Q29105 TC Security + 9/5/04 2:46 PM Page 1
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The Security+ Cram Sheet
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
GENERAL SECURITY CONCEPTS
1. Access control includes MAC, DAC, and RBAC
(Rule-Based Access Control or Role-Based
Access Control)
2. Authentication involves determining the identity
of the account attempting access to resources.
Here are some key points:
• Kerberos authentication is a ticket-based, sym-
metric-key authentication system involving a
KDC. Kerberos v5 supports mutual authentica-
tion.
• CHAP involves the exchange of hashed values
for authentication.
• Certificates are used within a PKI to provide an
asymmetric-key solution.
• Username and password combinations are the
most common form of authentication.
• Token-based authentication is a strong form
requiring possession of the token item.
• Biometric authentication uses parts of the
human body (hand, finger, iris, and so on) for 8.
authentication.
3. Nonessential services and protocols should be
disabled, which requires an understanding of the
following:
• The role of each server, along with its current
configuration
• Required or critical services, protocols, and
applications
• Configuration changes that should be made to
existing servers
ATTACKS
4. Denial of service (DoS) and distributed denial of
service (DDoS) attacks involve the disruption of
normal network services and include the follow-
ing types:
• Smurf—An attack based on the ICMP echo
reply
• Fraggle—Smurf-like attack based on UDP
packets
• Ping flood—Blocks service through repeated
pings
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . address
• SYN flood—Repeated SYN requests without
ACK
• Land—Exploits TCP/IP stacks using spoofed
SYNs (where the same source address and
port appears in both source and destination
elements)
• Teardrop—An attack using overlapping, frag-
mented UDP packets that can’t be reassembled
correctly
• Bonk—An attack on port 53 using fragmented
UDP packets with bogus reassembly informa-
tion
• Boink—Bonk-like attack on multiple ports
5. A back door allows access to a system without
normal security checks.
6. Spoofing is the process of making data look as if
it came from somewhere other than its origin.
7. Man-in-the-middle attacks involve the intercep-
tion of traffic between two systems using a third
system pretending to be the others.
Replay attacks involve the reposting of captured
data.
9. TCP/IP hijacking involves taking control of a
TCP/IP session.
10. Mathematical attacks involve cryptographic key
cracking.
11. Password-guessing, brute-force, and dictionary
attacks involve repeated guessing of logons and
passwords.
12. Forms of malicious code include the following:
• Viruses—Infect systems and spread copies of
themselves
• Trojan horses—Disguise malicious code within
apparently useful applications
• Logic bombs—Trigger on a particular
condition
• Worms—Self-replicating forms of other types
of malicious code
• Java and ActiveX controls—Automatically
execute when sent via email
13. Social engineering involves manipulating human
psychology to gain access to something of value.
AUDITING 26. Routers forward packets between subnets
14. Auditing is the process of tracking user actions (Network layer, layer 3) using the following:
on the network. • RIP
15. System scanning involves probing service ports. • IGRP
• EIGRP
COMMUNICATION SECURITY • OSPF
• BGP
REMOTE ACCESS
• EGP
16. Remote access includes these items:
• 802.11x wireless networking (Wi-Fi)
• IS-IS
27. Switches segment broadcast networks (Data Link
• Virtual Private Network (VPN) connections layer, layer 2).
• Dial-up using RADIUS, TACACS, or TACACS+ 28. Wireless devices provide broadcast-based
• SSL connections connectivity.
• Packet-level authentication via IPSec in the 29. Modems allow connection through audio
Network layer (layer 3) of the OSI model telephony.
17. VPN connections use PPTP or L2TP connectivity.
30. RAS allows remote dial-up (Telecom/PBX) or
18. SSH functions as a secure Telnet. VPN connections.
31. Useful network diagnostic tools include the
SECURING CONNECTIVITY
following:
19. Email can be secured using the S/MIME or PGP
• Ping
protocols.
• Tracert/traceroute
20. Email and Instant Messaging suffer from unde-
• Nslookup
sired messages (spam) and hoaxes.
• Netstat
21. Web connectivity can be secured using HTTPS,
SSL, and TLS. • IPConfig/ifconfig
• Telnet
ONLINE VULNERABILITIES • SNMP
32. Workstations, servers, and mobile devices (such
22. Web vulnerabilities include the following:
as PDAs) require configuration to improve securi-
• Java and JavaScript
ty beyond the default.
• ActiveX controls
• Cookies MEDIA
• CGI vulnerabilities
33. The two main types of coaxial cable (coax) are
• SMTP relay vulnerabilities
10Base2 (Thinnet) and 10Base5 (Thicknet).
23. Protocol vulnerabilities include the following:
34. Twisted pair cable is either unshielded (UTP) or
• TLS shielded (STP). Both come in two speeds: Cat3
• LDAP (10Mbps) or Cat5 (100Mbps).
• FTP vulnerabilities, including anonymous 35. Fiber-optic cable (fiber) speeds range from
access and unencrypted authentication 100Mbps to 2Gbps (with higher speeds in the
• Wireless vulnerabilities, including WEP key works).
analysis 36. Removable media includes tape, recordable
24. A site survey is necessary before deploying a compact discs (CD-R), hard drives, diskettes,
WLAN. flashcards, and smartcards.
37. Backups may be full, incremental, differential, or
INFRASTRUCTURE SECURITY copy.
BASIC NETWORK SECURITY DEVICES SECURITY TOPOLOGIES
25. Firewalls separate external and internal networks
38. Security zones support the management of a
and include the following types:
bastion host and screened host or screened
• Packet-filtering firewalls (Network layer, subnet gateways.
layer 3)
39. Networks may be divided into intranets,
• Proxy-service firewalls, including circuit-level
extranets, DMZs, and the Internet.
(Session layer, layer 5) and application-level
40. A VLAN allows for computers on the same
(Application layer, layer 7) gateways
physical segment to be on different logical
• Stateful-inspection firewalls (Application layer,
segments.
layer 7)
41. Network Address Translation (NAT) devices
translate traffic between public and private
. . . .schemes.
. . . . . . . . . . . . . . . . . . .
 Q29105 TC Security + 9/5/04 2:46 PM
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
42. Tunneling is the process of transmitting data
encapsulated within a second protocol to prevent
direct eavesdropping using a packet sniffer.
INTRUSION DETECTION
43. An IDS monitors packet data using behavior-
based or knowledge-based methods, operating in
network-based or host-based configurations.
44. Honeypots and honeynets are used to study the
actions of hackers and to distract them from
more valuable data.
45. Incident handling may include detection, deflec-
tion, or countermeasures.
46. A security baseline is a measure of normal net-
work activity against which behavior-based IDSs
measure network traffic to detect anomalies.
47. Hardening is the process of securing a host, net-
work, or application to resist attacks. Some key
services that should be considered during hard-
ening are Web, email, FTP, DNS, NNTP, DHCP,
file, print, and data repository servers.
BASICS OF CRYPTOGRAPHY
ALGORITHMS
48. A hashing algorithm uses a mathematical formula 59. IPSec consists of AH, ESP, IPComp, and IKE.
to verify data integrity. Examples include the SHA
and the Message Digest Series algorithms (MD2, KEY MANAGEMENT AND CERTIFICATE
MD4, and MD5).
49. Symmetric-key algorithms depend on a shared
single key for encryption and decryption.
Examples include DES, 3DES, AES, Blowfish,
IDEA, and the Rivest ciphers (RC2, RC4, RC5,
and RC6).
50. Asymmetric-key algorithms use a public key for
encryption and a private key for decryption.
Examples include the RSA, Diffie-Hellman, El
Gamal, and Elliptic Curve Cryptography stan-
dards.
CONCEPTS OF USING CRYPTOGRAPHY
51. Cryptographic encryption improves
confidentiality.
52. Error checking within encryption/decryption
schemes ensures data integrity. Digital signatures
are used to sign data so that the recipient can
verify the data’s origin.
53. Cryptographic routines can perform user authen-
tication and provide for nonrepudiation of data
origin.
54. Cryptographic methods may be used for access
control.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Page 2
PUBLIC KEY INFRASTRUCTURE (PKI)
55. PKI relies on asymmetric-key cryptography using
certificates issued by an authentication Certificate
Authority (CA) such as VeriSign.
56. Certificates are digitally signed blocks of data
that may be used within a PKI setting. Some
things to remember about certificates include
the following:
• Certificate policies specify the uses for a cer-
tificate as well as additional technical data.
• A Certificate Practice Statement (CPS) is a
legal document that details the purpose of
conveying information using a certificate.
• Certificates can be revoked before their expira-
tion date.
57. Certificate Authorities may be grouped into
several trust models, including the following:
• Single CA—Uses a single CA
• Hierarchical CA—Uses a root CA and subordi-
nate CAs
• Bridge CA—Uses a bridge CA and principal
CAs
58. The IETF Working Group on X.509 standards for
PKI is PKIX.
LIFECYCLE
60. Key management and the certificate lifecycle sup-
port PKI solutions through the process of creat-
ing, using, and then destroying public keys and
the digital certificates they are associated with.
The lifecycle includes the following parts:
• Key generation—A public key pair is created
and held by the CA.
• Identity submission—The requesting entity
submits its identity to the CA.
• Registration—The CA registers the request and
verifies the submission identity.
• Certification—The CA creates a certificate
signed by its own digital certificate.
• Distribution—The CA publishes the generated
certificate.
• Usage—The receiving entity is authorized to
use the certificate only for its intended use.
• Revocation and expiration—The certificate will
expire or may be revoked earlier if needed.
• Renewal—If needed, a new key pair can be SECURITY POLICIES AND PROCEDURES
generated and the certificate renewed. 68. Security policies define guidelines and specifica-
• Recovery—Recovery is possible if a certifying tions for general types of security considerations.
key is compromised but the holder is still valid Procedures are step-by-step items defined within
and trusted. each policy that specify the responsible agents,
• Archiving—The certificates and their uses are actions to be taken, and methods for proper
stored. reporting. Procedures must be followed. Policies
61. Key management may be either centralized or include risk assessment, security, acceptable use,
decentralized. and compliance. Focus details may include due
care, privacy, separation of duties, need to know,
62. An escrow agent maintains a copy of the private
password management, retention, disposal and
key signed by the CA.
destruction, incident response, and Human
63. Multiple key pairs will require multiple certifi- Resources policies.
cates.
69. Privilege management may be user based, group
OPERATIONAL/ORGANIZATIONAL SECURITY based, or role based, reflecting a MAC, DAC, or
RBAC configuration.
PHYSICAL SECURITY 70. Risk identification includes asset identification,
64. Access control includes considerations of direct risk assessment, threat identification and
access, network access, facilities, and the envi- classification, and identification of vulnerabilities.
ronment supporting a system. 71. Education is required to ensure that users are
aware of required and recommended security
65. Social engineering involves extracting useful
information from an authorized user, whereas guidelines.
reverse social engineering involves convincing an 72. All aspects of security must be documented,
authorized user of the attacker’s authorization or including security policies, architecture documen-
expertise so that the user will ask for assistance. tation, as well as retention and disposal proce-
66. A disaster recovery plan (DRP) details considera- dures for each form of documentation.
tions for backup and restoration, including secure 73. Computer forensic analysis includes the need to
recovery methods. Some of the items within the establish a clear chain of custody, properly
DRP are impact and risk assessments and serv- collect the evidence, correctly perform the
ice-level agreements (SLAs) with suppliers and investigation, document all actions and findings,
vendors. preserve all evidence and documentation, and
67. A business continuity plan details the procedures prepare to provide expert testimony or consulta-
to follow in order to reestablish proper connectiv- tion if required.
ity as well as the facilities needed to restore data
in the event of a catastrophic loss. Items of con-
sideration include network connectivity, facilities,
clustering, and fault tolerance.