Eleventh Hour Security+: Exam SY0-201 Study Guide
Ebook, 422 pages, 4 hours


About this ebook

Eleventh Hour Network+: Exam N10-004 Study Guide offers a practical guide for those preparing for the Security+ certification exam. The book's 14 chapters provide in-depth discussions of the following topics: systems security; operating system hardening; application security; virtualization technologies; network security; wireless networks; network access; network authentication; risk assessment and risk mitigation; general cryptographic concepts; public key infrastructure; redundancy planning; environmental controls and implementing disaster recovery and incident response procedures; and legislation and organizational policies. Each chapter includes information on exam objectives, exam warnings, and the top five toughest questions along with their answers.
  • The only book keyed to the new SY0-201 objectives that has been crafted for last minute cramming
  • Easy to find, essential material with no fluff – this book does not talk about security in general, just how it applies to the test
  • Includes review of five toughest questions by topic - sure to improve your score
Language: English
Publisher: Syngress
Release date: Oct 3, 2009
ISBN: 9781597494946
Author

Ido Dubrawsky

Ido Dubrawsky (CISSP, CCNA, CCDA) is the Chief Security Advisor for Microsoft’s Communication Sector North America, a division of the Mobile and Embedded Devices Group. Prior to working at Microsoft, Ido was the acting Security Consulting Practice Lead at AT&T’s Callisma subsidiary and a Senior Security Consultant. Before joining AT&T, Ido was a Network Security Architect for Cisco Systems, Inc., SAFE Architecture Team. He has worked in the systems and network administration field for almost 20 years in a variety of environments from government to academia to private enterprise. He has a wide range of experience in various networks, from small to large and relatively simple to complex. Ido is the primary author of three major SAFE white papers and has written, and spoken, extensively on security topics. He is a regular contributor to the SecurityFocus website on a variety of topics covering security issues. Previously, he worked in Cisco Systems, Inc. Secure Consulting Group, providing network security posture assessments and consulting services for a wide range of clients. In addition to providing penetration-testing consultation, he also conducted security architecture reviews and policy and process reviews. He holds a B.Sc. and a M.Sc. in Aerospace Engineering from the University of Texas at Austin.


    Eleventh Hour Security+ - Ido Dubrawsky

    Brief Table of Contents

    Copyright

    About the Authors

    Chapter 1. Systems Security

    Chapter 2. OS Hardening

    Chapter 3. Application Security

    Chapter 4. Virtualization Technologies

    Chapter 5. Network Security

    Chapter 6. Wireless Networks

    Chapter 7. Network Access

    Chapter 8. Network Authentication

    Chapter 9. Risk Assessment and Risk Mitigation

    Chapter 10. General Cryptographic Concepts

    Chapter 11. Public Key Infrastructure

    Chapter 12. Redundancy Planning

    Chapter 13. Controls and Procedures

    Chapter 14. Legislation and Organizational Policies

    Table of Contents

    Copyright

    About the Authors

    Chapter 1. Systems Security

    Systems Security Threats

    Privilege escalation

    Viruses and worms

    Trojan

    Spyware and adware

    Rootkits and botnets

    Logic bombs

    Host Intrusion Detection System

    Behavior-based vs. signature-based IDS characteristics

    Anti-SPAM

    Pop-Up Blockers

    Hardware and Peripheral Security Risks

    BIOS

    USB devices

    Cell phones

    Removable storage devices

    Network attached storage

    Summary of Exam Objectives

    Top Five Toughest Questions

    Answers

    Chapter 2. OS Hardening

    General OS Hardening

    Services

    File system

    Removing unnecessary programs

    Hotfixes/patches

    Service packs/maintenance updates

    Patch management

    Windows group policies

    Security templates

    Configuration baselines

    Server OS Hardening

    Enabling and disabling services and protocols

    FTP servers

    DNS servers

    NNTP servers

    File and print servers

    DHCP servers

    Data repositories

    Workstation OS

    User rights and groups

    Summary of Exam Objectives

    Top Five Toughest Questions

    Answers

    Chapter 3. Application Security

    Threats are Moving Up the Stack

    Rationale

    Threat modeling

    Application Security Threats

    Browser

    Buffer overflows

    Packet Sniffers and Instant Messaging

    Instant messaging

    Peer-to-peer

    SMTP open relays

    Summary of Exam Objectives

    Top Five Toughest Questions

    Answers

    Chapter 4. Virtualization Technologies

    The Purpose of Virtualization

    Benefits of Virtualization

    Types of virtualization

    Designing a virtual environment

    System Virtualization

    Management of virtual servers

    Application Virtualization

    Application streaming

    Summary of Exam Objectives

    Top Five Toughest Questions

    Answers

    Chapter 5. Network Security

    General Network Security

    Network services and risks associated with them

    Network design elements

    Network security tools

    Network Ports, Services, and Threats

    Network ports and protocols

    Network threats

    Network Design Elements and Components

    Firewalls

    What is a DMZ?

    VLANs

    Network Address Translation

    Network access control/network access protection

    Telephony

    Network Security Tools

    Intrusion detection and preventions systems

    Honeypots

    Content filters

    Protocol analyzers

    Summary of Exam Objectives

    Top Five Toughest Questions

    Answers

    Chapter 6. Wireless Networks

    Wireless Network Design

    Wireless communications

    Spread spectrum technology

    Wireless network architecture

    CSMA/CD and CSMA/CA

    Service Set ID Broadcast

    Wireless Security Standards

    The failure of WEP

    WPA and WPA2

    WAP

    WTLS

    Authentication

    Rogue Access Points

    Data Emanation

    Bluetooth

    Summary of Exam Objectives

    Top Five Toughest Questions

    Answers

    Chapter 7. Network Access

    General Network Access

    Access control

    Access control models

    Authentication models and components

    Identity

    Access Control Methods and Models

    Separation of duties

    Least privilege

    Job rotation

    Mandatory access control

    Discretionary access control

    Role- and rule-based access control

    Access Control Organization

    Security groups

    Security controls

    Logical Access Control Methods

    Access control lists

    Group policies

    Domain policies

    Time of day restrictions

    Account expiration

    Logical tokens

    Physical Access Security Methods

    Access lists and logs

    Hardware locks

    ID badges

    Door access systems

    Man-trap

    Video surveillance

    Summary of Exam Objectives

    Top Five Toughest Questions

    Answers

    Chapter 8. Network Authentication

    Authentication Methods

    Access control

    Authentication

    Auditing

    Authentication Methods

    One-factor

    Two-factor

    Three-factor

    Single sign-on

    Authentication Systems

    Remote access policies and authentication

    Biometrics

    Summary of Exam Objectives

    Top Five Toughest Questions

    Answers

    Chapter 9. Risk Assessment and Risk Mitigation

    Conduct Risk Assessments and Implement Risk Mitigation

    Vulnerability assessment tools

    Password crackers

    Network mapping tools

    Use Monitoring Tools on Systems and Networks

    Workstations

    Intrusion Detection Systems

    Logging and Auditing

    Auditing systems

    System Logs

    Performance Logs

    Access Logs

    Audits

    Summary of Exam Objectives

    Top Five Toughest Questions

    Answers

    Chapter 10. General Cryptographic Concepts

    General Cryptography

    Symmetric key cryptography

    Asymmetric key cryptography

    Hashes and applications

    Digital signatures

    Certificates

    CIA—For all your security needs

    Non-repudiation

    Key management

    Encryption Algorithms

    DES

    3DES

    RSA

    AES

    Elliptic curve cryptography

    One-time pads

    Transmission encryption

    WEP

    TKIP

    Protocols

    SSL/TLS

    HTTP vs. HTTPS vs. SHTTP

    Other protocols with TLS

    S/MIME

    SSH

    IPSec

    PPTP

    L2TP

    Cryptography in Operating Systems

    File and folder encryption

    E-mail

    Whole disk encryption

    Trusted platform module

    Summary of Exam Objectives

    Top Five Toughest Questions

    Answers

    Chapter 11. Public Key Infrastructure

    PKI Overview

    PKI encryption

    PKI standards

    PKI solutions

    Components of PKI

    Digital certificates

    Certification authority

    Certificate revocation list

    Recovery agents

    Certificate authority

    Certificate revocation list

    Key escrow

    Registration

    Recovery Agents

    Implementation

    Certificate Management

    Summary of Exam Objectives

    Top Five Toughest Questions

    Answers

    Chapter 12. Redundancy Planning

    Alternate Sites

    Hot site

    Warm site

    Cold site

    Redundant Systems

    Servers

    Connections

    ISP

    RAID

    Spare Parts

    Backup Generator

    UPS

    Summary of Exam Objectives

    Top Five Toughest Questions

    Answers

    Chapter 13. Controls and Procedures

    Environmental Controls

    Fire suppression

    HVAC

    Shielding

    Implementing Disaster Recovery and Incident Response Procedures

    Disaster recovery

    Incident response

    Defending against social engineering

    Summary of Exam Objectives

    Top Five Toughest Questions

    Answers

    Chapter 14. Legislation and Organizational Policies

    Secure Disposal of Systems

    Retention/storage

    Destruction

    Acceptable Use Policies

    Password Complexity

    Strong passwords

    Password changes and restrictions

    Administrator accounts

    Change Management

    Information Classification

    Vacations

    Separation of duties

    Personally Identifiable Information

    Privacy

    Due Care

    Due Process

    Due Diligence

    SLAs

    User Education and Awareness Training

    Communication

    User awareness

    Education

    Online resources

    Security-Related HR Policies

    Code of Ethics

    Summary of Exam Objectives

    Top Five Toughest Questions

    Answers

    Copyright

    Syngress is an imprint of Elsevier

    30 Corporate Drive, Suite 400, Burlington, MA 01803, USA

    Linacre House, Jordan Hill, Oxford OX2 8DP, UK

    Eleventh Hour Security+ Exam SY0-201 Study Guide

    © 2010 Elsevier Inc. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

    This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

    Notices

    Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

    Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

    To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

    Library of Congress Cataloging-in-Publication Data

    Application submitted

    British Library Cataloguing-in-Publication Data

    A catalogue record for this book is available from the British Library.

    ISBN: 978-1-59749-427-4

    Printed in the United States of America

    09 10 11 12 13 10 9 8 7 6 5 4 3 2 1

    Elsevier Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively Makers) of this book (the Work) do not guarantee or warrant the results to be obtained from the Work.

    For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights; email m.pedersen@elsevier.com

    For information on all Syngress publications, visit our Web site at www.syngress.com

    About the Authors

    Author

    Ido Dubrawsky (CISSP, Security+, CCNA) is the Chief Security Advisor for Microsoft’s Communication Sector Americas division. His responsibilities include providing subject matter expertise on a wide range of technologies with customers as well as discussions on policy, regulatory concerns, and governance. Prior to working at Microsoft, Ido was the acting Security Consulting Practice Lead and a Senior Security Consultant at AT&T’s Callisma subsidiary where he was tasked with helping to rebuild the practice. Ido has held a wide range of previous roles, including Network Security Architect for Cisco Systems, Inc. on the SAFE Architecture Team. He has worked in the systems and network administration field for almost 20 years in a variety of environments from government to academia to private enterprise and has a wide range of experience in various networks, from small to large and relatively simple to complex. Ido is the primary author of three major SAFE white papers and has written, and spoken, extensively on security topics. He has been a regular contributor to the SecurityFocus Web site on a variety of topics covering security issues. He holds a BSc and an MSc in Aerospace Engineering from the University of Texas at Austin.

    Technical Editor

    Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet specialist/programmer with the Niagara Regional Police Service. In addition to designing and maintaining the Niagara Regional Police’s Web site (www.nrps.com) and intranet, he has also provided support and worked in the areas of programming, hardware, database administration, graphic design, and network administration. In 2007, he was awarded a Police Commendation for work he did in developing a system to track high-risk offenders and sexual offenders in the Niagara Region. As part of an information technology team that provides support to a user base of over 1,000 civilian and uniformed users, his theory is that when the users carry guns, you tend to be more motivated in solving their problems.

    Michael was the first computer forensic analyst in the Niagara Regional Police Service’s history, and for 5 years he performed computer forensic examinations on computers involved in criminal investigations. The computers he examined for evidence were involved in a wide range of crimes, inclusive to homicides, fraud, and possession of child pornography. In addition to this, he successfully tracked numerous individuals electronically, as in cases involving threatening e-mail. He has consulted and assisted in numerous cases dealing with computer-related/Internet crimes and served as an expert witness on computers for criminal trials.

    Michael has previously taught as an instructor for IT training courses on the Internet, Web development, programming, networking, and hardware repair. He is also seasoned in providing and assisting in presentations on Internet safety and other topics related to computers and the Internet. Despite this experience as a speaker, he still finds his wife won’t listen to him.

    Michael also owns KnightWare, which provides computer-related services like Web page design, and Bookworms, which provides online sales of merchandise. He has been a freelance writer for over a decade and has been published over three dozen times in numerous books and anthologies. When he isn’t writing or otherwise attached to a computer, he spends as much time as possible with the joys of his life: his lovely wife, Jennifer; darling daughter Sara; adorable daughter Emily; charming son Jason; and beautiful and talented daughter Alicia

    Chapter 1. Systems Security

    Exam objectives in this chapter:

      • Systems Security Threats
      • Host Intrusion Detection System
      • Personal Software Firewall
      • Anti-Virus
      • Anti-SPAM
      • Pop-Up Blockers
      • Hardware and Peripheral Security Risks

    Systems Security Threats

    There are security risks to almost any system. Any computer, network or device that can communicate with other technologies, allows software to be installed, or is accessible to groups of people faces any number of potential threats. The system may be at risk of unauthorized access, disclosure of information, destruction or modification of data, code attacks through malicious software, or any number of other risks discussed in this book.

    Some of the most common threats to systems come in the form of malicious software, which is commonly referred to as malware. Malware is carefully crafted software written by attackers and designed to compromise security and/or do damage. These programs are written to be independent and do not always require user intervention or for the attacker to be present for their damage to be done. Among the many types of malware we will look at in this chapter are viruses, worms, Trojan horses, spyware, adware, logic bombs, and rootkits.

    Privilege escalation

    Privilege escalation occurs when a user acquires greater permissions and rights than he or she was intended to receive.

    Privilege escalation can be a legitimate action.

    Users can also gain elevated privileges by exploiting vulnerabilities in software (bugs or backdoors) or system misconfigurations. Bugs are errors in software, causing the program to function in a manner that wasn’t intended.

    Backdoors are methods of accessing a system in a manner that bypasses normal authentication methods.

    System misconfigurations include such items as adding a user to a privileged group (such as the Administrator group in Active Directory) or leaving the root password blank or easily guessable.
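    The misconfigurations listed above are easy to audit for. The following script is an added example and is not from the study guide; it checks constructed Unix-style account files (the guide's Active Directory example is the Windows equivalent) for a blank password hash, a second UID 0 account, and members of privileged groups who are not on an assumed allowlist. The file contents, the group names sudo and wheel, and the EXPECTED_PRIVILEGED allowlist are all constructed for the example.

```python
"""Audit constructed Unix-style account files for privilege-escalation
misconfigurations: blank passwords, extra UID-0 accounts, and unexpected
members of privileged groups. The file contents below are constructed for
the example and do not come from any real host."""

# Constructed /etc/passwd content (not from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc-backup:x:1002:1002:Backup service:/var/backups:/usr/sbin/nologin
"""

# Constructed /etc/shadow content: alice has an empty hash field (blank password),
# svc-backup is locked with '!', the rest carry placeholder hashes.
SHADOW = """\
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
toor:$6$saltsalt$hashhashhash:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:$6$saltsalt$hashhashhash:19000:0:99999:7:::
svc-backup:!:19000:0:99999:7:::
"""

# Constructed /etc/group content.
GROUP = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:bob
users:x:100:alice,bob
"""

# Assumed allowlist: who is expected to hold each privileged group membership.
EXPECTED_PRIVILEGED = {"sudo": {"alice"}, "wheel": set()}


def parse_colon_file(text):
    """Return a list of field lists, one per non-empty, non-comment line."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rows.append(line.split(":"))
    return rows


def find_blank_passwords(shadow_text):
    """Accounts whose shadow hash field is empty: anyone can log in with no password.
    Locked accounts ('!' or '*') are not blank and are not reported."""
    return sorted(row[0] for row in parse_colon_file(shadow_text) if row[1] == "")


def find_extra_uid0(passwd_text):
    """Accounts other than 'root' with UID 0: full root rights under another name."""
    return sorted(row[0] for row in parse_colon_file(passwd_text)
                  if row[2] == "0" and row[0] != "root")


def find_unexpected_group_members(group_text, expected):
    """Members of privileged groups that are not on the allowlist."""
    findings = {}
    for row in parse_colon_file(group_text):
        name, members = row[0], row[3]
        if name not in expected:
            continue
        actual = {m for m in members.split(",") if m}
        extra = actual - expected[name]
        if extra:
            findings[name] = sorted(extra)
    return findings


def audit(passwd_text=PASSWD, shadow_text=SHADOW, group_text=GROUP,
          expected=EXPECTED_PRIVILEGED):
    """Run all checks and return a dict of findings; empty values mean clean."""
    return {
        "blank_passwords": find_blank_passwords(shadow_text),
        "extra_uid0": find_extra_uid0(passwd_text),
        "unexpected_group_members": find_unexpected_group_members(group_text, expected),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result or 'none'}")
```

    On a real host the same functions can be pointed at the contents of /etc/passwd, /etc/shadow and /etc/group (reading shadow requires root), and the allowlist should come from the organization's own record of who is authorized to hold administrative rights.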

    Viruses and worms

    Malicious software has appeared in many forms over the decades, but the problem has increased substantially as more computers and devices are able to communicate with one another.

    Before networks were commonplace, a person transferring data needed to physically transport software between machines, often using floppy diskettes or other removable media.

    To infect additional machines, the malicious software would have to write itself to the media without the user’s knowledge.

    With the widespread use of networking, exploitable vulnerabilities, file sharing, and e-mail attachments made it much easier for malware to disseminate.

    There are many different types of malicious code that are written with the intention of causing damage to systems, software, and data—two of the most common forms are viruses and worms.

    VIRUSES

    A computer virus is defined as a self-replicating computer program that interferes with a computer’s hardware, software, or OS.

    A virus’s primary purpose is to create a copy of itself.

    Viruses contain enough information to replicate and perform other damage, such as deleting or corrupting important files on your system.

    A virus must be executed to function (it must be loaded into the computer’s memory) and then the computer must follow the virus’s instructions.

    The instructions of the virus constitute its payload. The payload may disrupt or change data files, display a message, or cause the OS to malfunction.

    A virus can replicate by writing itself to removable media, hard drives, legitimate computer programs, across the local network, or even throughout the Internet.

    WORMS

    Worms are another common type of malicious code, and are often confused with viruses.

    A worm is a self-replicating program that does not alter files but resides in active memory and duplicates itself by means of computer networks.

    Worms can travel across a network from one computer to another, and in some cases different parts of a worm run on different computers.

    Some worms are not only self-replicating but also contain a malicious payload.

    DIFFERENCE BETWEEN VIRUSES AND WORMS

    Over time the distinction between viruses and worms has become blurred. The differences include:

      • Viruses require a host application to transport themselves; worms are self-contained and can replicate from system to system without requiring an external application.
      • Viruses are intended to cause damage to a system and its files; worms are intended to consume the resources of a system.

    DEFENDING AGAINST VIRUSES AND WORMS

    Protection against viruses, worms, and other malicious code usually includes up-to-date anti-virus software, a good user education program, and diligently applying the software patches provided by vendors.

    Tip

    If you’re really pressed for time, focus on the general characteristics of viruses and worms as they still represent some of the most challenging problems for enterprise network and security administrators.

    Anti-virus software is an application that is designed to detect viruses, worms, and other malware on a computer system. These programs may monitor the system for suspicious activity that indicates the presence of malware, but more often will detect viruses using signature files. Signature files are files that contain information on known viruses, and are used by anti-virus software to identify viruses on a system.

    User education is an important factor in preventing viruses from being executed and infecting a system. As viruses require user interaction to load, it is important that users are aware that they shouldn’t open attached files that have executable code (such as files with the extension .com, .exe, and .vbs), and avoid opening attachments from people they don’t know.

    Updating systems and applying the latest patches and updates is another important factor in protecting against viruses and worms.

    When researchers discover a flaw or vulnerability, they report it to the software vendor, who typically works on quickly developing a fix to the flaw.

    A zero-day attack is an attack where a vulnerability in a software program or operating system is exploited before a patch has been made available by the software vendor.

    You can prepare for an infection by a virus or worm by creating backups of legitimate original software and data files on a regular basis. These backups will help to restore your system, should that ever be necessary.
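    To make the two detection ideas in this section concrete (signature files that identify known malware, and refusing attachments with executable extensions such as .com, .exe and .vbs), here is an added example that is not from the study guide. It scans a set of constructed in-memory "files" against a constructed signature database made of whole-file SHA-256 hashes and byte patterns, and separately flags executable extensions anywhere in a filename so that a double extension like invoice.pdf.exe is caught. The signature names, patterns, sample files and the EXECUTABLE_EXTENSIONS policy list are all constructed for the example.

```python
"""Minimal signature-based scanner plus an attachment-extension check.
All signatures and sample 'files' are constructed for the example and do
not correspond to real malware."""
import hashlib

# Constructed byte-pattern signatures: name -> byte sequence that must appear.
BYTE_SIGNATURES = {
    "Example.Dropper.A": b"DROP-AND-RUN-PAYLOAD",
    "Example.Worm.B": b"SPREAD-VIA-SHARE",
}

# Constructed whole-file hash signatures: sha256 hex -> name (filled in below).
HASH_SIGNATURES = {}

# Extensions the guide names (.com, .exe, .vbs) plus a few common scripting
# and screensaver extensions; this is an assumed policy list.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".vbs", ".bat", ".scr", ".js"}

# Constructed sample files: name -> content bytes.
SAMPLE_FILES = {
    "report.txt": b"Quarterly numbers attached.",
    "invoice.pdf.exe": b"MZ\x90\x00 DROP-AND-RUN-PAYLOAD ...",
    "setup.exe": b"MZ\x90\x00 harmless installer bytes",
    "update.vbs": b"WScript.Echo 1",
    "notes.doc": b"SPREAD-VIA-SHARE in a macro",
}
# Register one sample as a known-bad whole-file hash.
HASH_SIGNATURES[hashlib.sha256(SAMPLE_FILES["setup.exe"]).hexdigest()] = "Example.Installer.C"


def sha256_hex(data):
    """Hex SHA-256 of the file bytes, the key used for whole-file signatures."""
    return hashlib.sha256(data).hexdigest()


def match_signatures(data):
    """Return the list of signature names that match the given file bytes:
    the hash signature first (if any), then every byte pattern found."""
    hits = []
    name = HASH_SIGNATURES.get(sha256_hex(data))
    if name:
        hits.append(name)
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


def executable_extensions(filename):
    """Return every executable extension found anywhere in the name, so that
    a double extension such as 'invoice.pdf.exe' is caught as well."""
    parts = filename.lower().split(".")
    return [f".{p}" for p in parts[1:] if f".{p}" in EXECUTABLE_EXTENSIONS]


def scan(files):
    """Scan a name->bytes mapping and return a verdict per file."""
    verdicts = {}
    for name, data in files.items():
        sigs = match_signatures(data)
        exts = executable_extensions(name)
        if sigs:
            verdict = "MALWARE"
        elif exts:
            verdict = "BLOCKED_EXTENSION"
        else:
            verdict = "CLEAN"
        verdicts[name] = {"verdict": verdict, "signatures": sigs,
                          "executable_extensions": exts}
    return verdicts


if __name__ == "__main__":
    for name, result in scan(SAMPLE_FILES).items():
        print(f"{name:18} {result['verdict']:18} {result['signatures']} {result['executable_extensions']}")
```

    Note how the two checks complement each other: the signature match catches known content regardless of filename, while the extension rule blocks an unknown executable that no signature yet describes, which is exactly the gap a zero-day attack exploits between discovery of a flaw and the vendor's patch or the anti-virus vendor's signature update.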

    Trojan

    A Trojan horse is a program in which malicious code is contained inside what appears to be harmless data or programming, and is most often disguised as something fun, such as a game or other application. The malicious program is hidden, and when called to perform its functionality, can actually ruin your hard disk.

    Spyware and adware

    Spyware and adware are two other types of programs that can be a nuisance or malicious software. Both of these may be used to gather information about your computer, or other information that you may not want to share with other parties.

    SPYWARE

    Spyware is a type of program that is used to track user activities and spy on their machines.

    Spyware programs can scan systems, gather personal information (with or without the user’s permission), and relay that information to other computers on the Internet.

    Spyware has become such a pervasive problem that dozens of anti-spyware programs have been created.

    Some spyware will hijack browser settings, changing your home page, or redirect your browser to sites you didn’t intend to visit. Some are even used for criminal purposes, stealing passwords and credit card numbers and sending them to the spyware’s creator.

    Spyware usually does not self-replicate, meaning that the program needs to be installed in each target computer.

    Some spyware programs are well behaved and even legal, with many spyware programs taking the form of browser toolbars.

    ADWARE

    Adware is software that displays advertising while the product is being used, allowing software developers to finance the distribution of their product as freeware (software you don’t have to pay for to use). However, some types of adware can be a nuisance and display pop-up advertisements (such as through an Internet browser), or be used to install and run other programs without your permission.

    Adware can cause performance issues.

    DIFFERENCE BETWEEN SPYWARE AND ADWARE

    Adware and spyware are two distinctively different types of programs.

    Adware is a legitimate way for developers to make money from their programs.

    Spyware is an insidious security risk.

    Adware displays what someone wants to say; spyware monitors and shares what you do.

    Adware may incorporate some elements that track information, but this should only be with the user’s permission. Spyware will send information whether the user likes it or not.

    DEFENDING AGAINST SPYWARE AND ADWARE

    Preventing spyware and adware from being installed on a computer can be difficult, because a person will give, or be tricked into giving, permission for the program to install on a machine. Users need to be careful about the programs they install on a machine and should do the following:

      • Read the End User License Agreement (EULA), as a trustworthy freeware program that uses advertising to make money will specifically say it’s adware. If it says it is and you don’t want adware, don’t install it.
      • Avoid installing file-sharing software, as these programs are commonly used to disseminate adware/spyware.
      • Install and/or use a pop-up blocker on your machine, such as the one available with Google Toolbar, MSN Toolbar, or the pop-up blocking feature available in Internet Explorer running on Windows XP SP2 or higher. The pop-up blocker prevents browser windows from opening and displaying Web pages that display ads or may be used to push spyware to a computer.
      • Be careful when using your Web browser and clicking on links. If you see a dialog box asking you to download and install an ActiveX control or another program, make sure that it’s something you want to install and that it’s from a reliable source. If you’re unsure, do not install it.
      • Use tools that scan for spyware and adware, and can remove any that’s found on a machine.

    Rootkits and botnets

    Botnets and rootkits are tools used to exploit vulnerabilities in operating systems and other software.

    Rootkits are software that can be hidden on systems and can provide elevated privileges to hackers.

    A rootkit is a collection of tools used to gain high levels of access to computers (such as that of an administrator).

    Rootkits try to conceal their presence from the OS and anti-virus programs in a computer.

    Rootkits can make it easy for hackers to install remote control programs or software that can cause significant damage.

    A bot is a type of program that runs automatically, like a robot, performing specific tasks without the need for user intervention.

    Bots have been developed and used by Google, Yahoo, and MSN to seek out Web pages and return information about each page for use in their search engines. This is a legitimate use for bots, and such bots do not pose a threat to machines.

    Botnets are one of the biggest and best-hidden threats on the Internet.

    The botnet controller is referred to as the bot herder, and he or she can send commands to the bots and receive data (such as passwords or access to other resources) from them.

    Bots can be used to store files on other people’s machines, instruct them to send simultaneous requests to a single site in a DoS attack, or for sending out SPAM mail.

    A Web server or IRC server is typically used as the Command and Control (C&C) server for a group of bots or a botnet.

    Logic bombs

    A logic bomb is a type of malware that can be compared to a time bomb: it is designed to execute and do damage after a certain condition is met, such as the passing of a certain date or time, or another action like a command being sent or a specific user account being deleted.

    Attackers will leave a logic bomb behind when they’ve entered a system to try to destroy any evidence that system administrators might find.

    Host Intrusion Detection System

    Intrusion detection is an important piece of security in that it acts as a detective control. An intrusion detection system (IDS) is a specialized device that can read and interpret the contents of log files from sensors placed on the network as well as monitor traffic in the network and compare activity patterns against a database of known attack signatures. Upon detection of a suspected
