A+, Network+, Security+ Exams in a Nutshell (part 10)

726 | Chapter 12: Security+ Exam Prep and Practice

• Access to a DHCP server can provide information about the internal IP addressing scheme.
• DHCP servers must be secured properly and kept up to date with security patches, hotfixes, and service packs.
• Rogue DHCP servers should be detected and taken offline immediately.
• DHCP servers should be configured to send secure dynamic updates to DNS servers.
• Only authorized administrators should be permitted to manage DHCP servers.

Basics of Cryptography

This subsection summarizes the highlights of the "Basics of Cryptography" section in the Security+ Exam Study Guide.

Symmetric encryption algorithms
• A symmetric algorithm uses one key for both encryption and decryption.
• It is also known as secret key, private key, or shared secret encryption.
• It is widely used because of its simplicity, easy implementation, and speed.
• Symmetric algorithms are divided into stream ciphers and block ciphers.
• Stream ciphers encrypt the message one bit (or byte) at a time.
• Block ciphers encrypt fixed-size blocks as one unit (64 bits for DES and IDEA, 128 bits for AES).
• Symmetric algorithms with short keys are prone to brute force attacks, and the single key must be delivered securely to every party that uses it.

Data Encryption Standard (DES)
• DES encrypts a single 64-bit block of plaintext at a time.
• It uses a 64-bit key, of which 56 bits are key material and 8 bits are parity.
• DES is considered weak because of its small key size; a 56-bit key can be brute-forced with modern hardware.
• 3DES (Triple DES) applies DES three times with two or three independent 56-bit keys to increase the effective key size.

Advanced Encryption Standard (AES)
• The Rijndael design behind AES supports a range of block and key sizes; the AES standard fixes the block at 128 bits.
• Key sizes of 128, 192, and 256 bits are used.
• The 128-bit data block is arranged as four 32-bit columns (a 4x4 byte state).
• It is stronger and faster than 3DES and consumes less processing power and memory.

International Data Encryption Algorithm (IDEA)
• IDEA operates on 64-bit data blocks with a 128-bit key.
• Encryption and decryption use eight rounds, each with 16-bit subkeys derived from the key.
• It is faster and more secure than DES.

Asymmetric encryption algorithms
• Asymmetric encryption algorithms are used in public key cryptography.
• Two mathematically related keys are used: for confidentiality the public key encrypts and the private key decrypts; for digital signatures the private key signs and the public key verifies.
• The public key can be freely distributed, but the private key must be held in strict confidence.
• Asymmetric algorithms are much slower than symmetric algorithms, so in practice they protect symmetric session keys and signatures rather than bulk data.
• Asymmetric algorithms provide confidentiality, integrity, authenticity, and non-repudiation.
• Diffie-Hellman, ElGamal, and RSA are asymmetric algorithms.

Hashing algorithms
• Hashing algorithms are used for integrity and authentication of data.
• A hashing algorithm, or hash function, produces a fixed-length digital fingerprint of the data known as the hash value (digest); distinct inputs should not produce the same value.
• If the original data changes, the hash function produces a different hash value.
• A hash function is a one-way process: the data cannot be recovered from the digest.
• Passwords are stored as hashes, not in plaintext, on secure systems.
• Message Digest 5 (MD5) produces a 128-bit hash value.
• Secure Hash Algorithm 1 (SHA-1) produces a 160-bit hash value.
• Practical collision attacks exist for both MD5 and SHA-1, so they should not be used for signatures or integrity checks in new systems.

Concepts of cryptography
• Confidentiality means that only the intended recipient can decrypt and read a message.
• Integrity means that the data or message has not been changed during transmission.
• Authentication refers to the verification of identity.
• Non-repudiation means that the sender cannot deny having sent the message.
• Digital signatures are used to ensure data integrity and non-repudiation.

Digital certificates
• Certificates are used to identify a user, a device, or an organization.
• Certificates are based on the X.509 standard.
• The Certification Authority (CA) is the PKI component that binds a public key to an individual or organization by signing the certificate.
• Certificates are used for encrypting email and e-commerce traffic, and for digitally signing software.
• Certificate policies define how the CA will issue certificates.
• A Certificate Practice Statement (CPS) describes how the CA plans to manage the certificates that it issues.

Trust models
• In a single CA model, one CA issues and manages all certificates.
• A hierarchical model consists of a root CA (enterprise CA), subordinate CAs, leaf CAs, and end users.
• The root CA uses a self-signed certificate.
• In the web of trust model, the CAs sign each other's certificates (cross-certification).

Storage of private keys
• Private keys can be stored on hardware devices or in software.
• Hardware devices such as smart cards or PCMCIA cards can be used to store private keys.
• Network operating systems also allow storage of private keys.
• In an escrow arrangement, the private keys are held by two different companies, each holding only a part of the key, so that neither party can use it alone.

Certificate revocation
• Certificates are revoked when they can no longer be trusted, for example when the private key is compromised, a user leaves the company, or the organization's identifying details change.
• A revocation request is sent to the CA.
• The CA publishes the serial number of the revoked certificate in the certificate revocation list (CRL).
• The Online Certificate Status Protocol (OCSP) lets a client query the status of a particular certificate without downloading the whole CRL.
• In large organizations, multiple CAs maintain a base CRL.
• The base CRL is updated with Delta CRLs, which list only the changes since the base CRL was published.

Certificate expiry, renewal, suspension, and destruction
• Every certificate has a defined expiry date.
• A certificate must be renewed with the CA before it expires.
• CAs renew certificates either by issuing a new key pair or by re-certifying the existing key.
• The CA can renew its own certificate.
• If the user will not be using the certificate for a while, it can be suspended (placed on hold) to protect the private key.
• When the certificate is no longer needed, it is destroyed.

Recovery of private keys
• If a user loses his private key, it needs to be recovered from storage.
• An administrator is designated as a key recovery agent.
• In large organizations, two or more key recovery agents are required for added security.
• When the key recovery process is split across multiple key recovery agents, the scheme is known as M-of-N control.
• M-of-N control states that out of a total of N recovery agents, at least M must be present to recover a key.

Operational and Organizational Security

This subsection summarizes the highlights of the "Operational and Organizational Security" section in the Security+ Exam Study Guide.

Physical security
• Access control is used to grant physical access to network equipment only to authorized personnel.
• Critical servers and network equipment should be kept in a locked room.
• These rooms should be equipped with alarm systems.
• Log books should be maintained to record entries to the secure room.
• Strong authentication methods such as biometrics should be used.
• If outsiders work inside secure rooms, an employee should accompany them.

Environment
• The temperature should be kept within limits.
• Alarms should be installed to monitor temperature and to sound alerts if required.
• Humidifiers or dehumidifiers, as required, should be installed.
• Hardware technicians should wear ESD wristbands.
• Good air quality should be maintained inside server rooms.
• Equipment should be located in racks on raised floors.
• If required, STP cable should be used to protect the equipment from EMI and RFI.
• Fire suppression equipment should be used to prevent damage from accidental fires.
• Water sprinklers should not be used in server rooms.

Backups
• Data backup is a critical element of a disaster recovery plan.
• Backup media should be stored at an offsite location.
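The "Hashing algorithms" and "Concepts of cryptography" summaries above state the digest sizes of MD5 and SHA-1, that a changed input yields a different digest, and that passwords are stored as hashes. The following is an added example, not code from the book, using only the Python standard library; the messages, password and salt are constructed sample data. It measures the digest lengths, counts how many digest bits flip when a single input bit changes (the avalanche effect that makes a digest a useful fingerprint), checks a file against an out-of-band digest, and shows why "stored as a hash" means a salted, iterated password hash (PBKDF2 here) rather than a bare MD5 or SHA-1 of the password.

```python
"""Hash digests for integrity checks and salted password hashing.

Added example (not from the book). Standard library only; all inputs below
are constructed sample data.
"""
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; OWASP's 2023 guidance is 600,000.
PBKDF2_ITERATIONS = 600_000


def digest_bits(algorithm, data):
    """Length in bits of the digest `algorithm` produces for `data`."""
    return len(hashlib.new(algorithm, data).digest()) * 8


def bits_changed(algorithm, data_a, data_b):
    """Hamming distance between the digests of two inputs (avalanche effect)."""
    h_a = int.from_bytes(hashlib.new(algorithm, data_a).digest(), "big")
    h_b = int.from_bytes(hashlib.new(algorithm, data_b).digest(), "big")
    return bin(h_a ^ h_b).count("1")


def verify_integrity(data, expected_hex, algorithm="sha256"):
    """Compare a received file's digest with a digest obtained out of band.

    hmac.compare_digest runs in constant time, so an attacker cannot learn
    at which byte the comparison failed.
    """
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256.

    Returns (salt, key); only these are stored. The random per-user salt
    defeats precomputed (rainbow) tables, and the iteration count makes each
    guess expensive for an attacker who steals the password database.
    """
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key


def check_password(password, salt, stored_key, iterations=PBKDF2_ITERATIONS):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt, iterations)
    return hmac.compare_digest(key, stored_key)


if __name__ == "__main__":
    msg = b"attack at dawn"          # constructed sample message
    flipped = b"attack at dawo"      # same message with one input bit flipped
    for alg in ("md5", "sha1", "sha256"):
        print(f"{alg:>6}: {digest_bits(alg, msg)}-bit digest, "
              f"{bits_changed(alg, msg, flipped)} digest bits change on a 1-bit input change")
    salt, key = hash_password("correct horse battery staple")   # constructed sample password
    print("stored salt/key:", salt.hex(), key.hex())
    print("login ok: ", check_password("correct horse battery staple", salt, key))
    print("login bad:", check_password("Tr0ub4dor&3", salt, key))
```

Roughly half of the digest bits change for a one-bit input change with any of the three algorithms, which is the property the summary calls a "unique fingerprint"; the difference between MD5, SHA-1 and SHA-256 is not this behaviour but how hard it is to find two inputs with the same digest.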
• A full backup backs up all the data in a single job and clears the archive bit.
• It takes the longest to run, but restoration is fast.
• An incremental backup backs up all data that has changed since the last full or incremental backup and clears the archive bit.
• The last full backup tape and every incremental tape taken after it are required for a complete restore.
• A differential backup backs up all data that has changed since the last full backup and does not clear the archive bit.
• Only the last full backup tape and the last differential tape are required for a restore.
• A copy backup copies all data on the system but, unlike a full backup, does not clear the archive bit.

Tape rotation and offsite storage
• Backup tapes are reused in order to reduce costs.
• Grandfather-father-son (GFS) is the most commonly used tape rotation plan.
• The daily tape set is known as the son, the weekly tape set as the father, and the monthly full backup tape set as the grandfather.
• A full backup is taken every week, differential or incremental backups every day, and another full backup every month.
• When the month changes, the tapes used for the first week of the previous month are reused.
• The grandfather tape set is not reused.
• Offsite storage of backup tapes protects critical data in the event of a disaster.

Alternate sites
• An alternate site is a temporary facility away from the original location.
• It enables administrators to restore a working network on short notice.
• A hot site is equipped with the necessary hardware, software, network devices, and telephone lines, which allows the organization to resume business immediately.
• A warm site is equipped with the necessary hardware, but the hardware and software must be configured and data must be restored to make the site operational.
• A cold site contains only partial hardware, software, and network devices and must be built up from scratch.
• The cold site requires the most time to set up.

Business continuity plan
• A business continuity plan is developed after assessment of risks, threats, and disasters.
• The disaster recovery plan defines the procedures to recover after a disaster strikes.
• The business recovery plan describes the procedures to resume business functions at an alternate site after a disaster.
• The business resumption plan describes the procedures to resume the functions of critical systems in order to begin business again.
• The contingency plan describes the procedures to resume business after a disaster strikes or when additional unforeseen events take place during the recovery process.

High availability and fault tolerance
• High availability refers to providing maximum uptime and availability of network services.
• Network load balancing is used to distribute load across several servers.
• Server clustering is used to provide system fault tolerance.

Disk fault tolerance
• RAID systems are used to provide fault tolerance for the hard disks in a server.
• RAID 1 (mirroring) uses two disks with 50 percent usable capacity.
• RAID 5 (striping with parity) uses 3 to 32 disks and also supports hot swapping of disks.

Acceptable use policy
• An acceptable use policy describes the guidelines for appropriate use of computers by users.
• Users should not indulge in activities that might damage the image of the company.
• Users should not be involved in activities that consume network resources beyond set limits.
• Users should follow the rules that restrict visits to web sites and the use of email programs.
• Users should not print any confidential documents.
• Users should not transmit confidential information over the Internet.

Due care policy
• A due care policy describes how employees should handle hardware and software.
• Employees should be given guidelines on how to use equipment properly.

Privacy policy
• Employees should be educated on maintaining individual and organizational privacy.
• Organizations reserve the right to inspect personal data stored on company computers.
• Organizations can also monitor an end user's Internet usage and email.
• Critical data is also considered private and confidential.

Separation of duties
• This policy ensures that critical tasks are not assigned to a single person.
• No single person should have control over a task from beginning to end.
• Monopolization of duties should be prevented.
• Separation of duties makes users experts in their respective fields.

Need-to-know policy
• This policy defines restricted access to information.
• Users should be given permissions based on the principle of least privilege.
• Giving employees excessive information might result in its inappropriate handling.

Password management policy
• This policy describes how employees should manage their passwords.
• A password is the employee's key to gaining access to the organization's resources.
• Blank passwords should not be allowed.
• Passwords should have at least eight characters.
• A password should be made up of a combination of upper- and lowercase letters, special characters, and numbers.
• Employees should be forced to change their passwords regularly.
• Employees should not be allowed to reuse old passwords.
• Administrators should use normal user accounts when not performing administrative tasks.
• Only designated IT employees should have administrative privileges.

Service Level Agreement (SLA)
• An SLA is usually signed between the organization and a third party that provides critical services.
• It can also be used inside an organization to describe what the company expects from its IT staff.
• It describes the expected level of performance and confidentiality.
• SLAs often also specify the maximum allowed downtime for computer systems.

Incident response policy
• This policy describes how employees will respond to unexpected incidents involving personal and organizational safety and security.
• It describes how incidents are to be handled without causing a panic.
• It answers the following common questions:
  — Who will investigate and analyze the reasons behind the incident?
  — Who will find an immediate and acceptable solution to the problem caused by the incident?
  — What other documents can be referred to in order to help resolve the problem?

Computer forensics
• Computer forensics is the application of computer expertise to establish factual information for judicial review.
• It involves activities such as the collection, preservation, examination, and transfer of information held on electronic media.
• All electronic crimes are reported to the incident response team.
• The first responder identifies and protects the crime scene.
• The investigator establishes the chain of custody, conducts the search, and maintains the integrity of the evidence.
• The crime scene technician preserves volatile evidence, duplicates computer disks, shuts down the system for transportation, and logs activities.

Chain of custody
• A chain of custody documents how the evidence is transferred from the crime scene to the court of law.
• It specifies the personnel responsible for maintaining and preserving the evidence.
• It is entered in an evidence log and names every person who possessed or worked on the evidence.

Preservation of evidence
• Crime scene data is protected from being damaged.
• Steps are taken to preserve volatile data first.
• Photographs of screens are taken.
• Images of hard disks are made using accepted imaging tools.
• The system is shut down normally.
• Photographs of the existing system setup are taken before anything is moved.
• Each piece of hardware is unplugged and tagged.
• Appropriate safety procedures are followed when handling hardware.
• Smaller pieces of hardware are placed inside antistatic plastic bags.
• Equipment is kept away from strong EMI and RFI.

Collection of evidence
• Collection of evidence is the process of identifying, locating, and processing evidence.
• Appropriate documentation is made.
• The crime scene is secured and unauthorized entry is prohibited.
• The evidence is identified and secured.
• The investigation team examines the evidence and takes steps for its collection.
• Evidence is collected from audit logs, screen displays, and recovered data files.

Education and training
• Educating and training users helps to create a safe and secure working environment.
• Users must know the available methods to communicate with their peers, their supervisors, management, and employees in other departments.
• Users should be made aware of rules, regulations, and security issues when working on computers.
• Online resources help educate, train, and keep users informed.

Risk identification
• A risk is the possibility of incurring some loss due to unexpected situations.
• Risk identification is the process of identifying the assets, risks, threats, and vulnerabilities in a system.
• Organizations need to take steps to identify all types of assets and evaluate them.
• After identifying assets, the type and severity of the risks associated with each type of asset should be identified and assessed.
• The expected number of occurrences of a risk within one year is called the Annual Rate of Occurrence (ARO).
• The dollar value of a single loss is known as the Single Loss Expectancy (SLE).
• Multiplying ARO by SLE gives the Annual Loss Expectancy (ALE).
• The formula for the yearly loss expected from a risk is ALE = ARO × SLE.

Threat identification
• Identification of risks leads to identification of possible threats to a system.
• Threats include incidents involving vandalism, theft of equipment or data, and physical or software intrusions.
• Appropriate steps should be taken to avoid potential threats.

Vulnerabilities
• A vulnerability is a weakness of a system.
• It can lead to exposure of critical and confidential information.
• Vulnerabilities can enable internal malicious activity or outside security attacks.
• Every software application and every hardware device is vulnerable if not configured and secured properly.

Security+ Exam Practice Questions

1. Removal of nonessential services and protocols helps with all of the following except:
❍ A. Securing the system
❍ B. Network performance
❍ C. System performance
❍ D. Reduction of administrative overhead
Answer D is correct. Removing nonessential services and protocols from a system does not reduce administrative overhead. In fact, more administrative effort is required to detect and disable or remove nonessential services and protocols from the different servers across the network.

2. Which of the following authentication methods uses timestamped session tickets?
❍ A. CHAP
❍ B. MS-CHAP
❍ C. Kerberos
❍ D. PAP
Answer C is correct. The Kerberos authentication protocol uses timestamped session tickets. A ticket is valid only for its configured lifetime, and the cached tickets are discarded when the user logs off.

3. You have been told to develop a system to control how and when a user will be allowed to connect to a remote access server. You should specify which media should be used to connect and to which groups the user should belong. Which of the following aspects of computer security are you working with?
❍ A. Access control
❍ B. Authorization
❍ C. Auditing
❍ D. Authentication
Answer A is correct. Defining the stated conditions is essentially the job of an access control system. You are deciding how users should connect if they need access to the remote access server.
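The backup summary earlier on this page states the archive-bit rules for full, incremental, differential and copy backups and which tapes each restore needs. The following is an added worked example, not code from the book, that simulates those rules on a constructed five-day schedule: every write sets a file's archive bit, each job captures and clears bits according to its type, and a restore function derives the tapes to replay and verifies that replaying them really reproduces the latest version of every file. It also covers the case the summary's "last full plus last differential" rule does not: a differential taken after an incremental only holds changes since that incremental, because the incremental cleared the bits, so a mixed schedule needs the incrementals too.

```python
"""Archive-bit semantics of full, incremental, differential and copy backups.

Added example (not from the book). The file names, versions and schedule are
constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Job:
    day: str
    kind: str        # "full", "incremental", "differential" or "copy"
    snapshot: dict   # {file: version} captured by this job


def run_backup(kind, state):
    """Capture files per backup type and update archive bits in `state`.

    `state` maps file -> [version, archive_bit]. Full and copy capture every
    file; incremental and differential capture only files whose archive bit
    is set. Full and incremental then clear the bit; differential and copy
    never touch it.
    """
    if kind in ("full", "copy"):
        captured = {f: v for f, (v, _bit) in state.items()}
    elif kind in ("incremental", "differential"):
        captured = {f: v for f, (v, bit) in state.items() if bit}
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in ("full", "incremental"):
        for f in captured:
            state[f][1] = False
    return captured


def simulate(schedule, changes):
    """schedule: [(day, kind)]; changes: {day: files written before that day's job}.

    Returns the list of jobs and the live {file: version} at the end.
    """
    state = {}
    jobs = []
    for day, kind in schedule:
        for f in changes.get(day, ()):
            version = state[f][0] + 1 if f in state else 1
            state[f] = [version, True]      # any write sets the archive bit
        jobs.append(Job(day, kind, run_backup(kind, state)))
    return jobs, {f: v for f, (v, _bit) in state.items()}


def restore_set(jobs):
    """Jobs to replay, in order, to restore to the time of the last job."""
    last_full = max(i for i, j in enumerate(jobs) if j.kind == "full")
    later = jobs[last_full + 1:]
    last_inc = max((i for i, j in enumerate(later) if j.kind == "incremental"), default=None)
    last_diff = max((i for i, j in enumerate(later) if j.kind == "differential"), default=None)
    needed = [jobs[last_full]]
    if last_inc is None:
        # Textbook case: last full plus last differential.
        if last_diff is not None:
            needed.append(later[last_diff])
        return needed
    # Mixed schedule: every incremental since the full is needed, plus the
    # last differential only if it ran after the last incremental (an earlier
    # differential's files were re-captured by the incremental that followed).
    needed.extend(j for j in later if j.kind == "incremental")
    if last_diff is not None and last_diff > last_inc:
        needed.append(later[last_diff])
    return needed


def replay(jobs):
    """Apply snapshots in order; the latest version of each file wins."""
    restored = {}
    for j in jobs:
        restored.update(j.snapshot)
    return restored


if __name__ == "__main__":
    schedule = [("Mon", "full"), ("Tue", "incremental"), ("Wed", "differential"),
                ("Thu", "incremental"), ("Fri", "differential")]
    changes = {"Mon": ["a", "b", "c"], "Tue": ["a"], "Wed": ["b"],
               "Thu": ["c"], "Fri": ["a"]}
    jobs, live = simulate(schedule, changes)
    for j in jobs:
        print(f"{j.day} {j.kind:<12} captured {sorted(j.snapshot)}")
    needed = restore_set(jobs)
    print("restore from:", [j.day for j in needed])
    assert replay(needed) == live
```

In the sample run the Thursday incremental re-captures file b, which Wednesday's differential had already saved, because the differential left b's archive bit set; mixing the two types therefore costs tape space and, more importantly, turns a two-tape restore into a four-tape one. Pick one daily type per full-backup cycle.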
4. You have just taken charge of some file servers in your organization. You suspect that someone is repeatedly trying to gain unauthorized access to a confidential folder on one of the file servers. You decide to configure auditing on this server. Which of the following events should you audit?
❍ A. Object Access Failure
❍ B. Object Access Success
❍ C. Logon/logoff Failure
❍ D. Logon/logoff Success
Answer A is correct. The person is trying to access the folder but is not succeeding, so the failure events for object access should be recorded in the audit logs. It is also a good idea to audit successful object access events, in case someone has obtained legitimate user credentials to access the confidential information.

5. Which of the following is known as a label-based access control method and is hard-coded into a device?
❍ A. RBAC
❍ B. DAC
❍ C. MAC
❍ D. None of the above
Answer C is correct. The mandatory access control (MAC) method is hard-coded into devices and is known as label-based access control.

6. Which of the following is a probable reason for a hacker to create a back door in a system?
❍ A. The hacker is trying to guess the credentials of the user.
❍ B. The hacker is trying to gain access without having to authenticate.
❍ C. The hacker is trying to get personal information from the user over the phone.
❍ D. The hacker is trying to connect to the user's wireless home network.
Answer B is correct. A back door attack occurs when a hacker gains access to a system without having to authenticate. Attackers usually plant a back door by exploiting a system configuration weakness or a software vulnerability.

7. A programmer has written malicious code that will delete all system files on a critical file server. The code will execute as soon as the programmer is terminated from the company and his user account is disabled or deleted. What kind of malicious code is this?
❍ A. Trojan horse
❍ B. Worm
❍ C. Virus
❍ D. Logic bomb
Answer D is correct. A logic bomb is malicious code that waits for an event to occur. In this case, the code will wait for the user's account to be disabled or deleted.

[...]

[...] confidential marketing information that needs to be protected. You are afraid that if any of the laptops are stolen, the confidential data could be leaked and used against the organization. Which of the following is the best method to protect data stored on laptops?
❍ A. Encrypt the data
❍ B. Compress the data
❍ C. Make the data read-only
❍ D. Archive the data
Answer A is correct. The data stored on laptop computers [...]

[...] restoration of data. Which of the following backup types would you suggest?
❍ A. Full backup every day
❍ B. Full backup and incremental backup
❍ C. Full backup and differential backup
❍ D. Incremental and differential backup
Answer A is correct. A full backup takes longer to complete but is the fastest to restore in case of a disaster. When you take a full backup every day, if a disaster [...]

[...] ❍ D. Intranet
Answers C and D are both correct. You will need to design an extranet or an intranet. These are two types of virtual private networks that allow two or more partner companies to share and exchange network resources.

In which area of the network should you place private web servers, domain controllers, and database servers?
❍ A. Intranet
❍ B. Extranet
❍ C. VLAN
❍ D. DMZ
