Pi's Website - Archived

Security+ Domain 1 - General Security Concepts

1.1 Recognize and be able to differentiate and explain the following access control models
 
Access control is ensuring that only authorized users may access certain resources.
o MAC (Mandatory Access Control) - MAC is non-discretionary, meaning the owner of an object does not determine access.  In MAC, each resource is given a security label by the administrator or Operating System and users are given sensitivity (or security) levels, or labels.  Users can view information up to their clearance level, and to prevent information from leaking down, can only create information with their clearance level.  Additionally, there may be categories, and even a user with the highest label in one category cannot access information in another category.  This is a very secure method of access control and is often used by the military and other top-secret organizations, but requires a lot of administration.

o DAC (Discretionary Access Control) - DAC allows the "owner" of an object to define who can do what to the object.  Something called an access control list (ACL) is used on DAC.  This is a list determined by the data owner(s) that says who has permission to do what.  Some secure DAC methods automatically deny access unless it is specifically given.

o RBAC (Role Based Access Control) - In RBAC, a type of non-discretionary access control, users are given labels, often based on roles the users play in the organization.  Objects can then be specifically configured to allow or deny access based on the user's role.  In many other types of access control, users can be placed in one or more "groups."  In RBAC, users may be assigned one and only one role.  This type of access control is useful for companies that use a large number of independent contractors, since it reduces the amount of administration necessary.
 
o Rule-Based Access Control - In rule-based access control (also sometimes called RBAC), access is also based on ACLs.  When an access request occurs, the system looks at a set of predefined rules, or conditions, made by the administrator, making it similar to MAC.  There are different access levels such as read and write.
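The four models above are easiest to tell apart by watching the same request go through each one. The following is an added illustration, not code from the original page or from any of the listed resources; the users, objects, levels and categories are invented. The MAC part applies the two Bell-LaPadula rules that the notes describe informally (read only at or below your clearance, write only at or above it, and never across a category you do not hold); the DAC part is an owner-maintained ACL that denies anything not listed; the RBAC part enforces the one-role-per-user rule; and the rule-based part evaluates administrator-written conditions in order.

```python
from dataclasses import dataclass

# MAC: ordered sensitivity levels plus a set of categories (compartments).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

def dominates(a, b):
    """True when label a is at least as high as b and holds every category of b."""
    return LEVELS[a.level] >= LEVELS[b.level] and b.categories <= a.categories

def mac_allowed(subject, obj, action):
    """Bell-LaPadula rules: no read up, no write down (the 'leaking down' the notes mention)."""
    if action == "read":
        return dominates(subject, obj)
    if action == "write":
        return dominates(obj, subject)
    return False

# DAC: the owner keeps an ACL on each object; no entry means deny.
class DacObject:
    def __init__(self, owner):
        self.acl = {owner: {"read", "write", "grant"}}
    def grant(self, by, to, perms):
        if "grant" not in self.acl.get(by, set()):
            raise PermissionError(f"{by} cannot grant rights on this object")
        self.acl.setdefault(to, set()).update(perms)
    def allowed(self, user, action):
        return action in self.acl.get(user, set())

# RBAC: each user holds exactly one role; permissions attach to roles, not users.
class Rbac:
    def __init__(self):
        self.user_role = {}
        self.perms = {}      # (object, role) -> set of actions
    def assign(self, user, role):
        self.user_role[user] = role      # assigning again replaces the old role
    def permit(self, obj, role, actions):
        self.perms.setdefault((obj, role), set()).update(actions)
    def allowed(self, user, obj, action):
        return action in self.perms.get((obj, self.user_role.get(user)), set())

# Rule-based: administrator-written rules examined in order; no verdict means deny.
def rule_based_allowed(rules, request):
    for rule in rules:
        verdict = rule(request)
        if verdict is not None:
            return verdict
    return False

BUSINESS_HOURS = range(8, 18)
RULES = [
    lambda r: False if r["hour"] not in BUSINESS_HOURS else None,   # deny outside 08:00-18:00
    lambda r: True if r["action"] == "read" else None,              # reads are fine in hours
]

def demo():
    """Exercises each model on constructed users and objects; returns the decisions."""
    analyst = Label("secret", frozenset({"nuclear"}))
    results = {
        "mac_read_lower": mac_allowed(analyst, Label("confidential"), "read"),
        "mac_read_other_category": mac_allowed(analyst, Label("secret", frozenset({"crypto"})), "read"),
        "mac_write_up": mac_allowed(analyst, Label("top-secret", frozenset({"nuclear"})), "write"),
        "mac_write_down": mac_allowed(analyst, Label("confidential"), "write"),
    }
    report = DacObject("alice")
    report.grant("alice", "bob", {"read"})
    results["dac_bob_read"] = report.allowed("bob", "read")
    results["dac_bob_write"] = report.allowed("bob", "write")
    try:
        report.grant("bob", "carol", {"read"})
        results["dac_bob_can_grant"] = True
    except PermissionError:
        results["dac_bob_can_grant"] = False
    rbac = Rbac()
    rbac.permit("ledger", "auditor", {"read"})
    rbac.assign("dave", "contractor")
    rbac.assign("dave", "auditor")           # second assignment replaces the first
    results["rbac_dave_role"] = rbac.user_role["dave"]
    results["rbac_dave_read_ledger"] = rbac.allowed("dave", "ledger", "read")
    results["rule_read_in_hours"] = rule_based_allowed(RULES, {"action": "read", "hour": 10})
    results["rule_read_at_night"] = rule_based_allowed(RULES, {"action": "read", "hour": 22})
    results["rule_write_in_hours"] = rule_based_allowed(RULES, {"action": "write", "hour": 10})
    return results

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Note how the same "secret" analyst is refused a "secret" document in a category he does not hold, and how a user with "read" in a DAC list still cannot pass that right on: in DAC the owner decides, in MAC the label does, in RBAC the role does, and in the rule-based case the administrator's rules do.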


1.2 Recognize and be able to differentiate and explain the following methods of authentication
 
Authentication is proving that an individual or PC is what it appears and claims to be.
o Kerberos - Kerberos was developed at MIT, and is a secure authentication method.  Users request encrypted tickets from a Ticket Granting Server (TGS) which are stamped with the time to prevent replay attacks.
o CHAP (Challenge Handshake Authentication Protocol) - CHAP is the successor of Password Authentication Procedure (PAP), which was not secure as it sent the password over the network unencrypted.  CHAP uses MD5 hashing and compares the hash derived from the user's typed password with a hash value on the server, and allows access if the two match.
o Certificates - Certificates are a type of authentication based on credentials.  Usually, a 3rd party widely trusted by the community supplies certificates, which may follow the X.509 standard.
o Username/Password- This is the most common type of authentication.  The username and password are both "What you know."
o Tokens - Tokens are often used only once, since they usually rotate values after a specific amount of time.  This type of authentication is based on "What you have."
o Multi-factor - Multi-factor authentication is authentication based on two or more credentials, such as "Who you are," "What you have," and "What you know."
o Mutual - Mutual authentication is authentication of the client to the server, and the server to the client.
o Biometrics - Biometrics is based on "Who you are," and authenticates based on various unique human features, such as a fingerprint reader or retina scan.
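To make the PAP-versus-CHAP difference concrete, and to show why the time stamps mentioned under replay attacks in 1.4 matter, here is an added example (not code from the original page or from any standard implementation). It follows the response formula RFC 1994 gives for CHAP, MD5 over the identifier, the shared secret and a random challenge, so the secret itself never crosses the wire, and a response an eavesdropper captured is useless once the server has issued a new challenge. User names and secrets are constructed.

```python
import hashlib
import hmac
import os

# PAP: identity and password travel in the clear; anyone on the path can reuse them.
def pap_message(user, password):
    return f"{user}:{password}".encode()

# CHAP response as RFC 1994 defines it: MD5(identifier || secret || challenge).
def chap_response(identifier, secret, challenge):
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side: issues one-time random challenges and verifies responses."""
    def __init__(self, secrets):
        self.secrets = secrets        # user -> shared secret (bytes)
        self.pending = {}             # user -> (identifier, challenge) awaiting a response
        self.next_id = 0
    def challenge(self, user):
        self.next_id = (self.next_id + 1) % 256
        chal = os.urandom(16)         # fresh randomness: old responses cannot be replayed
        self.pending[user] = (self.next_id, chal)
        return self.next_id, chal
    def verify(self, user, identifier, response):
        issued = self.pending.pop(user, None)   # each challenge accepts exactly one attempt
        if issued is None or issued[0] != identifier or user not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[user], issued[1])
        return hmac.compare_digest(expected, response)

class ChapPeer:
    """Client side: knows the secret, never transmits it."""
    def __init__(self, user, secret):
        self.user, self.secret = user, secret
    def answer(self, identifier, challenge):
        return self.user, identifier, chap_response(identifier, self.secret, challenge)

def run_exchange():
    """Returns (genuine logon ok, captured response replayed ok, wrong secret ok)."""
    secret = b"constructed-shared-secret"
    server = ChapAuthenticator({"alice": secret})
    alice = ChapPeer("alice", secret)

    ident1, chal1 = server.challenge("alice")
    user, ident, resp1 = alice.answer(ident1, chal1)
    genuine = server.verify(user, ident, resp1)

    # An eavesdropper saw (user, ident1, resp1). The server now issues a new challenge,
    # so feeding the captured response back no longer matches what the server expects.
    ident2, chal2 = server.challenge("alice")
    replayed = server.verify("alice", ident2, resp1)

    # A peer that does not hold the real secret cannot compute a valid response either.
    ident3, chal3 = server.challenge("alice")
    impostor = ChapPeer("alice", b"guessed-secret")
    wrong = server.verify(*impostor.answer(ident3, chal3))
    return genuine, replayed, wrong

if __name__ == "__main__":
    print("pap wire bytes:", pap_message("alice", "hunter2"))
    print("genuine, replayed, wrong-secret:", run_exchange())
```

Mutual authentication, in these terms, is simply the same exchange run in both directions: the client also sends a challenge and checks the server's response against the shared secret before trusting it.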


1.3 Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols

 

When setting up a new server, it is usually best to start with a clean installation of the Operating System (OS) and determine which specific protocols and services are needed, then disable the rest.
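A practical way to check this on a running system is to compare what is actually listening against a written baseline of approved ports. The example below is added here and is not from the original page; it parses text in the layout of `ss -ltnp` output (the sample lines are constructed, not captured from a real host) and reports every network-reachable listener that is not on the allowed list. Sockets bound only to loopback are skipped by default, since they are not reachable from the network.

```python
import re

# Constructed sample in the layout of `ss -ltnp` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("inetd",pid=640,fd=5))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("httpd",pid=901,fd=4))
LISTEN 0      128    0.0.0.0:111        0.0.0.0:*         users:(("rpcbind",pid=500,fd=6))
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1020,fd=10))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
"""

PROCESS = re.compile(r'users:\(\("([^"]+)"')

def parse_listeners(text):
    """Yield (address, port, process) for each LISTEN line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        m = PROCESS.search(line)
        yield addr, int(port), (m.group(1) if m else "?")

def unexpected_listeners(text, allowed_ports, loopback_ok=True):
    """Return sorted (port, process) pairs that are network-reachable and not on the baseline."""
    findings = set()
    for addr, port, proc in parse_listeners(text):
        if loopback_ok and addr in ("127.0.0.1", "[::1]"):
            continue  # bound to loopback only: not reachable from other hosts
        if port not in allowed_ports:
            findings.add((port, proc))
    return sorted(findings)

if __name__ == "__main__":
    baseline = {22, 80}   # constructed: this host is meant to offer SSH and HTTP only
    for port, proc in unexpected_listeners(SAMPLE_SS_OUTPUT, baseline):
        print(f"port {port} ({proc}) is listening but not in the baseline")
```

On the sample data this flags telnet (port 23, via inetd) and the portmapper (port 111); each finding is a service to stop and disable in the service manager, or to justify and add to the baseline.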



1.4 Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk

o DOS / DDOS (Denial of Service / Distributed Denial of Service) - These attacks are meant to disrupt (deny) service to real users who need or want that service.  A DDOS attack comes from a large collection of unknowing users whose computers have been turned into "zombies."  There are several types of DOS attacks:

  • Smurf - an attack that uses the Internet Control Message Protocol (ICMP) echo reply, or ping.  During a smurf attack, the attacker sends a large number of "ping" packets to a network's broadcast address with the source address changed to the victim.  This causes the entire network to reply to the ping and flood the victim with traffic.
  • Fraggle - this attack is similar to a smurf attack except it uses the User Datagram Protocol (UDP), not ICMP.  Modified UDP packets are sent to a broadcast address to either port 7, which is ECHO, or port 19, CHARGEN.
  • Ping flood - this DOS attack sends a large number of ping requests to the victim.
  • Ping of death - this is a type of ping flood with packets that are too large, which can crash the OS.
  • SYN flood - this sends a large number of synchronization (SYN) requests to the victim, which replies with a SYN-ACK but never receives the acknowledgment (ACK), leaving a large number of half-open TCP sessions.  There is a wait before the port is reset, so the connection table can overflow, denying legitimate users access.
  • LAND - this attack is when a fake SYN packet is sent with the IP address and port the same for both the source and destination, which "confuses" the OS and may crash it.
  • Teardrop - this attack sends UDP packets that are fragmented, but when the OS tries to create the original UDP packet, some of the fragments overlap and can crash the OS.
  • Bonk - this is an attack where corrupt UDP packets are sent to port 53 (DNS), which can crash the OS.
  • Boink - this is similar to a bonk attack, except more ports are targeted.
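Several of the attacks above leave a recognizable trace in connection records, which is where a defender spots them. The following is an added example, not from the original page: it reads constructed flow records in a simplified "timestamp protocol source -> destination flags" layout (the records and addresses are invented) and flags three patterns the notes describe: a source with many SYNs that never completed a handshake (SYN flood), ICMP or UDP sent to the protected network's broadcast address (the amplification step of smurf and fraggle), and a packet whose source and destination are identical (LAND).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed flow records: "ts proto src -> dst flags" (invented hosts and times).
SAMPLE_FLOWS = """\
2007-07-28T14:00:01 TCP 203.0.113.9:51000 -> 192.0.2.10:80 S
2007-07-28T14:00:01 TCP 192.0.2.10:80 -> 203.0.113.9:51000 SA
2007-07-28T14:00:01 TCP 203.0.113.9:51000 -> 192.0.2.10:80 A
2007-07-28T14:00:02 TCP 198.51.100.20:40001 -> 192.0.2.10:80 S
2007-07-28T14:00:02 TCP 198.51.100.20:40002 -> 192.0.2.10:443 S
2007-07-28T14:00:02 TCP 198.51.100.20:40003 -> 192.0.2.10:25 S
2007-07-28T14:00:02 TCP 198.51.100.20:40004 -> 192.0.2.10:22 S
2007-07-28T14:00:03 ICMP 198.51.100.7 -> 192.0.2.255 echo-request
2007-07-28T14:00:03 UDP 198.51.100.8:7 -> 192.0.2.255:19 data
2007-07-28T14:00:04 TCP 192.0.2.10:80 -> 192.0.2.10:80 S
"""

FLOW = re.compile(r"^(\S+) (TCP|UDP|ICMP) (\S+) -> (\S+) (\S+)$")

def split_endpoint(ep):
    """'192.0.2.10:80' -> ('192.0.2.10', 80); a bare address gets port None."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (ep, None)

def analyze_flows(text, protected_net, half_open_threshold=3):
    broadcast = ipaddress.ip_network(protected_net).broadcast_address
    half_open = defaultdict(set)   # client ip -> {(client port, server ip, server port)} with SYN but no ACK
    findings = {"syn_flood_sources": [], "directed_broadcast": [], "land": []}
    for line in text.splitlines():
        m = FLOW.match(line.strip())
        if not m:
            continue
        _ts, proto, src, dst, info = m.groups()
        (sip, sport), (dip, dport) = split_endpoint(src), split_endpoint(dst)
        if (sip, sport) == (dip, dport):            # LAND: source and destination identical
            findings["land"].append(src)
        elif proto == "TCP" and info == "S":        # client SYN opens a half-open entry
            half_open[sip].add((sport, dip, dport))
        elif proto == "TCP" and info == "A":        # client ACK completes the handshake
            half_open[sip].discard((sport, dip, dport))
        elif proto in ("ICMP", "UDP") and ipaddress.ip_address(dip) == broadcast:
            findings["directed_broadcast"].append((proto, sip, dip))   # smurf / fraggle amplification
    findings["syn_flood_sources"] = sorted(
        ip for ip, entries in half_open.items() if len(entries) >= half_open_threshold)
    return findings

if __name__ == "__main__":
    for kind, hits in analyze_flows(SAMPLE_FLOWS, "192.0.2.0/24").items():
        print(f"{kind}: {hits}")
```

The legitimate client (203.0.113.9) completes its handshake and is never reported; the flood source leaves four half-open entries and is. The usual responses are the ones implied by the patterns: refuse ICMP and UDP addressed to your broadcast address at the border, drop packets whose source equals their destination, and shorten the time a half-open connection is allowed to occupy a table slot.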


o Back Door - A backdoor is a "hole" in functional software usually left in by the programmer to allow a support technician into the computer.  If these are unpatched, malicious users may enter your computer through it.  Some well-known examples include Back Orifice, NetBus, and SubSeven.  To avoid possible damage from back doors, only use software from trusted sources, and update that software regularly.


o Spoofing - Spoofing is the modification of data so it appears to come from a different source.  For example, an attacker could find the IP address of a computer within a network, then "spoof" his or her IP address to pretend to be that computer.  The potential danger may be lessened by blocking traffic from the outside that claims to be from the inside of the network.
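The mitigation just described is usually called ingress filtering; the mirror-image rule (drop traffic leaving your network whose source is not one of your own addresses) is egress filtering, and it stops your hosts from being used to spoof others. The example below is added here and is not from the original page; the internal address ranges are constructed, and the "outside"/"inside" interface names are assumed labels for the two sides of a border device.

```python
import ipaddress

# Constructed: the address blocks this site legitimately uses inside its border.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.0.0.0/8")]

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def border_decision(interface, src_ip):
    """interface is 'outside' (packet arriving from the Internet) or 'inside' (packet leaving)."""
    src = ipaddress.ip_address(src_ip)
    if src.is_loopback or src.is_unspecified:
        return "drop: loopback or unspecified source can never be genuine on the wire"
    if interface == "outside" and is_internal(src):
        return "drop: internal source address arriving from outside (spoofed, ingress filter)"
    if interface == "inside" and not is_internal(src):
        return "drop: foreign source address leaving the network (egress filter)"
    return "accept"

def apply_filter(packets):
    """packets: iterable of (interface, source ip); returns the decision for each."""
    return [(iface, src, border_decision(iface, src)) for iface, src in packets]

if __name__ == "__main__":
    sample = [("outside", "192.0.2.7"), ("outside", "203.0.113.5"),   # constructed traffic
              ("inside", "10.1.2.3"), ("inside", "203.0.113.5"), ("outside", "127.0.0.1")]
    for iface, src, verdict in apply_filter(sample):
        print(f"{iface:7} {src:15} {verdict}")
```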


o Man in the Middle - In a Man in the Middle attack, an attacker secretly sits between two or more communicating computers and can modify information or merely spy on a session of communication between the computers.  Strong encryption can help to lessen the danger from a man in the middle attack.


o Replay - A replay attack is capturing data then extracting authentication information from that data and sending it to authenticate the hacker.  One way to avoid this is using time stamps, which limit the length of time the authentication information is valid.


o TCP/IP Hijacking - This attack occurs when an attacker actually "hijacks," or takes over, an IP session between two computers.  It often starts as a man in the middle attack, after which the client is kicked off.  This can be prevented by forcing users to reauthenticate before allowing transactions or even cookies.


o Weak Keys - This is an attack on poor encryption.


o Mathematical - This attack tries to break encryption based on mathematical structure.


o Social Engineering - A social engineering attack is exploiting users, not PCs, and using trust and emotions to gain information.


o Password Guessing - this attack is on authentication, and is usually an attempt to crack passwords.  The best way to limit the effectiveness of these attacks is to require long, complex passwords, require passwords to change on a regular basis (while not allowing the same password to be used twice), and to limit the number of logon attempts before locking an account.  However, requiring passwords that are too complex may result in the users writing passwords down near the computer, which is very unsafe.  There are several password guessing attacks:

  • Brute Force - This attack tries every possible combination of letters, numbers, symbols, and punctuation to try to crack a password.  It takes a considerable amount of time, but can crack any password if given the proper amount of time.
  • Birthday - A birthday attack is a type of brute force attack that uses hashing.  In a group of 23 people, there is a probability of more than 50% that two or more people have the same birthday.  A birthday attack uses similar logic to try and find another object with the same hash.
  • Dictionary - This attack uses words and phrases from a "dictionary," or list of common words and passwords, to try and crack simple passwords.  Some forms replace letters with numbers that are commonly substituted for those letters.
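The defences listed above (length and complexity, no reuse, lockout after a few failures) and the birthday figure are all easy to check in code. The following is an added example, not from the original page: a policy check that also undoes the common letter-for-number substitutions before the dictionary test (so "P@ssw0rd" is treated as "password"), an account object that locks after a configurable number of failures, and the birthday calculation carried through for 23 people. The word list is a tiny constructed stand-in for a real one, and the hashing uses PBKDF2 with a per-account random salt so that stored and historical hashes are not themselves easy to guess from.

```python
import hashlib
import hmac
import os
import re

# Common substitutions undone before the dictionary check ("P@ssw0rd" -> "password").
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
# Constructed stand-in for a real wordlist, which would be far larger.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "summer", "dragon"}
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")

def hash_password(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

def policy_violations(pw, history=(), min_length=12, min_classes=3):
    """history: iterable of (salt, hash) for the account's previous passwords."""
    issues = []
    if len(pw) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if sum(bool(re.search(p, pw)) for p in CLASSES) < min_classes:
        issues.append(f"fewer than {min_classes} character classes")
    normalized = pw.lower().translate(LEET)
    if any(word in normalized for word in COMMON_WORDS):
        issues.append("based on a dictionary word")
    if any(hmac.compare_digest(hash_password(pw, s), h) for s, h in history):
        issues.append("reused previous password")
    return issues

class Account:
    """Locks after max_attempts consecutive failures; a success resets the counter."""
    def __init__(self, password, max_attempts=5):
        self.salt = os.urandom(16)
        self.hash = hash_password(password, self.salt)
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False
    def login(self, attempt):
        if self.locked:
            return "locked"
        if hmac.compare_digest(hash_password(attempt, self.salt), self.hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
            return "locked"
        return "denied"

def birthday_collision_probability(n, space=365):
    """Chance that at least two of n random draws from `space` values coincide."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space
    return 1 - p_all_distinct

if __name__ == "__main__":
    print(policy_violations("P@ssw0rd"))
    print(policy_violations("Tr0ub4dor&3Xyz!"))
    acct = Account("Tr0ub4dor&3Xyz!", max_attempts=3)
    print([acct.login(g) for g in ("guess1", "guess2", "guess3", "Tr0ub4dor&3Xyz!")])
    print(f"23 people: {birthday_collision_probability(23):.3f}")
```

The same `birthday_collision_probability` function, with `space` set to 2 to the power of the hash length, gives the chance that two inputs share a hash, which is the reasoning behind the birthday attack in the note above.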


o Software Exploitation - These are attacks based on weaknesses and vulnerabilities in the software on a computer.  The main method is a buffer overflow, which occurs when more data is sent in than the software is able to handle, crashing the system.  The best way to avoid this is by frequently updating the software.


1.5 Recognize the following types of malicious code and specify the appropriate actions to take to mitigate vulnerability and risk

o Viruses - A virus is a type of malicious code that "infects" other files and spreads when those files are exchanged.  Well-known viruses include "Stoned," "Michelangelo," "Jerusalem," "Cascade," and "Melissa" (a later worm was also named Melissa).  Please note that there are always many virus hoax e-mails circulating.  Do not pay any attention to them or forward them to anybody.  There are many types of viruses including, but not limited to:

  • Boot-sector - these viruses infect the first sector of the hard drive or floppy drives.  So, when the computer starts up, the virus is loaded into the memory.  These can be detected and removed with antivirus software.
  • Master Boot Record - these are similar to boot sector viruses, but instead infect the master boot record.
  • Multipartite - these viruses infect the boot record and files, complicating repair efforts.  If one part is deleted but not the other, the computer will be re-infected.
  • Polymorphic - polymorphic viruses change in some way each time they run.  This is to make them more difficult to detect by antivirus software.  These can still be detected with updated signatures and behavior-based scanning.
  • Retro - a retrovirus attempts to attack antimalware software and its database, or attempts to bypass it.
  • Stealth - stealth viruses attempt to hide themselves and redirect commands concerning them.  They may also move from one file to another while a scan is being done.  For example, some modify the reported file size.
  • Macro - these viruses are included in Microsoft Office documents and infect the computer the documents are opened on.  Disabling macros can stop these from spreading.
  • Armored - armored viruses often contain some code to limit the ability for debugging programs to analyze their code, or make parts of the code to act as a decoy.  This helps to allow the virus to last longer without antivirus vendors being able to create signatures to remove it.


o Trojan Horses - Trojan horses often come with software that pretends to be legitimate and are triggered when that program is used.  They, unlike viruses, do not replicate themselves.  Well-known trojans include "Acid Rain," "Vundo," "Nuker," and "Simpsons."  Good antimalware programs can remove these, but reading the license agreement for software and avoiding downloading unknown software is the best way to prevent Trojan Horses from ever being installed.


o Logic Bombs - Logic bombs are malicious code that wait for a specified condition, such as a date, before taking action.  Having an independent consultant review a program's code can help to prevent an employee from inserting a logic bomb.


o Worms - A worm is a type of malicious code that is able to self-replicate and spread to other systems.  These often exploit unpatched vulnerabilities.  Several popular examples include "Code Red," "Netsky," "Nimda," "Badtrans," "Bagle," "Blaster," "Sasser," and "Morris."


1.6 Understand the concept of and know how to reduce the risks of social engineering

 

Social Engineering is an attack on human character instead of technology.  For example, an administrator might receive a call from someone claiming to be the company's vice president who says that he or she forgot his or her password and needs it for an important meeting.  The administrator might feel sympathy that clouds his or her judgement and might give the person the password.  Training is usually the best method of avoiding social engineering attacks.


 


1.7 Understand the concept and significance of auditing, logging and system scanning

 

Logging is noting system and/or network information for possible use in the future.

Auditing is analyzing information about a user and/or event, which often uses logged information.

System (Vulnerability) Scanning is scanning one's own network for vulnerabilities using tools that are often used for malicious purposes.
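Auditing in the sense used here means going back over logged events and asking questions of them. The example below is added and is not from the original page: it parses constructed sshd-style authentication log lines (the hosts, users and times are invented) and flags one pattern an auditor looks for, a successful logon that follows several failures from the same source within a short window, which is what a password-guessing attack looks like once it succeeds. It also totals failures per source so the noisy sources stand out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (not from a real host).
SAMPLE_LOG = """\
Jul 28 14:01:02 fileserver sshd[812]: Failed password for alice from 198.51.100.20 port 50231 ssh2
Jul 28 14:01:05 fileserver sshd[812]: Failed password for alice from 198.51.100.20 port 50232 ssh2
Jul 28 14:01:09 fileserver sshd[812]: Failed password for invalid user admin from 198.51.100.20 port 50233 ssh2
Jul 28 14:01:14 fileserver sshd[812]: Failed password for alice from 198.51.100.20 port 50234 ssh2
Jul 28 14:01:30 fileserver sshd[812]: Accepted password for alice from 198.51.100.20 port 50240 ssh2
Jul 28 14:05:00 fileserver sshd[812]: Failed password for bob from 10.0.0.5 port 40000 ssh2
Jul 28 14:05:07 fileserver sshd[812]: Accepted password for bob from 10.0.0.5 port 40001 ssh2
"""

AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

def parse_auth_line(line):
    """Return (timestamp, 'Failed'|'Accepted', user, source ip) or None for other lines."""
    m = AUTH_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog timestamps omit the year
    return ts, m["result"], m["user"], m["src"]

def audit(log_text, threshold=3, window=timedelta(minutes=10)):
    """Flag successful logons preceded by `threshold` or more failures from the same source."""
    recent = defaultdict(deque)          # source ip -> timestamps of failures inside the window
    failures_by_source = defaultdict(int)
    suspicious = []
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        q = recent[src]
        while q and ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            failures_by_source[src] += 1
        elif len(q) >= threshold:
            suspicious.append((src, user, len(q)))
            q.clear()
    return {"suspicious_successes": suspicious,
            "failures_by_source": dict(failures_by_source)}

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for src, user, n in report["suspicious_successes"]:
        print(f"{src} logged in as {user} after {n} recent failures")
    print("failures by source:", report["failures_by_source"])
```

On the sample, alice's logon from 198.51.100.20 after four failures (one of them against a non-existent account) is reported; bob's single slip from 10.0.0.5 is not. The point of logging first and auditing second is exactly this: the raw lines are kept whether or not anyone is watching, and the questions can be asked later.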

 


Resources:

PrepLogic Security+ Mega Guide - http://www.preplogic.com/products/mega-guides/mega-guides-product-details.asp?eid=129

CompTIA Security+ TechNotes, "Access Control" and "Authentication" - http://www.techexams.net/technotes/securityplus/mac_dac_rbac.shtml and http://www.techexams.net/technotes/securityplus/authentication.shtml

CompTIA Security+ Certification - http://certification.comptia.org/security/

Exam Cram CompTIA Security+, Que Publishing, July 2006, ISBN 0-7897-2910-5.

 

 


This page was last modified on 07/28/07 02:08 PM