Index

3-leg perimeter DMZ, 124

configuring, 165

3DES (triple DES), 357

10 tape rotation backup method, 419

A

AAA (authentication, authorization, accounting), 5–6

acceptable use policies, 449

access control

authentication. See authentication

best practices, 254–256

physical security, 215

biometric readers, 217–218

building security, 215

door access systems, 216–217

server room security, 215

policies, 264–267

UAC (User Account Control), 267–268

usernames/passwords, 261–264

users, groups, permissions, 256–261

access control lists (ACLs), 166, 258

for router security, 121

access control models, 250

DAC (discretionary access control), 250–252

MAC (mandatory access control), 252

RBAC (role-based access control), 253

Account lockout threshold, 266

accounting, 5

accounts

default accounts, 186–187

guest accounts, 187

restrictions, configuring, 270–272

user accounts

expiration, 256

time-of-day restrictions, 258

ACK, 318

ACLs (access control lists), 166, 258

for router security, 121

Active Directory Users and Computers (ADUC), 256

active fingerprinting, 288

active interception, 21

active security analysis, 288

ActiveX controls in Internet Explorer, 99

ad filtering, 37

add-ons

in Firefox, 103

in Internet Explorer, 99

addresses

IP addresses

public versus private, 121–122

subnetting, 126–127

network socket addresses, 134

administration interface for wireless access points, 195

administrative shares, 329

Administrator accounts, passwords for, 264

ADUC (Active Directory Users and Computers), 256

Advanced Encryption Standard (AES), 357–358

adware, 18

AES (Advanced Encryption Standard), 357–358

AH (authentication header), 388

air-conditioning systems, 439–440

ALE (annualized loss expectancy), 286

alerts, 318

ALG (application-level gateway), 164

algorithms

asymmetric key algorithms, 354

Diffie-Hellman key exchange, 360

ECC, 360–361

RSA, 359–360

defined, 352

hashes

LANMAN hash, 365–367

MD5, 364

NTLM 2 hash, 367

NTLM hash, 367

SHA, 364–365

one-time pads, 361

PGP, 362

public key cryptography, 354–355

symmetric key algorithms, 353–354, 359

AES, 357–358

DES and 3DES, 357

RC, 358–359

annualized loss expectancy (ALE), 286

annualized rate of occurrence (ARO), 286

anomaly-based monitoring, 315

anonymous access control, 254

anti-malware software, 6

antispyware software, 27–29

antivirus (AV) software, 23, 26–27

Application logs, 325

application security, 103–107. See also browser security

with group policies, 110–111

application-level gateway (ALG), 164

applications, removing, 58–62

archival methods, 420

armored viruses, 17

ARO (annualized rate of occurrence), 286

ARP poisoning, 144

ArpON, 144

assessing risk. See risk assessments

assessments. See audits

asymmetric key algorithms, 354

Diffie-Hellman key exchange, 360

ECC, 360–361

RSA, 359–360

attacks. See also vulnerabilities

ARP poisoning, 144

brute force attacks, 300

cryptanalysis attacks, 300

DDoS (Distributed Denial of Service), 140

dictionary attacks, 300

DNS poisoning, 143–144

DoS (Denial of Service), 137–140

network attacks, 145–148, 189

null sessions, 143

replay attacks, 142–143

session hijacking, 141–142

spoofing, 140–141

TCP reset attacks, 137

TCP/IP hijacking, 141

audit trails, 325

audits, 322

of files, 322–324, 335–337

log files for, 324–327

maintenance of, 327–328

in patch management, 69

steps in, 322

on system security settings, 328–331

authentication, 5–6, 213

localized technologies, 220

IEEE 802.1X standard, 221–224

Kerberos, 225–226

LDAP, 224

Terminal Services, 226

methods of, 214

models for, 219–220

remote technologies, 226

RADIUS versus TACACS, 230–232

RAS, 227–228

VPNs, 228–230

usernames/passwords, 261–264

authentication header (AH), 388

authentication servers (802.1X connections), 222

authenticators (802.1X connections), 222

authorization, 5, 213

automated monitoring, 314

AV (antivirus) software, 23, 26–27

availability, 5

B

Back Orifice, 17

back-to-back perimeter DMZ, 124

backdoors, 21, 106, 188

backup generators, 408–410

backup plans in disaster recovery, 416–420

backup sites, 416

backups of log files, 328. See also data backups

baiting, 444

Barracuda Networks Spam Firewall, 30

baselining, 71, 316–318

battery-inverter generators, 409

behavior-based monitoring, 315

Bell-La Padula access control, 252

best practices in access control, 254–256

Biba Integrity Model, 252

biometric readers, 217–218

BIOS, securing, 38–39, 44, 46

birthday attacks, 365

BitLocker, 40–41

black book analogy (cryptography), 350–352

black hats, 8

blacklists, 31

blackouts, 406

blind hijacking, 142

block ciphers, 354

blue hats, 8

Bluejacking, 42, 200

Bluesnarfing, 42, 200

Bluetooth vulnerabilities, 42, 199–200

boot sector viruses, 17, 27

botnets, 23, 140

bots, 18

Bro, 170

broadcast storms, 318

broadcasting, 118

brownouts, 406

browser security, 90–91

Firefox, 100–103

Internet Explorer, 96–100, 109–110

proxy servers and content filters, 94–95

security policies, implementing, 91–92

user education, 93–94

brute force attacks, 300

buffer overflows, 107

building loss (disaster recovery), 421

building security, 215

bulletin boards, policies for, 267

butt sets, 194

C

CA (certificate authorities), 381–384

cabling

STP (shielded twisted-pair) cables, 440

vulnerabilities, 189–195

crosstalk, 191–192

data emanation, 192

interference, 190–191

tapping into data, 192–195

caching proxy servers, 168

Cain & Abel password recovery tool, 299

CAM (Content Addressable Memory) table, 119

CAPTCHA, 267

carbon dioxide (CO2) extinguishers, 437

cardkey access systems, 216

castle analogy (network security), 161

CCI (co-channel interference), 191

cell phones, securing, 41–42

certificate authorities (CA), 381–384

certificate revocation list (CRL), 382–383

certificates, 355, 380–381

dual-sided certificates, 384

revoking, 383

single-sided certificates, 384

validation, 381

chain of custody, 456

challenge-handshake authentication protocol (CHAP), 227

change management policies, 449–450

CHAP (challenge-handshake authentication protocol), 227

cheat sheet for exam preparation, 472

Check Point Security Appliances, 172

checklist for exam preparation, 469–471

chromatic dispersion, 195

CIA triad, 4–5

cipher locks, 216

ciphers, defined, 352. See also algorithms

circuit-level gateway, 164

Clark-Wilson access control, 252

classification of data, policies concerning, 447–448

clean agent fire extinguishers, 437–438

clear-text passwords, 321

clearing data, 454

closing

pop-up windows, 94

ports, 136

clusters, 415

co-channel interference (CCI), 191

CO2 (carbon dioxide) extinguishers, 437

coaxial cables, 190

vampire taps on, 193

cold sites, 416

collisions in hashes, 364–365

combustible metal fires, extinguishing, 437

computer disposal policies, 452–454

computer forensics, 455

computer security audits. See audits

computer telephony integration (CTI), 129

confidence tricks, 443

confidentiality, 5

configuration baselines, 69–71

configuring

BIOS, 39

inbound filters, 176

L2TP-based VPNs with Windows Server 2003, 390–394

log files, 327

NAT firewalls, 175

password policies, 270–272

proxy server connections in Firefox, 102

RADIUS servers, 236–238

RAID, 425–426

security zones (Internet Explorer), 96

user and group permissions, 272

VPNs, 235–236

containment (incident response), 455

Content Addressable Memory table, 119

content filtering, 37, 169

browser security, 94–95

router security, 121

contracts with vendors, 452

converting NTFS to FAT32, 72

cookies

in Firefox, 101

in Internet Explorer, 97–98

stealing, 141

copying files/folders, permissions for, 260–261

cracking passwords, 304–305

CRL (certificate revocation list), 382–383

cross-site scripting (XSS), 98, 142

crosstalk, 191–192

cryptanalysis attacks, 300

cryptographic hash functions, 364–365

cryptography, 350–353. See also encryption

asymmetric key algorithms, 354

Diffie-Hellman key exchange, 360

ECC, 360–361

RSA, 359–360

black book analogy, 350–352

defined, 352

key management, 355

public key cryptography, 354–355

steganography, 356

symmetric key algorithms, 353–354, 359

AES, 357–358

DES and 3DES, 357

RC, 358–359

terminology, 352–353

CTI (computer telephony integration), 129

Ctrl+Alt+Del logon, 264

D

DAC (discretionary access control), 250–252

data, separating OS from, 25

data backups, 7, 73, 424–425

in disaster recovery, 416–420

data classification policies, 447–448

data emanation, 192

Data Encryption Standard (DES), 357

data failure, avoiding with RAID, 410–413

data removal, 7, 453–454

data security. See security

data sensitivity policies, 447–448

data validation, 107

DDoS (distributed denial of service) attacks, 23, 140

decryption, 351

default accounts, 186–187

default browser, setting, 100

Default Domain Policy, 265

defragmenting hard drives, 73

delivery methods for malware, 20–23

active interception, 21

backdoors, 21

botnets, 23

logic bombs, 22

privilege escalation, 21

removable media, 21

software, 21

zombies, 23

Demilitarized Zone (DMZ), 124

Denial of Service (DoS) attacks, 137–140

DES (Data Encryption Standard), 357

designing networks. See network design

destruction of computer equipment, 454

dial-up connections, RAS, 227–228

dictionary attacks, 300

differential backups, 417

Diffie-Hellman encryption, 355, 360

digital forensics, 455

Digital Signature Algorithm (DSA), 361

digital signatures, 355

Directory Service log, 326

dirty power, 407

disabling

file sharing, 72

Guest accounts, 264

LANMAN hash, 365, 369

services

in Linux, 61

in Mac OS X, 61

Telnet, 60

disaster recovery. See also environmental controls; redundancy planning

data backup, 416–420

incident response procedures, 454–457

planning, 420–422

types of disasters, 420–422

disaster-tolerant disk systems, 413

discretionary access control (DAC), 250–252

disposal of equipment, policies concerning, 452–454

distributed denial of service (DDoS) attacks, 23, 140

diversion theft, 441

DMZ (Demilitarized Zone), 124

DNS poisoning, 143–144

DNS Server log, 326

documentation

in incident response, 455

of network, 200, 292–295

domain name kiting, 144

door access systems, 216–217

DoS (Denial of Service) attacks, 137–140

double tagging, 129

Dragon IPS, 172

drills, fire, 439

drive lock technology, 38

dry pipe systems, 438

DSA (Digital Signature Algorithm), 361

dual-sided certificates, 384

due care, 450

due diligence, 450

due process, 450

dumpster diving, 443

E

e-mail addresses, removing from websites, 30

EAP (Extensible Authentication Protocol), 221–224

EAP-FAST authentication, 223

EAP-MD5 authentication, 223

EAP-TLS (Transport Layer Security) authentication, 223

EAP-TTLS (Tunneled Transport Layer Security) authentication, 223

Easter eggs, 22

eavesdropping, 192, 443

ECC (elliptic curve cryptography), 360–361

electrical fires, extinguishing, 436

electromagnetic interference (EMI), 190

shielding, 440–441

elite hackers, 8

elliptic curve cryptography (ECC), 360–361

email messages, S/MIME, 385–386

EMI (electromagnetic interference), 190

shielding, 440–441

employee security policies. See personnel security policies

emulators, 75

enabling

file auditing, 323

IEEE 802.1X standard, 234

MAC filtering, 177

packet filtering, 175

Encapsulating Security Payload (ESP), 388

encapsulation, 297

encryption, 7. See also cryptography; hashes

asymmetric key algorithms

Diffie-Hellman key exchange, 360

ECC, 360–361

RSA, 359–360

defined, 352

of log files, 328

one-time pads, 361

PGP, 362

PKI (public key infrastructure), 380, 390

certificate authorities (CA), 381–384

certificates, 380–381

dual-sided certificates, 384

single-sided certificates, 384

web of trust, 384

security protocols

IPsec, 388

L2TP, 387–394

PPTP, 387

S/MIME, 385–386

SSH, 386–387

SSL/TLS, 386

symmetric key algorithms, 359

AES, 357–358

DES and 3DES, 357

RC, 358–359

website encryption notification, 94

whole disk encryption, 40–41, 73

on wireless access points, 196–197

Enterasys, 170

Enterasys Intrusion Prevention System, 172

environmental controls, 436

fire suppression, 436

fire extinguishers, 436–437

hazard protection systems, 438–439

sprinkler systems, 438

HVAC, 439–440

shielding, 440–441

equipment disposal policies, 452–454

eradication (incident response), 455

ESP (Encapsulating Security Payload), 388

Ethereal. See Wireshark

events, incidents versus, 454

evidence gathering (incident response), 455

evidence preservation (incident response), 456

Evil Maid Attack, 19

exam preparation

cheat sheet, 472

checklist, 469–471

Security+ certification requirements, 469

tips for, 472–475

Excel, securing, 106

exhaust systems, 439

expiration of user accounts, 256

Extensible Authentication Protocol (EAP), 221–224

external security testing, 290

extranets, securing, 124–125

F

fail-over redundancy, 405

failopen mode, 119

failover clusters, 415

failure of power supplies, 406

failure-resistant disk systems, 413

failure-tolerant disk systems, 413

false negatives, 35, 172, 220

false positives, 35, 172, 220

far end crosstalk (FEXT), 191

Faraday cages, 192, 440

FAT32, converting to NTFS, 72

FEXT (far end crosstalk), 191

fiber-optic cables, 190

splitting, 194

File Replication Service log, 326

file sharing, disabling, 72

file systems, hardening, 71–73

files

auditing, 322–324, 335–337

moving/copying, permissions for, 260–261

FileZilla, 135

filters

ad filtering, 37

in browser security, 94–95

content filtering, 37

fingerprinting, 288

fire class A extinguishers, 436

fire class B extinguishers, 436

fire class C extinguishers, 436

fire class D extinguishers, 437

fire class K extinguishers, 437

fire drills, 439

fire extinguishers, 436–437

fire suppression, 436

fire extinguishers, 436–437

hazard protection systems, 438–439

sprinkler systems, 438

Firefox

Internet Explorer versus, 90–91

securing, 100–103

fires (disaster recovery), 420

firewall logs, 326–327

firewalls, 25, 162–167

configuring inbound filters, 176

enabling MAC filtering, 177

NAT firewalls, configuring, 175

personal firewalls, 33–34

for router security, 120

first responders, 455

flammable liquid/gas fires, extinguishing, 436

Flash scripts in Internet Explorer, 99

flashing the BIOS, 39

flood attacks, 137

floods (disaster recovery), 421

Fluke Networks, 298

folders, permissions for moving/copying, 260–261

fork bomb attacks, 139

Fraggle attacks, 138

FreeBSD, 252

FreeNAC, 126

FTP connections, ports and protocols for, 134

full backups, 417

G

gaseous fire suppression systems, 437–438

generators. See backup generators

Gnutella, 165

Gramm-Leach-Bliley Act, 447

grandfather-father-son backup rotation method, 419

gray hats, 8

grayware, 19

green hats, 8

group policies, 69–71

for application security, 110–111

groups

in access control, 256–261

permissions, configuring, 272

guessing passwords, 300

guest accounts, 187

disabling, 264

H

hackers, types of, 7–8

Halon extinguishers, 437

handheld devices, protocol analyzers, 298

handheld fire extinguishers, 436–437

hands-on labs

auditing files, 335–337

BIOS, securing, 44–46

configuring

inbound filters, 176

L2TP-based VPNs with Windows Server 2003, 390–394

NAT firewalls, 175

password policies and user account restrictions, 270–272

RADIUS servers, 236–238

RAID, 425–426

user and group permissions, 272

VPNs, 235–236

creating VMs (virtual machines) in Virtual PC 2007, 81–82

data backups, 424–425

disabling

applications with group policies, 110–111

LANMAN hash, 369

enabling

IEEE 802.1X, 234

MAC filtering, 177

packet filtering, 175

network mapping, 303–304

password cracking, 304–305

PKI (public key infrastructure), 390

protocol analyzers, 333–335

scanning

for malware, 44

ports, 150–151

securing

Internet Explorer, 109–110

wireless access points, 203–205

SSH connections, 394–395

updating service packs, 80–81

wardriving, 205

hard drives

hardening, 71–73

sanitizing, 453–454

hardening operating systems, 58, 73–74

file systems and hard drives, 71–73

with group policies, security templates, configuration baselines, 69–71

installing

service packs, 62–65

updates, patches, hotfixes, 65–69

removing applications and services, 58–62

hashes, 362–364

cryptographic hash functions, 364–365

password hash functions, 365–367

hazard protection systems, 438–439

Health Insurance Portability and Accountability Act (HIPAA), 447

hidden files/folders, 72

hidden shares, 329

hiding protected system files, 72

HIDS (host-based intrusion detection systems), 33–36

high-availability clusters, 415

HIPAA (Health Insurance Portability and Accountability Act), 447

hoaxes, 442–443

honeyfarms, 170

honeynets, 169–170

honeypots, 169–170

horizontal privilege escalation, 188

host-based intrusion detection systems (HIDS), 33–36

hosts file attacks, 144

hot sites, 416

hotfixes, installing, 65–69

HTTP connections, ports and protocols for, 135

HTTP proxy servers, 168

HTTPS (Hypertext Transfer Protocol Secure), 386

hubs, securing, 118–119

humidity controls, 439

HVAC shielding, 440

HVAC systems, 439–440

Hypertext Transfer Protocol Secure (HTTPS), 386

I

ICMP flood attacks, 137

identification (incident response), 213, 455

identity proofing, 214

IDS (intrusion detection systems), 33–36

NIDS (network intrusion detection system), 170–171

IE. See Internet Explorer

IEEE 802.1Q standard, 128

IEEE 802.1X standard, 126, 198, 221–224

enabling, 234

impact assessment, 285

impersonation, 441

implementing in patch management, 69

implicit deny, 136, 254

inbound filters, configuring, 176

inbound ports, 133

incident response procedures, 454–457

incremental backups, 417

inheritance of permissions, 260

initialization in 802.1X authentication, 222

initiation in 802.1X authentication, 222

input validation, 107

installing

service packs, 24, 62–65

updates, patches, hotfixes, 24, 65–69

instant messaging programs, 58

integrity, 5

interconnections in network design, 123

DMZ (Demilitarized Zone), 124

Internet, 123

intranets/extranets, 124–125

LANs versus WANs, 123

interference, 190–191

shielding, 440–441

Internet

content filtering, 169

in network security, 123

Internet Explorer

Firefox versus, 90–91

securing, 96–100, 109–110

security policies, implementing, 91–92

security settings, 27

Internet Optimizer, 19

Internet Protocol Security (IPsec), 388

intranets, securing, 124–125

intrusion detection systems (IDS), 33–36

NIDS (network intrusion detection system), 170–171

intrusion prevention systems (IPS), 36

NIPS (network intrusion prevention system), 171–172

NIDS versus, 173

for router security, 121

investigation (incident response), 455

IP address spoofing, 141

IP addresses

public versus private, 121–122

subnetting, 126–127

IP masquerading, 121

IP proxy servers, 167

ipfirewall, 33

IPS (intrusion prevention systems), 36

NIPS (network intrusion prevention system), 171–172

NIDS versus, 173

for router security, 121

IPsec (Internet Protocol Security), 388

Ironkey, 40

ISO/IEC 27002 2005 standard, 447, 456

ISP (Internet service providers), redundancy planning, 414

IT security audits. See audits

J

job rotation, 256, 450

K

Kerberos, 225–226, 353

key algorithms. See algorithms

key escrow, 383

key management, 355

keys, defined, 352–353

kitchen fires, extinguishing, 437

L

L2TP (Layer 2 Tunneling Protocol), 229, 387–388

configuring VPN with Windows Server 2003, 390–394

label-based access control, 252

LAN Surveyor, 292

LANMAN hash, 365–367

disabling, 369

LANs (local area networks), WANs (wide area networks) versus, 123

lattice-based access control, 252

Layer 2 Tunneling Protocol (L2TP), 229, 387–388

configuring VPN with Windows Server 2003, 390–394

LDAP (Lightweight Directory Access Protocol), 224

LEAP (Lightweight EAP), 223

least privilege, 254, 260

legislative policies. See policies

Lightweight Directory Access Protocol (LDAP), 224

Lightweight EAP (LEAP), 223

line conditioners, 407

Linux, disabling services in, 61

load-balancing clusters, 415

local area networks (LANs), wide area networks (WANs) versus, 123

localized authentication technologies, 220

IEEE 802.1X standard, 221–224

Kerberos, 225–226

LDAP, 224

Terminal Services, 226

locking computers, 266

logic bombs, 22

logon process, locking computers, 266

logs

for audits, 324–327

maintenance of, 327–328

firewall logs, 165

security logs in file auditing, 323–324

long-term power loss (disaster recovery), 421

Love Bug virus, 16

M

MAC (mandatory access control), 252

MAC filtering, 167

enabling, 177

MAC flooding, 119

Mac OS X, disabling services in, 61

macro viruses, 17

maintenance release, 68

malicious attacks (disaster recovery), 421

malware, 6, 16, 20

delivery methods for, 20–23

active interception, 21

backdoors, 21

botnets, 23

logic bombs, 22

privilege escalation, 21

removable media, 21

software, 21

zombies, 23

preventing and troubleshooting, 23, 32

rootkits, 29–30

spam, 30–31

spyware, 27–29

viruses, 23–27

worms and Trojan horses, 27

rootkits, 19

scanning for, 44

spam, 19

spyware, 18

Trojan horses, 17

viruses, 16–17

worms, 17

man-in-the-middle attacks, 140–142

mandatory access control (MAC), 252

mandatory vacation policies, 450

mantraps, 217

manual monitoring, 314

many-to-one mapping, 382

mapping the network, 292–295, 303–304

McAfee IntruShield, 172

MD5 (Message-Digest algorithm 5), 364

message authentication code, 354

message digests, 363

Message-Digest algorithm 5 (MD5), 364

metal fires, extinguishing, 437

Microsoft Update, 67

Microsoft Virtual PC, 76–77

Microsoft Virtual Server, 78

Microsoft Windows XP Mode, 78

mining log files, 327

MITM attacks. See man-in-the-middle attacks

modems, securing, 130

monitoring

incident response, 455

in intrusion detection systems (IDS), 35

methodologies, 314

anomaly-based monitoring, 315

behavior-based monitoring, 315

signature-based monitoring, 314

tools

performance baselining, 316–318

protocol analyzers, 318–321

moving files/folders, permissions for, 260–261

MS-CHAP, 227

multifactor authentication, 219

multihomed connections, 167

multipartite viruses, 17

mutual authentication, 225–226

N

NAC (Network Access Control), 125–126

NAS (network attached storage), securing, 40

NAT (network address translation), 121–122

NAT filtering, 164

NAT firewalls, configuring, 175

near end crosstalk (NEXT), 191

negotiation in 802.1X authentication, 223

Nessus, 295

NetBus, 17

netmon. See Network Monitor

netstat command, 297

Network Access Control (NAC), 125–126

network address translation (NAT), 121–122

network attached storage (NAS), securing, 40

network connections, redundancy planning, 413–415

network design, 118

interconnections, 123

DMZ (Demilitarized Zone), 124

Internet, 123

intranets/extranets, 124–125

LANs versus WANs, 123

NAC (Network Access Control), 125–126

NAT (network address translation), 121–122

network devices, 118

hubs, 118–119

routers, 120–121

switches, 119–120

subnetting, 126–127

telephony devices, 129–131

modems, 130

PBX equipment, 130

VoIP, 131

VLAN (virtual local area network), 128–129

network devices, 118

hubs, 118–119

routers, 120–121

switches, 119–120

vulnerabilities, 186–189

backdoors, 188

default accounts, 186–187

network attacks, 189

privilege escalation, 188

weak passwords, 187

network intrusion detection system (NIDS), 35, 170–171

network intrusion prevention system (NIPS), 171–172

NIDS versus, 173

Network Magic, 292

network management system (NMS), 321

network mapping, 292–295, 303–304

network masquerading, 121

Network Monitor, 320–321

network monitoring methodologies, 314

anomaly-based monitoring, 315

behavior-based monitoring, 315

signature-based monitoring, 314

network monitoring tools

performance baselining, 316–318

protocol analyzers, 318

Network Monitor, 320–321

SNMP, 321

Wireshark, 319–320

network perimeter, 161

network security

ARP poisoning, 144

attacks, list of, 145–148

castle analogy, 161

DDoS (Distributed Denial of Service) attacks, 140

DNS poisoning, 143–144

DoS (Denial of Service) attacks, 137–140

firewalls, 162–167

honeypots and honeynets, 169–170

network design. See network design

network documentation, 200

NIDS (network intrusion detection system), 35, 170–171

NIPS (network intrusion prevention system), 171–172

NIDS versus, 173

null sessions, 143

ports and protocols, 131–136

protocol analyzers, 173

proxy servers, 167–169

replay attacks, 142–143

session hijacking, 141–142

spoofing attacks, 140–141

wired networks, 186

cable vulnerabilities, 189–195

device vulnerabilities, 186–189

wireless access points, securing, 203–205

wireless networks, 195

Bluetooth vulnerabilities, 199–200

wireless access point vulnerabilities, 195–199

wireless transmission vulnerabilities, 199

network sniffers. See protocol analyzers

network socket addresses, 134

network-based firewalls. See firewalls

NEXT (near end crosstalk), 191

NIDS (network intrusion detection system), 35, 170–171

Nimda worm, 17

NIPS (network intrusion prevention system), 171–172

NIDS versus, 173

NIST penetration testing, 290

Nmap, 136, 163, 295

NMS (network management system), 321

nonce, 142

nonpromiscuous mode, 318

nonrepudiation, 6, 323

NoScript, 103

NTFS

converting FAT32 to, 72

permissions, 259

NTLM 2 hash, 367

NTLM hash, 367

null sessions, 143

O

one-time pads, 361

one-to-one mapping, 121, 382

one-way functions, 363

open mail relays, 30

open ports on twisted-pair cables, 194

Open Source Security Testing Methodology Manual (OSSTMM), 290

Open Vulnerability and Assessment Language (OVAL), 290

operating systems

hardening, 58, 73–74

file systems and hard drives, 71–73

with group policies, security templates, configuration baselines, 69–71

installing service packs, 62–65

installing updates, patches, hotfixes, 65–69

removing applications and services, 58–62

separating from data, 25

optical splitters, 194

The Orange Book, 250

organizational policies. See policies

OS. See operating systems

OSI Model, 120

Osiris, 36

OSSTMM (Open Source Security Testing Methodology Manual), 290

outbound ports, 133

Outlook, securing, 106

OVAL (Open Vulnerability and Assessment Language), 290

P

packet filtering, 164

enabling, 175

packet sniffers. See protocol analyzers

PacketFence, 126

padding schemes in RSA encryption, 360

PAP, 227

passive fingerprinting, 288

passive security analysis, 288

password analysis, 298–301, 304–305

password crackers, 299

password hash functions, 365–367

passwords

in access control, 261–264

BIOS passwords, 38

clear-text passwords, 321

frequency of changes, 263

guessing, 300

policies for, 264–266

configuring, 270–272

storing in web browsers, 102

strong passwords, 262–263

weak versus strong passwords, 187

PAT (port address translation), 121

patch management, 68–69

patch version, 68

patches, installing, 24, 65–69

PBX (private branch exchange) equipment, securing, 130

PDAs, securing, 41–42

PDoS (permanent DoS) attacks, 139

PEAP (protected extensible authentication protocol) authentication, 223

penetration testing, 290

performance baselining, 316–318

Performance Monitor, 316–317

permanent DoS (PDoS) attacks, 139

permanently installed generators, 409

permissions, 256–261

auditing, 329

inheritance and propagation, 260

moving/copying files and folders, 260–261

types of, 258

user and group permissions, configuring, 272

personal firewalls, 33–34

personally identifiable information (PII), 451

personnel security policies, 448–452

acceptable use, 449

change management, 449–450

due care, 450

due diligence, 450

due process, 450

mandatory vacation, 450

separation of duties, 450

training employees, 451

types of, 451

PGP (Pretty Good Privacy), 362

Phage virus, 25

phishing, 140, 442

Phlashing, 139

physical security, 215

biometric readers, 217–218

building security, 215

door access systems, 216–217

server room security, 215

of switches, 120

piggybacking, 444

PII (personally identifiable information), 451

ping flood attacks, 137

ping of death (POD) attacks, 139

PKI (Public Key Infrastructure), 355, 380, 390

certificate authorities (CA), 381–384

certificates, 380–381

dual-sided certificates, 384

single-sided certificates, 384

web of trust, 384

planning

for disaster recovery, 420–422

in patch management, 69

PNAC (port-based Network Access Control), 126

POD (ping of death) attacks, 139

point release, 68

Point-to-Point Tunneling Protocol (PPTP), 229, 387

policies. See also procedures

for access control, 264–267

for application security, 104–105, 110–111

auditing, 331

for browsers, implementing, 91–92

configuring, 270–272

data sensitivity and classification, 447–448

in disaster recovery plans, 422

equipment disposal, 452–454

example of, 446

group policies, 69–71

personnel security policies, 448–452

acceptable use, 449

change management, 449–450

due care, 450

due diligence, 450

due process, 450

mandatory vacations, 450

separation of duties, 450

training employees, 451

types of, 451

vendor contracts, 452

polymorphic viruses, 17

pop-up blockers, 33, 36–37

in Firefox, 103

in Internet Explorer, 98

pop-up windows, closing, 94

POP3 connections, ports and protocols for, 135

port address translation (PAT), 121

port forwarding, 163

port scanning, 136, 295–297

port zero, securing, 136

port-based Network Access Control (PNAC), 126

portable gas-engine generators, 409

ports

closing, 136

inbound, 133

outbound, 133

protocol associations, list of, 133–134

ranges of, 131

scanning, 150–151

securing, 131–136

power supplies

failure of, 406

redundancy planning, 405–410

backup generators, 408–410

redundant power supplies, 406–407

UPS, 407–408

PPTP (Point-to-Point Tunneling Protocol), 229, 387

pre-action sprinkler systems, 438

precomputation, 300

preparing for exam. See exam preparation

preservation of evidence (incident response), 456

pretexting, 441

Pretty Good Privacy (PGP), 362

preventing

BIOS attacks, 38–39

malware, 23, 32

rootkits, 29–30

spam, 30–31

spyware, 27–29

viruses, 23–25, 27

worms and Trojan horses, 27

previous logon notification, 266

Privacy Act of 1974, 447

private addresses, public addresses versus, 121–122

private branch exchange (PBX) equipment, securing, 130

private keys, 353. See also symmetric key algorithms

privilege de-escalation, 188

privilege escalation, 21, 188

procedures, incident response, 454–457. See also policies

process virtual machines, 75

program viruses, 17

programs. See applications

promiscuous mode, 171, 318

propagation of permissions, 260

protected system files, hiding, 72

protocol analyzers, 118, 173, 297–298, 318, 333–335

Network Monitor, 320–321

SNMP, 321

Wireshark, 319–320

protocols

port associations, list of, 133–134

securing, 131–136

proximity sensors, 217

proximity-based door access systems, 217

proxy servers, 167–169

in browser security, 94–95

configuring connections in Firefox, 102

public addresses, private addresses versus, 121–122

public key cryptography, 354–355

Public Key Infrastructure (PKI), 355, 380, 390

certificate authorities (CA), 381–384

certificates, 380–381

dual-sided certificates, 384

single-sided certificates, 384

web of trust, 384

public keys, 353

punch block connections, 194

Pure-FTPd, 135

purging data, 454

Q

qualitative risk assessments, 285–286

quantitative risk assessments, 286–287

R

RA (registration authority), 383

radio frequency interference (RFI), 191

RADIUS (Remote Authentication Dial-In User Service), 230–232

RADIUS servers, configuring, 236–238

RAID (redundant array of independent disks), 410–413

configuring, 425–426

Rainbow Tables, 300

RAS (Remote Access Service), 227–228

RATs (remote access Trojans), 17

raw socket programming, 137

RBAC (role-based access control), 253

RC (Rivest Cipher), 358–359

RC4, 358

RC5, 358

RC6, 358

recovery (incident response), 455. See also disaster recovery

recycling computers, policies concerning, 452–454

The Red Book, 250

redundancy planning, 404–405. See also disaster recovery

network connections, 413–415

power supplies, 405–410

backup generators, 408–410

redundant power supplies, 406–407

UPS, 407–408

RAID, 410–413

servers, 415

single points of failure, 404

sites, 415–416

redundant array of independent disks (RAID), 410–413

configuring, 425–426

redundant ISP, 414

redundant power supplies, 406–407

registration authority (RA), 383

Remote Access Service (RAS), 227–228

remote access Trojans (RATs), 17

Remote Authentication Dial-In User Service (RADIUS), 230, 232

remote authentication technologies, 226

RADIUS versus TACACS, 230–232

RAS, 227–228

VPNs, 228–230

remote ports, 189

removable media

as malware delivery method, 21

securing, 39–40

removing. See also data removal

applications and services, 58–62

e-mail addresses from websites, 30

temporary files, 72, 99

web browsers, 99

replay attacks, 142–143

requirements for Security+ certification, 469

residual risk, 284

restoration from backup tapes, 418

restore points, 73

restrictions on user accounts, configuring, 270–272

revoking certificates, 383

RFI (radio frequency interference), 191

risk assessments, 284–285

qualitative risk assessments, 285–286

quantitative risk assessments, 286–287

security analysis methodologies, 287–288

vulnerability management, 288–291

risk management, 284

risk mitigation, 285

risks, residual, 284

Rivest Cipher (RC), 358–359

rogue wireless access points, 196

role-based access control (RBAC), 253

rootkits, 19

preventing and troubleshooting, 29–30

rotation schemes for backups, 418–419

routers, securing, 120–121

RSA (Rivest, Shamir, Adleman) encryption, 359–360

rule-based access control, 252

S

S/MIME (Secure/Multipurpose Internet Mail Extensions), 385–386

SA (security association), 388

safety. See environmental controls

sags, 406

salting, 300

sandboxes, 107

sanitizing hard drives, 453–454

Sarbanes-Oxley Act (SOX), 447

saving log files, 327

SCA (side channel attacks), 361

scanning

for malware, 44

the network, 303–304

ports, 136, 150–151

for vulnerabilities, 295–297

secret key encryption, 352. See also symmetric key algorithms

Secure Hash Algorithm (SHA), 364–365

Secure HTTP (SHTTP), 386

Secure LDAP, 224

Secure Shell (SSH), 386–387

Secure Sockets Layer (SSL), 386

Secure/Multipurpose Internet Mail Extensions (S/MIME), 385–386

security

AAA, 5–6

access control. See access control models

application security, 103–107

with group policies, 110–111

authentication models, 219–220

of BIOS, 38–39, 44, 46

browser security, 90–91

Firefox, 100–103

Internet Explorer, 96–100, 109–110

proxy servers and content filters, 94–95

security policies, implementing, 91–92

user education, 93–94

of cell phones and PDAs, 41–42

CIA triad, 4–5

of log files, 328

network design, 118

interconnections, 123–125

NAC (Network Access Control), 125–126

NAT (network address translation), 121–122

network devices, 118–121

subnetting, 126–127

telephony devices, 129–131

VLAN (virtual local area network), 128–129

network security

ARP poisoning, 144

attacks, list of, 145–148

castle analogy, 161

DDoS (Distributed Denial of Service) attacks, 140

DNS poisoning, 143–144

DoS (Denial of Service) attacks, 137–140

firewalls, 162–167

honeypots and honeynets, 169–170

network documentation, 200

NIDS (network intrusion detection system), 170–171

NIPS (network intrusion prevention system), 171–173

null sessions, 143

ports and protocols, 131–136

protocol analyzers, 173

proxy servers, 167–169

replay attacks, 142–143

session hijacking, 141–142

spoofing attacks, 140–141

physical security, 215

biometric readers, 217–218

building security, 215

door access systems, 216–217

server room security, 215

risk assessments, 284–285

qualitative risk assessments, 285–286

quantitative risk assessments, 286–287

security analysis methodologies, 287–288

vulnerability management, 288–291

of storage devices

network attached storage (NAS), 40

removable media, 39–40

whole disk encryption, 40–41

technologies

intrusion detection systems (IDS), 34–36

personal firewalls, 33–34

pop-up blockers, 36–37

types of, 6–7

threats

malware, 16–32

types of, 6

wired network security, 186

cable vulnerabilities, 189–195

device vulnerabilities, 186–189

wireless network security, 195

Bluetooth vulnerabilities, 199–200

wireless access point vulnerabilities, 195–199

wireless transmission vulnerabilities, 199

security analysis methodologies, 287–288

security association (SA), 388

security audits. See audits

security logs, 324–325

in file auditing, 323–324

security permissions, 259

security policies. See policies

security protocols

IPsec, 388

L2TP, 387–388

configuring VPN with Windows Server 2003, 390–394

PPTP, 387

S/MIME, 385–386

SSH, 386–387

SSL/TLS, 386

security settings (Internet Explorer), 27

security templates, 69–71

security tokens, 217

security tools. See technologies

security zones (Internet Explorer), configuring, 96

Security+ certification requirements, 469

sensitivity of data, policies concerning, 447–448

Separation of Duties (SoD), 255, 450

separation of OS and data, 25

server room security, 215

servers, redundancy planning, 415

service level agreement (SLA), 452

service packs

installing, 24, 62–65

services versus, 61

updating, 80–81

Service Set Identifier (SSID) broadcasting, 167, 196

services

removing, 58–62

service packs versus, 61

session cookies, 98

session hijacking, 141–142

Session Initiation Protocol (SIP), 131

session theft, 141

session-key. See symmetric key algorithms

SHA (Secure Hash Algorithm), 364–365

shared folders, auditing, 329

shared-key. See symmetric key algorithms

sharing permissions, 258

shielded twisted pair (STP) cables, 192, 440

shielding, 440–441

ShieldsUP!, 136, 163

shoulder surfing, 443

SHTTP (Secure HTTP), 386

side channel attacks (SCA), 361

signal emanation, 192

signature-based monitoring, 35, 314

Simple Network Management Protocol (SNMP), 321

single loss expectancy (SLE), 286

single points of failure, 404

Single Sign-on (SSO), 219

single-key. See symmetric key algorithms

single-sided certificates, 384

SIP (Session Initiation Protocol), 131

sites, redundancy planning, 415–416

SLA (service level agreement), 452

SLE (single loss expectancy), 286

slipstreaming, 64

smart cards, 217

SMTP open relays, 30

SMTP relay, 143

Smurf attacks, 137

SNMP (Simple Network Management Protocol), 321

SNMP agents, 321

Snort, 170, 172

social engineering, 6, 441

baiting, 444

diversion theft, 441

dumpster diving, 443

eavesdropping, 443

hoaxes, 442–443

phishing, 442

piggybacking, 444

pretexting, 441

shoulder surfing, 443

training employees against, 445

types of, 444–445

SoD (Separation of Duties), 255

software, as malware delivery method, 21

software versions, explained, 68

SOX (Sarbanes-Oxley) Act, 447

SP. See service packs

spam, 19

preventing and troubleshooting, 30–31

spam filters, 30

spam honeypots, 170

SPAP, 227

spectral analyzers, 194

SPI (stateful packet inspection), 164

spikes, 406

splitting

fiber-optic cables, 194

twisted-pair cable wires, 194

spoofing attacks, 140–141

sprinkler systems, 438

spyware, 18

preventing and troubleshooting, 27–29

symptoms of, 28

SSH (Secure Shell), 386–387

SSH connections, 394–395

SSID (Service Set Identifier) broadcasting, 167, 196

SSL (Secure Sockets Layer), 386

certificates, 382

settings in Internet Explorer, 99

SSO (Single Sign-on), 219

standard load, 316

standby generators, 409

stateful packet inspection (SPI), 164

stateless packet inspection, 164

static NAT (network address translation), 121

statistical anomaly monitoring, 35, 315

stealth viruses, 17

steganography, 356

storage devices

network attached storage (NAS), securing, 40

removable media, securing, 39–40

whole disk encryption, 40–41

STP (shielded twisted pair) cables, 192, 440

stream ciphers, 354

strong passwords, 187, 262–263

subnetting, 126–127

SubSeven, 18

subversion errors, 172

supplicants (802.1X connections), 222

surges, 406

switch spoofing, 129

switches, securing, 119–120

symmetric key algorithms, 353–354, 359

AES, 357–358

DES and 3DES, 357

RC, 358–359

symptoms

of spyware, 28

of viruses, 26

SYN, 318

SYN flood attacks, 138

system failure, 6

System logs, 325

System Monitor, 318

System Restore, 73

system security settings, audits on, 328–331

system virtual machines, 75

T

TACACS (Terminal Access Controller Access-Control System), 231

TACACS+, 231

tape backups, types of, 417

tapping into data, 192–195

TCP reset attacks, 137

TCP/IP hijacking, 141

TDEA (Triple Data Encryption Algorithm), 357

teardrop attacks, 139

technologies

intrusion detection systems (IDS), 34–36

localized authentication technologies, 220

IEEE 802.1X standard, 221–224

Kerberos, 225–226

LDAP, 224

Terminal Services, 226

monitoring tools

performance baselining, 316–318

protocol analyzers, 318–321

personal firewalls, 33–34

pop-up blockers, 36–37

remote authentication technologies, 226

RADIUS versus TACACS, 230–232

RAS, 227–228

VPNs, 228–230

types of, 6–7

for vulnerability assessments, 291

network mapping, 292–295

password analysis, 298–301

protocol analyzers, 297–298

vulnerability scanning, 295–297

telephony devices, securing, 129–131

modems, 130

PBX equipment, 130

VoIP, 131

Telnet, 130, 189

disabling, 60

TEMPEST standards, 192, 440

templates, 69–71

temporary files, removing, 72, 99

Terminal Access Controller Access-Control System (TACACS), 231

Terminal Services, 226

test systems, importance of, 18

testing in patch management, 69

theft (disaster recovery), 421

threats

malware, 16, 20

delivery methods for, 20–23

preventing and troubleshooting, 23–32

rootkits, 19

spam, 19

spyware, 18

Trojan horses, 17

viruses, 16–17

worms, 17

types of, 6

tickets (Kerberos), 225

time bombs, 22

time-of-day restrictions on user accounts, 258

TLS (Transport Layer Security), 386

tools. See technologies

Towers of Hanoi backup rotation method, 419

training employees

against social engineering, 445

on policies, 451

Transport Layer Security (TLS), 386

Trend Micro OSSEC, 36

Triple Data Encryption Algorithm (TDEA), 357

Trojan horses, 17

preventing and troubleshooting, 27

troubleshooting malware, 23, 32

rootkits, 29–30

spam, 30–31

spyware, 27–29

viruses, 23–27

worms and Trojan horses, 27

true negatives, 220

true positives, 220

TrueCrypt, 40

tunneling protocols (VPNs), 228

twisted-pair cables, 190–191

open ports on, 194

splitting wires of, 194

Type I errors, 220

Type II errors, 220

U

UAC (User Account Control), 104, 267–268

UDP flood attacks, 138

unauthorized access, 6

unicast, 119

uninterruptible power supplies (UPS), 407–408

unshielded twisted pair (UTP) cables, 192

updates, installing, 24, 65–69

updating

BIOS, 39

service packs, 80–81

UPS (uninterruptible power supplies), 407–408

URL spoofing attacks, 140

USB devices, securing, 39

User Account Control (UAC), 104, 267–268

user accounts

expiration, 256

time-of-day restrictions, 258

user awareness, 6

user education

in browser security, 93–94

to prevent viruses, 25

spam prevention, 31

spyware prevention, 28

usernames in access control, 261–264

users

in access control, 256–261

account restrictions, configuring, 270–272

permissions, configuring, 272

UTP (unshielded twisted pair) cables, 192

V

v12n. See virtualization

validation

of certificates, 381

of input, 107

vampire taps, 193

vendor contracts, 452

Verisys, 36

versions of patches, explained, 68

vertical privilege escalation, 188

virtual appliances, 75

virtual local area network (VLAN), 128–129

virtual machines (VMs), 74–75

creating in Virtual PC 2007, 81–82

Microsoft Virtual PC, 76–77

Microsoft Virtual Server, 78

Microsoft Windows XP Mode, 78

VMware, 78

Virtual PC, 76–77

Virtual PC 2007, creating VMs (virtual machines) in, 81–82

virtual private networks (VPNs), 228–230

configuring, 235–236

IPsec, 388

L2TP, 387–388

configuring with Windows Server 2003, 390–394

PPTP, 387

for router security, 121

Virtual Server, 78

virtual servers, 163

virtualization, 74

Microsoft Virtual PC, 76–77

Microsoft Virtual Server, 78

Microsoft Windows XP Mode, 78

types of, 74–76

VMware, 78

viruses, 16–17

preventing and troubleshooting, 23–27

symptoms of, 26

VLAN (virtual local area network), 128–129

VLAN hopping, 129

VMs (virtual machines), 74–75

creating in Virtual PC 2007, 81–82

Microsoft Virtual PC, 76–77

Microsoft Virtual Server, 78

Microsoft Windows XP Mode, 78

VMware, 78

VMware, 78

VoIP (voice over Internet Protocol), securing, 131

VPNs (virtual private networks), 228–230

configuring, 235–236

IPsec, 388

L2TP, 387–388

configuring with Windows Server 2003, 390–394

PPTP, 387

for router security, 121

vulnerabilities, 283. See also attacks

of Bluetooth, 199–200

of cabling, 189–195

crosstalk, 191–192

data emanation, 192

interference, 190–191

tapping into data, 192–195

of network devices, 186–189

backdoors, 188

default accounts, 186–187

network attacks, 189

privilege escalation, 188

weak passwords, 187

of wireless access points, 195–199

of wireless transmission, 199

vulnerability assessments, tools for, 291

network mapping, 292–295

password analysis, 298–301

protocol analyzers, 297–298

vulnerability scanning, 295–297

vulnerability management, 288–291

vulnerability scanning, 295–297

W

WANs (wide area networks), LANs (local area networks) versus, 123

wardialing, 130

wardriving, 199, 205

warm sites, 416

weak encryption on wireless access points, 196–197

weak passwords, 187

guessing, 300

web browser security. See browser security

web of trust, 384

web proxy servers, 168

websites

encryption notification, 94

pop-up blocking, 36–37

pop-up windows, closing, 94

removing e-mail addresses from, 30

well-known ports, list of, 133–134

wet pipe systems, 438

white hats, 7

whitelists, 31, 101

whole disk encryption, 40–41, 73

wide area networks (WANs), local area networks (LANs) versus, 123

Windows Firewall, 33

Windows Update, installing updates, patches, hotfixes, 65–69

Windows XP Mode, 78

wire tapping, 192–195

wired network security, 186

cable vulnerabilities, 189–195

crosstalk, 191–192

data emanation, 192

interference, 190–191

tapping into data, 192–195

device vulnerabilities, 186–189

backdoors, 188

default accounts, 186–187

network attacks, 189

privilege escalation, 188

weak passwords, 187

wireless access points

securing, 203–205

vulnerabilities, 195–199

wireless network security, 195

wireless access point vulnerabilities, 195–199

wireless transmission vulnerabilities, 199

wireless networks, vulnerability assessments, 292

wireless transmission vulnerabilities, 199

Wireshark, 297, 319–320

wood fires, extinguishing, 436

Word, securing, 106

worms, 17

preventing and troubleshooting, 27

X

X.509 standard, 380

XSS (cross-site scripting), 98, 142

Z

zombies, 23, 140

zone transfers, 143

ZoneAlarm, 33
