Prowse REST OF IT pt1 (chs. 3,. 5, 10, 11 and. 12)

Key Points of Access Control Model: RBAC (2)

-Based on roles, or sets of permissions involved in an operation. -Controlled by the system.

Safeguards for Application name: Word (3)

-Consider using passwords for opening or modifying documents. -Use read-only or comments only (tracking changes) settings. -Consider using a digital certificate to seal the document.

But what is a strong password? That depends on the organization you deal with, but generally it is broken down into a few easy-to-remember points. Passwords should comply with the following: (5)

-Contain uppercase letters -Contain lowercase letters -Contain numbers -Contain special characters (symbols) -Should be 8 to 10 characters or more. Some organizations that have ex- tremely sensitive data will require 15 characters as a minimum.

Key Points of Access Control Model: ABAC (2)

-Context-aware, and dynamic authentication. -Uses IF-THEN statements to allow access.

Countermeasure(s) for mobile device security topic: Botnets & DDoS (3)

-Download apps from a legitimate source. If BYOD is in place, use company-approved apps. -Refrain from "rooting" or "jailbreaking" the device. -Have data backed up in case the device becomes part of a botnet and has to be wiped.

Prevention methods for this vulnerability: Untrained users:

-Educate users about social engineering methods (see Chapter 17) -Educate users about malware and attacks (see Chapter 2 and Chapter 7)

DLP systems can be software or hardware-based solutions and come in three varieties: (describe)

-Endpoint DLP systems: These systems run on an individual computer and are usually software-based. They monitor data in use, such as e-mail communications, and can control what information flows between various users. These systems can also be used to inspect the content of USB-based mass-storage devices or block those devices from being accessed altogether by creating rules within the software. -Network DLP systems: These can be software- or hardware-based so- lutions and are often installed on the perimeter of the network. They inspect data that is in motion. -Storage DLP systems: These are typically installed in data centers or server rooms as software that inspects data at rest.

Key Points of Access Control Model: DAC (2)

-Every object in the system has an owner. -Permissions are determined by the owner.

The BIOS can be the victim of malicious attacks; for mischievous persons, it can also act as the gateway to the rest of the system. Protect it! Otherwise, your computer might not boot—or worse. Following are a few ways to do so: (5) (describe)

-Flash the BIOS: Flashing is a term that describes the updating of the BIOS. By updating the BIOS to the latest version, you can avoid possible ex- ploits and BIOS errors that might occur. An updated BIOS (and newer moth- erboard) can also better protect from electromagnetic interference (EMI) and electromagnetic pulses (EMP). All new motherboards issue at least one new BIOS version within the first six months of the motherboard's release. Normally, you would flash the BIOS first before making any changes to the BIOS configurations. -Use a BIOS password: The password that blocks unwanted persons from gaining access to the BIOS is the supervisor password. Don't confuse it with the user password (or power-on password) employed so that the BIOS can verify a user's identity before accessing the operating system. Both of these are shown in Figure 3-1. Because some computers' BIOS password can be cleared by opening the computer (and either removing the battery or changing the BIOS jumper), some organizations opt to use locking cables or a similar locking device that deters a person from opening the computer. -Configure the BIOS boot order: Set up the BIOS to reduce the risk of infiltration. For example, change the BIOS boot order (boot device priority) so that it looks for a hard drive first and not any type of removable media. -Disable external ports and devices: If a company policy requires it, disable removable media including the optical drives, eSATA ports, and USB ports. -Enable the secure boot option: UEFI 2.3.1 and higher offer an option called secure boot. This can secure the boot process of the computer by pre- venting unsigned—or improperly signed—device drivers and OS loaders. Im- plementing this may or may not be possible depending on the type of hard- ware used by your organization. Review hardware documentation and device drivers, and more importantly test the configuration, before implementing this option.

In Windows, there are two types of permissions. Sharing permissions are ba- sic permissions including Full Control, Change, and Read, which are applied to folders only. These are often ignored in favor of the more powerful (and superseding) NTFS permissions, also called security permissions, which can secure folders and individual files. In a standard Windows folder on a do- main, the types of NTFS permissions include the following: (6)

-Full Control -Modify -Read & Execute -List Folder Contents -Read -Write

Describe permissions when: you copy a folder (or file) on the same volume; you copy a folder (or file) to a different volume; you move a folder (or file) to a different location on the same volume

-If you copy a folder (or file) on the same volume or to a different volume, the folder inherits the permissions of the parent folder it was copied to (tar- get directory). -If you move a folder (or file) to a different location on the same volume, the folder retains its original permissions. (You cannot move a folder to a separate volume; if you attempt to do so it will automatically be copied to the other volume.)

First, some general procedures should be implemented regardless of the browser your organization uses. These concepts can be applied to desktop browsers as well as mobile browsers: (4)

-Implement policies. -Train your users. -Use a proxy and content filter. -Secure against malicious code.

Countermeasure(s) for mobile device security topic: BYOD concerns (4)

-Implement storage segmentation. -Utilize an MDM solution. -Create and implement clear policies that the or- ganization and user must adhere to. -Consider CYOD or COPE as opposed to the tradi- tional BYOD method.

User accounts can be added to individual computers or to networks. For ex- ample, a Windows client, Linux computer, or Mac can have multiple users. And larger networks that have a controlling server, for example, a Windows domain controller, enable user accounts that can access one or more com- puters on the domain. In a Microsoft domain, users are added in Active Di- rectory Users and Computers (ADUC), as shown in Figure 11-3. ADUC can be accessed from Administrative Tools or added as a snap-in to an MMC. Users can be added in one of two places: (describe)

-In the Users folder: This is located inside the domain name within ADUC. -In an OU: Organizational units can be created within the domain. These are often made to mimic the departments of a company. In Figure 11-3, there are Accounting and Marketing OUs; users can be created within these OUs.

Job rotation: This is one of the checks and balances that might be em- ployed to enforce the proper separation of duties. Job rotation is when users are cycled through various assignments to (4)

-Increase user insight as to overall operations -Reduce employee boredom -Enhance employee skill level -Increase operation security

Safeguards for Application name: Outlook (10)

-Install the latest Office update or service pack. (This applies to all Office suite applications.) -Keep Office up to date with Windows Update. (This also applies to all Office suite applications.) -Consider an upgrade to a newer version of Office, if the currently used one is no longer supported. -Increase the junk e-mail security level or use a whitelist. -Read messages in plain text instead of HTML. Enable attachment blocking. -Use a version that enables Object Model Guard func- tionality, or download it for older versions. -Password protect any .PST files. -Use strong passwords for Microsoft accounts if using web-based Outlook applications. -Use encryption: Consider encrypting the authentication scheme, and possibly other traffic, including message traffic between Outlook clients and Exchange servers. Consider a digital certificate. Secure Password Authen- tication (SPA) can be used to secure the login, and S/MIME and PGP/GPG can be used to secure actual e- mail transmissions. Or, in the case of web-based e- mail, use SSL or TLS for encryption.

Before we get into managing vulnerabilities, I'd like to revisit the concept of security controls. In Chapter 1 we discussed three basic security controls that are often used to develop a security plan: physical, technical, and adminis- trative. However, there are additional categorical controls as described by the NIST. In short, the three can be described as the following: (3) (describe)

-Management controls: These are techniques and concerns addressed by an organization's management (managers and executives). Generally, these controls focus on decisions and the management of risk. They also con- centrate on procedures, policies, legal and regulatory, the software develop- ment life cycle (SDLC), the computer security life cycle, information assur- ance, and vulnerability management/scanning. In short, these controls focus on how the security of your data and systems is managed. -Operational controls: These are the controls executed by people. They are designed to increase individual and group system security. They include user awareness and training, fault tolerance and disaster recovery plans, in- cident handling, computer support, baseline configuration development, and environmental security. The people who carry out the specific requirements of these controls must have technical expertise and understand how to im- plement what management desires of them. -Technical controls: These are the logical controls executed by the com- puter system. Technical controls include authentication, access control, au- diting, and cryptography. The configuration and workings of firewalls, ses- sion locks, RADIUS servers, or RAID 5 arrays would be within this category, as well as concepts such as least privilege implementation.

OVAL can be de- fined in two parts: (describe)

-OVAL Language: Three different XML schemas have been developed that act as the framework of OVAL: 1. System testing information 2. System state analysis 3. Assessment results reporting OVAL is not a language like C++ but is an XML schema that defines and de- scribes the XML documents to be created for use with OVAL. OVAL Interpreter: A reference developed to ensure that the correct syntax is used by comparing it to OVAL schemas and definitions. Several downloads are associated with the OVAL Interpreter and help files and fo- rums that enable security people to check their work for accuracy.

Key Points of Access Control Model: MAC (3)

-Permissions are determined by the system. -Can be rule-based or lattice-based. -Labels are used to identify security levels of subjects and objects.

An example of MAC can be seen in FreeBSD version 5.0 and higher. In this OS, access control modules can be installed that allow for security policies that label subjects and objects. The enforcement of the policies is done by administrators or by the OS; this is what makes it mandatory and sets it apart from DAC. Another example is Security-Enhanced Linux (SELinux), a set of kernel modifications to Linux that supports DoD-style mandatory ac- cess controls such as the requirement for trusted computing base (TCB). Though often interpreted differently, TCB can be described as the set of all hardware and software components critical to a system's security and all as- sociated protection mechanisms. The mechanisms must meet a certain stan- dard, and SELinux helps accomplish this by modifying the kernel of the Lin- ux OS in a secure manner. Like DAC, MAC was also originally defined in The Orange Book, but as the Mandatory Security Policy—a policy that enforces access control based on a user's clearance and by the confidentiality levels of the data. Even though The Orange Book is deprecated, the concept of MAC lives on in today's systems and is implemented in two ways: (describe)

-Rule-based access control: Also known as label-based access control, this defines whether access should be granted or denied to objects by com- paring the object label and the subject label. -Lattice-based access control: Used for more complex determinations of object access by subjects. Somewhat advanced mathematics are used to create sets of objects and subjects and define how the two interact.

Following are two main types of monitoring that an IDS can carry out: (describe)

-Statistical anomaly: It establishes a performance baseline based on normal network traffic evaluations, and then compares current network traf- fic activity with the baseline to detect whether it is within baseline parame- ters. If the sampled traffic is outside baseline parameters, an alarm is trig- gered and sent to the administrator. -Signature-based: Network traffic is analyzed for predetermined attack patterns, which are known as signatures. These signatures are stored in a database that must be updated regularly to have effect. Many attacks today have their own distinct signatures. However, only the specific attack that matches the signature will be detected. Malicious activity with a slightly dif- ferent signature might be missed.

Following are three components to an 802.1X connection:

-Supplicant: A software client running on a workstation. This is also known as an authentication agent. -Authenticator: A wireless access point or switch. -Authentication server: An authentication database, most likely a RA- DIUS server.

Following are a couple methodologies for accomplishing penetration testing: (2) (describe)

-The Open Source Security Testing Methodology Manual (OSST- MM): This manual and corresponding methodology define the proper way to conduct security testing. It adheres to the scientific method. The manual is freely obtained from ISECOM. -NIST penetration testing: This is discussed in the document SP800- 115. This document and methodology is less thorough than the OSSTMM; however, many organizations find it satisfactory because it comes from a de- partment of the U.S. government. At times, it refers to the OSSTMM instead of going into more detail.

User Account Control (UAC) is a security component of Windows that keeps every user (besides the actual Administrator account) in standard user mode instead of as an administrator with full administrative rights—even if the person is a member of the administrators group. It is meant to prevent unauthorized access, as well as avoid user error in the form of accidental changes. With UAC enabled, users perform common tasks as non-adminis- trators, and, when necessary, as administrators, without having to switch users, log off, or use Run As. Basically, UAC was created with two goals in mind:

-To eliminate unnecessary requests for excessive administrative-level ac- cess to Windows resources -To reduce the risk of malicious software using the administrator's access control to infect operating system files

Organizations usually employ one of the four following general strategies when managing a particular risk:

-Transfer the risk to another organization or third party. -Avoid the risk. -Reduce the risk. -Accept some or all of the consequences of a risk.

Three examples of HIDS ap- plications include the following:

-Trend Micro OSSEC :(https://ossec.github.io/index.html): A free solu- tion with versions for several platforms. -Verisys: (www.ionx.co.uk/products/verisys (http://www.ionx.co.uk/prod- ucts/verisys)): A commercial HIDS file integrity monitoring solution for Windows. -Tripwire: (https://www.tripwire.com/products/tripwire-file-integrity- monitoring/): Another commercial HIDS solution.

Following are some requirements for encrypting an entire drive:

-Trusted platform module (TPM)—A chip residing on the motherboard that stores the encrypted keys. (This is part of the concept mentioned previ- ously known as the root of trust.) OR -An external USB key to store the encrypted keys. AND -A hard drive with two volumes, preferably created during the installation of Windows. One volume is for the operating system (most likely C:) that will be encrypted; the other is the active volume that remains unencrypted so that the computer can boot. If a second volume needs to be created, the Bit- Locker Drive Preparation Tool can be of assistance and can be downloaded from the Microsoft Download Center.

Countermeasure(s) for mobile device security topic: Malware: (4)

-Update device to latest version (or point release for the current version). -Use security suites and AV software. Enable them if preloaded on the device and update regularly. -Train users to carefully screen e-mail and selec- tively access websites. -Be careful of social networks and third-party apps.

Countermeasure(s) for mobile device security topic: Wireless attacks (4)

-Use a strong password for the wireless network. -Turn off unnecessary wireless features such as mobile hotspot, tethering, and so on. -Disable Bluetooth if not in use for long periods of time (also conserves battery). -Set device to undiscoverable.

Countermeasure(s) for mobile device security topic: Application security (5)

-Use encryption from reputable providers. -Use anti-malware endpoint protection platforms. -Utilize non-transitive trusts between networks and apps. -White-list applications. -Disable geotagging.

Safeguards for Application name: Excel (3)

-Use password protection on worksheets. -Set macro security levels. -Consider Excel encryption.

Countermeasure(s) for mobile device security topic: Theft (4)

-Utilize data and voice encryption (especially in BYOD implementations). -Implement lockout, remote locator, and remote wipe programs. -Limit the amount of confidential information stored on the device. -Use screen locks and complex passwords.

Examples of software-based personal firewalls include the following: (4) (Describe)

-Windows Firewall: Built into Windows, the basic version is accessible from the Control Panel or by typing firewall.cpl in the Run prompt or Command Prompt. The advanced version, Windows Firewall with Advanced Security, can be accessed by typing wf.msc in the Run prompt or Command Prompt. This advanced version enables a user to perform more in-depth configurations such as custom rules. -ZoneAlarm: Originally a free product that is still available (see the fol- lowing link), this was purchased by Check Point and is now also offered as part of a suite of security applications. Go to https://www.zonealarm.- com/software/free-firewall/. -PF (packet filter) and IPFW (IP Firewall): PF is the command-line- based firewall built into OS X version 10.10 and higher and macOS. Its pre- decessor, IPFW, was available in OS X through 10.9 but was deprecated in 10.7. Some OS X versions and macOS also include a graphical firewall titled "Firewall." PF and IPFW are also used in FreeBSD. -iptables: Used in Linux systems. Is used to configure the tables provided by the Linux kernel firewall and its rules. Can be extended upon using vari- ous configuration tools and third-party add-ons.

Knowledgeable attackers understand where password information is stored. In Windows, it is stored in an encrypted binary format within the SAM hive. In Linux, the data used to verify passwords was historically stored in the __ file, but in newer Linux systems the passwd file only shows an X, and the real password information is stored in another file, perhaps __, or elsewhere in an encrypted format.

/etc/passwd; /etc/shadow

A security admin should monitor the biometric system for errors. Generally, if either the false acceptance rate (FAR) or the false rejection rate (FRR) goes above __(#)%, it should be investigated further

1

A common SDLC model used by com- panies is the waterfall model. Using this model the SDLC is broken down into several sequential phases. Here's an example of an SDLC's phases based on the waterfall model: (7)

1. Planning and analysis. Goals are determined, needs are assessed, and high-level planning is accomplished. 2. Software/systems design. The design of the system or application is defined and diagrammed in detail. 3. Implementation. The code for the project is written.4. Testing. The system or application is checked thoroughly in a testing environment. 5. Integration. If multiple systems are involved, the application should be tested in conjunction with those systems. 6. Deployment. The system or application is put into production and is now available to end users. 7. Maintenance. Software is monitored and updated throughout the rest of its life cycle. If there are many versions and configurations. version control is implemented to keep everything organized.

OVAL can be de- fined in two parts: the OVAL Language and the OVAL Interpreter. OVAL Language: Three different XML schemas have been developed that act as the framework of OVAL:

1. System testing information 2. System state analysis 3. Assessment results reporting

A Microsoft server that has Active Directory and LDAP running will have in- bound port __(#) open by default.

389

When Password Policy is selected, you see the following policies: Minimum password length: This requires that the password must be at least the specified number of characters. For a strong password policy, set this to

8 or more (as long as other complex requirements are also set; if not, the password should be longer).

Description of authentication type: 802.1X

802.1X An IEEE standard that defines Port-based Net- work Access Control (PNAC). 802.1X is a data link layer authentication technology used to connect devices to a LAN or WLAN. Defines EAP.

What's the best way to prevent SQL injection attacks on web applications?A. Input validationB. Host-based firewallC. Add HTTPS pagesD. Update the web server

A A. Input validation is the best way to prevent SQL injection attacks on web servers and database servers (or combinations of the two). Host-based firewalls aid in preventing network attacks but not necessarily coded attacks of this type. HTTPS pages initiate a secure transfer of data, but they don't necessarily lock out attackers who plan on using SQL injection. Updating the web server is a good idea, but will have little if any effect on the forms that are written by the web programmer.

Why do attackers often target nonessential services? (Select the two best answers.)A. Often they are not configured correctly. B. They are not monitored as often.C. They are not used.D. They are not monitored by an IDS.

A and B. Nonessential services are often not configured and secured by the network administrator; this goes hand-in-hand with the fact that they are not monitored as often as essential services. It is imperative that network administrators scan for nonessential services and close any corresponding ports. Even though services may be nonessential, that doesn't necessarily mean that they are not used. An IDS, if installed properly, should monitor everything on a given system.

Which of the following are good practices for tracking user identities? (Se- lect the two best answers.)A. Video camerasB. Key card door access systemsC. Sign-in sheetsD. Security guards

A and B. Video cameras enable a person to view and visually identify users as they enter and traverse a building. Key card access systems can be configured to identify a person as well, as long as the right person is carrying the key card!

Of the following, what two authentication mechanisms require something you physically possess? (Select the two best answers.)A. Smart cardB. CertificateC. USB flash drive D. Username and password

A and C. Two of the authentication mechanisms that require something you physically possess include smart cards and USB flash drives. Key fobs and cardkeys would also be part of this category. Certificates are granted from a server and are stored on a computer as software. The username/pass- word mechanism is a common authentication scheme, but it is something that you type and not something that you physically possess.

Kerberos uses which of the following? (Select the two best answers.) A. Ticket distribution serviceB. The Faraday cageC. Port 389D. Authentication service

A and D. Kerberos uses a ticket distribution service and an authentica- tion service. This is provided by the Key Distribution Center.

What types of technologies are used by external motion detectors? (Se- lect the two best answers.)A. InfraredB. RFIDC. Gamma rays D. Ultrasonic

A and D. Motion detectors often use infrared technology; heat would set them off. They also use ultrasonic technology; sounds in higher spec- trums that humans cannot hear would set these detectors off.

A smartphone is an easy target for theft. Which of the following are the best methods to protect the confidential data on the device? (Select the two best answers.) A. Remote wipeB. E-mail passwordC. GPSD. TetheringE. EncryptionF. Screen lock

A and E. Remote wipe and encryption are the best methods to protect a stolen device's confidential or sensitive information. GPS can help to locate a device, but it can also be a security vulnerability in general; this will depend on the scenario in which the mobile device is used. Passwords should never be e-mailed and should not be associated with e-mail. Tethering is when a mobile device is connected to another computer (usually via USB) so that the other computer can share Internet access, or other similar sharing function- ality in one direction or the other. This is great as far as functionality goes, but more often than not can be a security vulnerability. Screen locks are a decent method of reducing the chance of login by the average person, but they are not much of a deterrent for the persistent attacker.

Describe OVAL Interpreter:

A reference developed to ensure that the correct syntax is used by comparing it to OVAL schemas and definitions. Several downloads are associated with the OVAL Interpreter and help files and fo- rums that enable security people to check their work for accuracy.

Description of authentication type: RAS

A service that enables dial-up and various types of VPN connections from remote clients.

You are a consultant for an IT company. Your boss asks you to determine the topology of the network. What is the best device to use in this circumstance? A. Network mapperB. Protocol analyzer C. Port scannerD. Vulnerability scanner

A. A network mapper is the best tool to use to determine the topology of the network and to find out what devices and computers reside on that net- work. One example of this is the Network Topology Mapper.

Which of the following tools uses ICMP as its main underlying protocol? A. Ping scannerB. Port scannerC. Image scannerD. Barcode scanner

A. A ping scanner uses the Internet Control Message Protocol (ICMP) to conduct its scans. Ping uses ICMP as its underlying protocol and IP and ARP. Image scanners are found in printers and as standalone items that scan images, photos, and text into a computer. Barcode scanners are used to scan barcodes, for example, at the supermarket.

In an attempt to collect information about a user's activities, which of the following will be used by spyware? A. Tracking cookieB. Session cookieC. Shopping cartD. Persistent cookie

A. A. A tracking cookie will be used, or misused, by spyware in an at- tempt to access a user's activities. Tracking cookies are also known as brows- er cookies or HTTP cookies, or simply cookies. Shopping carts take advan- tage of cookies to keep the shopping cart reliable.

Which of the following will allow the triggering of a security alert be- cause of a tracking cookie?A. Anti-spyware applicationB. Anti-spam softwareC. Network-based firewallD. Host-based firewall

A. A. Anti-spyware can be used to trigger security alerts in case a user's web browser accesses a web page that includes a tracking cookie. Anti-spam software can possibly trigger alerts when an e-mail appears to be spam (or simply move it to a junk folder automatically).

What would you use to control the traffic that is allowed in or out of a network? (Select the best answer.)A. Access control listsB. FirewallC. Address Resolution ProtocolD. Discretionary access control

A. Access control lists can be used to control the traffic that is allowed in or out of a network. They are usually included as part of a firewall, and they are the better answer because they specifically will control the traffic. Ad- dress Resolution Protocol (ARP) resolves IP addresses to MAC addresses. In the discretionary access control model, the owner controls permissions of resources.

Which of the following is an advantage of implementing individual file encryption on a hard drive that already uses whole disk encryption? A. Individually encrypted files will remain encrypted if they are copied to ex- ternal drives. B. It reduces the processing overhead necessary to access encrypted files.C. NTFS permissions remain intact when files are copied to an external drive.D. Double encryption doubles the bit strength of the encrypted file.

A. By implementing individual file encryption (such as EFS) on files that are stored on a disk encrypted with whole disk encryption, the files will re- main encrypted (through EFS) even if they are copied to a separate drive that does not use whole disk encryption. However, running two types of en- cryption will usually increase processing overhead, not reduce it. NTFS per- missions aren't relevant here; however, if files are copied to an external drive, those files by default lose their NTFS permissions and inherit new per- missions from the parent folder on the new drive. We'll discuss NTFS per- missions more in Chapter 11. We shouldn't call this double encryption— rather, the files are encrypted twice separately. The bit strength is not cumu- lative in this example, but there are two layers of encryption, which is an ex- ample of defense in depth and security layering.

You are the security administrator for your organization. You want to ensure the confidentiality of data on mobile devices. What is the best solution?A. Device encryptionB. Remote wipeC. Screen locksD. AV software

A. Device encryption is the best solution listed to protect the confiden- tiality of data. By encrypting the data, it makes it much more difficult for a malicious person to make use of the data. Screen locks are a good idea but are much easier to get past than encryption. Antivirus software will not stop an attacker from getting to the data once the mobile device has been stolen. Remote sanitization (remote wipe) doesn't keep the data confidential; it re- moves it altogether! While this could be considered a type of confidentiality, it would only be so if a good backup plan was instituted. Regardless, the best answer with confidentiality in mind is encryption. For example, if the device was simply lost, and was later found, it could be reused (as long as it wasn't tampered with). But if the device was sanitized, it would have to be reloaded and reconfigured before being used again.

Heaps and stacks can be affected by which of the following attacks? A. Buffer overflowsB. RootkitsC. SQL injectionD. Cross-site scripting

A. Heaps and stacks are data structures that can be affected by buffer overflows. Value types are stored in a stack, whereas reference types are stored in a heap. An ethical coder will try to keep these running efficiently. An unethical coder will attempt to use a buffer overflow to affect heaps and stacks, which in turn could affect the application in question or the operating system. The buffer overflow might be initiated by certain inputs and can be prevented by bounds checking.

You are implementing a new enterprise database server. After you evalu- ate the product with various vulnerability scans you determine that the prod- uct is not a threat in of itself but it has the potential to introduce new vulner- abilities to your network. Which assessment should you now take into con- sideration while you continue to evaluate the database server? A. Risk assessmentB. Code assessmentC. Vulnerability assessmentD. Threat assessment

A. If a new solution poses the potential for new vulnerabilities to your network, you should run an in-depth risk assessment of the new product. In this case, you are not yet doing any coding, so a code assessment is not nec- essary, but should be implemented as part of a secure code review in the case that you make any programming changes to the database server. You have already run a vulnerability assessment when you did the vulnerability scans. You found that the solution is not a threat but could pose other threats. The risk assessment defines what kind of issues your organization could face due to the threats and vulnerabilities.

Which of the following has schemas written in XML? A. OVALB. 3DESC. WPAD. PAP

A. OVAL (Open Vulnerability and Assessment Language) uses XML as a framework for the language. It is a community standard dealing with the standardization of information transfer.

What can attackers accomplish using malicious port scanning? A. "Fingerprint" of the operating systemB. Topology of the networkC. All the computer names on the networkD. All the usernames and passwords

A. Port scanning can be used in a malicious way to find out all the open- ings to a computer's operating system; this is known as the "fingerprint" of the operating system. Port scanning cannot find out the topology of the net- work, computer names, usernames, or passwords.

Which of the following methods can be used by a security administrator to recover a user's forgotten password from a password-protected file?A. Brute-forceB. Packet sniffingC. Social engineering D. Cognitive password

A. The brute-force method can be used to recover a user's password from a protected file or otherwise protected area of an operating system. Tools such as these are used by security administrators to recover pass- words, but are also used by attackers to crack password codes in order to ob- tain unauthorized access. Packet sniffing can be used to find passwords that have been sent over the network in clear text (which happens more often than you might suspect), but cannot crack the password stored in a protected file. Social engineering is when con artists attempt to find out information (such as a password) from unsuspecting users. But in the scenario of the question, the user has forgotten the password (thus the need for recovery), so social engineering would be pointless. The cognitive password is an au- thentication type where, in addition to the password, the user must answer a question of some sort; used collectively, the authentication system grants ac- cess if the answer and the password are correct. This is an excellent method to use in the case an attacker does crack a password, because that second level of authentication (based on the user's knowledge) is necessary. And that is when social engineering could perform wonders, attempting to elicit that information from the user. But again, for this question, brute-force is the answer, because the security administrator is simply trying to recover the password for the user.

A company has a high attrition rate. What should you ask the network administrator to do first? (Select the best answer.)A. Review user permissions and access control lists.B. Review group policies.C. Review Performance logs.D. Review the Application log.

A. The first thing administrators should do when they notice that the company has a high attrition rate (high turnover of employees) is to conduct a thorough review of user permissions, rights, and access control lists. A re- view of group policies might also be necessary but is not as imperative. Per- formance logs and the Application log will probably not pertain to the fact that the company has a lot of employees being hired and leaving the company.

Which of the following would you make use of when performing a quali- tative risk analysis?A. JudgmentB. Asset valueC. Threat frequencyD. SLE

A. When performing a qualitative risk analysis, a person often uses his own judgment. Asset value, threat frequency, and SLE (single loss expectan- cy) are all components of a quantitative risk analysis.

Which of the following best describes the proper method and reason to implement port security? A. Apply a security control that ties specific ports to end-device MAC ad- dresses, and prevents additional devices from being connected to the network. B. Apply a security control that ties specific ports to end-device IP address- es, and prevents additional devices from being connected to the network. C. Apply a security control that ties specific ports to end-device MAC ad- dresses, and prevents all devices from being connected to the network. D. Apply a security control that ties specific ports to end-device IP address- es, and prevents all devices from being connected to the network.

A. You can achieve port security by applying a security control (such as 802.1X), which ties specific physical ports to end-device MAC addresses and prevents additional devices from being connected to the network. Note that port security solutions such as 802.1X are data link layer technologies (layer 2) so they deal with MAC addresses, not IP addresses. You wouldn't want to exclude all devices from being connected to the network as this would cause a severe problem with connectivity.

What are two ways to secure a Microsoft-based web browser? (Select the two best answers.)A. Set the Internet zone's security level to High.B. Disable the pop-up blocker.C. Disable ActiveX controls.D. Add malicious sites to the Trusted Sites zone.

AC. A and C. By increasing the Internet zone security level to High, you employ the maximum safeguards for that zone. ActiveX controls can be used for malicious purposes; disabling them makes it so that they do not show up in the browser. Disabling a pop-up blocker and adding malicious sites to the Trusted Sites zone would make a Microsoft-based web browser (such as In- ternet Explorer) less secure.

ADUC stands for

Active Di- rectory Users and Computers (ADUC)

In a Microsoft domain, users are added in

Active Di- rectory Users and Computers (ADUC)

Many add-ons are

ActiveX con- trols, and ActiveX could also be turned off altogether in the advanced set- tings of the web browser. Depending on the add-on and the situation, other ways to fix the problem include updating Flash and upgrading the browser. ActiveX controls are small program building blocks used to allow a web browser to execute a program. They are similar to Java applets; however, Java applets can run on any platform, whereas ActiveX can run only on In- ternet Explorer (and Windows operating systems). You can see how a down- loadable, executable ActiveX control or Java applet from a suspect website could possibly contain viruses, spyware, or worse. These are known as mali- cious add-ons—Flash scripts especially can be a security threat. Generally, you can disable undesirable scripts from either the advanced settings or by creating a custom security level or zone. If a particular script technology can- not be disabled within the browser, consider using a different browser, or a content filtering solution.

General Browser Security Procedures: Secure Against Malicious Code: Depending on your company's policies and procedures, you might need to configure a higher level of security concerning (4)

ActiveX controls, Java, Java- Script, Flash media, phishing, and much more. We discuss these more as we progress through the chapter.

BitLocker software is based on the __(protocol) and can use __(key size)

Advanced Encryption Standard (AES); 128-bit and 256-bit keys.

Net- work mapping is the study of physical and logical connectivity of net- works. One example of automated network mapping software is the Network Topology Mapper by SolarWinds. This product can map elements on layers 1 through 3 of the OSI model, giving you a thorough representation of what is on the network. This type of network scan is not for the "weak of band- width." It should be attempted only during off-hours (if there is such a thing nowadays), if possible; otherwise, when the network is at its lowest point of usage. Most network mapping programs show routers, layer 3 switches, client computers, servers, and virtual machines. You can usually export the mapped contents directly to Microsoft Visio, a handy time-saver. Plenty of other free and pay versions of network mapping software are avail- able. A quick Internet search displays a list. Try out different programs, get to know them, and decide what works best for your infrastructure. Wireless networks can be surveyed in a similar fashion. Applications such as __ can map out the wireless clients on your network, and apps such as __ can locate the available WAPs. Both can output the informa- tion as you want to aid in your network documentation efforts.

Air-Magnet; NetStumbler

What key combination should be used to close a pop-up window?

Alt+F4

Description of authentication type: LDAP

An application layer protocol used for accessing and modifying directory services data. It is part of the TCP/IP suite. Originally used in WAN connec- tions, it has morphed into a protocol commonly used by services such as Microsoft Active Directory.

Description of authentication type: Kerberos

An authentication protocol designed at MIT that enables computers to prove their identity to each other in a secure manner. It is used most often in a client-server environment; the client and the server both verify each other's identity.

Description of authentication type: CHAP

An authentication scheme used by the Point-to- Point Protocol (PPP) that is the standard for dial- up connections. It utilizes a challenge-response mechanism with one-way encryption. Derivatives include MS-CHAP and MS-CHAPv2.

Describe Arbitrary Code Execution/Remote Code Execution

Arbitrary code execution is when an attacker obtains control of a target com- puter through some sort of vulnerability, thus gaining the power to execute commands on that remote computer at will. Programs that are designed to exploit software bugs or other vulnerabilities are often called arbitrary code execution exploits. These types of exploits inject "shellcode" to allow the at- tacker to run arbitrary commands on the remote computer. This type of at- tack is also known as remote code execution (RCE) and can potentially allow the attacker to take full control of the remote computer and turn it into a zombie. RCE commands can be sent to the target computer using the URL of a browser, or by using the Netcat service, among other methods. To defend against this, applications should be updated, or if the application is being de- veloped by your organization, it should be checked with fuzz testing and strong input validation (client side and server side) as part of the testing stage of the SDLC. If you have PHP running on a web server, it can be set to disable remote execution of configurations. A web server (or other server) can also be configured to block access from specific hosts.

Some other very important security principles that should be incorporated into the SDLC include: Fail securely:

At times, applications will fail. How they fail determines their security. Failure exceptions might show the programming language that was used to build the application, or worse, lead to access holes. Error handling/exception handling code should be checked thoroughly so that a malicious user can't find out any additional information about the system. These error-handling methods are sometimes referred to technically as pseudocodes. For example, to handle a program exception, a properly writ- ten pseudocode will basically state (in spoken English): "If a program mod- ule crashes, then restart the program module."

What are the two ways in which you can stop employees from using USB flash drives? (Select the two best answers.) A. Utilize RBAC.B. Disable USB devices in the BIOS.C. Disable the USB root hub.D. Enable MAC filtering.

B and C. By disabling all USB devices in the BIOS, a user cannot use his flash drive. Also, the user cannot use the device if you disable the USB root hub within the operating system. RBAC, which stands for role-based ac- cess control, defines access to networks by the person's role in the organiza- tion (we will cover this more later in the book). MAC filtering is a method of filtering out computers when they attempt to access the network (using the MAC addresses of those computers).

Carl is the security administrator for a transportation company. Which of the following should he encrypt to protect the data on a smartphone? (Se- lect the two best answers.) A. Public keysB. Internal memoryC. Master boot record (MBR)D. Steganographic imagesE. Removable memory cards

B and E. When encrypting a smartphone, the security administrator should encrypt internal memory and any long-term storage such as remov- able media cards. The admin must remember that data can be stored on both. Public keys are already encrypted; it is part of their inherent nature. Smartphones don't necessarily use an MBR the way Windows computers do, but regardless, if the internal memory has been encrypted, any boot sector should be secured. Images based on steganography, by their very nature, are encrypted through obfuscation. It is different from typical data encryption, but it's a type of cryptography nonetheless.

In the DAC model, how are permissions identified? A. Role membership.B. Access control lists.C. They are predefined. D. It is automatic.

B.

Which of the following can enable you to find all the open ports on an en- tire network?A. Protocol analyzerB. Network scannerC. FirewallD. Performance monitor

B. A network scanner is a port scanner used to find open ports on multi- ple computers on the network. A protocol analyzer is used to delve into pack- ets. A firewall protects a network, and a performance monitor is used to cre- ate baselines for and monitor a computer.

An example of a program that does comparative analysis is what? A. Protocol analyzerB. Password crackerC. Port scannerD. Event Viewer

B. A password cracker is considered to be a program that does compara- tive analysis. It systematically guesses the password and compares all previ- ous guesses before making new ones until it cracks the password.

An organization hires you to test an application that you have limited knowledge of. You are given a login to the application but do not have access to source code. What type of test are you running? A. White-boxB. Gray-boxC. Black-boxD. SDLC

B. B. A gray-box test is when you are given limited information about the system you are testing. Black-box testers are not given logins, source code, or anything else, though they may know the functionality of the system. White- box testers are given logins, source code, documentation, and more. SDLC stands for software development life cycle, of which these types of tests are just a part.

To mitigate risks when users access company e-mail with their smart- phone, what security policy should be implemented? A. Data connection capabilities should be disabled.B. A password should be set on the smartphone.C. Smartphone data should be encrypted.D. Smartphones should be only for company use.

B. B. A password should be set on the phone, and the phone should lock after a set period of time. When the user wants to use the phone again, the user should be prompted for a password. Disabling the data connection alto- gether would make access to e-mail impossible on the smartphone. Smart- phone encryption of data is possible, but it could use a lot of processing pow- er that may make it unfeasible. Whether the smartphone is used only for company use is up to the policies of the company.

Which of the following attacks uses a JavaScript image tag in an e-mail? A. SQL injectionB. Cross-site scriptingC. Cross-site request forgeryD. Directory traversalE. Null pointer dereference

B. B. Cross-site scripting (XSS) can be initiated on web forms or through e- mail. It often uses JavaScript to accomplish its means. SQL injection is when code (SQL based) is inserted into forms or databases. Cross-site request forgery (XSRF) is when a user's browser sends unauthorized commands to a website, without the user's consent. Directory traversal is when an attacker attempts to gain access to higher directories in an OS. A null pointer derefer- ence is a memory dereference that can result in a memory fault error.

As part of your user awareness training, you recommend that users re- move which of the following when they finish accessing the Internet? A. Instant messagingB. CookiesC. Group policiesD. Temporary files

B. B. The best answer is cookies, which can be used for authentication and session tracking and can be read as plain text. They can be used by spy- ware and can track people without their permission. It is also wise to delete temporary Internet files as opposed to temporary files.

You are in charge of training a group of technicians on the authentica- tion method their organization uses. The organization currently runs an Ac- tive Directory infrastructure. Which of the following best correlates to the host authentication protocol used within that organization's IT environment? A. TACACS+B. KerberosC. LDAPD. 802.1X

B. If the organization runs Active Directory, that means it has a Win- dows Server that is acting as a domain controller. These use the Kerberos au- thentication system by default. TACACS+ is an example of a remote authen- tication system, but is owned by Cisco, and is not a part of Active Directory. LDAP is the protocol in Windows that controls Active Directory objects, and works in conjunction with Kerberos, but is not the actual authentication method used. 802.1X is an authentication method used by network adapters on the data link layer.

What is the most secure method of authentication and authorization in its default form?A. TACACSB. KerberosC. RADIUS D. LDAP

B. Kerberos is the most secure method of authentication listed. It has a more complicated system of authentication than TACACS (which is outdat- ed) and RADIUS (which is used in different scenarios than Kerberos). LDAP deals with directories (for example, the ones on a Microsoft domain con- troller), which Kerberos first needs to give access to.

Why should penetration testing only be done during controlled conditions?A. Because vulnerability scanners can cause network flooding. B. Because penetration testing actively tests security controls and can cause system instability. C. Because white-box penetration testing cannot find zero-day attacks.D. Because penetration testing passively tests security controls and can cause system instability.

B. Penetration testing is an active test that seeks to exploit one vulnera- bility. It can indeed cause system instability, so it should be run only during controlled conditions and with express consent of the system owner. Vulner- ability scanners are usually passive and should not cause network flooding. Zero-day attacks are based on vulnerabilities that are unknown to the system designer. In a white-box testing environment, zero-day vulnerabilities may become uncovered (at which point they are not quite zero-day anymore), but the fact remains that penetration testing can cause system instability.

Which protocol can be used to secure the e-mail login from an Outlook client using POP3 and SMTP? . SMTPB. SPAC. SAP D. Exchange

B. SPA (Secure Password Authentication) is a Microsoft protocol used to authenticate e-mail clients. S/MIME and PGP can be used to secure the actual e-mail transmissions.

To show risk from a monetary standpoint, which of the following should risk assessments be based upon?A. Survey of loss, potential threats, and asset valueB. Quantitative measurement of risk, impact, and asset valueC. Complete measurement of all threatsD. Qualitative measurement of risk and impact

B. When dealing with dollars, risk assessments should be based upon a quantitative measurement of risk, impact, and asset value.

A security administrator implements access controls based on the secu- rity classification of the data and need-to-know information. Which of the following would best describe this level of access control? A. Least privilegeB. Mandatory access controlC. Role-based access controlD. Implicit deny

B. When you are dealing with access controls based on the classification of data and need-to-know information, you are most likely working with a mandatory access control (MAC) system. Least privilege means the lowest amount of permissions possible. This differs from need-to-know in that a user configured as need-to-know might need to have access to a lot of data, and actually require a good deal of permissions. Role-based access control (RBAC), like MAC, is controlled by the system, but it works with sets of per- missions based on user roles. Implicit deny means that unless otherwise configured, all access to data is denied.

Note: Other related access control models include (3)

Bell-LaPadula, Biba, and Clark-Wilson. Bell-LaPadula is a state machine model used for enforcing access control in government applications. It is a less common multilevel security derivative of mandatory ac- cess control. This model focuses on data confidentiality and controlled access to classified information. The Biba Integrity Model describes rules for the protection of data integrity. Clark- Wilson is another integrity model that provides a foundation for specifying and analyzing an integrity policy for a computing system.

Which of the following is the verification of a person's identity? A. AuthorizationB. AccountabilityC. AuthenticationD. Password

C

On a semi-related note, integer overflows are when arithmetic operations attempt to create a numeric value that is too big for the available memory space. This creates a wrap and can cause resets and undefined behavior in programming languages such as (2)

C and C++

Your data center has highly critical information. Because of this you want to improve upon physical security. The data center already has a video surveillance system. What else can you add to increase physical security? (Select the two best answers.) A. A software-based token systemB. Access control listsC. A mantrapD. Biometrics

C and D. A mantrap is a device made to capture a person. It is usually an area with two doorways, the first of which leads to the outside and locks when the person enters, the second of which leads to the secure area and is locked until the person is granted access. Biometrics can help in the granting of this access by authenticating the user in a secure way, such as thumbprint, retina scan, and so on. Software-based token systems and access control lists are both logical and do not play into physical security.

What are two examples of common single sign-on authentication configu- rations? (Select the two best answers.)A. Biometrics-basedB. Multifactor authenticationC. Kerberos-based D. Smart card-based

C and D. Kerberos and smart card setups are common single sign-on configurations.

What is the main purpose of a physical access log? A. To enable authorized employee accessB. To show who exited the facilityC. To show who entered the facilityD. To prevent unauthorized employee access

C. A physical access log's main purpose is to show who entered the facility and when. Different access control and authentication models will be used to permit or prevent employee access.

Which of the following is the final step a user needs to take before that user can access domain resources?A. VerificationB. ValidationC. Authorization D. Authentication

C. Before a user can gain access to domain resources, the final step is to be authorized to those resources. Previously the user should have provided identification to be authenticated.

Two items are needed before a user can be given access to the network. What are these two items?A. Authentication and authorizationB. Authorization and identificationC. Identification and authenticationD. Password and authentication

C. Before users can be given access to the network, the network needs to identify them and authenticate them. Later, users may be authorized to use particular resources on the network. Part of the authentication scheme may include a username and password. This would be known as an access control method.

Jason needs to add several users to a group. Which of the following will help him to get the job done faster?A. PropagationB. InheritanceC. Template D. Access control lists

C. By using a template, you can add many users to a group at once sim- ply by applying the template to the users. Propagation and inheritance deal with how permissions are exchanged between parent folders and subfolders. Access control lists show who was allowed access to a particular resource.

You check the application log of your web server and see that someone attempted unsuccessfully to enter the text below into an HTML form field. Which attack was attempted?test; etc/passwd A. SQL injectionB. Code injectionC. Command injectionD. Buffer overflow

C. C. In this case a command was entered, and the attacker was attempting to gain access to the password file within the /etc directory. If the attacker tried to inject code, he would not use commands, but rather PHP, ASP, or another language. SQL injections are usually run on databases, not web servers' HTML forms. Buffer overflows have to do with memory and how ap- plications utilize it.

Which of the following should occur first when developing software? A. FuzzingB. Penetration testingC. Secure code reviewD. Patch management

C. C. Of the listed answers, secure code review should happen first in the SDLC. It should be followed by fuzzing and penetration testing, in that or- der. Patch management is a recurring theme until the software meets the end of its life cycle.

Which of the following encompasses application patch management? A. Policy managementB. FuzzingC. Configuration managementD. Virtualization

C. Configuration management encompasses application patch manage- ment and other ways of hardening an OS or application. Policy management is considered separate because it can be used to harden or soften a system; plus, it is best done at a server—affecting many systems at once. Fuzzing (or fuzz testing) is the act of providing random data to a computer program, testing it in an automated fashion. Virtualization is the term used to refer to any virtual computing platform.

How can you train a user to easily determine whether a web page has a valid security certificate? (Select the best answer.)A. Have the user contact the webmaster.B. Have the user check for HTTPS://.C. Have the user click the padlock in the browser and verify the certificate.D. Have the user call the ISP.

C. In general, the user should click the padlock in the browser; this will show the certificate information. Often, the address bar will have different colors as the background; for example, green usually means that the certifi- cate is valid, whereas red or pink indicates a problem. Or, you might have to click the name of the website listed in the address bar just before where it says HTTPS to find out the validity of the certificate. Contacting the web- master and calling the ISP are time-consuming, not easily done, and not something that an end user should do. Although HTTPS:// can tell a person that the browser is now using Hypertext Transfer Protocol Secure, it does not necessarily determine whether the certificate is valid.

Which of the following would most likely be considered for DLP? A. Proxy serverB. Print serverC. USB mass storage deviceD. Application server content

C. Of the answers listed, the USB mass storage device would be the most likely asset to be considered for data loss prevention (DLP). It's the only de- vice listed in the answers that should have any real organizational data! A proxy server temporarily caches such data as HTTP and FTP. A print server forwards printed documents to the correct printer (again the data is usually held temporarily). An application server contains programs, but usually doesn't store organizational data files. It's the devices and computers that store actual company data files that we are primarily concerned with.

Which of the following persons is ultimately in charge of deciding how much residual risk there will be?A. Chief security officerB. Security administratorC. Senior management D. Disaster recovery plan coordinator

C. Residual risk is the risk left over after a security plan and a disaster recovery plan have been implemented. There is always risk, because a com- pany cannot possibly foresee every future event, nor can it secure against every single threat. Senior management as a collective whole is ultimately responsible for deciding how much residual risk there will be in a company's network. No one person should be in charge of this, but it should be decided on as a group. If the group decides that residual risk is too high, the group might decide to get insurance in addition to its security plan. The security administrator is in charge of finding and removing risks to the network and systems and should mitigate risks if possible. The disaster recovery plan (DRP) coordinator usually assesses risks and documents them, along with creating strategies to defend against any disastrous problems that might oc- cur from that risk, but that person does not decide on the amount of accept- able residual risk to a company.

When attempting to grant access to remote users, which protocol uses separate, multiple-challenge responses for each of the authentication, autho- rization, and audit processes? A. RADIUSB. TACACSC. TACACS+D. LDAP

C. TACACS+ is the only answer listed that uses separate processes for authentication, authorization, and auditing. That is one of the main differ- ences between it and RADIUS. TACACS is deprecated and is not often seen in the field. LDAP deals with managing directories of information.

You are consulting for a small organization that relies on employees who work from home and on the road. An attacker has compromised the network by denying remote access to the company using a script. Which of the follow- ing security controls did the attacker exploit? A. Password complexityB. DoSC. Account lockoutD. Password length

C. The attacker most likely exploited the account lockout policy, a secu- rity control originally implemented by the organization. The script modified the policy and caused all of the users to be locked out when they attempted to log in. Password complexity is the level of intricacy of a password; it usu- ally entails using uppercase letters, numerals, and special characters, and is defined by a policy, just as the account lockout threshold is. DoS stands for denial-of-service, an attack that floods a network device (or server) with so much data that the device cannot perform its duties. Password length is the number of characters in a password, also definable by policy.

Which statement best applies to the term Java applet? A. It decreases the usability of web-enabled systems.B. It is a programming language.C. A web browser must have the capability to run Java applets.D. It uses digital signatures for authentication.

C. To run Java applets, a web browser must have that option enabled. Java increases the usability of web-enabled systems, and Java is a program- ming language. It does not use digital signatures for authentication.

The memory leak might happen on its own due to poor programming, or it could be that code resides in the application that is vulnerable, and is later exploited by an attacker who sends specific packets to the system over the network. This type of error is more common in lan- guages such as __ or __ that __, but it could happen in any programming language.

C; C++; have no automatic garbage collection

Detective controls: These controls are used during an event and can find out whether malicious activity is occurring or has occurred. Examples include (4)

CCTV/video surveillance, alarms, NIDSs, and auditing.

RADIUS works within the AAA concept: It is used to authenticate users, au- thorize them to services, and account for the usage of those services. RA- DIUS checks whether the correct authentication scheme such as __ or __ is used when clients attempt to connect.

CHAP; EAP

Older VPNs use either PPTP (port 1723) or L2TP (port 1701) with IPsec. They can also incorporate __ on the client side and __ for authentication. Newer VPNs protect traffic by using SSL or TLS. For exam- ple, OpenVPN uses this type of encryption (https://openvpn.net/). SSL/TLS solutions for VPN improve on endpoint security and enable always-on VPN functionality—where a user can always have access via the VPN with- out the need to periodically disconnect and reconnect.

CHAP; RADIUS servers

Well, we've mapped the network, documented it, scanned for vulnerabilities, scanned ports, and analyzed packets. But wait, let's not forget about pass- words. We've mentioned more than once in this book that weak passwords are the bane of today's operating systems and networks. This could be be- cause no policy for passwords was defined, and people naturally gravitate to- ward weaker, easier-to-remember passwords. Or it could be that a policy was defined but is not complex enough, or is out of date. Whatever the reason, it would be wise to scan computers and other devices for weak passwords with a password cracker, which uses comparative analysis to break passwords and systematically guesses until it cracks the password. And of course, a va- riety of password-cracking programs can help with this. For Windows com- puters, there is the well-documented

Cain & Abel password recovery tool. This program has a bit of a learning curve but is quite powerful. It can be used to crack all kinds of different passwords on the local system or on re- mote devices and computers. It sniffs out other hosts on the network the way a protocol analyzer would. This is an excellent tool to find out whether weak passwords are on the network, or to help if users forget their passwords (when password resets are not possible). Figure 12-4 shows an example of Cain & Abel. You can see hashed passwords (encrypted) that the program has discovered for various accounts on a test computer. From these hashes, the program can attempt to crack the password and deliver the original plaintext version of the password.

Note: In general, access control can be centralized or decentralized. (describe)

Centralized access control means that one entity is responsible for administering access to resources. Decentralized access control means that more than one entity is responsible, and those entities are closer to the actual resources than the entity would be in a centralized access control scenario.

For this, I set up a Windows Server as a domain controller (controlling the domain dpro42.com), created an organizational unit (OU) named Market- ing, and then created a Group Policy object named Marketing-Policy that I added to a Microsoft Management Console (MMC). From that policy, the In- ternet Explorer settings, which can affect all computers within the Marketing OU, can be accessed by navigating to

Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer

More important, policies can be configured for an entire network; for exam- ple, on a Microsoft domain. This would be known as a group policy and there can be more than one. A group policy can affect the entire domain or an indi- vidual organizational unit. The main group policy is known as the Default Domain Policy. Figure 11-9 shows an example of the Default Domain Policy added to an MMC. To access the Password Policy section, you would navi- gate to

Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.

Here are a few more tips when it comes to user accounts, passwords, and logons: Rename and password protect the Administrator account: It's nice that Windows has incorporated a separate Administrator account; the problem is that by default the account has no password. To configure this ac- count, navigate to

Computer Management > System Tools > Local Users and Groups > Users and locate the Administrator account. On a Windows server acting as a domain controller, this would be in ADUC > Domain name > Users. By right-clicking the account, you see a drop-down menu in which you can rename it and/or give it a password. (Just remember the new user- name and password!)

Which type of vulnerability assessments software can check for weak pass- words on the network?A. WiresharkB. Antivirus softwareC. Performance MonitorD. A password cracker

D

Which of the following permits or denies access to resources through the use of ports?A. HubB. 802.11nC. 802.11xD. 802.1X

D. 802.1X permits or denies access to resources through the use of ports. It implements Port-based Network Access Control (PNAC). This is part of the 802.1 group of IEEE protocols. 802.1X should not be confused with 802.11x, which is an informal term used to denote any of the 802.11 standards including 802.11b, 802.11g, 802.11n, and 802.11ac. A hub con- nects computers by way of physical ports but does not permit or deny access to any particular resources; it is a simple physical connector of computers.

Your organization provides employee badges that are encoded with a private encryption key and specific personal information. The encoding is used to provide access to the organization's network. What type of authenti- cation method is being used? A. TokenB. BiometricsC. KerberosD. Smart card

D. A badge encoded with a private encryption key would be an example of a smart card. Tokens are software-based and could be used with a USB flash drive or could be stored on a mobile device. An example of biometrics is a thumbprint scan or retina scan. Kerberos is an authentication technolo- gy used by operating systems such as Windows (often in domain scenarios).

You administer a bulletin board (another name for a forum site) system for a rock and roll band. While reviewing logs for the board, you see one particular IP address posting spam multiple times per day. What is the best way to prevent this type of problem? A. Block the IP address of the user.B. Ban the user.C. Disable ActiveX.D. Implement CAPTCHA.

D. By implementing CAPTCHA, another level of security is added that users have to complete before they can register to and/or post to a bulletin board. Although banning a user or the user's IP address can help to elimi- nate that particular person from spamming the site, the best way is to add another level of security, such as CAPTCHA. This applies to all persons who attempt to attack the bulletin board.

Which security measure should be included when implementing access control?A. Disabling SSID broadcastB. Time-of-day restrictionsC. Changing default passwordsD. Password complexity requirements

D. By implementing password complexity requirements, users will be forced to select and enter complex passwords—for example, eight characters or more, uppercase characters, special characters, and more. Disabling the SSID deals with wireless networks, time-of-day restrictions are applied only after persons log in with their username and password, and changing default passwords should be part of a password policy.

Which authentication method completes the following in order: logon request, encrypts value response, server, challenge, compare encrypted re- sults, and authorize or fail referred to? A. Security tokensB. CertificatesC. KerberosD. CHAP

D. CHAP, the Challenge Handshake Authentication Protocol, authenti- cates a user or a network host to entities like Internet access providers. CHAP periodically verifies the identity of the client by using a three-way handshake; the verification is based on a shared secret. After a link has been established, the authenticator sends a challenge message to the peer; this does not happen in the other three authentication methods listed.

You have analyzed what you expect to be malicious code. The results show that JavaScript is being utilized to send random data to a separate ser- vice on the same computer. What attack has occurred? A. DoSB. SQL injectionC. LDAP injectionD. Buffer overflow

D. D. Buffer overflows can be initiated by sending random data to other services on a computer. While JavaScript is commonly used in XSS attacks, it can also be used to create a buffer overflow. DoS stands for denial-of-ser- vice, which is when a computer sends many packets to a server or other im- portant system in the hope of making that system fail. SQL and LDAP injec- tion do not use JavaScript.

Your organization's servers and applications are being audited. One of the IT auditors tests an application as an authenticated user. Which of the following testing methods is being used? A. White-boxB. Penetration testingC. Black-boxD. Gray-box

D. D. This would be an example of gray-box testing. The IT auditor is not an employee of the company (which is often a requirement for white-box testing) but rather an outside consultant. Being an outside consultant, the IT auditor should not be given confidential details of the system to be tested. However, the auditor was given a real login, so the auditor cannot be em- ploying black-box testing. Penetration testing might be occurring in this sce- nario as well—this is when an auditor, or other security expert, tests servers' network connections for vulnerabilities. But the scenario only states that the auditor is testing an application.

Many third-party programs have security settings disabled by default. What should you as the security administrator do before deploying new software? A. Network penetration testingB. Input validationC. Application whitelistingD. Application hardening

D. D. You should employ application hardening. This means updating the application, configuring strong passwords, applying policies if necessary, and in general, configuring the settings of the application securely.

Which of the following access control models would be found in a firewall?A. Mandatory access controlB. Discretionary access controlC. Role-based access controlD. Rule-based access control

D. Firewalls are most often considered to be based off of the rule-based access control model. This is because you indeed create rules (ACLs) that govern how data is transmitted through the firewall.

Which password management system best provides for a system with a large number of users?A. Locally saved passwords management systemB. Synchronized passwords management systemC. Multiple access methods management systemD. Self-service password reset management system

D. If a network has a large number of users, the administrator should set up a system, and policies to enforce the system, that will allow for users to reset their own passwords. The passwords should be stored centrally, not locally. Also, it would be best if single sign-on were implemented and not a multiple access method.

Which of the following statements regarding the MAC model is true? A. Mandatory access control is a dynamic model.B. Mandatory access control enables an owner to establish access privileges to a resource.C. Mandatory access control is not restrictive.D. Mandatory access control users cannot share resources dynamically.

D. In the MAC (mandatory access control) model, users cannot share re- sources dynamically. MAC is not a dynamic model; it is a static model. Own- ers cannot establish access privileges to a resource; this would be done by the administrator. MAC is indeed very restrictive, as restrictive as the ad- ministrator wants it to be.

Why would a security administrator use a vulnerability scanner? (Select the best answer.)A. To identify remote access policiesB. To analyze protocolsC. To map the networkD. To find open ports on a server

D. The best answer for why a security administrator would use a vulner- ability scanner is to find open ports on a particular computer. Although a vulnerability scanner can do more than scan for open ports, it is the best an- swer listed.

How are permissions defined in the mandatory access control model? A. Access control listsB. User rolesC. Defined by the userD. Predefined access privileges

D. The mandatory access control model uses predefined access privi- leges to define which users have permission to resources. 15. D. To have a secure password scheme, passwords should be ch

Of the following, which best describes the difference between RADIUS and TACACS+?A. RADIUS is a remote access authentication service. B. RADIUS separates authentication, authorization, and auditing capabilities. C. TACACS+ is a remote access authentication service.D. TACACS+ separates authentication, authorization, and auditing capabilities.

D. Unlike RADIUS, TACACS+ separates authentication, authorization, and auditing capabilities.

What is the best action to take when you conduct a corporate vulnerabil- ity assessment?A. Document your scan results for the change control board. ISHED Active Connections Proto Local Address Foreign Address State TCP WorkstationA:1395 8.15.228.165:http ESTABL B. Examine vulnerability data with a network sniffer.C. Update systems.D. Organize data based on severity and asset value.

D. When conducting vulnerability assessments, you should organize the collected data by vulnerability and exploit severity as well as the asset value of the possibly affected equipment/systems. Documenting your scan results for a change control board may come later depending on some decision- making by the corporation. You should have already used a network sniffer to find vulnerabilities and possible exploits. Updating the systems will most likely happen at some point, but for the time being, it should be a recom- mendation within your vulnerability assessment. Management will decide how and if that will occur.

CHAP uses __ and __ encryption types

DES; MD5

Note: Penetration testing can become even more intrusive (active) when it is associated with

DLL injection testing. This is when dy- namic link libraries are forced to run within currently used mem- ory space, influencing the behavior of programs in a way the creator did not intend or anticipate.

Vulnerability of description: A method of accessing unauthorized parent (or worse, root) directories.

Directory traversal

Another way to deny access to applications is to create a policy. For example, on a Windows Server, you can do this in two ways. The first way is to disal- low access to specific applications; this policy is called

Don't Run Specified Windows Applications (a form of application blacklisting). However, the list could be longer than Florida, so another possibility would be to configure the Run Only Specified Windows Applications policy (a form of application whitelisting), as shown in Figure 5-7. This and the previously mentioned pol- icy are adjacent to each other and can be found at the following path in Win- dows Server: Policy (in this case we use the Marketing-Policy again) > User Configuration > Policies > Administrative Templates > System

Types of EAP authentication: PEAP: It competes with

EAP- TTLS and includes legacy password-based protocols.

Following are several types of EAP authentication: (This uses a protected access credential instead of a certifi- cate to achieve mutual authentication. FAST stands for Flexible Authentica- tion via Secure Tunneling.)

EAP-FAST

Following are several types of EAP authentication: (This is a challenge-based authentication providing basic EAP support. It enables only one-way authentication and not mutual authentication.)

EAP-MD5

Following are several types of EAP authentication: (This version uses Transport Layer Security, which is a certifi- cate-based system that does enable mutual authentication. This does not work well in enterprise scenarios because certificates must be configured or managed on the client side and server side.)

EAP-TLS

Following are several types of EAP authentication: (This version is ba- sically the same as TLS except that it is done through an encrypted channel, and it requires only server-side certificates.)

EAP-TTLS

SECURING THE BROWSER: Another important point is whether you will be centrally managing multiple client computers' browsers:

Edge and IE can be centrally managed through the use of Group Policy objects (GPOs) on a domain. I'll show a quick demonstration of this later in the chapter.

Some other very important security principles that should be incorporated into the SDLC include: Minimize the attack surface area:

Every additional feature that a programmer adds to an application increases the size of the attack surface and increases risk. Unnecessary functions should be removed, and necessary functions should require authorization.

802.1X encapsulates the__ over wired or wireless connections.

Extensible Authentication Protocol (EAP)

There are two important points to remember when talking about the DAC model:

First, every object in the system has an owner, and the owner has control over its access policy; and second, access rights, or permissions, can be assigned by the owner to users to specifically control object access.

Another concept similar to cookies is locally shared objects (LSOs), also called

Flash cookies.

Some other very important security principles that should be incorporated into the SDLC include: Provide for authenticity and integrity:

For example, when deploy- ing applications and scripts, use code signing in the form of a cryptographic hash with verifiable checksum for validation. A digital signature will verify the author and/or the version of the code—that is, if the corresponding pri- vate key is secured properly.

An example of MAC can be seen in (operating system)____ and higher. In this OS, access control modules can be installed that allow for security policies that label subjects and objects. The enforcement of the policies is done by administrators or by the OS; this is what makes it mandatory and sets it apart from DAC. Another example is __, a set of kernel modifications to Linux that supports DoD-style mandatory ac- cess controls such as the requirement for trusted computing base (TCB). Though often interpreted differently, TCB can be described as the set of all hardware and software components critical to a system's security and all as- sociated protection mechanisms. The mechanisms must meet a certain stan- dard, and SELinux helps accomplish this by modifying the kernel of the Lin- ux OS in a secure manner.

FreeBSD version 5.0; Security-Enhanced Linux (SELinux)

In Windows, there are two types of permissions. Sharing permissions are ba- sic permissions including (3)___, which are applied to folders only.

Full Control, Change, and Read

Describe Fuzz Testing

Fuzz testing (also known as fuzzing or dynamic analysis) is another smart concept. This is where random data is inputted into a computer program in an attempt to find vulnerabilities. This is often done without knowledge of the source code of the program. The program to be tested is run, has data in- putted to it, and is monitored for exceptions such as crashes. This can be done with applications and operating systems. It is commonly used to check file parsers within applications such as Microsoft Word, and network parsers that are used by protocols such as DHCP. Fuzz testing can uncover full sys- tem failures, memory leaks, and error-handling issues. Fuzzing is usually au- tomated (a program that checks a program) and can be as simple as sending a random set of bits to be inputted to the software. However, designing the inputs that cause the software to fail can be a tricky business, and often a myriad of variations of code needs to be tried to find vulnerabilities. Once the fuzz test is complete, the results are analyzed, the code is reviewed and made stronger, and vulnerabilities that were found are removed. The stronger the fuzz test, the better the chances that the program will not be susceptible to exploits.

Cisco systems use the __ protocol to en- capsulate a lot of different data, namely, routing information that passes be- tween VPN-enabled connected networks that use PPTP or IPsec. __ might also make use of Multiprotocol Label Switching (MPLS), a packet-forward- ing technology that uses labels to make data forwarding decisions. With MPLS, the Layer 3 header analysis is done just once (when the packet enters the MPLS domain). Label inspection drives subsequent packet forwarding. It is a natural evolution for networks that provide predictable IP services.

Generic Routing Encapsulation (GRE)

Prevention methods for these vulnerabilities: Default configuration, Design weaknesses, Resource exhaustion, Improperly con- figured accounts: (3)

Harden systems (see Chapter 4); Proper network design (see Chapter 6); Properly configure and audit permissions (see Chapter 11)

Note: There are other basic port scanners you can use, such as Angry IP Scanner (and plenty of other free port scanners on the Inter- net). Some of these tools can be used as ping scanners, send- ing out

ICMP echoes to find the IP addresses within a particular network segment.

Attribute-based access control (ABAC) is an access model that is dy- namic and context-aware. Access rights are granted to users through the use of multiple policies that can combine various user, group, and resource at- tributes together. It makes use of

IF-THEN statements based on the user and requested resource. For example, if David is a systems administrator,then allow full control access to the \\dataserver\ adminfolder share. If implemented properly, it can be a more flexible solu- tion. As of the writing of this book, many technologies—and organizations— are moving toward a more context-sensitive, context-aware mindset when it comes to authentication and access control.

PF is the command-line- based firewall built into OS X version 10.10 and higher and macOS. Its pre- decessor, __, was available in OS X through 10.9 but was deprecated in 10.7.

IPFW

There are techniques available to unlock a smartphone from its carrier. Users should be advised against this, and a security administrator should create and implement policies that make unlocking the SIM card difficult, if not impossible. Unlocking the phone—making it SIM-free—effectively takes it off the grid and makes it difficult to track and manage. When the SIM is wiped, the

International Mobile Subscriber Identity (IMSI) is lost and after- ward the user cannot be recognized. However, the security administrator can attempt to blacklist the smartphone through its provider using the In- ternational Mobile Equipment Identity (IMEI), electronic serial number (ESN), or Mobile Equipment Identifier (MEID). The ID used will vary de- pending on the type and age of smartphone. Regardless, as a security admin- istrator, you would rather avoid that tactic altogether because the damage has already been done; so, protection of the SIM becomes vital.

We mentioned RADIUS previously in this chapter and in Chapter 9, and said that it could be used in combination with a SOHO router in order to provide strong authentication. Let's define it further: The Remote Authentication Dial-In User Service (RADIUS) provides centralized administration of dial-up, VPN, and wireless authentication and can be used with EAP and 802.1X. To set this up on a Windows Server, the __(service) must be loaded; it is usually set up on a separate physical server. RA- DIUS is a client-server protocol that runs on the application layer of the OSI model.

Internet Authentication Service

Here are a few more tips when it comes to user accounts, passwords, and logons: Rename and password protect the Administrator account:

It's nice that Windows has incorporated a separate Administrator account; the problem is that by default the account has no password. To configure this ac- count, navigate to Computer Management > System Tools > Local Users and Groups > Users and locate the Administrator account. On a Windows server acting as a domain controller, this would be in ADUC > Domain name > Users. By right-clicking the account, you see a drop-down menu in which you can rename it and/or give it a password. (Just remember the new user- name and password!) Now it's great to have this additional Administrator account on the shelf just in case the primary account fails; however, your or- ganization's policy might call for disabling it, which can be done by right- clicking the account and selecting Disable Account. (In older Windows sys- tems, you would access the General tab of the account and select the Account Is Disabled checkbox.) Then, you would use that separate account previously created with administrative rights as your main administrative account. If you need access to the actual Administrator account later, it can be re-en- abled using the methods previously described. Alternatively, open the com- mand-line and type the following: "net user administrator /active:yes" The way that the Administrator account behaves by default depends on the version of Windows. The Linux/Unix counterpart is the root account. The same types of measures should be employed when dealing with this account.

ActiveX controls are small program building blocks used to allow a web browser to execute a program. They are similar to Java applets; however,

Java applets can run on any platform, whereas ActiveX can run only on In- ternet Explorer (and Windows operating systems). You can see how a down- loadable, executable ActiveX control or Java applet from a suspect website could possibly contain viruses, spyware, or worse. These are known as mali- cious add-ons—Flash scripts especially can be a security threat. Generally, you can disable undesirable scripts from either the advanced settings or by creating a custom security level or zone. If a particular script technology can- not be disabled within the browser, consider using a different browser, or a content filtering solution.

ActiveX controls are small program building blocks used to allow a web browser to execute a program. They are similar to

Java applets; however, Java applets can run on any platform, whereas ActiveX can run only on In- ternet Explorer (and Windows operating systems). You can see how a down- loadable, executable ActiveX control or Java applet from a suspect website could possibly contain viruses, spyware, or worse. These are known as mali- cious add-ons—Flash scripts especially can be a security threat. Generally, you can disable undesirable scripts from either the advanced settings or by creating a custom security level or zone. If a particular script technology can- not be disabled within the browser, consider using a different browser, or a content filtering solution.

The XSS attack can be defeated by programmers through the use of output encoding (__(3))

JavaScript escaping, CSS escaping, and URL encoding

Prevention methods for these vulnerabilities: New threats and Zero-day attacks: (2)

Keep abreast of latest CVEs and CWEs (seeChapter 6 and Chapter 5) Plan for unknowns (see Chapter 7)

Single sign-on can be __, __, or __.

Kerberos-based; integrated with Windows authentication; token- or smart card-based

Another concept similar to cookies is locally shared objects (LSOs), also called Flash cookies. These are data that Adobe Flash-based websites store on users' computers, especially for Flash games. The privacy concern is that

LSOs are used by a variety of websites to collect information about users' browsing habits. However, LSOs can be disabled via the Flash Player Set- tings Manager (a.k.a. Local Settings Manager) in most of today's operating systems. LSOs can also be deleted entirely with third-party software, or by accessing the user's profile folder in Windows.

__ is the strictest of the access control models.

MAC

Types of EAP authentication: PEAP: This uses __, which supports au- thentication via__

MS-CHAPv2; Microsoft Active Directory databases.

In Chapter 1 we discussed three basic security controls that are often used to develop a security plan: physical, technical, and adminis- trative. However, there are additional categorical controls as described by the NIST. In short, the three can be described as the following: (Generally, these controls focus on decisions and the management of risk. They also con- centrate on procedures, policies, legal and regulatory, the software develop- ment life cycle (SDLC), the computer security life cycle, information assur- ance, and vulnerability management/scanning. In short, these controls focus on how the security of your data and systems is managed.)

Management controls

The buffer overflow can also be initiated by certain inputs. For example, corrupt- ing the stack with no-operation (no-op, NOP, or NOOP) machine instruc- tions, which when used in large numbers can start a

NOP slide, can ultimate- ly lead to the execution of unwanted arbitrary code, or lead to a denial-of- service (DoS) on the affected computer.

Vulnerability scanning is a technique that identifies threats on your net- work, but does not exploit them. When you are ready to assess the level of vulnerability on the network, it is wise to use a general vulnerability scanner and a port scanner (or two). By scanning all the systems on the network, you determine the attack surface of those systems, and you can gain much in- sight as to the risks that you need to mitigate, and malicious activity that might already be going on underneath your nose. One such vulnerability scanner is called

Nessus. This is one of many exploitation framework tools, but it is a very commonly deployed tool used to perform vulnerability, con- figuration, and compliance assessments. The tool can use a lot of resources, so it is wise to try to perform scans off-hours.

Examples of banner-grabbing ap- plications include (2)

Netcat and Telnet. Aside from the security administrator (and perhaps auditors), no one should be running banner-grabbing tools, or network enumeration tools in general. A good security admin will attempt to sniff out any unpermitted usage of these tools.

OpenID Connect is an interoperable au- thentication protocol based on the __ family of specifications.

OAuth 2.0

Some other very important security principles that should be incorporated into the SDLC include: Fix security issues correctly:

Once found, security vulnerabilities should be thoroughly tested, documented, and understood. Patches should be developed to fix the problem, but not cause other issues or application regression.

Brute-force attack: When every possible password instance is attempt- ed. This is often a last resort due to the amount of CPU resources it might re-quire. It works best on shorter passwords but can theoretically break any password given enough time and CPU power. For example, a four-character, lowercase password with no numbers or symbols could be cracked quickly. But a ten-character, complex password would take much longer; some com- puters will fail to complete the process. Also, you must consider whether the attack is online or offline. (describe)

Online means that a connection has been made to the host, giving the password-cracking program only a short window to break the password. Offline means that there is no connection and that the password-cracking computer knows the target host's password hash and hashing algorithm, giving the cracking computer more (or unlimited) time to make the attempt. Some password-cracking programs are considered hy- brids and make use of dictionary attacks (for passwords with actual words in them) and brute-force attacks (for complex passwords).

The __ is a stan- dard designed to regulate the transfer of secure public information across networks and the Internet utilizing any security tools and services available at the time. It is an international standard but is funded by the U.S. Depart- ment of Homeland Security.

Open Vulnerability and Assessment Language (OVAL)

In Chapter 1 we discussed three basic security controls that are often used to develop a security plan: physical, technical, and adminis- trative. However, there are additional categorical controls as described by the NIST. In short, the three can be described as the following: (These are the controls executed by people. They are designed to increase individual and group system security. They include user awareness and training, fault tolerance and disaster recovery plans, in- cident handling, computer support, baseline configuration development, and environmental security. The people who carry out the specific requirements of these controls must have technical expertise and understand how to im- plement what management desires of them.)

Operational controls

Some other very important security principles that should be incorporated into the SDLC include: Establish secure defaults:

Out-of-the-box offerings should be as se- cure as possible. If possible, user password complexity and password aging default policies should be configured by the programmer, not the user. Per- missions should default to no access and should be granted only as they are needed.

There are several compliance regulations that require the type of file in- tegrity monitoring that a HIDS can provide, including (2)

PCI DSS and NIST 800-53. When selecting a HIDS, make sure it meets the criteria of any com- pliance regulations that your organization must adhere to.

Following are several types of EAP authentication: (This uses MS-CHAPv2, which supports au- thentication via Microsoft Active Directory databases. )

PEAP

Following are several types of EAP authentication: (This uses MS-CHAPv2, which supports au- thentication via Microsoft Active Directory databases. It competes with EAP- TTLS and includes legacy password-based protocols. It creates a TLS tunnel by acquiring a public key infrastructure (PKI) certificate from a server known as a certificate authority (CA). The TLS tunnel protects user authenti- cation much like EAP-TTLS.)

PEAP

__ is the command-line- based firewall built into OS X version 10.10 and higher and macOS.

PF

An example of a SQL database is Microsoft's SQL Server (pronounced "sequel"); it can act as the back end for a program written in Visual Basic or Visual C++. Another example is MySQL, a free, open source relational database often used in conjunction with websites that employ __ pages.

PHP

If an organization has a web page with a __-based contact form, the data entered by the visitor should be checked for errors, or maliciously typed in- put.

PHP

An IEEE standard that defines

Port-based Net- work Access Control (PNAC).

Here are a few more tips when it comes to user accounts, passwords, and logons: Use Ctrl+Alt+Del:

Pressing Ctrl+Alt+Del before the logon adds a layer of security to the logon process by ensuring that users are communicating by means of a trusted path when entering passwords. This can be added in Win- dows 10 by going to Run and typing netplwiz (which opens the User Ac- counts dialog box), then going to the Advanced tab and selecting the check- box for Require Users to Press Ctrl+Alt+Delete. Or, it can be added as a poli- cy on individual Windows computers within the Local Group Policy Editor. It is implemented by default for computers that are members of a domain.

Describe Compile-Time Errors Versus Runtime Errors

Programmers and developers need to test for potential compile-time errors and runtime errors. Compile time refers to the duration of time during which the statements written in any programming language are checked for errors. Compile-time errors might include syntax errors in the code and type-checking errors. A programmer can check these without actually "run- ning" the program, and instead checks it in the compile stage when it is con- verted into machine code. A runtime error is a program error that occurs while the program is run- ning. The term is often used in contrast to other types of program errors, such as syntax errors and compile-time errors. Runtime errors might include running out of memory, invalid memory address access, invalid parameter value, or buffer overflows/dereferencing a null pointer (to name a few), all of which can only be discovered by running the program as a user. Another po- tential runtime error can occur if there is an attempt to divide by zero. These types of errors result in a software exception. Software and hardware excep- tions need to be handled properly. Consequently, structured exception handling (SEH) is a mechanism used to handle both types of exceptions. It enables the programmer to have complete control over how exceptions are handled and provides support for debugging. Code issues and errors that occur in either compile time or run time could lead to vulnerabilities in the software. However, it's the runtime environ- ment that we are more interested in from a security perspective, because that more often is where the attacker will attempt to exploit software and websites.

Prevention methods for these vulnerabilities: System sprawl, End-of-life systems, Vulnerable busi- ness processes: (3)

Proper network auditing (see Chapter 6 and Chapter 13); SDLC (see Chapter 5); Implement secure policies (Chapter 18)

Describe Qualitative risk assessment

Qualitative risk assessment is an assessment that assigns numeric val- ues to the probability of a risk and the impact it can have on the system or network. Unlike its counterpart, quantitative risk assessment, it does not as- sign monetary values to assets or possible losses. It is the easier, quicker, and cheaper way to assess risk but cannot assign asset value or give a total for possible monetary loss. With this method, ranges can be assigned, for example, 1 to 10 or 1 to 100. The higher the number, the higher the probability of risk, or the greater the impact on the system. As a basic example, a computer without antivirus soft- ware that is connected to the Internet will most likely have a high probability of risk; it will also most likely have a great impact on the system. We could assign the number 99 as the probability of risk. We are not sure exactly when it will happen but are 99% sure that it will happen at some point. Next, we could assign the number 90 out of 100 as the impact of the risk. This number implies a heavy impact; probably either the system has crashed or has been rendered unusable at some point. There is a 10% chance that the system will remain usable, but it is unlikely. Finally, we multiply the two numbers to- gether to find out the qualitative risk: 99 × 90 = 8910. That's 8910 out of a possible 10,000, which is a high level of risk. Risk mitigation is when a risk is reduced or eliminated altogether. The way to mitigate risk in this ex- ample would be to install antivirus software and verify that it is configured to auto-update. By assigning these types of qualitative values to various risks, we can make comparisons from one risk to another and get a better idea of what needs to be mitigated and what doesn't. The main issue with this type of risk assessment is that it is difficult to place an exact value on many types of risks. The type of qualitative system varies from organization to organization, even from person to person; it is a com- mon source of debate as well. This makes qualitative risk assessments more descriptive than truly measurable. However, by relying on group surveys, company history, and personal experience, you can get a basic idea of the risk involved.

Risk assessment type with description: (Measures risk by using exact mone- tary values. It attempts to give an ex- pected yearly loss in dollars for any given risk.)

Quantitative risk assessment

There are a few differences between RADIUS and TACACS+. Whereas RA- DIUS uses UDP as its transport layer protocol, TACACS+ uses TCP as its transport layer protocol, which is usually seen as a more reliable transport protocol (though each will have its own unique set of advantages). Also, (3)

RA- DIUS combines the authentication and authorization functions when dealing with users; however, TACACS+ separates these two functions into two sepa- rate operations that introduce another layer of security. It also separates the accounting portion of AAA into its own operation. RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other infor- mation such as the username can be easily captured, without need of decryp- tion, by a third party. However, TACACS+ encrypts the entire body of the ac- cess-request packet. So, effectively TACACS+ encrypts entire client-server dialogues, whereas RADIUS does not. Finally, TACACS+ provides for more types of authentication requests than RADIUS.

Even more important than authenticating local users is authenticating re- mote users. The chances of illegitimate connections increase when you allow remote users to connect to your network. Examples of remote authentication technologies include __(5). Let's dis- cuss these now.

RAS, VPN, RADIUS, TACACS+, and CHAP

Hardware-based security tokens are physical devices given to authorized users to help with authentication. These devices might be attached to a keychain or might be part of a card sys- tem. Hardware-based tokens might be used as part of the door access system or as something that gives access to an individ- ual computer. As one example, __ tokens carry and generate rolling one-time passwords (OTPs), each of which is valid for only one login session or transaction.

RSA

The actual data transmitted in these RAS connections is encrypted as well. By default, Microsoft RAS connections are encrypted by the __ algo- rithm.

RSA RC4

RDP: Third-party applications such as VNC, TeamViewer, and so on can be more secure in this respect because they can use web-based connections via HTTPS on port 443. Out-of-the-box, RDP is generally limited to SSL (TLS 1.0) with a 128-bit key based on the RC4 algorithm (which is considered crackable, though difficult to do so). However, RDP can also comply with Federal Information Processing Standard (FIPS) 140 encryption methods, but additional hardware and software modules are required, which might in- cur an unacceptable expense. On the other hand, third-party remote control applications such as the ones mentioned earlier will often use __ encryp- tion for the HTTPS connection, and the __ (protocol) with up to __(#)-bit keys for session security.

RSA; Advanced Encryption Standard (AES); 256

Describe Remote Access Service (RAS)

Remote Access Service (RAS) began as a service that enabled dial-up connections from remote clients. Nowadays, more and more remote connec- tions are made with high-speed Internet technologies such as cable Internet, DSL, and fiber-optic connections. But we can't discount the dial-up connec- tion. It is used in certain areas where other Internet connections are not available, and is still used as a fail-safe in many network operation centers and server rooms to take control of networking equipment. One of the best things you can do to secure a RAS server is to deny access to individuals who don't require it. Even if the user or user group is set to "not configured," it is wise to specifically deny them access. Allow access to only those users who need it, and monitor on a daily basis the logs that list who connected. If there are any unknowns, investigate immediately. Be sure to update the permissions list often in the case that a remote user is terminated or otherwise leaves the organization. The next most important security precaution is to set up RAS authentication. One secure way is to use the Challenge-Handshake Authentication Protocol (CHAP), which is an authentication scheme used by the Point-to- Point Protocol (PPP), which in turn is the standard for dial-up connections. It uses a challenge-response mechanism with one-way encryption. Due to this, it is not capable of mutual authentication in the way that Kerberos is, for example. CHAP uses DES and MD5 encryption types, which we cover in Chapter 14. Microsoft developed its own version of CHAP known as MS- CHAP; an example of this is shown in Figure 10-5. The figure shows the Ad- vanced Security Settings dialog box of a dial-up connection. Notice that this particular configuration shows that encryption is required, and that the only protocol allowed is MS-CHAPv2. It's important to use version 2 of MS-CHAP because it provides for mutual authentication between the client and the au- thenticator. Of course, the RAS server has to be configured to accept MS- CHAP connections as well. You also have the option to enable EAP for the dial-up connection. Other RAS authentication protocols include SPAP, which is of lesser security, and PAP, which sends usernames and passwords in clear text—obviously insecure and to be avoided.

Vulnerability of description: When an attacker obtains control of a target com- puter through some sort of vulnerability, gaining the power to execute commands on that remote computer.

Remote code execution (RCE)

Describe Role-based access control (RBAC)

Role-based access control (RBAC) is an access model that, like MAC, is controlled by the system, and, unlike DAC, not by the owner of a resource. However, RBAC is different from MAC in the way that permissions are con- figured. RBAC works with sets of permissions, instead of individual permis- sions that are label-based. A set of permissions constitutes a role. When users are assigned to roles, they can then gain access to resources. A role might be the ability to complete a specific operation in an organization as opposed to accessing a single data file. For example, a person in a bank who wants to check a prospective client's credit score would be attempting to per- form a transaction that is allowed only if that person holds the proper role. So roles are created for various job functions in an organization. Roles might have overlapping privileges and responsibilities. Also, some general opera- tions can be completed by all the employees of an organization. Because there is overlap, an administrator can develop role hierarchies; these define roles that can contain other roles, or have exclusive attributes. Think about it. Did you ever notice that an administrator or root user is ex- tremely powerful? Perhaps too powerful? And standard users are often not powerful enough to respond to their own needs or fix their own problems? Some operating systems counter this problem by creating mid-level accounts such as Power Users (Microsoft) or Operators (Solaris), but for large organi- zations, this is not flexible enough. Currently, more levels of roles and spe- cial groups of users are implemented in newer operating systems. RBAC is used in database access as well and is becoming more common in the health- care industry and government.

Shibboleth is also based on __.

SAML

Other examples of code injection include (3)

SQL injection, XML injection, and LDAP injection.

Older VPNs use either PPTP (port 1723) or L2TP (port 1701) with IPsec. They can also incorporate CHAP on the client side and RADIUS servers for authentication. Newer VPNs protect traffic by using

SSL or TLS. For exam- ple, OpenVPN uses this type of encryption (https://openvpn.net/). SSL/TLS solutions for VPN improve on endpoint security and enable always-on VPN functionality—where a user can always have access via the VPN with- out the need to periodically disconnect and reconnect.

Prevention method for these vulnerabilities: Improper input handling, Improper error handling, and Memory vulnerabilities:

Secure coding, SDLC

__ is the number one way to stop intruders from getting into the building or server room.

Secure door ac- cess

In Windows, there are two types of permissions (describe) :

Sharing permissions are ba- sic permissions including Full Control, Change, and Read, which are applied to folders only. These are often ignored in favor of the more powerful (and superseding) NTFS permissions, also called security permissions, which can secure folders and individual files. In a standard Windows folder on a domain, the types of NTFS permissions include the following: -Full Control -Modify -Read & Execute -List Folder Contents -Read -Write

SSO is a derivative of federated identity management (also called FIM or FIdM). This is when a user's identity, as well as the user's attributes, is shared across multiple identity management systems. These various systems can be owned by one organization; for example, Microsoft offers the Fore- front Identity Manager software, which can control user accounts across lo- cal and cloud environments. Also, Google, Yahoo!, and Amazon are exam- ples of companies that utilize this federation approach. But, some providers join forces so that information can be shared across multiple services and environments between the companies, yet still allow the user a single login. __ is an example of an SSO system that allows people to sign in with a single digital identity and connect to various systems run by federations of different organizations.

Shibboleth

__ is also based on SAML.

Shibboleth

__ and __ are data struc- tures that can be affected by buffer overflows.

Stacks; heaps

Describe Static and Dynamic Code Analysis

Static code analysis is a type of debugging that is carried out by examining the code without executing the program. This can be done by scrutinizing code visually, or with the aid of specific automated tools—static code analyz- ers—based on the language being used. Static code analysis can help to re- veal major issues with code that could even lead to disasters. While this is an important phase of testing, it should always be followed by some type of dy- namic analysis—for example, fuzz testing. This is when the program is actu- ally executed while it is being tested. It is meant to locate minor defects in code and vulnerabilities. The combination of static and dynamic analysis by an organization is sometimes referred to as glass-box testing, which is anoth- er name for white-box testing.

Vulnerability management is the practice of finding and mitigating soft- ware vulnerabilities in computers and networks. It consists of analyzing net- work documentation, testing computers and networks with a variety of secu- rity tools, mitigating vulnerabilities, and periodically monitoring for effects and changes. Vulnerability management can be broken down into five steps: (describe)

Step 1. Define the desired state of security: An organization might have written policies defining the desired state of security, or you as the se- curity administrator might have to create those policies. These policies in- clude access control rules, device configurations, network configurations, network documentation, and so on. Step 2. Create baselines: After the desired state of security is defined, baselines should be taken to assess the current security state of computers, servers, network devices, and the network in general. These baselines are known as vulnerability assessments. The baselines should find as many vulnerabilities as possible utilizing vulnerability scans and other scanning and auditing methods. These baselines will be known as premitigation base- lines and should be saved for later comparison. Step 3. Prioritize vulnerabilities: Which vulnerabilities should take precedence? For example, the e-commerce web server we talked about earli- er should definitely have a higher priority than a single client computer that does not have antivirus software installed. Prioritize all the vulnerabilities; this creates a list of items that need to be mitigated in order. Step 4. Mitigate vulnerabilities: Go through the prioritized list and miti- gate as many of the vulnerabilities as possible. This depends on the level of acceptable risk your organization allows. Mitigation techniques might in- clude secure code review, and a review of system and application architec- ture and system design. Step 5. Monitor the environment: When you finish mitigation, monitor the environment and compare the results to the original baseline. Use the new results as the post-mitigation baseline to be compared against future analyses. (Consider tools that can perform automated baseline reporting.) Because new vulnerabilities are always being discovered, and because com- pany policies may change over time, you should periodically monitor the en- vironment and compare your results to the post-mitigation baseline. Do this anytime policies change or the environment changes. Be careful to monitor for false positives—when a test reports a vulnerability as present when in fact there is none—they can be real time-wasters. If possible, use templates, scripts, and built-in system functionality to automate your monitoring ef- forts and employ continuous monitoring and configuration validation. All of these things will help to reduce risk.

Risk assessment is the attempt to determine the amount of threats or haz- ards that could possibly occur in a given amount of time to your computers and networks. When you assess risks, they are often recognized threats—but risk assessment can also take into account new types of threats that might occur. When risk has been assessed, it can be mitigated up until the point in which the organization will accept any additional risk. Generally, risk assess- ments follow a particular order, for example: (4 steps)

Step 1. Identify the organization's assets. Step 2. Identify vulnerabilities .Step 3. Identify threats and threat likelihood. Step 4. Identify potential monetary impact. The fourth step is also known as impact assessment. This is when you deter- mine the potential monetary costs related to a threat.

The typical 802.1X authentication procedure has four steps:

Step 1. Initialization: If a switch or wireless access point detects a new supplicant, the port connection enables port 802.1X traffic; other types of traffic are dropped. Step 2. Initiation: The authenticator (switch or wireless access point) pe- riodically sends EAP requests to a MAC address on the network. The suppli- cant listens for this address and sends an EAP response that might include a user ID or other similar information. The authenticator encapsulates this re- sponse and sends it to the authentication server. Step 3. Negotiation: The authentication server then sends a reply to the authenticator. The authentication server specifies which EAP method to use. (These are listed next.) Then the authenticator transmits that request to the supplicant. Step 4. Authentication: If the supplicant and the authentication server agree on an EAP method, the two transmit until there is either success or failure to authenticate the supplicant computer.

In the appropriate Windows version/edition, BitLocker security settings can be accessed via the following steps: (3)

Step 1. Navigate to the Run prompt.Step 2. Type gpedit.msc and press Enter. Step 3. In the Group Policy Editor window, navigate to Computer Configu- ration > Administrative Templates > Windows Components > BitLocker Drive Encryption.

Types of EAP authentication: PEAP: This uses MS-CHAPv2, which supports au- thentication via Microsoft Active Directory databases. It competes with EAP- TTLS and includes legacy password-based protocols. It creates a __ by __

TLS tunnel; acquiring a public key infrastructure (PKI) certificate from a server known as a certificate authority (CA). The TLS tunnel protects user authenti- cation much like EAP-TTLS.

Corrective controls: These controls are used after an event. They limit the extent of damage and help the company recover from damage quickly. __, __, and other fault tolerance and disaster recovery meth- ods are also included here. These are sometimes referred to as compensating controls.

Tape backup; hot sites

In Chapter 1 we discussed three basic security controls that are often used to develop a security plan: physical, technical, and adminis- trative. However, there are additional categorical controls as described by the NIST. In short, the three can be described as the following: (These are the logical controls executed by the com- puter system. They include authentication, access control, au- diting, and cryptography. The configuration and workings of firewalls, ses- sion locks, RADIUS servers, or RAID 5 arrays would be within this category, as well as concepts such as least privilege implementation.)

Technical controls

Note: Remote Desktop Services is still often referred to as its original name, __

Terminal Services. (In fact, the underlying service name is actually still called "TermService.")

Describe OVAL

The Open Vulnerability and Assessment Language (OVAL) is a stan- dard designed to regulate the transfer of secure public information across networks and the Internet utilizing any security tools and services available at the time. It is an international standard but is funded by the U.S. Depart- ment of Homeland Security. A worldwide OVAL community contributes to the standard, storing OVAL content in several locations, such as the MITRE Corporation (http://oval.mitre.org/ (http://oval.mitre.org/)). OVAL can be de- fined in two parts: the OVAL Language and the OVAL Interpreter.

Of the following, which is not a logical method of access control? A. Username/passwordB. Access control listsC. BiometricsD. Software-based policy

The only answer that is not a logical method of access control is bio- metrics. Biometrics deals with the physical attributes of a person and is the most tangible of the answers.

Stacks and heaps are data struc- tures that can be affected by buffer overflows. (describe)

The stack is a key data struc- ture necessary for the exchange of data between procedures. The heap con- tains data items whose size can be altered during execution. Value types are stored in a stack, whereas reference types are stored in a heap. An ethical coder will try to keep these running efficiently. An unethical coder wanting to create a program vulnerability could, for example, omit input validation, which could allow a buffer overflow to affect heaps and stacks, which in turn could adversely affect the application or the operating system in question.

Describe Management controls:

These are techniques and concerns addressed by an organization's management (managers and executives). Generally, these controls focus on decisions and the management of risk. They also con- centrate on procedures, policies, legal and regulatory, the software develop- ment life cycle (SDLC), the computer security life cycle, information assur- ance, and vulnerability management/scanning. In short, these controls focus on how the security of your data and systems is managed.

Describe Operational controls:

These are the controls executed by people. They are designed to increase individual and group system security. They include user awareness and training, fault tolerance and disaster recovery plans, in- cident handling, computer support, baseline configuration development, and environmental security. The people who carry out the specific requirements of these controls must have technical expertise and understand how to im- plement what management desires of them.

In Chapter 1 we discussed three basic security controls that are often used to develop a security plan: physical, technical, and adminis- trative. However, there are additional categorical controls as described by the NIST. In short, the three can be described as the following: Describe Technical controls:

These are the logical controls executed by the com- puter system. Technical controls include authentication, access control, au- diting, and cryptography. The configuration and workings of firewalls, ses- sion locks, RADIUS servers, or RAID 5 arrays would be within this category, as well as concepts such as least privilege implementation.

Another great tool is the previous logon notification. (describe)

This can be configured in a policy and shows the user the last time the account logged in successful- ly—generally during the logon process. If users suspect that their account was compromised, they could check the previous logon notification and compare that with when they remember logging in.

Describe EAP-MD5:

This is a challenge-based authentication providing basic EAP support. It enables only one-way authentication and not mutual authentication.

__ cookies are used by spyware to collect information about a web user's activities.

Tracking

Typical users shouldn't have access to any applications other than the ones they specifically need. For instance, would you want a typical user to have full control over the Command Prompt or PowerShell in Windows? The an- swer is: Doubtful. Protective measures should be put into place to make sure the typical user does not have access. One way to do this is to use User Account Control (UAC) on qualifying Windows operating systems. (describe)

UAC is a security component of Windows Vista and newer, and Windows Server 2008 and newer. It keeps every user (be- sides the actual Administrator account) in standard user mode instead of as an administrator with full administrative rights—even if the person is a member of the administrators group. It is meant to prevent unauthorized ac- cess and avoid user error in the form of accidental changes. A user attempt- ing to execute commands in the Command Prompt and PowerShell will be blocked and will be asked for credentials before continuing. This applies to other applications within Windows as well.

There are lots of providers of fingerprint scanners (also called fingerprint readers) for desk- tops and laptops also; these fingerprint recognition systems are usually __- based.

USB

USB flash drives can easily be considered inherently insecure devices. It's the nature of the beast, so to speak. As such, a security administrator needs to implement removable media controls governing the usage of USB sticks and other removable media. These should include but are not limited to: (6)

USB lockdown in the BIOS and OS; limited use of USB devices; scanning of media devices for malware; encryption of data; monitoring of connected systems; and auditing of removable media. In addition, the reuse and dis- posal of removable media should be carefully managed—destruction of me- dia might be necessary. Finally, a security administrator should be instru- mental in writing policies for the company that dictate how these controls are implemented and educate users about these policies and maintain their awareness over time.

Moving on, the Terminal Access Controller Access-Control System (TACACS) is one of the most confusing-sounding acronyms ever. Now that we have reached the pinnacle of computer acronyms, let's really discuss what it is. TACACS is another remote authentication protocol that was used more often in

Unix networks. In Unix, the TACACS service is known as the TACACS daemon. The newer and more commonly used implementation of TACACS is called Terminal Access Controller Access-Control System Plus (TACACS+). It is not backward compatible with TACACS. TACACS+, and its predecessor XTACACS, were developed by Cisco. TACACS+ uses in- bound port 49 like its forerunners; however, it uses TCP as the transport mechanism instead of UDP. Let's clarify: the older TACACS and XTACACS technologies are not commonly seen anymore. The two common protocols for remote authentication used today are RADIUS and TACACS+.

Prevention methods for these vulnerabilities: Weak ciphers and Improper certificates: (2)

Upgrade encryption (see Chapter 14 and Chapter 9); Review certificates, use a CRL (see Chapter 15)

Countermeasure(s) for mobile device security topic: SIM cloning

Use V2 and newer cards with strong encryption algorithms

General Browser Security Procedures: Implement Policies: The policy could be hand-written, configured at the browser, implemented within the computer operating system, or better yet, configured on a server centrally. Policies can be configured to manage add-ons, and disallow access to websites known to be malicious, have Flash content, or use a lot of band- width. As an example, Figure 5-1 shows the Local Group Policy of a Windows 10 computer focusing on the settings of the two Microsoft browsers. You can open the Local Group Policy Editor by going to Run and typing gpedit.msc. Then navigate to

User Configuration > Administrative Templates > Windows Components. From there, depending on which browser you want to modify security set- tings for, you can access Internet Explorer (especially the Security Features subsection) or Microsoft Edge.

Password recovery (or cracking) can be done in several different ways: Cryptanalysis attack:

Uses a considerable set of precalculated encrypt- ed passwords located in a lookup table. These tables are known as rainbow tables, and the type of password attack is also known as precomputation, where all words in the dictionary (or a specific set of possible passwords) are hashed and stored. This is done in an attempt to recover passwords quicker. It is used with the ophcrack and RainbowCrack applications. This attack can be defeated by implementing salting, which is the randomization of the hashing process.

You don't have to use a server for incoming VPN sessions. Hardware appli- ances are offered by several vendors. Larger organizations that need hun- dreds of simultaneous connections should opt for a

VPN concentrator as their solution. Or, it might be part of your unified threat management (UTM) solution.

Although 802.1X is often used for port-based network access control on the LAN, especially VLANs, it can also be used with

VPNs as a way of remote au- thentication. Central connecting devices such as switches and wireless access points remain the same, but on the client side 802.1X would need to be con- figured on a VPN adapter, instead of a network adapter.

The worst attack that can be perpetuated on a smartphone or tablet is theft. The theft of a mobile device means the possible loss of important data and personal information. There are a few ways to protect against this loss of data, and recover from the theft of a mobile device if it does happen. First, mobile devices in an organization should utilize data encryption. The stronger the encryption, the more difficult it is for a thief to decode and use the data on the device. If at all possible, use full device encryption, similar to Windows BitLocker. The actual conversations on phones can also be en- crypted. __ can protect the confidentiality of spoken conversa- tions and can be implemented with a special microSD chip (preferably) or with software.

Voice encryption

It's important to note that when logging on to a Microsoft network, the logon process is secured by the Kerberos protocol, which is run by the domain con- troller. This adds a layer of protection for the username and password as they are authenticated across the network. When users take a break or go to lunch, they should lock the computer. This can be done by pressing

Win- dows+L. ats starting from scratch!

Two web application vulnerabilities to watch out for include cross-site scripting (XSS) and cross-site request forgery (XSRF). __ are vulnerabilities that can be exploited with a type of code injec- tion.

XSS holes

Network intrusion detection system (NIDS): the disadvantage (compared to host based) is that

a NIDS cannot moni- tor for things that happen within an operating system.

Figure 10-6 illustrates a single computer connecting to a VPN server at an office, which is typical and is known as VPN remote access. However, organi- zations sometimes need to connect multiple offices to each other. This is done with a site-to-site configuration, where each site has

a VPN device (SOHO router, concentrator, or server) that takes care of VPN connections for each network of computers. Site-to-site VPNs are generally more secure because an admin can specify that only specific networks can connect—and can do it in a private intranet fashion. If a company is growing, site-to-site is the way to go, whether the company is flourishing geographically or is simply inhabiting a separate space of the same building. When separate networks are connected in the same building, it is often wise to use a VPN, because the physical wiring might pass through a public area.

Mandatory access control (MAC) is an access control policy determined by

a computer system, not by a user or owner, as it is in DAC. Permissions are predefined in the MAC model. Historically, it has been used in highly classified government and military multilevel systems, but you will find less- er implementations of it in today's more common operating systems as well. The MAC model defines sensitivity labels that are assigned to subjects(users) and objects (files, folders, hardware devices, network connections, and so on). A subject's label dictates its security level, or level of trust. An ob- ject's label dictates what level of clearance is needed to access it, also known as a trust level (this is also known as data labeling). The access controls in a MAC system are based on the security classification of the data and "need- to-know" information—where a user can access only what the system consid- ers absolutely necessary. Also, in the MAC model, data import and export are controlled. MAC is the strictest of the access control models.

After the risk transference, risk avoidance, and risk reduction techniques have been implemented, an organization is left with a certain amount ofresidual risk—the risk left over after

a detailed security plan and disaster recovery plan have been implemented. There is always risk, as a company cannot possibly foresee every future event, nor can it secure against every single threat. Senior management as a collective whole is ultimately respon- sible for deciding how much residual risk there will be in a company's in- frastructure, and how much risk there will be to the company's data. Often, no one person will be in charge of this, but it will be decided on as a group.

Vulnerability scanning is a technique that identifies threats on your net- work, but does not exploit them. When you are ready to assess the level of vulnerability on the network, it is wise to use (2)

a general vulnerability scanner and a port scanner (or two). By scanning all the systems on the network, you determine the attack surface of those systems, and you can gain much in- sight as to the risks that you need to mitigate, and malicious activity that might already be going on underneath your nose. One such vulnerability scanner is called Nessus. This is one of many exploitation framework tools, but it is a very commonly deployed tool used to perform vulnerability, con- figuration, and compliance assessments. The tool can use a lot of resources, so it is wise to try to perform scans off-hours.

An ACL is

a list of permissions attached to an object. ACLs reside on firewalls, routers, and computers. Per- missions in an ACL might allow access or deny access. It all depends on who is required to have access; then, the configuration is up to you.

Directory traversal, or the ../ (dot dot slash) attack, is

a method of access- ing unauthorized parent (or worse, root) directories. It is often used on web servers that have PHP files and are Linux or UNIX-based, but it can also be perpetrated on Microsoft operating systems (in which case it would be ..\ or the "dot dot backslash" attack). It is designed to get access to files such as ones that contain passwords. This can be prevented by updating the OS, or by checking the code of files for vulnerabilities, otherwise known as fuzzing. For example, a PHP file on a Linux-based web server might have a vulnera- ble if or include statement, which when attacked properly could give the attacker access to higher directories and the passwd file.

Well, we've mapped the network, documented it, scanned for vulnerabilities, scanned ports, and analyzed packets. But wait, let's not forget about pass- words. We've mentioned more than once in this book that weak passwords are the bane of today's operating systems and networks. This could be be- cause no policy for passwords was defined, and people naturally gravitate to- ward weaker, easier-to-remember passwords. Or it could be that a policy was defined but is not complex enough, or is out of date. Whatever the reason, it would be wise to scan computers and other devices for weak passwords with (describe)

a password cracker, which uses comparative analysis to break passwords and systematically guesses until it cracks the password. And of course, a va- riety of password-cracking programs can help with this. For Windows com- puters, there is the well-documented Cain & Abel password recovery tool. This program has a bit of a learning curve but is quite powerful. It can be used to crack all kinds of different passwords on the local system or on re- mote devices and computers. It sniffs out other hosts on the network the way a protocol analyzer would. This is an excellent tool to find out whether weak passwords are on the network, or to help if users forget their passwords (when password resets are not possible). Figure 12-4 shows an example of Cain & Abel. You can see hashed passwords (encrypted) that the program has discovered for various accounts on a test computer. From these hashes, the program can attempt to crack the password and deliver the original plaintext version of the password.

The most common type of authentication is the username/password combi- na-tion. Usernames are usually based on

a person's real name. Large organiza- tions often use firstname.lastname as the standard naming convention (for example, [email protected]) or first initial and last name ([email protected]). Smaller organizations might use the first name and last initial. The naming convention decided upon should be easy for you to implement without name confusion, and it should have the capability to be utilized for all systems on the network, including login, e-mail, database, file access, and so on.

Types of EAP authentication: EAP-FAST: This uses __ instead of __ to achieve mutual authentication.

a protected access credential; a certificate

User Account Control (UAC) is

a security component of Windows that keeps every user (besides the actual Administrator account) in standard user mode instead of as an administrator with full administrative rights—even if the person is a member of the administrators group. It is meant to prevent unauthorized access, as well as avoid user error in the form of accidental changes. With UAC enabled, users perform common tasks as non-adminis- trators, and, when necessary, as administrators, without having to switch users, log off, or use Run As.

Encryption is a huge component of today's computer security. By encrypting information, the data is rearranged in such a way that only the persons with proper authentication can read it. To encrypt an entire hard drive, you either need (describe)

a self-encrypting drive (SED) or some kind of full disk encryption (FDE) software. ("Disk," though not accurate in some cases, is the commonly used term here.) Several types of FDE software are currently available on the market; one developed by Microsoft is called BitLocker—available in the elite editions of several newer versions of Windows. Full disk encryption software can encrypt the entire disk, which, after complete, is transparent to the user.

The CHAP authentication scheme consists of several steps. It authenticates a user or a network host to entities such as Internet access providers. CHAP periodically verifies the identity of the client by using a three-way hand- shake. The verification is based on

a shared secret. After the link has been established, the authenticator sends a challenge message to the peer. The en- crypted results are compared, and finally the client is either authorized or denied access.

It isn't possible to assign a specific ALE to incidents that will happen in the future, so new technologies should be monitored carefully. Any failures should be documented thoroughly. For example,

a spreadsheet could be maintained that contains the various technologies your organization uses, their failure history, their SLE, ARO, and ALE, and mitigation techniques that you have employed, and when they were implemented.

The XSS attack exploits the trust

a user's browser has in a website. The con- verse of this, the XSRF attack, exploits the trust that a website has in a user's browser.

LDAP injection is similar to SQL injection, again using

a web form input box to gain access, or by exploiting weak LDAP lookup configurations. The Light- weight Directory Access Protocol is a protocol used to maintain a directory of information such as user accounts, or other types of objects. The best way to protect against this (and all code injection techniques for that matter) is to incorporate strong input validation.

By incorporating the implicit deny, least privilege, separation of duties, and job rotation concepts, your total __ plan can be improved greatly.

access control

Discretionary access control (DAC) is an access control policy generally determined by the owner. Objects such as files and printers can be created and accessed by the owner. Also, the owner decides which users are allowed to have access to the objects, and what level of access they may have. The levels of access, or permissions, are stored in

access control lists (ACLs).

One example of the difference between active and passive is fingerprinting, which is when a security person (or attacker) scans hosts to find out what ports are open, ultimately helping the person to distinguish the operating system used by the computer. It is also known as OS fingerprinting or TCP/IP fingerprinting. Active fingerprinting is when a direct connection is made to the computer starting with ICMP requests. This type of test could cause the system to respond slowly to other requests from legitimate com- puters. Passive fingerprinting is when the scanning host sniffs the network by chance, classifying hosts as the scanning host observes its traffic on the occasion that it occurs. which one is most common?

active fingerprinting

Security analysis can be done in one of two ways: (describe)

actively or passively. Active security analysis is when actual hands-on tests are run on the system in question. These tests might require a device to be taken off the network for a short time, or might cause a loss in productivity. Active scanning is used to find out if ports are open on a specific device, or to find out what IP addresses are in use on the network. A backup of the systems to be analyzed should be accomplished before the scan takes place. Active scanning (also known as intrusive scanning) can be detrimental to systems or the entire network, especially if you are dealing with a mission-critical network that re- quires close to 100% uptime. In some cases, you can pull systems off the net- work or run your test during off-hours. But in other cases, you must rely on passive security analysis. Passive security analysis is when servers, devices, and networks are not af- fected by your analyses, scans, and other tests. It could be as simple as using documentation only to test the security of a system. For example, if an orga- nization's network documentation shows computers, switches, servers, and routers, but no firewall, you have found a vulnerability to the network (a rather large one). Passive security analysis might be required in real-time, mission-critical networks or if you are conducting computer forensics analy- sis, but even if you are performing a passive security analysis, a backup of the system is normal procedure. Passive security analysis is also known as non-intrusive or non-invasive analysis.

Another attack on smartphones is SIM cloning (also known as phone cloning), which (also comment on versions)

allows two phones to utilize the same service and allows an attacker to gain access to all phone data. V1 SIM cards had a weak algorithm that made SIM cloning possible (with some expertise). However, V2 cards and higher are much more difficult (if not impossible) to clone due to a stronger algorithm on the chip. Users and administrators should be aware of the version of SIM card being used and update it (or the entire smartphone) if necessary.

Older VPNs use either PPTP (port 1723) or L2TP (port 1701) with IPsec. They can also incorporate CHAP on the client side and RADIUS servers for authentication. Newer VPNs protect traffic by using SSL or TLS. For exam- ple, OpenVPN uses this type of encryption (https://openvpn.net/). SSL/TLS solutions for VPN improve on endpoint security and enable __ functionality—where__

always-on VPN; a user can always have access via the VPN with- out the need to periodically disconnect and reconnect.

OVAL can be de- fined in two parts: the OVAL Language and the OVAL Interpreter. OVAL Language: Three different XML schemas have been developed that act as the framework of OVAL: 1. System testing information 2. System state analysis 3. Assessment results reporting OVAL is not a language like C++ but is

an XML schema that defines and de- scribes the XML documents to be created for use with OVAL.

Policies are rules or guidelines used to guide decisions and achieve out- comes. They can be written or configured on a computer. The former are more difficult to enforce, whereas the latter would have to be hacked to be bypassed. Local computer policies and network policies are what really make

an access control model effective.

XSS holes are vulnerabilities that can be exploited with a type of code injec- tion. Code injection is the exploitation of a computer programming bug or flaw by inserting and processing invalid information—it is used to change how the program executes data. In the case of an XSS attack, an attacker in- serts malicious scripts into a web page in the hopes of gaining elevated privi- leges and access to session cookies and other information stored by a user's web browser. This code (often Java-Script) is usually injected from a sepa- rate "attack site." It can also manifest itself as (3)

an embedded JavaScript im- age tag, header manipulation (as in manipulated HTTP response headers), or other HTML embedded image object within e-mails (that are web-based). The XSS attack can be defeated by programmers through the use of output encoding (JavaScript escaping, CSS escaping, and URL encoding), by pre- venting the use of HTML tags, and by input validation: for example, check- ing forms and confirming that input from users does not contain hypertext. On the user side, the possibility of this attack's success can be reduced by in- creasing cookie security and by disabling scripts in the ways mentioned in the first section of this chapter, "Securing the Browser." If XSS attacks by e- mail are a concern, the user could opt to set his e-mail client to text only.

Some of the vulnerabilities to Remote Desktop Services—and the Remote Desktop Protocol in general, otherwise known as RDP—include (3)

an extremely well-known port, comparatively weak encryption, and a lack of multifactor authentication. Because of this, you might choose to utilize another remote control application. At this point, security is relative, and your decision on what tool to use will be based on the type of data you are protecting.

The CIA concepts are important when doing a secure code review, which can be defined as

an in-depth code inspection procedure. It is often included by organizations as part of the testing phase of the SDLC but is usually con- ducted before other tests such as fuzzing or penetration tests, which we dis- cuss more later in this chapter.

Another concern is web-based SSO. Web-based SSO can be problematic due to disparate proprietary technologies. To help alleviate this problem, the XML-based Security Assertion Markup Language (SAML) and the OpenID Connect protocol were developed. OpenID Connect is

an interoperable au- thentication protocol based on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows with a design goal of "making simple things simple and complicated things possible." Both OpenID Con- nect and SAML specify separate roles for the user, the service provider, and the identity provider. Shibboleth is also based on SAML.

Another concept you will encounter is that of RADIUS federation. This is when

an organization has multiple RADIUS servers—possibly on different networks—that need to communicate with each other in a safe way. It is ac- complished by creating trust relationships and developing a core to manage those relationships as well as the routing of authentication requests. It is of- ten implemented in conjunction with 802.1X. This federated network au- thentication could also span between multiple organizations.

Vulnerability management is the practice of finding and mitigating soft- ware vulnerabilities in computers and networks. It consists of (4)

analyzing net- work documentation, testing computers and networks with a variety of secu- rity tools, mitigating vulnerabilities, and periodically monitoring for effects and changes.

For applications that users are allowed to work with, they should be secured accordingly. In general, applications should be updated, patched, or have the appropriate service packs installed. This is collectively known as

application patch management, and is an overall part of the configuration management of an organization's software environment.

RCE commands can be sent to the target computer using the URL of a browser, or by using the Netcat service, among other methods. To defend against this,

applications should be updated, or if the application is being de- veloped by your organization, it should be checked with fuzz testing and strong input validation (client side and server side) as part of the testing stage of the SDLC. If you have PHP running on a web server, it can be set to disable remote execution of configurations. A web server (or other server) can also be configured to block access from specific hosts.

Programs that are designed to exploit software bugs or other vulnerabilities are often called

arbitrary code execution exploits. These types of exploits inject "shellcode" to allow the at- tacker to run arbitrary commands on the remote computer. This type of at- tack is also known as remote code execution (RCE) and can potentially allow the attacker to take full control of the remote computer and turn it into a zombie.

OVAL has several uses, one of which is

as a tool to standardize security advi- sory distributions. Software vendors need to publish vulnerabilities in a standard, machine-readable format. By including an authoring tool, defini- tions repository, and definition evaluator, OVAL enables users to regulate their security advisories. Other uses for OVAL include vulnerability assess- ment, patch management, auditing, threat indicators, and so on.

Qualitative risk assessment is an assessment that assigns numeric val- ues to the probability of a risk and the impact it can have on the system or network. Unlike its counterpart, quantitative risk assessment, it does not

as- sign monetary values to assets or possible losses. It is the easier, quicker, and cheaper way to assess risk but cannot assign asset value or give a total for possible monetary loss.

Another (pentest) technique is that of persistence. As the name implies, an attack- er/tester will

attempt to reconnect at a later date using a backdoor, privilege escalation, and cryptographic keys. Whatever the method, it would have to endure reboots of the target system. Consider developing systems that are non-persistent by using a master image, and then utilizing snapshots, revert- ing to known states, rolling back to known good configurations, and using live boot media.

RADIUS works within the AAA concept: It is used to authenticate users, au- thorize them to services, and account for the usage of those services. RA- DIUS checks whether the correct authentication scheme such as CHAP or EAP is used when clients attempt to connect. It commonly uses port 1812 for ___ and port 1813 for __ (both of which use UDP as the transport mechanism).

authentication messages; accounting messages

In Chapter 1 we discussed three basic security controls that are often used to develop a security plan: physical, technical, and adminis- trative. However, there are additional categorical controls as described by the NIST. In short, the three can be described as the following: Technical controls: These are the logical controls executed by the com- puter system. Technical controls include (4)

authentication, access control, au- diting, and cryptography. The configuration and workings of firewalls, ses- sion locks, RADIUS servers, or RAID 5 arrays would be within this category, as well as concepts such as least privilege implementation.

General Browser Security Procedures: Use a Proxy and Content Filter: Remember that the proxy server is a mediator be- tween the client and the Internet, and as such the client's web browser must be configured to connect to them. You can either have the browser

automati- cally detect a proxy server or (and this is more common) configure it statical- ly.

Tools such as Nmap and Nessus are also known as network enumerators. Enumeration refers to a complete listing of items (such as port numbers); network enumerators extract information from servers including network shares, services running, groups of users, and so on. It is this additional ex- traction of information (enumerating) that sets them apart from a basic net- work mapping tool. This type of enumeration is also referred to as (describe)

banner grabbing. Banner grabbing is a technique used to find out information about web servers, FTP servers, and mail servers. For example, it might be used by a network administrator to take inventory of systems and services running on servers. Or, it could be used by an attacker to grab information such as HTTP headers, which can tell the attacker what type of server is run- ning, its version number, and so on. Examples of banner-grabbing ap- plications include Netcat and Telnet. Aside from the security administrator (and perhaps auditors), no one should be running banner-grabbing tools, or network enumeration tools in general. A good security admin will attempt to sniff out any unpermitted usage of these tools.

It is important to protect the HIDS database because this can be a target for attackers. It should either (3)

be encrypted, stored on some sort of read-only memory, or stored outside the system.

If you create a folder, the default action it takes is to inherit permissions from the parent folder, which ultimately come from the root folder. So any permissions set in the parent are inherited by the subfolder. To view an ex- ample of this, locate any folder within an NTFS volume (besides the root folder), right-click it, and select Properties, access the Security tab, and click the Advanced button. That brings up a window as shown in Figure 11-7. If you look at the bottom of the figure, you can tell whether or not the folder is inheriting permissions from the parent. In this case, it is inheriting permissions. This means that any permissions added or removed in the parent folder will also be added or removed in the current folder. In addition, those permis- sions inherited cannot

be modified in the current folder. To make modifica- tions, you would have to disable inheritance, either by clicking the button shown in Figure 11-7 or by deselecting a checkbox on older versions of Win- dows Server. When you do so, you have the option to copy the permissions from the parent to the current folder or remove them entirely. To summa- rize, by default the parent is automatically propagating permissions to the subfolder, and the subfolder is inheriting its permissions from the parent.

Core SDLC and DevOps Principles: The CIA concepts are important when doing a secure code review, which can be defined as an in-depth code inspection procedure. It is often included by organizations as part of the testing phase of the SDLC but is usually con- ducted (when)

before other tests such as fuzzing or penetration tests, which we dis- cuss more later in this chapter.

Preventive controls: These controls are employed before the event and are designed to prevent an incident. Examples include (3)

biometric systems de- signed to keep unauthorized persons out, NIPSs to prevent malicious activi- ty, and RAID 1 to prevent loss of data.

When dealing with the previously listed applications and add-ons, pop-up blocking is known as ad filtering, but this can be taken to another level, known as content filtering. Content filters...

block external files that use JavaScript or images from loading into the browser. Content filtering contin- ues to become more and more important as advertisers become more and more clever. Most newer web browser versions offer some kind of filtering, plus proxy-based programs such as Squid can filter content (among other things) for multiple computers.

While variations of the waterfall model are commonplace, an organization might opt to use a different model, such as the V-shaped model, which stresses more testing, or rapid application development (RAD), which puts more emphasis on process and less emphasis on planning. Then there is the agile model, which

breaks work into small increments and is designed to be more adaptive to change. The agile model has become more and more popular since 2001. It focuses on customer satisfaction, cooperation between developers and business people, face-to-face conversation, simplicity, and quick adjustments to change.

However, the most common goal of risk management is to reduce all risk to a level acceptable to the organization. It is impossible to eliminate all risk, but it should be mitigated as much as possible within reason. Usually,__ and __ dictate the level of risk reduction, and what kind of deterrents can be put in place. For example, installing antivirus/firewall software on every client computer is common; most companies do this. However, installing a high-end, hardware-based firewall at every computer is not common; although this method would probably make for a secure net- work, the amount of money and administration needed to implement that solution would make it unacceptable.

budgeting; IT resources

It is also possible to delete accounts (aside from

built-in accounts such as the Guest account)

Note that sideloading can occur in several ways: (4)

by direct Internet connection (usually disabled by default); by con- necting to a second mobile device via USB OTG (USB On-The-Go) or Blue- tooth; by copying apps directly from a microSD card; or via tethering to a PC or Mac.

Once again, the best way to defend against code injection/command injec- tion techniques in general is

by implementing input validation during the development, testing, and maintenance phases of the SDLC.

Kerberos is designed to protect against replay attacks and eavesdropping. One of the drawbacks of Kerberos is that it relies on a centralized server such as a domain controller. This can be a single point of failure. To alleviate this problem, secondary and tertiary domain controllers can be installed that keep a copy of the Active Directory and are available with no downtime in case the first domain controller fails. Another possible issue is one of syn- chronicity. Time between the clients and the domain controller must be syn- chronized for Kerberos to work properly. If for some reason a client attempt- ing to connect to a domain controller becomes desynchronized, it

cannot complete the Kerberos authentication, and as an end result the user cannot log on to the domain. This can be fixed by logging on to the affected client locally and synchronizing the client's time to the domain controller by using the net time command. For example, to synchronize to the domain con- troller in Figure 10-4, the command would be

Of course, many organizations (and especially government) get more techni- cal with their door access systems. Electronic access control systems such as cardkey systems are common. These use scanning devices on each door used for access to the building. They read the cardkeys that you give out to em- ployees and visitors. These cardkeys should be logged; it should be known exactly who has which key at all times. The whole system is guided by a

card- key controller. This controller should be placed in a wiring closet or in a server room, and that room should be locked as well (and protected by the cardkey system). Some companies implement separate cardkey systems for the server room and for the main entrances. Some systems use photo ID badges for identification and authentication to a building's entrance. They might have a magnetic stripe similar to a credit card, or they might have a barcode or use an RFID chip. A key card door access system is another good practice for tracking user identities.

Types of EAP authentication: EAP-TLS: This version uses Transport Layer Security, which is a certifi- cate-based system that does enable mutual authentication. This does not work well in enterprise scenarios because

certificates must be configured or managed on the client side and server side.

Here's an example of the chmod command: on file named "testfile" using numbers

chmod 760 testfile

Today's UEFI-based systems use a root of trust, which is

code—usually embedded in hardware in the form of a trusted platform module (TPM)— that incorporates encryption in the form of a public key. For a system with secure boot enabled to start up properly, kernel-based operating system drivers must present private keys that match the root of trust's public key. This process can prevent a system from being booted by undesirable OSes that can reside on flash drives or elsewhere, and prevent OSes that have been tampered with from booting. This tampering might occur in-house, or previ- ously while in transit through the manufacturing supply chain.

One thing to remember is that when attackers utilize code injecting tech- niques, they are adding their own code to existing code, or are inserting their own code into a form. A variant of this is

command injection, which doesn't utilize new code; instead, an attacker executes system-level commands on a vulnerable application or OS. The attacker might enter the command (and other syntax) into an HTML form field or other web-based form to gain ac- cess to a web server's password files.

Windows servers running Active Directory use parameters and variables when querying the names of objects. For example, CN=dprowse, where CN stands for __ and dprowse is the __. Taking it to the next level: DC=ServerName.DC stands for __. ServerName is __.

common name; username; domain component; the variable and is the name of the server

Corrective controls: These controls are used after an event. They limit the extent of damage and help the company recover from damage quickly. Tape backup, hot sites, and other fault tolerance and disaster recovery meth- ods are also included here. These are sometimes referred to as

compensating controls.

Here are a few more tips when it comes to user accounts, passwords, and logons: Use Ctrl+Alt+Del: Pressing Ctrl+Alt+Del before the logon adds a layer of security to the logon process by ensuring that users are communicating by means of a trusted path when entering passwords. This can be added in Win- dows 10 by going to Run and typing netplwiz (which opens the User Ac- counts dialog box), then going to the Advanced tab and selecting the check- box for Require Users to Press Ctrl+Alt+Delete. Or, it can be added as a poli- cy on individual Windows computers within the Local Group Policy Editor. It is implemented by default for

computers that are members of a domain.

Databases are just as vulnerable as web servers. The most common kind of database is the relational database, which is administered by a relational database management system (RDBMS). These systems are usually written in the Structured Query Language (SQL). An example of a SQL database is Microsoft's SQL Server (pronounced "sequel"); it can act as the back end for a program written in Visual Basic or Visual C++. Another example is MySQL, a free, open source relational database often used in conjunction with websites that employ PHP pages. One concern with SQL is the SQL in- jection attack, which occurs in databases, ASP.NET applications, and blog- ging software (such as WordPress) that use MySQL as a back end. In these attacks user input in web forms is not filtered correctly and is executed im- properly, with the end result of gaining access to resources or changing data. For example, the login form for a web page that uses a SQL back end (such as a WordPress login page) can be insecure, especially if the front-end appli- cation is not updated. An attacker will attempt to access the database (from a form or in a variety of other ways), query the database, find out a user, and then inject code to the password portion of the SQL code—perhaps some- thing as simple as X = X. This will allow any password for the user account to be used. If the login script was written properly (and validated properly), it should deflect this injected code. But if not, or if the application being used is not updated, it could be susceptible. It can be defended against by (3)

con- straining user input, filtering user input, and using stored procedures such as input validating forms. Used to save memory, a stored procedure is a sub- routine in an RDBMS that is typically implemented as a data-validation or access- control mechanism which includes several SQL statements in one procedure that can be accessed by multiple applications.

A Microsoft VPN can be set up on a standard Windows Server by

configuring Routing and Remote Access Service (RRAS). Remote access policies can be created from here that permit or deny access to groups of users for dial-in or VPN connections. In a typical Windows Server you would need to set up RRAS as part of the Network Policy and Access Services role. Then you would right-click the Remote Access Logging & Policies node and access the Network Policy Server (NPS) window to create a new RRAS policy. Figure 10-7 displays the initiation of a RRAS VPN policy.

Basic Browser Security: The first thing that you should do is to update the browser—that is, if compa- ny policy permits it. Remember to use the patch management strategy dis- cussed earlier in the book. You might also want to halt or defer future up- dates until you are ready to implement them across the entire network. Next, install pop-up blocking and other ad-blocking solutions. Many an- tivirus suites have pop-up blocking tools. There are also third-party solu- tions that act as add-ons to the browser. And of course, newer versions of web browsers will block some pop-ups on their own. After that,

consider security zones if your browser supports them. You can set the security level for the Internet and intranet zones, and specify trusted sites and restricted sites. In addition, you can set custom levels for security; for example, disable ActiveX controls and plug-ins, turn the scripting of Java applets on and off, and much more.

Another disadvantage of some MFA environments is that they are static—rules and whitelists/blacklists are usually configured manually. A more dynamic way of authenticating individuals is to utilize (describe)

context-aware authentication (also known as context-sensitive access). It is an adaptive way of authenticating users based on their usage of re- sources, and the confidence that the system has in the user. It can automati- cally increase the level of identification required and/or increase or decrease the level of access to resources based on constant analysis of the user.

Attribute-based access control (ABAC) is an access model that is dy- namic and

context-aware. Access rights are granted to users through the use of multiple policies that can combine various user, group, and resource at- tributes together. It makes use of IF-THEN statements based on the user and requested resource. For example, if David is a systems administrator,then allow full control access to the \\dataserver\ adminfolder share. If implemented properly, it can be a more flexible solu- tion. As of the writing of this book, many technologies—and organizations— are moving toward a more context-sensitive, context-aware mindset when it comes to authentication and access control.

Cookies can also pose a security threat. Cookies are text files placed on the client computer that store information about it, which could include your computer's browsing habits and possibly user credentials. The latter are sometimes referred to as persistent cookies, used so that a person doesn't have to log in to a website every time. By adjusting cookie settings, you can either accept all cookies, deny all cookies, or select one of several options in between. A high cookie security setting will usually block

cookies that save information that can be used to contact the user, and cookies that do not have a privacy policy.

Another concept you will encounter is that of RADIUS federation. This is when an organization has multiple RADIUS servers—possibly on different networks—that need to communicate with each other in a safe way. It is ac- complished by

creating trust relationships and developing a core to manage those relationships as well as the routing of authentication requests. It is of- ten implemented in conjunction with 802.1X. This federated network au- thentication could also span between multiple organizations.

Cookies can also be the target for various attacks; namely, session cookies are used when an attacker attempts to hijack a session. There are several types of session hijacking. One common type is

cross-site script- ing (also known as XSS), which is when the attacker manipulates a client computer into executing code considered trusted as if it came from the server the client was connected to. In this way, the attacker can acquire the client computer's session cookie (allowing the attacker to steal sensitive in- formation) or exploit the computer in other ways. We cover more about XSS later in this chapter, and more about session hijacking in Chapter 7, "Net- working Protocols and Threats."

Advanced smart cards have specialized

cryptographic hardware that can use algorithms such as RSA and 3DES but generally use private keys to encrypt data. (More on encryption and these encryption types is provided in Chapter 14, "Encryption and Hashing Concepts.") A smart card might incorporate a microprocessor (as is the case with the PIV and CAC cards). A smart card security system usually is composed of the smart card itself, smart card readers, and a back-office database that stores all the smart card access control lists and history.

Then there is theagile model, which breaks work into small increments and is designed to be more adaptive to change. The agile model has become more and more popular since 2001. It focuses on (5)

customer satisfaction, cooperation between developers and business people, face-to-face conversation, simplicity, and quick adjustments to change.

Mandatory access control (MAC) is an access control policy determined by a computer system, not by a user or owner, as it is in DAC. Permissions are predefined in the MAC model. Historically, it has been used in highly classified government and military multilevel systems, but you will find less- er implementations of it in today's more common operating systems as well. The MAC model defines sensitivity labels that are assigned to subjects(users) and objects (files, folders, hardware devices, network connections, and so on). A subject's label dictates its security level, or level of trust. An ob- ject's label dictates what level of clearance is needed to access it, also known as a trust level (this is also known as data labeling). The access controls in a MAC system are based on the security classification of the data and "need- to-know" information—where a user can access only what the system consid- ers absolutely necessary. Also, in the MAC model,

data import and export are controlled.

Data loss prevention (DLP) is a concept that refers to the monitoring of (3)

data in use, data in motion, and data at rest.

802.1X is a __(what layer) authentication technology used to connect devices to a LAN or WLAN.

data link layer

Another concept similar to cookies is locally shared objects (LSOs), also called Flash cookies. These are

data that Adobe Flash-based websites store on users' computers, especially for Flash games. The privacy concern is that LSOs are used by a variety of websites to collect information about users' browsing habits. However, LSOs can be disabled via the Flash Player Set- tings Manager (a.k.a. Local Settings Manager) in most of today's operating systems. LSOs can also be deleted entirely with third-party software, or by accessing the user's profile folder in Windows.

Role-Based Access Control (RBAC): Think about it. Did you ever notice that an administrator or root user is ex- tremely powerful? Perhaps too powerful? And standard users are often not powerful enough to respond to their own needs or fix their own problems? Some operating systems counter this problem by creating mid-level accounts such as Power Users (Microsoft) or Operators (Solaris), but for large organi- zations, this is not flexible enough. Currently, more levels of roles and spe- cial groups of users are implemented in newer operating systems. RBAC is used in __ as well and is becoming more common in the health- care industry and government.

database access

In a way, DAC, when implemented in client-server networks, is sort of a __(centralized or decentralized?) administration model.

de- centralized

Management controls: These are techniques and concerns addressed by an organization's management (managers and executives). Generally, these controls focus on

decisions and the management of risk. They also con- centrate on procedures, policies, legal and regulatory, the software develop- ment life cycle (SDLC), the computer security life cycle, information assur- ance, and vulnerability management/scanning. In short, these controls focus on how the security of your data and systems is managed.

Management controls: These are techniques and concerns addressed by an organization's management (managers and executives). Generally, these controls focus on (7)

decisions and the management of risk. They also con- centrate on procedures, policies, legal and regulatory, the software develop- ment life cycle (SDLC), the computer security life cycle, information assur- ance, and vulnerability management/scanning. In short, these controls focus on how the security of your data and systems is managed.

One of the best things you can do to secure a RAS server is to

deny access to individuals who don't require it. Even if the user or user group is set to "not configured," it is wise to specifically deny them access. Allow access to only those users who need it, and monitor on a daily basis the logs that list who connected. If there are any unknowns, investigate immediately. Be sure to update the permissions list often in the case that a remote user is terminated or otherwise leaves the organization.

Preventive controls: These controls are employed before the event and are designed to prevent an incident. Examples include biometric systems de- signed to keep unauthorized persons out, NIPSs to prevent malicious activi- ty, and RAID 1 to prevent loss of data. These are also sometimes referred to as

deterrent controls.

Another (pentest) technique is that of persistence. As the name implies, an attack- er/tester will attempt to reconnect at a later date using a backdoor, privilege escalation, and cryptographic keys. Whatever the method, it would have to endure reboots of the target system. Consider (how to address)

developing systems that are non-persistent by using a master image, and then utilizing snapshots, revert- ing to known states, rolling back to known good configurations, and using live boot media.

One of the best things you can do to secure a RAS server is to deny access to individuals who don't require it. Even if the user or user group is set to "not configured," it is wise to specifically deny them access. Allow access to only those users who need it, and monitor on a daily basis the logs that list who connected. If there are any unknowns, investigate immediately. Be sure to update the permissions list often in the case that a remote user is terminated or otherwise leaves the organization. The next most important security precaution is to set up RAS authentication. One secure way is to use the Challenge-Handshake Authentication Protocol (CHAP), which is an authentication scheme used by the Point-to- Point Protocol (PPP), which in turn is the standard for

dial-up connections.

The Lightweight Directory Access Protocol (LDAP) is an application layer protocol used for accessing and modifying directory services data. It is part of the TCP/IP suite. Originally used in WAN connections, it has devel- oped over time into a protocol commonly used by services such as Microsoft Active Directory on Windows Server domain controllers. LDAP acts as the protocol that controls the __ service. This is the service that organizes the users, computers, and other objects within the Active Directory.

directory

RCE commands can be sent to the target computer using the URL of a browser, or by using the Netcat service, among other methods. To defend against this, applications should be updated, or if the application is being de- veloped by your organization, it should be checked with fuzz testing and strong input validation (client side and server side) as part of the testing stage of the SDLC. If you have PHP running on a web server, it can be set to

disable remote execution of configurations. A web server (or other server) can also be configured to block access from specific hosts.

Cisco also created a proprietary protocol called LEAP (Lightweight EAP), and it is just that—proprietary. To use LEAP, you must have a Cisco device such as an Aironet WAP or Catalyst switch, or another vendor's device that complies with the Cisco Compatible Extensions program. Then you must

download a third-party client on Windows computers to connect to the Cisco device. Most WLAN vendors offer an 802.1X LEAP download for their wire- less network adapters.

Core SDLC and DevOps Principles: From a larger perspective, an organization might implement modeling as part of its software quality assurance program. By modeling, or simulating, a system or application, it can be tested, verified, validated, and finally accred- ited as acceptable for a specific purpose. One secure and structured approach that organizations take is called threat modeling. Threat modeling..

enables you to prioritize threats to an applica- tion, based on their potential impact. This modeling process includes identi- fying assets to the system or application, uncovering vulnerabilities, identify- ing threats, documenting threats, and rating those threats according to their potential impact. The more risk, the higher the rating. Threat modeling is of- ten incorporated into the SDLC during the design, testing, and deployment phases.

The smart card might have a photo ID as well. Exam- ples of smart cards include the PIV card (Personal Identity Verification), which is required for all U.S. government employees and contractors, and the Common Access Card (CAC), which is used to identify Department of Defense (DoD) military personnel, other DoD civilian government employ- ees, and so on. These cards not only identify the person and are responsible for authentication to buildings and systems, but can also

encrypt and digital- ly sign e-mails.

On a related note, salespeople, field technicians, and other remote users should be trained to delete temporary files, cookies, and passwords when they are using computers on the road. In general, most companies discourage the saving of passwords by the browser. Some organizations make it a policy to disable that option. If you do save passwords, it would be wise to

enter a master password. This way, when saved passwords are necessary, the browser will ask for only the master password, and you don't have to type or remember all the others.

Although it's impossible to predict the future accurately, it can be quantified on an average basis using concepts such as mean time between failures (MTBF). This term deals with reliability. It defines the average number of

failures per million hours of operation for a product in question. This is based on historical baselines among various customers that use the product. It can be very helpful when making quantitative assessments.

Sometimes users have more than one account. This might have been done to allow access to multiple systems or resources. There are plenty of different issues that can occur because of this. To mitigate problems that can develop from a user having two accounts, consider the consolidation of accounts, for example, utilizing a

federated identity management (FIM) system, one that will incorporate single sign-on (SSO). User administration can also benefit from credential management, where passwords, certificates, and other logon credentials are stored in a special folder called a vault. A security administra- tor should also consider the use of roles (RBAC) and user groups.

SSO is a derivative of

federated identity management (also called FIM or FIdM). This is when a user's identity, as well as the user's attributes, is shared across multiple identity management systems. These various systems can be owned by one organization; for example, Microsoft offers the Fore- front Identity Manager software, which can control user accounts across lo- cal and cloud environments. Also, Google, Yahoo!, and Amazon are exam- ples of companies that utilize this federation approach. But, some providers join forces so that information can be shared across multiple services and environments between the companies, yet still allow the user a single login. Shibboleth is an example of an SSO system that allows people to sign in with a single digital identity and connect to various systems run by federations of different organizations. SSO systems—and federated systems in general— will often incorporate the concept of transitive trust where two networks (or more) have a relationship such that users logging in to one network get ac- cess to data on the other.

Permissions such as file and printer access can be assigned to individual users or to groups. These permissions (also known as access modes) are ex- amples of access control lists (ACLs)—specifically,

file system access control lists (abbreviated as FACL or FSACL). An ACL is a list of permissions attached to an object. ACLs reside on firewalls, routers, and computers. Per- missions in an ACL might allow access or deny access. It all depends on who is required to have access; then, the configuration is up to you.

XML injection attacks can compromise the logic of XML (Extensible Markup Language) applications—for example, XML structures that contain the code for users. It can be used to create new users and possibly obtain administra- tive access. This can be tested for by attempting to insert XML metacharac- ters such as single and double quotes. It can be prevented by filtering IN al- lowed characters (for example, A-Z only). This is an example of "default deny" where only what you explicitly filter in is permitted; everything else is forbidden.

filtering IN al- lowed characters (for example, A-Z only). This is an example of "default deny" where only what you explicitly filter in is permitted; everything else is forbidden.

One example of the difference between active and passive (security analysis) is (describe)

fingerprinting, which is when a security person (or attacker) scans hosts to find out what ports are open, ultimately helping the person to distinguish the operating system used by the computer. It is also known as OS fingerprinting or TCP/IP fingerprinting. Active fingerprinting is when a direct connection is made to the computer starting with ICMP requests. This type of test could cause the system to respond slowly to other requests from legitimate com- puters. Passive fingerprinting is when the scanning host sniffs the network by chance, classifying hosts as the scanning host observes its traffic on the occasion that it occurs. This method is less common in port scanners but can help to reduce stress on the system being scanned.

In Chapter 1 we discussed three basic security controls that are often used to develop a security plan: physical, technical, and adminis- trative. However, there are additional categorical controls as described by the NIST. In short, the three can be described as the following: Technical controls: These are the logical controls executed by the com- puter system. Technical controls include authentication, access control, au- diting, and cryptography. The configuration and workings of __(4) would be within this category, as well as concepts such as least privilege implementation.

firewalls, ses- sion locks, RADIUS servers, or RAID 5 arrays

ADUC can be accessed (how?) (2)

from Administrative Tools or added as a snap-in to an MMC.

Fuzz testing can uncover (3)

full sys- tem failures, memory leaks, and error-handling issues.

The memory leak might happen on its own due to poor programming, or it could be that code resides in the application that is vulnerable, and is later exploited by an attacker who sends specific packets to the system over the network. This type of error is more common in lan- guages such as C or C++ that have no automatic garbage collection, but it could happen in any programming language. There are several memory de- buggers that can be used to check for leaks. However, it is recommended that

garbage collection libraries be added to C, C++, or other programming language, to check for potential memory leaks.

In Linux, file permissions are broken down into three types: read, write, and execute (R, W, and X). They can be assigned to three different permission groups: owner, group, and all users (U, G, and O or A). These can be as- signed and configured in the command-line with the chmod command (change mode), either by

group letter or by using a designated numbering system.

Cloud-based DLP solutions are offered by most cloud providers to protect against data breaches and misuse of data. These often integrate with soft- ware, infrastructure, and platform services, and can include any of the sys- tems mentioned previously. Cloud-based DLP is necessary for companies that

have increased bring your own device (BYOD) usage (discussed later in the chapter), and that store data and operate infrastructure within the cloud.

A programmer may make use of address space layout randomization (ASLR) to

help prevent the exploitation of memory corruption vulnerabili- ties. It randomly arranges the different address spaces used by a program (or process). This can aid in protecting mobile devices (and other systems) from exploits caused by memory-management problems. While there are exploits to ASLR (such as side-channel attacks) that can bypass it and de-randomize how the address space is arranged, many systems employ some version of ASLR.

Mandatory access control (MAC) is an access control policy determined by a computer system, not by a user or owner, as it is in DAC. Permissions are predefined in the MAC model. Historically, it has been used in

highly classified government and military multilevel systems, but you will find less- er implementations of it in today's more common operating systems as well. The MAC model defines sensitivity labels that are assigned to subjects(users) and objects (files, folders, hardware devices, network connections, and so on). A subject's label dictates its security level, or level of trust. An ob- ject's label dictates what level of clearance is needed to access it, also known as a trust level (this is also known as data labeling). The access controls in a MAC system are based on the security classification of the data and "need- to-know" information—where a user can access only what the system consid- ers absolutely necessary. Also, in the MAC model, data import and export are controlled. MAC is the strictest of the access control models.

Management controls: These are techniques and concerns addressed by an organization's management (managers and executives). Generally, these controls focus on decisions and the management of risk. They also con- centrate on procedures, policies, legal and regulatory, the software develop- ment life cycle (SDLC), the computer security life cycle, information assur- ance, and vulnerability management/scanning. In short, these controls focus on

how the security of your data and systems is managed.

Separation of duties can also be applied to a single user. For example,

if a user on a typical Windows computer (Vista or newer) has a specific set of privileges, but the user wants to do something on the system that requires administrative access, User Account Control (UAC) kicks in and asks for the proper credentials to perform the actions of that role. If the credentials can- not be supplied, UAC blocks the action, keeping the various duties separate.

Kerberos is an authentication protocol designed at MIT that enables com- puters to prove their identity to each other in a secure manner. It is used most often in a client-server environment; the client and the server both ver- ify each other's identity. This is known as two-way authentication or mutual authentication. Often, Kerberos protects a network server from

illegiti- mate login attempts, just as the mythological three-headed guard dog of the same name (also known as Cerberus) guards Hades.

Risk assessment is the attempt to determine the amount of threats or haz- ards that could possibly occur in a given amount of time to your computers and networks. When you assess risks, they are often recognized threats—but risk assessment can also take into account new types of threats that might occur. When risk has been assessed, it can be mitigated up until the point in which the organization will accept any additional risk. Generally, risk assess- ments follow a particular order, for example: Step 1. Identify the organization's assets. Step 2. Identify vulnerabilities .Step 3. Identify threats and threat likelihood. Step 4. Identify potential monetary impact. The fourth step is also known as (describe)

impact assessment. This is when you deter- mine the potential monetary costs related to a threat.

Cryptanalysis attack: Uses a considerable set of precalculated encrypt- ed passwords located in a lookup table. These tables are known as rainbow tables, and the type of password attack is also known as precomputation, where all words in the dictionary (or a specific set of possible passwords) are hashed and stored. This is done in an attempt to recover passwords quicker. It is used with the ophcrack and RainbowCrack applications. This attack can be defeated by

implementing salting, which is the randomization of the hashing process.

HSMs can be found (in what form?)(3)

in adapter card form, as devices that plug into a comput- er via USB, and as network-attached devices.

Knowledgeable attackers understand where password information is stored. In Windows, it is stored

in an encrypted binary format within the SAM hive. In Linux, the data used to verify passwords was historically stored in the /etc/passwd file, but in newer Linux systems the passwd file only shows an X, and the real password information is stored in another file, perhaps /etc/shadow, or elsewhere in an encrypted format.

The XSS attack can be defeated by programmers through the use of output encoding (JavaScript escaping, CSS escaping, and URL encoding), by pre- venting the use of HTML tags, and by input validation: for example, check- ing forms and confirming that input from users does not contain hypertext. On the user side, the possibility of this attack's success can be reduced by (3)

in- creasing cookie security and by disabling scripts in the ways mentioned in the first section of this chapter, "Securing the Browser." If XSS attacks by e- mail are a concern, the user could opt to set his e-mail client to text only.

Risk management can be defined as the identification, assessment, and prioritization of risks, and the mitigating and monitoring of those risks. Specifically, when talking about computer hardware and software, risk man- agement is also known as

information assurance (IA). The two common models of IA include the well-known CIA triad (which we covered in Chapter 1, "Introduction to Security"), and the DoD "Five Pillars of IA," which com- prise the concepts of the CIA triad (confidentiality, integrity, and availabili- ty) but also include authentication and non-repudiation.

Motion detec- tors and other sensors are also common as part of a total alarm system. They are often __-based or __-based . We could go on and on about general building secu- rity, but this chapter focuses on authentication. Besides, I think you get the idea. If your organization is extremely concerned about building security, and doubts that it has the knowledge to protect the building and its contents properly, consider hiring a professional.

infrared (set off by heat); ultrasonic(set off by cer- tain higher frequencies)

Remember that all these policies, when enabled, affect all users to which the policy applies. If it is the Default Domain Policy (usually not recommended for configuration),

it affects all users; if it is an OU policy, it affects all users in the OU.

Core SDLC and DevOps Principles: From a larger perspective, an organization might implement modeling as part of its software quality assurance program. By modeling, or simulating, a system or application,

it can be tested, verified, validated, and finally accred- ited as acceptable for a specific purpose.

Qualitative risk assessment: The main issue with this type of risk assessment is that

it is difficult to place an exact value on many types of risks. The type of qualitative system varies from organization to organization, even from person to person; it is a com- mon source of debate as well. This makes qualitative risk assessments more descriptive than truly measurable. However, by relying on group surveys, company history, and personal experience, you can get a basic idea of the risk involved.

Types of EAP authentication: EAP-TTLS: This version is Tunneled Transport Layer Security and is ba- sically the same as TLS except that __ and __

it is done through an encrypted channel; it requires only server-side certificates.

Hardware security modules (HSMs) are physical devices that act as se- cure cryptoprocessors. This means that they are used for encryption during secure login/authentication processes, during digital signings of data, and for payment security systems. The beauty of a hardware-based encryption device such as an HSM (or a TPM) is that

it is faster than software encryption.

One other thing to watch for in general is consolidation. Some organizations, in an attempt to save money, will merge several back office systems onto one computer. While this is good for the budget, and uses a small amount of re- sources,

it opens the floodgates for attack. The more services a server has running, the more open doorways that exist to that system—and, the more possible ways that the server can fail. The most important services should be compartmentalized physically or virtually in order to reduce the size of the attack surface, and lower the total amount of threats to an individual system. We'll discuss servers more in Chapter 6, "Network Design Elements."

It's important to use version 2 of MS-CHAP because

it provides for mutual authentication between the client and the au- thenticator. Of course, the RAS server has to be configured to accept MS- CHAP connections as well. You also have the option to enable EAP for the dial-up connection. Other RAS authentication protocols include SPAP, which is of lesser security, and PAP, which sends usernames and passwords in clear text—obviously insecure and to be avoided.

Kerberos is designed to protect against replay attacks and eavesdropping. One of the drawbacks of Kerberos is that (2)

it relies on a centralized server such as a domain controller. This can be a single point of failure. To alleviate this problem, secondary and tertiary domain controllers can be installed that keep a copy of the Active Directory and are available with no downtime in case the first domain controller fails. Another possible issue is one of syn- chronicity. Time between the clients and the domain controller must be syn- chronized for Kerberos to work properly. If for some reason a client attempt- ing to connect to a domain controller becomes desynchronized, it cannot complete the Kerberos authentication, and as an end result the user cannot log on to the domain. This can be fixed by logging on to the affected client locally and synchronizing the client's time to the domain controller by using the net time command.

One of the advantages of using a HIDS is that it can interpret encrypted traffic. Dis- advantages include (3)

its purchase price, its resource-intensive operation, and its default local storage of the HIDS object database; if something happens to the computer, the database will be unavailable.

Types of EAP authentication: PEAP: This uses MS-CHAPv2, which supports au- thentication via Microsoft Active Directory databases. It competes with EAP- TTLS and includes legacy password-based protocols.

legacy password-based protocols. It creates a TLS tunnel by acquiring a public key infrastructure (PKI) certificate from a server known as a certificate authority (CA). The TLS tunnel protects user authenti- cation much like EAP-TTLS.

Core SDLC and DevOps Principles: Another important concept is code checking, which involves

limiting the reuse of code to that which has been approved for use, and removing dead code. It's also vital to incorporate good memory management tech- niques. Finally, be very careful when using third-party libraries and software development kits (SDKs), and test them thoroughly before using them with- in a live application.

LSO stands for

locally shared object

Another concept similar to cookies is __, also called Flash cookies.

locally shared objects (LSOs)

On the other side of the spectrum, white-box testing (also known as trans- parent testing) is a way of testing the internal workings of the application or system. Testers must have programming knowledge and are given detailed information about the design of the system. They are given (3)

login details, pro- duction documentation, and source code.

Temporary browser files can contain

lots of personally identifiable informa- tion (PII). You should consider automatically flushing the temp files from a system every day. For example, a hotel that offers Internet access as a service for guests might enable this function. This way, the histories of users are erased when they close the browser. On a related note, salespeople, field technicians, and other remote users should be trained to delete temporary files, cookies, and passwords when they are using computers on the road. In general, most companies discourage the saving of passwords by the browser.

For the Security+ exam, the most important of the SDLC phases are (describe)

mainte- nance and testing. In the maintenance phase, which doesn't end until the software is removed from all computers, an application needs to be updated accordingly, corrected when it fails, and constantly monitored. We discuss more about monitoring in Chapter 13, "Monitoring and Auditing." In the testing phase, a programmer (or team of programmers and other employees) checks for bugs and errors in a variety of ways. It's imperative that you know some of the vulnerabilities and attacks to a system or application, and how to fix them and protect against them. The best way to prevent these attacks is to test and review code.

In today's "hassle-free" world of peripherals, there are a ton of wireless de- vices in use. Unfortunately, because wireless signals are generally spread spectrum, they can be more easily intercepted than wired signals. Some Note For more information about BitLocker and how to use it, see the follow-ing link: https://technet.microsoft.com/en- us/library/hh831713(v=ws.11).aspx wireless peripherals, such as keyboards and mice, can have their keystrokes and clicks captured with the most basic of attacks. To protect against this, some manufacturers offer encrypted wireless device solutions, with AES be- ing one of the most common encryption protocols used. Wireless displays use technologies such as Wi-Fi Direct (WiDi) that is backward compatible with standard Wi-Fi technologies. As such, these displays should

make con- nections using WPA2 and AES. Wi-Fi-enabled cameras and SD/microSD cards should be configured in a similar manner. The same goes with external storage devices, printers, and multi-function devices. The bottom line is this: Any peripheral that connects in a wireless fashion needs to have proper au- thentication put in place (such as WPA2) and strong encryption (such as AES-256 or higher). Also keep in mind that newer types of authentication and encryption become available occasionally. Remember to periodically check whether your wireless security schemes are up to date.

Brute-force attack: When every possible password instance is attempt- ed. This is often a last resort due to the amount of CPU resources it might re- quire. It works best on shorter passwords but can theoretically break any password given enough time and CPU power. For example, a four-character, lowercase password with no numbers or symbols could be cracked quickly. But a ten-character, complex password would take much longer; some com- puters will fail to complete the process. Also, you must consider whether the attack is online or offline. Online means that a connection has been made to the host, giving the password-cracking program only a short window to break the password. Offline means that there is no connection and that the password-cracking computer knows the target host's password hash and hashing algorithm, giving the cracking computer more (or unlimited) time to make the attempt. Some password-cracking programs are considered hy- brids and

make use of dictionary attacks (for passwords with actual words in them) and brute-force attacks (for complex passwords).

Although it's impossible to predict the future accurately, it can be quantified on an average basis using concepts such as mean time between failures (MTBF). This term deals with reliability. It defines the average number of failures per million hours of operation for a product in question. This is based on historical baselines among various customers that use the product. It can be very helpful when

making quantitative assessments.

ActiveX controls are small program building blocks used to allow a web browser to execute a program. They are similar to Java applets; however, Java applets can run on any platform, whereas ActiveX can run only on In- ternet Explorer (and Windows operating systems). You can see how a down- loadable, executable ActiveX control or Java applet from a suspect website could possibly contain viruses, spyware, or worse. These are known as

mali- cious add-ons—Flash scripts especially can be a security threat. Generally, you can disable undesirable scripts from either the advanced settings or by creating a custom security level or zone. If a particular script technology can- not be disabled within the browser, consider using a different browser, or a content filtering solution.

Note: Rule-based access control uses labels, is part of __, and should not be confused with role-based ac- cess control.

mandatory ac- cess control

A null pointer dereference occurs when the program dereferences a pointer that it expects to be valid, but is null, which can cause the application to exit, or the system to crash. From a programmatical standpoint, the main way to pre- vent this is

meticulous coding. Programmers can use special memory error analysis tools to enable error detection for a null pointer deference. Once identified, the programmer can correct the code that may be causing the er- ror(s).

Advanced smart cards have specialized cryptographic hardware that can use algorithms such as RSA and 3DES but generally use private keys to encrypt data. (More on encryption and these encryption types is provided in Chapter 14, "Encryption and Hashing Concepts.") A smart card might incorporate a

microprocessor (as is the case with the PIV and CAC cards).

Risk assessment is the attempt to determine the amount of threats or haz- ards that could possibly occur in a given amount of time to your computers and networks. When you assess risks, they are often recognized threats—but risk assessment can also take into account new types of threats that might occur. When risk has been assessed, it can be

mitigated up until the point in which the organization will accept any additional risk.

Some antivirus application suites have basic HIDS functionality, but true HIDS solutions are individual and separate applications that (5)

monitor log files, check for file integrity, monitor policies, detect rootkits, and alert the administrator in real time of any changes to the host. This is all done in an effort to detect malicious activity such as spamming, zombie/botnet activity, identity theft, keystroke logging, and so on.

One of the best things you can do to secure a RAS server is to deny access to individuals who don't require it. Even if the user or user group is set to "not configured," it is wise to specifically deny them access. Allow access to only those users who need it, and monitor on a daily basis the logs that list who connected. If there are any unknowns, investigate immediately. Be sure to update the permissions list often in the case that a remote user is terminated or otherwise leaves the organization. The next most important security precaution is to set up RAS authentication. One secure way is to use the Challenge-Handshake Authentication Protocol (CHAP), which is an authentication scheme used by the Point-to- Point Protocol (PPP), which in turn is the standard for dial-up connections. It uses a challenge-response mechanism with one-way encryption. Due to this, it is not capable of

mutual authentication in the way that Kerberos is, for example.

Types of EAP authentication: EAP-FAST: This uses a protected access credential instead of a certifi- cate to achieve

mutual authentication.

types of EAP authentication: EAP-TLS: This version uses Transport Layer Security, which is a certifi- cate-based system that does enable

mutual authentication. This does not work well in enterprise scenarios because certificates must be configured or managed on the client side and server side.

Password policies can be implemented to enforce the usage of complex pass- words and regulate how long passwords last. They can be configured on local computers, such as Windows operating systems, by

navigating to Adminis- trative Tools > Local Security Policy. When in the Local Security Settings window, continue to Security Settings > Account Policies > Password Policy.

Network documentation is an important part of defining the desired state of security. To develop adequate detailed network documentation, network mapping software should be used with

network diagramming software.

Tools such as Nmap and Nessus are also known as (describe)

network enumerators. Enumeration refers to a complete listing of items (such as port numbers); network enumerators extract information from servers including network shares, services running, groups of users, and so on. It is this additional ex- traction of information (enumerating) that sets them apart from a basic net- work mapping tool. This type of enumeration is also referred to as banner grabbing. Banner grabbing is a technique used to find out information about web servers, FTP servers, and mail servers. For example, it might be used by a network administrator to take inventory of systems and services running on servers. Or, it could be used by an attacker to grab information such as HTTP headers, which can tell the attacker what type of server is run- ning, its version number, and so on. Examples of banner-grabbing ap- plications include Netcat and Telnet. Aside from the security administrator (and perhaps auditors), no one should be running banner-grabbing tools, or network enumeration tools in general. A good security admin will attempt to sniff out any unpermitted usage of these tools.

Tools such as Nmap and Nessus are also known as network enumerators. Enumeration refers to a complete listing of items (such as port numbers); network enumerators extract information from servers including __(3), and so on.

network shares, services running, groups of users

Is TACACS+ compatible with TACACS?

no

types of EAP authentication: EAP-MD5: This is a challenge-based authentication providing basic EAP support. It enables only

one-way authentication and not mutual authentication.

Whatever the reason, it would be wise to scan computers and other devices for weak passwords with a password cracker, which uses comparative analysis to break passwords and systematically guesses until it cracks the password. And of course, a va- riety of password-cracking programs can help with this. For Windows com- puters, there is the well-documented Cain & Abel password recovery tool. This program has a bit of a learning curve but is quite powerful. It can be used to crack all kinds of different passwords on the local system or on re- mote devices and computers. It sniffs out other hosts on the network the way a protocol analyzer would. This is an excellent tool to find out whether weak passwords are on the network, or to help if users forget their passwords (when password resets are not possible). Figure 12-4 shows an example of Cain & Abel. You can see hashed passwords (encrypted) that the program has discovered for various accounts on a test computer. From these hashes, the program can attempt to crack the password and deliver the original plaintext version of the password. Cain & Abel is a free download, and many other tools are available for vari- ous platforms; some free, some not, including (5)

ophcrack, John the Ripper, THC-Hydra, Aircrack-ng (used to crack WPA preshared keys), and Rainbow- Crack.

In Linux, file permissions are broken down into three types: read, write, and execute (R, W, and X). They can be assigned to three different permission groups:

owner, group, and all users (U, G, and O or A).

When Password Policy is selected, you see the following policies: Password must meet complexity requirements: This means that

passwords must meet three of these four criteria: uppercase characters, low- ercase characters, digits between 0 and 9, and non-alphabetic characters (special characters).

Sometimes users have more than one account. This might have been done to allow access to multiple systems or resources. There are plenty of different issues that can occur because of this. To mitigate problems that can develop from a user having two accounts, consider the consolidation of accounts, for example, utilizing a federated identity management (FIM) system, one that will incorporate single sign-on (SSO). User administration can also benefit from credential management, where

passwords, certificates, and other logon credentials are stored in a special folder called a vault. A security administra- tor should also consider the use of roles (RBAC) and user groups.

buffer overflow: Let's say a programmer allows for 16 bytes in a string variable. This won't be a problem normally. However, if the programmer failed to verify that no more than 16 bytes could be copied over to the variable, that would create a vulnerability that an attacker could exploit with a buffer overflow attack. The buffer overflow can also be initiated by certain inputs. For example, corrupt- ing the stack with no-operation (no-op, NOP, or NOOP) machine instruc- tions, which when used in large numbers can start a NOP slide, can ultimate- ly lead to the execution of unwanted arbitrary code, or lead to a denial-of- service (DoS) on the affected computer. All this can be prevented by (4)

patching the system or application in question, making sure that the OS uses data execution prevention, and utilizing bounds checking, which is a programmatic method of detecting whether a particular variable is within design bounds before it is allowed to be used. It can also be prevented by using correct code, checking code carefully, and us- ing the right programming language for the job in question (the right tool for the right job, yes?). Without getting too much into the programming side of things, special values called "canaries" are used to protect against buffer overflows.

To avoid access violations when working with permissions, the "least privi- lege" or "minimal privilege" concept should be implemented. Give the users only the amount of access that they absolutely need. Note that permissions for long-term employees could suffer from privilege creep over time. To mit- igate this, consider

periodic user permission reviews and evaluation of ACLs. This permission auditing procedure will ensure that users have the access to the correct data. In general, this is known as user access recertification. Consider this procedure if a company has a particularly high attrition rate (hiring and terminating of employees). This will verify that users no longer with the company cannot log on to the network and cannot gain access to re- sources. It also ensures that new users can gain access to necessary resources.

Role-based access control (RBAC) is an access model that, like MAC, is controlled by the system, and, unlike DAC, not by the owner of a resource. However, RBAC is different from MAC in the way that

permissions are con- figured. RBAC works with sets of permissions, instead of individual permis- sions that are label-based. A set of permissions constitutes a role. When users are assigned to roles, they can then gain access to resources. A role might be the ability to complete a specific operation in an organization as opposed to accessing a single data file. For example, a person in a bank who wants to check a prospective client's credit score would be attempting to per- form a transaction that is allowed only if that person holds the proper role. So roles are created for various job functions in an organization. Roles might have overlapping privileges and responsibilities. Also, some general opera- tions can be completed by all the employees of an organization. Because there is overlap, an administrator can develop role hierarchies; these define roles that can contain other roles, or have exclusive attributes.

Cookies can also pose a security threat. Cookies are text files placed on the client computer that store information about it, which could include your computer's browsing habits and possibly user credentials. The latter are sometimes referred to as

persistent cookies, used so that a person doesn't have to log in to a website every time. By adjusting cookie settings, you can either accept all cookies, deny all cookies, or select one of several options in between. A high cookie security setting will usually block cookies that save information that can be used to contact the user, and cookies that do not have a privacy policy.

Hardware security modules (HSMs) are

physical devices that act as se- cure cryptoprocessors. This means that they are used for encryption during secure login/authentication processes, during digital signings of data, and for payment security systems. The beauty of a hardware-based encryption device such as an HSM (or a TPM) is that it is faster than software encryption.

802.1X is an IEEE standard that defines port-based network access control (PNAC). Not to be confused with 802.11x WLAN standards, 802.1X is a data link layer authentication technology used to connect hosts to a LAN or WLAN. 802.1X allows you to apply a security control that ties

physical ports to end-device MAC addresses, and prevents additional devices from being connected to the network. It is a good way of implementing port security, much better than simply setting up MAC filtering.

Note: In a Red Hat Enterprise environment that uses an SSO such as Kerberos, __ can be in- strumental in providing the systems admin/security admin flexi- bility and control over authentication, as well as fully document- ed libraries for the developer.

pluggable authentication modules (PAMs)

Another excellent tool is netcat (and Ncat), which is generally used in Lin- ux/Unix platforms. It can be used for (5)

port scanning, port listening, transfer- ring files, opening raw connections, and as a backdoor into systems.

802.1X is an IEEE standard that defines

port-based network access control (PNAC).

Cryptanalysis attack: Uses a considerable set of precalculated encrypt- ed passwords located in a lookup table. These tables are known as rainbow tables, and the type of password attack is also known as

precomputation, where all words in the dictionary (or a specific set of possible passwords) are hashed and stored. This is done in an attempt to recover passwords quicker. It is used with the ophcrack and RainbowCrack applications. This attack can be defeated by implementing salting, which is the randomization of the hashing process.

Kerberos—like any authentication system—is vulnerable to attack. Older Windows operating systems that run, or connect to, Kerberos are vulnerable to __; and newer Windows operating systems are vulnerable to __. Of course, Microsoft will quickly release updates for these kinds of vulnerabilities (as they are found), but for the security admin- istrator who does not allow Windows Update to automatically update, it's important to review the CVEs for the Microsoft systems often.

privilege escalation attacks; spoofing

Race conditions are also known as time-of-check (TOC) or time-of-use (TOU) attacks. Imagine that you are tasked with changing the permissions to a folder, or changing the rights in an ACL. If you remove all of the permissions and apply new per- missions, then there will be a short period of time where the resource (and system) might be vulnerable. This depends on the system used, how it de- faults, and how well you have planned your security architecture. That was a basic example, but the race condition is more common within the program- ming of an application. This exploit can be prevented by (2)

proper secure cod- ing of applications, and planning of the system and network architecture.

Application Security: One of the important roles for the server is key management—the creation, storage, usage, and retirement of encryption keys. Proper key management (and the regular updating of keys) is a security administrator's primary con- cern. Generally, an organization will

purchase a master key algorithm from a third-party company such as VeriSign. That company informs the organiza- tion if a key has become compromised and needs to be revoked. These third parties might also take part in credential management (the managing of usernames, passwords, PINs, and other passcodes, usually stored within a secure database) to make things a bit easier for the security administrator. It depends on the size of the organization and its budget. This gets quite in- depth, as you can imagine. For now, realize that a mobile device is an easy target. Therefore, applications (especially third-party apps) should be scruti- nized to make sure they are using a solid encryption plan when personal in- formation is transferred back and forth.

The two most common risk assessment methods are

qualitative and quanti- tative.

While variations of the waterfall model are commonplace, an organization might opt to use a different model, such as the V-shaped model, which stresses more testing, or __, which puts more emphasis on process and less emphasis on planning.

rapid application development (RAD)

Passive security analysis is when servers, devices, and networks are not af- fected by your analyses, scans, and other tests. It could be as simple as using documentation only to test the security of a system. For example, if an orga- nization's network documentation shows computers, switches, servers, and routers, but no firewall, you have found a vulnerability to the network (a rather large one). Passive security analysis might be required in

real-time, mission-critical networks or if you are conducting computer forensics analy- sis, but even if you are performing a passive security analysis, a backup of the system is normal procedure. Passive security analysis is also known as non-intrusive or non-invasive analysis.

However, the most common goal of risk management is to

reduce all risk to a level acceptable to the organization. It is impossible to eliminate all risk, but it should be mitigated as much as possible within reason. Usually, bud- geting and IT resources dictate the level of risk reduction, and what kind of deterrents can be put in place. For example, installing antivirus/firewall software on every client computer is common; most companies do this. However, installing a high-end, hardware-based firewall at every computer is not common; although this method would probably make for a secure net- work, the amount of money and administration needed to implement that solution would make it unacceptable.

Kerberos is designed to protect against __ and __.

replay attacks; eavesdropping

The XSS attack exploits the trust a user's browser has in a website. The con- verse of this, the XSRF attack, exploits the trust that a website has in a user's browser. In this attack (also known as a one-click attack), the user's browser is compromised and transmits unauthorized commands to the website. The chances of this attack can be reduced by (4)

requiring tokens on web pages that contain forms, special authentication techniques (possibly encrypted), scan- ning .XML files (which could contain the code required for unauthorized ac- cess), and submitting cookies twice instead of once, while verifying that both cookie submissions match.

After the risk transference, risk avoidance, and risk reduction techniques have been implemented, an organization is left with a certain amount of (describe)

residual risk—the risk left over after a detailed security plan and disaster recovery plan have been implemented. There is always risk, as a company cannot possibly foresee every future event, nor can it secure against every single threat. Senior management as a collective whole is ultimately respon- sible for deciding how much residual risk there will be in a company's in- frastructure, and how much risk there will be to the company's data. Often, no one person will be in charge of this, but it will be decided on as a group.

As a final word on this, once code is properly tested and approved, it should be

reused whenever possible. This helps to avoid "re-creating the wheel" and avoids common mistakes that a programmer might make that others might have already fixed. Just remember, code reuse is only applicable if the code is up to date and approved for use.

However, the most common goal of risk management is to reduce all risk to a level acceptable to the organization. It is impossible to eliminate all risk, but it should be mitigated as much as possible within reason. Usually, bud- geting and IT resources dictate the level of risk reduction, and what kind of deterrents can be put in place. For example, installing antivirus/firewall software on every client computer is common; most companies do this. However, installing a high-end, hardware-based firewall at every computer is not common; although this method would probably make for a secure net- work, the amount of money and administration needed to implement that solution would make it unacceptable. This leads to

risk acceptance, also known as risk retention. Most organiza- tions are willing to accept a certain amount of risk. Sometimes, vulnerabili- ties that would otherwise be mitigated by the implementation of expensive solutions are instead dealt with when and if they are exploited. IT budgeting and resource management are big factors when it comes to these risk man- agement decisions.

An excellent tool to create during your risk assessment is a (describe)

risk register, also known as a risk log, which helps to track issues and address problems as they occur. After the initial risk assessment, a security administrator will continue to use and refer to the risk register. This can be a great tool for just about any organization but can be of more value to certain types of organiza- tions, such as manufacturers that utilize a supply chain. In this case, the or- ganization would want to implement a specialized type of risk management called supply chain risk management (SCRM). This is when the organiza- tion collaborates with suppliers and distributors to analyze and reduce risk.

risk acceptance, also known as

risk retention

Role-based access control (RBAC) is an access model that, like MAC, is controlled by the system, and, unlike DAC, not by the owner of a resource. However, RBAC is different from MAC in the way that permissions are con- figured. RBAC works with sets of permissions, instead of individual permis- sions that are label-based. A set of permissions constitutes a role. When users are assigned to roles, they can then gain access to resources. A role might be the ability to complete a specific operation in an organization as opposed to accessing a single data file. For example, a person in a bank who wants to check a prospective client's credit score would be attempting to per- form a transaction that is allowed only if that person holds the proper role. So roles are created for various job functions in an organization. Roles might have overlapping privileges and responsibilities. Also, some general opera- tions can be completed by all the employees of an organization. Because there is overlap, an administrator can develop

role hierarchies; these define roles that can contain other roles, or have exclusive attributes.

A runtime error is a program error that occurs while the program is run- ning. The term is often used in contrast to other types of program errors, such as syntax errors and compile-time errors. Runtime errors might include __(5), all of which can only be discovered by running the program as a user.

running out of memory, invalid memory address access, invalid parameter value, or buffer overflows/dereferencing a null pointer (to name a few)

The beauty of mobile devices is in their inherent portability—that and the ability to track SIM cards. Administrators of mobile devices should consider remote lockout programs. If a device is lost or stolen, the admin can lock the device, disallowing a would-be attacker access. In addition, the device can be configured to use the "three strikes and you're out" rule, meaning that if a user tries to be authenticated to the device and is unsuccessful after three at- tempts, the user is locked out. Taking it to the next level, if the data is ex- tremely sensitive, you might want to consider a remote wipe program. If the mobile device is reported as lost or stolen, these programs can remove all data from the phone in a bit by bit process, making it difficult (if not impos- sible) to recover. This is known as __ the phone remotely.

sanitizing

Compensating controls, also known as alternative controls, are mechanisms put in place to

satisfy security requirements that are either impractical or too difficult to implement. For example, instead of using expensive hardware- based encryption modules, an organization might opt to use network access control (NAC), data loss prevention (DLP), and other security methods. Or, on the personnel side, instead of implementing segregation of duties, an or- ganization might opt to do additional logging and auditing. (See Chapter 18 for more information on segregation of duties.) Approach compensating controls with great caution. They do not give the same level of security as their replaced counterparts.

The increasing popularity of the agile model led to DevOps, and subsequent- ly, the practice of secure DevOps. DevOps is a portmanteau of the terms soft- ware development and information technology operations. It emphasizes the collaboration of those two departments so that the coding, testing, and releasing of software can happen more efficiently—and hopefully, more se- curely. DevOps is similar to continuous delivery—which focuses on au- tomation and quick execution—but from an organizational standpoint is broader and supports greater collaboration. A secure DevOps environment should include the following concepts: (6)

secure provisioning and deprovision- ing of software, services, and infrastructure; security automation; continu- ous integration; baselining; infrastructure as code; and immutable systems. Immutable means unchanging over time. From a systems and infrastructure viewpoint it means that software and services are replaced instead of being changed. Rapid, efficient deployment of new applications is at the core of DevOps and it is one of the main tasks of all groups involved.

In Windows, there are two types of permissions. Sharing permissions are ba- sic permissions including Full Control, Change, and Read, which are applied to folders only. These are often ignored in favor of the more powerful (and superseding) NTFS permissions, also called __, which can secure folders and individual files.

security permissions

Mandatory access control (MAC) is an access control policy determined by a computer system, not by a user or owner, as it is in DAC. Permissions are predefined in the MAC model. Historically, it has been used in highly classified government and military multilevel systems, but you will find less- er implementations of it in today's more common operating systems as well. The MAC model defines

sensitivity labels that are assigned to subjects(users) and objects (files, folders, hardware devices, network connections, and so on). A subject's label dictates its security level, or level of trust. An ob- ject's label dictates what level of clearance is needed to access it, also known as a trust level (this is also known as data labeling). The access controls in a MAC system are based on the security classification of the data and "need- to-know" information—where a user can access only what the system consid- ers absolutely necessary. Also, in the MAC model, data import and export are controlled. MAC is the strictest of the access control models.

Note: The Default Domain Policy affects all users. This is okay for small networks, but for larger networks,

separate organizational units should be created, each with its own security policy. From there, group-based privileges and individual user-based privi- leges can be expertly defined.

Another concern is web-based SSO. Web-based SSO can be problematic due to disparate proprietary technologies. To help alleviate this problem, the XML-based Security Assertion Markup Language (SAML) and the OpenID Connect protocol were developed. OpenID Connect is an interoperable au- thentication protocol based on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows with a design goal of "making simple things simple and complicated things possible." Both OpenID Con- nect and SAML specify

separate roles for the user, the service provider, and the identity provider. Shibboleth is also based on SAML.

Tracking cookies are used by spyware to collect information about a web user's activities. Cookies can also be the target for various attacks; namely,

session cookies are used when an attacker attempts to hijack a session. There are several types of session hijacking. One common type is cross-site script- ing (also known as XSS), which is when the attacker manipulates a client computer into executing code considered trusted as if it came from the server the client was connected to. In this way, the attacker can acquire the client computer's session cookie (allowing the attacker to steal sensitive in- formation) or exploit the computer in other ways.

One of the best things you can do to secure a RAS server is to deny access to individuals who don't require it. Even if the user or user group is set to "not configured," it is wise to specifically deny them access. Allow access to only those users who need it, and monitor on a daily basis the logs that list who connected. If there are any unknowns, investigate immediately. Be sure to update the permissions list often in the case that a remote user is terminated or otherwise leaves the organization. The next most important security precaution is to

set up RAS authentication. One secure way is to use the Challenge-Handshake Authentication Protocol (CHAP), which is an authentication scheme used by the Point-to- Point Protocol (PPP), which in turn is the standard for dial-up connections. It uses a challenge-response mechanism with one-way encryption. Due to this, it is not capable of mutual authentication in the way that Kerberos is, for example. CHAP uses DES and MD5 encryption types, which we cover in Chapter 14. Microsoft developed its own version of CHAP known as MS- CHAP; an example of this is shown in Figure 10-5. The figure shows the Ad- vanced Security Settings dialog box of a dial-up connection. Notice that this particular configuration shows that encryption is required, and that the only protocol allowed is MS-CHAPv2. It's important to use version 2 of MS-CHAP because it provides for mutual authentication between the client and the au- thenticator. Of course, the RAS server has to be configured to accept MS- CHAP connections as well. You also have the option to enable EAP for the dial-up connection. Other RAS authentication protocols include SPAP, which is of lesser security, and PAP, which sends usernames and passwords in clear text—obviously insecure and to be avoided.

A secure DevOps environment should include the following concepts: secure provisioning and deprovision- ing of software, services, and infrastructure; security automation; continu- ous integration; baselining; infrastructure as code; and immutable systems. Immutable means unchanging over time. From a systems and infrastructure viewpoint it means that

software and services are replaced instead of being changed. Rapid, efficient deployment of new applications is at the core of DevOps and it is one of the main tasks of all groups involved.

A runtime error is a program error that occurs while the program is run- ning. The term is often used in contrast to other types of program errors, such as syntax errors and compile-time errors. Runtime errors might include running out of memory, invalid memory address access, invalid parameter value, or buffer overflows/dereferencing a null pointer (to name a few), all of which can only be discovered by running the program as a user. Another po- tential runtime error can occur if there is an attempt to divide by zero. These types of errors result in a

software exception. Software and hardware excep- tions need to be handled properly. Consequently, structured exception handling (SEH) is a mechanism used to handle both types of exceptions. It enables the programmer to have complete control over how exceptions are handled and provides support for debugging.

HSMs can be found in adapter card form, as devices that plug into a comput- er via USB, and as network-attached devices. They are generally tamper- proof, giving a high level of physical security. They can also be used in high- availability clustered environments because they work independently of oth- er computer systems and are used solely to calculate the data required for encryption keys. However, many of these devices require

some kind of man- agement software to be installed on the computer they are connected to. Some manufacturers offer this software as part of the purchase, but others do not, forcing the purchaser to build the management software themselves. Due to this lack of management software, and the cost involved in general, HSMs have seen slower deployment with some organizations. This concept also holds true for hardware-based drive encryption solutions.

On the other side of the spectrum, white-box testing (also known as trans- parent testing) is a way of testing the internal workings of the application or system. Testers must have programming knowledge and are given detailed information about the design of the system. They are given login details, pro- duction documentation, and source code. System testers might use a combi- nation of fuzzing (covered shortly), data flow testing, and other techniques such as (3) (describe)

stress testing, penetration testing, and sandboxes. Stress testing is usually done on real-time operating systems, mission-critical systems, and software, and checks if they have the robustness and availability required by the organization. A penetration test is a method of evaluating a system's se- curity by simulating one or more attacks on that system. We speak more about penetration testing in Chapter 12, "Vulnerability and Risk Assessment." A sandbox is a term applied to when a web script (or other code) runs in its own environment (often a virtual environment) for the ex- press purpose of not interfering with other processes, often for testing. Sand- boxing technology is frequently used to test unverified applications for mal- ware, malignant code, and possible errors such as buffer overflows.

A runtime error is a program error that occurs while the program is run- ning. The term is often used in contrast to other types of program errors, such as syntax errors and compile-time errors. Runtime errors might include running out of memory, invalid memory address access, invalid parameter value, or buffer overflows/dereferencing a null pointer (to name a few), all of which can only be discovered by running the program as a user. Another po- tential runtime error can occur if there is an attempt to divide by zero. These types of errors result in a software exception. Software and hardware excep- tions need to be handled properly. Consequently, __ is a mechanism used to handle both types of exceptions. It enables the programmer to have complete control over how exceptions are handled and provides support for debugging.

structured exception handling (SEH)

An excellent tool to create during your risk assessment is a risk register, also known as a risk log, which helps to track issues and address problems as they occur. After the initial risk assessment, a security administrator will continue to use and refer to the risk register. This can be a great tool for just about any organization but can be of more value to certain types of organiza- tions, such as manufacturers that utilize a supply chain. In this case, the or- ganization would want to implement a specialized type of risk management called (describe)

supply chain risk management (SCRM). This is when the organiza- tion collaborates with suppliers and distributors to analyze and reduce risk.

Secure boot, also known as trusted boot, is an excellent method for protect- ing the boot process. However, if something occurs that causes the boot process to fail, we won't know because that data is stored in the UEFI of the system that failed to boot. More importantly, we want to be sure that secure boot is working properly. Enter the measured boot option. Measured boot...

takes measurements of each step of the secure boot process. It signs them, stores them, and sends those measurements to an external source, such as a remote attestation service. A trusted, external, third-party system is required for attestation—meaning verification of the integrity of the computer in question has been corroborated. Basically, the remote attestation service compares the measurements with known good values. From this informa- tion, the remote service can attest to the fact that the boot process is indeed secure—or has failed to meet the requirements.

Operational controls: These are the controls executed by people. They are designed to increase individual and group system security. They include user awareness and training, fault tolerance and disaster recovery plans, in- cident handling, computer support, baseline configuration development, and environmental security. The people who carry out the specific requirements of these controls must have

technical expertise and understand how to im- plement what management desires of them.

Vulnerability management can be broken down into five steps: Monitor the environment: When you finish mitigation, monitor the environment and compare the results to the original baseline. Use the new results as the post-mitigation baseline to be compared against future analyses. (Consider tools that can perform automated baseline reporting.) Because new vulnerabilities are always being discovered, and because com- pany policies may change over time, you should periodically monitor the en- vironment and compare your results to the post-mitigation baseline. Do this anytime policies change or the environment changes. Be careful to monitor for false positives—when a test reports a vulnerability as present when in fact there is none—they can be real time-wasters. If possible, use __(3) to automate your monitoring ef- forts and employ continuous monitoring and configuration validation. All of these things will help to reduce risk.

templates, scripts, and built-in system functionality

Watch out for split tunneling. This is when a client system (for example, a mobile device) can access a public network and a LAN at the same time us- ing one or more network connections. For example, a remote user might connect to the Internet through a hotel's Wi-Fi network. If the user needs to access resources on the company LAN, the VPN software will take control. But if the user needs to connect to websites on the Internet, the hotel's gate- way will provide those sessions. While this can provide for bandwidth con- servation and increase efficiency, it can also bypass upper-layer security in place within the company infrastructure. While it is common, split tunneling should be

tested thoroughly before being allowed by administrators. For ex- ample, simulate the split tunnel from a remote location, then perform vul- nerability scans and capture packets. Analyze the session in depth and log your findings.

One of the advantages of using a HIDS is

that it can interpret encrypted traffic.

Penetration testing is a method of evaluating the security of a system by simulating one or more attacks on that system. One of the differences be- tween regular vulnerability scanning and penetration testing is (2)

that vulnera- bility scanning may be passive or active, whereas penetration testing will be active. Generally, vulnerability scans will not exploit found threats, but pene- tration testing will definitely exploit those threats. Another difference is that vulnerability scanning will seek out all vulnerabilities and weaknesses within an organization. But penetration tests are designed to determine the impact of a particular threat against an organization. For each individual threat, a different penetration test will be planned.

Network documentation is an important part of defining the desired state of security. To develop adequate detailed network documentation, network mapping software should be used with network diagramming software. Net- work mapping is the study of physical and logical connectivity of net- works. One example of automated network mapping software is the Network Topology Mapper by SolarWinds. This product can map elements on layers 1 through 3 of the OSI model, giving you a thorough representation of what is on the network. This type of network scan is not for

the "weak of band- width." It should be attempted only during off-hours (if there is such a thing nowadays), if possible; otherwise, when the network is at its lowest point of usage. Most network mapping programs show routers, layer 3 switches, client computers, servers, and virtual machines. You can usually export the mapped contents directly to Microsoft Visio, a handy time-saver.

Discretionary access control (DAC) is an access control policy generally determined by the owner. Objects such as files and printers can be created and accessed by the owner. Also, the owner decides which users are allowed to have access to the objects, and what level of access they may have. The levels of access, or permissions, are stored in access control lists (ACLs). Originally, DAC was described in The Orange Book as the Discretionary Se- curity Policy and was meant to enforce a consistent set of rules governing limited access to identified individuals. The Orange Book's proper name is the Trusted Computer System Evaluation Criteria, or TCSEC, and was developed by the U.S. Department of Defense (DoD); however, The Or- ange Book is old (they refer to it in the movie Hackers in the 1990s!), and the standard was superseded in 2005 by an international standard called

the Common Criteria for Information Technology Security Evaluation (or simply Common Criteria). But the DAC methodology lives on in many of today's personal computers and client/server networks.

More important, policies can be configured for an entire network; for exam- ple, on a Microsoft domain. This would be known as a group policy and there can be more than one. A group policy can affect the entire domain or an indi- vidual organizational unit. The main group policy is known as

the Default Domain Policy. Figure 11-9 shows an example of the Default Domain Policy added to an MMC. To access the Password Policy section, you would navi- gate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.

When Password Policy is selected, you see the following policies: To effectively stop users from reusing the same password, a security admin- istrator should combine

the Enforce Password History policy with the Mini- mum Password Age policy. The Minimum Password Age setting must be less than the Maximum Password Age setting and must be more than zero to en-force a password history policy. In addition, the security administrator might need to create a policy that states that passwords cannot be changed more than once a day: This would prevent users from changing their passwords Xnumber of times in an attempt to bypass that password history policy.

Another concept similar to cookies is locally shared objects (LSOs), also called Flash cookies. These are data that Adobe Flash-based websites store on users' computers, especially for Flash games. The privacy concern is that LSOs are used by a variety of websites to collect information about users' browsing habits. However, LSOs can be disabled via

the Flash Player Set- tings Manager (a.k.a. Local Settings Manager) in most of today's operating systems. LSOs can also be deleted entirely with third-party software, or by accessing the user's profile folder in Windows.

It's important to note that when logging on to a Microsoft network, the logon process is secured by

the Kerberos protocol, which is run by the domain con- troller. This adds a layer of protection for the username and password as they are authenticated across the network. When users take a break or go to lunch, they should lock the computer. This can be done by pressing Win- dows+L. When doing so, the operating system goes into a locked state, and the only way to unlock the computer is to enter the username and password of the person who locked the computer. The difference between this and log- ging out is that a locked computer keeps all the session's applications and files open, whereas logging out closes all applications and open files. A policy can also be configured to force locking after a certain amount of time has elapsed. Literally hundreds of policies are configurable. You could spend weeks doing it! Microsoft understands this and offers various levels of secu- rity templates that can be imported into your OU policy, making your job as an administrator a bit easier. A particular template might be just what you are looking for, or it might need a bit of tweaking. But in most cases it beats starting from scratch!

Moving on, the Terminal Access Controller Access-Control System (TACACS) is one of the most confusing-sounding acronyms ever. Now that we have reached the pinnacle of computer acronyms, let's really discuss what it is. TACACS is another remote authentication protocol that was used more often in Unix networks. In Unix, the TACACS service is known as

the TACACS daemon. The newer and more commonly used implementation of TACACS is called Terminal Access Controller Access-Control System Plus (TACACS+). It is not backward compatible with TACACS. TACACS+, and its predecessor XTACACS, were developed by Cisco. TACACS+ uses in- bound port 49 like its forerunners; however, it uses TCP as the transport mechanism instead of UDP. Let's clarify: the older TACACS and XTACACS technologies are not commonly seen anymore. The two common protocols for remote authentication used today are RADIUS and TACACS+.

Another concern is web-based SSO. Web-based SSO can be problematic due to disparate proprietary technologies. To help alleviate this problem, __ and __ were developed.

the XML-based Security Assertion Markup Language (SAML); the OpenID Connect protocol

ActiveX controls are small program building blocks used to allow a web browser to execute a program. They are similar to Java applets; however, Java applets can run on any platform, whereas ActiveX can run only on In- ternet Explorer (and Windows operating systems). You can see how a down- loadable, executable ActiveX control or Java applet from a suspect website could possibly contain viruses, spyware, or worse. These are known as mali- cious add-ons—Flash scripts especially can be a security threat. Generally, you can disable undesirable scripts from either

the advanced settings or by creating a custom security level or zone. If a particular script technology can- not be disabled within the browser, consider using a different browser, or a content filtering solution.

Brute-force attack: When every possible password instance is attempt- ed. This is often a last resort due to

the amount of CPU resources it might re-quire. It works best on shorter passwords but can theoretically break any password given enough time and CPU power. For example, a four-character, lowercase password with no numbers or symbols could be cracked quickly. But a ten-character, complex password would take much longer; some com- puters will fail to complete the process. Also, you must consider whether the attack is online or offline. Online means that a connection has been made to the host, giving the password-cracking program only a short window to break the password. Offline means that there is no connection and that the password-cracking computer knows the target host's password hash and hashing algorithm, giving the cracking computer more (or unlimited) time to make the attempt. Some password-cracking programs are considered hy- brids and make use of dictionary attacks (for passwords with actual words in them) and brute-force attacks (for complex passwords).

Risk assessment is

the attempt to determine the amount of threats or haz- ards that could possibly occur in a given amount of time to your computers and networks. When you assess risks, they are often recognized threats—but risk assessment can also take into account new types of threats that might occur. When risk has been assessed, it can be mitigated up until the point in which the organization will accept any additional risk.

The KDC is composed of two logical parts:

the authenti- cation server and the ticket-granting server.

Wi-Fi has many vulnerabilities as well. Not only should mobile devices con- nect in a secure, encrypted fashion, but also the security administrator needs to keep a sharp eye on

the current CVEs, and the available updates and patches for those vulnerabilities. For example, there was a flaw in the pro- gramming of a well-known Wi-Fi System on Chip (SoC). The firmware had a vulnerability that could result in buffer overflows, which could then be ex- ploited by an attacker—connecting remotely via Wi-Fi—ultimately allowing the execution of their own code. Sometimes SoCs are not properly vetted for vulnerabilities and so security administrators must be ready to patch at a moment's notice—and this applies not only to smartphones and other typical mobile devices, but also to just about any devices in the Internet of Things (IoT) that have built-in Wi-Fi connections.

When Password Policy is selected, you see the following policies: Maximum and minimum password age: This defines exactly how long a password can be used. The maximum is initially set to 42 days but does not affect

the default Administrator account. To enforce effective pass- word history, the minimum must be higher than zero. This is part of a cate- gory known as password expiration.

Threat modeling enables you to prioritize threats to an applica- tion, based on their potential impact. This modeling process includes identi- fying assets to the system or application, uncovering vulnerabilities, identify- ing threats, documenting threats, and rating those threats according to their potential impact. The more risk, the higher the rating. Threat modeling is of- ten incorporated into the SDLC during what phases?

the design, testing, and deployment phases.

Two web application vulnerabilities to watch out for include cross-site scripting (XSS) and cross-site request forgery (XSRF). XSS holes are vulnerabilities that can be exploited with a type of code injec- tion. Code injection is

the exploitation of a computer programming bug or flaw by inserting and processing invalid information—it is used to change how the program executes data. In the case of an XSS attack, an attacker in- serts malicious scripts into a web page in the hopes of gaining elevated privi- leges and access to session cookies and other information stored by a user's web browser. This code (often Java-Script) is usually injected from a sepa- rate "attack site." It can also manifest itself as an embedded JavaScript im- age tag, header manipulation (as in manipulated HTTP response headers), or other HTML embedded image object within e-mails (that are web-based). The XSS attack can be defeated by programmers through the use of output encoding (JavaScript escaping, CSS escaping, and URL encoding), by pre- venting the use of HTML tags, and by input validation: for example, check- ing forms and confirming that input from users does not contain hypertext. On the user side, the possibility of this attack's success can be reduced by in- creasing cookie security and by disabling scripts in the ways mentioned in the first section of this chapter, "Securing the Browser." If XSS attacks by e- mail are a concern, the user could opt to set his e-mail client to text only.

Network intrusion detection system (NIDS): Ad- vantages (compared to host based) include (2)

the fact that it is less expensive and less resource intensive, and an entire network can be scanned for malicious activity as opposed to just one computer.

The most important parts of vulnerability management are

the finding and mitigating of vulnerabilities. Actual tools used to conduct vulnerability as- sessments include network mappers, port scanners, and other vulnerability scanners, ping scanners, protocol analyzers (also called network sniffers), and password crackers. Vulnerability assessments might discover confiden- tial data or sensitive data that is not properly protected, open ports, weak passwords, default configurations, prior attacks, system failures, and so on. Vulnerability assessments or vulnerability scanning can be taken to the next level by administering a penetration test.

Often, HSMs are involved in

the generation, storage, and archiving of en- crypted key pairs such as the ones used in Secure Sockets Layer (SSL) ses- sions online, public key cryptography, and public key infrastructures (PKIs), which we discuss more in Chapter 14, "Encryption and Hashing Concepts," and Chapter 15, "PKI and Encryption Protocols."

A security admin should monitor the biometric system for errors. Generally, if either the false acceptance rate (FAR) or the false rejection rate (FRR) goes above 1%, it should be investigated further—perhaps .1% for some organiza- tions. More importantly, the two should be collectively analyzed with thecrossover error rate (CER). This is also known as the equal error rate (EER) because

the goal is to keep both the FAR and FRR errors at a common value, or as close as possible.

Risk management can be defined as

the identification, assessment, and prioritization of risks, and the mitigating and monitoring of those risks.

When Password Policy is selected, you see the following policies: Enforce password history: When this is defined, users cannot use any of the passwords remembered in the history. If you set the history to 3,

the last three passwords cannot be reused when it is time to change the password.

Secure boot, also known as trusted boot, is an excellent method for protect- ing the boot process. However, if something occurs that causes the boot process to fail, we won't know because that data is stored in the UEFI of the system that failed to boot. More importantly, we want to be sure that secure boot is working properly. Enter

the measured boot option. Measured boot takes measurements of each step of the secure boot process. It signs them, stores them, and sends those measurements to an external source, such as a remote attestation service. A trusted, external, third-party system is required for attestation—meaning verification of the integrity of the computer in question has been corroborated. Basically, the remote attestation service compares the measurements with known good values. From this informa- tion, the remote service can attest to the fact that the boot process is indeed secure—or has failed to meet the requirements.

Note: In a Windows environment there are two types of permissions: share permissions and NTFS permissions. By default, (which are applied to the user?)

the more restrictive of the two sets of permissions is applied to the user. However, quite often an administrator will configure NTFS per- missions to take precedence over share permissions—and ef- fectively "ignore" the share permissions.

Discretionary access control (DAC) is an access control policy generally determined by

the owner. Objects such as files and printers can be created and accessed by the owner. Also, the owner decides which users are allowed to have access to the objects, and what level of access they may have. The levels of access, or permissions, are stored in access control lists (ACLs).

RADIUS encrypts only

the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other infor- mation such as the username can be easily captured, without need of decryp- tion, by a third party. However, TACACS+ encrypts the entire body of the ac- cess-request packet. So, effectively TACACS+ encrypts entire client-server dialogues, whereas RADIUS does not. Finally, TACACS+ provides for more types of authentication requests than RADIUS.

When a standard end user requires administrator privileges to perform cer- tain tasks such as installing an application, a small pop-up UAC window ap- pears, notifying the user that an administrator credential is necessary. If the user has administrative rights and clicks Continue, the task is carried out, but if the user does not have sufficient rights, the attempt fails. Note that these pop-up UAC windows do not appear if

the person is logged on with the actual Administrator account.

Figure 10-6 illustrates a single computer connecting to a VPN server at an office, which is typical and is known as VPN remote access. However, organi- zations sometimes need to connect multiple offices to each other. This is done with a site-to-site configuration, where each site has a VPN device (SOHO router, concentrator, or server) that takes care of VPN connections for each network of computers. Site-to-site VPNs are generally more secure because an admin can specify that only specific networks can connect—and can do it in a private intranet fashion. If a company is growing, site-to-site is the way to go, whether the company is flourishing geographically or is simply inhabiting a separate space of the same building. When separate networks are connected in the same building, it is often wise to use a VPN, because

the physical wiring might pass through a public area.

Vulnerability management is

the practice of finding and mitigating soft- ware vulnerabilities in computers and networks. It consists of analyzing net- work documentation, testing computers and networks with a variety of secu- rity tools, mitigating vulnerabilities, and periodically monitoring for effects and changes. Vulnerability management can be broken down into five steps: Step 1. Define the desired state of security: An organization might have written policies defining the desired state of security, or you as the se- curity administrator might have to create those policies. These policies in- clude access control rules, device configurations, network configurations, network documentation, and so on. Step 2. Create baselines: After the desired state of security is defined, baselines should be taken to assess the current security state of computers, servers, network devices, and the network in general. These baselines are known as vulnerability assessments. The baselines should find as many vulnerabilities as possible utilizing vulnerability scans and other scanning and auditing methods. These baselines will be known as premitigation base- lines and should be saved for later comparison. Step 3. Prioritize vulnerabilities: Which vulnerabilities should take precedence? For example, the e-commerce web server we talked about earli- er should definitely have a higher priority than a single client computer that does not have antivirus software installed. Prioritize all the vulnerabilities; this creates a list of items that need to be mitigated in order. Step 4. Mitigate vulnerabilities: Go through the prioritized list and miti- gate as many of the vulnerabilities as possible. This depends on the level of acceptable risk your organization allows. Mitigation techniques might in- clude secure code review, and a review of system and application architec- ture and system design. Step 5. Monitor the environment: When you finish mitigation, monitor the environment and compare the results to the original baseline. Use the new results as the post-mitigation baseline to be compared against future analyses. (Consider tools that can perform automated baseline reporting.) Because new vulnerabilities are always being discovered, and because com- pany policies may change over time, you should periodically monitor the en- vironment and compare your results to the post-mitigation baseline. Do this anytime policies change or the environment changes. Be careful to monitor for false positives—when a test reports a vulnerability as present when in fact there is none—they can be real time-wasters. If possible, use templates, scripts, and built-in system functionality to automate your monitoring ef- forts and employ continuous monitoring and configuration validation. All of these things will help to reduce risk.

Another potential memory-related issue deals with pointer dereferencing— for example, the null pointer dereference. Pointer dereferencing is common in programming; when you want to access data (say, an integer) in memory, dereferencing the pointer would retrieve different data from a different sec- tion of memory (perhaps a different integer). Programs that contain a null pointer dereference generate memory fault errors (memory leaks). A null pointer dereference occurs when

the program dereferences a pointer that it expects to be valid, but is null, which can cause the application to exit, or the system to crash. From a programmatical standpoint, the main way to pre- vent this is meticulous coding. Programmers can use special memory error analysis tools to enable error detection for a null pointer deference. Once identified, the programmer can correct the code that may be causing the er- ror(s). But this concept can be used to attack systems over the network by initiating IP address to hostname resolutions—ones that the attacker hopes will fail—causing a return null. What this all means is that the network needs to be protected from attackers attempting this (and many other) program- matical and memory-based attacks via a network connection. We'll discuss how to do that in Chapters 6 through 9 .

Code issues and errors that occur in either compile time or run time could lead to vulnerabilities in the software. However, it's __(which one) that we are more interested in from a security perspective,

the runtime environ- ment (because that more often is where the attacker will attempt to exploit software and websites.)

Mandatory access control (MAC) is an access control policy determined by a computer system, not by a user or owner, as it is in DAC. Permissions are predefined in the MAC model. Historically, it has been used in highly classified government and military multilevel systems, but you will find less- er implementations of it in today's more common operating systems as well. The MAC model defines sensitivity labels that are assigned to subjects(users) and objects (files, folders, hardware devices, network connections, and so on). A subject's label dictates its security level, or level of trust. An ob- ject's label dictates what level of clearance is needed to access it, also known as a trust level (this is also known as data labeling). The access controls in a MAC system are based on __and __. Also, in the MAC model, data import and export are controlled.

the security classification of the data ; "need- to-know" information—where a user can access only what the system consid- ers absolutely necessary

A smart card security system usually is composed of (3)

the smart card itself, smart card readers, and a back-office database that stores all the smart card access control lists and history.

The power of the dictionary attack depends on

the strength of the dictionary used by the password-cracking program.

Net- work mapping is

the study of physical and logical connectivity of net- works. One example of automated network mapping software is the Network Topology Mapper by SolarWinds. This product can map elements on layers 1 through 3 of the OSI model, giving you a thorough representation of what is on the network. This type of network scan is not for the "weak of band- width." It should be attempted only during off-hours (if there is such a thing nowadays), if possible; otherwise, when the network is at its lowest point of usage. Most network mapping programs show routers, layer 3 switches, client computers, servers, and virtual machines. You can usually export the mapped contents directly to Microsoft Visio, a handy time-saver.

Role-based access control (RBAC) is an access model that, is controlled by

the system (like MAC), and, unlike DAC, not by the owner of a resource. However, RBAC is different from MAC in the way that permissions are con- figured. RBAC works with sets of permissions, instead of individual permis- sions that are label-based. A set of permissions constitutes a role. When users are assigned to roles, they can then gain access to resources. A role might be the ability to complete a specific operation in an organization as opposed to accessing a single data file. For example, a person in a bank who wants to check a prospective client's credit score would be attempting to per- form a transaction that is allowed only if that person holds the proper role. So roles are created for various job functions in an organization. Roles might have overlapping privileges and responsibilities. Also, some general opera- tions can be completed by all the employees of an organization. Because there is overlap, an administrator can develop role hierarchies; these define roles that can contain other roles, or have exclusive attributes.

The CIA concepts are important when doing a secure code review, which can be defined as an in-depth code inspection procedure. It is often included by organizations as part of what phase?

the testing phase of the SDLC but is usually con- ducted before other tests such as fuzzing or penetration tests, which we dis- cuss more later in this chapter.

One common pen test technique is the pivot. Once an attacker or tester has gained access to a system with an initial exploit, the pivot allows for move- ment to other systems in the network. Pivoting might occur through the same exploit used to compromise the first system; a second exploit; or infor- mation discovered when accessing a previous system—also known as pillag- ing. Pivoting can be prevented through (4)

the use of host-based IDS and IPS, secure coding, network-based solutions such as unified threat management (UTM), and, of course, good solid network and system planning.

Attribute-based access control (ABAC) is an access model that is dy- namic and context-aware. Access rights are granted to users through

the use of multiple policies that can combine various user, group, and resource at- tributes together. It makes use of IF-THEN statements based on the user and requested resource. For example, if David is a systems administrator,then allow full control access to the \\dataserver\ adminfolder share. If implemented properly, it can be a more flexible solu- tion. As of the writing of this book, many technologies—and organizations— are moving toward a more context-sensitive, context-aware mindset when it comes to authentication and access control.

The XSS attack can be defeated by programmers through (3)

the use of output encoding (JavaScript escaping, CSS escaping, and URL encoding), by pre- venting the use of HTML tags, and by input validation: for example, check- ing forms and confirming that input from users does not contain hypertext.

The XSS attack exploits the trust a user's browser has in a website. The con- verse of this, the XSRF attack, exploits the trust that a website has in a user's browser. In this attack (also known as a one-click attack),

the user's browser is compromised and transmits unauthorized commands to the website. The chances of this attack can be reduced by requiring tokens on web pages that contain forms, special authentication techniques (possibly encrypted), scan- ning .XML files (which could contain the code required for unauthorized ac- cess), and submitting cookies twice instead of once, while verifying that both cookie submissions match.

Threat modeling enables you to prioritize threats to an applica- tion, based on

their potential impact. This modeling process includes identi- fying assets to the system or application, uncovering vulnerabilities, identify- ing threats, documenting threats, and rating those threats according to their potential impact. The more risk, the higher the rating. Threat modeling is of- ten incorporated into the SDLC during the design, testing, and deployment phases.

Core SDLC and DevOps Principles: Another important concept is code checking, which involves limiting the reuse of code to that which has been approved for use, and removing dead code. It's also vital to incorporate good memory management tech- niques. Finally, be very careful when using

third-party libraries and software development kits (SDKs), and test them thoroughly before using them with- in a live application.

In order to have a successful BYOD implementation, the key is to implementstorage segmentation—a clear separation of organizational and personal information, applications, and other content. It must be unmistakable where the data ownership line occurs. For networks with a lot of users, consider

third-party offerings from companies that make use of mobile device management (MDM) platforms. These are centralized software solutions that can control, configure, update, and secure remote mobile devices such as Android, iOS, BlackBerry, and so on, all from one administrative console.The MDM software can be run from a server within the organization, or ad- ministered within the cloud.

Race conditions are also known as __ or __ attacks.

time-of-check (TOC); time-of-use (TOU)

Controlling user access is of paramount importance. You don't want just any Tom, Dick, or Harry to gain admittance to your computer network! The first step in controlling user access is

to define who needs to have access and what they need to have access to. After this is done, an access control plan must be developed. This primarily consists of choosing an access control model. Which model you should choose depends on your organization's procedures and written policies, the level of security you need, and the amount of IT re- sources at your disposal. After a model has been selected, you should imple- ment as many safe practices as possible to bolster the model's effectiveness. Then, you can actually implement security on the computers and network. This includes creating and organizing secure users, groups, and other net- work objects such as organizational units. More important, it incorporates the use of policies and Group Policy objects. By configuring computer-based policies for your users, groups, and computers, you are forcing them to abide by your organization's rules.

Basic Browser Security: The first thing that you should do is

to update the browser—that is, if compa- ny policy permits it. Remember to use the patch management strategy dis- cussed earlier in the book. You might also want to halt or defer future up- dates until you are ready to implement them across the entire network.

Of course, many organizations (and especially government) get more techni- cal with their door access systems. Electronic access control systems such as cardkey systems are common. These use scanning devices on each door used for access to the building. They read the cardkeys that you give out to em- ployees and visitors. These cardkeys should be logged; it should be known exactly who has which key at all times. The whole system is guided by a card- key controller. This controller should be placed in a wiring closet or in a server room, and that room should be locked as well (and protected by the cardkey system). Some companies implement separate cardkey systems for the server room and for the main entrances. Some systems use photo ID badges for identification and authentication to a building's entrance. They might have a magnetic stripe similar to a credit card, or they might have a barcode or use an RFID chip. A key card door access system is another good practice for tracking user identities. Another possibility is the smart card. The smart card falls into the category of "something a person has" and is known as a

token. It's the size of a credit card and has an embedded chip that stores and transacts data for use in se- cure applications such as hotel guest room access, prepaid phone services, and more. Smart cards have multiple applications, one of which is to authen- ticate users by swiping the card against a scanner, thus securing a computer or a computer room. The smart card might have a photo ID as well. Exam- ples of smart cards include the PIV card (Personal Identity Verification), which is required for all U.S. government employees and contractors, and the Common Access Card (CAC), which is used to identify Department of Defense (DoD) military personnel, other DoD civilian government employ- ees, and so on. These cards not only identify the person and are responsible for authentication to buildings and systems, but can also encrypt and digital- ly sign e-mails. These cards might be used as part of a multifactor authenti- cation scheme in which there is a combination of username/password (or PIN) and a smart card. Advanced smart cards have specialized cryptographic hardware that can use algorithms such as RSA and 3DES but generally use private keys to encrypt data. (More on encryption and these encryption types is provided in Chapter 14, "Encryption and Hashing Concepts.") A smart card might incorporate a microprocessor (as is the case with the PIV and CAC cards). A smart card security system usually is composed of the smart card itself, smart card readers, and a back-office database that stores all the smart card access control lists and history.

SSO systems—and federated systems in general— will often incorporate the concept of __ where two networks (or more) have a relationship such that users logging in to one network get ac- cess to data on the other.

transitive trust

Mandatory access control (MAC) is an access control policy determined by a computer system, not by a user or owner, as it is in DAC. Permissions are predefined in the MAC model. Historically, it has been used in highly classified government and military multilevel systems, but you will find less- er implementations of it in today's more common operating systems as well. The MAC model defines sensitivity labels that are assigned to subjects(users) and objects (files, folders, hardware devices, network connections, and so on). A subject's label dictates its security level, or level of trust. An ob- ject's label dictates what level of clearance is needed to access it, also known as a

trust level (this is also known as data labeling). The access controls in a MAC system are based on the security classification of the data and "need- to-know" information—where a user can access only what the system consid- ers absolutely necessary. Also, in the MAC model, data import and export are controlled. MAC is the strictest of the access control models.

An example of MAC can be seen in FreeBSD version 5.0 and higher. In this OS, access control modules can be installed that allow for security policies that label subjects and objects. The enforcement of the policies is done by administrators or by the OS; this is what makes it mandatory and sets it apart from DAC. Another example is Security-Enhanced Linux (SELinux), a set of kernel modifications to Linux that supports DoD-style mandatory ac- cess controls such as the requirement for

trusted computing base (TCB). Though often interpreted differently, TCB can be described as the set of all hardware and software components critical to a system's security and all as- sociated protection mechanisms. The mechanisms must meet a certain stan- dard, and SELinux helps accomplish this by modifying the kernel of the Lin- ux OS in a secure manner. Like DAC, MAC was also originally defined in The Orange Book, but as the Mandatory Security Policy—a policy that enforces access control based on a user's clearance and by the confidentiality levels of the data. Even though The Orange Book is deprecated, the concept of MAC lives on in today's systems and is implemented in two ways:

Cisco systems use the Generic Routing Encapsulation (GRE) protocol to en- capsulate a lot of different data, namely, routing information that passes be- tween VPN-enabled connected networks that use PPTP or IPsec. GRE might also make use of Multiprotocol Label Switching (MPLS), a packet-forward- ing technology that uses labels to make data forwarding decisions. With MPLS, the Layer 3 header analysis is done just once (when the packet enters the MPLS domain). Label inspection drives subsequent packet forwarding. It is a natural evolution for networks that provide predictable IP services. There is a minor amount of risk when using MPLS due to its open-ended na- ture, and when connecting from MPLS to non-MPLS networks. To mitigate this, the MPLS over GRE feature provides a mechanism for

tunneling MPLS packets over a non-MPLS network. This feature utilizes MPLS over Generic Routing Encapsulation (MPLSoGRE) to encapsulate MPLS packets inside IP tunnels. The encapsulation of MPLS packets inside IP tunnels creates a vir- tual point-to-point link across non-MPLS networks.

Authentication to servers and other networks (and all their applications) can get even more complicated when the concept of transitive trust is imple- mented. Effectively, a transitive trust is when

two networks (or more) have a relationship such that users logging in to one network get access to data on the other. In days gone by, these types of trusts were created automatically between different sections of networks. However, it was quickly realized that this type of transitivity was insecure, allowing users (and potential attackers) access to other networks that they shouldn't have had access to in the first place. There's a larger looming threat here as well. The transitive trust is based on the transitive property in mathematics, which states that if A is equal to B, and B is equal to C, then A is automatically equal to C. Put into computer terms: if the New York network trusts the California network, and the California network trusts the Hong Kong network, then the New York network automatically trusts the Hong Kong network. You can imagine the security concerns here, as well as the domino effect that could occur. So, or- ganizations will usually prefer the non-transitive trust, where users need to be authenticated to each network separately, and therefore are limited to the applications (and data) they have access to on a per-network basis.

Directory traversal, or the ../ (dot dot slash) attack, is a method of access- ing unauthorized parent (or worse, root) directories. It is often used on web servers that have PHP files and are Linux or UNIX-based, but it can also be perpetrated on Microsoft operating systems (in which case it would be ..\ or the "dot dot backslash" attack). It is designed to get access to files such as ones that contain passwords. This can be prevented by

updating the OS, or by checking the code of files for vulnerabilities, otherwise known as fuzzing. For example, a PHP file on a Linux-based web server might have a vulnera- ble if or include statement, which when attacked properly could give the attacker access to higher directories and the passwd file.

To begin, applications should be analyzed for backdoors. As mentioned inChapter 2, "Computer Systems Security Part I," backdoors are used in com- puter programs to bypass normal authentication and other security mecha- nisms in place. These can be avoided by

updating the operating system and applications and firmware on devices, and especially by carefully checking the code of the program. If the system is not updated, a malicious person could take all kinds of actions via the backdoor.

So, if you are in charge of implementing a browser solution, be sure to plan for performance and security right from the start. I do make some standard recommendations to customers, students, and readers when it comes to planning and configuring browser security. Let's discuss a few of those now. The first recommendation is to not

use the very latest version of a browser. (Same advice I always give for any application, it seems.) Let the people at the top of the marketing pyramid, the innovators, mess around with the "lat- est and greatest;" let those people find out about the issues, backdoors, and whatever other problems a new application might have; at worst, let their computer crash! For the average user, and especially for a fast-paced organi- zation, the browser needs to be rock-solid; these organizations will not toler- ate any downtime. I always allow for some time to pass before fully embrac- ing and recommending software. The reason I bring this up is because most companies share the same view and implement this line of thinking as a company policy. They don't want to be caught in a situation where they spent a lot of time and money installing something that is not compatible with their systems.

To avoid access violations when working with permissions, the "least privi- lege" or "minimal privilege" concept should be implemented. Give the users only the amount of access that they absolutely need. Note that permissions for long-term employees could suffer from privilege creep over time. To mit- igate this, consider periodic user permission reviews and evaluation of ACLs. This permission auditing procedure will ensure that users have the access to the correct data. In general, this is known as

user access recertification. Consider this procedure if a company has a particularly high attrition rate (hiring and terminating of employees). This will verify that users no longer with the company cannot log on to the network and cannot gain access to re- sources. It also ensures that new users can gain access to necessary resources.

There are other examples of generic account prohibition that work in the same manner as UAC. Third-party tools are available for Windows and Lin- ux. An administrator might find that UAC does not have the configurability they desire. Regardless of the type of account prohibition used, it is impor- tant to conduct

user access reviews—audits of what users have been able to access over time—and continuously monitor users' actions in this regard.

Operational controls: These are the controls executed by people. They are designed to increase individual and group system security. They include (6)

user awareness and training, fault tolerance and disaster recovery plans, in- cident handling, computer support, baseline configuration development, and environmental security. The people who carry out the specific requirements of these controls must have technical expertise and understand how to im- plement what management desires of them.

On a semi-related note, integer overflows are when arithmetic operations attempt to create a numeric value that is too big for the available memory space. This creates a wrap and can cause resets and undefined behavior in programming languages such as C and C++. The security ramification is that the integer overflow can violate the program's default behavior and possibly lead to a buffer overflow. This can be prevented or avoided by making over- flows trigger an exception condition, or by (2)

using a model for automatically eliminating integer overflow, such as the CERT As-if Infinitely Ranged (AIR) integer model.

Ways of dis- couraging bluesnarfing include

using a pairing key that is not easy to guess; for example, stay away from 0000 or similar default Bluetooth pairing keys! Otherwise, Bluetooth devices should be set to "undiscoverable" (only after legitimate Bluetooth devices have been set up, of course), or Bluetooth can be turned off altogether.

Zero day attacks can be prevented by using newer operating systems that have protection mechanisms and by updating those operating systems. They can also be prevented by (2)

using multiple layers of firewalls and by using whitelisting, which only allows known good applications to run.

RCE commands can be sent to the target computer __(how), or __(how), among other methods.

using the URL of a browser; by using the Netcat service

Some other very important security principles that should be incorporated into the SDLC include: Principle of defense in depth: The more security controls the better. The layering of defense in secure coding may take the form of (4)

validation, en- cryption, auditing, special authentication techniques, and so on.

It's important to note that when logging on to a Microsoft network, the logon process is secured by the Kerberos protocol, which is run by the domain con- troller. This adds a layer of protection for the username and password as they are authenticated across the network. When users take a break or go to lunch, they should lock the computer. This can be done by pressing Win- dows+L. When doing so, the operating system goes into a locked state, and the only way to unlock the computer is to enter the username and password of the person who locked the computer. The difference between this and log- ging out is that a locked computer keeps all the session's applications and files open, whereas logging out closes all applications and open files. A policy can also be configured to force locking after a certain amount of time has elapsed. Literally hundreds of policies are configurable. You could spend weeks doing it! Microsoft understands this and offers

various levels of secu- rity templates that can be imported into your OU policy, making your job as an administrator a bit easier. A particular template might be just what you are looking for, or it might need a bit of tweaking. But in most cases it beats starting from scratch!

The CHAP authentication scheme consists of several steps. It authenticates a user or a network host to entities such as Internet access providers. CHAP periodically

verifies the identity of the client by using a three-way hand- shake. The verification is based on a shared secret. After the link has been established, the authenticator sends a challenge message to the peer. The en- crypted results are compared, and finally the client is either authorized or denied access.

Aside from using password-cracking programs, passwords can be obtained through (7)

viruses and Trojans, wiretapping, keystroke logging, network sniff- ing, phishing, shoulder surfing, and dumpster diving.

Two web application vulnerabilities to watch out for include cross-site scripting (XSS) and cross-site request forgery (XSRF). XSS holes are

vulnerabilities that can be exploited with a type of code injec- tion. Code injection is the exploitation of a computer programming bug or flaw by inserting and processing invalid information—it is used to change how the program executes data.

OVAL has several uses, one of which is as a tool to standardize security advi- sory distributions. Software vendors need to publish vulnerabilities in a standard, machine-readable format. By including an authoring tool, defini- tions repository, and definition evaluator, OVAL enables users to regulate their security advisories. Other uses for OVAL include __(4), and so on.

vulnerability assess- ment, patch management, auditing, threat indicators

Computers and networks are naturally vulnerable. Whether it is an operat- ing system or an appliance installed out-of-the-box, they are inherently inse- cure. Vulnerabilities could come in the form of backdoors or open ports. They could also be caused after installation due to poor design. To understand what can be affected, security administrators should possess thorough computer and network documentation, and if they don't already, they should develop it themselves. Tools such as Microsoft Visio and net- work mapping tools can help to create proper network documentation. Then, tools such as (3)___ should be used to assess the level of vulnerability on a computer network.

vulnerability scanners, protocol analyzers, and password crack- ers

Description of vulnerabillity: Cross- site script- ing (XSS): Exploits the trust a user's browser has in a website through code injection, often in

web forms.

Directory traversal, or the ../ (dot dot slash) attack, is a method of access- ing unauthorized parent (or worse, root) directories. It is often used on

web servers that have PHP files and are Linux or UNIX-based, but it can also be perpetrated on Microsoft operating systems (in which case it would be ..\ or the "dot dot backslash" attack).

Banner grabbing is a technique used to find out information about (3)

web servers, FTP servers, and mail servers. For example, it might be used by a network administrator to take inventory of systems and services running on servers. Or, it could be used by an attacker to grab information such as HTTP headers, which can tell the attacker what type of server is run- ning, its version number, and so on. Examples of banner-grabbing ap- plications include Netcat and Telnet. Aside from the security administrator (and perhaps auditors), no one should be running banner-grabbing tools, or network enumeration tools in general. A good security admin will attempt to sniff out any unpermitted usage of these tools.

Memory and buffer vulnerabilities are common. There are several types of these, but perhaps most important is the buffer overflow. A buffer over- flow is

when a process stores data outside the memory that the developer intended. This could cause erratic behavior in the application, especially if the memory already had other data in it. Stacks and heaps are data struc- tures that can be affected by buffer overflows. The stack is a key data struc- ture necessary for the exchange of data between procedures. The heap con- tains data items whose size can be altered during execution. Value types are stored in a stack, whereas reference types are stored in a heap. An ethical coder will try to keep these running efficiently. An unethical coder wanting to create a program vulnerability could, for example, omit input validation, which could allow a buffer overflow to affect heaps and stacks, which in turn could adversely affect the application or the operating system in question. Let's say a programmer allows for 16 bytes in a string variable. This won't be a problem normally. However, if the programmer failed to verify that no more than 16 bytes could be copied over to the variable, that would create a vulnerability that an attacker could exploit with a buffer overflow attack. The buffer overflow can also be initiated by certain inputs. For example, corrupt- ing the stack with no-operation (no-op, NOP, or NOOP) machine instruc- tions, which when used in large numbers can start a NOP slide, can ultimate- ly lead to the execution of unwanted arbitrary code, or lead to a denial-of- service (DoS) on the affected computer. All this can be prevented by patching the system or application in question, making sure that the OS uses data execution prevention, and utilizing bounds checking, which is a programmatic method of detecting whether a particular variable is within design bounds before it is allowed to be used. It can also be prevented by using correct code, checking code carefully, and us- ing the right programming language for the job in question (the right tool for the right job, yes?). Without getting too much into the programming side of things, special values called "canaries" are used to protect against buffer overflows.

Though not completely related, another type of injection attack is DLL injection. This is

when code is run within the address space of another process by forcing it to load a dynamic link library (DLL). Ultimately, this can influence the behavior of a program that was not originally intended. It can be uncovered through penetration testing, which we will discuss more in Chapter 12.

On a semi-related note, integer overflows are when arithmetic operations attempt to create a numeric value that is too big for the available memory space. This creates a

wrap and can cause resets and undefined behavior in programming languages such as C and C++. The security ramification is that the integer overflow can violate the program's default behavior and possibly lead to a buffer overflow. This can be prevented or avoided by making over- flows trigger an exception condition, or by using a model for automatically eliminating integer overflow, such as the CERT As-if Infinitely Ranged (AIR) integer model.

Security analysis can be done in one of two ways: actively or passively. Active security analysis is when actual hands-on tests are run on the system in question. These tests might require a device to be taken off the network for a short time, or might cause a loss in productivity. Active scanning is used to find out if ports are open on a specific device, or to find out what IP addresses are in use on the network. A backup of the systems to be analyzed should be accomplished before the scan takes place. Active scanning (also known as intrusive scanning) can be detrimental to systems or the entire network, especially if

you are dealing with a mission-critical network that re- quires close to 100% uptime. In some cases, you can pull systems off the net- work or run your test during off-hours. But in other cases, you must rely on passive security analysis.

Cisco also created a proprietary protocol called LEAP (Lightweight EAP), and it is just that—proprietary. To use LEAP,

you must have a Cisco device such as an Aironet WAP or Catalyst switch, or another vendor's device that complies with the Cisco Compatible Extensions program. Then you must download a third-party client on Windows computers to connect to the Cisco device. Most WLAN vendors offer an 802.1X LEAP download for their wire- less network adapters.

Zero day attacks can be prevented by using newer operating systems that have protection mechanisms and by updating those operating systems. They can also be prevented by using multiple layers of firewalls and by using whitelisting, which only allows known good applications to run. Collectively, these preventive methods are referred to as

zero day protection.