CIT 016 Review for Final

About This Presentation

Title:

CIT 016 Review for Final

Description:

CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition Defining Information Security Three characteristics of information must be ... – PowerPoint PPT presentation

Number of Views:189

Avg rating:3.0/5.0

Slides: 143

Provided by: lba116

Learn more at: https://hills.ccsf.edu

Category:

more less

Transcript and Presenter's Notes

Title: CIT 016 Review for Final

1
CIT 016Review for Final

Security Guide to Network Security Fundamentals
Second Edition

2
Defining Information Security

Three characteristics of information must be
protected by information security
Confidentiality
Integrity
Availability
Information security achieved through a
combination of three entities

3
Importance of Information Security

Information security is important to businesses
Prevents data theft
Avoids legal consequences of not securing
information
Maintains productivity
Foils cyberterrorism
Thwarts identity theft

4
Preventing Data Theft

Theft of data is single largest cause of
financial loss due to a security breach
One of the most important objectives of
information security is to protect important
business and personal data from theft

5
Developing Attacker Profiles

Six categories
Hackers
Crackers
Script kiddies
Spies
Employees
Cyberterrorists

6
Developing Attacker Profiles
7
Hackers

Person who uses advanced computer skills to
attack computers, but not with a malicious intent
Use their skills to expose security flaws
Know that breaking in to a system is illegal but
do not intend on committing a crime
Hacker code of ethics
Target should have had better security

8
Crackers

Person who violates system security with
malicious intent
Have advanced knowledge of computers and networks
and the skills to exploit them
Destroy data, deny legitimate users of service,
or otherwise cause serious problems on computers
and networks

9
Script Kiddies

Break into computers to create damage
Not as skilled as Crackers
Download automated hacking software from Web
sites and use it to break into computers
Tend to be young computer users with large
amounts of leisure time, which they can use to
attack systems

10
Spies

Person hired to break into a computer and steal
information
Do not randomly search for unsecured computers to
attack
Hired to attack a specific computer that contains
sensitive information
Possess excellent computer skills
Could also use social engineering to gain access
to a system
Financially motivated

11
Employees

One of the largest information security threats
to business
Employees break into their companys computer for
these reasons
To show the company a weakness in their security
Being overlooked, revenge
For money
Inside of network is often vulnerable because
security focus is at the perimeter
Unskilled user could inadvertently launch virus,
worm or spyware

12
Cyberterrorists

Experts fear terrorists will attack the network
and computer infrastructure to cause panic
Cyberterrorists motivation may be defined as
ideology, or attacking for the sake of their
principles or beliefs
Targets that are high on the cyberterrorists list
are
Infrastructure outages
Internet itself

13
Cyberterrorists (continued)

Three goals of a cyberattack
Deface electronic information to spread
disinformation and propaganda
Deny service to legitimate computer users
Commit unauthorized intrusions into systems and
networks that result in critical infrastructure
outages and corruption of vital data

14
Understanding Security Principles

Ways information can be attacked
Crackers can launch distributed denial-of-service
(DDoS) attacks through the Internet
Spies can use social engineering
Employees can guess other users passwords
Hackers can create back doors
Protecting against the wide range of attacks
calls for a wide range of defense mechanisms

15
Layering

Layered security approach has the advantage of
creating a barrier of multiple defenses that can
be coordinated to thwart a variety of attacks
Information security likewise must be created in
layers
All the security layers must be properly
coordinated to be effective

16
Layering (continued)
17
Limiting

Limiting access to information reduces the threat
against it
Only those who must use data should have access
to it
Access must be limited for a subject (a person or
a computer program running on a system) to
interact with an object (a computer or a database
stored on a server)
The amount of access granted to someone should be
limited to what that person needs to know or do

18
Limiting (continued)
19
Diversity

Diversity is closely related to layering
You should protect data with diverse layers of
security, so if attackers penetrate one layer,
they cannot use the same techniques to break
through all other layers
Using diverse layers of defense means that
breaching one security layer does not compromise
the whole system
Not just perimeter security
Possibly using different vendors
Increased administrative overhead

20
Diversity (continued)

You can set a firewall to filter a specific type
of traffic, such as all inbound traffic, and a
second firewall on the same system to filter
another traffic type, such as outbound traffic
Use application layer filtering by a Linux box
before traffic hits the firewall
Use one device as the firewall and different
device as the spam filter
Using firewalls produced by different vendors
creates even greater diversity
This could add some complexity

21
Obscurity

Obscuring what goes on inside a system or
organization and avoiding clear patterns of
behavior make attacks from the outside difficult
Network Address Translation
Port Address Translation
Internal ports different from external
External port 80 ? Internal port 8080

22
Simplicity

Complex security systems can be difficult to
understand, troubleshoot, and feel secure about
The challenge is to make the system simple from
the inside but complex from the outside

23
Using Effective Authentication Methods

Information security rests on three key pillars
Authentication
Access control (Authorization)
Auditing (Accounting)
Also Known as AAA

24
Effective Authentication Methods

Authentication
Process of providing identity
Can be classified into three main categories
what you know, what you have, what you are
Most common method providing a user with a
unique username and a secret password

25
Username and Password

ID management
Users single authenticated ID is shared across
multiple networks or online businesses
Attempts to address the problem of users having
individual usernames and passwords for each
account (thus, resorting to simple passwords that
are easy to remember)
Can be for users and for computers that share
data

26
Disabling Nonessential Systems

First step in establishing a defense against
computer attacks is to turn off all nonessential
services
Disabling services that are not necessary
restricts attackers can use
Reducing the attack surface

27
Disabling Nonessential Systems

A service can be set to one of the following
modes
Automatic
Manual
Disabled
Besides preventing attackers from attaching
malicious code to services, disabling
nonessential services blocks entries into the
system

28
Hardening Operating Systems

Hardening process of reducing vulnerabilities
A hardened system is configured and updated to
protect against attacks
Three broad categories of items should be
hardened
Operating systems
Applications that the operating system runs
Networks

29
Hardening Operating Systems

You can harden the operating system that runs on
the local client or the network operating system
(NOS) that manages and controls the network, such
as Windows Server 2003 or Novell NetWare

30
Applying Updates

Operating systems are intended to be dynamic
As users needs change, new hardware is
introduced, and more sophisticated attacks are
unleashed, operating systems must be updated on a
regular basis
However, vendors release a new version of an
operating system every two to four years
Vendors use certain terms to refer to the
different types of updates.

31
Applying Updates (continued)

A service pack (a cumulative set of updates
including fixes for problems that have not been
made available through updates) provides the
broadest and most complete update
A hotfix does not typically address security
issues instead, it corrects a specific software
problem

32
Applying Updates (continued)
33
Applying Updates (continued)

A patch or a software update fixes a security
flaw or other problem
May be released on a regular or irregular basis,
depending on the vendor or support team
A good patch management system
Design patches to update groups of computers
Include reporting system
Download patches from the Internet
Distribute patches to other computers

34
Securing the File System

Another means of hardening an operating system is
to restrict user access
Generally, users can be assigned permissions to
access folders (also called directories in DOS
and UNIX/Linux) and the files contained within
them

35
Firmware Updates

RAM is volatile?interrupting the power source
causes RAM to lose its entire contents
Read-only memory (ROM) is different from RAM in
two ways
Contents of ROM are fixed
ROM is nonvolatile?disabling the power source
does not erase its contents

36
Firmware Updates (continued)

ROM, Erasable Programmable Read-Only Memory
(EPROM), and Electrically Erasable Programmable
Read-Only Memory (EEPROM) are firmware (flash)
To erase an EPROM chip, hold the chip under
ultraviolet light so the light passes through its
crystal window
The contents of EEPROM chips can also be erased
using electrical signals applied to specific pins

37
Firmware Updates (continued)

To update a network device we copy over a new
version of the OS software to the flash memory of
the device.
This can be done via a tftp server or a compact
flash reader/writer
Router copy tftp flash
Having the firmware updated ensures the device is
not vulnerable to bugs in the OS that can be
exploited

38
Network Configuration

You must properly configure network equipment to
resist attacks
The primary method of resisting attacks is to
filter data packets as they arrive at the
perimeter of the network
In addition to making sure the perimeter is
secure, make sure the device itself is secure by
using strong passwords and encrypted connections
SSH instead of Telnet and console, vty passwords

39
Configuring Packet Filtering

The User Datagram Protocol (UDP) provides for a
connectionless TCP/IP transfer
TCP and UDP are based on port numbers
Socket combination of an IP address and a port
number
The IP address is separated from the port number
by a colon, as in 198.146.118.2080

40
Network Configuration

Rule base or access control list (ACL) rules a
network device uses to permit or deny a packet
(not to be confused with ACLs used in securing a
file system)
Rules are composed of several settings (listed on
pages 122 and 123 of the text)
Observe the basic guidelines on page 124 of the
text when creating rules

41
Network Cable Plant

Cable plant physical infrastructure of a network
(wire, connectors, and cables) used to carry data
communication signals between equipment
Three types of transmission media
Coaxial cables
Twisted-pair cables
Fiber-optic cables

42
Twisted-Pair Cables

Standard for copper cabling used in computer
networks today, replacing thin coaxial cable
Composed of two insulated copper wires twisted
around each other and bundled together with other
pairs in a jacket

43
Twisted-Pair Cables (continued)

Shielded twisted-pair (STP) cables have a foil
shielding on the inside of the jacket to reduce
interference
Unshielded twisted-pair (UTP) cables do not have
any shielding
Twisted-pair cables have RJ-45 connectors

44
Fiber-Optic Cables

Coaxial and twisted-pair cables have copper wire
at the center that conducts an electrical signal
Fiber-optic cable uses a very thin cylinder of
glass (core) at its center instead of copper that
transmit light impulses
A glass tube (cladding) surrounds the core
The core and cladding are protected by a jacket

45
Hardening Standard Network Devices

A standard network device is a typical piece of
equipment that is found on almost every network,
such as a workstation, server, switch, or router
This equipment has basic security features that
you can use to harden the devices

46
Switches and Routers

Switch
Most commonly used in Ethernet LANs
Receives a packet from one network device and
sends it to the destination device only
Limits the collision domain (part of network on
which multiple devices may attempt to send
packets simultaneously)
A switch is used within a single network
Routers connect two or more single networks to
form a larger network

47
Hardening Network Security Devices

The final category of network devices includes
those designed and used strictly to protect the
network
Include
Firewalls
Intrusion-detection systems
Network monitoring and diagnostic devices

48
Firewalls

Typically used to filter packets
Designed to prevent malicious packets from
entering the network or its computers (sometimes
called a packet filter)
Typically located outside the network security
perimeter as first line of defense
Can be software or hardware configurations

49
Firewalls (continued)

Software firewall runs as a program on a local
computer (sometimes known as a personal firewall)
Enterprise firewalls are software firewalls
designed to run on a dedicated device and protect
a network instead of only one computer
One disadvantage is that it is only as strong as
the operating system of the computer

50
Firewalls (continued)

Filter packets in one of two ways
Stateless packet filtering permits or denies
each packet based strictly on the rule base
Stateful packet filtering records state of a
connection between an internal computer and an
external server makes decisions based on
connection and rule base
Can perform content filtering to block access to
undesirable Web sites

51
Designing Network Topologies

Topology physical layout of the network devices,
how they are interconnected, and how they
communicate
Essential to establishing its security
Although network topologies can be modified for
security reasons, the network still must reflect
the needs of the organization and users

52
Security Zones

One of the keys to mapping the topology of a
network is to separate secure users from
outsiders through
Demilitarized Zones (DMZs)
Intranets
Extranets

53
Demilitarized Zones (DMZs)

Separate networks that sit outside the secure
network perimeter
Outside users can access the DMZ, but cannot
enter the secure network
For extra security, some networks use a DMZ with
two firewalls
The types of servers that should be located in
the DMZ include
Web servers E-mail servers
Remote access servers FTP servers

54
Network Address Translation (NAT)

You cannot attack what you do not see is the
philosophy behind Network Address Translation
(NAT) systems
Hides the IP addresses of network devices from
attackers
Computers are assigned special IP addresses
(known as private addresses)

55
Network Address Translation (NAT)

These IP addresses are not assigned to any
specific user or organization anyone can use
them on their own private internal network
Port address translation (PAT) is a variation of
NAT
Each packet is given the same IP address, but a
different TCP port number

56
Virtual LANs (VLANs)

Segment a network with switches to divide the
network into a hierarchy
Core switches reside at the top of the hierarchy
and carry traffic between switches
Workgroup switches are connected directly to the
devices on the network
Core switches must work faster than workgroup
switches because core switches must handle the
traffic of several workgroup switches

57
Virtual LANs (VLANs)
58
Virtual LANs (VLANs)

Segment a network by grouping similar users
together
Instead of segmenting by user, you can segment a
network by separating devices into logical groups
(known as creating a VLAN)

59
Secure/MIME (S/MIME)

Protocol that adds digital signatures and
encryption to Multipurpose Internet Mail
Extension (MIME) messages
Provides these features
Digital signatures Interoperability
Message privacy Seamless integration
Tamper detection

60
Pretty Good Privacy (PGP)

Functions much like S/MIME by encrypting messages
using digital signatures
A user can sign an e-mail message without
encrypting it, verifying the sender but not
preventing anyone from seeing the contents
First compresses the message
Reduces patterns and enhances resistance to
cryptanalysis
Creates a session key (a one-time-only secret
key)
This key is a number generated from random
movements of the mouse and keystrokes typed

61
Pretty Good Privacy (PGP)

Uses a passphrase to encrypt the private key on
the local computer
Passphrase
A longer and more secure version of a password
Typically composed of multiple words
More secure against dictionary attacks

62
Pretty Good Privacy (PGP)
63
Securing Web Communications

Most common secure connection uses the Secure
Sockets Layer/Transport Layer Security protocol
One implementation is the Hypertext Transport
Protocol over Secure Sockets Layer

64
Secure Sockets Layer (SSL)/Transport Layer
Security (TLS)

SSL protocol developed by Netscape to securely
transmit documents over the Internet
Uses private key to encrypt data transferred over
the SSL connection
Version 20 is most widely supported version
Personal Communications Technology (PCT),
developed by Microsoft, is similar to SSL

65
Secure Sockets Layer (SSL)/Transport Layer
Security (TLS)

TLS protocol guarantees privacy and data
integrity between applications communicating over
the Internet
An extension of SSL they are often referred to
as SSL/TLS
SSL/TLS protocol is made up of two layers

66
Secure Sockets Layer (SSL)/Transport Layer
Security (TLS)

TLS Handshake Protocol allows authentication
between server and client and negotiation of an
encryption algorithm and cryptographic keys
before any data is transmitted
FORTEZZA is a US government security standard
that satisfies the Defense Messaging System
security architecture
Has cryptographic mechanism that provides message
confidentiality, integrity, authentication, and
access control to messages, components, and even
systems

67
Secure Hypertext Transport Protocol (HTTPS)

One common use of SSL is to secure Web HTTP
communication between a browser and a Web server
This version is plain HTTP sent over SSL/TLS
and named Hypertext Transport Protocol over SSL
Sometimes designated HTTPS, which is the
extension to the HTTP protocol that supports it
Whereas SSL/TLS creates a secure connection
between a client and a server over which any
amount of data can be sent security, HTTPS is
designed to transmit individual messages securely

68
Tunneling Protocols

Tunneling technique of encapsulating one packet
of data within another type to create a secure
link of transportation

69
IEEE 8021x

Based on a standard established by the Institute
for Electrical and Electronic Engineers (IEEE)
Gaining wide-spread popularity
Provides an authentication framework for
802-based LANs (Ethernet, Token Ring, wireless
LANs)
Uses port-based authentication mechanisms
Switch denies access to anyone other than an
authorized user attempting to connect to the
network through that port

70
IEEE 8021x (continued)

Network supporting the 8021x protocol consists of
three elements
Supplicant client device, such as a desktop
computer or personal digital assistant (PDA),
which requires secure network access
Authenticator serves as an intermediary device
between supplicant and authentication server
Authentication server receives request from
supplicant through authenticator

71
802.1x

802.1x is a standardized framework defined by the
IEEE that is designed to provide port-based
network access.
The 802.1x framework defines three roles in the
authentication process
Supplicant endpoint that needs network access
Authenticator switch or access point
Authentication Server RADIUS, TACACS, LDAP
The authentication process consists of exchanges
of Extensible Authentication Protocol (EAP)
messages between the supplicant and the
authentication server.

72
802.1x Roles

Microsoft Windows XP includes 802.1x supplicant
support

73
Remote Authentication Dial-In User Service
(RADIUS)

Originally defined to enable centralized
authentication and access control and PPP
sessions
Requests are forwarded to a single RADIUS server
Supports authentication, authorization, and
auditing functions
After connection is made, RADIUS server adds an
accounting record to its log and acknowledges the
request
Allows company to maintain user profiles in a
central database that all remote servers can share

74
Terminal Access Control Access Control System
(TACACS)

Industry standard protocol specification that
forwards username and password information to a
centralized server (TACACS)
Whereas communication between a NAS and a TACACS
server is encrypted, communication between a
client and a NAS is not
TACACS utilizes TCP port 49.
It is a Cisco proprietary enhancement to original
TACACS protocol.

75
IP Security (IPSec) (continued)

IPSec is a set of protocols developed to support
the secure exchange of packets
Considered to be a transparent security protocol
Transparent to applications, users, and software
Provides three areas of protection that
correspond to three IPSec protocols
Authentication
Confidentiality
Key management

76
IP Security (IPSec) (continued)
77
IP Security (IPSec) (continued)

Supports two encryption modes
Transport mode encrypts only the data portion
(payload) of each packet, yet leaves the header
encrypted
Tunnel mode encrypts both the header and the data
portion
IPSec accomplishes transport and tunnel modes by
adding new headers to the IP packet
The entire original packet is then treated as the
data portion of the new packet

78
IP Security (IPSec) (continued)
79
IP Security (IPSec) (continued)

Both Authentication Header (AH) and Encapsulating
Security Payload (ESP) can be used with Transport
or Tunnel mode, creating four possible transport
mechanisms
AH in transport mode
AH in tunnel mode
ESP in transport mode
ESP in tunnel mode

80
Virtual Private Networks (VPNs)

Takes advantage of using the public Internet as
if it were a private network
Allow the public Internet to be used privately
Prior to VPNs, organizations were forced to lease
expensive data connections from private carriers
so employees could remotely connect to the
organizations network

81
Virtual Private Networks (VPNs)

Two common types of VPNs include
Remote-access VPN or virtual private dial-up
network (VPDN) user-to-LAN connection used by
remote users
Site-to-site VPN multiple sites can connect to
other sites over the Internet
VPN transmissions achieved through communicating
with endpoints
An endpoint can be software on a local computer,
a dedicated hardware device such as a VPN
concentrator, or even a firewall

82
Basic WLAN Security

Two areas
Basic WLAN security
Enterprise WLAN security
Basic WLAN security uses two new wireless tools
and one tool from the wired world
Service Set Identifier (SSID) beaconing
MAC address filtering
Wired Equivalent Privacy (WEP)

83
Service Set Identifier (SSID) Beaconing

A service set is a technical term used to
describe a WLAN network
Three types of service sets
Independent Basic Service Set (IBSS)
Basic Service Set (BSS)
Extended Service Set (ESS)
Each WLAN is given a unique SSID

84
MAC Address Filtering

Another way to harden a WLAN is to filter MAC
addresses
The MAC address of approved wireless devices is
entered on the AP
A MAC address can be spoofed
When wireless device and AP first exchange
packets, the MAC address of the wireless device
is sent in plaintext, allowing an attacker with a
sniffer to see the MAC address of an approved
device

85
Wired Equivalent Privacy (WEP)

Optional configuration for WLANs that encrypts
packets during transmission to prevent attackers
from viewing their contents
Uses shared keys?the same key for encryption and
decryption must be installed on the AP, as well
as each wireless device
A serious vulnerability in WEP is that the IV is
not properly implemented
Every time a packet is encrypted it should be
given a unique IV

86
Other Wireless Authentication Protocols

Wi-Fi Protected Access WPA
The TKIP encryption algorithm was developed for
WPA to provide improvements to WEP
WPA2
WiFi Alliance branded version of the final
802.11i standard
WPA2 support EAP authentication methods using
RADIUS servers and preshared key (PSK) based
security
802.1X
LEAP
PEAP
TKIP

87
Untrusted Network

The basic WLAN security of SSID beaconing, MAC
address filtering, and WEP encryption is not
secure enough for an organization to use
One approach to securing a WLAN is to treat it as
an untrusted and unsecure network
Requires that the WLAN be placed outside the
secure perimeter of the trusted network

88
Untrusted Network (continued)
89
Trusted Network (continued)

WPA encryption addresses the weaknesses of WEP by
using the Temporal Key Integrity Protocol (TKIP)
TKIP mixes keys on a per-packet basis to improve
security
Although WPA provides enhanced security, the IEEE
80211i solution is even more secure
80211i is expected to be released sometime in
2004

90
Cryptography Terminology

Cryptography science of transforming information
so it is secure while being transmitted or stored
Steganography attempts to hide existence of data
Encryption changing the original text to a
secret message using cryptography

91
Cryptography Terminology

Decryption reverse process of encryption
Algorithm process of encrypting and decrypting
information based on a mathematical procedure
Key value used by an algorithm to encrypt or
decrypt a message

92
Cryptography Terminology

Weak key mathematical key that creates a
detectable pattern or structure
Plaintext original unencrypted information (also
known as clear text)
Cipher encryption or decryption algorithm tool
used to create encrypted or decrypted text
Ciphertext data that has been encrypted by an
encryption algorithm

93
Cryptography Terminology (continued)
94
Defining Hashing

Hashing, also called a one-way hash, creates a
ciphertext from plaintext
Cryptographic hashing follows this same basic
approach
Hash algorithms verify the accuracy of a value
without transmitting the value itself and
subjecting it to attacks
A practical use of a hash algorithm is with
automatic teller machine (ATM) cards

95
Defining Hashing (continued)

Hashing is typically used in two ways
To determine whether a password a user enters is
correct without transmitting the password itself
To determine the integrity of a message or
contents of a file
Hash algorithms are considered very secure if the
hash that is produced has the characteristics
listed on pages 276 and 277 of the text

96
Message Digest (MD)

Message digest 2 (MD2) takes plaintext of any
length and creates a hash 128 bits long
MD2 divides the message into 128-bit sections
If the message is less than 128 bits, data known
as padding is added
Message digest 4 (MD4) was developed in 1990 for
computers that processed 32 bits at a time
Takes plaintext and creates a hash of 128 bits
The plaintext message itself is padded to a
length of 512 bits

97
Message Digest (MD)

Message digest 5 (MD5) is a revision of MD4
designed to address its weaknesses
The length of a message is padded to 512 bits
The hash algorithm then uses four variables of 32
bits each in a round-robin fashion to create a
value that is compressed to generate the hash

98
Secure Hash Algorithm (SHA)

Patterned after MD4 but creates a hash that is
160 bits in length instead of 128 bits
The longer hash makes it more resistant to
attacks
SHA pads messages less than 512 bits with zeros
and an integer that describes the original length
of the message

99
Protecting with Symmetric Encryption Algorithms

A block cipher manipulates an entire block of
plaintext at one time
The plaintext message is divided into separate
blocks of 8 to 16 bytes and then each block is
encrypted independently
The blocks can be randomized for additional
security

100
Data Encryption Standard (DES)

One of the most popular symmetric cryptography
algorithms
DES is a block cipher and encrypts data in 64-bit
blocks
The 8-bit parity bit is ignored so the effective
key length is only 56 bits
DES encrypts 64-bit plaintext by executing the
algorithm 16 times
The four modes of DES encryption are summarized
on pages 282 and 283

101
Triple Data Encryption Standard (3DES)

Uses three rounds of encryption instead of just
one
The ciphertext of one round becomes the entire
input for the second iteration
Employs a total of 48 iterations in its
encryption (3 iterations times 16 rounds)
The most secure versions of 3DES use different
keys for each round

102
Advanced Encryption Standard (AES)

Approved by the NIST in late 2000 as a
replacement for DES
Process began with the NIST publishing
requirements for a new symmetric algorithm and
requesting proposals
Requirements stated that the new algorithm had to
be fast and function on older computers with
8-bit, 32-bit, and 64-bit processors

103
Advanced Encryption Standard (AES)

Performs three steps on every block (128 bits) of
plaintext
Within step 2, multiple rounds are performed
depending upon the key size
128-bit key performs 9 rounds
192-bit key performs 11 rounds
256-bit key uses 13 rounds

104
Hardening with Asymmetric Encryption Algorithms

The primary weakness of symmetric encryption
algorithm is keeping the single key secure
This weakness, known as key management, poses a
number of significant challenges
Asymmetric encryption (or public key
cryptography) uses two keys instead of one
The private key typically is used to encrypt the
message
The public key decrypts the message

105
Hardening with Asymmetric Encryption Algorithms
106
Rivest Shamir Adleman (RSA)

Asymmetric algorithm published in 1977 and
patented by MIT in 1983
Most common asymmetric encryption and
authentication algorithm
Included as part of the Web browsers from
Microsoft and Netscape as well as other
commercial products
Multiplies two large prime numbers

107
Diffie-Hellman

Unlike RSA, the Diffie-Hellman algorithm does not
encrypt and decrypt text
Strength of Diffie-Hellman is that it allows two
users to share a secret key securely over a
public network
Once the key has been shared, both parties can
use it to encrypt and decrypt messages using
symmetric cryptography

108
Elliptic Curve Cryptography

First proposed in the mid-1980s
Instead of using prime numbers, uses elliptic
curves
An elliptic curve is a function drawn on an X-Y
axis as a gently curved line
By adding the values of two points on the curve,
you can arrive at a third point on the curve

109
Understanding How to Use Cryptography

Cryptography can provide a major defense against
attackers
If an e-mail message or data stored on a file
server is encrypted, even a successful attempt to
steal that information will be of no benefit if
the attacker cannot read it

110
Understanding Cryptography Strengths and
Vulnerabilities

Cryptography is science of scrambling data so
it cannot be viewed by unauthorized users, making
it secure while being transmitted or stored
When the recipient receives encrypted text or
another user wants to access stored information,
it must be decrypted with the cipher and key to
produce the original plaintext

111
Symmetric Cryptography Strengths and Weaknesses

Identical keys are used to both encrypt and
decrypt the message
Popular symmetric cipher algorithms include Data
Encryption Standard, Triple Data Encryption
Standard, Advanced Encryption Standard, Rivest
Cipher, International Data Encryption Algorithm,
and Blowfish
Disadvantages of symmetric encryption relate to
the difficulties of managing the private key

112
Asymmetric Cryptography Strengths and
Vulnerabilities

With asymmetric encryption, two keys are used
instead of one
The private key encrypts the message
The public key decrypts the message

113
Digital Signatures

Asymmetric encryption allows you to use either
the public or private key to encrypt a message
the receiver uses the other key to decrypt the
message
A digital signature helps to prove that
The person sending the message with a public key
is who they claim to be
The message was not altered
It cannot be denied the message was sent

114
Digital Certificates

Digital documents that associate an individual
with its specific public key
Data structure containing a public key, details
about the key owner, and other optional
information that is all digitally signed by a
trusted third party

115
Certification Authority (CA)

The owner of the public key listed in the digital
certificate can be identified to the CA in
different ways
By their e-mail address
By additional information that describes the
digital certificate and limits the scope of its
use
Revoked digital certificates are listed in a
Certificate Revocation List (CRL), which can be
accessed to check the certificate status of other
users

116
Certification Authority (CA)

The CA must publish the certificates and CRLs to
a directory immediately after a certificate is
issued or revoked so users can refer to this
directory to see changes
Can provide the information in a publicly
accessible directory, called a Certificate
Repository (CR)
Some organizations set up a Registration
Authority (RA) to handle some CA, tasks such as
processing certificate requests and
authenticating users

117
Understanding Public Key Infrastructure (PKI)

Weaknesses associated with asymmetric
cryptography led to the development of PKI
A CA is an important trusted party who can sign
and issue certificates for users
Some of its tasks can also be performed by a
subordinate function, the RA
Updated certificates and CRLs are kept in a CR
for users to refer to

118
The Need for PKI
119
Description of PKI

Manages keys and identity information required
for asymmetric cryptography, integrating digital
certificates, public key cryptography, and CAs
For a typical enterprise
Provides end-user enrollment software
Integrates corporate certificate directories
Manages, renews, and revokes certificates
Provides related network services and security
Typically consists of one or more CA servers and
digital certificates that automate several tasks

120
PKI Standards and Protocols

A number of standards have been proposed for PKI
Public Key Cryptography Standards (PKCS)
X509 certificate standards

121
Public Key Cryptography Standards (PKCS)

Numbered set of standards that have been defined
by the RSA Corporation since 1991
Composed of 15 standards detailed on pages 318
and 319 of the text

122
X509 Digital Certificates

X509 is an international standard defined by the
International Telecommunication Union (ITU) that
defines the format for the digital certificate
Most widely used certificate format for PKI
X509 is used by Secure Socket Layers
(SSL)/Transport Layer Security (TLS), IP Security
(IPSec), and Secure/Multipurpose Internet Mail
Extensions (S/MIME)

123
X509 Digital Certificates
124
Trust Models

Refers to the type of relationship that can exist
between people or organizations
In the direct trust, a personal relationship
exists between two individuals
Third-party trust refers to a situation in which
two individuals trust each other only because
each individually trusts a third party
The three different PKI trust models are based on
direct and third-party trust

125
Hardening Physical Security with Access Controls

Adequate physical security is one of the first
lines of defense against attacks
Protects equipment and the infrastructure itself
Has one primary goal to prevent unauthorized
users from reaching equipment to use, steal, or
vandalize

126
Hardening Physical Security with Access Controls

Configure an operating system to enforce access
controls through an access control list (ACL), a
table that defines the access rights each subject
has to a folder or file
ACLs are also configured on network devices to
permit or deny packets to the network.
Access control also refers to restricting
physical access to computers or network devices

127
Controlling Access with Physical Barriers

Most servers are rack-mounted servers
A rack-mounted server is 175 inches (445 cm) tall
and can be stacked with up to 50 other servers in
a closely confined area
Rack-mounted units are typically connected to a
KVM (keyboard, video, mouse) switch, which in
turn is connected to a single monitor, mouse, and
keyboard

128
Controlling Access with Physical Barriers

In addition to securing a device itself, you
should also secure the room containing the device
Two basic types of door locks require a key
A preset lock (key-in-knob lock) requires only a
key for unlocking the door from the outside
A deadbolt lock extends a solid metal bar into
the door frame for extra security
To achieve the most security when using door
locks, observe the good practices listed on pages
345 and 346 of the text

129
Controlling Access with Physical Barriers

Cipher locks are combination locks that use
buttons you push in the proper sequence to open
the door
Can be programmed to allow only the code of
certain people to be valid on specific dates and
times
Basic models can cost several hundred dollars
each while advanced models can run much higher
Users must be careful to conceal which buttons
they push to avoid someone seeing the combination
(shoulder surfing)

130
Limiting Wireless Signal Range

Use the following techniques to limit the
wireless signal range
Relocate the access point
Add directional antenna
Reduce power
Cover the device
Modify the building

131
Reducing the Risk of Fires

Systems can be classified as
Water sprinkler systems that spray the room with
pressurized water
Dry chemical systems that disperse a fine, dry
powder over the fire
Clean agent systems that do not harm people,
documents, or electrical equipment in the room

132
Types of Security Policies
133
Types of Security Policies
134
Acceptable Use Policy (AUP)

Defines what actions users of a system may
perform while using computing and networking
equipment
Should have an overview regarding what is covered
by this policy
Unacceptable use should also be outlined

135
Understanding Identity Management (continued)

Four key elements
Single sign-on (SSO)
Password synchronization
Password resets
Access management

136
Understanding Identity Management (continued)

SSO allows user to log on one time to a network
or system and access multiple applications and
systems based on that single password
Password synchronization also permits a user to
use a single password to log on to multiple
servers
Instead of keeping a repository of user
credentials, password synchronization ensures the
password is the same for every application to
which a user logs on

137
Understanding Identity Management (continued)

Password resets reduce costs associated with
password-related help desk calls
Identity management systems let users reset their
own passwords and unlock their accounts without
relying on the help desk
Access management software controls who can
access the network while managing the content and
business that users can perform while online

138
Auditing Privileges

You should regularly audit the privileges that
have been assigned
Without auditing, it is impossible to know if
users have been given too many unnecessary
privileges and are creating security
vulnerabilities

139
Usage Audit

Process of reviewing activities a user has
performed on the system or network
Provides a detailed history of every action, the
date and time, the name of the user, and other
information

140
Usage Audits (continued)
141
Privilege Audit

Reviews privileges that have been assigned to a
specific user, group, or role
Begins by developing a list of the expected
privileges of a user

142
Escalation Audits

Reviews of usage audits to determine if
privileges have unexpectedly escalated
Privilege escalation attack attacker attempts to
escalate her privileges without permission
Certain programs on Mac OS X use a special area
in memory called an environment variable to
determine where to write certain information

Write a Comment

User Comments (0)