In early summer of 2011, the latest version of the Security+ exam, SY0-301, was released. This revamped exam focuses more on risk, operational security, and mobile device security. It also clearly emphasizes security in three main areas: application, data, and host. In your efforts to prepare for SY0-301, it would be a good idea to pay special attention to the new topics and issues added for this latest revision.
This series of posts focuses on some of the new topics, terms, and issues added to the SY0-301 Security+ 2011 exam in domains 2.0 – 6.0. These domains include:
- 2.0 Compliance and Operational Security
- 3.0 Threats and Vulnerabilities
- 4.0 Application, Data and Host Security
- 5.0 Access Control and Identity Management
- 6.0 Cryptography
For the discussion of the new topics in Domain 1.0, please review the white paper Ten New Topics on Security+ 2011 (SY0-301) from Domain 1.0. (Note: The number in parentheses after each topic is the official objective sub-domain reference as defined by CompTIA for SY0-301. Please visit www.comptia.org for a complete accounting of the objectives.)
Domain 2.0 – Compliance and Operational Security
1. Annualized Loss Expectancy (2.1)
Annualized Loss Expectancy (ALE) is one of the calculated values produced during a quantitative risk assessment. ALE has long been a staple concept for those pursuing the CISSP, and its addition to the Security+ content signals a real focus on risk management rather than a cursory nod. The ALE is derived from three values: asset value (AV), exposure factor (EF), and annualized rate of occurrence (ARO). The AV is an assigned dollar figure representing the value of an asset to the organization. The EF is the percentage of the asset's value that would be lost if a specific threat were realized once. The ARO is an estimate of how many times the threat is expected to be realized in a single year (a value below 1 means less often than once a year, e.g., 0.1 for once a decade). The intermediate product AV x EF is the single loss expectancy (SLE), the cost of one occurrence, and SLE x ARO = ALE, so AV x EF x ARO = ALE. Once an ALE has been calculated for each pairing of asset and threat, the largest ALE points to the most significant risk to the organization and should be addressed first in the security response.
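The calculation above, carried through for a small risk register, as an added example that is not part of the original article. It also goes one step beyond the text by pricing a safeguard (annual loss avoided minus the control's annual cost), which is how the ALE figures are normally put to use. All asset values, exposure factors and AROs are constructed illustration figures.

```python
"""Quantitative risk calculation with the SY0-301 terms AV, EF, ARO, SLE and ALE.
Added example, not from the original article. The asset values, exposure
factors and AROs below are constructed illustration figures, not real data."""


def sle(asset_value, exposure_factor):
    """Single Loss Expectancy: dollar loss from one occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value, exposure_factor, aro):
    """Annualized Loss Expectancy: SLE scaled by expected occurrences per year.
    An ARO below 1 means the threat is expected less than once a year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def rank_risks(pairs):
    """Return (asset, threat, ALE) triples sorted from largest ALE down,
    the ordering the article says drives remediation priority."""
    scored = [(asset, threat, ale(av, ef, aro)) for asset, threat, av, ef, aro in pairs]
    return sorted(scored, key=lambda row: row[2], reverse=True)


def safeguard_value(ale_before, ale_after, annual_cost):
    """Cost/benefit of a control (one step beyond the article's text):
    a positive result means the control saves more per year than it costs."""
    return (ale_before - ale_after) - annual_cost


# Constructed asset/threat pairs: (asset, threat, AV in dollars, EF, ARO)
RISK_REGISTER = [
    ("customer database", "ransomware", 500_000, 0.60, 0.50),
    ("web storefront", "DDoS outage", 200_000, 0.25, 2.00),
    ("office laptops", "theft", 50_000, 0.10, 4.00),
    ("data center", "flood", 2_000_000, 0.80, 0.02),
]

if __name__ == "__main__":
    for asset, threat, value in rank_risks(RISK_REGISTER):
        print(f"{asset:18} {threat:12} ALE=${value:>12,.2f}")
    # Hypothetical control: offline backups at $40k/yr cut the ransomware EF
    # from 0.60 to 0.15 (the ARO is unchanged; backups do not stop infections).
    before = ale(500_000, 0.60, 0.50)
    after = ale(500_000, 0.15, 0.50)
    print(f"backup control nets ${safeguard_value(before, after, 40_000):,.2f} per year")
```

Note that the ranking alone does not say which control to buy; a control whose annual cost exceeds the ALE it removes is not worth implementing, which is what `safeguard_value` makes explicit.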
2. Quantitative vs. Qualitative (2.1)
Risk assessment is best performed using a hybrid approach, combining a quantitative and a qualitative assessment of risk. A quantitative approach uses numeric values (asset values, probabilities, and dollar losses such as the ALE) to prioritize the security response. A qualitative approach gathers the subjective judgments of various personnel on the state or status of security and risk, typically expressed on scales such as low/medium/high. A hybrid approach matters because a purely quantitative assessment ignores risks that cannot be priced (reputation, morale, regulatory attention), while a purely qualitative one lacks the figures needed to justify spending; either alone will produce a skewed view of the true state of risk.
3. Risks associated to Cloud Computing and Virtualization (2.1)
Virtualization was a topic in the previous exam, but cloud computing is a new addition. This objective focuses on the risks related to these technologies. Virtualization is the concept of hosting multiple operating systems (and/or their various applications) on a single set of computer hardware. Cloud computing expands on this by taking advantage of Internet (public) or private online services, which can include software, platform, or infrastructure as a service. The risks associated with cloud computing and virtualization include:
- Reduced control due to data being located outside the physical premises
- Difficulty of maintaining regulation compliance
- Lack of security training and implementation at the cloud service organization
- Potential geographic storage location issue (within your country or spread across multiple countries)
- Legal implications in the event of disclosure or breach in terms of jurisdiction
- Method/type of encryption and who possesses the encryption keys
- In the event of a search warrant, can the cloud service organization turn over your data in plaintext?
- Speed of recovery/restoration
4. Basic forensic procedures (2.3)
Basic forensic procedures were included in the previous list of exam objectives, but the new objectives list nine specific sub-objectives: order of volatility, capture system image, network traffic and logs, capture video, record time offset, take hashes, screenshots, witnesses, and track man hours and expense. Each of these sub-objectives is fairly straightforward and self-explanatory, especially if you have a basic understanding of computer forensics (i.e., digital evidence collection and processing). For the exam, focus on understanding each of these topics at a more in-depth level since they are named specifically on the new objectives list.
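Several of those sub-objectives (order of volatility, take hashes, record time offset, track man hours) can be shown concretely in a small evidence-collection helper. This is an added example, not code from the original article; the "disk image" bytes, clock readings, case number and examiner names are constructed for the demonstration, and the volatility ordering follows RFC 3227.

```python
"""Evidence-collection helper for the SY0-301 forensic sub-objectives:
order of volatility, taking hashes, recording time offset, tracking man hours.
Added example, not from the original article; the evidence bytes, clock
readings, case number and examiner names are constructed."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Most volatile first (RFC 3227): collect in this order so that acquiring a
# less volatile source does not destroy a more volatile one.
ORDER_OF_VOLATILITY = [
    "registers and cache",
    "routing table, ARP cache, process table, kernel statistics, memory",
    "temporary file systems",
    "disk",
    "remote logging and monitoring data",
    "physical configuration and network topology",
    "archival media",
]


def hash_evidence(data, algorithms=("md5", "sha256")):
    """Hash an acquired image/file with more than one algorithm. The digests go
    into the chain-of-custody record and are recomputed later to prove that
    the copy analysed is the copy collected."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def time_offset(system_clock, reference_clock):
    """Offset in seconds of the suspect system's clock relative to a trusted
    reference (NTP, GPS, the examiner's synchronised watch). Positive means
    the system clock runs ahead."""
    return (system_clock - reference_clock).total_seconds()


def normalize_timestamp(system_timestamp, offset_seconds):
    """Convert a timestamp read from the suspect system into reference time,
    so events from several systems can be placed on one timeline."""
    return system_timestamp - timedelta(seconds=offset_seconds)


def man_hours(entries):
    """Sum examiner effort from (examiner, hours) tuples for the cost report."""
    return sum(hours for _, hours in entries)


def build_record(case_id, item, data, system_clock, reference_clock, effort):
    """Assemble one chain-of-custody record as a JSON-serialisable dict."""
    return {
        "case": case_id,
        "item": item,
        "size": len(data),
        "hashes": hash_evidence(data),
        "clock_offset_seconds": time_offset(system_clock, reference_clock),
        "collected_at_reference_time": reference_clock.isoformat(),
        "man_hours": man_hours(effort),
    }


def demo_record():
    """Build a record from constructed inputs (stand-in for a real acquisition)."""
    image = b"\x00" * 512 + b"FAKE-PARTITION-TABLE" + b"\xff" * 512
    system_clock = datetime(2011, 7, 1, 10, 5, 0, tzinfo=timezone.utc)     # read off the suspect host
    reference_clock = datetime(2011, 7, 1, 10, 0, 0, tzinfo=timezone.utc)  # trusted NTP source
    return build_record("CASE-0001", "laptop-HDD-image.dd", image,
                        system_clock, reference_clock,
                        [("examiner A", 2.5), ("examiner B", 1.0)])


if __name__ == "__main__":
    record = demo_record()
    print(json.dumps(record, indent=2))
    # A log entry the suspect system stamped 10:30 happened at 10:25 reference time.
    stamped = datetime(2011, 7, 1, 10, 30, tzinfo=timezone.utc)
    print(normalize_timestamp(stamped, record["clock_offset_seconds"]).isoformat())
```

Two algorithms are hashed on purpose: MD5 is still what many older tools and legal precedents expect, while SHA-256 guards against the known MD5 collision attacks, and an examiner who recorded only one would have to argue the point in court.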
5. Personally Identifiable Information (2.4)
Personally identifiable information (PII) is any information that can be linked back to an individual person. This could be due to a reference or identification being included with the information or that the information alone points to an individual. For example, the fact that someone has a favorite flavor of ice cream, such as mint chocolate chip, is not PII, unless it is on a document indicating who that person is (such as Michael). However, if the information is a phone number, e-mail, mailing address, social security number, employee ID, driver’s license number, license plate, etc., this information is PII itself as it directly points back to an individual (or nearly so). PII protection is of utmost importance as information is being gathered at an alarming rate, and often we are giving away this information without even realizing. It may be years before we fully understand the ramifications of being so open about ourselves on social networks and smart phone apps. Will your PII be harvested and used against you one day?
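The direct identifiers listed above (phone number, e-mail, social security number) have recognisable formats, which is what a log scrubber or data-loss-prevention rule keys on. The scanner below is an added example, not from the original article; the sample lines are constructed, and the patterns only cover US SSNs, e-mail addresses and North American phone numbers. Format matching catches candidates, not meaning: a hit still needs review, and identifiers in other formats will be missed.

```python
"""Scan free text (log lines, tickets) for common direct identifiers and
redact them. Added example, not from the original article; the sample lines
are constructed. Patterns cover US SSN, e-mail and North American phone only."""
import re

PII_PATTERNS = {
    # US SSN, 3-2-4 digits. The Social Security Administration never issues
    # area 000, 666 or 900-999, group 00, or serial 0000, so those are rejected.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # North American phone: optional +1, optional parentheses, . - or space separators.
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
}


def find_pii(text):
    """Return a list of (kind, match) for every identifier found in text."""
    hits = []
    for kind, pattern in PII_PATTERNS.items():
        hits.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return hits


def redact(text):
    """Replace each identifier with [KIND] so the line can be stored or shared."""
    for kind, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()}]", text)
    return text


SAMPLE_LINES = [  # constructed
    "2011-07-01 user michael@example.com updated profile, callback 555-867-5309",
    "claim filed for SSN 123-45-6789, ticket #2011-0042",
    "favorite flavor: mint chocolate chip",          # no identifier, so not PII by itself
    "invalid ssn 000-12-3456 should not match",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(find_pii(line), "=>", redact(line))
```

The third sample line is the article's ice-cream case: the preference alone is not PII, and it only becomes PII once it sits next to something like the e-mail address in the first line.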
6. Clean desk policies (2.4)
A clean desk policy indicates that workers need to secure all materials on their computers and physical workspaces before they end their work shift. A worker should save their work, transfer files to proper locations, potentially make backups, then log out of their computer terminal. A worker should also collect and file away all paperwork from their work surface. All paperwork of any sensitive value must be secured in a locked drawer or office safe. The purpose of a clean desk policy is to reduce the risk of information theft, loss, or disclosure.
7. Zero day exploits (2.5)
Zero day exploits are attacks against vulnerabilities for which no patch or specific countermeasure yet exists. The name refers to the fact that the vendor and defenders have had zero days to prepare a fix or a detection signature: the flaw is being exploited before, or on the same day, it becomes known to them. Because the attack is new and unknown, signature-based security solutions are unable to detect or respond to it. The term therefore also covers attacks that may be days, weeks, or even months old, so long as no specific defense against them exists. Once the vulnerability is disclosed and a patch or countermeasure is available, the threat ceases to be a zero day exploit, although systems that remain unpatched stay exposed to it.
8. Succession planning (2.5)
Succession planning is the pre-determination of the next-in-line for key leadership positions within an organization. People in an organization’s top C-level hierarchy can make or break an organization. Failing to have responsible leadership can be the downfall of any organization. Since life can be chaotic, it is important to plan for the worst with a line-up of successors to any key positions. Those selected as leadership alternatives can be trained and groomed so as to be ready to take over in the event of a top position becoming vacant.
9. Hot and cold aisles (2.6)
Hot and cold aisles is a data center or computer vault air management concept. If a data center is designed so the banks of computers, servers, etc., are lined up like parallel walls or aisles, then, by alternating cold air input and hot air extraction, an otherwise difficult-to-manage situation becomes quite easy. Keeping high-end computing equipment cool is key to high-performance and long-term reliability. Allowing overheating will result in expensive downtime. This air management concept is both simple in design and effective in execution.
Domain 3.0 Threats and Vulnerabilities
1. Smurf attack (3.2)
The Smurf attack has been a staple example of DDoS (Distributed Denial of Service) for well over a decade, and it is the ancestor of today's reflection and amplification attacks (such as those abusing open DNS and NTP servers). Smurf uses ICMP echo request packets (ICMP Type 8) to trigger a flood of echo replies (ICMP Type 0) at a victim. The attacker spoofs the source address of the echo requests as the victim's address and sends them to the directed broadcast addresses of vulnerable networks (a.k.a. amplification networks). Each amplification network multiplies one inbound request by the number of hosts on it, and every host sends its echo reply to the victim. The resulting traffic can saturate the victim's link and cut it off from the network. The Smurf attack is generally ineffective today, since routers drop inbound directed broadcasts by default and ICMP is often filtered at network borders.
2. Spam over Instant Messaging (3.2)
Spam over Instant Messaging (SPIM) is another cute term for unwanted and/or unsolicited messages arriving through any form of instant messaging or chat service, which can include mobile device texting (i.e., SMS). SPIM is yet another way of wasting your time and money (if you are not on an unlimited data plan) just so advertising and malicious content can reach you. Its cousin, spam over Internet telephony (SPIT), is spam delivered over VoIP services such as Vonage, Skype, or Google Video Chat, and is likewise a time and money waster for the consumer.
3. Vishing (3.2, 3.3)
Vishing, or VoIP phishing, is the use of VoIP services to support phishing attacks. A VoIP caller can easily falsify the caller ID, fooling you into believing that an inbound call is from someone you know or trust, when it is actually a call from an attacker. It is important to be extra cautious when giving out personal information over the phone. In particular, if a caller asks you to provide information rather than confirm information they already hold (for example, they read you your account number and you confirm that it is correct), hang up and call the claimed organization or person back on a known, trusted number.
4. Xmas attack (3.2)
The Xmas attack is not actually an attack; instead, it is one of the many variants of port scanning. The name comes from the TCP header flags the probe sets: the FIN, PSH, and URG flags are all lit at once (some early variants set every flag), which is said to resemble the blinking lights of a Christmas (or Xmas) tree. That combination never occurs in a legitimate connection, so a stateful firewall that only admits packets belonging to an established session is usually sufficient to render Xmas scans, as well as most other port scanning variations, worthless. However, it is important to remember that port scans using the TCP full-connect or half-open (SYN) methods are always able to find ports that accept connections; otherwise, legitimate connections would be refused as well.
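A small classifier for TCP flag combinations makes the point concrete: the Xmas, Null and FIN probes are recognisable because no real session ever carries those flag sets, and the scanner infers port state from the reply (an RFC 793 stack answers RST on a closed port and stays silent on an open one; Windows stacks answer RST either way, so the scan tells you nothing there). This is an added example, not code from the original article; the packet records are constructed.

```python
"""Classify TCP header flag combinations seen on the wire and show how an
Xmas/FIN/Null scan infers port state from the reply. Added example, not from
the original article; the packet records are constructed."""

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations that never occur in a legitimate TCP session.
SCAN_SIGNATURES = {FIN | PSH | URG: "xmas scan", 0: "null scan", FIN: "fin scan"}
STEALTH_SCANS = tuple(SCAN_SIGNATURES.values())


def flag_names(flags):
    """Human-readable list of the set flags, e.g. ['FIN', 'PSH', 'URG']."""
    table = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]
    return [name for bit, name in table if flags & bit] or ["none"]


def classify(flags):
    """Label a flag byte. SYN combined with FIN or RST is reported as malformed
    rather than as a named scan, since it is never valid either."""
    low = flags & 0x3F                      # ignore the ECE/CWR congestion bits
    if low in SCAN_SIGNATURES:
        return SCAN_SIGNATURES[low]
    if low & SYN and low & (FIN | RST):
        return "malformed (SYN with FIN/RST)"
    return "ordinary traffic"


def infer_state_from_reply(probe_flags, reply_flags):
    """Port state as an Xmas/FIN/Null scanner would report it: RST means closed,
    silence means open or filtered (the scan cannot tell those two apart)."""
    if classify(probe_flags) not in STEALTH_SCANS:
        raise ValueError("inference rule only applies to Xmas/FIN/Null probes")
    if reply_flags is None:
        return "open|filtered"
    if reply_flags & RST:
        return "closed"
    return "unexpected reply"


# Constructed records: (source, destination port, flags sent, flags in reply or None)
PACKETS = [
    ("10.0.0.5", 22, FIN | PSH | URG, None),
    ("10.0.0.5", 23, FIN | PSH | URG, RST | ACK),
    ("10.0.0.5", 80, 0, RST | ACK),
    ("10.0.0.9", 443, SYN, SYN | ACK),
]


def summarize(packets):
    """Per-source count of stealth-scan probes, the quantity an IDS rule keys on."""
    counts = {}
    for src, _, sent, _ in packets:
        if classify(sent) in STEALTH_SCANS:
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for src, port, sent, reply in PACKETS:
        kind = classify(sent)
        state = infer_state_from_reply(sent, reply) if kind in STEALTH_SCANS else ""
        print(f"{src} -> :{port:<4} {'/'.join(flag_names(sent)):12} {kind:18} {state}")
    print("stealth probes per source:", summarize(PACKETS))
```

Note that a lone SYN is deliberately classified as ordinary traffic: a SYN scan is indistinguishable from a connection attempt on a single packet, which is exactly why the article says connect and half-open scans always work.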
5. Pharming (3.2)
Pharming is maliciously redirecting a victim's traffic without their knowledge. Commonly this is done against Web sites through an attack on name resolution, either by poisoning a DNS cache or by altering the victim's local hosts file. The attack can be local or global. A local attack would only affect visitors from a specific host, subnet, company network, or perhaps a small ISP. A global attack, such as a poisoned record at a widely used resolver or a hijacked authoritative name server, would affect anyone on the Internet attempting to resolve the domain name by returning a false IP address. In any case, the pharming attack results in victims being sent to an alternative location, often presenting a false or spoofed version of the original Web site in order to steal sales, perform phishing, or attempt identity theft.
6. Tailgating (3.3)
Tailgating is the act of gaining access to a security location by taking advantage of someone else’s valid credentials in such a way that the owner of the valid credentials is unaware that an attack just took place. This is often easiest to understand with a scenario: a worker approaches a secure door and uses his smart card to unlock the door. After the worker enters, an attacker sneaks up and grabs the door just before it closes, slips in unnoticed, and allows the door to close. Tailgating can be reduced by having workers ensure a door closes and re-locks before they leave it, positioning security guards at each entrance, and installing man-traps.
7. Whaling (3.3)
Whaling is a form of spear phishing aimed at a specific high-value individual or a small group of such individuals. Typical phishing attacks are distributed to everyone and anyone indiscriminately, whereas whaling messages are tailored to their target. Common whaling targets are company executives or persons with high net worth, who may have significant monetary funds in a bank or brokerage account or the authority to approve large transfers.
8. Evil Twin (3.4)
An Evil Twin is a wireless attack in which the attacker sets up a rogue access point that duplicates the identity (the SSID, and often the BSSID/MAC address) of a trusted wireless network. The attack works because wireless clients typically retain a profile of every network they have successfully joined. Each time the interface comes up, the client probes for these known networks and attempts to reconnect, and the probe requests carry the remembered SSIDs. Evil Twin attack tools listen for these probes and answer with a spoofed copy of the requested network, often at a higher signal strength than the genuine access point, so the client associates with the attacker and all of its traffic can be intercepted. Open networks are trivial to duplicate; a WPA/WPA2 network can only be cloned convincingly if the attacker already knows its pre-shared key.
9. SQL Injection (3.5)
SQL injection is a form of command injection attack that takes advantage of application code which concatenates untrusted input into database query text, allowing the attacker to alter the structure of the query and execute arbitrary database statements (or, through database features, even operating system commands). The primary defense is to keep data separate from code by using parameterized queries (prepared statements); input validation and running the application under a least-privilege database account further reduce the threat this attack represents. Similar to SQL injection are LDAP injection and XML injection. Both are newly listed topics, and both follow the same overall concept. LDAP injection targets the filter syntax of an LDAP-based directory service; XML injection targets any XML-based application, processing, or results rendering.
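The vulnerable pattern and its fix side by side, run against an in-memory SQLite database, as an added example that is not part of the original article. The users table, credentials and payloads are constructed; SQLite is used only because it runs with nothing installed, and the same distinction between string-built and parameterized queries applies to every database driver.

```python
"""SQL injection: the string-built query beside the parameterized fix, run
against an in-memory SQLite database. Added example, not from the original
article; the users table, credentials and payloads are constructed."""
import sqlite3


def make_db():
    """Constructed login table; in a real deployment the application account
    would also be limited to SELECT on this one table (least privilege)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "wonderland", "admin"), ("bob", "builder", "user")])
    return db


def login_vulnerable(db, user, pw):
    """Concatenates untrusted input into the query text, so a quote in the
    input changes the query's structure. Deliberately left broken."""
    sql = f"SELECT name, role FROM users WHERE name = '{user}' AND pw = '{pw}'"
    return db.execute(sql).fetchall()


def login_parameterized(db, user, pw):
    """Placeholders send the values separately from the SQL text; the driver
    never reparses them as SQL, so quotes and comment markers stay data."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return db.execute(sql, (user, pw)).fetchall()


# Two classic payloads: a tautology that makes the WHERE clause always true,
# and a comment marker that discards the password check entirely.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, valid creds:    ", login_vulnerable(db, "alice", "wonderland"))
    print("vulnerable, tautology in pw:", login_vulnerable(db, "x", TAUTOLOGY))
    print("vulnerable, comment in user:", login_vulnerable(db, COMMENT_OUT, "wrong"))
    print("parameterized, tautology:   ", login_parameterized(db, "x", TAUTOLOGY))
    print("parameterized, comment:     ", login_parameterized(db, COMMENT_OUT, "wrong"))
    print("parameterized, valid creds: ", login_parameterized(db, "bob", "builder"))
```

Input filtering alone is a weaker defense than the parameterized version shows: a filter has to anticipate every quoting trick and encoding, whereas the placeholder makes the distinction between code and data the database's job.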
10. MAC limiting and filtering (3.6)
MAC limiting and filtering (often called port security) is an important defense on switches against MAC flooding, in which an attacker sends frames from thousands of bogus source addresses to overflow the switch's CAM table and force it to flood traffic out every port where it can be sniffed. MAC limiting allows a switch to learn the first source MAC address (or a configured number of addresses) seen on each physical port and then lock those addresses as the only device identities it will accept from that port; frames from any further address trigger a violation action such as dropping the frame or shutting the port down. MAC filtering is the static form, an administrator-defined list of permitted addresses. Note that ARP spoofing is better countered by DHCP snooping and Dynamic ARP Inspection, since the spoofer usually sends from its own legitimate MAC address. MAC filtering is also found on wireless access points to limit connectivity to known physical devices, although a MAC address is easily observed and spoofed, so it is a weak control on its own.
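A simulation of the mechanism, as an added example that is not code from the original article: each port learns up to a configured number of source addresses, and a constructed MAC-flood burst then shows how the three usual violation modes differ. The port names, MAC addresses and mode names are constructed and follow the common Cisco-style terminology (shutdown, restrict, protect) rather than any one vendor's exact behaviour.

```python
"""Simulation of switch-port MAC limiting ("port security"). Added example,
not from the original article; the frame stream, port names and MAC addresses
are constructed, and the violation modes mirror common Cisco-style terminology
rather than any specific vendor implementation."""


class PortSecurity:
    """Per-port MAC limiting with the three usual violation modes."""

    def __init__(self, max_macs=1, violation="shutdown"):
        self.max_macs = max_macs
        self.violation = violation      # "shutdown" | "restrict" | "protect"
        self.learned = {}               # port -> set of accepted source MACs
        self.err_disabled = set()       # ports shut down after a violation
        self.violations = {}            # port -> number of violating frames seen

    def ingress(self, port, src_mac):
        """Return 'forward' or 'drop' for a frame arriving on port."""
        if port in self.err_disabled:
            return "drop"               # stays down until an admin clears it
        allowed = self.learned.setdefault(port, set())
        if src_mac in allowed:
            return "forward"
        if len(allowed) < self.max_macs:
            allowed.add(src_mac)        # sticky learning of the first N addresses
            return "forward"
        # Limit exceeded: apply the configured violation action.
        self.violations[port] = self.violations.get(port, 0) + 1
        if self.violation == "shutdown":
            self.err_disabled.add(port)
        # "restrict" counts and logs each offending frame; "protect" drops silently.
        return "drop"


def flood_frames(port, count):
    """Constructed burst of frames, each with a fresh source MAC: the traffic a
    MAC-flooding tool generates to overflow the CAM table."""
    return [(port, "02:00:00:00:%02x:%02x" % divmod(i, 256)) for i in range(count)]


def run(frames, policy):
    """Feed (port, src_mac) frames through the policy; return (forwarded, dropped)."""
    results = [policy.ingress(port, mac) for port, mac in frames]
    return results.count("forward"), results.count("drop")


if __name__ == "__main__":
    policy = PortSecurity(max_macs=1, violation="shutdown")
    legit = [("Gi0/1", "00:11:22:33:44:55")] * 3
    print("normal host on Gi0/1:", run(legit, policy))
    print("flood on Gi0/2:      ", run(flood_frames("Gi0/2", 1000), policy))
    print("err-disabled ports:  ", policy.err_disabled, "violations:", policy.violations)
    # Collateral damage of shutdown mode: the real host behind Gi0/2 is cut off too.
    print("legit host on Gi0/2 after flood:", policy.ingress("Gi0/2", "00:aa:bb:cc:dd:ee"))
```

The trade-off between the modes is visible in the counters: shutdown stops the flood after a single bogus frame but takes the port (and any legitimate host on it) offline until someone intervenes, while restrict keeps the port up and drops each extra address individually.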
11. Black box, White box, Gray box (3.8)
Black box, white box, and gray box are labels given to various forms of testing, including application testing and penetration testing. Black box implies that the testers have no knowledge of the internal structure or logic of the item/network/system being tested and must learn everything on their own. This is also known as a zero-knowledge test. A white box test is one in which everything is known about the test target (source code, architecture, credentials). This is also known as a full-knowledge test. A gray box test is one in which some information about the target is known, such as an ordinary user account or a network diagram. This is also called a partial-knowledge test.
Next week we’ll finish with Domains 4.0-6.0.