CIT 016 Review for Final - PowerPoint PPT Presentation

About This Presentation
Title:

CIT 016 Review for Final

Description:

CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition Defining Information Security Three characteristics of information must be ... – PowerPoint PPT presentation

Number of Views:203
Avg rating:3.0/5.0
Slides: 143
Provided by: lba116
Learn more at: https://hills.ccsf.edu
Category:
Tags: cit | algorithm | final | review | ring | token | work

less

Transcript and Presenter's Notes

Title: CIT 016 Review for Final


1
CIT 016Review for Final
  • Security Guide to Network Security Fundamentals
  • Second Edition

2
Defining Information Security
  • Three characteristics of information must be
    protected by information security
  • Confidentiality
  • Integrity
  • Availability
  • Information security achieved through a
    combination of three entities

3
Importance of Information Security
  • Information security is important to businesses
  • Prevents data theft
  • Avoids legal consequences of not securing
    information
  • Maintains productivity
  • Foils cyberterrorism
  • Thwarts identity theft

4
Preventing Data Theft
  • Theft of data is single largest cause of
    financial loss due to a security breach
  • One of the most important objectives of
    information security is to protect important
    business and personal data from theft

5
Developing Attacker Profiles
  • Six categories
  • Hackers
  • Crackers
  • Script kiddies
  • Spies
  • Employees
  • Cyberterrorists

6
Developing Attacker Profiles
7
Hackers
  • Person who uses advanced computer skills to
    attack computers, but not with a malicious intent
  • Use their skills to expose security flaws
  • Know that breaking in to a system is illegal but
    do not intend on committing a crime
  • Hacker code of ethics
  • Target should have had better security

8
Crackers
  • Person who violates system security with
    malicious intent
  • Have advanced knowledge of computers and networks
    and the skills to exploit them
  • Destroy data, deny legitimate users of service,
    or otherwise cause serious problems on computers
    and networks

9
Script Kiddies
  • Break into computers to create damage
  • Not as skilled as Crackers
  • Download automated hacking software from Web
    sites and use it to break into computers
  • Tend to be young computer users with large
    amounts of leisure time, which they can use to
    attack systems

10
Spies
  • Person hired to break into a computer and steal
    information
  • Do not randomly search for unsecured computers to
    attack
  • Hired to attack a specific computer that contains
    sensitive information
  • Possess excellent computer skills
  • Could also use social engineering to gain access
    to a system
  • Financially motivated

11
Employees
  • One of the largest information security threats
    to business
  • Employees break into their companys computer for
    these reasons
  • To show the company a weakness in their security
  • Being overlooked, revenge
  • For money
  • Inside of network is often vulnerable because
    security focus is at the perimeter
  • Unskilled user could inadvertently launch virus,
    worm or spyware

12
Cyberterrorists
  • Experts fear terrorists will attack the network
    and computer infrastructure to cause panic
  • Cyberterrorists motivation may be defined as
    ideology, or attacking for the sake of their
    principles or beliefs
  • Targets that are high on the cyberterrorists list
    are
  • Infrastructure outages
  • Internet itself

13
Cyberterrorists (continued)
  • Three goals of a cyberattack
  • Deface electronic information to spread
    disinformation and propaganda
  • Deny service to legitimate computer users
  • Commit unauthorized intrusions into systems and
    networks that result in critical infrastructure
    outages and corruption of vital data

14
Understanding Security Principles
  • Ways information can be attacked
  • Crackers can launch distributed denial-of-service
    (DDoS) attacks through the Internet
  • Spies can use social engineering
  • Employees can guess other users passwords
  • Hackers can create back doors
  • Protecting against the wide range of attacks
    calls for a wide range of defense mechanisms

15
Layering
  • Layered security approach has the advantage of
    creating a barrier of multiple defenses that can
    be coordinated to thwart a variety of attacks
  • Information security likewise must be created in
    layers
  • All the security layers must be properly
    coordinated to be effective

16
Layering (continued)
17
Limiting
  • Limiting access to information reduces the threat
    against it
  • Only those who must use data should have access
    to it
  • Access must be limited for a subject (a person or
    a computer program running on a system) to
    interact with an object (a computer or a database
    stored on a server)
  • The amount of access granted to someone should be
    limited to what that person needs to know or do

18
Limiting (continued)
19
Diversity
  • Diversity is closely related to layering
  • You should protect data with diverse layers of
    security, so if attackers penetrate one layer,
    they cannot use the same techniques to break
    through all other layers
  • Using diverse layers of defense means that
    breaching one security layer does not compromise
    the whole system
  • Not just perimeter security
  • Possibly using different vendors
  • Increased administrative overhead

20
Diversity (continued)
  • You can set a firewall to filter a specific type
    of traffic, such as all inbound traffic, and a
    second firewall on the same system to filter
    another traffic type, such as outbound traffic
  • Use application layer filtering by a Linux box
    before traffic hits the firewall
  • Use one device as the firewall and different
    device as the spam filter
  • Using firewalls produced by different vendors
    creates even greater diversity
  • This could add some complexity

21
Obscurity
  • Obscuring what goes on inside a system or
    organization and avoiding clear patterns of
    behavior make attacks from the outside difficult
  • Network Address Translation
  • Port Address Translation
  • Internal ports different from external
  • External port 80 ? Internal port 8080

22
Simplicity
  • Complex security systems can be difficult to
    understand, troubleshoot, and feel secure about
  • The challenge is to make the system simple from
    the inside but complex from the outside

23
Using Effective Authentication Methods
  • Information security rests on three key pillars
  • Authentication
  • Access control (Authorization)
  • Auditing (Accounting)
  • Also Known as AAA

24
Effective Authentication Methods
  • Authentication
  • Process of providing identity
  • Can be classified into three main categories
    what you know, what you have, what you are
  • Most common method providing a user with a
    unique username and a secret password

25
Username and Password
  • ID management
  • Users single authenticated ID is shared across
    multiple networks or online businesses
  • Attempts to address the problem of users having
    individual usernames and passwords for each
    account (thus, resorting to simple passwords that
    are easy to remember)
  • Can be for users and for computers that share
    data

26
Disabling Nonessential Systems
  • First step in establishing a defense against
    computer attacks is to turn off all nonessential
    services
  • Disabling services that are not necessary
    restricts attackers can use
  • Reducing the attack surface

27
Disabling Nonessential Systems
  • A service can be set to one of the following
    modes
  • Automatic
  • Manual
  • Disabled
  • Besides preventing attackers from attaching
    malicious code to services, disabling
    nonessential services blocks entries into the
    system

28
Hardening Operating Systems
  • Hardening process of reducing vulnerabilities
  • A hardened system is configured and updated to
    protect against attacks
  • Three broad categories of items should be
    hardened
  • Operating systems
  • Applications that the operating system runs
  • Networks

29
Hardening Operating Systems
  • You can harden the operating system that runs on
    the local client or the network operating system
    (NOS) that manages and controls the network, such
    as Windows Server 2003 or Novell NetWare

30
Applying Updates
  • Operating systems are intended to be dynamic
  • As users needs change, new hardware is
    introduced, and more sophisticated attacks are
    unleashed, operating systems must be updated on a
    regular basis
  • However, vendors release a new version of an
    operating system every two to four years
  • Vendors use certain terms to refer to the
    different types of updates.

31
Applying Updates (continued)
  • A service pack (a cumulative set of updates
    including fixes for problems that have not been
    made available through updates) provides the
    broadest and most complete update
  • A hotfix does not typically address security
    issues instead, it corrects a specific software
    problem

32
Applying Updates (continued)
33
Applying Updates (continued)
  • A patch or a software update fixes a security
    flaw or other problem
  • May be released on a regular or irregular basis,
    depending on the vendor or support team
  • A good patch management system
  • Design patches to update groups of computers
  • Include reporting system
  • Download patches from the Internet
  • Distribute patches to other computers

34
Securing the File System
  • Another means of hardening an operating system is
    to restrict user access
  • Generally, users can be assigned permissions to
    access folders (also called directories in DOS
    and UNIX/Linux) and the files contained within
    them

35
Firmware Updates
  • RAM is volatile?interrupting the power source
    causes RAM to lose its entire contents
  • Read-only memory (ROM) is different from RAM in
    two ways
  • Contents of ROM are fixed
  • ROM is nonvolatile?disabling the power source
    does not erase its contents

36
Firmware Updates (continued)
  • ROM, Erasable Programmable Read-Only Memory
    (EPROM), and Electrically Erasable Programmable
    Read-Only Memory (EEPROM) are firmware (flash)
  • To erase an EPROM chip, hold the chip under
    ultraviolet light so the light passes through its
    crystal window
  • The contents of EEPROM chips can also be erased
    using electrical signals applied to specific pins

37
Firmware Updates (continued)
  • To update a network device we copy over a new
    version of the OS software to the flash memory of
    the device.
  • This can be done via a tftp server or a compact
    flash reader/writer
  • Router copy tftp flash
  • Having the firmware updated ensures the device is
    not vulnerable to bugs in the OS that can be
    exploited

38
Network Configuration
  • You must properly configure network equipment to
    resist attacks
  • The primary method of resisting attacks is to
    filter data packets as they arrive at the
    perimeter of the network
  • In addition to making sure the perimeter is
    secure, make sure the device itself is secure by
    using strong passwords and encrypted connections
  • SSH instead of Telnet and console, vty passwords

39
Configuring Packet Filtering
  • The User Datagram Protocol (UDP) provides for a
    connectionless TCP/IP transfer
  • TCP and UDP are based on port numbers
  • Socket combination of an IP address and a port
    number
  • The IP address is separated from the port number
    by a colon, as in 198.146.118.2080

40
Network Configuration
  • Rule base or access control list (ACL) rules a
    network device uses to permit or deny a packet
    (not to be confused with ACLs used in securing a
    file system)
  • Rules are composed of several settings (listed on
    pages 122 and 123 of the text)
  • Observe the basic guidelines on page 124 of the
    text when creating rules

41
Network Cable Plant
  • Cable plant physical infrastructure of a network
    (wire, connectors, and cables) used to carry data
    communication signals between equipment
  • Three types of transmission media
  • Coaxial cables
  • Twisted-pair cables
  • Fiber-optic cables

42
Twisted-Pair Cables
  • Standard for copper cabling used in computer
    networks today, replacing thin coaxial cable
  • Composed of two insulated copper wires twisted
    around each other and bundled together with other
    pairs in a jacket

43
Twisted-Pair Cables (continued)
  • Shielded twisted-pair (STP) cables have a foil
    shielding on the inside of the jacket to reduce
    interference
  • Unshielded twisted-pair (UTP) cables do not have
    any shielding
  • Twisted-pair cables have RJ-45 connectors

44
Fiber-Optic Cables
  • Coaxial and twisted-pair cables have copper wire
    at the center that conducts an electrical signal
  • Fiber-optic cable uses a very thin cylinder of
    glass (core) at its center instead of copper that
    transmit light impulses
  • A glass tube (cladding) surrounds the core
  • The core and cladding are protected by a jacket

45
Hardening Standard Network Devices
  • A standard network device is a typical piece of
    equipment that is found on almost every network,
    such as a workstation, server, switch, or router
  • This equipment has basic security features that
    you can use to harden the devices

46
Switches and Routers
  • Switch
  • Most commonly used in Ethernet LANs
  • Receives a packet from one network device and
    sends it to the destination device only
  • Limits the collision domain (part of network on
    which multiple devices may attempt to send
    packets simultaneously)
  • A switch is used within a single network
  • Routers connect two or more single networks to
    form a larger network

47
Hardening Network Security Devices
  • The final category of network devices includes
    those designed and used strictly to protect the
    network
  • Include
  • Firewalls
  • Intrusion-detection systems
  • Network monitoring and diagnostic devices

48
Firewalls
  • Typically used to filter packets
  • Designed to prevent malicious packets from
    entering the network or its computers (sometimes
    called a packet filter)
  • Typically located outside the network security
    perimeter as first line of defense
  • Can be software or hardware configurations

49
Firewalls (continued)
  • Software firewall runs as a program on a local
    computer (sometimes known as a personal firewall)
  • Enterprise firewalls are software firewalls
    designed to run on a dedicated device and protect
    a network instead of only one computer
  • One disadvantage is that it is only as strong as
    the operating system of the computer

50
Firewalls (continued)
  • Filter packets in one of two ways
  • Stateless packet filtering permits or denies
    each packet based strictly on the rule base
  • Stateful packet filtering records state of a
    connection between an internal computer and an
    external server makes decisions based on
    connection and rule base
  • Can perform content filtering to block access to
    undesirable Web sites

51
Designing Network Topologies
  • Topology physical layout of the network devices,
    how they are interconnected, and how they
    communicate
  • Essential to establishing its security
  • Although network topologies can be modified for
    security reasons, the network still must reflect
    the needs of the organization and users

52
Security Zones
  • One of the keys to mapping the topology of a
    network is to separate secure users from
    outsiders through
  • Demilitarized Zones (DMZs)
  • Intranets
  • Extranets

53
Demilitarized Zones (DMZs)
  • Separate networks that sit outside the secure
    network perimeter
  • Outside users can access the DMZ, but cannot
    enter the secure network
  • For extra security, some networks use a DMZ with
    two firewalls
  • The types of servers that should be located in
    the DMZ include
  • Web servers E-mail servers
  • Remote access servers FTP servers

54
Network Address Translation (NAT)
  • You cannot attack what you do not see is the
    philosophy behind Network Address Translation
    (NAT) systems
  • Hides the IP addresses of network devices from
    attackers
  • Computers are assigned special IP addresses
    (known as private addresses)

55
Network Address Translation (NAT)
  • These IP addresses are not assigned to any
    specific user or organization anyone can use
    them on their own private internal network
  • Port address translation (PAT) is a variation of
    NAT
  • Each packet is given the same IP address, but a
    different TCP port number

56
Virtual LANs (VLANs)
  • Segment a network with switches to divide the
    network into a hierarchy
  • Core switches reside at the top of the hierarchy
    and carry traffic between switches
  • Workgroup switches are connected directly to the
    devices on the network
  • Core switches must work faster than workgroup
    switches because core switches must handle the
    traffic of several workgroup switches

57
Virtual LANs (VLANs)
58
Virtual LANs (VLANs)
  • Segment a network by grouping similar users
    together
  • Instead of segmenting by user, you can segment a
    network by separating devices into logical groups
    (known as creating a VLAN)

59
Secure/MIME (S/MIME)
  • Protocol that adds digital signatures and
    encryption to Multipurpose Internet Mail
    Extension (MIME) messages
  • Provides these features
  • Digital signatures Interoperability
  • Message privacy Seamless integration
  • Tamper detection

60
Pretty Good Privacy (PGP)
  • Functions much like S/MIME by encrypting messages
    using digital signatures
  • A user can sign an e-mail message without
    encrypting it, verifying the sender but not
    preventing anyone from seeing the contents
  • First compresses the message
  • Reduces patterns and enhances resistance to
    cryptanalysis
  • Creates a session key (a one-time-only secret
    key)
  • This key is a number generated from random
    movements of the mouse and keystrokes typed

61
Pretty Good Privacy (PGP)
  • Uses a passphrase to encrypt the private key on
    the local computer
  • Passphrase
  • A longer and more secure version of a password
  • Typically composed of multiple words
  • More secure against dictionary attacks

62
Pretty Good Privacy (PGP)
63
Securing Web Communications
  • Most common secure connection uses the Secure
    Sockets Layer/Transport Layer Security protocol
  • One implementation is the Hypertext Transport
    Protocol over Secure Sockets Layer

64
Secure Sockets Layer (SSL)/Transport Layer
Security (TLS)
  • SSL protocol developed by Netscape to securely
    transmit documents over the Internet
  • Uses private key to encrypt data transferred over
    the SSL connection
  • Version 20 is most widely supported version
  • Personal Communications Technology (PCT),
    developed by Microsoft, is similar to SSL

65
Secure Sockets Layer (SSL)/Transport Layer
Security (TLS)
  • TLS protocol guarantees privacy and data
    integrity between applications communicating over
    the Internet
  • An extension of SSL they are often referred to
    as SSL/TLS
  • SSL/TLS protocol is made up of two layers

66
Secure Sockets Layer (SSL)/Transport Layer
Security (TLS)
  • TLS Handshake Protocol allows authentication
    between server and client and negotiation of an
    encryption algorithm and cryptographic keys
    before any data is transmitted
  • FORTEZZA is a US government security standard
    that satisfies the Defense Messaging System
    security architecture
  • Has cryptographic mechanism that provides message
    confidentiality, integrity, authentication, and
    access control to messages, components, and even
    systems

67
Secure Hypertext Transport Protocol (HTTPS)
  • One common use of SSL is to secure Web HTTP
    communication between a browser and a Web server
  • This version is plain HTTP sent over SSL/TLS
    and named Hypertext Transport Protocol over SSL
  • Sometimes designated HTTPS, which is the
    extension to the HTTP protocol that supports it
  • Whereas SSL/TLS creates a secure connection
    between a client and a server over which any
    amount of data can be sent security, HTTPS is
    designed to transmit individual messages securely

68
Tunneling Protocols
  • Tunneling technique of encapsulating one packet
    of data within another type to create a secure
    link of transportation

69
IEEE 8021x
  • Based on a standard established by the Institute
    for Electrical and Electronic Engineers (IEEE)
  • Gaining wide-spread popularity
  • Provides an authentication framework for
    802-based LANs (Ethernet, Token Ring, wireless
    LANs)
  • Uses port-based authentication mechanisms
  • Switch denies access to anyone other than an
    authorized user attempting to connect to the
    network through that port

70
IEEE 8021x (continued)
  • Network supporting the 8021x protocol consists of
    three elements
  • Supplicant client device, such as a desktop
    computer or personal digital assistant (PDA),
    which requires secure network access
  • Authenticator serves as an intermediary device
    between supplicant and authentication server
  • Authentication server receives request from
    supplicant through authenticator

71
802.1x
  • 802.1x is a standardized framework defined by the
    IEEE that is designed to provide port-based
    network access.
  • The 802.1x framework defines three roles in the
    authentication process
  • Supplicant endpoint that needs network access
  • Authenticator switch or access point
  • Authentication Server RADIUS, TACACS, LDAP
  • The authentication process consists of exchanges
    of Extensible Authentication Protocol (EAP)
    messages between the supplicant and the
    authentication server.

72
802.1x Roles
  • Microsoft Windows XP includes 802.1x supplicant
    support

73
Remote Authentication Dial-In User Service
(RADIUS)
  • Originally defined to enable centralized
    authentication and access control and PPP
    sessions
  • Requests are forwarded to a single RADIUS server
  • Supports authentication, authorization, and
    auditing functions
  • After connection is made, RADIUS server adds an
    accounting record to its log and acknowledges the
    request
  • Allows company to maintain user profiles in a
    central database that all remote servers can share

74
Terminal Access Control Access Control System
(TACACS)
  • Industry standard protocol specification that
    forwards username and password information to a
    centralized server (TACACS)
  • Whereas communication between a NAS and a TACACS
    server is encrypted, communication between a
    client and a NAS is not
  • TACACS utilizes TCP port 49.
  • It is a Cisco proprietary enhancement to original
    TACACS protocol.

75
IP Security (IPSec) (continued)
  • IPSec is a set of protocols developed to support
    the secure exchange of packets
  • Considered to be a transparent security protocol
  • Transparent to applications, users, and software
  • Provides three areas of protection that
    correspond to three IPSec protocols
  • Authentication
  • Confidentiality
  • Key management

76
IP Security (IPSec) (continued)
77
IP Security (IPSec) (continued)
  • Supports two encryption modes
  • Transport mode encrypts only the data portion
    (payload) of each packet, yet leaves the header
    encrypted
  • Tunnel mode encrypts both the header and the data
    portion
  • IPSec accomplishes transport and tunnel modes by
    adding new headers to the IP packet
  • The entire original packet is then treated as the
    data portion of the new packet

78
IP Security (IPSec) (continued)
79
IP Security (IPSec) (continued)
  • Both Authentication Header (AH) and Encapsulating
    Security Payload (ESP) can be used with Transport
    or Tunnel mode, creating four possible transport
    mechanisms
  • AH in transport mode
  • AH in tunnel mode
  • ESP in transport mode
  • ESP in tunnel mode

80
Virtual Private Networks (VPNs)
  • Takes advantage of using the public Internet as
    if it were a private network
  • Allow the public Internet to be used privately
  • Prior to VPNs, organizations were forced to lease
    expensive data connections from private carriers
    so employees could remotely connect to the
    organizations network

81
Virtual Private Networks (VPNs)
  • Two common types of VPNs include
  • Remote-access VPN or virtual private dial-up
    network (VPDN) user-to-LAN connection used by
    remote users
  • Site-to-site VPN multiple sites can connect to
    other sites over the Internet
  • VPN transmissions achieved through communicating
    with endpoints
  • An endpoint can be software on a local computer,
    a dedicated hardware device such as a VPN
    concentrator, or even a firewall

82
Basic WLAN Security
  • Two areas
  • Basic WLAN security
  • Enterprise WLAN security
  • Basic WLAN security uses two new wireless tools
    and one tool from the wired world
  • Service Set Identifier (SSID) beaconing
  • MAC address filtering
  • Wired Equivalent Privacy (WEP)

83
Service Set Identifier (SSID) Beaconing
  • A service set is a technical term used to
    describe a WLAN network
  • Three types of service sets
  • Independent Basic Service Set (IBSS)
  • Basic Service Set (BSS)
  • Extended Service Set (ESS)
  • Each WLAN is given a unique SSID

84
MAC Address Filtering
  • Another way to harden a WLAN is to filter MAC
    addresses
  • The MAC address of approved wireless devices is
    entered on the AP
  • A MAC address can be spoofed
  • When wireless device and AP first exchange
    packets, the MAC address of the wireless device
    is sent in plaintext, allowing an attacker with a
    sniffer to see the MAC address of an approved
    device

85
Wired Equivalent Privacy (WEP)
  • Optional configuration for WLANs that encrypts
    packets during transmission to prevent attackers
    from viewing their contents
  • Uses shared keys?the same key for encryption and
    decryption must be installed on the AP, as well
    as each wireless device
  • A serious vulnerability in WEP is that the IV is
    not properly implemented
  • Every time a packet is encrypted it should be
    given a unique IV

86
Other Wireless Authentication Protocols
  • Wi-Fi Protected Access WPA
  • The TKIP encryption algorithm was developed for
    WPA to provide improvements to WEP
  • WPA2
  • WiFi Alliance branded version of the final
    802.11i standard
  • WPA2 support EAP authentication methods using
    RADIUS servers and preshared key (PSK) based
    security
  • 802.1X
  • LEAP
  • PEAP
  • TKIP

87
Untrusted Network
  • The basic WLAN security of SSID beaconing, MAC
    address filtering, and WEP encryption is not
    secure enough for an organization to use
  • One approach to securing a WLAN is to treat it as
    an untrusted and unsecure network
  • Requires that the WLAN be placed outside the
    secure perimeter of the trusted network

88
Untrusted Network (continued)
89
Trusted Network (continued)
  • WPA encryption addresses the weaknesses of WEP by
    using the Temporal Key Integrity Protocol (TKIP)
  • TKIP mixes keys on a per-packet basis to improve
    security
  • Although WPA provides enhanced security, the IEEE
    80211i solution is even more secure
  • 80211i is expected to be released sometime in
    2004

90
Cryptography Terminology
  • Cryptography science of transforming information
    so it is secure while being transmitted or stored
  • Steganography attempts to hide existence of data
  • Encryption changing the original text to a
    secret message using cryptography

91
Cryptography Terminology
  • Decryption reverse process of encryption
  • Algorithm process of encrypting and decrypting
    information based on a mathematical procedure
  • Key value used by an algorithm to encrypt or
    decrypt a message

92
Cryptography Terminology
  • Weak key mathematical key that creates a
    detectable pattern or structure
  • Plaintext original unencrypted information (also
    known as clear text)
  • Cipher encryption or decryption algorithm tool
    used to create encrypted or decrypted text
  • Ciphertext data that has been encrypted by an
    encryption algorithm

93
Cryptography Terminology (continued)
94
Defining Hashing
  • Hashing, also called a one-way hash, creates a
    ciphertext from plaintext
  • Cryptographic hashing follows this same basic
    approach
  • Hash algorithms verify the accuracy of a value
    without transmitting the value itself and
    subjecting it to attacks
  • A practical use of a hash algorithm is with
    automatic teller machine (ATM) cards

95
Defining Hashing (continued)
  • Hashing is typically used in two ways
  • To determine whether a password a user enters is
    correct without transmitting the password itself
  • To determine the integrity of a message or
    contents of a file
  • Hash algorithms are considered very secure if the
    hash that is produced has the characteristics
    listed on pages 276 and 277 of the text

96
Message Digest (MD)
  • Message digest 2 (MD2) takes plaintext of any
    length and creates a hash 128 bits long
  • MD2 divides the message into 128-bit sections
  • If the message is less than 128 bits, data known
    as padding is added
  • Message digest 4 (MD4) was developed in 1990 for
    computers that processed 32 bits at a time
  • Takes plaintext and creates a hash of 128 bits
  • The plaintext message itself is padded to a
    length of 512 bits

97
Message Digest (MD)
  • Message digest 5 (MD5) is a revision of MD4
    designed to address its weaknesses
  • The length of a message is padded to 512 bits
  • The hash algorithm then uses four variables of 32
    bits each in a round-robin fashion to create a
    value that is compressed to generate the hash

98
Secure Hash Algorithm (SHA)
  • Patterned after MD4 but creates a hash that is
    160 bits in length instead of 128 bits
  • The longer hash makes it more resistant to
    attacks
  • SHA pads messages less than 512 bits with zeros
    and an integer that describes the original length
    of the message

99
Protecting with Symmetric Encryption Algorithms
  • A block cipher manipulates an entire block of
    plaintext at one time
  • The plaintext message is divided into separate
    blocks of 8 to 16 bytes and then each block is
    encrypted independently
  • The blocks can be randomized for additional
    security

100
Data Encryption Standard (DES)
  • One of the most popular symmetric cryptography
    algorithms
  • DES is a block cipher and encrypts data in 64-bit
    blocks
  • The 8-bit parity bit is ignored so the effective
    key length is only 56 bits
  • DES encrypts 64-bit plaintext by executing the
    algorithm 16 times
  • The four modes of DES encryption are summarized
    on pages 282 and 283

101
Triple Data Encryption Standard (3DES)
  • Uses three rounds of encryption instead of just
    one
  • The ciphertext of one round becomes the entire
    input for the second iteration
  • Employs a total of 48 iterations in its
    encryption (3 iterations times 16 rounds)
  • The most secure versions of 3DES use different
    keys for each round

102
Advanced Encryption Standard (AES)
  • Approved by the NIST in late 2000 as a
    replacement for DES
  • Process began with the NIST publishing
    requirements for a new symmetric algorithm and
    requesting proposals
  • Requirements stated that the new algorithm had to
    be fast and function on older computers with
    8-bit, 32-bit, and 64-bit processors

103
Advanced Encryption Standard (AES)
  • Performs three steps on every block (128 bits) of
    plaintext
  • Within step 2, multiple rounds are performed
    depending upon the key size
  • 128-bit key performs 9 rounds
  • 192-bit key performs 11 rounds
  • 256-bit key uses 13 rounds

104
Hardening with Asymmetric Encryption Algorithms
  • The primary weakness of symmetric encryption
    algorithm is keeping the single key secure
  • This weakness, known as key management, poses a
    number of significant challenges
  • Asymmetric encryption (or public key
    cryptography) uses two keys instead of one
  • The private key typically is used to encrypt the
    message
  • The public key decrypts the message

105
Hardening with Asymmetric Encryption Algorithms
106
Rivest Shamir Adleman (RSA)
  • Asymmetric algorithm published in 1977 and
    patented by MIT in 1983
  • Most common asymmetric encryption and
    authentication algorithm
  • Included as part of the Web browsers from
    Microsoft and Netscape as well as other
    commercial products
  • Multiplies two large prime numbers

107
Diffie-Hellman
  • Unlike RSA, the Diffie-Hellman algorithm does not
    encrypt and decrypt text
  • Strength of Diffie-Hellman is that it allows two
    users to share a secret key securely over a
    public network
  • Once the key has been shared, both parties can
    use it to encrypt and decrypt messages using
    symmetric cryptography

108
Elliptic Curve Cryptography
  • First proposed in the mid-1980s
  • Instead of using prime numbers, uses elliptic
    curves
  • An elliptic curve is a function drawn on an X-Y
    axis as a gently curved line
  • By adding the values of two points on the curve,
    you can arrive at a third point on the curve

109
Understanding How to Use Cryptography
  • Cryptography can provide a major defense against
    attackers
  • If an e-mail message or data stored on a file
    server is encrypted, even a successful attempt to
    steal that information will be of no benefit if
    the attacker cannot read it

110
Understanding Cryptography Strengths and
Vulnerabilities
  • Cryptography is science of scrambling data so
    it cannot be viewed by unauthorized users, making
    it secure while being transmitted or stored
  • When the recipient receives encrypted text or
    another user wants to access stored information,
    it must be decrypted with the cipher and key to
    produce the original plaintext

111
Symmetric Cryptography Strengths and Weaknesses
  • Identical keys are used to both encrypt and
    decrypt the message
  • Popular symmetric cipher algorithms include Data
    Encryption Standard, Triple Data Encryption
    Standard, Advanced Encryption Standard, Rivest
    Cipher, International Data Encryption Algorithm,
    and Blowfish
  • Disadvantages of symmetric encryption relate to
    the difficulties of managing the private key

112
Asymmetric Cryptography Strengths and
Vulnerabilities
  • With asymmetric encryption, two keys are used
    instead of one
  • The private key encrypts the message
  • The public key decrypts the message

113
Digital Signatures
  • Asymmetric encryption allows you to use either
    the public or private key to encrypt a message
    the receiver uses the other key to decrypt the
    message
  • A digital signature helps to prove that
  • The person sending the message with a public key
    is who they claim to be
  • The message was not altered
  • It cannot be denied the message was sent

114
Digital Certificates
  • Digital documents that associate an individual
    with its specific public key
  • Data structure containing a public key, details
    about the key owner, and other optional
    information that is all digitally signed by a
    trusted third party

115
Certification Authority (CA)
  • The owner of the public key listed in the digital
    certificate can be identified to the CA in
    different ways
  • By their e-mail address
  • By additional information that describes the
    digital certificate and limits the scope of its
    use
  • Revoked digital certificates are listed in a
    Certificate Revocation List (CRL), which can be
    accessed to check the certificate status of other
    users

116
Certification Authority (CA)
  • The CA must publish the certificates and CRLs to
    a directory immediately after a certificate is
    issued or revoked so users can refer to this
    directory to see changes
  • Can provide the information in a publicly
    accessible directory, called a Certificate
    Repository (CR)
  • Some organizations set up a Registration
    Authority (RA) to handle some CA, tasks such as
    processing certificate requests and
    authenticating users

117
Understanding Public Key Infrastructure (PKI)
  • Weaknesses associated with asymmetric
    cryptography led to the development of PKI
  • A CA is an important trusted party who can sign
    and issue certificates for users
  • Some of its tasks can also be performed by a
    subordinate function, the RA
  • Updated certificates and CRLs are kept in a CR
    for users to refer to

118
The Need for PKI
119
Description of PKI
  • Manages keys and identity information required
    for asymmetric cryptography, integrating digital
    certificates, public key cryptography, and CAs
  • For a typical enterprise
  • Provides end-user enrollment software
  • Integrates corporate certificate directories
  • Manages, renews, and revokes certificates
  • Provides related network services and security
  • Typically consists of one or more CA servers and
    digital certificates that automate several tasks

120
PKI Standards and Protocols
  • A number of standards have been proposed for PKI
  • Public Key Cryptography Standards (PKCS)
  • X509 certificate standards

121
Public Key Cryptography Standards (PKCS)
  • Numbered set of standards that have been defined
    by the RSA Corporation since 1991
  • Composed of 15 standards detailed on pages 318
    and 319 of the text

122
X509 Digital Certificates
  • X509 is an international standard defined by the
    International Telecommunication Union (ITU) that
    defines the format for the digital certificate
  • Most widely used certificate format for PKI
  • X509 is used by Secure Socket Layers
    (SSL)/Transport Layer Security (TLS), IP Security
    (IPSec), and Secure/Multipurpose Internet Mail
    Extensions (S/MIME)

123
X509 Digital Certificates
124
Trust Models
  • Refers to the type of relationship that can exist
    between people or organizations
  • In the direct trust, a personal relationship
    exists between two individuals
  • Third-party trust refers to a situation in which
    two individuals trust each other only because
    each individually trusts a third party
  • The three different PKI trust models are based on
    direct and third-party trust

125
Hardening Physical Security with Access Controls
  • Adequate physical security is one of the first
    lines of defense against attacks
  • Protects equipment and the infrastructure itself
  • Has one primary goal to prevent unauthorized
    users from reaching equipment to use, steal, or
    vandalize

126
Hardening Physical Security with Access Controls
  • Configure an operating system to enforce access
    controls through an access control list (ACL), a
    table that defines the access rights each subject
    has to a folder or file
  • ACLs are also configured on network devices to
    permit or deny packets to the network.
  • Access control also refers to restricting
    physical access to computers or network devices

127
Controlling Access with Physical Barriers
  • Most servers are rack-mounted servers
  • A rack-mounted server is 175 inches (445 cm) tall
    and can be stacked with up to 50 other servers in
    a closely confined area
  • Rack-mounted units are typically connected to a
    KVM (keyboard, video, mouse) switch, which in
    turn is connected to a single monitor, mouse, and
    keyboard

128
Controlling Access with Physical Barriers
  • In addition to securing a device itself, you
    should also secure the room containing the device
  • Two basic types of door locks require a key
  • A preset lock (key-in-knob lock) requires only a
    key for unlocking the door from the outside
  • A deadbolt lock extends a solid metal bar into
    the door frame for extra security
  • To achieve the most security when using door
    locks, observe the good practices listed on pages
    345 and 346 of the text

129
Controlling Access with Physical Barriers
  • Cipher locks are combination locks that use
    buttons you push in the proper sequence to open
    the door
  • Can be programmed to allow only the code of
    certain people to be valid on specific dates and
    times
  • Basic models can cost several hundred dollars
    each while advanced models can run much higher
  • Users must be careful to conceal which buttons
    they push to avoid someone seeing the combination
    (shoulder surfing)

130
Limiting Wireless Signal Range
  • Use the following techniques to limit the
    wireless signal range
  • Relocate the access point
  • Add directional antenna
  • Reduce power
  • Cover the device
  • Modify the building

131
Reducing the Risk of Fires
  • Systems can be classified as
  • Water sprinkler systems that spray the room with
    pressurized water
  • Dry chemical systems that disperse a fine, dry
    powder over the fire
  • Clean agent systems that do not harm people,
    documents, or electrical equipment in the room

132
Types of Security Policies
133
Types of Security Policies
134
Acceptable Use Policy (AUP)
  • Defines what actions users of a system may
    perform while using computing and networking
    equipment
  • Should have an overview regarding what is covered
    by this policy
  • Unacceptable use should also be outlined

135
Understanding Identity Management (continued)
  • Four key elements
  • Single sign-on (SSO)
  • Password synchronization
  • Password resets
  • Access management

136
Understanding Identity Management (continued)
  • SSO allows user to log on one time to a network
    or system and access multiple applications and
    systems based on that single password
  • Password synchronization also permits a user to
    use a single password to log on to multiple
    servers
  • Instead of keeping a repository of user
    credentials, password synchronization ensures the
    password is the same for every application to
    which a user logs on

137
Understanding Identity Management (continued)
  • Password resets reduce costs associated with
    password-related help desk calls
  • Identity management systems let users reset their
    own passwords and unlock their accounts without
    relying on the help desk
  • Access management software controls who can
    access the network while managing the content and
    business that users can perform while online

138
Auditing Privileges
  • You should regularly audit the privileges that
    have been assigned
  • Without auditing, it is impossible to know if
    users have been given too many unnecessary
    privileges and are creating security
    vulnerabilities

139
Usage Audit
  • Process of reviewing activities a user has
    performed on the system or network
  • Provides a detailed history of every action, the
    date and time, the name of the user, and other
    information

140
Usage Audits (continued)
141
Privilege Audit
  • Reviews privileges that have been assigned to a
    specific user, group, or role
  • Begins by developing a list of the expected
    privileges of a user

142
Escalation Audits
  • Reviews of usage audits to determine if
    privileges have unexpectedly escalated
  • Privilege escalation attack attacker attempts to
    escalate her privileges without permission
  • Certain programs on Mac OS X use a special area
    in memory called an environment variable to
    determine where to write certain information
Write a Comment
User Comments (0)
About PowerShow.com