Sie sind auf Seite 1von 25

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),

Organizational Security (12%)

This is just a brief overview of the most important

concepts. I still recommend reading a book and watching
the classes on VTE or Mindleaders or a program you have
This is a list of the well known ports KNOW THIS!!!
FTP 20, 21: SSH 22 : Telnet 23 : SMTP 25 : TACACS
DNS 53 : Kerberos 88 : HTTP 80 : HTTPS 443 : SSL
Network News Transfer Protocol (NNTP) 119 : IMAP4
143 :
LDAP 389 : LDAP/TLS 636 LDAP/SSL 636 : POP3
110 :
L2TP 1701 : PPTP 1723 : Terminal Services 3389

1)Systems Security
a) Differentiate among various systems security threats

i) Privilege escalation: This is when a vulnerability inside of the

system allows a user or process access to elevated permissions (go
higher up in the system without permission i.e. user becomes
administrator etc)
ii) Virus: A set of malicious code that attaches itself onto a system.
The characteristics of a virus are: Replication mechanism(able to
replicate itself onto other hosts), Activation mechanism (when the
objective is executed), Objective mechanism (the damage or action
that the virus is wanting to commit). Viruses are restrained in that
they have to be executed by the user and are found in emails, USB
flash drives, Floppies, and download. Some viruses are even
circulated as a virus hoax (an email or message that tells of a virus
that doesnt exist and then causes the user to delete a much

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

needed file). Protect yourself by researching Antivirus vendor sites,

urban legend sites, and
iii) Worm: Worms travel through a network without the assistance of a
host application or user interaction. These types of malicious code
do NOT need to be executed
iv) Trojan: This is a type of virus that looks like something benign
while actually being a virus.
v) Spyware: Is software that is downloaded to a system without the
users knowledge and takes a certain level of control over the users
system. There is the possibility of it changing the home page,
redirecting browsers, installing other software, or even putting on a
keylogger that records the computers keystrokes.
vi) Spam: Is used to deliver malware and to consume the computers
resources (bandwidth etc.).
vii) Adware: These are the pop-up ads when you are on the
internet. When they are malicious they are called spyware. The best
protection against these is a pop-up blocker.
viii) Rootkits: This is a group of programs (maybe only one program)
that hide the fact that the system is under attack from a virus. A
user may suspect something is wrong but a rootkit hides the virus.
ix) Botnets: This is usually used when attacking with a Distributed
Denial of Service attack (DDoS). A botnet is a group of computers
are act as robots under the control of the central command. The
computers inside the botnet are called zombies. The master is the
controlling computer and the slave follows what the master
x) Logic Bomb: This is a string of code that will activate after a
certain event. The event could be anything from a time and a date
to a certain change inside of the system.

b) Explain the security risks pertaining to system hardware and


i) BIOS: This is the systems firmware and is used to configure basic

settings such as which device the system will try to boot from (Basic
Input/Output System). This poses a great vulnerability towards the
system if not password protected or better yet, locked down.
ii) USB devices: Are small and can hold large amounts of data. This is
obviously a risk. Not only with loss of data but also with spreading
viruses. Usage can be restricted by disabling the USB root hub,
disabling the USB in the BIOS, Disabling the USB driver via Group
Policy, or by using third-party tools.

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

iii) Cell phones: Are risks in that they have built in cameras and the
ability to turn on their audio remotely. Attackers can also eavesdrop
onto cell phone calls or can steal the phone to access your sensitive
iv) Removable storage: The information in question is usually in
reference to information in a network. Any computer in the network
can have access to the information that this makes removable
storage a risk (CDs, DVDs, USBs etc.)
v) Network attached storage: These are the hard drives or hard
drive systems that are attached directly to the network with an IP

c) Implement OS hardening practices and procedures to

achieve workstation and server security

i) Hotfixes: This is a small update similar to a patch. They are

patches that can be applied without a reboot, intended to address
an immediate threat, and to address a specific issue for a narrow
market. To harden your system, it is best to keep these up to date.
ii) Service packs: A collection of patches, hotfixes, and maybe some
additional features.
iii) Patches: A string of code that is used to correct a single bug or
vulnerability in the operating system or application.
iv) Patch management: A group of methodologies that are
implemented to assure that all the systems in the network have the
appropriate patches. This also includes: Testing the patches,
applying the changes, and auditing the changes ( to make sure the
patch was properly updated). Be sure to properly audit systems to
make sure of the patches (or lack thereof) that are on the system.
There are tools that help manage patches. MBSA is used to query
one or multiple computers in an enterprise. It can check for current
updates and basic vulnerabilities. WSUS is used by administrator to
download and approve updates. SMS can be used to schedule the
deployment of patches.
v) Group Policies: this is used to manage multiple users and
computers in a domain. It allows tan administrator to configure a
setting once in the group policy object (GPO). This is usually used
for a password policy. This policy includes the following: maximum
password age, minimum password age, enforce password history,
minimum password length, complexity requirements, and storing
with reversible encryption. GPO can also give out a device policy.
This restricts the use of portable devices. These restrictions are:

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

disable autorun, preventing the installation of small devices, detect

the use of small devices.
vi) Security Templates: These are the starting point for security
settings. They can be used as part of Group policy to ensure that
systems start with a common configuration. These configurations
are: account policies(password and lockout settings), Local
policies(many detailed user rights settings), Restricted
groups( automate the control of group membership such as the
administrators and Domain admins), System services( used to
enable and disable specific services), and software restrictions (only
specific software can be allowed to run on a system).
vii) Configuration baselines: This is the starting point for a
systems configuration. It is very similar to a security baseline but
this focuses not strictly on security aspects but is focused on
system consistency (every computer has the same configuration:
printers, background, screensaver, applications, etc.).

d) Carry out the appropriate procedures to establish application

i) ActiveX: This is a mini-program that gives a site pizzazz. These
pose a threat when they do not have the proper Certificate
Authority (CA). The CA shows that the mini-program was written
by an acceptable source and does not contain malicious code.
ii) Java: Java applets are similar to ActiveX controls. They too need
proper certifications to be considered safe to run on your computer.
Java applets will only run inside a confined area (for added
protection) called a Java Virtual Machine (JVM).
iii) Scripting: JavaScript is different from both of the above. It is a
script language used on the Internet. It is an interpreted language
and is simple text that will be read and interpreted with executed.
There is also Cross-Site Scripting (XSS). This is where attackers
are able to gather data from a user, without the users knowledge.
The data is obtained by passing a hyperlink that contains malicious
content. The best way to protect against this is to: only follow links
within a site and turn off JavaScript except when absolutely needed.
iv) Browser: This is used to accept the HTML code form the web
server and display it.
v) Buffer overflows: This is when an attacker send more input, or
different input, to an application than expected. This causes erratic
behavior and opens an opportunity for the attacker to access the
internal buffer and insert malware. To prevent this: perform

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

significant testing and code review and perform input validation.

Keeping servers up-to-date is the best defense against this attack.
vi) Cookies: This is a text file stored on a users computer that can be
used for multiple purposes, but it is often used to track activity. XSS
opens the door for attackers to read cookies that
vii) SMTP open relays: Simple mail transport Protocol is a mail
server. An anonymous open relay (SMTP open relay) is an
viii) Instant messaging: Sends all your information over plain text.
Thus, it is highly vulnerable to sniffing attacks.
ix) P2P: Peer-to-Peer is file sharing over a network. It is sharing files
over a network and the Internet. An issue with this (not counting
that it is now illegal) is Data Leakage. Data leakage is when a user
is not aware that they are signed onto a P2P and their files are now
spread to whoever is on the network.
x) Input validation: This checks that the data is within the scope of
what is expected (amount, type, etc.). If this is not done, an
attacker can enter other data and thus perform an SQL injection
attack. This allows the attacker to execute commands directly
against the database through the web server.
xi) Cross-site scripting (XSS): This is where attackers are able to
gather data from a user, without the users knowledge. The data is
obtained by passing a hyperlink that contains malicious content.
The best way to protect against this is to: only follow links within a
site and turn off JavaScript except when absolutely needed.

e) Implement security applications

i) HIDS: This is Host based Intrusion Detection System (IDS). It

monitors traffic that moves through the network interface card
(NIC). The strengths are: encrypted traffic can be interpreted by the
host and dial up traffic can be monitored. Weaknesses are:
consumes resources(because it is another piece of downloaded
software), cannot monitor network traffic, expensive, and data
stored locally (if corrupted, then all is lost).
ii) Personal software firewalls: This is software that will monitor the
traffic that passes through the NIC. In making it personal you
implement it on your machine and it monitors the traffic on your
iii) Antivirus: This is to help protect you from viruses. This software
also usually protects you from other malware (worms, trojan

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

iv) Anti-spam: Spam has become one of the main ways to send
viruses and it is important to have anti-spam software on your
v) Popup blockers: The best defense against adware!

f) Explain the purpose and application of virtualization

technology: Virtualization is technology that allows a user to have
multiple virtual servers on only one actual server. This is very helpful in
that you can conduct testing in an isolated environment. You can also
test malware and applications. Another benefit is that you can isolate
network services and roles (like DNS, WINS, and DHCP). A weakness in
virtualization is that the host becomes a single point of failure.

2)Network Infrastructure
a) Differentiate between the different ports & protocols, their
respective threats and mitigation techniques.

i) Antiquated protocols: These are protocols that are no longer in

common use. Some of these are NetBEUI(used to quickly set up a
virtual network), IPX/SPX(was used instead of TCP/IP), and
AppleTalk(was the proprietary networking protocol).
ii) TCP/IP hijacking: This is where a third party takes over a session
and logically disconnects a client that was originally involved in the
session. CHAP has helped make this attack much more difficult by
periodically re-authenticating the client. This type of attack is very
difficult to pull off.
iii) Null sessions: This is a logon session that represents anonymous
users in Windows environments. Thus unauthenticated clients can
access resources such as files, folders, and printers. The best
practice to prevent this is to replace the Everyone group with the
Authenticated Users.
iv) Spoofing: Where a person or entity disguises itself as something
else. IP Spoofing is where the source IP address is modified. Thus
they can act like a trusted individual and can even attack multiple
computers (a whole network). Email Spoofing is another type of
spoofing where someone changes the from address to something
else to make it look like it is from some credible source.
v) Man-in-the-middle: This is another advanced attack. This is active
interception and eavesdropping. The attacker uses a separate
computer that accepts traffic from each party in a conversation and
then forwards the traffic without modification.
vi) Replay: Another advanced attack and this is one where an attack
replays data that was already part of a communication session.

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

This is usually done to impersonate another individual. This attack

can be prevented with Kerberos because it requires that the
internal clock of all computers be within five minutes of each other.
This greatly narrows the time that the attacker has to less than 5
minutes to implement the attack.
vii) DOS: Denial of service attack is used to make certain services
unavailable to users. There are two types of DOS attacks. The first is
SYN Flood Attack and it disrupts the TCP initiation process by
withholding the third packet of the TCP three-way hand shake. The
next type is the Smurf Attack. It sends out a ping as a broadcast
(a ping is usually one-to-one) and it spoofs the source Ip. Thus the
victim gets flooded with ICMP (used in diagnostics for and uses IP
addresses) replies.
viii) DDOS: This is where the attack is done with a Botnet.
ix) Domain name kiting: This is an underhanded way to not pay for a
domain name. Each domain has a 5 day free period and this is just
dropping the name before the 5 days are up and then reinstating it
x) DNS poisoning: Domain Name System is what allows us to simply
type out instead of the IP address. It also locates the
following: mail servers, domain controllers in a network using
Service (SRV) records, and domain controllers holding specific roles
or sunning specific services using SRV records. The name resolution
results are cached on the server and on the client. DNS poisoning
occurs when the cache holding the names redirects the client to
bogus web sites.
xi) ARP Poisoning: This can be used in a DDoS to mislead computers
about the actual MAC address of a system. Address resolution
protocol is used to resolve the IP addresses to MAC addresses on a
subnet. The poisoning stops the computer form communicating with
other hosts. Thus the entire subnets become isolated for attack.

b) Distinguish between network design elements and


i) DMZ: The demilitarized zone (DMZ) is a buffer zone between the

private network (intranet) and the Internet. This adds another layer
of security for internet-facing servers. The DMZ has firewalls as
bookends around if (one at the internet side and another at the
intranet side). Internet-facing servers like web servers, mail servers,
or PTF servers accessible from the Internet would be placed in the

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

DMZ with very specific rules on both firewalls on what is allowed

inside the DMZ and the intranet.
ii) VLAN: The virtual local area network uses a switch to group several
different computers to a virtual network. This allows computers to
be grouped on the same network by logical needs instead of
physical location (no need for a physical router connecting the
machines). The traffic is isolated between the computers and thus
adds a level of security.
iii) NAT: Network address translation is a protocol that translates the
public IP address into a private IP and the private back into public.
Private UPs are internal to a network, and public IPs are accessible
on the Internet. NAT translates and allows internal clients access to
the Internet while still hiding them from attackers on the Internet. A
static NAT uses one-to-one mapping. Dynamic NAT uses multiple
public IPs, and NAT can decide which public ones to use based on
load (many people can use the same public IP). NAT is NOT
compatible with IPSec.
iv) Network interconnections: Inside th Open Systems
Interconnection reference model there are 7 distinct layers (this is
how networks are interconnected). Layer 1 Physical and it
contains hubs, NICs, Ethernet, Token rings. Layer 2 Data contains
switches, MAC, PPP. Layer 3 Network containsrouters, and layer 3
switches, IP, IPSec, ICMP, ARP. Layer 4 Transport contains TLS,
TCP, UDP. Layer 5 Session contains SSL, NetBIOS. Layer 6
Presentation contains ASCII, EBCDIC, TIFF, JPG. Application
Layer application-proxy firewall operates on all layers up to the
application layer it also contains HTTP, HTTPS, FTP, DNS, SMTP,
v) NAC: Network access control adds a layer of restricted access to
your private network. It includes three primary components:
authentication (clients provide credentials before access), remote
access policies (this controls after they are authenticated what and
when different elements in the network are accessable to them),
and Inspection and control (this makes sure they are running up to
date anti-malware software. If they are not, they are given only
restricted access to the network).
vi) Subnetting: this is used to divide a single range of IPs into
multiple smaller ranges of IPs. This is to increase effeciency and

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

vii) Telephony: This is contained in Dial-up remote accesses. It uses

telephone technology to connect computers.

c) Determine the appropriate use of network security tools to

facilitate network security

i) NIDS: Network based Intrusion Detection System monitors activity

on the network. This is installed on network devices (firewalls and
routers) as sensors and taps. All the info gathered is sent back to
the central server hosting a console to monitor activity. This does
not read the anomalies on individual systems unless it has a
significant influence on network traffic. These sensors can be put on
either side of the networks firewall and reads what traffic occurs
related to that position (what makes it through or all the
ii) NIPS: Network intrusion prevention system is an extension of NIDS
and is made to catch an attack in real-time(at the actually
occurrence). It defends the network from attackers actively
attacking it. NIPS will also be at the Firewalls in actuality (in-line)
while NIDS will simply have sensors.
iii) Firewalls: These are design to filter traffic. It can be hardwarebased (will have 2 or more NICs) or software-based (monitor traffic
through a single NIC). A stateful firewall has the ability to
examine multiple packets that are involved in a network connection.
Application firewall was discussed above. A firewall has the
ability to filter content such as, spam, attachments, URLs, and
certificates. There are also firewall logs that record any activity of
interest. This is the first place an administrator will look to see if an
intrusion has taken place.
iv) Proxy servers: These are found in many networks. They can
perform performance caching (short-term storage of content to
make access quicker and easier for others on the network) and can
use content filters to restrict access. The proxy server will also
contain the NAT to transform the IPs from private to public. These
can either be static or dynamic.
v) HOneypot: This is a server that looks like an easy target for an
attacker. Uses of these are to divert attackers from the live network
and to allow observation of the attacker.
vi) Internet content filters: This is a firewall that contains the ability
to filter content.
vii) Protocol analyzers: This captures and analysis packets on a
network. That means that ANY data sent in plain text can be

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

observed and analyzed by the protocol analyzer. Wireshark is a

popular one. These analyzers can be used to analyze traffic, capture
and display clear text, analyze TCP/IP sessions (SYN flood attack),
monitor specific traffic or network traffic, and detect internal
computer being used as zombies with a botnet. Protocol analyzers
can be used for good or bad. They are used in sniffer attacks.
There are two main modes of protocol analyzers: nonpromiscuous (only traffic passing through the NIC) and
promiscuous (all traffic that reaches the NIC).

d) Apply the appropriate network tools to facilitate network

security.(these are handled above)
ii) Firewalls
iii) Proxy servers
iv) Internet content filters
v) Protocol analyzers

e) Explain the vulnerabilities and mitigations associated with

network devices
i) Privilege escalation
ii) Weak passwords
iii) Back doors: Some developers keep back doors for ease of access
but since they bypass all the regular security measures, they are a
danger to keep open.
iv) Default accounts DOS: Rename the administrator account and
have a complex password to protect from attacks. Also, disable the
user accounts.

f) Explain the vulnerabilities and mitigations associated with

various transmission media

i) Vampire taps: This is any tap that tries to gain access by tapping
into the physical wire. Fiber optic cable is the most difficult to tap
but coaxial and twisted pair are easy.

g) Explain the vulnerabilities and implement mitigations

associated with wireless networking

i) Data emanation: These are data transmissions that can be

capture outside the source (physical cable or wireless). Fiber optic is
not susceptible to emanations. These emanations are NOT taps they
are electronic losses of data. They can jump from cables that are
close to each other. Coaxial cables are highly susceptible to this.
Wireless data transference is also highly susceptible to data
emanation because anyone with the correct channel can get the

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

information. You should secure your wireless network with WPA2

(WEP and WPA are considered compromised).
ii) War driving: The act of going around trying to find an open
wireless connection.
iii) SSID broadcast: The broadcast of the wireless signal so that
anybody can see it. This should be disabled and changed from its
iv) Bluejacking: This is using someones Bluetooth signal without the
persons knowledge. The bluejacker can send information and
packets with your signal (so it gets traced to you). Stop discovery
mode to prevent this.
v) Bluesnarfing: This is the unauthorized observation of data that is
sent over the Bluetooth signal. Turn off discovery mode to protect
vi) Rogue access points: This is a wireless access point (WAP) that is
placed in a network with some sort of attack in mind. It is used as a
sniffer to broadcast all the information that is passed through the
wired network. The first part of prevention if one is found is to
disable it, contain it, or isolate the threat.
vii) Weak encryption: WEP has weak encryption and is almost no
help against an intrusion. WPA2 has the best encryption for a
wireless network.

3)Access control
a) Indentify and apply industry best practices for access control
i) Implicit deny: This is when those who are not specifically allowed
into the network are not allowed access.
ii) Least privilege: The user is only allowed the specified privileges
and nothing more (if you need to print you can use the printer and
nothing more)
iii) Separation of duties: This is a principle that prevents any one
person from being able to complete all the functions of a critical or
sensitive process. This is to prevent fraud, theft, and errors.
iv) Job rotation: This rotates each person to the different jobs to learn
the processes and procedures of each. This is to keep a person to
have the only knowledge about a job. This also prevents collusion
(two or more people engaged in a secret activity for the purpose of
fraud). Because of the rotation, one person is not working at the
same activity long enough to effectively commit fraud.

b) Explain common access control models and the differences

between each

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

i) MAC: Mandatory access control uses labels (assigned to users and

objects) to determine access. Once the matching labels are found
the appropriate access is granted. These labels are called Top
Secret, Secret, and Confidential (the lattice model). Those who are
Top Secret get access to Top Secret objects and so on and so forth.
This access method is broken down into labels.
ii) DAC: Discretionary access control makes every object have an
owner and the owner establishes access to his/her object. The
owner has full and explicit control of his object. The owner can
easily change the permissions and thus making this a dynamic
access control. The only downside is that these dynamic changes in
access make it susceptible to Trojan horse attacks (owner
unwittingly giving access to a disguised virus).
iii) Role and rule based access control: Each user has a role and
has access to the objects that are associated with that role. So, a
change in role is a change in access (phone answerer, head of
department, RA guys, Event Managers, etc all have different roles
and thus different access).

c) Organize users and computers into appropriate

security groups and roles while distinguishing
between appropriate rights and privileges
d) Apply appropriate security controls to file and print
e) Compare and implement logical access control methods

i) ACL: Access control lists are used to specifically identify what traffic
is allowed and what traffic is not allowed. Most ACLs run off of an
implicit deny (if you dont have specific permission you are
denied).Routers use ACLs as a list of rules that define what traffic is
ii) Group policies: This allows an administrator to configure a setting
once in the group policy object (GPO) and apply the setting to many
users and every computer in the domain. This can also be done to
specific users and computers in the network (Organization Units
iii) Password policy: This is good to make sure that the users have a
secure enough password. The administrator can control password
length, complexity, maximum age, minimum age, password history
(prevent the use of previously used passwords), and store the
passwords using reversible encryption (this is a very weak

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

iv) Domain password policy: This just makes all the users in a
domain follow the password policy.
v) User names and passwords:
vi) Time of day restrictions: This specifies when certain users can
log onto the network.
vii) Account expiration: account expiration can be set to be done
automatically and will not let the user log on after the set
viii) Logical Tokens: This is used in a single sign-on environment to
identify a user and a users group membership. Every user and
group is identified with security identifiers (SIDs) and a logical token
contains all the SIDs associated with a user.

f) Summarize the various authentication models and identify

the components of each

i) One, two and three-factor authentication: There are three

different factors of identification: what you know (password,
username), what you have (CAC card, token, etc.), and something
you are (biometrics, retina scanners, finger prints, etc.). Threefactor authentication uses all three.
ii) Single sign-on (SSO): This refers to the ability of a user to use a
single set of credentials to sign on for an entire session. This
increases security in that it reduces the temptation to write down
passwords and other credentials.

g) Deploy various authentication models and identify the

components of each

i) Biometric reader: There are three types of biometric readers:

retina scanners, fingerprint scanners, and hand written signature.
There are four possible results from the scanning process: False
acceptance (accepts and unauthorized user), false rejection
(incorrectly rejects an authorized user), True acceptance (correctly
accepts an authorized user), and True rejection (accurately
determines an unauthorized user).
ii) RADIUS: Remote authentication Dial-in user service is a centralized
authentication service. Instead of each RAS server needing separate
databases to know who to authenticate, they send the info to the
RADIUS and they are authenticated there.
iii) RAS: Remote access service is used to provide access to an
internal network from an outside source. RADIUS and
TACACS/TACACS+ provide a centralized method of authentication of
multiple RAS servers. This uses multiple authentication mechanism:

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

iv) LDAP: Lightweight Directory access protocol specifies formats and

methods to query directories. Active Directory uses this protocol
format. It is also an extension of the X.500 standard.
v) Remote access policies: These are used after the authentication
to control access to a network. This can allow or deny access to the
connection. One or more of the conditions stated in the policy must
be met before access is allowed. These can be used to control ho
and when users connect to the server(from home or from work etc.).
vi) Remote authentication: This is what allows a user to access a
network from outside the network (like connecting to Area52 from
vii) VPN: Virtual private network allows a connection to a private
network over a public one (i.e. the Internet). The VPN server has a
public IP that allows it to connect to any other host on the internet.
Tunneling is what connects the network together. These tunnels are:
L2F not used, PPTP has known vulnerabilities, and L2TP is the most
common and secured with IPSec (not compatible with NAT, so the
VPN has to communicate with a public IP). SSTP is a already secured
tunnel that is compatible with NAT, VPN can have private and public
IPs (this is brand new and not implemented much yet).
viii) Kerberos: this is a commonly used authentication protocol used
in Windows. This uses time-stamped tickets to insure time
synchronization between computers. It is symmetric and the most
common method for distributing its tickets is the Key Distribution
Center (KDC). The PKI is for asymmetric key distribution.
ix) CHAP: Challenge Hand-shake authentication protocol is a much
used authentication method. It is where a client tries to log in, the
server sends back a nonce(number used once), the client sends
back a common secret (PIN number etc., and it is encrypted), the
server then compares the response and the nonce with what it
knows. If it matches, we have authentication.
x) PAP: Password authentication policy sends passwords over for
authentication in clear text. This is rarely used today.
xi) Mutual: This is where the user authenticates himself to the
server and the server authenticates himself to the user.
xii) 802.1x: the IEEE 802.1x protocol is designed to provide
authentication when a user connects to a specific access point, a
logical port. This is used to secure the authentication process before
the client is accepted into the server. WEP is the worst type of
security, WPA is the second best, and WPA2 is the best and newest.

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

xiii) TACACS and TACACS+: This is the same as RADUIS but it

encrypts both the username and password.

h) Explain the difference between identification and

authentication (indentify proofing): Authentication is
simple giving the authenticator previously known
credentials. Identity proofing is something that is used to
identify before those credentials are issued, as an extra
measure of identification, or to grant access if the user
forgets their credentials. Identity proofing can be seen in
drivers licenses, safety questions (mothers maiden name,
etc.), and birth certificates etc.
i) Explain and apply physical access security methods
i) Physical access logs/lists: We are given building access cards
and a unique PIN number for when the building goes into security
lock down. Access logs/lists contain the information of who
entered/exited the building and when. This can be used to show
when piggybacking (following somebody closely to gain access) and
tailgating (same thing but with a car) has occurred (when there is
no record of entrance of there is a record of exiting).
ii) Hardware locks: Everyday locks you have in your house
(deadbolts, etc.).
iii) Physical access control ID badges
iv) Door access systems: Door only opens with the use of some sort
of access method (access car, PIN, etc).
v) Man-trap: These are used as protection against
piggybacking/tailgating. Mantraps are buffer areas that are placed
between the unsecure sector and the secure one. They usually
capture the attacker thus preventing them from going forward or
backwards. An example of this is a turnstile that can be locked
before turning completely to the other side.
vi) Physical tokens: These are one time passwords that are physical
and in your hand. It may be a key fob (a little LED display that has a
password that changes every 60 sec or so and is synchronized with
the server).
vii) Video surveillance camera types and positioning: Place
them in public areas, alert employees of their existence, and do not
record audio. Place them around and in the secured areas. The
different types of cameras are: wireless, wired, low-light (can record
in low-light conditions), color, and black-and-white (usually low-light

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

cameras are black/white). Camera positioning is very important

(entrances, exits, and overall activity). There are also fixed cameras
and PTZ (can move, zoom, tilt) cameras.

4)Assessment and Audits

a) Conduct risk assessments and implement risk
mitigation: Risk assessment is the first step in risk
management. It can be done in 2 different ways: quantitative
and qualitative. Quantitative assessment measures in
monetary forms. The two measurement s are impact (the
negative result of the attack) and asset value (the revenue
value or replacement value of an asset). An example of a
quantitative value contains the following: single loss
expectancy (SLE), annualized rate of occurrence (ARO), and
annualized loss expectancy (ALE and is the multiplication of
the two earlier ones). Qualitative assessment is based on
probability and impact (low, medium, high or a scale of 110). Probability is the likelihood the event will occur and the
Impact is the negative result. You multiply the two results to
get the risk assessment.
b) Carry our vulnerability assessments using common tools
i) Port scanners: This is used to determine what ports are open on a
system. Administrators can use this to see what ports are not
needed to be open and attackers can use it to find vulnerability in
the defenses.
ii) Vulnerability scanners: This is the most effective way to identify
security holes. These scanners will look for weak passwords, open
ports, and much more. A popular scanner is Nessus.
iii) Protocol analyzers: Captures and displays packets on a network.
Anything sent in clear text can be read and shown by a protocol
analyzer. A popular one is WireShark. It can be used to discover
passwords sent in clear text, analyze TCP/IP traffic to gain more
information on SYN flood attacks or malformed packets, and analyze
traffic related to a specific protocol. There are two modes that a
protocol analyzer can run in: Promiscuous (capture all traffic that
reaches the NIC) and non-promiscuous (Only traffic that is
addressed to the NIC).
iv) OVAL: Open Vulnerability and Assessment Language is an
international standard. This is a standard that vulnerability

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

assessment scanners follow. The three standard steps are:

collectioning system characteristics and configuration information of
a system, analyzing the system to determine the current state,
and report results.
v) Password crackers: There are many types of brute force attacks
and comparative analysis. Under brute force: Dictionary (uses
common words to guess password) and brute force (uses every
possible combination). For comparative analysis: John the
ripper( used on multiple platforms, often to find weak passwords),
Cain and Abel (used on windows to find passwords; can sniff, use
dictionary, brute force, and cryptanalysis attacks), Ophcrack (used
on windows and through rainbow tables), Airsnort (discovers WEP
keys on wireless), Aircrack (WEP and WPA cracking), L0phtCrack
(used on older windows systems.
c) Network mappers: Nmap is a popular network mapping tool that
combines the features of a ping scanner and a port scanner to learn
what systems are operational and what services are running on these

d) Within the realm of vulnerability assessments,

explain the proper use of penetration testing versus
vulnerability scanning: Penetration testing is used to
actually try to take advantage of the vulnerabilities.
Vulnerability scanning is used to simply find the vulnerable
e) Use monitoring tools on systems and networks and detect
security related anomalies

i) Performance monitor: This shows what the systems performance

is. It is used to create a performance baseline by taking readings
every 30 min for 7 days. An attack will show a large increase in
performance for no apparent reason.
ii) Systems monitor:
iii) Performance: There will be a change in the computers
performance if under attack.
iv) Baseline: A baseline is needed to show what performance is
normal under working and non-working conditions.
v) Protocol analyzers

f) Compare and contrast various types of monitoring


i) Behavior-based: This is the same thing as anomaly-based.

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

ii) Signature-based: This uses databases of predetermined traffic

patterns. It recognizes the type of attack. This is the simplest and
easiest to implement.
iii) Anomaly-based: The computer creates a baseline of normal
behavior and this type of monitoring knows what is normal. So, it
can determine if the computer is acting abnormally.

g) Execute proper logging procedures and evaluate the results

i) Security application:
ii) DNS:
iii) System
iv) Performance
v) Access
vi) Firewall
vii) Antivirus

h) Conduct periodic audits of system security settings

i) User access and rights review
ii) Storage and retention policies
iii) Group policies

a) Explain general cryptography concepts

i) Key management (it is best to think of these as certificates):

There are multiple possibilities when it comes to key management.
One of the issues that occurs with key management is where to
generate the keys and then where to store them. There is
centralized generation (generating keys in one location and is
considered the bestall the certificates for a group are made in one
domain/area), decentralized management( where the keys are
made on individual computers), and the hybrid model (some are
made one way and others are made the other way). A Key Escrow is
where keys are stored. A recovery agent is who recovers your keys
from the Escrow.
ii) Steganography: Hiding one type of file inside another. This is
where a code(malicious or not) is hidden in lets say a picture (.gif)
file. Each color type can be a bit (red 1 is 0 and blue 14 is 11001).
This can be done in any media type file.
iii) Symmetric key: Shared Secret key is where the information is
encrypted with a secret key and is decrypted with the same key. The
is used for LARGE and FAST encryptions. The issue is that there has
to be some way to communicate the secret keys to each other.
iv) Asymmetric key: Public key encryption is where the message is
encrypted with a public key and is decrypted with a private key. The

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

keys are mathematically related. Everyone knows your public key

but only you have your private key. Digitally signed emails are
encrypted with your private key and then decrypted with your
public one to show that it came from you. If you do not know what
keys are, LEARN QUICKLY!!!
v) Confidentiality: This is where the only person who can observe
the data is who you want to observe it.
vi) Integrity and availability: Integrity is saying that the data has
not changed and availability is saying that it is accessible to who
you want to be able to access it.
vii) Non-repudiation: The person who sent it really is the person
who sent it. They cannot deny it.
viii) Comparative strength of algorithms: These are
mathematical in nature. The best one is AES and it is able to use
almost any bit size. DES is weak and 3DES is using DES three
separate times on the data.
ix) Digital signatures: These use an asymmetric key for nonrepudiation. (encrypted with private key and decrypted with public
x) Whole disk encryption: It is what it saysreally strong and good
but takes a long time.
xi) Trusted platform module (TPM): This uses a pre-shared key
(PSK) to encrypt. The user can encrypt with the key and decrypts
with the key. This is essentially software combined with hardware to
encrypt data. This is used when you password protect your laptop.
xii) Single vs. Dual sided certificates: Single sided certificates
are used to validate one direction (usually with the server validating
its identity to the clients). The clients do not validate back. In
mutual authentication two of these can be used (one by client and
other by server) but only one dual sided certificate is needed for
this. Dual-sided certificates are used with a small number of clients.
Two certificates are issued: one to the server and the matching one
to the client.
xiii) Use of proven technologies

b) Explain basic hashing concepts and map various algorithms

to appropriate applications (KNOW what HASHING IS!!!)
i) Hashing: this is essentially giving the data a fingerprint
of a set length. Does NOT encrypt! It is only used for
integrity. They are ONE-WAY. This means you cannot unhash something to see the original message.

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

ii) SHA: This is the best type of hashing algorithm and can use many
lengths of hashes. Currently has 3 types (sha0, sha1(160 bits) is
most popular, sha2) they are working on sha3. All are labeled from
shortest to longest.
iii) MD5: Message Digest 5 is used to make a 128 bit hash
iv) LANMAN: Oldest and not used much any more
v) NTLM: Introduced as an improvement over LANMAN. Still not as
good as SHA1.

c) Explain basic encryption concepts and map various

algorithms to appropriate applications

i) DES: Symmetric key encryption. Very weak and uses a very small
key of only 56 bits.
ii) 3DES: Triple DES uses DES encryption three times with three
different 56 bit keys. This is processor intensive and is very slow.
iii) RSA: Is an asymmetric key encryption key that focuses on the
properties of large prime numbers. Key lengths are 1024 and even
iv) PGP: Pretty good privacy is used on many email servers. It uses a
certificates for authentication. While certs are usually validated by a
certificate authority(CA), PGP uses a web-of-trust format to validate
certificates. A user must accept a certificate without the promise of
a third-party validation. It is decentralized and peer-to-peer.
v) Elliptic curve: Uses elegant advanced mathematics to encrypt.
Usually used on small, hand held devices.
vi) AES: Advanced Encryption Standard can use different key lengths
and is considered the strongest and the fastest of the stronger
vii) AES256: Uses bit lengths of 256.
viii) One time pad: This uses an encryption key only once. This is
seen in a physical key fob(an LED display that shows you your key
and that is synced up with the desired server. The display changes
every 60sec or over a desired time).
ix) Transmission encryption (WEP TKIP, etc.): WEP uses RC4
stream cipher encryption, which is actually really strong but WEP
had horrible key management and thus making WEP the worst.
TKIP(temporal key integrity) was implemented with WPA (Wi-fi
protected access) as a replacement for WEP. It still uses RC4 but it
manages it keys with TKIP. Older users and hardware will still
implement this method. Newer hardware will use WPA2. WPA2 uses
AES for instead of RC4 for encryption purposes.

d) Explain and implement protocols

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

i) SSL/TLS: SSL (secure socket layer) is commonly used on the

internet to encrypt data and it runs on the Session layer of the OSI
model. It uses both symmetric (for encrypting the data) and
asymmetric (to encrypt the secret session key from the symmetric
encryption) encryption methods. Transfer layer security (TLS) was
made as replacement for SSL (strangely SSL is still widely used) and
runs on the transportation layer of the OSI model. TLS essentially
does the exact same thing the same way as SSL but it uses the
Diffie-Hellman asymmetric algorithm to privately share the session
ii) S/MIME: Secure/Multipurpose Internet Mail Extensions is an email
protocol that is used in email messaging applications. It provides
confidentiality, integrity, authentication, and non-repudiation. This is
run on a Public Key Infrastructure and makes use of digital
iii) PPTP: Point to Point tunneling protocol is a tunneling protocol used
in making VPNs. It has known vulnerabilities and is slowly not being
used any more. It is encrypted with Microsoft Point to Point
iv) HTTP vs. HTTPS vs. SHTTP: All of these deliver HTML (hypertext
markup language) formatted pages. HTTP is not secure. HTTPS is
secure and data is encrypted using SSL(secure socket layer). SHTTP
is an alternate method of encrypting but it is rarely used.
v) L2TP: Layer two tunneling protocol is more commonly used than
PPTP. It is made by combining Layer two Forwarding and PPTP. It
does not encrypt the tunnel itself but it is commonly seen using
vi)IPSEC: This application is used to apply security to tunneling
(commonly used on L2TP). It secures the data in two ways:
Authentication Header(used for authentication only) and
encapsulating Security Payload (ESP)(and encrypts the data and
provides confidentiality. This however, encrypts ALL data coming
through the tunnel, thus making it difficult for viruses to be
detected because they are encrypted).
vii) SSH: Secure Shell is placed on the wire to prevent the
effectiveness of sniffing attacks and protocol analyzers. The
applications commonly used are: securely log in to a remote host,
remotely execute a command, to secure FTP traffic. This is a secure
channel between two computers.

e) Explain core concepts of public key cryptography

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

i) Public key infrastructure (PKI): This is a group of technologies

that are used to request, create, manage, store, distribute, and
revoke digital certificates. It is asymmetric. Know about CAs,
Certificates, and Key management.
ii) Recovery agent: This is a person or group who are used to recover
or restore cryptographic keys. One person could have all of the key
or multiple people could have multiple pieces and must recover the
key together.
iii)Public key: Keys that everyone knows that are unique to you.
iv)Private keys: Unique keys that only you know
v) Certificate Authority (CA): This is the individual who gives out
certificates. If they are trusted by the website and you have the
certificate, then your certificate will allow you to access the website.
There are also private and public CAs. The public ones are
accessible to everyone (this is the majority). Private CAs are
commonly used to support Outlook Web Access (OWA). They are
used when a more secure connection is being used and they only
want certain groups access to the CA.
vii) Key escrow: Place used to store keys.
viii) Certificate Revocation list (CRL): (pronounced crill) This is
the list of certificates that have been revoked. Some common
reasons for revocation are: the private key is compromised, CA
discovers that certificate was improperly used, or the certificate has
been superseded.
ix)Trust models: There are two main models to find a trusted CA: in
the hierarchal model there is a root CA that if it is trusted then all
the other CAs underneath it are trusted, in the web-of-trust it is a
peer to peer trusting.

f) Implement PKI and certificate management

i) Public Key Infrastructure (PKI)
ii) Recover agent
iii)Public key
iv)Private Keys
v) Certificate Authority (CA)
vii) Key escrow
viii) Certificate revocation list (CRL)


Organizational security

a) Explain redundancy planning and its components

i) Hot site: The most expensive backup site option. The site includes
software, equipment, and communications. It is essentially the

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

exact same as the original site and it simply not running like the
first one is. It can take over operations in minutes.
ii) Cold site: Very basic utilities and is cheapest but slowest to get up
and running.
iii)Warm site: Somewhere in between the two above options.
iv) Backup generator : Takes over the power when the original
power source goes out. Usually a Uninterruptible power source
(UPS) is used while the generator is started up.
v) Single point of failure: This is a point where if it fails the whole
system becomes inoperable.
vi)RAID: Redundant Array of Independent (or inexpensive) disks is
different type of disk redundancy models. The main ones are RAID0, RAID-1, RAID-5, RAID-10, Raid-0 is actually not used for
redundancy. It is simply used for the system to write and record
information more quickly. It only uses striping (where different
pieces of data are stored on different disks) and all the disks being
used need to be available to have all the data. Raid-1 is a
redundancy model and it uses disk mirroring. One disk is written on
and the other writes down the exact same thing. Raid-5 uses
striping along with data parities. What this means is that disks
stripe the information but also contain a parity(essentially a copy of
the data being striped to the other disk). This method contains at
least 3 disks. Raid-10 is a combination of raid-0 and raid-1.
vii) Spare parts: Spare parts for the machines.
viii) Redundant servers: This is used in failover clusters where one
or more servers are in a cluster formation. At least one server is
active and at least one server is inactive. When the active goes
down the inactive is activated and takes over the load.
ix)Redundant ISP: For a company that needs constant access to the
internet, it is best to have multiple Internet Service Providers just in
case your main server goes down.
x) UPS: Uninterruptible power supply and it is a small amount of
power that keeps the system up for 5-10 min (sometimes longer or
shorter) and this allows the secondary power supply (backup
generator) to start up and begin taking the load.
xi)Redundant connections

b) Implement disaster recovery procedures

i) Planning
ii) Disaster recovery exercises
iii)Backup techniques and practices storage: There are three
types of backups: full, incremental, and differential. A full-backup

Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

backups everything and usually takes a very long time to do. An

incremental backup backups only the information that has changed
since the previous backups (full or incremental). To be restored, all
the incremental backups and the previous full one must be restored.
A differential backup backups all the information that has changed
since the previous full backup. It simply over-writes the previous
differential backup and includes all the data that was on that
particular backup as well. To restore this one you only need the last
full backup and the latest differential backup.
v) Restoration

c) Differentiate between and execute appropriate incidentresponse procedures

i) Forensics: Analyzes the computer to investigate a crime.

ii) Chain of custody: This will provide that the evidence given is the
evidence found.
iii)First responders
iv)Damage and loss control
v) Reporting disclosure of

d) Identify and explain applicable legislation and organizational

i) Secure disposal of computers
ii) Acceptable use policies
iii)Password complexity
iv)Change management
v) Classification of information
vi)Mandatory vacations
vii) Personally identifiable information (PII)
viii) Due care: These are the steps a company has taken to protect
against the risks
ix)Due diligence: This refers to the companys obligation to spend
appropriate time and effort to identify the risks to data and systems
it manages.
x) Due process:
xi)SLA: Service level agreement is the expected amount of service
that vendors provide ( example: Alabama Power on 99.9% of the
time. If they fall below that percentage that is a breach of the SLA).
security-related HR policy
xii) User education and awareness training

e) Explain the importance of environmental controls

i) Fire suppression: Dont use water on electronics or CO2 on


Systems Security (21% of exam), Network Infrastructure (20 %), Access

Control (17%), Assessments and Audits (15%), Cryptography (15%),
Organizational Security (12%)

ii) HVAC: Heating, ventilation, and air conditioning.


f) Explain the concept of and how to reduce the risks of social

engineering( you should already know what these are and
how to prevent them (it is just logical))
i) Phishing
ii) Hoaxes
iii)Shoulder surfing
iv)Dumpster diving
v) User education and awareness training