Principles of Computer Security: CompTIA Security+ and Beyond
Second Edition

Wm. Arthur Conklin
Gregory White
Dwayne Williams
Roger Davis
Chuck Cothren

New York  Chicago  San Francisco  Lisbon  London  Madrid  Mexico City  Milan  New Delhi  San Juan  Seoul  Singapore  Sydney  Toronto

CONTENTS AT A GLANCE

Chapter 1   Introduction and Security Trends  1
Chapter 2   General Security Concepts  20
Chapter 3   Operational and Organizational Security  50
Chapter 4   The Role of People in Security  66
Chapter 5   Cryptography  82
Chapter 6   Public Key Infrastructure  114
Chapter 7   Standards and Protocols  152
Chapter 8   Physical Security  178
Chapter 9   Network Fundamentals  204
Chapter 10  Infrastructure Security  228
Chapter 11  Authentication and Remote Access  260
Chapter 12  Wireless Security  294
Chapter 13  Intrusion Detection Systems and Network Security  318
Chapter 14  Baselines  358
Chapter 15  Types of Attacks and Malicious Software  388
Chapter 16  E-Mail and Instant Messaging  420
Chapter 17  Web Components  444
Chapter 18  Secure Software Development  474
Chapter 19  Disaster Recovery, Business Continuity, and Organizational Policies  492
Chapter 20  Risk Management  524
Chapter 21  Change Management  544
Chapter 22  Privilege Management  560
Chapter 23  Computer Forensics  580
Chapter 24  Legal Issues and Ethics  596
Chapter 25  Privacy  618
Appendix A  Objectives Map: CompTIA Security+  640
Appendix B  About the CD  648
Glossary  650
Index  664

CONTENTS

Preface  xxi
Introduction  xxiii
CompTIA Authorized Quality Curriculum  xxvi
Instructor and Student Web Site  xxvii

Chapter 1  Introduction and Security Trends  1
  The Security Problem  1
  Security Incidents  1
  Threats to Security  7
  Security Trends  10
  Avenues of Attack  11
  The Steps in an Attack  12
  Minimizing Possible Avenues of Attack  13
  Types of Attacks  14
  Chapter 1 Review  15

Chapter 2  General Security Concepts  20
  Basic Security Terminology  21
  Security Basics  21
  Access Control  31
  Authentication  31
  Authentication and Access Control Policies  32
  Social Engineering  33
  Security Policies  34
  Change Management Policy  35
  Classification of Information  36
  Acceptable Use Policy  36
  Due Care and Due Diligence  38
  Due Process  38
  Need to Know  39
  Disposal and Destruction Policy  39
  Service Level Agreements  40
  Human Resources Policies  40
  Security Models  42
  Confidentiality Models  42
  Integrity Models  43
  Chapter 2 Review  46

Chapter 3  Operational and Organizational Security  50
  Security Operations in Your Organization  51
  Policies, Procedures, Standards, and Guidelines  51
  The Security Perimeter  52
  Physical Security  53
  Access Controls  54
  Physical Barriers  56
  Environmental Issues  56
  Fire Suppression  57
  Wireless  58
  Electromagnetic Eavesdropping  59
  Location  60
  Chapter 3 Review  62

Chapter 4  The Role of People in Security  66
  People: A Security Problem  67
  Social Engineering  67
  Poor Security Practices  71
  People as a Security Tool  76
  Security Awareness  76
  Individual User Responsibilities  77
  Chapter 4 Review  78

Chapter 5  Cryptography  82
  Algorithms  84
  Hashing Functions  87
  SHA  88
  Message Digest  90
  Hashing Summary  91
  Symmetric Encryption  91
  DES  92
  3DES  93
  AES  94
  CAST  95
  RC  95
  Blowfish  97
  IDEA  97
  Symmetric Encryption Summary  97
  Asymmetric Encryption  98
  RSA  98
  Diffie-Hellman  99
  ElGamal  100
  ECC  100
  Asymmetric Encryption Summary  101
  Steganography  101
  Cryptography Algorithm Use  103
  Confidentiality  104
  Integrity  104
  Nonrepudiation  104
  Authentication  105
  Key Escrow  105
  Digital Signatures  106
  Digital Rights Management  107
  Cryptographic Applications  108
  Chapter 5 Review  110

Chapter 6  Public Key Infrastructure  114
  The Basics of Public Key Infrastructures  115
  Certificate Authorities  117
  Registration Authorities  118
  Local Registration Authorities  120
  Certificate Repositories  120
  Trust and Certificate Verification  121
  Digital Certificates  124
  Certificate Attributes  125
  Certificate Extensions  126
  Certificate Lifecycles  127
  Centralized and Decentralized Infrastructures  132
  Hardware Storage Devices  133
  Private Key Protection  134
  Key Recovery  135
  Key Escrow  136
  Public Certificate Authorities  137
  In-House Certificate Authorities  138
  Choosing Between a Public CA and an In-House CA  138
  Outsourced Certificate Authorities  139
  Tying Different PKIs Together  140
  Trust Models  140
  Certificate-Based Threats  145
  Chapter 6 Review  147

Chapter 7  Standards and Protocols  152
  PKIX and PKCS  154
  PKIX Standards  155
  PKCS  156
  Why You Need to Know the PKIX and PKCS Standards  158
  X.509  160
  SSL/TLS  161
  ISAKMP  162
  CMP  163
  XKMS  164
  S/MIME  166
  IETF S/MIME History  166
  IETF S/MIME v3 Specifications  167
  PGP  168
  How PGP Works  168
  HTTPS  169
  IPsec  170
  CEP  170
  FIPS  170
  Common Criteria for Information Technology Security (Common Criteria or CC)  171
  WTLS  171
  PPTP  172
  WEP  172
  WEP Security Issues  172
  ISO/IEC 27002 (Formerly ISO 17799)  173
  Chapter 7 Review  174

Chapter 8  Physical Security  178
  The Security Problem  179
  Physical Security Safeguards  183
  Walls and Guards  183
  Policies and Procedures  184
  Access Controls and Monitoring  188
  Environmental Controls  191
  Fire Suppression  191
  Authentication  195
  Chapter 8 Review  200

Chapter 9  Network Fundamentals  204
  Network Architectures  205
  Network Topology  206
  Network Protocols  207
  Packets  209
  TCP vs. UDP  210
  ICMP  211
  Packet Delivery  213
  Local Packet Delivery  213
  Remote Packet Delivery  214
  IP Addresses and Subnetting  215
  Network Address Translation  217
  Security Zones  218
  VLANs  222
  Tunneling  223
  Chapter 9 Review  224

Chapter 10  Infrastructure Security  228
  Devices  229
  Workstations  229
  Servers  231
  Virtualization  232
  Network Interface Cards  232
  Hubs  233
  Bridges  233
  Switches  234
  Routers  235
  Firewalls  236
  Wireless  238
  Modems  239
  Telecom/PBX  240
  VPN  241
  Intrusion Detection Systems  241
  Network Access Control  242
  Network Monitoring/Diagnostic  242
  Mobile Devices  244
  Device Security, Common Concerns  244
  Media  245
  Coaxial Cable  245
  UTP/STP  245
  Fiber  247
  Unguided Media  248
  Security Concerns for Transmission Media  249
  Physical Security Concerns  249
  Removable Media  250
  Magnetic Media  251
  Optical Media  253
  Electronic Media  254
  Network Attached Storage  255
  Chapter 10 Review  256

Chapter 11  Authentication and Remote Access  260
  The Remote Access Process  261
  Identification  262
  Authentication  262
  Authorization  267
  Access Control  268
  IEEE 802.1X  270
  Wireless Protocols  271
  RADIUS  271
  RADIUS Authentication  272
  RADIUS Authorization  273
  RADIUS Accounting  273
  Diameter  274
  TACACS+  274
  TACACS+ Authentication  275
  TACACS+ Authorization  276
  TACACS+ Accounting  276
  Authentication Protocols  277
  L2TP and PPTP  277
  PPP  277
  PPTP  278
  EAP  279
  CHAP  279
  NTLM  280
  PAP  280
  L2TP  280
  Telnet  281
  SSH  281
  VPNs  283
  IPsec  284
  Security Associations  284
  IPsec Configurations  285
  IPsec Security  286
  Vulnerabilities of Remote Access Methods  288
  Connection Summary  289
  Chapter 11 Review  290

Chapter 12  Wireless Security  294
  Introduction to Wireless Networking  295
  Mobile Phones  296
  WAP  298
  3G Mobile Networks  300
  Bluetooth  300
  802.11  302
  802.11: Individual Standards  304
  Attacking 802.11  306
  New Security Protocols  310
  Implementing 802.1X  311
  Chapter 12 Review  314

Chapter 13  Intrusion Detection Systems and Network Security  318
  History of Intrusion Detection Systems  319
  IDS Overview  320
  Network-Based IDSs  322
  Advantages of a NIDS  326
  Disadvantages of a NIDS  326
  Active vs. Passive NIDSs  326
  Signatures  327
  False Positives and False Negatives  328
  IDS Models  329
  Firewalls  329
  How Do Firewalls Work?  331
  Intrusion Prevention Systems  333
  Proxy Servers  334
  Internet Content Filters  336
  Protocol Analyzers  336
  Honeypots and Honeynets  338
  Host-Based IDSs  340
  Advantages of HIDSs  343
  Disadvantages of HIDSs  344
  Active vs. Passive HIDSs  345
  Resurgence and Advancement of HIDSs  345
  PC-Based Malware Protection  346
  Antivirus Products  346
  Personal Software Firewalls  349
  Pop-up Blockers  350
  Windows Defender  351
  Antispam  353
  Chapter 13 Review  354

Chapter 14  Baselines  358
  Overview of Baselines  359
  Password Selection  359
  Operating System and Network Hardening  360
  Operating System Hardening  360
  Hardening Microsoft Operating Systems  361
  Hardening UNIX- or Linux-Based Operating Systems  364
  Updates (a.k.a. Hotfixes, Service Packs, and Patches)  373
  Network Hardening  375
  Software Updates  376
  Device Configuration  376
  Application Hardening  377
  Application Patches  377
  Patch Management  378
  Group Policies  380
  Security Templates  382
  Chapter 14 Review  384

Chapter 15  Types of Attacks and Malicious Software  388
  Avenues of Attack  389
  The Steps in an Attack  389
  Minimizing Possible Avenues of Attack  391
  Attacking Computer Systems and Networks  392
  Denial-of-Service Attacks  392
  Backdoors and Trapdoors  395
  Null Sessions  395
  Sniffing  396
  Spoofing  397
  Man-in-the-Middle Attacks  400
  Replay Attacks  400
  TCP/IP Hijacking  401
  Drive-by Download Attacks  401
  Phishing and Pharming Attacks  401
  Attacks on Encryption  402
  Address System Attacks  403
  Password Guessing  404
  Software Exploitation  405
  Malicious Code  406
  Malware Defenses  412
  War-Dialing and War-Driving  413
  Social Engineering  414
  Auditing  414
  Chapter 15 Review  416

Chapter 16  E-Mail and Instant Messaging  420
  Security of E-Mail  421
  Malicious Code  423
  Hoax E-Mails  427
  Unsolicited Commercial E-Mail (Spam)  428
  Mail Encryption  431
  S/MIME  432
  PGP  433
  Instant Messaging  435
  Chapter 16 Review  440

Chapter 17  Web Components  444
  Current Web Components and Concerns  445
  Web Protocols  445
  Encryption (SSL and TLS)  446
  The Web (HTTP and HTTPS)  452
  Directory Services (DAP and LDAP)  453
  File Transfer (FTP and SFTP)  454
  Vulnerabilities  455
  Code-Based Vulnerabilities  455
  Buffer Overflows  456
  Java and JavaScript  457
  ActiveX  459
  Securing the Browser  460
  CGI  461
  Server-Side Scripts  461
  Cookies  462
  Signed Applets  464
  Browser Plug-ins  465
  Application-Based Weaknesses  467
  Open Vulnerability and Assessment Language (OVAL)  468
  Web 2.0 and Security  468
  Chapter 17 Review  470

Chapter 18  Secure Software Development  474
  The Software Engineering Process  475
  Process Models  475
  Secure Development Lifecycle  476
  Threat Modeling Steps  478
  Chapter 18 Review  488

Chapter 19  Disaster Recovery, Business Continuity, and Organizational Policies  492
  Disaster Recovery  493
  Disaster Recovery Plans/Process  493
  Backups  495
  Utilities  502
  Secure Recovery  502
  Cloud Computing  503
  High Availability and Fault Tolerance  503
  Computer Incident Response Teams  505
  Test, Exercise, and Rehearse  505
  Policies and Procedures  506
  Security Policies  507
  Privacy  513
  Service Level Agreements  513
  Human Resources Policies  513
  Code of Ethics  515
  Incident Response Policies and Procedures  516
  Chapter 19 Review  520

Chapter 20  Risk Management  524
  An Overview of Risk Management  525
  Example of Risk Management at the International Banking Level  525
  Risk Management Vocabulary  526
  What Is Risk Management?  527
  Business Risks  528
  Examples of Business Risks  528
  Examples of Technology Risks  529
  Risk Management Models  529
  General Risk Management Model  529
  Software Engineering Institute Model  532
  Model Application  533
  Qualitatively Assessing Risk  533
  Quantitatively Assessing Risk  535
  Adding Objectivity to a Qualitative Assessment  535
  A Common Objective Approach  536
  Qualitative vs. Quantitative Risk Assessment  537
  Tools  538
  Chapter 20 Review  539

Chapter 21  Change Management  544
  Why Change Management?  545
  The Key Concept: Separation of Duties  547
  Elements of Change Management  548
  Implementing Change Management  550
  The Purpose of a Change Control Board  551
  Code Integrity  553
  The Capability Maturity Model Integration  553
  Chapter 21 Review  555

Chapter 22  Privilege Management  560
  User, Group, and Role Management  561
  User  561
  Group  563
  Role  564
  Password Policies  564
  Domain Password Policy  565
  Single Sign-On  567
  Time of Day Restrictions  568
  Tokens  568
  Account and Password Expiration  569
  Security Controls and Permissions  570
  Access Control Lists  571
  Handling Access Control (MAC, DAC, and RBAC)  573
  Mandatory Access Control (MAC)  573
  Discretionary Access Control (DAC)  574
  Role-Based Access Control (RBAC)  575
  Rule-Based Access Control (RBAC)  575
  Chapter 22 Review  576

Chapter 23  Computer Forensics  580
  Evidence  582
  Standards for Evidence  582
  Types of Evidence  582
  Three Rules Regarding Evidence  583
  Collecting Evidence  583
  Acquiring Evidence  583
  Identifying Evidence  585
  Protecting Evidence  585
  Transporting Evidence  586
  Storing Evidence  586
  Conducting the Investigation  586
  Chain of Custody  587
  Free Space vs. Slack Space  588
  Free Space  588
  Slack Space  588
  Message Digest and Hash  588
  Analysis  589
  Chapter 23 Review  591

Chapter 24  Legal Issues and Ethics  596
  Cybercrime  597
  Common Internet Crime Schemes  599
  Sources of Laws  600
  Computer Trespass  600
  Significant U.S. Laws  601
  Payment Card Industry Data Security Standard (PCI DSS)  604
  Import/Export Encryption Restrictions  605
  Non-U.S. Laws  607
  Digital Signature Laws  607
  Digital Rights Management  609
  Ethics  611
  SANS Institute IT Code of Ethics  612
  Chapter 24 Review  614
  Essay Quiz  617

Chapter 25  Privacy  618
  Personally Identifiable Information (PII)  619
  Sensitive PII  620
  Notice, Choice, and Consent  620
  U.S. Privacy Laws  620
  Privacy Act of 1974  621
  Freedom of Information Act (FOIA)  621
  Family Education Records and Privacy Act (FERPA)  622
  U.S. Computer Fraud and Abuse Act (CFAA)  622
  U.S. Children's Online Privacy Protection Act (COPPA)  623
  Video Privacy Protection Act (VPPA)  623
  Health Insurance Portability & Accountability Act (HIPAA)  624
  Gramm-Leach-Bliley Act (GLBA)  625
  California Senate Bill 1386 (SB 1386)  625
  U.S. Banking Rules and Regulations  625
  Payment Card Industry Data Security Standard (PCI DSS)  626
  Fair Credit Reporting Act (FCRA)  627
  Fair and Accurate Credit Transactions Act (FACTA)  627
  Non-Federal Privacy Concerns in the United States  628
  International Privacy Laws  629
  OECD Fair Information Practices  629
  European Laws  629
  Canadian Laws  631
  Asian Laws  631
  Privacy-Enhancing Technologies  632
  Privacy Policies  632
  Privacy Impact Assessment  633
  Web Privacy Issues  634
  Platform for Privacy Preferences Project (P3P)  634
  Chapter 25 Review  636

Appendix A  Objectives Map: CompTIA Security+  640

Appendix B  About the CD  648
  System Requirements  648
  LearnKey Online Training  648
  Installing and Running MasterExam  648
  MasterExam  648
  Electronic Book  649
  Help  649
  Removing Installation(s)  649
  Technical Support  649
  LearnKey Technical Support  649

Glossary  650

Index  664