the virtual NIC on the production firewall from the Internet network and connect the new firewall to the Internet network B. Create a new VM and load the operating system and the new firewall software; connect it to the Internet network; disconnect the virtual NIC on the production firewall from the Internet network and shut down the old firewall; configure the new firewall software C. Load the new firewall software on the production firewall; configure the software D. Create a snapshot of the production firewall; load the new firewall software on the production firewall; configure the software; if testing fails, you can reload the snapshot to restore the old configuration.
Self Test Quick Answer Key 1. 2. 3. 4. 5.
B C D D A
6. 7. 8. 9. 10.
B A C D B
11. 12. 13. 14. 15.
D B A B A
This page intentionally left blank
PART
Network Infrastructure
2
This page intentionally left blank
CHAPTER
Network Security
6
E x a m o b j e c tiv e s in this c hapt e r General Network Security.................................................................................................... 250 Network Security Tools....................................................................................................... 250 Network Ports, Services, and Threats................................................................................... 267 Network Design Elements and Components........................................................................... 281
Introduction In today’s network infrastructures, it is critical to know the fundamentals of basic security infrastructure. Before any computer is connected to the Internet, planning must occur to make sure that the network is designed in a secure manner. Many of the attacks that hackers use are successful because of an insecure network design. That is why it is so important for a security professional to use secure topologies and tools like intrusion detection and prevention. Another example is virtual local area networks (VLANs), which are responsible for securing a broadcast domain to a group of switch ports. This relates directly to secure topologies, because different Internet Protocol (IP) subnets can be put on different port groupings and separated, either by routing or by applying an access control list (ACL). This allows for separation of network traffic, for example, the executive group can be isolated from the general user population on a network. Other items related to topology that we examine in this chapter include demilitarized zones (DMZs). We will explore how DMZs can be used in conjunction with network address translation (NAT) and extranets to help build a more secure network. By understanding each of these items, you will see how they can be used to build a layered defense against attack. This chapter also covers intrusion detection. It is important to understand not only the concepts of intrusion detection, but also the use and placement of intrusion detection systems (IDSes) within a network infrastructure. The placement of an IDS is critical to deployment success. We will also cover intrusion prevention systems (IPSes), honeypots, honeynets, and incident response and how they each have a part to play in protecting your network environment.
249
250 CHAPTER 6 Network Security
Test Day Tip An ACL is a list of users who have permission to access a resource or modify a file. ACLs are used in nearly all modern-day operating systems (OSes) to determine what permissions a user has on a particular resource or file.
General Network Security All networks contain services that provide some type of functionality. Some of the services are essential to the health of the network, or required for user functionality, but others can be disabled or removed because they are superfluous. When services exist on networks that are not actively being used, the changes of exploitation are increased. Simply having a service enabled, offers additional opportunity for hackers to attempt entrance into your infrastructure. If a service is required and utilized in the organization, it becomes your job as the administrator to safeguard the service and ensure that all is in working order. When a network service is installed and made available but it is not in use or required by the organization, there is a tendency for the service to fall out of view. It may not be noticed or monitored by system administrators, which provides a perfect mechanism for malicious attackers. They can hammer away at your environment, seemingly without your knowledge in an attempt to breach your environment.
Network Services and Risks Associated with Them When you are considering whether to enable and disable services, there are things that must be considered to protect the network and its internal systems. It is important to evaluate the current needs and conditions of the network and infrastructure, and then begin to eliminate unnecessary services. This leads to a cleaner network structure, which then becomes less vulnerable to attack.
Network Design Elements Not all networks are created the same; thus, not all networks should be physically laid out in the same fashion. The judicious usage of differing security topologies in a network can offer enhanced protection and performance. We will discuss the components of a network and the security implications of each. By understanding the fundamentals of each component and being able to design a network with security considerations in mind, you will be able to better prepare yourself and your environment for the inevitable barrage of attacks that take place every day. With the right planning and design you will be able to minimize the impact of attacks, while successfully protecting important data.
Network Security Tools Many tools that exist today can help you to better manage and secure your network environment. We will focus on a few specific tools that give you the visibility that is
Network Security Tools 251
needed to keep your network secure, especially intrusion detection and protection, firewalls, honeypots, content filters, and protocol analyzers. These tools will allow network administrators to monitor, detect, and contain malicious activity in any network environment. Each of these tools plays a different part in the day-to-day work of a network administrator and makes sure that you are well armed and well prepared to handle whatever malicious attacks might come your way.
Intrusion Detection and Prevention Systems A successful security strategy requires many layers and components. One of these components is the intrusion detection system (IDS) and the newer derivation of this technology, the intrusion prevention system (IPS). Intrusion detection is an important piece of security in that it acts as a detective control. A simple analogy to an intrusion detection system is a house alarm. When an intruder enters a house through an entry point that is monitored by the alarm the siren sounds and the police are alerted. Similarly an intrusion prevention system would not only sound the siren and alert the police but it would also kick the intruders out of the house and keep them out by closing the window and locking it automatically. The big distinction between an IDS/IPS and a firewall or other edge screening device is that the latter are not capable of detailed inspection of network traffic patterns and behavior that match known attack signatures. Therefore they are unable to reliably detect or prevent developing or in progress attacks. The simplest definition of an IDS is “a specialized tool that can detect and identify malicious traffic or activity in a network or on a host.” To achieve this an IDS often utilizes a database of known attack signatures which it can use to compare patterns of activity, traffic, or behavior it sees in the network or on a host. Once an attack has been identified the IDS can issue alarms or alerts or take a variety of actions to terminate the attack. These actions typically range from modifying firewall or router access lists to block the connection from the attacker to using a TCP reset to terminate the connection at both the source and the target. In the end the final goal is the same—interrupt the connection between the attacker and the target and stop the attack. Like firewalls, intrusion detection systems may be software-based or may combine hardware and software (in the form of preinstalled and preconfigured standalone IDS devices). There are many opinions as to what is the best option. For the exam what’s important is to understand the differences. Often, IDS software runs on the same devices or servers where firewalls, proxies, or other boundary services operate. Although such devices tend to operate at the network periphery, IDS systems can detect and deal with insider attacks as well as external attacks as long as the sensors are placed appropriately to detect such attacks. As we explained in Chapter 4, intrusion protection systems (IPSes) are a possible line of defense against system attacks. By being proactive and defensive in your approach, as opposed to reactive, you stop more attempts at network access at the door. IPSes typically exist at the boundaries of your network infrastructure and function much like a firewall. The big distinction between IPS and firewalls is
252 CHAPTER 6 Network Security
that IPSes are smarter devices in that they make determinations based on content as opposed to ports and protocols. By being able to examine content at the application layer the IPSes can perform a better job at protecting your network from things like worms and Trojans, before the destructive content is allowed into your environment. An IPS is capable of responding to attacks when they occur. This behavior is desirable from two points of view. For one thing, a computer system can track behavior and activity in near-real time and respond much more quickly and decisively during the early stages of an attack. Because automation helps hackers mount attacks, it stands to reason that it should also help security professionals fend them off as they occur. For another thing, an IPS can stand guard and run 24 h per day and 7 days per week, but network administrators may not be able to respond as quickly during off hours as they can during peak hours. By automating a response and moving these systems from detection to prevention, they actually have the ability to block incoming traffic from one or more addresses from which an attack originates. This allows the IPS the ability to halt an attack in process and block future attacks from the same address.
Using an NIDS and an NIPS Network intrusion detection systems (NIDS) and network intrusion prevention systems (NIPS) are similar in concept, and an NIPS is at first glance what seems to be an extension of an NIDS, but in actuality, the two systems are complementary and behave in a cooperative fashion. An NIDS exists for the purpose of catching malicious activity once it has arrived in your world. Whether the NIDS in your DMZ or your intranet captures the offending activity is immaterial; in both instances the activity is occurring within your network environment. With an NIPS the activity is typically being detected at the perimeter and disallowed from entering the network. By deploying an NIDS and an NIPS you provide for a multilayered defense and ideally your NIPS is able to thwart attacks approaching your network from the outside in. Anything that makes it past the NIPS ideally would then be caught by the NIDS inside the network. Attacks originating from inside the network would also be addressed by the NIDS.
Head of the Class Weighing IDS Options In addition to the various IDS and IPS vendors mentioned in the list below, judicious use of a good Internet search engine can help network administrators to identify more potential suppliers than they would ever have the time or inclination to investigate in detail. That is why we also urge administrators to consider an alternative: deferring some or all of the organization’s network security technology decisions to a special type of outsourcing company. Known as
Network Security Tools 253
managed security services providers (MSSPs), these organizations help their customers select, install, and maintain state-of-the-art security policies and technical infrastructures to match. For example, Guardent is an MSSP that includes comprehensive firewall, IDS and IPS services among its many customer offerings; visit www.guardent.com for a description of the company’s various service programs and offerings.
A huge number of potential vendors can provide IDS and IPS products to companies and organizations. Without specifically endorsing any particular vendor, the following products offer some of the most widely used and best-known solutions in this product space: ■■
■■
■■
■■
■■
■■
Cisco Systems It is best known for its switches and routers, but offers significant firewall and intrusion detection products as well (www.cisco.com). GFI LANguard It is a family of monitoring, scanning, and file integrity check products that offer broad intrusion detection and response capabilities (www. gfi.com/languard/ ). TippingPoint It is a division of 3Com that makes an inline IPS device that is considered one of the first IPS devices on the market. Internet Security Systems (ISS) (a division of IBM) ISS offers a family of enterprise-class security products called RealSecure, that includes comprehensive intrusion detection and response capabilities (www.iss.net). McAfee It offers the IntruShield IPS systems that can handle gigabit speeds and greater (www.mcafee.com). Sourcefire It is the best known vendor of open source IDS software as it is the developer of Snort, which is an open source IDS application that can be run on Windows or Linux systems (www.snort.org).
Head of the Class Getting Real Experience Using an IDS One of the best ways to get some experience using IDS tools like TCPDump and Snort is to check out one of the growing number of bootable Linux OSes. Because all of the tools are precompiled and ready to run right off the CD, you only have to boot the computer to the disk. One good example of such a bootable disk is Backtrack. This CD-based Linux OS actually has more than 300 security tools that are ready to run. Learn more at www.remote-exploit. org/backtrack.html.
A clearinghouse for ISPs known as ISP-Planet offers all kinds of interesting information online about MSSPs, plus related firewall, virtual private networking (VPN),
254 CHAPTER 6 Network Security
intrusion detection, security monitoring, antivirus, and other security services. For more information, visit any or all of the following URLs: ■■
■■
■■
■■
■■
■■
ISP-Planet Survey Managed Security Service Providers, participating provider’s chart, www.isp-planet.com/technology/mssp/participants_chart.html. Managed firewall services chart, www.isp-planet.com/technology/mssp/ firewalls_chart.html. Managed VPN chart, www.isp-planet.com/technology/mssp/services_chart. html. Managed intrusion detection and security monitoring, www.isp-planet.com/ technology/mssp/monitoring_chart.html. Managed antivirus and managed content filtering and URL blocking, www. isp-planet.com/technology/mssp/mssp_survey2.html. Managed vulnerability assessment and emergency response and forensics, www.isp-planet.com/technology/mssp/mssp_survey3.html.
Exercise 1 introduces you to WinDump. This tool is similar to the Linux tool TCPDump. It is a simple packet-capture program that can be used to help demonstrate how IDS systems work. All IDS systems must first capture packets so that the traffic can be analyzed.
Exercise 1 Installing WinDUMP for Packet Capture and Analysis 1.
Go to www.winpcap.org/windump/install/
2.
At the top of the page you will see a link for WinPcap. This program will need to be installed as it will allow the capture of low level packets.
3.
Next, download and install the WinDump program from the link indicated on the same Web page.
4.
You’ll now need to open a command prompt by clicking Start, Run, and entering cmd in the Open Dialog box.
5.
With a command prompt open, you can now start the program by typing WinDump from the command line. By default, it will use the first Ethernet adaptor found. You can display the help screen by typing windump –h. The example below specifies the second adaptor.
C:\>windump −i 2
6.
You should now see the program running. If there is little traffic on your network, you can open a second command prompt and ping a host such as
Network Security Tools 255
www.yahoo.com. The results should be seen in the screen you have open that is running WinDump as seen below.
windump: listening on \Device\eth0_
14:07:02.563213 IP earth.137 > 192.168.123.181.137: UDP, length 50
14:07:04.061618 IP earth.137 > 192.168.123.181.137: UDP, length 50
14:07:05.562375 IP earth.137 > 192.168.123.181.137: UDP, length 50
Firewalls A firewall is the most common device used to protect an internal network from outside intruders. When properly configured, a firewall blocks access to an internal network from the outside, and blocks users of the internal network from accessing potentially dangerous external networks or ports. There are three firewall technologies examined in the Security+ exam: ■■
Packet filtering
■■
Application layer gateways
■■
Stateful inspection
Head of the Class What Is a Firewall? A firewall is a security system that is intended to protect an organization’s network against external threats, such as hackers, coming from another network, such as the Internet. In simple terms, a firewall is a hardware or software device used to keep undesirables electronically out of a network the same way that locked doors and secured server racks keep undesirables physically away from a network. A firewall filters traffic crossing it (both inbound and outbound) based on rules established by the firewall administrator. In this way, it acts as a sort of digital traffic cop, allowing some (or all) of the systems on the internal network to communicate with some of the systems on the Internet, but only if the communications comply with the defined rule set.
All of these technologies have advantages and disadvantages, but the Security+ exam specifically focuses on their abilities and the configuration of their rules. A packetfiltering firewall works at the network layer of the Open Systems Interconnect (OSI) model and is designed to operate rapidly by either allowing or denying packets. The second generation of firewalls is called “circuit level firewalls,” but this type has been largely disbanded as later generations of firewalls absorbed their functions. An application layer gateway operates at the application layer of the OSI model, analyzing each
256 CHAPTER 6 Network Security
packet, and verifying that it contains the correct type of data for the specific application it is attempting to communicate with. A stateful inspection firewall checks each packet to verify that it is an expected response to a current communications session. This type of firewall operates at the network layer, but is aware of the transport, session, presentation, and application layers and derives its state table based on these layers of the OSI model. Another term for this type of firewall is a “deep packet inspection” firewall, indicating its use of all layers within the packet including examination of the data itself. To better understand the function of these different types of firewalls, we must first understand what exactly the firewall is doing. The highest level of security requires that firewalls be able to access, analyze, and utilize communication information, communication-derived state, and application-derived state, and be able to perform information manipulation. Each of these terms is defined below: ■■ ■■
■■ ■■
Communication Information Information from all layers in the packet. Communication-derived State The state as derived from previous communications. Application-derived State The state as derived from other applications. Information Manipulation The ability to perform logical or arithmetic functions on data in any part of the packet.
Different firewall technologies support these requirements in different ways. Again, keep in mind that some circumstances may not require all of these, but only a subset. In that case, it is best to go with a firewall technology that fits the situation rather than one that is simply the newest technology. Table 6.1 shows the firewall technologies and their support of these security requirements.
Proxy Servers A proxy server is a server that sits between an intranet and its Internet connection. Proxy servers provide features such as document caching (for faster browser retrieval) and access control. Proxy servers can provide security for a network by filtering and discarding requests that are deemed inappropriate by an administrator. Proxy servers also protect the internal network by masking all internal IP addresses—all Table 6.1 Firewall Technologies Requirement
Packet Filtering
Application-Layer Gateways
Stateful Inspection
Communication information
Partial
Partial
Yes
Communication-derived state
No
Partial
Yes
Application-derived state
No
Yes
Yes
Information manipulation
Partial
Yes
Yes
Network Security Tools 257
connections to Internet servers appear to be coming from the IP address of the proxy servers.
Network Layer Firewalls A network layer firewall or a packet-filtering firewall works at the network layer of the OSI model and can be configured to deny or allow access to specific ports or IP addresses. The two policies that can be followed when creating packet-filtering firewall rules are allow by default and deny by default. Allow by default allows all traffic to pass through the firewall except traffic that is specifically denied. Deny by default blocks all traffic from passing through the firewall except for traffic that is explicitly allowed. Deny by default is the best security policy, because it follows the general security concept of restricting all access to the minimum level necessary to support business needs. The best practice is to deny access to all ports except those that are absolutely necessary. For example, if configuring an externally facing firewall for a demilitarized zone (DMZ), Security+ technicians may want to deny all ports except port 443 (the Secure Sockets Layer [SSL] port) to require all connections coming in to the DMZ to use Hypertext Transfer Protocol Secure (HTTPS) to connect to the Web servers. Although it is not practical to assume that only one port will be needed, the idea is to keep access to a minimum by following the best practice of denying by default. A firewall works in two directions. It can be used to keep intruders at bay, and it can be used to restrict access to an external network from its internal users. Why do this? A good example is found in some Trojan horse programs. When Trojan horse applications are initially installed, they report back to a centralized location to notify the author or distributor that the program has been activated. Some Trojan horse applications do this by reporting to an Internet Relay Chat (IRC) channel or by connecting to a specific port on a remote computer. By denying access to these external ports in the firewall configuration, Security+ technicians can prevent these malicious programs from compromising their internal network. The Security+ exam extensively covers ports and how they should come into play in a firewall configuration. The first thing to know is that of 65,535 total ports, ports 0 through 1,023 are considered well-known ports. These ports are used for specific network services and should be considered the only ports allowed to transmit traffic through a firewall. Ports outside the range of 0 through 1,023 are either registered ports or dynamic/private ports. ■■
User ports range from 1,024 through 49,151.
■■
Dynamic/private ports range from 49,152 through 65,535.
If there are no specialty applications communicating with a network, any connection attempt to a port outside the well-known ports range should be considered suspect. Although there are some network applications that work outside of this range that may need to go through a firewall, they should be considered the
258 CHAPTER 6 Network Security
exception and not the rule. With this in mind, ports 0 through 1,023 still should not be enabled. Many of these ports also offer vulnerabilities; therefore, it is best to continue with the best practice of denying by default and only opening the ports necessary for specific needs. For a complete list of assigned ports, visit the Internet Assigned Numbers Authority (IANA) at www.iana.net. The direct link to their list of ports is at www.iana. org/assignments/port-numbers. The IANA is the centralized organization responsible for assigning IP addresses and ports. They are also the authoritative source for which ports applications are authorized to use for the services the applications are providing.
Damage and Defense Denial-of-Service Attacks A port is a connection point into a device. Ports can be physical, such as serial ports or parallel ports, or they can be logical. Logical ports are ports used by networking protocols to define a network connection point to a device. Using Transmission Control Protocol/Internet Protocol (TCP/IP), both TCP and User Datagram Protocol (UDP) logical ports are used as connection points to a network device. Because a network device can have thousands of connections active at any given time, these ports are used to differentiate between the connections to the device. A port is described as well known for a particular service when it is normal and common to find that particular software running at that particular port number. For example, Web servers run on port 80 by default, and File Transfer Protocol (FTP) file transfers use ports 20 and 21 on the server when it is in active mode. In passive mode, the server uses a random port for data connection and port 21 for the control connection.
To determine what port number to use, technicians need to know what port number the given software is using. To make that determination easier, there is a list of common services that run on computers along with their respective wellknown ports. This allows the technician to apply the policy of denying by default, and only open the specific port necessary for the application to work. For example, if they want to allow the Siebel Customer Relations Management application from Oracle to work through a firewall, they would check against a port list (or the vendor’s documentation) to determine that they need to allow traffic to port 2,320 to go through the firewall. A good place to search for port numbers and their associated services online is on Wikipedia. This list is fairly up to date and can help you find information on a very large number of services running on all ports (http:// en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers). You will notice that even Trojan horse applications have well-known port numbers. A few of these have been listed in Table 6.2.
Network Security Tools 259
Table 6.2 Well-known Ports of Trojan Horses Trojan Horse
Port
AimSpy
777
Back Orifice
31337 and 31338 (modifiable)
Back Orifice 2000
8787, 54320, and 54321 (modifiable)
OpwinTrojan
10000 and 10005
SubSeven
1243, 1999, 2773, 2774, 6667, 6711, 6712, 6713, 6776, 7000, 7215, 16959, 27374, 27573, and 54283 (depending on the version)
WinSatan
999 and 6667
Exam Warning The Security+ exam requires that you understand how the FTP process works. There are two modes in which FTP operates: active and passive. Active Mode 1. The FTP client initializes a control connection from a random port higher than 1,024 to the server’s port 21. 2. The FTP client sends a PORT command instructing the server to connect to a port on the client one higher than the client’s control port. This is the client’s data port. 3. The server sends data to the client from server port 20 to the client’s data port. Passive Mode 1. The FTP client initializes a random port higher than 1,023 as the control port, and initializes the port one higher than the control port as the data port. 2. The FTP client sends a PASV command instructing the server to open a random data port. 3. The server sends a PORT command notifying the client of the data port number that was just initialized. 4. The FTP client then sends data from the data port it initialized to the data port the server instructed it to use.
Unfortunately, for nearly every possible port number, there is a virus or Trojan horse application that could be running there. For a more comprehensive list of Trojans listed by the port they use, go to the SANS Institute Web site at www.sans.org/ resources/idfaq/oddports.php.
260 CHAPTER 6 Network Security
Exam Warning The Security+ exam puts a great deal of weight on your knowledge of specific well-known ports for common network services. The most important ports to remember are: 20 FTP Active Mode Control Port (see the Security+ exam warning on FTP for further information) 21 FTP Active Mode Data Port (see the Security+ exam warning on FTP for further information) 22 Secure Shell (SSH) 23 Telnet 25 Simple Mail Transfer Protocol (SMTP) 80 HTTP 110 Post Office Protocol 3 (POP3) 119 Network News Transfer Protocol (NNTP) 143 Internet Message Access Protocol (IMAP) 443 SSL (HTTPS) Memorizing these ports and the services that run on them will help you with firewall and network access questions on the Security+ exam.
Packet filtering has both benefits and drawbacks. One of the benefits is speed. Because only the header of a packet is examined and a simple table of rules is checked, this technology is very fast. A second benefit is ease of use. The rules for this type of firewall are easy to define and ports can be opened or closed quickly. In addition, packet-filtering firewalls are transparent to network devices. Packets can pass through a packet-filtering firewall without the sender or receiver of the packet being aware of the extra step. A major bonus of using a packet-filtering firewall is that most current routers support packet filtering. There are two major drawbacks to packet filtering: ■■
■■
A port is either open or closed. With this configuration, there is no way of simply opening a port in the firewall when a specific application needs it and then closing it when the transaction is complete. When a port is open, there is always a hole in the firewall waiting for someone to attack. The second major drawback to packet filtering is that it does not understand the contents of any packet beyond the header. Therefore, if a packet has a valid header, it can contain any payload. This is a common failing point that is easily exploited.
To expand on this, as only the header is examined, packets cannot be filtered by user name, only IP addresses. With some network services such as Trivial File
Network Security Tools 261
Transfer Protocol (TFTP) or various UNIX “r” commands (rsh, rcp, and so forth), this can cause a problem. Because the port for these services is either opened or closed for all users, the options are either to restrict system administrators from using the services, or invite the possibility of any user connecting and using these services. The operation of this firewall technology is illustrated in Figure 6.1. Referring to Figure 6.1 the sequence of events is as follows:
1. Communication from the client starts by going through the seven layers of the OSI model.
2. The packet is then transmitted over the physical media to the packet-filtering firewall.
3. The firewall works at the network layer of the OSI model and examines the header of the packet.
4. If the packet is destined for an allowed port, the packet is sent through the firewall over the physical media and up through the layers of the OSI model to the destination address and port.
Figure 6.1 Packet Filtering Technology
262 CHAPTER 6 Network Security
Application Layer Firewalls The second firewall technology is called application filtering or an applicationlayer gateway. This technology is more advanced than packet filtering, as it examines the entire packet and determines what should be done with the packet based on specific defined rules. For example, with an application-layer gateway, if a Telnet packet is sent through the standard FTP port, the firewall can determine this and block the packet if a rule is defined disallowing Telnet traffic through the FTP port. It should be noted that this technology is used by proxy servers to provide applicationlayer filtering to clients. One of the major benefits of application-layer gateway technology is its application-layer awareness. Because application-layer gateway technology can determine more information from a packet than a simple packet filter can, application-layer gateway technology uses more complex rules to determine the validity of any given packet. These rules take advantage of the fact that application-layer gateways can determine whether data in a packet matches what is expected for data going to a specific port. For example, the application-layer gateway can tell if packets containing controls for a Trojan horse application are being sent to the HTTP port (80) and thus, can block them. Although application-layer gateway technology is much more advanced than packet-filtering technology, it does have its drawbacks. Because every packet is disassembled completely and then checked against a complex set of rules, application-layer gateways are much slower than the packet filters. In addition, only a limited set of application rules are predefined, and any application not included in the predefined list must have custom rules defined and loaded into the firewall. Finally, applicationlayer gateways process the packet at the application layer of the OSI model. By doing so, the application-layer gateway must then rebuild the packet from the top down and send it back out. This breaks the concept behind client/server architecture and slows the firewall down even further. Client/server architecture is based on the concept of a client system requesting the services of a server system. This was developed to increase application performance and cut down on the network traffic created by earlier file sharing or mainframe architectures. When using an application-layer gateway, the client/server architecture is broken as the packets no longer flow between the client and the server. Instead, they are deconstructed and reconstructed at the firewall. The client makes a connection to the firewall at which point the packet is analyzed, then the firewall creates a connection to the server for the client. By doing this, the firewall is acting as a proxy between the client and the server. The operation of this technology is illustrated in Figure 6.2.
Honeypots A honeypot is a computer system that is deliberately exposed to public access— usually on the Internet—for the express purpose of attracting and distracting attackers. In other words, these are the technical equivalent of the familiar police “sting” operation. Although the strategy involved in luring hackers to spend time
Network Security Tools 263
Figure 6.2 Application-Layer Gateway Technology
investigating attractive network devices or servers can cause its own problems, finding ways to lure intruders into a system or network improves the odds of being able to identify those intruders and pursue them more effectively. Figure 6.3 shows a graphical representation of the honeypot concept in action.
Notes from the Field Walking the Line between Opportunity and Entrapment Most law enforcement officers are aware of the fine line they must walk when setting up a “sting”—an operation in which police officers pretend to be victims or participants in crime, with the goal of getting criminal suspects to commit an illegal act in their presence. Most states have laws that prohibit entrapment, that is, law enforcement officers are not allowed to cause a person to commit a crime and then arrest him or her for doing it. Entrapment is a defense to prosecution; if the accused person can show at trial that he or she was entrapped, the result must be an acquittal.
264 CHAPTER 6 Network Security
Figure 6.3 A Honeypot in Use to Keep Attackers from Affecting Critical Production Servers
Courts have traditionally held, however, that providing a mere opportunity for a criminal to commit a crime does not constitute entrapment. To entrap involves using persuasion, duress, or other undue pressure to force someone to commit a crime that the person would not otherwise have committed. Under this holding, setting up a honeypot or honeynet would be like the (perfectly legitimate) police tactic of placing an abandoned automobile by the side of the road and watching it to see if anyone attempts to burglarize, vandalize, or steal it. It should also be noted that entrapment only applies to the actions of law enforcement or government personnel. A civilian cannot entrap, regardless of how much pressure is exerted on the target to commit the crime. (However, a civilian could be subject to other charges, such as criminal solicitation or criminal conspiracy, for causing someone else to commit a crime.)
The following characteristics are typical of honeypots: ■■
Systems or devices used as lures are set up with only “out of the box” default installations, so that they are deliberately made subject to all known vulnerabilities, exploits, and attacks.
Network Security Tools 265
■■
■■
■■
The systems or devices used as lures do not include sensitive information (for example, passwords, data, applications, or services an organization depends on or must absolutely protect), so these lures can be compromised, or even destroyed, without causing damage, loss, or harm to the organization that presents them to be attacked. Systems or devices used as lures often also contain deliberately tantalizing objects or resources, such as files named password.db, folders named Top Secret, and so forth—often consisting only of encrypted garbage data or log files of no real significance or value—to attract and hold an attacker’s interest long enough to give a backtrace a chance of identifying the attack’s point of origin. Systems or devices used as lures also include or are monitored by passive applications that can detect and report on attacks or intrusions as soon as they start, so the process of backtracing and identification can begin as soon as possible.
Exam Warning A honeypot is a computer system that is deliberately exposed to public access—usually on the Internet—for the express purpose of attracting and distracting attackers. Likewise, a honeynet is a network set up for the same purpose, where attackers not only find vulnerable services or servers, but also find vulnerable routers, firewalls, and other network boundary devices, security applications, and so forth. You must know these for the Security+ exam.
The honeypot technique is best reserved for use when a company or organization employs full-time Information Technology (IT) security professionals who can monitor and deal with these lures on a regular basis, or when law enforcement operations seek to target specific suspects in a “virtual sting” operation. In such situations, the risks are sure to be well understood, and proper security precautions, processes, and procedures are far more likely to already be in place (and properly practiced). Nevertheless, for organizations that seek to identify and pursue attackers more proactively, honeypots can provide valuable tools to aid in such activities. Exercise 2 outlines the basic process to set up a Windows Honeypot. Although there are many vendors of honeypots that will run on both Windows and Linux computers, this exercise will describe the install of a commercial honeypot that can be used on a corporate network.
Exercise 2 Install a HoneyPot 1.
KFSensor is a Windows-based honeypot IDS that can be downloaded as a demo from www.keyfocus.net/kfsensor/.
266 CHAPTER 6 Network Security
2.
Fill out the required information for download.
3.
Once the program downloads, accept the install defaults and allow the program to reboot the computer to finish the install.
4.
Once installed, the program will step you through a wizard process that will configure a basic honeypot.
5.
Allow the system to run for some time to capture data. The program will install a sensor in the program tray that will turn red when the system is probed by an attacker.
Honeynets A honeynet is a network that is set up for the same purpose as a honeypot: to attract potential attackers and distract them from your production network. In a honeynet, attackers will not only find vulnerable services or servers but also find vulnerable routers, firewalls, and other network boundary devices, security applications, and so forth. The following characteristics are typical of honeynets: ■■
■■
■■
Network devices used as lures are set up with only “out of the box” default installations, so that they are deliberately made subject to all known vulnerabilities, exploits, and attacks. The devices used as lures do not include sensitive information (for example, passwords, data, applications, or services an organization depends on or must absolutely protect), so these lures can be compromised, or even destroyed, without causing damage, loss, or harm to the organization that presents them to be attacked. Devices used as lures also include or are monitored by passive applications that can detect and report on attacks or intrusions as soon as they start, so the process of backtracing and identification can begin as soon as possible.
The Honeynet Project at www.honeynet.org is probably the best overall resource on the topic online; it not only provides copious information on the project’s work to define and document standard honeypots and honeynets, but it also does a great job of exploring hacker mindsets, motivations, tools, and attack techniques. Although this technique of using honeypots or honeynets can help identify the unwary or unsophisticated attacker, it also runs the risk of attracting additional attention from savvier attackers. Honeypots or honeynets, once identified, are often publicized on hacker message boards or mailing lists, and thus become more subject to attacks and hacker activity than they otherwise might be. Likewise, if the organization that sets up a honeypot or honeynet is itself identified, its production systems and networks may also be subjected to more attacks than might otherwise occur.
Network Ports, Services, and Threats 267
Content Filters Content filtering is the process used by various applications to examine content passing through and make a decision on the data based on a set of criteria. Actions are based on the analysis of the content and the resulting actions can results in block or allow. Content filtering is commonly performed on e-mail and is often also applies to Web page access as well. Filtering out gambling or gaming sites from company machines may be a desired effect of management and can be achieved through content filtering. Examples of content filters include WebSense and Secure Computings WebWasher/SmartFilter. An open source content filter example would be DansGuardian and Squid.
Protocol Analyzers A protocol analyzer is used to examine network traffic as it travels along your Ethernet network. They are called by many names, such as pack analyzer, network analyzer, and sniffer, but all function in the same basic way. As traffic moves across the network from machine to machine, the protocol analyzer takes a capture of each packet. This capture is essentially a photocopy, and the original packet is not harmed or altered. Capturing the data allows a malicious hacker to obtain your data and potentially piece it back together to analyze the contents. Different protocol analyzers function differently, but the overall principle is the same. A sniffer is typically software installed on a machine that can then capture all the traffic on a designated network. Much of the traffic on the network will be destined for all machines, as in the case of broadcast traffic. These packets will be picked up and saved as part of the capture. Also, all traffic destined to and coming from the machine running the sniffer will be captured. To capture traffic addressed to/from another machine on the network, the sniffer should be run in promiscuous mode. If a hub exists on the network this allows the capturing of all packets on the network regardless of their source or destination. Be aware that not all protocol analyzers support promiscuous mode, and having switches on the network makes promiscuous mode difficult to use because of the nature of switched traffic. In the cases where a sniffer that runs promiscuous mode is not available or unfeasible, it might make sense to use the built-in monitor port on the switch instead—if it exists. The monitor port exists to allow for the capture of all data that passes through the switch. Depending on your network architecture, this could encompass one or many subnets.
Network Ports, Services, and Threats In this section, we will discuss network ports, network services, and potential threats to your network. To properly protect your network, you need to first identify the existing vulnerabilities. As we will discuss, knowing what exists in your
268 CHAPTER 6 Network Security
network is the best first defense. By identifying ports that are open but may not be in use, you will be able to begin to close the peep holes into your network from the outside world. By monitoring required services and removing all others, you reduce the opportunity for attack and begin to make your environment more predictable. Also, by becoming familiar with common network threats that exist today you can take measures to prepare your environment to stand against these threats. The easiest way for a hacker to make its way into your environment is to exploit known vulnerabilities. By understanding how these threats work you will be able to safeguard against them as best possible and be ready for when new threats arise.
Network Ports and Protocols As discussed earlier in Chapter 2, OS Hardening, unnecessary network ports and protocols in your environment should be eliminated whenever possible. Many internal networks today utilize TPC/IP as the primary protocol. This has resulted in the partial or complete elimination of such protocols as Internetwork Packet Exchange (IPX), Sequenced Packet Exchange (SPX), and/or NetBIOS Extended User Interface (NetBEUI). It is also important to look at the specific operational protocols used in a network such as Internet Control Messaging Protocol (ICMP), Internet Group Management Protocol (IGMP), Service Advertising Protocol (SAP), and the Network Basic Input/Output System (NetBIOS) functionality associated with Server Message Block (SMB) transmissions in Windows-based systems.
Notes from the Field Eliminate External NetBIOS Traffic One of the most common methods of obtaining access to a Windows-based system and then gaining control of that system is through NetBIOS traffic. Windows-based systems use NetBIOS in conjunction with SMB to exchange service information and establish secure channel communications between machines for session maintenance. If file and print sharing is enabled on a Windows computer, NetBIOS traffic can be viewed on the external network unless it has been disabled on the external interface. With the proliferation of digital subscriber line (DSL), Broadband, and other “always on” connections to the Internet, it is vital that this functionality be disabled on all interfaces exposed to the Internet.
Although considering removal of nonessential protocols, it is important to look at every area of the network to determine what is actually occurring and running on the system. The appropriate tools are needed to do this, and the Internet contains a wealth of resources for tools and information to analyze and inspect systems.
Network Ports, Services, and Threats 269
A number of functional (and free) tools can be found at sites such as www.foundstone.com/knowledge/free_tools.html. Among these, tools like SuperScan 3.0 are extremely useful in the evaluation process. Monitoring a mixed environment of Windows, UNIX, Linux, and/or Netware machines can be accomplished using tools such as Big Brother, which may be downloaded and evaluated (or in some cases used without charge) by visiting www.bb4.com or Nagios that can be found at www.nagios.org. Another useful tool is Nmap, a portscanner, which is available at http://insecure.org/ nmap/. These tools can be used to scan, monitor, and report on multiple platforms giving a better view of what is present in an environment. In UNIX- and Linux-based systems, nonessential services can be controlled in a variety of ways depending on the distribution being worked with. This may include editing or making changes to configuration files like xinetd.conf or inetd.conf or the use of graphical administration tools like linuxconf or webmin in Linux, or the use of facilities like svcadm in Solaris. It may also include the use of ipchains, iptables, pf, or ipfilter in various versions to restrict the options available for connection at a firewall. Note As you begin to evaluate the need to remove protocols and services, make sure that the items you are removing are within your area of control. Consult with your system administrator on the appropriate action to take, and make sure you have prepared a plan to back out and recover if you found that you have removed something that is later deemed necessary or if you make a mistake.
Exam Warning The Security+ exam can ask specific questions about ports and what services they support. It’s advisable to learn common ports before attempting the exam. Here are some common ports and services: 21 FTP 22 Secure Shell (SSH) 23 Telnet 25 Simple Mail Transfer Protocol (SMTP) 53 DNS 80 HTTP 110 Post Office Protocol (POP) 161 Simple Network Management Protocol (SNMP) 443 SSL Memorizing these will help you with the Security+ exam.
270 CHAPTER 6 Network Security
Modern Windows-based platforms allow the configuration of OS and network services from provided administrative tools. This can include a service applet in a control panel or a Microsoft Management Console (MMC) tool in a Windows XP/ Vista/2003/2008 environment. It may also be possible to check or modify configurations at the network adaptor properties and configuration pages. In either case, it is important to restrict access and thus limit vulnerability due to unused or unnecessary services or protocols. Let’s take a moment to use a tool to check what protocols and services are running on systems in a network. This will give you an idea of what you are working with. Exercise 3 uses Nmap to look at the configuration of a network, specifically to generate a discussion and overview of the services and protocols that might be considered when thinking about restricting access at various levels. Nmap is used to scan ports and while it is not a full blown security scanner it can identify additional information about a service that can be used to determine an exploit that could be effective. Security scanners that can be used to detail existing vulnerabilities include products like Nessus and LANGuard Network Security Scanner. If using a UNIX-based platform, a number of evaluation tools have been developed, such as Amap, P0f, and Nessus, which can perform a variety of port and security scans. In Exercise 3, you will scan a network to identify potential vulnerabilities.
Exercise 3 Scanning for Vulnerabilities In this exercise, you will examine a network to identify open ports and what could be potential problems or holes in specific systems. In this exercise, you are going to use Nmap, which you can download and install for free prior to starting the exercise by going to http://insecure.org/nmap/download.html and selecting the download tool. This tool is available for Windows or Linux computers. To begin the exercise, launch Nmap from the command line. You will want to make sure that you install the program into a folder that is in the path or that you open it from the installed folder. When you have opened a command line prompt, complete the exercise by performing the following steps: 1.
From the command line type Nmap. This should generate the following response: C:\>nmap Nmap V. 4.20 Usage: nmap [Scan Type(s)] [Options] Some Common Scan Types (‘*’ options require root privileges) * -sS TCP SYN stealth port scan (default if privileged (root)) -sT TCP connect() port scan (default for unprivileged users) * -sU UDP port scan
Network Ports, Services, and Threats 271
-sP ping scan (Find any reachable machines) * -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only) -sR/-I RPC/Identd scan (use with other scan types) Some Common Options (none are required, most can be combined): * -O Use TCP/IP fingerprinting to guess remote operating system -p ports to scan. Example range: “1-1024,1080,6666,31337” -F Only scans ports listed in nmap-services -v Verbose. Its use is recommended. Use twice for greater effect. -P0 Don’t ping hosts (needed to scan www.microsoft.com and others) * -Ddecoy_host1,decoy2[,...] Hide scan using many decoys -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve] -oN/-oX/-oG Output normal/XML/grepable scan logs to -iL Get targets from file; Use ‘-’ for stdin * -S /-e <devicename> Specify source address or network interface --interactive Go into interactive mode (then press h for help) --win_help Windows-specific features Example: nmap -v -sS -O www.my.com 192.168.0.0/16 ‘192.88 90.*.*’
2.
This should give you some idea of some of the types of scans that Nmap can perform. Notice the first and second entries. The –sS is a Transmission Control Protocol (TCP) stealth scan, and the –sT is a TCP full connect. The difference in these is that the stealth scan does only two of the three steps of the TCP handshake, while the full connect scan does all three steps and is slightly more reliable. Now run Nmap with the –sT option and configure it to scan the entire subnet. The following gives an example of the proper syntax. C:\>nmap -sT 192.168.1.1-254
3.
The scan may take some time. On a large network expect the tool to take longer as there will be many hosts for it to scan.
4.
When the scan is complete the results will be returned that will look similar to those shown here. Interesting ports on (192.168.1.17): (The 1,600 ports scanned but not shown below are in state: filtered)
272 CHAPTER 6 Network Security
Port
State
Service
80/tcp
Open
http
Interesting ports on (192.168.1.18): (The 1,594 ports scanned but not shown below are in state: filtered) Port
State
Service
80/tcp
Open
http
139/tcp
Open
netbios-ssn
445/tcp
Open
printer
9100/tcp
Open
jetdirect
9111/tcp
Open
DragonIDSConsole
9152/tcp
Open
ms-sql2000
Interesting ports on (192.168.1.19): (The 1,594 ports scanned but not shown below are in state: filtered) Port
State
Service
80/tcp
Open
http
9100/tcp
Open
jetdirect
9111/tcp
Open
DragonIDSSensor
9152/tcp
Open
ms-sql2000
Interesting ports on VENUS (192.168.1.20): (The 1,596 ports scanned but not shown below are in state: filtered) Port
State
Service
135/tcp
Open
loc-srv
139/tcp
Open
netbios-ssn
445/tcp
Open
microsoft-ds
Interesting ports on PLUTO (192.168.1.21): (The 1,596 ports scanned but not shown below are in state: filtered)
Network Ports, Services, and Threats 273
Port
State
Service
21/tcp
Open
ftp
80/tcp
Open
http
139/tcp
Open
netbios-ssn
515/tcp
Open
printer
Interesting ports on (192.168.1.25): (The 1,598 ports scanned but not shown below are in state: filtered) Port
State
Service
23/tcp
Open
Telnet
69/udp
Open
tftp
80/tcp
Open
http
Nmap run completed—254 IP addresses (six hosts up) scanned in 2,528 s. In the example mentioned earlier, notice how you can see the ports that were identified on each system. Although this is the same type of tool that would be used by an attacker, it’s also a valuable tool for the security professional. You can see from the example that there are a number of ports open on each of the hosts that were probed. Remember that these machines are in an internal network, so some of these ports should be allowed. Test Day Tip Spend a few minutes reviewing port and protocol numbers for standard services provided in the network environment. This will help when you are analyzing questions that require configuration of ACL lists and determinations of appropriate blocks to install to secure a network.
The question as to “should the ports be open” should lead us back to our earlier discussion of policy and risk assessment. If nothing else this type of tool can allow us to see if our hardening activities have worked and verify that no one has opened services on a system that is not allowed. Even for ports that are allowed and have been identified by scanning tools, decisions must be made as to which of these ports are likely to be vulnerable, and then the risks of the vulnerability weighed against the need for the particular service connected to that port. Port vulnerabilities are constantly updated by various vendors and should be reviewed and evaluated for risk at regular intervals to reduce potential problems. It is important to remember that scans of a network should be conducted initially to develop a baseline of what services and protocols are active on the
274 CHAPTER 6 Network Security
network. Once the network has been secured according to policy, these scans should be conducted on a periodic basis to ensure that the network is in compliance with policy.
Network Threats Network threats exist in today’s world in many forms. It seems as if the more creative network administrators become in protecting their environments, the more creative hackers and script kiddies become at innovating ways to get past the most admirable security efforts. One of the more exciting and dynamic aspects of network security relates to the threat of attacks. A great deal of media attention and many vendor product offerings have been targeting attacks and attack methodologies. This is perhaps the reason that CompTIA has been focusing many questions in this particular area. Although there are many different varieties and methods of attack, they can generally all be grouped into several categories: ■■
By the general target of the attack (application, network, or mixed)
■■
By whether the attack is active or passive
■■
By how the attack works (for example, via password cracking, or by exploiting code and cryptographic algorithms)
It’s important to realize that the boundaries between these three categories aren’t fixed. As attacks become more complex, they tend to be both application-based and network-based, which has spawned the new term mixed threat applications. An example of such an attack can be seen in the MyDoom worm, which targeted Windows machines in 2004. Victims received an e-mail indicating a delivery error, and if they executed the attached file, MyDoom would take over. The compromised machine would reproduce the attack by sending the e-mail to contacts in the user’s address book and copying the attachment to peer-to-peer (P2P) sharing directories. It would also open a backdoor on port 3,127, and try to launch a denial of service (DoS) attack against The SCO Group or Microsoft. So, as attackers get more creative, we have seen more and more combined and sophisticated threats. In the next few sections, we will detail some of the most common network threats and attack techniques so that you can be aware of them and understand how to recognize their symptoms and thereby devise a plan to thwart attack.
Head of the Class Attack Methodologies in Plain English In this section, we’ve listed network attacks, application attacks, and mixed threat attacks, and within those are included buffer overflows, distributed denial of service (DDoS) attacks, fragmentation attacks, and theft of service attacks. Although the list of descriptions might look overwhelming, generally the names are self-explanatory. For example, consider a DoS
Network Ports, Services, and Threats 275
attack. As its name implies, this attack is designed to do just one thing—render a computer or network nonfunctional so as to deny service to its legitimate users. That’s it. So, a DoS could be as simple as unplugging machines at random in a data center or as complex as organizing an army of hacked computers to send packets to a single host to overwhelm it and shut down its communications. Another term that has caused some confusion is a mixed threat attack. This simply describes any type of attack that is comprised of two different, smaller attacks. For example, an attack that goes after Outlook clients and then sets up a bootleg music server on the victim machine is classified as a mixed threat attack.
TCP/IP Hijacking TCP/IP hijacking, or session hijacking, is a problem that has appeared in most TCP/ IP-based applications, ranging from simple Telnet sessions to Web-based e-commerce applications. To hijack a TCP/IP connection, a malicious user must first have the ability to intercept a legitimate user’s data, and then insert himself or herself into that session much like a MITM attack. A tool known as Hunt (www.packetstormsecurity.org/ sniffers/hunt/) is very commonly used to monitor and hijack sessions. It works especially well on basic Telnet or FTP sessions. A more interesting and malicious form of session hijacking involves Web-based applications (especially e-commerce and other applications that rely heavily on cookies to maintain session state). The first scenario involves hijacking a user’s cookie, which is normally used to store login credentials and other sensitive information, and using that cookie to then access that user’s session. The legitimate user will simply receive a “session expired” or “login failed” message and probably will not even be aware that anything suspicious happened. The other issue with Web server applications that can lead to session hijacking is incorrectly configured session timeouts. A Web application is typically configured to timeout a user’s session after a set period of inactivity. If this timeout is too large, it leaves a window of opportunity for an attacker to potentially use a hijacked cookie or even predict a session ID number and hijack a user’s session. To prevent these types of attacks, as with other TCP/IP-based attacks, the use of encrypted sessions are key; in the case of Web applications, unique and pseudorandom session IDs and cookies should be used along with SSL encryption. This makes it harder for attackers to guess the appropriate sequence to insert into connections, or to intercept communications that are encrypted during transit.
Null Sessions Null sessions are unauthenticated connections. When someone attempts to connect to a Windows machine and does not present credentials, they can potentially successfully connect as an anonymous user, thus creating a Null session. Null sessions present vulnerability in that once someone has connected to a machine there is a lot to be learned about the machine. The more that is exposed about the machine, the more ammunition a hacker will have to attempt to gain
276 CHAPTER 6 Network Security
further access. For instance, in Windows NT/2000 content about the local machine SAM database was potentially accessible from a null session. Once someone has obtained information about local usernames, they can then launch a brute force or dictionary attack in an attempt to gain additional access to the machine. Null session can be controlled to some degree with registry hacks that can be deployed out to your machines, but the version of Windows operating system will dictate what can be configured for null session behavior on your machine.
IP Spoofing The most classic example of spoofing is IP spoofing. TCP/IP requires that every host fills in its own source address on packets, and there are almost no measures in place to stop hosts from lying. Spoofing, by definition, is always intentional. However, the fact that some malfunctions and misconfigurations can cause the exact same effect as an intentional spoof causes difficulty in determining whether an incorrect address indicates a spoof. Spoofing is a result of some inherent flaws in TCP/IP. TCP/IP basically assumes that all computers are telling the truth. There is little or no checking done to verify that a packet really comes from the address indicated in the IP header. When the protocols were being designed in the late 1960s, engineers didn’t anticipate that anyone would or could use the protocol maliciously. In fact, one engineer at the time described the system as flawless because “computers don’t lie.” There are different types of IP spoofing attacks. These include blind spoofing attacks in which the attacker can only send packets and has to make assumptions or guesses about replies, and informed attacks in which the attacker can monitor, and therefore participate in, bidirectional communications. There are ways to combat spoofing, however. Stateful firewalls usually have spoofing protection whereby they define which IPs are allowed to originate in each of their interfaces. If a packet claimed to be from a network specified as belonging to a different interface, the packet is quickly dropped. This protects from both blind and informed attacks. An easy way to defeat blind spoofing attacks is to disable source routing in your network at your firewall, at your router, or both. Source routing is, in short, a way to tell your packet to take the same path back that it took while going forward. This information is contained in the packet’s IP Options, and disabling this will prevent attackers from using it to get responses back from their spoofed packets. Spoofing is not always malicious. Some network redundancy schemes rely on automated spoofing to take over the identity of a downed server. This is because the networking technologies never accounted for the need for one server to take over for another. Technologies and methodologies exist that can help safeguard against spoofing of these capability challenges. These include: ■■ ■■
Using firewalls to guard against unauthorized transmissions. Not relying on security through obscurity, the expectation that using undocumented protocols will protect you.
Network Ports, Services, and Threats 277
■■
Using various cryptographic algorithms to provide differing levels of authentication.
Subtle attacks are far more effective than obvious ones. Spoofing has an advantage in this respect over a straight vulnerability exploit. The concept of spoofing includes pretending to be a trusted source, thereby increasing the chances that the attack will go unnoticed. Test Day Tip Knowledge of TCP/IP is really helpful when dealing with spoofing and s equence attacks. Having a good grasp of the fundamentals of TCP/IP will make the attacks seem less abstract. Additionally, knowledge of not only what these attacks are, but how they work, will better prepare you to answer test questions.
If the attacks use just occasional induced failures as part of their subtlety, users will often chalk it up to normal problems that occur all the time. By careful application of this technique over time, users’ behavior can often be manipulated.
Exercise 4 ARP Spoofing Address Resolution Protocol (ARP) spoofing can be quickly and easily done with a variety of tools, most of which are designed to work on UNIX OSes. One of the best all-around suites is a package called dsniff. It contains an ARP spoofing utility and a number of other sniffing tools that can be beneficial when spoofing. To make the most of dsniff you’ll need a Layer 2 switch into which all of your lab machines are plugged. It is also helpful to have various other machines doing routine activities such as Web surfing, checking POP mail, or using Instant Messenger software. 1.
To run dsniff for this exercise, you will need a UNIX-based machine. To download the package and to check compatibility, visit the dsniff Web site at www. monkey.org/~dugsong/dsniff.
2.
After you’ve downloaded and installed the software, you will see a utility called arpspoof. This is the tool that we’ll be using to impersonate the gateway host. The gateway is the host that routes the traffic to other networks.
3.
You’ll also need to make sure that IP forwarding is turned on in your kernel. If you’re using *BSD UNIX, you can enable this with the sysctl command (sysctl –w net.inet.ip.forwarding=1). After this has been done, you should be ready to spoof the gateway.
4.
arpspoof is a really flexible tool. It will allow you to poison the ARP of the entire local area network (LAN), or target a single host. Poisoning is the act of
278 CHAPTER 6 Network Security
t ricking the other computers into thinking you are another host. The usage is as follows: home# arpspoof –i fxp0 10.10.0.1
This will start the attack using interface fxp0, and will intercept any packets bound for 10.10.0.1. The output will show you the current ARP traffic. 5.
Congratulations, you’ve just become your gateway.
You can leave the arpspoof process running, and experiment in another window with some of the various sniffing tools which dsniff offers. Dsniff itself is a jack-ofall-trades password grabber. It will fetch passwords for Telnet, FTP, HTTP, Instant Messaging (IM), Oracle, and almost any other password that is transmitted in the clear. Another tool, mailsnarf, will grab any and all e-mail messages it sees, and store them in a standard Berkeley mbox file for later viewing. Finally, one of the more visually impressive tools is WebSpy. This tool will grab Universal Resource Locator (URL) strings sniffed from a specified host, and display them on your local terminal, giving the appearance of surfing along with the victim. You should now have a good idea of the kind of damage an attacker can do with ARP spoofing and the right tools. This should also make clear the importance of using encryption to handle data. Additionally, any misconceptions about the security or sniffing protection provided by switched networks should now be alleviated thanks to the magic of ARP spoofing!
Man-in-the-Middle Attacks As you have probably already begun to realize, the TCP/IP protocols were not designed with security in mind and contain a number of fundamental flaws that simply cannot be fixed due to the nature of the protocols. One issue that has resulted from IPv4’s lack of security is the MITM attack. To fully understand how a MITM attack works, let’s quickly review how TCP/IP works. TCP/IP was formally introduced in 1974 by Vinton Cerf. The original purpose of TCP/IP was not to provide security; rather, it was to provide a high-speed, reliable, communication network links. A TCP/IP connection is formed with a three-way handshake. As seen in Figure 6.4, a host (Host A) that wants to send data to another host (Host B) will initiate communications by sending a SYN packet. The SYN packet contains, among other things, the source and destination IP addresses as well as the source and destination port numbers. Host B will respond with a SYN/ACK. The SYN from Host B Figure 6.4 prompts Host A to send another ACK and A Standard TCP/IP Handshake the connection is established.
Network Ports, Services, and Threats 279
If a malicious individual can place himself between Host A and Host B, for example compromising an upstream router belonging to the ISP of one of the hosts, he or she can then monitor the packets moving between the two hosts. It is then possible for the malicious individual to analyze and change packets coming and going to the host. It is quite easy for a malicious person to perform this type of attack on Telnet sessions, but, the attacker must first be able to predict the right TCP sequence number and properly modify the data for this type of attack to actually work—all before the session times out waiting for the response. Obviously, doing this manually is hard to pull off; however, tools designed to watch for and modify specific data have been written and work very well. There are a few ways in which you can prevent MITM attacks from happening, like using a TCP/IP implementation that generates TCP sequence numbers that are as close to truly random as possible.
Replay Attacks In a replay attack, a malicious person captures an amount of sensitive traffic, and then simply replays it back to the host in an attempt to replicate the transaction. For example, consider an electronic money transfer. User A transfers a sum of money to Bank B. Malicious User C captures User A’s network traffic, then replays the transaction in an attempt to cause the transaction to be repeated multiple times. Obviously, this attack has no benefit to User C, but could result in User A losing money. Replay attacks, while possible in theory, are quite unlikely due to multiple factors such as the level of difficulty of predicting TCP sequence numbers. However, it has been proven that the formula for generating random TCP sequence numbers, especially in older OSes, isn’t truly random or even that difficult to predict, which makes this attack possible. Another potential scenario for a replay attack is this: an attacker replays the captured data with all potential sequence numbers, in hopes of getting lucky and hitting the right one, thus causing the user’s connection to drop, or in some cases, to insert arbitrary data into a session. As with MITM attacks, the use of random TCP sequence numbers and encryption like SSH or Internet Protocol Security (IPSec) can help defend against this problem. The use of timestamps also helps defend against replay attacks.
Denial of Service Even with the most comprehensive filtering in place all firewalls are still vulnerable to DoS attacks. These attacks attempt to render a network inaccessible by flooding a device such as a firewall with packets to the point that it can no longer accept valid packets. This works by overloading the processor of the firewall by forcing it to attempt to process a number of packets far past its limitations. By performing a DoS attack directly against a firewall, an attacker can get the firewall to overload its buffers and start letting all traffic through without filtering it. If a technician is alerted to an attack of this type, they can block the specific IP address that the attack is coming from at their router.
280 CHAPTER 6 Network Security
Distributed Denial of Service An alternative attack that is more difficult to defend against is the DDoS attack. This attack is worse, because it can come from a large number of computers at the same time. This is accomplished either by the attacker having a large distributed network of systems all over the world (unlikely) or by infecting normal users’ computers with a Trojan horse application, which allows the attacker to force the systems to attack specific targets without the end user’s knowledge. These enduser computers are systems that have been attacked in the past and infected with a Trojan horse by the attacker. By doing this, the attacker is able to set up a large number of systems (called zombies) to perform a DoS attack at the same time. This type of attack constitutes a DDoS attack. Performing an attack in this manner is more effective due to the number of packets being sent. In addition, it introduces another layer of systems between the attacker and the target, making the attacker more difficult to trace.
Domain Name Kiting Domain name kiting is when someone purchases a domain name and then soon after deletes the registration only to immediately reregister it. Because there is normally a 5-day registration grace period offered by many domain name registrars’, domain kiters will abuse this grace period by canceling the domain name registrations to avoid paying for them. This way they can use the domain names without cost. Because the grace period offered by registrars allows the registration of a domain name to be canceled without cost or penalty as long as the cancellation comes within 5 days of the registration, you can effectively “own” and use a domain name during this short timeframe without actually paying for it. It has become relatively easy to drop a domain name and claim the refund at the end of the grace period and by taking advantage of this process abusers are able to keep the registrations active on their most revenue-generating sites by cycling through cancellations and an endless refresh of their choice domain name registrations. As no cost is involved in turning over the domain names, domain kiters make money out of domains they are not paying for.
Domain Name Tasting Another concept that is very similar to domain name kiting is called domain name tasting. The two are similar in that they are both the abuse of domain names and the grace period associated with them. Domain name tasters register a domain name to exploit the Web site names for profit. Domain name investors will register groups of domain names to determine which namespaces will generate revenue through search engine queries and pay-per-click advertising mechanisms. They will often register typos of legitimate business sites hoping for human error to land Internet travelers on their Web sites, which in turn increases their bottom line. If it is determined that a specific domain name is not returning profit for the tasters then they will simply drop the domain name, claim a refund, and continue on to the next group of names.
Network Design Elements and Components 281
DNS Poisoning DNS poisoning or DNS cache poisoning occurs when a server is fed altered or spoofed records that are then retained in the DNS server cache. Once the DNS cache on a server has been “poisoned” in this fashion, because servers use their cache as the first mechanism to respond to incoming requests, all additional queries for the same record will be responded to with the falsified information. Attackers can use this method to redirect valid requests to malicious sites. The malicious sites may be controlled by the offender and contain viruses or worms that are distributed, or they may simply offensive sites already in existence on the Internet. For example, imagine if your child were to type in www.barbie.com and instead of connecting to a pretty pink site with Barbie dolls and Barbie games ends up on an adult pornographic Web site. DNS poisoning is a real threat that can be reduced by taking a few security precautions. First, by ensuring that your DNS server is up to date on patches and updates for known vulnerabilities you will help to ensure the safety of your DNS cache. Also, by taking advantage of Secure DNS whenever possible and employing digital signatures you will help to reduce the threat of DNS poisoning.
ARP Poisoning ARP is a broadcast-based protocol that functions at Layer 2 of the OSI model. Its purpose is to map a known IP address to its corresponding Media Access C ontrol (MAC) address for a packet to be properly addressed. A MAC address is a unique number assigned to network interface cards (NICs) by their manufacturers. ARP poisoning occurs when a client machine sends out an ARP request for another machine’s MAC address information and is sent falsified information instead. The spoofed ARP message allows the attacker to associate a MAC address of their choosing to a particular IP address, which means any traffic meant for that IP address would be mistakenly sent to the attacker instead. This opens the door for numerous attack mechanisms to be employed. Once the data has been intercepted, the attacker could choose to modify the data before forwarding it, which is called a man-in-the-middle attack or even launch a DoS attack against a victim by associating a nonexistent MAC address to the IP address of the victim’s default gateway.
Network Design Elements and Components When you are designing a network it is a good idea to have security in mind from the beginning. As you piece things together to meet your needs, there is a good probability that security will be among the things you must consider. Understanding the components and elements used in network design and how they work together is a good first step to building an effective design. In this section, we will discuss the following components of network design: ■■
DMZs
■■
Subnets
282 CHAPTER 6 Network Security
■■
VLANs
■■
Network Access Translation
■■
Network Access Control/Network Access Protection
■■
IP Telephony
Although differing components can be effectively used together, in some instances they need to be used completely separately from each other. You must imagine the different pieces that make up a network as discrete network segments holding systems that share common requirements. They are sometimes called security zones and some of these common requirements can be: ■■
The types of information the zone handles
■■
Who uses the zone
■■
What levels of security the zone requires to protect its data
Exam Warning A security zone is defined as any portion of a network that has specific security concerns or requirements. Intranets, extranets, DMZs, and VLANs are all security zones.
It is possible to have systems in a zone running different OSes, such as Windows Vista and NetWare 6.5. The type of computer, whether a PC, server, or mainframe, is not as important as the security needs of the computer. For example, there is a network that uses Windows 2003 servers as domain controllers, Domain name system (DNS) servers, and Dynamic Host Control Protocol (DHCP) servers. There are also Windows XP Professional clients and NetWare 6.5 file servers on the network. Some users may be using Macintosh computers running OS X or OS 9, while others may be running one or more types of Linux or UNIX. This is an extremely varied network, but it may still only have one or two security zones. The key is that the type of a computer and its operating system are not as important with regards to security zones and where the machines may fall. Each of these components helps to make up your network topology and if used correctly can assist you in creating a safe and effective network design. For example, suppose you have an e-commerce application that uses Microsoft’s Internet Information Server (IIS) running a custom Active Server Page (ASP) application, which calls on a second set of servers hosting custom COM+ components, which in turn interact with a third set of servers that house an Structured Query Language (SQL) 2005 database. Figure 6.5 provides an example of this concept. This is a fairly complex example, but helps illustrate the need for differing security topologies on the same network. Under no circumstances should COM+ servers or SQL 2005 servers be exposed to the Internet directly—they should be protected by placing them behind a strong security solution. At the same time, you do not
Network Design Elements and Components 283
Figure 6.5 The Complex N-tier Arrangement
want to leave IIS servers exposed to every hacker and script kiddie out there, so they should be placed in a DMZ or behind the first firewall or router. The idea here is to layer security so that a breach of one set of servers such as the IIS servers does not directly expose COM+ or SQL servers. In the early days of business Internet connectivity, the concept of security zones was developed to separate systems available to the public Internet from private systems available for internal use by an organization. A device called a firewall was utilized to separate the zones. Figure 6.6 shows a visual representation of the basic firewall concept. Many of these early firewalls had only basic abilities and usually functioned only as a packet filter. Packet filters rely on ACLs. ACLs allow the packet filter to be configured to block or allow traffic based on attributes such as IP address and source and destination port. Packet filters are considered stateless, while more advanced modern firewalls are considered to be stateful. Regardless of what type of firewall you are working with, most provide the ability to: ■■
■■
Block traffic based on certain rules. The rules can block unwanted, unsolicited, spurious, or malicious traffic (Figure 6.3). Mask the presence of networks or hosts to the outside world. Firewalls can also ensure that unnecessary information about the makeup of the internal network is not available to the outside world.
■■
Log and maintain audit trails of incoming and outgoing traffic.
■■
Provide additional authentication methods.
284 CHAPTER 6 Network Security
Figure 6.6 A Basic Firewall Installation
Figure 6.7 A Sample Firewall Rule Set
As you can see in Figure 6.7, you have quite a lot of flexibility when creating firewall rules. If you examine the row across the top of the image, you will notice the different components that we can configure when creating a new firewall rule. For instance, source and destination columns allow you to specify the source and destination IP addresses; the action column indicates what to do with traffic that matches a particular rule, the time column allows you to specify when the rule is in effect, and so on. When firewalls are processing rules they will typically move through the rule set from top to bottom, looking for a match for the traffic they are processing. Once a match is found the action in the matching rule will be performed on the data packets. The last rule in the firewall configuration is oftentimes a catch all type of rule, so if the data doesn’t match any other rule, it will match the
Network Design Elements and Components 285
last rule which is normally a drop or deny rule. So for instance, the last rule in the image shows a source and destination of ANY, which indicates all traffic will meet this rule. The action says drop, which means all traffic that has matched this rule will be immediately dropped. Some newer firewalls include more advanced features, such as integrated VPN applications that allow remote users to access local systems through a secure, encrypted tunnel. Some firewalls have integrated IDSes in their product and can make firewall rule changes based on the detection of suspicious events happening at the network gateway. (IDS products and their use are covered later in this chapter.) These new hybrid technologies have much promise and make great choices for creating a “defense in depth” strategy, but remember that the more work the firewall is doing to support these other functions, the more chance there is that these additional tools may impact the throughput of the firewall device.
Notes from the Field Using a Defense-in-Depth Strategy The defense-in-depth strategy specifies the use of multiple layers of network security. In this way, you avoid depending on one single protective measure deployed on your network. In other words, to eliminate the false feeling of security because you implemented a firewall on your Internet connection, you should implement other security measures such as an IDS, auditing, and biometrics for access control. You need many levels of security (hence, defense in depth) to be able to feel safe from potential threats. A possible defense-in-depth matrix with auditing included could look like the graphic in Figure 6.8.
In addition, when a number of these features are implemented on any single device, it creates a wide opportunity for a successful attacker if that device is ever compromised. If one of these hybrid information security devices is chosen, it is important to stay extra vigilant about applying patches and to include in the risk mitigation planning how to deal with a situation in which this device falls under the control of an attacker. Although the installation of a firewall or hybrid device protects the internal systems of an organization, it does nothing to protect the systems that are made available to the public Internet. A different type of implementation is Figure 6.8 needed to add basic protection for those A Graphical Representation of Defense in systems that are offered for public use. Depth
286 CHAPTER 6 Network Security
Thus enters the concept of the DMZ. The servers that are located in the DMZ reside outside of the protected internal network. We will discuss DMZs in more detail later in the chapter. The rest of the internal network is called the intranet, which means a private internal network. The intranet, therefore, is every part of a network that lies on the inside of the last firewall from the Internet. Figure 6.9 gives an example of an intranet. Test Day Tip Risk mitigation, according to the Project Management Institute (PMI), seeks to reduce the probability and/or impact of a specific risk below an acceptable threshold. For more information on risk and project management, see the PMI online at www.pmi.org.
Test Day Tip The terminology can be confusing to beginners. One might think the internal network would be the Internet, but this is not the case. An Internet (including the global Internet) refers to communications between different networks, while the intranet refers to communications within a network. It may help to use a comparison: interstate commerce refers to business transacted across state lines (between different states), while intrastate commerce refers to business transacted within one state.
It is expected that all traffic on the intranet will be secure and safe from the prying eyes on the Internet. It is the network security professional’s job to make sure that this happens. Although a security breach of a DMZ system can be costly to a company, a breach that occurs inside an intranet could be extraordinarily costly and damaging. If this happens, customers and business partners might lose faith in
Figure 6.9 A Simple Intranet Example
Network Design Elements and Components 287
the company’s ability to safeguard sensitive information, and other attackers will likely make the network a favorite target for future attacks. To ensure that all traffic on the intranet is secure, the following issues should be addressed: ■■
■■
■■
■■
■■
■■
■■
■■
Make sure that the firewall is configured properly to stop attack attempts at the firewall. There are many different opinions on how to do this, but the majority of security professionals agree that you should start with a deny all or “block everything” mentality and then open the firewall on a case-by-case basis, thereby only allowing specific types of traffic to cross it (regardless of which direction the traffic is flowing). It’s important to remember that each open port and service offers the attacker an additional path from which he may potentially target the network. Make sure that the firewall is configured properly to prevent unauthorized network traffic, such as file sharing programs (for example, BitTorrent, Gnutella, or Morpheus) from being used on the internal network. Make sure the firewall will watch traffic that egresses or leaves the network from trusted hosts, and ensure that it is not intercepted and altered en route; steps should also be taken to try to eliminate spoofing from attackers. Make sure that the antivirus software is in use and up to date. Consider implementing an enterprise-level solution, consisting of a central server responsible for coordinating and controlling the identification and collection of viruses on your network. Educate users on the necessity of keeping their computers logged out when not in use. Implement IPSec on the intranet between all clients and servers to prevent eavesdropping; note that more often than not, the greatest enemy lies on the inside of the firewall. Conduct regular, but unannounced, security audits and inspections. Be sure to closely monitor all logs that are applicable. Do not allow the installation of modems or unsecured wireless access points on any intranet computers. Do not allow any connection to the Internet except through the firewall and proxy servers, as applicable.
Of course, there are literally hundreds of other issues that may need to be addressed but these are some of the easiest ones to take care of and the most commonly exploited ones. Note All of the Internet security measures listed here should be used at your discretion, based on what is available and what meets the business needs of your company. You can use any one of these, all of these, or continue with an almost infinite list of applied security measures that are covered in this book.
288 CHAPTER 6 Network Security
Extranets are a special implementation of the intranet topology. Creating an extranet allows for access to a network or portions of the network by trusted customers, partners, or other users. These users, who are external to the network—they are on the Internet side of the firewalls and other security mechanisms—can then be allowed to access private information stored on the internal network that they would not want to place on the DMZ for general public access. The amount of access that each user or group of users is allowed to have to the intranet can be easily customized to ensure that each user or group gets what they need and nothing more. Additionally, some organizations create extranets to allow their own employees to have access to certain internal data while away from the private network. Note You must have a functional intranet setup before attempting to create an extranet.
The following is an example of how two companies might each choose to implement an extranet solution for their mutual benefit. Company A makes door stoppers and has recently entered into a joint agreement with Company B. Company B makes cardboard boxes. By partnering together, both companies are hoping to achieve some form of financial gain. Company A is now able to get cardboard boxes (which it needs to ship its product) made faster, cheaper, and to exact specification; Company B b enefits from newfound revenue from Company A. Everybody wins and both companies are very happy. After some time, both companies realize that they could streamline this process even more if they each had access to certain pieces of data about the other company. For example, Company A wants to keep track of when its cardboard boxes will be arriving. Company B, on the other hand, wants to be able to control box production by looking at how many orders for door stoppers Company A has. What these two companies need is an extranet. By implementing an extranet solution, both companies will be able to get the specific data they need to make their relationship even more profitable, without either company having to grant full, unrestricted access to its private internal network. Figure 6.10 depicts this extranet solution. Users attempting to gain access to an extranet require some form of authentication before they are allowed access to resources. The type of access control implemented
Figure 6.10 A Simple Extranet Example
Network Design Elements and Components 289
can vary, but some of the more common include usernames/passwords and digital certificates. Once an extranet user has been successfully authenticated, they can gain access to the resources that are allowed for their access level. In the previous example, a user from Company B’s production department might need to see information about the number of door stoppers being ordered, while a user from Company A’s shipping department might need to see information detailing when the next shipment of boxes is expected. Exam Warning Be able to readily define an extranet. You must know the difference between the Internet, intranet, and extranet.
What Is a DMZ? In computer security, the DMZ is a “neutral” network segment where systems accessible to the public Internet are housed, which offers some basic levels of protection against attacks. The term “DMZ” is derived from the military and is used to describe a “safe” or buffer area between two countries where, by mutual agreement, no troops or war-making activities are allowed. In the next sections we will explore this concept in more detail.
DMZ Design There are usually strict rules regarding what is allowed within a zone. When applying this term to the IT security realm, it can be used to create DMZ segments in usually one of two ways: ■■ ■■
Layered DMZ implementation Multiple interface firewall implementation
In the first method, the systems that require protection are placed between two firewall devices with different rule sets, which allow systems on the Internet to connect to the offered services on the DMZ systems, but prevents them from connecting to the computers on the internal segments of the organization’s network (often called the protected network). The second method is to add a third interface to the firewall and place the DMZ systems on that network segment (Figure 6.11). As an example, this is the
Figure 6.11 A Multiple Interface Firewall DMZ Implementation
290 CHAPTER 6 Network Security
way Cisco PIX firewalls are designed. This design allows the same firewall to manage the traffic between the Internet, the DMZ, and the protected network. Using one firewall instead of two lowers the costs of the hardware and centralizes the rule sets for the network, making it easier to manage and troubleshoot problems. Currently, this multiple interface design is a common method for creating a DMZ segment. In either case, the DMZ systems are offered some level of protection from the public Internet while they remain accessible for the specific services they provide to external users. In addition, the internal network is protected by a firewall from both the external network and the systems in the DMZ. Because the DMZ systems still offer public access, they are more prone to compromise and thus they are not trusted by the systems in the protected network. A good first step in building a strong defense is to harden the DMZ systems by removing all unnecessary services and unneeded components. The result is a bastion host. This scenario allows for public services while still maintaining a degree of protection against attack. Exam Warning Hosts located in a DMZ are generally accessed from both internal network clients and public (external) Internet clients. Examples of DMZ bastion hosts are DNS servers, Web servers, and FTP servers. A bastion host is a system on the public side of the firewall, which is exposed to attack. The word bastion comes from a sixteenth-century French word, meaning the projecting part of a fortress wall that faces the outside and is exposed to attackers.
The role of the firewall in all of these scenarios is to manage the traffic between the network segments. The basic idea is that other systems on the Internet are allowed to access only the services of the DMZ systems that have been made public. If an Internet system attempts to connect to a service not made public, the firewall drops the traffic and logs the information about the attempt (if configured to do so). Systems on a protected network are allowed to access the Internet as they require, and they may also access the DMZ systems for managing the computers, gathering data, or updating content. In this way, systems are exposed only to attacks against the services that they offer, and not to underlying processes that may be running on them. The systems in the DMZ can host any or all of the following services: ■■
■■
Internet Web Site Access IIS or Apache servers that provide Web sites for public and private usage. Examples would be www.microsoft.com or www. netserverworld.com. Both of these Web sites have both publicly and privately available contents. FTP Services FTP file servers that provide public and private downloading and uploading of files. Examples would be the FTP servers used by popular download providers at www.downloads.com or www.tucows.com. FTP is designed for faster file transfer with less overhead, but does not have all of the special features that are available in HTTP, the protocol used for Web page transfer.
Network Design Elements and Components 291
Exam Warning Remember that FTP has significant security issues in that username and password information is passed in clear text and can easily be sniffed.
■■
■■
■■
E-mail Relaying A special e-mail server that acts as a middleman of sorts. Instead of e-mail passing directly from the source server to the destination server (or the next hop in the path), it passes through an e-mail relay that then forwards it. E-mail relays are a double-edged sword and most security professionals prefer to have this function disabled on all publicly accessible e-mail servers. On the other hand, some companies have started offering e-mail relaying services to organizations as a means of providing e-mail security. DNS Services A DNS server might be placed in the DMZ to point incoming access requests to the appropriate server with the DMZ. This can alternatively be provided by the Internet Service Provider (ISP), usually for a nominal extra service charge. If DNS servers are placed in the DMZ, it is important to be careful and ensure that they cannot be made to conduct a zone transfer (a complete transfer of all DNS zone information from one server to another) to any server. This is a common security hole found in many publicly accessible DNS servers. Attackers typically look for this vulnerability by scanning to see if port TCP 53 is open. When you are placing a DNS server into the DMZ, it is often a good idea to examine the usage of split horizon DNS. Split horizon DNS is when there are two authoritative sources for your domain namespace, and the contents of the databases differ depending on whether the server is serving internal or external queries. Split horizon DNS adds security to the environment because the external database that may reside in the DMZ would only contain records that would be appropriate to expose, while the internal database would be protected on the LAN. Intrusion Detection The placement of an IDS system (discussed later in this chapter) in the DMZ is difficult and depends on the network requirements. IDSes placed in the DMZ will tend to give more false positive results than those inside the private internal network, because of the nature of Internet traffic and the large number of script kiddies out there. To reduce the larger number of false positives, as the administrator you must perform IDS tuning. IDS tuning is the process of adjusting the settings on your IDS system so that it is more appropriately configured to recognize normal traffic patterns in your environment. This allows the system to better detect truly unusual traffic circumstances for your network and alert you less frequently for false positives. Still, placing an IDS on the DMZ can give administrators early warning of attacks taking place on their network resources.
The rise of e-commerce and the increased demand of online transactions have increased the need for secure architectures and well-designed DMZs. E-commerce requires more attention to be paid to securing transaction information that flows
292 CHAPTER 6 Network Security
between consumers and the sites they use, as well as between e-commerce businesses themselves. Customer names, addresses, order information, and especially financial data need greater care and handling to prevent unauthorized access. This greater care is accomplished through the creation of the specialized segments mentioned earlier (which are similar to the DMZ) called security zones. Other items such as the use of encryption and the use of secure protocols like SSL and transport layer security (TLS) are also important when designing a more secure architecture. Security requirements for storing customer information and financial data are different from the requirements for storing routine, less sensitive information that businesses handle. Because this data requires processing and much of the processing is done over the Internet, more complicated network structures must be created. Many organizations choose to implement a multiple segment structure to better manage and secure their different types of business information. This multisegment approach allows flexibility, because new segments with specific purposes and security requirements can be easily added to the model. In general, the two segments that are widely accepted are as follows: ■■
A segment dedicated to information storage
■■
A segment specifically for the processing of business information
Each of these two new segments has special security and operability concerns above and beyond those of the rest of the organizational intranet. In reality, everything comes down to dollars—what is it going to cost to implement a security solution versus what will it cost if the system is breached by attackers. Thus, the value of raw data is different than the value of the financial processing system. Each possible solution has its pluses and minuses, but in the end a balance is struck between cost versus expected results. Thus, the creation of different zones (segments) for different purposes. Note that in this example the Web and e-mail servers would likely receive the least amount of spending and security measures, which is not to say that they will be completely ignored, they just would not receive as much as the financial servers might. Creation of multiple segments changes a network structure to look like the drawing in Figure 6.12. Remember that by adding additional zones you are also adding additional overhead. In this scenario all traffic must traverse firewall rules to move between zones. The diagram shown in Figure 6.9 includes the following two new zones: ■■
The data storage network
■■
The financial processing network
The data storage zone is used to hold information that the e-commerce application requires, such as inventory databases, pricing information, ordering details, and other nonfinancial data. The Web servers in the DMZ segment serve as the interface to the customers; they access the servers in the other two segments to gather the required information and to process the users’ requests.
Network Design Elements and Components 293
Figure 6.12 A Modern e-commerce Implementation
When an order is placed, the business information in these databases is updated to reflect the real-time sales and orders of the public. These business-sensitive database systems are protected from the Internet by the firewall, and they are restricted from general access by most of the systems in the protected network. This helps to protect the database information from unauthorized access by an insider or from accidental modification by an inexperienced user. Test Day Tip You will not need to know how an e-commerce DMZ is set up to pass the Security+ exam; however, it is important to know this information for real-world security work.
The financial information from an order is transferred to the financial processing segment. Here, the systems validate the customer’s information and then process the payment requests to a credit card company, a bank, or a transaction clearinghouse.
294 CHAPTER 6 Network Security
After the information has been processed, it is stored in the database for batch transfer into the protected network, or it is transferred in real time, depending on the setup. The financial segment is also protected from the Internet by the firewall, as well as from all other segments in the setup. This system of processing the data in a location separate from the user interface creates another layer that an attacker must penetrate to gather financial information about customers. In addition, the firewall protects the financial systems from access by all but specifically authorized users inside a company. Access controls also regulate the way network communications are initiated. For example, if a financial network system can process credit information in a store-and-forward mode, it can batch those details for retrieval by a system from the protected network. To manage this situation, the firewall permits only systems from the protected network to initiate connections with the financial segment. This prevents an attacker from being able to directly access the protected network in the event of a compromise. On the other hand, if the financial system must use real-time transmissions or data from the computers on the protected network, the financial systems have to be able to initiate those communications. In this event, if a compromise occurs, the attacker can use the financial systems to attack the protected network through those same channels. It is always preferable that DMZ systems not initiate connections into more secure areas, but that systems with higher security requirements initiate those network connections. Keep this in mind as you design your network segments and the processes that drive your site. Test Day Tip The phrase store-and-forward refers to a method of delivering transmissions in which the messages are temporarily held by an intermediary before being sent on to their final destination. Some switches and many e-mail servers use the store-and-forward method for data transfer.
Exam Warning DMZ design is covered on the Security+ exam. You must know the basics of DMZ placement and what components the DMZ divides.
In large installations, these segments may vary in placement, number, and/or implementation, but this serves to generally illustrate the ideas behind the process. An actual implementation may vary from this design. For example, an administrator may wish to place all the financial processing systems on the protected network. This is acceptable as long as the requisite security tools are in place to adequately secure the information. Other possible implementations include segmenting business information off an extension of the DMZ as well as discrete DMZ segments for development and testing. Specific technical requirements will impact actual deployment, so administrators may find that what they currently have in place on a network
Network Design Elements and Components 295
(or the need for a future solution) may deviate from the diagrams shown earlier. The bottom line is to ensure that systems are protected. Some common problems do exist with multiple-zone networks. By their very nature they are complex to implement, protect, and manage. Firewall rule sets are often large, dynamic, and confusing, and the implementation can be arduous and resource intensive. Creating and managing security controls such as firewall rules, IDS signatures, and user access regulations is a large task. These processes should be kept as simple as possible without compromising security or usability. It is best to start with denyall strategies and permit only the services and network transactions required to make the site function, and then carefully manage the site’s performance making small changes to the access controls to more easily manage the rule sets. Using these guidelines, administrators should be able to quickly get the site up and running without creating obvious security holes in the systems. Exam Warning The concept of a denial all strategy will be covered on the Security+ exam. A denial all strategy means that all services and ports are disabled by default, and then only the minimum level of service is activated as a valid business case is made for each service.
As a site grows and offers new features, new zones may have to be created. The abovementioned process should be repeated for creating the rule sets governing these new segments. As always, it is important to audit and inspect any changes and keep backups of the old rule sets in case they are needed again.
The Future of DMZs As long as services are hosted onsite in environments and the services have a need for accessibility from the Internet or from other organizations, the DMZs of the world will continue to be designed and deployed. Exam Warning Make sure that you know the definitions and the differences between a firewall and a DMZ.
Subnets A subnet is a group of computers that have been logically grouped together and assigned a common network address. Subnets can be arranged in many ways in the network environment, and the one thing to understand is that a machine’s IP address dictates what subnet it is a member of. For the subnet to function appropriately all machines on the same subnet must be connected via the same Switch or Hub backbone and share the same network prefix in their IP address. A group of machines on the same subnet are able to send network traffic among them in just a single hop, and routers are used to pass network traffic between subnets and form the basis of subnet boundaries.
296 CHAPTER 6 Network Security
VLANs A VLAN can be thought of as the equivalent to a broadcast domain. Test Day Tip A broadcast domain consists of a group of nodes (computers) that receive Layer 2 broadcasts sent by other members of the same group. Typically, broadcast domains are separated by creating additional network segments or by adding a router. Do not confuse broadcast domains with collision domains. Collision domains refer specifically to Ethernet networks. The area of network cabling between Layer 2 devices is known as a collision domain. Layer 2 devices typically include switches that rely on the physical address (MAC address) of computers to route traffic.
VLANs are a way to segment a network, as discussed earlier. When thinking of a VLAN, think of taking a switch and physically cutting it into two or more pieces with an axe. Special software features found in newer, more expensive switches, allow administrators to physically split one physical switch into multiple logical switches, thus creating multiple network segments that are completely separate from one another. The VLAN is thus a logical local area network that uses a basis other than a physical location to map the computers that belong to each separate VLAN (for example, each department within a company could comprise a separate VLAN, regardless of whether or not the department’s users are located in physical proximity). This allows administrators to manage these virtual networks individually for security and ease of configuration. Let’s look at an example of using VLANs. There is an Engineering section consisting of 14 computers and a Research section consisting of 8 computers, all on the same physical subnet. Users typically communicate only with other systems within their respective sections. Both sections share the use of one Cisco Catalyst 2950 switch. To diminish the size of the necessary broadcast domain for each section, the administrator can create two VLANs, one for the Engineering section and one for the Research section. After creating the two VLANs, all broadcast traffic for each section will be isolated to its respective VLAN. But what happens when a node in the Engineering section needs to communicate with a node in the Research section? Do the two systems connect from within the Catalyst 2950 switch? No; this cannot occur because the two sections have been set up on two different VLANs. For traffic to be passed between VLANs (even when they are on the same switch) a router must be used. Figure 6.13 graphically depicts the previous example of splitting one switch into two VLANs. Note that two switches can also be split into two VLANs or more, depending on the need. The following example shows how to split two switches into multiple VLANs with each VLAN acting as its own physically separated network segment. In reality, many more VLANs can be created; they are only limited by port density (the number of ports on a switch) and the feature set of the switch’s software.
Network Design Elements and Components 297
Figure 6.13 Using VLANs to Segment Network Traffic
Each VLAN functions like a separate network due to the combination of hardware and software features built into the switch itself. Thus, the switch must be capable of supporting VLANs to use them. The following are typical characteristics of VLANs when implemented on a network: ■■
■■
■■
■■
Each VLAN is the logical equivalent of a physically separate network as far as traffic is concerned. A VLAN can span multiple switches, limited only by imagination and the capabilities of the switches being used. Trunks carry the traffic between each switch that is part of a VLAN. A trunk is defined as a point-to-point link from one switch to another switch. The purpose of a trunk is to carry the traffic of multiple VLANs over a single link. Cisco switches, for example, use the Cisco proprietary interswitch link (ISL) and IEEE 802.1Q protocol as their trunking protocols.
Exam Warning Know that VLANs implement security at the switch level. If you are not on the same VLAN as another user on your network and access is not allowed, you can secure communications from such hosts.
A complete description of VLANs beyond the scope of the Security+ exam can be found at www.ciscopress.com/articles/article.asp?p=29803&rl=1. The IEEE 802.1Q standard can be downloaded at www.ieee802.org/1/pages/802.1Q.html.
Network Address Translation NAT was developed because of the explosive growth of the Internet and the increase in home and business networks—the number of available IP addresses was simply not enough. A computer must have an IP address to communicate with other computers on the Internet. NAT allows a single device, such as a router, to act as an agent between the Internet and the local network. This device or router provides a pool
298 CHAPTER 6 Network Security
of addresses to be used by your local network. Only a single, unique IP address is required to represent this entire group of computers. The outside world is unaware of this division and thinks that only one computer is connected. Common types of NAT include: ■■ ■■
■■
Static NAT Used by businesses to connect Web servers to the Internet Dynamic NAT Larger businesses use this type of NAT because it can operate with a pool of public addresses. Port Address Translation (PAT) Most home networks using DSL or cable modems use this type of NAT.
NAT is a feature of many routers, firewalls, and proxies. NAT has several benefits, one of which is its ability to hide the IP address and network design of the internal network. The ability to hide the internal network from the Internet reduces the risk of intruders gleaning information about the network and exploiting that information to gain access. If an intruder does not know the structure of a network, the network layout, the names and IP address of systems, and so on, it is very difficult to gain access to that network. NAT enables internal clients to use nonroutable IP addresses, such as the private IP addresses defined in RFC 1918, but still enables them to access Internet resources. The three ranges of IP addresses RFC 1918 reserved includes: 10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
NAT can be used when there are many internal private IP addresses and there are only a few public IP addresses available to the organization. In this situation, the company can share the few public IP addresses among all the internal clients. NAT can also aid in security as outsiders cannot directly see internal IP addresses. Finally, NAT restricts traffic flow so that only traffic requested or initiated by an internal client can cross the NAT system from external networks. When using NAT, the internal addresses are reassigned to private IP addresses and the internal network is identified on the NAT host system. Once NAT is configured, external malicious users are only able to access the IP address of the NAT host that is directly connected to the Internet, but they are not able to “see” any of the internal computers that go through the NAT host to access the Internet.
Damage and Defense Deploying a NAT Solution NAT is relatively easy to implement, and there are several ways to do so. Many broadband hardware devices (cable and DSL modems) are called cable/DSL “routers,” because they allow you to connect multiple computers. However, they are actually combination modem/NAT
Network Design Elements and Components 299
Figure 6.14 NAT Hides the Internal Addresses
devices rather than routers, because they require only one external (public) IP address. You can also buy NAT devices that attach your basic cable or DSL modem to the internal network. Alternatively, the computer that is directly connected to a broadband modem can use NAT software to act as the NAT device itself. This can be an add-on software program or the NAT software that is built into some OSes. For example, Windows XP and Vista include a fully configurable NAT as part of its routing and remote access services. Even older versions of Microsoft products such as Windows 98SE, Me, and 2000 Professional include a “lite” version of NAT called Internet connection sharing (ICS). For a quick, illustrated explanation of how NAT works with a broadband connection, see the HomeNetHelp article at www.homenethelp.com/web/explain/about-NAT.asp.
When NAT is used to hide internal IP addresses (see Figure 6.14), it is sometimes called a NAT firewall; however, do not let the word firewall give you a false sense of security. NAT by itself solves only one piece of the security perimeter puzzle. A true firewall does much more than link private IP addresses to public ones, and vice versa.
Head of the Class Public and Private Addressing Certain IP address ranges are classified as private IP addresses, meaning they are not to be routed on the Internet. These addresses are intended only for use on private internal
300 CHAPTER 6 Network Security
networks. There are three groups of private IP addresses under the IPv4 standard as outlined here: 10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) The network segment shown in Figure 6.11 uses private IP addresses on the internal network from the 192.168.5.x subnet. The allowable addresses in this subnet would then be 192.168.5.1 through 192.168.5.254. The 192.168.5.255 address is considered to be a broadcast address—one that would be used if a computer needed to send a transmission to all other computers on that subnet. Typically, the gateway or router will occupy the first address in a given range (as is the case in Figure 6.11), where the router has been assigned the address of 192.168.5.1 on its LAN interface. For a complete discussion on private IP addresses, see RFC 1918 at ftp://ftp.rfc-editor. org/in-notes/rfc1918.txt. The IANA maintains a current listing of all IPv4 IP address range assignments at www.iana.org/assignments/ipv4-address-space. You can also examine all of the special IPv4 IP address assignments at ftp://ftp.rfc-editor.org/in-notes/rfc3330.txt.
Network Access Control/Network Access Protection As seen in this chapter, hardening is an important process. Another way to harden the network is to use network access control (NAC). As a brief aside, there’s a bit of semantics that need to be dealt with. NAC is a technology and concept that has existed for several years. When Microsoft began to look at including a similar feature in Windows Vista and Windows Server 2008 they chose the term network access protection (NAP). The bottom line is that both NAC and NAP achieve the same goal—ensuring that the endpoint system is a valid system and meets specific health requirements (patches, anti-virus protection, system settings, and so forth) to be allowed on the network according to a defined policy. For the sake of this section we will use the term NAC in its most generic sense rather than based on a specific vendor’s interpretation. There are several different incarnations of NAC available. These include infrastructure-based NAC, endpoint-based NAC, and hardwarebased NAC.
1. Infrastructure-based NAC requires an organization to be running the most current hardware and OSes. OSes, such as Microsoft Vista, have the ability to perform NAC.
2. Endpoint-based NAC requires the installation of software agents on each network client. These devices are then managed by a centralized management console.
3. Hardware-based NAC requires the installation of a network appliance. The appliance monitors for specific behavior and can limit device connectivity should noncompliant activity be detected.
Network Design Elements and Components 301
NAC offers administrators a way to verify that devices meet certain health s tandards before they’re allowed to connect to the network. Laptops, desktop computers, or any device that doesn’t comply with predefined requirements, can be prevented from joining the network or can even be relegated to a controlled network where access is restricted until the device is brought up to the required security standards.
Telephony One area that is often overlooked in the IT security field is telecommunications. A company’s business can be just as easily disrupted by having its telecommunications disabled as it can by having its computer network disabled. That makes this an important area to be aware of when developing an overall security plan. Typically, most small companies use a small number of dedicated telephone lines for both incoming and outgoing calls, which keeps the responsibility of providing telephone service on the service provider. In larger companies, however, having dedicated lines for hundreds or thousands of employees is both inefficient and expensive. The solution to this problem is to install a Private Branch eXchange (PBX), which is a device that handles routing of internal and external telephone lines. This allows a company to have a limited number of external lines and an unlimited (depending on the resources of the PBX) number of internal lines. By limiting the number of external lines, a company is able to control the cost of telephone service while still providing for the communications needs of its employees. For example, a company may have 200 internal lines or extensions but only 20 external lines. When an employee needs to communicate outside of the company, one of the external lines is used, but when two employees communicate via the telephone system, the routing is done completely by the PBX and no external lines are used. PBX systems offer a great cost benefit to large companies, but they also have their own vulnerabilities. Many PBXs are designed to be maintained by an off-site vendor, and therefore have some method of remote access available. This can be in the form of a modem or, on newer models, a connection to a LAN. The best practice is to disable these remote access methods until the vendor has been notified that they need to perform maintenance or prepare an update. This limits the susceptibility to direct remote access attacks. PBXes are also vulnerable to DoS attacks against their external phone lines. There is also the possibility of them being taken over remotely and used to make unauthorized phone calls via the company’s outgoing lines. Voicemail capability can also be abused. Hackers who specialize in telephone systems, called phreakers, like to take control over voicemail boxes that use simple passwords, and change the passwords or the outgoing messages. Many smaller organizations are now using PBXes for telephony needs. This is due to the availability of cheap or free PBX systems running software released under the GPL license. An example of this is the Asterisk open source PBX available at www. asterisk.org/. With the high availability of this type of software at low costs, it is
302 CHAPTER 6 Network Security
natural for smaller companies to adopt these solutions. Software like this suffers from the same types of vulnerabilities as standard PBXes if not properly configured; therefore it should be closely examined as a security risk.
Summary of Exam Objectives In today’s networking world, networks no longer have to be designed the same way. There are many options available as to how to physically and logically design a network. All of these options can be used to increase the security of the internal network by keeping untrusted and unauthorized users out. The usage of DMZs to segment traffic into a protected zone between external and internal firewalls helps prevent attacks against your Internet facing servers. A NAT device can be used to hide the private intranet from the public Internet. NAT devices work by translating all private IP addresses into one or more public IP addresses, therefore making it look as if all traffic from the internal network is coming from one computer (or a small group of computers). The NAT device maintains a routing table of all connection requests, and therefore is able to ensure that all returning packets get directed to the correct originating host. Extranets can be established using VPN tunnels to provide secure access to intranet resources from different geographic locations. VPNs are also used to allow remote network users to securely connect back to the corporate network. To additionally reduce the risk in your environment application and service hardening should be considered. Be familiar with the required ports for various services, so that you can uninstall or disable unused services that will reduce unnecessary exposure. Include evaluation of network services such as DNS and DHCP, and specific types of application services such as e-mail, databases, NNTP servers, and others. IDSes are used to identify and respond to attacks on the network. Several types of IDSes exist, each with its own unique pros and cons. Which type you choose depends on your needs, and ultimately on your budget. An IPS is a newer type of IDS that can quickly respond to perceived attacks. Honeypots are advanced IDSes that can intelligently respond to attacks, actually enticing the attacker to select them over other real targets on the network. Honeypots can be used to distract attackers from real servers and keep them occupied while you collect information on the attack and the source of the attack. After an attack has occurred, the most important thing to do is to collect all of the evidence of the attack and its methods. You will also want to take steps to ensure that the same type of attack cannot be successfully performed on the network in the future.
Exam Objectives Fast Track General Network Security ■■
Eliminate unused and unnecessary protocols and services to limit exposure to attacks.
Exam Objectives Frequently Asked Questions 303
■■ ■■
Create and build strong ACLs for control of devices and network operations. Keep up with device-specific hotfixes, patches, and firmware upgrades to maintain high availability and security.
Network Security Tools ■■
■■
■■
Intrusion Detection Systems can be deployed to alert administrators of unusual or suspicious activity on the network. Honeypots and honeynets can be useful tools to redirect the attention of attacks to decoy systems to prevent damage to production components. Firewalls can be deployed to segment the network and add additional security with firewall rules.
Network Ports, Services, and Threats ■■
■■
■■
Follow best practices for hardening specific application-type servers such as e-mail, FTP, and Web servers. Be aware of common network threats and take measures to prepare for them. Application-specific fixes, patches, and updates are used in addition to OS and NOS fixes.
Network Design Elements and Components ■■ ■■
■■
Create DMZs and establish security zones in your network design to isolate. VLANs are virtual local area networks that are used to logically group machines that may not be on the same physical network. NAT is a method used to map internal private IP addresses to external addresses, thus reducing the number of required external addresses.
Exam Objectives Frequently Asked Questions Q: What protocols should I eliminate? A: This depends on your system needs. Unnecessary protocols often include NetBEUI, IPX/SPX, and NetBIOS dependent functions. Do not forget to evaluate the underlying protocols, such as ICMP and IGMP, for removal as well. Q: Is network security really important? A: This depends on your environmental needs. In some circumstances security is highly regarded and a large amount of money and effort will be put into securing the environment. In other companies security is lower on the importance list and isn’t given as much consideration.
304 CHAPTER 6 Network Security
Q: What is NAT? A: NAT is when you map external IP addresses to internal IP addresses. One benefit of utilizing NAT is that an organization can reduce its requirement for public IP addresses. Q: What is a proxy server? A: A proxy server is a device that sits between the Internet and the intranet and funnels traffic. It can provide access control and also document caching. Depending on the proxy server implementation they oftentimes have the capability to cache Web page content as well which makes browsing common sites faster, and they can publish internal Web site content to the Internet. Q: How do I find out which port numbers are used by a specific application? A: One of the easiest ways is to consult product documentation when it is available, but other ways include examining listening ports on the machine, utilizing a packet sniffer to capture data transmitted by the application, and viewing the configuration information in the application.
Self Test
1. Your company is considering implementing a VLAN. As you have studied for you Security+ exam, you have learned that VLANs offer certain security benefits as they can segment network traffic. The organization would like to set up three separate VLANs in which there is one for management, one for manufacturing, and one for engineering. How would traffic move for the engineering to the management VLAN? A. The traffic is passed directly as both VLANs are part of the same collision domain. B. The traffic is passed directly as both VLANs are part of the same broadcast domain. C. Traffic cannot move from the management to the engineering VLAN. D. Traffic must be passed to the router and then back to the appropriate VLAN.
2. You have been asked to protect two Web servers from attack. You have also been tasked with making sure that the internal network is also secure. What type of design could be used to meet these goals while also protecting all of the organization? A. Implement IPSec on the Web servers to provide encryption. B. Create a DMZ and place the Web server in it while placing the intranet behind the internal firewall.
Self Test 305
C. Place a honeypot on the internal network. D. Remove the Cat 5 cabling and replace it with fiber-optic cabling.
3. You have been asked to put your Security+ certification skills to use by examining some network traffic. The traffic was from an internal host whose IP address falls into an RFC 1918 range and you must identify the correct address. Which of the following should you choose? A. 127.0.0.1 C. 129.12.14.2 B. 10.27.3.56 D. 224.0.12.10
4. You have been running security scans against the DMZ Web server and have obtained the following results. The Web server is also the externally facing DNS server. How should these results be interpreted? C:\>nmap -sT 192.168.1.2 Starting nmap V. 3.91
Interesting ports on (192.168.1.2): (The 1,598 ports scanned but not shown below are in state: filtered)
Port
State
Service
53/tcp
Open
DNS
80/tcp
Open
http
111/tcp
Open
sun rpc
Nmap run completed –1 IP address (1 host up) scanned in 409 s. A. Port 80 and 53 are expected but TCP port 111 should not be open B. Port 80 and 111 should not be open but TCP port 53 should be open C. UDP port 80 should be open to the DMZ D. TCP port 25 should be open to the DMZ
5. You have been asked to use an existing router and utilize it as a firewall. Management would like you to use it to perform address translation and block some known bad IP addresses that previous attacks have originated from. With this in mind, which of the following statements are accurate? A. You have been asked to perform NAT services B. You have been asked to set up a proxy C. You have been asked to set up stateful inspection D. You have been asked to set up a packet filter
6. Which security control can best be described by the following? Because normal user behavior can change easily and readily, this security control system is prone to false positives where attacks may be reported based on changes to the norm that are “normal,” rather than representing real attacks.
306 CHAPTER 6 Network Security
A. Anomaly-based IDS B. Signature-based IDS
C. Honeypot D. Honeynet
7. You have been asked to install a SQL database on the intranet and recommend ways to secure the data that will reside on this server. While traffic will be encrypted when it leaves the server, your company is concerned about potential attacks. With this in mind, which type of IDS should you recommend? A. A network-based IDS with the sensor placed in the DMZ B. A host-based IDS that is deployed on the SQL server C. A network-based IDS with the sensor placed in the intranet D. A host-based IDS that is deployed on a server in the DMZ
8. Your network is configured to use an IDS to monitor for attacks. The IDS is network-based and has several sensors located in the internal network and the DMZ. No alarm has sounded. You have been called in on a Friday night because someone is claiming their computer has been hacked. What can you surmise? A. The misconfigured IDS recorded a positive event B. The misconfigured IDS recorded a negative event C. The misconfigured IDS recorded a false positive event D. The misconfigured IDS recorded a false negative event
9. You have installed an IDS that is being used to actively match incoming packets against known attacks. Which of the following technologies is being used? A. Stateful inspection C. Anomaly detection B. Protocol analysis D. Pattern matching
10. You have been reading about the ways in which a network-based IDS can be attacked. Which of these methods would you describe as an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time? A. Evasion C. Session splicing B. IP fragmentation D. Session hijacking 11. You have been asked to explore what would be the best type of IDS to deploy at your company site. Your company is deploying a new program that will be used internally for data mining. The IDS will need to access the data mining application’s log files and needs to be able to identify many types of attacks or suspicious activity. Which of the following would be the best option? A. Network-based IDS that is located in the internal network B. Host-based IDS
Self Test Quick Answer Key 307
C. Application-based IDS D. Network-based IDS that has sensors in the DMZ 12. You are about to install WinDump on your Windows computer. Which of the following should be the first item you install? A. LibPcap C. IDSCenter B. WinPcap D. A honeynet 13. You must choose what type of IDS to recommend to your company. You need an IDS that can be used to look into packets to determine their composition. What type of signature type do you require? A. File-based C. Content-based B. Context-based D. Active 14. You have decided to implement split horizon DNS. You install two instances of DNS, and place one in the DMZ and one in the LAN. Which of these two DNS servers will become authoritative for your domain namespace? A. Both the DMZ- and the LAN-based servers will be authoritative for your domain namespace B. Only the LAN-based DNS C. Only the DMZ-based DNS D. Neither, the ISP is the only one who can be authoritative for a domain namespace 15. One of your servers has a host-based IDS installation in place. The system has been generating many false positives and you would like to examine the network traffic that is going to and from the server. Which of the following tools is going to be able to successfully capture this data off the wire for you to analyze? A. A protocol analyzer C. An NIDS system B. An IDS snuffler D. A protocol stealer
Self Test Quick Answer Key 1. 2. 3. 4. 5.
D B B A D
6. 7. 8. 9. 10.
A B D D C
11. 12. 13. 14. 15.
C B C A A
This page intentionally left blank
Chapter
Wireless Networks
7
E x a m o b j e c tiv e s in this c hapt e r Wireless Network Design.................................................................................................... 310 Service Set ID Broadcast..................................................................................................... 315 Wireless Security Standards................................................................................................ 316 Rogue APs ......................................................................................................................... 325 Data Emanation................................................................................................................... 326 Bluetooth ........................................................................................................................... 327
Introduction This chapter thoroughly discusses what you need to know about wireless technologies for the Security+ exam, as well as the knowledge needed to be an efficient security analyst. The widespread popularity and use of wireless networks and technologies have grown tremendously over the last few years. This is a technology that is only going to increase and become more prevalent in the coming years. Although wireless solutions continue to evolve and spread, the security of such systems is not always the first thought of the developer. Ensuring the security of such systems has become paramount in both public and private sectors. Wireless networks can be very insecure if specific measures are not taken to properly manage them; however, securing them is not impossible. Note Although the concepts of wireless in this chapter go above and beyond what is covered under the Security+ exam, it is our belief that as a security analyst you will need to know this information as you progress forward. Therefore, we have highlighted the areas you will definitely be expected to know for the Security+ exam. Be sure you have a good grasp of wireless technologies for the exam, specifically concerning wireless network designs, issues with weak encryption, and vulnerabilities.
309
310 CHAPTER 7 Wireless Networks
Wireless Network Design This section covers the basics of wireless network design and architectures. Before delving too deeply into the design of wireless systems it’s a good idea to first review some wireless communication basics. Wireless networks, like their wired counterparts, rely on the manipulation of electrical charge to enable communication between devices. Changes or oscillations in signal strength from zero to some maximum value (amplitude) and the rate of those oscillations (frequency) are used singularly or in combination with each other to encode and decode information. Two devices can communicate with each other when they understand the method(s) used to encode and decode information contained in the changes to the electrical properties of the communications medium being used. A network adapter can decode changes in the electric current it senses on a wire and convert them to meaningful information (bits) that can subsequently be sent to higher levels for processing. Likewise, a network adapter can encode information (bits) by manipulating the properties of the electric current for transmission on the communications medium (in the case of wired networks, this would be the cable).
Wireless Communications The primary difference between wired and wireless networks is that wireless networks use a special type of electric current known as radio frequency (RF), which is created by applying alternating current to an antenna to produce an electromagnetic field (EM). Devices for broadcasting and reception use the resulting RF field. In the case of wireless networks, the medium for communications is the EM field, the region of space that is influenced by electromagnetic radiation. (Unlike audio waves, radio waves do not require a medium such as air or water to propagate.) As with wired networks, amplitude decreases with distance, resulting in the degradation of signal strength and the capability to communicate. However, the EM field is also dispersed according to the properties of the transmitting antenna, and not tightly bound as is the case with communication over a wire. The area over which the radio waves propagate from an electromagnetic source is known as the fresnel zone. Note A fresnel zone calculator is available at www.firstmilewireless.com/calc_fresnel.html.
Like the waves created by throwing a rock into a pool of water, radio waves are affected by the presence of obstructions and can be reflected, refracted, diffracted, or scattered, depending on the properties of the obstruction and its interaction with the radio waves. Reflected radio waves can be a source of interference on wireless networks. The interference created by bounced radio waves is called multipath interference. When radio waves are reflected, additional wave fronts are created. These different wave fronts may arrive at the receiver at different times and be in phase or out
Wireless Network Design 311
of phase with the main signal. When the peak of a wave is added to another wave (in phase), the wave is amplified. When the peak of a wave meets a trough (out of phase), the wave is effectively cancelled. Multipath interference can be the source of hard-to-troubleshoot problems. In planning for a wireless network, administrators should consider the presence of common sources of multipath interference. These include metal doors, metal roofs, water, metal vertical blinds, and any other source that is highly reflective to radio waves. Antennas may help to compensate for the effects of multipath interference, but they must be carefully chosen. Many wireless access points (APs) have two antennas for precisely this purpose. However, a single omnidirectional antenna may be of no use at all for this kind of interference. Another source of signal loss is the presence of obstacles. Although radio waves can travel through physical objects, they are degraded according to the properties of the object they travel through. For example, a window is fairly transparent to radio waves, but may reduce the effective range of a wireless network by 50 to 70 percent, depending on the presence and nature of the coatings on the glass. A solid core wall can reduce the effective range of a wireless network by up to 90 percent or greater. EM fields are also prone to interference and signal degradation by the presence of other EM fields. In particular, 802.11 wireless networks are prone to interference produced by cordless phones, microwave ovens, and a wide range of devices that use the same unlicensed Industrial, Scientific, and Medical (ISM) or Unlicensed National Information Infrastructure (UNII) bands. To mitigate the effects of interference from these devices and other sources of electromagnetic interference, RF-based wireless networks employ spread spectrum technologies. Spread spectrum provides a way to “share” bandwidth with other devices that may be operating in the same frequency range. Rather than operating on a single, dedicated frequency such as is the case with radio and television broadcasts, wireless networks use a “spectrum” of frequencies for communication.
Spread Spectrum Technology Conceived of by Hedy Lamarr and George Antheil in 1940 as a method of securing military communications from jamming and for eavesdropping during WWII, spread spectrum defines methods for wireless devices to use to send a number of narrowband frequencies over a range of frequencies simultaneously for communication. The narrowband frequencies used between devices change according to a randomappearing, but defined pattern, allowing individual frequencies to contain parts of the transmission. Someone listening to a transmission using spread spectrum would hear only noise, unless their device understood in advance what frequencies were used for the transmission and could synchronize with them. Two methods of synchronizing wireless devices are as follows: ■■
Frequency hopping spread spectrum (FHSS)
■■
Direct sequence spread spectrum (DSSS)
312 CHAPTER 7 Wireless Networks
Frequency Hopping Spread Spectrum As the name implies, FHSS works by quickly moving from one frequency to another according to a pseudorandom pattern. The frequency range used by the frequency hop is relatively large (83.5 MHz), providing excellent protection from interference. The amount of time spent on any given frequency is known as dwell time and the amount of time it takes to move from one frequency to another is known as hop time. FHSS devices begin their transmission on one frequency and move to other frequencies according to a predefined pseudorandom sequence and then repeat the sequence after reaching the final frequency in the pattern. Hop time is usually very short (200 to 300 µs) and not significant relative to the dwell time (100 to 200 ms). In general, the longer the dwell time, the greater the throughput and the more susceptible the transmission is to narrowband interference. The frequency hopping sequence creates a channel, allowing multiple channels to coexist in the same frequency range without interfering with each other. As many as 79 Federal Communications Commission (FCC)-compliant FHSS devices using the 2.4-GHz ISM band can be colocated together. However, the expense of implementing such a large number of systems limits the practical number of colocated devices to well below this number. Wireless networks that use FHSS include HomeRF and Bluetooth, both of which operate in the unlicensed 2.4-GHz ISM band. FHSS is less subject to EM interference than DSSS, but usually operates at lower rates of data transmission (usually 1.6 Mbps, but can be as high as 10 Mbps) than networks that use DSSS.
Direct Sequence Spread Spectrum DSSS works somewhat differently. With DSSS, the data are divided and simultaneously transmitted on as many frequencies as possible within a particular frequency band (the channel). DSSS adds redundant bits of data known as chips to the data to represent binary 0s or 1s. The ratio of chips to data is known as the spreading ratio: the higher the ratio, the more immune is the signal to the interference, because if part of the transmission is corrupted, the data can still be recovered from the remaining part of the chipping code. This method provides greater rates of transmission than FHSS, which uses a limited number of frequencies, but fewer channels in a given frequency range. DSSS also protects against data loss through the redundant, simultaneous transmission of data. However, because DSSS floods the channel it is using, it is also more vulnerable to interference from EM devices operating in the same range. In the 2.4- to 2.4835-GHz frequency range employed by 802.11b, DSSS transmissions can be broadcast in any one of 14 22-MHz wide channels. The number of center-channel frequencies used by 802.11 DSSS devices depends on the country. For example, North America allows 11 channels operating in the 2.4-to 2.4835-GHz range, Europe allows 13, and Japan allows 1. Because each channel is 22-MHz wide, they may overlap each other. Of the 11 available channels in North America, only a maximum of three (1, 6, and 11) may be used concurrently without the use of overlapping frequencies.
Wireless Network Design 313
Test Day Tip When comparing FHSS and DSSS technologies, it should be noted that FHSS networks are not inherently more secure than DSSS networks, contrary to popular belief. Even if the relatively few manufacturers of FHSS devices were not to publish the hopping sequence used by their devices, a sophisticated hacker armed with a spectrum analyzer and a computer could easily determine this information and eavesdrop on the communications.
Wireless Network Architecture The seven-layer open systems interconnect (OSI) networking model defines the framework for implementing network protocols. Wireless networks operate at the physical and data link layers of the OSI model. The physical layer is concerned with the physical connections between devices, such as how the medium and low bits (0s and 1s) are encoded and decoded. Both FHSS and DSSS are implemented at the physical layer. The data link layer is divided into two sublayers, the Media Access Control (MAC) and Logical Link Control (LLC) layers. The MAC layer is responsible for the following: ■■
Framing data
■■
Error control
■■
Synchronization
■■
Collision detection and avoidance
The Ethernet 802.3 standard, which defines the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) method for protecting against data loss as a result of data collisions on the cable, is defined at this layer.
Head of the Class Nitty Gritty Details Wireless networks and wireless networking, in general, are tested on the Security+ exam; the current revision has more wireless content that the original version and when the exam changes in the future, the Security+ exam wireless content will continue to grow as the networking world and corporate enterprises embrace more of the technology. Unfortunately, we (the authors of this book) have to balance our goal of providing a broad education with providing the specific knowledge needed to pass the Security+ exam. The explanation of wireless, how it works, and what you can do with it, is strictly background information to further your understanding of the technology. Security+ exam questions are not based on FHSS and DSSS technologies, so if this information seems overly technical, do not panic! It is important, however, to know this information as a security analyst. It is our mission to teach you everything you need to know to transition from the Security+ exam to the real world of security analysts.
314 CHAPTER 7 Wireless Networks
CSMA/CD and CSMA/CA In contrast to Ethernet 802.3 networks, wireless networks defined by the 802.11 standard do not use CSMA/CD as a method to protect against data loss resulting from collisions. Instead, 802.11 networks use a method known as Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). CSMA/CD works by detecting whether a collision has occurred on the network and then retransmitting the data in the event of such an occurrence. However, this method is not practical for wireless networks because it relies on the fact that every workstation can hear all the other workstations on a cable segment to determine if there is a collision. In wireless networks, usually only the AP can hear every workstation that is communicating with it (for example, workstations A and B may be able to communicate with the same AP, but they may be too far apart from each other to hear their respective transmissions). Additionally, wireless networks do not use full-duplex communication, which is another way of protecting data against corruption and loss as a result of collisions. Note APs are also referred to as wireless access points. This is a more precise term that differentiates them from other network APs (such as dial-in remote APs) but in this chapter, we will use the acronym AP to avoid confusion with the Wireless Application Protocol (WAP).
CSMA/CA solves the problem of potential collisions on the wireless network by taking a more active approach than CSMA/CD, which kicks in only after a collision has been detected. Using CSMA/CA, a wireless workstation first tries to detect if any other device is communicating on the network. If it senses it is clear to send, it initiates communication. The receiving device sends an acknowledgment (ACK) packet to the transmitting device indicating a successful reception. If the transmitting device does not receive an ACK, it assumes a collision has occurred and retransmits the data. However, it should be noted that many collisions can occur and that these collisions can be used to compromise the confidentiality of Wired Equivalent Privacy (WEP) encrypted data. CSMA/CA is only one way in which wireless networks differ from wired networks in their implementation at the MAC layer. For example, the Institute of Electrical and Electronics Engineers, Inc. (IEEE) standard for 802.11 at the MAC layer defines additional functionality, such as virtual collision detection, roaming, power saving, asynchronous data transfer, and encryption. The fact that the WEP protocol is defined at the MAC layer is particularly noteworthy and has significant consequences for the security of wireless networks. This means that data at the higher levels of the OSI model, particularly Transmission Control Protocol/Internet Protocol (TCP/IP) data, is also encrypted. Because much of the TCP/IP communications that occur between hosts contain a large amount of frequently repeating and well-known patterns, WEP may be vulnerable to known plaintext attacks, although it does include safeguards against this kind of attack.
Service Set ID Broadcast 315
Service Set ID Broadcast The 802.11 standard provides for two modes for ad hoc and infrastructure wireless clients to communicate. The ad hoc mode is geared for a network of stations within communication range of each other. Ad hoc networks are created spontaneously between the network participants. In infrastructure mode, APs provide more permanent structure for the network. An infrastructure consists of one or more APs as well as a distribution system (that is, a wired network) behind the APs that tie the wireless network to the wired network. Figures 7.1 and 7.2 show an ad hoc network and an infrastructure network, respectively. 802.11 Traffic can be subdivided into three parts: ■■
Control frames
■■
Management frames
■■
Data frames
Control frames include such information as Request to Send (RTS), Clear to Send (CTS), and ACK messages. Management frames include beacon frames, probe request/response, authentication frames, and association frames. Data frames are 802.11 frames that carry data, which is typically considered network traffic, such as IP encapsulated frames. All this communication requires that systems have a means to distinguish different wireless networks from one another; the 802.11 standard defines the Service Set Identifier (SSID). The SSID is considered the identity element that “glues” various components of a wireless local area network (LAN) together. Traffic from wireless clients that uses one SSID can be distinguished from other wireless traffic using a different
Figure 7.1 Ad Hoc Network Configuration
316 CHAPTER 7 Wireless Networks
Figure 7.2 Infrastructure Network Configuration
SSID. Using the SSID, an AP can determine which traffic is meant for it and which is meant for other wireless networks. Unless otherwise configured to block such activity, wireless networks will regularly broadcast their SSID. This is known as an SSID broadcast. Although SSID broadcast can be disabled, the SSID is still needed to direct packets to and from the AP, which basically means that it is still discoverable to an attacker with the right tools. The Security+ test candidate should realize that disabling the SSID for a network that is not for public use is a good idea, but also understand that hiding the SSID is not true security. It is really more of security by obscurity.
Wireless Security Standards The IEEE 802.11 standard covers the communication between wireless LAN (WLAN) components. RF poses challenges to privacy in that it travels through and around the physical objects. Because of the nature of the 802.11 wireless LANs, the IEEE
Wireless Security Standards 317
working group implemented a mechanism to protect the privacy of the individual transmissions, known as the WEP protocol. Because WEP utilizes a cryptographic security countermeasure for the fulfillment of its stated goal of privacy, it had the added benefit of becoming an authentication mechanism. This benefit is realized through a shared-key authentication that allows for encryption and decryption of wireless transmissions. Up to four keys can be defined on an AP or a client, and they can be rotated to add complexity for a higher security standard in the WLAN policy. WEP was never intended to be the absolute authority in wireless security and quickly became an example of how not to design a Cryptographic Security Protocol. The IEEE 802.11 standard stated that WEP should provide for the same amount of protection as a wired network. However, this provides only a basic level of privacy, and it was quickly determined that WEP had some fatal flaws. Because of the flaws in WEP, recommendations were quick to circulate that in cases that required higher degrees of security, other mechanisms should be utilized such as authentication, access control, password protection, and virtual private networks (VPNs). It is important to review the effect of key size on the overall security of WEP as an illustration of one of its major weaknesses.
Security of 40-Bit versus 104-Bit Keys One of WEP’s key weaknesses was a flaw in the combination of the initialization vector (IV) and the WEP secret key as used in the Key Scheduling Algorithm of the RC4 cipher. This flaw was quickly identified by Scott Fluhrer, Itsik Mantin, and Adi Shamir in their article “Weaknesses in the Key Scheduling Algorithm of RC4.”1 Using this information Adam Stubblefield, John Ionnadis, and Aviel Rubin showed in their article, “Using the Fluhrer, Mantin and Shamir Attack to Break WEP”2 how weak the WEP algorithm was and how easily it can be broken. It didn’t matter whether you used 40-bit or 104-bit WEP keys (the extra 24 bits were provided by the IV), WEP was a seriously flawed security algorithm. To a nontechnical person it may seem that a message protected with a 128-bit encryption scheme would be twice as secure as a message protected with a 64-bit encryption scheme. However, this is not the case with WEP. Since the same IV vulnerability exists with both encryption levels, they can be compromised within similar time limits. With 64-bit WEP, the network administrator specifies a 40-bit key—typically 10 hexadecimal digits (0 through 9, a through f, or A through F). A 24-bit IV is appended to the 40-bit key, and the RC4 key scheme is built from these 64 bits of data. This same process is followed in the 128-bit scheme. The administrator specifies a 104-bit key—this time 26 hexadecimal digits (0 through 9, a through f, or A through F). The 24-bit IV is added to the beginning of the key, and the RC4 key schedule is built. Because the vulnerability stems from capturing predictably weak IVs, the size of the original key does not make a significant difference in the security of the encryption. This is due to the relatively small number of total IVs possible under the current WEP specification. Currently, there are a total of 16,777,216 possible IV keys. Because every frame or packet uses an IV, this number can be exhausted within hours on a busy network. If the WEP key is not changed within a strictly defined period of
318 CHAPTER 7 Wireless Networks
time, all possible IV combinations can be intercepted off of an 802.11b connection, captured, and made available for cracking within a short period of time. This is a design flaw of WEP, and bears no correlation to whether the wireless client is using 64-bit WEP or 128-bit WEP. Improvements in the 802.11 standard have helped make wireless communication more secure. It is critically important to keep abreast of vendor-related software fixes and changes that improve the overall security posture of a wireless LAN. With data security enabled in a closed network, the settings on the client for the SSID and the encryption keys must match the AP when attempting to associate with the network or it will fail. The next few paragraphs discuss Wi-Fi Protected Access (WPA) and WPA2 and their relation to the functionality of the 802.11 standard, including a standard definition.
WPA and WPA2 The issues with WEP were cause enough for concern that the WiFi Alliance created a certification program for its replacements, WPA and WPA2. These improvements were needed to address the serious weaknesses in the way in which WEP was implemented. WPA was designed to meet these short-term needs of wireless security as a stopgap measure. One big change between WEP and WPA was the advancement of Temporal Key Integrity Protocol (TKIP). TKIP increases the IV from 24 bits to 48 bits. WPA was designed to also use a different secret key for each packet and also featured Message Integrity Code (MIC) that was designed to detect invalid packets. WPA was effective in that it was designed as a stopgap measure until a completely new replacement could be approved and released. This replacement was WPA2 (802.11i). WPA2 implemented all the elements that were requirements of the Wi-Fi Alliance and as specified in 802.11i. The standard took so long to be released that it was branded WPA-2 even though it uses a completely different method of security. WPA2 includes Robust Security Network (RSN) support. RSN includes added protection for ad hoc networks, key caching, and preroaming authentication. WPA2 uses AES with key sizes of up to 256 bits.
Wireless Application Protocol The WAP is an open specification designed to enable mobile wireless users to easily access and interact with information and services. WAP is designed for hand-held digital wireless devices such as mobile phones, pagers, two-way radios, smartphones, and other communicators. It works over most wireless networks and can be built on many operating systems (OSes) including PalmOS, Windows CE, JavaOS, and others. The WAP operational model is built on the World Wide Web (WWW) programming model with a few enhancements and is shown in Figure 7.3. WAP browsers in a wireless client are analogous to the standard WWW browsers on computers. WAP uniform resource locators (URLs) are the same as those defined for traditional networks and are also used to identify local resources in the WAPenabled client. The WAP specification added two significant enhancements to the
Wireless Security Standards 319
Figure 7.3 Wireless Application Protocol (WAP) 2.0 Architecture Programming Model
above-mentioned programming model: push and telephony support (Wireless Telephony Application [WTA]). WAP also provides for the use of proxy servers, as well as supporting servers that provide functions such as public key infrastructure support, user profile support, and provisioning support.
Wireless Transport Layer Security Wireless Transport Layer Security (WTLS) is an attempt by the WAP Forum to introduce a measure of security into WAP. The WTLS protocol is based on the Transport Layer Security (TLS) protocol that is itself a derivative of the Secure Sockets Layer (SSL) protocol. However, several changes were made to these protocols to adapt them to work within WAP. These changes include the following: ■■
Support for both datagram- and connection-oriented protocols
■■
Support for long round-trip times
■■
Low bandwidth, limited memory, and processor capabilities
WTLS is designed to provide privacy as well as reliability for both the client and the server over an unsecured network and is specific to applications that utilize WAP. These applications tend to be limited by memory, processor capabilities, and lowbandwidth environments.
Authentication There are two authentication methods in the 802.11 standard: ■■
Open authentication
■■
Shared-key authentication
320 CHAPTER 7 Wireless Networks
Open authentication is more precisely described as device-oriented authentication and can be considered a null authentication—all requests are granted. Without WEP, open authentication leaves the WLAN wide open to any client who knows the SSID. With WEP enabled, the WEP secret key becomes the indirect authenticator. The open authentication exchange, with WEP enabled, is shown in Figure 7.4. The shared-key authentication process shown in Figure 7.5 is a four-step process that begins when the AP receives the validated request for association. After the AP receives the request, a series of management frames are transmitted between the stations to produce the authentication. This includes the use of the cryptographic mechanisms employed by WEP as a validation. The four steps break down in the following manner:
1. The requestor (the client) sends a request for association.
2. The authenticator (the AP) receives the request, and responds by producing a random challenge text and transmitting it back to the requestor.
3. The requestor receives the transmission, encrypts the challenge with the secret key, and transmits the encrypted challenge back to the authenticator.
Figure 7.4 Open Authentication
Wireless Security Standards 321
4. The authenticator decrypts the challenge text and compares the values against the original. If they match, the requestor is authenticated. However, if the requestor does not have the shared key, the cipher stream cannot be reproduced, therefore the plaintext cannot be discovered, and theoretically the transmission is secured.
One of the greatest weaknesses in shared-key authentication is that it provides an attacker with enough information to try and crack the WEP secret key. The challenge, which is sent from authenticator to requestor, is sent in the clear. The requesting client then transmits the same challenge, encrypted using the WEP secret key, back to the authenticator. An attacker who captures both of these packets now has two pieces of a three-piece puzzle: the cleartext challenge and the encrypted ciphertext of that challenge. The algorithm RC4 is also known. All that is missing is the secret key. To determine the key, the attacker may simply try a brute force search of the potential key space using a dictionary attack. At each step, the attacker tries to decrypt the encrypted challenge with a dictionary word as the secret key. The result is then compared against the authenticator’s challenge. If the two match, then the secret key has been determined. In cryptography, this attack is termed a known-plaintext attack and is the primary reason why shared-key authentication is actually considered slightly weaker than open authentication.
Figure 7.5 Shared-Key Authentications
322 CHAPTER 7 Wireless Networks
Test Day Tip Although the Security+ exam does not cover the authentication process in great detail, it is important to remember the two authentication mechanisms in the 802.11 standard: open and shared-key.
802.1x Authentication To address the weaknesses in WEP, several vendors (including Cisco and Microsoft) adopted the IEEE 802.1x authentication mechanism for wireless networks. The IEEE 802.1x standard was created for the purpose of providing a security framework for port-based access control that resides in the upper layers of the protocol stack. The most common method for port-based access control is to enable new authentication and key-management methods without changing current network devices. The benefits that are the end result of this work include the following: ■■ ■■
■■
■■
There is a significant decrease in hardware cost and complexity. There are more options, allowing administrators to pick and choose their security solutions. The latest and greatest security technology can be installed and should still work with the existing infrastructure. You can respond quickly to security issues as they arise.
Exam Warning 802.1x typically is covered in the access control, authentication, and auditing sections of the Security+ exam, but is relevant to wireless networks because of the fact that it is quickly becoming the standard method of securely authenticating on a wireless network. Also, do not confuse 802.1x with 802.11x.
When a client device connects to a port on an 802.1x-capable AP, the AP port determines the authenticity of the devices. Before discussing the workings of the 802.1x standard, the following terminology must be defined: ■■ ■■
■■
■■
■■
Port A port is a single point of connection to a network. Port access entity (PAE) This entity controls the algorithms and protocols that are associated with the authentication mechanisms for a port. Authenticator PAE This enforces authentication before allowing access to resources located off of that port. Supplicant PAE This tries to access the services that are allowed by the authenticator. Authentication server This is used to verify the supplicant PAE. It decides whether or not the supplicant is authorized to access the authenticator.
Wireless Security Standards 323
Figure 7.6 EAP over LAN (EAPoL) Traffic Flow
■■
■■
Extensible Authentication Protocol Over LAN (EAPoL) 802.1x defines a standard for encapsulating Extensible Authentication Protocol (EAP) messages so that they can be handled directly by a LAN MAC service. 802.1x tries to make authentication more encompassing, rather than enforcing specific mechanisms on the devices. Because of this, 802.11x uses EAP to receive authentication information. Extensible Authentication Protocol Over Wireless (EAPoW) When EAPoL messages are encapsulated over 802.11 wireless frames, they are known as EAPoW.
The 802.1x standard works in a similar manner for both EAPoL and EAPoW. As shown in Figure 7.6, the EAP supplicant (in this case, the wireless client) communicates with the AP over an “uncontrolled port.” The AP sends an EAP Request/Identity to the supplicant and a Remote Authentication Dial-In User Service (RADIUS)-AccessRequest to the RADIUS access server. The supplicant then responds with an identity packet and the RADIUS server sends a challenge based on the identity packets sent from the supplicant. The supplicant provides its credentials in the EAP-response that the AP forwards to the RADIUS server. If the response is valid and the credentials validated, the RADIUS server sends a RADIUS-Access-Accept to the AP, which then allows the supplicant to communicate over a “controlled” port. This is communicated by the AP to the supplicant in the EAP-success packet.
User Identification and Strong Authentication With the addition of the 802.1x standard, clients are identified by username, not by the MAC addresses of the devices. This design not only enhances security, but also streamlines the process of authentication, authorization, and accountability for the network. 802.1x was designed to support extended forms of authentication using password methods (such as one-time passwords, or GSS_API mechanisms like Kerberos) and nonpassword methods (such as biometrics, Internet Key Exchange [IKE], and smart cards).
324 CHAPTER 7 Wireless Networks
Mutual Authentication 802.1x and EAP provide for a mutual authentication capability. This makes the clients and the authentication servers mutually authenticating end points, and assists in the mitigation of attacks from man-in-the-middle (MITM) types of devices. Any of the following EAP methods provide for mutual authentication: ■■
■■
■■
TLS It requires that the server supply a certificate and establish that it has possession of the private key. IKE It requires that the server show possession of a preshared key or private key (this can be considered certificate authentication). GSS_API (Kerberos) It requires that the server can demonstrate knowledge of the session key.
Per-Packet Authentication EAP can support per-packet authentication and integrity protection, but it is not extended to all types of EAP messages. For example, negative ACK and notification messages cannot use per-packet authentication and integrity. Per-packet authentication and integrity protection works for the following (packet is encrypted unless otherwise noted): ■■
TLS and IKE derive session key
■■
TLS ciphersuite negotiations (not encrypted)
■■
IKE ciphersuite negotiations
■■
Kerberos tickets
■■
Success and failure messages that use a derived session key (through WEP)
Note EAP was designed to support extended authentication. When implementing EAP, dictionary attacks can be avoided by using nonpassword-based schemes such as biometrics, certificates, smart cards, and token cards. Using a password-based scheme should require the use of some form of mutual authentication so that the authentication process is protected against dictionary attacks.
Test Day Tip It is helpful to write out a table showing the various authentication methods used in 802.11 networks (for example, open authentication, shared-key authentication, and 802.1x authentication) with the various properties each of these authentication methods require. This will help keep them straight in your mind when taking the test.
Rogue APs 325
Rogue APs Another clever attack can be accomplished using rogue APs. If an attacker can put together an AP with enough strength, end users may not be able to tell which AP is the authorized one that they should be using. In fact, most will not even know that another is available. Using this technique, an attacker is able to receive authentication requests and information from the end workstation regarding the secret key and where they are attempting to connect. Rogue APs can also be used to attempt to break into more tightly configured wireless APs. Utilizing tools such as AirSnort and WEPCrack requires a large amount of data to be able to decrypt the secret key. A hacker sitting in a car in front of a house or office is noticeable, and thus will generally not have enough time to finish acquiring sufficient information needed to break the key. However, if an attacker installs a tiny, easily hidden machine in an inconspicuous location, it could be there long enough to break the key and possibly act as an external AP into the wireless network it has hacked. Attackers who wish to spoof more than their MAC addresses have several tools available. Most of the tools available are for use in a UNIX environment and can be found through a simple search for “ARP Spoof” at http://packetstormsecurity.com. With these tools, hackers can easily trick all machines on a wireless network into thinking that the hacker’s machine is another valid machine. Through simple sniffing on the network, an attacker can determine which machines are in high use by the workstations on the network. If the attacker then spoofs the address of one of these machines, they might be able to intercept much of the legitimate traffic on the network. AirSnort and WEPCrack are freely available. Although it would take additional resources to build a rogue AP, these tools run from any Linux machine. Once an attacker has identified a network for attack and spoofed their MAC address to become a valid member of the network, they can gain further information that is not available through simple sniffing. If the network being attacked is using Secure Shell (SSH) to access the hosts, stealing a password might be easier than attempting to break into the host using an available exploit. By Address Resolution Protocol (ARP) spoofing the connection with the AP to be that of the host from which the attacker wants to steal the passwords, an attacker can cause all wireless users who are attempting to SSH into the host to connect to the rogue machine instead. When these users attempt to sign in with their passwords, the attacker is able to, first, receive their passwords, and second, pass on the connection to the real end destination. If an attacker does not perform the second step, it increases the likelihood that the attack will be noticed, because users will begin to complain that they are unable to connect to the host.
Damage and Defense Bad Karma Rogue APs are only one of the threats a security professional must deal with. A new and more advanced attack is known as Karma. Karma further demonstrates the danger of
326 CHAPTER 7 Wireless Networks
ireless computing. Karma exploits a common vulnerability in Windows. When a Windows w system wakes up from standby it probes the network for preferred/trusted networks to which it can connect. Karma doesn’t send out beacons like a regular AP advertising its presence. Karma simply passively monitors the airwaves listening for wireless client probes that are looking for a particular AP and it responds when it detects a probe. When Karma responds to the client, it spoofs the request and pretends to be the sought-after AP. Karma simply mimics a host AP and lures unsuspecting Wi-Fi users into connecting.
Data Emanation Wireless systems are more vulnerable to attacks than wired systems. Data emanation is one such vulnerability. Emanation is simply something that is emitted or radiated. Data emanation is a problem not only with 802.11 wireless networks but also with all types of wired and wireless equipment. Almost all activities dealing with computers or across a network involve data emanation. Consider the Cathode Ray Tube (CRT), a wireless keyboard, a Bluetooth headset, and a cordless mouse. Each of these devices is at risk for some type of data emanation. Research on this problem began back in the 1950s under the TEMPEST project. This project was designed to look at hardening devices to prevent emanations from items such as keyboards and CRTs. These early studies focused on ways to prevent interception of signals from systems that could be transmitting or holding sensitive information. One early technique was the Faraday cage. A Faraday cage is an enclosure made out of a specific type of copper wire, which can be fashioned into an enclosure to block radio waves. When a Faraday cage is used, no electromagnetic radiation can enter or leave the item or equipment enclosed. Other techniques used to prevent data emanation include jamming or noise generators, and control zones. Jamming is nothing more than the deliberate radiation of electromagnetic energy to disrupt the enemy’s ability to intercept or send radio signals. Noise generators transmit broadcasting their own interference. Finally, there are control zones. A control zone is designed to block radio signals; as such it is really nothing more than a rather large Faraday cage used to block electromagnetic radiation. As an example, you may have secure equipment in one area of the building but have this area enclosed with a Faraday cage, and for added protection, place several noise generators outside the control zone. To guard against these attacks the security professional must understand that eavesdropping and data decode is a complicated attack that requires specialized equipment and a large amount of effort. While the government was actively involved in shielding against such attacks, others were looking for ways to launch emanation attacks. One example of this is Van Eck phreaking. This attack uses special equipment to pick up signals from computer devices by monitoring and decoding emanations.
Summary of Exam Objectives 327
Bluetooth Bluetooth uses the same 2.4 GHz frequency that the IEEE 802.11b wireless networks use, but, unlike those networks, Bluetooth can select from up to 79 different frequencies within a radio band. Bluetooth is a short range protocol that includes three classes, namely, 1 m, 10 m, and 100 m. Unlike 802.11b networks where the wireless client can only be associated with one network at a time, Bluetooth networks allow clients to be connected to seven networks at the same time. However, one of the main reasons that Bluetooth never succeeded like the 802.11b standard did is because of its low-bandwidth capabilities and a lack of range. Bluetooth, by its very design, is not intended for the long ranges or high data throughput rates that 802.11 wireless networks have. This is largely due to the fact that the hop rate of Bluetooth devices is about 1600 hops per second with an average of a 625-µs dwell time, thus producing exceptionally more management overhead than 802.11. Although this exceptionally high hop rate does tend to make Bluetooth resistant to narrow band interference, it has the undesirable side effect of causing disruption of other 2.4-GHz-based network technologies, such as 802.11b and 802.11g. This high hop rate causes all-band interference on these 802.11 networks and can, in some cases, completely prevent an 802.11 wireless network from functioning. Bluetooth has been shown to be vulnerable to attack. One exploit is Bluejacking. Although not a true attack, Bluejacking allows an individual to send unsolicited messages over Bluetooth to other Bluetooth devices. Bluejacking occurs when the attacker sends a virtual business card (vCard) to a target device over the Object Exchange (OBEX) protocol. A bluejack attack can include the sending of text, images, or sounds. Another attack is known as Bluesnarfing. Bluesnarfing is the theft of data, calendar information, or phone book entries. This means that no one within range should be able to make a connection to your Bluetooth device and download any information they want without your knowledge or permission. Finally there is Bluebugging, which uses the Bluetooth protocol to establish a serial connection to the device. This allows access to full control over the phone. Such an attack could allow the attacker to place calls to any number without the phone owner’s knowledge. There are many tools for the attacker to use to launch various types of Bluetooth attacks. Tools like Carwhisper, http://trifinite.org/ trifinite_stuff_carwhisperer.html, is one such example. This tool allows an attacker to send or receive audio from a Bluetooth-enabled automobile.
Summary of Exam Objectives Wireless LANs are attractive to many companies and home users because of the increased productivity that results from the convenience and flexibility of being able to connect to the network without using wires. WLANs are especially attractive as they can reduce the cost of having to install cabling to support users on the network.
328 CHAPTER 7 Wireless Networks
For these and other reasons, WLANs have become very popular in the past few years. However, WLAN technology has often been implemented poorly and without due consideration being given to the security of the network. For the most part, these poor implementations result from a lack of understanding of the nature of wireless networks and the measures that can be taken to secure them. WLANs are inherently insecure because of their very nature: they radiate radio signals containing network traffic that can be viewed and potentially compromised by anyone within the range of the signal. With the proper antennas, the range of WLANs is much greater than is commonly assumed. Many administrators wrongly believe that their networks are secure because the interference created by walls and other physical obstructions combined with the relative low power of wireless devices will contain the wireless signal sufficiently. Often, this is not the case. There are different types of wireless networks that can be potentially deployed including HomeRF, Bluetooth, 802.11b, and 802.11a. The most common type of WLAN used today is based on the IEEE 802.11g standard. The 802.11b standard defines the operation of WLANs in the 2.4 to 2.4835 GHz unlicensed ISM band. 802.11b devices use DSSS to achieve transmission rates of up to 11 Mbps. All 802.11b devices are half-duplex devices, which means that a device cannot send and receive at the same time. In this, they are like hubs and therefore require mechanisms for contending with collisions when multiple stations are transmitting at the same time. To contend with collisions, wireless networks use CSMA/CA. The 802.11a and 802.11g standards define the operation of wireless networks with higher transmission rates. The 802.11a devices are not compatible with 802.11b, because they use frequencies in the 5-GHz band. Furthermore, unlike 802.11b networks, they do not use DSSS. 802.11g uses the same ISM frequencies as 802.11b and is backward-compatible with 802.11b devices. The 802.11 standard defines the 40-bit WEP protocol as an optional component to protect wireless networks from eavesdropping. WEP is implemented in the MAC sublayer of the data link layer (layer 2) of the OSI model. WEP is insecure for a number of reasons. The first is that, because it encrypts well-known and deterministic IP traffic in layer 3, it is vulnerable to plaintext attacks. That is, it is relatively easy for an attacker to figure out what the plaintext traffic is (for example, a DHCP exchange) and compare that with the ciphertext, providing a powerful clue for cracking the encryption. Another problem with WEP is that it uses a relatively short (24-bit) IV to encrypt the traffic. Because each transmitted frame requires a new IV, it is possible to exhaust the entire IV key space in a few hours on a busy network, resulting in the reuse of IVs. This is known as IV collisions. IV collisions can also be used to crack the encryption. Furthermore, IVs are sent in the clear with each frame, introducing another vulnerability. The final stake in the heart of WEP is the fact that it uses RC4 as the encryption algorithm. The RC4 algorithm is well known, and recently it was discovered that it uses a number of weak keys. AirSnort and WEPCrack are two well-known open-source tools that exploit the weak key vulnerability of WEP.
Exam Objectives Fast Track 329
Although WEP is insecure, it does potentially provide a good barrier, and its use will slow down determined and knowledgeable attackers. WEP should always be implemented. The security of WEP is also dependent on how it is implemented. Because the IV key space can be exhausted in a relatively short amount of time, static WEP keys should be changed on a frequent basis. The best defense for a wireless network involves the use of multiple security mechanisms to provide multiple barriers that will slow down attackers, making it easier to detect and respond to attacks. This strategy is known as defense-in-depth. Securing a wireless network should begin with changing the default configurations of the wireless network devices. These configurations include the default administrative password and the default SSID on the AP. The SSID is a kind of network name, analogous to a Simple Network Management Protocol (SNMP) community name or a VLAN ID. For wireless clients to authenticate and associate with an AP, they must use the same SSID as the one in use on the AP. It should be changed to a unique value that does not contain any information that could potentially be used to identify the company or the kind of traffic on the network. By default, SSIDs are broadcast in response to beacon probes and can be easily discovered by site survey tools such as NetStumbler and Windows XP. It is possible to turn off SSID on some APs. Disabling SSID broadcasts creates a “closed network.” If possible, SSID broadcasts should be disabled, although this will interfere with the capability of Windows XP to automatically discover wireless networks and associate with them. However, even if SSID broadcasts are turned off, it is still possible to sniff the network traffic and see the SSID in the frames. Wireless clients can connect to APs using either open system or shared-key authentication. While shared-key authentication provides protection against some denial of service (DoS) attacks, it creates a significant vulnerability for the WEP keys in use on the network and, therefore, should not be used.
Exam Objectives Fast Track Wireless Network Design ■■
■■
■■
The most predominant wireless technologies consist of WAP and IEEE 802.11 WLAN. WEP is the security method used in IEEE 802.11. WLANs and WTLS provide security in WAP networks. WEP provides for two key sizes: 40 bit and 104 bit. These keys are concatenated to a 24-bit IV to provide either a 64-bit or 128-bit key for encryption.
■■
WEP uses the RC4 stream algorithm to encrypt its data.
■■
802.11 networks use two types of authentication: open system and shared-key.
■■
To protect against some rudimentary attacks that insert known text into the stream to attempt to reveal the key stream, WEP incorporates a checksum in each frame. Any frame not found to be valid through the checksum is discarded.
330 CHAPTER 7 Wireless Networks
■■ ■■
■■
■■
■■
■■
■■
■■
Used on its own, WEP does not provide adequate WLAN security. WEP must be implemented on every client as well as on every AP to be effective. WEP keys are user definable and unlimited. They do not have to be predefined and they can and should be changed often. Wireless communication relies on radio frequencies that are susceptible to electromagnetic interferences (EMI) and radio frequency interferences (RFI). Spread Spectrum technologies reduce the effects of EMI and RFI. An ad hoc wireless network is created when two or more wireless devices are connected. In an ad hoc network there is no AP. FHSS is used in Bluetooth and Home RF wireless networks. It transmits RF signals by using rapid frequency switching. It has a frequency range of 2.4 GHz and has limited transmission speeds from 1.6 to 10 Mbps. DSSS uses a wide band of frequency. DSSS is faster and more secure than FHSS. It uses a frequency range from 2.4 to 2.4835 GHz and is used in most 802.11b networks. In a wireless network, the AP is known as the authenticator and the client is known as the supplicant.
Service Set ID Broadcast ■■ ■■
■■
There are two types of 802.11 network modes: ad hoc and infrastructure. Ad hoc 802.11 networks are peer-to-peer in design and can be implemented by two clients with wireless network cards. The infrastructure mode of 802.11 uses APs to provide wireless connectivity to a wired network beyond the AP.
Wireless Security Standards ■■
■■
■■
WEP is considered weak encryption and is no longer considered acceptable for use in any situation. Stronger versions have since been released, which include WPA and WPA2 (802.11i). One big change between WEP and WPA was the advancement of TKIP. TKIP increases the IV from 24 bits to 48 bits. WPA was designed to also use a different secret key for each packet and also featured MIC that was designed to detect invalid packets. The WAP is an open specification designed to enable mobile wireless users to easily access and interact with information and services.
Exam Objectives Frequently Asked Questions 331
Rogue APs ■■
■■
■■
A rogue access point is nothing more than a wireless AP that has been installed on a corporate network without the permission of the company. Rogue access points may have been installed as an accident or on purpose. In such situations the real threat is that an attack now has a link from outside the company to its internal network. Rogue access points can also be set up to allow for man-in-the-middle attacks.
Data Emanation ■■
■■
■■
Data emanation deals with the leakage of electronic signals. Every CRT, wireless keyboard, mouse, Bluetooth headset, and so forth, emit wireless signals. Early work on emanation was done by the U.S. government under the TEMPEST program. Techniques to protect against emanation include shielding, white noise, and control zones.
Bluetooth ■■ ■■
■■
■■
■■
Bluetooth is a short range communication technology. Bluetooth is widely used by cell phone manufacturers to allow communication between phones and headsets and receivers built into automobiles. Bluetooth can also be used to communicate with other devices such as printers and used to share data. Bluetooth is subject to two primary types of attacks: Bluejacking and Bluesnarfing. Bluejacking allows an attacker to send unsolicited messages to the victim, whereas Bluesnarfing allows the attacker to steal information from the victim’s phone. Bluebugging allows the attacker to take control of a victim’s phone, which, in turn could be used to make calls from the user’s phone.
Exam Objectives Frequently Asked Questions Q: How can I protect my wireless network from eavesdropping by unauthorized individuals? A: Because wireless devices are half-duplex devices, you cannot wholly prevent your wireless traffic from being listened to by unauthorized individuals. The only defense against eavesdropping is to encrypt layer 2 and higher traffic whenever possible.
332 CHAPTER 7 Wireless Networks
Q: Are wireless networks secure? A: By their very nature and by definition, wireless networks are not secure. They can, however, be made relatively safe from the point of view of security through administrative effort to encrypt traffic, to implement restrictive methods for authenticating and associating with wireless networks, and so on. Q: Why should I do frequent site surveys? A: A site survey will reveal the presence of unauthorized APs. Some of these APs could be placed to facilitate a MITM attack or to gain access to the physical network from a safe location. However, the unauthorized APs could have been purchased and implemented by departmental staff without your knowledge but with no malicious intent. Wireless networks are relatively inexpensive and easy to set up. It is natural for people to desire to implement technology they think will make their lives easier without waiting for knowledgeable staff in the IT department to implement it for them. Even if your company does not have a wireless network, it may be a good idea to conduct wireless site surveys to protect your wired network if you suspect there is a likelihood of employees installing their own APs to increase their productivity. Q: My AP does not support the disabling of SSID broadcasts. Should I purchase a new one? A: Disabling SSID broadcasts adds only one barrier for the potential hacker. Wireless networks can still be made relatively safe even if the AP does respond with its SSID to a beacon probe. Disabling SSID broadcasts is a desirable feature. However, before you go out and purchase new hardware, check to see if you can update the firmware of your AP.The AP vendor may have released a more recent firmware version that supports the disabling of SSID broadcasts. If your AP does not support firmware updates, consider replacing it with one that does. Q: Why is WEP insecure? A: WEP is insecure for a number of reasons. The first is that 24-bit IV is too short. Because a new IV is generated for each frame and not for each session, the entire IV key space can be exhausted on a busy network in a matter of hours, resulting in the reuse of IVs. Second, the RC4 algorithm used by WEP has been shown to use a number of weak keys that can be exploited to crack the encryption. Third, because WEP is implemented at layer 2, it encrypts TCP/IP traffic, which contains a high percentage of well-known and predictable information, making it vulnerable to plaintext attacks. Q: How can I prevent unauthorized users from authenticating and associating with my AP? A: There are a number of ways to accomplish this. You can configure your AP as a closed system by disabling SSID broadcasts and choosing a hard-to-guess
Self Test 333
SSID. You can configure MAC filtering to allow only those clients that use valid MAC addresses access to the AP. You can enable WEP and shared-key authentication. However, all of these methods do not provide acceptable levels of assurance for corporate networks that have more restrictive security requirements than are usually found in small office/home office environments. For corporate environments that require a higher degree of assurance, you should configure 802.1x authentication.
Self Test
1. WEP uses which of the following encryption standards? A. AES C. RC4 B. ECC D. DES
2. The medium for communications in a wireless system is A. Cabling C. Antenna B. Access point D. EM field
3. The area over which the radio waves propagate from an electromagnetic source is known as the A. Control zone C. Footprint B. Fresnel zone D. Wavelength
4. Wireless devices that are communicating directly to each other without an AP are said to be operating in what mode? A. Peer-to-client mode C. Independent mode B. Ad hoc mode D. Infrastructure
5. Which of the following is not a valid class for Bluetooth? A. Class 0 C. Class 2 B. Class 1 D. Class 3
6. Why is a site survey performed? A. Distribute wireless WEP/WPA/WPA2 keys B. Find and remove unwanted access locations C. Plan the design and topology of a wired network D. Record current wireless signal strength and suggest improvements
7. Tools like NetStumbler are primarily used for A. Wireless intrusion detection B. Site surveys C. Sniffing and decoding emanations from a CRT D. Attacking wireless systems
334 CHAPTER 7 Wireless Networks
8. TEMPEST is best defined as A. A method used to attack wired networks B. A means to attack wireless networks C. A passive sniffing tool D. A tool used to set up a rogue AP
9. Sending unsolicited messages over Bluetooth is defined as A. Bluecrashing C. Karma B. Bluejacking D. Bluesnarfing
10. Which type of attack is best defined by the unauthorized access of information from a wireless device through a Bluetooth device? A. Bluecrashing C. Karma B. Bluejacking D. Bluesnarfing 11. Which of the following is the most effective approach against detecting rogue APs? A. Enforce the use of static addressing B. Perform yearly site surveys C. Develop a policy that prohibits the installation of unauthorized APs D. Install wireless intrusion detection systems 12. Van Eck phreaking is best defined as A. Attacks against phone systems B. A random signal with a flat power spectral density C. To eavesdrop on the contents of the monitor using its electronic emissions D. A special enclosure that acts as an EM capacitor 13. Sometimes a DoS attack can be unintentional. If your home wireless network is having intermittent problems in the afternoon and the evenings, the most likely issue is which of the following? A. The AP is malfunctioning and should be replaced B. Someone is attacking your network with a VOID 11 DoS attack C. The wireless network is not configured correctly D. Your cordless phone is using the same frequency as the wireless network and whenever someone calls or receives a call the phone jams the wireless network 14. James is worried about the security of the wireless network and as such has disabled SSID broadcasts. James has now made the statement that his wireless network cannot be hacked. How should you respond?
References 335
A. Sniffing the SSID is not possible once the SSID broadcast has been d isabled B. Once broadcast has been disabled, sniffing the SSID is only possible with specialized expensive equipment C. James is correct only if 128-bit WEP has been enabled D. Even with SSID turned off someone can still sniff the network 15. Which of the following about 802.11a is correct? A. 802.11a and 802.11b work on the same frequencies B. 802.11g uses DSSS C. 802.11a and 802.11b are incompatible D. 802.11a has a maximum speed of 11 Mbps
Self Test Quick Answer Key 1. 2. 3. 4. 5.
C D B B A
6. 7. 8. 9. 10.
D B C B D
11. 12. 13. 14. 15.
D C D D C
References 1. Fluhrer S, Mantin I, Shamir A. Weaknesses in the Key Scheduling Algorithm of RC4. Cisco Systems/Weizmann Institute; 2001 [cited 26 June 2009]. Available from: http://www.drizzle. com/~aboba/IEEE/rc4_ksaproc.pdf. 2. Stubblefield A, Ionnadis J, Rubin A. Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. ATT Labs; 2001 [cited 26 June 2009]. Available from: http://www.simovits.com/archive/ break_wep.pdf.
This page intentionally left blank
PART
Access Control
3
This page intentionally left blank
Chapter
Network Access
8
E x a m o b j e c tiv e s in this c hapt e r General Network Access..................................................................................................... 340 Access Control Methods and Models.................................................................................... 349 Access Control Organization................................................................................................ 357 Logical Access Control Methods.......................................................................................... 360 Physical Access Security Methods....................................................................................... 363
Introduction The Security+ exam identifies their third domain as access control. This encompasses quite a few areas of Information Technology (IT) security knowledge and requires that you have a very solid understanding of what access control is, what the elements of access control are, and how it all works together. To cover all this material, we will be breaking it up into two sections. The first (covered in this chapter) is network access and all the elements associated with general network access control. The next chapter will be all about authentication. While we will absolutely be touching on authentication in this chapter, the next will be a “deeper dive” into all of the types of authentication mechanisms and how they work. With that in mind, in this chapter, we’ll be going over general access control, industry best practices for access control, how access control works and is organized, and logical and physical access methods. All this will be done with an eye toward being as vendor agnostic as possible. There are some topics that are specific to one vendor or another, and where that is appropriate, it will be called out. The Access Control portion of the Security+ exam counts for 17 percent of your overall score. That marks it as the third most critical portion of the exam. This should in no way diminish the importance of understanding access control and how to implement access control best practices. After all, if there is no access control, there is no point to network security.
339
340 CHAPTER 8 Network Access
General Network Access When you are working with information security, the heart and soul of security is controlling access to objects. All other security measures and techniques are pointless if the objects they are meant to protect have no access controls. The Security+ exam requires that you know and understand access control as well as all the relationships between access control and other security concepts. Gaining access to network resources is based on identifying yourself, proving that you are you, requesting access, and being granted the requested access. In this chapter, we will be covering some level of detail around authentication (with more detail in the following chapter) as well as covering the subject of access control in depth. We will also be delving into the concepts of identity versus authentication and their differences.
Access Control So what is access control? Access control encompasses the security controls, processes, or procedures whereby access to specific objects is either granted or denied based on preestablished policies or rules. Access control is made up of many different parts but at its roots it is a very simple concept. The goal of access control is to allow objects to be accessed by those authorized to access it (and limit the manner in which it is accessed) while denying access to those who are not authorized. To understand access control, you must first break it down to its individual parts. First, there are the objects that need to be accessed. We refer to these objects as Access Control Objects as they are objects which need to have access to them controlled in some manner. By object, we are referring not only to data, but also to hardware devices, data networks, and even buildings. When working with information security, almost anything can be considered an access control object. The next part of access control is Access Control Subjects. These are the users, programs, and processes which are requesting permission to access control objects. It is these access control subjects that must be identified, authenticated, and either granted or denied access to the access control objects. The final part of access control is the procedures, processes, and controls in place to verify the authenticity of the request and the identity of the access control subject, and determine the levels of access that the subject should be granted to the object. These are called Access Control Systems and interface directly with the access control objects and access control subjects. When all three parts of access control are combined, you have an overall security approach that determines what should be accessed by whom and at what level. It is upon this foundation that all information security is really based. A diagram of how all this ties together is shown in Figure 8.1. Access control can be implemented in many different ways, all of which have the end result of controlling access to data, systems, or hardware.
General Network Access 341
■■
■■
■■
■■
■■
Physical (that is, biometric device to secure a door) Hardware (that is, a dedicated firewall) Software (that is, built-in application security) Policy (that is, a workplace security policy) Network (that is, secure networking protocols)
In this chapter, we will be going over the parts of access control and delving into how they work together. Different access control systems will be discussed as well as how they are implemented and how they operate.
Figure 8.1 Access Control
Access Control Models Most access control systems are based on several basic access control models. These models define the operating parameters for the access control system and define the manner in which they operate. The access control model also defines the way that permissions are set on access control objects and how authorization is handled in the access control system. There are several access control models that we are going to go over in this section. These are the major models that you’ll run into in the field and are the models you are expected to understand to pass the Security+ exam. Studying these models also gives you a good understanding of the basis for access control models in general and you should be able to understand the concepts behind any proprietary access control model quickly and easily. Before we cover the individual access control models, there are some authoritative reference books on the subject of access controls that need to be mentioned. The first is the “Department of Defense Trusted Computer System Evaluation Criteria” book or the “Orange” book. It is called the Orange book based on the color of the spine in its printed form. This set of guidelines provides the necessary information necessary to classify the security rating of systems and define the degree of trust that they earn. Using Orange book guidelines, there are four primary grades (A to D) with varying levels in each grade designated by a number. For example, some prior versions of Microsoft Windows can earn a C2 grade with the correct patches and hardening procedures performed. Table 8.1 shows the available grades and levels as well as some examples of systems earning each level.
342 CHAPTER 8 Network Access
Table 8.1 Orange Book Levels Grade
Levels
Definition
Examples
A
A1
Verified protection
Boeing SNS, Honeywell SCOMP
B
B1, B2, B3
Mandatory access control
ACF2 or Top-Secret, Trusted IRIX
C
C1, C2
Discretionary access control
DEC VMS, Windows NT Server, Novell NetWare, Trusted Solaris
D
None
Minimal security— evaluated and failed
PalmOS, MS-DOS
There are several problems with the Orange book definitions that don’t work well with current information systems. First, the Orange book requires that the system be configured as stand alone. No network connectivity can be allowed. That really makes the system rather difficult to be practical. In addition, it can take anywhere from 1 to 2 years to certify a system. In this day of constant technology upgrades, that means that by the time a product is certified, it’s outdated. Also, any new patches, service packs, or changes to the product break the certification and require that the system get reevaluated. On top of this, applying for the certification is expensive. There is an upgrade to the Orange book available called the “Red” book. Again, this is due to the spine color of its original printed form (known as the Rainbow series). The Red book is actually two separate books that work together to extend the Orange book’s guidelines to include network systems. The two books which make up the Red book are “Trusted Network Interpretation of the TCSEC” and “Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation.” I much prefer calling them the Red book, myself. The Red book provides guidelines on how the concepts and guidelines from the Orange book can be applied to network environments. The guidelines within this book are as strict as the Orange book itself, but it is at least designed to work with networked environments. The Orange and Red books were superseded in 2005 by the Common Criteria for IT Security Evaluation, also known as the Common Criteria (CC). This is an international standard (ISO 15408) for computer security which incorporates many of the requirements included in the Orange and Red books as well as the Information Technology Security Evaluation Criteria (ITSEC) European standard and Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) from Canada. Using the CC, software and hardware can be certified at a variety of Evaluation Assurance Levels (EAL) similar to those available with the Orange and Red books. These levels range from EAL1 through EAL7. Using these criteria, Microsoft Windows Vista and Windows Server 2008 were graded as EAL1, the first level of certification. With this information in mind, let’s move on to the access control models themselves.
General Network Access 343
The formal models of access control are theoretical applications of access control methods. These do not specify specific methods of controlling access but rather specific guidelines that should be followed. They work best with static environments and are difficult to implement within dynamic systems that are constantly changing such as those in most enterprise environments. The documentation on how these models are supposed to be implemented is very limited and does not give any specific examples. However, the formal models do provide a good baseline to start from when designing access control systems. By ensuring that the guidelines within the formal model most closely related to your needs are followed, you ensure that you’ve got a strong foundation on which to build the rest of the access control system.
Clark–Wilson The Clark–Wilson formal model was written as a paper titled “A Comparison of Commercial and Military Computer Security Policies” for the IEEE Symposium on Research in Security and Privacy in 1987 and updated in 1989 by David D. Clark and David R. Wilson (http://theory.stanford.edu/~ninghui/courses/Fall03/papers/clark_ wilson.pdf). This model is similar to Biba as it addresses integrity. The Clark–Wilson model is designed to not only address access to objects, but also to ensure integrity by specifying guidelines for processes which occur using the access control object. One of the most important guidelines to come out of Clark–Wilson is that of segregation of duties or separation of duties. The principle of segregation of duty states no single person should perform a task from beginning to end but that the task should be divided among two or more people to prevent fraud by one person acting alone. This ensures the integrity of the access control object by securing the process used to create or modify the object.
Bell–La Padula David E. Bell and Len J. La Padula wrote the Bell–La Padula formal access control model in 1973 as a paper titled “Secure Computer Systems: Mathematical Foundations” for use in government and military applications (www.albany.edu/acc/ courses/ia/classics/belllapadula1.pdf). This formal model specifies that all access control objects have a minimum security level assigned to it so that access control subjects with a security level lower than the security level of the objects are unable to access the object. Does this sound familiar? The Bell–La Padula formal model is what the mandatory access control (MAC) model is based on. MAC follows the guidelines of the Bell–La Padula formal model very closely, so if you understand MAC, you understand the Bell–La Padula formal model.
Biba The Biba formal model was written as a paper titled “Integrity Considerations for Secure Computer Systems” by K.J. Biba in 1977 and is unique as it was the first formal model to address integrity. The Biba model bases its access control on levels
344 CHAPTER 8 Network Access
of integrity. The Biba policy consists of three primary rules. The first rule specifies that a subject cannot access objects that have a lower level of integrity than the access control subject has. The second rule states that access control subjects cannot modify objects that have a higher level of integrity than their current integrity levels. The last rule specifies that an access control subject may not request services from subjects that have a higher integrity level.
Authentication Models and Components Authentication is defined as a process through which specific information is proven and verified. It is through the process of authentication that any form of access information is verified to be true. In the physical world, this could be the keyway of a door lock verifying that the correct key has been inserted or that the correct fingerprint has been scanned. Authentication can occur with either the access control object or the access control subject and is controlled by the access control system. For example, when a user requests access to a file on a remote server, the access control system could require both the user and the remote server to be authenticated prior to allowing the user to access the file. When you identify yourself to an access control system, you are effectively telling it who you are. This identification can come in a variety of forms and can be as simple as typing in your name or as complex as providing DNA for scanning purposes. We’ll cover identification in a little more detail later. But just because you say you are someone doesn’t mean that you are telling the truth. The purpose of authentication is to ensure that the identity presented is accurate. Of course, the flip side of that is that the authentication process is responsible for ensuring that the person pretending to be you is found out before they are granted access to anything! Authentication is basically the transfer of some form of information that proves that you are who you say you are. This can be in many different forms, but there are three basic types under which all the different forms of authentication fall. ■■
Something you know
■■
Something you have
■■
Something you are
We will examine each of these and their advantages and disadvantages. In addition to these three primary types of authentication, there are also combinations of these types which are much more secure and difficult to crack. We will go through several of these combinations as well and discuss how they increase the overall security of the access control system.
Something You Know The “something you know” authentication type basically relies on the access control subject to memorize and know specific facts that can be used to prove who
General Network Access 345
they are. For example, this type of authentication includes passwords, personal identification numbers (PINs), facts about the subject’s life or family, code words, and so forth. All these require the subject to know a specific fact and respond with it when requested. The most popular among these as it relates to IT security is a password. In a good access control system, passwords are required to gain access to any access control object. The advantage to passwords is that they are very common and easy to use. There are several different types of passwords and these are shown in Table 8.2. For a password to be easy to remember, it must be something that the user can relate to and understand. Any combination of symbols, letters, and numbers will work for a password, but the more secure the password is in this manner, the easier it is for the user to forget. This leads to the problem where the user writes down his or her passwords. Going through a typical office building, more than 20 percent of the users will typically have their passwords written down somewhere in the vicinity of their computers. This is a major security problem and one that is battled at almost every office building in the world. Based on this, the users typically choose their own password rather than having one randomly generated, and they generally make it a password that is easy for them to remember. Most users will use their birthdays, names, or favorite pet’s name, and so forth for their password as that makes it easy for them to remember. Unfortunately, this also makes their passwords fairly easy to guess. A major disadvantage of password authentication comes into play after an intruder obtains the password in some manner. This type of authentication can be repudiated meaning that there is no proof that it is actually the password owner who is using the password. Using combinations of authentication types, which we will go over later in this section, typically solves this problem. Because passwords are still something that must be used in current access control systems, there are several best practices that will help make the passwords as secure as possible. First, use words that are easy to remember (so it is not tempting to write them down) but are difficult to guess. In addition, replacing letters in the words with
Table 8.2 Password Types Password Type
Definition
Cognitive
Cognitive data that the user knows such as mother’s maiden name or favorite color
Dynamic
Passwords that change upon each consecutive login
One Time
Passwords that are only valid for a single use and are thereafter useless
Passphrase
A password based on a group of words or phrase
Static
A “normal” password which is only changed on request and remains the same otherwise
346 CHAPTER 8 Network Access
numbers or symbols will help by adding another layer of difficulty when trying to crack the password. Ensure that none of the following are used in the password: ■■
Names
■■
Important dates
■■
Phone numbers
■■
Words (in any language) which could be found in a dictionary
■■
Simple words such as “password” or “computer”
By following these recommendations, you will be able to create strong passwords that are difficult to crack and impossible to guess.
Something You Have The “something you have” authentication type relies on some form of authentication that the access control subject physically has. This could be anything from a driver’s license to authenticate them as a valid driver of vehicles to an ATM card used to authenticate them to their bank. Several other examples of this type of authentication are as follows: ■■
Smart cards
■■
Proximity cards
■■
Identification tokens
■■
Keys
■■
Identification badges
■■
Passports
■■
Transponders
All these are forms of identification that an access control subject would have to physically have available to be authenticated. They are also known as “physical tokens” because they represent a physical form of data which can be used for access control. If the access control subject doesn’t have the physical form of identification or token, they simply are not authenticated. The security offered by this type of authentication has the disadvantage of being repudiated, similar to the “something you know” type of authentication. However, it does offer a few advantages. First of all, no one can guess or crack a physical form of identification. Second, since there is nothing to memorize, there is nothing for the user to write down and breach the security in this manner. The disadvantage of this type of authentication is that the physical form of identification can be stolen. Because it can be repudiated, no one can prove that the person using it is actually the person who is authorized to do so. Also, some physical forms of authentication can be copied or cloned which can result with more than
General Network Access 347
one person having a copy. Most secure physical forms of identification have controls in place which make them difficult to copy or clone, but with enough perseverance, it can be done.
Something You Are The “something you are” authentication type is a relatively new type of authentication coming into the IT world. Although it has been around for several years, it is only now that this type of authentication is becoming affordable enough to be commonly implemented. This authentication type is known as biometrics and is based on the science of identifying people based on their physical characteristics. The science of biometrics is based on the concept that while many people share common traits, there are certain traits that are unique to almost every individual on the planet. It is by detecting and measuring these traits that biometric authentication works. Some of these measurable traits that are commonly used for authentication are as follows: ■■
Fingerprints
■■
Signatures
■■
Eye characteristics
■■
Facial characteristics
■■
Voiceprints
■■
DNA
All these traits are detectable, measurable, and generally unique to every individual. A biometric system is designed to scan for one or more of these traits and compare the measure of the trait being scanned against a database of prescanned measurements. By doing so, the biometric system is able to authenticate the access control subject if they are in the database of allowed subjects. This system has many advantages over the other authentication types. No one can guess or crack a password, as there isn’t one. There is nothing that can be stolen or copied aside from actual body parts of the person being scanned. It is very difficult to duplicate any of the measured characteristics being used by the biometric system. Biometric authentication does have some very serious disadvantages as well. The cost of biometrics is going down, but it is still the most expensive authentication type in use. The hardware and software necessary to provide accurate authentication is very expensive and difficult to maintain. In addition, as the biometric authentication is still relatively new to the field of information security, there are many learning curve problems to overcome with both the manufacturers and the administrators. An excellent example of this is the identification and response to false positives and false negatives. These are situations in which either the biometric scanner authenticates someone that should not have been or does not authenticate someone who
348 CHAPTER 8 Network Access
should have been. Most administrators want to have a 0 percent false positive rate and the users want to have a 0 percent false negative rate. With most biometric hardware and software, this is an impossible goal so a middle ground must be met. This can be very difficult to do. One of the greatest disadvantages to the biometric authentication type is that of privacy. Most people do not want to have information as private as their DNA sitting out in a computer database just so they can gain access to something. This is an understandable concern. In addition, with the facial characteristics recognition aspect of biometric authentication, there comes into play the possibility of your every movement or action being tracked remotely by camera. Many people consider this a paranoid point of view, but it is a valid privacy concern that many individuals have. These concerns must be addressed within any authentication type that is implemented. A good authentication type is completely useless if the end users refuse to make use of it.
Notes from the Field The Dawn of Biometrics We’re working in a very exciting time in the realm of information security. Biometric technology has been around for many years, but only now is it becoming reliable and affordable enough to be implemented as a common authentication method. Every few months, a new device comes out on the market using this technology to improve security. With this advanced technology in hand, we can do a great deal to increase system security while making obtaining access easier for our users. The day is coming where a user will simply sit down at their desk and be identified by their smell and behavior through biometric devices. If the companies creating these devices can alleviate the privacy concerns that many people have about biometrics, there is no end to the uses of biometric technology.
Authentication Type Combinations These three basic types cover the main types of authentication. In addition, the three types of authentication can be combined to provide even greater security. These combinations are called factors of authentication. A two-factor authentication method would make use of two of the three types of authentication. Threefactor authentication uses all three types of authentication and is considered the strongest form of authentication. Some examples of authentication type combinations are requiring that a PIN be entered in combination with a 6-digit code displayed on an authentication token or requiring a password, smart card, and fingerprint scan to enter a secure area. These combinations provide more security than any of the three authentication types can provide by themselves. By using these combinations, you can increase the security of an access control system and lower the risk caused by the disadvantages of the individual access control types.
Access Control Methods and Models 349
Identity There is a lot of confusion about the role identification plays in access control and how it differs from authentication. The Security+ exam requires that you understand identification and authentication as well as the differences between them. Identification is basically the concept of saying that you are a specific access control subject. This process can be as simple as saying, “Hi, I’m Peaches Perry” or as complex as presenting a sample of your DNA for a biometric scan. Note that identification is just the act of presenting yourself as the access control subject, nothing more. It does not involve proving that you are who you say you are. That is where we get into authentication. So the difference between identification and authentication is just proof. With identification, you are identifying yourself as a specific access control subject whereas with authentication, you take the next step and prove that you are the access control subject that you say you are. Both play an integral part in access control and you can’t have one without the other. However, they are two distinct terms that are not synonymous and the Security+ exam expects you to know that.
Access Control Methods and Models We have already covered some of the formal models used with access control, but there are concepts and derivatives of those formal models that require more in-depth analysis. In this section, we will be going over some of the key concepts associated with access control methods and models. Some of these directly relate to the formal models, so expect some repetition; however, the concepts themselves stand alone and can be implemented without implementing a full formal model.
Implicit Deny The concept of implicit deny or deny by default is very common in the security industry. This concept basically says that if something is not explicitly allowed, it is denied. Most access control lists (ACLs) use this as the last processed rule to ensure that any access requests that fall outside the defined criteria are not allowed. In some cases, you have to manually add an implicit deny to the end of your access control list (ACL) in the event that this is not done automatically. When specifying an implicit deny ACL, it may also be a good idea to log the incoming request. This will allow for future analysis to determine if additional ACL entries need to be defined to handle common requests which keep triggering the implicit deny rule. This log data can also be used as part of an intrusion detection/prevention system to find trends in the logged behavior to identify scans or intrusion attempts.
Separation of Duties The first concept that we’ll go over is that of separation (or segregation) of duties. This is a very important security concept especially as it relates to fraud. We talked
350 CHAPTER 8 Network Access
about this a little in the section covering the Clark–Wilson formal model. Separation of duties is the concept that no one person should handle a transaction from beginning to end. Instead, some parts of a transaction should be executed by one person, whereas other parts of the transaction should be executed by someone else entirely. Let’s go over an example to illustrate why this is so important. Imagine an organizational structure at a small business such as a convenience store. Typically there will be a clerk who handles the day-to-day transactions at the register. There will also be a manager of some type who has different responsibilities. Some of the duties the clerk may be responsible for are stocking the shelves, selling products, and cleaning the store. The manager may be responsible for depositing the daily till into the bank, ordering products, and paying the clerk. With this separation of duties, each employee is responsible for specific tasks. Now what if it were arranged differently? What if the clerk were responsible for all aspects of the purchasing transaction from beginning to end? They would order the products, stock them, sell them, and then deposit the money in the bank. That still isn’t a problem if the clerk is honest. However, if they’re not, there is no longer any protection against them stealing money, products, or both. The same argument could be made about the manager. Separation of duties allows for a basic level of fraud prevention by providing some checks and balances organizationally. The same principle applies in many areas and is actually one of the basic tenets of the antitrust lawsuits, which are common for large organizations. When one entity controls too many portions of a transaction, there is increased risk that the transaction can be manipulated in the favor of the entity that has control over it. Separation of duties can help prevent this by establishing lines of segregation between elements of the transaction.
Least Privilege The principle of least privilege is very simple, but incredibly important. The concept here is to provide the lowest amount of access to an access control object necessary for the access control subject to perform their task. For example, if a developer needed to see log data on a system to troubleshoot a problem, you would grant them read-only access to the specific log files they need to see. You would not grant write access as this could allow them to remove log entries when they shouldn’t or overwrite the log file to hide the problem. You would also not grant access to files other than the log files as the other files may store data that the developer should not see. This has the unfortunate side effect of causing the access control subject to have to go through the steps of requesting access to what they need every time their roles, or the tasks that they need to perform change. This is made more difficult by the fact that a typical end user may not know what they need access to in order to do their job. For example, they may request access to a specific file but not the directory containing other files that the first file is linked to.
Access Control Methods and Models 351
This also applies to access across systems. For example, if you have a network printer set up and do not restrict access to the print resource, you can run into issues where large print jobs are mistakenly sent to the incorrect printer causing the actual users of that resource to be unable to use it. This basically means that by leaving access to the print resource unrestricted you have enabled a simple type of denial of service attack to be performed. Consequently, there is often a balance struck here where the access control subject is granted access to the access control objects that they need now or may need in the foreseeable future. In general, you should always attempt to maintain the principle of least privilege by granting the access control subject the most appropriate access to the access control object possible.
Job Rotation Job rotation is the concept of personnel changing job roles at a scheduled time into a different role. There are several reasons behind this such as increasing education across the personnel, allowing for people to experience different parts of a company and how it functions, increased job satisfaction through change, and scheduled changes due to changes in leadership (terms in public offices). All these reasons lead to changing the job role for personnel and raise new security concerns because of it. Going back to separation of duties, it might initially seem that job rotation violates this principle since personnel could be in roles which would allow them to perform a transaction end-to-end. What prevents this from being a concern is that each role in job rotation would only be held by a single individual at one time, not multiple roles at the same time. This adds more overhead from the access control perspective as the access control system must be able to handle shifts in job roles as well as ensuring that access permissions are changed rather than added to. An example for this would be where a loan agent is scheduled to change roles as part of the company’s job rotation policy and take a position doing underwriting. When the agent prepares to change roles, they will probably put in an access request to be granted access to the files, systems, and privileges used by the underwriting group. If the person controlling the user’s access is not watchful, it could be possible that the additional underwriting access would be added to the user’s account without removing the loan agent access. This would inadvertently give the user permissions to both initiate a loan and approve it which would violate the principle of separation of duties. It is important for you to be aware of job rotation and what its impacts to access control are. Be cognizant of how job rotation could lead to difficulties in ensuring that other security principles are adhered to. The Security+ exam expects you to understand these concepts and how they apply to access control.
MAC MAC is based on sensitivity levels rather than ACLs on objects and is frequently used by government systems. In MAC, the security administrator gives every access
352 CHAPTER 8 Network Access
control object and access control subject a sensitivity level and the object owner or system user cannot change this sensitivity level. Based on the sensitivity levels of the access control objects, the access control system decides how all data will be shared and the data are restricted to the access control subjects with the required matching sensitivity label. For example, if an object has a sensitivity label of topsecret, an access control subject with a label of secret will be unable to access the object. The following example illustrates the level of control possible. When using MAC, if a file has a certain level of sensitivity (or context) set, the system will not allow certain users, programs, or administrators to perform operations on that file. Think of setting the file’s sensitivity higher than that of an e-mail program. You can read, write, and copy the file as desired, but without an access level of root, superuser, or administrator, you cannot e-mail the file to another system, because the e-mail program lacks clearance to manipulate the file’s level of access control. For example, this level of control is useful in the prevention of Trojan horse attacks, since you can set the access levels appropriately to each system process, thus severely limiting the ability of the Trojan horse to operate. The Trojan horse would have to have intimate knowledge of each of the levels of access defined on the system to compromise it or make the Trojan horse viable within it. MAC is considered to be a more secure access control model than discretionary access control (DAC) as every subject and object must have a label assigned to it. This model ensures that if a subject is not authorized to access data with a specific sensitivity label, they will not be able to access it. This works well in a strictly defined hierarchy such as the military where subjects are simply not authorized to access any information that is above their level in the hierarchy. Access control systems using MAC are able to gain an Orange Book B-level rating if the access control system meets all the criteria specified in the Orange book. Access control systems using DAC are unable to attain this level due to the additional security requirements which MAC fills. The major disadvantage to MAC is that it is extremely difficult to implement. There is a great deal of administration involved, as every object must be assigned a sensitivity level by the administrator when it is created. It is also very difficult to program applications to work with MAC due to the way objects are created and used. For example, the guidelines for MAC require that any data or information with a sensitivity level higher than the object that the data are going to be placed in should be restricted from completing the operation. This logic is very difficult to work with when designing applications. In addition, whenever output is generated from the data in an object, the output media itself (print job, diskette, CD, and so forth) must be labeled with the same sensitivity level. This makes MAC very difficult to work with which is the primary reason that it is not implemented in most corporate environments. The total cost of ownership for MAC is not justified for most business purposes. To review briefly, MAC is ■■
Nondiscretionary The control settings are hard-coded and not modifiable by the user or owner
Access Control Methods and Models 353
■■
Multilevel Control of access privileges is definable at multiple access levels
■■
Label-based May be used to control access to objects in a database
■■
Universally Applied Applied to all objects
DAC The DAC model is the most common access control model in use. This model bases security on the identity of the access control subject. Every access control subject has specific permissions applied to it and based on these permissions has some level of authority. This access control model is called discretionary because individual users or applications have the option of specifying access control requirements on specific access control objects that they own. In addition, the permission to change these access control requirements can also be delegated as a permission. As assigning access control permissions to the access control object is not mandatory, the access control model itself is considered discretionary. Basically, the owner of the access control object is allowed to decide how they want their data protected or shared. Any system using DAC is considered Orange Book C-level at best. DAC is not eligible for A-level or B-level. The primary use of DAC is to keep specific access control objects restricted from users who are not authorized to access them. The system administrator or end user has complete control over how these permissions are assigned and can change them at will. DAC allows for a distributed access control system to be used as the owner of the access control object has the ability to change the access control permission on objects without regard to a central authority. Also, centralized access control systems can be used with this as a single authoritative point of authorization with the permissions still being applied at the object level. The ability to use different types of access control systems with this model gives it a great deal of flexibility. As previously mentioned, this is a very common access control model. It is used in UNIX, Windows, Novell NetWare, Linux, and many other network operating systems (NOSes). These systems use an ACL to set permissions on access control objects. These ACLs are basically a list of user IDs or groups with an associated permission level. Every access control object has an ACL, even if it is left at the default after the object is created. The operating systems vary in the way the permissions are defined in the ACL, but the Security+ exam is not vendor specific and does not require you to know how each operating system uses these. However, you are required to know the basic types of permissions that are defined. These are detailed in Table 8.3 along with a definition of what they mean. Exam Warning While the Security+ exam is not vendor specific and takes a general perspective of information security, you do need to know how DAC works and that many common NOSes use DAC with ACLs as part of their access control security.
354 CHAPTER 8 Network Access
Table 8.3 ACL Permissions Permission
Definition
Read
Allows the access control subject to read the data contained in the object
Write
Allows the access control subject to write data to the object
Create
Allows the access control subject to create new objects
Execute
Allows the access control subject to execute the code within the object
Modify
Combination of Read and Write, may also include Create and Execute
Delete
Allows the access control subject to delete the object
Rename
Allows the access control subject to rename the object
List
Allows the access control subject to list the contents of a directory— only applicable to directories
No access
Explicitly denies the access control subject access to the object
It is important to understand that DAC is assigned or controlled by the owner rather than being hard-coded into the system. DAC does not allow the fine level of control available with MAC but requires less coding and administration of individual files and resources. To summarize, DAC is ■■
■■
■■
Discretionary Not hard-coded and not automatically applied by the OS/ network operating system (NOS) or application Controllable Controlled by the owner of the object (file, folder, or other types) Transferable The owner may give control away
Exercise 1 Viewing DAC Settings Almost all current NOSes allow administrators to define or set DAC settings. UNIX and Linux accomplish this either by way of a graphical user interface (GUI) or at a terminal window as the superuser creating changes to the settings using the chmod command. Windows operating systems set DAC values using Windows Explorer. For this exercise, you will view the DAC settings in Windows Vista. To start, open Windows Explorer. Navigate to the %systemroot%\System32 folder (where %systemroot% is the folder Windows Vista is installed in). Highlight this folder’s
Access Control Methods and Models 355
name and select Properties. Select the Security tab; you should see a window as shown in Figure 8.2. Notice that the creator owner account is granted full control permission for this folder. Check the access settings for other users and groups that are defined on your machine. You should notice that the system has full control but that various other access settings are in place for different types of access permissions. Within the Windows OS, this is the area that allows you to control and modify the DAC settings for your resources. Similar DAC settings are in place for all files and folders stored on New Technology File System (NTFS) partitions, as well as all objects that exist within Active Directory and all Registry keys. A similar function is available in most Figure 8.2 other OSes. As mentioned, UNIX and Viewing the DAC Settings on a Folder Linux use the chmod process to control access through DAC. NetWare also has a file access system in place that is administered by the administrator (who has “Supervisor” rights).
Role-Based Access Control (RBAC) RBAC can be described in different ways. The most familiar process is a comparison or illustration using the “groups” concept. In Windows, UNIX/Linux, and NetWare systems, the concept of groups is used to simplify the administration of access control permissions and settings. When creating the appropriate groupings, you have the ability to centralize the function of setting the access levels for various resources within the system. We have been taught that this is the way to simplify the general administration of resources within networks and local machines. However, although the concept of RBAC is similar, it is not the exact same structure. With the use of groups, a general level of access based on a user or machine object grouping is created for the convenience of the administrator. However, when the group model is used, it does not allow for the true level of access that should be defined, and the entire membership of the group gets the same access. This can lead to unnecessary access being granted to some members of the group. RBAC allows for a more granular and defined access level, without the generality that exists within the group environment. A role definition is developed and defined for each job in an organization, and access controls are based on that role. This allows for centralization of the access control function, with individuals or processes being
356 CHAPTER 8 Network Access
classified into a role that is then allowed access to the network and to defined resources. This type of access control requires more development and cost but is superior to MAC in that it is flexible and able to be redefined more easily. RBAC is easier to understand using an example. Assume that there is a user at a company whose role within the company requires access to specific shared resources on the network. Using groups, the user would be added to an existing Figure 8.3 group which has access to the resource RBAC Inheritance and access would be granted. RBAC on the other hand would have you define the role of the user and then allow that specific role access to whatever resources are required. If the user gets a promotion and changes roles, changing their security permissions is as simple as assigning them to their new role. If they leave the company and are replaced, assigning the appropriate role to the new employee grants them access to exactly what they need to do their job without trying to determine all the appropriate groups that would be necessary without RBAC. In addition, there is a hierarchy within RBAC whereby some roles can inherit permissions that are granted to another role. For an example, take a look at Figure 8.3. Based on this illustration, you can see how roles can be inherited. In this example, the Office Assistant role has access to only the patient’s contact information. The Medical Doctor role has permission to view the patient’s medical records. However, since the Medical Doctor role inherits the permissions of the Office Assistant role, the patient’s contact information is accessible as well. The Medical Specialist has been explicitly granted access to all patient information and therefore has access not only to the contact information and medical records, but also anything else in the patient’s files. In a good RBAC implementation, there is also the ability to block inheritance. There are instances where, for security reasons, you would want to limit privileges in the access control hierarchy. For example, in a banking situation, you would want to have someone in the Bank Teller role have access to balance out his or her register at the end of the day. In addition, you would want to have someone in the Floor Supervisor role to have access to verify that the teller’s balance matches the actual money shown in the final count. However, you really wouldn’t want the Floor Supervisor to be able to balance the register as well otherwise the organization would be open to fraud from a single person. This would be a violation of the principle of least privilege that we discussed earlier. You can combat this by blocking inheritance in the hierarchy. Test Day Tip The best way to think of RBAC is to look at it like an organizational chart. Every person has a specific position and job function and the access control model mimics this organizational structure.
Access Control Organization 357
With RBAC, there is less administrative work than MAC as any objects created by a subject can be accessed by other subjects with the same role in the organization. This behavior can also be overridden in most access control systems using RBAC to increase security. In summary, RBAC is ■■ ■■
■■
■■
Job Based The role is based on the functions performed by the user Highly Configurable Roles can be created and assigned as needed or as job functions change More Flexible Than MAC MAC is based on very specific information, whereas RBAC is based on a user’s role in the company, which can vary greatly More Precise Than Groups RBAC allows the application of the principle of least privilege, granting the precise level of access required to perform a function
Exam Warning Be careful! RBAC has two different definitions in the Security+ exam. The first is defined as Role-Based Access Control. A second definition of RBAC that applies to control of (and access to) network devices is defined as Rule-Based Access Control. This consists of creating ACLs for those devices and configuring the rules for access to them.
Access Control Organization When working with access control, it’s typically easiest to control access by groups of access control subjects instead of applying security on an individual level. These access control subjects would, of course, have to have some common factor which would allow them to be grouped together such as sharing a job role, working in the same department, or even being located in the same building. By applying access controls on groups of access control subjects, an administrator can make their job a little easier while still applying good security practices.
Security Groups Because a company may have hundreds or thousands of users on a network or system, it would be an administrative nightmare to maintain access control over every single account. To make management easier, groups can be used to assemble user accounts together and define access control as a batch. For example, let’s say a network administrator wanted branch office managers to have the ability to backup data on servers and workstations in their individual locations. The administrator could modify the account of every manager, or add each of these accounts to a Backup Operators group, which has the necessary permissions to backup data. By modifying the access control of one group, the access of each account that is a member of that group would also be affected.
358 CHAPTER 8 Network Access
User accounts and groups may be local to a computer or server or have the ability to connect to servers on a network. This allows administrators to control what a user or group can do on a specific machine or on the network as a whole. This is particularly useful when they want users to have different levels of access on individual machines and the network. Network OSes like Novell NetWare also have the ability to control access through roles. Roles are similar to groups, as they can be used to control the access of numerous users as a batch. If a number of users have a similar role in an organization, the administrator can associate them with a role created on the network OS. The role would have specific access to resources such as drive mappings or other privileges unique to this role. For example, department managers might have similar duties in an organization and wish to access a shared directory for storing data that all the managers would need. You could create a role and associate each of the manager’s accounts with this role. When the managers log-in, they would have the same access to the shared directory and any other privileges provided through the role. Exam Warning Remember that users should only receive the minimum amount of access to perform their jobs. If users receive more than this, they can accidentally or intentionally cause damage to systems and data. This is especially true if users are added to administrator groups, which give them complete access and control over everything.
Security Controls Security controls refer to the access control mechanisms that we put into place to mitigate security risks. There are three levels of security controls that are typically put into place: ■■
Preventative
■■
Detective
■■
Corrective
Each of these refers to the time frame around access control breaches. Preventative security controls are there to prevent a security breach. These would be the controls put into place to authenticate users or control their access to resources. Detective security controls are intended to detect when a security breach happens and get details on the breach. This can be as simple as a log showing a failed log-on attempt due to an incorrect password or as complex as a network intrusion detection system. The key factor for this security control is all about detecting a problem. The last level of security controls is corrective controls. These types of controls are put into place to fix a problem after it has occurred and has been detected. Going with the previous example, a corrective control for failed authentication attempts
Access Control Organization 359
would be to lock an account to prevent further attempts until the lock is cleared. This could also be a network intrusion prevention system where not only are issues detected, but action is taken to stop the intrusion. Implementing security controls is part of what every security professional does on a daily basis, but you need to be aware of this specific terminology for the Security+ exam. You should also be able to categorize different activities into the appropriate levels of security controls.
File Resources Despite the emphasis on group-based access permissions, a much higher level of security can be attained in all operating platforms by individually assigning access permissions. Administratively, however, it is difficult to justify the expense and time involved in tracking, creating, and verifying individual access permissions for thousands of users trying to access thousands of individual resources. RBAC is a method that can be used to accomplish the goal of achieving the status of least privileged access. It requires more design and effort to start the implementation but develops a much higher level of control than does the use of groups. Good practice indicates that the default permissions allowed in most OS environments are designed for convenience, not security. For this reason, it is important to be diligent in removing and restructuring these permissions. Applying important security concepts such as the principle of least privilege to file resources can help to prevent users from gaining access to data that they should not have as well as ensuring the integrity of the data. From the perspective of organization, some general guidelines can be used to group access to specific file resources together to aid in easier administration. Most functional areas in an organization need to share files within that functional area. Consequently, any file resources used in this shared area should be secured to provide access to those people in that area and only those people. For example, you wouldn’t want people in the human resource department to access files in the finance department. Typically, there will also be a need to share some data across the entire organization or across specific business units. The same logic applies; grant access to those groups of file resources to the people who need it and deny access to those who don’t.
Print Resources The organization of print resources is often forgotten from a security perspective. Print devices may not be considered critical to most organizations, but they are important and incorrectly applying access controls to print resources can cause problems. For example, if print resources are inadequately secured, they can be hijacked and used to obtain a great deal of information about an organization. In addition to external risks, internal problems can occur due to incorrectly secured or assigned print resources. Imagine the issues that could arise when the human resource department goes to print some salary information and the print job goes to the wrong printer.
360 CHAPTER 8 Network Access
Print resources can be organized by a few different criteria, again in the interest of making administration easier. Some of the most common methods are to organize based on physical location, functional area, or job role. Sometimes a combination of all three is used to provide for more precise access controls. Regardless of the grouping used to organize the application of security to print resources, you should be cognizant of the issues that can arise with poor security as it relates to print resources and be able to describe how to adequately secure and organize these access control objects.
Logical Access Control Methods Access control can be broken up into two primary methods, logical and physical. In this section, we will be going over logical access control methods and we’ll cover physical access control a little later. Logical access control involves applying access controls to logical entities such as data or the ability to perform a certain action on a computer. This differs from physical access control methods in that physical access control deals with limiting the ability to physically interact with an entity. Logical access control involves a lot of the concepts that we’ve already gone over as well as a few others that we’ll discuss in detail. Most IT security professionals focus a great deal of time and effort around implementing security on logical entities so that it tends to be the primary focus of most security exams including the Security+ exam.
ACLs ACLs are lists of permissions associated with access control objects. Access control subjects are listed in the ACL as well as the level of permission that the subject is granted to the object. For example, an ACL for a file named “test.txt” could have the user ID “JEREMY” listed with an access level of “read” as well as a separate entry for “CHRISTINA” with an access level of “read/write.” This would give “JEREMY” the ability to read the file, but not write to it, whereas “CHRISTINA” could perform both actions. This is all part of the DAC model as ACLs are enforced on a discretionary basis rather than being mandated by the operating system. As previously mentioned, MAC requires the definition of sensitivity levels on the access control subjects and objects to define the access level to be granted. ACLs make no use of sensitivity levels of the access control subjects and basically provide access in the exact manner defined through the rules laid out in the ACL. Another feature of ACLs is that it is possible to grant an ACL rule, which allows the access control subject to modify the ACL for the object. ACLs can typically be associated with single files, full directories, disks, ports, or any other type of access control object based on the capabilities of the access control system. There is also typically an implicit deny associated with ACLs to prevent access from being granted to access control subjects when they fall outside the defined criteria.
Logical Access Control Methods 361
Group Policies Group policies are a feature of the Microsoft Active Directory technology that allows for logical access control based on groupings of access control subjects. The access control subjects are organized by site, organizational unit (OU), or domain. After you group the access control subjects, a Group Policy Object (GPO) can be defined. A GPO controls many elements of a user’s system access, including Registry settings, auditing, software installation, and Internet Explorer settings. This GPO is created as a template that can then be applied to the groups previously defined. When a user is authenticated and granted access to a Windows workstation, the GPOs applicable to that user are pulled from the authenticating server and applied. In addition, the workstation will poll for new GPOs assigned to the user on a regular basis using a random delay between the ranges of 90 and 120 min. Any changes found between the previously applied GPOs and the new GPOs will be applied to the workstation at that time. Windows Vista further expanded the functionality available with GPOs by allowing a more granular level of control over the system Registry using ADMX files. This newer format for performing Registry-level changes increases the flexibility and power of the GPOs for user workstations.
Domain Policies Domain policies are GPOs that are defined at the domain level within Microsoft Active Directory. GPOs, once defined, can be linked to Sites, Domains, or Organizational Units (OUs). The GPOs defined at each of these levels as well as locally are always applied in the following order:
1. Local
2. Site
3. Domain
4. OU
GPOs at each level are applied with each having the ability to overwrite the previous GPO unless forced otherwise. This allows for setting specific security policies such as password expiration and required password length at the domain level overriding conflicting settings at the local level. Inheritance plays a very important role in the use of GPOs within Windows environments. While GPOs are applied in the order listed above, there are options available to make exceptions. These are the “Block Policy Inheritance” and “No Override/ Enforced” options. “Block Policy Inheritance” prevents the GPOs at higher levels (such as Domains) from being inherited by lower levels. The “No Override” option has recently been renamed to “Enforce” and prevents lower levels from overriding higher level settings.
362 CHAPTER 8 Network Access
In the order of precedence, “Enforce” wins over “Block Inheritance.” This means that if you set up a GPO at the domain level requiring a 14-character password and have the “Enforce” parameter set, it cannot be overridden at the OU level with an eight-character password requirement.
Time of Day Restrictions Another form of logical access control is use of Time of Day restrictions. This is often used in the home environment to ensure that children are unable to use a computer outside their allowed hours, but it actually began in corporate environments. Similar to the way a time-lock safe works, time of day restrictions prevent specific applications or systems from being used outside of specific hours. Some situations where this can be useful would be to restrict the size of a print job allowed to be processed during working hours or to prevent a bank teller workstation from being accessed after the bank is closed. Both these situations are valid, but from the security perspective, the second is probably more applicable. Time of day restrictions can also apply at the data level wherein you may want to ensure that a batch process can only access a file containing sensitive data after a process has run which masks elements of that data. Regardless of the reasoning, restricting access to logical entities to specific time frames can be useful to IT security personnel.
Account Expiration When you are dealing with access control, the most common task is granting access to access control objects. The second most common is removing access. This can be required due to a variety of reasons including account revocation, changes in roles, and account expiration. Often it makes sense for an account to only be valid for a specific duration. For example, an account might only be active for a contractor for the duration of their contract. Or an account allowing remote system access might only be valid during the term of a support contract. In cases such as this, it is logical to specify a specific duration of validity to access that has been granted and automatically revoke that access when the duration expires. Of course, the option is always there to extend the expiration date if needed.
Logical Tokens Logical tokens are basically strings of values that can be used in lieu of a password to gain access to access control subjects. This concept allows for systems external to the client and server to be responsible for authenticating the user and then to pass along a token indicating that the user has been authenticated to the system which then authorizes access to the access control object. This mechanism is familiar to most security professionals as it is the method used by Kerberos to authenticate users. Kerberos will be discussed in detail in the next chapter.
Physical Access Security Methods 363
Most frequently, logical tokens are used to prevent passwords from being sent directly from an access control subject to the access control system. Instead, the password is sent to a third party and a token issued in return which takes the place of a password when the access control subject then uses the access control system. When working with logical tokens, there are a few requirements that must be met in order for this mechanism to be effective. First, there must be a trusted third party who authenticates the access control subject and provides the token. This third party must be trusted by both the access control subject and the access control system responsible for the access control object(s) in question. Next, there must be a method defined by the third party for creating tokens, which allows for the access control system being issued the token to validate its authenticity. This can be done by decrypting the token using a previously shared key, revalidating the token with the third-party system, or some other similar technique. Lastly, there must be a set of policies in place that determine important things such as how long a token is valid and how it can be revoked. With these policies in place, there are rules defining the use of the tokens, and they can then be applied to improve the security of the processes associated with the logical tokens.
Physical Access Security Methods When people consider computer and network security, the focus revolves around accounts, passwords, file permissions, and software that limits and monitors access. However, even though a user’s account has been denied access to files on a server, what is to stop that user from opening files directly at the server instead? Worse yet, what is to prevent them from stealing the server’s hard disk? Issues like these are why physical security is so important to the protection of data and equipment. Physical security involves protecting systems from bodily contact. It requires controlling access to hardware and software so that people are unable to damage devices and the data they contain. If people are unable to have physical access to systems, they will not be able to steal or damage equipment. Physical security also limits or prevents their ability to access data directly from a machine or create additional security threats by changing account or configuration settings. Physical security also requires protecting systems from the environmental conditions within a business. Environmental conditions such as floods, fires, electrical storms, and other natural disasters can result in serious losses to a business. These conditions can also leave a business exposed to situations such as power outages, leakage of data due to poor shielding, and other potential threats. Without strong physical security in place, unauthorized persons can access information in a variety of ways. When designing physical security, the first step is to identify what needs to be protected and what it needs to be protected from. Inventories should be made of servers, workstations, network connectivity devices, and other equipment within an organization. Not all equipment is at risk from the same threats. For example, a workstation at a receptionist’s desk is vulnerable to members of the public who may be able to
364 CHAPTER 8 Network Access
view what is on the monitor or access data when the receptionist steps away. Equipment is also vulnerable to accidental or malicious damage, such as when a user or visitor accidentally knocks a computer off a desk or spills something on a keyboard. A server locked in the server room would not be subject to the same type of threats as the receptionist’s workstation, since access to the room is limited to members of the IT staff. Because the level of risk varies between assets and locations, risks must be evaluated for each individual device. When designing security, it is important to strike a balance between the cost of security and the potential loss—you do not want to pay more for security than the equipment and data are worth. Servers are costly and may contain valuable data, so a higher level of security is needed to protect them. On the other hand, an old computer in the Human Resources department that is used for keyboarding tests given to prospective employees needs little or no protection. When determining value, it is important to not only consider the actual cost of something, but how difficult it is to replace or what the cost to the organization’s credibility would be. Although certain data may be of relatively low cost value, it may still be important to a company and difficult to replace. For example, a writer may have the only copy of a book on his hard disk. Because it has not been published, the actual value of the book is minimal, and the cost of creating the book is limited to the time it took the writer to type the material. However, if the hard disk crashed and the book was lost, it would be difficult to replace the entire book. Even if the writer rewrote the book, it would be unlikely that the new version would be identical to the original. By determining the difficulty in replacing data, you are better able to determine its nonmonetary or potential value. Losses to credibility are even more difficult to quantify. For example, imagine that a listing of 10 credit card numbers is stolen from your company. Assuming that only $500 in purchases went through on each card before they were deactivated for fraud, there would sum a total of $5,000 in losses. However, the loss to your company’s credibility would be immense if the loss were made public. Hundreds of current or potential customers may choose not to use your company due to a lack of trust. Consequently, all the potential transactions of those customers must be taken into account to determine the full impact of the loss. Another point to remember is that equipment is often devalued yearly for tax purposes, making it seem that the equipment has no worth after a certain time period. If this is the only measurement of worth, security may be overlooked in certain areas, because the equipment does not seem to have any reasonable value. However, older systems may be vital to an organization, because they are used for important functions. For example, a small airport may use older systems for air traffic control such as takeoffs, landings, and flying patterns of aircraft. Because these older systems are essential to normal operations, they are more valuable than a new Web server that hosts a site with directions to the airport. When determining value, you must look at the importance of the equipment as well as its current monetary value. When creating measures to protect systems, it is important to note that threats are not limited to people outside the company. One of the greatest challenges to
Physical Access Security Methods 365
physical security is protecting systems from people within an organization. Corporate theft is a major problem for businesses, because employees have easy access to equipment, data, and other assets. Because an employee’s job may require working with computers and other devices, there is also the possibility that equipment may be damaged accidentally or intentionally. Physical security must not only protect equipment and data from outside parties, but also those within a company. A good way to protect servers and critical systems is to place them in a centralized location. Rather than keeping servers in closets throughout a building, it is common for organizations to keep servers, network connectivity devices, and critical systems in a single room. Equipment that cannot be stored in a centralized location should still be kept in secure locations. Servers, secondary routers, switches, and other equipment should be stored in cabinets, closets, or rooms that are locked, have limited access, are air-conditioned, and have other protective measures in place to safeguard equipment.
Test Day Tip Reviewing Physical Security Even if the physical security of a location is suitable when a server was installed, it may not be at a later date. In an office environment, people will move to different offices, renovations will be made to facilities, and equipment will be moved. Even though a server was initially placed in a secure location, the server could be moved or the location could become insecure as changes are made. Unfortunately, many of the decision makers in a company may be unaware of the importance of physical security for network equipment and make changes without considering implications. In a large organization where much of the network administration is done remotely, IT staff may be unaware that such changes have even occurred. For example, in one organization, I saw numerous problems with physical security. During construction to a reception area, the server was moved from a closet behind the reception desk area to the center of an unlocked room. Another server closet became a catchall area and would be unlocked to allow people to store equipment, office supplies, and their coats and boots in the winter. When renovations occurred at another location, the server was moved to a closet in a washroom area. This would have been bad enough, except that it was later designated a public washroom, and employees who accessed the closet would occasionally forget to lock it. Perhaps even worse, when an architecture firm was hired to evaluate the facility problems and determine what was needed in a new or renovated facility, they appeared to ignore the specifications made by IT staff and forgot to include a server room and any locations for network equipment. This happened not just once, but twice. The cold, hard fact is that (unless there’s a problem) few people care about the physical security of a server and other network equipment, so it is up to IT staff to perform reviews. Part of the indifference lies in advertising of “zero administration” and heightened security in operating systems (OSes), leading some people to believe that the need for network administration and physical security has lessened. Another contributing factor is that most
366 CHAPTER 8 Network Access
people have computers and even home networks, so they consider themselves peers to the expertise of IT staff and feel they can effectively make these decisions that ultimately compromise security. To help with these problems, policies should also be created that include strict measures against those who compromise physical security. However, while curbing these mindsets can be frustrating, the only people-problem that IT staff can immediately fix is with themselves. Because so much work can be done remotely, the physical presence of IT staff visiting an off-site location is generally minimal. If a server is moved, or the physical security of where it is located is compromised, IT staff won’t notice the problem until long after it has occurred. It is important for routine reviews to be made of assets like servers and other network equipment, inclusive to their locations in an organization, and whether they are physically secure.
Access Lists and Logs Access lists are basically preauthorized lists of people who are allowed to enter an area. Think of it as similar to the list of celebrities that a bouncer will let in to a private party. Only the specific people on the list will be allowed entry. Just like most elements of access control, the visitor must first prove his/her identity using some form of identification to be allowed in assuming that they are not recognized by sight. This is not a very secure manner of controlling access to buildings as it is not a very complicated process to fabricate a false identification card. All a potential intruder would need to know is the name of someone who is likely to be on the list and fabricate an ID to match. Access logs require anyone entering a secure area to sign in before entering. When visitors require entry, such as when consultants or vendor support staff need to perform work in a secure room, an employee of the firm must sign the person in. In doing so, the employee vouches for the credibility of the visitor and takes responsibility for this person’s actions. The access log also serves as a record of who entered certain areas of a building. Entries in the log can show the name of a visitor, the time this person entered and left a location, who signed them in, and the stated purpose of the visit. Even after a visitor has been given access to an area, a member of the organization should accompany him/her whenever possible. Doing so ensures that the visitor stays in the areas where they are permitted. It also provides a measure of control to ensure that the visitor does not tamper with systems or data while they are there.
Hardware Locks One of the easiest methods of securing equipment is the simplest: keep it behind a locked door. There are a variety of different locks that can be used. Some locks require metal keys to open them, much like those used to unlock the front door of a home. Other types may be programmed and have keypads requiring a PIN or card key to open them. With these more advanced locks, features may be available that
Physical Access Security Methods 367
allow logging of anyone who enters the area, which is useful for monitoring who entered a secure area at a particular time. If unable to store servers or other equipment in a dedicated server room, consider storing them in a locked closet, rack, or cabinet. By locking the equipment up, employees and visitors to a site will not be able to access it without authorization. If equipment is stored in a centralized server room or a locked closet, it is important that all sides of the room or closet are secure. Windows should be locked and alarmed, if possible, so that anyone climbing through will be stopped or detected. Air vents can also provide a route into a room, so any large vents should be bolted shut with grates. Even seemingly obscure routes should be blocked or secured. Intruders may be able to crawl into a room through the area between a false ceiling and the real ceiling or the space between a raised floor and the concrete beneath. Thus, walls surrounding the room should be extended to reach the real ceiling. Even walls may not provide real security, when you consider that someone could break through weak drywall to enter a “secure” area. If the need for security justifies the cost, vault rooms constructed of concrete, metal, or other materials that are difficult to penetrate can be built. In more common situations, the server room can be positioned beside other secure areas or in areas that use cinder blocks or bricks for walls. When designing a physical security plan, make sure that the walls, ceiling, and floor are secure. Test Day Tip Remember that physical security includes all sides of a room, the walls, ceiling, and floor. Even if most of these are secure, leaving one side of the room insecure can provide an avenue of penetration. Looking at the room this way will also help to identify where security lapses exist and what security measures should be implemented.
ID Badges ID badges are identification cards issued to individuals who need access to a specific location. These badges will often include a photograph of the individual as well as other identifying information such as their name or a badge number. They may also include a magnetic strip or a radio frequency identification (RFID) tag, which allows for storage of additional data or identification that the badge is genuine. There may be policies in place at a company that requires ID badges to be worn at all times when on the premises. This is one manner of ensuring that only authorized individuals are onsite at the facility. Anyone without an ID badge could potentially be an intruder and quickly identified due to the lack of the identifying badge. There are, of course, some challenges with relying solely on ID badges for security at a site. If the ID badges do not include a photo, they can easily be stolen and used by unauthorized personnel. In addition, there are logistics that must be considered when implementing an ID badge system such as ensuring that a process exists for visitors with no badge, handling of stolen or lost badges, and temporary badges for personnel who forget their badge. Badges with no magnetic strip or imbedded chip
368 CHAPTER 8 Network Access
for identification can be easily forged, and even those with these features can be duplicated with a little effort. That’s not to say that ID badges are a bad idea or should not be used. Just be aware that your physical access control mechanism should not rely on ID badges alone. You should always plan on having multiple layers of security around critical or confidential systems and information. ID badges may be one element of that security plan and should be considered any time that physical access to a premises is being restricted.
Door Access Systems Door access systems have increased in complexity from simple locks to complex systems that perform elements of access control such as authentication and logging of entry/exit. With the increased complexity comes increased security as well as increased management needs. It is no longer a matter of just duplicating keys and handing them out. Management of door access systems now includes having to detail out how a person (access control subject) is going to identify himself/herself, how to authenticate them, and how to authorize their access to the room or building in question (access control object). These door access systems come in two major types, stand-alone or centrally managed. Stand-alone door access systems typically have a small imbedded electronic system built into them which allows the administrator to set up all the rules of access control such as who has access to the door during which time periods. A stand-alone door access system is only concerned with the one door that it has to protect and does not share data with any other door access systems. As soon as you increase the number of door access systems to two or more, the complexity of managing these stand-alone systems becomes increasingly difficult. At that point, you must either manually maintain synchronization between the systems or set different rules for each (also manually). The solution to this is to use a centralized door access system. With this type of system, a central computer is responsible for performing the access control necessary across multiple door access systems. This allows for simpler centralized administration of the door access systems but has its own drawbacks. In the event of a failure of the centralized system, it is possible that multiple door access systems will stop working correctly. Some systems work around this by maintaining a copy of the centralized server’s rules in the memory of each local door access system so that if the central system fails, they can continue functioning using the last update they received until the problem is corrected. This works well from the perspective of keeping things running, but can be a security problem as revoked IDs will still work on systems with cached data until they receive a new rule set from the central server. Even with the most stringent physical security in place, there are ways of bypassing these methods and gaining access. One of the simplest methods is tailgating, or piggybacking, in which an unauthorized person follows an authorized person into a secure area. Regardless of whether a person has to use a key, PIN, card key, biometrics, or other methods to open a door and enter, all a second person needs to
Physical Access Security Methods 369
do is follow him or her through the door. Even if the first person notices the security breach, he may feel uncomfortable challenging the person who’s tailgating, and not bother asking the person to provide identification, get out, or go back and use his own key or access to enter. Intruders piggybacking on another person’s access can be a real security challenge, because any existing security measures are rendered useless even though they’re functioning properly. It is especially common if the authorized person knows the tailgater, such as when management, a coworker, or others who are visually recognized are piggybacking. It’s common to see one person use a key card to enter a building and several others follow their way in. However, even in these cases, you cannot be 100 percent sure that one of them has been dismissed from the company, under a disciplinary action (such as suspension), or is a contractor whose contract has ended. Even if the person legitimately works for the company, allowing them to piggyback their way into a server room could result in equipment being knocked over, sensitive documents (such as administrator passwords) being seen, or other problems. Human nature can cause significant problems for any security measures you put in place, and there is no easy way of dealing with it. Policies can be implemented that prohibit allowing anyone to enter an area unless they have used their own security access method (that is, key, access card, PIN, and so forth), with procedures on what to do if someone does sneak in behind a person (such as challenging the person to produce ID, notifying security personnel, and so forth). However, most employees are neither trained nor willing to confront or physically remove a person from the premises, so often, the policy may be ignored for personal safety reasons or because it is emotionally uncomfortable. After all, no one wants to ask their boss to get out of the building or room because they snuck in the door. This makes education one of the best methods of combating the problem. Employees should be educated that tailgating is a security issue, that policies exist that make a person responsible for those permitted access, and that allowing an unauthorized person access could result in disciplinary actions (including termination of employment). Although this won’t completely eliminate tailgating, it will limit the number of people who attempt or allow security breaches.
Mantrap A mantrap in a security context is basically a method used for physically trapping a person if they fail to be properly authenticated. It often takes the form of a small room with two doors. After gaining entry through the first door, there are specific criteria which must be met for the second door to open. The first of these is typically that the first door is closed. This prevents the person entering the mantrap from leaving if they fail to pass the other criteria necessary to enter the second door. The other criteria are all based on the authentication mechanisms in use for the facility and can include entry of a code, biometric verification, physical recognition, or any combination of these. Failure to authenticate would lead to the person attempting to gain entry being stuck in the mantrap until released. Typically, some
370 CHAPTER 8 Network Access
sort of alarm is associated with authentication failures so as to ensure that security personnel are aware that someone has been isolated in the mantrap.
Video Surveillance Chaperoning someone who has been given clearance to an area is not always possible or desirable. For example, if you have hired an outside party to install equipment that is needed for Internet access, you may not want to stand beside the installer for an extended period of time. However, workers can be monitored in high security locations using video cameras to provide electronic surveillance. This provides a constant eye and allows for review of their actions if an incident occurs.
Summary of Exam Objectives In this chapter, we looked at a number of topics covered in the access control domain of the Security+ exam. The objectives we have covered are all critical to your understanding of IT security in general and especially as they relate to this exam. By understanding each concept, you will have a strong foundation in the areas of network access that you will be tested on. As we looked at access control, we found that there were three distinct parts of access control: access control objects, access control subjects, and access control systems. The combination of these three parts gives us access control. This access control can be implemented using a number of different access control models and can be graded by older criteria such as the Orange book or new criteria such as the CC. Among these models are the Clark–Wilson, Bell–La Padula, and Biba formal models. We also talked about authentication models and how authentication works. Authentication differs from identification by the simple mechanism of proof. Presenting proof by one of the authentication types such as something you know, something you have, or something you are establishes that you are authenticating versus simply identifying yourself. Remember, of course, that each type of proof is considered a factor of authentication and can be combined to create a multifactor authentication type. When going over access control methods and models, we covered some very important concepts that really apply to every task in the security industry. The ideas behind implicit denial, separation of duties, principle of least privilege, and job rotation all play a part in increasing security or reducing risks in a secure environment. We also talked about mandatory, discretionary, and role-based access control with a focus on how they differ. Each applies in its own place and this is something you should be highly aware of. Access control is easiest to apply if the access control subjects or objects are organized in some way. This can be done using things like security groups for users or security controls around file and print resources. Any type of organization can decrease the administrative effort necessary to secure resources, but it should
Exam Objectives Fast Track 371
always be noted that if a grouping is too generic, it is difficult to get granular enough on the security permissions assigned to the groups. There must be a careful balance between ease of administration and granularity of control. When going over logical access control methods, we discussed how ACLs work and how DACs such as ACLs differ from MAC. We also spent some time discussing some Microsoft Active Directory-specific features, specifically group and domain policies. Remember that there is a hierarchical order of application for GPOs, and naturally, there are exceptions to always keep in mind. Other types of logical access control methods include time of day restrictions, account expiration, and logical tokens. Each of these plays a role in access control and you should understand how each works. Lastly, we went over the often forgotten part of IT security, physical access. There are different ways to justify the design and costs of physical security, but in general, the same rules apply to physical security as they do to any other security design. The cost isn’t just the amount of money stolen but the loss to credibility, loss of corporate secrets, and breach of trust to the company’s clients. To that end, using things such as access lists and logs, hardware locks, ID badges, door access systems, mantraps, and video surveillance can all help to increase the physical security of your site. All these items that we’ve gone over have an effect on the access control that you as a security professional are responsible for. Always keep in mind the best practices that we’ve discussed, not only when taking the Security+ exam, but also in the real world. It is part of our role as security professionals to do everything we can to maintain the integrity, confidentiality, and availability of the systems that we are responsible for. Following best practices such as these and maintaining a secure environment is a big part of fulfilling that responsibility.
Exam Objectives Fast Track General Network Access ■■ ■■
■■
■■
Access control is comprised of access control subjects, objects, and systems. Some access control formal models include Clark–Wilson, Bell–La Padula, and Biba. Authentication means presenting proof in the form of something you know, something you have, or something you are (or a combination of these). The difference between identification and authentication is that of proof.
Access Control Methods and Models ■■
■■
Implicit deny, separation of duties, the principle of least privilege, and job rotation are all methods of access control that can improve security and reduce risk. MAC is nondiscretionary, multilevel, label-based, and universally applied.
372 CHAPTER 8 Network Access
■■ ■■
DAC is discretionary, controllable, and transferable. Role-based access control is job-based, highly configurable, more flexible than MAC, and more precise than groups.
Access Control Organization ■■
■■
■■
Security groups are ways to organize access control subjects into logical groups to make security administration easier. Security controls are access control mechanisms that mitigate security risks and can be preventative, detective, or corrective. Grouping of file and print resources (access control subjects) can also be done to ease the efforts of administration.
Logical Access Control Methods ■■ ■■
■■
■■
ACLs are part of DAC and list permissions for access control subjects. Group policies and domain policies are elements of Microsoft Active Directory that allow for security rules to be enforced on access control subjects in a logical manner. Other logical access controls include time of day restrictions, account expiration, and logical tokens. Logical tokens are strings of values which are used in lieu of a password to gain access to access control objects.
Physical Access Security Methods ■■
■■
■■
Physical security is very important but is very expensive often requiring cost justification based on loss estimations including loss of products, money, credibility, corporate secrets, and trust. Physical security should be continually reviewed to ensure that it is current and effective. Access lists and logs, hardware locks, ID badges, door access systems, mantraps, and video surveillance are all elements of physical access security.
Exam Objectives FREQUENTLY ASKED QUESTIONS Q: What is the difference between access controls and authentication? They seem to be the same. A: Access controls set the condition for opening the resource. This could be the time of day, where the connection originates, or any number of conditions.
Exam Objectives Frequently Asked Questions 373
Authentication verifies that the entity requesting the access is verifiable and who the entity is claiming to be. Q: I am implementing an access control system using biometrics. Is biometrics reliable enough to use or should I combine this with something else? A: Biometric authentication is fairly reliable, but it is still best to combine this with some other form of identification from the user. It is typical in most biometric installations to use a combination of the biometric data and a password or PIN. This would give you a multifactor access control system. Q: Why are password policies important in an access control system? It would be a lot easier to just tell the users to pick passwords that are difficult to guess. A: Unfortunately, to maintain a secure system, you cannot rely on the users to know what a secure password is or use one. By implementing an access control policy, you ensure that passwords are more secure and improve the overall security of the access control system. Q: When working with accounts, at what point should the account be deleted? A: Accounts should only be deleted if there are no data associated with the account that needs to be retained, no database records are tied to the account, and there is no need for a new person to fill the position previously occupied by the original user. Typically, it is best to just disable accounts, but deletions can and should be done occasionally based on these criteria. Q: I ran a test against my access control system using a dictionary/brute force password cracker and most of the passwords were compromised within a few minutes. What should I do? A: You need to change your access control policy to require more secure passwords. For the passwords to be compromised that quickly, the passwords had to be very simple or contain common words. Implementing a better access control policy can help alleviate this risk. Q: The idea of RBACs seems very complicated. Wouldn’t it be easier just to use groups? A: Easier, yes. More secure, no! RBACs allow much finer control over which users get access. This is backward from the conventional teaching that had us use the groups to ease administrative effort. Q: When using DAC, what is the best way to apply permissions so that data are protected but users can still perform their job functions? A: Always use the principle of least privilege. Apply the permissions at the lowest level in the directory hierarchy possible and allow the users to access the data at that point. It is always a good idea to restrict access to the minimum necessary to do a job.
374 CHAPTER 8 Network Access
Q: When separating duties, shouldn’t a manager have access to do anything their employee can do? A: In some cases, yes, when the roles permit it. In other cases, no. If the employee has the responsibility of entering a transaction, and the manager has the responsibility of approving it, the manager should probably not be able to enter the transaction. This prevents a single person from performing an entire transaction from start to finish, which can reduce the possibility of fraud. It does make things more complex from a business perspective, but depending on the criticality of the tasks can mitigate a lot of risk. Q: Why isn’t MAC used more frequently than DAC if it’s more secure? A: Mainly because it’s very difficult to design and administer. When using MAC, sensitivity levels must be assigned to every access control object with similar labels on every access control subject. This makes a system very secure if implemented correctly, but takes a lot of time and effort to administer. In most cases, the administration and implementation costs are considered to be more than the value of the additional security. Q: Putting file and print resources into groups seems to make them a lot easier to manage. Is this a good idea? A: It often makes sense to group certain file and print resources together. In some cases, you can group all printers on a floor together and simply allow all users on that floor to have access to that group. Where you run into trouble is when you then have to change that due to specific requirements. For e xample, if there is one group on the floor who purchased a color laser printer and they don’t want other users printing there due to the cost of supplies, you now have to change your security to group those users together and isolate access to that printer to those users. This type of thing happens a lot, but there is still benefit to be found in grouping resources because it really does cut down on the amount of administrative overhead versus managing each object individually. Q: When defining an ACL, why should I include an implicit deny at the end? Won’t the DAC using the ACL do that automatically? A: Most DAC systems do an implicit deny by default, but it is not guaranteed. It is always best to add the implicit deny just to be 100 percent certain that requests falling outside the rules in the ACL are denied. This also makes the ACL more clear to others who look over it in the future to troubleshoot problems. Q: When working with domain policies, why is the local policy applied before any other policy?
Self Test 375
A: There are multiple reasons for this. One is so that there can be a default policy set applied if the system is unable to access the network to get GPOs. Another is so that changes to the local security policy can be overridden by GPOs defined by the administrator in the event that they have been changed by the user to be less restrictive. Q: When using logical tokens, what prevents a token from being hijacked and used by an unauthorized user? A: This is typically a part of the design of the access control system using logical tokens. In most cases, tokens only have a short time to live and it is difficult to replay them before they expire. In others, a sequence number is incorporated into the token and if the tokens are sent with the wrong sequence number they fail. The mechanisms differ based on the access control system, but there should always be some sort of mechanism to prevent token reply. This is, of course, something you should ensure before using a token-based system. Q: If access logs are being kept for a facility, should those be made available to the IT security personnel? A: This depends on the circumstances and the policies of the company. In most organizations, the IT security group is responsible for gathering information in the event of a security breach. This may or may not include physical access logs. Often, there is a facilities group that has the same charge in the physical security realm and each group may individually supply data to a legal group or auditor who processes it. Q: I don’t understand why IT security professionals should care about physical security. Isn’t that someone else’s job? A: In a lot of cases, yes, someone else is responsible for physical security. But consider a situation where IT assets or data are stolen due to a breach in physical security. If the group who handles the physical security was not properly advised or informed about what asset or data were being stored in that location, it could be considered a failure on the IT security side. Our role is to protect the systems and data that we’re responsible for and that protection should extend outside the logical realm when necessary.
Self Test
1. When you are using DAC systems with ACLs, what permission or privilege gives users the ability to read and write to an access control object? A. Write C. Execute B. Create D. Modify
376 CHAPTER 8 Network Access
2. When you are using MAC, how is permission to access control objects controlled after a user has been authenticated? A. By ACLs B. By sensitivity levels C. By identification D. By user role
3. How does role-based access control differ from DAC? A. Role-based access control requires that permissions be configured on every object and DAC does not B. Role-based access control uses the ID of the user to help determine permissions to objects and DAC does not C. Role-based access control uses the position of the user in the organization structure to determine permissions for objects and DAC does not D. Role-based access control requires that every object have a sensitivity label and DAC requires that every object have an ACL
4. The Bell–La Padula formal model for access control is most similar to which access control model? A. DAC B. MAC C. Role-Based Access Control D. Clark–Wilson Access Control
5. The Clark–Wilson formal access control model specifies a very important guideline related to account administration. What is this guideline and what does it mean? A. Principle of least privilege Grant all the rights and permissions necessary to an account, but no more than what is needed. B. Account administration Work hand-in-hand with the human resources or personnel office of the company to ensure that accounts can be authorized and created when employees are hired and immediately destroyed when they are dismissed. C. Segregation of duties No single person should perform a task from beginning to end, but the task should be divided among two or more people to prevent fraud by one person acting alone. D. Access control Provide access control subjects the ability to work with access control objects in a controlled manner.
Self Test 377
6. When you are performing account administration, the principle of least privilege is an important guideline to apply. Why is this principle so important? A. Applying the principle of least privilege ensures that permissions are broken up based on job functions which can prevent fraud B. Applying the principle of least privilege ensures that an access control policy is in place which can increase security by requiring frequent password changes C. Applying the principle of least privilege ensures that users are guaranteed a minimum level of access to the access control objects that they need to work with which provides assurance in the form of availability D. Applying the principle of least privilege ensures that users do not have more permission to an access control object than is necessary which can prevent users from accessing more than they should
7. When you are administering access control objects in a MAC system, what is an important part of an administrator’s duty? A. Declassifying data when necessary B. Removing ACLs when necessary C. Deleting inactive accounts regularly D. Replacing expired access control tokens when necessary
8. You have been brought in as a security consultant for a programming team working on a new operating system designed strictly for use in secure government environments. Part of your role is to help define the security requirements for the operating system and to instruct the programmers in the best security methods to use for specific functions of the operating system. What method of access control is most appropriate for implementation as it relates to the security of the operating system itself? A. MAC C. RBAC B. DAC D. All of the above
9. You are designing the access control methodology for a company implementing an entirely new IT infrastructure. This company has several hundred employees, each with a specific job function. The company wants their access control methodology to be as secure as possible due to recent compromises within their previous infrastructure. Which access control methodology would you use and why? A. RBAC because it is job-based and more flexible than MAC B. RBAC because it is user-based and easier to administer C. Groups because they are job-based and very precise D. Groups because they are highly configurable and more flexible than MAC
378 CHAPTER 8 Network Access
10. You have been brought in to analyze the overall security strength of a banking organization. As part of your analysis, you work with the existing security administrator to see what issues she has to deal with on a daily basis. She receives a help desk ticket stating that a teller issued a credit to his own account then authorized the credit so that he was able to prevent bouncing a check. According to the human resources department who called in the ticket, he said that he planned on removing the credit later after he got paid. The security administrator made a change to the security policies around one of the following areas. If she analyzed the issue correctly, which area did she change the policy for? A. System logging to capture events similar to this in the future B. Separation of duties to prevent a teller from issuing and authorizing a credit C. System scanning to test other areas of the software for vulnerabilities similar to this D. Log analysis to ensure that future events like this are flagged for follow-up. 11. Both identification and authentication play a role in access control. When analyzing a security infrastructure, you are tasked with documenting which elements of their security fall into identification versus authentication. Which option below correctly identifies these elements? A. Identification: ID Badge, PIN, User ID B. Identification: Fingerprint, User ID, Password C. Authentication: Password, PIN, Visual ID Verification D. Authentication: PIN, Fingerprint, Password 12. You are consulting for a small organization which does retail services. As part of your role, you must outline a security infrastructure and justify its cost to executives. Your biggest concern is around the lack of security in their point of sale system. Because credit cards are used for transactions in the point of sale system and it can be easily compromised, how would you justify the cost of an upgrade to executives? A. Note the merits of the new system including how much faster it can process transactions, how much easier it is to integrate with other systems, and its support for faster hardware B. Show what can happen with a real-time demonstration of how easily their current system can be compromised C. Present the merits of enterprise security and design a full enterprise architecture with appropriate intrusion, detection, and access controls to work around the limitations of the existing point of sale system D. Present an analysis of the pros and cons of upgrading including the potential cost of lost credibility in the event that the existing system is compromised
Self Test Quick Answer Key 379
13. You are working on an existing Windows Active Directory implementation. A problem has been identified where users are able to keep their passwords for 90 days instead of the company mandated 30-day policy. You’ve looked at the GPO defined at the domain level and the password expiration is set for 30 days. What could be the problem? A. A policy at the OU level is setting the expiration for 90 days B. A policy at the site level is setting the expiration for 90 days C. A policy at the local level is setting the expiration for 90 days D. A policy at the domain level is set for “Enforce” 14. When implementing a security infrastructure in an organization, you are tasked with designing their ACLs. Specifically, you must define how some firewall rules are set up. What principle or method would you want to make sure to include in your design? A. Separation of duties B. Principle of least privilege C. Implicit deny D. Block inheritance 15. You are working with an access control mechanism which uses logical tokens to validate user access requests. When a user presents his ID and token to the secured resource, he is granted access, but it is read-only rather than the read-write access he was expecting. Where should you look first for the cause? A. Have the user confirm that he is using the right password B. Ensure that the third-party authentication service is working properly C. Check the security permissions on the access control object D. Check to see if the token has been revoked
Self Test Quick Answer Key 1. 2. 3. 4. 5.
D B C B C
6. 7. 8. 9. 10.
D A A A B
11. 12. 13. 14. 15.
C D A C C
This page intentionally left blank
Chapter
Network Authentication
9
E x a m o b j e c tiv e s in this c hapt e r Authentication Methods....................................................................................................... 383 Authentication Systems....................................................................................................... 388
Introduction Security+ is a security fundamentals and concepts exam. No security concepts exam would be complete without questions on access control, authentication, and auditing (AAA). AAA comprises the most basic fundamentals of work in the Information Technology (IT) security field, and AAA is critical to understand for any IT security practitioner. In this chapter, you will study CompTIA’s test objectives for Section 1, “General Security Concepts.” You will be introduced to network authentication and its finer details, as well as the concepts and terminology that will be explored and developed in later chapters.
Introduction to AAA AAA is a set of primary concepts that aid in understanding computer and network security as well as access control. These concepts are used daily to protect property, data, and systems from intentional or even unintentional damage. AAA is used to support the confidentiality, integrity, and availability (CIA) security concept, in addition to providing the framework for access to networks and equipment using Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS/TACACS+). A more detailed description of AAA is discussed in Request for Comments (RFC) 3127, which can be found at http://tools.ietf.org/html/rfc3127. This RFC contains an evaluation of various existing protocols against the AAA requirements and can help you understand the specific details of these protocols. The AAA requirements themselves can be found in RFC 2989 located at http://tools.ietf.org/html/rfc2989.
381
382 CHAPTER 9 Network Authentication
Head of the Class Clarification of Two Key Acronyms It is important to understand the acronyms used in the Security+ exam. For purposes of the Security+ exam, two specific abbreviations need to be explained to avoid confusion. For general security study and the Security+ exam, AAA is defined as access control, authentication, and auditing. Do not confuse this with Cisco’s implementation and description of AAA, which is authentication, auditing, and accounting. Although similar in function and usage, the Security+ exam uses the first definition. The second abbreviation requiring clarification is CIA. For purposes of the Security+ exam, CIA is defined as confidentiality, integrity, and availability. Other literature and resources such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) guidelines may refer to CIA as confidentiality, integrity, and authentication.
What is AAA? AAA is a group of processes used to protect the data, equipment, and confidentiality of property and information. As mentioned earlier, one of the goals of AAA is to provide CIA. CIA can be briefly described as follows: ■■
Confidentiality The contents or data are not revealed
■■
Integrity The contents or data are intact and have not been modified
■■
Availability The contents or data are accessible if allowed
AAA consists of three separate areas that work together. These areas provide a level of basic security in controlling access to resources and equipment in networks. This control allows users to provide services that assist in the CIA process for further protection of systems and assets.
Notes from the Field Access and Authentication The difference between access control and authentication is a very important distinction, which you must understand to pass the Security+ exam. Access control is used to control the access to a resource through some means. This could be thought of as a lock on a door or a guard in a building. Authentication, on the other hand, is the process of verifying that the person trying to access whatever resource is being controlled is authorized to access the resource. In our analogy, this would be the equivalent of trying the key or having the guard check your name against a list of authorized people. So in summary, access control is the lock and authentication is the key.
Access Control Access control can be defined as a policy, software component, or hardware component that is used to grant or deny access to a resource. This can be an advanced
Authentication Methods 383
component such as a Smart Card, a biometric device, or network access hardware such as routers, remote access points such as remote access service (RAS), and virtual private networks (VPNs), or the use of wireless access points (WAPs). It can also be file or shared resource permissions assigned through the use of a network operating system (NOS) such as Microsoft Windows with Active Directory or UNIX systems using Lightweight Directory Access Protocol (LDAP), Kerberos, or Sun Microsystem’s Network Information System (NIS) and Network Information System Plus (NIS+). Finally, it can be a rule set that defines the operation of a software component limiting entrance to a system or network.
Authentication Authentication can be defined as the process used to verify that a machine or user attempting access to the networks or resources is, in fact, the entity being presented. For this chapter, nonrepudiation is the method used (time stamps, particular protocols, or authentication methods) to ensure that the presenter of the authentication request cannot later deny they were the originator of the request. In the following sections, authentication methods include presentation of credentials (such as a username and password, Smart Card, or personal identification number [PIN]) to a NOS (logging on to a machine or network), remote access authentication, and a discussion of certificate services and digital certificates. The authentication process uses the information presented to the NOS (such as username and password) to allow the NOS to verify the identity based on those credentials.
Auditing Auditing is the process of tracking and reviewing events, errors, access, and authentication attempts on a system. Much like an accountant’s procedure for keeping track of the flow of funds, you need to be able to follow a trail of access attempts, access grants or denials, machine problems or errors, and other events that are important to the systems being monitored and controlled. In the case of security auditing, you will learn about the policies and procedures that allow administrators to track access (authorized or unauthorized) to the network, local machine, or resources. Auditing is not enabled by default in many NOSes, and administrators must often specify the events or objects to be tracked. This becomes one of the basic lines of defense in the security and monitoring of network systems. Tracking is used along with regular reading and analysis of the log files generated by the auditing process to better understand if the access controls are working.
Authentication Methods Authentication, when looked at in its most basic form, is simply the process used to prove the identity of someone or something that wants access. This can involve highly complex and secure methods, which may involve higher costs and more time, or can be very simple. For example, if someone you personally know comes to your
384 CHAPTER 9 Network Authentication
door, you visually recognize them, and if you want them to enter, you open the door. In this case, you have performed the authentication process through your visual recognition of the individual. All authentication processes follow this same basic premise; that we need to prove who we are or who the individual, service, or process is before we allow them to use our resources. Authentication allows a sender and receiver of information to validate each other as the appropriate entities with which they want to work. If entities wishing to communicate cannot properly authenticate each other, there can be no trust in the activities or information provided by either party. Only through a trusted and secure method of authentication can administrators provide for a trusted and secure communication or activity.
One-Factor One-factor authentication methods as simple methods as username and password combinations have been used for authenticating purposes for many years. Most OSes have had some form of local authentication that could be used if the OS was designed to be used by multiple users. Windows, Novell Netware, UNIX, and Linux have all had local authentication paths early in their development. Although this is the most common authentication method, it is not without its problems. From a security standpoint, it is important to understand that the first line of defense of a system is the creation and maintenance of a password policy that is enforced and workable. You need to both implement and enforce the policy to ensure that this rudimentary protection is in place in your network. Most OSes have methods of utilizing username/password policies. Password policies that require a user-created password that is less than 6 characters long are generally regarded as having a low (or no) security level. Password policies that require between 8 and 13 characters are regarded as a medium security level. Policies requiring 14 or more characters are regarded as a high security level. These security levels are based on the difficulty of discovering the password through the use of dictionary and brute force attacks. Additionally, all password policies, regardless of password length, should require that an acceptable password contain a combination of the following: ■■
Uppercase and lowercase alphabetic characters
■■
Numbers
■■
Special characters
■■
No dictionary words
■■
No portion of the username in the password
■■
No personal identifiers should be used including birthdays, social security number, pet’s name, and so on
To achieve the medium security level, implement the use of eight characters, including uppercase and lowercase, numbers, and special characters. For high security,
Authentication Methods 385
implement the medium security settings, and enforce the previous settings plus no dictionary words and no use of the username in the password. Be aware that the higher the number of characters or letters in a password, the more chance exists that the user will record the password and leave it where it can be found. Most policies work at about the eight-character range, and require periodic changes of the password as well as the use of special characters or numbers. The simplest form of authentication is the transmission of a shared password between entities wishing to authenticate each other. This can be as simple as a secret handshake or a key. As with all simple forms of protection, once knowledge of the secret key or handshake is disclosed to nontrusted parties, there can no longer be trust in who is using the secrets. Many methods can be used by an unauthorized person to acquire a secret key, from tricking someone into disclosing it, to high-tech monitoring of communications between parties to intercept the key as it is passed between parties. However the code is acquired, once it is in a nontrusted party’s hands, it can be used to falsely authenticate and identify someone as a valid party, forging false communications, or utilizing the user’s access to gain permissions to the available resources. Original digital authentication systems shared a secret key across the network with the entity with which they wanted to authenticate. Applications such as Telnet and File Transfer Protocol (FTP) are examples of programs that simply transmit the username and password in cleartext to the party they are authenticating. Another area of concern is Post Office Protocol 3 (POP3) e-mail, which, in its default state, sends the complete username and password information in cleartext, with no protection. The problem with this method of authentication is that anyone who monitors a network can possibly capture a secret key and use it to gain access to the services or to attempt to gain higher privileged access with your stolen authentication information. What methods can be used to provide a stronger defense? As discussed earlier, sharing a handshake or secret key does not provide long lasting and secure communication or the secure exchange of authentication information. This has led to more secure methods of protection of authentication mechanisms. The following sections examine a number of methods that provide a better and more reliable authentication process.
Notes from the Field Cleartext Authentication Cleartext (non-encrypted) authentication is still widely used by many people who receive their e-mail through POP3. By default, POP3 client applications send the username and password unprotected in cleartext from the e-mail client to the server. There are several ways of protecting e-mail account passwords, including connection encryption. Encrypting connections between e-mail clients and servers is the only way of truly protecting your e-mail authentication password. This prevents anyone from capturing your password or any e-mail you transfer to your client. Secure Sockets Layer (SSL) is the general method used to encrypt the connection stream from the e-mail client to a server.
386 CHAPTER 9 Network Authentication
Authentication POP (APOP) is used to provide password-only encryption for e-mail authentication. It employs a challenge/response method (defined in RFC 1725) that uses a shared time stamp provided by the authenticating server. The time stamp is hashed with the username and the shared secret key through the MD5 algorithm. There are still some problems with this process. The first is that all values are known in advance except the shared secret key. Because of this, there is nothing provided to protect against a brute force attack on the shared key. Another problem is that this security method attempts to protect a password, but does nothing to prevent anyone from viewing e-mail as it is downloaded to an e-mail client. Some brute force crackers, including POP, Telnet, FTP, and Hypertext Transfer Protocol (HTTP), can be found at http://packetstormsecurity.nl/Crackers/ and can be used as examples for this technique.
Two-Factor Two-factor authentication can be implemented with a combination of something you have (for example, automatic teller machine [ATM] cards) and something you know (a PIN). To misuse your authentication credentials in a two-factor authentication scheme like an ATM, they must acquire your ATM card and the PIN number. The authentication could be implemented in a simple form such as magnetic strip cards as currently used in many bank ATMs or more sophisticated token cards (available in the form of key fobs with constantly changing numbers). Token technology is a method that can be used in networks and facilities to authenticate users. These tokens are not the access tokens that are granted during a logon session by the NOS, rather they are physical devices used for the randomization of a code that can be used to assure the identity of the individual or service that has control of them. Tokens provide an extremely high level of authentication because of the multiple parts they employ to verify the identity of the user. Token technology is currently regarded as more secure than most forms of biometrics, because impersonation and falsification of the token values is extremely difficult. Token authentication can be provided by way of either hardware- or softwarebased tokens. Let’s take a look at the multiple pieces that make up the process for authentication using token technology. To start with, you must have a process to create and track random token access values. To do this, you normally utilize at least two components. They are: ■■ ■■
A hardware device that is coded to generate token values at specific intervals A software or server-based component that tracks and verifies that these codes are valid
To use this process, the token code is entered into the server/software monitoring system during setup of the system. This begins a process of tracking the token values, which must be coordinated. A user wishing to be authenticated visits the machine or resource they wish to access, and enters a PIN number in place of the
Authentication Methods 387
usual user logon password. They are then asked for the randomly generated number currently present on their token. When entered, this value is checked against the server/software system’s calculation of the token value. If they are the same, the authentication is complete and the user can access the machine or resource. Some vendors have also implemented a software component that can be installed on portable devices, such as handhelds and laptops, which emulate the token device and are installed locally. The authentication process is the same; however, the user enters the token value into the appropriate field in the software, which is compared to the required value. If correct, the user may log on and access the resource. Vendors such as RSA Security offer products and solutions such as SecurID to utilize these functions. Others implement processes that involve the use of OneTime Password Technology, which often uses a pregenerated list of secured password combinations that may be used for authentication, with a one-time use of each. This provides for a level of randomization, but in its basic implementation is not as random as other token methods.
Three-Factor Three-factor authentication—commonly known as multifactor authentication—is the process in which we expand on the traditional requirements that exist in a single factor authentication like a password. To accomplish this, multifactor authentication will use another item for authentication in addition to or in place of the traditional password. Use of similar authentication mechanisms repetitively may not be classified as multifactor authentication. The implementation should utilize three independent authentication mechanisms available. Following are the four possible types of factors that can be used for multifactor authentication. ■■
A password or a PIN can be defined as a “something you know” factor.
■■
A token or Smart Card can be defined as a “something you have” factor.
■■
■■
A thumbprint, retina, hand, or other biometrically identifiable item can be defined as a “something you are” factor. Voice or handwriting analysis can be used as a “something you do” factor.
For example, most password-based single authentication methods use a password. In multifactor authentication methods, you might enhance the “something you know” factor by adding a “something you have” factor or a “something you are” factor. A Smart Card or token device can be a “something you have” factor. Multifactor authentication can be extended, if desired, to include such things as handwriting recognition or voice recognition. The benefit of multifactor authentication is that it requires more steps for the process to occur, thus adding another checkpoint to the process, and therefore stronger security. For instance, when withdrawing money from the bank with a debit card (“something you have”) you also have to have the PIN number (“something you know”). This can be a disadvantage if the
388 CHAPTER 9 Network Authentication
number of steps required to achieve authentication becomes onerous to the users and they no longer use the process or they attempt to bypass the necessary steps for authentication. To summarize, multifactor authentication is more secure than other methods, because it adds steps that increase the layers of security. However, this must be balanced against the degree to which it inconveniences the user, because this may lead to improper use of the process.
Single Sign-on Single sign-on (SSO) is a process in which we simplify the access to different systems by authenticating the user once. SSO needs to be implemented with stringent policies with access control and authorization mechanisms and group policies to ensure simplification does not result in compromise in security. In a corporate scenario, a user may have to log on to the local directory services for authentication, a mail service may require another password, client-server applications such as CRM or ERP may need authentication, and several other software applications may incorporate different authentication procedures. Apart from reducing the password fatigue it may result in increased productivity and simplified management when the disparate software systems can work with a centralized authentication service for a one-time authentication of the users. SSO can be implemented through various NOS including Microsoft Windows 2003 (Internet Authentication Services, IAS), Microsoft Windows 2008 (Network Policy Server, NPS), and Linux systems using Kerberos or through non-OS implementations such as RSA Enterprise Single Sign-On (ESSO) solutions.
Authentication Systems From a simple user authentication to the local domain services to that of sophisticated online banking systems, various authentication systems are adopted by the organizations. As the need for complex security arises, additional layers of security are added to the rudimentary system of username and password. Operating systems and a pplications develop vulnerabilities and hackers come up with innovative methods to circumvent the design of the security. Introducing a hardware element sometimes is considered a higher level of security as one has to get hold of both the hardware (such as token card) and exploit the vulnerabilities of the system to break-in. In this section, we’ll discuss about RADIUS, Kerberos, and LDAP authentication services, authentication protocols including Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), 802.1x methods and implementations that offer powerful accounting tools such as TACACS+. To begin with, we’ll discuss about authentication policies that are used to granularly control the access methods and type of authentication protocols remote users need to comply with to access the resources.
Authentication Systems 389
Remote Access Policies and Authentication Remote users may connect to the network through dial-in services using a modem and analog line by dialing in to the organization’s modem pool connected to a dial-in server, or through VPN client software configured on their laptops or remote desktops to connect to the corporate VPN server (often a Firewall with VPN component as in Case of Check Point, Watchguard, Juniper SSG, or Cisco ASA appliances or dedicated VPN concentrators). Even wireless clients connecting through the WAPs can be defined as a remote user and restrictions can be applied on them. In summary, any user outside the physical LAN can be defined as a remote user and access policies can be applied. Authentication servers refer to the directory services (discussed later in this chapter) before the users are authenticated. However, remote access policies go beyond just authenticating the user. These policies define how the users can connect to the network. You may also grant or deny the permission to dial-in, based on the credentials presented by the remote users. A remote access policy defines the conditions, remote access permissions, and creates a profile for every remote connection made to the corporate network. Through remote access policies you can define the following: ■■
Grant or deny dial-in based on connection parameters such as type and time of the day
■■
Authentication protocols (PAP, CHAP, EAP, MS-CHAP)
■■
Validation of the caller ID
■■
Call back
■■
Apply connection restrictions upon successful authorization
■■
Create remote user/connection profile
■■
Assign a static IP or dynamic IP from the address pool defined for remote users
■■
Assign the user to a group to apply group policies
■■
Configure remote access permission parameters
■■
Define encryption parameters (for a remote access VPN client)
■■
Control the duration of the session including maximum time allowed and idle time before the connection is reset
Remote Access Policies can be configured in Microsoft Windows 2003 through IAS, in Windows 2008 through NPS, and in Linux variants through FreeRADIUS.
Biometrics Biometric devices can provide a higher level of authentication than, for example, a username/password combination. However, although they tend to be relatively
390 CHAPTER 9 Network Authentication
secure, they are not impervious to attack. For instance, in the case of fingerprint usage for biometric identification, the device must be able to interpret the actual presence of the print. Early devices that employed optical scans of fingerprints were fooled by fogging of the device lenses, which provided a raised impression of the previous user’s print as it highlighted the oils left by a human finger. Some devices are also subject to silicon impressions or fingerprinting powders that raise the image. Current devices may require a temperature or pulse sense as well as the fingerprint to verify the presence of the user, or another sensor that is used in conjunction with the print scanner, such as a scale. Biometrics used in conjunction with Smart Cards or other authentication methods lead to the highest level of security.
RADIUS Users need a centralized entity to handle authentication. Initially, RADIUS was created by Livingston Enterprises to handle dial-in authentication. Then its usage broadened into wireless authentication and VPN authentication. RADIUS is the most popular of all the AAA servers, including TACACS, TACACS+, and DIAMETER. A RAS must be able to authenticate a user, authorize the authenticated user to perform specified functions, and log (that is, account for) the actions of users for the duration of the connection. When users dial into a network, RADIUS is used to authenticate usernames and passwords. A RADIUS server can either work alone or in a distributed environment (known as distributed RADIUS), where RADIUS servers are configured in a tiered ( hierarchical) structure. In a distributed RADIUS environment, a RADIUS server forwards the authentication request to an enterprise RADIUS server using a protocol called Proxy RADIUS. The enterprise RADIUS server handles verification of user credentials and responds back to the service provider’s RADIUS server. One of the reasons that RADIUS is so popular is that it supports a number of protocols including: ■■
Point-to-Point Protocol (PPP)
■■
Password Authentication Protocol (PAP)
■■
Challenge Handshake Authentication Protocol (CHAP)
The Authentication Process RADIUS authentication consists of five steps (Figure 9.1):
1. Users initiate a connection with an Internet service provider (ISP) RAS or corporate RAS. Once a connection is established, users are prompted for a username and password.
2. The RAS encrypts the username and password using a shared secret, and passes the encrypted packet to the RADIUS server.
Authentication Systems 391
Figure 9.1 The RADIUS Authentication Process
3. The RADIUS server attempts to verify the user’s credentials against a centralized database.
4. If the credentials match those found in the database, the server responds with an access-accept message. If the username does not exist or the password is incorrect, the server responds with an access-reject message.
5. The RAS then accepts or rejects the message and grants the appropriate rights.
RADIUS Implementation Various options are available for the organizations planning to implement RADIUS. Some commercial software for enterprises and ISPs, bundled RADIUS appliances, or open source products such as FreeRADIUS (www.freeradius.org) may be considered for deployment. Figure 9.2 shows a Juniper Networks Steel-Belted RADIUS implementation for server. Figure 9.3 shows Odyssey Access Client at the client side. A standard Juniper Networks Steel-Belted RADIUS deployment includes: ■■
■■
■■
Installation of the RADIUS server on a chosen software platform (available for SBR EE for Windows® XP/2003, Sun Solaris 9/10 [SPARC], and 32-bit versions of Red Hat Enterprise Linux ES 4.0/5). Configure RADIUS clients (routers, switches, or WAPs) providing the RADIUS server details (normally the server IP and a shared secret). Install Odyssey Access clients on the client laptop (available for Microsoft Windows 2000, Windows XP, and Windows Vista operating systems, Microsoft Windows Mobile 5, Windows Mobile 3, Windows CE 4.2 and CE 5, and Windows 2003 for Pocket PC, Red Hat Enterprise Linux [RHEL] 3 and 4, and Apple Mac OS X v ersion 10.4.x operating system).
■■
Configure Authentication Protocols and Policies on the RADIUS server (Figure 9.2).
■■
Configure authentication parameters on the client side (Figures 9.3 and 9.4).
392 CHAPTER 9 Network Authentication
Figure 9.2 Configuring Authentication Policies on a Steel-Belted RADIUS Server
Figure 9.4 Figure 9.3 Configuring Odyssey Access Clients
Configuring Authentication P rotocol on an Odyssey Access Client
Authentication Systems 393
Note The Security+ exam does not have product specific questions. However, it’s a good practice to download evaluation versions of commercially available RADIUS products or open source tools to practice the concepts.
Vulnerabilities Certain “flavors” of RADIUS servers and Web servers can be compromised by buffer-overflow attacks. A buffer-overflow attack occurs when a buffer is flooded with more information than it can hold. The extra data overflows into other buffers and areas of program memory. The code injected through a buffer overflow attack may then be executed by the system and can result in exploitation of the target system.
Head of the Class Sometimes You Just Get Lucky… Once we lock a door, curiosity leads someone to try and see what is behind it. This is the “cat-and-mouse game” that is network security. Many vulnerabilities found in network security are discovered by hackers trying to access systems they are not authorized to use. Sometimes, “white-hat” hackers—security consultants hired to test system vulnerabilities— discover vulnerabilities in their testing. Unlike “black-hat” hackers, whose intentions are malicious, and “gray-hat” hackers, whose intentions are not malicious, “white-hat” hackers generally work with companies to fix issues before they become public knowledge. In 2001, RADIUS buffer-overflow attacks were discovered by Internet Security Systems while testing the vulnerabilities of the wireless networks.
Kerberos Kerberos (currently Kerberos v5-1.6.3) is used as the preferred Network Authentication Protocol in many medium and large environments, to authenticate users and services requesting access to resources. Kerberos is a network protocol designed to centralize the authentication information for the user or service requesting the resource. This allows authentication of the entity requesting access (user, machine, service, or process) by the host of the resource being accessed through the use of secure and encrypted keys and tickets (authentication tokens) from the authenticating Key Distribution Center (KDC). It allows for cross-platform authentication and is available in many implementations of various NOS. Kerberos is very useful in the distributed computing environments currently used, because it centralizes the processing of credentials for authentication. Kerberos utilizes time stamping of its tickets, to help ensure they are not compromised by other entities, and an overall structure of control that is called a realm. Some platforms use the defined terminology, while others such as Windows 2003 or Windows 2008 use their domain structure to implement the Kerberos concepts.
394 CHAPTER 9 Network Authentication
Kerberos is described in RFC 1510, which is available on the Web at www.ietf. org/rfc/rfc1510.txt?number=1510. Developed and owned by the Massachusetts Institute of Technology (MIT), information about the most current and previous releases of Kerberos is available on the Web at http://web.mit.edu/Kerberos. Let’s look at how the Kerberos process works, and how it helps secure authentication activities in a network. First, let’s look at Figure 9.5, which shows the default components of a Kerberos v5 realm: As can be seen in Figure 9.5, there is an authentication server requirement (the KDC). In a Kerberos realm, whether in a UNIX-based or Windows-based OS, the authentication process is the same. For this purpose, imagine that a client needs to access a resource on the resource server. Look at Figure 9.6 as we proceed, to follow the path for the authentication, first for logon, then at Figure 9.7 for the resource access path. As seen in Figure 9.6, two events are occurring as credentials are presented (password, Smart Card, biometrics) to the KDC for authentication. This is due to the dual role of the KDC. It acts as both an Authentication Server and as a Ticket Granting Server. First, the authentication credential is presented to the KDC where it is authenticated using the Authentication Server mechanism. Second, the KDC issues a Ticket Granting Ticket (TGT) through the Ticket Granting Server mechanism that is associated with the access token while you are actively logged in and authenticated. This TGT expires when you (or the service) disconnect or log off the network, or after it times out. The Kerberos administrator can alter the expiry timeout as needed to fit the organizational needs, but the default is 1 day (86,400 s). This TGT is cached locally for use during the active session.
Figure 9.5 Kerberos Required Components
Authentication Systems 395
Figure 9.6 Authentication Path for Logon Access in a Kerberos Realm
Figure 9.7 Resource Access in a Kerberos Realm
Figure 9.7 shows the process for resource access in a Kerberos realm. It starts by presenting the previously granted TGT to the authenticating KDC. The authenticating KDC returns a session ticket to the entity wishing access to the resource. This session ticket is then presented to the remote resource server. The remote resource server, after a ccepting the session ticket, allows the session to be established to the resource.
396 CHAPTER 9 Network Authentication
Kerberos uses a time stamp and we need to understand where and when the time stamp is used. The time stamp is used to limit the possibility of replay or spoofing of credentials. Replay is the capture of information, modification of the captured information, and retransmission of the modified information to the entity waiting to receive the communication. If unchecked, this allows for impersonation of credentials when seeking access. Spoofing is the substitution of addressing or authentication information to try to attain access to a resource based on information acceptable to the receiving host, but not truly owned by the sender. The initial time stamp refers to any communication between the entity requesting authentication and the KDC. Normally, this initial time period will not be allowed to exceed 10 min if based on the MIT Kerberos software default. Microsoft’s Kerberos implementation has a 5-min time delta. If clocks are not synchronized between the systems, the credentials (tickets) will not be granted if the time differential exceeds the established limits. Session tickets from the KDC to a resource must be presented within this time period or they will be discarded. The session established between the resource server and the requesting entity is also time-stamped, but generally lasts as long as the entities’ logon credential is valid. This can be affected by system policies such as logon hour restrictions, which are defined in the original access token. TGT tickets are not part of the default 5-min period, rather they are cached locally on the machine and are valid for the duration of the logged-on session.
LDAP Directory services are used to store and retrieve information about objects, which are managed by the service. On a network, these objects can include user accounts, computer accounts, mail accounts, and information on resources available on the network. Because these objects are organized in a directory structure, you can manage them by accessing various properties associated with them. For example, a person’s account to use the network would be managed through such attributes as the user’s username, password, times the user is allowed to log on, and other properties of the user’s account. By using a directory service to organize and access this information, the objects maintained by the service can be effectively managed. The concept of a directory service can be somewhat confusing, until you realize that you’ve been using them for most of your life. A type of directory that’s been around longer than computers is a telephone directory, which organizes the account information of telephone company customers. These account objects are organized to allow people to retrieve properties like the customer’s name, phone number, and address. Directory services shouldn’t be confused with the directory itself. The directory is a database that stores data on the objects managed through directory services. To use our telephone directory example again, consider that the information on customer accounts can be stored in a phonebook or electronically in a database. Regardless of whether the information is accessed through an operator or viewed online using a 411 service, the directory service is the process of how the data is accessed.
Authentication Systems 397
The directory service is the interface or process of accessing information, while the directory itself is the repository for that data. Directory services are used by many different network OSes to organize and manage the users, computers, printers, and other objects making up the network. Some of the directory services that are produced by vendors include: ■■
■■
■■
Active Directory, which was developed by Microsoft for networks running Windows 2000 Server, Windows 2003 Server, or Windows 2008. eDirectory, which was developed by Novell for Novell NetWare networks. Previous versions for Novell NetWare 4.x and 5.x were called Novell Directory Services (NDS). OpenLDAP, which was developed by Apple for networks running Mac OS X Servers.
To query and modify the directory on Transmission Control Protocol/Internet Protocol (TCP/IP) networks, the LDAP can be used. LDAP is a protocol that enables clients to access information within a directory service, allowing the directory to be searched and objects to be added, modified, and deleted. LDAP was created after the X.500 directory specification that uses the Directory Access Protocol (DAP). Although DAP is a directory service standard protocol, it is slow and somewhat complex. LDAP was developed as an alternative protocol for TCP/IP networks because of the high overhead and subsequent slow response of heavy X.500 clients, hence the name lightweight. Because of the popularity of TCP/IP and the speed of LDAP, the LDAP has become a standard protocol used in directory services. LDAP services are used to access a wide variety of information that’s stored in a directory. On a network, consider that the directory catalogs the name and information on every user, computer, printer, and other resource on the network. The information on a user alone may include their username, password, first name, last name, department, phone number and extension, e-mail address, and a slew of other attributes that are related to the person’s identity. The sheer volume of this data requires that LDAP directories are effectively organized, so that the data can be easily located and identified in the directory structure.
LDAP Directories Because LDAP is a lightweight version of DAP, the directories used by LDAP are based on the same conventions as X.500. LDAP directories follow a hierarchy, much in the same way that the directories on your hard drive are organized in a hierarchy. Each uses a tree-like structure, branching off of a root with containers (called organizational units [OUs] in LDAP; analogous to folders on a hard drive) and objects (also called entries in LDAP’s directory; analogous to files on a hard drive). Each of the objects has attributes or properties that provide additional information. Just as a directory structure on a hard disk may be organized in different ways, so can the hierarchy of an LDAP directory. On a network, the hierarchy may be organized in a number
398 CHAPTER 9 Network Authentication
of ways, following the organizational structure, geographical location, or any other logical structure that makes it easy to manage the objects representing users, computers, and other resources. Because LDAP directories are organized as tree structures (sometimes called the Directory Information Tree [DIT]), the top of the hierarchy is called the root. The root server is used to create the structure of the directory, with OUs and objects branching out from the root. Because the directory is a distributed database, parts of the directory structure may exist on different servers. Segmenting the tree based on organization or division and storing each branch on separate directory servers increases the security of the LDAP information. By following this structure, even if one directory server is compromised, only a branch of the tree (rather than the entire tree) is compromised.
Organizational Units The hierarchy of an LDAP directory is possible because of the various objects that make up its structure. These objects represent elements of the network, which are organized using containers called OUs. Each OU can be nested in other OUs, similar to having subfolders nested in folders on your hard disk. In the same way the placement of folders on your hard disk makes a directory structure, the same occurs with OUs and objects in an LDAP directory. The topmost level of the hierarchy generally uses the Domain name system (DNS) to identify the tree. For example, a company named Syngress might use syngress.com at the topmost level. Below this, OUs are used to identify different branches of the organization or network. For example, you might have the tree branch off into geographical locations, like Paris, London, and Toronto, or use them to mimic the organizational chart of the company, and create OUs with names like Administration, Research, Technology, and so forth. Many companies will even use a combination of these methods, and use the OUs to branch out by geographical location, and then create OUs for divisions of the company within the OUs representing locations. To identify the OUs, each has a name that must be unique in its place in the hierarchy. For example, you can’t have two OUs named printers in a container named sales. As with many elements of the directory it is analogous to the directory structure of a hard disk where you can’t have two subfolders with the same name in the same folder. You can however have OUs with the same name in different areas of the hierarchy, such as having an OU named printers in the sales container and another OU named printers in an OU named service. The structure of the LDAP directory is not without its own security risks, as it can be a great source of information for intruders. Viewing the placement of OUs can provide a great deal of information about the network structure, showing which resources are located in which areas of the organization. If an administrator followed a particular scheme of designing the hierarchy too closely, a hacker could determine its structure using information about the organization. For example, companies often provide their organizational charts on the Internet, allowing people to
Authentication Systems 399
see how the company is structured. If an administrator closely followed this chart in designing a hierarchy, a hacker could speculate how the LDAP directory is laid out. If the hacker can gain access to the directory using LDAP queries, he or she could then use this information to access objects contained in different OUs named after departments on the chart. Using naming conventions internal to the company (such as calling a London base of operations district1) or using some creativity in naming schemes (such as calling an OU containing computer accounts WK instead of workstations) will make the hierarchy’s structure less obvious to outsiders. Although using the organizational chart of a company and geographical locations can be used as a basis for designing the hierarchy, it should not be an easy-to-guess blueprint of the directory and network infrastructure.
Objects, Attributes, and the Schema As mentioned earlier, entries in the directory are used to represent user accounts, computers, printers, services, shared resources, and other elements of the network. These objects are named, and as we discussed with OUs, each object must have a name that’s unique to its place in the namespace of the hierarchy. Just as you can’t have two files with the same name in a folder on your hard disk, you can’t have two objects with the same name in an OU. The name given to each of these objects is referred to as a common name, which identifies the object but doesn’t show where it resides in the hierarchy. The common name is part of the LDAP naming convention. Just as a filename identifies a file, and a full pathname identifies its place in a directory structure, the same can be seen in the LDAP naming scheme. The common name identifies the object, but a distinguished name can be used to identify the object’s place in the hierarchy. An example of a distinguished name is the following, which identifies a computer named DellDude that resides in an OU called marketing in the tacteam. net domain: DN: CN = DellDude, OU = Marketing, DC = tacteam, DC = net The distinguished name is a unique identifier for the object and is made up of several attributes of the object. It consists of the relative distinguished name, which is constructed from some attribute(s) of the object, followed by the distinguished name of the parent object. Each of the attributes associated with an object is defined in the schema. The schema defines the object classes and attribute types, and allows administrators to create new attributes and object classes specific to the needs of their network or company. For example, a “supervisor” attribute in a user account might contain the name of the user’s manager, whereas a “mail” attribute would contain the user’s e-mail address. Object classes define what the object represents (that is, user, computer, and so forth), and a list of what attributes are associated with the object. Because LDAP is binary, to view the attributes of an object, the information can be represented in LDAP data interchange format (LDIF). LDIF is used to show directory entries in an easy-to-follow format, and used when requests are made to add,
400 CHAPTER 9 Network Authentication
modify, or delete entries in the directory. The following is an LDAP directory entry with several attributes represented in LDIF: ■■
dn: cn = John Abraham, dc = syngress, dc = com
■■
cn: John Abraham
■■
givenName: John
■■
sn: Abraham
■■
telephoneNumber: 905 555 1212
■■
ext: 1234
■■
employeeID: 4321
■■
mail:[email protected]
■■
manager: Gary Byrne
■■
objectClass: organizationalPerson
As you can see by this entry, the attributes provide a wide degree of information related to the person represented by the object. By looking at this information, we can see contact information, employee identification numbers, the person’s manager, and other data. Other attributes could include the person’s social security number or social insurance number, home address, photo, expense account numbers, credit card numbers issued to the person, or anything else the company wished to include. Although this example reflects a user account, a similar wealth of information can be found in objects representing computers and printers (which would include IP addresses) and other resources on the network. As stated earlier, although useful to authorized users, it is also useful for unauthorized intruders who could use the information for identity theft, hacking specific computers, or any number of other attacks.
Securing LDAP LDAP is vulnerable to various security threats, including spoofing of directory services, attacks against the databases that provide the directory services, and many of the other attack types discussed in this book (for example, viruses, OS and protocol exploits, excessive use of resources and denial of service, and so forth). This isn’t to say that LDAP is completely vulnerable. LDAP supports a number of different security mechanisms, beginning from when clients initially connect to an LDAP server. LDAP clients must authenticate to the server before being allowed access to the directory. Clients (users, computers, or applications) connect to the LDAP server using a distinguished name and authentication credentials (usually a password). Authentication information is sent from the client to the server as part of a “bind” operation, and the connection is later closed using an “unbind” operation. Unfortunately, it is possible for users to make the connection with limited or no authentication, using either
Authentication Systems 401
anonymous or simple authentication. LDAP allows for anonymous clients to send LDAP requests to the server without first performing the bind operation. Although anonymous connections don’t require a password, simple authentication will send a person’s password over the network unencrypted. To secure LDAP, anonymous clients should be limited or not used, ensuring that only those with proper credentials are allowed access to the information. Optionally, the connection can use transport layer security (TLS) to secure the connection and protect any data transmitted between the client and server. LDAP can also be used over SSL, which extends security into the Internet. LDAPS is secure LDAP, which encrypts LDAP connections using SSL or TLS. Some of these types of services integrate as objects, such as PKI certificates, in the authentication process using Smart Card technologies, and in the extended properties of account objects so that they can support extra security requirements. To use SSL with LDAP, the LDAP server must have an X.509 server certificate. Additionally, SSL/TLS must be enabled on the server. Another issue that can impact the security of LDAP is packet sniffing. Packet sniffers are software that can capture packets of data from a network and allow a person to view its contents. If the information traveling over LDAP is unencrypted, the packets of data could be captured, and analysis of the packets could provide considerable information about the network. In addition to using encryption, ports can be blocked to prevent access from the Internet. LDAP uses TCP/UDP port 389 and LDAPS uses port 636. By blocking these ports from the Internet, it will prevent those outside of the internal network from listening or making connections to these ports. The challenge with using a protocol such as LDAP is that the connectivity must be facilitated through a script or program. These types of scripts must indicate the location of the objects within the directory service to access them. If the administrator wants to write a quick, simple script, this means that the name of the directory service and the names and locations of the objects that are being accessed must each be placed in the script and known prior to the script being written. If they need to access a different object, they usually need to rewrite the script or develop a much more complex program to integrate the directory services. Even so, compare scripting to native access with queries and interactive responses, and the value of a homogenous network with a single directory service is revealed. In a homogenous network, there is no need to logically connect two directory services with a script. This greatly reduces the time and effort involved in administering the network. Homogenous networks are unusual at best. With multiple types of network OSes, desktop OSes, and infrastructure OSes available today, it is likely that there will be multiple systems around. It follows that they all must be managed in different ways. LDAP-enabled Web servers can handle authentication centrally, using the LDAP directory. This means the users will only need a single login name and password for accessing all resources that use the directory. Users benefit from SSO to allow access to any Web server using the directory, or any password-protected Web page or site that uses the directory. The LDAP server constitutes a security realm, which is used to authenticate users.
402 CHAPTER 9 Network Authentication
Another advantage of LDAP security for Web-based services is that access control can be enforced based on rules that are defined in the LDAP directory instead of the administrator having to individually configure the OS on each Web server. There are security programs available, such as PortalXpert Security, which can be used with LDAP to extend enforcement of the security policies that are defined by the LDAP directory to Web servers that are not LDAP enabled, and provide rolebased management of access controls. Note For more detailed information about LDAP security issues, see the white paper titled “Introduction to Security of LDAP Directory Services” by Wenling Bao at the SANS Institute Web site at www.giac.org/certified_professionals/practicals/gsec/0824.php.
Password Authentication Protocol PAP is the simplest form of authentication for a remote access. This method was used earlier to authenticate users using username and passwords. The user provides username and passwords for authentication that is received by the access server and upon successful validation the server sends an ack for acknowledgment or a nack for failed authentication. This method is also known as a two-way handshake. PAP transmits the username and password in ASCII without any encryption. PAP was replaced with CHAP to provide more security.
Challenge Handshake Authentication Protocol One of the methods that can be used to protect information when using remote access to a resource is the CHAP. CHAP is a remote access authentication protocol used in conjunction with PPP to provide security and authentication to users of remote resources. You will recall that PPP replaced the older Serial Line Internet Protocol (SLIP). PPP not only allows for more security than SLIP, but also does not require static addressing to be defined for communication. PPP allows users to use dynamic addressing and multiple protocols during communication with a remote host. CHAP is described in RFC 1994, available at www.ietf.org/rfc/rfc1994. txt?number=1994. The RFC describes a process of authentication that works in the following manner: CHAP is used to periodically verify the identity of the peer using a three-way handshake. This is done upon initial link establishment and may be repeated anytime after the link has been established.
1. After the link establishment phase is complete, the authenticator sends a “challenge” message to the peer.
2. The peer responds with a value calculated based on an ID value, a random value, and the password using a “one-way hash” function such as MD5.
Authentication Systems 403
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection should be terminated.
4. At random intervals, the authenticator sends a new challenge to the peer, and repeats steps 1 to 3.
CHAP operates in conjunction with PPP to provide protection of the credentials presented for authentication, and to verify connection to a valid resource. It does not operate with encrypted password databases, and therefore is not as strong a protection as other levels of authentication. The shared secrets may be stored on both ends as a cleartext item, making the secret vulnerable to compromise or detection. CHAP may also be configured to store a password using one-way reversible encryption, which uses the one-way hash noted earlier. This provides protection to the password, because the hash must match the client wishing to authenticate with the server that has stored the password with the hash value. CHAP is better than PAP, however, because PAP sends passwords across the network in cleartext.
TACACS/TACACS+ RADIUS is not the only centralized RAS. TACACS is also used in authenticating remote users. TACACS has gone through three major “generations,” TACACS, XTACACS, and TACACS+. For the Security+ exam, you need to know about TACACS and TACACS+.
TACACS As stated previously, TACACS is the “old man” of centralized remote access authentication. TACACS was first developed during the days of ARPANET, which was the basis for the Internet. TACACS is detailed in RFC 1492, which can be found at httwww.cis. ohio-state.edu/cgi-bin/rfc/rfc1492.html. Although TACACS offers authentication and authorization, it does not offer any accounting tools. As mentioned earlier, a good RAS must fit all the criteria of the AAA model. Similar to RADIUS, a dial-up user connects to a RAS that prompts the user for their credentials. The credentials are then passed to the TACACS server, which either permits or denies access to the network.
TACACS+ Cisco decided to develop a proprietary version of TACACS known as TACACS+. The driving factor behind TACACS+ was to offer networking professionals the ability to manage all remote access components from a centralized location. TACACS+ is also credited with separating the AAA functions. TACACS+ is considered proprietary because its packet formats are completely different from those in TACACS or XTACACS, making TACACS+ incompatible with previous versions. Unlike previous versions of TACACS that used one database for all AAA, TACACS+
404 CHAPTER 9 Network Authentication
uses individual databases for each. TACACS+ was the first revision to offer secure communications between the TACACS+ client and the TACACS+ server. TACACS+ uses TCP as its transport and continues to gain popularity because it is easy to implement and reasonably priced. Exam Warning Make sure that you understand the difference between TACACS and TACACS+. The most important thing to remember is that TACACS uses UDP as its transport protocol while TACACS+ uses TCP. Also, TACACS+ is a proprietary version owned by Cisco.
Vulnerabilities The largest vulnerability in TACACS+ is the comparative weakness of the encryption mechanism. It’s possible for someone with physical network access to capture an authentication request from a client and manipulate it. This request would be accepted by the server; the encrypted reply would be sent but because the cleartext of that reply would be known, breaking the encryption would be a fairly simple task. Even worse, the encryption used in TACACS+ is based on a shared secret that is rarely changed, so a compromise at any point would ultimately expose future compromises. It is, therefore, a very good idea to regularly change the shared secrets used by TACACS+ clients. One of the biggest complaints regarding TACACS+ is that it does not offer protection against replay attacks. Replay attacks occur when a hacker intercepts an encrypted packet and impersonates the client using the information obtained from the decrypted packet. When files are sent over a network using TCP/IP, they are split into segments suitable for routing. This is known as packet sequencing. At the receiving end, the TCP/IP organizes the file into its original format before it was sent. Packet sequencing (along with time stamping) is the general method of preventing replay attacks; however, TACACS+ sessions always start with a sequence number of 1. If a packet cannot be reorganized in the proper sequence at the receiving end, the entire message (or file) is unusable. Other common weaknesses of TACACS+ include: ■■
■■
■■
■■
Birthday Attacks The pool of TACACS+ session IDs is not very large, therefore, it is reasonable that two users could have the same session ID. Buffer Overflow Such as RADIUS and TACACS+ can fall victim to buffer-overflow attacks. Packet Sniffing The length of passwords can be easily determined by “sniffing” a network. Lack of Integrity Checking An attacker can alter accounting records during transmission because the accounting data is not encrypted during transport.
Authentication Systems 405
Head of the Class Decisions to be Made: RADIUS versus TACACS+ Both RADIUS and TACACS+ get the job done. Both provide exceptional user authentication, both are transparent to the end user, and both have their share of problems. Specifically, the two issues that differentiate them are separation of duties and the need for reliable transport protocols. In terms of separation of duties, RADIUS lumps all of the AAA functions into one user profile, whereas TACACS+ separates them. We know that TACACS+ uses TCP for its transport protocol. Both RADIUS and TACACS, on the other hand, use UDP. If reliable transport and sensitivity to packet disruption is important, TACACS+ is the better fit.
Mutual Authentication Mutual authentication is a process where both the requestor and the target entity must fully identify themselves before communication or access is allowed. This can be accomplished in a number of ways. You can share a secret or you can use a DiffieHellman key exchange that provides a more secure method of exchange that protects the secret being used for the verification and authentication process. Another method that can be used for mutual authentication is the use of certificates. To verify the identities, the certificate authority (CA) must be known to both parties, and the public keys for both must be available from the trusted CA. This is occasionally used with SSL, where both the server and the client have certificates and each is used to confirm the identity of the other host. One area that uses the mutual authentication process is access of a user to a network via remote access or authentication via a RADIUS server. This case requires the presence of a valid certificate to verify that the machine is the entity that is allowed access to the network. For instance, early implementations of Windows-based RAS servers had the ability to request or verify a particular telephone number to try to verify the machine location. With the development of call forwarding technologies, however, it became apparent that this was no longer satisfactory. Mutual authentication allows you to set secure parameters and be more confident that communication is not being intercepted by a man-in-the-middle (MITM) attacker or being redirected in any way. Mutual authentication provides more secure communications by positively identifying both sides of a communication channel. However, it is often difficult or costly to implement. An example of this is in the online banking industry. Online banks use SSL certificates to confirm that the site the customer is communicating with is indeed the site they are expecting. With mutual authentication, this confirmation would be expanded so that the online banking site is certain that the user accessing an account is actually who they say they are. Setting up mutual authentication in this manner would involve requiring each user to obtain a certificate from a CA trusted by the online bank. Instructing the user on how to accomplish this would
406 CHAPTER 9 Network Authentication
be a daunting task. And what if they need to access their account from a different system? If the certificate is based on their home computer, they may need to obtain another certificate for use on a second system. Additional complexities such as lost certificates and the use of shared systems would also apply. With these complexities, mutual authentication is not implemented as frequently as it probably should be to ensure secure communications. Many security implementations such as IPsec or 802.1x as well as others provide the option of using mutual authentication, but it is up to the entities implementing the security to choose whether or not they will use that option. 802.1x and Extensible Authentication Protocol (EAP) provide for a mutual authentication capability. This makes the clients and the authentication servers mutually authenticating end points and assists in the mitigation of attacks from MITM types of devices. Any of the following EAP methods provide for mutual authentication: ■■
■■
■■
TLS requires that the server supply a certificate and establish that it has possession of the private key. Internet Key Exchange (IKE) requires that the server show possession of a preshared key or private key (this can be considered certificate authentication). GSS_API (Kerberos) requires that the server can demonstrate knowledge of the session key.
802.1x Methods The IEEE 802.1x standard was created for the purpose of providing a security framework for port-based access control that resides in the upper layers of the protocol stack. The most common method for port-based access control is to enable new authentication and key management methods without changing current network devices. The benefits that are the end result of this work include the following: ■■ ■■
■■
■■
There is a significant decrease in hardware cost and complexity. There are more options, allowing administrators to pick and choose their security solutions. The latest and greatest security technology can be installed and should still work with the existing infrastructure. You can respond quickly to security issues as they arise.
Exam Warning 802.1x typically is covered in the AAA sections of the Security+ exam, but is relevant to wireless networks because of the fact that it is quickly becoming the standard method of securely authenticating on a wireless network. Also, do not confuse 802.1x with 802.11x. When a client device connects to a port on an 802.1x-capable AP, the AP port determines the authenticity of the devices. Figure 9.8 shows a typical 802.1x authentication process.
Authentication Systems 407
Figure 9.8 802.1x Authentication Process
Before discussing the workings of the 802.1x standard, the following terminology must be defined: ■■ ■■
■■
■■
■■
■■
■■
Port A single point of connection to a network. Port Access Entity (PAE) controls the algorithms and protocols that are associated with the authentication mechanisms for a port. Authenticator PAE enforces authentication before allowing access to resources located off of that port. Supplicant PAE tries to access the services that are allowed by the authenticator. Authentication Server is used to verify the supplicant PAE. It decides whether or not the supplicant is authorized to access the authenticator. Extensible Authentication Protocol Over LAN (EAPoL) 802.1x defines a standard for encapsulating EAP messages so that they can be handled directly by a LAN MAC service. 802.1x tries to make authentication more encompassing, rather than enforcing specific mechanisms on the devices. Because of this, 802.1x uses EAP to receive authentication information. Extensible Authentication Protocol Over Wireless (EAPoW) When EAPoL messages are encapsulated over 802.11 wireless frames, they are known as EAPoW.
The 802.1x standard works in a similar fashion for both EAPoL and EAPoW. As shown in Figure 9.9, the EAP supplicant (in this case, the wireless client) communicates
408 CHAPTER 9 Network Authentication
Figure 9.9 EAP Over LAN (EAPoL) Traffic Flow
with the AP over an “uncontrolled port.” The AP sends an EAP Request/Identity to the supplicant and a RADIUS-Access-Request to the RADIUS access server. The supplicant then responds with an identity packet and the RADIUS server sends a challenge based on the identity packets sent from the supplicant. The supplicant provides its credentials in the EAP-Response that the AP forwards to the RADIUS server. If the response is valid and the credentials validated, the RADIUS server sends a RADIUS-Access-Accept to the AP, which then allows the supplicant to communicate over a “controlled” port. This is communicated by the AP to the supplicant in the EAP-Success packet.
Head of the Class So What Exactly Are 802.1x and 802.11x ? Wireless provides convenience and mobility, but also poses massive security challenges for network administrators, engineers, and security administrators. Security for 802.11 networks can be broken down into three distinct components: ■■
The authentication mechanism
■■
The authentication algorithm
■■
Data frame encryption
User Identification and Strong Authentication With the addition of the 802.1x standard, clients are identified by username, not by the MAC addresses of the devices. This design not only enhances security, but also streamlines the process of authentication, authorization, and accountability (AAA)
Authentication Systems 409
for the network. 802.1x was designed to support extended forms of authentication using password methods (such as one-time passwords, or GSS_API mechanisms such as Kerberos) and nonpassword methods (such as biometrics, IKE, and Smart Cards).
Dynamic Key Derivation The IEEE 802.1x standard allows for the creation of per-user session keys. Wireless Encryption Protocol (WEP) keys do not have to be kept at the client device or at the AP when using 802.1x. These WEP keys are dynamically created at the client for every session, thus making it more secure. The Global key, similar to a broadcast WEP key, can be encrypted using a Unicast session key, and then sent from the AP to the client in a much more secure manner.
IEEE 802.11w The IEEE 802.11b standard is severely limited because it is available only for the open and shared-key authentication scheme which is nonextensible. To address the weaknesses in the authentication mechanisms, several vendors (including Cisco and Microsoft) adopted the IEEE 802.1x authentication mechanism for wireless networks. The IEEE 802.11 standard is focused more on wireless LAN connectivity than on verifying user or station identity. Because wireless can potentially scale very high in the sheer number of possible users, it is important to consider a centralized way to have user authentication. However, as the management frames are unprotected malicious attacks are still a possibility. The IEEE 802.11w is a proposed amendment to the existing 802.11 standards to increase the security. This project is known as Protected Management Frames addressing the security of management frames. The 802.11w defines enhancements for integrity, authenticity, and confidentiality of the data and ensure protection from replay attacks.
Extensible Authentication Protocol EAP was originally defined under RFC 2284 and then redefined under the Internet Engineering Task Force (IETF) Internet draft dated September 13, 2002. EAP is an authentication protocol designed to support several different authentication mechanisms. It runs directly over the data link layer and does not require the use of Internet Protocol (IP). Note You can read more on the IETF Internet draft on EAP at www.potaroo.net/ietf/ids/ draft-ietf-pppext-rfc2284bis-06.txt.
EAP comes in several different forms: ■■ ■■
■■
EAP over IP (EAPoIP) Message Digest Algorithm/Challenge-Handshake Authentication Protocol (EAPMD5-CHAP) EAP-TLS
410 CHAPTER 9 Network Authentication
■■
EAP-TTLS
■■
RADIUS
■■
Cisco EAP-FAST
Each form of EAP has its own characteristics, but for the purpose of the Security+ exam you will only need to know what it is and its different formats.
Per-Packet Authentication EAP can support per-packet authentication and integrity protection, but it is not extended to all types of EAP messages. For example, negative acknowledgment (NACK) and notification messages cannot use per-packet authentication and integrity. Per-packet authentication and integrity protection works for the following (packet is encrypted unless otherwise noted): ■■
TLS and IKE derive session key
■■
TLS ciphersuite negotiations (not encrypted)
■■
IKE ciphersuite negotiations
■■
Kerberos tickets
■■
Success and failure messages that use a derived session key (through WEP)
Note EAP was designed to support extended authentication. When implementing EAP, dictionary attacks can be avoided by using non-password-based schemes such as biometrics, certificates, OTP, Smart Cards, and token cards. Using a password-based scheme should require the use of some form of mutual authentication so that the authentication process is protected against dictionary attacks.
Test Day Tip It is helpful to write out a table showing the various authentication methods used in 802.11 networks (for example, open authentication, shared-key authentication, and 802.1x authentication) with the various properties each of these authentication methods require. This will help to keep them straight in your mind when taking the test.
Notes from the Field Vulnerabilities 802.1x is not without its share of vulnerabilities. The WEP uses a stream cipher known as the RC4 encryption algorithm. A stream cipher operates by expanding a short key into a key stream. The sender combines the key stream with the original message (known as the
Authentication Systems 411
plaintext message) to produce ciphertext. The receiver has a copy of the same key and uses it to generate an identical key stream. The receiver then applies the key to the ciphertext and views the plaintext message. This mode of operation makes stream ciphers vulnerable to attacks. If an eavesdropper intercepts two ciphertexts encrypted with the same key stream, they can obtain the eXclusive OR (XOR) of the two plaintexts. Knowledge of this XOR can enable statistical attacks to recover the plaintexts. One such vulnerability was discovered by the Fluhrer, Mantin, and Shamir group. The attack (known as the Fluhrer, Mantin, and Shamir attack) is exploited because of the key scheduling algorithm of RC4. There are certain weak keys that allow for statistical determination of the keys when those keys are used. The Fluhrer, Mantin, and Shamir attack involves guesswork and creativity, because you have to guess the first byte of plaintext data being transmitted. When data is encrypted before transmission, a piece of data called the initialization vector (IV ) is added to the secret key. Fluhrer, Mantin, and Shamir discovered that the IV was transmitted in the clear, and they recovered the 128-bit secret key used in a production network. There are also tools available for download on the Internet, which can be used to exploit the vulnerabilities of WEP. Two of the most common tools are AirSnort and WEPCrack.
Protected EAP Protected Extensible Authentication Protocol (PEAP) is a member of the family of EAP. PEAP uses TLS to create an encrypted channel between the client supplicant and the RADIUS server. PEAP provides additional security for the client-side EAP authentication protocols, such as EAP-MS-CHAPV2, that can operate through the TLS encrypted channel. PEAP is used as an authentication method for 802.11 wireless and wired client computers, but is not supported for VPN or other remote access clients. Security and ease of deployment make PEAP a popular choice for authentication. The advantages of PEAP are as follows: ■■
■■
■■
■■
Windows 2008, Windows Server 2003, Windows 2000, Windows XP, and Pocket PC 2002 offer support for PEAP (either natively or with a system update), so there is no need for you to install third-party client software. NPS in Windows 2008 and IAS in Windows 2003 is the Microsoft implementation of the RADIUS Protocol. Windows 2000 Server and Windows Server 2003 support PEAP, so there is no need to install third-party RADIUS software. PEAP uses a TLS channel to protect the user credentials. Other password-based methods (such as LEAP and EAP-MD5) do not create a TLS-channel and are exposed to offline dictionary attacks on the user credentials. Using the TLS channel from the client to the authentication server, PEAP offers end-to-end protection, not just over the wireless data link. This is particularly important when a mobile user is using a public network to access a private
412 CHAPTER 9 Network Authentication
network. For non-TLS schemes (LEAP and EAP-MD5), the password is exposed to attack on the wireless link and across the public network. ■■
■■
■■
■■
■■
■■
■■
■■
PEAP supports any EAP compatible methods. PEAP is also defined as an extensible authentication method that can embrace new EAP authentication schemes as they become ratified. Microsoft Windows PEAP supports passwords and certificate authentication and allows any EAP-based method provided by partners to be used within PEAP. Within the TLS channel, PEAP hides the EAP type that is negotiated for mutual client/server authentication. This helps to prevent an attacker from injecting packets between the client and the network AP. Also, because each packet sent in the TLS channel is encrypted, the integrity of the authentication data can be trusted by the PEAP client and server. PEAP offers strong protection against the deployment of unauthorized wireless APs because the client verifies the RADIUS server’s identity before proceeding ahead with further authentication or connectivity. The wireless AP is unable to decrypt the authentication messages protected by PEAP. PEAP offers highly secure keys that are used to encrypt the data communications between the clients and wireless AP. New encryption keys are derived for each connection and are shared with authorized wireless APs accepting the connection. Unauthorized wireless APs are not provided with the encryption keys. PEAP does not require the deployment of certificates to wireless clients. Only the PEAP server (authentication server) needs to be assigned a certificate. The PEAP server certificate can be managed using an internal certification authority (CA) product, or acquired from a certificate management company, such as VeriSign and Thawte. Password-based schemes rely on strong passwords to help defend against bruteforce hacking. With PEAP, although you should still follow best practices for strong passwords and management, users’ credentials are not exposed to the same attack, because their credentials are protected by TLS. Microsoft offers native support for PEAP so that a user can use the same logon credentials for all network connections and applications. PEAP integrates seamlessly with Microsoft Windows domain policy, Group Policy, and logon scripts. This means that PEAP by default transparently uses the same logon credentials you type when you first log into your network.Alternatively, you can specify that PEAP authentication should use different logon credentials, if you are not concerned about preserving the “single logon” experience for your users. Non-TLS schemes (EAP-FAST and EAP-MD5) do not support single logon, logon scripts, or Group Policy. Authentication schemes for which there are no standards or publicly available specifications will not receive rigorous peer security review. PEAP is an
Summary of Exam Objectives 413
open standard supported under the security framework of the IEEE 802.1x specification. ■■
■■
■■
PEAP offers security and efficiency when used with roaming wireless devices. Authentication latency is frequently a concern with wireless networks, because users may need to reconnect to a network through a number of AP devices as they roam. As a result, it is valuable to be able to quickly perform re-authentication. PEAP supports this capability through the TLS session resumption facility, and any EAP method running under PEAP can take advantage of it. PEAP provides support for EAP authentication methods such as EAP-TLS and EAP-MS-CHAPV2 that can perform computer authentication. The PEAP protocol specifies an option of hiding a user’s name known as identity privacy.
Summary of Exam Objectives In this chapter, you worked on concepts tested in the Security+ exam relating to general security concepts security domain. According to the latest CompTIA Security+ exam objectives, about 30 percent of exam objectives are from the abovementioned concepts including various methods of authentication. You should be able to identify and differentiate various authentication methods based on the features presented. We started with discussion on remote access policies. Remote access policies define the clients’ access methods, protocols before authentication, and access permissions upon successful authentication. We reviewed the concepts of authentication factors such as one-factor, two-factor, and multifactor. We also viewed the concept of using third-party authentication tools such as multifactor authentication, which can be provided by the use of a PIN and identification card, token technologies, and the use of biometrics. Authentication protocols are chosen based on the applications, complexity, and level of security needs. Kerberos provides access through secure encrypted keys and issuance of tickets. CHAP validates the identity of the clients through three-way handshake (challenge, response, success or failure). RADIUS is the most popular of all the AAA servers, which include RADIUS, TACACS, and TACACS+. Although TACACS offers authentication and authorization, it does not offer any accounting tools. TACACS+ is credited with separating the AAA functions. We learned the differences between RADIUS, TACACS, and TACACS+. TACACS+ uses TCP as its transport instead of UDP. Mutual authentication is a process where both the requestor and the target entity must fully identify themselves before communication or access is allowed. The IEEE 802.1x methods are also covered by the communications security domain of Security+ exam objectives. We also reviewed Extension Authentication Protocol and P rotected EAP. This, in addition to the topics covered by
414 CHAPTER 9 Network Authentication
Chapter 7, covers Security+ exam objectives on wireless network technology and concepts.
Exam Objectives Fast Track Authentication Methods ■■
■■
■■
■■
One-factor authentication is the simplest form of authentication through usernames and passwords. Two-factor authentication involves token cards and PIN as in the case of bank ATM cards. Three-factor or multifactor authentication involves additional authentication mechanisms such as biometrics. SSO is the process of authenticating the user once and allowing access to multiple independent software applications.
Authentication Systems ■■
■■
■■ ■■
■■ ■■
■■
■■
■■ ■■
■■
Remote access policies define the clients’ access methods, protocols before authentication, and access permissions upon successful authentication. Biometrics is used with devices that have the ability to authenticate something you already have, such as a fingerprint or retinal image. RADIUS is an acronym of Remote Access Dial-In User Service. RADIUS is the most popular of all the authentication, authorization, and accounting (AAA) servers. RADIUS supports a number of protocols including PPP, PAP, and CHAP. Kerberos is a multiplatform authentication method that requires tickets (tokens) and a KDC. It exists as a realm in most platforms and is utilized in the domain environment in Windows Active Directory structures. Directory services are used to store and retrieve information about objects, which are managed by the service. LDAP services are used to access a wide variety of information that’s stored in a directory. All popular NOS implement directory services similar to LDAP. CHAP offers a three-way handshake mechanism (challenge, response, and accept/reject). CHAP can utilize a shared secret, and uses a one-way hash to protect the secret. CHAP is more secure than PAP, as PAP transmits the password in cleartext.
Exam Objectives Frequently Asked Questions 415
■■ ■■
■■
RADIUS and TACACS use UDP, and TACACS+ uses TCP Mutual authentication consists of using various methods to verify both parties to the transaction to the other. 802.1x uses EAP for passing messages between the supplicant and the authen ticator.
Exam Objectives Frequently Asked Questions Q: What is the difference between access controls and authentication? They seem to be the same. A: Access controls set the condition for opening the resource.This could be the time of day, where the connection originates, or any number of conditions. Authentication verifies that the entity requesting the access is verifiable and who the entity is claiming to be. Q: How do I choose a suitable authentication factor from various authentication factors available? A: Based on the applications you use and the level of security you want to provide you should choose the authentication factor. One-factor is simple and less secure. It uses passwords only. Two-factor introduces a further level of security by token cards and PIN. Multifactor authentication involves biometrics, voice recognition, or such higher levels of security. Cost implication and ease of roll-out in large scale need to be considered in addition to security concerns while choosing multifactor authentication mechanisms. Q: What are the devices that can be configured as RADIUS clients? A: Various network devices including routers, switches, and WAPs can be configured as RADIUS clients. Q: TACACS or TACACS+? Please advise A: TACACS+ is a proprietary Cisco protocol. It uses TCP.TACACS uses UDP and does not offer accounting tools. When your network is predominantly Cisco you may consider TACACS+. All aspects of AAA are offered by TACACS+. Q: What are the factors that influence PEAP deployment? A: PEAP uses TLS to create an encrypted channel between the client supplicant and the RADIUS server. PEAP provides additional security for the client-side EAP authentication protocols, such as EAP-MS-CHAPV2, that can operate through the TLS encrypted channel. When you need to implement a higher level of security and are looking for a wide range of NOS platforms for deployment you may want to consider PEAP.
416 CHAPTER 9 Network Authentication
Self Test
1. You are acting as a security consultant for a company wanting to decrease their security risks. As part of your role, they have asked that you develop a security policy that they can publish to their employees.This security policy is intended to explain the new security rules and define what is and is not a cceptable from a security standpoint as well as defining the method by which users can gain access to IT resources. What element of AAA is this policy a part of? A. Authentication C. Access control B. Authorization D. Auditing
2. One of the goals of AAA is to provide CIA. A valid user has entered their ID and password and has been authenticated to access network resources. When they attempt to access a resource on the network, the attempt returns a message stating,“The server you are attempting to access has reached its maximum number of connections.”Which part of CIA is being violated in this situation? A. Confidentiality C. Availability B. Integrity D. Authentication
3. You are performing a security audit for a company to determine their risk from various attack methods. As part of your audit, you work with one of the company’s employees to see what activities he or she performs during the day that could be at risk. As you work with the employee, you see him or her perform the following activities: Log in to the corporate network using Kerberos Access files on a remote system through a Web browser using SSL Log into a remote UNIX system using SSH Connect to a POP3 server and retrieve e-mail Which of these activities is most vulnerable to a sniffing attack? A. Logging in to the corporate network using Kerberos B. Accessing files on a remote system through a Web browser using SSL C. Logging into a remote UNIX system using SSH D. Connecting to a POP3 server and retrieving e-mail
4. You are reading a security article regarding penetration testing of various authentication methods. One of the methods being described uses a timestamped ticket as part of its methodology. Which authentication method would match this description? A. Certificates C. Kerberos B. CHAP D. Tokens
Self Test 417
5. You are a security consultant for a large company that wants to make its intranet available to its employees via the Internet.They want to ensure that the site is as secure as possible.To do this, they want to use multifactor authentication.The site uses an ID and password already but they want to add security features that ensure that the site is indeed their site, not a spoofed site, and that the user is an authorized user. Which authentication technology supports this? A. Certificates B. CHAP C. Kerberos D. Tokens
6. You are developing a password policy for a company. As part of the password policy, you define the required strength of the password. Because of the security requirements for the company, you have required a minimum length of 14 characters, the use of uppercase and lowercase alphabetic characters, the use of numbers, and the use of special characters. What else should you require? A. No dictionary words allowed in the password B. No portion of the username allowed in the password C. No personal identifiers allowed in the password D. All of the above
7. You have been asked to help a company implement multifactor authentication.They want to make sure that the environment is as secure as possible through the use of biometrics. Based on your knowledge of authentication, you understand that biometrics falls under the “something you are” category. Which other category should be used with the biometric device to provide the highest level of security? A. Something you know B. Something you have C. Something you do D. All of the above
8. You are attempting to query an object in an LDAP directory using the distinguished name of the object.The object has the following attributes: cn: 4321 givenName: John sn: Doe telephoneNumber: 905 555 1212 employeeID: 4321 mail: [email protected] objectClass: organizationalPerson
418 CHAPTER 9 Network Authentication
Based on this information, which of the following would be the distinguished name of the object? A. dc=nonexist, dc=com B. cn=4321 C. dn: cn=4321, dc=nonexist, dc=com D. [email protected]
9. You are creating a new LDAP directory, in which you will need to develop a hierarchy of OUs and objects.To perform these tasks, on which of the following servers will you create the directory structure? A. DIT B. Tree server C. Root server D. Branch server
10. When you are using LDAP for authentication in an internetworking environment, what is the best way to ensure that the authentication data is secure from packet sniffing? A. Use LDAP to keep all passwords encrypted when transmitted to the server B. Use LDAP over SSL/TLS to encrypt the authentication data C. Require that the clients use strong passwords so that they cannot easily be guessed D. Use LDAP over HTTP/S to encrypt the authentication data 11. Which password attack will take the longest to crack a password? A. Password guessing B. Brute force attack C. Dictionary attack D. All attacks are equally fast 12. The company you are working for has decided to do something to make their workstations more secure.They have decided to give all users a Smart Card for use with system logins. Which factor of authentication is utilized with this new requirement? A. Something you know B. Something you have C. Something you are D. Something you do
Self Test Quick Answer Key 419
13. Choose the correct set of terms: When a wireless user, also known as the ___________ wants to access a wireless network, 802.1x forces them to authenticate to a centralized authority called the ____________. A. Authenticator; supplicant B. Supplicant; authenticator C. Supplicant; negotiator D. Contact; authenticator 14. One of the biggest differences between TACACS and TACACS+ is that TACACS uses _________ as its transport protocol and TACACS+ uses _________ as its transport protocol. A. TCP; UDP B. UDP;TCP C. IP;TCP D. IP; UDP 15. EAP is available in various forms including: A. EAPoIP, EAP-TLS, EAP-TTLS, RADIUS, Cisco LEAPEAP-FAST B. EAPoIP, EAP-TLS, EAP-MPLS, RADIUS, EAP-FAST C. EAPoIP, EAP-TLS, EAP-TTLS, RADIUS, Cisco PEAP D. EAPoIP, EAP-TLS, EAP-TTLS, Kerberos, EAP-FAST
Self Test Quick Answer Key 1. 2. 3. 4. 5.
C C D C A
6. 7. 8. 9. 10.
D D C C B
11. 12. 13. 14. 15.
B B B B A
This page intentionally left blank
PART
Assessments and Audits
4
This page intentionally left blank
CHAPTER
Risk Assessment and Risk Mitigation
10
TER
E x a m o b j e c tiv e s in this c hapt e r Conduct Risk Assessments and Implement Risk Mitigation��������������������������������������������������� 423 Use Monitoring Tools on Systems and Networks������������������������������������������������������������������ 430
Introduction Risk assessment and risk mitigation involve a wide variety of activity. Risk assessment falls into two primary categories: qualitative and quantitative. Qualitative risk assessments are more general in nature where the assessment team conducts interviews and discussions with stakeholders regarding their opinion of where system risks lie in a network and the impact of those risks to the business as a whole. Quantitative risk assessments are more tangible in that they involve conducting vulnerability assessments as well as analysis of the results gathered to define the overall risk to a network from a particular threat. In its simplest form, risk mitigation involves taking the results of the analysis (whether qualitative or quantitative) and then developing a plan of action to either directly remediate the risk or to transfer the risk somewhere else (as in the case of risk transfer through insurance). In this chapter, we will focus on qualitative risk assessment through vulnerability assessment. In addition, we will look at some of the monitoring tools available and how logging and auditing fit into the overall process of risk assessment. The exam objectives of this chapter test your knowledge of risk assessments and analysis methodologies, including documentation, measurability, and repeatability. It will also test your knowledge of risk mitigation strategies used in defining security requirements, and finally modeling risk bases assessments and control requirements.
Conduct Risk Assessments and Implement Risk Mitigation Risk assessments are a critical tool in ensuring clients, and your internal needs, are being met in regards to security. Often enough, laws and regulations will mandate
423
424 CHAPTER 10 Risk Assessment and Risk Mitigation
you to have periodic risk assessments performed. The Healthcare Information Privacy and Portability Act (HIPAA) is often a driving need as well as the Gramm–Leach– Bliley Act (GLBA). By conducting these risk assessments, you can help uncover any weakness you may have within your information technology (IT) infrastructure, procedures, policies, or business applications. The goal of a risk assessment is to test everything possible, and to create a report that will be read by your management and customers, showing what was performed, what was discovered, and how issues were addressed. In many cases, risk assessments are carried out using vulnerability assessment tools. The concept is that vulnerabilities are directly related to overall risk. These tools do not consider the impact to risk of poor policies, standards, and procedures and are beyond the scope of this discussion.
Vulnerability Assessment Tools The most common vulnerability assessment tool utilized is a port scanner. Port scanners are used to search a network for open ports. This is often the most basic of tools utilized by IT, security staff, and third-party organizations to review the security of their networks both internally and externally. A port scan is used to scan hosts and other network devices for listening ports. To portsweep is to scan multiple hosts for listening ports. Common port scanning software includes Nmap, Scanmetender, Supercan, and NHS Nohack Scanner.
Vulnerability Scanners Vulnerability scanners are designed to map systems for weaknesses. They can often perform port scanning as well as checking for any applications that may be running. Vulnerability scanners also run reports to show what information they can determine about the system, such as the operating system (OS), service pack level, or applications installed and/or running on the host. Based on that information, the scanner may attempt to exploit a known vulnerability to verify that it is actually there or just look for a specific response to input that is known to exploit a vulnerability (this is typically not done by “friendly” scans). Additional information regarding vulnerability scans: http://windowsitpro.com/ article/articleid/43888/vulnerability-scanners.html
Protocol Analyzers Protocol analyzers are a vital part of a network administrator’s and security administrator’s tools kit. Protocol analyzers can monitor the traffic on a network and expose data and protocols that are being passed along the wire.
Exercise 1 Packet Sniffing One of the operations performed in security monitoring and analysis is packet sniffing—the analysis of network traffic and packets being transmitted to and
Conduct Risk Assessments and Implement Risk Mitigation 425
from the equipment. This involves using appropriate software to intercept, track, and analyze the packets being sent over the network. In this exercise, you are going to do some packet sniffing and detection work. The steps you use will give you the opportunity for first-hand experience on what has been discussed so far about authentication. Analysis of the traffic on your network provides you with the opportunity to detect unwanted and unauthorized services, equipment, and invaders in your network. Many products exist that allow you to analyze the traffic on your network. A number of these are proprietary. For example, Microsoft provides Network Monitor on Windows-based server products for use by administrators and server operators to examine network traffic to and from individual machines. A higher-powered version is available in other Microsoft products, including System Management Server (SMS) v. 2003 R2. (SMS is System Center Configuration Manager 2007.) Products are also available from vendors such as Fluke Networks, Network Associates Sniffer Pro product line, and Agilent’s Advisor product. Best of all, there are free products. To try this exercise, use any of the above products or one of the following: ■■
ettercap http://ettercap.sourceforge.net/
■■
Wireshark www.wireshark.org
This exercise is described using the free tool, Ettercap. Let’s get started by verifying the presence of cleartext passwords that are sent on networks daily. Perform the following steps to set up for the exercise. 1.
Download and install your tool of choice. Note that Ettercap and Wireshark are available for most platforms as either built binaries or can be installed from source code.
2.
Find and note the following information: your POP3 server’s fully qualified domain name (FQDN) or Internet Protocol (IP) address, a valid username for that server, and a valid password for that server.
3.
Launch the application you are using (these notes are for Ettercap).
4.
In Ettercap, after you have launched the application with the –G option and are at the initial screen (see Figure 10.1), click Sniff and select the Unified sniffing option.
5.
Choose to monitor the appropriate network interface if you have more than one interface configured. In Windows, pick the actual network adapter, not the Network Device Interface Specification Wide Area Network virtual connection.
6.
You can then click Start and select Start sniffing.
7.
Your display should now begin to detect and record the network activities on your local area network (LAN).
426 CHAPTER 10 Risk Assessment and Risk Mitigation
Figure 10.1 The Ettercap Main Screen
To capture the traffic with your e-mail server, you can do either of the following (note this assumes that you are using either POP3 or IMAP4 as your mail user agent [MUA] download protocol): 1.
Launch your e-mail application and retrieve your e-mail from the POP3/IMAP4 server.
2.
Using Telnet, connect to port 110 (POP3) on your e-mail server’s IP address, and enter USER <username> and PASS <password> to log in to the e-mail server. Enter quit to exit and return to Ettercap.
3.
After you have authenticated manually or retrieved your e-mail, change to the Ettercap window, click Start and select Stop sniffing.
4.
Click View and select Connections. This will bring up the list of connections captured by Ettercap. Find the line in the Ettercap display that matches the POP3 server that you connected to and double-click it. This will bring up a display showing the captured data from your client and from the server. Sample output can be seen in Figure 10.2.
Notice that Ettercap has captured the username and password that you entered or that your e-mail program sent to the e-mail server. Because you use POP3 (or
Conduct Risk Assessments and Implement Risk Mitigation 427
Figure 10.2 Ettercap Packet Capture
IMAP4) these credentials have been sent and received in cleartext, and thus are readable by anyone actively monitoring the network either in LAN or at the connection at the e-mail server. As indicated, unless you have taken steps to secure this traffic, these passwords are not protected during this process.
Open Vulnerability and Assessment Language The Open Vulnerability and Assessment Language (OVAL) is a language to determine the presence of vulnerabilities and confirmation of problems on a computer system. Prior to OVAL, there was no common means for system administrators to determine if software vulnerabilities existed or if patches were installed on local systems. The language standardizes the three main steps of assessments, which are as follows:
1. Representing configuration information systems for testing
2. Analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, and so forth)
3. Reporting the results as the assessment
428 CHAPTER 10 Risk Assessment and Risk Mitigation
OVAL is not a vulnerability scanner, but instead is an open language to determine whether software vulnerabilities exist. OVAL also allows vendors and administrators to collaborate to develop additional definitions. Some of the benefits of using OVAL include the following: ■■ ■■
■■
■■
OVAL is restricted to publicly known configuration issues and vulnerabilities. OVAL definitions help users determine the presence of vulnerabilities or configuration issues on systems before they can be exploited. You must have root-level or system administrator access to employ the vulnerability information in an OVAL definition. The availability of the detailed technical information about vulnerabilities or configuration issues in OVAL definitions reduces the need for releasing exploit code to the public.
For more information see the main OVAL Web site at http://oval.mitre.org/
Password Crackers One aspect of a vulnerability assessment is to run a password cracker to test the strength of user and administrator passwords in a network environment. Password crackers range from the old L0phtCrack (originally a freely available tool which later became a commercial product) to the open source John the Ripper. Initially developed on the UNIX operation system, John the Ripper combines a number of password crackers into a single application. It offers the use of the dictionary attack as well as a brute force attack. The dictionary attack uses a wordlist file containing words commonly found in a dictionary. John also keeps a dictionary of previously cracked passwords stored in a hash form in a file called john.pot. If John cannot crack the passwords in a given file using either the dictionary attack or by finding a matching hash in the john.pot, then it will switch to a brute force attack. The brute force mode goes through as many texts as possible, hashing them and then comparing it to the input. This particular attack can take a long time to run as it is used to crack passwords not commonly found in dictionaries. For further information and download, see: www.openwall.com/john/
John the Ripper In the following sample output, John the Ripper is being run using the wordlist (the –w flag) password.lst against the password file pass.txt. The target file must match a specific format for John to be able to identify the password correctly. The format can be anything from the UNIX password file format, the shadow file, a Windows security accounts manager (SAM) format, to a simple file where the username and password are separated by a semicolon. If the target system splits the password file into an /etc/password and an /etc/shadow where the actual passwords are stored in the /etc/shadow, John includes a utility called unshadow to merge the two files together.
Conduct Risk Assessments and Implement Risk Mitigation 429
root@0[john-1.6.37]# cat pass.txt user:AZl.zWwxIh15Q root@0[john-1.6.37]# john -w:password.lst pass.txt Loaded 1 password hash (Traditional DES [24/32 4K]) example (user) guesses: 1 time: 0:00:00:00 100% c/s: 752 trying: 12345 - pookie
Elcomsoft Password Auditor Elcomsoft Password Auditor is a commercial password auditing tool used by Administrators to determine the strength of passwords, as well as exposing insecure passwords. Elcomsoft Password Auditor can do the following:
1. Test the strength of user passwords
2. Recover passwords
3. Use brute force and dictionary methods, as well as others
L0phtCrack L0phtCrack is a password auditing and recovery application. The most recent version of the application (L0phtCrack 6) is used to test password strength. It can also be used to recover Microsoft Windows passwords by using brute force as well as dictionary attacks. It also uses a concept called rainbow tables, which is a lookup table to recover plaintext passwords from hash function output. In essence, a rainbow table is a big one-to-one mapping of a password to the hash output that is stored in a password file or the Windows SAM database. All possible password combinations have their hashes calculated and then stored in either a database or a simple text file making lookups easy and eliminating the need for brute force calculations of passwords.
Network Mapping Tools Network mapping tools are used by administrators to discover and ensure what devices are on their network. These tools enable you to map out the network, discover any new devices as well as any potential security holes due to unauthorized applications and services. System and network scanning, when viewed from the context of a security system specialist or security administrator, is the use of appropriate technologies to detect and repair potential areas of vulnerability within a network or a system. This effort involves tools that are used to evaluate potential or real problems that could lead to a security breach. Among these you may see or use tools that have the following capabilities: ■■
Check the strength of and compliance with password policies
■■
Measure the capability to access networks from an outside or foreign network
430 CHAPTER 10 Risk Assessment and Risk Mitigation
■■
■■
Provide analysis of known security vulnerabilities in network operating systems (NOSes) or hardware devices Test the responses of a system to various scenarios that could lead to denial of service (DoS) or other problems such as a system crash
System scanning is useful in a number of different areas. In addition to scanning for security weaknesses, it can be used to test the capability and performance of monitoring tools such as intrusion detection systems (IDS) to correctly identify common attacks. Although the primary emphasis is to provide security, you also have an obligation under the concepts of authentication, authorization, and accountability (AAA) and the confidentiality, integrity, and availability (CIA) triads, to provide system availability and dependability. Use of the appropriate network and machine monitoring tools can help to detect and eliminate congestion and traffic problems on the network, high processor loads, or other deviances in system performance as well as bad or failing components. This can provide alerts to potential problems that may accompany other types of activity. There are a number of security scanning options available and a list of some of these can be found at http://sectools.org. Along with the ability to evaluate and mount attacks against systems, you must also use tools that are appropriate to the NOS that you are using, clients you are operating, and the devices you use to communicate on the networks. As you scan, you are searching for known problems that exist in each of these areas and detailing the potential for harm to your systems. Use these tools to proactively check and repair these vulnerabilities and to provide a stable and problem-free environment. There are many benefits to being proactive in the system and network scanning area. It is much better to spot trends and to track them in relation to potential attacks or DoS attacks than to be taken unaware. Vigilance, good planning, and use of the tools can eliminate many of the security issues that occur. Remember that a high percentage of attacks or problems in systems come from inside networks. Scan and be informed.
Use Monitoring Tools on Systems and Networks Many large networks employ some form of ongoing monitoring or diagnostic routine to continually keep administrators aware of the status of the network and allow for proactive corrective actions to potential problems. This can be done with monitoring software or with dedicated devices located on the network. In large network configurations, some network administrators may leave a remotely accessible sniffer attached to a switch. This allows the administrator to span the ports on the switch and remotely sniff the network traffic. This is a great tool for network administrators, but if an intruder were to access this system, they could potentially gather data from anywhere in the network. If a device like this is left accessible on the network, it is best to use a strong password to access the device. In addition, using an encrypted session to communicate with the device will prevent eavesdropping on the sniffing session.
Use Monitoring Tools on Systems and Networks 431
Another common device generally left attached to networks is some form of iagnostic equipment. This can range from a simple meter for checking cable d lengths to more advanced equipment capable of diagnosing network problems. Some of the better diagnostic equipment can be remotely accessed and controlled through Transmission Control Protocol/Internet Protocol (TCP/IP). Again, this is an extremely useful tool for network administrators, but the data available from this tool can be very dangerous in the hands of an intruder. The same security practices apply to these devices. Strong passwords and encrypted sessions should always be the default strategy when dealing with network monitoring or diagnostic equipment that is remotely accessible. The vulnerabilities associated with these devices are generally limited to the ability of intruders to gather data. With the data that can be gathered from these devices, an intruder can get enough information to cause unlimited damage to a network or gather a great deal of confidential information. What is the single best security policy for these devices? If possible, do not connect them until they are needed. Exam Day Tip Remember that sniffing a network is a passive attack but can provide a huge amount of information that can later be used for active attacks.
Workstations The term workstation basically refers to any computer system that the end users of a network work on, assuming that the end users do not use servers for their normal dayto-day work. Workstations are typically one of the most vulnerable devices attached to a network. Flaws or bugs in all workstation OSes provide ample opportunity for attackers to gain remote access to systems, to copy data from the workstations, or to monitor the traffic and gather passwords for access to more systems. In addition, workstations are more vulnerable simply because there are typically more workstations on a network than any other network device. The sheer quantity of workstations makes it more difficult to ensure that they are all as secure as possible. The protocols used by workstations present another possible vulnerability. Since most networks today operate using TCP/IP as the primary protocol, the TCP/IP stack of the workstations is vulnerability. There are many exploits available that cause stack overflows or cause a workstation to be unable to communicate effectively on the network. A DoS attack using malformed TCP/IP packets can cause a workstation to be unable to communicate and can also overload the system to the point that it becomes nonfunctional. In addition, workstations using the Windows OS usually have additional ports open for using NetBIOS, which is used for file and printer sharing as well as many other aspects unique to Windows network. NetBIOS can introduce vulnerabilities that could allow attackers to remotely access files on the workstation. Even if the shares on a system are password-protected, they can be hacked as NetBIOS has many weaknesses. Administrators should always be careful of open shares on the system and follow appropriate guidance in securing NetBIOS as well as other file-sharing
432 CHAPTER 10 Risk Assessment and Risk Mitigation
protocols. Workstations may also be vulnerable to man-in-the-middle attacks or hijacked sessions. These attacks allow an attacker to monitor or control communications between the workstation and another system. Other exploit functions of the OS are provided through external libraries or other software, which is likely to be running on a workstation. A good example is the Web browser. Windows includes Internet Explorer (IE) as a part of the OS. Other browser software includes Firefox, Opera, Safari, Google Chrome, and the older Mozilla browser. The browser has become a favorite medium of attack against a system. A typical scenario where the Web browser is the medium of attack against a system includes an end user going to a Web site that contains malicious code or malware. The malware exploits vulnerability found in the browser. If the code is successful one possible outcome could be remote access to the system. Some recently exploited vulnerabilities focus on the way that the OS or ancillary software handles specific files such as images or Vector Markup Language (VML) messages. These attacks use vulnerabilities discovered in external library files, which can cause the OS or application to modify the way they behave due to certain data being processed through the library files. An example of this type of attack can be seen in Exercise 2.
Exercise 2 Performing a Simple Metasploit Attack For this exercise, you will be using one of the many freely available exploit programs to perform an attack. Metasploit is an excellent penetration testing application that allows you to very quickly and easily generate an attack against a vulnerable host. Although Metasploit does have the capability to check hosts for specific vulnerabilities, it is generally faster to use a separate scanning tool to find vulnerable systems on your network and then to use Metasploit to test them. Metasploit can be found at www.metasploit. org. For this exercise, we will be using version 3.0 beta 3 (see Figure 10.3).
Figure 10.3 Metasploit Main Screen
Use Monitoring Tools on Systems and Networks 433
Figure 10.4 Metasploit Ready Screen
The specific exploit used in this example uses a vulnerability found in Winamp version 5.12 and uses the IE browser in conjunction with a Winamp playlist. More details on this exploit can be found at www.securityfocus.com/ bid/16410.
Figure 10.5
1.
After downloading the application, install it and open the MSFConsole (see Figure 10.4).
2.
Run the following Metasploit commands:
Exploited Winamp Playlist
■■
Use windows/browser/winamp_playlist_unc
■■
set PAYLOAD windows/shell_bind_tcp
■■
Run the exploit against the specified IP address. It will attempt to search for known exploits against that IP address.
3.
At this point, your test exploit is ready to test. Assuming that you have Winamp 5.12 installed and associated with playlist (.pls) files, you should be able to browse to the uniform resource locator (URL) shown in the Metasploit console window and see the effects of the exploit using IE. Winamp should start automatically and show a playlist (see Figure 10.5).
4.
So how can we tell that the payload was delivered? The windows/shell_bind_ tcp payload by default opens a listening port on TCP port 4444 for incoming
434 CHAPTER 10 Risk Assessment and Risk Mitigation
Figure 10.6 Open Command Shell on Target System
connections. By connecting to this port using Telnet we can open a command shell to the target system (see Figure 10.6). The largest security concern in relation to workstations is the end user. End users always have local access (the ability to work at the local console) to their workstation, which can cause some big security problems, ranging from changing a password to something a hacker can easily guess, to inadvertently opening e-mails with viruses or Trojan horse applications running. Java viruses exploit weaknesses inherent to the way that Web browsers and Java virtual machines (JVMs) allow Java code to perform low-level functions on a system with very little security. There will never be a foolproof solution to this security problem. The best way to help deter issues like this is to train the end user. Having a formal security policy (Chapter 12) in place specifying exactly what users can and cannot do with the company’s workstation is also very important. Locking down a user’s access to their workstation also helps. Windows workstations can have security policies applied that limit the user’s access to critical system files as well as restrict the ability to install or run unauthorized software. Using a well written and up-to-date antivirus software will help combat the ability of an end user from spreading a virus throughout the network. Another critical aspect of workstation security is to make sure that the OSes or software applications always have the latest security patches in place. Often a vendor will release security patches that address individual vulnerabilities so technicians will be able to apply them faster, rather than having to wait for a full ser-vice pack.
Use Monitoring Tools on Systems and Networks 435
Test Day Tip It is important to understand the differences between workstations and servers. You should know that workstations are typically used by a single local user and are designed to support fast front-end processing. Servers are designed to support a large number of remote users and provide fast back-end processing and file sharing.
Intrusion Detection Systems An IDS is designed to monitor network access points for hostile activities. These systems typically trigger on events by referencing network activity against an attack signature database. If a match is made, an alert takes place and the event is logged for future reference. Creating and maintaining the attack signature database is the most difficult part of working with IDS technology. It is important to always keep the IDS updated with the latest signature database provided by the vendor as well as updating the database with the signatures found in testing. Exam Warning The Security+ exam expects you to understand the different types of IDSes, what they are used for, and how they can help protect your network.
In practice, most commercial environments use some combination of network-, host-, and/or application-based IDS systems to observe what is happening on the network while also monitoring key hosts and applications more closely. Exam Warning You must be able to clearly describe the differences between the three types of IDS systems. Go back over them until you know them very well.
It’s also important to understand that an IDS can operate in one of four states. These include the following: ■■
Positive An attack occurred and the IDS detected it.
■■
Negative No attack occurred and none was detected.
■■
■■
False Positive No attack occurred yet the IDS believes that one did occur and triggered an alert. False Negative An attack occurred yet was not detected.
These states are not all the same. The goal of the security professional who is tuning an IDS is to configure it in such a way that legitimate attacks are detected and false alarms do not occur. In reality, this is not always so easy as it can take a lot of time and effort to get an IDS properly set up. If configured incorrectly, there may be too many false positives so that administrators become desensitized and begin to ignore the alarms. There is even a worse condition in that the IDS may be misconfig-
436 CHAPTER 10 Risk Assessment and Risk Mitigation
ured so that false negatives occur. In this condition, an attack that has happened may never be detected. IDSes may also be distinguished by their differing approaches to event analysis. Some IDSes primarily use a technique called signature detection. This resembles the way many antivirus programs use virus signatures to recognize and block infected files, programs, or active Web content from entering a computer system, except that it uses a database of traffic or activity patterns related to known attacks, called attack signatures. Indeed, signature detection is the most widely used approach in commercial IDS technology today. Another approach is called anomaly detection, which uses rules or predefined concepts about “normal” and “abnormal” system activity (called heuristics) to distinguish anomalies from normal system behavior and to monitor, report on, or block anomalies as they occur. Some IDSes support limited types of anomaly detection; most experts believe this kind of capability will become part of how more IDSes operate in the future. The pros and cons of whether to run a signature-based IDS system or an anomaly based IDS are detailed below. ■■ ■■
■■
■■ ■■
■■
Signature-based IDS Pros A signature-based IDS examines ongoing traffic, activity, transactions, or behavior for matches with known patterns of events specific to known attacks. As with antivirus software, a signature-based IDS requires access to a current database of attack signatures and some way to actively compare and match current behavior against a large collection of signatures. Except when entirely new, uncataloged attacks occur, this technique works extremely well. Cons Signature databases must be constantly updated, and IDSes must be able to compare and match activities against large collections of attack signatures. If signature definitions are too specific, a signature-based IDS may miss variations on known attacks. (A common technique for creating new attacks is to change existing known attacks rather than to create entirely new ones from scratch.) Signature-based IDSes can also impose noticeable performance drags on systems when current behavior matches multiple (or numerous) attack signatures, either in whole or in part. Anomaly based IDS Pros An anomaly based IDS examines ongoing traffic, activity, transactions, or behavior for anomalies on networks or systems that may indicate attack. The underlying principle is the notion that “attack behavior” differs enough from “normal user behavior” that it can be detected by cataloging and identifying the differences involved. By creating baselines of normal behavior, anomaly based IDS systems can observe when current behavior deviates statistically from the norm. This capability theoretically gives anomaly based IDSes the capability to detect new attacks that are neither known nor for which signatures have been created. Cons Because normal behavior can change easily and readily, anomaly based IDS systems are prone to false positives, where attacks may be reported based
Use Monitoring Tools on Systems and Networks 437
on changes to the norm that are “normal,” rather than representing real attacks. Their intensely analytical behavior can also impose heavy processing overheads on systems they are running. Furthermore, anomaly based systems take a while to create statistically significant baselines (to separate normal behavior from anomalies); they are relatively open to attack during this period. Attack signatures consist of several components used to uniquely describe an attack. The signature is a kind of detailed profile that is compiled by doing an analysis of previous successful attacks. An ideal signature would be the one that is specific to the attack, while being as simple as possible to match with the input data stream (large complex signatures may pose a serious processing burden). Just as there are varying types of attacks, there must be varying types of signatures. Some signatures define the characteristics of a single IP option, perhaps that of an Nmap portscan, whereas others are derived from the actual payload of an attack. Most signatures are constructed by running a known exploit several times, monitoring the data as it appears on the network, and looking for a unique pattern that is repeated on every execution. This method works fairly well at ensuring that the signature will consistently match an attempt by that particular exploit. Remember, the idea is for the unique identification of an attack, not merely the detection of attacks. Exam Warning Signatures are defined as a set of actions or events that constitute an attack pattern. They are used for comparison in real time against actual network events and conditions to determine if an active attack is taking place against the network. The drawback of using attack signatures for detection is that only those attacks for which there is a released signature will be detected. It is important that the signature database be kept updated.
A computing system, in its most basic abstraction, can be defined as a finite state machine, which literally means that there are only a specific predefined number of states that a system may attain. This limitation hinders the IDS, in that it can be well armed at only a single point in time (in other words, as well armed as the size of its database). This poses several problems such as the following:
1. How can one have foreknowledge of the internal characteristics that make up an intrusion attempt that has not yet occurred? You cannot alert on attacks you have never seen.
2. There can be only educated guesses that what has happened in the past may again transpire in the future. You can create a signature for a past attack after the fact, but that is no guarantee you will ever see that attack again.
3. An IDS may be incapable of discerning a new attack from the background white noise of any network. The network utilization may be too high, or many false positives cause rules to be disabled.
4. The IDS may be incapacitated by even the slightest modification to a known attack. A weakness in the signature matching process, or more fundamentally,
438 CHAPTER 10 Risk Assessment and Risk Mitigation
a weakness in the packet analysis engine (packet sniffing/reconstruction) will thwart any detection capability. The goals of an attacker in relation to IDS evasion are twofold:
1. To evade detection completely
2. To use techniques and methods that increase the processing load of the IDS sensor significantly
As more methods are employed by attackers on a wide scale, more vendors will be forced to implement more complex signature matching and packet analysis engines. These complex systems will undoubtedly have lower operating throughputs and will present more opportunities for evasion. The paradox is that the more complex a system becomes, the more opportunities there are for vulnerabilities. Some say the ratio for bugs to code may be as high as 1:1000 or even a ratio of 1:10,000 may exist. With these sorts of figures in mind, a system of increasing complexity will undoubtedly lead to new levels of increased insecurity. Finally, advances in IDS design have led to a new type of IDS, called an intrusion prevention system (IPS). An IPS is capable of responding to attacks when they occur. This behavior is desirable from two points of view. For one thing, a computer system can track behavior and activity in near-real time and respond much more quickly and decisively during the early stages of an attack. Since automation helps hackers mount attacks, it stands to reason that it should also help security professionals fend them off as they occur. For another thing, an IPS can stand guard and run 24 hours per day/7 days per week, but network administrators may not be able to respond as quickly during off hours as they can during peak hours. By automating a response and moving these systems from detection to prevention they actually have the capability to block the incoming traffic from one or more addresses from which an attack originates. This allows the IPS the capability to halt an attack in process and block future attacks from the same address. Exam Warning To eliminate confusion on the Security+ exam about the differences etween an IDS and an IPS, remember that an IPS is designed to be a preventive control. b When an IDS identifies patterns that may indicate suspicious activities or attacks, an IPS can take immediate action that can block traffic, blacklist an IP address, or even segment an infected host to a separate virtual LAN (VLAN) that can only access an antivirus server.
Popular Commercial IDS Systems Literally hundreds of vendors offer various forms of commercial IDS implementations. The most effective solutions combine network- and host-based IDS implementations. Likewise, most such implementations are primarily signature-based, with only limited anomaly based detection capabilities present in certain specific products or solutions. Finally, most modern IDSes include some limited automatic response capabilities, but these usually concentrate on automated traffic filtering, blocking, or disconnects as a
Use Monitoring Tools on Systems and Networks 439
last resort. Although some systems claim to be able to launch counterstrikes against attacks, best practices indicate that automated identification and trackback capabilities are the most useful aspects that such facilities provide and are therefore most likely to be used.
Head of the Class Weighing IDS Options In addition to the various IDS and IPS vendors mentioned in the following list, judicious use of a good Internet search engine can help network administrators identify more potential suppliers than they would ever have the time or inclination to investigate in detail. That is why we also urge administrators to consider an alternative: deferring some or all of the organization’s network security technology decisions to a special type of outsourcing company. Known as managed security services providers (MSSPs), these organizations help their customers select, install, and maintain state-of-the-art security policies and technical infrastructures to match. For example, Guardent is an MSSP that includes comprehensive firewall IDSes and IPSes among its various customer services; visit www.guardent.com for a description of the company’s various service programs and offerings.
A huge number of potential vendors can provide IDS and IPS products to companies and organizations. Without specifically endorsing any particular vendor, the following products offer some of the most widely used and best-known solutions in this product space: ■■
■■
■■
■■
■■
Cisco Systems This is best known for its switches and routers, but offers significant firewall and intrusion detection products as well (www.cisco.com). The premier product in the IDS market is the Cisco IPS (formerly known as NetRanger). In addition, Cisco provides IDS/IPS capabilities in its router software as well as its Adaptive Security Appliance firewall products. GFI LANguard This is a family of monitoring, scanning, and file integrity check products that offer broad intrusion detection and response capabilities (www.gfi.com/languard/). IBM’s Internet Security Systems (ISS) division This offers a family of enterprise-class security products called RealSecure that includes comprehensive intrusion detection and response capabilities (www.iss.net). McAfee This offers the IntruShield IPS systems that can handle gigabit speeds and greater (www.mcafee.com). Sourcefire This provides a commercial IDS and IPS that is based on the open source IDS engine, Snort. Sourcefire comes in a software version as well as a hardware appliance. In addition, Sourcefire also takes the advancements it makes in the core IDS engine and makes it available in the open source Snort engine.
440 CHAPTER 10 Risk Assessment and Risk Mitigation
Head of the Class Getting Real Experience Using an IDS One of the best ways to get some experience using IDS tools like TCPDump and Snort, is to check out one of the growing number of bootable Linux OSes. Since all of the tools are precompiled and ready to run right off the CD, you only have to boot the computer to the disk. One good example of such a bootable disk is Backtrack. This CD-based Linux OS actually has over 300 security tools that are ready to run. Learn more at www.backtrack.org.
A clearinghouse for Internet service providers (ISPs) known as ISP-Planet offers all kinds of interesting information online about MSSPs, plus related firewall, virtual private network, intrusion detection, security monitoring, antivirus, and other security services. For more information, visit any or all of the following URLs: ■■
■■
■■
■■
■■
■■
ISP-Planet Survey: Managed Security Service Providers, participating provider’s chart, www.isp-planet.com/technology/mssp/participants_chart.html. Managed firewall services chart, www.isp-planet.com/technology/mssp/firewalls_ chart.html. Managed virtual private networking chart, www.isp-planet.com/technology/ mssp/ services_chart.html. Managed intrusion detection and security monitoring, www.isp-planet.com/ technology/mssp/monitoring_chart.html. Managed antivirus and managed content filtering and URL blocking, www.ispplanet.com/technology/mssp/mssp_survey2.html. Managed vulnerability assessment and emergency response and forensics, www.isp-planet.com/technology/mssp/mssp_survey3.html.
By implementing the following techniques, an IDS can fend off expert and novice hackers alike. Although experts are more difficult to block entirely, the following techniques can slow them down considerably: ■■
■■
■■
Breaking TCP connections by injecting reset packets into attacker connections that cause the attacks to fall apart. Deploying automated packet filters to configure routers or firewalls to block the offending traffic. This technique will stop most attacks cold—even DoS or distributed denial of service (DDoS) attacks. This works for attacker addresses and for protocols or services under attack (by blocking traffic at different layers of the Advanced Research Projects Agency [ARPA] or Open System Interconnection [OSI] networking model). Deploying automated disconnects for routers, firewalls, or servers can halt all activity when other measures fail to stop attackers (as in a DDoS attack situation, where filtering would only work effectively on the ISP side of an Internet link).
Logging and Auditing 441
■■
Actively pursuing reverse domain name system (DNS) lookups or other ways of attempting to establish hacker identity is a technique used by some IDSes, generating reports of malicious activity to all ISPs in the routes used between the attacker and the target. Because such responses may themselves raise legal issues, experts recommend obtaining legal advice before repaying hackers in kind.1
Head of the Class Getting More Information on IDS For quick access to a great set of articles and resources on IDS technology, visit www. searchsecurity.techtarget.com and search for intrusion detection. There are several good articles to be found on this topic including, but not limited to the following: ■■
■■
■■
“Intrusion Detection: A Guide to the Options” at www.techrepublic.com/article_guest. jhtml?id=r00620011106ern01.htm “Intrusion-detection Systems Sniff Out Security Breaches” at http://searchsecurity. techtarget.com/originalContent/0,289142,sid14_gci802278,00.html “Recommendations for Deploying an Intrusion-detection System” at http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci779268,00.html
Logging and Auditing Auditing provides methods for tracking and logging activities on networks and systems, and links these activities to specific user accounts or sources of activity. In the case of simple mistakes or software failures, audit trails can be extremely useful in restoring data integrity. They are also a requirement for trusted systems to ensure that the activity of authorized individuals can be traced to their specific actions, and that those actions comply with the defined policy. They also allow for a method of collecting evidence to support any investigation into improper or illegal activities.
Auditing Systems Auditing of systems must occur with a thorough understanding of the benefits of the process. As you create your auditing procedures, you are trying to develop a path and trail system in the logging of the monitored events that allows you to track usage and access, either authorized or unauthorized. To do this, you must consider the separation of duties that improves security and allows for better definition of your audit policies and rules. To assist in catching mistakes and reducing the likelihood of fraudulent activities, the activities of a process should be split among several people. This process is much like the role-based access controls (RBAC) concepts discussed earlier. This
442 CHAPTER 10 Risk Assessment and Risk Mitigation
segmentation of duties allows the next person in line to possibly correct problems simply because they are being viewed with fresh eyes. From a security point of view, segmentation of duties requires the collusion of at least two people to perform any unauthorized activities. The following guidelines assist in assuring that the duties are split so as to offer no way other than collusion to perform invalid activities. ■■
■■
■■
No access to sensitive combinations of capabilities A classic example of this is control of inventory data and physical inventory. By separating the physical inventory control from the inventory data control, you remove the unnecessary temptation for an employee to steal from inventory and then alter the data so that the theft is left hidden. Prohibit conversion and concealment Another violation that can be prevented by segregation is ensuring that there is supervision for people who have access to assets. An example of an activity that could be prevented if properly segmented follows a lone operator of a night shift. This operator, without supervision, could copy (or “convert”) customer lists and then sell them to interested parties. There have been instances reported of operators actually using the employer’s computer to run a service bureau. The same person cannot both originate and approve transactions When someone is able to enter and authorize their own expenses, it introduces the possibility that they might fraudulently enter invalid expenses for their own gain.
These principles, whether manual or electronic, form the basis for why audit logs are retained. They also identify why people other than those performing the activities reported in the log should be the ones who analyze the data in the log file. In keeping with the idea of segmentation, as you deploy your audit trails, be sure to have your log files sent to a secure, trusted location that is separate and nonaccessible from the devices you are monitoring. This will help ensure that if any inappropriate activity occurs, the person who performs it cannot falsify the log file to state the actions did not take place.
Head of the Class How Much Is Too Much? When auditing is enabled for a system, it is very important to strictly define exactly what it is that you are auditing. Do you need to see all successful and failed authentication attempts? How about success file access attempts? Do you need to know about every file or only confidential ones? If you audit too much, you will receive a huge amount of data that may be unusable. Finding actual events in this data could be like looking for a needle in a haystack. However, not auditing enough could cause you to miss capturing important information that you need. Strike a very careful balance when defining your auditing policies to ensure that you capture all of the relevant data without overloading yourself with useless information.
Logging and Auditing 443
Exercise 3 Configuring Auditing in Microsoft Windows During the discussion of using auditing as a method to track access attempts within systems, it was mentioned that you must define an audit policy that reflects the needs of your organization and the need to track access in your system. This process is used to configure the types of activity or access you wish to monitor. For this exercise on auditing, you will be using either Windows 2003 (any version) or Windows XP Professional. When configuring auditing in Windows 2003 or Windows XP, it must be configured at the local machine level, unless the machine is a member machine participating in an active directory domain, in which case the Auditing policy may be configured at the domain level through the use of Group policy. This also applies to auditing on domain controllers if they are configured at the local security settings level. The settings applied to domain controllers at the local security level are not automatically applied to all domain controllers unless they are configured in the Default Domain controller policy in active directory. To start the audit process, you must access the local security policy Microsoft Management Console (MMC) in Administrative Tools. This is reached through Start | Programs | Administrative Tools | Local Security Policy. When you have opened the tool, navigate to Local Policies | Audit Policy; you should see a screen as shown in Figure 10.7.
Figure 10.7 The Audit Policy Screen
444 CHAPTER 10 Risk Assessment and Risk Mitigation
Next, double-click the Audit Logon Events item, which will open the Properties screen shown in Figure 10.8. Select both check boxes to enable auditing of both successful and failed logon events. When auditing logon events you are logging events requiring credentials on the local machine. Note that the first auditing choice is “Audit account logon events.” In this selection, auditing is tracked only for those asking for authentication through accounts that are stored on this machine, such as with a domain controller. The setting being used tracks all requests with an exchange of authentication information on the local machine where it is configured. As shown in Figure 10.9, the security setting condition has changed to reflect your choices. Your screen should also reflect that you are now auditing “Success and Failure for Logon Events.” Following successful initialization of auditing, you must test the settings to make sure the system is performing the auditing tasks that have been set up. For this exercise, log off your machine, then attempt to log on using credentials that you know do not exist or using an incorrect password. Then, log back on correctly and return to the exercise. Proceed to Event Viewer in the Administrative Tools folder by traversing Start | Programs | Administrative Tools | Event Viewer. Double-click Security; you should see a screen similar to the one shown in Figure 10.10. Note that we have
Figure 10.8 Selecting the Appropriate Item for Auditing
Logging and Auditing 445
Figure 10.9 Auditing Conditions Enabled and Defined
audited and recorded both success and failure events, noted by the key and lock icons. Highlight a Failure Audit event, as shown, and then double-click the item. After double-clicking a Failure Audit item, you will see a screen similar to the one depicted in Figure 10.11. Note that in this particular case, an unknown user (Sam) tried to log on and was unsuccessful. The auditing process is working, and detected the attempted breach. Now that you have successfully implemented auditing, do not forget that auditing is useless if you never review the logs and records it generates. Auditing is also capable of tracking access by processes, applications, and users to other objects within a particular environment. You should define a strong audit policy that checks access and authentication to critical files, and randomly checks other resources to detect trends and attacks and limit their damage. The logging features provided on most networks and systems involve logging known or partially known resource event activities. Although these logs are sometimes used for analyzing system problems, they are also useful for finding security issues through processing the log files and checking for both valid and invalid system activities.
446 CHAPTER 10 Risk Assessment and Risk Mitigation
Figure 10.10 The Security Event Window in Event Viewer
Figure 10.11 A Logon/Logoff Failure Event Description
Logging and Auditing 447
Most modern database applications support some level of transaction log detailing the activities that occurred within the database. This log can then be used to rebuild the database or to create a duplicate database at another location. Providing this detailed level of database logging consumes a great deal of drive space. This intense logging is not needed for most applications. Generally, you will only have basic informative messages utilized in system resource logging unless additional audit details are enabled. A great deal of information on logging and log analysis can be found at www. loganalysis.org. Additionally more information on log analysis can be found in the Syngress books Security Log Management: Identifying Patterns in the Chaos and Microsoft Log Parser Toolkit.
Damage and Defense Read Those Logs! One of the major problems with auditing is the simple fact that many network administrators do not have time to read and analyze the log files on a regular basis. Auditing provides us with the ability not only to provide a chronological path of access or attack but also to spot trends of unauthorized activity so that they can be blocked before they can do any damage. Unfortunately, many organizations do not devote the time to examine audit logs until after an attack. Good maintenance and procedures regarding the analysis of the log files will benefit your security efforts. This may seem a daunting task when a large amount of log data is concerned. Tools have been developed which can help with this such as Microsoft Log Parser or other free tools geared toward this purpose. By analyzing the log files for patterns or specific data, you can reduce the time required to review the log files. The difference between looking through logs line-by-line versus scanning the logs for suspicious activity can be the hours of time savings.
There are four possible DNS event levels that can be configured in the Microsoft DNS server. The level of events is controlled through the DNS server properties (see Figure 10.12). These levels are as follows:
1. No events
2. Errors only
3. Errors and warnings
4. All events
In addition, debug logging can be turned on for the Microsoft DNS server software. This is disabled by default, and it is recommended that you only use it when trying to resolve a specific DNS error (see Figure 10.13). Debug events can be logged to a log file rather than the Event Viewer.
448 CHAPTER 10 Risk Assessment and Risk Mitigation
Figure 10.12
Figure 10.13
Configuring Event Levels in the Microsoft DNS Server
Debug Logging
System Logs
Figure 10.14 System Log Properties
System logs are critical, as they will provide information on what is occurring on a Windows system. One key concern is the amount of space the system logs take up. To ensure that you don’t run out of space in your system logs, set your system logs to overwrite as needed. This prevents the log file from filling up and ensures that you are always collecting the most recent events. Also set the size of your log to an appropriate value. Figure 10.14 is an example of setting up your system log properties. System logs and audit logs in Windows are based on settings within your Domain Security Policy. There, you can set your Audit Policy, Security Options, and many other Active Directory settings. Figure 10.15 is an example of the audit policy logs.
Logging and Auditing 449
Figure 10.15 Audit Policy Logs
Figure 10.16 Performance Logs
Performance Logs Performance logs provide insight as to how your server is performing (see Figure 10.16). The performance of a system can be affected by OS components, applications as well as other executables running on the system. Performance logs capture point in time statistics providing specific variables at specific points in time. This enables a system
450 CHAPTER 10 Risk Assessment and Risk Mitigation
administrator to correlate system performance with specific events as they occur. For example, if a large Central Processing Unit spike occurs during a certain time, you can correlate that event to a specific application such as the antivirus running and scanning files being uploaded to the machine. Understanding how a system performs, and why, is the key to knowing what a system can do and what they are protecting.
Access Logs Access logs require anyone entering a secure area to sign in before entering. When visitors require entry, such as when consultants or vendor support staff need to perform work in a secure room, an employee of the firm must sign the person in. In doing so, the employee vouches for the credibility of the visitor and takes responsibility for this person’s actions. The access log also serves as a record of who entered certain areas of a building. Entries in the log can show the name of a visitor, the time this person entered and left a location, who signed them in, and the stated purpose of the visit. Even after a visitor has been given access to an area, a member of the organization should accompany them whenever possible. Doing so ensures that the visitor stays in the areas where they are permitted. It also provides a measure of control to ensure that the visitor does not tamper with systems or data while they are inside the premises. Chaperoning someone who has been given clearance to an area is not always possible or desirable. For example, if you have hired an outside party to install equipment that is needed for Internet access, you may not want to stand beside the installer for an extended period of time. However, workers can be monitored in high security locations using video cameras to provide electronic surveillance. This provides a constant eye, and allows for review of their actions if an incident occurs. Alarm is another method of notifying people of unauthorized access. Alarms can be put on doorways, windows, and other entrances, and set to go off if someone enters an area and fails to follow proper procedures. If someone enters an incorrect PIN number to unlock a door, or opens a door without deactivating the alarm properly, a noise will sound or a signal will be sent to a person or company that monitors the alarms. Additionally, any number of added defenses can be used to sense entry into a secured location. Motion detectors can be used to sense any movement in a room, heat sensors can be used to detect body heat, and weight sensors can be used to detect the added weight of a person on the floor. Although such elaborate methods may not be needed everywhere within a building, they are viable solutions to detecting unauthorized entries. Computers can also be configured to prevent unauthorized access by locking them with passwords. Computers can provide screensavers with password protection, so that anyone without the password is unable to access the system. For example, Novell NetWare servers provide a password-protected screensaver that can be activated by entering the command SCRSAVER ACTIVATE from the server prompt. To deactivate the password, the user needs to enter a username and password with sufficient privileges. Windows computers also provide password protection on screensavers, which prevents access to the machines while the owner or designated
Logging and Auditing 451
Figure 10.17 Password-Protected Screensavers Can Be Configured through the Screen Saver Tab of the Windows Display Properties
user is away. As can be seen in Figure 10.17 and Exercise 4, setting up password protection is a relatively simple process. Although the steps may vary, passwordprotected screensavers can also be installed and used on many different OSes, including Apple and Linux.
Exercise 4 Preventing Access to a Computer Using Password-Protected Screensavers 1.
From the desktop select Start | Settings | Control Panel.
2.
When the Control Panel opens, double-click the item labeled Display.
3.
When the Display applet appears, click the Screen Saver tab, and then select the On resume, password protect checkbox.
4.
When the computer enters screen saver mode, press the Spacebar. A dialog box will appear prompting you for your password. Enter the password of the user who is currently logged in, to unlock the machine.
As Internet access has become common in organizations, monitoring Web sites that have been visited has also become common. Firewalls are not only used to prevent unauthorized access to the internal network from the Internet but also enable organizations to monitor what their employees are accessing on the Internet. Companies can check firewall logs to determine what sites an employee visited, how long they
452 CHAPTER 10 Risk Assessment and Risk Mitigation
spent there, what files they downloaded, and other information that the employee may consider private. Again, since the Internet access is provided through the company and is therefore their property, the company should inform users through the privacy policy of their privilege to investigate how employees are using this resource. For more information about privacy policy, see Chapter 15, “Legislation and Organizational Policies.”
Audits The need for periodic audits is critical to the security of any organization. Putting a security plan in place, with security hardware and configuration to protect your company’s investment and property is not enough. Unless you have a bulletproof change management and untouchable verification process, your team may make a mistake and inadvertently configure a piece of critical equipment incorrectly. Periodic security audits are critical to a company’s security. Audits reveal any security flaws or the need for your company to update any standards and technical configurations. Third-party audits are also recommended on a periodic basis. The frequency of the audits depends on many factors including internal company policy as well as external regulatory requirements. Conducting periodic third-party, nonbiased analyses of your security systems ensures you, your clients, your business partners, and any regulatory organization or agency that your network security is set up properly and being monitored appropriately. Your company’s relationship with third-party security auditors should be similar to your relationship to your attorney: do not lie to them—they are your allies and will help you secure you network and company’s data.
Summary of Exam Objectives The exam objectives in relation to risk assessments and risk mitigation are as follows. Understand the:
1. Benefits of risk assessments and why you should perform them
2. Tools you can use to monitor your system, and the benefits they offer
3. Advantages of risk mitigation tools, and what they prevent; and
4. Auditing and logging: what they can show you and how to configure
Exam Objectives Fast Track Conduct Risk Assessments and Implement Risk Mitigation ■■
You must conduct risk assessments because a third-party assessment may be required by law.
Exam Objectives Frequently Asked Questions 453
■■
■■
■■
■■
You need to conduct risk assessments to provide an outside perspective of your security, to ensure you are constantly looking to improve your security, adjust to new vulnerabilities, and to keep sure that your procedures are being followed. Risk mitigation keeps your systems secure and allows you to have confidence and monitor the security in place for your systems. It, as the names states, mitigates your risk of known vulnerabilities. The key to risk mitigation is to keep it updated, to keep up with changing vulnerabilities. You should know what risk assessments are commonly done, what are risk mitigation benefits, and what you should keep on the look out for, while implementing such tools.
Use Monitoring Tools on Systems and Networks ■■
■■
■■
You should carry out vulnerability assessments yourself, using common tools available either for free or at low cost. These vulnerability assessments will allow you to view what vulnerabilities may be present. Use monitoring tools on systems and networks. These tools must be known by you in efforts to continuously monitor your networks and systems. You should know Simple Network Management Protocol (SNMP) and syslog, Windows auditing and performance logs, and how to configure each one of them to track information.
Exam Objectives Frequently Asked Questions Q: I want to implement access control for a system that needs to be extremely secure, and includes mission critical applications. What should I use … Mandatory Access Control (MAC), Discretionary Access Control, or RBAC? A: MAC is the only method of the three that is considered to be of highest strength. It is suitable for systems that need to be extremely secure, such as those that use mission critical applications. With MAC, every account and object is associated with groups and roles that control their level of security and access. Q: I work for a small company that only has one facility, so storing backup tapes at another site is not an option. What can I do to keep the backup tapes safe in case of a disaster? A: There are many options for storing backup tapes offsite. A safety deposit box could be rented at a bank to store the backup tapes, or a firm that provides storage facilities for backups could be hired. When deciding on a
454 CHAPTER 10 Risk Assessment and Risk Mitigation
storage facility, ensure that it is secure and has protection against fires and other disasters. You do not want to store your backups in a location that has a higher likelihood of risk than your own facilities. Q: Is OVAL a vulnerability scanner? A: OVAL is not a vulnerability scanner, but instead it is an open language to determine whether software vulnerabilities exist. OVAL also allows vendors and administrators to collaborate to develop definitions Q: What is a Pro of an anomaly based IDS? A: An anomaly based IDS examines ongoing traffic, activity, transactions, or behavior for anomalies on networks or systems that may indicate an attack. The underlying principle is the notion that “attack behavior” differs enough from “normal user behavior” that it can be detected by cataloging and identifying the differences involved. By creating baselines of normal behavior, anomaly based IDS systems can observe when current behavior deviates statistically from the normal behavior. This capability theoretically gives anomaly based IDSes the capability to detect new attacks that are neither known nor for which signatures have been created. Q: What are the four options for DNS logging? A: 1. No events 2. Errors only 3. Errors and warnings 4. All events
Self Test
1. You are the security officer of a company, and you have been asked to implement an employee security program. Where would you start? A. Security scan B. Security policy C. Security audit D. Lock down access for everyone
2. IDS stands for A. Intrusion directive system B. Implosion detection system C. Intrusion detection system D. Intuitive detection system
Self Test 455
3. A con of a signature-based IDS system would be A. Takes a while to create statistically significant baselines B. Can also impose noticeable performance drags on systems signatures C. Can observe when current behavior deviates statistically from the norm D. Requires access to a current database of attack signatures and some way to actively compare and match current behavior against a large collection of signatures
4. GLBA stands for A. Georgia Liability Behavior Act C. Gilbert Lessons Biohazard Act B. Gramm Liability Behavior Act D. Gramm–Leach–Bliley Act
5. Vulnerability scanners are designed to A. Map systems for weaknesses B. Monitor the traffic on a network and expose data and protocols that are being passed along the wire C. Never attempt to exploit a known vulnerability D. Detect exploited systems and warn the administrator about them
6. When you are configuring auditing within Microsoft Windows, where do you set up the auditing? A. MMC C. Certificates B. Computer management D. Local security settings
7. You have identified a number of risks to which your company’s assets are exposed, and you want to implement policies, procedures, and various security measures. In doing so, what will be your objective? A. Eliminate every threat that may affect the business B. Manage the risks so that the problems resulting from them will be minimized C. Implement as many security measures as possible to address every risk that an asset may be exposed to D. Ignore as many risks as possible to keep costs down
8. Network mapping tools are used to discover and ensure what devices are on your network. Which of the following wouldn’t be checked by such a tool? A. The responses of DoS attacks B. The strength of passwords C. Missing patches installed on your server D. The ability to access a network from the outside
456 CHAPTER 10 Risk Assessment and Risk Mitigation
9. Segmentation of duties does not require A. The collusion of at least three people to perform any unauthorized activities B. Access to sensitive combinations of capabilities C. Prohibiting conversion and concealment D. The same person to both originate and approve transactions
10. What level is not available in DNS logging? A. Errors only C. Warnings only B. Errors and warnings D. None of the above 11. What objective is not part of risk assessment and risk mitigation? A. Advantages of risk mitigation tools B. Auditing and logging C. Password hacking D. Tools you can use to monitor your system 12. You have decided that you are going to have an audit performed within your organization. What are the things not to consider? A. External regulatory requirements B. Your last external audit C. Internal policies D. Change control procedures 13. An investigator arrives at a site where all of the computers involved in the incident are still running. The first responder has locked the room containing these computers but has not performed any additional tasks. Which of the following tasks should the investigator perform? A. Tag the computers as evidence B. Conduct a search of the crime scene, and document and photograph what is displayed on the monitors C. Package the computers so that they are padded from jostling that could cause damage D. Shut down the computers involved in the incident 14. IDS can operate in one of four states. Which state is defined as an attack occurred, yet it was not detected? A. Positive B. Negative C. False positive D. False negative
References 457
15. What is the goal of a risk assessment? A. To test the basic strength of your systems and create a report for your executive team B. To test everything possible and create a report for your executive team C. To test everything possible and to create a report that will be read by your management and customers, showing what was performed, what was discovered, and how issues were addressed D. To test everything possible and to create a report that shows you have no issues and will be read by your management and customers
Self Test Quick Answer Key 1. 2. 3. 4. 5.
B C B D A
6. 7. 8. 9. 10.
D B C A C
11. 12. 13. 14. 15.
C B D D C
References 1. Littlejohn D, Tittel E. Scene of the cybercrime. New York: Syngress Press; 2008.
This page intentionally left blank
PART
Cryptopgraphy
5
This page intentionally left blank
Chapter
General Cryptographic Concepts
11
E x a m o b j e c tiv e s in this c hapt e r General Cryptography.......................................................................................................... 462 Encryption Algorithms......................................................................................................... 477 Protocols��������������������������������������������������������������������������������������������������������������������������� 482 Cryptography in Operating Systems������������������������������������������������������������������������������������� 494
Introduction Cryptography—from the Greek kryptos, meaning “hidden, secret,” and grapho, meaning “I write”—is the science and practice of secret communications. Because of many overlaps between merely hiding information and making it possible to determine whether or not information has been tampered with, both integrity and confidentiality are significant elements of cryptography. Cryptography strikes a number of emotions in the heart of the reader—because it has elements of extremely complex mathematics, it can be viewed as somewhat dry and dull; because it frequently requires the reader to accept that certain operations are secure, or slow to compute, it can be viewed as requiring a suspension of disbelief.There is also an element of fear that goes along with accepting that cryptography makes the statement that you accept the possibility that you will lose access to the data you are protecting (if you lose your keys, or if the encrypted data is corrupted, for instance) and that this is the price of fully ensuring that your data is protected. In this chapter, we will introduce you to the most important current cryptographic techniques that you will encounter in the course of your computing endeavors. We will use pictures to make things clear and allegory where it aids understanding. We will start with a set of basic cryptographic knowledge—a “primer,” if you will—and then proceed to demonstrate some of the algorithms that use those cryptographic bases. Then, we will discuss the protocols that wrap the algorithms up and provide for a mechanism in which to communicate about cryptographic algorithms, and we will finish with a discussion of cryptography’s uses in modern operating systems and applications.
461
462 CHAPTER 11 General Cryptographic Concepts
Cryptography has a rich history, and we shall occasionally refer back to some great moments in secret communications, not because they are covered in the exam so much as because we hope they are interesting to the reader.
General Cryptography Locks and keys have been used for centuries to keep items—and communications— hidden. In many locks in the physical world, it is possible to close the lock without having the key (or the code, for a combination lock). Other locks require a key to lock them, that key also being required to unlock them. There are analogous mechanisms in the online world, except that the terminology is different. Locking and unlocking are not common terms in cryptography— instead, we talk of “encrypting” data to turn it from readable into unreadable and “decrypting” data to go from unreadable to readable. Locks are now “algorithms” or methods by which encryption is done, and keys, thankfully, are still represented by the term “keys.” The two kinds of encryption (same key, different key) are referred to as symmetric and asymmetric, respectively.
Symmetric Key Cryptography As you’ve probably guessed, since “symmetric” means, in one meaning, that two sides are in balance, or equal, symmetric key cryptography is the use of one key to both encrypt and decrypt, and the encryption algorithm is sometimes the same as the decryption algorithm. A simple example is the “Caesar” cipher, in which letters are shifted by a number of characters. The number of the shift is the key, and the operation is a shift to the right to encrypt and a shift to the left to decrypt. Many children used code wheels to create their own Caesar cipher texts and challenged others to break their codes. For instance, if the message we wanted to secretly communicate (the “plain text”) was “THERE ARE THREE PEOPLE TO SEE CAESAR” and the shift was 8, the letter T would be replaced by B (when a shift takes us to Z, we wrap around to A), H becomes P, and so on to give the encrypted message known as “cipher text” as follows: THERE ARE THREE PEOPLE TO SEE CAESAR BPMZM IZM BPZMM XMWXTM BW AMM KIMBIZ
There are several obvious disadvantages to this encryption method, which make it a very easy cipher to break. ■■
■■
The “key space” (number of possible unique keys) is short—you only need to try 26 shifts in all. There’s a lot of Ms in the cipher text, because that’s what E becomes in this cipher—and E is the most common letter in the English language. This is a basic form of the analysis technique known as “frequency analysis.”
General Cryptography 463
■■
Because spaces and other punctuation characters are not altered, we may be able to use those to give some idea of the meaning of the document or the placement of particular words (any communication between these Romans is liable to mention Caesar, so look for a 6-letter word and see if its second and penultimate letters are the same).
Modern symmetric ciphers are designed to avoid these and several other weaknesses—a cipher should have a large enough key space that decrypting it using “brute force” (trying every possible key) would, on average, take many times longer than the plain text’s useful life. A cipher should generally have the same chance of encrypting a character to any other character so that frequency analysis is impractical, and all characters in the message should be subject to encryption. The big problem that faces any symmetric key cipher is that their simplest use requires that the key be shared—a “shared secret”—between the two parties in the cipher. In some senses, that is to be expected, because the encrypted text is itself a secret that is shared between sender and recipient. However, if the sender has multiple recipients, he will need to generate multiple keys to be sure that each recipient sees only those messages meant for him. This is not a problem unique to the digital world—to use the physical world analogy, I talk about the story of the Queen’s Jewels, which is such an old story to me now that I can’t remember if it’s historically accurate, or merely one of the interpretations of A lexandre Dumas’ Three Musketeers. In the story, the Queen must send jewels to a sympathizer without the possibility that they are intercepted along the route. She finds a strong box and secures it with a padlock to which only she has the key. The box is then sent to the sympathizer; he doesn’t have the key to unlock the box, but he adds his padlock to the box so that it is doubly locked. The box is then returned to the Queen, who unlocks and removes her padlock, before sending it on to the sympathizer, who unlocks his padlock and finally opens the box. The end result: the jewels have been received with the knowledge that they could not have been intercepted along the way. Similarly, in the digital world, many cryptographic operations are associative and commutative—meaning that they can be performed in any order and still produce the same result. If the encryption and decryption processes are both associative and commutative, for instance, you can take a message, encrypt it with key K1, encrypt it again with key K2, decrypt it with K1, and decrypt it with K2 to perform the same process as in the “Queen’s Jewels” story above. The obvious drawback to this solution is that the message is sent three times before it is finally decrypted and at each of these transmissions could be intercepted and subjected to cryptanalysis. Because cryptanalysis is best done on long, nonrandom texts, the solution to this problem is to create a shared key, which is sent using the “Queen’s Jewels” technique, and then use the shared key to encrypt the actual text to be sent. This shared key, which is valid for one session only and then discarded, is known as a “session key.” The exchange of the shared session key is unsurprisingly known as a “key exchange.”
464 CHAPTER 11 General Cryptographic Concepts
Asymmetric Key Cryptography Clever as these solutions may be, there are still some problems to overcome with symmetric key cryptography—the most notable is that the sender has no way to verify the identity of the recipient. Asymmetric key cryptography helps to solve that issue. A British invention of the 1970s, “nonsecret encryption” provided for asymmetric key cryptography, in which a pair of unequal (hence “asymmetric”) keys is created. [The British government held the discovery of “nonsecret encryption” as a state secret until 1997, so it is fortunate that American researchers later independently discovered and published their own public key algorithms.] For each pair of keys in asymmetric cryptography, one key is held privately, the other is published. They are referred to as the “private key” and the “public key,” respectively. The public key can be given out freely without compromising the private key at all. A sender can encrypt a message using the receiver’s public key, and be sure that it can only be decrypted using the related private key—which means that the encrypted message can then only be read by the holder of the private key. As long as the public key is trusted to be associated with the intended recipient and the private key has not been exposed, only the intended recipient will be able to decrypt the message. The one common drawback with asymmetric key cryptography is that it is computationally expensive. This is mostly because of the size of the keys involved, which have to be much larger than keys providing similar protection strength for symmetric cryptography; first, because they are mathematically derived rather than simply randomly assigned; second, because these keys are longer lived and must survive against sustained attack for longer; third, because the public key is deliberately exposed and needs to be resistant to attempts to brute-force guess the associated private key. Because asymmetric key cryptography is so slow to perform, it is generally used sparingly—for instance, in an encrypted communication, the public/private key pairs will generally be used only to establish and prove claimed identities and to exchange information used to calculate a shared session key. The shared session key is then used with a symmetric encryption algorithm to provide encrypted data transport with less impact to processing time. In asymmetric encryption, encryption is generally performed using the public key, and decryption is generally performed using the private key—this is easy to remember, because encrypting data is something anyone should be able to do, but decrypting is an operation reserved only for the targeted recipient. The exception to this is in digital signatures, as we shall see later.
Hashes and Applications In cooking, a hash is when perfectly good meat and vegetables are sliced, diced, and otherwise rendered into small portions that bear no obvious resemblance to their original selves, save that their flavor can be recognized. In cryptography, a hash is when a piece of plain text is sliced, diced, and otherwise rendered into a small “digest” or “hash” that bears no obvious resemblance to the original text, except that the same text will always produce the same hash.
General Cryptography 465
You will often hear hash algorithms described as being based on mathematical “one way functions”—these are functions that are relatively easy to calculate going forward, but the inverse of the function is such a complex procedure that it is significantly harder to reverse the function than it would be to simply try every single possible input against the function to try and match its result. There are a couple of reasons to generate hashes: ■■
■■
■■
A hash can serve as a check that a document is untampered—if the sender and the recipient agree on the hash of a transferred document, they each possess the same document. Note that there are several “checksumming” algorithms that perform roughly this same task but without providing the cryptographic rigor described below. A cryptographic hash may serve as a placeholder for a document—a proof that you possess, or once possessed, the document whose hash you have calculated. As noted below, it should be practically impossible to calculate the hash without having the original document. A cryptographic hash can be used to verify a piece of information that is too sensitive to store—for instance, a password or a credit card number. If you send me a password when you first create your account and I store its hashed value, the next time you send me your password I can hash what you send me and verify that it matches the value I have stored.
Cryptographic hashes are required to possess a few specific properties to be useful: ■■
It must be practically impossible to reconstruct the original data from the hash
■■
Two similar documents must produce vastly different hashes
■■
■■
It must be practically impossible to construct two pieces of data that generate the same hash Computing the hash must be a quick process
By “practically impossible,” of course, we mean that the time taken to achieve the goal must be far, far longer than the duration in which the goal is useful. Care should be taken when using a hash for calculating a digest of small pieces of data—for passwords or credit cards, for instance. An attacker with access to the hash codes may be able to mount a bulk attack against the entire database at once, unless appropriate care is taken. Typically, the addition of a random component, known as a “salt,” to each piece of data being hashed will protect against this kind of bulk attack—that way, two users with the same password will not have the same hash. Storing the salt with the hashed value is necessary to ensure that the hash can be regenerated when checking the hash. There are a number of hash functions in common use that the Security+ Objectives require you to know about. The algorithms below are all based around manipulation of bits, repeated several times over to make reversal of the algorithm difficult, and
466 CHAPTER 11 General Cryptographic Concepts
to make the time required to do brute-force analysis (repeatedly trying to create the result from different inputs) infeasibly long.
Secure Hash Algorithm Algorithms in cryptography are often given either generic names or names based on the last names of the algorithm’s inventors. This is an example of the first naming scheme—“Secure Hash Algorithm” (SHA)—and it is the name for a series of algorithms that each were selected by the National Institute of Standards and Technology (NIST) to provide standardized cryptographic hash functions for widespread public use. SHA-0 and SHA-1 each produce a 160-bit “digest” from any input message up to 2^64-1 bits in length. SHA-2 is a family of hash functions that provide output digests in a number of different lengths—224, 256, 384, and 512. SHA-3 has not yet been selected at the time of writing but will be chosen from a public competition between entries submitted by a number of cryptographers. The winner is scheduled to be announced in 2012. The competition to create a SHA-3 standard was inspired by several advances in the cryptanalysis of SHA-0 and SHA-1, which are now significantly weaker than they were originally designed to be. New cryptographic designs that are required to use hashing should not use SHA-0 or SHA-1 but should use SHA-2 and have configurable extension points that would allow the addition and use of SHA-3 when it is finally selected and implemented.
Message Digest 5 Another generic name is Message Digest 5 (MD5)—there are others from its stable, particularly MD2 and MD4. All these Message Digest algorithms are known to have collision-resistance flaws which could result in the creation of two documents that have the same hash. This has been demonstrated in a number of interesting ways, including the creation of two X.509 certificates, one benign, and the other quite definitely malign in nature—because the signature that identifies the certificate is built from a hash, and particular certificate authorities (CAs) were still signing using the MD5 hash, the two certificates appeared genuine because the first was genuinely signed and the second evaluated to the same MD5 hash. It is strongly recommended that instead of MD5, a different hashing algorithm such as any of the SHA-2 family is used for new cryptographic designs. Again, it is recommended that any system you create or purchase, that uses cryptographic hashes at its base, should have extension points allowing the addition and use of stronger hashes at a later date as they are developed.
LANMAN Many hashes are created for specific purposes or are proprietary. One such hash is the one created for the LAN Manager product from Microsoft and 3Com. The LAN Manager, LANMAN or LM, Hash is frequently used as an example of a hash that has long
General Cryptography 467
outlived its ability to protect against attack but has survived in use simply because there are so many old systems that use it, and it is therefore considered by some to be too risky to turn off, because applications that still use it may break. Such applications include older versions of Windows and non-Windows implementations of the server Message Block protocol used for network file sharing. The LM Hash uses an encryption algorithm at its base—this is not unusual. It is relatively common to build a key from the clear text to be hashed, then use that key to encrypt some chosen fixed text (usually zeros) to produce a hash. In the case of the LM Hash, the encryption algorithm used is Data Encryption Standard (DES), which we shall describe later. When an LM Hash is created from a password (as that is the designated purpose of the LM Hash), the password is converted to uppercase, padded with nulls to make it 14-bytes long, and then broken into two parts of up to 7 bytes each. Each of these 7-byte parts is used to generate a DES key, which is used to encrypt a fixed string (the string is “KGS!@#$%”—the programmer’s initials followed by the shifted numbers from 1 to 5 on a U.S. keyboard). The two 8-byte values produced in this way are concatenated to give a 16-byte value that is the final result—the LM Hash of the password. If you’ve been paying close attention so far, you’ve probably spotted some of the problems with this—the biggest is that the 16-byte LM Hash is really two independent 8-byte hashes, each of which can be calculated separately; the second part is likely to be built from fewer than seven characters (simply because users will tend to choose the shortest passwords allowed) with fixed known characters (nulls) making up the remainder of the key. There is no salt involved in the creation of the LM Hash, and so a collection of LM Hashes can be attacked en masse—by creating the LM Hash of likely passwords, and then comparing the calculated hashes with all the hashes in storage. Another problem with the lack of salt is that two users sharing the same password can be discovered and that tables of possible LM Hash values and their password equivalents can be generated and compared against any system’s stored hash values. The bright side of this picture is that such bulk attacks require bulk access to databases of LM Hashes. These are not readily available in most systems—although there are specialist tools that can access this data, they generally require complete unfettered physical access to a system with the password database on board. Physically securing your data center and any Active Directory Domain Controllers is the best way to prevent abuse of LM Hashes if you still need to keep them in use. Better still is to remove the LM Hashes completely and the ability to generate them. Windows Vista and Windows server 2008 no longer generate these hashes by default, and earlier versions of Windows can be configured to avoid the use of LM Hashes, too.
NT LAN Manager The replacement of the original LanManager Hash function was achieved with the NT LAN Manager (NTLM) protocol, which provides the ability to authenticate a user against either the LM Hash or the new “NT Hash.” Where possible, disabling the LM
468 CHAPTER 11 General Cryptographic Concepts
Hash at the Domain Controller means that the NTLM protocol will only use the NT Hash to verify authentication attempts. The NT Hash is an MD4 hash of the user’s password—it is a true hash, and it uses the full Unicode character set available to Windows, where the LM Hash used only a limited subset of the US-ASCII character set. As such, it is less susceptible to bruteforce guessing, or bulk cracking, if the passwords are strong. The NT Hash is still not salted, and as a result, if you have physical access to a system, or otherwise have administrator access allowing you to read the password hashes, you can tell if two users have the same password, because they will have the same hash.
Digital Signatures Digital signatures represent a combination of cryptographic hashes and asymmetric encryption. One of the most frequently asked questions by novice developers of cryptographic applications is how to encrypt using the private key or decrypt using the public key—both of these operations are often forbidden by cryptographic frameworks. The reason is to prevent applications from accidentally using keys inappropriately and thereby posting freely decryptable text across a network. If you think a while about what it would mean to have a piece of data encrypted using a user’s private key, you may be able to guess how someone might like to do this. Encrypting data with your private key does not protect it against interception— your public key is supposed to be public, and so you must assume that your attacker has a copy of it. So any data encrypted with your private key must be either public already or protected in some other way. By encrypting data with your private key, however, you make it clear that the file was encrypted by you. It’s like putting your thumbprint, seal, or signature on the file. But remember how we said that asymmetric key cryptography is slow and expensive? If the document file is at all large, signing it by encrypting the whole file will take a long time, as will verifying the signature by decrypting it. Additionally, it would be handy if we could uncouple the verification of a signature from the document itself—perhaps if we want to read the document without verifying its signature, or spending a lot of time on decryption. Instead, a digital signature is created by creating a cryptographic hash of the document to be signed and then encrypting the hash with the private key of the signer. This has several benefits—a single document can be signed by multiple parties, signature of any document is fast, a signature can be sent or held separately from a document or along with it. And because the hash is encrypted using the sender’s private key, any recipient can verify that it came from the sender, because only the sender’s public key will decrypt the signature and turn it into the hash of the document. A digital signature based on a poor quality hash or encryption algorithm carries forward those quality problems to the signed document—so, for instance, it might prove possible to create a new document, similar to the original, but with important
General Cryptography 469
elements changed, and which generates the same hash value. This would mean that the signature of the original document would also verify the forgery. [For those of you wondering how a digital signature can be created when the cryptography library prevents encryption using the private key, there are separate functions for signing data, which will calculate the hash and encrypt it with the private key to produce the signature.]
Certificates A certificate that you hang on your wall lists a limited set of qualities about you— claims that you make—and confirms them by the presence of a signature of a reputable body (see Figure 11.1). Similarly, a digital certificate lists a set of claimed qualities about the person, organization, or computer identified in the certificate and confirms those claims by the presence of a digital signature of a reputable body. It ties those claims to a public/ private key pair so that the user of the private key can be verified as the subject of the claims in the certificate. The subject of a certificate, the person, organization, or computer about which the certificate holds details is known as the Subject. The reputable body that signs the certificate is known as the Issuer. The standard for digital certificates is the ITU-T X.509 certificate standard. There are a number of different versions of this certificate standard, at the time of writing
Figure 11.1 Comparing a Paper Certificate to an X.509 Certificate
470 CHAPTER 11 General Cryptographic Concepts
version 1 up to version 3, each adding features over the last. X.509 is a standard for Public Key Infrastructure in general and covers other topics such as certificate revocation lists (CRLs) and certificate path validation rules. The X.509 standard specifies the binary representation of a certificate, and there are numerous standards for exchanging the certificate in various forms—for crossplatform use, distinguished encoding rules (DER) encoding should be used when exporting a certificate to a text-based medium (for instance, when the import process is via a text field in a browser); public key cryptography standards (PKCS) #12 encoding (Personal Information Exchange [PFX]) should be used when including the private key along with the certificate. Certificates are public objects and possess only public pieces of information— whenever you see documents that talk about removing the private key from the certificate, they are missing the point. A certificate may be considered as being paired with a private key, dependent on a private key, related to a private key, but when you package the private key with the certificate, it is no longer just a certificate. It is then something else—a certificate store or a PFX/PKCS#12 file. A typical certificate contains a list of information about its Subject, provided by the Subject when requesting the certificate, and verified by the Issuer when signing it (see Figure 11.2). Some important fields are ■■ ■■
■■
■■
■■
Version—0, 1, or 2 representing versions 1, 2, or 3. Serial number—this number is generated by the Issuer and should generally be an unpredictable number for greatest security. Many Issuers are still configured to issue serial numbers in sequence. The serial number only has meaning to the Issuer, as a means of tracking individual certificates that might be issued to the same name or with the same key. Issuer and Subject names—these aren’t “names” as you or I would recognize them—they are generally entries in a hierarchical directory, such as “CN = www. whitehouse.gov, S = DISTRICT OF COLUMBIA, OU = Office of Administration, O = Executive Office of the President, L = Washington, C = US.” For most automated processes, it is enough that the “CN” entry should match the name that is being verified, whether it’s a Web site address, or an e-mail address, or some other value. Valid From and Valid To dates—these are dates during which the use of the private key to represent the subject of the certificate is to be considered valid. This is not the same as saying that the certificate is not usable after that date. For instance, if I digitally sign a document in 2009 and you want to verify that signature in 2030, you will need a reliable means to check the certificate relating to the document—which is the certificate that was valid in 2009. Certificates never truly go away, they expire, or are revoked (see the PKI chapter for more on certificate expiration and revocation). Public key—this is effectively one-third of the point of a certificate—remember that a certificate is a list of claims, signed by a reputable authority, and which ties the use of a public/private key pair to those claims.
General Cryptography 471
Figure 11.2 A Typical Digital Certificate
There are several other possible attributes and claims that can be present in a certificate, but these are probably the most important.
Single Most certificates in current use are what the CompTIA Security+ Objective refers to as single certificates—single in the sense that they are independent of any certificates other than their Issuer’s. The word “single” does not imply single use—these certificates may be used for a single purpose or multiple purposes indicated by values known as “Key Usage” and “Enhanced Key Usage” values. The “Key Usage” value is a set of bits that can be on or off, meaning any of the values listed in Table 11.1. The Enhanced Key Usage values are stored as hierarchical numeric values—Object Identifiers (OIDs)—in a format called ASN.1. Unless you’re seriously into numbers as
472 CHAPTER 11 General Cryptographic Concepts
Table 11.1 Key Usage Values Key Usage Value
With This Value Set, The Public Key Can Be Used For:
digitalSignature
Verifying digitally signed documents
nonRepudiation
Verifying the claim that an action being performed is approved by the certificate’s owner
keyEncipherment
Encrypting a key for transport
dataEncipherment
Encrypting data other than keys for transport
keyAgreement
Exchanging information used to create a shared key
keyCertSign
Verifying a signature on a certificate
cRLSign
Verifying a signature on a certificate revocation list (see the PKI chapter)
encipherOnly
Encrypting data during a key exchange—requires keyAgreement to be set
decipherOnly
Decrypting data during a key exchange—requires keyAgreement to be set
Table 11.2 Common OIDs OID Value
Name
Meaning
1.3.6.1.5.5.7.3.1
serverAuth
server authentication (usually SSL/ TLS)
1.3.6.1.5.5.7.3.2
clientAuth
client authentication (usually SSL/ TLS)
1.3.6.1.5.5.7.3.3
codeSigning
Code signature
1.3.6.1.5.5.7.3.4
e-mailProtection
E-mail signature and encryption
1.3.6.1.5.5.7.3.8
timeStamping
Marking a document’s presence in time
1.3.6.1.5.5.7.3.9
ocspSigning
OCSP signature
a form of entertainment, you won’t really need to understand much of the format of the OID, but to give you a flavor of some of these usages, we list the common ones in Table 11.2. Be prepared for the prospect that many of the certificates you encounter may have been issued under rules drafted before the related Enhanced Key Usage was defined, so for instance, the certificate for www.whitehouse.gov does not have “server authentication” in its list of Enhanced Key Usages!
General Cryptography 473
Dual sided “Dual-sided certificate” is a term you will only encounter in the CompTIA Security+ Objectives and documents derived from them. The more usual term for this is a “dual key pair” or “dual key certificates.” Two key pairs and two certificates are generated. One certificate and its related key pair is used for encryption, the other is used for data signing (and nonrepudiation) purposes. The key pair used for signing is generated and held by the user and is not stored in any kind of key management system outside the user’s control. The key pair used for encryption may be backed up in a key management system for later recovery. The theory behind dual key pairs is that it allows enterprise use of certificates to cover two scenarios:
1. Data encryption, with the ability for later recovery of encrypted data in the absence of the user, by use of the restored key from key management
2. Peruser strong identification, with the ability to assert that any action approved by the user can be acknowledged by a document signed by that user’s certificate
To do these with one certificate and key pair alone would be impossible, since the requirement for recovery of the encrypting private key would conflict with the requirement for secrecy of the signing private key. This is particularly valuable in enterprises, where it is important to recover documents after an employee has left the company, but where it is still important to rely on the assurance that only the employee herself/himself could have digitally signed documents. Implementation of a dual key scheme could be performed by process alone, with each user remembering to request two certificates using appropriate templates, but when there is operating system and application support for dual key certificate schemes, it is much less likely that a user will forget to protect their signing key.
Confidentiality, Integrity, and Availability—For All Your Security Needs Practitioners of information security rely on a number of different taxonomies to ensure that they cover their system’s security needs entirely. One of the simplest such groupings available is Confidentiality, Integrity, and Availability (CIA) (see Figure 11.3). (We would add logging/monitoring/auditing as the fourth unit that binds these together but that fourth unit is not generally aided by cryptographic technology.) A security solution should generally be assessed as to how well it fits each, and all, of these three categories. Let’s look at what cryptography can achieve for us here.
Confidentiality Confidentiality addresses a system’s ability to keep information hidden from those people, systems, and processes that are not meant to see it.
474 CHAPTER 11 General Cryptographic Concepts
Figure 11.3 The CIA Triangle
Obviously, cryptography has a lot to say about this, particularly in the matter of encryption. Encryption is the process of taking a readable document and producing from it a document that is unreadable unless you possess a proper key to decrypt it. That provides confidentiality, but confidentiality is not an on/off switch that you either have or don’t. As we shall see later, there are various degrees to which an encryption technique will protect data from an attacker, and advances in mathematics, and quantum computing, continually threaten to make sudden changes to the degree of confidentiality that is conferred. Hashes, too, contribute to confidentiality in that they can be used to store a verifying code for passwords and other information that should not be stored but will later need to be verified.
Integrity Integrity addresses a system’s ability to ensure—and to prove—that information being processed is the result of the application of approved processes to the original data. What this means is that data cannot be modified without approval or where it is modified that such modifications are detected. This is clearly the territory of hashes and digital signatures—hashes for those cases when the hash itself is unlikely to be modified and digital signatures when there is a possibility of such modification or when you want to track who had the information at its last modification.
Availability Availability addresses a system’s ability to be present and to provide data to its approved users.
General Cryptography 475
It is often considered to be the reverse side of confidentiality—if I encrypt a ocument and then throw away the key, the document is very definitely confidend tial, but it is not available any more. However, availability also has a relationship with integrity—if a system maintains its integrity to such a degree that no data can be modified, that too is a reduction in the availability of the data. For cryptography, availability generally refers to the correct implementation of key and certificate management and of the availability of cryptographic algorithms across the community of users. After all, it would hardly make sense to encrypt e-mail messages if the recipient didn’t use the same encryption algorithms as you, or if the keys required to decrypt those messages were tied to physical items (such as smartcards and readers) that were not available at the place those e-mails were supposed to be read.
Nonrepudiation Nonrepudiation is a component of information security that tries to remove the possibility that someone could perform an action and then later claim that was not truly them, but someone using their name without permission. An example would be someone who buys products from an online store using their credit card, and receives the product, but then claims that they did not actually authorize the card to be used for that purchase, and demands their money back. This is an example of the customer repudiating the transaction and is a significant problem with modern day credit card transactions. Because every transaction requires the credit card number be given to every vendor, it is very easy for a card holder to claim that they did not approve of a transaction, and because of legal requirements to combat fraud, credit card providers will force a refund, even when the vendor can show that products were shipped to the card holder’s address. A signature on a purchase request goes some way to preventing this—then the purchase request becomes a legal document confirming that the products were indeed ordered by the person whose signature is on the purchase request. In much the same way (but of course, much stronger), a digital signature can be used as proof that the owner of the key associated with the signature approved of, or at least was aware of, a document or an action. [How do you sign an action? You don’t—you sign a document approving an action and you demonstrate that processes are in place that would prevent the action from occurring without a signed approval.]
Comparative Strength of Algorithms When comparing cryptographic algorithms, whether discussing encryption techniques or digital signatures, we often want to know how strong the algorithms are. In much of the discussion above, we have talked about encryption, or hashing, or signing, as if those processes were Boolean operations—that they either do or do not, encrypt, hash, or sign the documents involved. That’s true, for the most part, any algorithm that encrypts “strongly enough” is as useful as any other algorithm that encrypts strongly enough and any algorithm that does not do so is very difficult to realistically describe as “encryption.”
476 CHAPTER 11 General Cryptographic Concepts
However, as mathematical techniques for cryptanalysis improve, the “strong enough” bar moves ever upward. An encryption algorithm’s strength is measured as the number of operations it takes, on average, to decrypt the data without knowing the key. At its introduction, the algorithm’s strength should be proportional to half the number of possible keys. So, an algorithm with 64-bit key length begins life with a theoretical strength proportional to ½264 –that’s 263. As long as the algorithm is complex enough to provide that level of protection, it is as strong as its original design. This strength algorithm would be described as having 64-bit strength. Mathematical advances in optimization of the algorithm’s decryption processes sometimes make it possible to “shortcut” some, or many, of the steps—a typical advance would reduce the complexity of the algorithm to 250 operations—significantly below the designed strength. That may still be above the strength required by your use of the algorithm, and as long as the “current best” optimizations do not bring the algorithm’s strength below the required strength, it is still usable. Making this more complex is the requirement that you make these decisions for the future—when encrypting a document, you typically want it to be secure for more than just until the end of the week, and so you have to make an estimate as to what mathematical developments are likely over the next year or two, and possibly over the next decade or more. Just as encryption algorithms are ranked by the number of operations required to produce a valid decryption without knowing the key, and this is balanced against the size of the key, so too hash functions are ranked by the number of operations required to produce a colliding document in one of the three scenarios that hash functions are designed to protect against—discovering a document based on its hash, creating a colliding document based on a hash, and creating a pair of colliding documents (two documents usually that share large portions and change in only a small area and which generate the same value when hashed). Choosing the strength of encryption and hash algorithms by the number of bits in their keys or outputs is not a significant measure, except when comparing two algorithms of the same family—for instance, comparing SHA-256 against SHA-512. The latter is, at least in theory, 2256 times stronger than the former. Comparing asymmetric key algorithm strengths against symmetric key algorithms is particularly difficult. Because asymmetric keys are generated, whereas symmetric keys are chosen from a completely random space, there is already a significant difference between key sizes. According to RSA, for instance, the strength of a 1024-bit RSA key is roughly equivalent to the strength of an 80-bit symmetric key; the relationship is not linear—for more information, see www.rsa.com/rsalabs/node.asp?id=2004.
Key Management When proposing cryptography-based solutions to my customers, I find it’s best to get past the fear factor with a simple mantra—I choose “Encryption is used when we would rather risk destroying the data, than risk it falling into the wrong hands.” It’s something that’s worth repeating over and over to remind yourself that data loss is
Encryption Algorithms 477
what encryption is all about—both in the sense of “loss as destruction,” and “loss as exposure.” Obviously, to maintain availability, as we discussed earlier, it is important to consider how to handle the inadvertent loss of a key, or how to prevent it, and how to manage a key’s life cycle. The first question you should ask related to any key (this applies as much to a symmetric key as it does to the private key of a public/private key pair) is whether it is acceptable for anyone other than the key holder to be able to have access to the key. The initial reaction is to say “no, of course not”—but that may ignore the possibility that the key holder may deliberately or accidentally destroy the key. If the key’s purpose is to identify the user, and you may need to point to use of the key as proof of the user’s involvement, then the answer is quite definitely that you do not want anyone other than the user to have access to that key. Such a key should be stored only in the users’ private certificate store, ideally on a smart card or other hardware device subject to antitampering protection. The life cycle of such a key follows from creation through use, renewal, and finally to either revocation or expiration. It is the simplest of key life cycles. Other keys may require the ability to be recovered on behalf of the key owner, or in some cases, on behalf of the organization to which the key owner belongs—for instance, to decrypt files after an employee has left the company. The life cycle on such a key goes from creation, archive and distribution, through use, renewal and possible recovery, and finally heads to revocation or expiration. You will read more in Chapter 12 on how keys are generated, archived in key escrow, and revoked through CRLs or Online Certificate Status Protocol (OCSP) requests and responses.
Encryption Algorithms There are a number of encryption algorithms available for use and more are created over time. This list is by no means complete but represents some of the more important algorithms at the time of writing and covers the requirement for the CompTIA Security+ Objectives.
DES DES is another of those generic names that indicates it comes out of NIST. The DES algorithm uses a 56-bit key, and as you would expect from something with such a small key size, it is a symmetric key encryption algorithm—asymmetric keys are usually more than a thousand bits in length. It is also a “block” encryption algorithm, meaning that it encrypts in blocks—in DES’ case, a block is 64 bits—one block at a time. While block ciphers are not in themselves designed to encrypt streams of data, it is possible to use what is known as a “mode of operation” to encrypt a stream using the block cipher. Modes of operation,
478 CHAPTER 11 General Cryptographic Concepts
such as Cyclic Block Chaining (CBC) or Cipher Feedback (CFB), are beyond the scope of the Security+ Objectives, but the interested reader should have no difficulty finding documentation to read. Although it is technically beyond the scope of this document, the simple ingenuity of output feedback (OFB) is worth discussing, particularly as it pertains to creating a stream cipher from any block cipher. In OFB, the block cipher is used, with the encryption key, to encrypt a random value known as an “Initialization Vector (IV).” The resulting block of encrypted bits is used as a key stream to encrypt the plain text stream, by combining the two streams using an XOR operation. Whenever a new block of the key stream is needed, the previous block of the key stream is encrypted again using the block cipher and key. The IV will need to be known to decrypt the stream at the receiving end, and it is often sent in clear text at the start of the communication (see Figure 11.4).
Figure 11.4 The Overview of OFBs Operation
Encryption Algorithms 479
A stream cipher created using OFB has the advantage that, as described in the Queen’s Jewels earlier, a stream can be encrypted by a sender, encrypted again by the recipient, decrypted by the sender, and then decrypted by the recipient so that a symmetric key algorithm can be used to protect data without sharing a key. The decryption process is exactly the same as the encryption process except that the cipher text is used as input and the plain text is created as output.
Triple DES As the name implies, “Triple DES” (3DES) is an algorithm built from three applications of the DES algorithm. Rather than the obvious process of running the DES encryption three times, 3DES first encrypts using DES and the first key, then decrypts using the second key, and finally encrypts using the third key. This method was chosen in large part so that a hardware implementation of 3DES could be used to also implement DES by setting all three keys to the same 56-bit value. When applying an encryption algorithm more than once to a set of data, it’s important to do some heavy-duty cryptanalysis on the result to ensure that the repeated application of the algorithm does not cause leakage of information that could be used to decrypt. As you can see from the Caesar cipher we discussed above, in some encryption algorithms, the process of encrypting with two keys is the same as encrypting with one key. Worse, in some contexts (such as when the two keys add up to 26 in the Caesar example), the repeated application of the encryption algorithm leads to less security (or none) than the application of one key alone. 3DES has had much cryptanalysis thrown at it, and as a result, we can be fairly confident that it is more secure than DES. By using a different key at each stage, 3DES starts with triple the theoretical security of DES, and triple the key size, at 168 bits. A speed optimization may be to use a 112-bit key such that the first DES cycle and the third DES cycle use the same 56 bits as keys—this allows optimization of the internal state of the first and third DES cycles.
RSA RSA, named after Rivest, Shamir, and Adleman, its inventors, is the name of a company whose focus is on public key infrastructure and cryptography, as well as the name of an asymmetric cryptography algorithm, which is why we encounter this abbreviation in this section on cryptographic algorithms. Because the RSA algorithm relies on mathematical operations—particularly exponentiation—it is possible to apply it to any size of input, although there are some measures required in implementing the algorithm to ensure that small input does not cause an easy time guessing the plain text. A padding scheme is always used to ensure that there is some significant randomness in the input. At the other end of the scale, too large an input to the RSA algorithm is a bad idea also, as the RSA algorithm can be quite slow. As such, the RSA algorithm—and most asymmetric key cryptographic algorithms—will generally be used only to encrypt an
480 CHAPTER 11 General Cryptographic Concepts
exchange of a suitable symmetric key for a stream or block cipher to be used for bulk encryption.
Advanced Encryption Standard With Advanced Encryption Standard (AES), we return to the land of the generically named symmetric key block cipher, as the AES comes to us from another NIST competition to develop a good encryption algorithm, this time to replace DES as it became clear that DES was approaching a time when it would be easy to crack using relatively inexpensive hardware. AES was the name NIST gave to the winner of the competition, which was previously called “Rijndael,” an amalgam of the names of its two designers, Joan Daemen and Vincent Rijmen. The AES cipher is actually a specialization of the Rijndael cipher, as the AES cipher has a block size of 128 bits, whereas the Rijndael cipher can have any block or key size from the selection of 128, 160, 192, 224, and 256 bits. The AES cipher supports key sizes of 128, 192, or 256 bits. The cipher is often known by its name and the number of bits of key—for instance, AES-128 and AES-256 are often supported ciphers and refer to AES with 128-bit and 256-bit keys, respectively.
Elliptic Curve Cryptography Elliptic Curve Cryptography is another mathematically based technique for cryptographic operations, rather than being based in bitwise logic, and like RSA, can essentially be used with any size of key. The bit strength of Elliptic Curve encryption is theorized to be roughly half the size of the key—so a 256-bit elliptic curve cryptography (ECC) key has strength of about 128 bits, compared with an RSA key for the same strength, which would need to be 3072 bits in length. Ironically, Elliptic Curves are also used in integer factorization techniques that make RSA seem likely to have a reduced life span. So, Elliptic Curves are causing the demise of the very encryption scheme that they are being used to replace. Elliptic Curves are relatively recent but have so far survived very well against cryptanalysis.
One-Time Pads One-time pads are the perfect encryption method and have been mathematically proven to be so. They are, unfortunately, very impractical. The way a one-time pad works is that a stream of random characters (the one-time pad) is generated (see Figure 11.5) and distributed securely between the sender and recipient. The stream must be of at least the same size as the stream to be encrypted. When it is time to send the encrypted traffic, the plain text is combined with the stream of random characters, usually using a simple XOR combination, to generate cipher text. At the recipient’s end, the cipher text is decrypted by reversing the process.
Encryption Algorithms 481
Obviously, the biggest flaw with this method of encryption is that the stream of random numbers or bits has to be shared between two people while remaining secret. Transferring a stream of bits securely is the problem that encryption is designed to solve, and here, we are solving it by requiring that you first transfer a stream of bits securely. That is only going to work if the threat to secrecy that you are trying to solve is reduced at the time or place that you exchange the random bit stream for the one-time pad. For instance, if you meet your recipient once a year, and generate the one-time pad at that time, you can exchange secret data later, when you and your recipient are separated by significant distances and Figure 11.5 perhaps one or two eavesdroppers. Image of a Tear-Off Pad with Random Other flaws with one-time pads in Numbers practical use involve the problem of whether you can truly generate random bit streams, how to cope with the prospect that you do not know how many messages of what length you will be sending, and there are known issues with synchronizing if you get out of sync on the bit stream. The S/Key protocol avoids much of this difficulty by using a single key to generate a one-time pad. The key is encrypted multiple times under the user’s control, and the result of that encryption is given to the authenticating party. The user can then authenticate by providing a value that, when encrypted once, results in the value held by the authenticating party. The authenticating party then holds the value the user gave them as the check value for the next time the user needs to authenticate. This is not truly the same as the theoretical one-time pad with its perfect security, as the strength of the authentication is limited by the size of the original key and the strength of the encryption protocol.
Transmission Encryption General-purpose encryption algorithms are often adapted to fit specific uses. Two such protocols that the CompTIA Security+ Objectives specifically call out are Wired Equivalent Privacy (WEP) and Temporal Key Integrity Protocol (TKIP), both invented to protect IEEE 802.11 wireless network traffic (also known as “Wi-Fi”).
WEP WEP is particularly worth knowing about, if for no other reason than it is an object lesson in the old maxim “don’t write your own cryptography unless you are a cryptography expert,” along with its corollary, “you are not a cryptography expert.”
482 CHAPTER 11 General Cryptographic Concepts
When the 802.11 standard for wireless networking was introduced, the only option to include privacy on the wireless traffic was WEP. As its name implies, the goal was to give you the sort of protection for your traffic that you would expect if you were connecting through a wire. That’s essentially marketing hyperbole, of course, because a wire presents significant privacy for your traffic—especially if you can see the wire from end to end. Because there is money to be made in offering different strengths of encryption, WEP was offered in two strengths—64 bit and 128 bit. A later 256-bit version was offered by some vendors. The WEP encryption algorithm used a 24-bit random IV and added to it the key bits generated by the user. For that reason, the 64-bit encryption used 40 bits of key, the 128-bit encryption used 104 bits of key, and the 256-bit encryption used 232 bits of key. These key bits were generally entered as hexadecimal values. The key and IV are used for an RC4 stream cipher, which requires generating a key stream that is then combined using the XOR operation to encrypt or decrypt data. Obviously, the first major flaw with this algorithm is that 40 bits of keying material is really very small, particularly on a busy wireless network, where a large amount of traffic can be intercepted and analyzed in a small time. Because the key in use for this transmission was not changed during the transmission, nor was there any key negotiation, it became clear that WEP could be cracked, and eventually in less than a minute, by forcing the Access Point to generate large amounts of error traffic. Even with the 128- or 256-bit versions of the WEP algorithm, however, the 24-bit IV led to the repeating of encrypted data, which allows an attacker to deduce the key stream, and forge data that the Access Point will accept as genuine.
TKIP While WEP was being broken by attackers, the Wi-Fi Alliance approved a subsequent TKIP. TKIP was approved as a part of the Wi-Fi Protected Access protocol (WPA). TKIP uses RC4 as well but has several advantages over WEP—most notably, each data packet is encrypted using a different key, and instead of merely concatenating the IV and the key, TKIP combines them using a key mixing function. TKIP also uses a sequence counter, so that replay attacks fail, as the sequence counter is different when the replay attack is attempted. WPA2, an update to WPA, also allows the use of AES as the basis of an encryption protocol instead of RC4.
Protocols You will no doubt have noticed by now that one common theme to all these cryptographic algorithms is that they are ephemeral. Their useful life span is measured in years, rarely decades. By comparison, Web browsers have been around for about a decade and a half; the underlying protocols of the Internet, Transmission Control Protocol (TCP) and Internet Protocol (IP), have been around for over three decades, essentially
Protocols 483
unchanged in that time, and with no plans to provide a complete replacement—even when IPv6 is widely deployed, the TCP on top of it, and much of the IP technology, remains unaltered, as will the use of HTTP for Web browsing. Particularly because of the constantly changing list of reliable cryptographic algorithms, but also because it makes good engineering sense, the first thing that needs to be done when deciding to use cryptography is to agree between sender and recipient on a choice of cryptographic algorithm and to exchange keying information where necessary. This process of agreement prior to exchange is defined in a “protocol” specification—just as in real life, a protocol is the set of agreed upon rules by which work is done rather than the doing of the work itself.
Cryptographic Protocols Some protocols are interactive between the two parties—where each side will say “here’s what I can do,” and between them they will choose a common cryptographic method that they will use for their communication. Other protocols are declarative in that the creator of the encrypted content will essentially say “here’s some content, encrypted using XYZ algorithm”; the reader of such a piece of data will either support or not support the algorithm defined in the protocol. There are some specific protocols that the CompTIA+ Security Objectives have asked for you to be aware of.
Secure Sockets Layer/ Transport Layer Security Secure Sockets Layer (SSL), or Transport Layer Security (TLS), refers to essentially the same protocol but in different versions. SSL was originally invented by Netscape, the makers of the Web browser Netscape Navigator, as a means to allow credit card transactions to be carried out securely over the World Wide Web. Other browsers adopted SSL so that they too could perform secure credit card transactions. As we discussed earlier, advising against creating your own cryptography, SSL 2 had some flaws that needed correcting; while Netscape produced SSL 3 to correct these flaws, Microsoft also developed its own private communication technology (PCT) standard, also correcting the flaws in SSL 3. These two competing standards, of course, had their own flaws, although these flaws were considerably less significant than the flaws in SSL 2. In an effort to achieve a harmony of standards, as well as to address the flaws in SSL 3, Netscape allowed for automatic and royalty-free licensing of the SSL 3 protocol, and worked with members of the Internet Engineering Task Force (IETF) to produce a new unified standard based on SSL 3, and with lessons learned from SSL and PCT. This new standard is called TLS, and although it is a new name, it is functionally a logical development from SSL. In fact, the version number embedded in a TLS 1.0 stream is “3.1,” essentially declaring that a TLS-capable client is actually an SSL 3.1 client. TLS was first publicly defined in the IETF document Request for Comments (RFC) 2246, which can be found at http://tools.ietf.org/html/rfc2246—the current version
484 CHAPTER 11 General Cryptographic Concepts
at time of writing is TLS 1.2, which is available at http://tools.ietf.org/html/rfc5246. Those RFCs are linked for informational purposes only—RFCs in general are not easy to read, and the TLS RFCs are no exception. If you want to understand SSL or TLS in any depth—and particularly if you need to design or implement solutions based on SSL or TLS—I would recommend reading Eric Rescorla’s book “SSL and TLS—Designing and Building Secure Systems.” From this point on, I will refer to TLS, but you should consider that most of what I describe in TLS will also apply to SSL. TLS was designed as an extra layer on top of TCP/IP, but underneath an application, so as to make it easy to add TLS to an existing application. This means that TLS is divided into three sections—negotiation, communication, and closure. Four sections, if you count the inclusion of error information. TLS is not completely a “black box” addition—there are some subtleties to developing an SSL/TLS compliant program—as such, you should be careful when choosing TLS programs to ensure that the developers thoroughly understood the protocol before beginning development. The description below is of the process of a basic TLS session using a version at or after SSL 3.0. Some messages are the same with SSL 2, but since SSL 2 has been deprecated for over a decade and is deemed “noncompliant” by industry standards such as PCI DSS, it is not worthwhile discussing SSL 2’s behavior. We will begin with a discussion of the negotiation process, which follows Figure 11.6. The negotiation, or handshake, portion of TLS begins with one party behaving a server and the other acting a client. The TLS client starts by sending a clientHello message, which tells the server the highest version of TLS that it supports, and a list of the cryptographic algorithms— called Cipher Suites—it supports. The clientHello also contains a freshly generated random number (to be used later, in generating a shared key), an optional session ID, and a list of Compression Suites. Compression, if chosen, obviously must be performed before encryption and after decryption, because encrypted data should not have any recognizable patterns that would enable compression. The server responds with a serverHello, indicating one Cipher Suite that it has chosen from the list offered by the Figure 11.6 client and one Compression Method. The serverHello also contains a random A Normal SSL Handshake
Protocols 485
number generated by the server, an optional session ID, as well as the highest version number of TLS that is supported by the server and the client. After the serverHello message, it sends a Certificate message, identifying itself to the client. The certificate message consists of a list of X.509 certificates, representing a chain from the first certificate (representing the server itself) up to a root that the client is asked to trust. The chain is optional and may be absent if the server expects that the client already has its Issuer installed as a trusted certificate. Finally, the server sends a serverHelloDone message, which indicates only that the server has nothing more to say. Now the client sends a clientKeyExchange message, containing its half of the key exchange. There are two supported key exchange methods, RSA and Diffie Hellman. In the RSA method, a further random number, known as the Pre Master Secret, is encrypted by using the server’s public key (from the Certificate message), and this is used (along with the previous client and server random numbers) to generate a shared “master secret” and further keying material used by client and server and the Cipher Suite negotiated between them. At this point, each side has all the material it needs to start encrypting using the shared key, and to indicate this, the client and the server will send a ChangeCipherSpec message and a Finished message, which simply indicates that all traffic from this point forward will be encrypted and possibly compressed using the negotiated Cipher Suite and Compression Suite. After the ChangeCipherSpec message, the first encrypted message is sent—a Finished message, that contains a hash of the previous handshake messages sent by the sender. This is to ensure that the client and server can verify that they received exactly the handshake messages that were originally sent. Once the TLS connection has been made and the session has been negotiated, further traffic is sent as a series of TLS data records, each of which is prefixed with 5 bytes of clear text—one byte for the record type value, two for the TLS version (in every TLS record), and two for the length of the record. The remaining bytes in the record are encrypted, and when decrypted consist of the data, a keyed Hashed Message Authentication Code (HMAC) summarizing the data traffic in this TLS connection so far, and padding values to allow data of different lengths to match the block size if a block cipher is chosen as the Cipher Suite. Termination of the TLS connection is often ignored in applications that use TLS— and this is safe for protocols where both parties can reliably tell if all data has been successfully transmitted based on the data alone, for instance, if there is a content length field, or an encoding that allows the end of data to be signaled in stream. For protocols where it is important to tell the difference between a deliberate but unexpected closure of the TCP stream and an attacker’s injection of a “FIN” flag to close the stream, the closing party should always send a Close Notify alert, and the receiver should check for this and complain if it is not received before the TCP stream is closed. The Close Notify message is one of a range of Alert messages that can be sent to signal errors. For full details of these Alerts, please refer to the RFC or the SSL and TLS book referenced earlier. There are two other forms of TLS negotiation you should be aware of. The first is a simpler form of negotiation, used when resuming an existing session (see Figure 11.7).
486 CHAPTER 11 General Cryptographic Concepts
In this case, the client sends a clientHello containing the session ID that it received in the serverHello when it previously established the session. If the server approves (indicating this by returning the same session ID in a new serverHello message), the server will send a ChangeCipherSpec and Finished message to which the client responds with its own ChangeCipherSpec and Finished message—as shown in Figure 11.7. The master secret and the key information built from it remain the same as negotiated at the beginning of the session, with new client and server random values to prevent replay attacks. The other TLS negotiation worth considering is for mutual authentication—where the previous negotiations contain a Certificate message only from the server; for a mutual authentication sequence, the server will request a certificate from the client by sending a Certificate Request handshake message. The client, if it has a suitable certificate, will Figure 11.7 send it in a Certificate message and will SSL Resume Handshake prove its ownership of the certificate by sending a Certificate Verify message, which is a string signed by the private key associated with the client’s selected certificate. A diagram of SSL mutual authentication is shown in Figure 11.8.
HTTP versus HTTPS versus S-HTTP
Figure 11.8 An SSL Mutual Authentication Handshake
The usual use case for TLS still remains the one for which it was originally designed: that of protecting World Wide Web transactions over HTTP. HTTP itself is a text-based protocol, which makes debugging and analysis by humans easy, but also makes theft of data in transit by humans and machines alike even easier. HTTPS is the most native possible implementation of TLS with HTTP, and served for many years as the model for how TLS should be used. A new port was reserved—443 for HTTPS versus port 80 for HTTP—and all connections to that port would be considered to be using TLS from the moment they connected (and
Protocols 487
therefore, starting with a serverHello message) until such time as the HTTPS connection was terminated, leading to the implicit closure of the TLS connection. S-HTTP, by contrast, does not use TLS at all but instead treats each HTTP request and response as an individual message to be protected using the Cryptographic Messaging Syntax (CMS) encapsulation protocol. This allows each request and response to be signed or encrypted, according to options specified on each resource available from the Web server. Of course, with such flexibility and individual control comes the price that S-HTTP is difficult to administer. HTTPS is sufficient for most sites and as such is the protocol most commonly used for providing protected content across the Web.
Other Protocols with TLS Many other TCP-based protocols have added options to use TLS to protect their content over the years—Simple Mail Transfer Protocol (SMTP), Lightweight Directory Access Protocol (LDAP), and Network News Transfer Protocol (NNTP) use a STARTTLS command to indicate a request from the client to use TLS, and FTP uses an “AUTH TLS” command with options to indicate whether commands, data, or both are clear or encrypted.
Secure/Multipurpose Internet Mail Extensions Secure/Multipurpose Internet Mail Extensions (S/MIME) offers signing and encryption of e-mail messages in a similar way to the S-HTTP protocol—in S/MIME, the components being signed or encrypted are the MIME parts of the message. Again, CMS is used with some minor modifications to fit the CMS protocol in with MIME. By using detached signatures, where one MIME part containing clear text is signed to provide a separate MIME part containing its signature, S/MIME signed messages can be sent without worrying about whether or not the recipient is capable of displaying or interpreting S/MIME messages. A recipient who is unable to process the S/MIME part will simply see the text message without the ability to verify the signature on the message. Because S/MIME messages are sent across a transport medium that does not allow for both endpoints to be connected and communicating at the same time, an S/MIME encrypted exchange usually starts with an unencrypted message signed by the sender’s certificate. This message includes a SMIMECapabilities attribute, which describes the preferred encryption protocols supported by its sender. The recipient of this first message now has all the ingredients needed to respond with encrypted data—a certificate, with which the message was signed and which can be used to encrypt the Content Encryption Key (CEK) in their response. Comparing S/MIME with SMTP/TLS provides an even greater contrast than between HTTPS and S-HTTP. Remember that SMTP mail transport is often achieved over multiple hops, and with the possibility that not all hops are active at any one time. As a result, SMTP/TLS can only secure one link at a time—it is possible that even if you connect to your local SMTP server using TLS, it may not necessarily connect to
488 CHAPTER 11 General Cryptographic Concepts
the next SMTP server in the chain with any protection whatever. S/MIME, on the other hand, provides protection on the message at all points from sender to recipient—it even protects the message from the SMTP servers that carry it! So, while S-HTTP is generally seen as too much of a good thing to be implemented, and HTTPS is chosen as the default, in e-mail, S/MIME is generally chosen over SMTP/TLS, because S/MIME protects the mail itself, rather than the transport of the mail across a single link.
Secure Shell Secure Shell (SSH) was invented in 1995 in an attempt to prevent password-sniffing attacks on the rlogin and Telnet protocols commonly used for shell (console) access to UNIX systems. Since then, SSH has developed into more than just a shell access tool, and operates as a secured network layer, equivalent in many ways to SSL and TLS. There are some significant differences that are worth commenting on: ■■
■■
■■
■■
While TLS sits as a thin layer between the application and the transport layer (usually TCP), SSH essentially provides its own transport layer on top of TCP. Applications can be made to execute through an SSH tunnel, without any change to the application—though this can be problematic for applications using protocols such as FTP, which opens different ports throughout the communication. The usual method of tunneling FTP over SSH is to tunnel only the command connection (control channel) through encrypted SSH and to allow the data to continue to flow unprotected on regular ports. SSH authenticates using public and private keys but does not take advantage of a PKI to verify trust. Trust is assigned one host at a time, by the client user accepting an offered public key as being associated with the host to which the client is asked to connect and by the client checking that key every time it connects. This can make the deployment of SSH time-consuming in an enterprise environment, where trust would be indicated in TLS by adding a trusted enterprise root certificate to issue all enterprise-owned certificates. However, because each connection is initially confirmed by a human being, this can be seen as avoiding the problems encountered in making a TLS connection to a server whose CNAME does not generally match its host name. SSH is generally provided along with a small suite of applications—the SSH client/server application itself to replace rlogin and Telnet; the SFTP application to replace FTP; the SCP application to copy files securely and utilities to manage the relationship between public keys and trusted partner hosts. Although these replace existing applications, they generally do not work the same as those applications and cannot be treated as drop-in replacements. SSH is popular among Linux/UNIX users and mostly spreads out from the community of open source admirers. Microsoft Windows does not natively support SSH nor does Microsoft offer any SSH implementations or toolkits, which can
Protocols 489
make it difficult to ask for your partners to use SSH-based protocols if they are Microsoft-heavy environments. ■■
While SSH has recently become an IETF documented standard with RFC documents, some aspects are still not standardized or fully documented—particularly, SFTP has never been standardized, and interoperability can be problematic as a result, with different implementations expecting slight differences in behavior. FTPS (File Transfer Protocol over Transport Layer Security) by comparison has been an RFC standard since 2005.
SSH and SSL are often compared, but while they both achieve the aim of secure communications protected by public key authentication, they do so in different ways. When assessing the need to protect communications, both options should be considered, depending on who you are connecting to and what the communications will focus on.
IPsec IPsec, by contrast to SSH and SSL, works below the transport layer and above the IP packet layer. By adding IPsec rules to your connections, you can allow any application that uses an IP-based protocol (even UDP apps!) to take advantage of the security offered by IPsec. IPsec contains two security mechanisms for general data—Authentication Header (AH) and Encapsulating Security Payload (ESP). The other part of IPsec, Internet Key Exchange (IKE), operates before communication protected by AH or ESP, to establish a Security Association (SA) between two hosts, negotiating between those hosts to authenticate, as well as to agree on encryption methods and keys. IKE can authenticate parties and establish encryption keys by using public keys or by using a preshared key (PSK)—this would be a passphrase or other secret combination of characters that is communicated outside the connection between the systems to be connected and must be the same on each of the two hosts. A PSK can be created for several connections, and PSKs between different connections should be different to avoid possibility of confusion or spoofing of traffic. Each IKE negotiation results in two SAs, one inbound and one outbound, at each host. Obviously, one host’s inbound SA will match the other host’s outbound SA and vice versa. The SA consists of an IP address, a Security Parameters Index (SPI), and the key associated with the SA. The SPI is simply a random number generated by the host that created its associated key and along with the IP address of that host can be viewed as an index into the database of SAs. IKE operates over UDP, on port 500, and negotiates using a number of different methods (as described above—public key encryption, X.509-based certificate signing, or PSKs) to exchange nonces—random numbers—that are used to generate keys for the actual data protection (see Figure 11.9). Once the IKE exchange has taken place between two hosts, the actual traffic can be started. It is a common myth that with IPsec, all traffic is encrypted—this is only true for traffic protected by ESP. When using IPsec to segment networks (such that a shared network can be broken up into several virtually separated networks
490 CHAPTER 11 General Cryptographic Concepts
of IPsec-supported computers), the AH protocol is all that is required to achieve such authentication. AH operates as IP protocol number 51 (thus is neither UDP nor TCP and does not have an associated port number) and inserts a header into each protected data packet containing the SPI of the negotiated SA to which this packet is associated, a Sequence Number to prevent replay attacks, and an integrity check value (ICV), which is generally a keyed MAC of the AH header (excluding the ICV) and any data following it (see Figure 11.10). This allows each packet to be verified independently of any other packets Figure 11.9 (other than the key exchange performed A Sample of IKE Operation by IKE). ESP operates as IP protocol number 50, and its IP header contains the SPI of the connection, a Sequence Number to prevent replay attacks, encrypted payload data (the IP packet that has been encrypted), encrypted padding to align the payload data with block sizes for block ciphers, an encrypted Next Header value, and an ICV just as in AH protocol. The Next Header value refers to the header inside the payload data rather than a header following the ESP header—there usually is no such following header, but the decrypted payload data can be considered to be the logically following data. Authentication is technically optional for ESP, but practically it would be unwise to operate ESP without authentication, as this provides encryption but no verification of identity in either direction. Without authentication, you would know that there would be no eavesdroppers between you and the endpoint to which you are communicating—but how would you know that the endpoint is not an eavesdropper engaged in a man-in-the-middle attack? The ICV in ESP protects the integrity of the contents of the ESP header (payload data included) except for the ICV itself (see Figure 11.11). Comparing IPsec to the protocols we have discussed before, it is clear that there are some advantages and some disadvantages. ■■
■■
IPsec authenticates hosts to one another and cannot authenticate users. This can be an advantage or a disadvantage, depending on how you need to authenticate. Obviously, there are numerous authentication methods that authenticate users and which can be run over the top of IPsec. IPsec protects any application, without that application being aware of its being protected. This means you do not have to get special versions of your application that support I Psec—but it does mean that the application t ypically is unaware that it is being protected, so the application cannot
Protocols 491
Figure 11.10
Figure 11.11
An AH Header Format
ESP Header Format
enerally make decisions to throw away its own protection measures if they g are u nnecessary. ■■
■■
■■
IPsec requires that routers accept and pass protocols 50 and 51—some routers are not configured (or configurable) to do so. IPsec builds its ICV, and creates its SA, over values that include the IP address of each host—this makes it difficult to use across a Network Access Translation (NAT) router. To deal with this, an encapsulation known as NAT-Tunneling (NAT-T) was developed. This has been criticized for revealing internal IP addresses, but there is really no way around that when NATs are in use. IPsec ESP can operate either in Transport mode, in which it uses addresses on the local network, or in Tunnel mode, in which the source and destination IP addresses inside are from different physical—and logical—networks than those that are carrying the outer packets. As we shall see later, this Tunnel mode is used for creating virtual private networks (VPNs).
IPv6, if you choose to deploy it, offers some advantages to IPsec users. First, all IPv6-capable systems are required to support IPsec. Additionally, because there are no NAT devices for IPv6 (they are not necessary), there is no need to use NAT-T when carrying IPsec traffic. This may make it easier to adopt IPsec in future.
VPNs VPNs offer the allure of being physically present in one location, while behaving as if attached to the local network of a different location entirely. To truly be a VPN, the traffic shared among devices on the VPN must be protected so as to provide confidentiality, integrity, and authentication (see Figure 11.12). Confidentiality satisfies the privacy aspect that implies outsiders should not be able to see traffic, integrity satisfies the privacy aspect that outsiders should not be able to change or prevent the network traffic, and authentication satisfies the aspect of privacy that says you have to be able to distinguish between insiders and outsiders.
492 CHAPTER 11 General Cryptographic Concepts
Point-to-Point Tunneling Protocol Point-to-Point Tunneling Protocol (PPTP) is the oldest of the VPNs under consideration here and unsurprisingly is the least fully featured or secure by itself. Described in RFC 2637, it is a relatively simple encapsulation of the Pointto-Point Protocol (PPP) over an existing TCP/IP connection. It consists of two connections (perhaps more in multilink environments, although this is less common today)—the control connection is a TCP connection to port 1723 and the IP tunnel connection is carried over the Generic Routing Encapsulation (GRE) protocol, carrying the user’s data itself. PPTP connections can be established in either direction, although it is more Figure 11.12 common in the TCP/IP case for a client A VPN in Use to initiate the connection—the call-back scenario was more commonly supported for dial-up access to systems. The control connection is established first, and a StartConnection-Request message is sent, which the other party responds to with a StartConnection-Reply message. Once the control connection itself has been established using these messages, the client sends an Incoming-Call-Request message to the server, requesting that a tunnel connection be created. The server responds with an Incoming-Call-Reply message, which the client needs to acknowledge with an Incoming-Call-Connect message. These Incoming-Call messages negotiate a pair of random Call ID numbers associated with each end of the connection—these Call IDs uniquely identify traffic in the GRE tunnel, so that the same tunnel can contain multiple Call IDs, in case multiple users need to make VPN connections to the same server. The GRE data traffic then can begin and consists simply of PPP packets encapsulated in the GRE header. The Call ID is included in the Key field of the GRE header, along with the packet’s length, an optional Sequence Number, and acknowledgment number. Closure begins with a Stop-Connection-Request, which the other party responds to with a Stop-Connection-Reply, after which the TCP connection between client and server is severed. To prevent resources being used by an inactive session, a “keepalive” or echo packet is sent periodically—if the keepalive has not been received or responded to in 60 s, either side may disconnect the TCP connection and discard any further traffic through the GRE protocol for that connection. As you can tell from the description, this is a very simple protocol and does not consider security in itself. Security requirements of PPTP are left to the PPP portion of the traffic.
Protocols 493
PPTP connections can be authenticated through the PPP layer using Microsoft’s MCHAP (Microsoft Challenge Handshake Authentication Protocol) or the EAP-TLS protocol. Encryption can be provided by the Microsoft Point-to-Point Encryption (MPPE) protocol, which is based on RC4 with session keys of 40-bit, 56-bit, or 128-bit length. Because PPTP is so simple, it is frequently implemented, even in non-Microsoft operating systems such as Mac OS X and Linux. As a simple protocol, it is ideal for small low-power devices, such as mobile phones and personal digital assistants (PDAs). PPTP’s biggest failing, besides its passing of security considerations to the underlying PPP protocol, is that it uses a protocol (GRE) other than TCP or UDP, which may be blocked at firewalls, NATs, and routers.
Layer 2 Tunneling Protocol Layer 2 Tunneling Protocol (L2TP) was defined originally in RFC 2661, with the current version, L2TPv3, defined in RFC 3931. The name refers to the fact that Layer 2 (the same layer as Ethernet) traffic is tunneled over UDP, a Layer 4 Protocol. Unlike PPTP, L2TP uses one data stream only on UDP port 1701. L2TP packets are divided between control and data by a flag in the header. Because L2TP operates over UDP, it has to implement its own acknowledgment and retransmission mechanisms for the control messages it uses. Like PPTP, L2TP uses PPP to encapsulate data traffic that is sent across the tunnel, and connections or “calls” are created and torn down over the implied circuit created by the UDP traffic to port 1701 at the server. The server responds to whatever port the client sent its UDP messages from—this may be port 1701, but is generally a random port number. Instead of connections and calls, L2TP sets up tunnels and sessions, for similar purposes. The L2TP negotiation consists of data exchanged over UDP, beginning with a Start-Control-Connection-Request, containing a Tunnel ID used by the initiator to identify its end of the connection. The recipient responds to this with a Start-ControlConnection-Reply, containing its own Tunnel ID, and acknowledging the Tunnel ID of the initiator. The initiator then sends a Start-Control-Connection-Connected message, indicating that it accepts the Tunnel ID from the recipient. Just as in the PPTP case, the negotiation continues from this point to establish a Call, beginning with an Outgoing-Call-Request, followed by an Outgoing-Call-Reply. These messages contain the session IDs to which this call is associated, as well as a Remote End ID value (also known in some documentation as the Assigned Call ID), which is a unique identifier for the call being attempted. A final Outgoing-Call-Connected message completes the handshake, and data can flow, marked with the Tunnel IDs and Call ID to ensure that it can be uniquely distinguished from other traffic. Again, as in the PPTP case, there is a message to disconnect a call and a message to disconnect a tunnel—these are the Call-Disconnect-Notify and Stop-Control-Connection-Notification messages. If it sounds like L2TP is PPTP with a few different names, that’s because L2TP was designed to include the best features of PPTP and Cisco’s Layer 2 Forwarding (L2F) protocol.
494 CHAPTER 11 General Cryptographic Concepts
Figure 11.13 L2TP/IPsec Packet Showing Multiple Levels of Encapsulation
L2TP’s main usability benefit comes in its use of a single pseudoconnection over a protocol that is forwarded by most routers, UDP. L2TP’s biggest security benefit also comes from the use of a well-defined protocol—Ipsec. L2TP is most often used as a VPN by combining it with Ipsec ESP so that VPN traffic is encapsulated in five layers (see Figure 11.13):
1. PPP
2. L2TP
3. UDP
4. IPsec ESP
5. IP
Although this might sound confusing, the L2TP/IPsec VPN is a common method of maintaining trusted and encrypted connections from machine to machine across uncontrolled external networks.
Cryptography in Operating Systems Most of our discussion to date has been about cryptography in transit—talking about how to protect data sent across the network. This is because it has often been assumed that the network is the most unsafe environment for private data. With increased use of laptops, third-party data centers, and hard drive backup storage, it has become clear that protecting data “in flight” should include protecting that data in storage on the operating system. Over the years, this has seen a number of developments in encryption technologies, leading to the widespread deployment of cryptography within most enterprises.
File and Folder Encryption The first application of encryption to stored data was that of file and folder encryption. In many cases, this encryption is carried out in a rather manual and ad hoc manner— running an application to encrypt a file, then running the companion decryption
Cryptography in Operating Systems 495
application when the file was needed to be edited. For folders, often an archiving utility was used that would compress and store a folder (or a set of files) into the archive file, which was encrypted. The Zip format is one example of an archive format that supported encryption of its compressed archives, initially using RC4 encryption, and in current incarnations using the AES algorithm with 128 or 256 bits. With Windows 2000, Microsoft added a more automated approach to file and folder encryption by adding its Encrypting File System (EFS) to the file system used in Windows—New Technology File System (NTFS). EFS has continually been added to in subsequent releases of the operating system, with new encryption algorithms such as AES replacing the original DES and 3DES and new options for encryption and recovery of encrypted files. A file is encrypted either when it is moved into, or created in, a directory that has been flagged as “encrypted” or when the file itself is flagged for encryption. When first encrypted, a file is protected so that only its owner and the system’s Data Recovery Agents (DRA) can access it. There may be zero or more DRAs, but the default is for the local administrator account, or in a domain environment, the first domain controller’s administrator account to own the DRA key. Once a file has been encrypted in EFS, it can be made available to other users by adding them to the list of allowed users (see Figure 11.14).
Figure 11.14 Adding Allowed Users to an EFS File
496 CHAPTER 11 General Cryptographic Concepts
The process of encrypting a file in EFS begins with the creation of a random File Encryption Key (FEK), which is the key for the symmetric algorithm used to encrypt the data of the file (see Figure 11.15). This FEK is itself encrypted by using the public keys of each user who has been added to the list of allowed users, with one encrypted copy of the FEK for each user. These encrypted FEKs are stored in the metadata for the file in a file attribute called $EFS. Note that allowing access to the FEK is not related to the NTFS permissions on the file—a Figure 11.15 user must have appropriate NTFS access EFS Using an FEK to Encrypt a File permissions to read and write the $EFS attribute or the encrypted bits of the file itself, but can only do so if they possess a private key that allows them to decrypt the FEK. Particularly worth noting is that while EFS-encrypted files are not decrypted to disk when they are opened by applications, any process that involves reading from the files and writing them out again will generally remove the encryption. Copying an EFS-encrypted file within a local system retains the encryption, as long as the target directory is NTFS. Copying an EFS-encrypted file across the network results in the decrypted contents of the file being transmitted over the network and then re-encrypted on its arrival.
E-mail As we have already discussed, encryption of e-mail is generally performed in one of two ways—either by encrypting the network connection using SMTP STARTTLS or POP3-over-TLS or by encrypting the message itself using a protocol such as S/MIME. Encrypting the connection between mail client and mail server—or more properly, the mail user agent (MUA) and the mail transport agent (MTA)—is particularly useful when the authentication method chosen is that of a simple username and password. By encrypting the connection itself, a user makes it impossible for anyone listening in on the network stream to read their password. Encrypting and/or signing the message itself allows for that message to be encrypted and signed while it sits in storage, allowing the message to remain protected for the foreseeable life of the message. Again, as with file and folder encryption, it is possible to copy data out of an encrypted message and save it to an unencrypted format. Preventing this copying of encrypted content to a plain text version would require the use of a digital rights management (DRM) technology.
Cryptography in Operating Systems 497
Whole Disk Encryption The first “portable” computer I ever used weighed 23½ pounds; as computers get lighter and lighter (my current laptop is 5½ pounds), they get easier to steal. As they get smaller and smaller, they get easier to lose. One reporter for Newsweek even complained that he cannot find his laptop and thinks it was thrown out with the recycled newspapers by his wife. Perhaps he should not put his laptop in a manila envelope even if that’s what they do in the commercials. Laptops are an easy target for thieves, as they are quick to steal, and often have significant monetary value not only in themselves as a free computer, but also in the data they contain, as personal details and bank information can raise a high price on the black market. To reduce the cost of this threat to their organization’s data, most enterprises have taken to requiring encryption of their laptops’ hard drives. Rather than rely on EFS and a user’s individual preferences as to which documents are secret, and which should be publicly available, these enterprises choose to encrypt the entire hard drive as a complete unit. As with EFS, the data itself is encrypted using a common cryptographic algorithm, such as AES (with a 128-bit or 256-bit key), and an algorithm that chooses a predictable IV for each block of the hard drive. This allows for individual blocks on the hard drive to be read from and written to randomly without having to store an extra value with each block, which would dramatically reduce the hard drive’s available space. In Microsoft’s implementation for Windows Vista and Windows server 2008, called BitLocker, the key that is used for this encryption is known as the Full Volume Encryption Key (FVEK). This FVEK is stored at several places throughout the disk to cope with the possible catastrophe of damage to the disk, and each place it is stored, it is encrypted using extra keying material chosen by the user. This keying material may be a large binary key stored on a USB key, or a key derived from a password or passphrase, or a combination of both. One final possibility for encrypting the FVEK for its storage on disk is the use of a Trusted Platform Module (TPM) chip—a specialized piece of cryptographic hardware which is designed to hold secret keys and to use them to decrypt data upon request without revealing the key. The longest portion of the encryption process is that of initial encryption (also any eventual full decryption or full reencryption in the case of a compromised key), where the entire disk must be read, encrypted, and written again. During this process, the disk can still be used—the initial encryption will only encrypt those blocks that are not already encrypted, and any write access to areas of the disk that have not yet been encrypted will cause encryption to occur naturally, ahead of the full disk encryption scan. Once a disk has been encrypted, the overhead of encrypting and decrypting data is minimal—typically much less than 10 percent. This is because the encryption or decryption of one block can be done while waiting for the next block to be read from, or written to, the disk.
498 CHAPTER 11 General Cryptographic Concepts
You should note that Microsoft’s BitLocker is far from being the only technology for Whole Disk Encryption—there are many solutions from companies such as Pretty Good Privacy (PGP) and Utimaco, as well as open source solutions such as TrueCrypt. However, they all work very similarly to BitLocker in that there is a key, an encryption algorithm, and an algorithm for choosing an IV by the physical location on disk of a block; the key is protected by a user’s choice of keying material, and once this keying material has been provided, and the volume encryption key is in memory, the rest of the operating system behaves as if the drive is fully decrypted.
TPM As we briefly mentioned above, the TPM is a relatively recent addition to a computer’s arsenal and is a specialized, tamper-resistant, hardware device designed to engage in a few simple cryptographic operations. As with most cryptographic systems, the TPM has a single root key called the storage root key (SRK), which is strongly protected inside the TPM, and is used to protect all the other keys the TPM device handles. In addition to the SRK, the operating system can request a number of other key pairs to be generated and encrypted (or “wrapped”) with the SRK such that the private key is only available inside the TPM for decryption or signing operations. In addition to wrapping a key, the TPM can “seal” the key such that it can only be used in the event that a number of system measurements (selected at the time of sealing) are the same that they were when the key was sealed. These system measurements include the BIOS code and settings stored in the computer’s firmware, as well as the boot sector of the disk. By carefully writing BIOS and boot code to exploit this sealing against system measurements, it is possible to ensure that a boot environment has not been modified since it was created and to use that assurance to decrypt a volume encryption key for Full Volume Encryption. In this way, the presence of an unaltered BIOS, boot disk, and TPM can itself be used as the source of keying material for a disk encryption suite such as BitLocker to ensure that the system is only able to boot if it has not been tampered with. This protects, in large part, against laptop thieves who either attempt to read the hard drive without the system being booted normally or who try to modify the operating system as a method of gaining access to the encrypted hard drive. Use of a TPM and Full Disk Encryption is not sufficient to guarantee complete protection against theft; however, a thief could still boot the operating system and use a network exploit, or DMA-based interface such as FireWire, to attack the running operating system through its external ports, and gain access to the decrypted hard drive in that manner. For this reason, a well-protected laptop is one that has full disk encryption that relies on both a TPM and some form of external keying material, such as a passphrase or a USB key. The last component in this scenario is a well-trained user, who knows to keep the USB key separate from the laptop, to not write down the passphrase and store it with the laptop, and to turn off, or hibernate, the computer when leaving it in an environment where there is a risk of theft.
Exam Objectives Fast Track 499
For the most part, of course, a laptop thief is likely only to wipe the system completely to sell it to a trusting buyer, so most laptop thefts are unlikely to cause a breach of data protection—however, because there is a chance of such a breach, and the cost to reputation of having to admit to that breach possibility is so great, encryption is a cheap way to ensure that data is not only protected, but is seen to be protected.
Summary OF EXAM OBJECTIVES In this chapter, we have given you a brief introduction to many of the cryptographic concepts, algorithms, protocols, and applications that are in widespread use today. We discussed the difference between symmetric key (or secret key) and asymmetric key (or public key) cryptography and the strengths and weaknesses of each technique. The use of hashes, and specifically the SHA, MD5, LANMAN, and NTLM hashes, were discussed, along with how the use of asymmetric key encryption of a hash with a private key leads to the concept of a digital signature. On the digital signature, we built the concept of a certificate and identified the difference between a single certificate and a dual-sided certificate. Next, we addressed how the use of cryptography applies to the classical security triangle of CIA before moving on to address the way that digital signatures and encryption could lead to a nonrepudiation solution, allowing a user to demonstrate that they could not deny authorizing a document. Comparing the strength of algorithms was our next point of discussion, along with the key management techniques that are necessary to ensure that encrypted data have maximum appropriate availability. To ensure that you have a thorough grounding in the most commonly used encryption algorithms, we then discussed specific algorithms, namely, DES, 3DES, RSA, AES, Elliptic Curve Cryptography, and one-time pads. Building on those algorithms, we covered the application of cryptography to cryptographic protocols, starting with the wireless protocols WEP and TKIP, and then leading into the more general network protocols, SSL/TLS, S/MIME, SSH, and IPsec. IPsec led us in to the concept of a VPN, with the assistance of IPsec being very useful in securing the two protocols PPTP and L2TP. Finally, we discussed the use of cryptography in operating systems and storage, particularly relating to file and folder encryption, e-mail, Whole Disk Encryption, and the TPM hardware component.
Exam Objectives Fast Track General Cryptography ■■
Asymmetric key cryptography and symmetric key cryptography offer different benefits and difficulties while they each protect data from being seen by unauthorized third parties.
500 CHAPTER 11 General Cryptographic Concepts
■■
■■
Cryptographic hash algorithms use one-way functions to create a uniformsized “digest” of a message, with the properties that two similar documents will produce vastly dissimilar hashes, and that it is computationally infeasible to produce two documents with the same hash or one document that will produce a given hash. Combining asymmetric key cryptography with hashes to produce digital signatures enables the creation of signed documents such as X.509 certificates, which are used to allow trusted third parties to assert identity claims on behalf of the certificate’s subject.
Encryption Algorithms ■■
■■
■■
Block ciphers encrypt fixed-size blocks at one time—they can either be used with fixed-sized blocks, or padding, or using a chaining technique such as OFB, CBC, or CFB to create a stream cipher. Stream ciphers encrypt streams of data, as many bytes at a time as you need— usually, a stream cipher generates a key stream, which appears random, and is combined with the data to be encrypted or decrypted, usually using the bitwise XOR operation. Wireless Transmission Protocols have progressed from the use of WEP, which can be broken in seconds, to the use of AES, in WPA2, which has not yet been broken.
Protocols ■■
■■
■■
SSL and TLS are two different names for versions of the same basic underlying protocol, which is commonly used in secured Web transactions today. SSL/TLS make use of X.509 certificates for authentication and key exchange, symmetric key cryptography for stream encryption, and keyed HMACs for integrity. S-HTTP and S/MIME protect the individual messages so that they may be protected in storage as well as in transit, whereas HTTPS and SMTP-TLS protect only the communication channel between endpoints. Combining IPsec with L2TP results in a secure VPN between a client and a VPN server so that the client behaves as if it was directly connected to the same network as the VPN server.
Cryptography in Operating Systems ■■
EFS provided natively in Microsoft Windows since early versions of Windows NT server provides automatic file-level encryption that allows for sharing between multiple users and recovery through the use of a DRA. The same
Exam Objectives Frequently Asked Questions 501
f unctionality can be had for other operating systems by using third-party applications and tools. ■■
■■
Whole Disk Encryption allows for protection of data held in storage on a laptop’s hard drive even after the laptop is stolen. A TPM allows measurements of the BIOS, boot sector, and other components’ configuration to be used as keys to unlock encrypted drives and other secrets.
Exam Objectives Frequently Asked Questions Q: Are the public and private keys interchangeable? A: Not generally, but it should depend on the algorithm. The public and private keys are developed using different algorithms from one another, and it may be possible to derive the public key from the private key. Because the public and private keys are used for different operations, they are often designed to have different mathematical properties. Q: What are the separate operations that a public or private key can be used for? A: The public key is used for encryption and for verifying signed hashes; the private key is used for decryption and for signing hashes. While verification of a signed hash is technically a decryption operation and signing a hash is technically an encryption operation, it is best to think of these as separate from general encryption and decryption, because of the fixed sizes of hashes. Q: Why does a digital signature encrypt a hash of the document rather than the whole document? A: There are a couple of reasons—first, the cryptographic algorithms have been analyzed for signing a hash rather than a large document, and second, the encryption process is slow on large files, whereas calculating the hash is fast. Q: Why are the symmetric and asymmetric key sizes so drastically different for the same strength? A: Symmetric keys can essentially be picked entirely at random, but creating an asymmetric key requires generating it from the random source and a large number of mathematical restrictions, which will build up the size of the key as required. Q: Why are so many of these algorithms based on block encryption rather than stream encryption? A: Because encryption algorithms and hash algorithms are often designed to swap and manipulate bits that are separated from one another by more than
502 CHAPTER 11 General Cryptographic Concepts
8 bits, they work well on wider numbers of bits than a simple stream cipher would do. As we discussed earlier, there are several proven techniques for creating a stream cipher from a block cipher, so it really doesn’t matter which you use for many operations. Q: You describe one-time pads as the “perfect” encryption method—why is that? A: A stream cipher’s design mimics the creation of a series of random bits and the combination of those bits with the plain text to create cipher text. A onetime pad doesn’t just mimic that, it perfectly is that—a one-time pad is a series of random bits that can be combined with the plain text to create cipher text. Q: Both WEP and TKIP use RC4—if WEP can be broken, why isn’t TKIP broken yet? A: WEP made many mistakes that TKIP hasn’t copied—TKIP repeatedly cycles keys, it uses a large and random IV, and it takes active protection methods against a detected attacker. Q: Your diagram shows a negotiation for client certificates or mutual authentication, but this is not the behavior I observe on my Web server when I enable client certificates. Why is this? A: Microsoft’s Internet Information server (IIS) and possibly others do not do the simplest version of this exchange when they connect. By default (and the behavior can be changed to work as in the diagram for better performance), IIS will first complete an SSL handshake without asking for a certificate from the client, and then, if client certificates are enabled, it will request a renegotiation with the client, during which it will perform a client authentication handshake. Q: You mention the use of a keyed HMAC to provide integrity for the TLS traffic—I thought the traffic was encrypted, doesn’t that provide integrity enough? A: No—without the HMAC, it would be possible for an attacker to flip a bit (or several bits) in the stream, if the attacker knew that flipping those bits would cause an interesting effect. Remember that with the way that stream ciphers are generated, a single bit in the plain text stream is represented by a single bit in the cipher text stream, and a change to that bit in one stream will be indicated by a change to the bit in the other stream. The stream will decrypt, and the decryption routine will not detect any failure, although the bit(s) selected by the attacker will have been flipped. Unless there is additional verification of the content of the stream, the attacker could change the stream unnoticed.
Exam Objectives Frequently Asked Questions 503
Q: Are there other VPN types than PPTP and L2TP? A: Yes—in recent years, SSL VPNs have become successful. These VPNs work over an SSL-encrypted TCP connection, usually using the HTTPS protocol, because this protocol is typically allowed through all firewalls. Other VPN technologies include IPsec Tunnel mode VPN, although this is often difficult to manage because of routing and NAT problems; and in future versions of Windows, the DirectAccess “VPN-less” connection makes use of IPv6, IPsec, and a number of different Tunneling protocols. Q: I have tried adding users to a file using EFS, but one user doesn’t have a public key to add, and the other, although he does have a key, can’t access the file even though I have added him. Why is that? A: The first user does not have a public key because he has not yet requested a key pair. You can enable autoenrollment on the domain controller to make the user register a key pair when he next logs on or you can ask him to encrypt a file for himself that will create a key pair. The second user does not have NTFS rights that allow him to read the file and its associated $EFS stream. Check the NTFS rights assigned to this file. Q: When I backup a file from an EFS-encrypted folder, is it still encrypted in the backup? What about backing up from an encrypted hard drive? A: Most backup software will recognize EFS-encrypted files and store them with their encryption intact. It takes more effort to try and find a key that would allow them to decrypt the file before backing it up. Backing up from a hard drive that has Whole Disk Encryption applied to it is different—the backup tool cannot “see” the hard drive’s encryption, once the system has been booted, and so the files backed up are backed up in clear text, as if the disk encryption did not exist. Q: What happens if my TPM chip gets destroyed or I move my encrypted hard drive to another motherboard? Have I lost my data? A: Encryption systems based on the TPM chip will all have some means of recovering the data that must be used if any of the BIOS or boot sector measurements have changed or if the TPM chip is unable to decrypt the appropriate key. BitLocker, for instance, has its own recovery mode where the user will be asked to enter a recovery key, which was generated at encryption time (and which the user was strongly encouraged to save, print, and store away in a safe place). In Active Directory domain environments, the recovery key can be stored in Active Directory for later recall by desktop support staff.
504 CHAPTER 11 General Cryptographic Concepts
Self Test
1. What cryptographic properties should a strong symmetric cipher have? A. The number of bits in the key should be large so as to discourage bruteforce cracking B. Encryption should be slow so as to discourage brute-force cracking C. Bits in the cipher text should never be the same value as the corresponding bit in the plain text D. The same plain text should always generate the same cipher text E. The cipher should prevent the use of keys chosen by poor random number generators
2. Which key is used to decrypt traffic encrypted using an asymmetric cipher? A. The sender’s public key B. The recipient’s public key C. The sender’s private key D. The recipient’s private key E. A negotiated shared secret
3. What technique improves the protection given by a cryptographic hash of small data? A. Signing the hash with a private key B. Padding the data with null bytes to match the block size of the hash algorithm C. Prefixing the small data with a random value prior to hashing it D. Repeating the data two or more times
4. What is the process required to digitally sign a document? A. Calculate a hash of the document and encrypt the hash with the recipient’s public key B. Calculate a hash of the document and encrypt the hash with the sender’s private key C. Encrypt the document with the recipient’s public key and attach a hash to the document D. Encrypt the document with the sender’s private key and attach a hash to the document E. Encrypt the document and its hash with a shared secret key negotiated through public key exchange
5. Why is a digital signature not simply performed by encrypting the entire document using the sender’s private key? Select one or more answers.
Self Test 505
A. Because it would be slow on large documents B. Because encryption of large amounts of data with the private key could expose information about the private key C. Because nobody has carried out cryptanalysis on this method D. Because not all the document is important enough to encrypt E. Because encrypting the whole document would be more likely to create a colliding hash
6. How should you encrypt an X.509 digital certificate to protect it in normal use? A. Use the RSA encryption algorithm with a key derived from the certificate’s private key B. Use the DES encryption algorithm with a shared secret key that will be published for certificate users to fetch C. Use the base64 encoding scheme D. No encryption is necessary for normal use of a certificate
7. When verifying a certificate from the Web site “www.whitehouse.gov/”, which of the following Subject names would be correct matches? A. CN = www.whitehouse.gov, S = District of Columbia, OU = Office of Administration, O = Executive Office of the President, L = Washington, C=US B. www.whitehouse.gov C. www.whitehouse.gov/ D. CN = www.whitehouse.gov E. CN = *.gov
8. Between which dates should you keep a certificate on file? A. From the Valid-From date until the Valid-To date B. From the Valid-From date until the certificate is revoked or expires, whichever is the sooner C. For all dates during which you intend to use the certificate to verify or decrypt protected data D. From the day it first appears in a revocation list, until the Valid-To date
9. In a dual-sided certificate, what private keys should be retained by the issuing organization for later recovery? Choose one. A. No private keys should ever be held by anyone but the owner B. The signing key C. The decrypting key D. Both the signing and the decrypting key
506 CHAPTER 11 General Cryptographic Concepts
10. One-time pads would be the perfect source of a key stream for symmetric encryption—but what makes them impractical? Choose one or more answers. A. Their length B. The secrecy required to exchange and protect them C. Transcription errors when reading from the paper of the pad D. The fact that you can only use them once 11. I am sending a document by e-mail to a client that must remain protected through its transmission to the client, but which I want the client to be able to read, print, or distribute once the client has received it. Which protocol or protocols would achieve this? A. S/MIME B. S-HTTP C. SMTP with STARTTLS D. FTP over TLS. E. All of the above 12. With which key is an EFS-protected file encrypted? A. The shared FEK B. The file creator’s private key C. A key made from combining the file creator’s public key with the FEK D. The FEK after it has been encrypted with the file creator’s public key 13. By roughly how much does Whole Disk Encryption reduce the available storage space? A. 5 percent B. 10 percent C. Three or four disk sectors D. It depends on the block size of the encryption algorithm 14. What is the difference between TPM “Wrap” and “Seal”? A. The “wrap” operation will allow a key to be used at any time; the “seal” operation will allow a key to be used only when system measurements match those present at the time of sealing the key B. The “wrap” operation allows a key to be revealed if the system measurements match those at its creation; the “seal” operation never allows a key to be revealed but may allow it to be used C. The “wrap” operation uses symmetric cryptography keys; the “seal” operation uses asymmetric keys D. The “seal” operation is designed not to leak the key, the “wrap” operation may leak the key under some attacks
Self Test Quick Answer Key 507
15. What are the necessary components to fully protect a laptop using Whole Disk Encryption? A. A TPM or similar key operation component B. A well-trained user C. External key material—for example, a USB stick or a passphrase D. A BIOS and boot sector that support the use of encryption and the TPM E. All of the above
Self Test Quick Answer Key 1. 2. 3. 4. 5.
A and D D C B A, B, C, D
6. 7. 8. 9. 10.
D A, D C C A and B
11. 12. 13. 14. 15.
A A C A E
This page intentionally left blank
CHAPTER
Public Key Infrastructure
12
E x a m o b j e c tiv e s in this c hapt e r PKI Overview��������������������������������������������������������������������������������������������������������������������� 510 Components of PKI������������������������������������������������������������������������������������������������������������� 516 Registration����������������������������������������������������������������������������������������������������������������������� 531 Recovery Agents���������������������������������������������������������������������������������������������������������������� 531 Implementation������������������������������������������������������������������������������������������������������������������ 533 Certificate Management����������������������������������������������������������������������������������������������������� 534
Introduction Computer networks have evolved in recent years to allow an unprecedented sharing of information between individuals, corporations, and even national governments. The need to protect this information has also evolved, and network security has consequently become an essential concern of most system administrators. Even in smaller organizations, the basic goal of preventing unauthorized access while still allowing legitimate information to flow smoothly requires the use of more and more advanced technology. That being stated, all organizations today rely on networks to access information. These sources of information can range from internal networks to the Internet. Access to information is needed, and this access must be configured to provide information to other organizations that may request it. When we need to make a purchase, for example, we can quickly check out vendors’ prices through their Web pages. In order not to allow the competition to get ahead of our organization, we must establish our own Web page for the advertising and ordering of our products. Within any organization, many sites may exist across the country or around the globe. If corporate data is available immediately to employees, much time is saved. In the corporate world, any time saved is also money saved. Public key infrastructure (PKI) is the method of choice for handling authentication issues in large enterprise-level organizations today. This chapter addresses the complex issues involved in planning a certificate-based PKI. We’ll provide an overview of the basic terminology and concepts relating to the PKI and you’ll learn
509
510 CHAPTER 12 Public Key Infrastructure
about public key cryptography and how it is used to authenticate the identity of users, computers, and applications/services. We’ll discuss different components of PKI, including private key, public key, and a trusted third party (TTP) along with the role of digital certificates and the different types of certificates (user, machine, and application certificates). You’ll learn about certification authorities (CAs), the servers that issue certificates, including both public CAs and private CAs and we will discuss the CA hierarchy and how root CAs and subordinate CAs act together to provide for your organization’s certificate needs. Finally, we’ll discuss the role of the key recovery agent and how it works in your environment.
PKI Overview The rapid growth of Internet use has given rise to new security concerns. Any company that does not configure a strong security infrastructure is literally putting the company at risk. An unscrupulous person could, if security were lax, steal information or modify business information in a way that could result in major financial disaster. To protect the organization’s information, the middleman must be eliminated. Cryptographic technologies such as PKI provide a way to identify both users and servers during network use. The primary function of the PKI is to address the need for privacy throughout a network. For the administrator, there are many areas that need to be secured. Internal and external authentication, encryption of stored and transmitted files, and e-mail privacy are just a few examples. PKI is the underlying cryptography system that enables users or computers that have never been in trusted communication before to validate themselves by referencing an association to a TTP. Once this verification is complete, the users and computers can now securely send messages, receive messages, and engage in transactions that include the interchange of data. PKI is used in both private networks (intranets) and on the World Wide Web (the Internet). It is actually the latter, the Internet, that has driven the need for better methods for verifying credentials and authenticating users. Consider the vast number of transactions that take place every day over the Internet—from banking to shopping to accessing databases and sending messages or files. Each of these transactions involves at least two parties. The problem lies in the verification of who those parties are and the choice of whether to trust them with your credentials and information. Note Cryptography refers to the process of encrypting data; cryptanalysis is the process of decrypting, or “cracking” cryptographic code. Together, the two make up the science of cryptology.
PKI Encryption Before we continue to discuss how PKI works today, it is perhaps helpful to understand the term encryption and how PKI has evolved. The history of general cryptography
PKI Overview 511
almost certainly dates back to almost 2000 B.C. when Roman and Greek statesmen used simple alphabet-shifting algorithms to keep government communication private. Through time and civilizations, ciphering text played an important role in wars and politics. As modern times provided new communication methods, scrambling information became increasingly more important. World War II brought about the first use of the computer in the cracking of Germany’s Enigma code. In 1952, President Truman created the National Security Agency (NSA) at Fort Meade, Maryland. This agency, which is the center of U.S. cryptographic activity, fulfills two important national functions: it protects all military and executive communication from being intercepted, and it intercepts and unscrambles messages sent by other countries. Although complexity increased, not much changed until the 1970s, when the NSA worked with Dr. Horst Feistel to establish the Data Encryption Standard (DES) and Whitfield Diffie and Martin Hellman introduced the first Public Key Cryptography Standard (PKCS). Diffie-Hellman (DH) algorithms are still in use today for things such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Internet Protocol Security (IPsec). Another major force in modern cryptography came about in the late 1970s. Rivest, Shamir, Adelman (RSA) Labs, founded by Ronald Rivest, Adi Shamir, and Leonard Adleman, furthered the concept of key cryptography by developing a technology of key pairs, where plaintext that is encrypted by one key can be decrypted only by the other matching key. There are three types of cryptographic functions. The hash function does not involve the use of a key at all, but it uses a mathematical algorithm on the data to scramble it. The secret key method of encryption, which involves the use of a single key, is used to encrypt and decrypt the information and is sometimes referred to as symmetric key cryptography. An excellent example of secret key encryption is the decoder ring you may have had as a child. Any person who obtained your decoder ring could read your “secret” information. There are basically two types of symmetric algorithms. Block symmetric algorithms work by taking a given length of bits known as blocks. Stream symmetric algorithms operate on a single-bit at a time. One well-known block algorithm is DES. Windows 2000 uses a modified DES and performs that operation on 64-bit blocks using every eighth-bit for parity. The resulting ciphertext is the same length as the original cleartext. For export purposes, the DES is also available with a 40-bit key. One advantage of secret key encryption is the efficiency with which it takes a large amount of data and encrypts it quite rapidly. Symmetric algorithms can also be easily implemented at the hardware level. The major disadvantage of secret key encryption is that a single key is used for both encryption and decryption. There must be a secure way for the two parties to exchange the one secret key. In the 1970s, this disadvantage of secret key encryption was eliminated through the mathematical implementation of public key encryption. Public key encryption, also referred to as asymmetric cryptography, replaced the one shared key with each user’s own pair of keys. One key is a public key, which is made available to everyone and is used for the encryption process only. The other key in the pair, the private key, is available only to the owner. The private key cannot be determined as a result of the public key’s being openly available. Any data that is encrypted by a public key
512 CHAPTER 12 Public Key Infrastructure
can be decrypted only using the private key of the pair. It is also possible for the owner to use a private key to encrypt sensitive information. If the data is encrypted using the private key, then the public key in the pair of keys is needed to decrypt the data. DH algorithms are known collectively as shared secret key cryptographies, also known as symmetric key encryption. Let’s say we have two users, Greg and Matt, who want to communicate privately. With DH, Greg and Matt each generate a random number. Each of these numbers is known only to the person who generated it. Part one of the DH function changes each secret number into a nonsecret, or public, number. Greg and Matt now exchange the public numbers and then enter them into part two of the DH function. This results in a private key—one that is identical to both users. Using advanced mathematics, this shared secret key can be decrypted only by someone with access to one of the original random numbers. As long as Greg and Matt keep the original numbers hidden, the shared secret key cannot be compromised.
Head of the Class Modern Cryptography 101 Thanks to two mathematical concepts, prime number theory and modulo algebra, most of today’s cryptography encryption standards are considered intractable—that is, they are unbreakable with current technology in a reasonable amount of time. For example, it might take 300 linked computers over 1,000 years to decrypt a message. Of course, quantum computing is expected to someday change all that, making calculations exponentially faster and rendering all current cryptographic algorithms useless—but we won’t worry about that for now. First, for an explanation of the modulo operator, let’s go back to elementary school where you first learned to do division. You learned that 19/5 equals 3 with a remainder of 4. You also probably concentrated on the 3 as the important number. Now, however, we get to look at the remainder. When we take the modulus of two numbers, the result is the remainder—therefore 19 mod 5 equals 4. Similarly, 24 mod 5 also equals 4 (can you see why?). Finally, we can conclude that 19 and 24 are congruent in modulo 4. So how does this relate to cryptography and prime numbers? The idea is to take a message and represent it by using a sequence of numbers. We’ll call the sequence xi. What we need to do is find three numbers that make the following modulo equation possible: (xe)d mod y = x. The first two numbers, e and d, are a pair and are completely interchangeable. The third number, y, is a product of two very large prime numbers (the larger the primes, the more secure the encryption). Prime number theory is too complex for an in-depth discussion here, but in a nutshell, remember that a prime number is only divisible by the number 1 and itself. This gives each prime number a “uniqueness.” Once we have found these numbers (although we won’t go into how because this is the really deep mathematical part), the encryption key becomes the pair (e, y) and the decryption key becomes the pair (d, y). Now it doesn’t matter which key we decide to make public and which key we make private because they’re interchangeable!
PKI Overview 513
PKI Standards It should be apparent from the many and varied contributing sources to PKI technology that the need for management of this invaluable set of tools would become paramount. If PKI, like any other technology set, continued to develop without standards of any kind, then differing forms and evolutions of the technology would be implemented ad hoc throughout the world. Eventually, the theory holds that some iteration would render communication or operability between different forms impossible. At that point, the cost of standardization would be significant, and the amount of time lost in productivity and reconstruction of PKI systems would be immeasurable. Thus, a set of standards was developed for PKI. The PKCS are a set of standard protocols issued for securing the exchange of information through PKI. The list of these standards was actually established by RSA laboratories—the same organization that developed the original RSA encryption standard—along with a group of participating technology leaders that included Microsoft, Sun, and Apple. Here is a list of active PKCS. You will notice that there are gaps in the numbered sequence of these standards, and that is due to the retiring of standards over time since they were first introduced. ■■
■■
■■
■■
■■
PKCS #1: RSA Cryptography Standard Outlines the encryption of data using the RSA algorithm. The purpose of the RSA Cryptography Standard is in the development of digital signatures and digital envelopes. PKCS #1 also describes a syntax for RSA public keys and private keys. PKCS #3: Diffie-Hellman Key Agreement Standard Outlines the use of the DH Key Agreement, a method of sharing a secret key between two parties. The secret key used to encrypt ongoing data transfer between the two parties. Whitefield Diffie and Martin Hellman developed the DH algorithm in the 1970s as the first public asymmetric cryptographic system (asymmetric cryptography was invented in the United Kingdom earlier in the same decade, but was classified as a military secret). DH overcomes the issue of symmetric key system, because management of the keys is less difficult. PKCS #5: Password-based Cryptography Standard A method for encrypting a string with a secret key that is derived from a password. The result of the method is an octet string (a sequence of 8-bit values). PKCS #8 is primarily used for encrypting private keys when they are being transmitted between computers. PKCS #6: Extended-certificate Syntax Standard Deals with extended certificates. Extended certificates are made up of the X.509 certificate plus additional attributes. The additional attributes and the X.509 certificate can be verified using a single public-key operation. The issuer that signs the extended certificate is the same as the one that signs the X.509 certificate. PKCS #7: Cryptographic Message Syntax Standard The foundation for Secure/Multipurpose Internet Mail Extensions (S/MIME) standard. It is also
514 CHAPTER 12 Public Key Infrastructure
c ompatible with privacy-enhanced mail (PEM) and can be used in several different architectures of key management. ■■
■■
■■
■■
■■
PKCS #8: Private-key Information Syntax Standard Describes a method of communication for private-key information that includes the use of publickey algorithm and additional attributes (similar to PKCS #6). In this case, the attributes can be a distinguished name (DN) or a root CA’s public key. PKCS #9: Selected Attribute Types Defines the types of attributes for use in extended certificates (PKCS #6), digitally signed messages (PKCS #7), and private-key information (PKCS #8). The PKI verification process is based on the use of keys, unique bits of data that serve one purpose: identifying the owner of the key. Every user of PKI actually generates or receives two types of keys: a public key and a private key. The two are actually connected and are referred to as a key pair. As the name suggests, the public key is made openly available to the public while the private key is limited to the actual owner of the key pair. Through the use of these keys, messages can be encrypted and decrypted, allowing data to be exchanged securely (this process will be covered in a few sections later in this chapter). PKCS #10: Certification Request Syntax Standard Describes a syntax for certification request. A certification request consists of a DN, a public key, and additional attributes. Certification requests are sent to a CA, which then issues the certificate. PKCS #11: Cryptographic Token Interface Standard Specifies an application program interface (API) for token devices that hold encrypted information and perform cryptographic functions, such as Smart Cards and Universal Serial Bus (USB) pigtails. PKCS #12: Personal Information Exchange Syntax Standard Specifies a portable format for storing or transporting a user’s private keys and certificates. Ties into both PKCS #8 (communication of private-key information) and PKCS #11 (Cryptographic Token Interface Standard). Portable formats include diskettes, Smart Cards, and Personal Computer Memory Card International Association (PCMCIA) cards. On Microsoft Windows platforms, PKCS #12 format files are generally given the extension .pfx. PKCS #12 is the best standard format to use when exchanging private keys and certificates between systems.
Test Day Tip On the day of the test, do not concern yourself too much with what the different standard numbers are. It is important to understand why they are in place and what PKCS stands for.
PKI Solutions The use of PKI on the World Wide Web is so pervasive that it is likely that every Internet user has used it without even being aware of it. However, PKI is not simply limited to the Web; applications such as Pretty Good Privacy (PGP) also leverage the
PKI Overview 515
basis of PKI technology for e-mail protection; File Transfer Protocol (FTP) over SSL/ TLS uses PKI, and many other protocols have the ability to manage the verification of identities through the use of key-based technology. Companies such as VeriSign and Entrust exist as trusted third-party vendors, enabling a world of online users who are strangers to find a common point of reference for establishing confidentiality, message integrity, and user authentication. Literally millions of secured online transactions take place every day leveraging their services within a PKI. Technology uses aside, PKI fundamentally addresses relational matters within communications. Specifically, PKI seeks to provide solutions for the following: ■■
Proper authentication
■■
Trust
■■
Confidentiality
■■
Integrity
■■
Nonrepudiation
Using the core PKI elements of public key cryptography, digital signatures, and certificates, you can ensure that all these equally important goals can be met successfully. The first goal, proper authentication, means that you can be highly certain that an entity such as a user or a computer is indeed the entity he, she, or it is claiming to be. Think of a bank. If you wanted to cash a large check, the teller will more than likely ask for some identification. If you present the teller with a driver’s license and the picture on it matches your face, the teller can then be highly certain that you are that person—that is, if the teller trusts the validity of the license itself. Because the driver’s license is issued by a government agency—a TTP—the teller is more likely to accept it as valid proof of your identity than if you presented an employee ID card issued by a small company that the teller has never heard of. As you can see, trust and authentication work hand in hand. When transferring data across a network, confidentiality ensures that the data cannot be viewed and understood by any third party. The data might be anything from an e-mail message to a database of social security numbers. In the last 20 years, tremendous effort has been spent trying to achieve data confidentiality. In fact, the entire scientific field of cryptology is devoted to ensuring confidentiality (as well as all the other PKI goals). As important as confidentiality is, however, the importance of network data integrity should not be underestimated. Consider the extreme implications of a patient’s medical records being intercepted during transmission and then maliciously or accidentally altered before being sent on to their destination. Integrity gives confidence to a recipient that data has arrived in its original form and hasn’t been changed or edited. Finally we come to nonrepudiation. A bit more obscure than the other goals, nonrepudiation allows you to prove that a particular entity sent a particular piece of data. It is impossible for the entity to deny having sent it. It then becomes extremely difficult for an attacker to masquerade as a legitimate user and then send malevolent data across the network. Nonrepudiation is related to, but separate from authentication.
516 CHAPTER 12 Public Key Infrastructure
Components of PKI In today’s network environments, key pairs are used in a variety of different functions. Technologies such as virtual private networks (VPNs), digital signatures, access control (SSH), secure e-mail (PGP and S/MIME), and secure Web access (SSL) each includes an implementation of PKI for managing trusted communications between a host and a client. Although PKI exists at some level within the innards of several types of communications technologies, its form can change from implementation to implementation. As such, the components necessary for a successful implementation can vary depending on the requirements, but in public key cryptography there is always: ■■
A private key
■■
A public key
■■
A TTP
Because a public key must be associated with the name of its owner, a data structure known as a public key certificate is used. The certificate typically contains the owner’s name, their public key and e-mail address, validity dates for the certificate, the location of revocation information, the location of the issuer’s policies, and possibly other affiliate information that identifies the certificate issuer with an organization such as an employer or other institution. In most cases, the private and public keys are simply referred to as the private and public key certificates, and the TTP is commonly known as the CA. The CA is the resource that must be available to both the holder of the private key and the holder of the public key. In practice, the use of the PKI technology goes something like this: two users, Dave and Dixine, wish to communicate privately. Dave and Dixine each own a key pair consisting of a public key and a private key. If Dave wants Dixine to send him an encrypted message, he first transmits his public key to Dixine. She then uses Dave’s public key to encrypt the message. Fundamentally, because Dave’s public key was used to encrypt, only Dave’s private key can be used to decrypt. When he receives the message, only he is able to read it. Security is maintained because only public keys are transmitted—the private keys are kept secret and are known only to their owners. Figure 12.1 illustrates the process. RSA-derived technology in its various forms is used extensively today. For example, Windows Server 2008 uses it for such things as Kerberos authentication and S/MIME. In the communication illustrated in Figure 12.1, a public key was used to encrypt a message and the corresponding private key was used to decrypt. If we invert the process, a private key can be used to encrypt and the matching public key to decrypt. This is useful, for example, if you want people to know that a document you wrote is really yours. If you encrypt the document using your private key, then only your public key can decrypt it. If people use your public key to read the document and they are successful, they can be certain that it was “signed” by your private key and is therefore authentic. RSA can be used to create these “digital signatures” (see Figure 12.2).
Components of PKI 517
Figure 12.1 The Concept of Using Public/Private Keys for Data Exchange
Whether to use centralized or decentralized key management depends on the size of the organization. With decentralized key management, the private key can be assumed to belong only to its intended owner; with centralized key management, there is a possibility for abuse of other users’ private keys by the administrators of the central key store. However, with decentralized key management, key recovery is left up to the individual user to consider, and this can result in the inadvertent loss (destruction) of keys, usually at the time when they are needed most. Whether using centralized management
Figure 12.2 Digital Signatures and Data Encryption Using Public/Private Key Pairs in Practice
518 CHAPTER 12 Public Key Infrastructure
or decentralized management for keys, a secure method of storing those keys must be designed. Entire hierarchies can exist within a PKI to support the use of multiple CAs. In addition to CAs and the public and private key certificates they publish, there are a collection of components and functions associated with the management of the infrastructure. As such, a list of typical components required for a functional PKI may include but is not limited to the following: ■■
Digital certificates
■■
Certification authorities
■■
Certificate revocation lists (CRL)
■■
Recovery agents
In the sections that follow, we will explore each of these topics in greater detail.
Digital Certificates In PKI, a digital certificate is a tool used for binding a public key with a particular owner. Before we delve into the inner workings of a digital certificate, let’s discuss what a certificate actually is in layman’s terms. A great comparison is a driver’s license. Consider the information listed on a driver’s license: ■■
Name
■■
Address
■■
Date of birth
■■
Photograph
■■
Signature
■■
■■ ■■
Social security number (or another unique number such as a state issued license number) Expiration date Signature/certification by an authority (typically from within the issuing state’s government body)
The information on a state license photo is significant because it provides crucial information about the owner of that particular item. The signature from the state official serves as a trusted authority for the state, certifying that the owner has been verified and is legitimate to be behind the wheel of a car. Anyone, like an officer, who wishes to verify a driver’s identity and right to commute from one place to another by way of automobile need only ask for and review the driver’s license. In some cases, the officer might even call or reference that license number just to ensure it is still valid and has not been revoked.
Components of PKI 519
A digital certificate in PKI serves the same function as a driver’s license. Various systems and checkpoints may require verification of the owner’s identity and status and will reference the TTP for validation. It is the certificate that enables this quick hand-off of key information between the parties involved. Certificates are created by a TTP called a CA, which may also be called a certificate authority. CAs are systems that create, distribute, store, and validate digitally created signature and identity verification information about machines, individuals, and services. This CA may be a commercially available service point, such as Verisign or Thawte. A CA can also be created within an enterprise to manage and create certificates that are used only within an organization or with trusted partners. A certificate from a reputable provider indicates that the server being accessed is legitimate. CAs may also grant certificates for software signing. This process indicates to the individual downloading the software that it has been manufactured or written by the specified individual or company. The path for the certificate should be verifiable and unbroken. This indicates a high probability that the software has not been tampered with since it was originally made available for download. Additionally, certificates may be used in processes such as data encryption or in network protocols requiring their use, such as IPSec, when the sending and receiving machines must be verifiable.
Exercise 1 Reviewing a Digital Certificate Let’s take a moment to go on the Internet and look at a digital certificate. 1.
Open up your Web browser, and go to www.syngress.com
2.
Select a book and add it to your cart.
3.
Proceed to the checkout.
4.
Once you are at the checkout screen, you will see a padlock in your browser. In Internet Explorer 7, this will be to the right of the address box; older browsers place the padlock in the bottom right of the window frame. Open the certificate properties. In Internet Explorer 7, you do this by clicking on the padlock and selecting View Certificates from the prompt; older browsers generally let you double-click on the padlock.
5.
Move around the tabs of the Properties screen to look at the different information contained within a certificate.
X.509 The information contained in the certificate is actually part of the X.509 certificate standard. X.509 is actually an evolution of the X.500 directory standard. Initially intended to provide a means of developing easy-to-use electronic directories of people
520 CHAPTER 12 Public Key Infrastructure
that would be available to all Internet users, it became a directory and mail standard for a very commonly known mail application: Microsoft Exchange 5.5. The X.500 directory standard specifies a common root of a hierarchical tree although the “tree” is inverted: the root of the tree is depicted at the “top” level while the other branches—called containers—are below it. Several of these types of containers exist with a specific naming convention. In this naming convention, each portion of a name is specified by the abbreviation of the object type or a container it represents. For example, a CN before a username represents it is a common name; a C precedes a country; and an O precedes organization. These elements are worth remembering as they will appear not only in discussions about X.500 and X.509, but they are ultimately the basis for the scheme of Microsoft’s premier directory service, Active Directory. X.509 is the standard used to define what makes up a digital certificate. Within this standard, a description is given for a certificate as allowing an association between a user’s DN and the user’s public key. The DN is specified by a naming authority (NA) and used as a unique name by the CA who will create the certificate. A common X.509 certificate includes the information shown in Table 12.1 and Figures 12.3 and 12.4.
Public Keys Because the PKI identification process is based on the use of unique identifiers known as keys, each person using PKI creates two different keys, a public key and a
Table 12.1 X.509 Certificate Data Item
Definition
Serial number
A unique identifier
Subject
The name of the person or company that is being identified, sometimes listed as “Issued To”
Signature algorithm
The algorithm used to create the signature
Issuer
The trusted authority that verified the information and generated the certificate, sometimes listed as “Issued By”
Valid from
The date the certificate was activated
Valid to
The last day the certificate can be used
Public key
The public key that corresponds to the private key
Thumbprint algorithm
The algorithm used to create the unique value of a certificate
Thumbprint
The unique value of every certificate, which positively identifies the certificate. If there is ever a question about the authenticity of a certificate, check this value with the issuer.
Components of PKI 521
Figure 12.3
Figure 12.4
A Windows Server 2008 Certificate Field and Values
A Windows Server 2008 Certificate Field and Values (cont.)
private key. These keys are mathematically related such that things encrypted with one key can then be decrypted with the other—they are commonly referred to as a key pair. Public keys are generally transported and stored in digital certificates. The public key is openly available to the public, while only the person the keys were created for has the private key. The utilization of these key pairs for public key cryptography brings major security technologies to the desktop. The network now is provided with the ability to allow users to safely: ■■
Transmit over insecure channels
■■
Store sensitive information on any commonly used media
■■
Verify a person’s identity for authentication
■■
Prove that a message was generated by a particular person
■■
Prove that the received message was not tampered with in transit
Algorithms based on public keys can be used for all these purposes. The most popular public key algorithm is the standard RSA, which is named after its three inventors: Rivest, Shamir, and Adleman. The RSA algorithm is based on two prime numbers with more than 200 digits each. A hacker would have to take the ciphertext and the public key and factor the product of the two primes. As computer processing time increases, the RSA remains secure by increasing the key length, unlike the DES algorithm, which has a fixed key length. Public key algorithms provide privacy,
522 CHAPTER 12 Public Key Infrastructure
authentication, and easy key management, but they encrypt and decrypt data slowly because of the intensive computation required. RSA has been evaluated to be from 10 to 10,000 times slower than DES in some environments, which is a good reason not to use public key algorithms for bulk encryption.
Private Keys Imagine what would happen if you left a wallet on a counter in a department store and someone took it. You would have to call your credit card companies to close out your accounts, you would have to go to the Department of Motor Vehicles (DMV) to get a duplicate license, you would have to change your bank account numbers, and so forth. Now, imagine what would happen if a company put all of their private keys into a publicly accessible FTP site. Basically, once hackers discovered that they could obtain the private keys, they could very easily listen to communications between the company and clients and decrypt and encrypt messages being passed. This may sound simple, the public key is public, and a private key is kept secret, but it is common for individuals to make the mistake of sending their private keys to others to decrypt files. Also some users have been known to carefully guard their public key, which is an unnecessary precaution. The bottom line is: never share your private key with anyone. It is yours alone, and when used to identify you, can only identify you if you are the only person who has ever held that key. Taking this a step further, imagine what could happen if a root CA key was not stored in a secure place; all of the keys that used the CA as their root certificate would have to be invalidated and regenerated. So, how to store private keys in a manner that guarantees their security? Not storing them in a publicly accessible FTP folder is just a start. There are also several options for key storage, most falling under either the software storage category or the hardware storage category.
Notes from the Field A Compromised Root CA Keeping a root CA’s private keys secure should be priority number one in PKI security. The work that goes into revoking and replacing a compromised root CA key is tremendous. Not only does the root CA have to be revoked and recreated, but so do any certificates created by a subordinate CA now suspect of being compromised. Also, the revocation of the root CA’s key must be communicated to anyone who has ever trusted the root CA.
A private key could be stored very naively on an operating system (OS) by creating a directory on a server and using permissions (NTFS in Windows) to lock access to the directory. The issue is that storing private keys in this way relies on the security of the OS and the network environment itself. Anyone with physical access to these systems could easily fetch these keys from their files.
Components of PKI 523
Say that you are the senior administrator for a company. You have a higher access level than all of the other administrators, engineers, and operators in your company. You create a directory on one of the servers and restrict access to the directory to you and the Chief Information Officer (CIO). However, Joe is responsible for backups and restores on all of the servers. Joe is the curious type, and decides to look at the contents that are backed up each night onto tape. Joe notices the new directory you created, and wants to see what is in there. Joe can restore the directory to another location, view the contents within the directory, and obtain a copy of the private keys. As a security administrator, you can handle this problem in two different ways. First, you can enable auditing for the network OS. Auditing file access, additions, deletions, and modifications, can track this type of activity within the network. Likewise, permissions for the backup operator can be limited to backup only, and require another party (such as the network administrator) to perform recoveries. That’s why most software key storage schemes encrypt the private keys, using some form of password or key prior to granting access. The password protecting the private key is either prompted for when the key is needed, or the key is encrypted using a key derived from the user’s logon password, such that a user’s keys all become available when he or she is logged on, and are unavailable when he or she is logged off, or to another person who is logged on. Exam Warning In a Windows Server 2008 PKI, a user’s public and private keys are stored under the user’s profile. For the administrator, the public keys would be under Documents and Settings\Administrator\System Certificates\My\Certificates and the private keys would be under Documents and Settings\Administrator\Crypto\RSA (where they are double encrypted by Microsoft’s Data Protection API or DPAPI). Although a copy of the public keys is kept in the registry, and can even be kept in Active Directory, the private keys are vulnerable to deletion. If you delete a user profile, the private keys will be lost!
If a specific key is needed for a background process (e.g., a service or a daemon), the key can be encrypted using a machine-based secret. In Windows, this secret can be further protected by using the SYSKEY utility. SYSKEY is a utility that was originally developed to encrypt the local SAM database on Windows NT 4.0 machines. It was made available with Windows NT 4.0 SP3. There is another risk involved with the software storage of private keys. You granted access to yourself and the company CIO, Phil. Phil has a bad habit of leaving his computer without logging out or locking the screen via a screen saver. Dave, the mail clerk, can easily walk into Phil’s office and look at all of the files and directories that Phil has access to, thereby accessing the directory where the private keys are stored. This type of attack is known as a lunchtime attack. The best fix for lunchtime attacks is user education. Teaching users to properly secure their workstation when not in use prevents many types of security breaches, including lunchtime attacks.
524 CHAPTER 12 Public Key Infrastructure
Damage and Defense Lunchtime Attacks Lunchtime attacks are one of the most common types of internal attacks initiated by employees of an organization. But, they are also one of the easiest attacks to defend against. Most OSes (Windows, Linux, and so forth) offer the ability to automatically lock desktops through screensavers that activate after a brief period of inactivity. For those companies with “Phils” who constantly leave their computers unlocked, this is an easy way to reduce the amount of lunchtime attacks. There are other appropriate technological protections against this type of attack, such as the use of locking screensavers and short timeouts; the physical access security on machines carrying sensitive certificates; even the use of radio identifiers so as to lock a workstation when its user is away from it for more than a few seconds.
It is generally accepted that software storage is not a reliable means of storing highsecurity private keys. To overcome the issues of software storage, hardware storage modules (HSMs) were created. HSMs, such as Smart Cards, PCMCIA cards, and other hardware devices, store private keys and handle all encryption and decryption of messages so that the key does not have to be transmitted to the computer. (Using magnetic media is really the equivalent of software key storage with an offline file store, and should not be thought of as hardware storage of keys.) Keeping the keys off of the computer prevents information about the keys from being discovered in computer memory. Smart Cards are the most flexible method of storing personal private keys using the hardware storage method. Because Smart Cards are normally about the size of a credit card, they are easily stored and can resist a high level of physical stress. Smart Cards are also not very expensive. Unlike a credit card that has a magnetic strip, Smart Cards store information using microprocessors, memory, and contact pads for passing information. Exam Warning Make sure that you understand what an HSM is and why a Smart Card is the most popular form of these modules.
For banks, defense institutions, and other extremely high-security environments, there is often a need to retain keys in an HSM that has very high-security requirements. In such an HSM, all keys can be generated and kept inside the module, and tampering with the module will result in the destruction of all keying material onboard. It can be very expensive to generate new root keys and distribute them, but if your certificate server is capable of signing several million dollars’ worth of transactions, it’s cheaper to do the wholesale replacement of the contents of your PKI than it is to have a key exposed to a malicious intruder (or a malicious insider). Hardware security models are very expensive. Keeping private keys stored in technologically and physically secure locations must be your first priority when dealing with PKI. Many people take private keys for corporate root CAs completely offline (with modern virtualization techniques, you
Components of PKI 525
can create the entire root CA on a bootable USB stick and store it in a safe), store them in a secure place (such as a safe or an offsite storage company), and use them only when they need to generate a new key for a new intermediate CA. However, there is another method of protecting private keys, a process known as escrow.
Certificate Authority By definition, a CA is an entity (computer or system) that issues digital certificates of authenticity for use by other parties. With the ever-increasing demand for effective and efficient methods to verify and secure communications, our technology market has seen the rise of many trusted third parties into the market. If you have been in the technology field for any length of time, you are likely familiar with many such vendors by name: VeriSign, Entrust, Thawte, GeoTrust, DigiCert, and GoDaddy are just a few. Although these companies provide an excellent and useful resource for both the IT administrator and the consumer, companies and organizations sometimes require a way to establish their own certificate authorities. In a third-party, or external PKI, it is up to the third-party CA to positively verify the identity of anyone requesting a certificate from it. As an administrator, you also have the option of creating a trusted internal CA—possibly eliminating the need for an external third party. With a Windows Server 2008 CA, the CA verifies the identity of the user requesting a certificate by checking that user’s authentication credentials (using Kerberos or NTLM). If the credentials of the requesting user check out, a certificate is issued to the user. When the user needs to transmit his or her public key to another user or application, the certificate is then used to prove to the receiver that the public key inside can be used safely. Within an organization several options exist for building this trust relationship. Each of these begins with the decisions made around selecting and implementing certificate authorities. With regard to the Microsoft implementation of PKI, there are at least four major roles or types of certificate authorities to be aware of: ■■
Enterprise CA
■■
Standard CA
■■
Root CA
■■
Subordinate CA
Believe it or not, beyond this list at least two variations exist: intermediate CAs and leaf CAs, each of which is a type of subordinate CA implementation. An enterprise CA is tied into Active Directory. To deploy an enterprise CA Active Directory is required. In fact, a copy of the server’s own CA certificate is stored in Active Directory. Perhaps the biggest difference between an enterprise CA and a stand-alone CA is that the enterprise CAs use Kerberos or NTLM authentication to validate users and computers before certificates are issued, whereas stand-alone CAs require human intervention to approve certificate requests. Using Kerberos or NTLM provides additional security
526 CHAPTER 12 Public Key Infrastructure
to the PKI because the validation process relies on the strength of the protocol, and not a human administrator. Additionally, enterprise CAs use templates that can be used to issue every type of certificate. There are also several downsides to an enterprise CA. In comparison to a standalone CA, enterprise CAs are more difficult to maintain and require a much more in-depth knowledge about Active Directory and authentication. There are two ways to view PKI trust models: single CA and hierarchical. In a single CA model PKIs are very simplistic; only one CA is used within the infrastructure. Anyone who needs to trust parties vouched for by the CA is given the public key for the CA. That single CA is responsible for the interactions that ensue when parties request and seek to verify the information Figure 12.5 for a given certificate. See Figure 12.5. A Single CA Model In a hierarchical model, a root CA functions as a top-level authority over one or more levels of CAs beneath it. The CAs below the root CA are called subordinate CAs. Root CAs serve as a trust anchor to all the CAs beneath it and to the users who trust the root CA. A trust anchor is an entity known to be trusted without requiring that it be trusted by going to another party, and therefore can be used as a base for trusting other parties. Because there is nothing above the root CA, no one can vouch for its identity; it must create a self-signed certificate to vouch for itself. With a self-signed certificate, both the certificate issuer and the certificate subject are exactly the same. Being the trust anchor, the root CA must make its own certificate available to all of the users (including subordinate CAs) that will ultimately be using that particular root CA. Hierarchical models work well in larger hierarchical environments, such as large government organizations or corporate environments. Often, a large organization also deploys a registration authority (RA, covered later in this chapter), directory services, and optionally time stamping services in an organization leveraging a hierarchical approach to PKI. In situations where different organizations are trying to develop a hierarchical model together (such as post acquisition or merger companies or those that are partnered for collaboration), a hierarchical model can be very difficult to establish as both parties must ultimately agree upon a single trust anchor. When you first set up an internal PKI, no CA exists. The first CA created is known as the root CA, and it can be used to issue certificates to users or to other CAs. As mentioned earlier, in a large organization there usually is a hierarchy where the root CA is not the only certification authority. In this case, the sole purpose of the root CA is to issue certificates to other CAs to establish their authority.
Components of PKI 527
Any certification authority that is established after the root CA is a subordinate CA. Subordinate CAs gain their authority by requesting a certificate from either the root CA or a higher level subordinate CA. Once the subordinate CA receives the certificate, it can control CA policies and/or issue certificates itself, depending on your PKI structure and policies. Sometimes, subordinate CAs also issue certificates to other CAs below them on the tree. These CAs are called intermediate CAs. In most hierarchies, there is more than one intermediate CA. Subordinate CAs that issue certificates to end users, server, and other entities but do not issue certificates to other CAs are called leaf CAs.
Certificate Revocation List (CRL) It is sometimes necessary to revoke a person’s (or company’s) certificate before the expiration date. Usually, revocation occurs when: ■■
■■
A company changes ISPs, if its certificate was based on its ISP’s Domain name server (DNS) or its IP address rather than the company’s own DNS name, or if the ISP had access to the private key. A company moves to a new physical address, so that the address information in the certificate becomes incorrect.
■■
The contact listed on a certificate has left the company.
■■
A private key has been compromised or is lost.
Test Day Tip Do not get tripped up by a question about a certificate being revoked. The thing to remember is that crucial information in the certificate has changed or the key has been compromised.
When a certificate revocation request is sent to a CA, the CA must be able to authenticate the request with the certificate owner; otherwise, anyone could revoke your certificate. Certificate owners are not the only ones who can revoke a certificate. A PKI administrator can also revoke a certificate, without authenticating the request with the certificate owner. A good example of this is in a corporate PKI, where certificates should be revoked immediately upon termination of an employee. Once the CA has authenticated the revocation request, the certificate is revoked and notification is sent out. A PKI user needs to check the status of a company’s or person’s certificate to know when it has been revoked. There are two methods of checking the revocation status of certificates: CRLs and the Online Certificate Status Protocol (OCSP). The X.509 standard requires that CAs publish CRLs. In their simplest form, a CRL is a published form listing the revocation status of certification that the CA manages. There are several forms that revocation lists may take, but the two most noteworthy are simple CRLs and delta CRLs. A simple CRL is a container that holds a list of revoked certificates with the name of the CA, the time the CRL was published, and when the next CRL will be published.
528 CHAPTER 12 Public Key Infrastructure
It is a single file that continues to grow over time. The fact that only information about the certificates is included and not the certificate itself helps to manage the size of a simple CRL. Simple CRL characteristics are as follows: ■■ ■■
■■ ■■
A simple CRL is a container that holds the list of revoked certificates. A simple CRL also contains the name of the CA, the time and date the CRL was published, and when the next CRL will be published. A simple CRL is a single file that continues to grow over time. The fact that only information about the certificate is included and not the certificate itself limits the size of a simple CRL container.
Delta CRLs can handle the issues that simple CRLs cannot—size and distribution. Although simple CRLs contain only certain information about a revoked certificate, it can still become a large file. How, then, do you continually distribute a large file to all parties that need to see the CRL? The solution is in delta CRLs. In an environment leveraging delta CRLs, a base CRL is sent to all end parties to initialize their copies of the CRL. Afterwards, updates known as deltas are sent out on a periodic basis to inform the end parties of any changes. Exam Warning The means to differentiate between a suspended key and a revoked key is to check the reason for revocation. If the certificate appears in a CRL as a Certification Hold, it is suspended and not revoked. Think “drivers license”—if it is revoked, you are not getting it back. If it is suspended, you may get it back after a specific period of time.
When a PKI entity verifies a certificate’s validity, that entity checks the CRL before giving approval. The question is: how does a client know where to check for the list? The answer is the CDPs, or CRL Distribution Points. CDPs are locations on the network to which a CA publishes the CRL; in the case of an enterprise CA under Windows Server 2008, Active Directory holds the CRL, and for a stand-alone, the CRL is located in the certsrv\certenroll directory. Each certificate has a location listed for the CDP, and when the client views the certificate, it then understands where to go for the latest CRL. Figure 12.6 shows the extensions tab of the CA property sheet, where you can modify the location of the CDP. CRLs are normally configured with a publication interval (the most frequent intervals chosen are 1 week for full CRLs and 1 day for Delta CRLs). Clients cache the CRL for this period of time, and then check the CDP again when the period expires. If an updated CDP does not exist or cannot be located, the client automatically assumes that all certificates are invalid. Another method of verifying the state of a certificate is called the OCSP. OCSP was defined to help PKI certificate revocation get past the limitations of using CRL schemes. OCSP returns information relating only to certain certificates that have been revoked. With OCSP, there is no need for the large files used in a CRL to be transmitted.
Components of PKI 529
With OCSP a query is sent to a CA regarding a particular certificate over transport protocols such as Hypertext Transfer Protocol (HTTP). Once the query is received and processed by the CA, an OCSP responder replies to the originator with the status of the certificate, as well as information regarding the response. An OCSP response consists of: ■■
■■
■■
■■
The status of the certificate (“good,” “revoked,” or “unknown”) The last update on the status of the certificate The next time the status will be updated The time that the response was sent back to the requestor
One of the most glaring weaknesses of OCSP is that it can only return information on a single certificate, and it does not attempt to validate the certificate for the CA that issued it.
Figure 12.6 Extensions Tab of the CA Property Sheet
Key Escrow If you have ever owned a home, you are familiar with the term “escrow.” In terms of owning a home, an escrow account is used to hold monies that are used to pay things like mortgage insurance, taxes, homeowners insurance, and so forth. These monies are held in a secure place (normally by the mortgage company) where only authorized parties are allowed to access it. Key escrow works in the same way. When a company uses key escrow, they keep copies of their private key in one or more secured locations where only authorized persons are allowed to access them. A simple key escrow scheme would involve handing a copy of your keys to an escrow company, who would only divulge the keys back to you (or your successor in the organization you represent), upon presentation of sufficient credentials. In a more advanced key escrow scheme, there may be two or more escrow agencies. The keys are split up and one half is sent to the two different escrow companies. Using two different escrow companies is a separation of duties, preventing one single escrow company from being able to compromise encrypted messages using a client’s key set. Under certain circumstances, a designated third party may need to be able to gain access to data that has been encrypted using a PKI infrastructure. The term
530 CHAPTER 12 Public Key Infrastructure
key escrow is used to describe the agreement between the owner of encryption keys and a TTP. The third party is given access to the decryption keys. Sometimes the third party is represented by government, and other times the relationship may be between employee and employer, but regardless of the parties involved, someone being able to gain access to protected data raises concerns. Ideally the circumstances considered to be acceptable and appropriate for usage of shared encryption keys by the third party have been clearly outlined and defined. A good example of this may be the involvement of an employee in litigation. If an employee’s involvement in litigation is considered acceptable for the use of the key escrow, then the employer can use the key escrow to retrieve the data required. One of the largest issues with this process comes back to validating key access. The technology doesn’t offer any way to perform credential validation or validate that requirements have been met to gain access to the keys. Much of the process in key escrow utilization comes back to human involvement and it is this interaction that throws uncertainty into the mixture. You are only ever as secure as your weakest link, so having to depend on the human factor to validate the usage of the key escrow allows room for potentially unauthorized access. Test Day Tip Remember that separation of duties, when referring to escrow, focuses on requiring two or more persons to complete a task.
Key escrow is a sore spot with many people and companies, because many proposed key escrow schemes are designed to allow a government or law-enforcement authority to have access to keys. Depending on your level of trust in the government, this is either a sensible method to allow prosecution of criminals who encrypt, or it’s a way in which the government can have all of our commercial secrets in their hand, or something in between. In 1995, the U.S. government required that all parties keep copies of their key pairs with a key escrow company. Almost immediately, conspiracy theorists began questioning the government’s intentions for requiring the use of key escrows. Eventually, the U.S. government decided to avoid a battle, and dropped the requirement.
Head of the Class Big Brother Key escrow is not the only reason the government was questioned about its intentions regarding encryption. In 1993, the U.S. Congress was trying to pass the idea of implementing a special encryption chip, known as the Clipper Chip, in all electronic devices made inside of the United States. The Clipper Chip was controversial because the encryption algorithm used, SkipJack, was a classified algorithm and was never scrutinized by the public computing community. Once again, there was an uproar. Once again, the government pulled back.
Recovery Agents 531
The general fear was that because the government was controlling the encryption format, they could track and decrypt every communication session established through the use of the Clipper Chip. There were also concerns about the strength of SkipJack. What little information there was about SkipJack included the fact that it used an 80-bit key, which is easily broken. Although there are apparent down sides to escrow, it serves a useful purpose. For example, key escrow provides investigators with the ability to track criminal activity that is taking place via encrypted messages. Key escrow is also a method of archiving keys, providing the ability to store keys securely offsite.
Registration Some PKI implementations use one or more RAs. An RA is used to take some of the burden off of the CA by handling verification of credentials prior to certificates being issued. In a single CA model, a RA can be used for verifying the identity of a subscriber, as well as setting up the preliminary trust relationship between the CA and the end user. An RA is generally an out-of-band service provider, whose task is usually to verify identity documentation before confirming that a CA may issue a certificate. The RA is usually a physical outlet, at which a party will present itself, its documentation, and its certificate request. The RA verifies the physical documentation, ensures that it matches the information in the certificate request, and that the documentation is sufficient to prove the identity claimed by the desired certificate. The RA typically also takes payment on behalf of itself and the CA, and on the basis of complete identification and payment, will request the CA to issue the requested certificate. RAs are found in stand-alone or hierarchical models where the workload of the CA may need to be offloaded to other servers. Exam Warning Make sure you understand the difference between a CA and a RA. You will need to know when a RA would be used within a PKI.
Recovery Agents Sometimes it is necessary to recover a lost key. One of the problems that often arises regarding PKI is the fear that documents will become lost forever—irrecoverable because someone loses or forgets his private key. Let’s say that employees use Smart Cards to hold their private keys. If a user was to leave his Smart Card in his or her wallet that was left in the pants that he or she accidentally threw into the washing machine, then that user might be without his private key and therefore incapable of accessing any documents or e-mails that used his existing private key. Many corporate environments implement a key recovery server solely for the purpose of backing up and recovering keys. Within an organization, there typically
532 CHAPTER 12 Public Key Infrastructure
is at least one key recovery agent. A key recovery agent has the authority and capability to restore a user’s lost private key. Some key recovery servers require that two key recovery agents retrieve private user keys together for added security. This is similar to certain bank accounts, which require two signatures on a check for added security. Some key recovery servers also have the ability to function as a key escrow server, thereby adding the ability to split the keys onto two separate recovery servers, further increasing security. A key recovery solution, however, is not easy to implement and requires several steps. The basic method follows:
1. Create an account to be used for key recovery.
2. Create a new template to issue to that account.
3. Request a key recovery certificate from the CA.
4. Have the CA issue the certificate.
5. Configure the CA to archive certificates using the Recovery Agents tab of the CA property sheet (shown in Figure 12.7).
6. Create an archive template for the CA.
Each of these steps requires many substeps, but can be well worth the time and effort. It is worth noting again that key recovery is not possible on a stand-alone CA, because a stand-alone cannot use templates. It is also worth noting that only encryption keys can be recovered—private keys used for digital signatures cannot. Sometimes it may be necessary to recover a key from storage. One of the problems that often arises regarding PKI is the fear that documents will be unrecoverable, because someone loses or forgets his private key. Let’s say that employees use Smart Cards to hold their private keys. Drew, one of the employees, accidentally left his wallet in his pants and it went through the wash, Smart Card and all. If there is no method of recovering keys, Drew would not be able to access any documents or e-mail that used his existing private key. Now that the contents of Drew’s wallet have been destroyed, he is going to have to get his license, credit cards, and other items replaced. For him to get a new license, Drew is going to have to be able to prove his identity to the DMV. He Figure 12.7 may need to bring his social security card, birth certificate, passport, and so forth to Recovery Agents Tab of the CA Property Sheet prove he is who he says he is. Because the in Windows 2008
Implementation 533
DMV is a trusted authority, they are going to make sure that Drew is who he claims to be before they will issue him another license. CAs and recovery servers also require certain information before they allow a key to be recovered. This is known as key recovery information (KRI). KRI usually consists of: ■■ ■■
The name of the key owner Information verifying that the person requesting key recovery is authorized to recover the key on behalf of that key owner
■■
The time that the key was created
■■
The issuing CA server
Once the CA (or the key recovery agent) verifies the KRI, the key recovery process can begin.
Implementation Certificates are used more frequently since the development and expansion of Internet-based transactions has grown. X.509 is an ITU-T standard for PKI, and X.509 certificates are now used for Web-based authentication for access to remote systems and for encryption of information on local machines. They are also used for directory services access in various OSes, Smart Cards, digital signatures for e-mail, and encrypting e-mail. Additionally, they may be used for authentication when implementing a secure network protocol such as IPSec to protect data transmission within systems. Certificates can be installed via the Web browser on client machines to identify and authenticate users. In some OSes, such as Windows 2003 and Windows 2008, certificates can be mapped to user accounts in Active Directory, and then associated with the access tokens generated by the OS when the user logs on, making the local installation of the certificate optional on the workstation are being used. Web servers must have a Web server certificate installed to participate in SSL. Exam Warning Remember that the certificates must be issued from a verifiable and identifiable CA. This can be a commercial entity, such as Verisign or Thawte, or a stand-alone or enterprise CA within your organization. The path to the CA must be unbroken, or the certificate may be viewed as invalid. A compromised or physically unsecured CA will require recreation of your entire PKI infrastructure.
Multiple aspects of the certificate may be verified including the certificate expiry date, the domain associated with the certificate, and the validity of the CA. It is
534 CHAPTER 12 Public Key Infrastructure
important to note that if the software verifying the certificate is not configured to trust the CA, the certificate will be considered invalid.
Certificate Management Now that you know what a digital certificate is and what it is comprised of, what exactly can a digital certificate be issued for? And how do we manage them as administrators? Remember that different entities have different security requirements, so management and usage in different environments will vary. For example, users want a digital certificate for securing e-mail (either encrypting incoming e-mail or signing outgoing e-mail), Syngress wants a digital certificate for their online store, and a video hardware manufacturer wants a digital certificate they can use to verify that their hardware drivers have passed stringent verification tests and can be trusted. All three want to secure their information, and all three can use digital certificates to meet their need. Certificates and keys, just like drivers’ licenses and credit cards, have a life cycle. Different factors play into the life cycle of a particular key or certificate. Many things can happen to affect the usable life span of a key—they may become compromised or their certificates may be revoked or destroyed. Certificates also have an expiration date. Just like a license or credit card, a certificate is considered valid for a certain period of time. Once the end of the usable time for the certificate has expired, the certificate must be renewed or replaced. Mechanisms that play a part in the life cycle of a certificate are as follows: ■■
Centralized versus decentralized key management
■■
Storage of private keys
■■
Key escrow
■■
Certificate expiration
■■
Certificate revocation
■■
Certificate suspension
■■
Key recovery
■■
Certificate renewal
A CA can issue a certificate for a number of different reasons, but must indicate exactly what the certificate will be used for. The set of rules that indicates exactly how a certificate may be used (what purpose it can be trusted for, or perhaps the community for which it can be trusted) is called a certificate policy. The X.509 standard defines certificate policies as “a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements.” The certificate policy is a plaintext document that is assigned a unique object identifier (OID) so that anyone can reference it. There are many standard certificate policies, but there may be more developed as time goes on.
Certificate Management 535
If a certificate is issued for a public key, and the certificate policy states that this certificate can be used for document signing, you should not be allowed to encrypt data using that public key. Even if you were able to do so, the recipient would likely not be able to decrypt it. Different PKI implementations use different types of key management. A business enterprise often uses centralized key management, with all of the private keys generated and held by a central system. Older implementations of PGP used decentralized key management, because the keys are contained in a PGP user’s key ring and no one entity is superior over another. Hierarchical CA models generally use decentralized key management, where the keys are generated and managed by the intended owner of the private key. Whether to use centralized or decentralized key management depends on the size of the organization. With decentralized key management, the private key can be assumed to belong only to its intended owner; with centralized key management, there is a possibility for abuse of other users’ private keys by the administrators of the central key store. However, with decentralized key management, key recovery is left up to the individual user to consider, and this can result in the inadvertent loss (destruction) of keys, usually at the time when they are needed most. Whether using centralized management or decentralized management for keys, a secure method of storing those keys must be designed. As mentioned earlier, some key recovery servers can break up the key recovery process between multiple key recovery agents. This type of key recovery security is known as m of n control. m of n works by splitting the PIN between n number of key recovery agents, then reconstructing the PIN only if m number of recovery agents provide their individual passwords. n must be an integer greater than 1 and m must be an integer less than or equal to n. Going back to the example of Drew, let’s say that we are using the m of n control and we have three separate key recovery agents. To be able to recover Drew’s private key, at least two of the key recovery agents must be present. If Drew arrives in the office before the key recovery agents, he has to wait for two of the three to arrive. If only one of the key recovery agents tried to recover Drew’s key under m of n control, the recovery process would be denied. Sometimes it becomes necessary to suspend a user’s certificate. A suspension usually happens because a key is not going to be used for a period of time. For example, if a company previously used a shopping cart tool for purchasing merchandise, but became unhappy with its current online store and is rebuilding it, they could have their CA suspend their certificate and keys. The reason this is done is to prevent the unauthorized use of keys during an unused period. Eventually, although the certificate is in a suspended mode, it must either be revoked or reactivated, or it will simply expire. The same status checking methods used for revocation apply to the suspension of certificates. CAs use CRLs and OCSP to allow for the status of suspended certificates to be reviewed. The difference is that the reason for revocation is listed as Certification Hold instead of the typical revocation reasons (such as change in owner information, compromised keys, and so forth).
536 CHAPTER 12 Public Key Infrastructure
Summary OF EXAM OBJECTIVES This chapter examined some of the common cryptography algorithms and concepts that help to apply cryptography in situations where it is necessary and effective. We discussed the concepts behind cryptography as well as different usages of it including confidentiality, integrity, authentication, and nonrepudiation. Confidentiality is the idea that information should only be accessible by those with a “need to know.” Authentication is the act of verifying that a person or process is whom they claim to be, integrity means that a message has remained unmodified because the author sent it, and nonrepudiation is a corollary of integrity that prevents an author from denying that a message or part of its contents were sent. Some of these concepts also tie into the discussions of digital signatures. Digital signatures are a public key cryptography application that uses the concepts of confidentiality, integrity, and nonrepudiation to create an accountable messaging system. PKI components include a public key, a private key, and a TTP. Digital signatures issued by CA are used to port keys and are at the center point of PKI deployments. A certificate authority can be deployed in multiple models including an enterprise, standard, root or subordinate. PKI and key management can be difficult topics to understand, mainly because PKI is such a robust mechanism and there are so many safeguards in place to protect key pairs. However, these are the same reasons why PKI is widely implemented throughout the connected world. Some of the key points regarding PKI include the PKI identification process. It is based on the use of unique identifiers, which are also known as keys. Each person using the PKI creates two different keys, a public key and a private key. The public key is openly available to the public, while the private key is only known by the person for whom the keys were created. Through the use of these keys, messages can be encrypted and decrypted for transferring messages in private. To use PKI, you must possess a digital certificate. Much like a driver’s license, a digital certificate holds crucial information about the key holder. Information stored in a digital certificate includes: ■■
Serial number
■■
Subject
■■
Signature algorithm
■■
Issuer
■■
Valid from
■■
Valid to
■■
Public key
■■
Thumbprint algorithm
Exam Objectives Fast Track 537
Of course, there must be a checks-and-balances system for managing certificates and associated keys. This issue is addressed through the key management life cycle. Security professionals have to resolve questions regarding centralized versus decentralized key management; how keys will be stored for both online use and key archival. They also have to decide how a company will or will not use key escrow. Certificate management also includes maintenance duties and decisions must be made involving components such as certificate expiration, certificate renewal, certificate revocation, and key destruction. PKI is a robust solution with many components that need to be addressed. Understanding the components and the associated standards, protocols, features, and uses of PKI will help to ensure a smooth integration with the environment.
Exam Objectives Fast Track PKI Overview ■■
PKI stands for public key infrastructure and it is utilized to protect privacy in a network environment
■■
PKI is governed by PKCS
■■
DES and DH are encryption algorithms utilized within PKI infrastructures
Components of PKI ■■
A certificate authority is the issuing component in a PKI infrastructure
■■
PKI utilizes a public and a private key pair
■■
Keys are stored and ported through the usage of digital certificates
Registration ■■ ■■
■■
A RA handles authentication prior to issuing a certificate An RA can be used to set up the trust relationship between a CA and the end user or workstation An RA can also be used to take payment once authentication has taken place
Recovery Agents ■■ ■■
■■
Recovery key agents are used to recover a user’s lost key Recovery servers can be configured to require KRI before allowing key recovery to take place Key recovery servers can also function as key escrow servers
538 CHAPTER 12 Public Key Infrastructure
Implementation ■■
Certificates are frequently used in SSL implementations
■■
Certificates can be utilized for user authentication purposes
■■
The key to a successful PKI implementation lies in choosing a trusted and verifiable CA
Certificate Management ■■
■■ ■■
Each certificate issued is intended and formatted for a particular purpose. Certificates have many usages and the issuing CA must indicate intended usage in the certificate itself Certificate policies dictate how certificates may be used A PKI infrastructure can be deployed in centralized or decentralized models, each with different implications
Exam Objectives Frequently Asked Questions Q: What does PKI stand for? A: Public key infrastructure Q: What are some common uses of a PKI infrastructure? A: Confidentiality, nonrepudiation, data integrity, and authentication Q: What are some benefits of using a publicly trusted CA? A: Because a public CA is already trusted by many devices and OSes, there is less work for the administrator to do to establish the chain of trust. Also, by utilizing a public CA the workload of managing and maintaining the CA servers is outsourced. A main disadvantage of utilizing a public CA is the cost assosciated with purchasing certificates. Q: What are some benefits of using an internal CA? A: Zero cost is the primary benefit. When a company deploys a PKI infrastructure they are able to create and issue certificates for no cost. A public CA typically will charge on a per certificate basis. Also, by hosting an internal CA the corporation has control over what type of certificates may be issued as well as when they expire. Q: What is key escrow? A: Key escrow is when the responsibility of the recovery keys for an organization is shared with a TTP.
Self Test 539
Q: When might key recovery be required? A: If data is encrypted and the original key pair used for encryption is no longer available then key recovery would be required to recover the encrypted content. Q: Do I have to purchase SSL certificates from an external CA? A: No, a certificate that can be used for SSL can be issued from an internal CA. However, if Internet-based users will be accessing the Web site they will not trust the internal root CA by default. When accessing the Web site users will experience pop-ups questioning the validity of the issuing CA, and asking the user if the issuing CA is trusted. It is a good idea to consider selecting a CA that is trusted by the user base that will be accessing the site. When it comes to Internet-facing sites this will typically be a public CA such as VeriSign or Thawte. Q: What is a CRL? A: A certificate revocation list. A CRL is a list of certificates kept by the issuing CA of certificates that have been revoked and are no longer considered valid.
Self Test
1. You are applying for a certificate for the Web server for your company. Which of these parties would you not expect to be contacted in the process? A. A registration authority B. A leaf CA C. A key escrow agent D. A root CA
2. What portion of the information in your certificate should be kept private? A. All of it. It is entirely concerned with your private information. B. None of it. There is nothing private in the certificate. C. The thumbprint that uniquely identifies your certificate D. The public key listed in the certificate
3. In creating a key recovery scheme that should allow for the possibility that as many as two of the five key escrow agents are unreachable, what scheme is most secure to use? A. Every escrow agent gets a copy of the key. B. m of n control, where m is 3 and n is 5
540 CHAPTER 12 Public Key Infrastructure
C. Every escrow agent gets a fifth of the key, and you keep copies of those parts of the key so that you can fill in for unreachable agents. D. Keep an extra copy of the key with family members, without telling them what it is.
4. What statement best describes the transitive trust in a simple CA model? A. Users trust certificate holders, because the users and the certificate holders each trust the CA. B. Users trust certificate holders, because the users trust the CA, and the CA trusts the certificate holders. C. Certificate holders trust users, because the certificate holders trust the CA and the CA trusts its users. D. Users trust certificate holders, because the certificate holders have been introduced to the users by the CA.
5. In a children’s tree-house club, new members are admitted to the club on the basis of whether they know any existing members of the club. What form of PKI would be most analogous to this? A. A hierarchical CA model C. A simple CA model B. A chain of trust D. A web of trust
6. In a hierarchical CA model, which servers will use self-signed certificates to identify themselves? A. Root CAs D. Subordinate CAs B. Intermediate CAs E. All CAs C. Leaf CAs
7. Where would you search to find documentation on the formats in which certificates and keys can be exchanged? A. ITU X.500 standards B. Internet Requests for Comment (RFCs) C. PKCS D. ITU X.509 standards E. Internet Drafts
8. Which of the following certificate lifecycle events is best handled without revoking the certificate? A. The contact e-mail address for the certificate changes to a different person. B. The certificate reaches its expiry date.
Self Test 541
C. The company represented by the certificate moves to a new town in the same state. D. The certificate’s private key is accidentally posted in a public area of the Web site.
9. If you are following best PKI practices, which of the following would require a certificate to be revoked? A. The private key is destroyed in an unfortunate disk crash. B. The certificate has been found circulating on an underground bulletin board. C. The private key was left on a laptop that was stolen, then recovered. D. A new certificate is generated for the same private key.
10. Which is an example of m of n control? A. A personal check book for an individual B. A business check book, requiring signatures of two principals C. A locked door with a dead-bolt D. A bank vault with a time lock that allows opening at three separate times within a week 11. Which statement is true about a CRL? A. A CRL may contain all revoked certificates, or only those revoked since the last CRL. B. A CRL is published as soon as a revocation is called for. C. A CRL only applies to one certificate. D. A CRL lists certificates that can never be trusted again. 12. Your company receives a list of certificates in a CRL. Which certificates in this list should not be permanently marked as untrustworthy? A. Certificates for which you own the private key B. Certificates whose name matches those under your company’s domain C. Those marked as “Certification Hold” D. None—all certificates in a CRL are permanently untrustworthy 13. When exchanging encrypted information with a trusted partner by e-mail, what information do you need to exchange first? A. Your certificates B. Your private keys C. The expected size of the data to be sent D. Web site addresses
542 CHAPTER 12 Public Key Infrastructure
14. An attacker has broken into your SSL-secured Web server, which uses a certificate held in local software storage, and defaced it. Do you need to revoke the certificate? A. Yes. Software storage is no protection against hackers, and the hacker may now have the private key in his possession. B. No. The hacker would have needed to know the key’s password to sign anything. C. No. The hacker cannot use the key to sign data once the Web server has been repaired. D. Yes. The hacker may have used the key to sign information that others may continue to trust. 15. A certificate from your company was revoked after its private key was exposed. Now that a new certificate has been generated using a new key pair, what should you do with the old key pair? A. Use the key pair to generate a new certificate under a different name B. Destroy the key pair C. Deregister the old certificate D. Use the private key to sign your own CRL
Self Test Quick Answer Key 1. 2. 3. 4. 5.
D B B B D
6. 7. 8. 9. 10.
A C B C B
11. 12. 13. 14. 15.
A C A D B
PART
Organizational Security
6
This page intentionally left blank
CHAPTER
Redundancy Planning
13
E x a m o b j e c tiv e s in this c hapt e r Alternate Sites ................................................................................................................... 545 Redundant Systems............................................................................................................. 548 Redundant Arrays of Inexpensive Disks................................................................................ 551 Spare Parts ........................................................................................................................ 552 Backup Generator............................................................................................................... 554 Uninterruptible Power Supply.............................................................................................. 554
Introduction As we’ll see in the next chapter, any number of disasters can put a company at risk of not being able to do business. Fires, blizzards, earthquakes, or something as simple as a primary server failing could threaten the capability of an organization to function. An important part of protecting a business from potential threats is redundancy planning. Redundancy planning refers to looking at potential threats to the capability of an organization to do business and a network’s capability to function, and implements measures that reduce the risk to a minimum. As we’ll see in the sections that follow, this involves setting up facilities to use if a disaster occurs, installing duplicate systems that take over if the primary systems fail, and using devices that will provide power and other functions in cases of emergency.
Alternate Sites Alternate sites are important to certain companies, so they can experience minimal downtime or almost no downtime at all. In a disaster, it’s possible that the facilities, servers, or other network devices are damaged or destroyed. In such a case, the company would require a temporary location in which data can be restored to servers, and business functions can resume. Without such a facility, the company would need to find a new business location, purchase new equipment, set it up, and then go live. The time that it would take to do this could be so long that the disaster could put them
545
546 CHAPTER 13 Redundancy Planning
out of business. Alternate sites get the business up-and-running quicker, allowing the business to continue running until their existing facilities are repaired or a new permanent site is established. As we’ll see in the sections that follow, there are different types of alternate sites that can be used, with each having its own benefits and drawbacks. They are as follows: ■■ ■■
■■
Hot site This is a site that has everything needed and is ready to go live. Warm site This is a site in which some equipment and services need to be set up, and data needs to be restored from backups before going live. Cold site This is a site that is the least expensive to maintain but requires the most amount of preparation before going live.
Creating alternate or backup sites can take considerable planning. Companies need to identify what equipment needs to be available, and how fast they need backup systems to go live after a disaster. When deciding on appropriate locations for such sites, it is important that they be in different geographical locations. If the alternate site is not at a significant distance from the primary site, it can fall victim to the same disaster. Imagine having an alternate site across the road from a company when an earthquake occurs. Both sites would experience the same disaster, so now there would be no alternate site available to resume business. However, you don’t want the alternate site so far away that it will significantly add to downtime. If the information technology staff needs to travel long distances to get to the site, this can increase the downtime and result in additional losses. Designate a site that is close enough to work from, but not so near that it will become a major issue when a disaster occurs.
Notes from the Field September 11 and Business Continuity The terrorist activities of September 11, 2001, which resulted in the destruction of the World Trade Center in New York City, caused many companies to seriously consider their business continuity plans. Companies may have planned for a localized disaster (such as a fire) affecting their business, but the decimation caused as a result of airliners slamming into the buildings was something no one had accounted for. A large-scale disaster resulting in the loss and inaccessibility of employees, facilities, and other assets wasn’t something that many considered. According to a report by the U.S. Securities and Exchange Commission entitled Summary of “Lessons Learned” from Events of September 11 and Implications for Business Continuity, the businesses that did have alternate sites had them too close to their primary facility. As a result, when the twin towers collapsed and the area was shut down for the emergency, they were cut off from their alternate sites that were in nearby buildings. For further information on the findings of the U.S. Securities and Exchange Commission, you can visit www.sec.gov/divisions/marketreg/lessonslearned.htm.
Alternate Sites 547
Hot Site A hot site is a facility that has the necessary hardware, software, phone lines, and network connectivity to allow a business to resume normal functions almost immediately. This can be a branch office or data center, but it must be online and connected to the production network. A copy of data is held on a server at that location, so little or no data is lost. Replication of data from production servers may occur in real time, so that an exact duplicate of the system is ready when needed. In other instances, the bulk of data is stored on servers, so only a minimal amount of data needs to be restored. This allows business functions to resume very quickly, with almost zero downtime. A hot site is the optimum solution in a disaster. However, while every company would like a hot site for their alternate site, companies may decide against them due to budget concerns. The hot site has equipment that matches the configuration of the production network, which means that any changes to equipment need to be duplicated at the alternate site. However, if the business expects significant losses (in terms of money and customers) from the network going down for any great length of time, a hot site would be seen as a necessary investment.
Warm Site A warm site is not as equipped as a hot site, but it has part of the necessary hardware, software, and other office needs to restore normal business functions. Such a site may have most of the equipment necessary, but it will still need work to bring it online and support the needs of the business. With such a site, the bulk of data will need to be restored to servers, and additional work (such as activating phone lines or other services) will need to be done. No data is replicated to the server, so backup tapes must be restored so that data on the servers is recent. Warm sites cost less than hot sites, which makes them an attractive alternative. However, they also lack a number of the features required for them to go online quickly. Unlike a hot site, a duplicate of the data is not held on servers. The alternate site may be used as a facility to store backups of data from production servers, which are used in a disaster to restore data to the warm site’s servers. To delay matters further, the site may require additional equipment before it can go live. Because hot sites allow an immediate switchover, it can be up in hours, but a warm site may require days of setup.
Cold Site A cold site requires the most work to set up, as it is neither online nor part of the production network. It may have all or part of the necessary equipment and resources needed to resume business activities, but installation is required and data needs to be restored to servers. Additional work (such as activating phone lines and other services) will also need to be done. The major difference between a cold site and hot site is that a hot site can be used immediately when a disaster occurs, whereas a cold site must be built from scratch.
548 CHAPTER 13 Redundancy Planning
A cold site is the least expensive type of alternate site, but isn’t an option for companies that can’t afford to wait for servers and equipment to be set up. Generally, this is an empty facility that has some network capabilities, but doesn’t have any servers or other network equipment. In a disaster, the company would need to purchase equipment, or scavenge and salvage their own equipment from other offices. This can mean that the company is unable to resume business for weeks. Also, because the site can’t be tested prior to its use, there may be significant issues with equipment not working properly and having poor initial performance. Test Day Tip The exam will expect you to know the difference between cold, warm, and hot sites. Don’t get too stressed out trying to remember all of the features of each site. A quick and dirty way of keeping them straight is to remember that a hot site is active and functional, a cold site is offline and nonfunctional, and a warm site is an intermediate.
Redundant Systems A single point of failure can be the heel of Achilles that brings down a system. Imagine a single road with a bridge that provides the only way to enter or exit a town. If the bridge fell down, no one would be able to enter or leave the town. Just like the bridge, which provides a single point of failure that can cut off people from the outside world, a single point of failure in a system can sever the capability of a company to perform normal business functions. High availability is the capability of a network to keep systems operating and to keep services available in the event of an outage. How this is provided is through redundant systems and fault tolerance. Redundancy is a duplication of services and systems. If the primary method used to store data, transfer information, or other operations fails, then a secondary method is used to continue providing the services. Fault tolerance refers to a systems capability to continue working in the event of such a failure. If one component stops working, it will fail over to another component. This ensures that systems are always available in one way or another, with minimal downtime so that people are not prevented from doing their jobs. By providing high availability to a network, the business is able to continue functioning with minimal impact from a system failure. Test Day Tip Don’t get confused between the terms high availability, redundancy, and fault tolerance. High availability means that things are up-and-running most of the time, regardless of a problem. Redundancy means that services and systems are duplicated, so if one goes down, the other can still be used. Fault tolerance means the capability of a system to continue working even if a component or service fails. These terms will probably appear on your exam, so you should be familiar with each of them.
Redundant Systems 549
Servers There are many ways of providing fault tolerance and redundancy in servers, which involves duplicate components or duplicate servers. For example, a server may have multiple network cards installed on it, so that if one of the cards fails, the data on that server can still be accessed through the second card. A server that provides important services or runs critical programs may use a failover server. The failover server duplicates the services and data of the primary server, and checks at regular intervals that the primary server is running. If the failover server doesn’t receive a response during one of these checks, it will then take over the role of the primary server and provides services to users. From the user’s point of view, there is little to no breakdown in service. Many operating systems (OSes) provide the capability to cluster servers together. Server clusters are groups of independent servers that are connected together, so that if one fails the others will continue to provide the services. Windows Server, Novell Open Enterprise Server, and Linux support clustering, and are often used for servers providing file and print services, applications, databases, or messaging. In the event of a failure, a user’s request for a resource is redirected from the failed server to another server that is still operating. As seen in Figure 13.1, each of the servers runs independently on the network but is connected together. Each server handles its own local resources and has a copy of the services and applications that run on other servers in the cluster. In many clusters, the servers share a single disk system, and appear on the network as a single entity. When a user makes a request for a resource, it is sent to the cluster. If one of these servers failed, the others in the cluster would still function and be able to take over processing requests from the network, and provide services. This is invisible to the user, who would be unaware that a failure event occurred. There are two forms of server clusters that can be used on a network: active/ active and active/passive. An active/active cluster has all of the servers actively responding to requests, so that if one server fails, all of the other servers in the cluster can continue processing requests. This type of cluster provides high availability, because in the event of a failure, there is no loss in the availability of services. An active/passive cluster has servers that are only used if the active server fails. In this type of cluster, the active server processes the requests, whereas the other only becomes active if the first one fails. When a failure occurs, the passive node then begins taking over the role of responding to requests, until such time that the original server’s issue has been taken care Figure 13.1 Server Clustering of and can become active again.
550 CHAPTER 13 Redundancy Planning
Exam Warning Remember that server clusters provide fault tolerance and redundancy, allowing users to continue making requests to servers even if one of the servers in the cluster fails. An active/active cluster provides high availability because all of the servers are regularly responding to requests. This isn’t true in an active/passive cluster, where the passive server becomes active only when the primary server fails.
Connections Redundancy is often found in networks, such as when multiple links are used to connect sites on a wide area network (WAN). Network lines may be used to connect two sites, with a separate network line set up in case the first link goes down. If this first link fails, the network can be switched over to use the second link. In other instances, additional lines may be set up in other ways to provide redundancy. For example, site A is connected to site B, which is connected to site C. These two links connect the three sites together, but if either of them fails, one of the sites will be unable to communicate with the others, and vice versa. To provide high availability, a third link can be set up between sites A and C. As shown in Figure 13.2, the additional link allows the three sites to communicate with one another if any one link fails. Exam Warning Multiple connections between sites allow a network to function, even if one of the links between the sites fails. If a connection between one site and another failed, the lower priority link could then be used to transfer data.
Internet Service Provider Many companies depend on Internet connectivity almost as much as network connectivity. In some cases, such as e-commerce businesses, they depend on it more. A redundant Internet Service Provider (ISP) can be used to provide connectivity when an organization’s primary ISP’s service becomes unavailable. The link to the secondary ISP can be configured as a low-priority route, whereas the primary ISP is advertised as high priority. Such a configuration will have users using the primary ISP for normal usage, but automatically switching over to the lowpriority connection, when the first one fails. If a secondary ISP is not desired, the Figure 13.2 administrator should ensure that the ISP uses two different points of presence. Multiple Connections Used to Provide A point of presence is an access point to Redundancy on a Network
Redundant Arrays of Inexpensive Disks 551
the Internet, therefore having multiple points of presence will allow access to the Internet if one goes down.
Redundant Arrays of Inexpensive Disks Data is a commodity of any business, so it’s important to ensure that it is always available to those who need it. Redundant arrays of inexpensive disks (RAID) technology was developed to prevent the loss of data and/or improve the performance. RAID provides several methods of writing data across multiple disks, and writing to several disks at once. Rather than losing a single disk and all the information, administrators can replace the damaged disk and regenerate the data quickly. When determining which level of RAID to use, it is important to remember that some RAID levels only increase performance, some only prevent loss of data, but not all will do both. The different levels of RAID available include the following: ■■
■■
■■
■■
■■
■■
■■
RAID 0 (Disk striping) In this level, the data is written (striped) across two or more disks, but no copies of the data are made. This improves the performance because the data is read from multiple disks, but there is no fault tolerance if a disk fails. RAID 0+1 (Disk striping with mirroring) This level combines the features of RAID 0 and RAID 1. It allows four or more disks to be used as a set, but provides full redundancy and the same fault tolerance as RAID 5. RAID 1 (Mirroring or duplexing) In this level, the data that is written to one disk is also written to another, so that each drive has an exact copy of the data. In other words, the data of one disk is a mirror image of the other. Additional fault tolerance is achieved by using separate disk controllers for each disk, which is called duplexing. If one of the disks fails or (in the case of duplexing) a controller fails, the data can still be available through the other disk in the pair. Because data from one disk is mirrored to another, a minimum of two disks must be used to implement RAID 1. Novell Netware systems commonly use mirroring for fault tolerance. RAID 1+0 This level is also referred to as RAID 10. This level of RAID uses both striping and mirroring. In using this method, the disks are configured as a striped set of mirrored subsets or a mirrored set of striped subsets. RAID 2 This level is similar to RAID 0, except that error correction codes are used for drives that do not have built-in error detection. RAID 3 In this level, the data is striped across three or more drives, but one drive is used to store the parity bits for each byte that is written to the other disks. When a disk fails, it can be replaced and the data can be restored to it from the parity information. If two or more disks in the set fail, data cannot be recovered. RAID 4 This level is similar to RAID 3, but stripes the data in larger blocks. As with RAID 3, if one disk fails, data can be recovered. However, if more than
552 CHAPTER 13 Redundancy Planning
one disk fails, data cannot be recovered. Three or more hard disks are required to implement RAID 4. ■■
■■
■■
■■
■■
RAID 5 (Disk striping with parity) In this level, the data is striped across three or more disks, but parity information is stored across multiple drives. It is a preferred method for fault tolerance on Windows servers. RAID 5+1 This level uses a combination of methods to achieve fault tolerance. RAID 5+1 uses mirroring (or duplexing) and block striping with distributed parity. RAID 6 This level is similar to RAID 5 except that it uses two parity blocks that are distributed across all of the disks in the striped set. RAID 10 This level allows four or more drives to be used in an array, and has data striped across them with the same fault tolerance as RAID 1. RAID 53 This level allows a minimum of five disks to be used in an array, but provides the same fault tolerance as RAID 3.
RAID is available through hardware or software. Hardware RAID generally supports more levels of RAID, and provides higher performance. This type of RAID can also support hot swapping (discussed in the next section), in which a disk can be removed from the server without having to take the server down. Software RAID is provided through OSes, such as Windows. When RAID is provided through the software, the levels of RAID supported may be limited. For example, Windows servers will only support RAID 0, 1, and 5. RAID levels 0, 1, 3, and 5 are most commonly implemented, with others rarely found on networks. Also, it takes a higher toll on the system, as RAID functions must run through the OS running on the machine. Because of this, hot swapping is often unsupported, so you will need to take down the system to replace a disk. Test Day Tip RAID 0, 1, 3, and 5 are the most commonly used levels of RAID. Although there are other levels of RAID that could possibly be used on a network, these four RAID levels are the ones most likely to appear on your exam. Focus studying on RAID 0, 1, 3, and 5.
Spare Parts Spare parts refer to additional hardware components that are necessary for servers or other network devices to operate. If a network card or power supply on a server failed, having an extra component on hand makes it possible to replace the defective part and get the server up-and-running. By having the parts stored on the site, you don’t need to spend time ordering a replacement for the faulty component and waiting for it to be delivered. Determining how many spare parts are necessary for your organization will often depend on how critical it is for there to be little to no wait time to replace the faulty components. It is possible for a company to have an extra part for every component, but
Spare Parts 553
this is obviously expensive. By having one extra component for all of the ones used on servers, you can replace a faulty component on one server at any given time. Another strategy is to use the N + 1 equation, where N is the number of components. For example, if you had six servers that were of the same model, you would have seven (6 + 1) of each of the power supplies, network cards, and so forth that are used in those servers. Hardware components may provide features that improve the ease and speed of replacing faulty hardware. The following allow you to replace a faulty component without having to completely shut down the system: ■■
Hot swap
■■
Warm swap
■■
Hot spare
Hot swapping refers to the ability to replace hardware components without having to shut down the computer. If a component fails, you don’t need to power off the machine. As we mentioned earlier, when we discussed RAID, a hard disk or other hardware that supports hot swapping can be inserted or removed while the computer remains online, meaning that there is no interruption to service. Warm swapping is similar to hot swapping, as the computer doesn’t need to be completely shut down. However, the computer does need to be put into a suspended state (such as hibernate) while the hardware is being inserted or removed. This means that any services that a server provides are temporarily suspended while the work is being done. Once the faulty component has been replaced, the system is taken out of a suspended state, allowing normal operations to resume. Test Day Tip Remember that hot swapping doesn’t require powering down the computer, or even setting it into a suspended state. Think of universal serial bus devices that you can insert and remove without any changes to the state of the computer, when you think of hot swapping. Warm swapping also doesn’t require completely shutting down the computer, but does require putting the computer into a suspended state.
A hot spare is different from the earlier methods, as it doesn’t require physically removing and inserting a spare part in the case of a failure. It is a redundant component that is used in situations when the system needs to fail over. A hot spare is installed on the system, but isn’t used until the primary component fails. When the component fails, the system might be configured to detect this and automatically switch over to the hot spare. For example, additional drives may be used in a RAID array and held in standby mode. Once a failure occurs, these additional drives are taken out of standby mode and become actively used. Exam Warning Don’t confuse a hot spare with some of the other “hot” topics we’ve discussed in this chapter. A hot spare is installed in the computer, and is only used when the primary component fails.
554 CHAPTER 13 Redundancy Planning
Backup Generator Even if administrators are comfortable with the internal measures that they have taken to protect data and other assets, outside sources may still have an impact on systems. Utility companies supply essential services, such as electricity and communication services. In some disasters, such as major storms or earthquakes, these services may become unavailable. Without them, servers and other vital systems are left without power, and unable to phone for assistance to bring them back online when power is restored. To continue doing normal business functions, administrators need to implement equipment that will provide these services when the utility companies cannot. When power is out for lengthy periods of time, additional measures may be necessary to supply electricity to equipment. Power generators can run on gasoline, kerosene, or other fuels for an extended time, and provide energy to a building. Certain power outlets may be connected to the generator, so that any systems plugged into these outlets will receive power when normal power is lost.
Damage and Defense Providing Power to a Power Generator In August 2003, a major power outage affected parts of the United States and Ontario, Canada. An estimated 45 million Americans and 10 million Canadians were left without power for a day. Because of preparation for Y2K a few years before and other factors, a number of homes and businesses had various kinds of power generators. Unfortunately, people who owned gas generators and didn’t have a supply of gasoline on hand were faced with a surprising fact: gas pumps were electrically powered. Gas stations affected by the blackout had no way of powering the pumps to get the gas out of the ground, and had to close (even though there were plenty of potential customers driving around looking for fuel). Preparing for a disaster requires identifying risks, and one of those risks is not having fuel to power a backup generator. Fuel used for backup generators should be stored in a secure facility that won’t pose a danger of fire or other types of ignition. If a power outage occurs, this fuel can be used to start up and run the generator. Without this fuel, you could be one of the many people looking at a nonfunctioning gas pump, wondering how you’re going to get fuel to run your generator.
Uninterruptible Power Supply Uninterruptible power supplies (UPSes) are power supplies that can switch over to a battery backup when power outages occur. Multiple devices can be plugged into a UPS similar to a power bar, and the UPS generally provides such functions as surge protection and noise filtering. When a drop in voltage occurs, the UPS detects it and switches over to battery backup. Components plugged into the UPS can then receive
Exam Objectives Fast Track 555
power for a limited amount of time (often ranging from 10 to 45 min), until normal power is restored or the system can shut down properly. This does not allow you to continue normal business functions, but it will protect data from corruption caused by sudden losses of power and improper shutdowns. Exam Warning UPSes are used for short-term power, whereas backup generators are designed for providing power for longer periods of time.
Summary of Exam Objectives In this chapter, we discussed a number of methods for providing redundancy of systems and preparing for potential threats that could impact on the capability of an organization to function. In cases where the business’s facility or networking capabilities are damaged or destroyed, alternate sites can be used. These sites can take various amounts of preparation to get up-and-running. Hot sites take little work to get online and have a copy of data on servers, warm sites require restoring backed-up data to servers and may require some equipment, while cold sites must be made from scratch. Redundant systems can also be used to reduce the impact of potential threats, by having duplicate components or systems available in case one fails. This can include having servers clustered on a network, having spare components available to install or bring online when a failure occurs, or implementing RAID. These ensure that the servers have high availability, can fail over, or allow data to be restored if a disaster occurs. Because power is so important to a business, methods of providing power during an outage must also be available on a network. UPSes can be used to provide power for short periods of time, allowing a computer to be shut down gracefully. For longer periods of power outages, backup generators can be used to provide power for hours or days at a time. Together, redundancy in systems protects a business from a wide variety of threats. They allow systems to continue functioning throughout a disaster and allow companies to continue doing business.
Exam Objectives Fast Track Alternate Sites ■■
■■
Alternate sites should be identified to provide an area where business functions can be restored. There are three options for alternate sites: hot, warm, and cold. A hot site is a facility that has the necessary hardware, software, phone lines, and network connectivity to allow a business to resume normal functions almost immediately.
556 CHAPTER 13 Redundancy Planning
■■
■■
A warm site is not as equipped as a hot site, but has part of the necessary hardware, software, and other office needs to restore normal business functions. A cold site requires the most work to set up, as it is neither online nor part of the production network. It may have all or part of the necessary equipment and resources needed to resume business activities but installation is required and data needs to be restored to servers.
Redundant Systems ■■
■■
■■
■■
■■
■■
■■
■■
High availability is the capability of a network to keep systems operating and services available in the event of an outage. It is provided through redundant systems and fault tolerance. Redundancy is a duplication of services and systems. If the primary method used to store data, transfer information, or other operations fails, then a secondary method is used to continue providing services. Fault tolerance refers to the capability of a system to continue working in the event of such a failure. If one component stops working, it will fail over to another component. Server clusters are groups of independent servers that are connected together, so that if one fails, the others will continue to provide the services. In an active/active cluster, all of the servers are actively responding to requests. If one fails, there is no loss of availability because the other servers are already processing the requests. In an active/passive cluster, one server actively responds to requests, whereas the other becomes active and processes requests only if the first one fails. Companies may use more than one ISP, so that they can switch to the secondary ISP in the case of a failure. ISPs may provide more than one point of presence to ensure fault tolerance. A point of presence is an access point to the Internet. Multiple points of presence will allow access to the Internet if one goes down.
Redundant Arrays of Inexpensive Disks ■■
■■
■■
There are different levels of RAID that can be implemented, each with unique characteristics that provide increased performance and/or fault tolerance. RAID 0 is disk striping, in which data is written across two or more disks, but no copies of the data are made. RAID 0+1 allows four or more disks to be used as a set, but provides full redundancy and the same fault tolerance as RAID 5.
Exam Objectives Fast Track 557
■■
■■
■■
■■
■■
■■
■■
RAID 1 is mirroring or duplexing, in which data written to one disk is also written to another, so that each drive has an exact copy of the data. RAID 2 is similar to RAID 0, except that error correction codes are used for drives that do not have built-in error detection. RAID 3 involves data being striped across three or more drives, but one drive is used to store the parity bits for each byte that is written to the other disks. RAID 4 is similar to RAID 3, but stripes data in larger blocks. Three or more hard disks are required to implement RAID 4. RAID 5 is disk striping with parity, in which data is striped across three or more disks, but parity information is stored across multiple drives. RAID 10 allows four or more drives to be used in an array and has data striped across them with the same fault tolerance as RAID 1. RAID 53 allows a minimum of five disks to be used in an array but provides the same fault tolerance as RAID 3.
Spare Parts ■■
■■
■■
■■
Spare parts refer to additional hardware components that are necessary for servers or other network devices to operate. Hot swapping refers to the ability to replace hardware components without having to shut down the computer. Warm swapping requires the computer to be put in a suspended state while a component is being inserted or removed. A hot spare is different from the previous methods, as it doesn’t require physically removing and inserting a spare part in the case of a failure.
Backup Generator ■■
■■
■■
Even if administrators are comfortable with the internal measures that they have taken to protect data and other assets, outside sources may still have an impact on systems. Preparing for a disaster requires identifying risks, and one of those risks is not having fuel to power a backup generator. Fuel used for backup generators should be stored in a secure facility that won’t pose a danger of fire or other types of ignition. Backup generators are used to ensure that the business can continue functioning for longer periods of time after a power outage. As long as a company has enough fuel for the generator, it could be used to power the business for days at a time.
558 CHAPTER 13 Redundancy Planning
Uninterruptible Power Supply ■■
■■
■■
UPSes are power supplies that can switch over to a battery backup, when p ower outages occur. UPSes can be used to ensure a business can continue functioning for a limited time after a power outage. UPSes are used for short-term power, whereas backup generators are designed for providing power for longer periods of time.
EXAM OBJECTIVES Frequently Asked Questions Q: My company would like to have an alternate site available to use in cases of emergency, but our budget doesn’t allow renting an extra facility. How can we have an alternate site on a low budget? A: If your company has branch offices, you could look at having an alternate site designated at one of those facilities. If this isn’t an option, you could develop a partnership with another business in a different location. Each organization would have their own servers and network equipment stored in the other company’s server room. If one of your facilities became unavailable due to a disaster, you could then bring the servers at the other location online and resume business functions. Q: We want systems to be protected in the case of a power outage, but we can’t afford to install UPSes on every machine in the company. What can we do to protect systems from power outages? A: If protecting every machine with a UPS isn’t an option, select the most critical systems to be plugged into a UPS. This would include servers, networking devices, and computers used for crucial business purposes. Q: I’ve implemented RAID for fault tolerance through my Windows OS, but I still have to shut down the system to remove and replace a failed hard disk. Is there any way to implement RAID and not have to shut down the server when a disk needs replacing? A: RAID can be implemented through hardware, which can support hot swapping, in which a disk can be removed from the server without having to take it down. RAID takes a higher toll on the system, as RAID functions must run through the OS running on the machine. Because of this, hot swapping is often unsupported through the OS, which is why you must take down the system to replace a disk.
Self Test 559
Self Test
1. Your company wants to set up an alternate site that can be used if a disaster damages servers or the network. A copy of the data will be held on servers at this location, with replication data from production servers being copied to it. Which of the following sites will you implement? A. Hot site C. Warm site B. Cold site D. Hot spare
2. Your company wants to set up an alternate site that can be used if a disaster damages servers or the network. The company has budgeted to have servers, some furniture, and other necessary equipment set up onsite. In the event of a disaster, these servers can be brought online. The site will also be used for storage, having backup tapes of the production servers stored there. This not only makes it cheaper, not having to pay a security company for storage of tapes, but also allows the data to be restored to servers quickly if a disaster occurs. What kind of site is this? A. Hot site C. Warm site B. Cold site D. Hot spare
3. Your company wants to set up an alternate site that can be used if a disaster damages servers or the network. Due to budget concerns, it doesn’t have the capabilities to provide much funding. Which of the following is the least expensive type of alternate site to implement? A. Hot site B. Cold site C. Warm site D. Hot spare
4. You are deciding on appropriate locations for a cold site that will be used in case of a disaster. You decide to set up the cold site in a nearby facility, which is used by the company to store equipment and office supplies. The building has an old Halon system for fire suppression in key areas, has air conditioning in all areas, and is dry. Should a disaster occur, the members of the organization will simply move down the street and set up operations at this location. Based on the features and location of the site, is it suitable to set up a cold site? A. The facility is a perfect location for a cold site. B. The fire suppression system, air conditioning, and other environmental conditions make it unsuitable for a cold site. C. The physical proximity to the company makes it unsuitable for a cold site. D. The fact that it is not part of the production network makes it unsuitable for a cold site.
560 CHAPTER 13 Redundancy Planning
5. A service runs on a network server that users access with an application on their workstations. The application is used to process requests and access data in a database. If the server or service fails, you still want users to be able to access this data. What method of fault tolerance will you use so that network users can still continue to work? A. Install two network cards on the server, so that if one card fails, users can still access the data through the second card B. Use server clustering to provide fault tolerance C. Implement RAID D. Connect the server to a UPS
6. You have decided to set up server clustering on your network, so that there is no loss of availability to data. Which of the following will you use? A. Active/active clustering, so that all of the servers are able to become active if one of them fails B. Active/active clustering, so that all of the servers are actively processing the requests C. Active/passive clustering, so that if the active server fails, the passive server will become active and begin the processing of requests D. Active/passive clustering, so that all of the servers are actively processing the requests
7. Your company relies on the Internet to make sales and run an e-commerce site. If the Internet was unavailable to users, it could cost the organization significant sales, and possibly result in a loss of customers. Which of the following are options that you could implement to ensure there is no loss of Internet connectivity to the network? Choose all that apply. A. Ensure that the ISP uses two different points of presence B. Use multiple links across the WAN of your network so that connectivity is always available if one of the links fails C. Use a redundant ISP. Configure the normal ISP as a high-priority connection, and the redundant ISP as low-priority connection D. Use a redundant ISP. Configure the redundant ISP as a high-priority connection, and the normal ISP as low-priority connection
8. You have decided to implement a RAID for fault tolerance, and want data to be striped across multiple disks with parity information stored on multiple drives. Which of the following levels of RAID will you use? A. RAID 0 C. RAID 3 B. RAID 1 D. RAID 5
Self Test 561
9. You have decided to implement disk duplexing on a Novell Netware server. You want the server to have 800 GB of storage space. How many of the following disks would you need to provide this amount of storage? A. Four 200 GB hard disks C. Four 400 GB hard disks B. Two 400 GB hard disks D. One 800 GB hard disk
10. You have a server that you plan to use to store backup files from other servers. An application backs up the data from these other servers and will store them on the backup server. Because of its purpose, fault tolerance isn’t an issue, but high performance is important. Which level of RAID will you use? A. RAID 0 B. RAID 3 B. RAID 1 D. RAID 5 11. You have decided to purchase spare hardware components that you can replace on a server without having to shut down the computer. Which of the following is being used? A. Hot swapping B. Warm swapping C. Hot spare D. Hot site 12. You have purchased a spare hardware component that you can replace on a computer when it is put into a suspended state. Which of the following is being used? A. Hot swapping C. Hot spare B. Warm swapping D. Hot site 13. You have purchased a hardware component that is installed in a server, and it remains inactive until a fault occurs and it is needed. Once the primary component fails, the system switches over to this secondary component. Which of the following is being used? A. Hot swapping C. Hot spare B. Warm swapping D. Hot site 14. You have been experiencing intermittent brownouts and blackouts that can last upwards of a few minutes and are concerned that power outages will result in data being lost as the computers suddenly shutdown improperly. Which of the following can you use for these temporary outages? A. UPS C. Power bar B. Line conditioner D. Backup generator
562 CHAPTER 13 Redundancy Planning
15. You are developing a disaster recovery plan, and you are concerned that blackouts could cause power outages that could last hours or even days. To address the risk of this happening, which of the following should you implement in your company? A. UPS C. Power bar B. Line conditioner D. Backup generator
Self Test Quick Answer Key 1. 2. 3. 4. 5.
A C B C B
6. 7. 8. 9. 10.
D A, and C D C A
11. 12. 13. 14. 15.
A B B A D
CHAPTER
Controls and Procedures
14
E x a m o b j e c tiv e s in this c hapt e r Environmental Controls...................................................................................................... 563 Implementing Disaster Recovery and Incident Response Procedures................................... 570
Introduction Life is filled with risks. There is always the chance that a fire can break out, someone may try and gain unauthorized information or access, or (depending on your location) an earthquake, tornado, or blizzard could happen. The potential threats can be diverse. However, just as you have insurance on your car and smoke detectors in your house, security-minded organizations make efforts to protect their assets, including equipment, facilities, and the people who work for them from coming to harm. When you think of securing systems from harm, you might initially think of hackers and viruses. However, the environment where your equipment resides can cause equal or greater damage. Servers, switches, and other devices in server rooms and other locations can have poor heating, air conditioning, or other factors that damage equipment. As we’ll discuss in this chapter, protecting equipment from environmental factors is of vital importance to keeping things up-and-running. When a disaster does occur, it’s important that Information Technology (IT) staff and other members of an organization know what to do. As we discussed in Chapter 13, alternate sites and other measures may be implemented beforehand in preparation of a disaster. As we’ll see in this chapter, the ability to respond to incidents and recover from a disaster relies on preparation and having the proper procedures in place.
Environmental Controls Even with educated users and all critical systems locked behind closed doors, equipment and data are still at risk if the environment beyond those locked doors is insecure. Environment refers to the surroundings in which the computers and other equipment reside. If an environment is insecure, data and equipment can be
563
564 CHAPTER 14 Controls and Procedures
damaged. To prevent the environment from affecting a system’s safety and capability to function, the following elements should be considered: ■■
Fire suppression
■■
Temperature
■■
Humidity
■■
Airflow
■■
Electrical and other types of interference
■■
Electrostatic discharge (ESD)
In the sections that follow, we’ll discuss how equipment and data can be damaged by these various elements and discuss various measures that you can implement to safeguard them.
Fire Suppression Fire is a major risk in any environment that contains a lot of electrical equipment, so fire suppression systems must be put in place to protect servers and other equipment. Because problems with moisture and flooding can damage or destroy equipment, water sprinklers are not an option in server rooms or other areas storing devices. Other problems may occur if the fire suppression system releases foam that damages equipment, creates significant smoke when putting out a fire, or causes other potential problems that can result in collateral damage. When choosing a fire suppression system, it is important to choose one that will put out a fire but not destroy the equipment in the process. These are often referred to as clean agent fire extinguishing systems. Halon is a fire suppressant often found in older facilities. When a fire occurred, this chemical would be dumped into the room at high pressure, removing necessary elements needed to work with the oxygen and fuel the fire. Halon 1301, made by DuPont, worked by having bromine combine with the hydrogen released by the fire, effectively removing it from the air. Because the oxygen and hydrogen were no longer able to work together, the fire would be extinguished. Although it worked, it was found to be damaging to the ozone and was banned from new installations of fire suppression systems. This means that once an older system dumps its existing load of halon to put out a fire (or some unfortunate soul accidentally sets off the system), the company must now pay to install a completely different fire system that doesn’t have adverse effects. There are many different alternatives to halon, which can be used safely without negative impacts on the environment. These include the following: ■■
Inergen (IG-541) A combination of three different gases: nitrogen, argon, and carbon dioxide. When released, it lowers the oxygen content in a room to the point that the fire cannot be sustained.
Environmental Controls 565
■■
■■
■■
Heptafluoropropane (HFC-227ea) A chemical agent that is also known as FM-200. This agent is released as a gas suppressing the fire but has been found not to be harmful to persons in the room. Trifluromethane (FE-13) A chemical originally developed by DuPont as a refrigerant but commonly used in new fire suppression systems. FE-13 molecules absorb heat, making it impossible for the air in the room to support combustion. It is considered to be one of the safest clean agents. Carbon Dioxide Systems A popular method of fire suppression, as carbon dioxide reduces the oxygen content to the point where the atmosphere can no longer support combustion.
When deciding on a fire suppression system, it is important to examine whether it will damage equipment or is toxic to people when the fire suppression system is deployed. Exam Warning Remember that halon isn’t manufactured anymore, so fire suppressants used in new systems use other chemicals to put out a fire without damaging equipment.
Detection Systems Before a fire suppressant becomes activated, the signs of a fire must be detected. There are several types of devices that will detect the signs of fire, which in turn should then activate the fire suppressant system in a server room or other location where equipment resides. These are as follows: ■■
■■
■■
Smoke detection is the most common method of detecting a fire. One that you may have in your home uses an optical (photoelectric) detector, which uses a light sensor. As smoke passes in front of the beam of light, it disrupts the beam and sets off the alarm. There are also other types of smoke alarms that sample the air to check for smoke particles, and others that are designed to check for high levels of carbon monoxide and carbon dioxide. Heat detection is used to monitor the temperature levels of a room. When the temperature increases at a rapid rate or reaches a set temperature threshold, the alarm is triggered. Flame detection is used to detect the movement of flames or certain types of energy (that is, ultraviolet and infrared) that indicates a fire has occurred.
Exam Warning The three indicators of fire used by detection systems are smoke, heat, and flame. Once these systems detect a fire, the fire suppression system is activated.
566 CHAPTER 14 Controls and Procedures
HVAC HVAC is an acronym for heating, ventilation, and air conditioning. It is the control system used to control humidity, temperature, and air flow. The environment in server rooms and other areas where sensitive equipment resides needs to have controlled conditions to operate properly. If temperatures or humidity are too high or too low, it can damage the equipment and result in the loss of data. If a computer overheats, components inside it can be permanently damaged. Although the temperature of the server room may feel comfortable to you, the inside of a computer can be as much as 40° F warmer than the air outside the case. The hardware inside the case generates heat, raising the interior temperature. Computers are equipped with fans to cool the power supply, processor, and other hardware so that temperatures do not rise above 110° F. If these fans fail, the heat can rise to a level that destroys the hardware. Computers are also designed to allow air to flow through the machine, keeping the temperature low. If the airflow is disrupted, temperatures can rise. For example, say you removed an old adapter card that was no longer needed by a computer. Because you did not have a spare cover, there is now an opening where the card used to be. Because air can now pass through this hole, you might expect that this would help to cool the hardware inside, but airflow is actually lost through this opening. Openings in the computer case prevent the air from circulating inside the machine as it was designed to, causing temperatures to rise. Test Day Tip Remember that HVAC stands for heating, ventilation, and air conditioning, which is the climate control system that’s necessary for server rooms and other areas where equipment is used or stored. Because computers and other sensitive equipment can be damaged by changes in temperature, humidity, and other environmental factors, it is important that an HVAC system is always operating properly.
A common problem with computers is when fans fail, causing increases in temperature within the case. These fans may be used to cool the processor, power supply, or other components. As with other causes of temperature increases, the machine may not fail immediately. The computer may experience reboots, “blue screens of death,” memory dumps, and other problems that occur randomly. To determine whether increases in temperature are the cause of these problems, you can install hardware or software that will monitor the temperature and inform you of increases. When the temperature increases above a normal level, you should examine the fans to determine if this is the cause. Variations in temperature can also cause problems. If a machine experiences sudden changes in temperature, it can cause hardware problems inside the machine. Heat makes objects expand, whereas cold makes these same objects contract. When this expansion and contraction occurs in motherboards and other circuit boards, chip creep (also known as socket creep) can occur. As the
Environmental Controls 567
circuit boards expand and contract, it causes the computer chips on these boards to move until they begin to lose contact with the sockets in which they are inserted. When the chips lose contact, they are unable to send and receive signals, resulting in hardware failure. To prevent problems with heat and cold, it is important to store servers and other equipment in a temperature-controlled environment. Keeping machines in a room that has air conditioning and heat can keep the temperature at a cool level that does not fluctuate. To assist in monitoring temperature, alarms can be set up in the room to alert you when the temperature exceeds 80° F. Other alarms can be used that attach to the servers, automatically shutting them down if they get too hot. ESD is another threat to equipment, as static electricity can damage hardware components, so they cease to function. If unfamiliar with ESD, think of the times when you have walked over a dry carpet and received a shock when you touched someone. The static electricity builds up, and electrons are discharged between the two objects until both have an equal charge. When you receive a shock from touching someone, the discharge is around 3000 volts. To damage a computer chip, you only need a discharge of 20 or 30 volts. Humidity levels can increase ESD. If the humidity in a room is below 50 percent, the dry conditions create an atmosphere that allows static electricity to build up. This creates the same situation as mentioned above. A humidity level that is too high can also cause ESD, as water particles that conduct electricity can condense and stick to hardware components. Not only can this create ESD problems, but if the humidity is very high, the metal components may rust over time. To avoid humidity problems, keep the levels between 70 and 90 percent. Installing humidifiers and dehumidifiers to, respectively, raise and lower the level of humidity can be used to keep it at an acceptable point. Poor air quality is another issue that can cause problems related to ESD and temperature. As mentioned earlier, fans in a machine circulate air to cool the components inside. If the air is of poor quality, dust, smoke, and other particles in the air will also be swept inside the machine. Because dust and dirt particles have the capability to hold a charge, static electricity can build up, be released, and build up again. The components to which the dust and dirt stick are shocked over and over again, damaging them over time. If the room is particularly unclean, dust and dirt can also build up on the air intakes. Because very little air can enter the case through the intake, temperatures rise, causing the components inside the machine to overheat. Vacuuming air intakes and installing an air filtration system in rooms with critical equipment can improve the quality of air and avoid these problems.
Damage and Defense Protecting Equipment from ESD When working on equipment, you should take precautions to prevent ESD. ESD wristbands and mats can ground you, so you do not give the components a shock. An ESD wristband is a strap that wraps around your wrist with a metal disc on it. A wire is attached to this metal
568 CHAPTER 14 Controls and Procedures
disc, whereas the other end has an alligator clip that can be attached to an electrical ground. An ESD mat is similar but has two wires with alligator clips attached to them. One wire is attached to an electrical ground, whereas the other is attached to the computer you are working on. When you place the computer on the mat, the computer becomes grounded and any static charge is bled away.
Shielding Shielding refers to materials that are used to prevent data signals from being affected by external sources. This not only applies to wireless data escaping outside of an office but also pertains to external signals or interference affecting data being carried along cables. Data transmitted on wireless technologies is inherently insecure and requires additional measures to secure that data. If equipment used to transmit and receive data from these devices is placed too close to exterior walls, wireless transmissions can leak outside of an office area. This may enable others outside of the office to connect to the network or intercept data, using a packet sniffer and other equipment that can be purchased from any store selling computer products. This is why encrypting all data on a wireless network is so important. The encryption prevents unauthorized individuals who access the signal from deciphering any of the data. Aside from moving antennas away from exterior walls, shielding can also be used to prevent wireless transmissions from escaping a building or office area. Shielding blocks signals from escaping but may also have the unwanted effect of blocking cellular communications. Not only can communications signals leak out of a prescribed area but unwanted signals can also leak in and interfere with communications. Thus, shielding is also necessary to prevent data from being damaged in transmission from radio frequency interference (RFI) and electromagnetic interference (EMI). RFI is caused by radio frequencies emanating from microwaves, furnaces, appliances, radio transmissions, and radio frequency-operated touch lamps and dimmers. Network cabling can pick up these frequencies much as an antenna would, corrupting data traveling along the cabling. EMI is caused by electromagnetism generated by heavy machinery such as elevators, industrial equipment, and lights. The signals from these sources can overlap those traveling along network cabling, corrupting the data signals so that they need to be retransmitted by servers and other network devices. When EMI and RFI cause interference, it is called noise. To prevent data corruption from EMI and RFI, computers and other equipment should be kept away from electrical equipment, magnets, and other sources. This will minimize the effects of EMI and RFI because the interference will dissipate, as it travels over distance. When cabling travels past sources of EMI and RFI, a higher grade of cabling should be used, which has better shielding and can protect the wiring inside from interference. Shielded twisted-pair (STP) is a type of cabling that uses a series of individually wrapped copper wires encased in a plastic sheath. Twisted-pair can be unshielded or shielded. When the cabling is STP, the wires are protected with foil wrap for extra shielding.
Environmental Controls 569
Coaxial cable is commonly used in cable TV installations but can also be found on networks. This type of cabling has a solid or stranded copper wire surrounded by insulation. A wire mesh tube and a plastic sheath surround the wire and insulation to protect it. Because the wire is so shielded from interference, it is more resistant to EMI and RFI than twisted-pair cabling. Although each of the cabling we’ve discussed so far involves data being transmitted across copper wires, this is not the case for fiber-optic cable. Data is transmitted as light along the glass or plastic in the cabling, so it is not affected by electromagnetic or RFI. This makes fiber optics an ideal alternative for areas where interference may impede or corrupt the transmission of data. Network performance should always be considered when deciding what type of cable to use. Different types of cable allow data to travel at different speeds and to maximum lengths before devices must be used to lengthen transmission distances. The varying specifications for different types of coaxial, unshielded twisted-pair (UTP), and STP cable are shown in Table 14.1. In looking at this table, you will notice that each of the different types of cabling has a maximum length. This is because as the data travels over the line, it will slowly degrade. Attenuation is the decrease of a signal’s strength over the length of a cable. Because the signal’s power weakens over distance, devices must be used to boost the signal strength or different cable that is more resistant to attenuation and supports greater lengths should be used. Another issue with cabling is crosstalk, which is a term used to describe when a signal from one channel or circuit interferes with another. In cabling where there are multiple wires close together, there is a chance that the signals from one wire can cause interference with another wire. Because the signal from one wire is essentially jumping over to the other wire, creating distortion can corrupt data. When installing cabling, it is important that the cable is not easily accessible to unauthorized people. If an intruder or malicious user accesses the cable used on a network, they can tap the wire to access data traveling along it, or the cabling can be physically damaged or destroyed. Cable should not be run along the outside of walls or open areas where people may come into contact with it. If this cannot be avoided,
Table 14.1 Specifications for Networks Using Different Cabling Type of Network Cable
Maximum Length
Maximum Speed
100BaseT (STP/UTP)
100 m
10 Mbps
10Base2 (Coaxial (Thinnet))
185 m
10 Mbps
10Base5 (Coaxial (Thicknet))
500 m
10 Mbps
100BaseTX (STP/UTP)
100 m
100 Mbps
100BaseT4 (STP/UTP)
100 m
100 Mbps
570 CHAPTER 14 Controls and Procedures
then the cable should be contained within tubing or some other protective covering that will prevent accidental or malicious actions from occurring.
Head of the Class Fiber-Optics Are Immune to EMI and RFI An alternative to copper cabling and wireless technologies is using fiber-optic cabling, in which data is transmitted by light. Fiber-optic cable has a core made of light-conducting glass or plastic, surrounded by a reflective material called cladding. A plastic sheath surrounds all this for added protection. Because the signal is transmitted via light, data that travels along fiber-optic cable is not affected by interference from electromagnetism or radio frequencies. This makes it an excellent choice for use in areas where there are sources of EMI or RFI. One way or another, fiber-optic cabling has become a common element in many networks. If it is a small company, then most of the internal network will probably be made up of cabling that uses some form of copper wiring (that is, UTP, STP, or coaxial). However, even in this situation, Internet access is probably provided to users on the network, meaning they will connect out to a backbone that uses fiber optics. In larger companies, it has been increasingly common to connect different locations together using fiber-optic cabling. If buildings are connected together with fiber optics, it doesn’t mean that copper cabling isn’t present on the network. UTP (or some other cabling) will generally be used within buildings to connect computers to the network or connect networks on different floors together. Because of this, EMI and RFI will still be an issue.
Implementing Disaster Recovery and Incident Response Procedures After the events of September 11, 2001, the widespread effects of a disaster became evident. Equipment, data, and personnel were destroyed, staggering amounts of money were lost by individual businesses, and the economic ripples were felt internationally. Although some companies experienced varying levels of downtime, some never recovered and were put out of business. Although this was an extreme situation, a disaster recovery plan is used to identify such potential threats of terrorism, fire, flooding, and other incidents and provide guidance on how to deal with such events when they occur. In the same way that natural disasters can negatively affect a company, the actions of people can cause incidents that could damage data and equipment. These incidents can occur as a result of employees accidentally or maliciously deleting data, intrusions of the system by hackers, viruses and malicious programs that damage data, and other events that cause downtime or damage. To deal with the various incidents and disasters that can affect an organization, procedures need to be in place so that professionals within the company can deal
Implementing Disaster Recovery and Incident Response Procedures 571
with them. These procedures can reduce confusion in a disaster, protect resources, and/or be used to follow best practices that allow a suspect behind an incident to be prosecuted at a later time.
Disaster Recovery Preparation for disaster recovery begins long before a disaster actually occurs. Backups of data need to be performed daily to ensure data can be recovered, plans need to be created that outline what tasks need to be performed by whom, and other issues need to be addressed as well. Although it is hoped that such preparation is never needed, it is vital that a strategy is in place to deal with incidents. The disaster recovery plan should identify as many potential threats as possible and include easy-to-follow procedures. When discussing disaster recovery plans in greater detail, a plan should provide countermeasures that address each threat effectively.
Disaster Recovery Plan Disaster recovery plans are documents that are used to identify potential threats and outline the procedures necessary to deal with different types of threats. When creating a disaster recovery plan, administrators should try to identify all the different types of threats that may affect their company. For example, a company in California would not need to worry about blizzards, but it would need to be concerned about earthquakes, fire, flooding, power failures, and other kinds of disasters. Once the administrators have determined what disasters their company could face, they can then create procedures to minimize the risk of such disasters. Disasters are not limited to acts of nature but can be caused through electronic methods. For example, denial-of-service (DoS) attacks occur when large numbers of requests are sent to a server, which overloads the system and causes legitimate requests for service to be denied. When an e-commerce site experiences such an attack, the losses can be as significant as any natural disaster. Risk analysis should be performed to determine what is at risk when a disaster occurs. This should include such elements of a system as follows: ■■
Loss of data
■■
Loss of software and hardware
■■
Loss of personnel
Software can be backed up, but the cost of applications and operating systems (OSes) can make up a considerable part of a company’s operating budget. Thus, copies of software and licenses should be kept off-site so that they can be used when systems need to be restored. Configuration information should also be documented and kept off-site so that it can be used to return the system to its previous state. Additional hardware should also be available. Because hardware may not be easily installed and configured, administrators may need to have outside parties involved.
572 CHAPTER 14 Controls and Procedures
They should check their vendor agreements to determine whether they provide on-site service within hours or days, as waiting for outsourced workers can present a significant bottleneck in restoring a system. Personnel working for a company may have distinct skill sets that can cause a major loss if that person is unavailable. If a person is injured, dies, or leaves a company, his or her knowledge and skills are also gone. Imagine a network administrator getting injured in a fire, with no one else fully understanding how to perform that job. This would cause a major impact to any recovery plans. Thus, it is important to have a secondary person with comparable skills who can replace important personnel, documentation on systems architecture and other elements related to recovery, and clear procedures to follow when performing important tasks. When considering the issue of personnel, administrators should designate members who will be part of an Incident Response Team and who will deal with disasters when they arise. Although we’ll discuss incident response in greater detail later in this chapter, members should have a firm understanding of their roles in the disaster recovery plan and the tasks they will need to perform to restore systems. A team leader should also be identified, so a specific person is responsible for coordinating efforts. Recovery methods discussed in the plan should focus on restoring the most business-critical requirements first. For example, if a company depends on sales from an e-commerce site, restoring this server would be the primary focus. This would allow customers to continue viewing and purchasing products while other systems are being restored. Another important factor in creating a disaster recover plan is cost. As discussed in Chapter 13, hot, warm, and cold sites require additional cost such as rent, purchasing hardware that may not be used until a disaster occurs (if one ever does), stock office supplies and other elements that allow a business to run properly. This can present a dilemma; you do not want to spend more money on preparation than it would cost to recover from a disaster, but you also do not want to be overly frugal and not be able to restore systems in a timely manner. Finding a balance between these two extremes is the key to creating a disaster recovery plan that is affordable and effective.
Backup Techniques and Practices Backing up data is a fundamental part of any disaster recovery plan. When data is backed up, it is copied to a type of media that can be stored in a separate location. The type of media will vary depending on the amount of data being copied but can include digital audio tape (DAT), digital linear tape (DLT), compact disks (CDR/ CD-RW) and DVDs, or a folder location on a separate server. If data is destroyed unintentionally, it can be restored as if nothing had happened. When making backups, the administrator needs to decide what data will be copied to alternative media. Critical data, such as trade secrets that a business relies on to function, and other important data crucial to a business’ needs must be backed up. Other data, such as temporary files, applications, and other data, may not be backed up as they can easily be reinstalled or missed in a backup. Such decisions, however, will vary from company to company.
Implementing Disaster Recovery and Incident Response Procedures 573
Once the administrator has decided on what information needs to be backed up, they can determine the type of backup that will be performed. Common backup types include the following: ■■
■■
■■
■■
Full backup backs up all data in a single backup job. Generally, this includes all data, system files, and software on a system. When each file is backed up, the archive bit is changed to indicate that the file was backed up. Incremental backup backs up all data that was changed since the last backup. Because only files that have changed are backed up, this type of backup takes the least amount of time to perform. When each file is backed up, the archive bit is changed. Differential backup backs up all data that has changed since the last full backup. When this type of backup is performed, the archive bit is not changed, so data on one differential backup will contain the same information as the previous differential backup plus any additional files that have changed. Copy backup makes a full backup but does not change the archive bit. Because the archive bit is not marked, it will not affect any incremental or differential backups that are performed.
Because different types of backups will copy data in different ways, the methods used to back up data vary between businesses. One company may do daily full backups, whereas another may use a combination of full and incremental backups (or full and differential backups). As will be seen in later sections, this affects how data is recovered and what tapes need to be stored in alternative locations. Regardless of the type used, however, it is important that data are backed up on a daily basis so that large amounts of data will not be lost in the event of a disaster. Test Day Tip Make sure you know the difference between the different types of backups you can perform. The backup types are full, incremental, differential, and copy. Each of these may be used for different purposes and can affect whether the archive bit is reset on a file.
Rotation Schemes It is important to keep at least one set of backup tapes off-site so that all the tapes are not kept in a single location. If backup tapes were kept in the same location as the servers that were backed up, all the data (on the server and the backup tapes) could be destroyed in a disaster. By rotating backups between a different set of tapes, data is not always being backed up to the same tapes, and a previous set is always available in another location. A popular rotation scheme is the Grandfather-Father-Son (GFS) rotation, which organizes rotation into a daily, weekly, and monthly set of tapes. With a GFS backup schedule, at least one full backup is performed per week, with differential or incremental
574 CHAPTER 14 Controls and Procedures
Table 14.2 Sample Backup Schedule Used in a Week Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
None
Full backup
Differential
Differential
Differential
Differential, with week’s tapes moved off-site
None
backups performed on other days of the week. At the end of the week, the daily and weekly backups are stored off-site, and another set is used through the next week. To understand this better, assume a company is open Monday through Friday. As shown in Table 14.2, a full backup of the server’s volume is performed every Monday, with differential backups performed Tuesday through Friday. On Friday, the tapes are moved to another location, and another set of tapes is used for the following week. Because it is too expensive to continually use new tapes, old tapes are reused for backups. A tape set for each week in a month is rotated back into service and reused. For example, at the beginning of each month, the tape set for the first week of the previous month would be rotated back into service and used for that week’s backup jobs. Because one set of tapes is used for each week of the month, this means that most sets of tapes are kept off-site. Even if one set were corrupted, the setup tapes for the previous week could still be used to restore data. In the GFS rotation scheme, the full backup is considered the “Father” and the daily backup is considered the “Son.” The “Grandfather” segment of the GFS rotation is an additional full backup that is performed monthly and stored off-site. The Grandfather tape is not reused but is permanently stored off-site. Each of the Grandfather tapes can be kept for a specific amount of time (such as a year) so that data can be restored from previous backups, even after the Father and Son tapes have been rotated back into service. If someone needs data restored from several months ago, the Grandfather tape enables a network administrator to retrieve the required files. A backup is only as good as its capability to be restored. Too often, backup jobs are routinely performed, but the network administrator never knows whether the backup was performed properly until the data needs to be restored. To ensure that data is being backed up properly and can be restored correctly, administrators should perform test restores of data to the server. This can be as simple as attempting to restore a directory or small group of files from the backup tape to another location on the server.
Off-Site Storage Once backups have been performed, administrators should not keep all the backup tapes in the same location as the machines they have backed up. After all, a major reason for performing backups is to have the backed-up data available in case of a disaster. If a fire or flood occurred and destroyed the server room, any backup tapes in that room would also be destroyed. This would make it pointless to have gone through the work of backing up data. To protect data, the administrator should store the backups in a different location so that they will be safe until they are needed.
Implementing Disaster Recovery and Incident Response Procedures 575
Off-site storage can be achieved in a number of ways. If a company has multiple buildings, such as in different cities, the backups from other sites can be stored in one of those buildings and the backups for servers in that building can be stored in another building. If this is not possible, there are firms that provide off-site storage facilities. The key is to keep the backups away from the physical location of the original data. When deciding on an off-site storage facility, administrators should ensure that it is secure and has the environmental conditions necessary to keep the backups safe. They should also ensure that the site has air conditioning and heating, as temperature changes may affect the integrity of data. The facility should also be protected from moisture and flooding and have fire protection. The backups need to be locked up, and policies in place of who can pick up the data when needed. Exam Warning Backups are an important part of disaster recovery, so it is possible there will be a question or two dealing with this topic. Remember that copies of backups must be stored in off-site locations. If the backups are not kept in off-site storage, they can be destroyed with the original data in a disaster. Off-site storage ensures backups are safe until the time they are needed. Data are only as good as its capability to be restored. If it cannot be restored, the work performed to maintain backups was pointless. The time to ensure that backups can be restored is not during a disaster. Test restores should be performed to determine the integrity of data and to ensure that the restore process actually works.
Secure Recovery Recovering from a disaster can be a time-consuming process with many unknown variables. If a virus, intruder, or other incident has adversely affected a small amount of data, it can be relatively simple to restore data from a backup and replace the damaged information. However, when disasters occur, hardware may be destroyed also, making it more difficult to restore the system to its previous condition. Dealing with damaged hardware will vary in complexity, depending on the availability of replacement equipment and the steps required when restoring data to the network. Some companies may have additional servers with identical configurations to damaged ones, for use as replacements when incidents occur. Other companies may not be able to afford such measures or do not have enough additional servers to replace damaged ones. In such cases, the administrator may have to put data on other servers and then configure applications and drive mappings so the data can be accessed from the new location. Whatever the situation, administrators should try to anticipate such instances in their disaster recovery plan and devise contingency plans to deal with such problems when they arise.
Secure Recovery Restoration Administrators also need to determine how data will be restored from backups. There are different types of backups that can be performed. Each of these take differing
576 CHAPTER 14 Controls and Procedures
lengths of time to restore and may require additional work. When full backups are performed, all the files are backed up. As a backup job can fit on a single tape (or set of tapes), administrators only need to restore the last backup tape or set that was used. Full backups will back up everything, so additional tapes are not needed. Incremental backups take the longest to restore. Incremental backups contain all data that was backed up since the last backup, thus many tapes may be used since the last full backup was performed. When this type of backup is used, administrators need to restore the last full backup and each incremental backup that was made since. Differential backups take less time and fewer tapes to restore than incremental backups. Because differential backups back up all data that are changed since the last full backup, only two tapes are needed to restore a system. The administrator needs to restore the tape containing the last full backup, and the last tape containing a differential backup. Because different types of backups have their own advantages and disadvantages, the administrators will need to consider what type of backup is suitable to their needs. Some types of backups take longer than others to backup or restore, so they need to decide whether they want data backed up quickly or restored quickly when needed. Table 14.3 provides information on different aspects of backup types. Even if data has been backed up, it doesn’t mean that it can be restored. You don’t want to be caught in a situation where you find that the data stored on backup tapes or other media can’t be recovered. It is possible that even though the backup program you’re using appears to be backing up data correctly, data is not being stored properly (if at all). To ensure backed up data can be recovered, test restores should occasionally be performed. By restoring a series of files to a server, you can ensure that the data can be restored when it’s actually needed. Once these files are restored, you should open them to determine whether the restored data is corrupted.
Incident Response No matter how secure you think your network is, there may come a time when a security breach or disaster occurs. When such problems do occur, an incident response policy provides a clear understanding of what decisive actions will be taken and who will be responsible for investigating and dealing with problems. Without one, significant time may be lost trying to decide what to do and how to do it. Incidents can be any number of adverse events affecting a network or computer system or violations of existing policy. They can include but are not limited to unauthorized access, denial or disruptions of service, viruses, unauthorized changes to systems or data, critical system failures, or attempts to breach the policies and/or security of an organization. Because few companies have the exact same services, hardware, software, and security needs, the types of incidents an organization may face will often vary from business to business.
Implementing Disaster Recovery and Incident Response Procedures 577
Table 14.3 Factors Associated with Different Types of Backups Type of Backup
Speed of Making the Backup
Speed of Restoring the Backup
Disadvantages of Backup Type
Daily full backups
Takes longer than sing full backups u with either incremental or differential backups
Fastest to restore, as only the last full backup is needed
Takes considerably longer to backup data, as all files are backed up
Full backup with daily incremental backups
Fastest method of backing up data, as only files that have changed since the last full or incremental backup are backed up
Slowest to restore, as the last full backup and each incremental backup made since that time needs to be restored
Requires more tapes than differential backups
Full backup with daily differential backups
Takes longer to backup data than incremental backups
Faster to restore than incremental backups, as only the last full backup and differential backup is needed to perform the restore
Each time a backup is performed, all data modified since the last full backup (including that which was backed up in the last differential backup) is backed up to tape. This means that data contained in the last differential backup is also backed up in the next differential backup
A good incident response policy outlines who is responsible for specific tasks when a crisis occurs. It will include such information as follows: ■■
■■
■■
Who will investigate or analyze incidents to determine how they occurred and what problems are faced because of it? Which individuals or departments are to fix particular problems and restore the system to a secure state? How certain incidents are to be handled and references to other documentation.
Including such information in the incident response policy ensures that the right person is assigned to a particular task. For example, if the Webmaster was responsible for firewall issues and the network administrator performed backups of data, you would assign each of them tasks relating to their responsibilities in the incident
578 CHAPTER 14 Controls and Procedures
response policy. Determining who should respond and deal with specific incidents allows you to restore the system to a secure state more quickly and effectively. Incident response policies should also provide information on how to deal with problems when they occur or provide references to procedures. As mentioned earlier, procedures should be clearly defined so that there is no confusion as to how to deal with an incident. Once an incident has been dealt with, the Incident Response Team should determine ways to ensure the same incident will not happen again. Simply resolving the crisis but not changing security methods increases the likelihood that the same incident may occur again in the exact same manner. Taking a proactive approach to future incidents decreases the chance of recurring problems.
Incident Response Teams Incident Response Teams are IT professionals used to handle incidents that occur in a company and may be formed in a number of ways. Some organizations use the people who have on-call duties and are used to respond to any problems that users may encounter or with the network after hours. Because these people are training and have the experience to troubleshoot and handle situations after hours, and generally are selected from a group of IT staff with diverse duties, many companies select them as the obvious choice for responding to incidents as a group. Other companies may form a formal team of selected individuals, whereas others create them as needed based on the type of incident being encountered. In responding to an incident, the team should be trained in best practices and proper procedures. In an incident, they will go through a process of the following steps: ■■
Identification
■■
Investigation
■■
Repair
■■
Documentation
The identification phase is where the Incident Response Team identifies the type of incident occurring. They may have been alerted by an intrusion detection system (IDS) on the network, which monitors for signs of intrusion attempts. The team will determine what is affected, the scope of the incident, and whether an attack is coming from internal or external sources. Once the incident has been verified and identified, investigation is the next step in the team’s process. It is at this point that logs, information from programs that monitor the network and computer affected by the incident, and other sources of information are reviewed. From this, it can be determined whether an incident is actually occurring (that is, a false positive from an IDS), whether it is a random incident (such as someone scanning a port), or whether it is part of a widespread attack. The team analyzes what has occurred and is impacted by an intrusion or other incident, so they can then move to the next step of controlling the situation and repairing the damage.
Implementing Disaster Recovery and Incident Response Procedures 579
Once a system has been compromised, it must be repaired. If an intrusion has occurred, the way that the unauthorized person got into the system needs to be secured to prevent further damage. In cases of a virus or worm, antivirus software may be used to remove it. In some cases, such as a DoS attack, they may simply need to reboot the server. The level of work at this stage is determined by what kind of incident they are dealing with, and what must be done to regain control. Once control has been reestablished and the system is secure again, they will need to determine whether any files need to be restored from backups, whether damaged applications need to be reinstalled, and whether software needs to be upgraded or settings need to change to prevent similar attacks. Documentation is the final step in the process of incident response. It is here that all the information that was gathered in the previous steps is written as a permanent record of the incident. This can be used as reference if similar attacks occur, can be used to evaluate the team’s performance, and may also be used if criminal charges or civil suits are filed against the person(s) responsible for the attack.
Forensics Computer forensics is the application of computer skills and investigation techniques for the purpose of acquiring evidence. It involves collecting, examining, preserving, and presenting evidence that is stored or transmitted in an electronic format. Because the purpose of computer forensics is its possible use in court, strict procedures must be followed for evidence to be admissible. Even when an incident isn’t criminal in nature, forensic procedures are important to follow. You may encounter incidents where employees have violated policies. These actions can result in disciplinary actions (up to and including termination of employment). Actions against the disciplined employee must be based on sound evidence to protect the company from a lawsuit for wrongful termination, discrimination, or other charges. If such a suit is filed, your documentation will become evidence in the civil trial. For example, an employee may have violated a company’s acceptable use policy and spent considerable time viewing pornography during work hours. By using forensic procedures to investigate the incident, you will create a tighter case against the employee. Because every action you took followed established guidelines and acquired evidence properly, the employee will have a more difficult time arguing the facts. Also, if during your investigation you find illegal activities (such as possession of child pornography), then the internal investigation becomes a criminal one. Any actions you took in your investigation would be scrutinized, and anything you found could be evidence in a criminal trial. As we’ll see in the sections that follow, there are a number of standards that must be met to ensure that evidence isn’t compromised and that information has been obtained correctly. If you don’t follow forensic procedures, judges may deem evidence inadmissible, defense lawyers may argue its validity, and the case may be damaged significantly. In many cases, the only evidence available is that which exists in a digital format. This could mean that the ability to punish an offender rests with your abilities to collect, examine, preserve, and present evidence.
580 CHAPTER 14 Controls and Procedures
Note Legal differences exist between how a private citizen and law enforcement will gather evidence. There are stricter guidelines and legislation controlling how agents of the government may obtain evidence. Because of this, evidence that’s collected before involving law enforcement is less vulnerable to being excluded in court. Constitutional protection against illegal search and seizure apply to government agents (such as police) but may not apply to private citizens. Before a government agent can search and seize computers and other evidence, a search warrant, consent, or statutory authority (along with probable cause) must be obtained. This doesn’t apply to private citizens, unless he or she is acting as an “agent of the government” and is working under the direction or advice of law enforcement or other government parties. Although fewer restrictions apply to private citizens, forensic procedures should still be followed. By failing to follow forensic procedures, the evidence may be lost or unusable. The procedures outlined in this section will help to preserve the evidence and will help to ensure the evidence is considered admissible in court.
Awareness As with any security issue, the first issue that needs to be dealt with is promoting awareness. Often, users of a system are the first to notice and report problems. If someone notices a door to a server room is unlocked, you want that person to notify someone so the door can be locked. The same applies to issues that are criminal or breach corporate policy or violate security in some other way. Until the proper parties are notified, computer forensic examinations cannot be performed because those in a position to perform them do not know a problem exists. Management and employees need to be aware of the need to support computer forensic examinations. Funding needs to be available for tools and ongoing training in examination procedures or to hire outside parties to perform the investigation. If law enforcement is called in whenever there is an incident, then there are no direct costs, but there is still the need of cooperation with investigators. Because digital evidence may be damaged or destroyed by improper handling or examination, management must also be aware that considerable time may be involved to effectively investigate an incident. Vital systems or facilities might be unavailable while evidence is being gathered, and it might be necessary for equipment to be removed from service to be examined and stored as evidence until a criminal case has reached its conclusion. Because personnel may need to be interviewed and employees may be unable to do their jobs for periods of time, managers may become impatient and hinder the investigation by attempting to rush it along and get people back to work. The goal of management should be to assist the investigation in any way possible, and an atmosphere of cooperation should be nurtured to make the investigation proceed quickly and effectively. To address how a company should handle intrusions and other incidents, it is important that a contingency plan is created. The contingency plan will address how the company will continue to function during the investigation, such as when
Implementing Disaster Recovery and Incident Response Procedures 581
critical servers are taken offline during forensic examinations. Backup equipment may be used to replace these servers or other devices so that employees can still perform their jobs and (in such cases as e-commerce sites) customers can still make purchases. The goal of any investigation is to avoid negatively impacting the normal business practices as much as possible.
Conceptual Knowledge Computer forensics is a relatively new field that emerged in law enforcement in the 1980s. Since then, it has become an important investigative practice for both police and corporations. It uses scientific methods to retrieve and document evidence located on computers and other electronic devices. By retrieving this information, it may result in the only evidence available to convict a culprit or enhance more traditional evidence obtained through other investigative techniques. Computer forensics uses specialized tools and techniques that have been developed over the years and are accepted in court. Using these tools, digital evidence may be retrieved in a variety of ways. Electronic evidence may reside on hard disks and other devices, even if it has been deleted, so it’s no longer visible through normal functions of the computer or hidden in other ways. Forensic software can reveal this data that is invisible through normal channels and restore it to a previous state. Test Day Tip Forensics has four basic components: evidence must be collected, examined, preserved, and presented. The tasks involved in forensics will either fall into one of these groups or be performed across most or all of them. A constant element is the need for documentation so that every action in the investigation is recorded. When taking the test, remember the four basic components and that everything must be documented.
Understanding Because any evidence may be used in possible criminal proceedings, thorough documentation cannot be stressed enough. Documentation provides a clear understanding of what occurred to obtain the evidence, and what the evidence represents. No matter what role you play in an investigation, you must document any observations and actions that were made. Information should include the date, time, conversations pertinent to the investigation, tasks that were performed to obtain evidence, names of those present or who assisted, and anything else that was relevant to the forensic procedures that took place. Documentation may also be useful as a personal reference, should the need arise to testify in court. Because of the technical nature involved, you may need to review details of the evidence before testifying at trial. Without it, your memory may fail you at a later time, especially if a case doesn’t go to court until months or years later. These notes may also be referred to on the stand, but doing so will have them entered into evidence as part of the court record. As the entire document is entered into evidence, you should remember not to have notes dealing with other cases or
582 CHAPTER 14 Controls and Procedures
sensitive information about the company in the same document, as this will also become public record.
What Your Role Is Although law enforcement agencies perform investigations and gather evidence with the understanding that the goal is to find, arrest, prosecute, and convict a suspect, the motivation isn’t always clear in businesses. A network administrator’s job is to ensure the network is back up and running, whereas a Webmaster works to have an e-commerce site resuming business. With this in mind, why would computer forensics be important to these jobs? The reason is that if a hacker takes down a Web site or network, he or she may continue to do so until caught. Identifying and dealing with threats is a cornerstone of security, whether those threats are electronic or physical in nature. Even when police have been called in to investigate a crime, a number of people will be involved. Members of the IT staff assigned to an Incident Response Team will generally be the first people to respond to the incident and will then work with investigators to provide access to systems and expertise, if needed. Senior staff members should be notified to deal with the effects of the incident and any inability to conduct normal business. In some cases, the company’s Public Information Officer may be involved, if the incident becomes known to the media and is deemed newsworthy. If police aren’t called in and the matter is to be handled internally, then the Incident Response Team will deal with a much broader range of roles. Not only will team members deal with the initial response to the incident but will conduct the investigation and provide evidence to an internal authority. This authority may be senior staff, or in the case of a law enforcement agency, an Internal Affairs department. Even though no police may be involved in the situation, the procedures used in the forensic examination should be the same. When conducting the investigation, a person must be designated as being in charge of the scene. This person should be knowledgeable in forensics and directly involved in the investigation. In other words, just because the owner of the company is available, he or she should not be in charge if he or she’s computer illiterate and/ or unfamiliar with procedures. The person in charge should have authority to make final decisions on how the scene is secured and how evidence is searched, handled, and processed. There are three major roles that people may perform when conducting an investigation. These roles are as follows: ■■
First Responder
■■
Investigator
■■
Crime Scene Technician
As we’ll see in the paragraphs that follow, and shown in Figure 14.1, each of these roles has specific duties associated with them that are vital to a successful
Implementing Disaster Recovery and Incident Response Procedures 583
investigation. In certain situations, such as those involving an internal investigation within a company, a person may perform more than one of these roles.
First Responders The first responder is the first person to arrive at a crime scene. This doesn’t mean the janitor who notices a server is making funny noises and calls someone else to begin the investigation. Although someone like this is still important, as they become the complainant if they notify the appropriate parties, a first responder is someone who has the knowledge and Figure 14.1 skill to deal with the incident. The first Roles in a Computer Forensic Investigation responder may be an officer, security personnel, a member of the IT staff or Incident Response Team, or any number of other individuals. The first responder is responsible for identifying the scope of the crime scene, securing it, and preserving volatile evidence. Securing a scene is important to both criminal investigations and internal incidents, which both use computer forensics to obtain evidence. The procedures for investigating internal policy violations and criminal law violations are basically the same, except that internal investigations may not require the involvement of law enforcement. However, for the remainder of this discussion, we’ll address the incident as a crime that’s been committed. Identifying the scope of a crime scene refers to establishing its scale. What is affected and where could evidence exist? When arriving on the scene, it is the first responder’s role to identify which systems have been affected, as these will be used to collect evidence. If these systems were located in one room, then the scope of the crime scene would be the room itself. If it were a single server in a closet, then the closet would be the crime scene. If a system of networked computers were involved, then the crime scene could extend to several buildings. Once the crime scene has been identified, the first responder must then establish a perimeter and protect it. Protecting the crime scene requires cordoning off the area where evidence resides. Until it is established what equipment may be excluded, everything in an area should be considered a possible source of evidence. This includes functioning and nonfunctioning workstations, laptops, servers, handheld personal digital assistants (PDAs), manuals, and anything else in the area of the crime. Until the scene has been processed, no one should be allowed to enter the area, and people who were in the area at the time of the crime should be documented.
584 CHAPTER 14 Controls and Procedures
The first responder shouldn’t touch anything that is within the crime scene. Depending on how the crime was committed, traditional forensics may also be used to determine the identity of the person behind the crime. In the course of the investigation, police may collect DNA, fingerprints, hair, fibers, or other physical evidence. In terms of digital evidence, it is important for the first responder not to touch anything or attempt to do anything on the computer(s), as it may alter, damage, or destroy data or other identifying factors. Preserving volatile evidence is another important duty of the first responder. If a source of evidence is on the monitor screen, they should take steps to preserve and document it, so it isn’t lost. For example, a computer that may contain evidence may be left on and have programs opened on the screen. If a power outage occurred, the computer would shut down and any unsaved information that was in memory would be lost. Photographing the screen or documenting what appeared on it would provide a record of what was displayed and could be used later as evidence.
Investigator When investigators arrive on the scene, it is important that the first responder provide as much information to them as possible. If the first responder touched anything, it is important that the investigator be notified so that it can be added to a report. Any observations should be mentioned, as this may provide insight into resolving the incident. The investigator may be a member of law enforcement or the Incident Response Team. If a member of the Incident Response Team arrives first and collects some evidence and the police arrive or are called later, then it is important that the person in charge of the team hand over all evidence and information dealing with the incident. If more than one member of the team was involved in the collection of evidence, then documentation will need to be provided to the investigator dealing with what each person saw and did. A chain of command should be established when the person investigating the incident arrives at the scene. The investigator should make it clear that he or she is in charge so that important decisions are made or presented to him or her. As we’ll discuss in the next section, a chain of custody should also be established, documenting who handled or possessed evidence during the course of the investigation and every time that evidence is transferred to someone else’s possession. Once the investigation begins, anyone handling the evidence is required to sign it in and out so that there is a clear understanding of who possessed the evidence at any given time. Even if the first responder has conducted an initial search for evidence, the investigator will need to establish what constitutes evidence and where it resides. If additional evidence is discovered, the perimeter securing the crime scene may be changed. Either the investigator will have crime scene technicians begin to process the scene once its boundaries are established or the investigator will perform the duties of a technician. The investigator or a designated person in charge remains at the scene until all evidence has been properly collected and transported.
Implementing Disaster Recovery and Incident Response Procedures 585
Crime Scene Technician Crime scene technicians are individuals who have been trained in computer forensics and have the knowledge, skills, and tools necessary to process a crime scene. The technician is responsible for preserving evidence and will make great efforts to do so. The technician may acquire data from a system’s memory, make images of hard disks before shutting them down, and ensure that systems are properly shut down before transport. Before transporting, all physical evidence will be sealed in a bag and/or tagged to identify it as a particular piece of evidence. The information identifying the evidence is added to a log so that a proper inventory of each piece exists. Evidence is further packaged to reduce the risk of damage, such as from ESD or jostling during transport. Once transported, the evidence is then stored under lock and key to prevent tampering, until such time that it can be properly examined and analyzed. As you can see, the roles involved in an investigation have varying responsibilities, and the people in each role require special knowledge to perform it properly. Although the paragraphs above provide an overview of what’s involved, we still need to look at the specific tasks to understand how certain duties are carried out. Understanding these aspects of forensic procedure is not only vital to an investigation but also for success in the Security+ exam.
Chain of Custody Because of the importance of evidence, it is essential that its continuity is maintained and documented. A “chain of custody” must be established to show how evidence made it from the crime scene to the courtroom. It proves where a piece of evidence was at any given time and who was responsible for it. By documenting this, you can establish that the integrity of evidence wasn’t compromised. If the chain of custody is broken, it could be argued that the evidence fell into the wrong hands and may have been tampered with or that other evidence was substituted. This brings the value of evidence into question and could make it inadmissible in court. To prevent this from happening, policies and procedures dealing with the management of evidence must be adhered to. Evidence management begins at the crime scene, where it is bagged and/or tagged. When the crime scene is being processed, each piece of evidence should be sealed inside of an evidence bag. An evidence bag is a sturdy bag that has two-sided tape that allows it to be sealed shut. Once sealed, the only way to open it is to damage the bag, such as by ripping or cutting it open. The bag should then be marked or a tag should be affixed to it, showing the person who initially took it into custody. The tag would provide such information as a number to identify the evidence, a case number (which shows what case the evidence is associated with), the date and time, and the name or badge number of the person taking it into custody. A tag may also be affixed to the object, providing the same or similar information to what’s detailed on the bag. However, this should only be done if it won’t compromise the evidence in any manner.
586 CHAPTER 14 Controls and Procedures
Information on the tag is also written in an evidence log, which is a document that inventories all evidence collected in a case. In addition to the data available on the tag, the evidence log will include a description of each piece of evidence, serial numbers, identifying marks or numbers, and other information that’s required by policy or local law. The evidence log will also provide a log that details the chain of custody. This document will be used to describe who had possession of the evidence after it was initially tagged, transported, and locked in storage. To obtain possession of the evidence, a person will need to sign in and sign out evidence. Information is added to a chain of custody log to show who had possession of the evidence, when, and for how long. The chain of custody log will specify the person’s name, department, date, time, and other pertinent information. In many cases, the investigator will follow the evidence from crime scene to court, documenting who else had possession along the way. Each time possession is transferred to another person, it is written in the log. For example, the log would show the investigator had initial custody, while the next line in the log shows a computer forensic examiner took possession on a particular date and time. Once the examination is complete, the next line in the log would show the investigator again took custody. Even though custody is transferred back to the investigator, this is indicated in the log, so there is no confusion over who was responsible on any date or time. Note To reduce the length of the chain of custody and limit the number of people who will need to testify having possession of the evidence, you should try to limit the number of people collecting evidence. It is a best practice (whenever possible) to have only one person collecting all the electronic evidence. This may not always be practical in larger investigations, where numerous machines will need to be examined for possible evidence. However, even in these situations, you shouldn’t have more people than absolutely necessary having access to the scene and evidence contained within it.
Damage and Loss Control Damage and loss control is the process of attempting to reduce or minimize the impact of an incident. When an incident occurs, it is vital for members of the Incident Response Team to know what they should and shouldn’t do to prevent a problem from spreading (as in the case of a virus) or stop an attacker from causing further damage. Because systems can be complex, these procedures need to be documented before a problem occurs. Incident response policies should include information on what servers or systems should not be shut down or even touched. For example, if a hacker had gained access to the network, a person might disconnect the Internet connection, but this would also prevent anyone in the organization from accessing the Internet. If the company had an e-commerce site, such an action would bring business to a grinding halt. Similarly, if the organization used the Internet connection for virtual private networks
Implementing Disaster Recovery and Incident Response Procedures 587
(VPNs) to other networks or branch offices, it would prevent anyone connecting to files, databases, or other resources through the VPN. Providing information on what not to do is just as important as knowing what to do during an incident. Similarly, startup and shutdown procedures need to be available so that servers will start up and provide the same resources they did before being shut down. An example would be a server that was used for allowing Blackberry devices access to internal e-mail. If the e-mail server was shut down by a person, and he or she didn’t know that certain services needed to be manually restarted, it would prevent anyone using a Blackberry to have access to internal communications. By the time someone realized that the services hadn’t been restarted, critical information may not have reached a user who needed it.
Reporting/Disclosure Procedures on disclosing and reporting information about an incident should also be outlined in an incident response policy. When an incident occurs, it may be up to a public relations person within the company to decide whether a media release is issued about the incident or if it will be kept quiet. Beyond disclosing an incident to the public, there are also other organizations that may be contacted including the following: ■■
■■
■■
Operating system, application, or equipment manufacturer: if you believe the incident occurred due to vulnerabilities in a particular system, notifying the manufacturer of that software or hardware could help in having a security patch created to prevent the incident occurring again (to your company and others who use it). Computer Emergency Response Team (CERT) is located at Carnegie Mellon University and coordinates communication during computer security emergencies. By notifying CERT (www.cert.org), others can be made aware of the attack so that it doesn’t become widespread. Legal authorities: contacting local police about an attack can begin the process of having an attacker arrested when he or she is found.
Defending against Social Engineering Hacking may be done through expert computer skills, programs that acquire information, or an understanding of human behavior. This last method is called social engineering. When social engineering is used, hackers misrepresent themselves or trick a person into revealing information. Using this method, a hacker may ask a user for his or her password or force the user to reveal other sensitive information. Hackers using social engineering to acquire information will often misrepresent themselves as authority figures or someone in a position to help their victim. For example, a hacker may phone a network user and say that there is a problem with the person’s account. To remedy the problem, all the caller needs is the person’s
588 CHAPTER 14 Controls and Procedures
password. Without this information, the person may experience problems with his or her account or will be unable to access certain information. Because the person will benefit from revealing the information, the victim often tells the hacker the password. By simply asking, the hacker now has the password and the ability to break through security and access data. Social engineering often involves more subtle methods of acquiring information than simply asking for a password. In many cases, the hacker will get into a conversation with the user and slowly get the person to reveal tidbits of information. For example, the hacker could start a conversation about the Web site, ask what the victim likes about it, and determine what the person can access on the site. The hacker might then initiate a conversation about families and pets and ask the names of the victim’s family members and pets. To follow up, the hacker might ask about the person’s hobbies. Because many users make the mistake of using names of loved ones or hobbies as a password, the hacker may now have access. Although the questions seem innocuous, when all the pieces of information are put together, it can give the hacker a great deal of insight into getting into the system. In other cases, the hacker may not even need to get into the system because the victim reveals all the desired information. People enjoy when others take an interest in them and will often answer questions for this reason or out of politeness. Social engineering is not confined to computer hacking. A person may start a conversation with a high-ranking person in a company and get insider information about the stock market or manipulate a customer service representative at a video store into revealing credit card numbers. If a person has access to the information the hacker needs, then hacking the system is not necessary.
Phishing A variation of social engineering is phishing, or phising, in which a hacker uses e-mail to acquire information from the recipient. Because the hacker is fishing for information using the e-mail as bait, and hackers replaced “f” with “ph,” the term phishing was born. A hacker will send e-mail to groups of people, posing as some authoritative source, and request the recipient to provide specific information. Although this may be a single department or an entire company (as we’ll see in the next section), most often it is sent as spam across the Internet. For example, common e-mails on the Internet pose as banks or companies like eBay and request that people fill out a Hypertext Markup Language (HTML) form or visit a Web site to confirm their account information. The form asks for personal and credit card information, which can then be used to steal the person’s identity. The same technique can be used to pose as network administrators, human resources, or other departments of a company and request the recipient to confirm information stored in various systems. For example, it could ask them to provide their employment information (that is, name, position, department, Social Security number, and so forth), business information (that is, business accounts, credit card numbers, and so forth), or network information such as usernames and passwords. Although many people are educated in this technique, it succeeds, because out of the sheer number of people who are contacted, someone will eventually fall for the trick.
Implementing Disaster Recovery and Incident Response Procedures 589
Phishing is particularly effective in business environments because unlike banks or companies who don’t use e-mail to collect information over the Internet, businesses may actually contact departments through internal e-mail to acquire information. For example, finance departments have requested other departments provide information about their purchase accounts, credit cards, and other information, whereas human resource departments have requested updated information on employees. Because it takes knowledge to read the Multipurpose Internet Mail Extension (MIME) information and identify whether e-mail was sent internally or externally, a member of a department may be easily duped by phishing. To prevent such problems, it is important to educate users and implement policies to specify how such information is to be collected. This may include stages, such as sending out internal e-mails stating that on a specific date, a request for such information will be sent out. It is equally important that measures be taken to inform users what information is never requested, such as passwords.
Spear Phishing Spear phishing is a variation of phishing that involves targeting groups of people. Although normal phishing expeditions involve sending out thousands or even millions of e-mails in the hope a few people may respond and provide the requested information, spear phishing focuses on selected victims. These victims may work in the same organization, the same department of the company, or another group that they are all a part of. Spear phishing initially involves some research into the victims. The person behind the scam will attempt to acquire information about a targeted group. For example, by calling a company or looking at its Web site, you could find information on partners of the organization, vendors they deal with, and so forth. By looking on social networking sites like Facebook, you could find groups that provide information on people working at the same business. Such research not only allows you to determine whom you will target but whom you will pose as to get information. Once a target has been identified, an e-mail can be sent to the group that appears to come from a legitimate source. For example, if your target was everyone on a board of directors, you might send an e-mail that appears to come from a department within the organization. The e-mail may ask to click on a link, which takes them to a Web site where they are asked to enter personal information, provide trade secrets, enter corporate bank account numbers, or other sensitive data. Spear phishing is especially convincing because of the shared experience of the victims. If the victims talk to each other, they will all confirm that they received the same message, and some may even encourage others to do as the e-mail asks.
Pharming Although phishing attempts to trick users into clicking a link to go to a bogus Web site, pharming is another type of scam that involves using various methods to redirect users to a bogus site. Even if a user types the correct URL into the address bar
590 CHAPTER 14 Controls and Procedures
of his or her Web browser, the browser is automatically redirected to a different site that is designed to acquire personal or other sensitive information from the user. There are several different methods of redirecting users to a different Web site. The hosts file is a text file on computers that is used to resolve a host’s name to a specific Internet Protocol (IP) address. On machines running Windows NT and later, it is found in %systemroot%/system32/drivers/etc. As we can see in the lines that follow, the hosts file contains the IP address of the node and its friendly name: #Host file 127.0.0.1 LOCALHOST #Bogus Site 207.46.197.32 novell.com
In this example, the domain novell.com has the IP address for Microsoft’s Web site. If people using a computer with this hosts file were to enter the domain name into their Web browser, the name would be resolved to the IP address in the hosts file and the user would be sent to Microsoft’s site. Another method of redirecting Web site traffic is Domain name system (DNS) cache poisoning. Browsers use the DNS to resolve friendly names like www.novell. com to IP addresses like 130.57.5.25. The entries for these domains and IP addresses are stored in databases. As we saw with hosts files, changing the IP address for a site will cause traffic to go somewhere else. By modifying the DNS table in a server, someone entering a domain name into an application like a browser will be redirected. Even though a user has entered a legitimate Web site address, they are taken to a different site. Modifying DNS entries can be done on network servers or through Internet service providers (ISPs). Resourceful pharmers have also been known to trick ISPs into changing the DNS entries so that a domain name points to another location. Anyone using the ISP’s DNS servers is then redirected to the bogus site. To fool users into believing they have gone to the correct site, pharmers will make the bogus site look as much like a legitimate Web site as possible. For example, if people entering a bank’s Web site address in a browser were redirected to a bogus site, that site would have the bank’s logo and appear as much like the real site as possible. This will trick people visiting the site into believing nothing is amiss, so they enter their usernames, passwords, bank account, and any other information desired by the pharmer.
Hoaxes E-mail hoaxes are those e-mails sent around the Internet about concerned parents desperately searching for their lost children, gift certificates being offered from retail stores for distributing e-mails for them, and dangerous viruses that have probably already infected the user’s computer. There are a lot of different ways to separate hoaxes from real information. Most of the time, it comes down to common sense. If users receive e-mail that says it originated from Bill Gates who is promising to give $100 to everyone who forwards
Implementing Disaster Recovery and Incident Response Procedures 591
the e-mail, it is probably a hoax. The best rule of thumb is timeless—if something seems too good to be true, it probably is. If a user is still not sure of the validity of an e-mail message, there are plenty of sites on the Internet that specialize in hoaxes. One of the more popular sites is www.snopes.com. However, hoax e-mails have become such an issue that a number of organizations now provide a hoax or urban legend page on their sites, which offers explanations and warnings of inaccurate or outdated information being circulated about their company. Virus hoaxes are a little different. As we discussed in Chapter 1, virus hoaxes are warnings about viruses that do not exist. In these cases, the hoax itself becomes the virus because well-meaning people forward it to everyone they know. Some virus hoaxes are dangerous, advising users to delete certain files from their computer to “remove the virus,” when those files are actually very important OS files. In other cases, users are told to e-mail information such as their password (or password file) to a specified address, so the sender can “clean” the system of the virus. Instead, the sender will use the information to hack into the user’s system and may “clean” it of its valuable data. How do users know whether a virus warning is a hoax? Because users should never take a chance with viruses, the best place to go is to the experts—the antivirus companies. Most antivirus companies have information on their Web sites that list popular e-mail hoaxes. The most important thing to remember about e-mail hoaxes is to never follow any instructions within the e-mail that instructs users to delete a certain file or send information to an unknown party.
Shoulder Surfing Shoulder surfing is a method of obtaining passwords by watching what the person types on a keyboard, personal identification number (PIN) pad, or other device that’s used to enter a password. In other words, they’re staring over the person’s shoulder and watching what’s being entered. Shoulder surfing can happen in such situations as when someone is typing in a password, entering information on an online form, or punching in a PIN on a numerical keypad. Although the term often refers to someone physically being in the room and watching, some more high tech ways of obtaining this information can also be used. Security cameras, small cameras that can take digital video, or even binoculars can be used to watch what a person enters from a distance. Users should be aware to protect what they are entering on a keypad. By shielding a keypad as a PIN is entered or waiting for others to look away when passwords are typed, a user can protect what’s being entered. Companies can also use recessed keypads or have plastic shields installed on keypads to prevent unauthorized individuals from obtaining the password or PIN and using it for malicious purposes.
Dumpster Diving Dumpster diving is the process of physically digging through a victim’s trash in an attempt to gain information. Often it is easy to find client or product information, internal memos, and even password information that have been placed in wastebaskets.
592 CHAPTER 14 Controls and Procedures
In one famous example, a major clothing company had simply discarded photos and information about its upcoming clothing lineup. It didn’t take long for the carelessly discarded information to wind up in the hands of competitors, doing great damage to the victim company’s plans for a unique product launch. It is important to make sure that your organization has a method of securely disposing of the hard copies of confidential information. The reason that this method of breaching security remains popular is because it is so effective. In addition to the rotting refuse of people’s lunches, one can find discarded printouts of data, papers with usernames and passwords, test printouts that have IP address information, and even old hard drives, CDs, DVDs, and other media containing the information you’d normally have to hack the network to obtain. Even the most innocuous waste may provide a wealth of information. For example, printouts of e-mail will contain a person’s name, e-mail address, contact information, and other data that could be used for social engineering purposes. There are many solutions to resolving dumpster diving as a security issue. Dumpsters can be locked with a padlock to limit access, or they can be kept in locked garages or sheds until they’re ready for pickup. Companies can also implement a shredding policy so that any sensitive information is shredded and rendered unusable by anyone who finds it. This is especially important if the company has a recycling program, in which paper products are kept separate. If documents aren’t shredded, the recycling containers make it even easier to find information, as all the printouts, memos, and other documentation are isolated in a single container. Because discarded data are not always in paper form, companies also need to implement a strict hardware and storage media disposal policy so that hard disks are completely wiped and old CDs and DVDs containing information are destroyed. By obliterating the data before the media is disposed, and protecting the waste containers used afterwards, dumpster diving becomes difficult or impossible to perform. Test Day Tip Remember that disposing of sensitive information requires that you destroy the electronic and printed data as well. Throwing a piece of paper or hard disk in the garbage means that it is out of sight and out of mind but does not mean it is gone forever. Anyone retrieving documents or media from the trash may be able to view it. Once you remember that disposal and destruction goes hand-in-hand, you will find it easier to identify proper disposal methods when they are presented in test questions.
User Education and Awareness Training The best way to protect an organization from social engineering is through education. People reveal information to social engineers because they are unaware they are doing anything wrong. Often they do not realize they have been victimized, even after the hacker uses the information for illicit purposes. There are many ways of disseminating educational material, including posting information on a corporate intranet site, e-mailing newsletters with tips on securing information, and having the information
Exam Objectives Fast Track 593
taught in formal training classes. By teaching users how social engineering works and stressing the importance of keeping information confidential, they will be less likely to fall victim to social engineering.
Summary of Exam Objectives In this chapter, we discussed an array of different issues that can threaten an organization’s equipment, facilities, personnel, and other assets. Although many risks can negatively impact an organization’s security, there are also many methods of prevention. HVAC systems are used to control temperature, humidity, and airflow, thereby preventing sensitive equipment from being damaged. Fire detection and prevention systems can also be implemented to warn and extinguish fires without harming the equipment. Planning is the key to taking a proactive approach to possible threats. Disaster recovery plans provide procedures for recovering after a disaster occurs and provide insight into methods for preparing for the recovery should the need arise. Incident response plans are similarly used to provide insight as to how Incident Response Teams should handle incidents. These incidents can occur in the form of an employee accidentally or maliciously deleting data, intrusions of the system by hackers, viruses and malicious programs that damage data, and other events that cause downtime or damage. Because preparation begins long before an incident or disaster actually occurs, these plans address such issues as proper methods and procedures, so everyone knows what to do in emergency situations. Social engineering is another risk that organizations face. It relies on taking advantage of human behavior rather than technology. A user may be asked questions that reveal seemingly innocuous information that can be pieced together to obtain a person’s password, or using phishing to get the user to unwittingly reveal personal information and passwords. Such information can also be obtained through other methods, such as observing the user entering names and credit card numbers of passwords on the computer. Another low-tech method is to simply look in the company’s trash or recycling bins. This technique is called dumpster diving. The success of each of these methods relies on users being unaware that they’re doing anything wrong or how they can protect themselves. It’s because of this that user education and training is so important.
Exam Objectives Fast Track Environmental Controls ■■
■■
Environment refers to the surroundings in which the computers and other equipment reside. Fire suppression systems are used to put out fires without damaging servers and other equipment.
594 CHAPTER 14 Controls and Procedures
■■
■■
■■
■■
■■
■■ ■■
Fire detection systems will detect a fire by monitoring for heat, smoke, or fire. Smoke detection will monitor an area for the presence of smoke, heat detectors will monitor temperature increases, whereas flame detectors will monitor for the movement of flames or energy like ultraviolet or infrared. HVAC is an acronym for heating, ventilation, and air conditioning. It is the control system used to control humidity, temperature, and air flow. Shielding is used to prevent wireless signals leaking out of a specific area, which would enable unauthorized persons from intercepting the transmissions. It is also used in cabling to prevent unwanted external signals from interfering with data transmitted along the media. Such signals can corrupt data traveling along cabling. RFI is caused by radio frequencies. These frequencies emanate from a variety of sources, inclusive to microwaves, furnaces, appliances, radio transmissions, and radio frequency-operated touch lamps and dimmers. EMI is caused by electromagnetism, which can corrupt data and otherwise impair the successful transmission of data. EMI is generated by heavy machinery such as elevators, industrial equipment, and lights. Attenuation is the decrease of a signal’s strength over the length of a cable. Crosstalk is a term used to describe when a signal from one channel or circuit interferes with another.
Implementing Disaster Recovery and Incident Response Procedures ■■
■■
■■
■■
■■
■■
A disaster recovery plan identifies potential threats to an organization and provides procedures relating to how to recover from them. Backing up data is a fundamental part of any disaster recovery plan and business continuity. When data is backed up, it is copied to a type of media that can be stored in a separate location. Full backups will backup all data in a single backup job. When each file is backed up, the archive bit is changed to indicate that the file was backed up. Incremental backups will back up all data that was changed since the last backup. When each file is backed up, the archive bit is changed. Differential backups will back up all data that has changed since the last full backup. When this type of backup is performed, the archive bit is not changed, so data on one differential backup will contain the same information as the previous differential backup plus any additional files that have changed. Copy backups will make a full backup but do not change the archive bit. Because the archive bit is not marked, it will not affect any incremental or differential backups that are performed.
Exam Objectives Fast Track 595
■■
■■
■■
■■ ■■
■■
■■
■■
■■
■■
■■
■■
■■
GFS rotation organizes a rotation of backup tapes into a daily, weekly, and monthly set of tapes. Incidents can be any number of adverse events affecting a network or computer system or violations of existing policy. They can include but are not limited to unauthorized access, denial or disruptions of service, viruses, unauthorized changes to systems or data, critical system failures, or attempts to breach the policies and/or security of an organization. Incident Response Teams are IT professionals used to handle incidents that occur in a company. IDSes are used on networks to monitor for signs of intrusion attempts. Computer forensics is the application of computer skills and investigation techniques for the purpose of acquiring evidence. It involves collecting, examining, preserving, and presenting evidence that is stored or transmitted in an electronic format. The first responder is the first person to arrive at a crime scene and is responsible for identifying the scope of the crime scene, securing it, and preserving volatile evidence. In a computer forensic investigation, an investigator establishes a chain of command, conducts a search of the crime scene, and is responsible for maintaining the integrity of the evidence. Crime scene technicians are individuals who have been trained in computer forensics and have the knowledge, skills, and tools necessary to process a crime scene. A crime scene technician is responsible for preserving volatile evidence, duplicating data on disks and other media, shutting down systems for transport, and tagging, logging, packaging, and processing evidence. A chain of custody is used to monitor who has had possession of evidence at any point in time, from the crime scene to the courtroom. Social engineering is a potentially devastating technique based on lying to trick employees into disclosing confidential information. Phishing or phising is a variation of social engineering in which a hacker uses e-mail to acquire information from the recipient. Spear phishing is a variation of phishing that involves targeting groups of people, such as individuals who work in the same department or company. Pharming is a scam that involves redirecting traffic to a Web site to a different bogus site. By using DNS poisoning, changing host files, and other methods, a user who enters a legitimate Web site address is redirected to a different site that is designed to acquire personal or other sensitive information from the user.
596 CHAPTER 14 Controls and Procedures
■■
■■
■■
Hoaxes are e-mail messages or other methods of circulating inaccurate information about companies, false virus warnings, or other stories that can negatively impact a business. Shoulder surfing is a method of obtaining passwords by watching what the person types on a keyboard, PIN pad, or other device that’s used to enter a password. Dumpster diving is the practice of going through commercial or residential trash in search of information that may be important from either a criminal perspective or an investigative perspective.
EXAM OBJECTIVES Frequently Asked Questions Q: I work for a small company that only has one facility, so storing backup tapes at another site is not an option. What can I do to keep the backup tapes safe in case of a disaster? A: There are many options for storing backup tapes off-site. A safety deposit box could be rented at a bank to store the backup tapes, or a firm that provides storage facilities for backups could be hired. When deciding on a storage facility, ensure that it is secure and has protection against fires and other disasters. You do not want to store your backups in a location that has a higher likelihood of risk than your own facilities. Q: What can be done to guard against the dangers of social engineering? A: A policy forbidding the disclosure of information over the phone and e-mail is a good place to start. Warn employees that they need to be able to verify the identity of any person requesting information. Let them know that they will not be reprimanded for strictly enforcing this policy. Some employees worry that if a “boss” asks for information, they should give it immediately. Addition-ally, create an environment where information is obtained in appropriate ways rather than blindly over the telephone or via e-mail. Q: Is there any way to protect against dumpster diving? A: Having a policy in place that requires shredding of any discarded company documents will provide a decent amount of protection against dumpster diving. Remember, any document with employee names, phone numbers, or e-mail addresses could be potentially used against you by a social engineer.
Self Test
1. Your organization is planning on installing a new fire suppression system in a server room. The system must be able to successfully extinguish the fire
Self Test 597
without causing damage to the servers and other equipment in the room. Which of the following will you use? A. Water sprinkler system B. A system that releases a fine mist of water to extinguish the fire C. A system that uses halon to extinguish the fire D. A system that uses Inergen to extinguish the fire
2. You are planning to install a new fire detection system in a server room, which will monitor the area for specific types of energy that would indicate the presence of a fire. Which of the following types of fire detection methods will be used? A. Smoke C. Flame B. Heat D. Halon
3. The air conditioning in your server room has broken down, and temperatures are rising dramatically. Which of the following can result if this problem isn’t fixed as soon as possible? A. ESD C. HVAC B. Chip creep D. Shielding
4. New cable has been installed in an elevator shaft, allowing network cabling to run from the basement to all the floors in the building. To save money, cabling with very little shielding is used. After the new cabling is installed, you find that the servers are repeatedly resending data to computers on other floors. This is causing a performance issue, and users begin complaining that the network is slower than before. Which of the following kinds of interference is resulting from the installation of the new cable? A. EMI C. Noise B. RFI D. UTP
5. You are planning to install new cable between the floors of a building where there are a high number of sources for interference from industrial equipment and devices that transmit radio frequencies. Which of the following cable is the most effective against interference under these circumstances? A. UTP C. Fiber optic B. STP D. Coaxial
6. Data is degrading as it is transmitted down the length of cabling between two buildings. Which of the following is occurring? A. Attenuation C. EMI B. Crosstalk D. RFI
598 CHAPTER 14 Controls and Procedures
7. Data is being corrupted by a faulty cable, causing the signals from one wire to interfere with the signals on another wire. Which of the following is occurring? A. Attenuation C. EMI B. Crosstalk D. RFI
8. You receive a complaint from the network administrators of another company regarding an attempted hacking of their Web site. Their firewall logs show that the attempt came from an IP address from your company. Upon hearing the IP address, you find that this is the IP address of the proxy server belonging to your company. Further investigation on your part will be needed to identify who actually performed the attempted intrusion on the other company’s Web site. Who will you notify of this problem before starting the investigation? A. Media outlets to publicize the incident B. The Incident Response Team C. Users of the network to ensure they are aware that private information dealing with employees may need to be shared with the other company D. No one
9. You are designing a backup regime that will allow you to recover data to servers in the event of a disaster. Should a disaster occur, you want to use a backup routine that will take minimal time to restore. Which of the following types of backups will you perform? A. Daily full backups B. A full backup combined with daily incremental backups C. A full backup combined with daily differential backups D. A combination of incremental and differential backups
10. You are the administrator of a network that is spread across a main building and a remote site several miles away. You make regular backups of the data on your servers, which are centrally located in the main building. Where should you store the backup tapes so they are available when needed in the case of a disaster? A. Keep the backup tapes in the server room within the main building, so they are readily at hand. If a disaster occurs, you will be able to obtain these tapes quickly and restore the data to servers. B. Keep the backup tapes in another section of the main building. C. Keep the backup tapes in the remote site. D. Keep the backup tapes in the tape drives of the servers so that a rotation scheme can be maintained.
Self Test 599
11. You have created a backup regime as part of a disaster recovery plan. Each day, data on a server is backed up. After implementing it, you decide you want to make a separate backup of all data on the server but do not want it to interfere with the current backup jobs. Which of the following types of backups would you perform? A. Full backup C. Differential backup B. Incremental backup D. Copy backup 12. You are working in a server room and notice that someone has remotely accessed a server used for storing backups of data and is modifying files. You quickly realize that an unauthorized user has remote controlled the server and is hacking the system. To prevent any further damage to data, the file server is taken offline, and a member of the Incident Response Team who looks into these matters is called immediately. Which of the following roles have you fulfilled? A. First responder C. Crime scene technician B. Investigator D. Unauthorized user 13. A criminal is attempting to acquire information from people. In doing so, he sends out e-mails to a small group of individuals working in the finance department of your company. The e-mail appears to be from the bank your company uses. It has a link that takes the user to a Web site, where a form requests his or her name, department, bank account numbers, and other information. Which of the following social engineering methods is being used? Choose the best answer. A. Phishing C. Pharming B. Spear phishing D. Spaming 14. A member of the IT staff has just modified the hosts files on Windows XP computers on your network. After making this modification, you notice that a Web site commonly used by members of your organization’s staff looks somewhat different. You check the hosts file on a computer and realize that people are being redirected to a different site. Which of the following has occurred? A. Phishing C. Pharming B. Spear phishing D. Spaming 15. You are about to make configuration changes to a computer and log on to the workstation as the administrator. In doing so, you notice the user whose computer you’re working on is watching what you’re typing on the keyboard. Which of the following has occurred? A. Phishing C. Dumpster diving C. Shoulder surfing
D. Hoaxes
600 CHAPTER 14 Controls and Procedures
Self Test Quick Answer Key 1. 2. 3. 4. 5.
D C B A C
6. 7. 8. 9. 10.
A A B A C
11. 12. 13. 14. 15.
D A B B B
CHAPTER
Legislation and Organizational Policies
15
E x a m o b j e c tiv e s in this c hapt e r Secure Disposal of Systems............................................................................................... 602 Acceptable Use Policies.................................................................................................... 605 Password Complexity......................................................................................................... 607 Change Management...........................................................................................................610 Information Classification...................................................................................................610 Vacations ...............................................................................................................................612 Personally Identifiable Information......................................................................................614 Due Care ...............................................................................................................................616 Due Process ..........................................................................................................................617 Due Diligence ........................................................................................................................618 Service Level Agreements...................................................................................................618 User Education and Awareness Training............................................................................. 620 Security-Related HR Policies.............................................................................................. 625
Introduction In organizations, policies are used to outline rules and expectations, while procedures outline courses of action to deal with problems. These policies and procedures allow everyone to understand the organization’s views and values on specific issues, and what will occur if they are not followed. In some instances, additional rules may be required in the form of legislation that controls certain activities of the organization. For example, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 defines requirements for protecting patient information during and after being transmitted electronically. Any hospital, doctor’s office, clinic, or other office that maintains patient information must comply with these requirements. In situations where the company must adhere to certain laws or standards that directly impact their area of business, the policies must be written to coexist with existing legislations.
601
602 CHAPTER 15 Legislation and Organizational Policies
A policy is used to address concerns and identify risks. For example, a policy may be created to deal with physical security to an office building and the potential threat of unauthorized access. It may state that members of the public are permitted in the lobby and front desk area, but points beyond this are for employees only. Through the policy, an issue that is pertinent to the organization is explained and dealt with. Well thought out plans provide information that is used to create a successful security system. Without them, organizations would find it difficult to deal with incidents when they occur, or avoid problems that can adversely affect a company. As a Security+ technician, you are expected to understand the fundamental concepts of different policies, procedures, and documentation that make up the foundation on which computer security is built.
Secure Disposal of Systems Nothing lasts forever. After a while, equipment becomes outdated and data is no longer needed. When this occurs, you need to determine what to do with it. You do not want people recovering data on hard disks that are thrown away, reading printed materials they find in the garbage, or acquiring other information that has been removed from service. Because of the sensitive nature of some data, a policy dealing with the safe disposal and destruction of data and equipment is necessary. The first step regarding disposal and destruction is deciding what needs to be disposed off and destroyed. Because data can become obsolete or is legally required to be removed after a period of time, certain data needs to be removed from a system. Organizations often incorporate a data retention policy, which outlines the period of time when data and printed records become obsolete. When files, records, or paperwork are destroyed, a policy dealing with disposal and destruction of data should be used. Such a policy can also be referred to when determining what to do with data that is destroyed daily, such as forms that are incorrectly filled out or corporate memos that are read but no longer needed. This policy provides clear guidelines of how an organization expects this material to be discarded. There are different options available for destroying paper documents. As we discussed in Chapter 14, you don’t want to simply throw out sensitive documents, as they can be pulled from the garbage and read. Smaller organizations may use shredders to cut up the documents into strips, while larger organizations may hire businesses that specialize in destroying paper documents. Banks, government institutions, law firms, and so forth often use these shredding companies, which are bonded and will pick up documents from a site and guarantee their destruction. Data can be destroyed in a number of ways, with some being more effective than others. If data is simply deleted, any number of data recovery or computer forensic tools can be used to restore the data. Even formatting the hard disk is not a suitable solution when you consider that certain tools and data recovery methods can still access the data. The only way to be certain that data cannot be recovered using software solutions is to overwrite it with other data.
Secure Disposal of Systems 603
Disk erasing software wipes the disk clean by erasing all of the files and overwriting the disk space with a series of ones and zeros. In doing so, every sector of the disk is overwritten, making the data unrecoverable. If anyone attempted to recover data on the disk, they wouldn’t be able to retrieve anything because the data is completely destroyed. Shredder utilities such as Active@ Kill Disk (www.killdisk.com) are widely used to wipe the disks before they are disposed. Exam Warning Using a degausser, also called a bulk demagnetizer, can effectively destroy data stored on magnetic media such as backup tapes. Software can be used to overwrite data on hard disks so that it can’t be recovered, but some media may need to be completely destroyed (as in the case of CDs, DVDs, and so forth).
A degausser or bulk demagnetizer is a hardware that can be used to destroy data stored on magnetic media such as floppy disks and backup tapes. A degausser is a powerful magnet that erases all data from magnetic media so that no one can retrieve information from it. Hard disks can also have data erased with a degausser, performing a low-level format that erases all data from the disk. If there are concerns over particularly sensitive information being seen by outside sources, an additional measure of security is physically scarring or destroying the media. For floppy disks and backup tapes, this involves shredding the media into pieces. There are many paper shredders on the market that also provide the feature of inserting CDs and DVDs into it to totally destroy it, and other tools that will scrape the data layer off of the CD/DVD. For hard disks, you would open the hard drive, remove the platter inside, and physically scar or destroy it. Tools are also available for hard disks that will crush the hard disk, and that can punch the spindle and warp the platters of the disk. Acid can also be used to destroy magnetic media. From this, you can see that there are many options available for totally destroying media.
Retention/Storage As we mentioned earlier, policy regarding the retention of data decides how long a company will retain data before destroying it. If everyone kept every scrap of paper or record stored in a database, organizations would quickly run out of hard disk space and have rooms filled with paperwork. For this reason, administrators need to determine whether certain records should be destroyed after a series of months or years. A retention policy clearly states when stored data is to be removed. The length of time data is stored can be dictated by legal requirements or corporate decision-making. Using this policy, certain data will be kept for a specified length of time, so that it can be referred to if needed. For example, a police department will retain data related to a case for indeterminate lengths of time, so that it can be used if a person convicted of a crime appeals or if questions related to the case need to be addressed. Contrary to this are medical records, which a doctor’s office
604 CHAPTER 15 Legislation and Organizational Policies
will keep throughout the life of the patient. In other situations, data is kept for an agreed upon time and then destroyed, as when backed-up data is retained for a year to allow users the ability to restore old data for a specific use. Retention and storage documentation is necessary to keep track of data, so that it can be determined what data should be removed and/or destroyed once a specific date is reached. Such documentation can be as simple as backup logs, which list what was backed up and when. By referring to the date the data was backed up, administrators can determine if the necessary period of time has elapsed to require destruction of this data. Exam Warning An organization should have clear policies on how long data and documentation are to be retained, and how this is to be stored. These policies ensure that data isn’t destroyed too soon, and that it is stored in a safe and secure manner.
Destruction When a retention period is reached, data needs to be destroyed. Legal requirements or policy may dictate how data is to be destroyed. When destroying data, it is important to follow procedures that dictate how information is to be destroyed. Even if data is destroyed on magnetic media, additional actions may be needed to destroy the media itself. Destroying the hard disks, floppy drives, backup tapes, and other media on which data is stored ensures that unauthorized persons are unable to recover data. Standard methods of physically destroying magnetic media include acid, pulverization, and incineration. When destroying data or equipment that is outdated, it is important that a log is kept of what items have been destroyed, and when and how the destruction was accomplished. This provides a reference that also serves as proof that data and equipment were actually destroyed, should anyone request information on the status of the data or equipment. A log may also be required for legal or corporate issues, such as when audits of equipment are performed for tax or insurance reasons. When destroying equipment and data, it is important that logs, inventory, and documentation are subsequently updated. Failing to remove equipment from a systems architecture document and equipment inventory could be misleading and cause problems, as they would indicate that the old equipment is still part of the system. The same applies to data, as failing to indicate that backup tapes have been destroyed would provide false information in a backup inventory. Test Day Tip Remember that how data is destroyed is as essential to maintaining privacy as storing it securely. Procedures need to be established on how to properly dispose of equipment, destroy data, and consistently purge systems of information. It’s vital that outside individuals can’t access data after equipment is sold for auction or media is thrown away.
Acceptable Use Policies 605
Acceptable Use Policies An acceptable use policy establishes guidelines on the appropriate use of technology. It is used to outline what types of activities are permissible when using a computer or network, and what an organization considers proper behavior. Acceptable use policies not only protect an organization from liability, but also provide employees with an understanding of what they can and cannot do using company resources. In an organization, employees act as representatives of the company to the public. How they conduct themselves and the actions they perform reflect upon the organization and can either enhance or damage the reputation of the company. Because employees have greater access to clients and other members of the public through e-mail, Web pages, and other technologies, acceptable use policies are used to ensure that users conduct themselves appropriately. Acceptable use policies also restrict the types of Web sites or e-mail an employee is allowed to access on the Internet. When employees access pornography over the Internet, not only does it use up bandwidth and fill hard disk space on non–work-related activities, but it also creates an uncomfortable work environment for the other employees. Under the Civil Rights Act of 1964 and other legislation, a company can be liable for creating or allowing a hostile work environment. For this reason, businesses commonly include sections in their acceptable use policies that deal with these issues.
Damage and Defense Hostile Work Environments Work environments are considered hostile when the conduct of employees, management, or nonemployees becomes a hindrance to an employee’s job performance. A hostile work environment may exist when situations involving sexual harassment, discrimination, or other events that offend someone occur in the workplace. In terms of computers and the Internet, such situations may involve downloading and viewing pornographic or other offensive materials on company computers. If these materials are accessed through company computers and printed or distributed in the workplace, the company can be sued for creating a hostile work environment. Additional problems may occur if the materials that are accessed, printed, or distributed within the company are illegal. For example, it is illegal to produce, possess, send, or receive child pornography. If someone downloads such material, a crime has been committed. This means the computer equipment could be subject to seizure and forfeiture because it was used in the commission of the crime.
Beyond dealing with potentially offensive materials, acceptable use policies also deal with other online activities that can negatively impact network resources or sidetrack users from their jobs. For example, a user who installs game software or other technologies is often distracted from the duties they were hired to perform. These
606 CHAPTER 15 Legislation and Organizational Policies
distractions are activities the company did not intend to pay the user to perform. For this reason, restrictions on installing software and other technologies on company computers can be found in acceptable use policies. With many companies providing users with laptop computers, wireless handheld devices (such as Blackberry or Palm devices), cell phones, and other equipment, the propensity of employees to use these devices for their own personal use is a problem. For example, an employee may use a company’s wireless phone to call home, or use a laptop to pay their personal bills online. Acceptable use policies routinely include sections that restrict users from using equipment for their own personal use, home businesses, or other methods of financial gain. Acceptable use policies should also specify methods of how information can be distributed to the public to avoid sensitive information from being “leaked.” Imposing rules on the dissemination of information may include: ■■
Specifications that prohibit classified information from being transmitted via the Internet (for example, e-mail, short message service [SMS] or File Transfer Protocol [FTP]).
■■
Provisions on how content for the Web site is approved.
■■
Rules on printing confidential materials.
■■
Restricting who can create media releases, and so on.
Through these rules, important information is protected and employees have an understanding of what files they can or cannot e-mail, print, or distribute to other parties.
Head of the Class Enforcing Acceptable Use Policies It has become commonplace for organizations to require new employees to sign an acceptable use policy upon acquiring employment with a company. The acceptable use policy outlines computer business usage limitations and other expectations of a company. Having new employees sign this document serves as acknowledgment and understanding of the rules within the policy. By signing, employees enter into the agreement that violating the policy (such as by accessing data or systems without proper authorization, providing data that could be used for illegitimate endeavors, or other infractions) may lead to dismissal or even prosecution. However, signing the acceptable use policy does not absolve a company from responsibility or liability for an employee’s actions. The acceptable use policy could be used in court in the company’s defense, but it does not mean that they will not be found responsible for the employee’s actions. If the policy is not generally enforced, the courts could find that the company gave tacit approval of the employee’s behavior, making them vicariously liable for the employee’s actions. For example, an employee downloaded pornographic images from the Internet and then e-mailed them to a coworker who decided to sue the company for creating a hostile work
Password Complexity 607
environment. The signed acceptable use policy could be used in defense of the company, but the court may decide that because the company had never enforced the policy, they, in essence, created an environment that allowed this kind of behavior to occur.
Many organizations implement acceptable use policies as contracts between the company and the employee, and require workers to sign a copy of the policy to show that they agree to abide by it. Because schools teach computer skills in early grades, parents and guardians are routinely asked to sign such policies on behalf of minors. Through these contracts, organizations have justifiable reason to fire employees or (in the case of schools) expel students who violate the agreement. In extreme cases, it can be used as evidence for prosecution. Because the responsibility of adhering to the policy is placed on the person signing it, organizations can also use the signed acceptable use policy as part of their defense from litigation. For example, if an employee hacks a competitor’s Web site, a company could use the signed policy to show the onus of responsibility rests with the employee and not the company itself. What is the best way to enforce an acceptable use policy? Audits should be conducted on a regular basis, inclusive of audits of data stored in personal directories and local hard disks and audits of firewall and system logs, to determine what has been accessed. In cases where suspected breaches of policy have occurred, e-mail messages may also be audited. Because courts have generally held that employees have no reasonable expectation to privacy regarding data stored on computers belonging to a company, such audits can occur regularly and without warning. To ensure users are aware that these audits occur, and to inform them that the organization takes its acceptable use policy seriously, mention of such measures should be included in the policy.
Password Complexity Passwords are used to prevent unauthorized access to computers, networks, and other technologies by forcing anyone who wants access to provide specific information. Password management involves enacting policies that control how passwords are used and administered. Without good password management, security could be compromised by passwords that are easy to guess, repeatedly used, or have characteristics that make them insecure. Passwords act as a secret between the system and the person, allowing entry only to those with the correct password and denying entry to those who fail to provide one. Unfortunately, although the system can keep a secret, people often cannot. For example, a secretary may give a temporary employee his or her password so they do not have to go through the trouble of applying for additional access. Another may write a password down on a piece of paper and tape it to the monitor. In both of these cases, people obtain unauthorized access by sharing a password. Because of the importance of password protection, a policy should state that the users are responsible for their accounts and anything that is done with them.
608 CHAPTER 15 Legislation and Organizational Policies
Strong Passwords Even if a user is protective of their password, it can still be cracked through the use of tools or by simply guessing the password. Passwords that are words can be cracked using a dictionary hacking program, which goes through words found in a dictionary. In addition to this, hackers can easily guess names of family members, pets, or other interests. Strong passwords are more difficult to guess and cannot be cracked using dictionary hacks. Using a combination of two or more of the following keyboard character types can create strong passwords: ■■
Lower case letters (a through z)
■■
Upper case letters (A through Z)
■■
Numbers (0 through 9)
■■
Special characters (({}[],.<>;:’”?/|\`~!@#$%^&*()_–+=)
Strong passwords can still be cracked using a program that performs a brute force attack, which tries to determine the password using all possible combinations of characters in a password, but hacking a password in this manner can take a considerable amount of time. Longer passwords make it more difficult for brute force hackers to crack a password, so the policy should specify a minimum password length. For example, a policy may state that passwords must be at least 8 characters long. Test Day Tip Remember that password complexity makes it more difficult for a password to be cracked. It should consist of a combination of uppercase letters, lowercase letters, numbers, and/or special characters. Just in case someone has your password, the password should be changed at intervals (such as every 90 days) and not be reused for a period of time.
Password Changes and Restrictions Passwords should be changed after a set period of time, so that anyone who has a particular password will be unable to use it indefinitely and others will have more difficulty guessing it. A common recommendation is forcing users to change passwords every 45 or 90 days, at the most. Although changing it often is more secure, it will make it more difficult for users to remember their passwords. As with any security measure, you want authorized users to easily access the system and unauthorized users to find it difficult. For this reason, the time limit set should allow users to memorize their new passwords before forcing them to change. In addition to changing passwords, it is important that a policy states that passwords cannot be reused until a certain number of password changes have occurred. It does no good to force users to change their password and then allow them to change
Password Complexity 609
it back to the previous password again. If an old password has been compromised, a hacker could keep trying it until the user changes back to the old password. Password changes and not reusing old passwords are particularly important when strong passwords cannot be used. A good example would be a bankcard with a personal identification number (PIN) for accessing accounts through an automated teller machine (ATM). A PIN is a series of numbers, so combinations of alphanumeric and special characters are not possible. Another example might be a door lock to a server room, in which people type in a several-digit code on a keypad to unlock the door. When an authorized user enters the code, it is possible that unauthorized users could see it. Changing the numeric code on a regular basis prevents unauthorized users from utilizing a code they have seen others successfully use.
Using Passwords as Part of a Multifaceted Security System Because passwords are not always the most secure method of protecting a system, there are other methods that can be used to enhance security. For example, SecurID tokens are small components that can fit on a key ring and be carried by the user in their pocket. The token has a digital display that shows a number of changes at regular intervals. When a person logs into a SecurID server, they must enter the number on the token in addition to the appropriate username and PIN. Another method that may be suitable for a network’s security is biometric authentication. Biometric authentication uses a measurable characteristic of a person to control access. This can be a retinal scan, voiceprint, fingerprint, or any number of other personal features that are unique to a person. Once the feature is scanned, it is compared to a previous reading on file to determine whether access should be given. As with tokens, this method can be combined with passwords or other security methods to control access. Because of the expense of purchasing additional equipment and software, biometrics is generally used on high-security systems or locations. Exam Warning Passwords and passphrases are the most common method of authenticating users, but are not the most effective way of securing systems. In secure environments, they are often used with other security devices and methods.
Administrator Accounts Administrator passwords are another important issue that should be covered in a password policy, as anyone using an administrative account is able to make changes and access all data on a system. Because of the importance of this account, there should be limits on who knows the password to this account. If there are numerous people in Information Technology (IT) who perform administrator duties, they should have their own accounts with the minimum access needed to perform their tasks, and follow the same rules as other user accounts (for example, changing passwords
610 CHAPTER 15 Legislation and Organizational Policies
regularly, using strong passwords, and so forth). The password for the administrator account should be written down, sealed in an envelope, and stored in a safe. Should the administrator leave, or this account be needed, others in the IT staff can still use the account and make necessary system changes. Test Day Tip Remember that gaining access to an administrator account or elevating privileges to that of the administrator group is a primary goal in hacking systems. Administrator accounts have the widest scope of access, meaning that administrator passwords must be stringently protected.
Change Management Nothing stays the same and change is inevitable. These are the reasons why change documentation is so important. Change management is the process of planning and implementing changes in systems. As an IT department plans upgrades, replaces servers, deploys new software, and makes other proactive changes, documentation is created to control how these changes take place. Change control documentation provides information on changes that have been made to a system, and often provides back out steps that show how to restore the system to its previous state. Without this, changes made to a system could go unrecorded causing issues in the future. Imagine starting a job as the new network administrator, and finding that the only documents about the network were the systems architecture documentation that your predecessor created 7 years ago when the system was first installed. After years of adding new equipment, updating software, and making other changes, the current system would barely resemble its original configuration. If change documentation had been created, you would have had a history of those changes, which could have been used to update the systems architecture documentation. Change documentation can provide valuable information, which can be used when troubleshooting problems and upgrading systems. First, it should state why a change occurred. Changes should not appear to be for the sake of change but be for good reason, such as fixing security vulnerabilities, hardware no longer being supported by vendors, new functionality, or any number of other reasons. The documentation should also outline how these changes were made and detail the steps that were performed. At times, an administrator may need to justify what was done, or need to undo changes and restore the system to a previous state because of issues resulting from a change. In such cases, the change documentation can be used as a reference for backtracking the steps taken.
Information Classification In order for users to be aware of what information they can share with certain members of their organization, distribute to the public, or keep to themselves, a system
Information Classification 611
of classification must be used. If you have ever seen any military or spy movies, you are probably familiar with the concept of “classified documents.” You can use such a method to specify that certain documents are “top secret,” “classified,” or “for your eyes only” to control which documents are to be kept private and uncopied. In many cases, however, you will come up with your own system. A system of classification should be explained through a corporate policy, which defines the terms used and what they mean. When creating these classifications, the following levels should be included: ■■
Public or unclassified It can be viewed by people outside of the organization.
■■
Classified It is only for internal use, not for distribution to outside parties.
■■
■■
■■
■■
■■
Management only Only managers and supervisors can view the information. This can be further broken down so that only certain levels of management can view it. For example, certain information may be suitable for top management but not for supervisors of individual departments. Department specific People outside of a particular department do not view the information. Private or confidential This denotes that the information is only for the person to whom it was specifically sent. High security levels Levels, such as top secret or other classifications, that stress the importance of the information. For example, the secret recipe of a product would fall into this category, as leaking this information could ruin a company. Not to be copied Denotes that hard copies are not photocopied, and data files are not printed or copied to other media (such as floppy disk or USB flash drive).
By providing a scheme of classification, members of an organization are able to understand the importance of information and less likely to leak sensitive information. Incorporating such a scheme will also make other policies more understandable, as they can describe what information is being discussed. For example, a code of ethics could state that the private information of employees is classified and not to be shared with outside parties. This lessens the risk of sensitive data being shared with others, transmitted over insecure technologies, or other security risks.
Exam Warning Document management systems are increasingly used in organizations that need to maintain and track large stores of documents. Classification of these documents are important to ensuring that documents are not disseminated to unauthorized individuals, their importance is quickly understood by readers, and that information isn’t leaked by people who don’t understand whether the document contains classified information.
612 CHAPTER 15 Legislation and Organizational Policies
Some organizations may also require documents to be classified for certain s ystems to function as expected. For example, a growing number of organizations use Microsoft SharePoint to create document libraries to manage and share documents on a network. In such an environment, a user might create a document in Office 2007, and add it to the document library. In doing so, he or she would select a classification, which would be saved as a metadata property of the document. Other users who had access to documents with this classification could then view the document through a Web browser and (depending on their level of access) check it in and out, edit it, and so on. Without proper classification, an organization would be unable to effectively control access to certain types of documents, making it difficult for users to retrieve them. Note The Rainbow Series is a collection of books created by the National Computer Security Center, with each book dealing with a different aspect of security. Each of the books in the series has a different colored cover, which is why it is called the Rainbow series. The Orange book is the Trusted Computer System Evaluation Criteria (TCSEC), which establishes criteria used in grading the security offered by a system or product. The Red book is the Trusted Network Interpretation and is similar to the Orange book in that it establishes criteria used in grading security in the context of networks. These books are often referred to in the classification of systems and networks.
Vacations A common policy that organizations have deals with vacation time. Such policies dictate how and when an employee may take a vacation. Components of a mandatory vacation policy include: ■■
■■ ■■
How much time a person may have based on the number of years they’ve worked. Whether an employee can only take vacations at certain times of the year. If the employee must take all of their vacation time at once, or can split it up throughout the year.
Mandatory vacation policies exist for a number of reasons. Contracts may require specific amounts of time off from work. By having employees take time off of work, they tend to be able to do their jobs better when they get back. Another reason is to prevent employees from carrying their vacation time over to subsequent years. If an employee kept moving vacation days owed to them ahead to the next year, eventually they’d be able to take off months of paid leave before retiring. Such golden handshakes were common in previous decades, and caused issues with positions being unfilled, as the company was unable to hire a new person until the current person in the job retired.
Vacations 613
Before having individuals take time off of work, it is important to ensure that the job can still be performed without their presence. This means having multiple people trained in different tasks. Exam Warning Mandatory vacation policies are covered in the exam, so don’t skim over the information provided here believing it won’t appear on the test. Vacations are important as they have implications to the business, can be legislated or contractually agreed on, and have security requirements for ensuring that individuals are available to cover the duties of employees who are unavailable.
Separation of Duties Separation of duties ensures that tasks are assigned to personnel in a manner that no single employee can control a process from beginning to end. Separation of duties is a common occurrence in secure environments and involves each person having a different job, thus allowing each to specialize in a specific area. This provides a number of benefits to the security of an organization. In an organization that uses a separation of duties model there is less chance of people leaking information because of the isolated duties that each employee performs in contribution to the whole. If a user does not know something, they cannot discuss it with others. Because the needs of persons performing separate duties would not require the same access to the network and other systems, each person (or department) would have different security needs. In other words, the data of one person or department would not need to be viewed, deleted, or modified by another. A good example of this would be the Internal Affairs office of a police department, which investigates infractions of officers. Because other officers are being investigated, you would not want them having access to the reports and data dealing with their case. Doing so could jeopardize the integrity of that data. Another benefit of separating duties is that each person (or group of people) can become an expert in their job. Rather than trying to learn and be responsible for multiple tasks, they can focus their expertise on a particular area. This means, theoretically, you always have the best person available for a job. Separation of duties does not mean that there is only one person in an organization who can perform a specific duty, or that people are not accountable for their actions. It would be inadvisable to have only one person know a particular duty. If this were the case and that person were injured or left the company, no one else would be able to do that particular job. Thus, each task should be documented, providing detailed procedures on how to perform duties. Supervisors and managers should be aware of the duties of each subordinate so that they can coordinate jobs effectively. This is particularly important in crisis situations such as those involving disaster recoveries (discussed later in this chapter). By separating duties, each person is able to focus on their individual tasks, with each
614 CHAPTER 15 Legislation and Organizational Policies
fixing a piece of the problem. Not only does this provide a more effective method of dealing with a crisis, but it also allows the situation to be successfully resolved faster.
Personally Identifiable Information Privacy has become a major issue over the last few years, as the people who use technology are increasingly fearful of unauthorized persons or employers viewing personal information transmitted across networks, saved on machines, or stored in databases. People often have an expectation of privacy when using various technologies and are unaware that actual privacy may not exist. Personally identifiable information (PII) is private information that identifies you, members of your organization, and your clients. PII can be found in numerous places. It can exist in databases used by your company, directory services used in your network, and various other sources that contain names, phone numbers, addresses, credit card numbers, and so on. If such information became available to unauthorized users, it could result in embarrassment, liability, and possibly even criminal charges. Exam Warning PII falls hand-in-hand with privacy policies. Policies within the company should adhere to legislation that ensures personal data is secure.
Privacy Privacy policies spell out the level of privacy that employees and clients can expect, and an organization’s perspective of what is considered private information. Areas typically covered in a privacy policy are as follows: ■■
Unauthorized software
■■
E-mail
■■
Web site data
Although companies may voluntarily incorporate a privacy policy, some industries are required by law to maintain specific levels of privacy for client information. The HIPAA Act mandates hospitals, insurance companies, and other organizations in the health field to comply with security standards that protect patient information. The Gramm–Leach–Bliley (GLB) Act is another piece of legislation that mandates banks, credit unions, brokers, and other financial institutions to protect information relating to their clients. The GLB Act requires these institutions to inform clients of their policies regarding the information collected about them, and what will be shared with other organizations. If organizations that require privacy policies fail to comply with the legislation, they are in violation of federal or state laws.
Personally Identifiable Information 615
Privacy policies commonly state that an organization has the right to inspect the data stored on company equipment. This allows an organization to perform audits on the data stored on hard disks of workstations, laptops, network servers, and so forth. By performing these audits on a regular basis, an organization can determine if employee resources are wasted on non–work-related activities, or if network resources are being wasted on old data. For example, if an organization is considering purchasing an additional file server, performing an audit on their current file server may reveal that employees are using up hard disk space by saving outdated files, games, personal photos, duplicated data, and other items that can be deleted. Although employees may assume that the data stored in their personal directories on equipment that is issued to them is private, a privacy policy could state that the equipment and any data stored on it are the property of the organization. Privacy policies may also authorize such audits on the basis of searching for installations of pirated or unauthorized software. Pirated software is software that is not licensed for use by the person or company and can cause liability issues resulting in fines or prosecution. Unauthorized software may include such things as games or applications for personal use (photo software, online bill paying software, and so on) installed on workstations and laptops. Unauthorized software can cause a plethora of problems including causing conflicts with company software or containing viruses or Trojan horses. Trojan horses are applications that appear to be legitimate programs, such as a game or software that performs useful functions but contain code that perform hidden and/or unwanted actions. For example, an employee may install a calculator program that he/she has downloaded from the Internet, not knowing that it secretly sends data regarding the person’s computer or network to a hacker’s e-mail address. Not only can such programs reveal information about the system, but the (Trojan horse) may also acquire information from the network (such as sensitive information about clients). Just as data stored on a computer or network is considered the property of an organization, e-mail (another form of data) may also be considered corporate property. Privacy policies often state that e-mail sent or received through business e-mail addresses belongs to the organization and should not be considered private. The organization can then examine the e-mail messages, ensuring that the business e-mail account is being used properly. Although this seems like a blatant violation of personal privacy, consider how e-mail can be abused. A person can make threats, reveal sensitive information, harass, or perform any number of immoral and criminal actions while posing as a representative of an organization. The organization uses the privacy policy to ensure that each employee is representing the organization properly while using corporate e-mail. As Internet access has become common in organizations, monitoring Web sites that have been visited has also become common. Firewalls are used to prevent unauthorized access to the internal network from the Internet, but also enable organizations to monitor what their employees are accessing on the Internet. Companies can check firewall logs to determine what sites an employee visited, how long they spent there, what files they downloaded, and other information that the employee may consider private. Again, because the Internet access is provided through the company
616 CHAPTER 15 Legislation and Organizational Policies
and is therefore their property, the company should inform users through the privacy policy of their privilege to investigate how employees are using this resource. Companies may also stipulate the privacy of client information, or those with a presence on the Web may include or create a separate policy that deals with the privacy of a visitor to their Web site. In terms of actual clients (those people with whom a company does business), the policy should state what level of privacy a client can expect. This may include the protection of client information, including information on sales, credit card numbers, and so forth. In the case of law enforcement, this might include information on a person’s arrest record that cannot be concealed under the Public Information Act and Open Records laws, personal information, and other data. For both clients and visitors to Web sites, a company may stipulate whether information is sold to third parties, which may send them advertisements, spam, or phone solicitations.
Damage and Defense Ensuring a Policy Is Legal and Can be Enforced Once a policy is written, you need to ensure that leaders in the company will support it. Authorization needs to be acquired from management before the policy becomes active, so it is established that the company backs the policy and will enforce it if necessary. Having senior management sign off on a policy ensures that users will not be confused as to whether the policy is part of the company’s vision and will result in disciplinary actions if violated. The policy also needs to be reviewed by legal council to ensure that it does not violate any laws, and that its content and wording is not misleading or unenforceable in any way. For example, many countries have legislation dealing with privacy, so it is important that whatever privacy policy you create adheres to those laws if your business operates in those countries. As with other policies mentioned here, you should have legal counsel review your policy before publishing it to the Internet or internally.
Due Care Due care is the level of care that a reasonable person would exercise in a given situation and is used to address problems of negligence. Due care may appear as a policy or concept mentioned in other policies of an organization. Put simply, an organization and its employees must be careful with equipment, data, and other elements making up the electronic infrastructure. Irresponsible use can cause liability risks for an organization, or result in termination of a careless employee. Computer software and equipment is expensive, so employers expect staff members to take care when using it. Damage caused by irresponsible use can void warranties, meaning the company must pay for any repairs. Using assets in a way they were not intended, or breaching the recommendations or agreements established in the licensing or documentation (such as the owner’s manual), are considered irresponsible
Due Process 617
uses. For example, using security software for hacking purposes or using equipment to hold open a door would be considered irresponsible. Users are expected to take reasonable levels of care when using the equipment and software that is issued to them. What is considered reasonable often depends on the equipment or software in question, but generally involves following the recommendations and best practices included in the equipment or software’s documentation. Primarily, it involves using common sense and taking care of the assets as a reasonable person would. Maintaining equipment and software is not solely the responsibility of the user; employers must also acknowledge their part in due care. Technologies need to be maintained and updated regularly. For this reason, due care policies exist for the purpose of outlining who is responsible for taking care of specified equipment. This may be an IT staff member who ensures that users have the hardware, software, and access to resources to do their jobs properly. Because technology changes, the IT staff responsible for due care needs to determine the life spans of various technologies and upgrade them after specified periods of time. Due care also applies to data. Irresponsibly handling data can destroy it, unintentionally modify it, or allow sensitive information to fall into the possession of unauthorized users. It can also result in privacy issues. Irresponsibility on the part of a company can infringe on an employee’s right to privacy, such as when information in a personnel database or permanent record can be accessed without authorization. Irresponsibility on the part of users can also result in sensitive information becoming available to unauthorized parties, such as when a salesperson e-mails a client’s credit card information over the Internet to another department or person. As will be seen in the next section, privacy policies may also be a legislated requirement of conducting business in certain industries, such as those involving health care or finance. Reasonable efforts must be made to ensure the integrity of data, including regular checks for viruses, Trojan horse attacks, and malicious programs. Efforts must also be made to deal with the possibility of problems occurring, such as maintaining regular backups of data. By setting up proper procedures for protecting data and ensuring damaged data can be recovered, a system’s integrity and security are drastically enhanced. The methods of practicing due care can be found through the recommended or “best” practices offered by manufacturers of equipment, operating systems (OSes), and other software. For example, pushing the power button on a computer will shut it down, but may also corrupt data on the machine. OS manufacturers recommend that users shut down their OS in a specific way (such as by clicking Shut Down on the Windows Start menu). For users to follow best practices for using hardware and software, they must be educated in how to practice due care.
Due Process Due process is the act of notifying an employee being notified that he or she has violated existing policies of legislation, and also refers to the employee’s right to a fair and impartial inquiry into the incident. For example, if a person were accused of a
618 CHAPTER 15 Legislation and Organizational Policies
violation of an acceptable use policy, he or she might be notified verbally and/or in writing. In some organizations or military, a tribunal or court martial might be held to address the person’s misconduct. The inquiry into the policy violation must be impartial and fair, allowing the person to defend his or herself against the alleged offense. Due process ensures that the employee’s rights have not been violated. If his or her rights were violated, it is possible that the company itself would then face litigation.
Due Diligence Due diligence refers to the practices of an organization in identifying risks and implementing strategies to protect the assets of a company. Assets can include data, equipment, employees, and other elements that are of value to the company. By practicing due diligence, the company proves that it has taken reasonable steps to prevent an incident. A policy is just a piece of paper, until it is shown to be a set of standards and rules that are valued by the company. Organizations need to show that they are diligent in upholding their policies by sharing them with employees (so they are aware of the rules), keeping them up-to-date, and enforcing them when necessary. A company can be seen as negligent if they don’t take steps to ensure that policies addressing incidents are legally binding, topical, and are enforced when necessary. In some cases, employees may be found to have violated legislation, and third parties may become involved. For example, if an employee hacked a competitor’s Web site, the person could be criminally charged. In such a situation, the company might conduct a tribunal to dismiss the person, but should also call the police to notify them of the incident. By being forthcoming when criminal violations occur, the company can show further due diligence. In doing so, they can protect themselves from litigation. Test Day Tip Don’t get confused between due care, due process, and due diligence. Due care is used to show whether a reasonable level of care was given to protect data and equipment by an individual or company. Due process is the idea that laws and legal proceedings must be fair. Due diligence shows that the company has consistently maintained and enforced their policies. In cases where policy violations occur, a fair and impartial inquiry into the incident and a person’s misconduct is held. This protects the rights of the accused, and protects the company from litigation.
Service Level Agreements Service level agreements (SLAs) are agreements between clients and service providers that outline what services will be supplied, what is expected from the service, and who will fix the service if it does not meet an expected level of performance. In short, it is a contract between the parties who will use a particular service and the people who create or maintain it. Through an SLA, the expectations and needs of all parties are clearly defined so that no misunderstandings about the system will occur at a later time.
Service Level Agreements 619
An SLA is often used when an organization uses an outside party to implement a new system. For example, if a company wanted Internet access for all its employees, they might order a wide area network (WAN) link from an Internet service provider (ISP). An SLA would be created to specify expected amounts of uptime, bandwidth, and performance. The SLA could also specify who will fix certain problems (such as the T1 line going down), who will maintain the routers connecting the company to the Internet, and other issues related to the project. To enforce the SLA, penalties or financial incentives may be specified to deal with failing or exceeding the expectations of a service. Exam Warning The Security+ exam expects that you understand that an SLA is used to establish an agreement between customers and the service provider as to the services available, and the requirements and conditions in providing them. Remember that SLAs are not only used between companies and third parties, but also as a commitment between internal IT staff and the organization’s user base.
SLAs can also be used internally, specifying what users of the network can expect from IT staff and procedures relating to the network. ■■
■■
The SLA may specify that all equipment (such as printers, new computers, and so forth) must be purchased through the IT department. If this is not done, the IT staff is under no obligation to fix the equipment that is purchased improperly. An SLA may also be used to specify the services the organization expects the IT staff to provide, to support applications that are developed internally, or to address other issues related to the computers and network making up the organization’s electronic infrastructure.
An SLA often includes information on the amount of downtime that can be expected from systems, where customers will be unable to use a Web site, server, or other software and equipment. This information usually provides the expected availability of the system in a percentage format, which is commonly called the Number of Nines. As Table 15.1 shows, the Number of Nines can be translated into the amount of time a system may be down in a year’s time. If this estimate is longer than specified in the SLA, additional losses may be experienced because employees Table 15.1 Availability Expectations (Number of Nines) Percentage Availability (%)
Allowed Downtime per Year
99.9999
32 s
99.999
5.3 min
99.99
53 min
99.9
8.7 h
99.0
87 h
620 CHAPTER 15 Legislation and Organizational Policies
are unable to perform their jobs or customers are unable to purchase items from an e-commerce site. An SLA will also provide information on coverage of services and may include estimated costs and response times for various types of issues. For example, it may state that the IT department’s Help Desk is available for calls 24 h a day, 7 days a week. In other cases, it may state that someone from the IT department will respond within a specific number of hours. The response time will often depend on the amount of staffing in the IT department, and the type of request being made. For example, a small IT staff for a large company might respond within 24 to 48 h, while a better staffed IT department might respond within hours. If the IT department charges its services back to individual departments within the company, then it may give an hourly dollar amount for specific services. An SLA serves as a commitment to customers, and provides an understanding of what is expected. The document gives focus to the service providers, giving them a firm understanding as to what their roles and responsibilities are. It can also provide customers with a catalogue of various services provided by an IT department or other service provider. Because customers and service providers have an agreement of what’s provided, when, and (in some cases) how much it will cost, it can create a more positive relationship between the parties.
Head of the Class Don’t Reinvent the Wheel Many people attempt to create policies from scratch. They spend hours or even days trying to hammer out a new policy, trying to think of everything necessary to include in the document to avoid any legal issues or loopholes. When done, they can only hope that the policy and procedures within will hold up when a problem occurs. It is better to use a policy belonging to another organization as a template. The Internet is filled with examples of policies, which you can examine and use. For example, you can find policy templates at the SANS Institute’s Web site (www.sans.org/resources/policies/) that can assist you in making policies for your own organization. In some cases, you can also ask similar organizations for copies of their policies. By reviewing a similar policy, you can determine which elements are useful to your own policy, and you may also find other issues that should be included, but that you did not think of. Also, if you use a policy that has existed for a period of time, you can minimize the risk of your policy not living up to the challenge of real world issues.
User Education and Awareness Training Education and documentation is a vital part of any secure system. Knowledgeable users can be an important line of defense, as they will be better able to avoid making mistakes that jeopardize security, identify problems, and report them to
User Education and Awareness Training 621
the necessary persons. Proper documentation is imperative to security as good diagrams, well thought out procedures, quality knowledge bases, and other papers dealing with security can be the difference in solving problems quickly. The following sections look at a number of ways to create an environment that enhances security through these methods.
Communication Communication is important to educating users on different elements of a system, and allowing them to be able to contact you in case of problems. If no one can reach you, how will you know when problems occur? Similarly, if you do not have mechanisms in place to communicate with users, how will they have the information you want them to have? Communication is the key to understanding the issues users are facing when incidents occur, and getting information to the parties that need it. To deal with issues and convey what an organization expects from users, administrators need to create a system that promotes and supports good communication. The first step to creating good methods of communication is determining what methods are available. This differs from business to business, but multiple avenues of contacting people are always available. These may include: ■■
Internal or Internet e-mail
■■
Internal phone extensions, home phone numbers, and cell phone numbers
■■
Pagers
■■
Corporate intranets and public Web sites
■■
Internal mail (memoranda) and snail mail (public postal services)
■■
■■
Public folders and directories containing documents that can be viewed by users across the network Instant messaging, text messaging, SMS, and live chat
Once all of the methods available to communicate with users are identified, the administrator can decide which ones will be used and how. Obviously administrators will want to control the ways in which users can contact them. Although you wouldn’t want to provide your personal contact information to everyone, home phone numbers, cell phone numbers, and pager numbers can be provided to certain people in an organization. For example, administrators could provide dispatchers, management, or certain departments with these numbers, so they can be contacted when major incidents occur (such as hacking attempts, server crashes, and so forth). Providing contact information for IT staff ensures that incidents will not remain unattended and possibly grow worse before the next scheduled workday. In addition to having people provide notification, administrators can configure systems to automatically contact them. Some systems provide the ability to send out alerts when certain events occur (such as a system shutdown). The system can
622 CHAPTER 15 Legislation and Organizational Policies
send an e-mail message to specific e-mail addresses, or send out messages to alphanumeric pagers. In some cases, administrators may become aware of a problem and deal with it before any of the users on the network notice. Providing contact information for general users of a network is another positive component of a communicative environment. Users should have multiple methods of contacting IT staff, so they can acquire help and notify them of problems they are experiencing. This allows users to inform administrators of a seemingly minor problem that could grow into a major one. For example, a user may complain of specific symptoms his or her computer is experiencing that are indicative of a virus infestation. Early warning through users can catch such problems at an initial stage, before any real damage is done. There are many possible methods for users to contact IT staff. Help desks are commonplace in companies, providing a single phone extension that users can call when they are experiencing problems. A designated e-mail address and voicemail are other methods of enabling users to report problems. Methods of contacting a help desk should be advertised internally, through memos, internal e-mail, or on the corporate intranet. Signatures on e-mails can be used to provide alternative methods of contacting individual users. The signature is text or a graphic that is automatically added by the user’s e-mail client software to each message sent by a person. The signature can state the name of the sender, the company phone number, an extension, fax number, business address, e-mail address, and the URL of the public Web site, along with any other information a person specifies. Not only is this useful for internal users who need to respond immediately, but also for vendors and other people external to the company.
User Awareness Users cannot be expected to follow rules if they are not aware of them. Organizations sometimes make the mistake of imposing policies and procedures while failing to provide effective methods of sharing that information. This has the same effect as if the policies and procedures were never created. User awareness involves taking steps to make users conscious of and responsive to security issues, rules, and practices. To make users aware, administrators can use a number of the communications methods previously mentioned. For example, policies and procedures can be made available on a mapped drive that everyone has access to, allowing users to double-click on files to open and review read-only copies of the policies and procedures. A corporate intranet is another common method used to provide access to documentation and information on changes. This allows users to understand what is expected of them, and how they are supposed to carry out specific tasks. If users are kept informed, they will be more open to the rules imposed on them. If users are aware of the rules and practices but are unaware of their importance, they may view these methods as bothersome and not follow them adequately. For example, the administrator may implement a mandatory policy forcing users to change their passwords every 30 days to a new password that has not been used by them before. Users may balk at having to make such changes every month, especially at times when
User Education and Awareness Training 623
they forget their new passwords. If the administrator informs the users that this will protect their data and private information, they understand that doing so is in their best interest, and will be more willing to cooperate. Users should be made aware of how they can assist in security issues, so that mistakes made on a user level do not impact the network as a whole. They should know how to change their passwords to strong passwords, as discussed earlier in this chapter. They should also be aware that procedures must be followed when security changes are needed. A common problem in organizations is that users share passwords with one another to provide another person access to certain systems or data. By logging on as another person, an unauthorized user will appear as the actual user and be able to send e-mail, make mistakes, or perform malicious actions. Members of an organization must know that they are responsible for anything done with their accounts, and that security change requests must be made to the network administrator. It is also important that administrators inform users of events that do not require their active participation, but will impact them directly. When creating a secure environment, the administrator needs to perform upgrades on server software, update equipment, and other tasks that will affect the network. When the network is affected, the users are affected. Servers may be shut down for maintenance, generator tests might cause momentary losses of power, or other events can occur that affect a user’s ability to work. When performing such tasks, administrators should inform users, so they will know what is happening and can make arrangements to continue working. Bulk e-mail or broadcast messages should be sent to all users, informing them of what will occur and how long it will affect them. When users are involved and aware of what is going on, they are better able to deal with these events. An added benefit of informing users about when upgrades to software and hardware will occur is that they can provide information on problems that occur afterwards. At times, service packs and patches to software on a server can result in unexpected problems. If users are unaware that these changes have occurred, or if they are unaware of the need to report possible problems, the administrator may think that the update was successful and without incident when in effect it was not.
Education Educating users is the primary method of promoting user awareness and improving the skills and abilities of employees. When users are taught how and why certain activities need to be performed, they are generally more willing and better able to perform those tasks. In addition to enhancing work performance, education also provides the added benefit of lowering support costs, as users who are able to fix simple problems will not be as likely to call the help desk for assistance. In terms of security, users who know how to perform certain tasks properly are less likely to unknowingly put security at risk. Users who have an understanding of confidentiality and nondisclosure policies will not be as likely to reveal sensitive information, transmit classified data over the Internet, or provide access to unauthorized users. In addition, users who know how to change their passwords monthly know that
624 CHAPTER 15 Legislation and Organizational Policies
they should not use previously used passwords, and they understand that creating strong passwords will also make the system more secure. Because users are often the largest, least controlled variable in network security, education makes this variable more stable so that they are less likely to perform actions that compromise security. Educating users is commonly done through training sessions. This can be done in a classroom setting or one-on-one. In many other situations, training handouts are given to new hires that detail how certain actions are performed, and procedures that should be followed. These handouts can be referred to when needed, but may prove disastrous if this material falls into the wrong hands. In either case, a designated trainer or member of the IT staff teaches users the proper methods and techniques that should be used to perform their jobs. As will be seen in the next section, online resources can also be a practical approach to educating users.
Notes from the Field Educating People on What Not to Do With so many people having computers and Internet access at home, users of a company network not only need to be educated on what to do, but also on what not to do. Many users may have installed software, printers, or modified settings on their home PCs. In many cases, they will even use the same OS at home as is used at work. Because they have done certain tasks successfully at home, they may assume that they are able to, and have permission to perform the same actions on network computers at work. Because the systems may be locked down or have unique configurations, a user’s actions could cause the system to function in an unexpected manner (or not at all). Users must be taught that they are not allowed to perform certain actions on the Internet, use equipment for personal use, install software or hardware without permission, or perform any other actions restricted by policy. For example, a user owned a computer business outside of work. Because he felt he was an expert in computers, he decided to install software on a company machine, not realizing that it was locked down to prevent reconfiguration. Only part of the software installed before the installation failed. “Expert” that he was, he thought the problem was with that particular computer, so he proceeded to try installing it on other machines. The partial installations caused conflicts on these machines. When told of the problem, this person still did not comprehend why users were not allowed to install software. He argued that he should be given the administrator password so that he could install software and fix problems. Although the problem was partially ignorance, a larger issue was the arrogance and unwillingness to understand what he was not allowed to do. It is important to remember that in the wrong hands, a little knowledge can be a dangerous thing. Users can be dangerous if they have too much knowledge of a system, just as they can be if they have too little. If they have proper access, users may attempt to perform unauthorized actions using information that was passed along to them. Security is always a tradeoff, so administrators need to be careful as to what information they pass onto users of their network. As mentioned earlier in this chapter, security policies may be used to control a user’s actions by specifying what they can and cannot do on a system.
Security-Related HR Policies 625
Online Resources With the resources available on a local network, it would be remiss not to include them in the scheme of providing education and access to documentation. Policies, procedures, and other documentation should be available through the network, as it will provide an easy, accessible, and controllable method of disseminating information. For example, administrators can make a directory on a server accessible to everyone through a mapped drive, allowing members of an organization to view documents at their leisure. A directory that is only accessible to IT staff can also be used to provide easy access to procedures, which may be referred to when problems arise. By using network resources this way, members of an organization are not left searching for information or left unaware of its existence. Many companies utilize Web technologies internally to provide a corporate intranet for members of the organization. Sections of the internal Web site may be dedicated to a variety of purposes, for example, providing read-only copies of policies, procedures, and other documentation. A section of the site may even provide access to interactive media, so that users can train themselves by viewing PowerPoint presentations, AVI and MPEG movies, and other resources for self-training. IT staff and support specialists can also benefit from online resources. No one in the field of computer technology knows about every piece of software or hardware created. There are too many current and legacy systems to understand, so relying on the expertise of others is important. When in doubt, consulting resources on the Internet can be essential to solving problems correctly. Knowledge bases are databases that provide information on the features of various systems and solutions to problems that others have reported. For example, if a user were experiencing a problem with Microsoft software, they could visit their knowledge base at http://support.microsoft.com. If they were experiencing problems with Novell software, they could visit their knowledge base at http://support. novell.com. Many software and hardware manufacturers provide support sites that contain valuable information. Not using these sites when needed is a mistake. Manufacturers’ Web sites are also valuable to the security and effectiveness of a network and its systems, as they provide service packs and patches. Service packs and patches are software that fixes known problems and security vulnerabilities. Failing to install these may cause certain features to behave improperly, or leave a system open to attacks from hackers or viruses.
Security-Related HR Policies Human Resources (HR) departments deal with a large variety of issues and need to work closely with IT departments to ensure that the security needs are met. HR performs such tasks as hiring, firing, retirement, and transferring employees to different locations. HR also maintains personnel files of employees and may be responsible for assisting in the distribution of identification cards, key cards, and other items relating to security. Because of the tasks they each perform, it is important that good communication exists between HR and IT staff.
626 CHAPTER 15 Legislation and Organizational Policies
Upon hiring a person, HR may be responsible for issuing ID cards designed by IT staff, which are used to identify employees. This is important to physical security in the building, as the cards provide visual recognition of who is supposed to be in certain areas. HR may also be responsible for issuing key cards. When a person is hired or experiences a change in employment with an organization, HR needs to notify the network administrator so that network access can be administered accordingly. Without a proper HR policy, network administrators will be uninformed of changes and will be unable to perform these tasks. Adding or revoking passwords, privileges, and changes in a person’s employment status can affect the person’s security needs dramatically. A person may need to have a network account added, disabled, or removed, and other privileges (such as access to secure areas) may need to be modified. As will be seen in the following paragraphs, adding or revoking passwords, privileges, and other elements of security may need to occur under such circumstances as: ■■
Resignation
■■
Termination
■■
New hires
■■
Changes in duties or position within the company
■■
Investigation
■■
Leave of absence
HR plays an important role in the security, as they need to contact the IT staff immediately of a person’s employment status. When a person is hired, HR needs to contact the IT staff to set up a new network account and password for the person as well as the necessary privileges to access systems and data. In addition, the employee may need a corporate ID card, keycard, or other items necessary for the job. When a person’s employment is terminated, they either quit the company, or are suspended, or are under investigation, it is equally important to immediately remove any access they have to the system. Keeping a person’s account and password active allows them to continue to access systems and data. If a terminated person has an active keycard and ID, they are also able to enter secure locations. In both cases, the person will have the ability to cause massive damage to a company, so network accounts should be immediately disabled or deleted, and ID and keycards should be removed from the person’s possession or at least rendered inactive. Disabling accounts and passwords should also occur when a person is away from a job for extended periods of time. When people are away from the job on parental leave, sabbaticals, and other instances of prolonged absence, they do not need their accounts to remain active. To prevent others from using the person’s account while they are away, the account and password should be disabled immediately after the person leaves. When employees are hired, change jobs, or have modified duties, their needs for network access also change. When setting up network privileges, it is important
Summary of Exam Objectives 627
that employees only receive the minimum access necessary to do their jobs. Any additional access is a security risk, as they could purposefully or accidentally view, modify, or delete important data or improperly make changes to a system. A good method of determining what level of security a person needs is to match the new person’s security level to that of someone else in the same job, or to use the same settings as the employee that is being replaced by the new employee. It is also important to determine whether a person was issued any equipment that belongs to the company that should be returned. If a person was issued a laptop, wireless handheld device, mobile phone, pager, or other equipment, the items belong to the company and must be returned. Failure to do so could be considered theft, and may leave the former employee open to prosecution.
Code of Ethics Many companies have a code of ethics, or a statement of mission and values, which outlines the organization’s perspective on principles and beliefs that employees are expected to follow. Such codes generally inform employees that they are expected to adhere to the law, the policies of the company, and other professional ethics related to their jobs. As is the case with acceptable use policies, many companies require employees to sign a code of ethics as an agreement. Anyone failing to adhere to this code could face dismissal, disciplinary actions, or prosecution.
Summary of Exam Objectives Policies provide information on the standards and rules of an organization, and are used to address concerns and identify risks. They are used to provide a reference for members of an organization, and are enforced to ensure that they are followed properly. Procedures provide instructions on how policies are to be carried out and may also be used to inform users on how to perform certain tasks and deal with problems. When used in an organization, policies provide a clear understanding of what they expect from employees and how issues are to be handled. There are many different types of policies that may be used within an organization. An acceptable use policy establishes guidelines on the appropriate use of technology, a code of ethics outlines proper behavior, and privacy policies provide an understanding of the level of privacy employees and/or customers can expect from a company. Many other policies may also be created, based on the needs and expectations of the organization. It is important that employees are aware of these policies, so they understand their rights according to the policy and what is expected of them. User education and awareness provide people with the ability to perform actions securely, identify problems, and report issues to the necessary persons. Proper documentation should contain step-by-step procedures, diagrams, and other information necessary to perform tasks and solve problems. Different methods of communication
628 CHAPTER 15 Legislation and Organizational Policies
should be provided to allow users to contact the administrator when needed, or for the administrator to educate them on different issues. By implementing different methods of reaching users, the administrator can make them aware of problems and proper procedures.
Exam Objectives Fast Track ■■
■■
■■
■■
■■
■■
■■
■■
■■
■■
■■
■■
■■
Policies address concerns and identify risks, while procedures provide guidance on how these issues are to be addressed. Disposal and destruction policies address how data and equipment are to be properly disposed of or destroyed after they are no longer of use, outdated, or past a specified retention date. An acceptable use policy can be signed by employees and serve as a contract acknowledging how equipment and technology is to be properly used. Password management involves enacting policies that control how passwords are used and administered. Passwords are combinations of letters, numbers, and special characters that are used to authenticate a person logging onto a system. The more complex the password, the harder it is to crack. Strong passwords consist of a combination of lower case letters (a through z), upper case letters (A through Z), numbers (0 through 9), and special characters (({}[],.<>;:’”?/|\`~!@#$%^&*( )_−+=). Biometric authentication uses a measurable characteristic of a person to control access. This can be a retinal scan, voiceprint, fingerprint, or any number of other personal features that are unique to a person. Change documentation can provide valuable information, which can be used when troubleshooting problems and upgrading systems. Mandatory vacation policies are used to control how and when people are able to take off time from work. Separation of duties involves each person having a different job, thus allowing each to specialize in a specific area. It is a common occurrence in secure environments, as it ensures that the tasks are assigned to personnel in a manner that no single employee can control a process from beginning to end. PII is private information that identifies you, members of your organization, and your clients. Privacy policies address the level of privacy that employees and clients can expect, and an organization’s perspective of what is considered private information. Due care is the level of care that a reasonable person would exercise in a given situation and is used to address problems of negligence.
Exam Objectives Frequently Asked Questions 629
■■
■■
■■
■■
■■
■■
■■
Due process is the act of notifying an employee that he or she has violated existing policies of legislation and also refers to the employee’s right into a fair and impartial inquiry into the incident. Due diligence refers to the practices of an organization in identifying risks and implementing strategies to protect the data, equipment, and other assets of a company. SLAs are agreements between clients and service providers that outline what services will be supplied, what is expected from the service, and who will fix the service if it does not meet an expected level of performance. Classification is a scheme that allows members of an organization to understand the importance of information and is less likely to leak sensitive information. Educating users is the primary method of promoting user awareness, and improving the skills and abilities of employees. By teaching users how and why certain activities need to be performed, they are generally more willing and better able to perform those tasks. HR policies deal with issues related to employees. HR department perform such tasks as hiring, firing, retirement, and transferring employees to different locations, so it is important that policy stipulates that network administrators are informed of changes so proper changes can be made to user accounts. A code of ethics is a statement of mission and values, which outlines the organization’s perspective on principles and beliefs that employees are expected to follow.
Exam Objectives Frequently Asked Questions Q: I’m concerned that a user may be using e-mail for non–work-related use, and may be sending confidential information over the Internet. What policy would allow me to audit the content of his e-mail? A: A privacy policy can stipulate that corporate e-mail accounts are the property of the company, and any e-mail sent or received with these accounts can be audited at any time. Q: We are replacing the servers on our network and have formatted the hard disks. Isn’t this enough to remove the data, so that we can now dispose of the equipment? A: No. There are data recovery and forensic tools that can recover the data from a hard disk, even after you’ve formatted it. To ensure that data is completely removed, you should use software that will overwrite every sector of the disk. Q: When secretaries take a vacation, they tend to give their temporary replacement their password. They believe it is easier to simply share the password
630 CHAPTER 15 Legislation and Organizational Policies
than contact the network administrator. How can we maintain security with people sharing passwords like this? A: Contact HR and have them notify you when these users take their vacations. When the user goes on vacation, temporarily disable the person’s account. This will force the temporary employee to go through the procedure of getting proper access.
Self Test
1. You are developing a policy that will address that hard disks are to be properly erased using special software, and that any CDs or DVDs are to be damaged by scarring or breaking them before they are thrown away. It is the hope of the policy that any information that is on the media will not fall into the wrong hands after properly discarding them. What type of policy are you creating? A. Due care C. Acceptable use policy B. Privacy policy D. Disposal and destruction policy
2. An organization has just installed a new T1 Internet connection, which employees may use to research issues related to their jobs and send e-mail. Upon reviewing firewall logs, you see that several users have visited inappropriate sites and downloaded illegal software. Finding this information, you contact senior management to have the policy relating to this problem enforced. Which of the following policies would you recommend as applicable to this situation? A. Privacy policy C. HR policy B. Acceptable use policy D. SLAs
3. You are configuring OSes used in your organization. Part of this configuration involves updating several programs, modifying areas of the registry, and modifying the background wallpaper to show the company’s new logo. In performing these tasks, you want to create documentation on the steps taken, so that if there is a problem, you can reverse the steps and restore systems to their original state. What kind of documentation will you create? A. Change control documentation B. Inventory C. Classification D. Retention and storage documentation
4. You are concerned about the possibility of hackers using programs to determine the passwords of users. You decide to create a policy that provides
Self Test 631
information on creating strong passwords and want to provide an example of a strong password. Which of the following is the strongest password? A. Strong B. PKBLT C. ih8Xams! D. 12345
5. In your organization, users in similar positions often give each other their passwords. This is a common practice when a user goes on vacation and another user temporarily takes over that person’s job. There is a corporate policy that prohibits this practice, but it still goes on. Currently, users are required to use alphanumeric combinations for their passwords, but don’t have other restrictions on their passwords due to the previous network administrator’s belief that frequent changes will cause users to forget their passwords. Which of the following will you implement to prevent unauthorized users from indefinitely using known passwords? A. Set a policy that forces users to use strong passwords B. Set a policy that forces users to change their password once every 60 days C. Require users to use PINs D. Use SecureID tokens for remote logons, so that it requires users to enter a PIN that is synchronized with the server and changes frequently
6. Your organization uses its intranet to disseminate information to employees. Part of the intranet includes an employee database, so that users can look up the name, department, and phone extension of members of the organization. For morale purposes, birthdates of employees are available to view with this information, so that other employees can wish them a happy birthday. Employees also have the capability to post their own information on blogs allowing social networking between users. Users have used this information to post information on corporate softball tournaments, previous employment experience within the organization, and other information. Which of this information is PII that should be removed? A. Blogs B. Employee database information that provides the full name of employees C. Employee database information that provides the date of birth D. Employee database information that provides departments and work extensions
7. You are developing a new password policy for your company, and identifying elements that should be included to control unauthorized users guessing a user’s password. Which of the following will you include in your policy?
632 CHAPTER 15 Legislation and Organizational Policies
A. Allow users to change their passwords to something similar, so they are less likely to forget the new passwords B. Passwords should not expire after a specified number of days and can be reused C. Passwords should be used on their own, and not part of a multifaceted security system D. Passwords should automatically expire every 45 to 90 days
8. An organization has decided to implement a policy dealing with the disposal and destruction of data and other materials that may contain sensitive information. They have consulted you to determine what elements should be included in the policy. Which of the following will you tell them? A. Data on hard disks should be deleted before hard disks are disposed of B. Hard disks should be shredded before being disposed of C. Nonclassified materials, such as media releases, should be shredded before being disposed of D. Classified documents should be shredded before being disposed of
9. An employee complains that his or her coworker has pornography on his or her computer. Upon investigating, IT staff finds illegal pornography on the hard drive of his or her workstation. There is a concern that the employee who made the complaint may file a law suit against the company for it being a hostile workplace on these grounds. The company further tries to protect itself by calling the police and suspending the employee from work until an internal inquiry is conducted. Which of the following is being practiced here? A. Change control B. Due care C. Due diligence D. Due process
10. An employee has accessed a social networking site and made some complaints about his or her job on a blog. In doing so, he or she has violated an internal policy that prohibits the company’s equipment from being used for personal use. Because the policy has been violated, the person is told that he or she will need to go before an internal tribunal and is informed of his or her rights in the matter. Which of the following has been practiced? A. Change control C. Due process B. Due care D. Due diligence
Self Test 633
11. You are preparing to destroy a selection of CD-Rs that have been previously used to store sensitive data. Which of the following will you do to ensure that the data is destroyed? A. Delete the files and erase the data from the CDs B. Use a degausser C. Scrape the CD so the data layer is removed D. Throw away the CD 12. You are the administrator of a network running Novell NetWare and are having problems with a server’s ability to connect to other servers. The server was able to connect to the network before you installed a recent bug fix. After attempting to solve the problem, you decide to check and see if anyone else has had this problem. Where is the best place to find this information? A. The manual that came with the server B. The vendor’s Web site C. Service pack D. Microsoft knowledge base 13. Your organization wants to control the distribution of documents. In doing so, they plan to classify the documents so that only those who are specifically meant to view the documents are allowed to do so. In creating this system, which of the following would you use to specify that anyone internal to the organization can view the document, but limit public dissemination? A. Classified B. Unclassified C. Confidential D. Department specific 14. You are concerned about the possibility of sensitive information developed by your company being distributed to the public and decide to implement a system of classification. In creating this system, which of the following levels of classification would you apply to sensitive information that is not to be disseminated outside of the organization? A. Unclassified C. Public B. Classified D. External
634 CHAPTER 15 Legislation and Organizational Policies
15. Changes in the law now require your organization to store data on clients for 3 years, at which point the data are to be destroyed. When the expiration date on the stored data is reached, any printed documents are to be shredded and media that contains data on the client is to be destroyed. What type of documentation would you use to specify when data is to be destroyed? A. Disaster recovery documentation B. Retention policies and logs C. Change documentation D. Destruction logs
Self Test Quick Answer Key 1. 2. 3. 4. 5.
D B A C B
6. 7. 8. 9. 10.
C D D D C
11. 12. 13. 14. 15.
D B B B B
Appendix: Self Test Chapter 1: Systems Security Overview
1. You are analyzing the current security of your network and are concerned about the possibility that users will bypass authentication and gain greater permissions than they were given. What are the two major causes of privilege escalation? Choose all that apply. A. Bugs in software C. Backdoors B. Spyware D. BIOS Correct Answers and Explanations: A and C. Bugs in software and backdoors are two major causes for privilege escalation. Privilege escalation occurs when a user acquires greater permissions and rights than he or she was intended to receive. This can occur as a result of bugs (which are errors in code) or backdoors in software (which can bypass normal authentication). I ncorrect Answers and Explanations: Answer B is incorrect because Spyware is used to monitor a system and send data to a third party. Answer D is incorrect because the BIOS is low-level software on a computer that’s used for recognizing and configuring hardware on a computer and starting the machine.
2. A user reports that his machine frequently crashes, and that he believes someone has accessed his e-mail account with his password. He has performed an antivirus scan on his computer and it is clean. What other likely culprit is behind the attack? A. A worm C. A Rootkit B. A Trojan horse D. A logic bomb Correct Answer and Explanation: C. A rootkit, since they are designed to hide themselves from the OS and antivirus scans. I ncorrect Answers and Explanations: Answers A, B, and D are incorrect since they can all be detected by a virus scan.
635
636 Appendix: Self Test
3. You open a Microsoft Word document and notice that other files you have open suddenly close. When you reopen these files, you find that the information in them has been modified. The same behavior doesn’t occur when other programs are used. What type of virus has probably infected your system? A. Parasitic C. Boot sector B. Data file D. A logic bomb Correct Answer and Explanation: B. A data file virus can open, manipulate, and close data files. Data file viruses are written in macro languages and automatically execute when the legitimate program is opened. A well-known type of data file virus is a macro virus, which can be embedded in such files as Microsoft Office documents and spreadsheets. Incorrect Answers and Explanations: Answers A, C, and D are incorrect because the symptoms indicate a macro virus is at work. Answer A is incorrect because a parasitic virus infects executable files or programs in the computer. This type of virus typically leaves the contents of the host file unchanged but appends to the host in such a way that the virus code is executed first. Answer C is incorrect because bootstrap sector viruses live on the first portion of the disk, known as the boot sector (this includes both hard disks and other removable media). This virus replaces either the programs that store information about the disk’s contents or the programs that start the computer. Answer D is incorrect because multipartite viruses combine the functionality of the parasitic virus and the bootstrap sector viruses by infecting either files or boot sectors.
4. A programmer has recently been fired from the organization. On the programmer’s next birthday, your server suddenly locks up. Upon investigating, you find that there have been numerous Registry changes, and system files have been deleted by a service created by the dismissed programmer. What has a ffected your system? A. Nothing. Programs often modify Registry settings. B. Link C. Boot sector D. Logic bomb Correct Answer and Explanation: D. A logic bomb is malware that is designed to execute and do damage when a condition is met. In this case, the program at fault is one that matches the birthday of a dismissed employee. The logic bomb can be a hidden function in a program that goes off on a specific date, when a command has or hasn’t been sent to it, or other conditions.
Chapter 1: Systems Security Overview 637
Incorrect Answers and Explanations: Answer A is incorrect because while programs may make Registry changes, there is no reason why it should have deleted system files. Answer B is incorrect because a link virus modifies the way an OS finds the program, and there is no indication that this has happened in this scenario. Answer C is incorrect because bootstrap sector viruses live on the first portion of the disk. In this scenario, it has been found that a service created by an employee has been used to modify the Registry and delete system files.
5. You have installed a new program on your computer. The software doesn’t cost anything, but it does display intermittent advertisements for products in a corner of the screen. After installing, you notice that there is a sudden increase in received data across your Internet connection, although there is no real increase in data being sent. You’re not using your Web browser, e-mail software, or other Internet applications, so you’re concerned whether the new program is sending data over the Internet. Which of the following has most likely been installed? A. Virus C. Adware B. Antivirus D. Worm Correct Answer and Explanation: C. Adware is a type of software that uses advertising to fund development, thereby allowing users to use the program for free. Incorrect Answers and Explanations: Answers A, B, and D are incorrect. No other problems appear to be occurring on the computer, so it is unlikely that it is a virus or worm. Antivirus software is used to protect against viruses, worms, and other malicious code, so this isn’t an issue. The application is displaying advertisements, which are likely being downloaded across the Internet, which explains the increase in received data across your Internet connection. There are no other indications that anything is amiss with the system.
6. What are good ways to protect against worms? (Select all that apply.) A. User education programs C. Timely software patches B. Correct firewall configuration D. Antivirus scans Correct Answers and Explanations: B and C. Firewalls can prevent ports like SQL and NetBIOS from being available and usable to worms. Most worms use known vulnerabilities, so timely patches will defend against them. Incorrect Answers and Explanations: Answer A is incorrect as worms do not require user intervention, and so user education doesn’t affect them. Answer D is incorrect as a worm is not resident, and so can only be detected in memory, where it already has infected the machine.
638 Appendix: Self Test
7. You receive an e-mail warning you about a virus, stating that if a Windows XP computer contains the file mstsc.exe, you have been infected with the virus. As such, you should delete that file and a series of others. In searching the Internet, you find information that this is a normal Windows file. What type of virus is this? A. Link C. Data file B. Companion D. Hoax Correct Answer and Explanation: D. The file mstsc.exe is used to connect to terminal servers or remote computers. This is a normal file on Windows computers. Because the warning provides instructions on how to remove a normal Windows file, it is a hoax virus. Hoax viruses are inauthentic warnings of viruses. I ncorrect Answers and Explanations: Answer A is incorrect. Link viruses function by modifying the way the OS finds a program, tricking it into first running the virus before the desired program. Answer B is incorrect because a companion virus creates a new program with the same name as an already existing legitimate program. It then tricks the OS into running the companion program, which delivers the virus payload. Answer C is also incorrect. A data file virus is a macro virus that automatically executes when a program is opened.
8. A user has a laptop computer that normally isn’t connected to the network. She complains that her computer has slowed down considerably, and certain programs on the machine no longer open. She ran her antivirus program, but it found nothing. You establish a remote connection to the computer so that you can view what’s installed on the laptop, and see that she has antivirus software installed and running. When you map a drive letter to the laptop and run the antivirus software on your computer, you find several viruses have infected the laptop. Why are you able to find the viruses but not her? A. The antivirus software on her laptop hasn’t been updated with the latest signature files. B. It is a hoax virus. C. You are getting a false positive. The virus must be on your machine and not the laptop, because you can’t scan mapped drives with antivirus software. D. She didn’t have antivirus software installed or running on her machine. Correct Answer and Explanation: A. The antivirus software on her laptop hasn’t been updated with the latest signature files. If the signature files haven’t been updated, it would be unable to detect any viruses that have been released since the last time it was updated.
Chapter 1: Systems Security Overview 639
I ncorrect Answers and Explanations: Answer B is incorrect because if it were a hoax, it would not be detected by antivirus software. Answer C is incorrect because you can scan a mapped drive with antivirus software. Answer D is incorrect because the scenario stated that she has antivirus software running.
9. You are configuring a firewall to block certain file types from being attached to incoming e-mail. When the e-mail reaches the firewall, you want these files to be removed from the e-mail, so that only the message reaches the user on your network. Which of the following file extensions are associated with executables that are commonly targeted by viruses and should be removed? Choose all that apply. A. .doc C. .exe B. .com D. .reg Correct Answers and Explanations: B and C. Files with the extension .exe and .com are executable files. Files with the .exe extension are executable binary files. These are programs that can be loaded into memory, and provide various functions and execute commands automatically or with user intervention. Files with the .com extension are command files that are binary executables, similar to files with the extension .exe. I ncorrect Answers and Explanations: Answers A and D are incorrect because they are not executables. Files with the extension .doc are Word documents. Although they may be infected with macro viruses, they are not executables. Files with the .reg extension are registry extracts, which contain settings that are applied to the Windows Registry.
10. Your company’s Web server suddenly gets tens of thousands of simultaneous requests for a Web page. After the Web server crashes, you restart the server and then take a look at the log files. You see that some of the requests came from your own network. What kind of attack has most likely happened? A. Rootkit C. Virus B. Botnet D. Worm Correct Answer and Explanation: B. Computers have been turned into zombie machines after being infected with bots. The bot herder can then send commands to these machines to make requests from a specific Web site, preventing the server from serving legitimate requests from Web site users. When you attempt to view who caused the attack, it will only show those who have been infected with the bot. I ncorrect Answers and Explanations: Answer A is incorrect because a rootkit is used to acquire elevated permissions to a computer. Answers C and D are incorrect because computers infected with a virus or worm wouldn’t make tens of thousands of computers suddenly visit a Web site.
640 Appendix: Self Test
11. You have purchased a used computer in an auction. When you power-on the computer, you are asked for a password before the OS even loads. Since you don’t have it, how will you clear the password so that you can start the computer and begin using it? A. Clear the password in the CMOS settings B. Flash the BIOS C. Press F10 or DEL on the keyboard D. There is nothing you can do if you don’t have the power-on password Correct Answer and Explanation: B. Flash the BIOS. By flashing the BIOS, you are erasing the existing settings by updating the BIOS software. I ncorrect Answers and Explanations: Answer A is incorrect because (although power-on passwords are set in the CMOS editor) you can’t start the CMOS editor until you’ve entered the power-on password. Answer C is incorrect because pressing keys on the computer won’t help in this situation, unless of course you’re entering the password. Answer D is incorrect because you can flash the BIOS to reset all of the settings, and clear the power-on password. 12. You have heard that upgrading the BIOS on a computer can help to fix any bugs and provide new features. You download a new BIOS version and begin the upgrade. Everything seems to go well, and you recycle the power on the computer. It doesn’t start but produces a blank screen. What is most likely the cause of the computer not starting? A. The wrong BIOS version was installed. B. There was a power outage during the upgrade. C. The CMOS editor needs to be reconfigured. D. You should never flash the BIOS as it will cause the computer to fail. Correct Answer and Explanation: A. The wrong BIOS version was installed. Flashing the BIOS with a version that was meant for another motherboard can cause all sorts of problems, including the BIOS not being able to start the computer. When flashing the BIOS, it is important that the correct version for your computer is used. I ncorrect Answers and Explanations: Answer B is incorrect because (although a power outage would cause the BIOS upgrade to fail) the scenario says that everything seemed to go well during the upgrade. Answer C is incorrect because correctly flashing the BIOS will clear any CMOS settings, restoring them to default settings. This wouldn’t affect the computer not starting. Answer D is incorrect because you can flash the BIOS to upgrade it.
Chapter 1: Systems Security Overview 641
13. Your company has started issuing USB flash drives to employees. Employees now use the devices to copy data from their home computers, insert them into computers used by other businesses, and so on. Members of the sales team and others who deal with outside organizations need this removable storage, so they can obtain copies of specifications, orders, and so on. In copying files from computers outside of your network, you’re concerned about viruses. Which of the following should you do to ensure that users can benefit from the functionality of their flash drives, while protecting the network from any viruses? A. Turn off autoplay on Windows computers used by your company B. Disable USB ports on any computers attached to your network C. Set write-protection on the flash drive so that viruses can’t be written to the device D. Create a policy that prohibits users from copying data outside of the organization to flash drives Correct Answer and Explanation: A. Turn off autoplay on Windows computers used by your company. This is the feature that will start any programs on media inserted into drives or USB ports automatically. Turning off the autoplay feature can prevent an infected program from being executed as soon as Windows reads the disk or device. In addition to this, any USB storage devices should be scanned with up-to-date antivirus software before any files are opened. I ncorrect Answers and Explanations: Answer B is incorrect because disabling the USB ports on network computers will prevent users from using the flash drives and any other USB devices. Answer C is incorrect because setting write protection will prevent files, as well as viruses from being written to the disk. If users know how to switch off write protection, the users can still use the flash drive, allowing files (including those that are infected with virus) to be copied onto the media. Answer D is incorrect because this will prohibit users from using the flash drives for work purposes. 14. You are planning to implement removable storage devices in your organization. Before doing so, your boss wants you to provide information on various types of removable media that users can use to read, write, and rewrite data to. Which of the following storage devices will you discuss? A. Hard disks C. DVD-R B. CD-R D. Flash memory card Correct Answer and Explanation: D. Flash memory cards can be used to store and transfer varying amounts of data. Memory cards have typically ranged from 8 to 512 MB, but new cards are capable of storing more than 8 GB of data.
642 Appendix: Self Test
Incorrect Answers and Explanations: Answer A is incorrect because hard disks are not removable media. Answers B and C are incorrect because a CD-R and DVD-R are Write Once, Read Multiple and aren’t capable of having data on them rewritten. 15. You need to migrate 40 GB of data from a hard disk to removable media. You want to ensure that all of the data is stored on a single disc or media. Which of the following will you use? A. Blu-Ray C. CD B. DVD D. Disk Correct Answer and Explanation: A. A single-layer Blu-Ray disc can store up to 25 GB of data, whereas a dual-layer Blu-Ray disc can store up to 50 GB of data. Incorrect Answers and Explanations: Answer B is incorrect because a DVD is capable of storing 4.7 to 17 GB of data. Answer C is incorrect because a data CD is only capable of storing 700 MB of data. Answer D is incorrect because a floppy disk is only capable of storing 1.44 MB of data.
Chapter 2: OS Hardening
1. You have a computer and through a portscan discover that port 25 is enabled. This computer is used for file and print services only. What should you do? A. Disable SMTP C. Disable IIS B. Disable POP D. Port 25 should be enabled Correct Answer and Explanation: The answer is A. Answer A is correct because the port for SMTP is 25. I ncorrect Answers and Explanations: Answer B is incorrect because POP is not on port 25; it’s usually 110. Answer C is incorrect because IIS will use port 80 and port 443 by default for HyperText Transfer Protocol (HTTP) and HyperText Transfer Protocol Secure (HTTPS). Answer D is incorrect because port 25 has nothing to do with file and print services.
2. You have a computer and through a portscan discover that port 25 and port 80 are enabled. This computer is used for serving Web pages only. What should you do? A. Disable SMTP C. Disable IIS B. Disable POP D. Port 25 and 80 should be enabled orrect Answer and Explanation: The answer is A. Answer A is correct C because the port for SMTP is 25. I ncorrect Answers and Explanations: Answer B is incorrect because POP is not on port 25; it’s usually 110. Answer C is incorrect because this is
Chapter 2: OS Hardening 643
a Web server and port 80 should be open in order for IIS to serve Web pages. Answer D is incorrect because port 25 has nothing to do with file and print services.
3. You notice port scans on a Web server. The server processes both secure and insecure pages. What steps can you take to help secure the OS? A. Enable port 80, disable all other ports B. Enable port 443, disable all other ports C. Enable port 25, disable all other ports D. Enable port 80, 443, and 25, disable all other ports E. Enable port 80 and 443, disable all other ports orrect Answer and Explanation: The correct answer is E. Since Web C services use port 80 and 443, they should be enabled. I ncorrect Answers and Explanations: Answer A is incorrect because this would not allow users to browse secure pages. Answer B is incorrect because this would not allow users to browse nonsecure pages. Answer C is incorrect because port 25 is SMTP, which has nothing to do with browsing Web pages. Answer D is incorrect, since port 25 is SMTP, which has nothing to do with browsing Web pages. This would work; however, it would not result in a secure system since an unused port or service would be available.
4. What port does SNMP use? A. Port 80 B. Port 25
C. Port 161 D. Port 443
orrect Answer and Explanation: The answer is C. Answer C is correct C because SNMP uses port 161. I ncorrect Answers and Explanations: Answer A is incorrect, as this is the standard port for nonsecure Web pages. Answer B is incorrect, since port 25 is SMTP. Answer D is incorrect, as this is the standard port for secure Web pages.
5. As part of the overall OS hardening process, you are disabling services on a Windows server machine. How do you decide which services to disable? A. Disable all services, and then re-enable them one by one B. Research the services required and their dependencies, then disable the unneeded services C. Leave all services enabled, since they may be required at some point in the future D. Disable all workstation services
644 Appendix: Self Test
orrect Answer and Explanation: The correct answer is B. Answer B C makes the most sense, and this will result in the most secure system, while enabling only the services and dependencies needed. I ncorrect Answers and Explanations: A is incorrect. This may work; however, it will not result in the most secure system. Answer C is incorrect. This would result in a system that is not as secure as it could be. Services that are not being used could be left enabled, allowing more surface area for a hacker to attack. Answer D is incorrect. This would result in a system that is not as secure as it could be. Services that are not being used could be left enabled, allowing more surface area for a hacker to attack. Some of the workstation services may be required to perform the functions the server needs to perform.
6. You are configuring a server to be used for IIS. You have disabled all unused services. All access to the server will be through secure pages using HTTPS. What port should you enable? A. Port 80 C. Port 161 B. Port 25 D. Port 443 orrect Answer and Explanation: The correct answer is D. Port 443 is C the default port for secure Web pages. I ncorrect Answers and Explanations: Answer A is incorrect. Port 80 is generally used for nonsecure Web pages. Answer B is incorrect. Port 25 is used for SMTP, which is not required for secure Web pages. Answer C is incorrect. Port 161 is used for SNMP which is not required for secure Web pages.
7. Robby is preparing to evaluate the security on his Windows XP computer and would like to harden the OS. He is concerned as there have been reports of buffer overflows. What would you suggest he do to reduce this risk? A. Remove sample files B. Upgrade his OS C. Set appropriate permissions on files D. Install the latest patches orrect Answer and Explanation: The correct answer is D. Generally, C buffer overflows exploit flaws in the OS, which are usually fixed via security packages. I ncorrect Answers and Explanations: Answer A is incorrect. Sample files have nothing to do with buffer overflows. Answer B is incorrect. Upgrading the OS may fix the buffer overflow but introduce other problems. Answer C is incorrect. File permissions have nothing to do with buffer overflow issues. That said, however, it’s a good idea to set the appropriate file permissions on files.
Chapter 2: OS Hardening 645
8. Marissa is planning to evaluate the permissions on a Windows 2003 server. When she checks the permissions, she realizes that the production server is still in its default configuration. She is worried that the file system is not secure. What would you recommend Melissa do to alleviate this problem? A. Remove the anonymous access account from the permission on the root directory B. Remove the system account permissions on the root directory of the C: drive C. Remove the “everyone” group from the permissions on the root directory D. Shut down the production server until it can be hardened Correct Answer and Explanation: The correct answer is C. This is a good spot to start; it will prevent unauthenticated users from accessing files at will on the root directory. I ncorrect Answers and Explanations: Answer A is incorrect. This will not produce the desired result. Answer B is incorrect. The system account needs permission to the C:\ drive directory. Answer D is incorrect. The production server needs to be on to be hardened.
9. You have been asked to review the general steps used to secure an OS. You have already obtained permission to disable all unnecessary services. What should be your next step? A. Remove unnecessary user accounts and implement password guidelines B. Remove unnecessary programs C. Apply the latest patches and fixes D. Restrict permissions on files and access to the Registry orrect Answer and Explanation: The correct answer is A. Removing C unnecessary accounts will result in less attack surface available for a hacker to penetrate. By implementing strong passwords, you will also reduce the ability of a hacker to use a “simple” password breaking program to gain access. I ncorrect Answers and Explanations: Answer B is incorrect. While installing only programs that are necessary is a good guideline, removing the unnecessary account and implementing password guidelines should be the next step. Answer C is incorrect. While patching the server is a good idea, removing the unnecessary accounts and implementing password guidelines should be the next step. Answer D is incorrect. While restricting permissions on files and access to the Registry is a good idea, removing the unnecessary accounts and implementing password guidelines should be the next step.
646 Appendix: Self Test
10. Yesterday, everything seemed to be running perfectly on the network. Today, the Windows 2003 production servers keep crashing and running erratically. The only events that have taken place are a scheduled backup, a CD/DVD upgrade on several machines, and an unscheduled patch install. What do you think has gone wrong? A. The backup altered the archive bit on the backup systems B. The CD/DVDs are not compatible with the systems in which they were installed C. The patches were not tested before installation D. The wrong patches were installed orrect Answer and Explanation: The correct answer is C. All patches C should be tested before installing. I ncorrect Answers and Explanations: Answer A is incorrect. Backups will usually not cause this problem. Answer B is incorrect. CDs/DVDs will generally not cause this problem. Answer D is incorrect. The wrong patches will usually not install (in a Windows environment). 11. Debbie is reviewing open ports on her Web server and has noticed that port 23 is open. She has asked you what the port is and if it presents a problem. What should you tell her? A. Port 23 is no problem because it is just the Telnet client B. Port 23 is a problem because it is used by the Subseven Trojan C. Port 23 is open by default and is for system processes D. Port 23 is a concern because it is a Telnet server and is active orrect Answer and Explanation: The correct answer is D. Telnet is not C required for a Web server. I ncorrect Answers and Explanations: Answer A is incorrect; port 23 is for Telnet server, which is a security risk on a Web server. Answer B is incorrect; port 23 is for Telnet server, which is a security risk on a Web server. It is not used by Subseven Trojan. Answer C is incorrect; port 23 is for Telnet server, not system processes. 12. Monday morning has brought news that your company’s e-mail has been blacklisted by many Internet service providers (ISPs). Somehow your e-mail servers were used to spread spam. What most likely went wrong? A. An insecure e-mail account was hacked B. Sendmail vulnerability C. Open mail relay D. Port 25 was left open
Chapter 2: OS Hardening 647
orrect Answer and Explanation: The correct answer is C. Open mail C relay means other servers can use your server to relay messages (including spam). I ncorrect Answers and Explanations: Answer A is incorrect. This problem usually is from the server configuration allowing open mail relay. Answer B is incorrect. This problem usually is from the server configuration allowing open mail relay. Answer D is incorrect. This problem usually is from the server configuration allowing open mail relay. Port 25 being open means SMTP is installed and working (which you would expect on a mail server). 13. Management was rather upset to find out that someone has been hosting a music file transfer site on one of your servers. Internal employees have been ruled out as it appears it was an outsider. What most likely went wrong? A. Anonymous access C. No SSL B. No Web access control D. No bandwidth controls orrect Answer and Explanation: The correct answer is A. Anonymous C access means anyone can log in to an FTP server. I ncorrect Answers and Explanations: Answer B is incorrect. No Web access control has nothing to do with FTP servers. Answer C is incorrect. SSL is used to secure HTTPS traffic. Answer D is incorrect. Bandwidth controls are used to throttle bandwidth. 14. You have been given the scan below and asked to review it. Interesting ports on (18.2.1.88): (The 1263 ports scanned but not shown below are in state: filtered) Port 22/tcp 53/udp 80/tcp 110/tcp 111/tcp
State open open open open open
Service ssh dns http pop3 sun rpc
Your coworker believes it is a Linux computer. What open port led to that assumption? A. Port 53 C. Port 110 B. Port 80 D. Port 111 orrect Answer and Explanation: The correct answer is D. Port 111 would C generally be found on a Linux computer, but not a Windows computer. I ncorrect Answers and Explanations: Answer A is incorrect. Port 53 is used for DNS, which is used regardless of OS. Answer B is incorrect. Port 80 is used for HTTP Web traffic which is used regardless of OS. Answer C is incorrect. Port 110 is used for pop mail traffic, which is used regardless of OS.
648 Appendix: Self Test
15. During a routine check of a file server, you discover a hidden share someone created that contains 100 GB of music content. You discover the share was created on a drive that everyone has full control over. What steps should you take to ensure this doesn’t happen again? A. Define an acceptable use policy B. Remove full control from the “everyone” group C. Remove full control from the offending user D. Remove the files and the directory orrect Answers and Explanations: The correct answers are A, B, and C D. A, B, and D are correct because it’s important for employees to know that this behavior won’t be tolerated. Additionally, granting full control to shares to everyone is a bad idea, as people will do this sort of thing if not kept in check. Answer D is important, as music sharing is illegal and it’s important to protect your company from legal action. I ncorrect Answers and Explanations: Answer C is incorrect. This would not be enough to prevent another user for doing this in the future.
Chapter 3: Application Security
1. A user contacts you with concerns over cookies found on their hard disk. The user visited a banking site several months ago, and when filling out a form on the site, provided some personal information that was saved to a cookie. Even though this was months ago, when the user returned to the site, it displayed his name and other information on the Web page. This led the user to check his computer, and find that the cookie created months ago is still on the hard disk of his computer. What type of cookie is this? A. Temporary C. Persistent B. Session D. Tracking orrect Answer and Explanation: Answer C is correct. Persistent cookies C are created to store for a long-term basis, so the person doesn’t have to log in each time they visit, or to save other settings like the language you want content to be displayed in, your first and last name, or other information. I ncorrect Answers and Explanations: Answers A and B are incorrect, because temporary and session cookies are created on a temporary basis, and removed from the computer when the Web browser is shut down. Answer D is incorrect, because the user filled out a form on a banking site, and it is retrieving this information months later to display on a Web page when the user returns to the site. This is the behavior of a persistent cookie. Tracking cookies are different, because they are used to retain information on sites visited by a user.
Chapter 3: Application Security 649
2. Your company has recently installed IM software on computers throughout the network, to encourage better communication between departments. A user on a network has installed a packet sniffer, and is using it to attempt viewing IMs transmitted between users of the network. When the packet sniffer captures one of the packets from an IM session, which of the following will occur? A. The information from the IM session can’t be viewed because it is encrypted. B. The information from the IM session can be viewed because it is sent as cleartext. C. The message will be unreadable because IM only allows small messages to be sent, meaning that the entire message will be split between numerous packets. D. The message will be unreadable because the Short Message Service Center automatically encrypts every message sent over Short Message Service (SMS). orrect Answer and Explanation: Answer B is correct. The information C from the IM session can be viewed because it is sent as cleartext. By using a packet sniffer to monitor IM on a network, you can view what people are chatting about and other sensitive information, because the information is sent as cleartext messages without any encryption. I ncorrect Answers and Explanations: Answer A is incorrect, because IM messages are not encrypted. Answers C and D are incorrect, because the SMS is used on cell phones and other devices to send small electronic messages through a Short Message Service Center. SMS is different from the IM software installed on computers.
3. Which layer of the OSI model is the target of most Internet-based attacks? A. The network layer, directly above the data link layer B. The session layer directly above the transport layer C. The application layer directly above the session layer D. The application layer directly above the presentation layer orrect Answer and Explanation: Answer D is correct. The application C layer is the target of most Internet-based attacks. The application layer is the last layer of the OSI model and exists directly above the presentation layer. I ncorrect Answers and Explanations: Answers A and B are incorrect because they reference layers that are not the most attacked. Answer C is incorrect because the application layer does not reside above the session layer.
650 Appendix: Self Test
4. What does the term drive-by-download refer to? A. Downloading of Trojans from P2P networks B. Downloading Trojans from instant messaging applications C. Downloading mail attachments via an open mail relay D. Navigating to a Web site and having malicious code auto execute without your knowledge Correct Answer: Answer D is correct. I ncorrect Answers and Explanations: Answers A, B, and C refer to thirdparty applications/software other than the Web browser which is the prime method for drive-by-download attacks..
5. True or False, Cookie security is truly only at the mercy of the Web site administrator? Answer: False, although the Web site administrator is ultimately responsible for the information that is stored within cookies and if the cookie is sent to visitors’ Web browsers over encrypted channels it is not the only form of cookie security. Users can configure their Web browser to reject cookies from entrusted sites and filter on the type of cookies that will be downloaded and loaded.
6. Proper Input validation should be inclusive of which of the following checks? (Select all that apply) A. Data type B. Data length C. IP address of data transmission D. Name of the user submitting the data E. Range of values orrect Answers and Explanations: Answers A, B, and E are correct and C all pertain to ensure that the entered data is in a form that the application is expecting. I ncorrect Answers and Explanations: Answers C and D are related to authentication as opposed to data validation.
7. If P2P networks are to be used on corporate networks, which of the following steps does the best job of securing it? A. Configure P2P client to share files within a single directory and install and antivirus client on the all computers running P2P software B. Disable any open mail relays that are accessible from P2P clients C. Disable ActiveX, Java, and scripting within users’ Web browsers D. Disable any IM clients installed on the P2P clients
Chapter 3: Application Security 651
orrect Answer and Explanation: Answer A is correct and provides the C best protection against major P2P threats. Sharing a single file will help ensure sensitive user information is not leaked to P2P networks and installing antivirus clients on computers running P2P software will help ensure Trojans and worms originating from the P2P network are identified and blocked before they impact the user’s computer. I ncorrect Answers and Explanations: Answers B and D may help encase a computer running P2P software should it be compromised but does not help prevent the actual system compromise. Answer C involves technologies primarily used within Web browsers and not P2P clients.
8. Monday morning has brought news that your company’s e-mail has been blacklisted by many ISPs. Somehow your e-mail servers were used to spread spam. What most likely went wrong? A. An insecure e-mail account was hacked B. Sendmail vulnerability C. Open mail relay D. Port 25 was left open orrect Answer and Explanation: Answer C is the most likely answer for C a company being blacklisted. Traditionally spammers troll the Internet looking for open mail relays to distribute unsolicited mail messages. I ncorrect Answers and Explanations: Answers A, B, and D are related to missing patches and firewall rules that may be used by an attacker to gain unauthorized access to a mail server\relay and send spam; however, this is a much more difficult task when compared to Answer C.
9. Your developer contacts you for guidance on how to secure ActiveX controls he plans on using within his Web application. What advice would you provide him? A. Remind the developer to follow secure coding practice and sign the control before publishing B. Only transfer the control over SSL sessions to and from the Web browser C. Write the ActiveX control within Java D. Perform a Threat Model on the ActiveX control orrect Answers and Explanations: Answer A is correct. Following C securing coding practices will help prevent the existence of vulnerabilities within the code. Signing the control will allow the developer to ensure the control has not been tampered with after development and publication. I ncorrect Answers and Explanations: Answer B is incorrect. Securing ActiveX is all about secure coding practice. Only transfering the control over
652 Appendix: Self Test
SSL sessions does no good if the ActiveX control itself is not secure from scratch and signed appropriately before publishing. Answer C is incorrect as the language used to create an ActiveX control is not the largest security concern. Answer D is incorrect as performing a threat model will help identify vulnerabilities within the ActiveX control and countermeasures to be applied; however, a separate action of applying the threat model results is required to effectively secure the control. 10. Multiple user laptops have been compromised due to exploitation of vulnerabilities in Java applets downloaded from third parties. What should you do to secure Java and help prevent further reoccurring security incidents? (Select the best answer) A. Install the latest patches for all employee computers B. Install the latest patches for all employee computers and ensure employees only visit sites with proper input validation C. Install the latest patches for all employee computers and use Internet Explore security zones to restrict the permissions of downloaded Java applets D. Install the latest patches for all employee computers and use Internet Explore security zones to restrict the permissions of downloaded JavaScript orrect Answers and Explanations: Answer C is correct and is the best C answer because it addresses vulnerabilities within existing Java applets by installing the latest patches and configuring security zones to restrict their permissions assigned to Java will help with newly released zero day vulnerabilities. Incorrect Answers and Explanations: Answer A will ensure that presently downloaded Java applets have the latest patches as well as associated Java interpreters. However, this is not the best answer as it does not provide protection against zero day vulnerabilities that may affect third-party Java applets. Answer B is incorrect as Web sites not performing data input validation will have no impact on vulnerabilities within third-party Java applets. Answer D is incorrect because applying restrictions to downloaded JavaScript does not correctly address the security of downloaded Java applets. 11. You are tasked with creating a threat model for a new application your company is developing. Who should you include in the threat modeling process? A. A member of the corporate security team B. Members of the security team and upper management C. Members of the security team and middle management D. Members of the security team and members from all teams responsible for the design and operation of the application
Chapter 3: Application Security 653
orrect Answer and Explanation: Answer D is correct. To create an C accurate threat model you will need participation from all teams responsible for the design and operation of the targeted application. This representation will help ensure vulnerabilities from all operational aspects are identified. Incorrect Answers and Explanations: Answers A, B, and C are incorrect because they do not cover participation from all application design and operational teams. 12. You perform a security assessment of your company’s Web server and identify a cross-site scripting vulnerability. What recommendation can you provide to your company to correct the vulnerability? (Choose the best answer) A. Advise Web site users to ensure cookies are only transferred over secure connections B. Implement a policy mandating that Web site users disable ActiveX support within their Web browsers C. Implement a policy mandating that Web site users disable Java applet support within their Web browsers D. Advise the Web administrator to ensure all Web application data inputs are validated prior to processing orrect Answer and Explanation: Answer D is correct as the best way C to address cross-site scripting vulnerabilities is to validate data input. This would fix occurrences of XSS on ActiveX controls and Java applets downloaded to the client as well as any vulnerability located on server-side code within the application. I ncorrect Answers and Explanations: Answer A is incorrect; disabling cookies is not a countermeasure against XSS. Answers B and C are also incorrect as although XSS vulnerabilities may exist within downloaded Java applets or ActiveX controls, these controls are executed on the client and would not address the server side XSS vulnerability. 13. You push out a security hardening policy to corporate users and later receive complaints from users stating that they can no longer view business Web sites. What element of your security hardening policy is most likely the cause of the issue? A. Removal of open mail relays B. Disabling of ActiveX controls and Java applets C. Implementation of P2P client restrictions D. Implementation of IM client filtering orrect Answer and Explanation: Answer B is correct as ActiveX conC trols and Java applets directly affect client side application presentation.
654 Appendix: Self Test
Incorrect Answers and Explanations: Answer A is incorrect as mail relays would not affect the user’s ability to view Web pages. Answers C and D are incorrect as they have no relation to users not being able to view Web pages. 14. Which of the following is not a phase within the threat modeling process? A. Security objective definition D. Threat identification B. Application review E. Vulnerability identification C. Application decomposition F. Application vulnerability scan orrect Answer and Explanation: Answer F is not a phase within the C threat modeling process; alternatively it is a subcomponent that may fall within the vulnerability identification phase of the threat modeling process. 15. Bob is preparing to evaluate the security on his Windows XP computer and would like to harden the OS. He is concerned as there have been reports of buffer overflows.What would you suggest he do to reduce this risk? A. Remove sample files B. Upgrade his OS C. Set appropriate permissions on files D. Install the latest patches orrect Answer and Explanation: Answer D is correct. The best defense C against buffer overflows is to apply the appropriate patches or fixes to eliminate the buffer overflow condition. Incorrect Answers and Explanations: Answers A, B, and C are incorrect because removing sample files would not reduce the risk of buffer overflows. Upgrading the OS may fix the immediate buffer overflow, but is not a sustainable long-term strategy. Patches and hotfixes were designed to address this issue. Setting appropriate file permissions will not prevent a buffer overflow.
Chapter 4: Implementing System Security Applications
1. You have been asked to install a SQL database on the intranet and recommend ways to secure the data that will reside on this server. While traffic will be encrypted when it leaves the server, your company is concerned about potential attacks. With this in mind, which type of IDS should you recommend? A. A network-based IDS with the sensor placed in the De-Militarized Zone (DMZ) B. A host-based IDS that is deployed on the SQL server C. A network-based IDS with the sensor placed in the intranet D. A host-based IDS that is deployed on a server in the DMZ
Chapter 4: Implementing System Security Applications 655
Correct Answer and Explanation: B. Answer B is correct, because by selecting a host-based IDS system, which loads on the SQL server directly, you will be able to more readily monitor the SQL server and identify attacks targeting this particular machine. Incorrect Answers and Explanations: A, C, and D. Answer A is incorrect, because a network-based IDS in the DMZ would have difficulty identifying attacks targeting this SQL server specifically. Also, since this option places the sensor in the DMZ, visibility to a server in the LAN would be further restricted. Answer C is incorrect, because a network-based IDS has large amounts of traffic to scan through and the SQL server will not get the attention that it may require. In this case, the sensor would be placed on the intranet, putting it closer to the server that it will manage, but still not the ideal scenario for a single server monitoring. Answer D is incorrect, host-based IDS is loaded on a particular host for monitoring, and if loaded into the DMZ as suggested in this case would not be able to monitor the SQL server at all.
2. Which security control can best be described by the following? Because normal user behavior can change easily and readily, this security control system is prone to false positives where attacks may be reported based on changes to the norm that are “normal,” rather than representing real attacks. A. Anomaly based IDS C. Honeypot B. Signature-based IDS D. Honeynet Correct Answer and Explanation: A. Answer A is correct, because anomaly based IDS utilizes rules and network patterns of behavior to determine if an attack has occurred. When the traffic patterns change, the IDS may be confused and determine that the change in network behavior indicates an attack. Incorrect Answers and Explanations: B, C, and D. Answer B is incorrect, because signature-based IDS systems compare network traffic against signature files looking for matches in the traffic patterns. Changes in the normal network behavior would not cause these IDS types to generate false positives since they are simply checking traffic against a signature file, which would not be impacted by traffic pattern changes. Answer C is incorrect, because a honeypot does not trigger alerts based on legitimate user activity. An attack must target a honeypot directly for it to generate an alert. Answer D is incorrect, because a honeynet does not trigger alerts based on legitimate user activity. An attack must target a honeynet specifically for it to generate an alert.
3. Your network is configured to use an IDS to monitor for attacks. The IDS is network-based and has several sensors located in the internal network and the DMZ. No alarm has sounded. You have been called in on a Friday night because someone is claiming their computer has been hacked. What can you surmise?
656 Appendix: Self Test
A. The misconfigured IDS recorded a positive event B. The misconfigured IDS recorded a negative event C. The misconfigured IDS recorded a false positive event D. The misconfigured IDS recorded a false negative event Correct Answer and Explanation: D. Answer D is correct, because if a computer has been hacked and an IDS has not detected it, then a false negative has occurred. A false negative is when identification of an attack has failed, thus no event has been triggered or alarm has been sounded, but an event has actually occurred and was not caught. Incorrect Answers and Explanations: A, B, and C. Answer A is incorrect, because if a positive event had been detected, alarms would have been generated. Answer B is incorrect, because a negative event is a true negative event, when no hack attempt has occurred. This is not a negative event because a hack took place that the IDS failed to detect, which makes it a false negative, not a negative. Answer C is incorrect, because during a false positive event no security breach is taking place; however, alarms are sounded and the IDS believes that an unauthorized access attempt is taking place.
4. You have installed an IDS that is being used to actively match incoming packets against known attacks. Which of the following technologies is being used? A. Stateful inspection C. Anomaly detection B. Protocol analysis D. Pattern matching Correct Answer: D. Answer D is correct. Incorrect Answers and Explanations: A, B, and C. Answer A is incorrect, because stateful inspection is when a firewall is able to keep track of the network connection between two devices and apply block or allow for the connection, and not just for individual packets being transmitted. Answer B is incorrect, because protocol analysis is when data is captured from the network and then reviewed. Answer C is incorrect, because anomaly detection is when traffic is evaluated and determined to be normal based on a configured rule set. Patterns are not used during anomaly detection.
5. You have been reading about the ways in which a network-based IDS can be attacked. Which of these methods would you describe as an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time? A. Evasion C. Session splicing B. IP Fragmentation D. Session hijacking Correct Answer and Explanation: C. Answer C is correct, because typically IDS systems notice patterns of attack. By dividing data into multiple
Chapter 4: Implementing System Security Applications 657
packets and delivering these over time the IDS will have greater difficulty recognizing the attack. This technique is called session splicing. Incorrect Answers and Explanations: A, B, and D. Answer A is incorrect, because evasion is a general term used to refer to the behavior of attempting to bypass or evade an IDS. Answer B is incorrect, because IP fragmentation is the process of taking large IP packets and breaking them into smaller packets for transmission. There is multiple attack methods that exist utilizing fragmented IP packets, most of them are DoS attempts. Answer D is incorrect, because session hijacking is when an attacker manipulates a valid session to gain unauthorized access. These attacks have many forms, but one example is a man-in-the-middle attack, where the attack is positioned as a middle point between two valid sources and is intercepting and possibly manipulating data between the two entities.
6. You have been asked to explore what would be the best type of IDS to deploy at your company site. Your company is deploying a new program that will be used internally for data mining. The IDS will need to access the data mining application’s log files and needs to be able to identify many types of attacks or suspicious activity. Which of the following would be the best option? A. Network-based IDS that is located in the internal network B. Host-based IDS C. Application-based IDS D. Network-based IDS that has sensors in the DMZ Correct Answer and Explanation: C. Answer C is correct, because by deploying application-based IDS you can focus specifically on the log files of data mining application. Other types of IDS are typically broader in their scope and would be complex to figure and deploy. Since the need is to monitor activity pertinent to a particular application, application-based IDS is the best choice. Incorrect Answers and Explanations: A, B, and D. Answer A is incorrect, because a network-based IDS solution would cover well beyond just a single application, and would require complex configuration and tuning in order to reduce false positives. Since a single application is all that requires monitoring, this solution is too broad based on the needs and would make it difficult to pinpoint specific activity targeting the application. Answer B is incorrect, because host-based IDS will cover all activity on a particular host and not just on a particular application. Host-based IDS is narrower than network-based IDS, but still would contain much more content than required. Answer D is incorrect, because a network-based IDS solution in the DMZ would cover well beyond just a single application, and would require complex configuration and tuning in order to reduce false positives. Since
658 Appendix: Self Test
a single application is all that requires monitoring, this solution is too broad based on the needs and would make it difficult to pinpoint specific activity targeting the application. Also, the application is mentioned to be internal; thus, an IDS located in the DMZ would most likely not catch any suspicious traffic targeting this application.
7. You are a Microsoft engineer working on a new project. You need to configure a secure environment for systems and their users to perform networking functions. You want to achieve this through Windows Firewall. Which of the following correctly describes the MS recommended settings for this firewall service? A. The Windows Firewall service should be enabled for protecting all profiles on all incoming interfaces. B. The Windows Firewall service should be enabled for protecting all administrator profiles on all interfaces. C. The Windows Firewall service should be enabled for protecting all profiles on all public interfaces. D. The Windows Firewall service should be enabled for protecting all profiles on all interfaces. E. The Windows Firewall service should be enabled for protecting all standard user profiles on all private interfaces. Correct Answer and Explanation: D. Answer D is correct, because by protecting all profiles on all interfaces you have allowed the firewall to create a secure network scenario. Regardless of the user that is logged on, or the interface that is used, the firewall will be in place protecting the local machine. Incorrect Answers and Explanations: A, B, C, and E. Answer A is incorrect, because by only enabling the firewall on incoming interfaces, there may be interfaces left unprotected, thus allowing for the potential for a security breach. Answer B is incorrect, because by enabling the firewall alone on administrator profiles, when other users log onto the machine that are not administrators they will not be protected, thus allowing for the potential for a security breach. Answer C is incorrect, because by only enabling the firewall on public interfaces, there may be interface left unprotected, thus allowing for the potential for a security breach. Answer E is incorrect, because by only enabling the firewall on standard user profiles on private interfaces, when other users log onto the machine that are administrators they will not be protected, thus allowing for the potential for a security breach. Also, if standard users utilize interfaces that are not classified as private, then they will also be unprotected.
8. Dan is a user on your network. Computer policies prevent him from utilizing file sharing while he is connected to the company network but he needs to
Chapter 4: Implementing System Security Applications 659
be able to share files while he is working from home. What would you do to accomplish this request? A. Use the MMC with the Windows Firewall with Advanced Security snapin and change the private profile to allow incoming connections. B. Use the MMC with the Windows Firewall with Advanced Security snapin and change the public profile to allow incoming connections. C. Use the Windows Firewall from within the control panel to allow file sharing. D. Use the MMC with the Windows Firewall with Advanced Security snapin and change the domain profile to allow incoming connections. Correct Answer and Explanation: A. Answer A is correct, because working from a home network is considered a private network, so by changing the private profile to allow incoming connections, Dan will be able to share files while working from home. Incorrect Answers and Explanations: B, C, and D. Answer B is incorrect, because since Dan is working from home he will not be using the public profile. The public profile is used in public settings, like a wi-fi hot spot or other public location. Answer C is incorrect, because if inbound traffic is blocked allowing file sharing will not be effective. The specific profile in use must allow the inbound connections for file sharing to be successful. Answer D is incorrect, because if the user is not on the corporate network the domain profile will not be in use. So changes to the domain profile will not be in effect while the user is working from a home network.
9. Sam is a network administrator for a small company that has 15 Vista Business computers all joined to a domain. When checking the logs on the domain controller, he notices that there are errors communicating with one particular computer. When he checks the computer, it is able to access the Internet, file servers, and is able to communicate with the Domain Controller that was reporting the errors. What is the most likely cause of the errors? A. The Vista PC’s firewall profile is set to Public. B. The Vista PC’s firewall profile is set to Private. C. The Vista PC’s firewall profile is set to Domain. D. The Vista PC’s firewall profile is set to Block All Incoming Connections. Correct Answer and Explanation: A. Answer A is correct, because when the Vista firewall is set to Public outbound connections are not restricted, which explains why all attempts outbound from the machine are successful, but inbound traffic is restricted but not blocked, which explains why the domain controller is showing errors in attempting to connect to the PC, but connections to other locations in the network are error free. In order
660 Appendix: Self Test
to remedy this issue, change the Vista firewall configuration to change the profile setting to the Domain profile. Incorrect Answers and Explanations: B, C, and D. Answer B is incorrect, because setting the profile to Public will not allow the required traffic to a domain controller. The profile should be set to Domain to allow the proper connectivity. Answer C is incorrect, because if the firewall would have been set to Domain, then connectivity errors would not be occurring on the domain controller when trying to connect to this client. Answer D is incorrect, because blocking all incoming connections would not allow even exception traffic to enter the machine. All traffic inbound is blocked. 10. Your manager has asked you to install and configure a server to run the Cisco Security Agent Management Console. The server you choose has the following specs: Windows Server 2003 SP1, 1.2 Ghz processor, 2 GB memory, a 20 GB hard drive with two partitions, one with 4 GB of free space on an NTFS partition and one with 4 GB of free space on a FAT32 partition. What must you do to install the Management Console? A. Nothing, this configuration will support the CSA MC. B. You must add an additional 2 GB of memory. C. You must install Service Pack 2 for Windows Server 2003. D. You must add an additional hard drive with 9 GB of free space on an NTFS partition. Correct Answer and Explanation: D. Answer D is correct, because the Cisco Security Agent Management Console requires a minimum of 9 GB of free disk space. In this case, each disk drive only has 4 GB of free disk space, thus requiring an additional hard drive with a minimum of 9 GB of free disk space available to install the Cisco Security Agent Management Console. Incorrect Answers and Explanations: A, B, and C. Answer A is incorrect, because an additional hard drive is required on the machine for the Cisco Security Agent Management Console to be installed. Answer B is incorrect, because the minimum random access memory (RAM) requirement has already been met, so additional RAM is not necessary. Answer C is incorrect, because Windows Server 2003 SP1 is within the minimum requirements. SP2 is not required to run the Cisco Security Agent Management Console. 11. You are configuring some of the advanced features of the Windows XP firewall. You want to block the client machine from responding to pings. Which of the advanced setting types would you need to change to accomplish this? A. Network connection settings C. ICMP B. Security logging D. None of the above
Chapter 4: Implementing System Security Applications 661
Correct Answer and Explanation: C. Answer C is correct, because ICMP is the protocol that is used when a PING command is issued, received, and responded to. By blocking ICMP, the machine will not respond to pings because it will not receive the initial request for the ping. Incorrect Answers and Explanations: A, B, and D. Answer A is incorrect, because network connection settings allow you to manage the properties of your network cards, and not the ports coming into the host. Answer B is incorrect, because security logging will not change the ports that a particular host is listening to, and it only documents what is taking place on the host based on your auditing configuration settings. Answer D is incorrect, because there is a correct answer in the list. C is the correct answer. 12. You have decided to use a third-party pop-up blocker solution as opposed to the built-in Microsoft Internet Explorer pop-up blocker. You are looking at the Anti-Spy feature of the Yahoo! Toolbar. Which of the following is NOT one of the three available options for scanning? A. Scan at Launch C. Scheduled Scan B. Scan for Tracking Cookies D. Check for Updates on Startup Correct Answer and Explanation: C. Answer C is correct, because scheduled scan is not an option available from within the Yahoo! Toolbar. Incorrect Answers and Explanations: A, B, and D. Answer A is incorrect, because Scan at Launch is available with the Yahoo! Toolbar. Answer B is incorrect, because Scan for Tracking Cookies is available with the Yahoo! Toolbar. Answer D is incorrect, because Check for Updates on Startup is available with the Yahoo! Toolbar. 13. You are deciding between a behavior-based IDS and signature-based IDS. Which of the following are positive characteristics of signature-based IDS? A. Examines ongoing traffic B. Uses a database of current attack signatures C. Examines ongoing activity on the system D. All of the above Correct Answer and Explanation: D. Answer D is correct, because signature-based IDS uses a database of current attack signatures for comparison while it is reviewing traffic, as well as examining ongoing traffic and ongoing activity on the system. Incorrect Answers and Explanations: A, B, and C. Answer A is incorrect, because this is not the only positive characteristic of signature-based IDS. Answer B is incorrect, because this is not the only positive characteristic of signature-based IDS. Answer C is incorrect, because this is not the only positive characteristic of signature-based IDS.
662 Appendix: Self Test
14. A user contacts the helpdesk to gain assistance in unblocking port 39873, which is the customized port she has assigned to an application she runs. The client application must make an outbound connection on port 80, and then the server side responds on port 39873, which is currently being blocked inbound. In what type of product would the action of unblocking a port take place? A. Pop-up blocker C. Software firewall B. Port configuration tool D. Adware tool Correct Answer and Explanation: C. Answer C is correct, because a software firewall protects the local host from unauthorized traffic by monitoring local ports and protocols. By unblocking or white-listing the port will allow the server to respond on the correct port. Incorrect Answers and Explanations: A, B, and D. Answer A is incorrect, because a pop-up blocker prevents unauthorized windows from launching as a user browses the Internet. It does not examine ports, it just blocks pop-ups. Answer B is incorrect, because a port configuration tool is a fictional tool. Answer D is incorrect, because port blocking is typically not performed in adware tools. Adware tools may use ports to identify malicious adware, but they are not used to authorize particular ports on the client. Adware tools function to block adware on a host. 15. You have a user that has been calling to complain that as she is browsing the Internet she frequently receives a pop-up message asking her to install antivirus software. She states that she has gone through the install four times and she doesn’t understand why she is still receiving this message from time to time. She wants you to perform the installation to be sure it is being performed correctly and so that it will not have to be continually repeated. What could be happening on this user’s machine to create these circumstances? A. Her antivirus software is out-of-date, and she must renew it before the pop-ups for reinstall will stop. B. She had to be a local administrator on the machine for the install to complete successfully, and therefore she isn’t able to complete the install herself. C. The pop-up message was generated by the corporate antivirus server and was sent out mistakenly. You must correct the issue on the antivirus server. D. This user has adware on her machine and the pop-up to install antivirus is not an actual antivirus installation window. The user’s machine should be scanned and cleaned. Correct Answer and Explanation: D. Answer D is correct, because pop-up messages oftentimes will claim that your machine requires antivirus software or software that improves your network connection and that the
Chapter 5: Virtualization Technologies 663
user must click to install. These types of pop-ups are considered adware and can be malicious in nature, because they may carry Trojans or spyware to be installed once the user clicks the pop-up. Any type of repeating pop-ups that have not been generated by the administrator should prompt a scan and clean up on that machine immediately. Incorrect Answers and Explanations: A, B, and C. Answer A is incorrect, because whether or not her local software is out-of-date, it does not impact a pop-up of this type. The pop-ups pop up to be clicked upon and it is unimportant as to the status of the local antivirus software. Answer B is incorrect, because the pop-up is an unwanted threat, and whether the logged on user is or is not a local administrator on the local host is immaterial to the pop-up. Answer C is incorrect, because the pop-up seems to be triggered by browsing the Internet. Also, corporate antivirus installations will typically take place in a silent mode so as not to disturb the user. The fact that a pop-up is taking place on a reoccurring basis should tell you that this isn’t a routine administrative installation.
Chapter 5: Virtualization Technologies
1. You are the security administrator for Versa Corp. You have been assigned the task of creating a “honey pot” server on the company’s Internet DMZ. You have decided to use virtualization and a VM for this purpose. One of the best reasons for using a VM is A. VMs run Windows only and cannot have security template applied to them B. VMs can be rapidly restored when breached C. VMs cannot join the production Active Directory D. VMs are not vulnerable to viruses Correct Answer and Explanation: Correct answer is B. VMs can be rapidly restored if they are breached. By using the snapshot features or using a template, a new VM can quickly be restored to a known state without the breach that was detected. I ncorrect Answers and Explanations: Answer A is incorrect because VMs are just like physical machines and can have security templates applied to them the same as any physical server. Answer C is incorrect because a VM can join an Active Directory and can even be a domain controller. Answer D is incorrect because just like a physical server, virus attacks are capable of compromising the server.
2. Which is a benefit of virtualization? A. Lower operating system costs B. Reduced bandwidth requirements
C. Reduced hardware costs D. Reduced need for backups
664 Appendix: Self Test
orrect Answer and Explanation: Correct answer is C. Converting physiC cal servers to virtual servers allows consolidating on to a smaller number of physical servers. It is easily possible to between 7 and 35 VMs running on a single physical server. This is a significant cost reduction for hardware costs. I ncorrect Answers and Explanations: Answer A is incorrect because you still must license your operating systems running on the VMs. You may be able to realize some cost savings by leveraging advanced licensing from software vendors, but there are specific rules and limitations for these programs. Answer B is incorrect because the bandwidth requirements of the virtual servers will be similar to the physical server they replaced. Answer D is incorrect because VMs are easier to restore, but this does not remove the requirement that they be backed up using either traditional methods or a combination of snapshots and backups or replication.
3. You are the security administrator for Versa Corp. You need to have three VMs running on HP DL380 servers. There are IBM x3350 servers also running the same hypervisor and processor family with available resources. You have moved your VMs to the IBM servers. What should you do to configure your VMs to run on the IBM servers? A. Replace the network and RAID controller drivers on all the VMs immediately after powering them up B. Replace only the RAID controller drivers C. Replace only the network drivers D. Nothing orrect Answer and Explanation: Correct answer is D. VMs have the C same hardware drivers when running on the same hypervisor. The hypervisor isolates the VMs from differences in the physical hardware. Incorrect Answers and Explanations: Answers A, B, and C are incorrect because the VM never sees the physical network or RAID controllers. The hypervisor and the virtual drivers ensure that all the VMs see the same device drivers regardless of the physical resources.
4. You are the security administrator for Versa Corp. You have been tasked with designing a single server solution for the remote branch offices. You must have in your solution: A. A Linux-based firewall C. A domain controller B. A mail server in a DMZ D. A file server Correct Answer and Explanation: The system administrator has created a virtual host to run the necessary VMs and has asked you how you want the NICs connected to the virtual servers. You have provided him with the diagram shown in Figure 5.14.
Chapter 5: Virtualization Technologies 665
Firewall Server
Mail Server
Domain Controller
NIC 2
Production Network
Internal Switch
NIC 1
File Server
Figure 5.14 Connecting NICs to a Virtual Server
his solution T A. Fails to meet the requirements specified B. Exposes the virtual servers to the open Internet C. Prevents users from receiving their e-mail D. Meets all requirements he correct answer is D. By using both internal network connections and T managing the external physical NICs, all requirements have been met and a secure environment can be deployed to the remote office. I ncorrect Answers and Explanations: Answer A is incorrect because all requirements have been met. Answer B is incorrect because only the firewall is connected to NIC 1, which is connected to the Internet. There is no direct path to the Internet from any other server. Answer C is incorrect because the mail server is connected to the internal switch with the firewall. The firewall has its De-Militarized Zone (DMZ) ports connected to this internal switch. Users should be able to access their e-mail through NIC 2 to the firewall then be routed to the internal switch connected to the e-mail server.
5. A VM is hosted on a server you are going to retire. The host server is not connected to a SAN but is connected to a network. You have access to the administrator account. You need to move it to another host. The fastest way to accomplish this task is to
666 Appendix: Self Test
A. Locate the VM configuration file and the virtual hard disk file; use Service Control Point (SCP) to copy these files to the new server B. Locate the virtual disk file for the VM and use the backup solution to back up this file to tape; restore this file to the new server C. Locate the configuration file for the VM and use the backup solution to backup this file to tape; restore the configuration file to the new server D. Use SFTP to create a snapshot of the VM and copy it to the new server orrect Answer and Explanation: The correct answer is A. Because most C hypervisors are based on Linux, the root user account is typically prevented from using FTP for file transfers. Being based on Linux does not mean there is a full Linux OS. It is typically a specially tuned version that can support most of the TCP/IP protocols. SCP, secure copy, is part of the Secure Shell (SSH) implementation and is normally allowed because it has the limited functionality of only being able to securely transfer files. You must copy the configuration file and the virtual hard disk files to move the VM. Incorrect Answers and Explanations: Answer B is incorrect because it will take longer to backup the virtual hard disk file to tape than to use the network to copy the file to the new server. The virtual hard disk is also only part of the solution. If this is all you have, it is possible to create a new VM and attach the copied virtual hard disk file to recover the VM. Answer C is incorrect because the configuration file alone is not enough to move the VM to the new server. The tape solution is also a longer process than using the network to transfer the files. Answer D is incorrect because SFTP will not create a snapshot. This is Secure File Transfer Protocol for sending encrypted files via FTP.
6. You are the security administrator of Versa Corp. You have several “honey pot” virtual servers running on a physical host along with production virtual servers. You notice that one of them has been breached. You must move quickly to isolate this server. You need to maintain the server intact so it can be analyzed but must maintain the security of the organization. Which action will accomplish the required goals? A. Immediately log on to the affected server and shut it down; once shutdown, make a copy of the virtual hard disk file and export it to your laptop for analysis B. Immediately log on to the hypervisor console and disconnect the virtual network card; mount the ISO file for the analysis tools to the virtual DVD drive and install the analysis tools C. Immediately shutdown the physical host; disconnect all NICs from the physical host and load your security analysis tool to this server D. Immediately log on to the affected server and shut it down; disconnect the virtual hard disk from the virtual server and mount it to another virtual server running the analysis tools
Chapter 5: Virtualization Technologies 667
orrect Answer and Explanation: The correct answer is B. DisconnectC ing the virtual NIC will isolate the VM from the network without changing anything on the virtual server. Mounting the ISO file to the virtual DVD will allow you to load analysis tools onto this server. You can always access a VM from the hypervisor console of the physical host. This method is the best way to preserve the compromised server for analysis without compromising the security of the rest of the network. I ncorrect Answers and Explanations: Answer A is incorrect because shutting down the server may mask the compromise or payload of the attack. Making a copy and attaching it to your laptop could import the threat into the production network or otherwise infect your laptop. Answer C is incorrect because disconnecting the NICs from the physical host will disconnect the production VMs along with the infected VM. When this physical host is powered back up, the compromised virtual server is still there and connected to the network. Answer D is incorrect because connecting the virtual hard drive to another VM may also infect or compromise that VM. It may also alter the virtual hard drive and prevent a thorough analysis.
7. You are the security administrator of Versa Corp. You have recently noticed a lot of VMs on your physical hosts that are powered off or have not been accessed in over 2 weeks. You have decided to remove the powered down VMs. What is the best method of removing these VMs? A. Use the console for your hypervisor and delete the VM and its associated virtual hard disk B. Use the SAN console to remove the logical unit number (LUN) associated with each VM C. Notify the owners of the VM that you are going to remove them from the physical server; remove the virtual hard drive but leave the virtual server configuration file in case they need the server again later D. Use the hypervisor console to convert the VMs to templates in case they are needed again at a later date orrect Answer and Explanation: The correct answer is A. Using the C hypervisor console to remove the VM and its associated virtual hard drive will completely remove it from the physical host. If it is needed again, it will need to be recreated. It is a good practice to remove unused VMs to prevent potential security problems and to free resources on the physical hosts and the storage. I ncorrect Answers and Explanations: Answer B is incorrect because removing storage logical unit numbers (LUNs) will remove all the VMs loaded into that location. There may be running VMs in that storage location that you did not want to remove. Answer C is incorrect because while notifying the owners of the VMs is a good thing to do, removing the virtual hard
668 Appendix: Self Test
drive will destroy the data on the VM. The configuration file will not allow you to r ecreate the VM. Answer D is incorrect because converting a VM to a template will not remove it from the server.
8. You are the security administrator for Versa Corp. You have been asked to virtualize 10 security servers without altering their configurations. Your manager wants to retain the physical servers just in case there is a problem later. What is your best course of action to accomplish the assigned tasks? A. Build new VMs on the physical host to match the security servers, and once loaded, you copy the data files from each of the original server to the virtual servers; you leave the original servers online until the new servers are verified as working B. You copy the disk drives of the original servers to the SAN; once completed you create new VMs and attach the data on the SAN to the VM; you shut down the original servers C. You use a physical to virtual migration tool to copy the disk drives of the physical servers to the new VMs; once completed, you shut down the original server and power on the new virtual server D. You create a new VM and use a bulk copy utility to copy all the data from the source servers to the new VMs; when complete, you leave the original servers online until the new servers are verified orrect Answer and Explanation: The correct answer is C. Using a C physical to virtual migration tool copies all the configuration and settings to the virtual hard disk without altering the configuration of the source. Once complete, the original can be powered down and the new virtual server powered on. I ncorrect Answers and Explanations: Answer A in incorrect because just copying the data files will not get all the configuration information from the original server. Even if this did work, you would have two servers with the same name and IP address online at the same time. This would cause a conflict. Answer B is incorrect because merely copying the files to the SAN will not make them useable on the VMs. The data must be copied to the virtual hard disk, not just a folder on the SAN. Answer D is incorrect because just copying the file to the virtual hard disk may not allow them to be used by the new VM. You also left the original servers online so both a name and IP conflict would exist if the copy did work.
9. You are the security administrator for Versa Corp. You have recently moved the virtual hard disk file for the virtual firewall to the D drive on your physical host. When you try to start the VM you receive the message, “The virtual hard disk cannot be found.” What action should you take to correct the problem?
Chapter 5: Virtualization Technologies 669
A. Rename the virtual hard drive and try to restart the VM B. Edit the boot.ini file of the VM to point to the D drive C. Mount the virtual hard disk file to another VM and edit the /etc/hosts. allow file D. Edit the VM configuration file to point the path of the virtual hard disk to the D drive Correct Answer and Explanation: The correct answer is D. The VM configuration file contains the location of the virtual hard disk file. If you recently moved this file, you can edit this file to specify the new location. I ncorrect Answers and Explanations: Answer A is incorrect because renaming the virtual hard disk file will still not tell the configuration file where to find it. You would still need to edit the configuration file with the new path and file name to start the VM. Answer B is incorrect because you cannot edit the boot.ini file on the virtual hard disk. Even if you could, it still would not tell the configuration file where to find the virtual hard disk file. A nswer C is incorrect because this would also not tell the VM configuration file where the virtual hard disk file was located. 10. You are the security administrator for Versa Corp. Your manager has given you a new server to develop and test a new security design. You want to be able to test the performance and capabilities of both Windows and Linuxbased servers. You want to minimize the amount of time you spend building and rebuilding servers for testing. What is your best course of action to accomplish your goals? A. Build a physical virtualization host server and create the necessary number of Windows and Linux VMs; configure each VM for your test; after the test, delete the VMs and recreate them for the next round of tests B. Build a physical virtualization host server and create the necessary number of Windows and Linux VMs; take snapshots of each server; configure each VM for your test; after the test, restore the VMs using the snapshots before the next round of tests C. Build a physical virtualization host server and create the necessary number of Windows and Linux VMs; configure each VM for your test; convert each configured VM to a template; after the test, use the templates to recreate the VMs for the next round of tests D. Build a physical virtualization host server and create the necessary number of Windows and Linux VMs; configure each VM for your test; after the test clone the VMs for the next round of tests Correct Answer and Explanation: The correct answer is B. Once the VMs are all created, taking a snapshot of them will allow you to quickly
670 Appendix: Self Test
revert back to a known good state without having to remove anything or reconfigure to get back to a clean state. You would simply apply the new configuration for the next round of tests. I ncorrect Answers and Explanations: Answer A is incorrect because this has a lot of additional work to create, configure, test, delete, recreate for each round of test configurations. You would spend most of your time reloading operating systems instead of testing security configurations. A nswer C is incorrect because once a VM is converted to a template it cannot be started. If you create templates from the basic VMs, you could use those templates to recreate the VMs. Answer D is incorrect because you are using a previous configuration to restart your tests. A clone maintains the settings of the VM being cloned. Your test would be skewed because previous configuration would still be present. 11. What is a benefit of application virtualization? A. Applications are executed on the local clients instead of the application server B. Applications are all Web based C. Only Windows clients can access the published applications D. Any device that can run the client can access the applications orrect Answer and Explanation: Answer D is correct. Any device that C can run the client software can access and run the published application. This is especially true of XenApp. There are clients for a wide variety of operating systems and processors. Incorrect Answers and Explanations: Answer A is incorrect because the application is executed on the server, not the client device. Answer B is incorrect because applications do not need to be Web based to function on a terminal server. Answer C is incorrect because Windows is only one of several operating systems that can have a Terminal Services or XenApp client loaded. 12. You are the security administrator for Versa Corp. You have several executives that travel with laptops. Your internal applications servers publish applications for all users and are maintained in a secure fashion. Your executives complain that they cannot run a necessary financial application while disconnected from the corporate network. These executives are rarely disconnected longer than 10 days at a time. What action can you perform to satisfy the executive request and still maintain security? A. Enable the Terminal Services Gateway and allow the executives to connect remotely using RDP over HTTPS B. Enable application streaming for the financial application and set a timeout on checked out applications for 2 weeks
Chapter 5: Virtualization Technologies 671
C. Load the financial application on the executive laptops and set a group policy to enable encryption on the data files D. Load the latest XenApp client and configure it to use the highest level of encryption when connecting to the application server Correct Answer and Explanation: The correct answer is B. Enabling application streaming and allowing the executives to check out the application will allow them to run when they are disconnected from the network. The timeout of 2 weeks will give the executives 14 days to connect back to the network before the application will stop working. This is well within the normal 10 days they travel. I ncorrect Answers and Explanations: Answer A is incorrect because while it is a secure method of delivering the application, it does not work when the executives are not connected to the network. Answer C is incorrect because loading the application on the laptops defeats the security policy by running sensitive application on individual desktops. Answer D is incorrect because the executives would still need to be connected to the network to access the applications and data. 13. You are the security administrator for Versa Corp. The company has decided to terminate the leased line T-1 between branch offices and the home office. All users use virtualized applications running on a terminal server to perform their daily work. All user files are located near the application servers. Each branch office is connected to the Internet using either a DSL line or a cable connection. Which action will allow users to continue working with the least amount of effort and still maintain the company’s security policy? A. Set up a Terminal Server Gateway with a SSL certificate; direct all users to connect using the URL of the gateway to access the application servers B. Have users create an Internet Protocol Security (IPSEC) tunnel to the application servers to continue working C. Have the users generate personal certificates and use them to access the firewall to gain access to the application servers D. Have the users load and configure the VPN client software for your firewall; then create a VPN connection to access the application servers to continue working Correct Answer and Explanation: The correct answer is A. The easiest method is to set up a Terminal Services Gateway and load a SSL certificate on it. Users can use their Web browser to connect to the application servers securely and continue working. I ncorrect Answers and Explanations: Answer B is incorrect because the application server may not support IPSEC and they would still need to get
672 Appendix: Self Test
past your firewall first. Answer C is incorrect because a personal certificate will not give them access through the firewall. They will only identify the user. Answer D is incorrect because while it might work it is considerably more work for both you and the users to gain access to the application servers. 14. You are the security administrator for Versa Corp. You have been asked to create 10 new VMs for a new development project. Each new VM needs have identical resources and configurations. You have a physical host running a hypervisor and connected to a SAN. What is the best method for accomplishing this task? A. Create a new VM and load and configure the operating system; take careful notes and configure each identically until you have all 10 VMs B. Create a new VM and load and configure the operating system; clone this VM nine more times and apply system customizations to each new VM C. Create a new VM and load and configure the operating system; copy the virtual hard drive to create the other nine servers D. Create a new VM and load and configure the operating system; use the SAN features to replicate the LUN to create the remaining servers orrect Answer and Explanation: The correct answer is B. Cloning the C first server and applying server customizations will generate 10 VMs with identical resources. You need to apply the server customizations to create unique System Identifiers (SID) for each VM. Incorrect Answers and Explanations: Answer A is incorrect because creating each VM individually will take significantly more effort than cloning. Because we are configuring each individually, it is possible that a mistake will be made with this many servers being needed. Answer C is incorrect because just copying the virtual hard drive will not create the VMs. You would still need to run server customizations to generate a unique name and SID. Answer D is incorrect because replicating the SAN LUN will not create the VMs. 15. You are the security administrator for Versa Corp. You currently have a physical host running a hypervisor. You have a VM running a firewall application. You have received a new version of the software and need to set it up and configure it with a minimum of disruption to the users. The best method to accomplish the task would be to A. Create a new VM and load the operating system and the new firewall software; connect it to the Test network; configure the software to match the production firewall; when testing is complete disconnect the virtual NIC on the production firewall from the Internet network and connect the new firewall to the Internet network
Chapter 6: Network Security 673
B. Create a new VM and load the operating system and the new firewall software; connect it to the Internet network; disconnect the virtual NIC on the production firewall from the Internet network and shut down the old firewall; configure the new firewall software C. Load the new firewall software on the production firewall; configure the software D. Create a snapshot of the production firewall; load the new firewall software on the production firewall; configure the software; if testing fails, you can reload the snapshot to restore the old configuration. orrect Answer and Explanation: Answer A is correct. Creating the new C VM and doing a fresh build of the operating systems and the new software will eliminate any current problems with the current server and allow for a completely fresh build. Connecting the new server to the Test network allows for testing without disruption of the users. Once complete, the virtual network can be connected to the Internet network and the old production firewall powered down. If a problem is discovered, the old server can be restarted. I ncorrect Answers and Explanations: Answer B is incorrect because users will be disrupted while the new firewall is being configured and tested. Answer C is incorrect because we are loading new software on a production firewall. This will cause a disruption with the users and there is no way to recover if there is a problem with the new software. Answer D is incorrect because it will cause a disruption with the users if there is a problem. We can always restore from the snapshot, but we would lose all the work that was done on the new software.
Chapter 6: Network Security
1. Your company is considering implementing a VLAN. As you have studied for your Security+ exam, you have learned that VLANs offer certain security benefits as they can segment network traffic. The organization would like to set up three separate VLANs in which there is one for management, one for manufacturing, and one for engineering. How would traffic move for the engineering to the management VLAN? A. The traffic is passed directly as both VLANs are part of the same collision domain. B. The traffic is passed directly as both VLANs are part of the same broadcast domain. C. Traffic cannot move from the management to the engineering VLAN. D. Traffic must be passed to the router and then back to the appropriate VLAN.
674 Appendix: Self Test
Correct Answer and Explanation: D. Answer D is correct, because VLANs are logical segmentations in the network that are configured at Layer 3, routers must be involved in routing traffic between separate VLANs. Incorrect Answers and Explanations: A, B, and C. Answer A is incorrect, because a collision domain exists at Layer 1 and VLANs exist at Layer 3. Collision domains occur when a data packet enters a network containing Level 1 devices, such as hubs and repeaters. When data is sent out on the media, these devices forward the data to all nodes on a particular segment flooding the network and thus creating a collision domain. Answer B is incorrect, because a broadcast domain exists at Layer 1 and a VLAN exists at Layer 3. A broadcast domain is another name for a collision domain. Collision domains occur when a data packet enters a network containing Level 1 devices, such as hubs and repeaters. When data is sent out on the media, these devices forward the data to all nodes on a particular segment flooding the network and thus creating a collision domain. Answer C is incorrect, because the rationale behind creating VLANs is typically to control traffic flow, but not to necessarily isolate it. VLANS are oftentimes created to segment the network in such a way that groups of machines that require frequent contact end up on the same VLANs. This functions to isolate broadcast traffic and in turn improves network effectiveness.
2. You have been asked to protect two Web servers from attack. You have also been tasked with making sure that the internal network is also secure. What type of design could be used to meet these goals while also protecting all of the organization? A. Implement IPSec on the Web servers to provide encryption. B. Create a DMZ and place the Web server in it while placing the intranet behind the internal firewall. C. Place a honeypot on the internal network. D. Remove the Cat 5 cabling and replace it with fiber-optic cabling. Correct Answer and Explanation: B. Answer B is correct, because a DMZ will provide layered architecture that allows for firewall protection from direct Internet access, as well as firewall protection which prevents direct access to any machine that is deployed on the intranet. Incorrect Answers and Explanations: A, C, and D. Answer A is incorrect, because IPSec encrypts the data to/from the client and the server, but it does not assist in ensuring that a particular part of the network, such as the internal network is secure. Answer C is incorrect, because a honeypot is used as a deterrent against attacks and is used to lure attacks to a designated target. If the internal network is accessible, there wouldn’t be anything in place to stop the same attacks from turning their attention on the internal network and creating a security breach. Answer D is incorrect, because
Chapter 6: Network Security 675
changing the cable type will result in faster transmission speeds, but offers no protection to the internal network.
3. You have been asked to put your Security+ certification skills to use by examining some network traffic. The traffic was from an internal host whose IP address falls into an RFC 1918 range and you must identify the correct address. Which of the following should you choose? A. 127.0.0.1 C. 129.12.14.2 B. 10.27.3.56 D. 224.0.12.10 Correct Answer and Explanation: B. Answer B is correct, because the three ranges of IP addresses RFC 1918 reserved are 10.0.0.0 to 10.255.255.255 (10/8 prefix), 172.16.0.0 to 172.31.255.255 (172.16/12 prefix), and 192.168.0.0 to 192.168.255.255 (192.168/16 prefix) and 10.27.3.56 falls within these ranges. Incorrect Answers and Explanations: A, C, and D. Answer A is incorrect, because 127.0.0.1 is reserved as the loopback address and does not fall within the RFC outlined ranges. Answer C is incorrect, because 129.12.14.2 does not fall within the RFC outlined ranges. Answer D is incorrect, because 129.12.14.2 does not fall within the RFC outlined ranges.
4. You have been running security scans against the DMZ Web server and have obtained the following results. The Web server is also the externally facing DNS server. How should these results be interpreted? C:\>nmap -sT 192.168.1.2 Starting nmap V. 3.91
Interesting ports on (192.168.1.2): (The 1,598 ports scanned but not shown below are in state: filtered) Port
State
Service
53/tcp
Open
DNS
80/tcp
Open
http
111/tcp
Open
sun rpc
map run completed –1 IP address (1 host up) scanned in 409 s. N A. Port 80 and 53 are expected but TCP port 111 should not be open B. Port 80 and 111 should not be open but TCP port 53 should be open C. UDP port 80 should be open to the DMZ D. TCP port 25 should be open to the DMZ
676 Appendix: Self Test
Correct Answer and Explanation: A. Answer A is correct, because the roles described as running on the server are Web services and DNS. Port 80 is typically used for Web services and port 53 is used for DNS. These ports are expected to be open because they are in use for specific services. Incorrect Answers and Explanations: B, C, and D. Answer B is incorrect, because port 80 must be open for Web services to function correctly. Answer C is incorrect, because UDP port 80 is not utilized for Web services or for DNS, which are the two services implemented on the server. Answer D is incorrect, because TCP port 25 is used for SMTP services. This server is not running SMTP services where it would require TCP port 25 to be open.
5. You have been asked to use an existing router and utilize it as a firewall. Management would like you to use it to perform address translation and block some known bad IP addresses that previous attacks have originated from. With this in mind, which of the following statements are accurate? A. You have been asked to perform NAT services B. You have been asked to set up a proxy C. You have been asked to set up stateful inspection D. You have been asked to set up a packet filter Correct Answer and Explanation: D. Answer D is correct, because a packet filter will evaluate each packet and either block or allow the traffic from reaching its destination based on the rules defined. In this case the packet filter would examine the packets for the bad IP addresses and the action taken on the packets would be to drop or block them. Incorrect Answers and Explanations: A, B, and C. Answer A is incorrect, because NAT is the process of mapping external to internal IP addresses, which is not being described here. Answer B is incorrect, because a proxy server functions as a middle device which passes information from a requesting client to a destination server, and then once a response is received from the server back to the proxy, the proxy passes the information back to the requesting client. Proxy servers can be used to speed up responses by caching content such as Web pages, and they can also be used for security purposes to keep the internal clients hidden from the external world. Answer C is incorrect, because stateful inspection is when a device, typically a firewall, keeps track of state of network connections. This allows the firewall to detect when packets have been modified or if they are not appropriate to be transmitted, but by only analyzing header information the firewall remains efficient.
6. Which security control can best be described by the following? Because normal user behavior can change easily and readily, this security control system is prone to false positives where attacks may be reported based on changes to the norm that are “normal,” rather than representing real attacks.
Chapter 6: Network Security 677
A. Anomaly-based IDS B. Signature-based IDS
C. Honeypot D. Honeynet
Correct Answer and Explanation: A. Answer A is correct, because anomaly-based IDS specifically looks for changes in behavior as a sign of intrusion behavior. The problem with this is that if user habits or behavior changes as a part of the normal trends in an organization, the IDS will detect the change and raise an alarm, thus generating false positives. Incorrect Answers and Explanations: B, C, and D. Answer B is incorrect, because signature-based IDS systems reply on signature files to detect attacks in the network. The user behavior is not considered or evaluated and thus would not have an impact on a signature-based IDS system’s attack perception. Answer C is incorrect, because a honeypot is used as a lure to distract attackers from valid network targets. Honeypots do not consider or evaluate user traffic and thus would not be impacted by changes in user behavior. They simply alert when attacked. Answer D is incorrect, because a honeynet is used as a lure to distract attackers from valid targets. Honeynets do not consider or evaluate user traffic and thus would not be impacted by changed in user behavior. They simply alert when attacked.
7. You have been asked to install a SQL database on the intranet and recommend ways to secure the data that will reside on this server. While traffic will be encrypted when it leaves the server, your company is concerned about potential attacks. With this in mind, which type of IDS should you recommend? A. A network-based IDS with the sensor placed in the DMZ B. A host-based IDS that is deployed on the SQL server C. A network-based IDS with the sensor placed in the intranet D. A host-based IDS that is deployed on a server in the DMZ Correct Answer and Explanation: B. Answer B is correct, because a host-based IDS system installed on the SQL server will give you the capability to configure the IDS to focus specifically on the application you desire to protect. Incorrect Answers and Explanations: A, C, and D. Answer A is incorrect, because a network-based IDS is a poor choice. Because a network-based IDS listens on the wire, there will be a lot more than just data from this specific application transversing the wire. This will make it more difficult for the administrator to focus in on the SQL server. Also, because traffic leaving the server will be encrypted, this presents a challenge for the network-based IDS system. Finally, this answer depicts the sensor being placed in the DMZ, and there is no indicator that the SQL database will transverse the DMZ, rendering the senor useless in protecting this specific application from internal
678 Appendix: Self Test
attacks. Answer C is incorrect because a network-based IDS is a poor choice. Because a network-based IDS listens on the wire, there will be a lot more than just data from this specific application transversing the wire. This will make it more difficult for the administrator to focus in on the SQL server. Also, because traffic leaving the server will be encrypted, this presents a challenge for the network-based IDS. Answer D is incorrect because even though a hostbased IDS is the correct choice, if the sensor for the IDS is placed on a server in the DMZ, this will not protect the SQL server in the intranet.
8. Your network is configured to use an IDS to monitor for attacks. The IDS is network-based and has several sensors located in the internal network and the DMZ. No alarm has sounded. You have been called in on a Friday night because someone is claiming their computer has been hacked. What can you surmise? A. The misconfigured IDS recorded a positive event B. The misconfigured IDS recorded a negative event C. The misconfigured IDS recorded a false positive event D. The misconfigured IDS recorded a false negative event Correct Answer and Explanation: D. Answer D is correct, because a false negative describes an event where an attack has occurred and no alarm has been raised. Essentially the IDS systems falsely responded in a negative manner by not sounding an alarm. Incorrect Answers and Explanations: A, B, and C. Answer A is incorrect, because a positive event occurs when an attack is taking place and rightly an alarm is generated. In this case an attack was occurring, however, no alarm was generated which means that a positive event was not recorded. Answer B is incorrect, because a negative event occurs when no attack is in progress and no alarm is sounded. This is not the situation described. Answer C is incorrect, because a false positive occurs when an alarm is sounded in error. This happens when an IDS system mistakenly identifies legitimate traffic as a threat and in response generates alerts. This is not the situation described in this question.
9. You have installed an IDS that is being used to actively match incoming packets against known attacks. Which of the following technologies is being used? A. Stateful inspection C. Anomaly detection B. Protocol analysis D. Pattern matching Correct Answer and Explanation: D. Answer D is correct, because pattern matching or signature-based IDS systems monitor traffic and then compare it against known attacks to determine if an attack is occurring.
Chapter 6: Network Security 679
Incorrect Answers and Explanations: A, B, and C. Answer A is incorrect, because stateful inspection describes the method used by many firewalls to analyze the traffic stream to identify bad packets by analyzing header information. Answer B is incorrect, because protocol analysis describes the process of collecting packets from a network to analyze or inspect the packets at a later time. Answer C is incorrect, because anomaly detection is when an IDS system evaluates traffic patterns on a network, determines what is “normal” for that network, and then alerts when the traffic patterns change dramatically or suddenly. 10. You have been reading about the ways in which a network-based IDS can be attacked. Which of these methods would you describe as an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time? A. Evasion C. Session splicing B. IP fragmentation D. Session hijacking Correct Answer and Explanation: C. Answer C is correct, because session splicing is when attackers break up payloads and send them over a longer period of time in an attempt to bypass any IDS systems that may be deployed. Incorrect Answers and Explanations: A, B, and D. Answer A is incorrect, because evasion is the term used to refer to the modifications made by attackers to attack methods in an attempt to bypass IDS systems, and not a specific attack. Answer B is incorrect, because IP Fragmentation is the process of breaking IP packets into smaller datagrams. There are multiple attack methods which attempt to exploit IP Fragmentation, such as IP Fragment Overwrite, IP Fragment Overrun, and IP Fragment Buffer Full. Answer D is incorrect, because session hijacking is a man-in-the-middle attack that involves an attacker positioning themselves between the client and the server to intercept data and hijack the session. Session hijacking can also occur when a cookie or token is stolen and used by an attacker to participate in a session. 11. You have been asked to explore what would be the best type of IDS to deploy at your company site. Your company is deploying a new program that will be used internally for data mining. The IDS will need to access the data mining application’s log files and needs to be able to identify many types of attacks or suspicious activity. Which of the following would be the best option? A. Network-based IDS that is located in the internal network B. Host-based IDS C. Application-based IDS D. Network-based IDS that has sensors in the DMZ
680 Appendix: Self Test
Correct Answer and Explanation: C. Answer C is correct, because by selecting an application-based IDS system, which would be tailored for the specific application you will be able to more readily monitor the application and its components and identify application targeted attacks. Incorrect Answers and Explanations: A, B, and D. Answer A is incorrect, because a network-based IDS would encompass much more than a single application and it would be difficult to configure a network-based IDS to focus on a particular application when they are intended to monitor the broader scope of network traffic. Answer B is incorrect, because a host-based IDS system only focuses on a particular host and therefore may exclude components of a distributed application. Answer D is incorrect, because a networkbased IDS would encompass much more than a single application and it would be difficult to configure a network-based IDS to focus on a particular application when they are intended to monitor the broader scope of network traffic. Also, placing sensors in the DMZ would only be beneficial if the application had components deployed in the DMZ, but the network traffic to be analyzed in the DMZ would reach well beyond just the scope of a single application. 12. You are about to install WinDump on your Windows computer. Which of the following should be the first item you install? A. LibPcap C. IDSCenter B. WinPcap D. A honeynet Correct Answer and Explanation: B. Answer B is correct, because WinPcap is a prerequisite to the installation of WinDump. Incorrect Answers and Explanations: A, C, and D. Answer A is incorrect, because LibPcap is not a prerequisite for installing WinDump. Answer C is incorrect, because IDSCenter is not a prerequisite for installing WinDump. Answer D is incorrect, because a honeynet is not a prerequisite for installing WinDump. 13. You must choose what type of IDS to recommend to your company. You need an IDS that can be used to look into packets to determine their composition. What type of signature type do you require? A. File-based C. Content-based B. Context-based D. Active Correct Answer and Explanation: C. Answer C is correct, because content-based IDS systems can be configured to examine the contents of packets to determine their composition and will then take action based on the action configured in a matching rule set. Incorrect Answers and Explanations: A, B, and D. Answer A is incorrect, because a file-based IDS does not examine packet composition. Answer
Chapter 6: Network Security 681
B is incorrect, because a context-based IDS system does not examine packet composition. Answer D is incorrect, because an Active IDS does not examine packet composition. The idea with an Active IDS is that when an attack is detected the system will then move to stop the attack. 14. You have decided to implement split horizon DNS. You install two instances of DNS, and place one in the DMZ and one in the LAN. Which of these two DNS servers will become authoritative for your domain namespace? A. Both the DMZ- and the LAN-based servers will be authoritative for your domain namespace B. Only the LAN-based DNS C. Only the DMZ-based DNS D. Neither, the ISP is the only one who can be authoritative for a domain namespace Correct Answer and Explanation: A. Answer A is correct, because the concept of split horizons DNS is that multiple servers are authoritative for your domain namespace. The benefit in this is that the externally facing DNS can have a limited number of records, thus keeping internal records safe from harm, while still maintaining a matching namespace internally and externally in the organization. Incorrect Answers and Explanations: B, C, and D. Answer B is incorrect, because if only a single of the two servers was configured authoritative then the deployed model would not be split horizon DNS. With only the LAN-based DNS being authoritative, if the same namespace was in use internally and externally, the DMZ-based replica would potentially expose the internal records to the outside world. Answer C is incorrect, because if the DMZ-based DNS was the authoritative server for your domain namespace all records would be required to be registered in the DMZ and then replicated to the LAN-based instance. This would require firewall ports to be opened and configured as well as potentially expose the internal records to the outside world. Answer D is incorrect, because this statement is incorrect. Many companies house their DNS onsite. 15. One of your servers has a host-based IDS installation in place. The system has been generating many false positives and you would like to examine the network traffic that is going to and from the server. Which of the following tools is going to be able to successfully capture this data off the wire for you to analyze? A. A protocol analyzer C. An NIDS system B. An IDS snuffler D. A protocol stealer Correct Answer and Explanation: A. Answer A is correct, because a protocol analyzer is a tool utilized to capture data off the network. It can be
682 Appendix: Self Test
used to capture data and store it to analyze it at a later time, or it can be used to monitor real time data to and from a specific machine. Incorrect Answers and Explanations: B, C, and D. Answer B is incorrect, because an IDS snuffler does not exist, it is a fictional component. Answer C is incorrect, because an NIDS system is a network intrusion system. These systems are configured to detect network intrusions on the network and alert the administrator through configured alarms. Typically an NIDS system does not monitor a single host, but instead an entire network segment. Answer D is incorrect, because a protocol stealer is a fictional component.
Chapter 7: Wireless Networks
1. WEP uses which of the following encryption standards? A. AES C. RC4 B. ECC D. DES orrect Answer and Explanation: The correct answer is C. The RC4 C encryption algorithm is a symmetric stream cipher. This is the encryption that WEP is based on. I ncorrect Answers and Explanations: Answer A is incorrect, because AES is the advanced encryption standard and is used by 802.11i. Answer B is incorrect, because ECC is elliptic curve cryptosystem and is an asymmetric standard that is not used by WEP. Answer D is incorrect, because DES is data encryption standard and is not used by WEP.
2. The medium for communications in a wireless system is A. Cabling C. Antenna B. Access point D. EM field orrect Answer and Explanation: The correct answer is D. The medium C for communications in a wireless system is EM field, the region of space that is influenced by electromagnetic radiation. (Unlike audio waves, radio waves do not require a medium such as air or water to propagate.) I ncorrect Answers and Explanations: Answer A is incorrect, because cabling is used for a wired network. Answer B is incorrect, because an AP is the termination point of the signal. Answer C is incorrect, because an antenna is used by an AP as the device to emanate the EM field.
3. The area over which the radio waves propagate from an electromagnetic source is known as the A. Control zone C. Footprint B. Fresnel zone D. Wavelength
Chapter 7: Wireless Networks 683
orrect Answer and Explanation: The correct answer is B. The area over C which the radio waves propagate from an electromagnetic source is known as the fresnel zone. I ncorrect Answers and Explanations: Answer A is incorrect. Answer C is incorrect, because the footprint is the surface space occupied by a structure or device. Answer D is incorrect, because the wavelength is the distance (measured in the direction of propagation) between two points in the same phase in consecutive cycles of a wave.
4. Wireless devices that are communicating directly to each other without an AP are said to be operating in what mode? A. Peer to client mode C. Independent mode B. Ad-hoc mode D. Infrastructure orrect Answers and Explanations: The correct answer is B. The ad-hoc C mode is geared for a network of stations within communication range of each other. Ad-hoc networks are created spontaneously between the network participants. I ncorrect Answers and Explanations: Answers A and C are distracters. Answer D describes an infrastructure, which consists of one or more APs as well as a distribution system (that is, a wired network) behind the APs that tie the wireless network to the wired network.
5. Which of the following is not a valid class for Bluetooth? A. Class 0 C. Class 2 B. Class 1 D. Class 3 orrect Answer and Explanation: The correct answer is A. The class rating C of Bluetooth refers to the power class of the radio transmitter in the device. I ncorrect Answers and Explanations: Answer B is incorrect because Class 1 is one of three classes for Bluetooth. Class 1 devices have a range of 100 M. Answer C is incorrect, because Class 2 is another class for Bluetooth. Class 2 devices have a range of 10 M. Answer D is incorrect, because Class 3 is another class for Bluetooth. Class 3 devices have a range of less than 10 M.
6. Why is a site survey performed? A. Distribute wireless WEP/WPA/WPA2 keys B. Find and remove unwanted access locations C. Plan the design and topology of a wired network D. Record current wireless signal strength and suggest improvements Correct Answer and Explanation: The correct answer is D. The primary purpose of a site survey is to record current wireless signal strength and suggest improvements. Site surveys are used to map out the extent to
684 Appendix: Self Test
which wireless networks are visible outside the physical boundaries of the buildings in which their components are installed. Incorrect Answers: Answers A, B, and C are incorrect.
7. Tools like NetStumbler are primarily used for A. Wireless intrusion detection B. Site surveys C. Sniffing and decoding emanations from a CRT D. Attacking wireless systems orrect Answer and Explanation: The correct answer is B. The primary C use of tools like NetStumbler is that when used with wireless sniffers, they can be used in a site survey. Windows-based users would use NetStumbler and the UNIX/Linux-based user would use Kismet or Wireshark. I ncorrect Answers and Explanations: Answers A, C, and D are incorrect as NetStumbler is not used for wireless intrusion detection, decoding CRT-based data or attacking wireless systems. An example of NetStumbler is shown in Figure 7.7.
Figure 7.7 Clients Detected by NetStumbler
Chapter 7: Wireless Networks 685
8. TEMPEST is best defined as A. A method used to attack wired networks B. A means to attack wireless networks C. A passive sniffing tool D. A tool used to set up a rogue AP orrect Answer and Explanation: The correct answer is C. TEMPEST C was designed to look at hardening devices to prevent emanations form items such as keyboards and CRTs. It is not used to attack wired networks, wireless networks, or to set up a rogue AP.
9. Sending unsolicited messages over Bluetooth is defined as A. Bluecrashing C. Karma B. Bluejacking D. Bluesnarfing orrect Answer and Explanation: The correct answer is B. Sending unsoC licited messages over Bluetooth is defined as Bluejacking. Incorrect Answers and Explanations: Answer A is incorrect as bluecrashing is a distracter. Answer C, Karma is a wireless AP attack. Answer D is incorrect, as Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth device.
10. Which type of attack is best defined by the unauthorized access of information from a wireless device through a Bluetooth device? A. Bluecrashing C. Karma B. Bluejacking D. Bluesnarfing orrect Answer and Explanation: The correct answer is D. Bluesnarfing C is the unauthorized access of information from a wireless device through a Bluetooth device. I ncorrect Answers and Explanations: Answer A is incorrect as bluecrashing is a distracter. Answer B is incorrect as the sending of unsolicited messages over Bluetooth is defined as Bluejacking. Answer C, Karma is a wireless AP attack. 11. Which of the following is the most effective approach against detecting rogue APs? A. Enforce the use of static addressing B. Perform yearly site surveys C. Develop a policy that prohibits the installation of unauthorized APs D. Install wireless intrusion detection systems Correct Answer and Explanation: The correct answer is D. To prevent the installation of rogue APs, organizations should install wireless intrusion
686 Appendix: Self Test
detection systems that can detect and alert administrators to the presence of unauthorized APs. Static addressing would not prevent someone for installing an unauthorized AP. Yearly site surveys would allow an unauthorized AP to operate for a long period of time before detection. Policies are only deterrents and would do nothing to prevent the installation of the rogue AP. 12. Van Eck phreaking is best defined as A. Attacks against phone systems B. A random signal with a flat power spectral density C. To eavesdrop on the contents of the monitor using its electronic emissions D. A special enclosure that acts as an EM capacitor orrect Answer and Explanation: The correct answer is C. Van Eck phreakC ing is to eavesdrop on the contents of the monitor using its electronic emissions. I ncorrect Answers and Explanations: Answer A describes phone phreaking. Answer B describes white noise. Answer D describes a Faraday cage. 13. Sometimes a DoS attack can be unintentional. If your home wireless network is having intermittent problems in the afternoon and the evenings, the most likely issue is which of the following? A. The AP is malfunctioning and should be replaced B. Someone is attacking your network with a VOID 11 DoS attack C. The wireless network is not configured correctly D. Your cordless phone is using the same frequency as the wireless network and whenever someone calls or receives a call the phone jams the wireless network Correct Answer and Explanation: The correct answer is D. The problem is most likely that a cordless phone or other wireless devices is jamming the wireless signal because it uses the same frequency. This is becoming more and more common as cordless phone manufacturers use the same frequency as APs. 14. James is worried about the security of the wireless network and as such has disabled SSID broadcasts. James has now made the statement that his wireless network cannot be hacked. How should you respond? A. Sniffing the SSID is not possible once the SSID broadcast has been disabled B. Once broadcast has been disabled, sniffing the SSID is only possible with specialized expensive equipment C. James is correct only if 128-bit WEP has been enabled D. Even with SSID turned off someone can still sniff the network orrect Answer and Explanation: The correct answer is D. Answer C D is correct. It is possible to turn off SSID on some APs. Disabling SSID
Chapter 8: Network Access 687
broadcasts creates a “closed network.” If possible, SSID broadcasts should be disabled, although this will interfere with the capability of Windows XP to automatically discover wireless networks and associate with them. However, even if SSID broadcasts are turned off, it is still possible to sniff the network traffic and see the SSID in the frames. Incorrect Answers: Answers A, B, and C are incorrect. 15. Which of the following about 802.11a is correct? A. 802.11a and 802.11b work on the same frequencies B. 802.11g uses DSSS C. 802.11 a and 802.11b are incompatible D. 802.11a has a max speed of 11 Mbps Correct Answer: The correct answer is C. Incorrect Answers and Explanations: Answers A, B, and D are incorrect, because the 802.11a and 802.11g standards define the operation of wireless networks with higher transmission rates. The 802.11a devices are not compatible with 802.11b, because they use frequencies in the 5-GHz band. Furthermore, unlike 802.11b networks, they do not use DSSS. 802.11g uses the same ISM frequencies as 802.11b and is backward-compatible with 802.11b devices.
Chapter 8: Network Access
1. When using DAC systems with ACLs, what permission or privilege gives users the ability to read and write to an access control object? A. Write C. Execute B. Create D. Modify Correct Answer and Explanation: Answer D is correct. The “modify” permission allows users to both read and write to an access control object. Incorrect Answers and Explanations: Answer A is incorrect because the ability to write to an object does not imply the ability to read from the object. Answer B is incorrect because the ability to create new objects does not imply the ability to read or write to the new objects. Answer C is incorrect because the ability to execute an object does not imply the ability to read or write to the object.
2. When using MAC, how is permission to access control objects controlled after a user has been authenticated? A. By ACLs C. By identification B. By sensitivity levels D. By user role
688 Appendix: Self Test
Correct Answer and Explanation: Answer B is correct. Sensitivity levels such as “secret” or “top-secret” are used to control access to objects. Incorrect Answers and Explanations: Answer A is incorrect because ACLs are used by DAC, not MAC. Answer C is not correct because identification is a part of the authentication process and does not control access to objects. Answer D is incorrect because user roles are used in role-based access control, not MAC.
3. How does role-based access control differ from DAC? A. Role-based access control requires that permissions be configured on every object and DAC does not B. Role-based access control uses the ID of the user to help determine permissions to objects and DAC does not C. Role-based access control uses the position of the user in the organization structure to determine permissions for objects and DAC does not D. Role-based access control requires that every object have a sensitivity label and DAC requires that every object have an ACL Correct Answer and Explanation: Answer C is correct. Role-based access control uses the position of the user in the organization structure or their role to determine the user’s permissions. Incorrect Answers and Explanations: Answer A is incorrect because both role-based access control and DAC require that every object have permissions defined. Answer B is incorrect because DAC does use the ID of the user to determine their permissions. Answer D is not correct because rolebased access control does not use sensitivity labels.
4. The Bell–La Padula formal model for access control is most similar to which access control model? A. DAC C. Role-Based Access Control B. MAC D. Clark–Wilson Access Control Correct Answer and Explanation: Answer B is correct. The Bell–La Padula access control model specifies the use of sensitivity labels on every access control subject and object. MAC uses sensitivity labels in the same way. Incorrect Answers and Explanations: Answer A is incorrect because DAC does not use sensitivity labels as outlined in the Bell–La Padula formal access control model. Answer C is incorrect as role-based access control uses roles or positions for access control rather than sensitivity labels. Answer D is incorrect because Clark–Wilson is another formal access control model, but it is a guideline for access control relating to integrity.
Chapter 8: Network Access 689
5. The Clark–Wilson formal access control model specifies a very important guideline related to account administration. What is this guideline and what does it mean? A. Principle of least privilege Grant all the rights and permissions necessary to an account, but no more than what is needed. B. Account administration Work hand-in-hand with the human resources or personnel office of the company to ensure that accounts can be authorized and created when employees are hired and immediately destroyed when they are dismissed. C. Segregation of duties No single person should perform a task from beginning to end, but the task should be divided among two or more people to prevent fraud by one person acting alone. D. Access control Provide access control subjects the ability to work with access control objects in a controlled manner. Correct Answer and Explanation: Answer C is correct. The Clark–Wilson formal model provides guidelines related to segregation or separation of duties. Incorrect Answers and Explanations: Answer A is incorrect because the principle of least privilege is not part of the Clark–Wilson formal model. Answer B is incorrect because this definition is only part of the definition for account administration. Answer D is not correct because the Clark–Wilson formal model does not define access control itself, just manners in which access controls can be used.
6. When performing account administration, the principle of least privilege is an important guideline to apply. Why is this principle so important? A. Applying the principle of least privilege ensures that permissions are broken up based on job functions which can prevent fraud B. Applying the principle of least privilege ensures that an access control policy is in place which can increase security by requiring frequent password changes C. Applying the principle of least privilege ensures that users are guaranteed a minimum level of access to the access control objects that they need to work with which provides assurance in the form of availability D. Applying the principle of least privilege ensures that users do not have more permission to an access control object than is necessary which can prevent users from accessing more than they should Correct Answer and Explanation: Answer D is correct. By applying the principle of least privilege, you ensure that users are only able to access
690 Appendix: Self Test
what they specifically need and no more. This prevents users from being able to access data that they should not be able to access. Incorrect Answers and Explanations: Answer A is incorrect because this option describes role-based access control, not the principle of least privilege. Answer B is incorrect because the principle of least privilege has nothing to do with administrating an access control policy. Answer C is incorrect because the principle of least privilege does not provide for assurance.
7. When administering access control objects in a MAC system, what is an important part of an administrator’s duty? A. Declassifying data when necessary B. Removing ACLs when necessary C. Deleting inactive accounts regularly D. Replacing expired access control tokens when necessary Correct Answer and Explanation: Answer A is correct. Declassifying access control objects is an important part of an administrator’s duty. This involves changing the sensitivity label for the objects as needed. Incorrect Answers and Explanations: Answer B is incorrect because MAC systems do not use ACLs. Answer C is not correct because deleting inactive accounts is a function of account administration, not access control object administration. Answer D is incorrect because replacing expired tokens is also not a part of access control object administration.
8. You have been brought in as a security consultant for a programming team working on a new operating system designed strictly for use in secure government environments. Part of your role is to help define the security requirements for the operating system and to instruct the programmers in the best security methods to use for specific functions of the operating system. What method of access control is most appropriate for implementation as it relates to the security of the operating system itself? A. MAC C. RBAC B. DAC D. All of the above Correct Answer and Explanation: Answer A is correct. MAC works at the operating system level and best fits this security requirement. Incorrect Answers and Explanations: Answer B is incorrect because DAC does not meet government guidelines for a secure operating system. Answer C is not correct because role-based access control does not apply at the operating system level. Answer D is incorrect because answers B and C are incorrect.
Chapter 8: Network Access 691
9. You are designing the access control methodology for a company implementing an entirely new IT infrastructure. This company has several hundred employees, each with a specific job function. The company wants their access control methodology to be as secure as possible due to recent compromises within their previous infrastructure. Which access control methodology would you use and why? A. RBAC because it is job-based and more flexible than MAC B. RBAC because it is user-based and easier to administer C. Groups because they are job-based and very precise D. Groups because they are highly configurable and more flexible than MAC Correct Answer and Explanation: Answer A is correct. Role-based access control is more flexible than MAC and fits the job-based need specified in the scenario. Incorrect Answers and Explanations: Answer B is incorrect because RBAC is not user-based. Answer C is not correct because groups are not jobbased. Answer D is incorrect because while groups are highly configurable and more flexible than MAC, they do not fit the need of working with each user’s role.
10. You have been brought in to analyze the overall security strength of a banking organization. As part of your analysis, you work with the existing security administrator to see what issues she has to deal with on a daily basis. She receives a help desk ticket stating that a teller issued a credit to his own account then authorized the credit so that he was able to prevent bouncing a check. According to the human resources department who called in the ticket, he said that he planned on removing the credit later after he got paid. The security administrator made a change to the security policies around one of the following areas. If she analyzed the issue correctly, which area did she change the policy for? A. System logging to capture events similar to this in the future B. Separation of duties to prevent a teller from issuing and authorizing a credit C. System scanning to test other areas of the software for vulnerabilities similar to this D. Log analysis to ensure that future events like this are flagged for follow-up. Correct Answer and Explanation: Answer B is correct. The concept of separation of duties is intended to prevent events like this from occurring. Incorrect Answers and Explanations: Answer A is incorrect because while additional logging helps, it does not solve the root cause of the problem and prevent it from happening again. Answer C is not correct because system
692 Appendix: Self Test
scanning will not correct this problem. Answer D is incorrect because log analysis, while important, will not prevent this from happening. 11. Both identification and authentication play a role in access control. When analyzing a security infrastructure, you are tasked with documenting which elements of their security fall into identification versus authentication. Which option below correctly identifies these elements? A. Identification: ID Badge, PIN, User ID B. Identification: Fingerprint, User ID, Password C. Authentication: Password, PIN, Visual ID Verification D. Authentication: PIN, Fingerprint, Password Correct Answer and Explanation: Answer C is correct. A password, PIN, and verified visual ID are all proof that the person is who they say that they are. Incorrect Answers and Explanations: Answer A is incorrect because a PIN is proof of identity, not an identifier. Answer B is not correct because a password is also proof of identity, not an identifier. Answer D is incorrect because a fingerprint, until validated, is used as an identifier. 12. You are consulting for a small organization which does retail services. As part of your role, you must outline a security infrastructure and justify its cost to executives. Your biggest concern is around the lack of security in their point of sale system. Because credit cards are used for transactions in the point of sale system and it can be easily compromised, how would you justify the cost of an upgrade to executives? A. Note the merits of the new system including how much faster it can process transactions, how much easier it is to integrate with other systems, and its support for faster hardware B. Show what can happen with a real-time demonstration of how easily their current system can be compromised C. Present the merits of enterprise security and design a full enterprise architecture with appropriate intrusion, detection, and access controls to work around the limitations of the existing point of sale system D. Present an analysis of the pros and cons of upgrading including the potential cost of lost credibility in the event that the existing system is compromised Correct Answer and Explanation: Answer D is correct. The most compelling argument for mitigating the security vulnerability here is the potential lost customers and credibility in the event of a compromise of the system. Incorrect Answers and Explanations: Answer A is incorrect because while the system may be faster and have more features, that it not why you
Chapter 8: Network Access 693
are suggesting that it be upgraded. Answer B is not correct because while a demonstration may show your penetration testing abilities, it does not explain the impact of the vulnerabilities and what that means to the business. Answer C is incorrect because a full enterprise security architecture, while nice, is not necessary for a small organization using a simple point of sale system. 13. You are working on an existing Windows Active Directory implementation. A problem has been identified where users are able to keep their passwords for 90 days instead of the company mandated 30-day policy. You’ve looked at the GPO defined at the domain level and the password expiration is set for 30 days. What could be the problem? A. A policy at the OU level is setting the expiration for 90 days B. A policy at the site level is setting the expiration for 90 days C. A policy at the local level is setting the expiration for 90 days D. A policy at the domain level is set for “Enforce” Correct Answer and Explanation: Answer A is correct. Because the values in the GPO at the OU level are applied after those at the domain level, this policy can be overridden if “Enforce” is not set. Incorrect Answers and Explanations: Answer B is incorrect because the GPO at the domain level would override the setting at the site level by default. Answer C is not correct because the GPO at the domain level would override the setting at the local level by default. Answer D is incorrect because if this was set for “Enforce,” the domain policy would be taking effect. 14. When implementing a security infrastructure in an organization, you are tasked with designing their ACLs. Specifically, you must define how some firewall rules are set up. What principle or method would you want to make sure to include in your design? A. Separation of duties C. Implicit deny B. Principle of least privilege D. Block inheritance Correct Answer and Explanation: Answer C is correct. Any time that you are working with ACLs, you should define an implicit deny to ensure that access requests which fall outside the existing rules are denied by default. Incorrect Answers and Explanations: Answer A is incorrect because separation of duties does not apply to firewall ACLs in most cases. Answer B is not correct because while this should be applied to firewall configuration, it is not as critical as the implicit deny. Answer D is incorrect because block inheritance does not apply to firewall ACLs.
694 Appendix: Self Test
15. You are working with an access control mechanism which uses logical tokens to validate user access requests. When a user presents his ID and token to the secured resource, he is granted access, but it is read-only rather than the read-write access he was expecting. Where should you look first for the cause? A. Have the user confirm that he is using the right password B. Ensure that the third-party authentication service is working properly C. Check the security permissions on the access control object D. Check to see if the token has been revoked Correct Answer and Explanation: Answer C is correct. The authentication and token verification appears to be working. The issue is with the level of permission granted which implies that there is a problem with the permissions set on the access control object. Incorrect Answers and Explanations: Answer A is incorrect because the user must have had the correct password to be issued a token. Answer B is not correct because the third-party authentication service appears to have already done its job if the user has a token and it can be validated by the access control system. Answer D is incorrect because a revoked token would deny all access, not change the access level.
Chapter 9: Network Authentication
1. You are acting as a security consultant for a company wanting to decrease their security risks. As part of your role, they have asked that you develop a security policy that they can publish to their employees. This security policy is intended to explain the new security rules and define what is and is not acceptable from a security standpoint as well as defining the method by which users can gain access to IT resources. What element of AAA is this policy a part of? A. Authentication C. Access control B. Authorization D. Auditing Correct Answer and Explanation: C. Access control is defined as a policy, software component, or hardware component that is used to grant or deny access to a resource. Because this policy is defining how to access resources, it is considered part of access control. Incorrect Answers and Explanations: Answer A is incorrect because this type of written policy is not a part of the authentication process although they may explain the authentication as part of the policy. Answer B is incorrect because this type of written policy is not a part of the authorization process. In addition, authorization is not included in the acronym AAA per
Chapter 9: Network Authentication 695
CompTIA’s definition. Answer D is incorrect because this type of written policy is not part of the auditing process.
2. One of the goals of AAA is to provide CIA. A valid user has entered their ID and password and has been authenticated to access network resources. When they attempt to access a resource on the network, the attempt returns a message stating, “The server you are attempting to access has reached its maximum number of connections.” Which part of CIA is being violated in this situation? A. Confidentiality C. Availability B. Integrity D. Authentication Correct Answer and Explanation: C. Availability under CIA has not been assured because the resource is not available to the user after they have authenticated. Incorrect Answers and Explanations: Answer A is incorrect because confidentiality has not been breached in this scenario. Answer B is incorrect because integrity has not been breached in this scenario. Although the resource may not be available, that does not mean that the integrity of the data has been violated. Answer D is incorrect because authentication is not a component of CIA and the scenario describes that authentication has completed successfully.
3. You are performing a security audit for a company to determine their risk from various attack methods. As part of your audit, you work with one of the company’s employees to see what activities he or she performs during the day that could be at risk. As you work with the employee, you see him or her perform the following activities: Log in to the corporate network using Kerberos Access files on a remote system through a Web browser using SSL Log into a remote UNIX system using SSH Connect to a POP3 server and retrieve e-mail Which of these activities is most vulnerable to a sniffing attack? A. Logging in to the corporate network using Kerberos B. Accessing files on a remote system through a Web browser using SSL C. Logging into a remote UNIX system using SSH D. Connecting to a POP3 server and retrieving e-mail Correct Answer and Explanation: D. Connecting to a POP3 server sends the ID and password over the network in a nonencrypted format because of the use of cleartext authentication. This data (in addition to the e-mail content itself) is consequently vulnerable to being collected when sniffing the network.
696 Appendix: Self Test
Incorrect Answers and Explanations: A, B, C. Answer A is incorrect because logging into a network using Kerberos is secure from sniffing attacks due to encryption and timestamps. Answer B is incorrect because using SSL encrypts the connection so that it cannot be viewed by sniffing. Answer C is incorrect because using SSH encrypts the connection to the remote UNIX system.
4. You are reading a security article regarding penetration testing of various authentication methods. One of the methods being described uses a timestamped ticket as part of its methodology. Which authentication method would match this description? A. Certificates C. Kerberos B. CHAP D. Tokens Correct Answer and Explanation: C. Kerberos is the only access control method listed which uses time-stamped tickets. Incorrect Answers and Explanations: Answer A is incorrect because certificates do not use tickets although they are time-stamped. Answer B is incorrect because CHAP does not use time-stamped tickets as part of its methodology. Answer D is incorrect because tokens do not use tickets, although their numerical algorithms may be based on time stamps.
5. You are a security consultant for a large company that wants to make its intranet available to its employees via the Internet. They want to ensure that the site is as secure as possible. To do this, they want to use multifactor authentication. The site uses an ID and password already but they want to add security features that ensure that the site is indeed their site, not a spoofed site, and that the user is an authorized user. Which authentication technology supports this? A. Certificates C. Kerberos B. CHAP D. Tokens Correct Answer and Explanation: A. Certificates can be used not only to ensure that the site is the company’s Web site, but also that the user is an authorized user. The Web server can be configured to require client-side certificates. Incorrect Answers and Explanations: B, C, D. Answer B is incorrect because CHAP does not support two-way authentication in this manner. Answer C is incorrect because Kerberos can authenticate the user in a method similar to this, but could not serve to authenticate the server. Answer D is incorrect because tokens are used for one-way authentication.
6. You are developing a password policy for a company. As part of the password policy, you define the required strength of the password. Because of
Chapter 9: Network Authentication 697
the security requirements for the company, you have required a minimum length of 14 characters, the use of uppercase and lowercase alphabetic characters, the use of numbers, and the use of special characters. What else should you require? A. No dictionary words allowed in the password B. No portion of the username allowed in the password C. No personal identifiers allowed in the password D. All of the above Correct Answer and Explanation: D. All of the options listed are good requirements for a strong password. Because the security requirements are stringent enough to require the use of a 14-character password, you should ensure that the policy is as restrictive as possible in the other elements of password strength. Incorrect Answers and Explanations: Answer A is incorrect because, while this will help increase the strength of the password, it is not the strongest answer. Answer B is incorrect because, while this will help increase the strength of the password, it is not the strongest answer. Answer C is incorrect because, while this will increase the strength of the password, it is not the strongest answer. It should also be noted that all of the options except for this one can be enforced systematically whereas option C can only be enforced by policy.
7. You have been asked to help a company implement multifactor authentication. They want to make sure that the environment is as secure as possible through the use of biometrics. Based on your knowledge of authentication, you understand that biometrics falls under the “something you are” category. Which other category should be used with the biometric device to provide the highest level of security? A. Something you know C. Something you do B. Something you have D. All of the above Correct Answer and Explanation: D. All of these options have their own benefits and detriments. A combination of all of them in a multifactor authentication system would provide the highest level of security although it would be quite an inconvenience to the user. Incorrect Answers and Explanations: Answer A is incorrect because, while this is a valid solution for the multifactor authentication requirement, it is not the most secure solution. Answer B is incorrect because this too is not the most secure solution. Answer C is incorrect as well because any twofactor authentication method is not as secure as a four-factor authentication method.
698 Appendix: Self Test
8. You are attempting to query an object in an LDAP directory using the distinguished name of the object. The object has the following attributes: cn: 4321 givenName: John sn: Doe telephoneNumber: 905 555 1212 employeeID: 4321 mail: [email protected] objectClass: organizationalPerson Based on this information, which of the following would be the distinguished name of the object? A. dc = nonexist, dc = com B. cn = 4321 C. dn: cn = 4321, dc = nonexist, dc = com D. [email protected] Correct Answer and Explanation: C. dn: cn = 4321, dc = nonexist, dc = com. The distinguished name is a unique identifier for the object, and is made up of several attributes of the object. It consists of the relative distinguished name, which is constructed from some attribute(s) of the object, followed by the distinguished name of the parent object. Incorrect Answers and Explanations: Answer A is incorrect, because this identifies the root of the tree. Answer B is incorrect, because this identifies the common name of the object. Answer D is incorrect, because this is the user account’s e-mail address.
9. You are creating a new LDAP directory, in which you will need to develop a hierarchy of OUs and objects. To perform these tasks, on which of the following servers will you create the directory structure? A. DIT C. Root server B. Tree server D. Branch server Correct Answer and Explanation: C. The root server is used to create the structure of the directory, with OUs and objects branching out from the root. Because LDAP directories are organized as tree structures, the top of the hierarchy is called the root. Incorrect Answers and Explanations: Answer A is incorrect, because the DIT is the name given to the tree structure. Answers B and D are i ncorrect, because there is no such thing as a Branch server or Tree server in LDAP.
Chapter 9: Network Authentication 699
10. When using LDAP for authentication in an internetworking environment, what is the best way to ensure that the authentication data is secure from packet sniffing? A. Use LDAP to keep all passwords encrypted when transmitted to the server. B. Use LDAP over SSL/TLS to encrypt the authentication data. C. Require that the clients use strong passwords so that they cannot easily be guessed. D. Use LDAP over HTTP/S to encrypt the authentication data. Correct Answer and Explanation: B. Use LDAP over SSL/TLS to encrypt the authentication data. This will ensure that no LDAP authentication is performed unencrypted, so that anyone capturing the packets on the network will be able to read it easily. Incorrect Answers and Explanations: Answer A is incorrect, because LDAP doesn’t encrypt data transmitted between the client and server. Answer C is incorrect, because even though it is important to use strong passwords, it does not protect the authentication data from being captured by a packet sniffer. Answer D is incorrect, because HTTP/S is a protocol for transferring Web pages securely. 11. Which password attack will take the longest to crack a password? A. Password guessing C. Dictionary attack B. Brute force attack D. All attacks are equally fast Correct Answer and Explanation: B. Brute force tries most if not all combinations, so it takes the longest time. Incorrect Answer and Explanations: Answer A is incorrect because password guessing can be the fastest if correct guesses are used. Answer C is incorrect because a dictionary attack, if successful, only uses a very finite amount of tries. Answer D is incorrect because certainly different methods have different speeds. 12. The company you are working for has decided to do something to make their workstations more secure. They have decided to give all users a Smart Card for use with system logins. Which factor of authentication is utilized with this new requirement? A. Something you know C. Something you are B. Something you have D. Something you do Correct Answer and Explanation: B. A Smart Card is something you have, so this is the appropriate authentication factor.
700 Appendix: Self Test
Incorrect Answers and Explanations: A, C, D. Answer A is incorrect because a Smart Card does not necessarily require a password so the “something you know” factor does not apply. Answer C is incorrect because this factor relates to biometrics and therefore does not apply to Smart Cards. Answer D is incorrect because Smart Cards are a physical object, not an action, and therefore do not necessarily provide this factor. 13. Choose the correct set of terms: When a wireless user, also known as the ___________ wants to access a wireless network, 802.1x forces them to authenticate to a centralized authority called the ____________. A. Authenticator; supplicant C. Supplicant; negotiator B. Supplicant; authenticator D. Contact; authenticator Correct Answer and Explanation: B. Supplicant is the client that wants to access a wireless network and authenticator performs the authentication. Incorrect Answers and Explanations: A, C, D. Answer A is incorrect in order; Answer C is incorrect as there is no negotiator in the process. Answer D is incorrect as contact is not the right term used while defining authentication process. 14. One of the biggest differences between TACACS and TACACS+ is that TACACS uses _________ as its transport protocol and TACACS+ uses _________ as its transport protocol. A. TCP; UDP C. IP; TCP B. UDP; TCP D. IP; UDP Correct Answer and Explanation: B. TACACS is based on UDP and TACACS+ is based on TCP. Incorrect Answers: A, C, D. 15. EAP is available in various forms including: A. EAPoIP, EAP-TLS, EAP-TTLS, RADIUS, Cisco LEAPEAP-FAST B. EAPoIP, EAP-TLS, EAP-MPLS, RADIUS, EAP-FAST C. EAPoIP, EAP-TLS, EAP-TTLS, RADIUS, Cisco PEAP D. EAPoIP, EAP-TLS, EAP-TTLS, Kerberos, EAP-FAST Correct Answer and Explanation: A. EAP comes in several forms: EAP over IP (EAPoIP), Message Digest Algorithm/Challenge-Handshake Authentication Protocol (EAP-MD5-CHAP), EAP-TLS, EAP-TTLS, RADIUS, and Cisco LEAP. Incorrect Answers and Explanations: B, C, D. EAP-MPLS, Cisco PEAP, and Kerberos are not the EAP forms.
Chapter 10: Risk Assessment and Risk Mitigation 701
Chapter 10: Risk Assessment and Risk Mitigation
1. You are the security officer of a company, and you have been asked to implement an employee security program. Where would you start? A. Security scan C. Security audit B. Security policy D. Lock down access for everyone orrect Answer and Explanation: The answer is B. A nswer B is corC rect, because your first step must be a security policy. The remaining steps (excluding locking down access to everyone) will be follow-up steps after you write your policy. Your security policy is your starting point.
2. IDS stands for A. Intrusion directive system B. Implosion detection system
C. Intrusion detection system D. Intuitive detection system
Correct Answer: The correct answer is C.
3. A con of a signature-based IDS system would be A. Takes a while to create statistically significant baselines B. Signature-based IDSes can also impose noticeable performance drags on systems when current behavior matches multiple signatures C. Can observe when current behavior deviates statistically from the norm D. Requires access to a current database of attack signatures and some way to actively compare and match current behavior against a large collection of signatures Correct Answer: The answer is B. I ncorrect Answers and Explanations: Answer A is incorrect, because it is a con to an anomaly-based system. Answer C is incorrect, because it is a Pro to an anomaly-based system. Answer D is incorrect, because it is a Pro to a signature-based system.
4. GLBA stands for A. Georgia Liability Behavior Act B. Gramm Liability Behavior Act C. Gilbert Lessons Biohazard Act D. Gramm–Leach–Bliley Act Correct Answer: The answer is D.
702 Appendix: Self Test
5. Vulnerability scanners are designed to A. Map systems for weaknesses B. Monitor the traffic on a network and expose data and protocols that are being passed along the wire C. Never attempt to exploit a known vulnerability D. Detect exploited systems and warn the administrator about them Correct Answer: The answer is A. Incorrect Answers and Explanations: Answer B is incorrect, because it is a protocol analysis. Answer C is incorrect, because the scanner will attempt to exploit a known vulnerability. Answer D is incorrect, because packet sniffing is a protocol analysis tool.
6. When you are configuring auditing within Microsoft Windows, where do you set up the auditing? A. MMC C. Certificates B. Computer management D. Local security settings Correct Answer: The answer is D. I ncorrect Answers and Explanations: Answers A, B, and C are incorrect, because they are not where you are setting up auditing within Microsoft Windows. Unless you a part of a domain, you set up auditing within your Local Security Policy. For a domain, you would set it up in a Domain Security Policy.
7. You have identified a number of risks to which your company’s assets are exposed, and you want to implement policies, procedures, and various security measures. In doing so, what will be your objective? A. Eliminate every threat that may affect the business B. Manage the risks so that the problems resulting from them will be minimized C. Implement as many security measures as possible to address every risk that an asset may be exposed to D. Ignore as many risks as possible to keep costs down Correct Answer: The answer is B. I ncorrect Answers and Explanations: Answer A is incorrect, because you cannot expect to eliminate every threat to a business. Answer C is incorrect, because you shouldn’t throw all the security measures at a problem at once. Answer D is incorrect, because you will always have to focus on some risks rather than ignore them.
Chapter 10: Risk Assessment and Risk Mitigation 703
8. Network mapping tools are used to discover and ensure what devices are on your network. Which of the following wouldn’t be checked by such a tool? A. The responses of DoS attacks B. The strength of passwords C. Missing patches installed on your server D. The ability to access a network from the outside orrect Answer and Explanation: The answer is C. Answer C is correct, C because network mapping tools will not be able to tell what patches you need to install on your server. I ncorrect Answers and Explanations: Answer A is incorrect, because network mapping tools will test the responses of DOS attaches. Answer B is incorrect, because network mapping tools do check the strength of the passwords. Answer D is incorrect, because network mapping tools do measure the ability to access a network from the outside.
9. Segmentation of duties does not require A. The collusion of at least three people to perform any unauthorized activities B. Access to sensitive combinations of capabilities C. Prohibiting conversion and concealment D. The same person to both originate and approve transactions orrect Answer and Explanation: The answer is A. Answer A is correct, C because you need the collusion of at least two people. I ncorrect Answers and Explanations: Answers B, C, and D are incorrect, because these are all requirements of segmentation of duties.
10. What level is not available in DNS logging? A. Errors only C. Warnings only B. Errors and warnings D. None of the above orrect Answer and Explanation: The answer is C. Answer C is correct, C because you do not have the option of warnings only in DNS logging. I ncorrect Answers and Explanations: Answers A and B are incorrect, because these levels are available in DNS logging. 11. What objective is not part of risk assessment and risk mitigation? A. Advantages of risk mitigation tools B. Auditing and logging C. Password hacking D. Tools you can use to monitor your system
704 Appendix: Self Test
orrect Answer and Explanation: The answer is C. Answer C is correct, C because hacking into your system is not part of risk assessment and risk mitigation. I ncorrect Answers and Explanations: Answers A, B, and D are all part of risk assessment and mitigation. 12. You have decided that you are going to have an audit performed within your organization. What are the things not to consider? A. External regulatory requirements B. Your last external audit C. Internal policies D. Change control procedures orrect Answer and Explanation: The answer is B. Answer B is correct, C because when you are setting up external audit requirements, your last audit is irrelevant once you have made the decision. I ncorrect Answers and Explanations: Answer A, C, and D are all critical areas for the audit company to know. 13. An investigator arrives at a site where all of the computers involved in the incident are still running. The first responder has locked the room containing these computers but has not performed any additional tasks. Which of the following tasks should the investigator perform? A. Tag the computers as evidence B. Conduct a search of the crime scene, and document and photograph what is displayed on the monitors C. Package the computers so that they are padded from jostling that could cause damage D. Shut down the computers involved in the incident orrect Answer and Explanation: The answer is D. Answer D is correct, C because the first thing you should do is shut down the computer and limit any exposure to them. I ncorrect Answers and Explanations: The other tasks listed in answers A, B, and C are follow-up tasks. 14. IDS can operate in one of four states. Which state is defined as an attack occurred, yet it was not detected? A. Positive C. False positive B. Negative D. False negative
Chapter 11: General Cryptographic Concepts 705
orrect Answer and Explanation: The answer is D. Answer D is correct, C because a false negative indicates that an attack occurred and yet it was not detected. I ncorrect Answers and Explanations: Answer A is incorrect, because a positive state indicates that an attack occurred and the IDS detected it. Answer B is incorrect, because a negative state indicates that no attack occurred and none was detected. Answer C is incorrect, because a false positive state indicates that no attack occurred yet the IDS believes that one did occur and triggered an alert. 15. What is the goal of a risk assessment? A. To test the basic strength of your systems and create a report for your executive team B. To test everything possible and create a report for your executive team C. To test everything possible and to create a report that will be read by your management and customers, showing what was performed, what was discovered, and how issues were addressed D. To test everything possible and to create a report that shows you have no issues and will be read by your management and customers Correct Answer and Explanation: The answer is C. You wish to test everything you can, and make sure you show your customers as well as your executives what was done. You need to be honest and up front about issues that were discovered, and corrected.
Chapter 11: General Cryptographic Concepts
1. What cryptographic properties should a strong symmetric cipher have? A. The number of bits in the key should be large so as to discourage bruteforce cracking B. Encryption should be slow so as to discourage brute-force cracking C. Bits in the cipher text should never be the same value as the corresponding bit in the plain text D. The same plain text should always generate the same cipher text E. The cipher should prevent the use of keys chosen by poor random number generators Correct Answers and Explanations: A and D are the two properties from this list that are useful for a symmetric cipher.
706 Appendix: Self Test
Incorrect Answers and Explanations: B is not a good idea, since symmetric ciphers are generally required to be fast. C would indicate that the cipher simply inverts every bit, which is not a strong cipher. E is not a property of the cipher but a property of key generation.
2. Which key is used to decrypt traffic encrypted using an asymmetric cipher? A. The sender’s public key D. The recipient’s private key B. The recipient’s public key E. A negotiated shared secret C. The sender’s private key Correct Answer and Explanation: D—the recipient’s private key is the only key that will decrypt traffic in an asymmetric cipher. The easy way to remember this is that only the recipient should be able to decrypt the traffic, and if there’s an action only the recipient can do, it is to use his private key. This seems like an easy question, but I see it stated wrongly in a number of places. The reader might be tempted to select E, because most traffic encryption schemes start with an asymmetric cipher used to exchange symmetric keys for use in a subsequent symmetric cipher, but we were specifically asking about traffic encrypted using an asymmetric cipher.
3. What technique improves the protection given by a cryptographic hash of small data? A. Signing the hash with a private key B. Padding the data with null bytes to match the block size of the hash algorithm C. Prefixing the small data with a random value prior to hashing it D. Repeating the data two or more times Correct Answer and Explanation: C—this is known as “salting” the data or “adding a salt.” I ncorrect Answers and Explanations: Answer A doesn’t address the question, which is to improve the protection given by a hash; signing the hash provides different protections, but doesn’t increase the protection we have applied using a hash. Answer B almost helps, but with the example of the LM Hash, it is clear that it doesn’t make the problem of unhashing the hash any harder. Answer D also does not add any “entropy” or randomness that could be used to increase the protection provided by the hash.
4. What is the process required to digitally sign a document? A. Calculate a hash of the document and encrypt the hash with the recipient’s public key B. Calculate a hash of the document and encrypt the hash with the sender’s private key
Chapter 11: General Cryptographic Concepts 707
C. Encrypt the document with the recipient’s public key and attach a hash to the document D. Encrypt the document with the sender’s private key and attach a hash to the document E. Encrypt the document and its hash with a shared secret key negotiated through public key exchange. Correct Answer and Explanation: B. This is a simple definition uestion—to sign a document, you (the sender) must calculate a hash over q the document’s contents and then encrypt the hash with your private key, which acts as proof that it was you who signed the document.
5. Why is a digital signature not simply performed by encrypting the entire document using the sender’s private key? Select one or more answers. A. Because it would be slow on large documents B. Because encryption of large amounts of data with the private key could expose information about the private key C. Because nobody has carried out cryptanalysis on this method D. Because not all the document is important enough to encrypt E. Because encrypting the whole document would be more likely to create a colliding hash Correct Answers and Explanations: A to D are all reasons not to use encryption with the private key as a replacement for a proper digital signature. Answer A is usually the most compelling reason, as creation of a hash of a large document is significantly faster than encrypting it. Answers B and C go together—cryptanalysis of discouraged methods of using an encryption tool is generally not performed, and it is theorized that some private keys could expose information about themselves if used to encrypt large stretches of predictable data. Finally, answer D is also correct—the signature should not alter the document, because it may be useful or even necessary for the document to be read independently from its signature. I ncorrect Answers and Explanations: Answer E is nonsense—the encrypted document contains at least as much entropy or randomness as the original and therefore should not be any more likely to create a colliding hash.
6. How should you encrypt an X.509 digital certificate to protect it in normal use? A. Use the RSA encryption algorithm with a key derived from the certificate’s private key B. Use the DES encryption algorithm with a shared secret key that will be published for certificate users to fetch C. Use the base64 encoding scheme D. No encryption is necessary for normal use of a certificate
708 Appendix: Self Test
Correct Answer and Explanation: D. No encryption is necessary, because everything in a certificate is considered “public” information. This comes as a surprise to some readers, because there is an association between the certificate and its private key—however, the term “certificate” only refers to public information, and it is important to learn this and use the term correctly to avoid confusion when discussing certificate-based solutions.
7. When verifying a certificate from the Web site “www.whitehouse.gov/,” which of the following Subject names would be correct matches? A. CN = www.whitehouse.gov, S = District of Columbia, OU = Office of Administration, O = Executive Office of the President, L = Washington, C = US B. www.whitehouse.gov C. www.whitehouse.gov/ D. CN = www.whitehouse.gov E. CN = *.gov Correct Answers and Explanations: A, D. The “CN = ” portion of the subject name is what is checked. Incorrect Answers and Explanations: B and C would be invalid subject names and should be refused by the browser. E is incorrect, because although “*.gov” would match “whitehouse.gov,” it is not allowed to match “www.whitehouse.gov.”
8. Between which dates should you keep a certificate on file? A. From the Valid-From date until the Valid-To date B. From the Valid-From date until the certificate is revoked or expires, whichever is the sooner C. For all dates during which you intend to use the certificate to verify or decrypt protected data D. From the day it first appears in a revocation list, until the Valid-To date Correct Answer and Explanation: C. There are many uses of a certificate outside of its valid lifetime, generally to verify that a certificate was used at a time in the past (during its valid lifetime).
9. In a dual-sided certificate, what private keys should be retained by the issuing organization for later recovery? Choose one. A. No private keys should ever be held by anyone but the owner B. The signing key C. The decrypting key D. Both the signing and the decrypting key
Chapter 11: General Cryptographic Concepts 709
Correct Answer and Explanation: C. For use in an enterprise or organization, the signing key is used to identify the individual, but the decrypting key is used to allow the individual to encrypt and decrypt organizational data to which the individual has been allowed access. In a sense, the decrypting key belongs more to the organization than the individual and should be retained by the organization. 10. One-time pads would be the perfect source of a key stream for symmetric encryption—but what makes them impractical? Choose one or more answers. A. Their length B. The secrecy required to exchange and protect them C. Transcription errors when reading from the paper of the pad D. The fact that you can only use them once Correct Answers and Explanations: A and B make one-time pads impractical for general use. The length of an OTP stream must be at least as long as the stream of data being protected. The OTP must be exchanged in perfect secrecy, and maintained in secret until it is used—and then either maintained in secret or destroyed. That is a long time to keep a large piece of data secret. I ncorrect Answers and Explanations: Answer C—transcription errors— would apply to any method of holding a secret, and Answer D is simply a part of the point of a one-time pad. 11. I am sending a document by e-mail to a client that must remain protected through its transmission to the client, but which I want the client to be able to read, print, or distribute once the client has received it. Which protocol or protocols would achieve this? A. S/MIME D. FTP over TLS. B. S-HTTP E. All of the above C. SMTP with STARTTLS Correct Answers and Explanations: A. S/MIME and S-HTTP allow the encryption of the document from sender to recipient, and FTP over TLS allows the encryption of a document from the client to the server, which also matches the requirement. But only S/MIME works over e-mail as required in the question. Answer C—SMTP with STARTTLS—is an e-mail protocol, but because SMTP is a store-and-forward protocol, this only guarantees one hop, after which the message may be sent and stored decrypted before it reaches the recipient.
710 Appendix: Self Test
12. With which key is an EFS-protected file encrypted? A. The shared FEK B. The file creator’s private key C. A key made from combining the file creator’s public key with the FEK D. The FEK after it has been encrypted with the file creator’s public key Correct Answer and Explanation: A. The file is encrypted using a shared key known as the FEK. This key is then encrypted using the creator’s public key and the public keys of any users who are granted access. 13. By roughly how much does Whole Disk Encryption reduce the available storage space? A. 5 percent B. 10 percent C. Three or four disk sectors D. It depends on the block size of the encryption algorithm Correct Answer and Explanation: C. Whole Disk Encryption uses a block cipher that does not add any extra header or trailer bytes (which, if present, would cause a constant percentage loss of disk space); the sectors used up are those that store the keying information and the boot software needed to access the keying information and load the disk. 14. What is the difference between TPM “Wrap” and “Seal”? A. The “wrap” operation will allow a key to be used at any time; the “seal” operation will allow a key to be used only when system measurements match those present at the time of sealing the key B. The “wrap” operation allows a key to be revealed if the system measurements match those at its creation; the “seal” operation never allows a key to be revealed but may allow it to be used C. The “wrap” operation uses symmetric cryptography keys; the “seal” operation uses asymmetric keys D. The “seal” operation is designed not to leak the key, the “wrap” operation may leak the key under some attacks Correct Answer and Explanation: A. This is the definition of the TPM “wrap” and “seal” operations. 15. What are the necessary components to fully protect a laptop using Whole Disk Encryption? A. A TPM or similar key operation component B. A well-trained user C. External key material—for example, a USB stick or a passphrase
Chapter 12: Public Key Infrastructure 711
D. A BIOS and boot sector that support the use of encryption and the TPM E. All of the above Correct Answer and Explanation: E. All these components are required to protect a laptop using Whole Disk Encryption.
Chapter 12: Public Key Infrastructure
1. You are applying for a certificate for the Web server for your company. Which of these parties would you not expect to be contacted in the process? A. A registration authority C. A key escrow agent B. A leaf CA D. A root CA Correct Answer: Answer D. A root CA. Incorrect Answers and Explanations: You will most likely contact a RA (Answer A) to prove your identity as a representative of your company, and you will be receiving your issued certificate from the leaf CA (Answer B). You will also want to escrow your private key with a key escrow agent (Answer C) so that it can be recovered in the event of your departure from the company, or you losing the key. However, you will never want to contact the root CA, because the root CA is only used to form the trust anchor at the root of the certificate chain.
2. What portion of the information in your certificate should be kept private? A. All of it. It is entirely concerned with your private information. B. None of it. There is nothing private in the certificate. C. The thumbprint that uniquely identifies your certificate D. The public key listed in the certificate Correct Answer and Explanation: Answer B. The certificate contains no private information, and its design is that it should be transmitted publicly and shared with anyone who connects to your server. Incorrect Answers and Explanations: The thumbprint is simply an identifier, like a unique name, and the public key is, of course, public. Answers A, C, and D are incorrect because they suggest that the certificate contains some or all private information.
3. In creating a key recovery scheme that should allow for the possibility that as many as two of the five key escrow agents are unreachable, what scheme is most secure to use? A. Every escrow agent gets a copy of the key. B. m of n control, where m is 3 and n is 5
712 Appendix: Self Test
C. Every escrow agent gets a fifth of the key, and you keep copies of those parts of the key so that you can fill in for unreachable agents. D. Keep an extra copy of the key with family members, without telling them what it is. Correct Answer and Explanation: Answer B. m of n control is necessary for providing key recovery in a secure manner while accommodating the possibility that a number of agents are unreachable. Incorrect Answers and Explanations: If every escrow agent gets a copy of the key (Answer A), then any one of them is able to impersonate you. If every agent gets a fifth of the key (Answer C), you can recover the key if all five agents are available, but if you are covering for unreachable agents, then you face the likelihood that the same disaster that wiped out your key also wiped out your copy of the key. Storing keys with family members (Answer D) is not secure.
4. What statement best describes the transitive trust in a simple CA model? A. Users trust certificate holders, because the users and the certificate holders each trust the CA. B. Users trust certificate holders, because the users trust the CA, and the CA trusts the certificate holders. C. Certificate holders trust users, because the certificate holders trust the CA and the CA trusts its users. D. Users trust certificate holders, because the certificate holders have been introduced to the users by the CA. Correct Answer and Explanation: Answer B. Users trust the CA, the CA trusts the certificate owners, and therefore the users trust the certificate owners. Incorrect Answers and Explanations: Answer A is wrong, because there is no trust from the certificate holders up to the CA. Answer C is wrong for the same reason, and also because there is no trust from the CA to its users. Answer B is wrong, because it does not involve the PKI model in any way.
5. In a children’s tree-house club, new members are admitted to the club on the basis of whether they know any existing members of the club. What form of PKI would be most analogous to this? A. A hierarchical CA model C. A simple CA model B. A chain of trust D. A web of trust Correct Answer and Explanation: Answer D. A web of trust is a model in which new members are added to the trust model by creating a trust relationship between themselves and any existing member of the web.
Chapter 12: Public Key Infrastructure 713
Incorrect Answers and Explanations: Any CA model (Answers A and C) would require a CA, a trusted authority who would uniquely identify who is allowed in the club. A chain of trust (Answer B) would assume that each newly admitted member knew only the most recent addition to the club.
6. In a hierarchical CA model, which servers will use self-signed certificates to identify themselves? A. Root CAs D. Subordinate CAs B. Intermediate CAs E. All CAs C. Leaf CAs Correct Answer and Explanation: Answer A. Any CA other than the root must chain up to the root; only the trust anchor is able to vouch for itself with no other authority to support its claim. Incorrect Answers and Explanations: Intermediate CAs (Answer B) are signed by another CA; Leaf CAs (Answer C) are signed by the intermediate or root CA above them; subordinate CAs (Answer D) are signed by the CA above them. Answer E—all CAs—cannot be true unless all A–D are true.
7. Where would you search to find documentation on the formats in which certificates and keys can be exchanged? A. ITU X.500 standards B. Internet Requests for Comment (RFCs) C. PKCS D. ITU X.509 standards E. Internet Drafts Correct Answer and Explanation: Answer C. The PKCS define formats for exchange of certificates, keys, and encrypted information. Incorrect Answers and Explanations: The ITU X.500 standard (Answer A) defines addresses; X.509 (Answer D) defines certificates, but not the formats in which they are exchanged. The Internet Drafts (Answer E) and Internet RFCs (Answer B) define a large number of protocols, but not all of the PKCS.
8. Which of the following certificate lifecycle events is best handled without revoking the certificate? A. The contact e-mail address for the certificate changes to a different person. B. The certificate reaches its expiry date. C. The company represented by the certificate moves to a new town in the same state. D. The certificate’s private key is accidentally posted in a public area of the Web site.
714 Appendix: Self Test
Correct Answer and Explanation: Answer B. When the certificate reaches its expiry date, it naturally expires everywhere, and you should already have requested a renewal certificate with a later expiry date. Incorrect Answers and Explanations: The other answers are all reasons to revoke the certificate as soon as possible. Answer A, a change of contact e-mail address, requires revoking the certificate to prevent the old e-mail contact from being able to submit a request for a changed certificate; a change of address (Answer C) voids information in the certificate, so that it is no longer a true statement of identity; accidental (or deliberate) exposure of the private key to unauthorized parties results in the certificate being unreliable as a uniquely identifying piece of information.
9. If you are following best PKI practices, which of the following would require a certificate to be revoked? A. The private key is destroyed in an unfortunate disk crash. B. The certificate has been found circulating on an underground bulletin board. C. The private key was left on a laptop that was stolen, then recovered. D. A new certificate is generated for the same private key. Correct Answer and Explanation: Answer C. The private key may have been exposed to someone while the laptop was in their possession. Incorrect Answers and Explanations: If the private key is destroyed (Answer A), you should follow key recovery procedures. The certificate is supposed to circulate anywhere, even in public, so Answer B is incorrect. If a new certificate is generated from the same private key (Answer D), that’s just an overlap between two valid certificates, a natural part of certificate renewal.
10. Which is an example of m of n control? A. A personal check book for an individual B. A business check book, requiring signatures of two principals C. A locked door with a dead-bolt D. A bank vault with a time lock that allows opening at three separate times within a week Correct Answer and Explanation: Answer B. This is a “2-of-N” control, where N is the number of principals at the company. Incorrect Answers and Explanations: Answer B requires one signature; Answer C may require two or more keys, but they are possessed by the same individual; and Answer D does not specify how many individuals may open the safe.
Chapter 12: Public Key Infrastructure 715
11. Which statement is true about a CRL? A. A CRL may contain all revoked certificates, or only those revoked since the last CRL. B. A CRL is published as soon as a revocation is called for. C. A CRL only applies to one certificate. D. A CRL lists certificates that can never be trusted again. Correct Answer and Explanation: Answer A. A CRL may be simple, containing all certificates that have been revoked, or delta, containing all certificates that have been revoked since the last CRL was published. Incorrect Answers and Explanations: Answer B is not true. CRLs are published to a schedule. Answer C is not true of CRLs, but is true of OCSP. Answer D is not true, because some of the certificates on the CRL may be merely “suspended,” and will be trustable later. 12. Your company receives a list of certificates in a CRL. Which certificates in this list should not be permanently marked as untrustworthy? A. Certificates for which you own the private key B. Certificates whose name matches those under your company’s domain C. Those marked as “Certification Hold” D. None—all certificates in a CRL are permanently untrustworthy Correct Answer and Explanation: Answer C. Certificate Hold means a certificate is suspended, and will not be used for a time. Certificates for which you own the private key may be revoked, if their information is no longer valid, or you allowed the private key to be exposed. The same is true for certificates under your company’s domain. 13. When exchanging encrypted information with a trusted partner by e-mail, what information do you need to exchange first? A. Your certificates B. Your private keys C. The expected size of the data to be sent D. Web site addresses Correct Answer and Explanation: Answer A. Your certificates need to be exchanged, so that e-mail to you can be encrypted using your public key. Incorrect Answers and Explanations: Exchanging your private key with anyone (Answer B) is a definite no-no. The expected size of the data to be sent (Answer C) may be interesting, but is not a necessary precursor to sending encrypted e-mail; sending Web site addresses (Answer D) is not of any particular use to exchanging encrypted information.
716 Appendix: Self Test
14. An attacker has broken into your SSL-secured Web server, which uses a certificate held in local software storage, and defaced it. Do you need to revoke the certificate? A. Yes. Software storage is no protection against hackers, and the hacker may now have the private key in his possession. B. No. The hacker would have needed to know the key’s password to sign anything. C. No. The hacker cannot use the key to sign data once the Web server has been repaired. D. Yes. The hacker may have used the key to sign information that others may continue to trust. Correct Answer and Explanation: Answer D. The hacker has defaced the site, and as a result, a site behind SSL was giving out trusted information that was incorrect. Revoking the certificate allows you to notify users to not trust the signed data. Incorrect Answers and Explanations: Answer A is false, because software storage is some protection against hackers, as the key is only known to those with the right password. Answer B is false, because even without knowing the key, the attacker has persuaded the Web site to certify that the data is coming from your site through SSL. Answer C is false, because although the hacker can no longer use the key, he or she has already signed data of his or her own as yours. 15. A certificate from your company was revoked after its private key was exposed. Now that a new certificate has been generated using a new key pair, what should you do with the old key pair? A. Use the key pair to generate a new certificate under a different name. B. Destroy the key pair. C. Deregister the old certificate. D. Use the private key to sign your own CRL. Correct Answer and Explanation: Answer B. The key pair should be destroyed, so that it is not inadvertently used. Incorrect Answers and Explanations: Answer A. Using the key pair to generate a new certificate would be bad, because anyone who has the exposed private key would be able to pretend to be the identity in the new certificate. Answer C. Deregistering a revoked certificate is not necessary, and would confuse people as to what the certificate now represents. Answer D. Using the private key to sign your own CRL is not appropriate, as you are not acting as a CA in this example.
Chapter 13: Redundancy Planning 717
Chapter 13: Redundancy Planning
1. Your company wants to set up an alternate site that can be used if a disaster damages servers or the network. A copy of the data will be held on servers at this location, with replication data from production servers being copied to it. Which of the following sites will you implement? A. Hot site C. Warm site B. Cold site D. Hot spare Correct Answer and Explanation: A. A hot site has a copy of the data on a server at the site, and may have data replicated to the server in real time. If a disaster occurred, there would be minimal downtime, allowing the business to resume normal business functions quickly. Incorrect Answers and Explanations: B is incorrect, because a cold site is built from scratch, and thereby wouldn’t have servers online on which a copy of the data could be stored. C is incorrect, because a warm site doesn’t have all of the data available on servers. The bulk of data must be restored to servers from backup tapes. D is incorrect, because a hot spare is a redundant component that is used for fault tolerance and can be brought online to take over the functions of a faulty component.
2. Your company wants to set up an alternate site that can be used if a disaster damages servers or the network. The company has budgeted to have servers, some furniture, and other necessary equipment set up onsite. In the event of a disaster, these servers can be brought online. The site will also be used for storage, having backup tapes of the production servers stored there. This not only makes it cheaper, not having to pay a security company for storage of tapes, but also allows the data to be restored to servers quickly if a disaster occurs. What kind of site is this? A. Hot site B. Cold site
C. Warm site D. Hot spare
Correct Answer and Explanation: C. While the necessary equipment is onsite, the bulk of data needs to be restored to servers, and additional work needs to be done. Incorrect Answers and Explanations: A is incorrect, because a hot site has a copy of data stored on the servers, and doesn’t need additional equipments brought to the site in the case of a disaster. B is incorrect, because a cold site would need to have servers to be set up and wouldn’t have most of the necessary equipments onsite. D is incorrect, because a hot spare is a redundant component that is used for fault tolerance, and can be brought online to take over the functions of a faulty component.
718 Appendix: Self Test
3. Your company wants to set up an alternate site that can be used if a disaster damages servers or the network. Due to budget concerns, it doesn’t have the capabilities to provide much funding. Which of the following is the least expensive type of alternate site to implement? A. Hot site C. Warm site B. Cold site D. Hot spare Correct Answer and Explanation: B. A cold site is the least expensive of the different types of alternate sites, but it is also the most time consuming to bring online during a disaster. It requires the most work to set up, because, although it may have all or part of the necessary equipments and resources needed to resume business activities, the servers need to be installed and data needs to be restored to the servers. The site basically needs to be built from the scratch during the disaster and may require additional equipments either to be obtained from other offices or purchased. Incorrect Answers and Explanations: A is incorrect, because it is the most expensive site. A hot site has the necessary hardware, software, phone lines, and network connectivity to allow a business to resume normal functions almost immediately. C is incorrect, because a warm site is partially equipped and is more expensive than a cold site. D is incorrect, because a hot spare is a redundant component that is used for fault tolerance, and can be brought online to take over the functions of a faulty component.
4. You are deciding on appropriate locations for a cold site that will be used in case of a disaster. You decide to set up the cold site in a nearby facility, which is used by the company to store equipment and office supplies. The building has an old Halon system for fire suppression in key areas, has air conditioning in all areas, and is dry. Should a disaster occur, the members of the organization will simply move down the street and set up operations at this location. Based on the features and location of the site, is it suitable to set up a cold site? A. The facility is a perfect location for a cold site B. The fire suppression system, air conditioning, and other environmental conditions make it unsuitable for a cold site C. The physical proximity to the company makes it unsuitable for a cold site D. The fact that it is not part of the production network makes it unsuitable for a cold site Correct Answer and Explanation: C. The physical proximity to the company makes it unsuitable for a cold site. When deciding on appropriate locations for such sites, it is important that they be in a different geographical location. If it is not at a significant distance from the primary site, it can fall
Chapter 13: Redundancy Planning 719
victim to the same disaster. Both sites would experience the same disaster, so there would be no alternate site available to resume business. Incorrect Answers and Explanations: A is incorrect, because the location makes it unsuitable for a cold site. B is incorrect, because the site uses an old but functional fire suppression system, and has other environmental conditions that make it suitable for a cold site. D is incorrect, because a cold site is not part of the production network.
5. A service runs on a network server that users access with an application on their workstations. The application is used to process the requests and access data in a database. If the server or service fails, you still want users to be able to access this data. What method of fault tolerance will you use so that network users can still continue to work? A. Install two network cards on the server, so that if one card fails, users can still access the data through the second card B. Use server clustering to provide fault tolerance C. Implement RAID D. Connect the server to a UPS Correct Answer: B. Use server clustering to provide fault tolerance. Incorrect Answers and Explanations: A is incorrect, because if the service failed, it wouldn’t matter that there were two network cards installed. Users still wouldn’t be able to access the data because the service wouldn’t be available. C is incorrect, because the RAID array would become unavailable when the server failed. D is incorrect, because if the service failed, the data would still be unavailable even though the server still had power.
6. You have decided to set up server clustering on your network, so that there is no loss of availability to data. Which of the following will you use? A. Active/active clustering, so that all of the servers are able to become active if one of them fails B. Active/active clustering, so that all of the servers are actively processing the requests C. Active/passive clustering, so that if the active server fails, the passive server will become active and begin the processing of requests D. Active/passive clustering, so that all of the servers are actively processing the requests Correct Answer: D.
720 Appendix: Self Test
Incorrect Answers and Explanations: A is incorrect, because an active/ active cluster already has all of the servers actively responding to requests. C is incorrect, because there is a loss of availability during the time when the passive server identifies that the active server is no longer active. D is incorrect, because this describes an active/active cluster and not an active/ passive cluster.
7. Your company relies on the Internet to make sales and run an e-commerce site. If the Internet was unavailable to users, it could cost the organization significant sales, and possibly result in a loss of customers. Which of the following are options that you could implement to ensure there is no loss of Internet connectivity to the network? Choose all that apply. A. Ensure that the ISP uses two different points of presence B. Use multiple links across the WAN of your network so that connectivity is always available if one of the links fails C. Use a redundant ISP. Configure the normal ISP as a high-priority connection, and the redundant ISP as low-priority connection D. Use a redundant ISP. Configure the redundant ISP as a high-priority connection, and the normal ISP as low-priority connection Correct Answers and Explanations: A and C. Ensure that the ISP uses two different points of presence, or use a redundant ISP. A point of presence is an access point to the Internet. If the ISP uses two different points of presence, you are assured to have Internet access even if one of these points fails. In using a redundant ISP, you would configure the normal ISP as a high-priority connection, and the redundant ISP as low-priority connection. Such a configuration will have users using the primary ISP for normal usage, but automatically switching over to the low-priority connection, when the first one fails. Incorrect Answers and Explanations: B is incorrect, because redundant links across the WAN would ensure connectivity across the internal network, but wouldn’t ensure that the company had access to the Internet. D is incorrect, because the low-priority ISP should be the redundant ISP.
8. You have decided to implement a RAID for fault tolerance, and want data to be striped across multiple disks with parity information stored on multiple drives. Which of the following levels of RAID will you use? A. RAID 0 C. RAID 3 B. RAID 1 D. RAID 5 Correct Answer and Explanation: D. RAID 5 is disk striping with parity. Data is striped across multiple disks, but parity information is stored across multiple drives. It provides fault tolerance because a single disk that fails in the set can be restored from the parity information on the other disks.
Chapter 13: Redundancy Planning 721
Incorrect Answers and Explanations: A is incorrect, because RAID 0 provides no fault tolerance. Data is written (striped) across multiple disks, but no copies of the data are made. This improves performance because data is read from multiple disks, but the data on the entire set will be lost if one disk fails. B is incorrect, because RAID 1 is disk mirroring or duplexing. Data that is written to one disk is also written to another, so that the data of one disk is a mirror image of the other. Parity information is not stored on multiple drives with this method. C is incorrect, because RAID 3 has data striped across several drives, but one drive is used to store the parity bits for each byte that is written to the other disks. When a disk fails, it can be replaced and data can be restored to it from the parity information. If two or more disks in the set fail, then the data cannot be recovered.
9. You have decided to implement disk duplexing on a Novell Netware server. You want the server to have 800 GB of storage space. How many of the following disks would you need to provide this amount of storage? A. Four 200 GB hard disks C. Four 400 GB hard disks B. Two 400 GB hard disks D. One 800 GB hard disk Correct Answer and Explanation: C. Disk duplexing is RAID 1 (disk mirroring) where separate disk controllers are used for each disk. Because each drive has an exact copy of the data, this means that RAID would have to use half of the overall storage capacity to hold a mirrored copy of another disk. To have 800 GB of storage capacity, you would thereby need four 400 GB hard disks. Incorrect Answers and Explanations: A and B are incorrect, because half of the storage capacity is used by RAID to store a mirror image of the disk. Because RAID uses half, this would mean that each of these options would only provide 400 GB of storage capacity. D is incorrect, because a minimum of two hard disks is needed, so that each drive has an exact copy of the data of the other.
10. You have a server that you plan to use to store backup files from other servers. An application backs up the data from these other servers and will store them on the backup server. Because of its purpose, fault tolerance isn’t an issue, but high performance is important. Which level of RAID will you use? A. RAID 0 C. RAID 3 B. RAID 1 D. RAID 5 Correct Answer and Explanation: A. RAID 0 provides improved performance because data is written (striped) across multiple disks but no copies of the data are made. This improves performance because data is read from multiple disks.
722 Appendix: Self Test
Incorrect Answers and Explanations: B, C, and D are incorrect, because each of these levels of RAID provide fault tolerance, and they don’t provide the performance that RAID 0 does. B is incorrect, because RAID 1 is disk mirroring or duplexing, in which the data that is written to one disk is also written to another. C is incorrect, because RAID 3 has data striped across several drives, but one drive is used to store the parity bits for each byte that is written to the other disks. D is incorrect, because RAID 5 is disk striping with parity. Data is striped across multiple disks, but parity information is stored across multiple drives to provide fault tolerance. 11. You have decided to purchase spare hardware components that you can replace on a server without having to shut down the computer. Which of the following is being used? A. Hot swapping C. Hot spare B. Warm swapping D. Hot site Correct Answer and Explanation: A. Hot swapping refers to the ability to replace hardware components without having to shut down the computer. If a component fails, you don’t need to power off the machine. Incorrect Answers and Explanations: B is incorrect, because warm swapping requires the computer to be put into a suspended state (such as hibernate) while the hardware is being inserted or removed. C is incorrect, because a hot spare is a spare component that is installed on the system, but it isn’t used until the primary component fails. When the primary component fails, the system might be configured to detect this and automatically switch over to the hot spare. D is incorrect, because a hot site has a copy of data stored on the servers, and doesn’t need additional equipment brought to the site in the case of a disaster. 12. You have purchased a spare hardware component that can be replaced on a computer when it is put into a suspended state. Which of the following is being used? A. Hot swapping C. Hot spare B. Warm swapping D. Hot site Correct Answer and Explanation: B. Warm swapping allows you to replace a faulty component by putting the computer into a suspended state (such as hibernate). After the hardware has been inserted or removed, the computer is then taken out of the suspended state and can resume working again. Incorrect Answers and Explanations: A is incorrect, because hot swapping refers to the ability to replace hardware components without having to shut down the computer. With this type of swapping, the computer doesn’t need to be shut down or even put in a suspended state. C is incorrect,
Chapter 13: Redundancy Planning 723
because a hot spare is a spare component that is installed on the system, but it isn’t used until the primary component fails. When the primary component fails, the system might be configured to detect this and automatically switch over to the hot spare. D is incorrect, because a hot site has a copy of data stored on the servers, and doesn’t need additional equipment brought to the site in the case of a disaster. 13. You have purchased a hardware component that is installed in a server, and it remains inactive until a fault occurs and it is needed. Once the primary component fails, the system switches over to this secondary component. Which of the following is being used? A. Hot swapping C. Hot spare B. Warm swapping D. Hot site Correct Answer and Explanation: C. A hot spare is a spare component that is installed on the system, but it isn’t used until the primary component fails. When the component fails, the system might be configured to detect this and automatically switch over to the hot spare. Incorrect Answers and Explanations: A is incorrect, because hot swapping refers to the ability to replace hardware components without having to shut down the computer. With this type of swapping, the computer doesn’t need to be shut down or even put in a suspended state. B is incorrect, because warm swapping allows you to replace a faulty component by putting the computer into a suspended state (such as hibernate). D is incorrect, because a hot site has a copy of data stored on the servers, and doesn’t need additional equipment brought to the site in the case of a disaster. 14. You have been experiencing intermittent brownouts and blackouts that can last upwards of a few minutes, and concerned that power outages will result in data being lost as the computers suddenly shut down improperly. Which of the following can you use for these temporary outages? A. UPS C. Power bar B. Line conditioner D. Backup generator Correct Answer and Explanation: A. The UPSes are power supplies that can switch over to a battery backup, when power outages occur. The UPS allows multiple devices to be plugged into it, allowing it to supply power for short periods of time (often ranging from 10 to 45 min), until normal power is restored or the system can shut down properly. Incorrect Answers and Explanations: B is incorrect, because a line conditioner is used to ensure that there are no spikes or dips in power (which could damage equipment) and that it remains at consistent levels. C is incorrect, because a power bar is used to allow multiple devices to be plugged in,
724 Appendix: Self Test
which runs from a single outlet. D is incorrect, because the outages are for short periods of time. A UPS would provide short-term power, but the generator would need to be started up before it could provide power for longer periods of time. 15. You are developing a disaster recovery plan, and you are concerned that blackouts could cause power outages that could last hours or even days. To address the risk of this happening, which of the following should you implement in your company? A. UPS C. Power bar B. Line conditioner D. Backup generator Correct Answer and Explanation: D. Backup generators can provide power for long periods of time. Generators running on gas or other fuels need to be refueled at intervals, but generators will provide power for days at a time. Incorrect Answers and Explanations: A is incorrect, because UPSes are power supplies that can switch over to a battery backup when power outages occur, but only supply power for short periods of time (often ranging from 10 to 45 min). B is incorrect, because a line conditioner is used to ensure that there are no spikes or dips in power (which could damage equipment) and that it remains at consistent levels. C is incorrect, because a power bar is used to allow multiple devices to be plugged in, which runs from a single outlet.
Chapter 14: Controls and Procedures
1. Your organization is planning on installing a new fire suppression system in a server room. The system must be able to successfully extinguish the fire without causing damage to the servers and other equipment in the room. Which of the following will you use? A. Water sprinkler system B. A system that releases a fine mist of water to extinguish the fire C. A system that uses halon to extinguish the fire D. A system that uses Inergen to extinguish the fire Correct Answer and Explanation: D. Inergen is a combination of three different gases: nitrogen, argon, and carbon dioxide. When released, it lowers the oxygen content in a room to the point that the fire cannot be sustained. Incorrect Answers and Explanations: A and B are incorrect because water-based systems can cause significant damage to equipment. C is incorrect because halon isn’t manufactured anymore and used in new systems because of the damage it causes to the ozone.
Chapter 14: Controls and Procedures 725
2. You are planning to install a new fire detection system in a server room, which will monitor the area for specific types of energy that would indicate the presence of a fire. Which of the following types of fire detection methods will be used? A. Smoke C. Flame B. Heat D. Halon Correct Answer and Explanation: C. Flame detection is a method of detecting the presence of fire by detecting the movement of flames or certain types of energy, such as ultraviolet and infrared, which indicate that there is a fire. Incorrect Answers and Explanations: A is incorrect because smoke detectors monitor for the presence of smoke in a room. Smoke detectors commonly use an optical (photoelectric) detector, which detects the presence of fire when smoke passes in front of a beam of light. There are also other types of smoke alarms that sample the air to check for smoke particles, and others that are designed to check for high levels of carbon monoxide and carbon dioxide. C is incorrect because heat detectors monitor the room for spikes in temperature or a specific temperature threshold. D is incorrect because halon is an agent that was used for fire suppression but isn’t manufactured anymore.
3. The air conditioning in your server room has broken down, and temperatures are rising dramatically. Which of the following can result if this problem isn’t fixed as soon as possible? A. ESD C. HVAC B. Chip creep D. Shielding Correct Answer and Explanation: B. Chip creep is caused when circuit boards expand and contract due to changes in temperature. The sudden change in temperature causes the computer chips on these boards to move until they begin to lose contact with the sockets in which they are inserted. When the chips lose contact, they are unable to send and receive signals, resulting in hardware failure. Incorrect Answers and Explanations: A is incorrect because ESD doesn’t result from spikes in temperature but from humidity and air quality issues. C is incorrect because HVAC is the climate control system itself (heating, ventilation, and air conditioning). D is incorrect because shielding is the materials used to prevent data signals from being affected by external sources. This not only applies to wireless data escaping outside of an office but also pertains to external signals or interference affecting data being carried along cables.
726 Appendix: Self Test
4. New cable has been installed in an elevator shaft, allowing network cabling to run from the basement to all the floors in the building. To save money, cabling with very little shielding is used. After the new cabling is installed, you find that the servers are repeatedly resending data to computers on other floors. This is causing a performance issue, and users begin complaining that the network is slower than before. Which of the following kinds of interference is resulting from the installation of the new cable? A. EMI C. Noise B. RFI D. UTP Correct Answer and Explanation: A. EMI is electromagnetic interference and is caused by electromagnetism. EMI is generated by heavy machinery such as elevators, industrial equipment, and lights. The signals from these sources can overlap those traveling along network cabling, corrupting the data signals so that they need to be retransmitted by servers and other network devices. Incorrect Answers and Explanations: B is incorrect because RFI is radio frequency interference, but the scenario is describing a situation that would create EMI. C is incorrect because noise is a term referring to the interference caused by EMI and RFI. D is incorrect because UTP is unshielded twisted-pair, which is a type of cabling.
5. You are planning to install new cable between the floors of a building where there are a high number of sources for interference from industrial equipment and devices that transmit radio frequencies. Which of the following cable is the most effective against interference under these circumstances? A. UTP C. Fiber optic B. STP D. Coaxial Correct Answer and Explanation: C. Because fiber-optic cabling is immune to EMI and RFI interference, it is the best type of cabling to use in these circumstances. Because the signal is transmitted via light, data that travel along fiber-optic cable is not affected by interference from electromagnetism or radio frequencies. Incorrect Answers and Explanations: A is incorrect because UTP is unshielded and won’t provide protection from EMI and RFI. B is incorrect because although STP provides shielding from interference, it is not immune to EMI and RFI like fiber-optic cabling. D is incorrect because although coaxial cable has shielding, it is not immune to EMI and RFI like fiber optic.
6. Data is degrading as it is transmitted down the length of cabling between two buildings. Which of the following is occurring? A. Attenuation C. EMI B. Crosstalk D. RFI
Chapter 14: Controls and Procedures 727
Correct Answer and Explanation: A. Attenuation is the decrease of a signal’s strength over the length of a cable. The signal’s power weakens over distance so that it degrades. Devices must be used to boost the signal strength or different cable that is more resistant to attenuation and supports greater lengths should be used. Incorrect Answers and Explanations: B is incorrect because crosstalk occurs when a signal from one channel or circuit interferes with another. The signals from one wire cause interference with another wire because the signal from one wire is essentially jumping over to the other wire, creating distortion that can corrupt data. C is incorrect because EMI is electromagnetic interference. D is incorrect because RFI is radio frequency interference.
7. Data is being corrupted by a faulty cable, causing the signals from one wire to interfere with the signals on another wire. Which of the following is occurring? A. Attenuation C. EMI B. Crosstalk D. RFI Correct Answer and Explanation: B. Crosstalk occurs when a signal from one channel or circuit interference with another. The signals from one wire cause interference with another wire because the signal from one wire is essentially jumping over to the other wire, creating distortion that can corrupt data. Incorrect Answers and Explanations: A is incorrect because attenuation is the decrease of a signal’s strength over the length of a cable. The signal’s power weakens over distance so that it degrades. Devices must be used to boost the signal strength or different cable that is more resistant to attenuation and supports greater lengths should be used. C is incorrect because EMI is electromagnetic interference. D is incorrect because RFI is radio frequency interference.
8. You receive a complaint from the network administrators of another company regarding an attempted hacking of their Web site. Their firewall logs show that the attempt came from an IP address from your company. Upon hearing the IP address, you find that this is the IP address of the proxy server belonging to your company. Further investigation on your part will be needed to identify who actually performed the attempted intrusion on the other company’s Web site. Who will you notify of this problem before starting the investigation? A. Media outlets to publicize the incident B. The Incident Response Team C. Users of the network to ensure they are aware that private information dealing with employees may need to be shared with the other company D. No one
728 Appendix: Self Test
Correct Answer and Explanation: B. The Incident Response Team would deal with incidents such as hacking and would be the appropriate people to notify. The Incident Response Team could assist or take over the investigation and provide insight dealing with issues related to the intrusion attempt. Incorrect Answers and Explanations: Answers A, C, and D are incorrect because they would have no possible reason to be notified before conducting the investigation, if they ever are notified. Information that needs to be kept on a “need to know” basis means that only the people who need information are given it. At the beginning of an investigation, the Incident Response Team or a designated member of the company should only be notified.
9. You are designing a backup regime that will allow you to recover data to servers in the event of a disaster. Should a disaster occur, you want to use a backup routine that will take minimal time to restore. Which of the following types of backups will you perform? A. Daily full backups B. A full backup combined with daily incremental backups C. A full backup combined with daily differential backups D. A combination of incremental and differential backups Correct Answer and Explanation: A. Daily full backup is a full backup that backs up all data in a single backup job. Because the data is backed up on a single tape or tape set, it means that it will take the least amount of time to restore. This may not be the most efficient method of performing backups. Combining full backups with incremental or differential backups takes less time, is fastest to restore, and requires fewer backup tapes. Incorrect Answers and Explanations: Answer B is incorrect because a combination of a full backup and daily incremental backups would take the least amount of time to backup each day but the most amount of time to restore. When restoring the data, the full backup must be restored first, followed by each incremental backup that was taken since. Answer C is incorrect because a combination of a full backup with daily differential backups would require you to restore the last full backup and the last differential backup. This is still one more tape than if daily full backups were performed. Answer D is incorrect because incremental and differential backups cannot be combined together. Each would be part of a different backup regime and both would require a full backup to be restored.
10. You are the administrator of a network that is spread across a main building and a remote site several miles away. You make regular backups of the data on your servers, which are centrally located in the main building. Where should you store the backup tapes so they are available when needed in the case of a disaster?
Chapter 14: Controls and Procedures 729
A. Keep the backup tapes in the server room within the main building, so they are readily at hand. If a disaster occurs, you will be able to obtain these tapes quickly and restore the data to servers. B. Keep the backup tapes in another section of the main building. C. Keep the backup tapes in the remote site. D. Keep the backup tapes in the tape drives of the servers so that a rotation scheme can be maintained. Correct Answer and Explanation: C. Keep the backup tapes in the remote site. Since the company has a remote location that is miles from the main building, the tapes can be kept there for safekeeping. A firm can also be hired to keep the tapes in a storage facility. When a disaster occurs, you can then retrieve these tapes and restore the data. Incorrect Answers and Explanations: A, B, and D are incorrect because a disaster that affects the server room or main building could also destroy the backup tapes if they were stored in these locations. 11. You have created a backup regime as part of a disaster recovery plan. Each day, data on a server are backed up. After implementing it, you decide you want to make a separate backup of all data on the server but do not want it to interfere with the current backup jobs. Which of the following types of backups would you perform? A. Full backup C. Differential backup B. Incremental backup D. Copy backup Correct Answer and Explanation: D. Copy backup is the same as a full backup but does not change the archive bit. The archive bit is used to indicate that a file was backed up. Because the archive bit is not marked, any other backup jobs will not detect that a backup of data took place. As far as any incremental or differential setup on the server is concerned, it will appear as if the backup never took place. Incorrect Answers and Explanations: Answer A is incorrect because a full backup will change the archive bit, affecting any other backup jobs. Answer B is incorrect because an incremental backup will also change the archive bit but is also wrong because a full backup would need to be used in conjunction with the incremental backup to acquire all data on the server. Answer C is incorrect because although a differential backup will not affect the archive bit, it will need to be used in conjunction with a full backup to acquire all data on the server. If the full backup were performed as part of this backup, the archive bit would be changed on files, affecting other backup jobs. 12. You are working in a server room and notice that someone has remotely accessed a server used for storing backups of data and is modifying files.
730 Appendix: Self Test
You quickly realize that an unauthorized user has remote controlled the server and is hacking the system. To prevent any further damage to data, the file server is taken offline, and a member of the Incident Response Team who looks into these matters is called immediately. Which of the following roles have you fulfilled? A. First responder C. Crime scene technician B. Investigator D. Unauthorized user Correct Answer and Explanation: A. The first responder is the first person to arrive at a crime scene who has the knowledge and skill to deal with the incident. The first responder may be an officer, security personnel, a member of the IT staff or Incident Response Team, or any number of other individuals. The first responder is responsible for identifying the scope of the crime scene, securing it, and preserving volatile evidence. Incorrect Answers and Explanations: Answer B is incorrect because the investigator establishes a chain of command, conducts a search of the crime scene, and is responsible for maintaining the integrity of the evidence. Answer C is incorrect because a crime scene technician is responsible for preserving volatile evidence, duplicating data on disks and other media, shutting down systems for transport, and tagging, logging, packaging, and processing evidence. Answer D is incorrect because the person hacking the system would be the unauthorized user, not the person who is attempting to protect the system. 13. A criminal is attempting to acquire information from people. In doing so, he sends out e-mails to a small group of individuals working in the finance department of your company. The e-mail appears to be from the bank your company uses. It has a link that takes the user to a Web site, where a form requests his or her name, department, bank account numbers, and other information. Which of the following social engineering methods is being used? Choose the best answer. A. Phishing C. Pharming B. Spear phishing D. Spaming Correct Answer and Explanation: B. Spear phishing is a variation of phishing that involves targeting groups of people, such as individuals who work in the same department or company. E-mail is sent to a group, often with a link to a Web site that is set up to acquire information from people. In this scenario, bulk e-mail wasn’t sent to large groups of individuals. Instead, only those working in the finance department of your company were targeted, which makes this a spear phishing expedition. Incorrect Answers and Explanations: Answer A is incorrect because although phishing is being used, this is not the best answer to choose from.
Chapter 14: Controls and Procedures 731
A group of individuals are being targeted in the scenario, which would make this a case of spear phishing. Answer C is incorrect because pharming is a scam that involves redirecting traffic to a Web site to a different bogus site. In this scenario, there is a link in the e-mail, but the scenario does not say that the person is being redirected from the Web site specified in the link. Answer D is incorrect because spam is unsolicited e-mail. Although the e-mail was unsolicited, spam is not necessarily a method of social engineering and thereby isn’t the best answer to this scenario. 14. A member of the IT staff has just modified the hosts files on Windows XP computers on your network. After making this modification, you notice that a Web site commonly used by members of your organization’s staff looks somewhat different. You check the hosts file on a computer and realize that people are being redirected to a different site. Which of the following has occurred? A. Phishing C. Pharming B. Spear phishing D. Spaming Correct Answer and Explanation: C. Pharming is a scam that involves redirecting traffic to a Web site to a different bogus site. One method of redirecting traffic to a bogus site is to modify the hosts file of a computer so that when the Web address is entered in a program like a browser, the user is redirected to another site. Incorrect Answers and Explanations: Answer A is incorrect because phishing occurs when e-mail is sent out to acquire information from the recipient. Phishing can involve thousands or even millions of e-mails being sent, in the hope that a few people will fall for the scam. Answer B is incorrect because spear phishing is a variation of phishing in which a group or organization is targeted. Answer D is incorrect because spam is unsolicited e-mail, which is not an aspect of this scenario. 15. You are about to make configuration changes to a computer and log on to the workstation as the administrator. In doing so, you notice the user whose computer you’re working on is watching what you’re typing on the keyboard. Which of the following has occurred? A. Phishing C. Dumpster diving B. Shoulder surfing D. Hoaxes Correct Answer and Explanation: B. Shoulder surfing is a method of obtaining passwords by watching what the person types on a keyboard, PIN pad, or other device that’s used to enter a password. It is a low tech method of acquiring information for hacking because it only requires watching someone enter information.
732 Appendix: Self Test
Incorrect Answers and Explanations: Answer A is incorrect because phishing occurs when e-mail is sent out to acquire information from the recipient. Phishing can involve thousands or even millions of e-mails being sent, in the hope that a few people will fall for the scam. Answer C is incorrect because dumpster diving is a method of acquiring information by going through an individual’s or organization’s trash. By reading discarded materials or acquiring hard disks and other media that was thrown out, a person can gather significant information that can later be used for hacking and other criminal activities. Answer D is incorrect because hoaxes are false information. They can be e-mail messages or other methods of circulating inaccurate information about companies, false virus warnings, or other stories that can negatively impact a business.
Chapter 15: Legislation and Organizational Policies
1. You are developing a policy that will address that hard disks are to be properly erased using special software, and that any CDs or DVDs are to be damaged by scarring or breaking them before they are thrown away. It is the hope of the policy that any information that is on the media will not fall into the wrong hands after properly discarding them. What type of policy are you creating? A. Due care C. Acceptable use policy B. Privacy policy D. Disposal and destruction policy Correct Answer and Explanation: D. Disposal and destruction policy. This type of policy establishes procedures dealing with the safe disposal and destruction of data and equipment. Incorrect Answers and Explanations: Answer A is incorrect because due care refers to the level of care that a reasonable person would exercise and is used to address problems of negligence. Answer B is incorrect because privacy policies outline the level of privacy that employees and clients can expect, and the organization’s perspective on what is considered private information. Answer C is incorrect because an acceptable use policy is used to outline what activities are permissible when using a computer or network, and what an organization considers proper behavior.
2. An organization has just installed a new T1 Internet connection, which employees may use to research issues related to their jobs and send e-mail. Upon reviewing firewall logs, you see that several users have visited inappropriate sites and downloaded illegal software. Finding this information, you contact senior management to have the policy relating to this problem enforced. Which of the following policies would you recommend as applicable to this situation? A. Privacy policy C. HR policy B. Acceptable use policy D. SLAs
Chapter 15: Legislation and Organizational Policies 733
Correct Answer and Explanation: B. Acceptable use policy. An acceptable use policy establishes guidelines on the appropriate use of technology. It is used to outline what activities are permissible when using a computer or network, and what an organization considers proper behavior. Acceptable use policies not only protect an organization from liability, but also provide employees with an understanding of what they can and cannot do when using technology. Incorrect Answers and Explanations: Answer A is incorrect because a privacy policy will outline the level of privacy an employee and/or customer can expect from the company. Privacy policies generally include sections that stipulate corporate e-mail as being the property of the company, and that Internet browsing may be audited. Answer C is incorrect because HR policies deal with the hiring, termination, and changes of an employee within a company. They do not provide information on the acceptable use of technology. Answer D is incorrect because SLAs are agreements between clients and service providers that outline what services will be supplied, what is expected from the service, and who will fix the service if it does not meet an expected level of performance.
3. You are configuring OSes used in your organization. Part of this configuration involves updating several programs, modifying areas of the registry, and modifying the background wallpaper to show the company’s new logo. In performing these tasks, you want to create documentation on the steps taken, so that if there is a problem, you can reverse the steps and restore systems to their original state. What kind of documentation will you create? A. Change control documentation B. Inventory C. Classification D. Retention and storage documentation Correct Answer and Explanation: A. Change control documentation provides information of changes that have been made to a system, and often provides back out steps that show how to restore the system to its previous state. Incorrect Answers and Explanations: Answer B is incorrect because inventories provide a record of devices and software making up a network, not changes made to the configuration of those devices. Answer C is incorrect because classification is a scheme of categorizing information, so that members of an organization are able to understand the importance of information and less likely to leak sensitive information. Answer D is incorrect because retention and storage documentation is necessary to keep track of data, so that it can be determined what data should be removed and/or destroyed once a specific date is reached.
734 Appendix: Self Test
4. You are concerned about the possibility of hackers using programs to determine the passwords of users. You decide to create a policy that provides information on creating strong passwords and want to provide an example of a strong password. Which of the following is the strongest password? A. Strong C. ih8Xams! B. PKBLT D. 12345 Correct Answer and Explanation: C. ih8Xams! Strong passwords consist of a combination of lower case letters (a through z), upper case letters (A through Z), numbers (0 through 9), and special characters (({}[],.<>;:’”?/|\`~!@#$%^and* ()_-+=). Of the possible passwords listed, the only one that has all these characteristics is ih8Xams! Incorrect Answers and Explanations: Answers A, B, and D are all incorrect because they do not use a combination of numbers, special characters, and upper case and lower case letters.
5. In your organization, users in similar positions often give each other their passwords. This is a common practice when a user goes on vacation and another user temporarily takes over that person’s job. There is a corporate policy that prohibits this practice, but it still goes on. Currently, users are required to use alphanumeric combinations for their passwords, but don’t have other restrictions on their passwords due to the previous network administrator’s belief that frequent changes will cause users to forget their passwords. Which of the following will you implement to prevent unauthorized users from indefinitely using known passwords? A. Set a policy that forces users to use strong passwords B. Set a policy that forces users to change their password once every 60 days C. Require users to use PIN numbers D. Use SecureID tokens for remote logons, so that it requires users to enter a PIN that is synchronized with the server and changes frequently Correct Answer and Explanation: B. Set a policy that forces users to change their password once every 60 days. Passwords should be changed after a set period of time, so that anyone who has a particular password will be unable to use it indefinitely and others will have more difficulty guessing it. Incorrect Answers and Explanations: Answer A is incorrect because enforcing strong passwords would not remove the problem of users not changing their passwords. If a password fell into the wrong hands, it could be used by an unauthorized user, even if it was a strong password. Answer C is incorrect because network users are already using a combination of letters and numbers, which is stronger than a series of numbers. Answer D is incorrect because using a token like SecureID for remote logons doesn’t solve the problem of users not changing their password when logging on locally to the computer.
Chapter 15: Legislation and Organizational Policies 735
6. Your organization uses its intranet to disseminate information to employees. Part of the intranet includes an employee database, so that users can look up the name, department, and phone extension of members of the organization. For morale purposes, birthdates of employees are available to view with this information, so that other employees can wish them a happy birthday. Employees also have the capability to post their own information on blogs allowing social networking between users. Users have used this information to post information on corporate softball tournaments, previous employment experience within the organization, and other information. Which of this information is PII that should be removed? A. Blogs B. Employee database information that provides the full name of employees C. Employee database information that provides the date of birth D. Employee database information that provides departments and work extensions Correct Answer and Explanation: C. Employee database information that provides the date of birth of an employee. Although HR or certain other departments may require this information, the birthdate of an employee is PII that should not be available to everyone. An unauthorized or unscrupulous user could use this with other information to steal the person’s identity, or perform other actions that could result in litigation against the company. Incorrect Answers and Explanations: Answer A is incorrect because although a user can post information themselves, it does not necessarily mean that they will post PII to a blog. Answer C is incorrect because the full name of an employee is something that other employees would already know and it is common knowledge within the company, having this information on an intranet site. Answer D is incorrect because the department and work extension of an employee would be information that would be available to other employees within an organization. As such, it wouldn’t be an issue posting it on an internal Web site.
7. You are developing a new password policy for your company, and identifying elements that should be included to control unauthorized users guessing a user’s password. Which of the following will you include in your policy? A. Allow users to change their passwords to something similar, so they are less likely to forget the new passwords B. Passwords should not expire after a specified number of days and can be reused C. Passwords should be used on their own, and not part of a multifaceted security system D. Passwords should automatically expire every 45 to 90 days
736 Appendix: Self Test
Correct Answer and Explanation: D. Passwords should automatically expire every 45 to 90 days. Passwords should be changed after a set period of time, so that anyone who has a particular password will be unable to use it indefinitely and others will have more difficulty guessing it. Incorrect Answers and Explanations: Answer A is incorrect because if a new password is similar to the old one, it is easier for someone who has the old password to guess the new one. Answer B is incorrect because passwords should expire after a specified amount of time, and passwords shouldn’t be reused until a certain number of password changes have occurred. If an old password has been compromised, a hacker could keep trying it until the user changes back to the old password. Passwords are often used with biometrics, tokens, or other security devices. Answer C is incorrect because using passwords as part of a multifaceted security system is a common way of improving security. Passwords are often used with biometrics, tokens, or other security devices.
8. An organization has decided to implement a policy dealing with the disposal and destruction of data and other materials that may contain sensitive information. They have consulted you to determine what elements should be included in the policy. Which of the following will you tell them? A. Data on hard disks should be deleted before hard disks are disposed of B. Hard disks should be shredded before being disposed of C. Nonclassified materials, such as media releases, should be shredded before being disposed of D. Classified documents should be shredded before being disposed of Correct Answer and Explanation: D. Classified documents should be shredded before being disposed of. Printed materials can still be accessed after they have been disposed of. Classified documents may contain sensitive information about the company, its clients, or employees. To prevent printed materials from getting into the wrong hands, the policy should specify that these types of documents should be shredded. Incorrect Answers and Explanations: Answer A is incorrect because even if data is deleted from a hard disk it may still be recovered. Answer B is incorrect because it is not a standard method of physically destroying magnetic media. Answer C is incorrect because nonclassified materials such as media releases are not sensitive, and are cleared for public release. There is no problem with someone outside of the organization seeing this type of material.
9. An employee complains that his or her coworker has pornography on his or her computer. Upon investigating, IT staff finds illegal pornography on the hard drive of his or her workstation. There is a concern that the employee who made the complaint may file a law suit against the company for it being
Chapter 15: Legislation and Organizational Policies 737
a hostile workplace on these grounds. The company further tries to protect itself by calling the police and suspending the employee from work until an internal inquiry is conducted. Which of the following is being practiced here? A. Change control C. Due process B. Due care D. Due diligence Correct Answer and Explanation: D. Due diligence refers to the practices of an organization in identifying risks and implementing strategies to protect the data, equipment, and other assets of a company. In the scenario, there is a concern of civil litigation and the company having some responsibility that could result in other legal problems, inclusive to criminal charges. By securing the computer, suspending the employee from his duties, and calling the police, the company is attempting to show due diligence in protecting their employees and equipment. Incorrect Answers and Explanations: Answer A is incorrect because change control documentation provides information on changes that have been made to a system and often provides back out steps that show how to restore the system to its previous state. Answer B is incorrect because due care is the level of care that a reasonable person would exercise in a given situation and is used to address problems of negligence. Answer C is incorrect because due process is the act of notifying an employee that he or she has violated existing policies of legislation and also refers to the employee’s right to a fair and impartial inquiry into the incident. 10. An employee has accessed a social networking site and made some complaints about his or her job on a blog. In doing so, he or she has violated an internal policy that prohibits the company’s equipment from being used for personal use. Because the policy has been violated, the person is told that he or she will need to go before an internal tribunal and is informed of his or her rights in the matter. Which of the following has been practiced? A. Change control C. Due process B. Due care D. Due diligence Correct Answer and Explanation: C. Due process is the act of notifying an employee that he or she has violated existing policies of legislation and also refers to the employee’s right to a fair and impartial inquiry into the incident. Incorrect Answers and Explanations: Answer A is incorrect because change control documentation provides information on changes that have been made to a system and often provides back out steps that show how to restore the system to its previous state. Answer B is incorrect because due care is the level of care that a reasonable person would exercise in a given situation and is used to address problems of negligence. Answer D is incorrect
738 Appendix: Self Test
because due diligence refers to the practices of an organization in identifying risks and implementing strategies to protect the data, equipment, and other assets of a company. 11. You are preparing to destroy a selection of CD-Rs that have been previously used to store sensitive data. Which of the following will you do to ensure that the data is destroyed? A. Delete the files and erase the data from the CDs B. Use a degausser C. Scrape the CD so the data layer is removed D. Throw away the CD Correct Answer and Explanation: C. Scrape the CD so the data layer is removed. By scratching the CD so it can’t be used, or using a tool to scrape off the data layer, any data that was burned to the disk can’t be accessed. Incorrect Answers and Explanations: Answer A is incorrect because CD-Rs are not rewritable and can’t have files deleted and data erased. Answer B is incorrect because degaussers are used to erase magnetic media and thereby wouldn’t work on CDs. Answer D is incorrect because throwing away the CD will not destroy the data. 12. You are the administrator of a network running Novell NetWare and are having problems with a server’s ability to connect to other servers. The server was able to connect to the network before you installed a recent bug fix. After attempting to solve the problem, you decide to check and see if anyone else has had this problem. Where is the best place to find this information? A. The manual that came with the server B. The vendor’s Web site C. Service pack D. Microsoft knowledge base Correct Answer and Explanation: B. The vendor’s Web site. Manufacturers’ Web sites are also valuable to the security and effectiveness of a network and its systems, as they provide support information and may include a knowledge base of known problems and solutions. Incorrect Answers and Explanations: Answer A is incorrect because the bug fix is for the OS and would not be included in the documentation for the server. Also, because it is a recent bug fix, it would have come out after the server’s manual was published. Answer C is incorrect because a service pack is software that is used to fix issues and upgrade elements of the OS. Answer D is incorrect because the OS is manufactured by Novell, so the Microsoft knowledge base would not have specific information on issues with another company’s OSes.
Chapter 15: Legislation and Organizational Policies 739
13. Your organization wants to control the distribution of documents. In doing so, they plan to classify the documents so that only those who are specifically meant to view the documents are allowed to do so. In creating this system, which of the following would you use to specify that anyone can view a document and make it available for public dissemination? A. Classified C. Confidential B. Unclassified D. Department specific Correct Answer and Explanation: B. Unclassified or public documents are those that can be distributed and viewed by the public. Incorrect Answers and Explanations: Answer A is incorrect because classified documents are meant for internal use, not for distribution to outside parties. Answer C is incorrect because confidential documents are those that are private and meant for a specific person or people. Answer D is incorrect because department specific documents are meant for specific departments in an organization, but not necessarily every employee in the organization. 14. You are concerned about the possibility of sensitive information developed by your company being distributed to the public and decide to implement a system of classification. In creating this system, which of the following levels of classification would you apply to sensitive information that is not to be disseminated outside of the organization? A. Unclassified C. Public B. Classified D. External Correct Answer and Explanation: B. Classified. When information is designated as classified, it means that it is for internal use only and not for distribution to parties outside of the organization. Incorrect Answers and Explanations: Answers A and C are incorrect because when information is classified as public or unclassified, then it can be viewed by parties outside of an organization. Answer D is incorrect because external documents are those generated outside of the organization. 15. Changes in the law now require your organization to store data on clients for 3 years, at which point the data are to be destroyed. When the expiration date on the stored data is reached, any printed documents are to be shredded and media that contains data on the client is to be destroyed. What type of documentation would you use to specify when data is to be destroyed? A. Disaster recovery documentation B. Retention policies and logs C. Change documentation D. Destruction logs
740 Appendix: Self Test
Correct Answer and Explanation: B. Retention policies and logs. Policy regarding the retention of data will decide how long the company will retain data before destroying it. Retention and storage documentation is necessary to keep track of this data, so that it can be determined what data should be removed and/or destroyed once a specific date is reached. Incorrect Answers and Explanations: Answer A is incorrect because disaster recovery documentation is used to provide information on how the company can recover from an incident. Answer C is incorrect because change documentation provides information on changes that have occurred in a system. Answer D is incorrect because destruction logs are used to chronicle what data and equipment have been destroyed after the retention date has expired.
Index 12Ghosts Popup-Killer, 198–199 3DES algorithm. See Triple DES algorithm 802.1x authentication methods, 322–323, 406–409 dynamic key derivation, 409 user identification and strong authentication, 408–409
A AAA. See Access control, authentication, and auditing Acceptable use policies, 605–607 enforcing, 606–607 Access control, 294 DAC, 45–46 MAC, 45 network. See Network access control RBAC, 46–47 Access control, authentication, and auditing (AAA), 381–382 Access control lists (ACLs), 349, 353, 354, 360 Access control objects, 340, 360 Access control subjects, 340, 360, 361 Access lists, 366 Access logs, 366, 450–451 ACLs. See Access control lists Active/active cluster, 549 Active directory, 134, 150, 163 Active/passive cluster, 549 Active scripting, 102 ActiveX controls, 89–99 custom security levels, 93 developing, 90–91 securing execution of, 91–99 security zones, 92–99 configuring, 95–97 ActiveX-option, 98 Ad-Aware, 19–20 Ad hoc network, 315 Address resolution protocol (ARP) poisoning, 281 spoofing, 85, 277–278, 325 Administrator accounts, 609–610 Advanced encryption standard (AES), 480 cipher, 480 Adware, 15–16, 190–191 defending against, 18–19 Eudora, 18 example, 18 and spyware, difference between, 16 AES. See Advanced encryption standard
AH. See Authentication header AIM. See AOL instant messenger AirSnort, 325 Altiris, 54–55 Anomaly detection, 436 Antispam, 196–198, 206 Antivirus, 182–196, 205–206 Antivirus software, 10 vendors of, 11 AOL instant messenger (AIM), 112, 113 APOP. See Authentication POP Apple Safari, 89 Application agents, 194 Application filtering. See Application layer firewalls Application layer firewalls, 262 Application-layer gateway. See Application layer firewalls Application security threat modeling, 85–88 application decomposition, 87 application review, 87 security objective definition, 86–87 threat identification, 87 vulnerability identification, 87 Application security threats, 88–117 ActiveX. See ActiveX controls buffer overflows, 109–112 cookies. See Cookies drive-by-download attacks, 88–89 input validation, 110–112 instant messaging, 112–114 Java, 99–101 P2P networks, 114–116 scripting, 101–103 SMTP open relays, 116–117 XSS attacks, 107–109 Application virtualization, 230–235 application streaming, 233–235 terminal services (remote desktop services), 232–233 XenApp, 233 Application viruses, 186 ARP. See Address resolution protocol Asymmetric encryption, 464 Asymmetric key cryptography, 464 ATM cards, 346, 386 Attack signature database, 127, 251 Attack signatures, 436 Attenuation, 569 Audit policy logs, 449
741
742 Index
Auditing, 383, 441–442, 452 in Microsoft Windows, configuration, 443–451 Authentication, 158, 383, 406–409 in 802.11 standard, 319 802.1 x, 322–323 computer, 150, 151–152 computer and user, 150 creating, 151–152 mutual, 324 network. See Network authentication open, 319 RADIUS, 390–393 shared-key, 320 strong, 323 user, 150, 152–153 Authentication header (AH), 489 header format, 491 protocol, 149 Authentication POP (APOP), 386 Authentication server, 322, 389, 394, 407 Automatic teller machine cards. See ATM cards
B Backdoors, 4, 7, 189 Background intelligent transfer service (BITS), 137 Backtrack, 253 Backup generator, 554 Backup rotation schemes, 573–574 GFS, 573 Backup techniques and practices, 572 Basic firewall installation, 284 Basic input/output system (BIOS), 3, 22–23, 37 See also NetBIOS flashing, 24 passwords, 23–24 as security risk, 23 Bastille, 61–62 Bastion host, 290 Bell–La Padula formal access control model, 343 Berkeley Internet name domain (BIND) server, 68–69 Biba formal access control model, 343–344 Big Brother tool, 269 BIND server. See Berkeley Internet name domain server Biometric authentication, 347–348, 389–390, 609 BIOS. See Basic input/output system BitLocker, 497, 498 Blind spoofing attacks, 276 Block ciphers, 477, 490, 500 Block symmetric algorithms, 511 Blu-Ray, 34 Bluebugging, 327
Bluejacking, 327 Bluesnarfing, 30, 327 Bluetooth, 30 hop rate of, 327 Boot sector viruses, 186 Booting, 25 Bootstrap sector viruses, 6 Bot herder, 20–21 Botnets, 20–21, 191–192 Bots, 20 Broadcast domain, 296 Browser based threats, 88–109 Brute force attack, 87, 428, 463, 608 Buffer overflows, 109–112 heap, 109 stack, 109 Bugs, 4 Bulk demagnetizer. See Degausser Business sites, alternate, 545–548 cold site, 547–548 hot site, 547 warm site, 547
C CA. See Certificate authority Caesar cipher, 462 Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), 342 Carrier sense multiple access with collision avoidance (CSMA/CA), 314 CBC. See Cyclic block chaining CD audio, 31 CD-ROM, 32 CDs, 31–32 Cell phones, 28–29 bypassing network firewalls, 30 viruses, 29 CERT. See Computer emergency response team Certificate authority (CA), 150–153, 519, 525–527 definition of, 525 enterprise, 525 intermediate, 527 leaf, 527 root subordinate, 526 Certificate policy, 534 Certificate revocation list (CRL), 527–531 characteristics of, 528 Certificates, 469–473 digital. See Digital certificates dual-sided, 473 key usage values, 472 OIDs values, 472
Index 743
single, 471–472 X.509, 466, 469, 470 Certification request syntax standard, 514 CFB. See Cipher feedback Chain of custody, 585–586 Challenge handshake authentication protocol (CHAP), 402–403 Change control documentation, 610 Change management, 610 CHAP. See Challenge handshake authentication protocol chmod command, 354 CIA. See Confidentiality, integrity, and availability Cipher feedback (CFB), 478 Cipher suites, 484, 485 Circuit level firewalls, 255 Cisco security agent (CSA), 131–132 management center for, 132 OS supported by, 131 Cisco systems, 253, 439 Clark–Wilson formal access control model, 343 Clean agent fire extinguishing systems, 564 Client/server architecture, 262 Client-server model, 114 Clipper chip, 530 CMOS settings. See Complementary metal oxide semiconductor settings CMS. See Cryptographic messaging syntax Coaxial cable, 569 Code of ethics, 627 Collision domains, 296 Command and control (C&C) server, 21 Common criteria (CC), 342 Common off the shelf (COTS) applications, 88 Communication, 621–622 Compact discs. See CDs Companion virus, 6–7 Complementary metal oxide semiconductor (CMOS) settings, 23–25 Complex N-tier arrangement, 283 Computer emergency response team (CERT), 187, 587 Web site, 52 Computer forensics, 579 awareness for, 580–581 basic components of, 581 conceptual knowledge for, 581 Conduct risk assessments, 423–429 Confidentiality, integrity, and availability (CIA), 381, 382, 430, 474 Configuration baselines, 61–62 determining, 62 for security metrics, 62–63 Connection security rules
authentication exemption, 154, 155–157 creating, 153–154, 155 custom, 154, 160–161 isolation, 154–155 server-to-server, 154, 157–158 tunnel, 154, 158–160 Connections of sites, 550 Content filters, 267 Control frames, 315 Control zone, 326 Cookies, 103–107, 191 attacks, preventing, 106 hijacking, 105 leaking, 106 poisoning, 105 types persistent, 104 session, 103–104 tracking, 104 vulnerabilities, 104–105 Copy backup, 573 COTS applications. See Common off the shelf applications Crime scene technicians, 585 CRL. See Certificate revocation list CRL. See Certificate revocation list Cross-site scripting attacks. See XSS attacks Crosstalk, 569 Cryptanalysis, 463, 466, 476, 479, 510 Cryptographic message syntax (CMS), 513 protocol, 487 Cryptographic token interface standard, 514 Cryptography, 462, 510 asymmetric key, 464 certificates, 469–473 CIA, 473–475 comparative strength of algorithms, 475–476 digital signatures, 468–469 elliptic curve, 480 encryption algorithms, 477–482 hash function of, 511 hashes and applications, 464–468 LM hash, 466–467 MD5, 466 NT hash, 467–468 reasons to generate hashes, 465 SHA, 466 key management, 476–477 modern, 512 nonrepudiation, 475 in operating systems, 494–499 e-mail, 496 file and folder encryption, 494–496
744 Index
TPM, 498–499 whole disk encryption, 497–498 protocols, 482–494 symmetric key, 462–463 CSA. See Cisco security agent CSMA/CA. See Carrier sense multiple access with collision avoidance CTCPEC. See Canadian Trusted Computer Product Evaluation Criteria Cybercrime, 85 Cyclic block chaining (CBC), 478
D DAC. See Discretionary access control Damage control, 586–587 DAP. See Directory access protocol DASD. See Direct attached storage devices Data destruction, 604 Data emanation, 326 Data encryption, 149, 517 Data encryption standard (DES), 467 algorithm, 477–479 triple, 479 Data file virus, 7 Data frames, 315 Data integrity, 149 Data recovery agents (DRA), 495 Data repositories, 72 Data retention, 603–604 Data storage, 603–604 zone, 292 Database administrator (DBA), 86 Database servers, 73–74 DBA. See Database administrator Debug logging, 447 Deep packet inspection firewall, 256 Degausser, 603 Demilitarized zone (DMZ) bastion hosts, 290 design, 289–295 future of, 295 implementation of multiple interface firewall, 289 services, 291 Denial all strategy, 295 Denial-of-service (DoS) attacks, 20–21, 23, 69, 113, 185, 258, 279, 430, 431, 571 conditions, 85, 110, 116 distributed, 280 Deny by default, 257 DES. See Data encryption standard
DHCP servers. See Dynamic host configuration protocol servers Dictionary attack, 410, 428, 429 Differential backup, 573, 576 factors associated with, 577 Diffie-Hellman key agreement standard, 513 Digital certificates, 469, 471, 518–525 implementation of, 533–534 information stored in, 536 management, 534–535 mechanisms played in life cycle of, 534 X.509 standard of, 519–520 Digital signatures, 516, 517 Digital versatile discs. See DVDs Direct attached storage devices (DASD), 224–225 Direct sequence spread spectrum (DSSS), 312 comparing FHSS with, 313 Directory access protocol (DAP), 397 Directory information tree (DIT), 398 Directory services, 72–73, 389, 396 active directory, 397 eDirectory, 397 openLDAP, 397 Disaster recovery, 571 plan for, 571–572 Discretionary access control (DAC), 45–46, 353–354 settings, 354–355 Disk striping, 551 with mirroring, 551 with parity, 552 DMZ. See Demilitarized zone DNS. See Domain name system Document management systems, 611 Domain name kiting, 280 Domain name system (DNS), 398, 441, 590 poisoning, 281 servers, 68–69, 447, 448 Domain name tasting, 280 Door access systems, 368–369 piggybacking, 368, 369 standalone, 368 DoS. See Denial-of-service DRA. See Data recovery agents Drive-by-download attacks, 88–90 Dsniff, 277 DSSS. See Direct sequence spread spectrum Dual-sided certificate, 473 Due care, 616–617 Due diligence, 618 Due process, 617–618 Dumpster diving, 591–592 Duplexing. See Mirroring
Index 745
DVDs, 31–33 Dwell time, 312 Dynamic host configuration protocol (DHCP) servers, 71 Dynamic/private ports, 257
E E-commerce implementation, 293 E-mail hoaxes, 590–591 E-mail relaying, 291 E-mail spam, 196 E-mail viruses, 186 EAL. See Evaluation assurance levels EAP. See Extensible authentication protocol EAPoL. See Extensible authentication protocol over LAN EAPoW. See Extensible authentication protocol over wireless EFS. See Encrypting file system Elcomsoft password auditor, 429 Electromagnetic interference (EMI), 568. See also Radio frequency interference Electrostatic discharge (ESD), 567 protecting equipment from, 567–568 Elliptic curve cryptography, 480 EMI. See Electromagnetic interference Encapsulating security payload (ESP), 149, 489 header format, 491 integrity check value (ICV) in, 490 IPsec ESP, 491, 494 Encrypting file system (EFS), 50–51, 495–497 Encryption, 27, 29 algorithms, 477–482 AES, 480 DES, 477–479 3DES, 479 one-time pads, 480–481 RSA, 479–480 TKIP, 482 WEP, 481–482 asymmetric, 464 data, 149 PKI, 510–512 secret key, 511 symmetric key, 512 End user license agreement (EULA), 19, 190, 191 Enterprise single sign-on (ESSO), 388 Environmental controls, 563–570 ESP. See Encapsulating security payload ESSO. See Enterprise single sign-on Ettercap, 425–427 Eudora, 18
EULA. See End user license agreement Evaluation assurance levels (EAL), 342 Evidence bag, 585 eXclusive OR (XOR), 411, 478, 482 Extended-certificate syntax standard, 513 Extensible authentication protocol (EAP), 406, 409–410 different forms of, 409 PEAP, 411–413 Extensible authentication protocol over LAN (EAPoL), 323, 407, 408 Extensible authentication protocol over wireless (EAPoW), 323, 407 Extranets, 288, 289. See also Intranet
F Factors of authentication, 348 Faraday cage, 326 Fault tolerance, 548 FEK. See File encryption key FHSS. See Frequency hopping spread spectrum Fiber channel (FC) SAN, 225 Fiber-optic cabling, 570 File and print sharing service, 69–71 File encryption key (FEK), 496 File system access, 49–50 EFS, 50–51 File transfer protocol (FTP), 385, 488 active mode of, 259 passive mode of, 259 servers, 67–68 services, 290 File types, carrying viruses, 12–13 Financial processing segment, 293 Finite state machine, 127 Fire detection systems, 565 Fire suppression system carbon dioxide systems, 565 heptafluoropropane (HFC-227ea), 565 inergen (IG-541), 564 trifluromethane (FE-13), 565 Firewall rules, creating, 161–162 custom, 166–170 port, 164–165 predefined, 166 program, 162–164 Firewalls, 30, 255–256 NAT, 299 packet filtering, 257–261 restricting connection by user or computer, 164 Windows Vista. See Windows Vista firewall Windows XP, 133 Windows XP SP2, 134
746 Index
First responders, 583–584 Flame detection, 565 Flash memory cards, 26 Flashing, 24 Floppy disks, 34 Frequency hopping spread spectrum (FHSS), 312 comparing DSSS with, 313 Fresnel zone, 310 FTP. See File transfer protocol Full backup, 573, 576 factors associated with, 577 Full volume encryption key (FVEK), 497 FVEK. See Full volume encryption key
G GFI LANguard, 253, 439 GFS rotation. See Grandfather-Father-Son rotation GLBA. See Gramm–Leach–Bliley Act Google toolbar, 202–203 GPOs. See Group policy objects Gramm–Leach–Bliley Act (GLBA), 424, 614 Grandfather-Father-Son (GFS) rotation, 573 Group policies, 55 creating, 56–57 domain, 56 local, 55 management console, 57 organizational unit (OU), 56 setting, 59 site, 55 Group policy objects (GPOs), 55–56, 361 edit screen, 59
H Hackers, 587 Halon, 564 Hardening OS. See Operating system (OS) hardening server OS. See Server OS hardening Hardware components. See Spare parts locks, 366–367 security risks, 22–35, 37–38 Hashed message authentication code (HMAC), 485 Healthcare Information Privacy and Portability Act (HIPPA), 424, 614 Heat detection, 565 Heating, ventilation, and air conditioning (HVAC), 566–567 Help desks, 622 HIDS. See Host intrusion detection system
HIPPA. See Healthcare Information Privacy and Portability Act HMAC. See Hashed message authentication code Hoax viruses, 7 HomeRF, 312 Honeynets, 266 definition of, 266 typical characteristics of, 266 Honeypots, 205, 262–265 characteristics of, 264–265 definition of, 262 installing, 265–266 Hop time, 312 Host bus adapter (HBA), 225–226 Host intrusion detection system (HIDS), 125–127, 204–205 Hostile work environments, 605 Hosts file, 590 Hot spare, 553 Hot swapping, 552, 553 Hotfixes, 53 HR. See Human resource HTTP. See Hypertext transfer protocol HTTPS. See Hypertext transfer protocol secure Human resource (HR), role of, 626–627 HVAC. See Heating, ventilation, and air conditioning Hypertext transfer protocol (HTTP), 105, 134, 529 vs. HTTPS, 486–487 Hypertext transfer protocol secure (HTTPS), 257 vs. SHTTP, 486–487 Hypervisor, 214–215, 217, 228 binary translation, 218–219 hardware assist, 219–221 hosted, 218 paravirtualization, 219–220
I IANA. See Internet assigned numbers authority IBM’s Internet Security Systems (ISS) division, 439 ICMP. See Internet control message protocol IDS. See Intrusion detection systems IEAK. See Internet explorer administration kit IEEE 802.11 standard, 409 IEEE 802.11b standard, 409 IEEE 802.11w, 409 IETF. See Internet engineering task force IKE. See Internet key exchange IM. See Instant messaging IMAP4, 426, 427 Incident response, 576–578 documentation process, 579 identification process, 578
Index 747
investigation process, 578 policy, 577, 578 repair process of, 579 teams, 578–579 Incremental backup, 573, 576 factors associated with, 577 Independent computing architecture (ICA) protocol, 233 Information classification, 610–611 Information Technology Security Evaluation Criteria (ITSEC), 342 Informed attacks, 276 Infrastructure network, 315, 316 Initialization vector (IV), 411, 478 Input validation, 110–112 attacks, preventing, 111–112 client-side, 110–111 Instant messaging (IM), 112–114 packet sniffers and, 114 security issues, 113 Internet, 286 Internet agents, 194 Internet assigned numbers authority (IANA), 258 Internet connection firewall (ICF), 133–134 Internet control message protocol (ICMP), 133, 146, 167 ICMPv4 message types, 169 ICMPv6 message types, 167–168 Internet engineering task force (IETF), 409, 483 Internet explorer administration kit (IEAK), 95, 96 Internet explorer (IE) security zones, 92–95 configuring, 95–97 Internet information server (IIS), 9, 47, 187 Internet key exchange (IKE), 406, 489 operation, 490 protocol, 146 Internet protocol (IP) addresses, 297, 298 exemption from authentication, 155–157 public and private, 299–300 hijacking, 275 spoofing, 276–277 Internet relay chat (IRC) channel, 191 Internet security systems (ISS), 253 Internet service provider (ISP), 390, 550–551 planet, 254, 440 Internet small computer system interface (iSCSI), 226 SAN, 226 Internet Web site access, 290 Intranet, 286 corporate, 622
Intrusion detection systems (IDS), 125, 430, 435–438, 441. See also Host intrusion detection system; Network intrusion detection systems anomaly based, 436–437 behavior based, 129–130 commercial, 438–439 definition of, 126 signature based, 127–128, 436 Intrusion prevention system (IPS), 128, 438, 439 Investigator, 584 IP. See Internet protocol IP Security. See IPSec iPod, 27–28 virus and Windows, 28 IPS. See Intrusion prevention system IPSec, 489–491, 494 advantages and disadvantages, 490–491 authentication method, 150–153 data protection (quick mode), 149 ESP, 491, 494 key exchange (main mode), 146–148 security mechanisms, 489–490 security methods, 148 settings, 146–153 iSCSI. See Internet small computer system interface ISP. See Internet service provider ISS. See Internet security systems iTunes, 27 IV. See Initialization vector
J Jamming, 326 Java, 99–101 Java applets developing, 100 securing the execution of, 100–101 Java runtime environment (JRE), 99 Java virtual machines (JVMs), 99, 434 uses of, 100 JavaScript, 101 vulnerabilities, 102 JRE. See Java runtime environment Jscript, 102 JVMs. See Java virtual machines
K KDC. See Key distribution center Kerberos authentication, 393–396 Kerberos realm, 393 authentication path, 395
748 Index
components of, 394 resource access in, 395 Key distribution center (KDC), 393–396 Key escrow, 529–530 Key recovery information (KRI), 533 Keyloggers, 189 Known-plaintext attack, 321 Konqueror, 89 KRI. See Key recovery information
L LAN. See Local area network LANMAN, 466–467 Layer 2 forwarding (L2F) protocol, 493 Layer 2 tunneling protocol (L2TP), 493–494 LDAP. See Lightweight directory access protocol LDAP data interchange format (LDIF), 399–400 LDIF. See LDAP data interchange format Least privileged principle, 44, 49 Legislation, 601–628 L2F. See Layer 2 forwarding protocol Lightweight directory access protocol (LDAP), 72–73, 396–402, 487 directories, 397–398 objects, attributes, and the schema, 399–400 OUs, 397–399 security, 400–402 Link viruses, 7 Local area network (LAN), 72 Logging and auditing, 441–452 Logic bombs, 21–22 Loss control, 586–587 L0phtCrack, 429 L2TP. See Layer 2 tunneling protocol Lunchtime attack, 523, 524
M MAC. See Mandatory access control; Media access control Macro viruses, 7, 186 Magnetic tapes, 34–35 Mail transport agent (MTA), 496 Mail user agent (MUA), 426, 496 Mailsnarf, 278 Malicious code, 5–7, 14 Malicious software. See Malware Malware, 3, 5, 10, 14, 19–20, 182–184 MyDoom-O, 184 Netsky-D, 184 prevention and response, 192–193 Stratio-Zip, 184
Man-in-the middle (MITM) attacks, 278–279, 281, 405, 406 Managed security services providers (MSSPs), 253, 439, 440 Management frames, 315 Mandatory access control (MAC), 45, 343, 351–353 McAfee, 253, 439 MD5. See Message digest 5 Media access control (MAC) address, 281 layer, 313 Memory cards, flash, 26 Message digest 5 (MD5), 402, 466 Messaging application programming interface (MAPI) address book, 185 Metasploit, 432–434 Microsoft baseline security analyzer (MBSA), 62–63 scanning computer, 64 Microsoft development network (MSDN), 91 Microsoft point-to-point encryption (MPPE) protocol, 493 Microsoft security bulletin MS08-041, 90 MIME. See S/Multipurpose Internet mail extensions Mirroring, 551 MITM. See Man-in-the middle attacks Mixed mode authentication, 74 Mixed threat attack, 275 Mobile phones. See Cell phones Modern cryptography, 512 Monitoring tools, on systems and networks, 430–441 Mozilla Firefox, 87, 203 MPPE. See Microsoft point-to-point encryption protocol MSDN. See Microsoft development network MSN Sniffer 2, 114 MSSPs. See Managed security services providers MTA. See Mail transport agent MUA. See Mail user agent Multifaceted security system, using passwords as part of, 609 Multipartite viruses, 6 Multipath interference, 310, 311 Mutual authentication, 405–406
N NAC. See Network access control NAP service. See Network access protection service NAS. See Network attached storage NAT. See Network access translation; Network address translation NAT-tunneling (NAT-T), 491 NDS. See Novell directory services
Index 749
NetBIOS, 69–70, 431 NetBIOS statistics (NBTSTAT), 70 Network, security practices of, 192 Network access control (NAC), 73, 300–301, 340–341. See also Media access control definition of, 340 endpoint-based, 300 hardware-based, 300 identity, 349 implementation, ways, 340–341 infrastructure-based, 300 parts of, 340 Network access control methods, 349–357 DAC, 353–354 implicit deny, 349 job rotation, 351 least privilege, 350–351 logical, 360–363 account expiration, 362 ACLs, 360 domain policies, 361–362 group policies, 361 logical tokens, 362–363 time of day restrictions, 362 MAC, 351–353 physical, 363–370 RBAC, 355–357 separation of duties, 349–350 Network access control models, 341–344 Bell-La Padula, 343 Biba, 343 Clark–Wilson, 343 Orange book guidelines, 341, 341 Red book guidelines, 342 Network access control organization, 357–360 security controls, 358–360 security groups, 357–358 file resources, 359 print resources, 359–360 Network access protection (NAP) service, 150, 300 Network access security methods, physical, 363–370 access lists and logs, 366 door access systems, 368–369 hardware locks, 366–367 ID badges, 367–368 mantrap, 369–370 video surveillance, 370 Network access translation (NAT), 491 Network address translation (NAT), 297–300 benefits of, 298 router, 299 types of, 298 Network analyzer. See Protocol analyzers
Network attached storage (NAS), 35, 72, 226–227 Network authentication, 383–388 biometric, 347–348 cleartext, 385–386 combinations, 348 one-factor, 384–385 password types, 345 SSO, 388 three-factor (multifactor), 387–388 token, 386 two-factor, 386–387 types something you are, 347–348 something you have, 346–347 something you know, 344–346 Network authentication systems, 388–413 802.1x methods, 406–409 biometrics, 347–348, 389–390 Kerberos, 393–396 LDAP, 396–402 mutual, 405–406 per-packet, 410 RADIUS, 390–393 remote access policies, 389 TACACS/TACACS+, 403–404 Network basic input/output system. See NetBIOS Network design elements and components, 281–302 defense-in-depth, 285 Network file system (NFS), 226 Network interface cards (NICs), 216, 222–224 Network intrusion detection systems (NIDS), 126–127, 252–254 tuning, 291 Network intrusion preventions systems (NIPS), 252–254 Network layer firewalls, 257–261 Network mapping tools, 429–430 Network news transfer protocol (NNTP), 487 servers, 69 Network ports, 268–274 Network protocols, 268–274 Network security tools, 250–267 application layer firewalls, 262 content filters, 267 firewalls, 255–256 honeynets, 266 honeypots, 262–265 network layer firewalls, 257–261 protocol analyzers, 267 proxy servers, 256–257 Network services, risks of, 250
750 Index
Network threats, 274–275 of attacks, 275 New technology file system (NTFS), 132, 226, 355, 495, 496 NICs. See Network interface cards NIDS. See Network intrusion detection systems NIPS. See Network intrusion preventions systems Nmap tool, 269, 270 NNTP. See Network news transfer protocol Noise, 568 Nonrepudiation, 383, 475, 515 Norton Internet Security 2008, 91 Novell directory services (NDS), 397 NTFS. See New technology file system NTLM protocol, 467–468 Number of nines, 619
O Object identifiers (OIDs), 471, 472 OCSP. See Online certificate status protocol OFB. See Output feedback Off-site backup storage, 574 OIDs. See Object identifiers One-time pads algorithm, 480–481 Online certificate status protocol (OCSP), 528–529 Online resources, 625–626 Open authentication, 320 Open systems interconnection (OSI) model, 84 application layer, 84, 85 data link layer, 84–85 physical layer, 84, 85 Open vulnerability and assessment language (OVAL), 427–428 benefits of, 428 steps of assessments, 427–428 Opera, 89 Operating system (OS) hotfixes for, 53 patches for, 54 securing, steps for, 48 supported by CSA, 131 surface area in, 47 updates for, 51 maintenance, 53 security, 52 Operating system hardening, 43 general, 44–65, 76 server. See Server OS hardening Organizational policies, 601–628 Organizational units (OUs), 361, 397–399 OS. See Operating system OSI model. See Open systems interconnection model
OUs. See Organizational units Output feedback (OFB), 479 operation, 478 OVAL. See Open vulnerability and assessment language
P Pack analyzer. See Protocol analyzers Packet filtering firewall benefits of, 260 drawbacks of, 260 operation of, 261 Packet sniffers, 114 Packet sniffing, 424–427 PAE, Port access entity PAP. See Password authentication protocol Parasitic viruses, 6 Password authentication protocol (PAP), 402 Password-based cryptography standard, 513 Password complexity, 607–610 Password crackers, 428–429 Password management, 607 Passwords changes, 608–609 power-on, 23 restrictions, 608–609 setting, 23–24 Patch management scripts for, 54 systems for, 54–55 PBX. See Private Branch eXchange PEAP. See Protected extensible authentication protocol Peer-to-peer networks. See P2P networks Penetration testing, 47 Per-packet authentication, 324, 410 Performance logs, 449–450 Peripheral, security risks, 22–35, 37–38 Personal identification number (PIN), 29 Personal information exchange syntax standard, 514 Personal software firewalls, 132, 205 Windows Vista. See Windows Vista firewall Windows XP, 133 Personally identifiable information (PII) privacy policies, 614–616 Pharming, 589–590 Phishing, 588–589 Phising. See Phishing Phreakers, 301 Physical servers, 213, 215–216, 224 PII. See Personally identifiable information Pirated software, 615
Index 751
PKI. See Public key infrastructure Point of presence, 550 Point-to-point tunneling protocol (PPTP), 492–493 Polymorphic viruses, 187 POP3. See Post office protocol 3 Pop-up blockers, 198–203, 206 Port access entity (PAE), 322, 407 authenticator, 322, 407 supplicant, 322, 407 Port-based access control, 406 Port exceptions, 140, 142 Port vulnerabilities, scanning for, 270–273 Post office protocol 3 (POP3), 385, 425–426 Power generator. See Backup generator Power-on passwords, 23 P2P clients, securing, 115–116 P2P networks, 114–116 comparision with client-server networks, 115 PPTP. See Point-to-point tunneling protocol Preshared key (PSK), 489 Privacy policies, 614 ensuring legally, 616 Private Branch eXchange (PBX), 301 Private keys, 522–525 root CA’s, 522 using for data exchange, 516, 517 Privilege escalation, 4–5 Program exceptions, 140–141 Protected extensible authentication protocol (PEAP), 411 advantages of, 411–413 Protected network, 289 Protocol analyzers, 267, 424 Proxy RADIUS, 390 Proxy servers, 256–257 PSK. See Preshared key Public key, 464, 468, 470, 489 using, for data exchange, 516, 517 Public key certificate, 516 Public key infrastructure (PKI), 509–537 components of, 516–530 digital certificates in, 518–525 encryption, 510–512 public keys of, 520–522 solutions, 514–515 standards, 513–514
Q Queen’s jewels technique, 463
R Radio frequency interference (RFI), 568
RADIUS access-request, 323, 408 access server, 323 authentication, 390–393 implementation, 391 process, 390–391 protocols, 390 vs. TACACS+, 405 vulnerabilities, 393 RAID. See Redundant array of independent disks; Redundant arrays of inexpensive disks RBAC. See Role-based access control; Rule-based access control RC4 algorithm, 317, 321, 328, 410 RealSecure, 253 Recovery agents, 531–533, 535 Redundancy, 548 planning, 545–555 Redundant array of independent disks (RAID), 35, 224 Redundant array of inexpensive disks (RAID), 551–552 disk striping with parity level of, 552 hardware, 552 mirroring or duplexing level of, 551 software, 552 Redundant systems, 548–551 Registered ports, 257 Remote access policies and authentication, 389 Remote authentication dial-in user service. See RADIUS Remote desktop protocol (RDP), 232 Remote desktop services, 232–233 Removable storage devices, 30–31 Replay attacks, 279 Request for comments (RFC), 381, 394, 402, 483, 484 RFC. See Request for comments RFI. See Radio frequency interference Rijndael cipher, 480 Risk analysis, 571 Risk assessments, conduct, 423–429 Risk mitigation, implement, 423–429 Rivest, Shamir, and Adleman (RSA) algorithm, 479–480 cryptography standard, 513 Robust security network (RSN), 318 Rogue access points (APs), 325–326 Role-based access control (RBAC), 46–48, 355–357 Rootkits, 19–21, 189 RSA. See Rivest, Shamir, and Adleman algorithm RSN. See Robust security network Rule-based access control (RBAC), 47, 357
752 Index
S S/Multipurpose Internet mail extensions (MIME), 487–488 SAN. See Storage area network SANS. See SysAdmin, Audit, Network, Security Institute Screensavers, password-protected, 451–452 Script kiddie, 185 Scripting, 101–103 active scripting, 102 client-side scripts, securing the execution of, 103 JavaScript, 101 Jscript, 102 VBScript, 102 SE Linux, 61 Secret key encryption, advantage and disadvantage of, 511 Secure disposal of systems, 602–605 Secure hash algorithm (SHA), 466 Secure recovery, restoration, 575–576 Secure shell (SSH), 488–489 Secure sockets layer (SSL), 67, 232–233, 385, 401, 483 negotiation process, 484–486 Security accounts manager (SAM) format, 428 Security risks BIOS as, 23 hardware and peripheral, 22–35, 37–38 Security scanners, 270 Security templates, 58 snap-in, 61 Windows, 60 Security threats, 4–22, 36–37 adware, 15–16 botnets, 20–21 logic bombs, 21–22 privilege escalation, 4–5 rootkits, 19–21 spyware, 15 Trojan, 14 viruses, 6–7 worms, 7–8 Security updates, 52 Security zones, 92–99, 282, 292 configuring, 95–97 SecurityFocus Web site, 52 Serial line Internet protocol (SLIP), 402 Server clusters, 549 Server OS hardening, 65–74 data repositories, 72 database, 73–74 DHCP, 71 directory services, 72–73
DNS, 68–69 file and print servers, 69–71 FTP, 67–68 network access control, 73 NNTP, 69 nonessential processes, 67 nonessential programs, 67 nonessential protocols, 66–67 nonessential services, 66 services and protocols, enabling and disabling, 65–66 Servers, 549–550 authentication, 322 database, 73–74 physical, 213, 215, 216, 224 proxy, 256 virtual, 230–231 Service level agreements (SLAs), 618–620 Service packs, 53 Service set identifier (SSID) broadcast, 315–316 Set-user ID (SUID), 109 SHA. See Secure hash algorithm Shared-key authentication, 320, 321 Shielded twisted-pair (STP), 568 Shielding, 568–570 Signature detection, 436 Signature files, 11 Signatures on e-mails, 622 Simple mail transfer protocol (SMTP), 116, 487 open relays, 116–117 securing mail relays, 117 Single sign-on (SSO), 388 SLIP. See Serial line Internet protocol Smart cards, 524 Smoke detection, 565 SMS. See System management server SMS/System Center, 55 SMTP. See Simple mail transfer protocol Sniffer. See Protocol analyzers Snoopstick, 16–17 Social engineering defending against, 587–593 dumpster diving, 591–592 e-mail hoaxes, 590–591 by education and awareness training, 592 pharming, 589–590 phishing or phising, 588–589 shoulder surfing, 591 spear phishing, 589 Sourcefire, 253, 439 Spare parts, 552–553 Spread spectrum technology, 311
Index 753
Spyware, 15, 190–191 and adware, difference between, 16 defending against, 18–19 examples, 16–18 Snoopstick, 16–17 SQL server security, 74 SRK. See Storage root key SSH. See Secure shell SSL. See Secure sockets layer SSO. See Single sign-on Stateful inspection firewalls, 109 Stealware, 191 Storage, types of DASD, 224–225 NAS, 226–227 SAN, 224–226 fiber channel (FC), 225 iSCSI, 226 Storage area network (SAN), 72, 224–226 fiber channel (FC), 225 iSCSI, 226 Storage root key (SRK), 498 Store-and-forward method, 294 STP. See Shielded twisted-pair Stream cipher, 410, 411, 478, 479, 482, 500 Stream symmetric algorithms, 511. See also Block symmetric algorithms Strong passwords, 608 creating, 608 Subnets, 295 SUID. See Set-user ID Symantec, 85, 89, 91 Symmetric ciphers, 463 Symmetric key cryptography, 462–463, 511 Symmetric key encryption, 512 SysAdmin, Audit, Network, Security Institute (SANS), 88 System, security practices of, 192–193 System agents, 194 System IDS. See Host intrusion detection system (HIDS) System logs, 448 System management server (SMS), 425 System virtualization, 227–230, 236–237 Systems security, overview, 3–38
T TACACS, 403 TACACS+, 403 vs. RADIUS, 404 vulnerabilities, 404 TCP. See Transmission control protocol
Telephony, 301 Telnet, 385 Temporal key integrity protocol (TKIP), 318, 482 Terminal access controller access control system. See TACACS TGT. See Ticket granting ticket Ticket granting ticket (TGT), 394–396 TippingPoint, 253 TKIP. See Temporal key integrity protocol TLS. See Transport layer security TPM. See Trusted platform module Transmission control protocol (TCP), 17, 133, 143, 271 hijacking, 275–277 IP spoofing, 276–277 null sessions, 275 Transport layer security (TLS), 401, 483 negotiation process, 484–486 protocols with, 487 Triple DES (3DES) algorithm, 479 Trojan horses, 14, 45, 188–190, 615 ports of, 259 TrueVector Internet monitor service, 182 Trunk, 297 Trust anchor, 526 Trusted platform module (TPM), 497–499
U UDP. See User datagram protocol Uninterruptible power supplies (UPS), 554–555 Universal serial bus (USB) devices, 3, 25–26 flash drives, 27 UPS. See Uninterruptible power supplies USB devices. See Universal serial bus devices User awareness, 622–623 User datagram protocol (UDP), 17, 133, 143 User education, 623 User identification, 323
V Vacation policy, 612–613 mandatory, 612 separation of duties, 613–614 Van Eck phreaking, 326 VBScript, 102 Vector markup language (VML) messages, 432 Virtual environment, designing, 221 networking, 222–224 processor selection for, 222 storage, 224–227 Virtual local area networks (VLANs), 217, 224, 296–297 to segment network traffic, 297
754 Index
Virtual machines (VMs), 214–215 configuration file for, 228 creating, 228–229 new virtual servers, 229 physical to virtual conversion, 229 separation of, 216 virtual hard disk file for, 228–229 Virtual private networks (VPNs), 389, 491 Virtual servers creating, 230 management of, 230–231 Virtualization application, 230–238 terminal services (remote desktop services), 232–233 XenApp, 233 benefits of, 214–216, 235–237 purpose of, 213–214, 235, 237 system, 227–230, 236–237 types of binary translation, 218–219 hardware assist, 219–221 hosted, 217–218 paravirtualization, 219–220 Viruses, 6–7, 183, 185–187. See also specific viruses application, 186 boot sector, 186 cell phone, 29 defending against, 10–12 e-mail, 186 examples, 9 file types carrying, 12–13 Melissa, 184 payload of, 6 polymorphic, 187 Repulik, 9 W32. Shoren, 9 and worms, difference between, 8 VLANs. See Virtual local area networks VMs. See Virtual machines VPNs. See Virtual private networks Vulnerability assessment tools, 424 Vulnerability scanners, 424
W WAP. See Wireless application protocol Warm swapping, 553. See also Hot swapping Web services on devices API (WSDAPI), 137–138 WebSpy, 278 WEP. See Wired equivalent privacy; Wireless encryption protocol WEPCrack, 325
Wi-Fi protected access (WPA), 318 protocol, 482 Windows autoplay feature in, 26, 28 group policies. See Group policies and iPod virus, 28 security templates, 60 Windows defender, 193–194 scanning with, 194–195 setting options, 195 Software Explorer, 195–196 using, 194–195 Windows exploder control, 91 Windows firewall with advanced security, 134, 144, 153, 161, 205 advanced configuration of, 143–146 monitoring, 171–173 settings, customizing, 145 Windows security center (WSC), 194 Windows software update services (WSUS), 55 Windows Vista firewall, 133–134 advanced tab in, 136–137 with built-in exceptions, 137–140 configuring, 134–136 from command line, 170–171 control panel applet, 134–135 creating manual exceptions, 140–143 profiles, 144 settings, 135–136, 144 Windows XP firewall, 133 SP2 firewall, 134 workstation groups on, 76 WinDUMP, installing, 254–255 Wired equivalent privacy (WEP), 314, 481–482 40-bit vs. 104-bit keys, 317–318 protocol, 317 Wireless application protocol (WAP), 318–319 Wireless communications, 310–311 EM field in, 310 Wireless devices, synchronizing, 311 Wireless encryption protocol (WEP), 409, 410 Wireless networks, 309–329 architecture, 313 design of, 310–314 Wireless phones. See Cell phones Wireless security standards, IEEE 802.11, 316–318 Wireless transmission protocols, 500 Wireless transport layer security (WTLS), 319 Wireshark, 425 Workstation OS, 75, 77 user rights and groups, 75
Index 755
Workstations, 431–432 services enabling and disabling, 48 properties, 49 Worms, 7–8, 187–188 Code Red, 9, 187 conficker, 10 defending against, 10–12 definition, 7 examples, 9–10 Klez, 188 Morris, 187 Nimda, 9, 188 Sasser, 10, 187 SQL Slammer, 9, 187 and viruses, difference between, 8 Zotob, 10 WPA. See Wi-Fi protected access Write-protection, 12, 27 WSC. See Windows security center WTLS. See Wireless transport layer security
X X.509 certificates, 466, 469, 469, 520 XenApp, 233 XOR. See eXclusive OR
XSS attacks, 107–109 preventing, 108–109 reflected, 107–108 stored, 108
Y Yahoo! Anti-Spy toolbar, 199–202 for Internet Explorer, 200 main window, 201 scan results, 201–202
Z Zero-day attack, 12, 131 Zombies, 185 Zone transfers, 68 ZoneAlarm, 172–173 alerts and logs, 182 configuring, 174–177 creating custom zone, 177–178 firewall section, 175–176 monitoring, 182 overview screen, 174 preferences, 176 program control, 178–181 protection details statistics, 175 security zones, 175–177
This page intentionally left blank