1. CIT 016 Review for Final Security+ Guide to Network Security Fundamentals Second Edition

2.  Three characteristics of information must be protected by information security: Confidentiality Integrity Availability  Information security achieved through a combination of three entities Defining Information Security

3. Importance of Information Security  Information security is important to businesses: Prevents data theft Avoids legal consequences of not securing information Maintains productivity Foils cyberterrorism Thwarts identity theft

4. Preventing Data Theft  Theft of data is single largest cause of financial loss due to a security breach  One of the most important objectives of information security is to protect important business and personal data from theft

5. Developing Attacker Profiles  Six categories: Hackers Crackers Script kiddies Spies Employees Cyberterrorists

6. Developing Attacker Profiles

7. Hackers  Person who uses advanced computer skills to attack computers, but not with a malicious intent  Use their skills to expose security flaws  Know that breaking in to a system is illegal but do not intend on committing a crime “Hacker code of ethics” Target should have had better security

8.  Person who violates system security with malicious intent  Have advanced knowledge of computers and networks and the skills to exploit them  Destroy data, deny legitimate users of service, or otherwise cause serious problems on computers and networks Crackers

9.  Break into computers to create damage  Not as skilled as Crackers  Download automated hacking software from Web sites and use it to break into computers  Tend to be young computer users with large amounts of leisure time, which they can use to attack systems Script Kiddies

10.  Person hired to break into a computer and steal information  Do not randomly search for unsecured computers to attack  Hired to attack a specific computer that contains sensitive information  Possess excellent computer skills  Could also use social engineering to gain access to a system  Financially motivated Spies

11.  One of the largest information security threats to business  Employees break into their company’s computer for these reasons: To show the company a weakness in their security Being overlooked, revenge For money  Inside of network is often vulnerable because security focus is at the perimeter  Unskilled user could inadvertently launch virus, worm or spyware Employees

12.  Experts fear terrorists will attack the network and computer infrastructure to cause panic  Cyberterrorists’ motivation may be defined as ideology, or attacking for the sake of their principles or beliefs  Targets that are high on the cyberterrorists list are: Infrastructure outages Internet itself Cyberterrorists

13.  Three goals of a cyberattack: Deface electronic information to spread disinformation and propaganda Deny service to legitimate computer users Commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of vital data Cyberterrorists (continued)

14. Understanding Security Principles  Ways information can be attacked: Crackers can launch distributed denial-of- service (DDoS) attacks through the Internet Spies can use social engineering Employees can guess other user’s passwords Hackers can create back doors  Protecting against the wide range of attacks calls for a wide range of defense mechanisms

15. Layering  Layered security approach has the advantage of creating a barrier of multiple defenses that can be coordinated to thwart a variety of attacks  Information security likewise must be created in layers  All the security layers must be properly coordinated to be effective

16. Layering (continued)

17. Limiting  Limiting access to information reduces the threat against it Only those who must use data should have access to it  Access must be limited for a subject (a person or a computer program running on a system) to interact with an object (a computer or a database stored on a server)  The amount of access granted to someone should be limited to what that person needs to know or do

18. Limiting (continued)

19. Diversity  Diversity is closely related to layering  You should protect data with diverse layers of security, so if attackers penetrate one layer, they cannot use the same techniques to break through all other layers  Using diverse layers of defense means that breaching one security layer does not compromise the whole system Not just perimeter security Possibly using different vendors Increased administrative overhead

20. Diversity (continued)  You can set a firewall to filter a specific type of traffic, such as all inbound traffic, and a second firewall on the same system to filter another traffic type, such as outbound traffic Use application layer filtering by a Linux box before traffic hits the firewall Use one device as the firewall and different device as the spam filter  Using firewalls produced by different vendors creates even greater diversity This could add some complexity

21. Obscurity  Obscuring what goes on inside a system or organization and avoiding clear patterns of behavior make attacks from the outside difficult Network Address Translation Port Address Translation Internal ports different from external  External port 80  Internal port 8080

22. Simplicity  Complex security systems can be difficult to understand, troubleshoot, and feel secure about  The challenge is to make the system simple from the inside but complex from the outside

23. Using Effective Authentication Methods  Information security rests on three key pillars: Authentication Access control (Authorization) Auditing (Accounting)  Also Known as AAA

24. Effective Authentication Methods  Authentication: Process of providing identity Can be classified into three main categories: what you know, what you have, what you are Most common method: providing a user with a unique username and a secret password

25. Username and Password  ID management: User’s single authenticated ID is shared across multiple networks or online businesses Attempts to address the problem of users having individual usernames and passwords for each account (thus, resorting to simple passwords that are easy to remember) Can be for users and for computers that share data

26. Disabling Nonessential Systems  First step in establishing a defense against computer attacks is to turn off all nonessential services  Disabling services that are not necessary restricts attackers can use Reducing the attack surface

27. Disabling Nonessential Systems  A service can be set to one of the following modes: Automatic Manual Disabled  Besides preventing attackers from attaching malicious code to services, disabling nonessential services blocks entries into the system

28. Hardening Operating Systems  Hardening: process of reducing vulnerabilities  A hardened system is configured and updated to protect against attacks  Three broad categories of items should be hardened: Operating systems Applications that the operating system runs Networks

29. Hardening Operating Systems  You can harden the operating system that runs on the local client or the network operating system (NOS) that manages and controls the network, such as Windows Server 2003 or Novell NetWare

30. Applying Updates  Operating systems are intended to be dynamic  As users’ needs change, new hardware is introduced, and more sophisticated attacks are unleashed, operating systems must be updated on a regular basis  However, vendors release a new version of an operating system every two to four years  Vendors use certain terms to refer to the different types of updates.

31. Applying Updates (continued)  A service pack (a cumulative set of updates including fixes for problems that have not been made available through updates) provides the broadest and most complete update  A hotfix does not typically address security issues; instead, it corrects a specific software problem

32. Applying Updates (continued)

33.  A patch or a software update fixes a security flaw or other problem May be released on a regular or irregular basis, depending on the vendor or support team A good patch management system:  Design patches to update groups of computers  Include reporting system  Download patches from the Internet  Distribute patches to other computers

34. Securing the File System  Another means of hardening an operating system is to restrict user access  Generally, users can be assigned permissions to access folders (also called directories in DOS and UNIX/Linux) and the files contained within them

35. Firmware Updates  RAM is volatile―interrupting the power source causes RAM to lose its entire contents  Read-only memory (ROM) is different from RAM in two ways: Contents of ROM are fixed ROM is nonvolatile―disabling the power source does not erase its contents

36. Firmware Updates (continued)  ROM, Erasable Programmable Read- Only Memory (EPROM), and Electrically Erasable Programmable Read-Only Memory (EEPROM) are firmware (flash)  To erase an EPROM chip, hold the chip under ultraviolet light so the light passes through its crystal window  The contents of EEPROM chips can also be erased using electrical signals applied to specific pins

37. Firmware Updates (continued)  To update a network device we copy over a new version of the OS software to the flash memory of the device.  This can be done via a tftp server or a compact flash reader/writer Router# copy tftp flash:  Having the firmware updated ensures the device is not vulnerable to bugs in the OS that can be exploited

38. Network Configuration  You must properly configure network equipment to resist attacks  The primary method of resisting attacks is to filter data packets as they arrive at the perimeter of the network  In addition to making sure the perimeter is secure, make sure the device itself is secure by using strong passwords and encrypted connections SSH instead of Telnet and console, vty passwords

39. Configuring Packet Filtering  The User Datagram Protocol (UDP) provides for a connectionless TCP/IP transfer  TCP and UDP are based on port numbers  Socket: combination of an IP address and a port number The IP address is separated from the port number by a colon, as in 198.146.118.20:80

40. Network Configuration  Rule base or access control list (ACL): rules a network device uses to permit or deny a packet (not to be confused with ACLs used in securing a file system)  Rules are composed of several settings (listed on pages 122 and 123 of the text)  Observe the basic guidelines on page 124 of the text when creating rules

41. Network Cable Plant  Cable plant: physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment  Three types of transmission media: Coaxial cables Twisted-pair cables Fiber-optic cables

42. Twisted-Pair Cables  Standard for copper cabling used in computer networks today, replacing thin coaxial cable  Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket

43. Twisted-Pair Cables (continued)  Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference  Unshielded twisted-pair (UTP) cables do not have any shielding  Twisted-pair cables have RJ-45 connectors

44. Fiber-Optic Cables  Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal  Fiber-optic cable uses a very thin cylinder of glass (core) at its center instead of copper that transmit light impulses  A glass tube (cladding) surrounds the core  The core and cladding are protected by a jacket

45. Hardening Standard Network Devices  A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router  This equipment has basic security features that you can use to harden the devices

46. Switches and Routers  Switch Most commonly used in Ethernet LANs Receives a packet from one network device and sends it to the destination device only Limits the collision domain (part of network on which multiple devices may attempt to send packets simultaneously)  A switch is used within a single network  Routers connect two or more single networks to form a larger network

47. Hardening Network Security Devices  The final category of network devices includes those designed and used strictly to protect the network  Include: Firewalls Intrusion-detection systems Network monitoring and diagnostic devices

48. Firewalls  Typically used to filter packets  Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter)  Typically located outside the network security perimeter as first line of defense  Can be software or hardware configurations

49. Firewalls (continued)  Software firewall runs as a program on a local computer (sometimes known as a personal firewall) Enterprise firewalls are software firewalls designed to run on a dedicated device and protect a network instead of only one computer One disadvantage is that it is only as strong as the operating system of the computer

50. Firewalls (continued)  Filter packets in one of two ways: Stateless packet filtering: permits or denies each packet based strictly on the rule base Stateful packet filtering: records state of a connection between an internal computer and an external server; makes decisions based on connection and rule base  Can perform content filtering to block access to undesirable Web sites

51. Designing Network Topologies  Topology: physical layout of the network devices, how they are interconnected, and how they communicate  Essential to establishing its security  Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and users

52. Security Zones  One of the keys to mapping the topology of a network is to separate secure users from outsiders through: Demilitarized Zones (DMZs) Intranets Extranets

53. Demilitarized Zones (DMZs)  Separate networks that sit outside the secure network perimeter  Outside users can access the DMZ, but cannot enter the secure network  For extra security, some networks use a DMZ with two firewalls  The types of servers that should be located in the DMZ include: Web servers – E-mail servers Remote access servers – FTP servers

54. Network Address Translation (NAT)  “You cannot attack what you do not see” is the philosophy behind Network Address Translation (NAT) systems  Hides the IP addresses of network devices from attackers  Computers are assigned special IP addresses (known as private addresses)

55.  These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network  Port address translation (PAT) is a variation of NAT  Each packet is given the same IP address, but a different TCP port number Network Address Translation (NAT)

56. Virtual LANs (VLANs)  Segment a network with switches to divide the network into a hierarchy  Core switches reside at the top of the hierarchy and carry traffic between switches  Workgroup switches are connected directly to the devices on the network  Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches

57. Virtual LANs (VLANs)

58.  Segment a network by grouping similar users together  Instead of segmenting by user, you can segment a network by separating devices into logical groups (known as creating a VLAN)

59. Secure/MIME (S/MIME)  Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME) messages  Provides these features: Digital signatures– Interoperability Message privacy– Seamless integration Tamper detection

60. Pretty Good Privacy (PGP)  Functions much like S/MIME by encrypting messages using digital signatures  A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents  First compresses the message Reduces patterns and enhances resistance to cryptanalysis  Creates a session key (a one-time-only secret key) This key is a number generated from random movements of the mouse and keystrokes typed

61. Pretty Good Privacy (PGP)  Uses a passphrase to encrypt the private key on the local computer  Passphrase: A longer and more secure version of a password Typically composed of multiple words More secure against dictionary attacks

62. Pretty Good Privacy (PGP)

63. Securing Web Communications  Most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol  One implementation is the Hypertext Transport Protocol over Secure Sockets Layer

64. Secure Sockets Layer (SSL)/ Transport Layer Security (TLS)  SSL protocol developed by Netscape to securely transmit documents over the Internet Uses private key to encrypt data transferred over the SSL connection Version 20 is most widely supported version Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL

65. Secure Sockets Layer (SSL)/ Transport Layer Security (TLS)  TLS protocol guarantees privacy and data integrity between applications communicating over the Internet An extension of SSL; they are often referred to as SSL/TLS  SSL/TLS protocol is made up of two layers

66. Secure Sockets Layer (SSL)/ Transport Layer Security (TLS)  TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted  FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture Has cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems

67. Secure Hypertext Transport Protocol (HTTPS)  One common use of SSL is to secure Web HTTP communication between a browser and a Web server This version is “plain” HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL  Sometimes designated HTTPS, which is the extension to the HTTP protocol that supports it  Whereas SSL/TLS creates a secure connection between a client and a server over which any amount of data can be sent security, HTTPS is designed to transmit individual messages securely

68. Tunneling Protocols  Tunneling: technique of encapsulating one packet of data within another type to create a secure link of transportation

69. IEEE 8021x  Based on a standard established by the Institute for Electrical and Electronic Engineers (IEEE)  Gaining wide-spread popularity  Provides an authentication framework for 802-based LANs (Ethernet, Token Ring, wireless LANs)  Uses port-based authentication mechanisms Switch denies access to anyone other than an authorized user attempting to connect to the network through that port

70. IEEE 8021x (continued)  Network supporting the 8021x protocol consists of three elements: Supplicant: client device, such as a desktop computer or personal digital assistant (PDA), which requires secure network access Authenticator: serves as an intermediary device between supplicant and authentication server Authentication server: receives request from supplicant through authenticator

71. 802.1x  802.1x is a standardized framework defined by the IEEE that is designed to provide port- based network access.  The 802.1x framework defines three roles in the authentication process: 1. Supplicant = endpoint that needs network access 2. Authenticator = switch or access point 3. Authentication Server = RADIUS, TACACS+, LDAP  The authentication process consists of exchanges of Extensible Authentication Protocol (EAP) messages between the supplicant and the authentication server.

72. 802.1x Roles Authentication Server Authenticator Supplicant Microsoft Windows XP includes 802.1x supplicant support

73. Remote Authentication Dial-In User Service (RADIUS)  Originally defined to enable centralized authentication and access control and PPP sessions  Requests are forwarded to a single RADIUS server  Supports authentication, authorization, and auditing functions  After connection is made, RADIUS server adds an accounting record to its log and acknowledges the request  Allows company to maintain user profiles in a central database that all remote servers can share

74. Terminal Access Control Access Control System (TACACS+)  Industry standard protocol specification that forwards username and password information to a centralized server (TACACS)  Whereas communication between a NAS and a TACACS+ server is encrypted, communication between a client and a NAS is not  TACACS+ utilizes TCP port 49.  It is a Cisco proprietary enhancement to original TACACS protocol.

75. IP Security (IPSec) (continued)  IPSec is a set of protocols developed to support the secure exchange of packets  Considered to be a transparent security protocol  Transparent to applications, users, and software  Provides three areas of protection that correspond to three IPSec protocols: Authentication Confidentiality Key management

76. IP Security (IPSec) (continued)

77.  Supports two encryption modes: Transport mode encrypts only the data portion (payload) of each packet, yet leaves the header encrypted Tunnel mode encrypts both the header and the data portion  IPSec accomplishes transport and tunnel modes by adding new headers to the IP packet  The entire original packet is then treated as the data portion of the new packet

78. IP Security (IPSec) (continued)

79.  Both Authentication Header (AH) and Encapsulating Security Payload (ESP) can be used with Transport or Tunnel mode, creating four possible transport mechanisms: AH in transport mode AH in tunnel mode ESP in transport mode ESP in tunnel mode

80. Virtual Private Networks (VPNs)  Takes advantage of using the public Internet as if it were a private network  Allow the public Internet to be used privately  Prior to VPNs, organizations were forced to lease expensive data connections from private carriers so employees could remotely connect to the organization’s network

81. Virtual Private Networks (VPNs)  Two common types of VPNs include: Remote-access VPN or virtual private dial- up network (VPDN): user-to-LAN connection used by remote users Site-to-site VPN: multiple sites can connect to other sites over the Internet  VPN transmissions achieved through communicating with endpoints An endpoint can be software on a local computer, a dedicated hardware device such as a VPN concentrator, or even a firewall

82. Basic WLAN Security  Two areas: Basic WLAN security Enterprise WLAN security  Basic WLAN security uses two new wireless tools and one tool from the wired world: Service Set Identifier (SSID) beaconing MAC address filtering Wired Equivalent Privacy (WEP)

83. Service Set Identifier (SSID) Beaconing  A service set is a technical term used to describe a WLAN network  Three types of service sets: Independent Basic Service Set (IBSS) Basic Service Set (BSS) Extended Service Set (ESS)  Each WLAN is given a unique SSID

84. MAC Address Filtering  Another way to harden a WLAN is to filter MAC addresses  The MAC address of approved wireless devices is entered on the AP  A MAC address can be spoofed  When wireless device and AP first exchange packets, the MAC address of the wireless device is sent in plaintext, allowing an attacker with a sniffer to see the MAC address of an approved device

85. Wired Equivalent Privacy (WEP)  Optional configuration for WLANs that encrypts packets during transmission to prevent attackers from viewing their contents  Uses shared keys―the same key for encryption and decryption must be installed on the AP, as well as each wireless device  A serious vulnerability in WEP is that the IV is not properly implemented  Every time a packet is encrypted it should be given a unique IV

86. Other Wireless Authentication Protocols  Wi-Fi Protected Access WPA The TKIP encryption algorithm was developed for WPA to provide improvements to WEP  WPA2 WiFi Alliance branded version of the final 802.11i standard WPA2 support EAP authentication methods using RADIUS servers and preshared key (PSK) based security  802.1X  LEAP  PEAP  TKIP

87. Untrusted Network  The basic WLAN security of SSID beaconing, MAC address filtering, and WEP encryption is not secure enough for an organization to use  One approach to securing a WLAN is to treat it as an untrusted and unsecure network  Requires that the WLAN be placed outside the secure perimeter of the trusted network

88. Untrusted Network (continued)

89. Trusted Network (continued)  WPA encryption addresses the weaknesses of WEP by using the Temporal Key Integrity Protocol (TKIP)  TKIP mixes keys on a per-packet basis to improve security  Although WPA provides enhanced security, the IEEE 80211i solution is even more secure  80211i is expected to be released sometime in 2004

90. Cryptography Terminology  Cryptography: science of transforming information so it is secure while being transmitted or stored  Steganography: attempts to hide existence of data  Encryption: changing the original text to a secret message using cryptography

91. Cryptography Terminology  Decryption: reverse process of encryption  Algorithm: process of encrypting and decrypting information based on a mathematical procedure  Key: value used by an algorithm to encrypt or decrypt a message

92. Cryptography Terminology  Weak key: mathematical key that creates a detectable pattern or structure  Plaintext: original unencrypted information (also known as clear text)  Cipher: encryption or decryption algorithm tool used to create encrypted or decrypted text  Ciphertext: data that has been encrypted by an encryption algorithm

93. Cryptography Terminology (continued)

94. Defining Hashing  Hashing, also called a one-way hash, creates a ciphertext from plaintext  Cryptographic hashing follows this same basic approach  Hash algorithms verify the accuracy of a value without transmitting the value itself and subjecting it to attacks  A practical use of a hash algorithm is with automatic teller machine (ATM) cards

95. Defining Hashing (continued)  Hashing is typically used in two ways: To determine whether a password a user enters is correct without transmitting the password itself To determine the integrity of a message or contents of a file  Hash algorithms are considered very secure if the hash that is produced has the characteristics listed on pages 276 and 277 of the text

96. Message Digest (MD)  Message digest 2 (MD2) takes plaintext of any length and creates a hash 128 bits long MD2 divides the message into 128-bit sections If the message is less than 128 bits, data known as padding is added  Message digest 4 (MD4) was developed in 1990 for computers that processed 32 bits at a time Takes plaintext and creates a hash of 128 bits The plaintext message itself is padded to a length of 512 bits

97. Message Digest (MD)  Message digest 5 (MD5) is a revision of MD4 designed to address its weaknesses The length of a message is padded to 512 bits The hash algorithm then uses four variables of 32 bits each in a round-robin fashion to create a value that is compressed to generate the hash

98. Secure Hash Algorithm (SHA)  Patterned after MD4 but creates a hash that is 160 bits in length instead of 128 bits  The longer hash makes it more resistant to attacks  SHA pads messages less than 512 bits with zeros and an integer that describes the original length of the message

99. Protecting with Symmetric Encryption Algorithms  A block cipher manipulates an entire block of plaintext at one time  The plaintext message is divided into separate blocks of 8 to 16 bytes and then each block is encrypted independently  The blocks can be randomized for additional security

100. Data Encryption Standard (DES)  One of the most popular symmetric cryptography algorithms  DES is a block cipher and encrypts data in 64-bit blocks  The 8-bit parity bit is ignored so the effective key length is only 56 bits  DES encrypts 64-bit plaintext by executing the algorithm 16 times  The four modes of DES encryption are summarized on pages 282 and 283

101. Triple Data Encryption Standard (3DES)  Uses three rounds of encryption instead of just one  The ciphertext of one round becomes the entire input for the second iteration  Employs a total of 48 iterations in its encryption (3 iterations times 16 rounds)  The most secure versions of 3DES use different keys for each round

102. Advanced Encryption Standard (AES)  Approved by the NIST in late 2000 as a replacement for DES  Process began with the NIST publishing requirements for a new symmetric algorithm and requesting proposals  Requirements stated that the new algorithm had to be fast and function on older computers with 8-bit, 32-bit, and 64-bit processors

103. Advanced Encryption Standard (AES)  Performs three steps on every block (128 bits) of plaintext  Within step 2, multiple rounds are performed depending upon the key size: 128-bit key performs 9 rounds 192-bit key performs 11 rounds 256-bit key uses 13 rounds

104. Hardening with Asymmetric Encryption Algorithms  The primary weakness of symmetric encryption algorithm is keeping the single key secure  This weakness, known as key management, poses a number of significant challenges  Asymmetric encryption (or public key cryptography) uses two keys instead of one The private key typically is used to encrypt the message The public key decrypts the message

105. Hardening with Asymmetric Encryption Algorithms

106. Rivest Shamir Adleman (RSA)  Asymmetric algorithm published in 1977 and patented by MIT in 1983  Most common asymmetric encryption and authentication algorithm  Included as part of the Web browsers from Microsoft and Netscape as well as other commercial products  Multiplies two large prime numbers

107. Diffie-Hellman  Unlike RSA, the Diffie-Hellman algorithm does not encrypt and decrypt text  Strength of Diffie-Hellman is that it allows two users to share a secret key securely over a public network  Once the key has been shared, both parties can use it to encrypt and decrypt messages using symmetric cryptography

108. Elliptic Curve Cryptography  First proposed in the mid-1980s  Instead of using prime numbers, uses elliptic curves  An elliptic curve is a function drawn on an X-Y axis as a gently curved line  By adding the values of two points on the curve, you can arrive at a third point on the curve

109. Understanding How to Use Cryptography  Cryptography can provide a major defense against attackers  If an e-mail message or data stored on a file server is encrypted, even a successful attempt to steal that information will be of no benefit if the attacker cannot read it

110. Understanding Cryptography Strengths and Vulnerabilities  Cryptography is science of “scrambling” data so it cannot be viewed by unauthorized users, making it secure while being transmitted or stored  When the recipient receives encrypted text or another user wants to access stored information, it must be decrypted with the cipher and key to produce the original plaintext

111. Symmetric Cryptography Strengths and Weaknesses  Identical keys are used to both encrypt and decrypt the message  Popular symmetric cipher algorithms include Data Encryption Standard, Triple Data Encryption Standard, Advanced Encryption Standard, Rivest Cipher, International Data Encryption Algorithm, and Blowfish  Disadvantages of symmetric encryption relate to the difficulties of managing the private key

112. Asymmetric Cryptography Strengths and Vulnerabilities  With asymmetric encryption, two keys are used instead of one The private key encrypts the message The public key decrypts the message

113. Digital Signatures  Asymmetric encryption allows you to use either the public or private key to encrypt a message; the receiver uses the other key to decrypt the message  A digital signature helps to prove that: The person sending the message with a public key is who they claim to be The message was not altered It cannot be denied the message was sent

114. Digital Certificates  Digital documents that associate an individual with its specific public key  Data structure containing a public key, details about the key owner, and other optional information that is all digitally signed by a trusted third party

115. Certification Authority (CA)  The owner of the public key listed in the digital certificate can be identified to the CA in different ways By their e-mail address By additional information that describes the digital certificate and limits the scope of its use  Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users

116. Certification Authority (CA)  The CA must publish the certificates and CRLs to a directory immediately after a certificate is issued or revoked so users can refer to this directory to see changes  Can provide the information in a publicly accessible directory, called a Certificate Repository (CR)  Some organizations set up a Registration Authority (RA) to handle some CA, tasks such as processing certificate requests and authenticating users

117. Understanding Public Key Infrastructure (PKI)  Weaknesses associated with asymmetric cryptography led to the development of PKI  A CA is an important trusted party who can sign and issue certificates for users  Some of its tasks can also be performed by a subordinate function, the RA  Updated certificates and CRLs are kept in a CR for users to refer to

118. The Need for PKI

119. Description of PKI  Manages keys and identity information required for asymmetric cryptography, integrating digital certificates, public key cryptography, and CAs  For a typical enterprise: Provides end-user enrollment software Integrates corporate certificate directories Manages, renews, and revokes certificates Provides related network services and security  Typically consists of one or more CA servers and digital certificates that automate several tasks

120. PKI Standards and Protocols  A number of standards have been proposed for PKI Public Key Cryptography Standards (PKCS) X509 certificate standards

121. Public Key Cryptography Standards (PKCS)  Numbered set of standards that have been defined by the RSA Corporation since 1991  Composed of 15 standards detailed on pages 318 and 319 of the text

122. X509 Digital Certificates  X509 is an international standard defined by the International Telecommunication Union (ITU) that defines the format for the digital certificate  Most widely used certificate format for PKI  X509 is used by Secure Socket Layers (SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME)

123. X509 Digital Certificates

124. Trust Models  Refers to the type of relationship that can exist between people or organizations  In the direct trust, a personal relationship exists between two individuals  Third-party trust refers to a situation in which two individuals trust each other only because each individually trusts a third party  The three different PKI trust models are based on direct and third-party trust

125. Hardening Physical Security with Access Controls  Adequate physical security is one of the first lines of defense against attacks  Protects equipment and the infrastructure itself  Has one primary goal: to prevent unauthorized users from reaching equipment to use, steal, or vandalize

126. Hardening Physical Security with Access Controls  Configure an operating system to enforce access controls through an access control list (ACL), a table that defines the access rights each subject has to a folder or file  ACLs are also configured on network devices to permit or deny packets to the network.  Access control also refers to restricting physical access to computers or network devices

127. Controlling Access with Physical Barriers  Most servers are rack-mounted servers  A rack-mounted server is 175 inches (445 cm) tall and can be stacked with up to 50 other servers in a closely confined area  Rack-mounted units are typically connected to a KVM (keyboard, video, mouse) switch, which in turn is connected to a single monitor, mouse, and keyboard

128. Controlling Access with Physical Barriers  In addition to securing a device itself, you should also secure the room containing the device  Two basic types of door locks require a key: A preset lock (key-in-knob lock) requires only a key for unlocking the door from the outside A deadbolt lock extends a solid metal bar into the door frame for extra security  To achieve the most security when using door locks, observe the good practices listed on pages 345 and 346 of the text

129. Controlling Access with Physical Barriers  Cipher locks are combination locks that use buttons you push in the proper sequence to open the door  Can be programmed to allow only the code of certain people to be valid on specific dates and times  Basic models can cost several hundred dollars each while advanced models can run much higher  Users must be careful to conceal which buttons they push to avoid someone seeing the combination (shoulder surfing)

130. Limiting Wireless Signal Range  Use the following techniques to limit the wireless signal range: Relocate the access point Add directional antenna Reduce power Cover the device Modify the building

131. Reducing the Risk of Fires  Systems can be classified as: Water sprinkler systems that spray the room with pressurized water Dry chemical systems that disperse a fine, dry powder over the fire Clean agent systems that do not harm people, documents, or electrical equipment in the room

132. Types of Security Policies

134. Acceptable Use Policy (AUP)  Defines what actions users of a system may perform while using computing and networking equipment  Should have an overview regarding what is covered by this policy  Unacceptable use should also be outlined

135. Understanding Identity Management (continued)  Four key elements: Single sign-on (SSO) Password synchronization Password resets Access management

136. Understanding Identity Management (continued)  SSO allows user to log on one time to a network or system and access multiple applications and systems based on that single password  Password synchronization also permits a user to use a single password to log on to multiple servers Instead of keeping a repository of user credentials, password synchronization ensures the password is the same for every application to which a user logs on

137. Understanding Identity Management (continued)  Password resets reduce costs associated with password-related help desk calls Identity management systems let users reset their own passwords and unlock their accounts without relying on the help desk  Access management software controls who can access the network while managing the content and business that users can perform while online

138. Auditing Privileges  You should regularly audit the privileges that have been assigned  Without auditing, it is impossible to know if users have been given too many unnecessary privileges and are creating security vulnerabilities

139. Usage Audit  Process of reviewing activities a user has performed on the system or network  Provides a detailed history of every action, the date and time, the name of the user, and other information

140. Usage Audits (continued)

141. Privilege Audit  Reviews privileges that have been assigned to a specific user, group, or role  Begins by developing a list of the expected privileges of a user

142. Escalation Audits  Reviews of usage audits to determine if privileges have unexpectedly escalated  Privilege escalation attack: attacker attempts to escalate her privileges without permission  Certain programs on Mac OS X use a special area in memory called an environment variable to determine where to write certain information