1.8 Summary
In this chapter, we looked at the
topics in the first domain of the Security+ exam, General Security Concepts.
You learned about the AAA of security as this domain groups it
(Access control, Authentication and Auditing/accounting; elsewhere AAA is
usually expanded as authentication, authorization and accounting).
Within Access control, you explored
the characteristics of different types of access control such as:
- MAC, Mandatory Access Control,
a lattice-based approach in which the system enforces access from labels
attached to subjects and objects; the Bell-LaPadula model is the classic
example.
- DAC, Discretionary Access Control,
in which the owner of an object generally retains the right to grant access
to others, so a Trojan horse run by the document owner inherits that right
and could be used to hand the document to an attacker.
- RBAC, Role-Based Access Control,
in which access permissions are attached to job roles such as Accountant or
Regional Sales Director, and users obtain permissions by being assigned
those roles.
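The three models side by side, as an added example that is not part of the CertiGuide text: a toy reference monitor in Python. The labels, users, roles and permissions are constructed for illustration. The last function plays out the Trojan-horse point from the DAC bullet: code running with the owner's identity can change the ACL under DAC, while under MAC the same code is still bounded by the labels.

```python
"""Added example (not from the CertiGuide text): a toy reference monitor
implementing MAC (Bell-LaPadula), DAC and RBAC.  All names and labels are
constructed for illustration."""
from dataclasses import dataclass, field

# --- MAC: Bell-LaPadula on a linear lattice of sensitivity labels ---------
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def mac_read_ok(subject_label: str, object_label: str) -> bool:
    """Simple security property: a subject may not read *up* the lattice."""
    return LEVELS[subject_label] >= LEVELS[object_label]


def mac_write_ok(subject_label: str, object_label: str) -> bool:
    """*-property: a subject may not write *down* the lattice (no leaking)."""
    return LEVELS[subject_label] <= LEVELS[object_label]


# --- DAC: the owner controls the object's ACL ----------------------------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of rights


def dac_grant(obj: DacObject, actor: str, grantee: str, right: str) -> bool:
    """Only the owner may change the ACL.  Returns True if the grant took effect."""
    if actor != obj.owner:
        return False
    obj.acl.setdefault(grantee, set()).add(right)
    return True


def dac_allowed(obj: DacObject, user: str, right: str) -> bool:
    return user == obj.owner or right in obj.acl.get(user, set())


# --- RBAC: permissions hang off job roles; users are assigned roles ------
ROLE_PERMS = {
    "Accountant": {"ledger:read", "ledger:post"},
    "RegionalSalesDirector": {"forecast:read", "forecast:write"},
}
USER_ROLES = {"alice": {"Accountant"}, "bob": {"RegionalSalesDirector"}}


def rbac_allowed(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def trojan_horse_scenario() -> dict:
    """Code running *as the owner* (a Trojan horse alice was tricked into
    running) can hand out her document under DAC.  Under MAC the same code is
    still bounded by the labels: it cannot write the SECRET content down to an
    UNCLASSIFIED object, and mallory cannot read up."""
    doc = DacObject(owner="alice")
    # The Trojan executes with alice's identity, so the ACL change succeeds.
    dac_leak = dac_grant(doc, actor="alice", grantee="mallory", right="read")
    return {
        "dac_grant_succeeded": dac_leak,
        "mallory_reads_under_dac": dac_allowed(doc, "mallory", "read"),
        "mallory_reads_under_mac": mac_read_ok("UNCLASSIFIED", "SECRET"),
        "trojan_writes_down_under_mac": mac_write_ok("SECRET", "UNCLASSIFIED"),
    }
```

The MAC checks use a single linear ordering for brevity; a real lattice also carries compartments (need-to-know categories), and dominance requires both a high enough level and a superset of categories.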
Within Authentication, you learned
about the three types of authentication, based on:
- Something you are (biometrics)
- Something you have (such as a smart card)
- Something you know (such as a password)
You discovered key points about several
authentication technologies, such as:
- Kerberos, which uses tickets as identity
tokens, employs temporary session keys and symmetric encryption, and
is careful not to send the password over the wire; it can still be
vulnerable to replay of captured tickets and to offline password guessing,
because the initial exchange is protected with a key derived from the
user's password.
- CHAP, which uses a 3-way challenge/response
handshake (challenge, response, success/failure) repeated at random times
during a login session; the response is a one-way hash of the identifier,
the shared secret and the challenge, so like Kerberos it does not send the
password over the wire.
- Digital certificates (more about these
in Chapter 4 -- later!)
- Passwords, which should not be sent over
the network where they can be sniffed by users running network
monitoring software, and should not be dictionary words or other short,
easy-to-guess sequences.
- Tokens, hardware devices which can be
used, often together with a PIN, for authentication; smart-card tokens
commonly hold a digital certificate and its private key.
- Multi-factor authentication, which uses
a combination of 2 or more authentication techniques to reduce the probability
of spoofing.
- Mutual authentication, in which both parties
to a conversation authenticate themselves to each other.
- Biometrics, which involve something you are,
such as your fingerprint, or something you do, such as your typing style/rate.
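The CHAP exchange from the list above, played out with both sides modelled, as an added example that is not part of the CertiGuide text. It follows RFC 1994 (Response = MD5(Identifier || Secret || Challenge)); the peer name and shared secret are constructed. The demo records everything that crosses the wire, re-challenges mid-session, and then tries the two attacks the summary mentions for Kerberos: replaying a captured response and guessing the secret.

```python
"""Added example (not from the CertiGuide text): the RFC 1994 CHAP three-way
handshake with authenticator and peer modelled, plus replay and wrong-secret
attempts.  Peer name and shared secret are constructed."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The server side.  It knows the shared secret but never transmits it."""

    def __init__(self, secrets_db: dict):
        self.secrets = secrets_db          # name -> shared secret
        self.identifier = 0
        self.outstanding = None            # (identifier, challenge) awaiting a reply

    def challenge(self) -> tuple:
        """Message 1 (Challenge): fresh random value and new identifier every time."""
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)
        self.outstanding = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        """Message 3 (Success/Failure) is decided here."""
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False                   # stale or unknown challenge
        ident, chal = self.outstanding
        self.outstanding = None            # each challenge may be answered once
        expected = chap_response(ident, self.secrets.get(name, b""), chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """The client side: proves knowledge of the secret without revealing it."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        """Message 2 (Response)."""
        return self.name, identifier, chap_response(identifier, self.secret, challenge)


SECRET = b"correct horse battery staple"    # constructed shared secret


def run_demo() -> dict:
    auth = Authenticator({"alice": SECRET})
    alice = Peer("alice", SECRET)
    wire = []                                 # everything a sniffer would see

    # Handshake at login.
    ident, chal = auth.challenge()
    wire.append(chal)
    name, ident, resp = alice.respond(ident, chal)
    wire.append(resp)
    login_ok = auth.verify(name, ident, resp)

    # Periodic re-challenge during the session: the peer must answer again.
    ident2, chal2 = auth.challenge()
    wire.append(chal2)
    name2, ident2, resp2 = alice.respond(ident2, chal2)
    wire.append(resp2)
    rechallenge_ok = auth.verify(name2, ident2, resp2)

    # Attacker replays the captured first response against a fresh challenge.
    ident3, chal3 = auth.challenge()
    wire.append(chal3)
    replay_ok = auth.verify("alice", ident3, resp)

    # Attacker who does not know the secret answers from a guess.
    ident4, chal4 = auth.challenge()
    guess_ok = auth.verify(*Peer("alice", b"password").respond(ident4, chal4))

    return {
        "login_ok": login_ok,
        "rechallenge_ok": rechallenge_ok,
        "replay_accepted": replay_ok,
        "wrong_secret_accepted": guess_ok,
        "secret_on_wire": any(SECRET in m for m in wire),
    }
```

The caveat a practitioner should keep in mind: because the hash is unkeyed and fast, a sniffer who captures one (challenge, response) pair can test secret guesses offline at MD5 speed, so CHAP's protection of the secret depends on the secret being long and random, not a dictionary word.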
You learned about different types
of Auditing (the process of monitoring a system or network, verifying
configuration and watching for security exposures), including configuration
and log analysis and system/network scanning (using programs like nmap).
You learned that it is best to disable
and filter access to non-essential services and protocols, because the
more unnecessary features available on a system, the more vulnerable
it is.
You discovered that would-be crackers
may use OS fingerprinting to learn about a server before they attack
it, and investigated the details of common types of cyber attacks
such as:
- DoS/DDoS, where the attacker floods a
network or host with traffic, or sends malformed packets, and causes a denial
of service to a machine or network; a Distributed DoS uses many compromised
machines to do it. Techniques include ping flooding, SYN flooding and
fragment-overlap attacks such as teardrop; Trinoo is a common DDoS tool.
- Backdoors, which give the attacker a way
into the system without the usual security checks; NetBus and BackOrifice
are common backdoor programs.
- Spoofing, made possible by the design
of IP, in which the attacker misleads everyone as to their location
and identity by using a faked source IP address in packets; in blind spoofing,
the attacker sends packets to the target system but cannot see
that system's replies.
- Man-in-the-Middle, or MITM, often
used to take over a telnet session, in which the attacker
intercepts the packets in a conversation between two machines, altering
some on the fly.
- Replay, where the attacker captures the
packets involved in one side of a network conversation and replays them
later; can sometimes be used to spoof authentication/authorization.
- TCP/IP Hijacking, where the attacker takes
control of a TCP/IP conversation.
- Weak Keys, in which the attacker takes
advantage of weak encryption keys used to secure a conversation
or data; generally 40-bit and 56-bit key lengths (export-grade RC4 and
single DES, for example) are not considered sufficient today.
- Mathematical attacks; the attacker takes
advantage of mathematical properties of an encryption technique to discover
the original key or break the technique without need for the original
key.
- Social Engineering, where the attacker
uses interaction with people to learn about and compromise the network,
taking advantage of their desire to be helpful by providing names, passwords,
etc.
- Birthday attacks, based on the surprisingly high probability
of a duplicate within a modest number of random samples (about 2^(n/2)
samples for an n-bit digest, not 2^n); attackers can take advantage
of this to find two different texts that have the same message digest, and
therefore the same digital signature.
- Automated Password Guessing attacks like
Brute Force (the attacker tries every possible combination of
characters in an attempt to find a password) and Dictionary Attacks
(the attacker tries each word appearing in a dictionary, to see if it
matches the password).
- Software Exploitation, in which the attacker
takes advantage of bugs, or malfunctions, in software with
techniques like buffer overflow or SQL injection exploits.
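The two hash-based attacks in the list above, automated password guessing (dictionary and brute force) and the birthday attack, as an added example that is not part of the CertiGuide text. The wordlist and target passwords are constructed. The guessing functions also show why a salt matters: a precomputed hash-to-word table only works when the stored hash is unsalted. The collision search runs on SHA-256 truncated to 32 bits so the birthday bound (about 2^16 hashes rather than 2^32) is visible in seconds.

```python
"""Added example (not from the CertiGuide text): dictionary and brute-force
guessing against a stored password hash, and a birthday-style collision
search on a truncated digest.  Wordlist and targets are constructed."""
import hashlib
import itertools

WORDLIST = ["123456", "password", "letmein", "dragon", "qwerty", "monkey"]
LOWER = "abcdefghijklmnopqrstuvwxyz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def dictionary_attack(target_hex, wordlist, salt: bytes = b""):
    """Try each dictionary word (prefixed with the salt if the scheme uses one)."""
    for word in wordlist:
        if sha256_hex(salt + word.encode()) == target_hex:
            return word
    return None


def brute_force(target_hex, alphabet: str, max_len: int):
    """Try every string over `alphabet` up to `max_len`: sum of |alphabet|**n
    candidates, which is why length and character-set size are what matter."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            candidate = "".join(combo)
            if sha256_hex(candidate.encode()) == target_hex:
                return candidate
    return None


def precomputed_table(wordlist) -> dict:
    """hash -> word table built once and reused against every victim.  It only
    works against *unsalted* hashes: a per-user salt makes every entry useless."""
    return {sha256_hex(w.encode()): w for w in wordlist}


def birthday_collision(bits: int = 32) -> tuple:
    """Find two distinct messages whose SHA-256 digests agree in the first
    `bits` bits.  Expected work is about 2**(bits/2) hashes (the birthday
    bound), not 2**bits.  Returns (msg_a, msg_b, hashes_computed)."""
    nbytes = bits // 8
    seen = {}                              # truncated digest -> message
    for i in itertools.count():
        msg = f"document-{i}".encode()     # distinct messages by construction
        tag = hashlib.sha256(msg).digest()[:nbytes]
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
```

The collision function keeps every tag in memory, which is fine at 32 bits; against a full-size digest the same idea needs 2^(n/2) work, which is why a 128-bit digest gives only 64 bits of collision resistance.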
You explored different types of malicious
code, which are programs written for a malicious purpose, such as:
- Viruses, programs that attach themselves
to a host file and often replicate automatically around the system;
they can generally be detected by signature-based anti-virus programs.
- Trojan Horses, programs that masquerade
as one thing, but include extra, hidden, malicious functionality.
- Logic Bombs, programs whose malicious
functionality runs at some future date when a set time has elapsed,
when a user ID is no longer on the system, etc.
- Worms [130], programs similar to viruses which can replicate
across a network on their own.
You learned that social engineering
involves defeating established security measures by taking advantage
of the fact that people are often the weakest link in any security system.
It often uses no software tools at all and thus cannot be detected
automatically by traditional intrusion-detection technology.
__________________
130. http://www.cs.berkeley.edu/~nweaver/warhol.html (article on super worms)
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.