
Microsoft Security+

Terms

Confidentiality.
Ensures that information is accessed only by authorized personnel.

Integrity.
Ensures that information is modified only by authorized personnel.

Availability.
Ensures that information and systems c
When you combine efforts to provide data confidentiality, data integrity, and data availability with physical security, you can provide a very effective security solution.
Risk is the exposure to loss or possible injury. With information security, the risk is that your company's information will fall prey to outside forces and cause your company losses in time, money, and reputation.
A threat, for information security, is any activity that represents possible danger to your information. Threats can take many forms, but any threat poses a danger to the C-I-A triad. In the example of the tea company, another company could steal the formula for the tea, or an employee could sell the formula to another company.
A vulnerability is a weakness in your information security that could be exploited by a threat; that is, a weakness in your systems and network security, processes, and procedures. With the tea company, the formula for the tea is the valued information.
Place a value on the information.

Identify as many risks as possible and their associated threats and vulnerabilities.

Mitigate the identified risks.

Be aware that there are always things that you overlooked.
Denial of service (DoS).
This type of attack renders a service inoperative. For instance, a DoS attack can make a popular Web site unavailable for some length of time. A distributed denial of service (DDoS) attack has the same impact, but the attac
Spoofing.
For information security, spoofing is pretending to be someone else by impersonating, masquerading, or mimicking that person. If you provide a user name and password, Internet Protocol (IP) address, or any other credential that is not yours to gain access to a network, system, or application, then you are spoofing that system.
Virus.
A virus is a program that can replicate, but not propagate, itself. It requires an installation vector, such as an executable file attached to an e-mail message or a floppy disk. A virus infects other programs on the same system and can be t
Worm.
A worm is a program that can replicate and propagate itself. It propagates itself by infecting other programs on the same system, and also spreading itself to other systems across a network, without the need for an installation vector. A worm can also destroy data, crash systems, or be mostly harmless.
Trojan horse.
Generally, a Trojan horse program looks desirable or harmless, but actually does damage. For instance, you might download what you think is a game, but when you run it, you find that it deletes all of the executable files on your hard
One of the hardest attacks to defend against is social engineering, the act of leveraging politeness and gullibility in others to gain access to secure resources through deceit. For instance, someone might call and say he or she is repairing a system of yours and needs the password to log on to the system and verify that the repair is complete. Another ploy might be that someone will walk up to a secured door that requires a special card to access and ask you to hold the door open so he or she can enter.
Internal access points

Systems that are not in a secured room

Systems that do not have any local security configured

External access points

Network components that connect your company to the Internet

An external intruder might place a virus or worm in an e-mail message and send the message to a user on your internal network. When opened, a virus might infect the system or provide the intruder with a way to control the system the e-mail was opened on.
An internal intruder might use native operating system utilities to connect to other systems on your internal network that do not require a user name or password to gain access. They might also use an application such as a Web browser to access confident
System hardening.
Includes removing unused services, ensuring that the latest security patches and service packs are installed, and limiting the number of people with administrative permissions. Hardening the system minimizes the risk of a security breach to the system.
Application hardening.
Includes applying the latest security patches and enforcing user-level security if available. Applications on a system can be client applications, such as a Web browser, or server applications, such as a Web server applicatio
Enable local file security.
Enabling local-level file security could include applying access control lists (ACLs) or an Encrypting File System (EFS); each would help ensure that only authorized people have access to the sensitive data stored in files on the hard disk.
When you use encryption keys to secure communications, there is a pair of keys involved, a public key and a private key. The public key is used to either encrypt or sign data, and the private key is used to decrypt the data. The private key can also be u
With biometric authentication, a physical characteristic and knowledge are combined to provide authentication. For instance, a user's retina or thumbprint is scanned and used for authentication in concert with a PIN or password.
Enabling auditing does not provide a method of defense through securing a system. Auditing is used to capture security-related events in a log file. You then use the log file to identify possible security breaches or attempts at breaching security.
Forensics is the investigation and analysis of a computer for the purpose of gathering and preserving evidence.
When an attack occurs, preserve the data so that a forensics expert can attempt to gather enough information to find and eventually prosecute the attacker. When you preserve data, you do not need to collect the data; you simply need to make sure you do n
Your company's employees do not own the e-mail they receive in their e-mail account at work, nor is the telephone theirs. The e-mail stored in an employee's account is subject to review by the company, as are their telephone records and calls.
The Data Link layer (Layer 2) is responsible for converting data packets that are received from the network layer and encoding them into bits.
The Network layer (Layer 3) provides routing and switching capabilities, and creates logical paths between two computers to create virtual circuits. This layer is responsible for routing, forwarding, addressing, internetworking, error handling, congestion control, and packet sequencing.
The Transport layer (Layer 4) transfers data between end systems or hosts, and is responsible for end-to-end error recovery and flow control between the two end systems.
The Session layer (Layer 5) establishes, manages, and terminates connections between applications on two computers. The session layer sets up, coordinates, and terminates all interchanges between applications on both computers.
The Presentation layer (Layer 6) provides a heterogeneous operating environment by translating from the application's data format to the underlying network's communications format.
The Application layer (Layer 7) supports end-user and application processes.
SYN segment.
This is the first segment of the three-way handshake. The information sent by computer1 includes source and destination port, starting sequence number, the receive buffer size, maximum TCP segment size, and the supported TCP options.
SYN-ACK segment.
This segment is the reply that computer2 returns to computer1. The information sent includes source and destination port, starting sequence number, acknowledgment number, receive buffer size, maximum TCP segment size, and an acknowledgment that computer2 supports the options that computer1 sends. When computer2 sends this message, it reserves resources to support this connection.
ACK segment.
This segment is sent by computer1 to establish the final TCP connection parameters that will be used between the two computers. The information sent includes the source and destination ports, sequence number, acknowledgment number, ACK
Attacks at the Network Interface layer involve manipulation of the header information and addressing. This layer supports communication on a local network, and therefore uses MAC addresses to communicate. Attacks at this layer are localized to a single network, and can use MAC addressing information or the protocols that resolve MAC addresses to deny or disrupt communications.
Attacks at the Internet layer also involve manipulation of the header information and addressing. The IP addresses of the source and destination computers are part of the header, as well as the Transport layer protocol that particular datagram is using.
Attacks at the Transport layer can take advantage of the TCP and UDP protocols and the various implementations of those protocols. Examples of this type of attack would be sending the ending sequence of a TCP three-way handshake, or sending a packet that is larger than the largest supported packet size.
Attacks at the Application layer typically attack applications that are used to pass information between client and server computers. An example of this would be a client opening a Web browser and retrieving a Web page from a Web server. An attack might
...
Confidentiality.
Confidential means private or secret. Confidentiality ensures that only authorized personnel access information. One way to provide confidentiality is to encrypt data.

Integrity.
Integrity means having an unimpaire
Nonrepudiation.
Repudiate means to reject as unauthorized or nonbinding. Nonrepudiation prevents an individual or process from denying performing a task or sending data.

Identification and authentication.
Access control allows access only to those who should have it. This is accomplished through identification and authentication, which ensures that when data is received or accessed, the sender is authorized.
A key is a set of instructions that govern ciphering or deciphering messages.

A secure hash function is a one-way mathematical function that creates a fixed-sized representation of data.
A symmetric key is a single key used for encrypting and decrypting data, and everyone that is allowed to encrypt and decrypt the data has a copy of the key.

An asymmetric key pair is made up of two keys that form a key pair; one key is used to encrypt data, and the other key is used to decrypt data.
A public key is provided to many people and is used to validate that a message came from the private key holder or to encrypt data to send to the private key holder.
A private key is a secret key that only the private key holder has. It is used to decrypt information encrypted with the public key, and also to create a digital signature.
By combining the abilities of secure hash functions, symmetric key encryption, and asymmetric key encryption, you can create a solution that provides confidentiality, integrity, authentication, and nonrepudiation.
Using a symmetric key or shared secret to encrypt and decrypt large amounts of data is the best way to provide confidentiality.
You can provide message integrity using a secure hash function to create a message digest, although symmetric keys and asymmetric key pairs provide data integrity in other ways.
Asymmetric encryption can be used to create a digital signature, which can be attached to an e-mail. This authenticates who sent the message.
You can establish nonrepudiation by using an asymmetric key to create a digital signature and attaching it to an e-mail. This can verify the sender's identity.
...
Using asymmetric keys without a supporting infrastructure is not scalable to a large environment. A public key infrastructure (PKI) uses asymmetric key pairs and combines software, encryption technologies, and services to provide a means of protecting th
A certificate is a digital representation of information that identifies you as a relevant entity by a trusted third party (TTP).
A certification authority (CA) is an entity that is recognized as an authority trusted by one or more users or processes to issue and manage certificates.
A certificate revocation list (CRL) is a list of certificates issued by a CA that are no longer valid.
To create a scalable solution, you have to design a CA architecture so that CAs can validate certificates issued by other CAs by establishing trusts between CAs.
Trusts are established between CAs by having each CA issue a certificate to the other CA.
With mesh trust architectures, all CAs issue certificates for all other CAs. This provides multiple trust paths that can be used for certificate validation.
Hierarchical trusts establish a top-level CA known as a root CA. Subordinate CAs can be created below that. All users issued certificates in the hierarchy know the root CA, so certificate validation across multiple arms of the hierarchical structure validates through the root CA.
Bridge CAs connect mesh and hierarchical architectures together. They do not issue certificates to end users, only to other CAs.
...
The key life cycle of a certificate is broken into seven distinct stages: certificate enrollment, certificate distribution, certificate validation, certificate revocation, certificate renewal, certificate destruction, and certificate auditing.
During certificate enrollment, a user requests a certificate from a CA.
Once the CA is satisfied with the credentials presented by the user requesting the certificate, the CA distributes the certificate to the user.
If anything occurs before the expiration of the certificate that warrants the cancellation of the certificate, it is added to the CA's certificate revocation list (CRL).
If the certificate is not revoked and reaches the expiration date, it can be renewed.
To better manage and control certificates, CAs track various events, such as creations, revocations, renewals, and in some cases, successful usage.
You must control access to critical resources, protocols, and network access points. This includes protecting the physical security of equipment and the configuration of devices.
Attacks against your network infrastructure can include physical attacks, such as destruction or theft of equipment, and the physical modification of equipment configurations. Attacks can also involve the logical modification of network infrastructure device configurations, such as changing a routing or switching table.
You can protect your physical network infrastructure with security personnel, closed-circuit TV, alarms, access cards, locks, tamper-proof seals, backup electrical power, and similar measures.
Restrict remote administration of network infrastructure equipment whenever possible. When you must allow remote administration, be sure to use the most secure authentication and encryption possible.
Security zones help organizations classify, prioritize, and focus on security issues based on the services that are required in each zone. When a perimeter network is present there are at least three security zones: intranet, perimeter network, and extra
Some organizations require a separate security zone called an extranet, which is an extension of the private network (or a portion of that network) to provide services to trusted partners.
NAT can be used to protect your internal network-addressing scheme from discovery by hosts on the external network. This helps prevent attacks against individual hosts and obscures the number of hosts and services provided by the internal network. NAT can
VLANs can combine or subdivide internal physical network segments logically using switches and frame tagging. VLANs can change the logical structure of your network without the need for physical reconfiguration. VLANs can be used to isolate hosts and segments and control broadcast traffic.
Honeypots and honeynets are used to help you detect and learn from attackers. Honeypots are attractive targets for attackers because they are often exposed directly to the Internet without the protection of a firewall. The devices are configured to track
...
War dialing is a programmatic technique used to dial every possible telephone number in a specified range. Therefore, keeping your remote access telephone numbers unpublished cannot be considered a reliable method of securing your remote access telephone
...
A VPN is a connection between a remote computer and a server on a private network that uses the Internet as its network medium.
PPTP is a tunneling protocol that helps provide a secure, encrypted communications link between a remote client and a remote access server. Other protocols that are associated with VPNs include IPSec, IKE, L2F, and L2TP.
RADIUS provides centralized authentication, authorization, and accounting services for remote access connectivity.
TACACS+ provides a way to centrally validate users attempting to access a router or access server.
SSH provides strong authentication and secure communications over unsecured channels and protects against packet spoofing, IP spoofing, host spoofing, password sniffing, and eavesdropping.
...
Application

Wireless Application Environment (WAE)

Wireless Markup Language (WML) protocol operates at this layer.
Session

Wireless Session Protocol (WSP)

Uses a token-based version of Hypertext Transfer Protocol (HTTP) to support operations over limited bandwidth.
Transaction

Wireless Transaction Protocol (WTP)

Supports multiple message types and limits the overhead of packaging sequencing.
Transport

Wireless Transport Layer Security (WTLS)

Security layer, based on standard Transport Layer Security (TLS)
Bearer

Wireless Datagram Protocol (WDP)

Provides a consistent interface between over-the-air protocols.
...
IEEE 802.11b devices can transmit in the 2.4 GHz range at speeds of up to 11 Mbps and a range of up to 1500 feet outdoors.
The IEEE 802.11 standard provides three ways to provide a greater amount of security for the data that travels over the WLAN: using SSIDs, providing a mechanism to authenticate wireless users, and employing encryption capabilities.
WEP utilizes the RC4 encryption algorithm to provide up to 128-bit encryption and also provides the added benefit of becoming an authentication mechanism.
WAP is a transport protocol used with wireless networking, and most application development for wireless applications uses WML.
WTLS is the security layer of the WAP, providing privacy, data integrity, and authentication for WAP services.
IEEE 802.1x is a standard for port-based network access control that provides authenticated network access to 802.11 wireless networks and wired Ethernet networks.
During a port-based network access control interaction, a LAN port adopts one of two roles: authenticator or supplicant. In the role of authenticator, a LAN port enforces authentication before it allows user access to the services that can be accessed th
...
You can protect e-mail by using secure electronic messaging programs. PGP-enabled and S/MIME-enabled applications are able to encrypt, decrypt, and digitally sign e-mail. When implemented properly, only the intended recipient can read encrypted e-mail. F
E-mail vulnerabilities plague almost all e-mail systems. It is very likely that the discovery and exploitation of vulnerabilities will never end. Therefore, it is imperative that you pay attention to security alerts from vendors concerning their applications, in addition to generic alerts provided by organizations such as cert.org. Further, you should test and apply security fixes as soon as they are made available.
You can protect your organization from spam by implementing e-mail filters at the Internet gateway and on client desktops. You can also educate network users on how to avoid being targeted by spam. A list of six steps to help people reduce their exposure
E-mail scams are not new. Many scams that are carried out today over e-mail were propagated through letters and faxes before e-mail became popular. Awareness of the existence of most scams is the best defense against them. To that end, the FTC has compiled a list of 12 common e-mail scams. To protect your organization from these scams, educate network users about them and create policies that help to prevent people in your organization from being caught in a scam.
You can help reduce the propagation of e-mail hoaxes by educating users about how to recognize these hoaxes. Hoaxbusters.org has compiled a list of five tell-tale signs of an e-mail hoax. Ask users to review the list. Your organization's technical suppor
...
SSL/TLS can be used to protect Web communications by encrypting them. SSL/TLS can also be used to identify and authenticate clients securely and protect the transfer of passwords across the Internet.
Active content is frequently used on the Internet to provide value-added services. Unfortunately, active content might be used to exploit systems. Users who interact with malicious active content might run programs that harm their systems and others on the network. To protect your organization from active content exploits, consider disabling the processing of active content. You should also warn network users of the potential for exploits.
Buffer overflows occur when an application receives more data than it was designed to handle in its buffer. A buffer that overflows could negatively affect other applications. Buffer overflows are frequently found and exploited by attackers. To protect y
Cookies are sometimes used to store authentication information or other private data. Cookies can be stolen and packet sniffed during transfers. To improve the security of cookie data, use SSL/TLS encryption. Limit or prevent the use of cookies for authentication or private information.
CGI programs that are not created using secure coding practices are likely to have vulnerabilities. Buffer overflows are one of the most commonly exploited vulnerabilities of CGI applications. To secure CGI applications, ensure that they are developed us
Instant messaging (IM) programs typically transfer messages in cleartext between hosts. These communications can easily be intercepted and read by attackers with protocol analyzers. Further, buffer overflow security exploits have been discovered in several popular IM applications. Be sure to test and apply all security patches as soon as they are made available by software vendors.
Standard FTP is not encrypted and consequently authentication and file transfers are not encrypted. This means that anyone with a protocol analyzer could potentially read user names, passwords, and the files transferred over this protocol.
To protect your FTP client/server communications from packet sniffing, you can implement Secure FTP or Kerberized FTP, which encrypt FTP communications.
File-trading utilities could pose a significant security risk to many organizations. They are often used to transfer copyrighted material from user to user. Further, these utilities can be used to circulate Trojan horse software.
The best protection against security issues related to file-trading utilities is to prohibit their use and remove them from all systems on the network.
Kerberos provides a method of mutual authentication that is scalable enough to support authentication across the Internet.

A Kerberos realm is a boundary that is comprised of an AS and TGS. Together these form a KDC.
Once a principal in a realm is granted a TGT, it is able to obtain session tickets for other realm principals.

To access services in other realms, the TGS in each realm must form a relationship. When the principal in one realm needs access to a principal in another realm, the principal requests an RTGT from its TGS and then contacts the TGS for the other realm to request a session ticket for the remote service.
With user name and password authentication, the user provides his or her user name and password to authenticate. This information is typically encrypted for transport to the authentication server, but if it is intercepted, it can be cracked programmatica
With token-based authentication, the user is issued a device that is used for authentication. The device can be synchronized with a server with a number that changes at predetermined intervals, or it can contain user information and a certificate. This type of authentication relies on something you have.
With biometric authentication, the user is issued a sensor that scans some physical attribute of the user and sends that information to the authenticating server. The server compares a stored sample to the sample provided by the user to validate the user
There are multiple authentication methods available, and the security offered by combining methods to form a multifactor authentication process is much greater than using any single authentication method.
Access control is the process of limiting access to systems and resources to those who require access. That access is limited to just the access permissions needed by the user to perform the tasks he or she needs to perform.
DAC permits the owner of an object (such as a process, file, or folder) to manage access control at his or her own discretion. A security limitation with this model is that there is no mechanism for creating and enforcing rules regarding access control. The access controls are configured at the discretion of the owner of an object.
With MAC, access to an object is restricted based on the sensitivity of the object (defined by the label that is assigned), and granted through authorization (clearance) to access that level of data.
With RBAC, access is based on the role a user plays in the organization. For instance, a human resources manager would need access to information that a department manager would not need access to, and both would need access to some common information.
Vulnerabilities are often discovered in network devices, operating systems, and applications. You should monitor for security alerts to ensure that you know about exploits that could affect your equipment. Be sure to verify, test, and apply all security
To better protect your network devices and hosts, you should do the following:

Disable unnecessary programs and processes.

Disable unnecessary services.

Disable unnecessary protocols.

Verify, test, and install all vendor patches.

Use vulnerability scanners to identify potential security weaknesses.

Disable promiscuous mode.
Choose secure file systems that allow you to set file- and folder-level permissions. Configure file system permissions according to the rule of least privilege.
In addition to removing all unnecessary components and applying security updates, additional steps to secure operating systems, beyond those already discussed, include the following:

Set complex passwords for all user accounts and change them frequently.

Set account lockout policies.

Remove or disable all unnecessary modems.

Enable monitoring, logging, auditing, and detection.

Maintain backups and disk images.
The following security tips are common to all servers: research issues that are specific to your server and its applications, keep informed of security alerts and updates, enable logging mechanisms, enable user encryption, maintain backup copies of infor
General tips for securing Web servers include the following: reduce features, secure available features, isolate your public Web servers from your internal network by placing them in a perimeter network, protect your internal Web servers by blocking port 80 on the internal firewall, and carefully choose Web server directories and secure them appropriately.
Security tips for FTP servers include the following: isolate your public FTP servers from the internal network by placing them in a perimeter network, protect your internal FTP servers by blocking TCP/UDP ports 21 and 20 on the internal firewall, don't a
The following are some security tips for e-mail servers: use virus scanners to protect your systems from viruses, use an e-mail relay or gateway server to protect your e-mail server, reduce processing load, scan for unwanted content, and scan for and close open SMTP relays.
Security tips for DNS servers include the following: use a separate DNS server for internal and perimeter network name resolution, restrict the information you place in DNS, limit zone transfers, secure zone transfers, secure dynamic updates, and use sec
The following are some security tips for DHCP: scan for rogue DHCP servers, configure DNS server information at the DHCP client, restrict address leases to known MAC addresses, and block DHCP ports at the firewall.
Security tips for file and printer servers include the following: block access to shares and related information at the firewall, use the highest security and authentication levels available, and verify share security.
Security tips for NNTP servers include the following: block NNTP at the internal firewall, require authentication and encryption on private servers, and consider the information you allow and post on NNTP servers.
The following are some security tips for LDAP servers: configure strong authentication, implement SLADP when encryption is required, and block access to LDAP ports from external networks.
Security tips for database servers include the following: run test queries against the server to check security, use stored procedures, configure authenticated access and restrict or disallow unauthenticated access, encrypt data transfers for confidential data, and block database ports at the firewall.
Network resources must be protected physically as well as technically.

Proper physical security uses concentric rings of increasingly strong barriers as you approach the central ring.
Biometric technologies provide an additional method for identifying and verifying users.

Social engineering is the process of circumventing security barriers by persuading authorized users to provide passwords or other sensitive information.
Fire suppression systems using inert gas minimize the damage caused by fire and firefighting techniques.
Wireless networking presents additional security problems that can be minimized by judicious selection of power settings and careful antenna placement.
Regular backups with offsite storage are an essential element of any disaster recovery plan.
Maintaining mirror servers at distant sites provides an immediate failover capability.
Rather than assign privileges to individual users, operating systems typically enable administrators to create groups, of which users are members. Privileges granted to a group are inherited by all of its members.
Creating groups is a matter of determining which users need to have the same privileges.
Centralized management, in the form of directory services and other single sign-on applications, has simplified the privilege management process by enabling administrators to create one account for each user, instead of many.
Auditing enables administrators to track the privileges granted to a user, the resources that the user has accessed, and the overall usage of a resource.
Magnetic tape is the traditional storage medium of choice for backups and data archiving. Data stored on tapes can be secured using passwords or encryption, and the data can be completely and permanently erased if needed.
CD-Rs and CD-RWs have become the most popular general-use removable storage media in recent years, due to their low cost and relatively high capacity. Data on CD-Rs and CD-RWs can be secured, and CD-RWs can be securely erased. CD-Rs must be physically destroyed to erase their data, and there is no practical destruction method at this time that is completely foolproof.
The low cost and high capacity of hard disks have made them a viable solution for backups and archiving, now that drive arrays that allow quick removal of the device are common. Hard disks are relatively fragile compared to other storage media, however.
Floppy disks are no longer a popular storage medium because of their slow speed and low capacity. In most cases, floppy disk drives can be removed from computers if an administrator wants to prevent users from copying confidential data.
Flash memory cards are new technologies that store data in extremely compact form factors, making them a potential source of concern for security administrators.
Smart cards are specialized data storage devices that are primarily used for authentication. They are encrypted to keep the information on them secure.
Business continuity management (BCM) consists of the review, planning, and implementation processes that a business must perform to keep operating in the face of any sort of interruption. BCM transcends the IT department and must involve the entire compa
To create a business continuity plan, you must identify the mission-critical processes that your business needs to function.
After outlining your business processes, you must then decide on a course of action for each process, whether to take steps to keep that process operating under any conditions, insure the business against the losses an interruption of that process can ca
Backups with offsite media storage are the most fundamental business continuity tool.
High availability and fault-tolerance technologies, such as RAID and server clustering, can keep a business operating despite a systems or hardware failure.
Utilities, such as electric power, are frequently taken for granted, and compensation for outages should be a part of the business continuity plan.
Documentation creates the foundation of your security plan. You can use standards, guidelines, and government regulations to help formulate your organizational policies and procedures.
Common Criteria is an international standard for evaluating the security of computer and network devices. This standard is supported by many different countries and has ISO equivalent standard 15408.
Security policy is created from multiple subordinate policies such as access policy, accountability policy, authentication policy, password policy, firewall policy, and many other policies concerning privacy, system availability, maintenance, violations
Threat multiplied by vulnerability multiplied by impact equals risk. To calculate risk, you must first assess the value of your assets, determine the likelihood of potential threats attacking or affecting your organization, and estimate the damage that w
Assets are typically identified and valued by accountants because depreciation in value is involved in some of these calculations. The security administrator must be able to identify assets and have some concept of their value to the organization.
Identifying and categorizing threats is important because there are many possible threats to any given organization. The security administrator must assess the likelihood that each threat will affect the organization and then prioritize security controls
To properly assess risk, a security administrator must assess the vulnerabilities of the organization's assets. This means the security administrator must determine how exposed each resource is to the possible threats that exist in the world.
The security administrator must also decide how susceptible each asset is to compromise. The question here is how much of a given asset could or probably would be compromised in an attack.
Communication lines must be open for a security program to be successful. Support from top executives and the security administrator should be quite evident throughout the organization. Organizational members should be encouraged to ask questions, expres
Security awareness is largely a marketing effort to promote the organization's security program. This effort can be undertaken with logon banners, trinkets with messages, motivational slogans, and a variety of other attention-catching methods.
Security training seeks to increase involvement and teach people how to accomplish tasks. Security training is most effective when it is hands-on and directly related to the participant's job.
Security education is an ongoing effort. As organizational members move into discussing, researching, and fully participating, they are embracing the education stage.
Replay attacks involve listening to and repeating data passed on the network. An attacker tries to capture packets containing passwords or digital signatures as they pass between two hosts on the network using a protocol analyzer. The attacker then filte
DoS and DDoS attacks seek to disrupt normal operations. Essentially, a DoS attack is any attack that consumes or disables resources in an attempt to hinder or disrupt some operation or function. Some DoS attacks target specific software flaws and others attempt to consume resources so that legitimate users cannot utilize a service.
DDoS attacks are DoS attacks conducted simultaneously from multiple computers. DDoS attacks are often conducted using other compromised computers running zombie software, which is any software under the remote command of an attacker.
IP address spoofing is forging the IP source address in one or more IP packets to show that the packet came from a source other than the true source of the packet.

ARP cache poisoning or spoofing is a method for placing incorrect information in computers' ARP caches to misroute packets.

RIP spoofing uses the Routing Information Protocol (RIP) to update routing tables with bogus information.
The ping of death (POD) is a flaw exploitation attack in which the attacker sends an ICMP echo request that is larger than 65,536 bytes to a target.
Teardrop (also called a fragmentation attack) is a flaw exploitation attack that involves two or more IP fragments that cannot be properly assembled due to improperly configured fragment offset numbers. Some targets of the teardrop attack would become unresponsive, crash, or restart.
Land is a flaw exploitation attack in which an attacker sends a forged packet with the same destination and source address and port. Some targets of the land attack would become unresponsive, crash, or restart.
ICMP flood is a DoS attack that attempts to overwhelm the target with ICMP packets so that it cannot service them, making it unresponsive.
UDP flood is very much like an ICMP flood, except that the protocol attacked is UDP. The attacker sends a large number of UDP packets to random ports on the target.
Smurf is a specific type of ICMP flood attack that involves sending spoofed ICMP echo packets. The attacker forges the target's IP address as the source of an ICMP echo request and sends it to the broadcast address of a segment on the Internet, which then serves as a zombie network. For example, if the target is 192.168.1.1 on segment 192.168.1.0, the attacker would send an ICMP echo request with the forged source address 192.168.1.1 to the destination address 192.168.1.255, which is the broadcast address for the segment on which the host is located. Every system on that segment then replies to the target with an ICMP echo reply message. If the attacker sends enough of these packets, the target could be overwhelmed by ICMP echo replies and become unresponsive.
A fraggle is a variation of the smurf attack that uses UDP service request packets instead of ICMP packets. The details and method of the attack are identical, except that the UDP protocol and UDP echo packets are used.
Attackers typically use scanners to locate potential targets and security weaknesses. You can better protect your network by running scanners on it to find and correct weaknesses before attackers. Remove all unnecessary services and patch all discovered
There are numerous types of DoS and DDoS attacks that attackers can use in attempts to hinder business operations of a target organization. You can reduce the effectiveness of many of these attacks by configuring appropriate filtering rules on your firewalls and routers. Also, maintain a good relationship with your ISP to ensure that you can mitigate a successful DoS attack.
Source routing can be used by an attacker to route packets around security devices on your network. To prevent this, configure your routers to drop packets that contain LSRR information.
Password guessing and encryption breaking can both be accomplished by brute force. To prevent such attacks from being successful, employ the latest and strongest encryption mechanisms and longest key lengths practical. If you must use passwords, ensure that you educate your users on creating secure passwords that cannot be easily broken by a dictionary attack. Ensure that users know not to write passwords down or share them with other people. Implement strong password policies, so that users must change their passwords frequently.
Intrusion detection systems (IDSs) can collect and analyze information in different ways. Some analyze information from the network, others from system files, and still others from log files. Many IDSs analyze information from multiple sources.
IDSs can be network-based, host-based, or application-based. NIDSs are able to protect a larger number of systems and are easier to implement than HIDSs. However, NIDSs are limited by their processing power and ability to decode packets quickly. NIDSs also have trouble with encryption, VLANs, and encrypted tunnels. HIDSs are able to work around encryption and provide better individual host protection. However, HIDSs might be compromised during an attack on the target and might lose valuable information. Application-based IDSs are best for detecting specific attacks on applications and are not limited by data encryption. However, like HIDSs, they can be compromised or disabled in an attack.
Typical IDS responses are passive, allowing the administrator to take action when an incident occurs. Active IDS responses have different levels of severity. The most benign level is to increase logging. An intermediate level is to reconfigure the networ
IDS deployment is best done in stages. This allows network staff to customize and become familiar with IDS implementations. The NIDS should be deployed first. Once the NIDS is fully configured and deployed, the HIDS can be deployed to critical hosts. After critical hosts are successfully configured and running with a HIDS, a full HIDS deployment can be contemplated.
CSIRTs can be either formalized or ad hoc teams. CSIRTs help an organization deal with computer security incidents and possibly protect other organizations from compromise. There are CSIRTs all over the world that are willing to work with network adminis
Computer forensics is the investigation and analysis of computer security incidents with the objective of collecting evidence. Evidence must be gathered carefully so that other evidence is not disturbed. When possible, systems should be analyzed by making images or backups to avoid disturbing a system that might be used as evidence in a legal proceeding.
A chain of custody is required to prove that evidence is preserved and unaltered. Without a chain of custody, evidence might be considered invalid. Evidence must be carefully preserved with plenty of documentation, including logs, reports, pictures, back