1- Mastering the Basics Flashcards

1
Q

Core Security Principles: Confidentiality

A

Confidentiality ensures that data is only viewable by authorized users. Data at risk of falling into the wrong hands should be encrypted so that it is unreadable without the key, and all data should be protected with access controls that enforce confidentiality. The two complement each other: access controls decide who may read the data, and encryption limits the damage when those controls are bypassed (a stolen laptop, a leaked backup).

2
Q

Core Security Principles: Integrity

A

Integrity provides assurance that data has not been modified; loss of integrity occurs through unauthorized or unintended changes. A hash is a fixed-size number computed from a file or message by a hashing algorithm such as SHA-256 (or the older MD5 and SHA-1). The hash is computed at two different times and the two values are compared; any difference shows that the data changed. Two caveats: a plain hash only detects accidental change, because an attacker who can alter the data can also recompute the hash, so a keyed hash such as HMAC (which needs a secret key to produce a valid value) is used against deliberate tampering; and MD5 and SHA-1 are no longer collision resistant, so new designs should use SHA-2 or SHA-3.
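As an added example (not part of the original flashcards), the following Python shows in working code why comparing two hashes catches accidental change but not deliberate tampering, and what a keyed hash (HMAC) adds. The message, the tampered copy and the shared key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample data for the demonstration (not from the original page).
MESSAGE = b"transfer 100.00 to account 12345"
TAMPERED = b"transfer 900.00 to account 12345"
SHARED_KEY = b"secret shared only by sender and receiver"


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash: anyone holding the data can compute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC): only a holder of `key` can produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatch via timing.
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def verify_hmac(key: bytes, data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), expected_hex)


def demo() -> dict:
    """Runs the four cases the card's caveat rests on and reports each outcome."""
    # The sender computes a hash at time 1 and ships it next to the message.
    published_hash = sha256_hex(MESSAGE)

    # Case 1: accidental corruption in transit. The receiver recomputes the hash
    # at time 2; it no longer matches, so the change is detected.
    accidental_detected = not verify_hash(TAMPERED, published_hash)

    # Case 2: an active attacker rewrites the message AND recomputes the hash.
    # The receiver's check passes, because nothing about the hash needed a secret.
    forged_hash = sha256_hex(TAMPERED)
    deliberate_missed = verify_hash(TAMPERED, forged_hash)

    # Case 3: the same attacker against an HMAC. Without SHARED_KEY the best
    # they can do is guess a key; the receiver's recomputation will not match.
    forged_tag = hmac_sha256_hex(b"attacker guess", TAMPERED)
    deliberate_detected = not verify_hmac(SHARED_KEY, TAMPERED, forged_tag)

    # Case 4: the genuine message with the real key still verifies.
    genuine_tag = hmac_sha256_hex(SHARED_KEY, MESSAGE)
    genuine_ok = verify_hmac(SHARED_KEY, MESSAGE, genuine_tag)

    return {
        "accidental_detected": accidental_detected,
        "deliberate_missed_by_plain_hash": deliberate_missed,
        "deliberate_detected_by_hmac": deliberate_detected,
        "genuine_hmac_verifies": genuine_ok,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that an HMAC still does not give non-repudiation: the receiver holds the same key and could have produced the tag. That is what a digital signature adds.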

3
Q

Core Security Principles: Availability

A

Availability ensures that systems are up and operational when needed and often addresses single points of failure. You can increase availability by adding fault tolerance and redundancies such as RAID, clustering, backups, and generators. HVAC systems also increase availability.

4
Q

Core Security Principles: Non-repudiation

A

Non-repudiation prevents entities from denying they took an action. Digitally signed e-mail prevents the sender from later denying they sent it, because only the holder of the private signing key could have produced the signature (a keyed hash such as an HMAC does not give non-repudiation, since every holder of the shared key could have produced it). An audit log provides non-repudiation when its entries record who took an action, what the action was, where it took place, and when it occurred, and when the log itself is tied to authenticated identities and protected from tampering; a log that anyone can edit proves nothing.

5
Q

Core Security Principles: Defense in Depth

A

Security is never “done.” Instead, security and IT professionals constantly monitor, update, add to, and improve existing methods. A single layer of security is easily beatable. Defense in depth employs multiple layers to make it harder for attacks to exploit a system or network.

6
Q

Basic Risk Concepts: Risk/ Risk Mitigation

A

Risk is the likelihood that a threat will exploit a vulnerability. Risk mitigation reduces the chances that a threat will exploit a vulnerability by implementing controls.

7
Q

Authentication Concepts: Identification, Authentication, Authorization

A

Identification occurs when a user claims an identity, such as by entering a username. Authentication occurs when the user proves that identity (for example with a password) and the credentials are verified. Authorization grants access to resources based on the proven identity.

8
Q

Authentication Concepts: 3 Factors of Authentication

A

The three factors are: 1) Something you know (such as a password or PIN), 2) Something you have (such as a smart card or token), and 3) Something you are (such as a fingerprint or other biometric).

Multifactor authentication uses two or more different factors. Two items from the same factor (a password plus a PIN, for example) are not multifactor.

9
Q

Authentication Concepts: First Factor of Authentication

A

The first factor of authentication (something you know, such as a password or PIN) is the weakest factor. Passwords should be strong, changed regularly, never shared with another person, and stored in a safe if written down. Technical controls (such as a password policy enforced by the operating system or directory) should ensure that users change their passwords when required and cannot reuse old ones. Note that current NIST guidance (SP 800-63B) discourages forced periodic changes without evidence of compromise, favoring screening new passwords against breached-password lists instead; this chapter still lists regular changes as a best practice.

10
Q

Authentication Concepts: First Factor of Authentication– Strong Passwords

A

Strong passwords use a mix of character types and a minimum length such as eight or ten characters. The key space of a password is C^N, where C is the number of possible characters (the size of the character set) and N is the password length. Because N is the exponent, adding length grows the key space faster than adding character types. Key space is a worst-case figure for exhaustive guessing; a password that appears in a breached-password list falls on the first few guesses regardless of its key space.
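The following Python is an added worked example of the C^N formula, not code from the original flashcards. It infers C from the character classes a password actually uses, computes the key space and its log2 (entropy bits), and estimates worst-case exhaustive-search time at an assumed guess rate. The sample passwords and the guess rates are constructed.

```python
import math
import string

# Character classes and their sizes. A password that uses characters from a
# class is assumed to have been drawn from the whole class, which is how an
# exhaustive attacker would have to search it.
CLASSES = {
    "lowercase": string.ascii_lowercase,  # 26
    "uppercase": string.ascii_uppercase,  # 26
    "digits": string.digits,              # 10
    "symbols": string.punctuation,        # 32 printable ASCII symbols
}


def charset_size(password: str) -> int:
    """C: the combined size of every character class the password touches."""
    known = "".join(CLASSES.values())
    unsupported = [ch for ch in password if ch not in known]
    if unsupported:
        raise ValueError(f"characters outside the modelled classes: {unsupported!r}")
    return sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))


def key_space(password: str) -> int:
    """The card's formula: C ^ N with N the password length."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the key space, the usual way to state password strength."""
    return len(password) * math.log2(charset_size(password))


def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Time for an attacker to try the entire key space at the given rate.
    Assumed figures: ~10 guesses/s against an online login with lockout,
    more than 1e10/s against a leaked fast hash on a GPU rig."""
    return key_space(password) / guesses_per_second


def report(passwords, guesses_per_second: float = 1e10):
    """One row per password; returns the rows so they can be checked or printed."""
    rows = []
    for pw in passwords:
        rows.append({
            "password": pw,
            "C": charset_size(pw),
            "N": len(pw),
            "key_space": key_space(pw),
            "bits": round(entropy_bits(pw), 1),
            "worst_case_days": worst_case_seconds(pw, guesses_per_second) / 86400,
        })
    return rows


if __name__ == "__main__":
    # Constructed sample passwords. "correcthorsebattery" beats "P@ssw0rd" on
    # key space despite using one character class, because length is the exponent.
    for row in report(["password", "Passw0rd", "P@ssw0rd", "correcthorsebattery"]):
        print(row)
```

The report deliberately shows only the exhaustive-search bound; "password" and "P@ssw0rd" both sit in every common wordlist and fall immediately to a dictionary attack, which is why key space is a necessary but not sufficient measure.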

11
Q

Authentication Concepts: First Factor of Authentication– Password History

A

Password history (remembering the last N passwords) is combined with a minimum password age to prevent users from reusing the same passwords. History alone is not enough: without a minimum age a user can change the password N+1 times in a minute, push the old password out of the history, and set it again.
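An added example (not from the original flashcards) that implements both settings and runs the reuse trick against them in Python. The account, policy values and the password "Winter2024!" are constructed; the verifier uses PBKDF2 from the standard library with a low iteration count so the demonstration runs quickly.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Work factor kept deliberately low so the demonstration runs in about a second;
# a production verifier uses a far higher count or a memory-hard KDF.
PBKDF2_ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    # (salt, hash) pairs, oldest first; the current password is the last entry.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_change: Optional[datetime] = None


@dataclass
class Policy:
    history_size: int    # "enforce password history": how many previous passwords are remembered
    min_age: timedelta   # "minimum password age": how soon after a change the next one is allowed

    def change_password(self, acct: Account, new_password: str, now: datetime) -> str:
        if acct.last_change is not None and now - acct.last_change < self.min_age:
            return "denied: minimum age not reached"
        remembered = acct.history[-self.history_size:] if self.history_size > 0 else []
        for salt, digest in remembered:
            if hmac.compare_digest(hash_password(new_password, salt), digest):
                return "denied: password in history"
        salt = os.urandom(16)
        acct.history.append((salt, hash_password(new_password, salt)))
        acct.last_change = now
        return "ok"


def cycle_back(policy: Policy, seconds_between_changes: int = 1, changes: Optional[int] = None) -> str:
    """A user who wants to keep 'Winter2024!' changes the password `changes`
    times (default: enough to flush the history) to throwaway values, then tries
    to set the original again. Returns the policy's verdict on that last change."""
    acct = Account()
    now = datetime(2024, 1, 1)
    verdict = policy.change_password(acct, "Winter2024!", now)
    if verdict != "ok":
        raise RuntimeError(verdict)
    for i in range(policy.history_size if changes is None else changes):
        now += timedelta(seconds=seconds_between_changes)
        policy.change_password(acct, f"throwaway{i}", now)   # may itself be denied by min age
    now += timedelta(seconds=seconds_between_changes)
    return policy.change_password(acct, "Winter2024!", now)


def scenario(history_size: int, min_age_days: int,
             seconds_between_changes: int = 1, changes: Optional[int] = None) -> str:
    return cycle_back(Policy(history_size, timedelta(days=min_age_days)),
                      seconds_between_changes, changes)


if __name__ == "__main__":
    print("history 5, no min age, changes seconds apart:   ", scenario(5, 0))
    print("history 5, min age 1 day, changes seconds apart:", scenario(5, 1))
    print("history 5, min age 1 day, one change per day:   ", scenario(5, 1, 86400))
    print("history 5, no min age, only 4 throwaways:       ", scenario(5, 0, changes=4))
```

The third scenario is the honest picture: a minimum age only slows the trick down to one change per day, so the history size (24 is a common setting) is what decides how long the user must wait before the old password comes back.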

12
Q

Authentication Concepts: First Factor of Authentication– Default Passwords

A

Many systems and devices ship with default passwords. A basic security practice is to change (or disable) these defaults as soon as the system or device is installed.

Some administrators go a step further: they rename the real built-in administrator account and add a dummy account named "administrator" that has no permissions. If that dummy account is ever locked out, the administrator knows that someone was trying to guess its password.

13
Q

Authentication Concepts: Second Factor of Authentication

A

The second factor of authentication (something you have, such as a smart card, key fob, or proximity card) is commonly combined with something you know. Smart cards have embedded certificates issued by a Public Key Infrastructure (PKI); the private key never leaves the card, and the user unlocks it with a PIN (something you know). Both smart cards and key fobs provide a significant level of secure authentication, especially when used with another factor of authentication (multifactor authentication).

14
Q

Authentication Concepts: Second Factor of Authentication– Examples

A

A common access card (CAC) is a specialized smart card issued by the United States Department of Defense to military personnel, civilians, and contractors. Similarly, a personal identity verification (PIV) card is a specialized smart card used by other United States federal agencies.

CACs and PIVs are smart cards that also include photo identification. They are used to gain access to secure locations and to log on to computer systems.

15
Q

Authentication Concepts: Third Factor of Authentication

A

The third factor of authentication (something you are, defined with biometrics) is considered the strongest single factor because it is the most difficult for an attacker to falsify. Physical biometrics (such as fingerprints) and behavioral biometrics (such as voice recognition) can be used to authenticate individuals. Two practitioner caveats: a biometric cannot be changed if its template is stolen, and cheap sensors can be fooled by presentation attacks (a lifted fingerprint, a photo), so liveness detection and a second factor still matter.

16
Q

Authentication Concepts: Third Factor of Authentication– Biometric Systems

A

Most biometric systems let you adjust the matching threshold (sensitivity) to suit your needs. Raising the threshold lowers the false acceptance rate but raises the false rejection rate, and lowering it does the reverse.

You can judge the accuracy of a biometric system by its crossover error rate (CER), the point at which the FAR and FRR are equal. A lower CER indicates a more accurate biometric system than a higher CER.

17
Q

Authentication Concepts: Third Factor of Authentication– Biometric Systems: False Readings

A

Two possible false readings are:

  • False acceptance: the biometric system incorrectly identifies an unauthorized user as an authorized user. The false acceptance rate (FAR, also called a Type II error) is the percentage of attempts in which false acceptance occurs.
  • False rejection: the biometric system incorrectly rejects an authorized user. The false rejection rate (FRR, also called a Type I error) is the percentage of attempts in which false rejection occurs.
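The two cards above (threshold sensitivity, CER, FAR and FRR) in one added Python example that is not part of the original flashcards. It sweeps the acceptance threshold over constructed match scores from two hypothetical systems, reports FAR and FRR at each setting, locates the crossover, and applies the rule that the lower CER marks the more accurate system.

```python
# Constructed match scores (0-100) for two hypothetical biometric systems; a
# higher score means the live sample looks more like the enrolled template.
# The same ten authorized users were tested against both systems.
GENUINE = [91, 88, 95, 72, 83, 60, 97, 79, 86, 90]
IMPOSTOR_A = [21, 35, 52, 44, 68, 30, 15, 61, 40, 26]   # impostor scores, well separated
IMPOSTOR_B = [30, 45, 70, 62, 81, 55, 35, 75, 58, 40]   # impostor scores, more overlap


def rates(threshold: int, genuine=GENUINE, impostor=IMPOSTOR_A):
    """FAR and FRR when the system accepts any score >= threshold.

    FAR (Type II): impostors that scored high enough to be accepted.
    FRR (Type I): genuine users that scored too low and were rejected.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def trade_off(thresholds, genuine=GENUINE, impostor=IMPOSTOR_A):
    """Shows the sensitivity knob: raising the threshold cuts FAR and raises FRR."""
    return [(t, *rates(t, genuine, impostor)) for t in thresholds]


def crossover(genuine=GENUINE, impostor=IMPOSTOR_A):
    """Sweeps every threshold and returns (threshold, CER) at the first point
    where FAR and FRR are equal (or, with coarse data, closest)."""
    best = None
    for t in range(0, 101):
        far, frr = rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[1]:
            best = (t, gap, (far + frr) / 2)
    threshold, _, cer = best
    return threshold, cer


def more_accurate() -> str:
    """The card's rule: the system with the lower CER is the more accurate one."""
    _, cer_a = crossover(GENUINE, IMPOSTOR_A)
    _, cer_b = crossover(GENUINE, IMPOSTOR_B)
    return "A" if cer_a < cer_b else "B"


if __name__ == "__main__":
    for t, far, frr in trade_off([40, 50, 62, 73, 85]):
        print(f"threshold {t:3d}: FAR={far:.1f} FRR={frr:.1f}")
    print("system A crossover (threshold, CER):", crossover(GENUINE, IMPOSTOR_A))
    print("system B crossover (threshold, CER):", crossover(GENUINE, IMPOSTOR_B))
    print("more accurate system:", more_accurate())
```

With only ten samples per class the rates move in steps of 0.1, which is why the sweep accepts the closest point as well as an exact crossing; a real evaluation uses thousands of attempts and reports the CER as a percentage.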
18
Q

Authentication Services

A
  • Kerberos
  • Lightweight Directory Access Protocol (LDAP)
  • Mutual Authentication
  • Single Sign-On
  • IEEE 802.1X
19
Q

Authentication Services: Kerberos

A

Kerberos is the network authentication protocol used within a Microsoft Windows Active Directory domain or a UNIX realm. It uses a database of principals (Active Directory, for example) and a Key Distribution Center (KDC) to issue time-stamped tickets that expire after a set period. Because tickets and authenticators carry timestamps, the clocks of clients and the KDC must agree within the allowed skew (5 minutes by default), so Kerberos requires internal time synchronization. It uses port 88 (TCP and UDP).

20
Q

Authentication Services: Single Sign-On

A

Single sign-on (SSO) enhances security by requiring users to use and remember only one set of credentials. Once signed on using SSO, that one set of credentials is used throughout the user's session. SSO can provide central authentication against a federated database for different operating systems. The trade-off is concentration of risk: a compromised SSO credential opens every connected resource, so the SSO account should require multifactor authentication.

21
Q

Remote Access Services (RAS)

A

Remote Access Services (RAS) are used to provide access to an internal network from an outside source.

22
Q

Remote Access Authentication

A

The different authentication mechanisms that may be used with remote access services are:

  • Password Authentication Protocol (PAP): passwords are sent in clear text, so PAP is rarely used today.
  • Challenge Handshake Authentication Protocol (CHAP): uses a handshake in which the server sends a random challenge and the client responds with a hash computed from the challenge and the shared secret, so the secret itself never crosses the wire.
  • MS-CHAP: Microsoft's implementation of CHAP, used only by Microsoft clients.
  • MS-CHAPv2: an improvement over MS-CHAP. Its significant improvement is mutual authentication: the server also proves itself to the client.
  • RADIUS (Remote Authentication Dial-In User Service): provides a centralized method of authentication for multiple remote access servers. RADIUS hides only the User-Password attribute (with an MD5-based keystream derived from the shared secret); the rest of the packet, including the username, is sent in the clear.
  • TACACS and XTACACS: Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol that was commonly used in UNIX networks. Extended TACACS (XTACACS) is a Cisco Systems proprietary improvement over TACACS. Neither is commonly used today; most organizations use either RADIUS or TACACS+.
  • TACACS+ (Terminal Access Controller Access-Control System Plus): Cisco's alternative to RADIUS. A benefit of TACACS+ is that it can interact with Kerberos, allowing it to work with a broader range of environments, including Microsoft. Additionally, TACACS+ obfuscates the entire packet body (RADIUS hides only the password).
23
Q

Remote Access Services: PAP (Password Authentication Protocol)

A

Password Authentication Protocol (PAP) is used with Point to Point Protocol (PPP) to authenticate clients.

A significant weakness of PAP is that passwords are sent in clear text, presenting a significant security risk.

PPP is primarily used with dial-up connections.

24
Q

Remote Access Services: CHAP (Challenge Handshake Authentication Protocol)

A

Challenge Handshake Authentication Protocol (CHAP) has often been used to authenticate users in the past, but it is usually replaced with more secure forms of authentication today. The goal of CHAP is to let the client prove it knows the shared secret over a public network (such as a phone line or the Internet) without sending the secret itself, and without giving an eavesdropper anything they can replay later: the server sends a random challenge, and the client answers with a hash (MD5, in RFC 1994) of the identifier, the shared secret and the challenge. The cost is that the server must store each client's secret in recoverable form, and a captured exchange still lets an attacker try candidate secrets offline.

25
Q

Remote Access Services: MS-CHAP and MS-CHAPv2

A

A significant improvement of MS-CHAPv2 over MS-CHAP is the ability to perform mutual authentication. Not only does the client authenticate to the server, but the server also authenticates to the client. This protects the client from sending data (including its credential-derived responses) to a server that is impersonating the real remote access server.
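The PAP, CHAP and mutual-authentication cards above in one added Python example, not code from the original flashcards. The PAP frame follows RFC 1334 and the CHAP response follows the RFC 1994 MD5 algorithm; the "server proof" step is a simplified illustration of the mutual-authentication idea and is not MS-CHAPv2's actual derivation. The peer name and secret "hunter2" are constructed.

```python
import hashlib
import hmac
import os
import struct


# ---- PAP (RFC 1334): the Authenticate-Request carries the password as-is ----
def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body   # Code 1 = Authenticate-Request


def sniff_pap_password(frame: bytes) -> bytes:
    """What a passive eavesdropper recovers from a single PAP frame."""
    peer_len = frame[4]
    pw_len = frame[5 + peer_len]
    start = 6 + peer_len
    return frame[start:start + pw_len]


# ---- CHAP (RFC 1994, MD5 algorithm) -----------------------------------------
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || secret || Challenge). The secret never
    crosses the wire; only this one-time digest does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets: dict):
        self.secrets = secrets      # must be stored recoverably: a known CHAP cost
        self.ident = 0
        self.pending = {}

    def challenge(self, peer: bytes):
        self.ident = (self.ident + 1) % 256
        chal = os.urandom(16)       # fresh randomness is what defeats replay
        self.pending[peer] = (self.ident, chal)
        return self.ident, chal

    def verify(self, peer: bytes, identifier: int, response: bytes) -> bool:
        ident, chal = self.pending.pop(peer, (None, None))
        if chal is None or ident != identifier:
            return False
        expected = chap_response(identifier, self.secrets[peer], chal)
        return hmac.compare_digest(expected, response)


# ---- Simplified mutual step in the spirit of MS-CHAPv2 (not its real math) --
def server_proof(secret: bytes, client_nonce: bytes) -> bytes:
    """The server proves it also holds the secret by answering a client-chosen nonce."""
    return hashlib.sha256(b"server-proof" + secret + client_nonce).digest()


def demo() -> dict:
    secret = b"hunter2"             # constructed shared secret
    peer = b"alice"
    server = ChapServer({peer: secret})

    # PAP: the sniffer simply reads the password out of the frame.
    pap_sniffed = sniff_pap_password(pap_authenticate_request(7, peer, secret))

    # CHAP round 1: the genuine client answers a fresh challenge.
    ident, chal = server.challenge(peer)
    resp = chap_response(ident, secret, chal)
    legit = server.verify(peer, ident, resp)
    captured_response = resp        # everything useful the sniffer saw

    # CHAP round 2: the attacker replays the captured response against the
    # next challenge (using the new identifier, so only the challenge differs).
    ident2, _chal2 = server.challenge(peer)
    replay = server.verify(peer, ident2, captured_response)

    # Mutual authentication: an impostor server without the secret cannot
    # produce the proof the client expects for its nonce.
    nonce = os.urandom(16)
    impostor_detected = not hmac.compare_digest(server_proof(secret, nonce),
                                                server_proof(b"wrong", nonce))

    return {
        "pap_sniffed_password": pap_sniffed,
        "chap_legit_accepted": legit,
        "chap_replay_accepted": replay,
        "impostor_server_detected": impostor_detected,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```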

26
Q

Remote Access Services: RADIUS (Remote Authentication Dial-In User Service)

A

Remote Authentication Dial-In User Service (RADIUS) is a centralized authentication service. Instead of each RAS server maintaining its own database of who can authenticate, the RAS servers (acting as RADIUS clients) forward authentication requests to a central RADIUS server.

A dial-up ISP with many access servers (AOL was the classic example) illustrates the need: the access servers can be anywhere, but the user database lives in one place.

27
Q

Remote Access Services– summary

A

MS-CHAPv2 is used to authenticate Microsoft clients and includes mutual authentication. TACACS+ is used by Cisco for authentication and can use Kerberos, allowing it to interact with a Microsoft environment. TACACS+ uses TCP, obfuscates the entire packet body, and uses multiple challenges and responses. RADIUS uses UDP and hides just the password attribute. In both protocols the built-in protection is an MD5-based keystream derived from the shared secret, not modern encryption; on untrusted networks carry either protocol over TLS (RadSec, RFC 6614, for RADIUS) or IPsec.

28
Q

Remote Access Services: TACACS/XTACACS (Terminal Access Controller Access-Control System AND Extended TACACS)

A

Terminal Access Controller Access-Control System (TACACS) and Extended TACACS (XTACACS) are older authentication protocols rarely used today. TACACS is a generic protocol (documented in RFC 1492) that was commonly used on Cisco and UNIX systems. It uses UDP port 49 by default.

29
Q

Remote Access Services: TACACS+

A

Terminal Access Controller Access-Control System Plus (TACACS+) is Cisco's alternative to RADIUS.

While TACACS uses UDP port 49, TACACS+ uses TCP port 49 for reliable delivery.

TACACS+ provides two important security benefits over RADIUS. First, it obfuscates the entire packet body (usernames, authorization requests and accounting records included), while RADIUS hides only the User-Password attribute and sends everything else in the clear. Second, TACACS+ uses multiple challenges and responses between the client and the server. In both protocols the protection is an MD5-based keystream derived from the shared secret, which RFC 8907 itself describes as obfuscation rather than encryption, so on untrusted networks carry either protocol over TLS or IPsec.

While TACACS+ was developed by Cisco, it can interact with Kerberos. This allows a Cisco RAS server (or VPN concentrator) to interact in a Microsoft Active Directory environment. As a reminder, Microsoft's Active Directory uses Kerberos for authentication.
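An added worked example (not part of the original flashcards) serving the RADIUS, summary and TACACS+ cards: a Python model of what each protocol actually protects on the wire. The RADIUS side implements the User-Password hiding of RFC 2865 section 5.2 and the TACACS+ side the body obfuscation of RFC 8907 section 4.5. The shared secrets, authenticator, session id and packet contents are constructed, and the TACACS+ body is a stand-in string rather than a full START packet.

```python
import hashlib
import struct


# ---- RADIUS (RFC 2865 section 5.2): only the User-Password attribute is hidden
def radius_hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """Pads the password to a multiple of 16 and XORs each 16-byte block with
    MD5(secret || previous cipher block), the first block using the Request
    Authenticator. Anyone who knows the shared secret can reverse it."""
    if not password or len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def radius_reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """The server's side of the same computation; strips the null padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def radius_attribute(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value


def radius_access_request(secret: bytes, authenticator: bytes, user: bytes, password: bytes) -> bytes:
    attrs = radius_attribute(1, user)                                               # User-Name, in the clear
    attrs += radius_attribute(2, radius_hide_password(secret, authenticator, password))  # User-Password
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + authenticator + attrs       # Code 1 = Access-Request


# ---- TACACS+ (RFC 8907 section 4.5): the whole body is obfuscated -----------
def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """pad_1 = MD5(session_id || key || version || seq_no),
    pad_n = MD5(session_id || key || version || seq_no || pad_n-1);
    body XOR (pad_1 || pad_2 || ...). Applying it twice restores the body."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def demo() -> dict:
    secret = b"radius-shared-secret"          # constructed values throughout
    authenticator = bytes(range(16))           # a real client sends 16 random bytes
    packet = radius_access_request(secret, authenticator, b"alice", b"hunter2")
    recovered = radius_reveal_password(
        secret, authenticator, radius_hide_password(secret, authenticator, b"hunter2"))

    tacacs_key, session_id, version, seq_no = b"tacacs-key", 0x1234ABCD, 0xC0, 1
    body = b"user=alice pass=hunter2"          # stand-in for an authentication START body
    hidden_body = tacacs_obfuscate(tacacs_key, session_id, version, seq_no, body)

    return {
        "radius_username_in_clear": b"alice" in packet,
        "radius_password_in_clear": b"hunter2" in packet,
        "radius_server_recovers_password": recovered == b"hunter2",
        "tacacs_username_in_clear": b"alice" in hidden_body,
        "tacacs_round_trip": tacacs_obfuscate(tacacs_key, session_id, version, seq_no, hidden_body) == body,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point to take from running it: the RADIUS username is readable by anyone on the path, and both hiding schemes are keystreams derived from MD5 and a static shared secret, which is why both RFCs call this obfuscation and why a TLS or IPsec transport is the practical fix.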

30
Q

Remote Access Services: AAA Protocols

A

AAA protocols provide authentication, authorization, and accounting.

RADIUS and TACACS+ are both considered AAA protocols.

31
Q

Chapter 1 Exam Topic Review

A

When preparing for the exam, make sure you understand these key concepts covered in this chapter.

Core Security Principles

  • Confidentiality ensures that data is only viewable by authorized users. Access controls and encryption protect the confidentiality of data.
  • Integrity provides assurances that data has not been modified, tampered with, or corrupted through unauthorized or unintended changes. Data can be a message, a file, or data within a database. Hashing is one method of ensuring that integrity has not been lost.
  • Availability ensures that data and services are available when needed. A common goal is to remove single points of failure (SPOF). Methods used to increase or maintain availability include fault tolerance, backups, virtualization, HVAC systems, and generators.
  • Confidentiality, integrity, and availability are not treated equally in all situations. Organizations may prioritize confidentiality, integrity, or availability differently depending on their goals.
  • Non-repudiation prevents entities from denying they took an action. Digital signatures and audit logs provide non-repudiation.
  • Defense in depth employs multiple layers of security. Security and IT professionals constantly monitor, update, add to, and improve existing security controls.
  • Implicit deny indicates that unless something is explicitly allowed, it is denied. Firewalls often use implicit deny by explicitly allowing some traffic and then implicitly denying all other traffic that is not identified. Anything not explicitly allowed is implicitly denied.

Basic Risk Concepts

  • Risk is the possibility of a threat exploiting a vulnerability resulting in a loss. A threat is any circumstance or event that has the potential to compromise confidentiality, integrity, or availability.
  • A vulnerability is a weakness. It can be a weakness in the hardware, software, the configuration, or users operating the system.
  • Risk mitigation reduces risk by reducing the chances that a threat will exploit a vulnerability.
  • Controls are actions taken to reduce risks. Examples include access controls (starting with authentication), business continuity plans, and antivirus software.

Authentication Concepts

Authentication allows entities to prove their identity by using credentials known to another entity. Authentication concepts covered in this chapter were:
-Identification occurs when a user professes or claims an identity, such as with a username.
-Authentication occurs when an entity provides proof of an identity (such as a password) and the proof is verified by a second entity.
-Authorization provides access to resources based on a proven identity.
-Three factors of authentication:
• Something you know (such as a username and password)
• Something you have (such as a smart card, CAC, PIV, or a token)
• Something you are (using biometrics)
-The something you know factor typically refers to a shared secret, such as a password, a username and password, or even a personal identification number (PIN). This is the least secure form of authentication.
-Passwords should be strong and changed often. Complexity (or key space) is calculated as C^N, where C is the number of possible characters used and N is the length of the password. Using more character types increases C; adding length increases N, the exponent, and so grows the key space faster.
-Self-service password systems automate password recovery.
-Account lockout policies lock out an account after an incorrect password is entered too many times.
-Smart cards are credit-card-size cards that have embedded certificates used for authentication. They require a PKI to issue certificates.
- Common access cards (CACs) and personal identity verification (PIV) cards can be used as photo IDs and as smart cards.
-Tokens (or key fobs) display numbers in an LCD synchronized with a server. These numbers provide rolling one-time use passwords.
-Biometric methods are the most difficult to falsify. Physical methods include fingerprints and iris scans. Behavioral methods include voice recognition and signature geometry.
-Multifactor authentication employs two or more of the three factors. Multifactor authentication is stronger than any form of single-factor authentication.

Authentication Services

  • Kerberos is a network authentication protocol using tickets issued by a KDC. If a ticket-granting ticket expires, the user may not be able to access resources. Kerberos is used in Microsoft Active Directory domains and in UNIX realms.
  • Lightweight Directory Access Protocol (LDAP) specifies formats and methods to query directories. It provides a single point of management for objects, such as users and computers, in an Active Directory domain.
  • Single sign-on (SSO) allows users to authenticate with a single user account and access multiple resources on a network without authenticating again. SSO can be used to provide central authentication with a federated database and use this authentication in an environment with different operating systems (nonhomogeneous environment).

Remote Access Authentication

Remote access authentication is used when a user accesses a private network from a remote location, such as with a dial-up connection or a VPN connection. The following authentication mechanisms used with remote access were covered in this chapter:
  • PAP is rarely used, primarily because passwords are sent in clear text.
  • CHAP uses a challenge response authentication process.
  • MS-CHAP and MS-CHAPv2 are Microsoft's improvements over CHAP. MS-CHAPv2 provides mutual authentication.
  • RADIUS provides central authentication for multiple remote access services. RADIUS uses UDP and hides only the User-Password attribute during the authentication process; the rest of the packet is sent in the clear.
  • TACACS/XTACACS are two legacy protocols that are rarely used anymore. TACACS is generic, defined by RFC 1492, and uses UDP port 49. XTACACS is a Cisco Systems proprietary improvement over TACACS.
  • TACACS+ is used by some Cisco and UNIX remote access systems as an alternative to RADIUS. TACACS+ uses TCP port 49, obfuscates the entire packet body (not just the password), and supports multiple challenges and responses.