<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Global Knowledge Training Blog &#187; Hacking &amp; Cybercrime</title>
	<atom:link href="http://globalknowledgeblog.com/category/technology/security/hacking-cybercrime/feed/" rel="self" type="application/rss+xml" />
	<link>http://globalknowledgeblog.com</link>
	<description>Your Source for Technical, Professional, &#38; Leadership Training</description>
	<lastBuildDate>Thu, 17 May 2012 17:34:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Access Control: Who Gets In?</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/access-control-who-gets-in/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/access-control-who-gets-in/#comments</comments>
		<pubDate>Mon, 14 May 2012 12:21:51 +0000</pubDate>
		<dc:creator>James Michael Stewart</dc:creator>
				<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[access control]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5661</guid>
		<description><![CDATA[A major component of IT security is determining who is allowed into your structure, both physically and logically, and what they can do once they have gained access. Access control determines who has how much access. To get control, organizations must lock down their systems, including hosts, networks, applications, data stores, and data flows, and address the following:

    Communication Security
    Cryptography
    IDS/IPS/IDP
    Logging and Monitoring
    Penetration Testing
    Remote Access]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2012/04/guylaptop78293754.jpg"><img src="http://globalknowledgeblog.com/wp-content/uploads/2012/04/guylaptop78293754.jpg" alt="" title="guylaptop78293754" width="300" height="297" class="alignright size-full wp-image-5730" /></a>A major component of IT security is determining who is allowed into your structure, both physically and logically, and what they can do once they have gained access. Access control determines who has how much access. To get control, organizations must lock down their systems, including hosts, networks, applications, data stores, and data flows, and address the following:</p>
<ul>
<li>Communication Security</li>
<li>Cryptography</li>
<li>IDS/IPS/IDP</li>
<li>Logging and Monitoring</li>
<li>Penetration Testing</li>
<li>Remote Access</li>
</ul>
<h3>Communication Security</h3>
<p>Communication security protects the pathways across which voice and data traverse. The goals of communication security include prevention of eavesdropping to protect confidentiality, assurances of integrity, and the maintenance of availability of the connection itself. All communication channels, whether between devices on the same network, across a VPN, over a remote connection, or wirelessly over radio waves, must be protected. A significant portion of communication security requires appropriate encryption. Encryption is used to protect the data itself while in storage and transit and provide a digital means of authentication. Without proper security, communication is subject to interception, manipulation, or denial of service. Communication security also includes planning for protection, as new technologies and data flow patterns are incorporated into the workplace.</p>
<h3>Cryptography</h3>
<p>Cryptography is the science of obfuscation and is used to protect data while in transit or in storage. Data encryption includes three common sub-divisions: symmetric ciphers, asymmetric ciphers, and hashing. Symmetric cryptography is used for bulk data encryption, protecting information while in transit or in storage. Asymmetric cryptography is used to prove the identity of endpoints (e.g., digital signatures), or provide secure symmetric key exchange (e.g., digital envelopes). Hashing is used to detect alterations or verify integrity of communications and stored data.</p>
<h3>IDS/IPS/IDP</h3>
<p>Intrusion Detection Systems (IDS) are designed to notify administrators of suspect activities in the computing environment. Intrusion Prevention Systems (IPS) detect suspect activities and alter the environment in an attempt to thwart those activities. New Intrusion Detection and Prevention (IDP) solutions can perform deep packet inspection on cloud traffic. These tools supplement the security provided by firewalls, proxies, malicious code scanners, and other typical security mechanisms. IDS/IPS/IDP may be able to detect violations based on pattern matching, anomaly detection, and behavior analysis. However, these tools require expertise for proper deployment, configuration, and tuning.</p>
<h3>Logging and Monitoring</h3>
<p>Logging and monitoring, in addition to auditing, are essential parts of keeping track of all of the events that occur within an organization’s infrastructure. Each and every piece of equipment that can record a log file should be configured to do so, especially firewalls, proxies, DNS servers, DHCP servers, routers, and switches. Likewise, every OS and application that can log events should have logging enabled. The more extensive the logging, monitoring, and auditing, the more evidence will be collected about both benign and malicious situations. Other important issues related to event tracking include historical log archival, securing logs, time synchronization, monitoring performance, vector tracking, maintaining accuracy, and complying with rules of evidence and chain of custody.</p>
<h3>Penetration Testing</h3>
<p>Penetration testing is the third major phase in security assessment and management. Penetration testing is used to stress test a mature environment for issues that cannot be discovered by automated tools or by typical administrators. Penetration testers are skilled in the methods and tools of criminal attacks and the art of reconnaissance, and are masters of systems, protocols, and other aspects of IT from the perspective of malicious hackers. Testers craft exploits, modify code, decompile executables and applications, debug scripts, uncover covert channels, and more. These are essential skills of the members of a penetration testing team. A complete understanding of the benefits and the mechanisms of black box security testing will enable an organization to benefit fully from hiring an ethical hacking consultant or developing its own in-house testing team.</p>
<h3>Remote Access</h3>
<p>Remote access is convenient, can reduce costs, and can make work tasks more flexible, but it also increases risk for an organization. Once remote connectivity of any type is enabled for valid user access to a private network, the benefits of physical security are greatly reduced. As soon as authorized outsiders can establish valid connections to internal resources, hackers from across the globe gain the ability to attempt to intrude into those same remote access channels. Remote access includes traditional PSTN modems, VPN connections over the Internet, wireless connections, and more. Remote access often benefits from the implementation of AAA (authentication, authorization, and accounting) servers exclusively for remote users. Adding filters and rigorous oversight, such as with auditing and IDS/IPS/IDP solutions, is essential. Secure remote connectivity is possible, but is more challenging and involved than most organizations realize when first launching telecommuting or remote access projects.</p>
<p><strong>Related Courses</strong><br />
<a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=13526&amp;catid=191&amp;country=United+States" target="_blank">Cybersecurity Foundations</a><br />
<a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=16261&amp;catid=191&amp;country=United+States" target="_blank">Security+ Prep Course</a><br />
<a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=15870&amp;catid=191&amp;country=United+States" target="_blank">Certified Ethical Hacker v7</a></p>
<div class='series_toc'><h3>Security Competencies Series</h3><ul><li><a href='http://globalknowledgeblog.com/technology/security/hacking-cybercrime/security-competencies-what-they-are-why-we-need-them/' title='Security Competencies: What They Are and Why We Need Them'>Security Competencies: What They Are and Why We Need Them</a></li><li><a href='http://globalknowledgeblog.com/technology/security/hacking-cybercrime/asset-protection-what-do-you-have/' title='Asset Protection: What Do You Have?'>Asset Protection: What Do You Have?</a></li><li><a href='http://globalknowledgeblog.com/technology/security/hacking-cybercrime/threat-management-whats-coming-at-you/' title='Threat Management: What’s Coming at You?'>Threat Management: What’s Coming at You?</a></li><li>Access Control: Who Gets In?</li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/access-control-who-gets-in/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is Ethical Hacking?</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/what-is-ethical-hacking/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/what-is-ethical-hacking/#comments</comments>
		<pubDate>Wed, 09 May 2012 12:10:36 +0000</pubDate>
		<dc:creator>Michael Gregg</dc:creator>
				<category><![CDATA[CEH v7.0]]></category>
		<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[EC Council]]></category>
		<category><![CDATA[ethical hacking]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5648</guid>
		<description><![CDATA[When it comes to terms like ethical hacking, many may see this as an oxymoron. Ethical hacking is one approach to examining the security of your network in the same way that an attacker would. The difference is that it is done without malice and with the permission of the company.]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2012/03/laptop141119515.jpg"><img class="alignright size-full wp-image-5514" title="laptop141119515" src="http://globalknowledgeblog.com/wp-content/uploads/2012/03/laptop141119515.jpg" alt="" width="300" height="300" /></a>When it comes to terms like <em>ethical hacking,</em> many may see this as an oxymoron. Ethical hacking is one approach to examining the security of your network in the same way that an attacker would. The difference is that it is done without malice and with the permission of the company.</p>
<p>Ethical hacking can be used to help determine whether your company has created the safest environment possible for your most valuable data. Whether it’s a local network, a web application, or even a SQL database that is used to store sensitive records, the safety of that information is extremely important. If you run any type of business or organization that depends on the safety and security of your information, as most of us do, making sure it’s always safe and protected from cyber criminals is incredibly important.</p>
<p>When it comes to keeping a secure network or securing database records, many companies employ ethical hackers or even hire private security consultants to find the potential security holes before attackers locate these vulnerabilities. It’s only after you’ve found these vulnerabilities that you can then “patch” or secure these potential intrusion areas and put a stop to the potential threats.</p>
<p>If you’re interested in this field, one good place to start is to increase your knowledge of the field. There are several good certifications to get started. One is the CEH (Certified Ethical Hacker). Certified Ethical Hackers are used to ethically hack into their clients’ networks to make sure they are completely secure. The CEH exam requires candidates to have a wide knowledge of ethical hacking techniques and understand networking protocols. You can learn more by checking their website at <a href="http://www.eccouncil.org" target="_blank">http://www.eccouncil.org</a>.</p>
<p><strong>Related Posts</strong><br /> <a href="http://globalknowledgeblog.com/technology/security/hacking-cybercrime/are-you-interested-in-it-security/" target="_blank">Are You Interested in IT Security?</a><br /> <a href="http://globalknowledgeblog.com/technology/security/hacking-cybercrime/securing-cyberspace-are-you-ready/" target="_blank">Securing Cyberspace: Are You Ready?</a><br /> <a href="http://globalknowledgeblog.com/technology/security/hacking-cybercrime/hacking-back-in-self-defense-is-it-legal-should-it-be/" target="_blank">Hacking Back in Self-Defense: Is It Legal; Should It Be?</a></p>
<p><strong>Related Courses</strong><br /> <a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=15870&amp;catid=191&amp;country=United+States" target="_blank">Certified Ethical Hacker v7</a><br /> <a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=13526&amp;catid=191&amp;country=United+States" target="_blank">Cybersecurity Foundations</a><br /> <a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=978&amp;catid=191&amp;country=United+States" target="_blank">Foundstone Ultimate Hacking</a></p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/what-is-ethical-hacking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Threat Management: What’s Coming at You?</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/threat-management-whats-coming-at-you/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/threat-management-whats-coming-at-you/#comments</comments>
		<pubDate>Mon, 07 May 2012 12:27:35 +0000</pubDate>
		<dc:creator>James Michael Stewart</dc:creator>
				<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Threat Management]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5659</guid>
		<description><![CDATA[When designing and deploying security solutions, a thorough understanding of what you have to protect is important. Just as important is understanding the vulnerabilities within and around your assets and infrastructure. A threat analysis considers the range of currently known threats and the potential and likelihood that an attack will be attempted against your organization. Do you know what's coming at you?]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2011/11/security207521s.jpg"><img src="http://globalknowledgeblog.com/wp-content/uploads/2011/11/security207521s.jpg" alt="" title="security207521s" width="250" height="250" class="alignright size-full wp-image-4989" /></a></p>
<p>When designing and deploying security solutions, a thorough understanding of what you have to protect is important. Just as important is understanding the vulnerabilities within and around your assets and infrastructure. A threat analysis considers the range of currently known threats and the potential and likelihood that an attack will be attempted against your organization. Do you know what’s coming at you?</p>
<p>Threat management is the mitigation of recognized risk in an attempt to lower that risk to an acceptable level. These efforts require the use of auditing and analysis to confirm that they are working. Humans can be your weakest link. Ensure that they have received adequate training to stay a step or two ahead of potential attackers through:</p>
<ul>
<li>Audit &amp; Analysis</li>
<li>Risk Assessment and Mitigation</li>
<li>Social Engineering</li>
<li>Threat Assessment</li>
<li>Vulnerability Assessment</li>
</ul>
<h3>Audit &amp; Analysis</h3>
<p>Audit and analysis are techniques to measure, record, and understand the threats facing an organization. Audit trails, log files, monitoring data, and other collected data points are used to construct a historical perspective of the infrastructure. Some auditing tools are native to any OS, application, or network service. ISO 27002 lists common controls an organization can use to defend infrastructures. ISACA’s COBIT framework provides ways to test these controls when auditing. Standards and frameworks must be understood to prove corporate governance is compliant with applicable government regulations, such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).</p>
<p>Making a record of events occurring on the network and within a system, as caused by a process or user account, is only the first part. Recorded event details need to be assessed and evaluated in the context of all other events, both digital and physical. Such analysis can reveal what actually occurred and whether or not such occurrences are compliant and in adherence with required/expected work tasks. Internal auditing and analysis help show that a company is taking due care of its environment and can lead to resolving employee issues, tracking down criminals, and providing continuous improvement to the organization’s security profile.</p>
<h3>Risk Assessment and Mitigation</h3>
<p>Risk assessment is the initial and ongoing evaluation of an organization’s security stance in light of their assets, threats, and risks. Generally, risk assessment is performed as a multi-step process. This process starts with an inventory of assets. Each asset is assigned a composite value based on both tangible and intangible considerations. Threats that could negatively affect each specific asset are listed. Each of these threats is then evaluated in terms of the potential exposure factor (i.e. amount of potential loss), likelihood of occurrence (i.e. probability of becoming real), and annualized rate of occurrence (i.e. how often in a given year is threat realization possible). These calculations are analyzed to determine the threat/asset combination that is expected to cause the most harm the most often, and thus represents the largest risk to the organization.</p>
<p>Once risks are determined and prioritized based on severity and/or occurrence rate, countermeasures are selected to address top priority threats. Mitigation strategies include risk avoidance (i.e. removing elements of the environment or adjusting work tasks to remove that risk), risk reduction (e.g. installing security products or reconfiguring existing products), risk transference (e.g. assigning risk to others via outsourcing or insurance purchase), and risk acceptance (i.e. choosing to let a risk exist as is due to poor countermeasure options, lack of budget, small loss potential, or infrequency of occurrence). Overall, risk assessment and mitigation aims at taking an organization’s original total risk and reducing it to a manageable and acceptable level. Risk is never entirely eliminated (every new control carries new risks), and risk is not all bad; the ability to analyze risk concisely requires training and exercise.</p>
<h3>Social Engineering</h3>
<p>Social engineering is any attack focusing on the humans of an organization. Since humans are the weakest link in any security solution, it is important to address this growing concern. Social engineering attacks can occur through any means of communication, both real world and digital, whether real-time or not. Social engineering attacks often prey on new or undertrained employees but just as often focus on high value targets such as administrators or C-level executives. Confidence games played by hackers can range from seemingly innocent conversations asking for general information (e.g. a name, e-mail address, or phone number) to specifically targeted ploys to trick a victim into revealing secret information or performing a risky task (e.g. opening an e-mail attachment, typing in commands, or visiting a URL).</p>
<p>Due to the nature of social engineering, there are no specific technology defenses that address it. Some filters for SPAM or phishing in e-mail and Web browsers can help, but the best countermeasure is employee education and awareness. Employees need to know they are targets. They need to be more suspicious of contacts they don’t automatically recognize or that fail to provide a provable identity. Information classification policy should identify how data is to be classified and labeled. Each stratum of classification should clearly identify what content can be shared with whom. When necessary, procedures should dictate the means by which identities can be verified before revealing information or performing tasks. A thorough understanding of the means of social engineering and the common tactics employed by criminals will assist organizations in designing a training program that equips their personnel with the tools needed to avoid the common traps.</p>
<h3>Threat Assessment</h3>
<p>A threat assessment is part of a comprehensive risk assessment and risk mitigation process. It is the profiling and evaluation of threats that loom over an organization and its assets. Only when you know the potential harm that could occur is it possible to design and deploy an appropriate and sufficient security response. Threats include Internet attacks, internal personnel, nature’s physical elements, unplanned downtime, hardware failures, over allocation of resources and capacity, oversights, mistakes, and more. All of these must be considered when designing an organization’s security solution. Understanding threats (i.e., what they are, how they manifest, how situations are used by criminals, etc.) involves learning how criminal hackers work, the process and costs of incident response and forensic investigations, as well as a thorough understanding of the underpinnings of IT infrastructure, including hardware, firmware, operating systems, applications, file storage, network resources, databases, networking protocols, etc.</p>
<h3>Vulnerability Assessment</h3>
<p>When crafting and maintaining a secure infrastructure there are three primary phases or elements: risk assessment/analysis, vulnerability assessment/analysis, and penetration testing. Security starts with a risk assessment to establish a foundational security policy. Risk assessments are repeated on a regular basis to incrementally improve upon a security solution. Generally, risk assessments are more paper-based methods of security assessment and analysis.</p>
<p>Vulnerability assessment is then possible once an initial security policy has been implemented in the deployed infrastructure. Vulnerability assessment seeks to confirm that all necessary patches and upgrades are installed, that reasonable configuration settings are in place, and that known flaws and vulnerabilities are addressed. This assessment is usually performed using mostly automated analysis tools which include an updatable database of checks, tests, and threat probes. Most vulnerability assessment tools can be run by a well-rounded network or security administrator. These assessment tools are generally safe to use and do not pose a serious risk to the infrastructure.</p>
<p>Once the administrative staff has responded to all issues uncovered by risk assessment and vulnerability assessment, the third phase of security assessment can be performed — namely penetration testing (a.k.a. ethical hacking). Penetration testing is when a highly skilled team of security experts use the tools and techniques of criminal hackers to test the resiliency of the deployed security infrastructure, the methods of detection, and human response. The goal of such testing is to reveal vulnerabilities and other issues that automated tools overlook and which skilled and focused criminal hackers may be able to uncover. If you are able to find these concerns before they are abused, defenses can be implemented to prevent those esoteric breaches which may have been unknown prior to the penetration test.</p>
<p><strong>Related Courses</strong><br /> <a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=13526&amp;catid=191&amp;country=United+States" target="_blank">Cybersecurity Foundations</a><br /> <a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=16261&amp;catid=191&amp;country=United+States" target="_blank">Security+ Prep Course</a><br /> <a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=15870&amp;catid=191&amp;country=United+States" target="_blank">Certified Ethical Hacker v7</a></p>
<div class='series_toc'><h3>Security Competencies Series</h3><ul><li><a href='http://globalknowledgeblog.com/technology/security/hacking-cybercrime/security-competencies-what-they-are-why-we-need-them/' title='Security Competencies: What They Are and Why We Need Them'>Security Competencies: What They Are and Why We Need Them</a></li><li><a href='http://globalknowledgeblog.com/technology/security/hacking-cybercrime/asset-protection-what-do-you-have/' title='Asset Protection: What Do You Have?'>Asset Protection: What Do You Have?</a></li><li>Threat Management: What’s Coming at You?</li><li><a href='http://globalknowledgeblog.com/technology/security/hacking-cybercrime/access-control-who-gets-in/' title='Access Control: Who Gets In?'>Access Control: Who Gets In?</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/threat-management-whats-coming-at-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Asset Protection: What Do You Have?</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/asset-protection-what-do-you-have/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/asset-protection-what-do-you-have/#comments</comments>
		<pubDate>Tue, 01 May 2012 12:32:03 +0000</pubDate>
		<dc:creator>James Michael Stewart</dc:creator>
				<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[asset protection]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5656</guid>
		<description><![CDATA[In order to protect your assets, you must first know what they are, where they are, and understand how they are tracked and managed. Are they secured? Who has access to them? Who tracks and manages them? Do you have functional procedures in place to respond and recover from a security breach quickly? Do you have a process improvement cycle to prevent re-occurrence?]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2012/02/phonelaptop39.jpg"><img src="http://globalknowledgeblog.com/wp-content/uploads/2012/02/phonelaptop39.jpg" alt="" title="phonelaptop39" width="300" height="300" class="alignright size-full wp-image-5391" /></a></p>
<p>In order to protect your assets, you must first know what they are, where they are, and understand how they are tracked and managed. Are they secured? Who has access to them? Who tracks and manages them? Do you have functional procedures in place to respond and recover from a security breach quickly? Do you have a process improvement cycle to prevent re-occurrence?</p>
<p>These are all important issues related to assets. It’s important to remember what an asset is — it’s anything used in a business task. Generally, asset protection involves identification of assets, assessment of an asset’s value, and a determination of the technologies needed to provide sufficient security for that asset. There are many facets to the job of asset security including:</p>
<ul>
<li>Cloud Computing</li>
<li>Virtualization</li>
<li>Secure Coding</li>
<li>Identity Management</li>
<li>Information Assurance</li>
<li>Public Key Infrastructure</li>
</ul>
<h3>Cloud Computing</h3>
<p>The cloud offers computing services as a commodity. This involves a wide range of capabilities including online storage and backup, virtual/remote desktop, collaboration services, software as a service, platform as a service, and infrastructure as a service. Popular services include online office productivity (such as Google Docs or Office 365), computing services for custom applications (such as Engine Yard or Windows Azure), or complete back-end scalable datacenters (such as GoGrid or Rackspace). While cloud computing can greatly benefit an organization, it also introduces new and unique security concerns.</p>
<p>Cloud services are at odds with some regulations and security standards. Each organization is responsible for its own compliance with requirements such as the prohibition of commingling of certain data types, hardware types, or data locations. Also, traffic flow must be understood. Is your sensitive and critical data encrypted in transit and while stored/processed in the cloud? Who has access to the encryption keys? What procedures are in place to manage ease of access, recovery options, downtime concerns, backup, privacy protections, and speed of interaction and throughput? Cloud computing revolutionizes technology. The benefits and drawbacks need to be considered carefully before shifting aspects of your infrastructure into the cloud.</p>
<h3>Virtualization</h3>
<p>Virtualization is the creation and/or support of a simulated copy of a real machine or environment. Virtualization can be used to provide virtual hardware platforms, operating systems/platforms, storage capacity, network resources, and applications. Virtualization can also be used to host applications on a different OS than the one they were originally designed for, or to allow a single set of server hardware to host several server operating systems in memory simultaneously. Virtualization offers the benefits of lower hardware costs, reduced operating costs, efficient backups/restoration, high availability, portability of services, faster deployment, expandability/scalability, and more. Virtualization adds security to the computing environment by permitting servers to be logically separated from each other. However, virtualization can cause problems with licensing, patch management, and regulation compliance, and may bring slower performance of services, a greater potential for a single point of failure, and potential security concerns due to hardware re-use or sharing.</p>
<h3>Secure Coding</h3>
<p>Secure coding practices are essential to reducing the threat caused by the exploitation of processes, bad/poor coding, and flaws in design. Secure coding includes the consideration of appropriate controls at the onset of development, proper consideration given to design, robust code and error routines, minimizing verbose error messages, eliminating programmer back doors, bounds checking, input validation, separation of duties, and comprehensive change management. Failure to use secure coding practices leads to software that is susceptible to buffer overflow attacks, DoS attacks, and malicious code injection attacks. Non-robust code can also provide a path for database and command injection attacks.</p>
<p>Secure coding practices can include many aspects of secure design integration and attack prevention. For example, software can be designed to authenticate all resource requests and processing actions before allowing a task to operate. Additionally, limiting and sanitizing input to prevent script, meta-character, and command injection is an essential part of secure coding. Secure coding is more than just a few extra lines of code; it is an entire process and architecture of software development.</p>
<p>Secure coding is an essential security practice not just for vendors that sell/release products to the world-wide market but also for internal software developers that develop code for use exclusively by internal users or which is exposed to the world via an Internet service. One of the biggest mistakes companies make in relation to the Internet is assuming their Internet servers are secure and cannot be compromised, and that if they were ever compromised it would not lead to serious consequences or a breach of their private network. This is usually a poor assumption. With the growing popularity of fuzzing tools to find coding errors, the proliferation and distribution of buffer overflow exploit code, and the several variants of code injection attacks (including SQL, command, XML, LDAP, SIP, etc.), no Internet service can ever be assumed to be immune from breach.</p>
<h3>Identity Management</h3>
<p>Companies collect a lot of customer and employee data. Identity management involves the protection of all personally identifiable information (PII). This protection includes proper classification of information, delineation of the lines of communication, and strict policies and procedures for access control. Accountability is a key requirement to hold all information requestors (‘subjects’, both internal users and outside attackers) liable for their actions.</p>
<p>Credentials are a popular form of PII subject to attack. All repositories of personal information, the access channels to those repositories, and the exchange of information with those repositories need to be protected with strong authentication and encryption. Today’s sharing of information, transient locations of data repositories, and society’s acceptance of weak authentication set the stage for transitive attacks. A transitive attack occurs when you grant a trust without realizing that it implicitly includes other trusts you were unaware of, and those inherited trusts can defeat your security.</p>
<h3>Information Assurance</h3>
<p>Information assurance satisfies management’s desire for a given security profile, indicating that all data is properly protected and able to be accepted as accurate and readily available. The set of processes needed to support this assurance requires the establishment of a reliable means to lock down assets and track their usage. Specifically, information assurance is focused on the security of data or information typically stored in files. It is important to properly manage the risk of using, processing, transmitting, and storing these data files. Secure data management addresses not just electronic or digital issues, but physical storage media (especially portable media) as well.</p>
<h3>Public Key Infrastructure</h3>
<p>Public Key Infrastructure (PKI) is a security framework and is generally composed of four main components: symmetric encryption, asymmetric encryption (often public key cryptography), hashing, and a reliable method of authentication. Symmetric encryption is used for bulk encryption for storage or transmission of information. Asymmetric encryption is used for digital signatures and digital envelopes (i.e., secure exchange of symmetric keys). Hashing is used to check and verify integrity.</p>
<p>How will you assure that reliable authentication is used to ensure that only valid entities participate in the PKI environment, and that secure key delivery, secure key use, and key revocation are in place? Customers’ belief in the credibility of certificates, and therefore in the security of transactions with your website, depends on the reputation and reliability of the CA. Due to recent attacks by hackers, blind trust in digital certificates has been called into question. As with any protection measure, companies need to understand what PKI technology affords in terms of protection, as well as be cognizant of the technology’s limitations and vulnerabilities.</p>
<p><strong>Related Courses</strong><br /> <a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=13526&amp;catid=191&amp;country=United+States" target="_blank">Cybersecurity Foundations</a><br /> <a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=16261&amp;catid=191&amp;country=United+States" target="_blank">Security+ Prep Course</a><br /> <a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=15870&amp;catid=191&amp;country=United+States" target="_blank">Certified Ethical Hacker v7</a></p>
 <div class='series_links'> </div><div class='series_toc'><h3>Security Competencies Series</h3><ul><li><a href='http://globalknowledgeblog.com/technology/security/hacking-cybercrime/security-competencies-what-they-are-why-we-need-them/' title='Security Competencies: What They Are and Why We Need Them'>Security Competencies: What They Are and Why We Need Them</a></li><li>Asset Protection: What Do You Have?</li><li><a href='http://globalknowledgeblog.com/technology/security/hacking-cybercrime/threat-management-whats-coming-at-you/' title='Threat Management: What’s Coming at You?'>Threat Management: What’s Coming at You?</a></li><li><a href='http://globalknowledgeblog.com/technology/security/hacking-cybercrime/access-control-who-gets-in/' title='Access Control: Who Gets In?'>Access Control: Who Gets In?</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/asset-protection-what-do-you-have/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Are You Interested in IT Security?</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/are-you-interested-in-it-security/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/are-you-interested-in-it-security/#comments</comments>
		<pubDate>Wed, 25 Apr 2012 12:13:41 +0000</pubDate>
		<dc:creator>Michael Gregg</dc:creator>
				<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[IT security]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5636</guid>
		<description><![CDATA[If you are interested in IT security, now is a good time to consider a career move.  According to the 2011 Information Security and Data Privacy Staffing Survey, which polled 190 organizations in 34 countries, IT security staffing budgets are expected to rise 14% next year. That is good news for those involved in IT security and individuals in the InfoSec field. This increase in funding could not come at a better time. ]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2011/08/badgesecurity86056.jpg"><img class="alignright size-thumbnail wp-image-4278" title="badgesecurity86056" src="http://globalknowledgeblog.com/wp-content/uploads/2011/08/badgesecurity86056-150x150.jpg" alt="" width="150" height="150" /></a>If you are interested in IT security, now is a good time to consider a career move.  According to the <a href="http://www.prweb.com/releases/security-policy/2012/prweb9347575.htm" target="_blank">2011 Information Security and Data Privacy Staffing Survey</a>, which polled 190 organizations in 34 countries, IT security staffing budgets are expected to rise 14% next year. That is good news for those involved in IT security and individuals in the InfoSec field. This increase in funding could not come at a better time. </p>
<p>Earlier this year at the RSA conference, RSA chief Arthur Coviello stated that, “never have the attacks been as targeted, with the aim of breaching one organization as a stepping stone to breaching others.” The last few years have seen a real increase in the rate and magnitude of cyber attacks. While there are several bills in Congress slated to address cyber security, there is still much more work to be done. Most of this work will be done by employees and contractors.</p>
<p>If you are interested in making the move to IT security, the best way to start is to increase your security skill set. This can include classroom training, college classes, and reading online security sites and blogs. Some of the areas that I would expect to see growth in include hands-on technical skills, security management practices, risk management, applications development, and cloud security.</p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/are-you-interested-in-it-security/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Security Competencies: What They Are and Why We Need Them</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/security-competencies-what-they-are-why-we-need-them/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/security-competencies-what-they-are-why-we-need-them/#comments</comments>
		<pubDate>Mon, 23 Apr 2012 12:18:32 +0000</pubDate>
		<dc:creator>James Michael Stewart</dc:creator>
				<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[asset protection]]></category>
		<category><![CDATA[security competencies]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5624</guid>
		<description><![CDATA[Technology is changing rapidly. New tools for managing information, providing remote access, and calculating data analytics are being deployed at a feverish pace. Meanwhile, skillful exploits and attacks are being perfected and launched by hacktivists and criminals from across the globe. The ability for an organization to reach out to a world-wide market base has never been so effortless, but at the same time the risks from doing so have never been greater.]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2011/08/handcuffssecuritySS37041.jpg"><img class="alignright size-full wp-image-4309" title="handcuffssecuritySS37041" src="http://globalknowledgeblog.com/wp-content/uploads/2011/08/handcuffssecuritySS37041.jpg" alt="" width="300" height="300" /></a>Technology is rapidly changing. New tools for managing information, providing remote access, and calculating data analytics are being deployed at a feverish pace. Meanwhile, skillful exploits and attacks are being perfected and launched by hacktivists and criminals from across the globe. The ability for an organization to reach out to a world-wide market base has never been so effortless, but at the same time the risks from doing so have never been greater.</p>
<p>Increasingly, the Internet interconnects individuals and businesses, which also grants unfettered access to criminals and those who wish to abuse these systems. “Cyber threats” define the attacks that compromise computers, networks, data-sets, and/or their communications. “Cyber attacks” can reach a target from local sources (i.e., already on your network) or from across a wide area network link (i.e., the Internet). A compromise of IT infrastructure, communications, or data stores can result in serious economic and financial losses. Additionally, security breaches can lead to privacy violations, negative publicity, a depletion of public trust, a reduction of consumer confidence, and loss of market share. Security compromises can cause a violation of regulations, place the organization at risk of losing its license to operate, cause bankruptcy, and potentially trigger criminal or civil penalties for the organization and its officers.</p>
<p>Organizations must take the threat and risk of computer hacking seriously. A well-trained and prepared cyber workforce is imperative. All personnel in the organization, from the C-level executives to new interns, require cyber-awareness. All organizations benefit from having some personnel trained as cyber warriors. A well-prepared organization is able to build sufficient defenses to ward off most attacks, tune detection systems to discover attempted attacks, and respond to compromises promptly in order to contain and eradicate the violation. The best defense starts with information, knowledge, and education. You need the right people with the right skills and expertise to counter the ever-present onslaught of cyber threats and attacks. The six main security disciplines and their corresponding competencies are:</p>
<ul>
<li>Asset Protection</li>
<li>Threat Management</li>
<li>Access Control</li>
<li>Incident Management</li>
<li>Configuration Management</li>
<li>Contingency Planning</li>
</ul>
<p>Continuing next week, this seven part series will teach you to use and understand each of these disciplines to better protect you and your company.</p>
<p><strong>Related Courses</strong><br /> <a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=13526&amp;catid=191&amp;country=United+States" target="_blank">Cybersecurity Foundations</a><br /> <a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=16261&amp;catid=191&amp;country=United+States" target="_blank">Security+ Prep Course</a><br /> <a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=15870&amp;catid=191&amp;country=United+States" target="_blank">Certified Ethical Hacker v7</a></p>
 <div class='series_links'> </div><div class='series_toc'><h3>Security Competencies Series</h3><ul><li>Security Competencies: What They Are and Why We Need Them</li><li><a href='http://globalknowledgeblog.com/technology/security/hacking-cybercrime/asset-protection-what-do-you-have/' title='Asset Protection: What Do You Have?'>Asset Protection: What Do You Have?</a></li><li><a href='http://globalknowledgeblog.com/technology/security/hacking-cybercrime/threat-management-whats-coming-at-you/' title='Threat Management: What’s Coming at You?'>Threat Management: What’s Coming at You?</a></li><li><a href='http://globalknowledgeblog.com/technology/security/hacking-cybercrime/access-control-who-gets-in/' title='Access Control: Who Gets In?'>Access Control: Who Gets In?</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/security-competencies-what-they-are-why-we-need-them/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BeEF: The Browser Exploit Framework</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/beef-the-browser-exploit-framework/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/beef-the-browser-exploit-framework/#comments</comments>
		<pubDate>Thu, 12 Apr 2012 12:14:52 +0000</pubDate>
		<dc:creator>Michael Gregg</dc:creator>
				<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[BeEF]]></category>
		<category><![CDATA[browser exploit framework]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5594</guid>
		<description><![CDATA[While many security professionals have used the Metasploit Framework, there is another exploit framework that you should review. It is known as BeEF. BeEF is a powerful exploit framework that is focused on leveraging browser vulnerabilities to assess the security posture of a target. Just as many penetration testers use proxies such as Burp and Paros, BeEF takes this a step further by directly targeting the browser.]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2012/04/troubleshooting23437213.jpg"><img class="alignright size-full wp-image-5569" title="troubleshooting23437213" src="http://globalknowledgeblog.com/wp-content/uploads/2012/04/troubleshooting23437213.jpg" alt="" width="300" height="300" /></a>While many security professionals have used the Metasploit Framework, there is another exploit framework that you should review. It is known as BeEF. BeEF is a powerful exploit framework that is focused on leveraging browser vulnerabilities to assess the security posture of a target. Just as many penetration testers use proxies such as Burp and Paros, BeEF takes this a step further by directly targeting the browser.</p>
<p>You can think of browser exploitation as a method of taking advantage of vulnerabilities in the browser software to modify specific settings without the knowledge of the end user. The BeEF exploit framework allows penetration testers to select specific modules to target each browser in a one-two-three approach. First, a target is selected. After selecting a target, the user can load a specific module used for attack. The ‘Load Modules’ area shows what modules are available for use and, once selected, allows the code to be sent to the targeted browser. Once the module is loaded, the vulnerability can be exploited.</p>
<p>As an example, one module is used to target the way Apple computers insecurely handle URL schemes when initiating a Skype outbound call. If successful, BeEF will initiate a Skype call without the end user’s permission. While this is just one example of BeEF, it demonstrates the power of the tool and how it can be used by security professionals and penetration testers to test for client side vulnerabilities. Other modules include browser overflows, cross site scripting, keylogging, and clipboard theft.</p>
<p>I hope you will consider checking out this great piece of software. You can learn more by <a href="http://beefproject.com/">visiting the project page</a> or by <a href="https://github.com/beefproject/beef/wiki">reviewing the wiki</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/beef-the-browser-exploit-framework/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Topics on Security+ 2011 (SY0-301) from Domains 4.0–6.0</title>
		<link>http://globalknowledgeblog.com/certification/new-topics-on-security-2011-sy0-301-from-domains-4-0-6-0/</link>
		<comments>http://globalknowledgeblog.com/certification/new-topics-on-security-2011-sy0-301-from-domains-4-0-6-0/#comments</comments>
		<pubDate>Wed, 04 Apr 2012 16:56:11 +0000</pubDate>
		<dc:creator>James Michael Stewart</dc:creator>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[CompTIA]]></category>
		<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Security +]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5547</guid>
		<description><![CDATA[Fuzzing is a testing method that uses a brute force technique to send data to software or hardware inputs and then notice the response or reaction. The purpose is to discover programming or design flaws that need fixing or which can be exploited. Both security professionals and hackers use fuzzing tools. These tools can operate autonomously to craft random or sequential input data sets in order to stress test a target.]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2012/04/5651886014.jpg"><img src="http://globalknowledgeblog.com/wp-content/uploads/2012/04/5651886014.jpg" alt="" title="5651886014" width="300" height="300" class="alignright size-full wp-image-5574" /></a>Reprinted from <a href="http://www.globalknowledge.com/training/whitepaperdetail.asp?pageid=502&amp;wpid=954&amp;country=United+States" target="_blank">Global Knowledge: New Topics on Security+ 2011 (SY0-301) from Domains 2.0–6.0</a></p>
<h3>Domain 4.0 Application, Data and Host Security</h3>
<h4>1. Fuzzing (4.1)</h4>
<p>Fuzzing is a testing method that uses a brute force technique to send data to software or hardware inputs and then notice the response or reaction. The purpose is to discover programming or design flaws that need fixing or which can be exploited. Both security professionals and hackers use fuzzing tools. These tools can operate autonomously to craft random or sequential input data sets in order to stress test a target.</p>
<h4>2. Cross-site Request Forgery (XSRF) prevention (4.1)</h4>
<p>Cross-site Request Forgery (XSRF) is an attack that takes advantage of a Web server’s trust in an authenticated client. Usually attacks of this type wait until a valid client authenticates to a server before launching and making command requests to the server as if it were the client. The flaw is the server assuming that an authenticated client will only make valid and reasonable requests. This is a bad assumption. Prevention of XSRF must take place at both the client and server. Clients should avoid risky behavior to prevent malware infection and run current anti-malware scanners. Servers should limit the abilities or functions clients can access and re-request authentication when a sensitive action is requested.</p>
<h4>3. Cable locks (4.2)</h4>
<p>Cable locks are an important part of portable device physical security. A cable lock is used to secure a notebook or other device to a less mobile (preferably immovable) object using a looping cable along with a lock that connects into a K-slot on the device. Cable locks are not insurmountable; a good set of wire cutters or an adept lock-pick may be able to bypass the protection. However, the presence of a cable lock requires additional effort in a theft attack, thus reducing the attack’s success rate.</p>
<h4>4. Mobile Devices (4.2)</h4>
<p>There are several mobile device specifics on the objectives list, including screen lock, strong password, device encryption, remote wipe/sanitation, voice encryption, and GPS tracking. Most of these are standard security issues on desktops and notebooks. Smartphones are somewhat more vulnerable to remote wiping and GPS tracking. Often, these services must be installed and configured prior to a loss or theft event.</p>
<h4>5. Data Loss Prevention (DLP) (4.3)</h4>
<p>Data Loss Prevention (DLP) is the plan and policy focused on preventing data from being disclosed to unauthorized entities, especially outsiders and hackers. Most of the efforts related to data access, encryption, tracking, and confidentiality protection are part of the DLP solution. Showing sufficient DLP is also an important part of regulation compliance.</p>
<h3>Domain 5.0 Access Control and Identity Management</h3>
<h4>1. Common Access Card (5.2)</h4>
<p>The Common Access Card (CAC) has been commonly used by the government and military of the USA since the early 2000s; however, CACs are found in many private companies as well. The CAC is a smart card commonly used to control physical and logical access into a secured environment. It often consists of a photo ID, smart card technologies, and proximity mechanisms (such as RFID).</p>
<h4>2. Personal identification verification card (5.2)</h4>
<p>A personal identification verification (PIV) card is a more generic form of a CAC. It is any form of ID card that can be used to confirm or check someone’s identity. A PIV could refer to a driver’s license, an access badge, a photo ID, or a visitor’s badge, etc.</p>
<h3>Domain 6.0 Cryptography</h3>
<h4>1. Miscellaneous Cryptography Items (6.0)</h4>
<p>This domain contains several new topics not included on the previous exam. The topics are not new to the IT security realm, as they are standard elements of most cryptography discussions. They include: block vs. stream, transport encryption, WEP vs. WPA/WPA2 and preshared key, RIPEMD, HMAC, RC4, Blowfish, whole disk encryption, Twofish, SSL, TLS, IPSec, SSH, HTTPS, and PKI.</p>
<h3>Conclusion</h3>
<p>The descriptions and definitions of some of the new Security+ topics listed here are designed to pique your interest. This is not an exhaustive coverage of these issues, but they point to a larger discussion of security topics that require greater context.</p>
<p><strong>Related Courses</strong></p>
<p><a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=16261&amp;country=United+States">Security+ Prep Course (SYO-301)</a><br />
<a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=16259&amp;country=United+States">Security+ Certification Boot Camp (SYO-301)</a></p>
 <div class='series_links'> </div><div class='series_toc'><h3>New Topics on Security+ Series</h3><ul><li><a href='http://globalknowledgeblog.com/certification/new-topics-on-security-2011-sy0-301-from-domains-2-0-3-0/' title='New Topics on Security+ 2011 (SY0-301) from Domains 2.0–3.0'>New Topics on Security+ 2011 (SY0-301) from Domains 2.0–3.0</a></li><li>New Topics on Security+ 2011 (SY0-301) from Domains 4.0–6.0</li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/certification/new-topics-on-security-2011-sy0-301-from-domains-4-0-6-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Topics on Security+ 2011 (SY0-301) from Domains 2.0–3.0</title>
		<link>http://globalknowledgeblog.com/certification/new-topics-on-security-2011-sy0-301-from-domains-2-0-3-0/</link>
		<comments>http://globalknowledgeblog.com/certification/new-topics-on-security-2011-sy0-301-from-domains-2-0-3-0/#comments</comments>
		<pubDate>Wed, 28 Mar 2012 17:49:37 +0000</pubDate>
		<dc:creator>James Michael Stewart</dc:creator>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[CompTIA]]></category>
		<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Security+]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5545</guid>
		<description><![CDATA[In early summer of 2011, the latest version SY0-301 was released. This revamped exam focuses more on risk, operational security, and mobile device security. It also clearly emphasizes security in three main areas: application, data, and host. In your efforts to prepare for SY0-301, it would be a good idea to pay special attention to the new topics and issues added for this latest revision.]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2011/10/ladybooksstudy31130SBSRGB75.jpg"><img class="alignright size-full wp-image-4783" title="ladybooksstudy31130SBSRGB75" src="http://globalknowledgeblog.com/wp-content/uploads/2011/10/ladybooksstudy31130SBSRGB75.jpg" alt="" width="300" height="300" /></a>Reprinted from <a href="http://www.globalknowledge.com/training/whitepaperdetail.asp?pageid=502&amp;wpid=954&amp;country=United+States" target="_blank">Global Knowledge: New Topics on Security+ 2011 (SY0-301) from Domains 2.0–6.0</a></p>
<p>In early summer of 2011, the latest version SY0-301 was released. This revamped exam focuses more on risk, operational security, and mobile device security. It also clearly emphasizes security in three main areas: application, data, and host. In your efforts to prepare for SY0-301, it would be a good idea to pay special attention to the new topics and issues added for this latest revision.</p>
<p>This series of posts focuses on some of the new topics, terms, and issues added to the SY0-301 Security+ 2011 exam in domains 2.0–6.0. These domains include:</p>
<ul>
<li>2.0 Compliance and Operational Security</li>
<li>3.0 Threats and Vulnerabilities</li>
<li>4.0 Application, Data and Host Security</li>
<li>5.0 Access Control and Identity Management</li>
<li>6.0 Cryptography</li>
</ul>
<p>For the discussion of the new topics in Domain 1.0, please review the white paper <a href="http://www.globalknowledge.com/training/whitepaperdetail.asp?pageid=502&amp;wpid=907&amp;country=United+States">Ten New Topics on Security+ 2011 (SY0-301) from Domain 1.0</a>. (Note: The number in parentheses after each topic is the official objective sub-domain reference as defined by CompTIA for SY0-301. Please visit <a href="http://www.comptia.org/home.aspx" target="_blank">www.comptia.org</a> for a complete accounting of the objectives.)</p>
<h3>Domain 2.0 – Compliance and Operational Security</h3>
<h4>1. Annualized Loss Expectancy (2.1)</h4>
<p>Annualized Loss Expectancy (ALE) is one of the many calculated values crafted as part of a risk assessment process. ALEs have long been a staple concept for those pursuing the CISSP, but their new addition to the Security+ content reveals a new focus on risk management rather than just a cursory nod. The ALE is calculated using three values: asset value (AV), exposure factor (EF), and annualized rate of occurrence (ARO). The AV is an assigned dollar amount representing the importance or value of an asset to an organization. The EF is the percentage of loss that may be experienced if a specific threat is realized. The ARO is a prediction of how many times the threat is expected to be realized in the next year. AV × EF × ARO = ALE. Once an ALE has been calculated for each pairing of asset and threat, the largest ALE points to the most significant risk to the organization and should be addressed as a priority in the security response.</p>
<h4>2. Quantitative vs. Qualitative (2.1)</h4>
<p>Risk assessment is performed using a hybrid approach, a combination of a quantitative and a qualitative assessment of risk. A quantitative approach uses mathematical calculations to prioritize security response. A qualitative approach processes the subjective perspectives of various personnel on the state or status of security and risk. It is important to use a hybrid approach for risk assessment because performing only quantitative or qualitative assessments will produce a skewed view of the true state of risk.</p>
<h4>3. Risks associated to Cloud Computing and Virtualization (2.1)</h4>
<p>Virtualization was a topic in the previous exam, but cloud computing is a new addition. This objective focuses on the risks related to these technologies. Virtualization is the concept of hosting multiple operating systems (and/or their various applications) on a single set of computer hardware. Cloud computing expands on this by taking advantage of Internet (public) or private online services, which can include software, platform, or infrastructure as a service. The risks associated with cloud computing and virtualization include:</p>
<ul>
<li>Reduced control due to data being located outside the physical premise</li>
<li>Difficulty of maintaining regulation compliance</li>
<li>Lack of security training and implementation at the cloud service organization</li>
<li>Potential geographic storage location issue (within your country or spread across multiple countries)</li>
<li>Legal implications in the event of disclosure or breach in terms of jurisdiction,</li>
<li>Method/type of encryption and who possesses the encryption keys</li>
<li>Whether, in the event of a search warrant, the cloud service organization can turn over your data in plaintext</li>
<li>Speed of recovery/restoration</li>
</ul>
<h4>4. Basic forensic procedures (2.3)</h4>
<p>Basic forensic procedures were included in the previous list of exam objectives, but the new objectives list nine new specific sub-objectives: order of volatility, capture system image, network traffic and logs, capture video, record time offset, take hashes, screenshots, witnesses, and track man-hours and expense. Each of these new sub-objectives is fairly straightforward and self-explanatory, especially if you have a basic understanding of computer forensics (i.e., digital evidence collection and processing). For the exam, focus on understanding each of these topics at a more in-depth level since they were named specifically on the new objectives list.</p>
<h4>5. Personally Identifiable Information (2.4)</h4>
<p>Personally identifiable information (PII) is any information that can be linked back to an individual person. This could be because a reference or identification is included with the information, or because the information alone points to an individual. For example, the fact that someone has a favorite flavor of ice cream, such as mint chocolate chip, is not PII, unless it is on a document indicating who that person is (such as Michael). However, if the information is a phone number, e-mail, mailing address, social security number, employee ID, driver’s license number, license plate, etc., this information is PII in itself, as it directly points back to an individual (or nearly so). PII protection is of utmost importance, as information is being gathered at an alarming rate, and often we are giving away this information without even realizing it. It may be years before we fully understand the ramifications of being so open about ourselves on social networks and smart phone apps. Will your PII be harvested and used against you one day?</p>
<h4>6. Clean desk policies (2.4)</h4>
<p>A clean desk policy indicates that workers need to secure all materials on their computers and physical workspaces before they end their work shift. A worker should save their work, transfer files to proper locations, potentially make backups, then log out of their computer terminal. A worker should also collect and file away all paperwork from their work surface. All paperwork of any sensitive value must be secured in a locked drawer or office safe. The purpose of a clean desk policy is to reduce the risk of information theft, loss, or disclosure.</p>
<h4>7. Zero day exploits (2.5)</h4>
<p>Zero day exploits are new malicious attacks that have been recently released by malicious attackers. Generally, the term refers to any attack or exploit for which there is no specific or direct countermeasure or safeguard. It is called a “zero day exploit” because a victim has zero notice of the attack being imminent. Since it is a new and, therefore, unknown attack, there are no countermeasures; security solutions are unable to detect or respond to the new threat. Thus, this term can be used to describe attacks that may be days, weeks, or even months old if there is no specific defense against them. Once it is discovered and a protection or countermeasure exists, such a threat ceases to be a zero day exploit.</p>
<h4>8. Succession planning (2.5)</h4>
<p>Succession planning is the pre-determination of the next-in-line for key leadership positions within an organization. People in an organization’s top C-level hierarchy can make or break an organization. Failing to have responsible leadership can be the downfall of any organization. Since life can be chaotic, it is important to plan for the worst with a line-up of successors to any key positions. Those selected as leadership alternatives can be trained and groomed so as to be ready to take over in the event of a top position becoming vacant.</p>
<h4>9. Hot and cold aisles (2.6)</h4>
<p>Hot and cold aisles is a data center or computer vault air management concept. If a data center is designed so that the banks of computers, servers, etc., are lined up like parallel walls or aisles, then, by alternating cold air input and hot air extraction, an otherwise difficult-to-manage situation becomes quite easy. Keeping high-end computing equipment cool is key to high performance and long-term reliability. Allowing overheating will result in expensive downtime. This air management concept is both simple in design and effective in execution.</p>
<h3>Domain 3.0 Threats and Vulnerabilities</h3>
<h4>1. Smurf attack (3.2)</h4>
<p>The Smurf attack has been a staple example of DDoS (Distributed Denial of Service) for well over a decade. It is a predecessor to the modern botnet concept. Smurf uses ICMP Type 0 echo request packets to initiate a flood of responses to a victim. This is accomplished by spoofing the source address of the ICMP echo request as the victim’s address and then setting the destination address to several different directed broadcast addresses of vulnerable networks (a.k.a. amplification networks). The amplification networks effectively multiply the inbound requests by the number of members of their network. Then, each of the network members sends back an ICMP Type 8 echo reply to the victim. This can cause so much traffic to the victim that they are cut off from the network. Generally, the Smurf attack is ineffective today, since ICMP and inbound directed broadcasts are often blocked at network borders.</p>
<h4>2. Spam over Instant Messaging (3.2)</h4>
<p>Spam over Instant Messaging (SPIM) is another cute term to refer to unwanted and/or unsolicited messages appearing in any form of instant messaging or chatting service, which can include mobile device texting (i.e., SMS). SPIM is yet another way of wasting your time and money (if you are not on an unlimited data plan) just so advertising and malicious content can reach you. Also, SPAM over Internet Telephony (SPIT), which is SPAM over VoIP services, such as Vonage, Skype, or Google Video Chat, is also a time and money waster for the consumer.</p>
<h4>3. Vishing (3.2, 3.3)</h4>
<p>Vishing, or VoIP Phishing, is using VoIP services to support phishing attacks. A VoIP service can often falsify its caller ID, fooling you into believing that an inbound call is from someone you might know or trust, even though it is actually a call from an attacker. It is important to be extra cautious when giving up personal information over the phone. Mainly, if you are asked to give up information instead of confirming it (for example, they tell you the personal data, like your account number, and you confirm that they are correct), then you need to hang up and call the claimed organization/person on a known trusted line.</p>
<h4>4. Xmas attack (3.2)</h4>
<p>The Xmas attack is not actually an attack; instead, it is one of the many variants of port scanning. Its name is derived from one of the earliest forms of this port scan where every other flag in the TCP header flag byte was alternated as a 0 or 1. This is said to represent the alternating flashing lights of a Christmas (or Xmas) tree. A basic firewall is usually sufficient to render Xmas scans/attacks, as well as most other port scanning variations, worthless. However, it is important to remember that port scans using the TCP Full Connect or Half Connect methods are always successful at determining open ports. Otherwise, legitimate connections would be refused as well.</p>
<h4>5. Pharming (3.2)</h4>
<p>Pharming is maliciously stealing someone’s traffic. Commonly this is done against Web sites through an attack on DNS. The attack can be local or global. A local attack would only affect visitors from a specific subnet, company network, or maybe a small ISP. A global attack would affect anyone on the Internet attempting to resolve the correct domain name by returning a false IP address. In any case, the pharming attack results in victims being sent to an alternative location, often presenting a false or spoofed version of the original Web site in order to steal sales, perform phishing, or attempt identity theft.</p>
<h4>6. Tailgating (3.3)</h4>
<p>Tailgating is the act of gaining access to a secured location by taking advantage of someone else’s valid credentials in such a way that the owner of the valid credentials is unaware that an attack just took place. This is often easiest to understand with a scenario: a worker approaches a secure door and uses his smart card to unlock the door. After the worker enters, an attacker sneaks up and grabs the door just before it closes, slips in unnoticed, and allows the door to close. Tailgating can be reduced by having workers ensure a door closes and re-locks before they leave it, positioning security guards at each entrance, and installing man-traps.</p>
<h4>7. Whaling (3.3)</h4>
<p>Whaling is a form of phishing aimed at a specific individual or a small class or group of individuals. Typical phishing attacks are distributed to everyone and anyone indiscriminately. Whaling focuses on a specific individual or a group of high-value targets. Common whaling targets are company executives or persons with high net worth, who may have significant monetary funds in a bank or brokerage account.</p>
<h4>8. Evil Twin (3.4)</h4>
<p>Evil Twin is a wireless attack tool that will automatically duplicate the identity of a trusted wireless network. The attack tool can perform this feat because wireless devices typically retain a profile history of wireless networks that they have successfully connected to. Each time the interface is turned back on, it will seek out these known networks and attempt to re-connect. The reconnect request includes the original SSID and base station MAC address. The Evil Twin attack tool captures these reconnect requests and replies with a spoofed identity of the known network.</p>
<h4>9. SQL Injection (3.5)</h4>
<p>SQL injection is a form of command injection attack that takes advantage of poor programming and Web backend architecture that allows the arbitrary execution of database query expressions or even command line code provided by the hacker. Generally, using input filtering and reducing access privileges can greatly reduce the threat this attack represents. Similar to SQL injection are LDAP injection and XML injection. Both are newly listed topics, but both are similar in overall concept. LDAP injection focuses on an LDAP-based directory service. XML injection focuses on any XML-based application, processing, or results rendering.</p>
<h4>10. MAC limiting and filtering (3.6)</h4>
<p>MAC limiting and filtering is an important defense on switches to protect against MAC flooding and ARP spoofing attacks. Basically, MAC limiting or MAC filtering allows a switch to detect the first source MAC address seen on each physical port, then locks that address as the only device identity it will recognize off of that specific port. MAC filtering is also found on wireless access points to potentially limit wireless connectivity to known physical devices.</p>
<h4>11. Black box, White box, Gray box (3.8)</h4>
<p>Black box, white box, and gray box are labels given to various forms of testing, including application testing and penetration testing. Black box implies that the testers have no knowledge of the internal structure or logic of the item/network/system being tested and must learn everything on their own. This is also known as a zero-knowledge test. A white box test is when everything is known about the test target. This is also known as a full knowledge test. A gray box test is when some information about the target is known. This is also called a partial knowledge test.</p>
<p>Next week we’ll finish with Domains 4.0–6.0.</p>
<p><strong>Related Courses</strong></p>
<p><a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=16261&amp;country=United+States">Security+ Prep Course (SYO-301)</a></p>
<p><a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=16259&amp;country=United+States">Security+ Certification Boot Camp (SYO-301)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/certification/new-topics-on-security-2011-sy0-301-from-domains-2-0-3-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing Cyberspace: Are You Ready?</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/securing-cyberspace-are-you-ready/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/securing-cyberspace-are-you-ready/#comments</comments>
		<pubDate>Wed, 21 Mar 2012 12:28:59 +0000</pubDate>
		<dc:creator>Guest Authors</dc:creator>
				<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Training Trends]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5490</guid>
		<description><![CDATA[Cyber threats are a serious economic and financial challenge facing the US today. Technology is rapidly changing and becoming more sophisticated, yet every day brings new reports of high-profile organizations suffering significant data breaches. These breaches result in access to and loss of vital information causing negative publicity, a lack of trust, a drop in consumer confidence, and lost market share.]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2012/01/securityCC000902.jpg"><img class="alignright size-full wp-image-5244" title="securityCC000902" src="http://globalknowledgeblog.com/wp-content/uploads/2012/01/securityCC000902.jpg" alt="" width="300" height="300" /></a>Cyber threats are a serious economic and financial challenge facing the US today. Technology is rapidly changing and becoming more sophisticated, yet every day brings new reports of high-profile organizations suffering significant data breaches. These breaches result in access to and loss of vital information causing negative publicity, a lack of trust, a drop in consumer confidence, and lost market share.</p>
<p>The bridge from technology to a secure cyberspace is a skilled and well-equipped cyber workforce. Educating and training your workforce to become cyber warriors means giving them the expertise they need to hunt for and continuously monitor networks for intrusions, think like cyber criminals, and reverse-engineer an attack. According to Jim Gosler, NSA Visiting Scientist and founding director of CIA’s Clandestine Information Technology Office, only about 1,000 security specialists in the United States have the specialized skills needed to operate effectively in cyberspace; however, the United States needs about 10,000 to 30,000 such individuals.</p>
<h4>Building Skills and Knowledge for a Secure Cyberspace</h4>
<p>The best investment you can make to protect your critical data and information systems is to build a skilled and knowledgeable cyber workforce. Having the right people with the right skills to tackle the ever-changing threat landscape is paramount. Keeping your workforce exceptionally skilled is crucial to safeguarding your information and information systems, and it requires continual training.</p>
<h4>A Flexible and Scalable Training Approach</h4>
<p>A good cybersecurity learning framework is a component-based, phased training system. It enables you to effectively identify, classify, and assess the needs of your organization and the competencies of your cyber workforce and develop a plan for skills building, maintenance, and evolution.</p>
<p><strong>Identify: </strong>Identify the roles, functions, and competencies your cyber workforce must possess to effectively carry out your organization’s mission of complete and ongoing protection, while ensuring the confidentiality, integrity, and availability of your critical data.</p>
<p><strong>Classify: </strong>Classify the associated roles, functions, and competencies based on level of responsibility or authority as it relates to information systems or the computing environment in which an individual operates. These position levels are also called bands.</p>
<p><strong>Assess: </strong>After identifying and classifying your cyber workforce, assess each member’s expertise. Doing so provides an organizational view of your workforce that helps you determine overarching gaps in education or knowledge and to identify potential areas of security risk within the organization based on the current workforce skills and job functions.</p>
<p><strong>Plan: </strong>Develop a training plan that begins by closing the gaps and evolves into a continuous training program in which your cyber workforce will follow learning tracks against specific competencies or roles.</p>
<p><strong>Train: </strong>With your plan in place, move on to the critical training phase: building and maintaining the knowledge and skills of your cyber workforce.</p>
<p><strong>Evolve: </strong>As job roles, technologies, and training requirements change, continuously evolve your training program to ensure a world-class security team into the future.</p>
<h4>How Mastering These Disciplines Will Help You Protect and Defend</h4>
<p>Whether you need general cyber security awareness, secure network design and implementation, continuous monitoring, network forensics and analysis, or smart and effective incident response training, you need to be prepared to battle the latest cyber threats and attacks.</p>
<p><strong>Asset Protection – What do you have?</strong></p>
<p>In order to protect your assets, you must first know where they are and understand how they are tracked and managed: How are they secured? Who has access to them? Are they tracked and managed? Do you have processes and procedures in place to respond and recover from a security breach quickly?</p>
<p><strong>Threat Management – What’s coming at you?</strong></p>
<p>Assess your vulnerabilities, threats, and risks. Work to mitigate this risk, and use auditing and analysis to confirm your efforts. Humans can be your weakest link. Ensure they have received adequate training to stay one step ahead of the attack.</p>
<p><strong>Access Control – Who gets in?</strong></p>
<p>Control who has access by locking down your systems, including hosts, networks, applications, and data flows.</p>
<p><strong>Incident Management – How do you handle failures?</strong></p>
<p>Perform continuous monitoring with event management tools and maximize your ability to provide an immediate response. Use strong policies that are well communicated for a consistent and uniform reaction.</p>
<p><strong>Configuration Management – How do you manage the lifecycle?</strong></p>
<p>Continuously managing changes to the IT landscape of your organization requires due diligence to ensure your systems are optimally organized and interconnected.</p>
<p><strong>Contingency Planning – How do you plan for failures?</strong></p>
<p>Ensure your organization has planned for continuity after an attack. Failures happen; how best do you respond?</p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/securing-cyberspace-are-you-ready/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

