security terms facts


Upload: wdfarmer34

Post on 04-Apr-2015


Page 1: Security Terms Facts

Security Terms Facts

Common security terms are listed below.

Confidentiality ensures that data is not disclosed to unintended persons. This is provided through encryption, which converts the data into a form that is unlikely to be usable by an unintended recipient.

Integrity ensures that data is not modified or tampered with. This is provided through hashing.

Availability ensures the uptime of the system so that data is available when needed.

Authentication identifies and proves who you are. Examples of authentication include a password, smart card, or biometrics.

Authorization identifies what resources you can have access to.

Accounting is logging the activity of the system.

Non-repudiation provides validation of a message's origin. For example, if a user sends a digitally signed e-mail, they cannot later claim that the e-mail was not sent. Non-repudiation is enforced by digital signatures.

In addition to these terms, you will often see the following that apply to multiple security goals:

The CIA of Security refers to confidentiality, integrity, and availability. These are often identified as the three main goals of security.

AAA refers to authentication, authorization, and accounting. AAA is used in the process of access control, allowing and controlling access to secured resources.

Active Directory Facts

Active Directory is a centralized database that contains user account and security information. In a workgroup, security and management take place on each computer, with each computer holding information about users and resources. With Active Directory, all computers share the same central database.

Active Directory organizes network resources and simplifies management using the following components.

Component Description

Domain

A domain is an administratively-defined collection of network resources that share a common directory database and security policies. The domain is the basic administrative unit of an Active Directory structure. Depending on the network structure and requirements, the entire network might be represented by a single domain with millions of objects, or the network might require multiple domains.

Organizational Unit (OU)

An organizational unit is like a folder that subdivides and organizes network resources within a domain. An organizational unit:

Is a container object
Can hold other organizational units
Can hold objects such as users and computers
Can be used to logically organize network resources
Simplifies security administration


Generic Containers

Like OUs, generic containers are used to organize Active Directory objects. Generic container objects:

Are created by default
Cannot be moved, renamed, or deleted
Have very few properties you can edit

You cannot create generic containers. Use OUs instead.

Objects

Within Active Directory, each resource is identified as an object. Common objects include:

Users
Groups
Computers
Printers
Shared folders

Each object contains additional information about the shared resource that can be used for locating and securing resources. The schema identifies the object classes (the type of objects) that exist in the tree and the attributes (properties) of the object.

Domain Controller

A domain controller is a server that holds a copy of the Active Directory database that can be written to. Replication is the process of copying changes to Active Directory between the domain controllers.

Group Policy Facts

A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of files that includes registry settings, scripts, templates, and software-specific configuration values.

Each GPO has a common structure, with hundreds of configuration settings that can be enabled and configured. Settings are divided into two categories:

GPO Category Description

Computer Configuration

Computer policies (also called machine policies) are enforced for the entire computer, and are initially applied when the computer boots. Computer policies include:

Software that should be installed on a specific computer
Scripts that should run at startup or shutdown
Password restrictions that must be met for all user accounts
Network communication security settings
Registry settings that apply to the computer (the HKEY_LOCAL_MACHINE subtree)

Computer policies also include a special category of policies called user rights. User rights identify system maintenance tasks and the users or groups who can perform these actions. Actions include:

Changing the system time
Loading and unloading device drivers
Removing a computer from a docking station
Shutting down the system

Computer policies are initially applied as the computer boots, and are enforced before any user logs on.

User Configuration

User policies are enforced for specific users, and are initially applied when the user logs on. User policy settings include:

Software that should be installed for a specific user
Scripts that should run at logon or logoff
Internet Explorer user settings (such as favorites and security settings)
Registry settings that apply to the current user (the HKEY_CURRENT_USER subtree)

User policies are initially applied as the user logs on, and often customize Windows based on user preferences.

GPOs apply to objects when they are linked to containers and configured with specific settings.

GPOs can be linked to Active Directory domains or organizational units (OUs). Built-in containers (such as the Computers container) cannot have GPOs linked to them.

A GPO only affects the users and computers beneath the object to which the GPO is linked.

A local GPO is stored on a local machine. It can be used to define settings even if the computer is not connected to a network.

A specific setting in a GPO can be:

o Undefined, meaning that the GPO has no value for that setting and does not change the current setting.

o Defined, meaning that the GPO identifies a new value to enforce.

GPOs are applied in the following order:

1. The Local Group Policy on the computer
2. GPOs linked to the domain that contains the User or Computer object
3. GPOs linked to the organizational unit(s) that contain(s) the User or Computer object (from the highest-level OU to the lowest-level OU).

Individual settings within all GPOs are combined to form the effective Group Policy setting as follows:

o If a setting is defined in one GPO and undefined in another, the setting will be enforced (regardless of the position of the GPO in the application order).

o If a setting is configured in two GPOs, the setting in the last-applied GPO will be used.
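
The application order and the two combination rules above can be traced with a short model. This is an added example, not part of the original notes; the GPO names, setting names and the `ou_depth` field are constructed for illustration.

```python
# Added example: a model of the GPO processing order described above.
# All GPO names and setting names are constructed for illustration.

# Processing order from the text: local policy first, then GPOs linked to
# the domain, then GPOs linked to OUs from the highest level to the lowest.
LEVEL_ORDER = {"local": 0, "domain": 1, "ou": 2}


def application_order(gpos):
    """Return the GPOs sorted into the order in which they are applied."""
    return sorted(gpos, key=lambda g: (LEVEL_ORDER[g["level"]], g.get("ou_depth", 0)))


def effective_settings(gpos):
    """Merge all GPOs; returns {setting: (value, name of the GPO that set it)}."""
    effective = {}
    for gpo in application_order(gpos):
        for setting, value in gpo["settings"].items():
            if value is None:
                # Undefined: this GPO has no value and leaves the setting alone.
                continue
            # Defined: a later GPO overwrites whatever an earlier one set.
            effective[setting] = (value, gpo["name"])
    return effective


# Constructed sample, deliberately listed out of order. ou_depth 1 is the
# top-level OU; larger numbers are OUs nested beneath it.
SAMPLE_GPOS = [
    {"name": "Kiosks OU policy", "level": "ou", "ou_depth": 2,
     "settings": {"screen_lock_minutes": 5, "usb_storage": None}},
    {"name": "Local policy", "level": "local",
     "settings": {"screen_lock_minutes": 30, "usb_storage": None,
                  "logon_banner": "Authorized use only"}},
    {"name": "Sales OU policy", "level": "ou", "ou_depth": 1,
     "settings": {"screen_lock_minutes": None, "usb_storage": "allow"}},
    {"name": "Domain baseline", "level": "domain",
     "settings": {"screen_lock_minutes": 15, "usb_storage": "deny",
                  "logon_banner": None}},
]

if __name__ == "__main__":
    print([g["name"] for g in application_order(SAMPLE_GPOS)])
    for setting, (value, source) in sorted(effective_settings(SAMPLE_GPOS).items()):
        print(f"{setting} = {value!r}  (from {source})")
```

The local banner survives because no later GPO defines it, while the screen lock value comes from the lowest-level OU because it is applied last.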

Access Control Models Facts

Access control is the process by which use of resources and services is granted or denied. When implementing access control, one of several models can be used. The following table lists the most commonly used access control models:

Access Control Model Characteristics

Mandatory Access Control (MAC)

Mandatory access control uses labels for both subjects (users who need access) and objects (resources with controlled access).

Classification labels, such as secret or top secret, are assigned to objects by the owner (usually a management or governmental entity).

Clearance labels are assigned to subjects.

When a subject's clearance lines up with an object's classification, and when the user has a need to know (referred to as a category), the user is granted access.

Access control is mandatory in that access is based on policy (the matching of the labels) rather than identity. Owners can only assign labels; they cannot allow access to specific subjects.

Discretionary Access Control (DAC)

Discretionary access control assigns access directly to subjects based on the discretion (or decision) of the owner.

Objects have a discretionary access control list (DACL) with entries for each subject.

Owners add subjects to the DACL and assign rights or permissions. The permissions identify the actions the subject can perform on the object.

With discretionary access control, subjects can pass permissions on to other subjects.

Many computer systems use discretionary access control to limit access to systems or other resources.

Role-Based Access Control (RBAC)

Role-based access control allows access based on a role in an organization, not individual users.

Roles are defined based on job description or a security access level.

Users are made members of a role, and receive the permissions assigned to the role.

Rule-Based Access Control

Rule-based access control uses characteristics of objects or subjects, along with rules, to restrict access.

Access control entries identify a set of characteristics that will be examined for a match.

If all characteristics match, access is either allowed or denied based on the rule.

An example of a rule-based access control implementation is a router access control list that allows or denies traffic based on characteristics within the packet (such as IP address or port number).

Because rule-based access control does not consider the identity of the subject, a system that uses rules can be viewed as a form of mandatory access control.


Authentication Facts

To access resources on a network a user must prove who they are and that they have permissions to access the resources. This process consists of the following:

Identification is the initial process of confirming the identity of a user requesting credentials and occurs when a user types in a user ID to log on. Identity proofing occurs during the identification phase as the user proves that they are who they say they are in order to obtain credentials. If a person has previously been identified, but cannot provide their assigned authentication credentials, for example a lost password, then identity proofing is called upon again.

Authentication is the verification of the issued identification credentials. It is usually the second step after identification, and establishes the user's identity, ensuring that users are who they say they are. 

The three ways a user can prove identity to an authentication server are:

Type Description

Type 1: Something you know

Something you know authentication requires you to provide a password or some other data that you know. This is the weakest type of authentication. Examples of something you know authentication controls are:

Passwords, codes, or IDs
PINs
Pass phrases (long, sentence-length passwords)
Cognitive information such as questions that only the user can answer such as:
o Your mother's maiden name
o The model or color of your first car
o The city where you were born
Composition passwords, which are created by the system and are usually two or more unrelated words divided by symbols on the keyboard

Note: Usernames are not a form of Type 1 authentication. Usernames are often easy to discover or guess. Only the passwords or other information associated with the usernames can be used to validate identity.

Type 2: Something you have

Something you have (also called token-based authentication) is authentication based on something a user has in possession. Examples of something you have authentication controls are:

Swipe cards (similar to credit cards) with authentication information stored on the magnetic strip.

Photo IDs are very useful when combined with other forms of authentication, but are high risk if they are the only form of required authentication. Photo IDs are easily manipulated or reproduced, require personnel for verification, and cannot be verified against a system.

Smart cards contain a memory chip with encrypted authentication information. Smart cards can:

o Require contact, such as swiping, or be contactless.
o Contain microprocessor chips with the ability to add, delete, and manipulate data on the card.
o Store digital signatures, cryptography keys, and identification codes.
o Use a private key for authentication to log a user into a network. The private key will be used to digitally sign messages.
o Be based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a new code (the response) that the user can present to log in.

Types of token-based authentication are:

Using a static password, the password is saved on the token device. Swiping the token supplies the password for authentication.

A synchronous dynamic password generates new passwords at specific intervals on the hardware token. Users must read the generated password and enter it along with the PIN to gain access.

An asynchronous dynamic password generates new passwords based on an event, such as pressing a key.

A challenge-response password generates a random challenge string. The challenge text is entered into the token along with the PIN, and the token uses both to generate a response which is then used for authentication.

Smart cards typically use certificates for identification and authentication. With certificates, the digital document is associated with a user in one of the following ways:

With a one-to-one mapping, each certificate maps to an individual user account (each user has a unique certificate).

With many-to-one mapping, a certificate maps to many user accounts (a group of users share the same certificate).

Digital certificates require the implementation of a PKI, which has high administrative overhead.

Type 3: Something you are

Something you are authentication uses a biometric system. A biometric system attempts to identify a person based on metrics or a mathematical representation of the subject's biological attribute. This is the most expensive and least accepted, but is generally considered to be the most secure form of authentication.

Common attributes used for biometric systems are:

Fingerprints (end point and bifurcation pattern)
Hand topology (side view) or geometry (top down view)
Palm scans (pattern, including fingerprints)
Retina scans (blood vein pattern)
Iris scans (color)
Facial scans (pattern)
Voice recognition
Handwriting dynamics
Keyboard or keystroke dynamics (behavioral biometric systems)
o Dwell time (key press time)
o Flight time (how fingers move from key to key)

When implementing a biometric system, the attribute that is used for authentication must meet the following criteria:

Universality means that all individuals possess the attribute.
Uniqueness means that the attribute is different for each individual.
Permanence means that the attribute always exists and will not change over time.
Collectability ensures that the attribute can be measured easily.
Performance means that the attribute can be accurately and quickly collected.
Circumvention allows for acceptable substitutes for the attribute in case the original attribute is missing or can't be read.
Acceptability identifies the degree to which the technology is accepted by users and management.

Biometrics include multiple scans of the biological attribute. Scans are then translated into a numeric constellation map of critical points. That mathematical representation is bound to a digital certificate that links to the subject's user account in the user database. Most biometric systems require implementation of a PKI system.

You should be aware of the following terms used to measure the effectiveness of authentication solutions:

Measure Description

False negative

A false negative (or Type I error) occurs when a person who should be allowed access is denied access. The False Rejection Rate (FRR) is a measure of the probability that a false negative will occur.

False positive

A false positive (or Type II error) occurs when a person who should be denied access is allowed access. The False Acceptance Rate (FAR) is a measure of the probability that a false positive will occur. False positives are more serious than false negatives and represent a security breach because unauthorized persons are allowed access.

Crossover error rate

The crossover error rate, also called the equal error rate, is the point where the number of false positives matches the number of false negatives in a biometric system. Select the system with the lowest crossover error rate within your budget.

Processing rate

The processing rate, or system throughput, identifies the number of subjects or authentication attempts that can be validated. An acceptable rate is 10 subjects per minute or above.

To increase security, you can use a combination of authentication methods as described in these options:

Authentication Method Description Example

Two-factor, Three-factor, Multi-factor

Description: Requires two (or more) different authentication types to be deployed.

Example: To enter a secured building, you must insert your key card (Type 2) and undergo a retina scan (Type 3).

Strong

Description: Requires two or more methods, but they can be of the same type.

Example: To log on to an online banking system, you enter your username, password, and then must answer a random personal question (such as your birthplace or mother's maiden name).

One-factor

Description: Uses credentials of only one type, but may require multiple methods within the same type.

Examples:
To log in, you supply a username and a password (the username is not used for authentication, so the only credential supplied for authentication is the password).
To log in, you supply a username, PIN, and a pass phrase (all credentials are of the same type).

Mutual

Description: Requires that both parties authenticate with each other before beginning communications.

Example: To log in, your computer sends its digital certificate to prove its identity to a network server. The server then proves its identity to your computer before they will exchange messages.

If you are considering implementing biometrics, keep in mind the following:

Some biometric factors are unique even between identical twins.

When a biometric is used by itself, it is no more secure than a strong password. A single successful attack can subvert a biometric in much the same way that a single successful attack can subvert a password.

Biometric attacks need not be based on physical harm (such as cutting off a finger), but can include a wide variety of realistic reproductions that fool the biometric reader device.

The most important consideration for a biometric device is accuracy.

When a biometric device has its sensitivity set too high, it will result in numerous false rejections, that is, authorized users are not recognized and are therefore rejected.

To use a biometric, new users must go through a physical enrollment process that is more complex and time consuming than the enrollment process for a password-only system.

Biometric enrollment requires new users to prove their identity physically to a user administrator. The new user must then provide the first example of their biometric to a reader device under the supervision of the user administrator. This first example is digitized and stored as a reference template. All future uses of the biometric will compare the contemporary biometric sample offered to the historical recorded template.

Single Sign-on Facts

Enterprise environments frequently implement a type of Single Sign-on (SSO) authentication. SSO is a distributed access method that allows a subject to log in (sign on) once to a network and access all authorized resources on the network. The SSO system authenticates the subject against a master system and automatically logs the subject on to all servers the subject is authorized to access. Once authenticated, the subject can request access to additional resources without additional login credentials or passwords. An SSO system is commonly used in directory systems and some types of scripted access.

Advantages of SSO include:

It is a more efficient logon process. Users only need to type their user ID and password once.
The user can create stronger passwords because there aren't so many passwords to remember.
The need for multiple passwords and change synchronization is avoided.
Access to all authorized resources with a single instance of authentication through a single set of user credentials.
Inactivity timeout and attempt thresholds are applied closer to the user point of entry.
Improved effectiveness of disabling all network and computer accounts for terminated users because of SSO's ability to add and delete accounts across the entire network from a centralized database and one user interface.

Disadvantages of SSO include:

Once a user's ID and password are compromised in the system, an intruder can access all of the resources authorized for the user without constraint.

The system security policy must be followed to ensure access is granted and/or limited to appropriate users.

Implementation with microcomputer systems is difficult and can prevent full implementation.

Ticket schemes do not scale very well.

SSO presents a single point of failure.

User Account and Password Facts

Usernames and passwords are common credentials used during authentication. The username identifies the user, while the password is used for authentication to prove identity.

Method Description

Account lockout

Account lockout disables a user account after a specified number of incorrect logon attempts.

The Account lockout threshold (also called the clipping level) identifies the number of incorrect logon attempts that are allowed before the account is locked.

The Account lockout duration determines the length of time the account will be disabled (in minutes). When the time period expires, the account will be unlocked automatically. When set to 0, an administrator must unlock the account.

The Reset account lockout counter after setting identifies the period of time during which invalid passwords are entered. For example, if this value is set to one hour, and the account lockout threshold is set to 5, the user can enter up to 4 incorrect passwords within an hour without the account being locked.

Account lockout can be used to prevent guessing of passwords by attackers, but can also be used maliciously to lock an account and prevent a valid user from logging on.

Account restrictions

Account restrictions place restrictions upon the use of a user account for logon. For example, you can:

Allow login only during certain days and hours.
Allow login only from specific computers.
Expire user accounts for temporary users to prevent them from being used past a certain date.
Disable accounts that are not being used to prevent login. For example, you can disable accounts for employees who have left but who have not yet been replaced, or you can disable accounts for users who are gone for extended periods of time (such as on a long vacation or leave of absence).

Account (password) policies

Account policies control the composition and use of passwords.

The maximum password age requires users to change the password after a given length of time.

The password history requires users to enter unique passwords when changing the password. The password history keeps track of the last several passwords, and prevents users from re-using any recently remembered password.

The minimum password age identifies the time period where users cannot change a recently-changed password. The minimum age prevents users from changing passwords immediately after they've been changed, preventing users from immediately changing the password back to the original password.

The minimum password length identifies the minimum number of characters in a password.

A complex password prevents using passwords that are easy to guess or crack. On a Microsoft system, complex passwords:

o Must be over 7 characters or more.

o Must include a minimum of three of the four types of special characters (e.g., lower case letters, upper case letters, numbers, or !, @, #, $, %, ^, &, *).

o Cannot use dictionary words or any part of the user login identification.
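
How the three account lockout settings in the table above interact is easiest to see on a timeline. This is an added example, not part of the original notes: a simplified model with constructed attempts, in which the counter resets once the reset period has passed since the last incorrect attempt (an assumption of the model, as are all the names used).

```python
# Added example: a simplified model of the three account lockout settings.
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int        # incorrect attempts that lock the account
    duration_min: int     # minutes the account stays locked; 0 = admin must unlock
    reset_after_min: int  # minutes after which the bad-attempt counter resets


@dataclass
class Account:
    password: str                    # plain text only to keep the model short
    bad_count: int = 0
    last_bad: Optional[int] = None   # minute of the latest incorrect attempt
    locked_at: Optional[int] = None  # minute the account was locked, if any


def logon(acct, policy, supplied, now):
    """Process one attempt at minute `now`; returns ok, bad_password or locked."""
    if acct.locked_at is not None:
        expired = (policy.duration_min != 0
                   and now - acct.locked_at >= policy.duration_min)
        if not expired:
            return "locked"          # even the correct password is refused
        acct.locked_at, acct.bad_count = None, 0
    if supplied == acct.password:
        acct.bad_count = 0
        return "ok"
    # Reset the counter when the reset period has passed since the last miss.
    if acct.last_bad is not None and now - acct.last_bad >= policy.reset_after_min:
        acct.bad_count = 0
    acct.bad_count += 1
    acct.last_bad = now
    if acct.bad_count >= policy.threshold:
        acct.locked_at = now
        return "locked"
    return "bad_password"


def admin_unlock(acct):
    """Manual unlock, the only way out when the lockout duration is 0."""
    acct.locked_at, acct.bad_count = None, 0


def replay(policy, password, attempts):
    """Run a list of (minute, supplied password) attempts against a new account."""
    acct = Account(password=password)
    return [logon(acct, policy, supplied, minute) for minute, supplied in attempts]


# Constructed timeline: threshold 5, locked for 30 minutes, counter resets after 60.
POLICY = LockoutPolicy(threshold=5, duration_min=30, reset_after_min=60)
ATTEMPTS = [
    (0, "guess"), (10, "guess"), (20, "guess"), (30, "guess"),  # 4 misses, no lock
    (95, "guess"),                        # over an hour later: counter restarts at 1
    (96, "guess"), (97, "guess"), (98, "guess"),
    (99, "guess"),                        # fifth miss in the window: account locks
    (110, "S3cret-pass"),                 # valid user is refused while locked
    (129, "S3cret-pass"),                 # 30 minutes after the lock: unlocked
]

if __name__ == "__main__":
    for (minute, _), result in zip(ATTEMPTS, replay(POLICY, "S3cret-pass", ATTEMPTS)):
        print(f"minute {minute:3d}: {result}")
```

The attempt at minute 110 shows the trade-off noted in the table: while the account is locked, the valid user is refused as well.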

Be aware of the following for controlling user account and password security:

For large environments, implement a password management system with self-service password reset so that users can change their own passwords and only they know them. In a system where passwords are handed out by administrators and users cannot change them, passwords are very insecure. In this arrangement, more than one person knows the password, no matter how complex the password may be, and that can affect the security of the system.

Implement account auditing to track incorrect logon attempts. Small numbers of incorrect logon attempts occur naturally as users mis-type or forget passwords. Large numbers of incorrect logon attempts could identify a potential hacker trying to guess passwords.

Scan systems to identify unused user accounts or accounts with blank passwords.

When implementing account lockout and account policies on Microsoft systems:

o The local security policy controls policies for user accounts defined on a local system.

o Policy settings in Group Policy linked to the domain control settings for all user accounts in the domain. Settings defined at other levels in Group Policy do not affect password or account lockout settings.

Hackers can use the following methods to try and discover passwords:

Using tools to check for unencrypted or weakly encrypted passwords sent through the network.

Guessing passwords by trying:

o Default passwords for new systems
o Blank passwords
o The word password as the password
o Rows of letters on the keyboard (e.g., qwerty)
o User's name or login name
o Name of significant other, pet, etc.
o Birthdate
o Name of celebrity

Using social engineering to get a user to reveal the password. For example, the attacker can pretend to be an administrator that needs the user's password.

Trying all possible dictionary words.

Using a brute force attack that tries all character combinations, not just words in the dictionary.

Reverse engineering password hashes that have been captured by using precomputation (Rainbow tables).

In addition to using account lockout, account restrictions, and password policies, use the following strategies to protect against password attacks:

Educate users on how to create and remember strong passwords. Enforcing strict password restrictions might actually weaken network security if you do not educate users about proper procedures to take to protect logon credentials. If users do not understand the restrictions that have been implemented, they might try to circumvent these restrictions by writing down passwords. Take the following measures to educate users:

o Tell users that they should not write down passwords or share logon credentials with other users.


o Teach users how to construct and remember complex passwords. For example, for the password bw2Fs3d, users might create the following sentence: bob went 2 the "capital" Florist shop 3 times daily.

o Educate users about social engineering tactics. Instruct them not to respond to requests for passwords from administrators or other seemingly trusted personnel. Implement policies that prevent administrators from asking for sensitive information.

Protect access to the password file. Passwords are typically stored in a password database file that uses a one-way encryption algorithm (hashing). Use methods available in the operating system to protect the password file.

Apply a salt when hashing passwords. A salt is a value chosen randomly by the system at the time the password is created which is incorporated into the calculation of the hashed password, then is stored with the hashed password. Applying a salt allows two users with the same password to have different hashed values, thus making it harder to create pre-built dictionaries of likely hashes.

Implement two-factor authentication.
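
The effect of the salt described above can be checked on a small password store. This is an added example, not part of the original notes: the user names and passwords are constructed, and PBKDF2-HMAC-SHA256 from the Python standard library with an assumed iteration count stands in for the system's hashing algorithm.

```python
# Added example: the same password stored with and without a per-user salt.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption for this example, not a value from the notes


def unsalted_hash(password):
    """Plain one-way hash: equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Hash with a random salt chosen when the password is created.

    Returns (salt, hash) as hex strings; both are stored together.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex(), digest.hex()


def verify(password, salt_hex, digest_hex):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


def users_sharing_a_hash(store):
    """Audit check: group users whose stored hash values are identical."""
    by_hash = {}
    for user, record in store.items():
        by_hash.setdefault(record["hash"], []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


def build_stores(users):
    """Build an unsalted and a salted password store for the same users."""
    unsalted = {u: {"hash": unsalted_hash(p)} for u, p in users.items()}
    salted = {}
    for user, password in users.items():
        salt, digest = salted_hash(password)
        salted[user] = {"salt": salt, "hash": digest}
    return unsalted, salted


# Constructed sample: alice and carol happen to choose the same password.
USERS = {"alice": "Tr1cky-Horse!", "bob": "blue-Kettle-42", "carol": "Tr1cky-Horse!"}

if __name__ == "__main__":
    unsalted, salted = build_stores(USERS)
    print("unsalted, identical hashes:", users_sharing_a_hash(unsalted))
    print("salted, identical hashes:  ", users_sharing_a_hash(salted))
    carol = salted["carol"]
    print("carol verifies:", verify("Tr1cky-Horse!", carol["salt"], carol["hash"]))
```

With the salt in place the stored values no longer reveal which users share a password, and one pre-built dictionary of likely hashes cannot cover every user.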

Authorization Facts

Authorization is the process of controlling access to resources, such as computers, files, or printers. When managing access to resources, be aware of the following:

A group is an object that identifies a set of users with similar access needs. Microsoft systems have two kinds of groups: distribution and security groups. Only security groups can be used for controlling access to objects.

An access control list (ACL) identifies users or groups who have specific security assignments to an object. On a Microsoft network, the term permission identifies the type of access that is allowed or denied for the object. For example, permissions for a file include read and write, and can either allow or deny the specified access.

A discretionary access control list (DACL) is an implementation of discretionary access control (DAC). Owners add users or groups to the DACL for an object and identify the permissions allowed for that object.

A system access control list (SACL) is used by Microsoft for auditing to identify past actions performed by users on an object.

Assigning permissions to a group grants those same permissions to all members of the group.

On a Microsoft system, a user right is a privilege or action that can be taken on the system, such as logging on, shutting down the system, backing up the system, or modifying the system date and time. Permissions apply to objects (files, folders, printers, etc.), while user rights apply to the entire system (computer).

A security principal is an object that can be given permissions to an object. Security principals include users, groups, and computers.

Each security principal is given a unique identification number called a SID (security ID). When a security principal logs on, an access token is generated. The access token is used for controlling access to resources and contains the following information:

o The SID for the user or computer

o The SID for all groups the user or computer is a member of

o User rights granted to the security principal

When the security principal tries to access a resource or take an action, information in the access token is checked. For example, when a user tries to access a file, the access token is checked for the SID of the user and all groups. The SIDs are then compared to the SIDs in the object's DACL to identify permissions that apply.

On a Microsoft system, the access token is only generated during authentication. Changes made to group memberships or user rights do not take effect until the user logs on again and a new access token is created.
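The token and DACL behaviour described above, as an added example that is not part of the original notes. It is a simplified Python model, not the Windows API: the SIDs are constructed, and `Directory`, `AccessToken`, `Ace` and `check_access` are hypothetical names. It shows that a group change only reaches a token built at the next logon, and that a deny entry wins over an allow entry.

```python
from dataclasses import dataclass, field

# Constructed sample SIDs; real SIDs are issued by the system.
SID_ALICE = "S-1-5-21-1000-1001"
SID_SALES = "S-1-5-21-1000-2001"
SID_TEMPS = "S-1-5-21-1000-2002"


@dataclass(frozen=True)
class AccessToken:
    """Snapshot taken at logon: user SID, group SIDs and user rights."""
    user_sid: str
    group_sids: frozenset
    user_rights: frozenset

    def sids(self):
        return {self.user_sid} | self.group_sids


@dataclass(frozen=True)
class Ace:
    """One DACL entry: a SID, allow or deny, and the permissions it covers."""
    sid: str
    allow: bool
    permissions: frozenset


@dataclass
class Directory:
    """Hypothetical account database holding memberships and user rights."""
    groups: dict = field(default_factory=dict)  # user SID -> set of group SIDs
    rights: dict = field(default_factory=dict)  # SID -> set of user rights

    def logon(self, user_sid):
        # The token copies the memberships that exist at this moment.
        groups = frozenset(self.groups.get(user_sid, set()))
        rights = set()
        for sid in {user_sid} | groups:
            rights |= self.rights.get(sid, set())
        return AccessToken(user_sid, groups, frozenset(rights))


def check_access(token, dacl, wanted):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one permission."""
    matching = [ace for ace in dacl
                if ace.sid in token.sids() and wanted in ace.permissions]
    if any(not ace.allow for ace in matching):
        return "explicit deny"          # a deny entry overrules any allow
    if any(ace.allow for ace in matching):
        return "allow"
    return "implicit deny"              # no entry names this principal


def demo():
    directory = Directory(groups={SID_ALICE: set()},
                          rights={SID_ALICE: {"log on locally"}})
    report_dacl = [
        Ace(SID_SALES, True, frozenset({"read", "write"})),
        Ace(SID_TEMPS, False, frozenset({"write"})),
    ]
    results = {}

    token = directory.logon(SID_ALICE)
    results["before membership"] = check_access(token, report_dacl, "read")

    # Membership changes in the directory, but the old token is unchanged.
    directory.groups[SID_ALICE].add(SID_SALES)
    results["stale token"] = check_access(token, report_dacl, "read")

    # A new logon builds a new token that carries the new group SID.
    token = directory.logon(SID_ALICE)
    results["new token"] = check_access(token, report_dacl, "read")

    # Membership in a denied group removes write but leaves read alone.
    directory.groups[SID_ALICE].add(SID_TEMPS)
    token = directory.logon(SID_ALICE)
    results["read with deny group"] = check_access(token, report_dacl, "read")
    results["write with deny group"] = check_access(token, report_dacl, "write")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```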

Physical Security Facts

Physical security is the protection of corporate assets from threats such as theft or damage. There are three factors to keep in mind with physical security:

Prevention is making the location less tempting to break into.

Detection is identifying what was broken into, what is missing, and the extent of the damage.

Recovery is the review of the physical security procedures, fixing any damage, and hardening the physical security of the company against future problems.

Important aspects of physical security are:

Restricting physical access to facilities and computer systems

Preventing interruptions of computer services caused by problems such as loss of power or fire

Preventing unauthorized disclosure of information

Disposing of sensitive material

Protecting the interior and exterior of your facility

The table below lists physical control measures and their characteristics:

Control Measure

Characteristics

Perimeter barriers

For a secure facility, the first physical security measure is to secure the building perimeter and restrict access to only secure entry points. Methods for securing the perimeter include:

Fences provide an environmental barrier that prevents easy access to the facility.

o A low fence (3 to 4 feet) acts as a deterrent to casual intrusion.

o A higher fence (6 to 7 feet) acts as a deterrent unless the trespasser has a specific intent to violate security.

o A fence 8 feet or higher topped with barbed wire is an effective deterrent.

Guard dogs are generally highly reliable but appropriate only for physical perimeter security. They can be expensive to keep and maintain, and their use might raise issues of liability and insurance.

Lighting deters casual intruders, helps guards see intruders, and is necessary for most cameras to monitor the area. To be effective, lights should be placed to eliminate shadows or dark spots.

Security guards offer the best protection for perimeter security because they can actively respond to a variety of threat situations. However, guards are expensive, require training, and can be unreliable or inconsistent.

Closed-circuit television (CCTV)

Closed-circuit television can be used both as a preventative tool (when monitoring live events) and as an investigative tool (when events are recorded for later playback). Camera types include:

A bullet camera has a built-in lens and is long and round in shape. Most bullet cameras can be used indoors or outdoors.

A c-mount camera has interchangeable lenses and is typically rectangular in shape with the lens on the end. Most c-mount cameras require a special housing to be used outdoors.

A dome camera is a camera protected with a plastic or glass dome. These cameras are more vandal-resistant than other cameras.

A Pan Tilt Zoom (PTZ) camera lets you dynamically move the camera and zoom in on specific areas to monitor (cameras without PTZ capabilities are manually set looking in a specific direction). Automatic PTZ mode automatically moves the camera between several preset locations; manual PTZ lets an operator remotely control the position of the camera.

When selecting cameras, be aware of the following characteristics:

The focal length measures the magnification power of a lens. The focal length controls the distance that the camera can see, as well as how much detail can be seen at a specific range.

o The focal length is expressed in millimeters (mm). A higher focal length lets you see more detail at a greater distance.

o Most cameras have a 4mm lens with a range of 30-35 feet, allowing you to see facial features at that distance.

o A fixed lens camera has a set focal length. A varifocal camera lens lets you adjust the focus (zoom).

A lens with a 70 degree angle of view is the largest view angle possible without distorting the image.

The resolution is rated in the number of lines (such as 400) included in the image. In general, the higher the resolution, the sharper the image.

LUX is a measure of the sensitivity to light. The lower the number, the less light needed for a clear image.

Infrared cameras can record images in little or no light. Infrared cameras have a range of about 25 feet in no light, or further in dimly-lit areas.

When used in a preventative way, you must have a guard or other person available who monitors one or more cameras.

Doors

Doors can enhance security if they are properly implemented. Specific door types include:

A mantrap is a specialized entrance with two doors that creates a security buffer zone between two areas.

o Once a person enters into the space between the doors, both doors are locked.

o To enter the facility, authentication must be provided. This may include visual identification and identification credentials.

o Mantraps should permit only a single person to enter, and authentication must be provided by each person.

o If authentication is not provided, the intruder is kept in the mantrap until authorities arrive.

A turnstile is a barrier that permits entry in only one direction.

o Physical turnstiles are often used to control entry for large events such as concerts or sporting events.

o Optical turnstiles use sensors and alarms to control entry.

o Turnstiles are often used to permit easy exit from a secure area. Entry is controlled through a mantrap or other system that requires authentication for entry.

A double entry door has two doors that are locked from the outside but with crash bars on the inside that allow easy exit. Double entry doors are typically used only for emergency exits, and alarms sound when the doors are opened.

Regular doors are susceptible to social engineering attacks such as piggybacking (tailgating) where an unauthorized person will ask an authorized person to "hold the door." Mantraps and turnstiles that permit only a single person and require individual authentication are effective deterrents to piggybacking.

Door locks

Door locks allow access only to those with the proper key. Lock types include:

Pick resistant locks, with restricted key duplication, are the most secure key lock. It is important to note that all traditional key locks are vulnerable to lock-picking (shimming).

Keypad locks require knowledge of a code and reduce the threat from lost keys and cards. Clean keypads frequently to remove indications of buttons used.

Electronic systems often use key cards (or ID badges) instead of keys to allow access. Dumb cards contain limited information. Smart cards have the ability to encrypt access information.

Biometric locks increase security by using fingerprints or iris scans. They reduce the threat from lost keys or cards. 

Physical access logs

Physical access logs are implemented by guards of a facility and require everyone gaining access to the facility to sign in.  

Physical access controls

Physical access controls can be implemented inside the facility.

Physical controls may include key fobs, swipe cards, or badges.

To control access to sensitive areas within the facility, require a card swipe or reader.

Some systems can track personnel movement within a facility and proactively lock or unlock doors based on the access token device.

An anti-passback system prevents a card holder from passing their card back to someone else.

Physical controls are often implemented together with sensors and alarms to detect unauthorized access.

o Photoelectric sensors detect motion and are best suited to detect a perimeter breach rather than interior motion detection.

o Wave pattern, heat sensing, and ultrasonic sensors are all better suited for interior motion detection than perimeter breach detection.

Physical security should deploy in the following sequence. If a step in the sequence fails, the next step should implement itself automatically.

1. Deter initial access attempts.

2. Deny direct physical access.

3. Detect the intrusion.

4. Delay the violator to allow for response.

When designing physical security, implement a layered defense system. A layered defense system is one in which controls are implemented at each layer to ensure that defeating one level of security does not allow an attacker subsequent access. Using multiple types of security controls within the same layer further enhances security. Tips for implementing a multi-layered defense system are:

Protect entry points with a card access system (or some other type of control) as well as a security camera.

Use a reception area to prevent the public, visitors, or contractors from entering secure areas of the building without an escort.

Use the card access or other system to block access to elevators and stairwells. This will prevent someone who successfully tailgates from gaining further access.

Use a different access system, such as key locks, keypad locks, or biometric controls, to secure offices or other sensitive areas.

Implement security within offices and data centers using locking storage areas and computer passwords.

Perform physical security inspections quarterly. Violations should be addressed in a formal manner with warnings and penalties imposed.

Best Practices Facts

Access control best practices take into consideration the following security principles:

Principles Description

Principle of least privilege

The principle of least privilege states that users or groups are given only the access they need to do their job (and nothing more). Common methods of controlling access include:

With implicit deny, users or groups which are not specifically given access to a resource are denied access. Implicit deny is the weakest form of privilege control.

Explicit allow specifically identifies users or groups who have access. Explicit allow is a moderate form of access control in which privilege has been granted to a subject.

Explicit deny identifies users or groups who are not allowed access. Explicit deny is the strongest form of access control and overrules all other privileges granted.

When assigning privileges, be aware that it is often easier to give a user more access when they need it than to take away privileges that have already been granted.

Need to know

Need to know describes the restriction of data that is highly sensitive and is usually referenced in government and military context. Important facts to know about need to know include:

Even if an individual is fully cleared, information is still not divulged to persons who simply don't need to know the information to perform their official duties. 

Need to know discourages casual browsing of sensitive materials.

In a classified environment, a clearance into a Top Secret compartment only allows access to certain information within that compartment. This is a form of MAC.

Separation of duties

Separation of duties is the concept of having more than one person required to complete a task. This helps prevent insider attacks because no one person has end-to-end control and no one person is irreplaceable. Important facts to know about separation of duties include:

System users should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest length of time possible.

To achieve a separation of duties, a business can use the principle of split knowledge. This means that no single person has total control of a system's security mechanisms, so no single person can completely compromise the system.

In cases of sensitive or high-risk transactions, a business can use two man control. This means that two operators must review and approve each other's work.

Job rotation

Job rotation is a technique where users are cross-trained in multiple job positions, and where responsibilities are regularly rotated between personnel. Job rotation:

Cross trains staff in different functional areas in order to detect fraud.

Exchanges positions of two or more employees to allow for an oversight of past transactions.

Can be used for training purposes.

Defense-in-depth

Defense-in-depth is an access control method which implements multiple access control methods instead of relying on a single method. Multiple defenses make it harder to bypass the security measures.

Creeping privileges occurs when a user's job position changes and they are granted a new set of access privileges and their previous access privileges are not removed or modified. As a result, the user accumulates privileges over time that are not necessary for their current work tasks. The principle of least privilege and separation of duties are countermeasures against creeping privileges.

Cryptography Facts

Cryptography is the science of converting data into a secret code to hide the meaning of the message during transmission. Cryptographic systems provide the following security services:

Confidentiality, by ensuring that only authorized parties can access data.

Integrity, by verifying that data has not been altered in transit.

Authentication, by proving the identity of the sender or receiver.

Non-repudiation, by validating that communications have come from a particular sender at a particular time.

The following terms are related to cryptography:

Term Definition

Plaintext Plaintext is a readable message.

Cipher text Cipher text is the message in a form that makes it unreadable to all but those for whom the message was intended.

Cryptographer A cryptographer is a person who develops ways of converting plaintext to cipher text.

Cryptanalysis

Cryptanalysis is the method of recovering original data that has been encrypted without having access to the key used in the encryption process. This can be done to measure and validate the strength of a cryptosystem. It can also be done to violate the confidentiality and/or integrity of a cryptosystem.

Cryptosystem A cryptosystem is the associated items of cryptography that are used as a unit to provide a single means of encryption and decryption.

Cryptology Cryptology is the study of cryptography and cryptanalysis.

Key A key is a variable in a cipher used to encrypt or decrypt a message. The key should be kept secret.

The key space is the range of the possible values that can be used to construct a key. Generally speaking, the longer the key space, the stronger the cryptosystem.

Algorithm

A cipher or algorithm is the process or formula used to convert a message or otherwise hide its meaning. Examples of algorithms include:

A transposition cipher (also called an anagram) changes the position of characters in the plaintext message.

A substitution cipher replaces one set of characters with symbols or another character set.

A code substitutes hidden words with unrelated terms.

A one-time pad is a cryptography method in which the plaintext is converted to binary and combined with a string of randomly generated binary numbers (referred to as the pad). It is a form of substitution.

Encryption Encryption is the process of using an algorithm to transform data from plaintext to a cipher text in order to protect the confidentiality, integrity, and sometimes the authenticity of the message.

Decryption Decryption is the procedure used to convert data from cipher text into plaintext.

Steganography

Steganography, literally meaning "concealed writing", hides data or a message such that only the sender or the recipient suspects that the hidden data exists. Examples of steganography include:

Embedding still pictures in a video stream. The picture can only be viewed by stepping through the video frame-by-frame (playing the video in real time hides the image because the eye cannot see one single frame within the video).

Hiding text messages or hiding alternate images within a photograph. With this method, data is distributed inside the last 2 bits of each color. When viewed normally, the hidden information cannot be detected. Using special tools, the data in the last 2 bits of each color is extracted to recreate the original.

With watermarking, hidden data is embedded into an image or a file to prove ownership. Because the file contains the special data sequence, a file with that embedded data could only have come from the original source.

Microdots is a technique of shrinking an image down to the size of a period, then including the microdot in a seemingly harmless message.

Hashing Facts

A hash is a function that takes a variable-length string (message) and compresses and transforms it into a fixed-length value. Important facts about hashes are:

Hashes ensure the data integrity of files and messages in transit.

Hashes do not ensure confidentiality (in other words, hashes are not used to encrypt data).

A hash is a one-way function. You cannot reproduce the message by running it back through the hash (or a different hash).

The hash value (output) is also referred to as a message digest or digital fingerprint.

The sender and the receiver use the same hashing algorithm on the original data. If the hashes match, then the data can be assumed to be unmodified.

The larger the message digest the more secure the hash.

The predominant hashing algorithms in use today are:

MD-5 developed by RSA (Rivest-Shamir-Adleman). MD-5 generates a message digest of 128 bits.

SHA-1 developed by NIST and NSA. SHA-1 generates a message digest of 160 bits.

Hashing is often used for the following:

Use Description

File integrity

Hashes are often used to prove the integrity of downloaded files. After a file is downloaded, the recipient creates a hash of the file. If the recipient's hash matches the hash of the original file you know that:

The downloaded file is complete (no missing parts).

The downloaded file was not corrupted during the download process.

The downloaded file is the same as the original and has not been altered by inserting malicious code or replacing the original file with a virus or other destructive file.

For this reason, files available for download are typically not encrypted, as the data integrity of the file can be proven with the hash.

Secure logon credential exchange

Hashes can be used to secure logon credentials during the exchange. The password is used as the key to perform a hash on a challenge text value, and only the hashed value is passed and not the password. The receiving host uses the same method to compare the hashes to verify the identity of the user. Examples of protocols that use this method are:

LANMAN

NTLM

CHAP

MS-CHAP
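The challenge and response exchange described above, as an added example that is not part of the original notes. It is a simplified model using HMAC-SHA256 and is not the actual computation used by LANMAN, NTLM, CHAP or MS-CHAP; the `Server` class, the account and the password are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Server:
    """Receiving host: issues challenges and checks the keyed hash."""

    def __init__(self, accounts):
        self.accounts = accounts   # username -> shared secret (constructed)
        self.pending = {}          # username -> outstanding challenge

    def issue_challenge(self, username):
        # A fresh random challenge for every logon attempt.
        challenge = secrets.token_bytes(16)
        self.pending[username] = challenge
        return challenge

    def verify(self, username, response):
        # Each challenge is consumed on first use, whether or not it matches.
        challenge = self.pending.pop(username, None)
        secret = self.accounts.get(username)
        if challenge is None or secret is None:
            return False
        expected = hmac.new(secret.encode(), challenge, hashlib.sha256).digest()
        # Constant-time comparison of the two hashed values.
        return hmac.compare_digest(expected, response)


def client_response(password, challenge):
    """Client side: the password is the key, the challenge is the message."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


def demo():
    server = Server({"alice": "correct horse"})

    # 1. Normal logon: only the challenge and the hashed value cross the wire.
    challenge_1 = server.issue_challenge("alice")
    response_1 = client_response("correct horse", challenge_1)
    valid = server.verify("alice", response_1)

    # 2. A recorded response is sent again, but the server has issued a
    #    new challenge, so the old hashed value no longer matches.
    server.issue_challenge("alice")
    replayed = server.verify("alice", response_1)

    # 3. A wrong password produces a different hashed value.
    challenge_3 = server.issue_challenge("alice")
    wrong = server.verify("alice", client_response("guess", challenge_3))

    return {"valid": valid, "replayed": replayed, "wrong password": wrong}


if __name__ == "__main__":
    print(demo())
```

A captured challenge and response pair can still be tested against guessed passwords offline, so the strength of the shared secret still matters.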

Be aware of the following regarding hashes:

Strong hash outputs should contain a large number of bits. This makes the duplication of the hash value by an attacker more difficult.

Hashes should be produced from the entire message, not just a portion of the message.

Good hashing algorithms have high amplification, also known as the avalanche effect. This means that a small change in the message results in a big change in the hashed value.

Collision is the term used to describe a situation in which two different messages produce the same hash value. This is an indication that a stronger hashing algorithm should be used.

Collision resistance is the term used to describe a hash algorithm's ability to avoid the same output from two guessed inputs.

A birthday attack is a brute force attack in which the attacker hashes messages until one with the same hash is found. This type of attack is based on the statistic that there is more than a 50% chance that two out of 23 people in a room will have the same birthday. To match a selected day, 253 people would need to be in the room.

A hacker may use a rainbow table when trying to identify a password through reverse engineering. A rainbow table is a table of the hash value associated with all possible passwords. Using the table, a computer can quickly compare the hash values being transmitted across the wire to find a corresponding password value from the table.

Salting the hash helps to mitigate rainbow table attacks by adding random bits to the password before hashing takes place, thereby producing an entirely different hash value for the password. Because the hacker does not know the extra random bits, the rainbow table will now be of no value.
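Salting as described here and in the earlier password guidance, as an added example that is not part of the original notes. PBKDF2 with SHA-256 is the choice made for this example (the notes do not name an algorithm); the iteration count, word list and passwords are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password):
    """Plain hash with no salt: the same password always gives the same value."""
    return hashlib.sha256(password.encode()).hexdigest()


def create_record(password, salt=None):
    """Return (salt, hash); the salt is stored next to the hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def build_lookup_table(wordlist):
    """Pre-built dictionary of unsalted hash -> password."""
    return {unsalted_hash(word): word for word in wordlist}


def demo():
    wordlist = ["letmein", "Summer2024", "password1"]  # constructed sample
    table = build_lookup_table(wordlist)

    # Two users choose the same password; each record gets its own salt.
    alice = create_record("Summer2024")
    bob = create_record("Summer2024")

    return {
        # An unsalted hash is found in the pre-built table immediately.
        "unsalted_found": table.get(unsalted_hash("Summer2024")),
        # Salted records for the same password differ from each other.
        "same_password_same_hash": alice[1] == bob[1],
        # The salted value does not appear in the pre-built table.
        "salted_in_table": alice[1].hex() in table,
        # The system can still verify logons because it stores the salt.
        "alice_verifies": verify("Summer2024", alice),
        "wrong_rejected": verify("summer2024", alice),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```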

Symmetric encryption algorithms

I had this really cool idea to walk around the block cast in the stream for fish, caught 2 fish, both blowfish, was my destiny

Block Cipher vs. Stream cipher

RC4, RC5, RC6 (REALLY COOL)

IDEA block (IDEA)

CAST stream

TWOFISH BLOWFISH

DES, 3DES, AES (Rijndael)

Symmetric Encryption Facts

Symmetric key encryption (also known as secret key encryption, pre-shared key or private key encryption) uses only one key to encrypt and decrypt data.

Symmetric key encryption is a form of cryptography that provides confidentiality with a weak form of authentication or integrity.

Symmetric encryption is well suited for bulk encryption of less sensitive data because it is less CPU-intensive than other encryption methods.

Before communications begin, both parties must exchange the shared secret key using a secure channel. This is often done manually or with some form of asymmetric key cryptography.

Each pair of communicating entities requires a unique shared key. This means that the number of keys required grows exponentially as the number of communication partners grows. For example, 1,000 users in a system would require the generation of almost 500,000 different keys.

The key space is typically short, ranging from 56-bits to a maximum of 512-bits. (As the number of bits in the key increases, so does the strength of the encryption. However, the greater the number of bits in the key, the more CPU resources are required to perform the encryption.)

Symmetric encryption uses two algorithm types:

Method Description

Block

Block ciphers encrypt by transposing plaintext to cipher text in chunks (block-by-block). Block ciphers:

o Are fast.

o Can process large amounts of data. They do not process small amounts of data well.

o Are typically implemented in software.

Stream

Stream ciphers use a sequence of bits known as a keystream which is the key used for encryption. The encryption is performed on each bit within the stream in real time. Stream ciphers:

o Are best used for small amounts of data, usually less than 64 bits.

o Are slower than symmetric key block ciphers.

o Are best implemented in hardware because the data size makes it infeasible to have enough RAM or CPU cycles to process the data.

Common symmetric cryptography methods include:

Rivest Cipher (RC)

International Data Encryption Algorithm (IDEA)

Carlisle Adams Stafford Tavares (CAST)

Twofish

Blowfish

Data Encryption Standard (DES)

Triple DES (3DES)

Advanced Encryption Standard (AES)

Be aware of the following:

DES was one of the first symmetric encryption methods and is now obsolete (known weaknesses can be used to break the encryption).

3DES improves upon DES by applying the encryption three times. It is an acceptable alternative to DES.

AES is stronger and faster than 3DES when implemented with a large key size (256-bits).

Blowfish and Twofish were alternatives to DES, but AES was selected as the protocol to implement to replace DES.

Asymmetric Encryption Facts

Asymmetric encryption, also known as public key encryption, uses two keys that are mathematically related. Both keys together are called the key pair.

The public key is made available to anyone; the private key is kept secret.

Use one key to encrypt and the other to decrypt. For example, if data is encrypted with the public key, use the private key to decrypt the data.

The strength of an asymmetric encryption system lies in the secrecy and security of its private keys. If the private key is ever discovered, a new key pair must be generated.

Both private and public keys are created on a local machine by a local security authority (the security kernel) and a cryptographic service provider (CSP).

Asymmetric encryption of large amounts of data is slow and requires high CPU usage. Processing speeds are much slower (about 1,000 times slower) than symmetric key encryption.

Asymmetric encryption requires fewer keys than symmetric key encryption, because only two keys per user are required (not a key for every communicating partner). For example, 1,000 users would require a total of 2,000 keys.

Asymmetric key encryption can provide confidentiality (encryption), strong authentication, and non-repudiation. Asymmetric encryption is used for:

Digital signing to confirm the integrity of the message and the authenticity of the sender.

Key exchange to ensure keys are secure during transit. Asymmetric encryption is often used to securely exchange symmetric keys.

Data encryption to secure data.

Asymmetric encryption protocols include:

Diffie-Hellman is a key exchange protocol used for generating and securely exchanging symmetric encryption keys.

ElGamal is a protocol used for encryption and is based on Diffie-Hellman. ElGamal is used in the free GNU Privacy Guard software and recent versions of PGP. A variation of ElGamal, the Digital Signature Algorithm, is used for digital signatures, but is very slow.

RSA is a protocol used for both encryption and digital signatures. It was developed by Rivest, Shamir, and Adleman and uses the multiplication of large prime numbers for encryption.

Elliptic curve cryptography (ECC) is an approach to cryptography that uses a finite set of values within an elliptic curve (an algebraic set of numbers). Elliptic curve cryptography is a more efficient algorithm than other asymmetric algorithms (for example, a key size of 60 bits is equivalent to a 1024-bit key used with RSA). Elliptic curve methods have been deployed for encryption, digital signatures, and key exchange.

Asymmetric encryption is used with the following protocols:

SSL/TLS

IPSec

VPNs (PPTP, L2TP, SSTP)

S/MIME and PGP for e-mail security

SSH tunnels

Certificate Lifecycle Facts

A digital certificate, also referred to as a public key certificate or identity certificate, is an electronic document that uses a digital signature to bind together a public key with an identity. Identity information includes the name of a person, computer, or organization. The certificate is the best way to provide non-repudiation and can be used to verify that a public key belongs to an individual.

A public key infrastructure (PKI) is a hierarchy of computers that issue and manage certificates. A Certificate Authority (CA) is the entity that issues certificates. The following process is used to request, issue, and manage certificates:

1. To request a certificate, a client must first generate a public and private key pair. The key pair is generated by an application called a Cryptographic Service Provider (CSP). The CSP uses a specific algorithm for generating the key pair.

2. The client requests a certificate from a CA by sending identifying information along with a copy of the public key. The certificate request is digitally signed using the private key.

3. The CA uses information in the certificate request to approve or deny the certificate. How the certificate is approved is dictated by the approval policy on the CA.

o A manual policy requires an administrator to manually approve or deny all requests coming in.

o An automatic policy allows the CA to review information within the request to determine if it is valid information. Based upon that information it can approve or deny automatically.

The CA performs identity proofing, in that the information submitted to prove identity is verified. The purpose of this process is for the CA to validate that you are who you say you are.

4. If the certificate request is approved, the certificate is issued to the client. Issuance policies on the CA identify the certificates that the CA is allowed to issue. For example, issuance policies can restrict a CA to:

o Only be able to issue certain types of certificates.

o Only be able to issue certificates for a particular use.

o Only issue certificates that are valid for a specific amount of time.

5. Certificates are issued with a valid lifetime period. As the expiration time period approaches, certificates can be renewed by submitting a renewal request. Instead of requesting a new certificate, clients should renew existing certificates.

6. If a certificate becomes compromised, such as the private key being lost or stolen, it can be revoked. This can be accomplished by going to the CA and revoking the certificate. Before accepting a certificate, a client validates that the certificate has not been revoked. Two methods exist for checking for revoked certificates:

o The Certificate Revocation List (CRL) is a list of certificates revoked by the CA. Clients download the entire CRL and check the CRL for a certificate.

o With the Online Certificate Status Protocol (OCSP), clients can submit a verification request for a specific certificate to a special server called an online responder. The online responder maintains a list of revoked certificates, and responds to certificate status requests on a certificate-by-certificate basis.

Certificates are used for proof of identity and for secure communications. The following process is an example of using SSL and certificates to secure Web transactions:

1. A client with a Web browser accesses a Web server that is using HTTPS (SSL).

2. The server sends the client a copy of the SSL certificate that it obtained from a CA.

3. The client verifies information in the SSL certificate to decide if it trusts the certificate. The client checks:

o Does the subject name in the certificate match the URL that was typed in the Web browser?

o Has the certificate expired?

o Does the client trust the issuing CA? Every browser has a Trusted Root CA list that identifies trusted CAs on the Internet. The browser compares the signature of the issuing CA on the certificate to the list of trusted root CAs. If it does not exist in the list, it will not trust the certificate.

4. If the certificate passes all three checks, the client trusts the issuing CA and trusts any certificates that the CA issues; therefore the client trusts the Web server.
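The client checks in step 3, together with the revocation check from the certificate life cycle above, as an added Python example that is not part of the original notes. The certificates are JSON dictionaries signed with textbook RSA over fixed Mersenne primes, a toy stand-in for X.509 so the example runs offline; all names, dates, serial numbers and keys are constructed.

```python
import hashlib
import json
from datetime import date

E = 65537  # public exponent shared by every toy key below


def make_key(p, q):
    """Toy RSA key pair from two known primes (far too small for real use)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest(body, n):
    """Hash the canonical JSON form of a certificate body, reduced mod n."""
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue(subject, subject_key, issuer, issuer_key, serial, not_before, not_after):
    """CA side: bind a subject name to a public key, sign with the issuer's private key."""
    body = {"subject": subject, "issuer": issuer, "serial": serial,
            "public_n": subject_key["n"],
            "not_before": not_before, "not_after": not_after}
    n = issuer_key["n"]
    return {"body": body, "sig": pow(digest(body, n), issuer_key["d"], n)}


def validate(hostname, chain, trusted_roots, crl, today):
    """Client side. chain[0] is the server certificate; each later entry issued the
    one before it. trusted_roots maps root CA name -> public modulus; crl is a set
    of (issuer, serial) pairs. Returns (trusted, reason)."""
    if chain[0]["body"]["subject"] != hostname:
        return False, "subject name does not match requested host"
    for i, cert in enumerate(chain):
        body = cert["body"]
        # ISO dates compare correctly as strings.
        if not body["not_before"] <= today.isoformat() <= body["not_after"]:
            return False, body["subject"] + ": outside validity period"
        if (body["issuer"], body["serial"]) in crl:
            return False, body["subject"] + ": revoked"
        if i + 1 < len(chain):
            parent = chain[i + 1]["body"]
            if parent["subject"] != body["issuer"]:
                return False, body["subject"] + ": chain is out of order"
            issuer_n = parent["public_n"]
        else:
            # Top of the presented chain: its issuer must be in the trusted root list.
            issuer_n = trusted_roots.get(body["issuer"])
            if issuer_n is None:
                return False, "issuing CA does not chain to a trusted root"
        if pow(cert["sig"], E, issuer_n) != digest(body, issuer_n):
            return False, body["subject"] + ": signature check failed"
    return True, "trusted"


# Constructed hierarchy: root CA -> issuing CA -> Web server.
ROOT_KEY = make_key(2**127 - 1, 2**89 - 1)
ISSUING_KEY = make_key(2**107 - 1, 2**61 - 1)
SERVER_KEY = make_key(2**89 - 1, 2**61 - 1)
TRUSTED_ROOTS = {"Example Root CA": ROOT_KEY["n"]}
ISSUING_CERT = issue("Example Issuing CA", ISSUING_KEY, "Example Root CA", ROOT_KEY,
                     7, "2020-01-01", "2030-01-01")
SERVER_CERT = issue("www.example.test", SERVER_KEY, "Example Issuing CA", ISSUING_KEY,
                    1001, "2024-01-01", "2024-12-31")
CHAIN = [SERVER_CERT, ISSUING_CERT]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(validate("www.example.test", CHAIN, TRUSTED_ROOTS, set(), today))
    print(validate("www.example.test", CHAIN, TRUSTED_ROOTS,
                   {("Example Issuing CA", 1001)}, today))
    print(validate("www.example.test", CHAIN, {}, set(), today))
```

The `crl` set plays the role of a downloaded CRL; an OCSP lookup would answer the same question for one serial number at a time.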

The following table reviews terms you should be familiar with.

Term Function

Certificate Authority (CA)

The Certificate Authority (CA) is an entity trusted to issue, store, and revoke digital certificates.

Certificate Practice Statement (CPS)

The Certificate Practice Statement (CPS) is a declaration of the security that the organization is implementing for all certificates issued by the CA holding the CPS. This statement tells potential partners or others relying on the security of the PKI system how well the security of the PKI system is being managed.

Cryptographic Service Provider (CSP)

A Cryptographic Service Provider (CSP) resides on the client and generates the key pair.

Online Certificate Status Protocol (OCSP)

The Online Certificate Status Protocol (OCSP) is a protocol used for checking the status of an individual digital certificate to verify if it is good or has been revoked.

Certificate Revocation List (CRL)

The Certificate Revocation List (CRL) resides at the CA and consists of a list of certificates that have been previously revoked. This list can be accessed by the client to verify the validity of a digital certificate.

Registration Authority (RA)

A Registration Authority (RA) can be used in large, enterprise environments to offload client enrollment request processing by handling verification of clients prior to certificates being issued. The RA:

Accepts registrations.

Distributes certificates and keys.

Validates identities in a certificate request for the CA.

Does not issue certificates directly. Though certificates are not issued until the RA validates the information, the RA cannot issue certificates.

X.509

X.509 is the official standard that identifies the format for public key certificates and certification path validation.

Enrollment agent

An enrollment agent is a user who is authorized to request certificates for other users. Enrollment agents are typically authorized to request certificates that are used on smart cards. These agents can request the certificate and create the smart card that the authorized user can then use.

PKI Management Facts

Be aware of the following when managing a public key infrastructure (PKI).

Consideration Description

PKI hierarchy

A typical PKI involves multiple certificate authorities (CAs) arranged in a hierarchy.

A root CA is the first CA in the hierarchy and the first CA you set up. The root CA has a self-signed certificate, and is often offline to protect the CA from compromise. The root CA typically does not issue certificates to end users or computers (unless the PKI structure is very small).

A subordinate CA is a CA authorized by the root CA to issue certificates to other CAs or users or computers.

o The subordinate CA gets its certificate from the root CA.

o You add subordinate CAs to your hierarchy to distribute the workload of issuing certificates, or to designate specific CAs to issue certificates for specific uses.

o The subordinate CA is responsible for issuing certificates, holding the CPS, and publishing the Certificate Revocation List (CRL).

o Qualified subordination is implemented on a subordinate CA to restrict the issuance and usage of certificates.

Two types of subordinate CAs are:

o An issuing CA is the CA at the bottom of the hierarchy which actually issues the certificate to the clients.

o An intermediate CA is the CA in the middle of a multi-tier system, and certifies issuing CAs or other intermediate CAs. An intermediate CA is a subordinate CA.

Cross certification

A cross-certification or bridge model is used when one organization with a CA structure needs to trust certificates from another organization that has its own CA structure. By default, clients in an organization will trust certificates issued by that organization but don't trust other root CAs unless they are in an official third party list for trusted root CAs on the Internet. Cross-certification can be set up so both hierarchies trust each other.

A root-to-root configuration allows clients in one organization to trust any certificate issued by the other organization's CAs and vice versa.

A mesh configuration provides trust paths that can be configured for more restrictive certificate validation. This could include root-to-subordinate CA, or even subordinate-to-subordinate.

Key archival

Key archival is the backup and archival of private keys for end users in case they lose their private keys. Normally, private keys are kept private and the CA would never get a copy of the private key. With a key archival system:

Private keys are sent to the CA and backed up by the CA.

To protect the private keys during transit, they are encapsulated in a secure transmission of data to the CA.

The location of the private keys backup is secured.

Recovery agents are users who are given the ability to restore private keys from the archive.

Key archival uses a centralized approach to key management, where keys are managed by the CA and not only by individual users.

Key escrow

Key escrow is a form of key archival. The main difference between key escrow and key archival is that escrow stores keys with a trusted third-party, either to increase security or to allow access only under controlled circumstances. With key escrow, keys might be retrieved by a business that needs access to employee files, or key escrow might allow for key access by law enforcement with the proper authorization to investigate crimes or enforce laws.

Dual key pairs

Each certificate that is issued has a corresponding public and private key pair. If users are issued a single key pair, that key pair is used for both digital signatures and encryption. In an enterprise environment, it might be beneficial to use two key pairs: one key pair for digital signatures, and the other for encryption.

The private key used for digital signatures is kept completely private. Only the user has access to this key and the key is never archived.

The private key used for encryption is archived so that encrypted documents can be recovered if the private key is lost.

If a single key pair is used for both digital signatures and encryption, it is possible for a recovery agent to obtain the private key from the key archive and use that key for signing documents. This violates the principle of non-repudiation because someone other than the original user could have signed the document.

Secure Protocols Facts

When many protocols were created, they were designed with little or no security controls. An unsecured protocol is one that does not provide authentication or encryption, or that uses plaintext for passing authentication protocols or data. Security services (authentication and encryption) are often added to new or existing protocols using one of the following secure protocols:

Protocol Description

Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL) secures messages being transmitted on the Internet. SSL:

Requires the server to have a certificate issued by a CA and uses asymmetric encryption.

Uses RSA or the Key Exchange Protocol (KEA) for secure exchanging of encryption keys.

Requires two types of keys for a server and workstation to communicate:

o A public key is used to secure the communication.

o A session key is used between the client and the server for the duration of the SSL session.

Uses the SSL Handshake Protocol to establish the secure channel.

Operates at the Session layer (layer 5) of the OSI model.

Uses port 443 for encrypted traffic. Most firewalls allow port 443 traffic even when other traffic is blocked. For this reason, technologies that can use SSL are more likely to be allowed through firewalls than technologies that require other ports to be opened.

Provides an end-to-end encrypted tunnel that is impossible to monitor, scan, or sniff.

o The advantage is that it increases security.

o The disadvantages are that:

Security software cannot detect embedded attacks in transit.

Internal users can use SSL to bypass proxy servers or Internet content filtering systems that have been set up by organizations to control Internet usage and content.

o SSL inspection can be used by organizations to decrypt the SSL session, scan the content, and repackage the SSL session without end users knowing. This is similar to a man-in-the-middle attack, but for positive use.

Has different versions, with the later versions being more secure. Secure Sockets Layer (SSL) 3.0 was the last SSL version.

Transport Layer Security (TLS)

Transport Layer Security (TLS) is the successor to SSL 3.0.

TLS and SSL are similar but not interoperable, although most applications can use both SSL and TLS.

Applications that can use both SSL and TLS negotiate which protocol to use during the handshake process.

Many secure connections that are described as using SSL might actually be using TLS instead.

TLS uses Diffie-Hellman or RSA to exchange session keys.

TLS is implemented through two protocols:

o TLS Record provides connection security with encryption (with DES for example).

o TLS Handshake provides mutual authentication and choice of encryption method.

Secure Shell (SSH)

SSH allows for secure interactive control of remote systems.

SSH uses RSA public key cryptography for both connection and authentication.

SSH uses the IDEA algorithm for encryption by default, but is able to use Blowfish and DES.

SSH is a secure and acceptable alternative to Telnet.

SSH is used by unsecured protocols to establish a secure channel. For example, SFTP and SCP are secure file copy protocols that use SSH.

A common unsecured protocol is the Hyper Text Transfer Protocol (HTTP). HTTP is used for exchanging Web content, but passes data in clear text. HTTP uses TCP port 80 and is stateless, which means by default it doesn't keep track of clients. To solve this problem, cookies can be used to keep track of the client's behavior. To secure HTTP, use one of the following protocols:

Protocol Description

HTTPS

Hyper Text Transfer Protocol Secure (HTTPS) is a secure form of HTTP that uses either SSL or TLS to encrypt sensitive data before it is transmitted. HTTPS:

Is stateful, which means that it keeps track of the client. To do this, the client must communicate with the same HTTPS server for the duration of the session. Load balancing is not possible during the connection, and is only available to initially determine which server will handle the client's session.

Requires TCP port 443 inbound on the Web server to be allowed.

Can be identified by verifying that the URL starts with https://, or by looking for a lock symbol in the browser.

S-HTTP

Secure Hypertext Transfer Protocol (S-HTTP) is an alternate protocol that is not widely used because it is not as secure as HTTPS. S-HTTP:

Is connectionless, unlike SSL which is connection-oriented.

Provides only message security, unlike HTTPS which provides a full secure channel for all messages.

Does not use port 443.

IPSec Facts

IP Security (IPSec) provides secure data transmission over unprotected TCP/IP networks such as the Internet. IPSec operates on the network layer (layer 3). It provides mutual authentication, integrity, and confidentiality.

IPSec includes two protocols:

Protocol Function

Authentication Header (AH)

AH provides authenticity, non-repudiation, and integrity. AH:

Does not provide confidentiality because the data in the packet is not encrypted.

Provides protection against replay and man-in-the-middle attacks.

Uses a keyed hash based on all the bytes in the packet for the authentication information.

Authenticates packets by digitally signing them.

Uses IP Protocol 51.

Encapsulating Security Payload (ESP)

ESP provides all the security of AH plus confidentiality. ESP:

Is the most commonly used IPSec protocol.

Provides data encryption.

Uses IP Protocol 50.

Whether using AH or ESP there are two modes of operation that can be implemented with IPSec:

Transport mode only encrypts the payload (data).

Tunnel mode encrypts the entire packet. Both the data inside the packet and the IP headers are encrypted. The entire packet is encapsulated in a new packet.

A Security Association (SA) is the establishment of shared security information between two network entities to support secure communications. An SA may include algorithm selection, cryptographic keys, and/or digital certificates. A Security Association can be established manually or automatically through a protocol called Internet Key Exchange (IKE). IKE helps to establish automatic Security Associations (SAs). IKE:

Helps the two endpoints set up a secure tunnel by providing a secure exchange of shared keys before a full IPSec transmission begins.

Uses a Diffie-Hellman key exchange to set up a shared session secret, from which cryptographic keys are derived.

Uses mutual authentication that is provided by either pre-shared keys on both endpoints or certificates issued by a CA.

Can be implemented to automate the selection of the best security association for each connection.

Uses UDP port 500.

Network Address Translation (NAT) can cause communication errors with an IPSec VPN tunnel because it makes changes to the IP headers, such as changing source and destination IP addresses and ports. NAT-Traversal (NAT-T) is a new method designed to allow IPSec to function properly through a NAT device. 

Note: IPSec is most commonly used with L2TP VPNs.
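Why an AH-protected packet survives ordinary routing but not NAT, as an added Python example that is not part of the original notes: the keyed hash covers the IP header with only the fields routers legitimately change zeroed out, so a TTL decrement still verifies while a rewritten source address does not. Assumptions: the layout is simplified (sequence number and ICV placed directly after the IP header, no sliding replay window), the keyed hash is HMAC-SHA-256 truncated to 16 bytes, and the key, addresses and payload are constructed.

```python
import hashlib
import hmac
import socket
import struct

ICV_LEN = 16  # assumption: HMAC-SHA-256 truncated to 16 bytes
KEY = b"constructed-pre-shared-key"


def checksum(header):
    """IPv4 header checksum over a 20-byte header (returns 0 for a valid header)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def with_checksum(header):
    """Return the 20-byte header with its checksum field recomputed."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)


def icv(key, packet):
    """Keyed hash over the packet with mutable header fields and the ICV slot zeroed."""
    buf = bytearray(packet)
    buf[1] = 0                              # TOS / DSCP: routers may re-mark it
    buf[6:8] = b"\x00\x00"                  # flags and fragment offset
    buf[8] = 0                              # TTL: decremented at every hop
    buf[10:12] = b"\x00\x00"                # header checksum: changes with TTL
    buf[24:24 + ICV_LEN] = bytes(ICV_LEN)   # the ICV field itself
    return hmac.new(key, bytes(buf), hashlib.sha256).digest()[:ICV_LEN]


def protect(key, seq, src, dst, ttl, data):
    """Sender: IPv4 header (IP protocol 51) + sequence number + ICV + data."""
    body = struct.pack("!I", seq) + bytes(ICV_LEN) + data
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234, 0,
                         ttl, 51, 0, socket.inet_aton(src), socket.inet_aton(dst))
    packet = with_checksum(header) + body
    return packet[:24] + icv(key, packet) + packet[24 + ICV_LEN:]


def route_hop(packet):
    """What a router does: decrement TTL and fix the header checksum."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    return with_checksum(bytes(hdr)) + packet[20:]


def nat_rewrite(packet, new_src):
    """What a NAT device does: replace the source address and fix the checksum."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = socket.inet_aton(new_src)
    return with_checksum(bytes(hdr)) + packet[20:]


class Receiver:
    """Verifies the ICV, then rejects sequence numbers it has already seen."""

    def __init__(self, key):
        self.key = key
        self.highest_seq = 0

    def accept(self, packet):
        seq = struct.unpack("!I", packet[20:24])[0]
        tag = packet[24:24 + ICV_LEN]
        if not hmac.compare_digest(tag, icv(self.key, packet)):
            return "drop: ICV mismatch"
        if seq <= self.highest_seq:
            return "drop: replayed sequence number"
        self.highest_seq = seq
        return "accept"


if __name__ == "__main__":
    rx = Receiver(KEY)
    first = protect(KEY, 1, "10.0.0.5", "198.51.100.7", 64, b"payload")
    print(rx.accept(route_hop(first)))                     # routed: still verifies
    print(rx.accept(route_hop(first)))                     # same packet again
    second = protect(KEY, 2, "10.0.0.5", "198.51.100.7", 64, b"payload")
    print(rx.accept(nat_rewrite(second, "203.0.113.9")))   # NAT broke the ICV
```

The NAT device can repair the IP header checksum because that needs no key, but it cannot recompute the ICV without the shared key.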

OSI Model Facts

The Open Systems Interconnection (OSI) model is a theoretical way of classifying and talking about the complex process of sending data on a network. The OSI model divides the complex task of networking into various layers to facilitate the development of standards and to allow for interoperability between protocols and hardware components.

Network security devices and solutions are often described based on the OSI model. As you learn about network security, you should be familiar with the networking tasks associated with each OSI model layer. The following table summarizes key facts about each OSI model layer.

Layer Description and Keywords

Application (Layer 7)

The Application layer integrates network functionality into the host operating system, and enables network services. The Application layer does not include specific applications that provide services, but rather provides the capability for services to operate on the network.

The Application layer is associated with the data that is generated by a service or a protocol. A security device operating at the Application layer makes security decisions based on the actual data within a data stream.

Presentation (Layer 6)

The Presentation layer formats or "presents" data into a compatible form for receipt by the Application layer or the destination system. Specifically, the Presentation layer ensures:

Formatting and translation of data between systems.

Negotiation of data transfer syntax between systems, through converting character sets to the correct format.

Encapsulation of data into message envelopes by encryption and compression.

Restoration of data by decryption and decompression.

Session (Layer 5)

The Session layer's primary function is managing the sessions in which data is transferred. Functions at this layer include:

Management of multiple sessions (each client connection is called a session). A server can concurrently maintain thousands of sessions.

Assignment of the session ID number to each session to keep data streams separate.

Set up, maintain, and tear down communication sessions.

Transport (Layer 4)

The Transport layer provides a transition between the upper and lower layers of the OSI model, making the upper and lower layers transparent to each other. Two protocols associated with the Transport layer are:

The Transmission Control Protocol (TCP) provides services that ensure accurate and timely delivery of network communications between two hosts. TCP provides the following services to ensure message delivery:

o Sequencing of data packets

o Flow control

o Error checking

TCP is referred to as a connection-oriented protocol because it includes these delivery guarantees.

The User Datagram Protocol (UDP) is similar to TCP, but does not include mechanisms for ensuring timely and accurate delivery. Because it has less overhead, it offers fast communications, but at the expense of possible errors or data loss. UDP is referred to as a connectionless protocol because it lacks these delivery guarantee mechanisms.

Network (Layer 3)

The Network layer describes how data is routed across networks and on to the destination.

Protocols associated with the Network layer include IP and IPX.

The logical host address, in the form of the IP address, is defined at the Network layer.

Routers operate at the Network layer by reading the IP address in the packet to make forwarding decisions.

Data Link (Layer 2)

The Data Link layer defines the rules and procedures for hosts as they access the Physical layer.

The physical device address, in the form of the MAC address used with Ethernet, is defined at the Data Link layer.

Network interface cards (NICs) contain the MAC address and perform functions at the Data Link layer.

Switches operate at the Data Link layer by reading the MAC address in a frame to make forwarding decisions.

Physical (Layer 1)

The Physical layer sets standards for sending and receiving electrical signals between devices. Hubs operate at the physical layer because they simply forward electrical signals out all hub ports without interpreting the meaning of those signals that are present at higher layers.

Network Protocol Facts

A protocol is a set of standards for communication between network hosts. Protocols often provide services, such as e-mail or file transfer. Most protocols are not intended to be used alone, but instead rely on and interact with other dependent or complementary protocols. A group of protocols that is intended to be used together is called a protocol suite.

The following table lists several major protocols.

Protocol Characteristics

Transmission Control Protocol (TCP)

TCP provides services that ensure accurate and timely delivery of network communications between two hosts. TCP is a layer 4 (Transport layer) protocol. TCP is connection-oriented which means that it provides a guaranteed delivery of data between hosts through the following services:

Sequencing of data packets

Flow control

Error checking

The TCP three-way handshake is the process used to establish a TCP session. The steps to a TCP three-way handshake process are:

1. A host sends a SYN packet to the target host.

2. The target host responds to the original host with a SYN ACK packet.

3. The host responds to the target host with an ACK packet.

User Datagram Protocol (UDP)

UDP is a host-to-host protocol like TCP. However, UDP is connectionless, which means that it does not include mechanisms for ensuring timely and accurate delivery, but uses a best effort delivery. Because it has less overhead, it offers fast communications, but at the expense of possible errors or data loss.

Internet Protocol (IP)

IP is a layer 3 protocol that is connectionless and relies on upper layer protocols like TCP to ensure delivery and connection orientation.

Internetwork Packet Exchange (IPX)

IPX is an older protocol used with older Novell networks. IPX has been replaced with TCP/IP in newer versions of NetWare. Unless you are running a version of NetWare that does not support TCP/IP, or are using applications that rely on IPX, you should disable IPX to eliminate attacks against IPX on your network.

Network Basic Input/Output System (NetBIOS)

NetBIOS is the term used to describe the combination of two protocols: NetBEUI and NetBIOS. Because NetBIOS is a non-routable protocol, it was often combined with TCP/IP or IPX/SPX to enable internetwork communications.

NetBIOS was used in early Windows networks.

Beginning with Windows 2000, NetBIOS is no longer required.

NetBIOS might be needed if the network includes clients running previous versions of Windows.

Internet Control Message Protocol (ICMP)

ICMP is commonly used for troubleshooting and information gathering. ICMP works closely with IP in providing error and control information, and by allowing hosts to exchange packet status information which helps move the packets through the internetwork. Two common management utilities use ICMP messages to check network connectivity.

ping is an ICMP Echo Request and once executed should initiate an Echo Reply to the source from the target device. Ping can be used to determine whether devices are reachable and can communicate across the network.

traceroute determines how many routers (hops) are between the source and the target and response time for each router.

ICMP also works with IP to send notices when destinations are unreachable and when devices' buffers overflow. ICMP messages are used to determine the route and hops packets take through the network and whether devices can communicate across the network.

Address Resolution Protocol (ARP)

ARP provides IP address-to-MAC address resolution. Using ARP, a host that knows the IP address of a host can discover the corresponding MAC address.

Running an antiquated protocol, such as NetBIOS or IPX/SPX, on a system opens the system to attack. Unless there is a critical reason, disable any unnecessary protocols on network devices.

Common Ports

Ports are logical connections, provided by the TCP or UDP protocols at the Transport layer, for use by protocols in the upper layers of the OSI model. The TCP/IP protocol stack uses port numbers stored in the header of a packet to determine what protocol incoming traffic should be directed to. Some characteristics of ports are listed below:

Ports allow a single host with a single IP address to run multiple network services. Each port number identifies a distinct service.

Each host can have over 65,000 ports per IP address.

Port use is regulated by the Internet Corporation for Assigned Names and Numbers (ICANN).

ICANN specifies three categories for ports.

Well known ports range from 0 to 1023 and are assigned to common protocols and services.

Registered ports range from 1024 to 49151 and are assigned by ICANN to a specific service.

Dynamic (also called private or high) ports range from 49,152 to 65,535 and can be used by any service on an ad hoc basis. Ports are assigned when a session is established, and released when the session ends.

The following table lists the well known ports that correspond to common Internet services.

Port(s)                                      Service
20 TCP, 21 TCP                               File Transfer Protocol (FTP)
22 TCP and UDP                               Secure Shell (SSH)
23 TCP                                       Telnet
25 TCP                                       Simple Mail Transfer Protocol (SMTP)
49 TCP and UDP                               Terminal Access Controller Access-Control System (TACACS)
*IP protocol number 50                       Encapsulating Security Payload (ESP) (used with IPSec)
*IP protocol number 51                       Authentication Header (AH) (used with IPSec)
53 TCP and UDP                               Domain Name Server (DNS)
67 UDP, 68 UDP                               Dynamic Host Configuration Protocol (DHCP)
69 UDP                                       Trivial File Transfer Protocol (TFTP)
80 TCP                                       HyperText Transfer Protocol (HTTP)
88 TCP                                       Kerberos
110 TCP                                      Post Office Protocol (POP3)
119 TCP                                      Network News Transport Protocol (NNTP)
123 UDP                                      Network Time Protocol (NTP)
135 TCP, 137 and 138 TCP and UDP, 139 TCP    Network Basic Input/Output System (NetBIOS)
143 TCP and UDP                              Internet Message Access Protocol (IMAP4)
161 TCP and UDP, 162 TCP and UDP             Simple Network Management Protocol (SNMP)
389 TCP and UDP                              Lightweight Directory Access Protocol (LDAP)
443 TCP and UDP                              HTTP with Secure Sockets Layer (SSL)
445 TCP                                      Windows 2000 CIFS/SMB (file access)
500 UDP                                      Internet Key Exchange (IKE) (used with IPSec)
636 TCP and UDP                              Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
1701 UDP                                     Layer 2 Tunneling Protocol (L2TP)
1723 TCP and UDP                             Point-to-Point Tunneling Protocol (PPTP)
1812 TCP and UDP, 1813 TCP and UDP           Remote Authentication Dial In User Service (RADIUS)
3389 TCP                                     Remote Desktop Protocol (RDP)

* Is not a port number, but an IP protocol number used with IPSec.

Note: Ports listed in the table above that are higher than the well known range (0-1023) are newer protocols that were released after the initial Internet protocols were established.

Be aware of the following regarding ports:

Attackers use port scanning software to identify open ports, then focus their attacks on services that use those ports.

Configure a firewall to open (allow) or block ports through the firewall or on a device.

As a best practice, only open the necessary ports. For example, if the server is only being used for e-mail, then shut down ports that correspond to FTP, DNS, and HTTP (among others).

For auditing purposes, you can use a port scanner to check systems and firewalls for open ports.

o Use netstat -a to view a list of opened ports on a system.

o Use a port scanning tool such as Nmap to scan for open ports on local and remote systems.
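The audit described above (list what is listening, keep only what the server's role needs), as an added Python example that is not part of the original notes. The netstat output (in the numeric `netstat -an` layout) and the e-mail server allowlist are constructed; the service names and the three port ranges are the ones given in these notes.

```python
# Service names as listed in the ports table of these notes (subset).
SERVICES = {
    21: "File Transfer Protocol (FTP)", 22: "Secure Shell (SSH)", 23: "Telnet",
    25: "Simple Mail Transfer Protocol (SMTP)", 53: "Domain Name Server (DNS)",
    80: "HyperText Transfer Protocol (HTTP)", 110: "Post Office Protocol (POP3)",
    123: "Network Time Protocol (NTP)",
    143: "Internet Message Access Protocol (IMAP4)",
    443: "HTTP with Secure Sockets Layer (SSL)",
    445: "Windows 2000 CIFS/SMB (file access)",
    3389: "Remote Desktop Protocol (RDP)",
}

# Constructed sample: an e-mail server with several unneeded services running.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:143            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          198.51.100.23:50412    ESTABLISHED
  TCP    192.0.2.10:49733       203.0.113.8:443        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:123            *:*
"""

# Constructed policy: this host should only offer SMTP, POP3 and IMAP4.
EMAIL_SERVER_ALLOWED = {("TCP", 25), ("TCP", 110), ("TCP", 143)}


def port_category(port):
    """Classify a port number into the three ranges described above."""
    if not 0 <= port <= 65535:
        raise ValueError("not a valid port number: %r" % port)
    if port <= 1023:
        return "well known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def listening(netstat_text):
    """Return the set of (protocol, port) pairs that accept new traffic."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""
        # A TCP socket is open to new connections only in LISTENING state;
        # UDP is connectionless, so every bound UDP socket counts.
        if proto == "TCP" and state != "LISTENING":
            continue
        port = local.rpartition(":")[2]  # also handles [::]:445
        if port.isdigit():
            found.add((proto, int(port)))
    return found


def audit(netstat_text, allowed):
    """List open ports that the host's role does not require, lowest port first."""
    extra = listening(netstat_text) - set(allowed)
    return [(proto, port, SERVICES.get(port, "unknown service"), port_category(port))
            for proto, port in sorted(extra, key=lambda item: (item[1], item[0]))]


if __name__ == "__main__":
    for proto, port, service, category in audit(SAMPLE_NETSTAT, EMAIL_SERVER_ALLOWED):
        print("close or filter %s %d (%s, %s port)" % (proto, port, service, category))
```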

Network Device Facts

The following table lists characteristics of common network devices.

Device Description

Hub

A hub is the central connecting point of a physical star, logical bus topology. Hubs simply repeat incoming frames without examining the MAC address in the frame and send it to every host connected to the hub.

Because frames are repeated out all hub ports, sniffers can be used to collect sensitive information by capturing traffic that flows through the hubs.  

All devices connected to a hub share the available bandwidth.

Collisions are a natural consequence of the shared medium. As the number of devices connected to the hub increases, so does the number of collisions.

As the number of devices increases, the performance also drops.

For security and performance, replace hubs with switches whenever possible.

Switch

A switch is a multiport device that performs filtering based on MAC addresses. Switches:

Are more secure than hubs because switches only send communication to the destination device, not to all the devices on the switch like a hub.

Pass broadcasts to all ports. This is a disadvantage from a security perspective because it allows sniffers to capture data in broadcasts.

Offer guaranteed bandwidth to each switch port, eliminating collisions when a single device is connected to a switch port and improving data availability.

Can make additional forwarding decisions based on the MAC address. For example, a switch can be configured to prevent unauthorized devices from sending frames through a port.

Router

A router is a layer 3 device that routes and forwards information between different IP subnets. Routers receive packets, read their headers to find IP addressing information, and send them on to their correct destination on the network or Internet.

Routers can be used to connect dissimilar networks.

Routers forward packets through an internetwork by maintaining routing information in a database called a routing table.

o Static routing requires that entries in the routing table be configured manually. When changes occur to the network, static entries must be added or removed.

o A dynamic routing protocol allows routers to automatically share their routing table entries. Dynamic routing protocols include RIP, OSPF, BGP, IGRP, EIGRP, and IS-IS.

A router can have an access control list (ACL) that allows or blocks packets based on information contained in the packet (such as IP address or port).

Routers do not pass broadcasts.