Information Security Management

1. Complete Case Project 7-2 from page 318 (chapter 7). Write a one-paragraph explanation along with your table.

Case Project 7-2: Securing Email
Use the Internet to research different options for encrypting and securing email. Create a
table that lists at least five options. Include the advantages and disadvantages of each. Which
would you recommend? Why? Write a one-paragraph explanation along with your table.
2. Complete Case Project 8-2 from page 368 (chapter 8). Only one page is needed.
Case Project 8-2: Wireless Peripheral Attacks
Attacks on wireless mice and keyboards are not uncommon. Use the Internet to research
these attacks. How do the attacks occur? What is the vulnerability that is exploited? How can
vendors of these products secure them? Write a one-page paper on your research.


Security+ Guide to Network Security Fundamentals
Sixth Edition
Mark Ciampa

INFORMATION SECURITY

Copyright 2018 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203

CompTIA Security+ SY0-501 Exam Objectives

Security+ Exam Domain/Objectives -- Chapter (Bloom's Taxonomy level)

1.0: Threats, Attacks, and Vulnerabilities
1.1 Given a scenario, analyze indicators of compromise and determine the type of malware. -- Chapter 2 (Analyze)
1.2 Compare and contrast types of attacks. -- Chapters 2 (Understand), 3 (Analyze), 5 (Understand), 8 (Apply/Understand), 11 (Create), 15 (Apply)
1.3 Explain threat actor types and attributes. -- Chapter 1 (Analyze/Apply)
1.4 Explain penetration testing concepts. -- Chapter 13 (Apply)
1.5 Explain vulnerability scanning concepts. -- Chapter 13 (Apply)
1.6 Explain the impact associated with types of vulnerabilities. -- Chapters 1 (Understand), 3 (Understand), 4 (Understand), 5 (Understand), 9 (Understand), 10 (Understand)

2.0: Technologies and Tools
2.1 Install and configure network components, both hardware- and software-based, to support organizational security. -- Chapters 4 (Apply), 6 (Analyze), 7 (Apply), 8 (Analyze/Evaluate)
2.2 Given a scenario, use appropriate software tools to assess the security posture of an organization. -- Chapters 8 (Evaluate), 13 (Analyze/Evaluate), 14 (Evaluate)
2.3 Given a scenario, troubleshoot common security issues. -- Chapter 15 (Analyze)
2.4 Given a scenario, analyze and interpret output from security technologies. -- Chapters 6 (Analyze), 7 (Analyze), 9 (Analyze)
2.5 Given a scenario, deploy mobile devices securely. -- Chapters 8 (Apply/Evaluate), 10 (Analyze/Create), 11 (Analyze)
2.6 Given a scenario, implement secure protocols. -- Chapters 4 (Apply), 5 (Analyze)

3.0: Architecture and Design
3.1 Explain use cases and purpose for frameworks, best practices and secure configuration guides. -- Chapters 1 (Analyze), 15 (Understand)
3.2 Given a scenario, implement secure network architecture concepts. -- Chapters 6 (Analyze), 7 (Apply), 8 (Apply/Evaluate), 13 (Apply)


© 2018, 2015 Cengage Learning
Unless otherwise noted, all content is © Cengage.

Security+ Guide to Network Security Fundamentals, Sixth Edition
Mark Ciampa

SVP, GM Skills: Jonathan Lau
Product Team Manager: Kristin McNary
Associate Product Manager: Amy Savino
Executive Director of Development: Marah Bellegarde
Senior Product Development Manager: Leigh Hefferon
Senior Content Developer: Michelle Ruelos Cannistraci
Product Assistant: Jake Toth
Marketing Director: Michelle McTighe
Production Director: Patty Stephan
Senior Content Project Manager: Brooke Greenhouse
Art Director: Diana Graham
Cover image(s): iStockPhoto.com/supernitram

Printed in the United States of America
Print Number: 01 Print Year: 2017

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced or distributed in any form or by any means, except as permitted by U.S. copyright law, without the prior written permission of the copyright owner.

Library of Congress Control Number: 2017950178

ISBN: 978-1-337-28878-1
LLF ISBN: 978-1-337-68585-6

Notice to the Reader
Publisher does not warrant or guarantee any of the products described herein or perform any independent analysis in
connection with any of the product information contained herein. Publisher does not assume, and expressly disclaims, any
obligation to obtain and include information other than that provided to it by the manufacturer. The reader is expressly
warned to consider and adopt all safety precautions that might be indicated by the activities described herein and to avoid all
potential hazards. By following the instructions contained herein, the reader willingly assumes all risks in connection with such
instructions. The publisher makes no representations or warranties of any kind, including but not limited to, the warranties of
fitness for particular purpose or merchantability, nor are any such representations implied with respect to the material set forth
herein, and the publisher takes no responsibility with respect to such material. The publisher shall not be liable for any special,
consequential, or exemplary damages resulting, in whole or part, from the reader's use of, or reliance upon, this material.

Cengage
20 Channel Center Street
Boston, MA 02210
USA

Cengage is a leading provider of customized learning solutions
with employees residing in nearly 40 different countries and sales
in more than 125 countries around the world. Find your local
representative at www.cengage.com.

Cengage products are represented in Canada by NelsonEducation, Ltd.

To learn more about Cengage platforms and services,
visit www.cengage.com

Purchase any of our products at your local college store or at our
preferred online store www.cengagebrain.com

For product information and technology assistance, contact us at
Cengage Learning Customer & Sales Support, 1-800-354-9706.

For permission to use material from this text or product, submit all
requests online at www.cengage.com/permissions.

Further permissions questions can be e-mailed to
[emailprotected]

Some of the product names and company names used in this book have been used for identification purposes only
and may be trademarks or registered trademarks of their respective manufacturers and sellers.
Windows is a registered trademark of Microsoft Corporation. Microsoft is a registered trademark of Microsoft
Corporation in the United States and/or other countries. Cengage is an independent entity from Microsoft Corporation
and not affiliated with Microsoft in any manner.


Brief Contents
INTRODUCTION…………………………………………………………………………………xv

PART 1

SECURITY AND ITS THREATS ………………………………………………………………..1

CHAPTER 1

Introduction to Security ……………………………………………………………………..3

CHAPTER 2

Malware and Social Engineering Attacks …………………………………………. 51

PART 2

CRYPTOGRAPHY ……………………………………………………………………………… 97

CHAPTER 3

Basic Cryptography …………………………………………………………………………. 99

CHAPTER 4

Advanced Cryptography and PKI …………………………………………………… 145

PART 3

NETWORK ATTACKS AND DEFENSES ………………………………………………. 189

CHAPTER 5

Networking and Server Attacks …………………………………………………….. 191

CHAPTER 6

Network Security Devices, Design, and Technology ……………………….. 233

CHAPTER 7

Administering a Secure Network …………………………………………………… 281

CHAPTER 8

Wireless Network Security …………………………………………………………….. 321

PART 4

DEVICE SECURITY…………………………………………………………………………… 371

CHAPTER 9

Client and Application Security ……………………………………………………… 373


CHAPTER 10

Mobile and Embedded Device Security ……………………………………………421

PART 5

IDENTITY AND ACCESS MANAGEMENT …………………………………………….469

CHAPTER 11

Authentication and Account Management ……………………………………..471

CHAPTER 12

Access Management ……………………………………………………………………….521

PART 6

RISK MANAGEMENT ………………………………………………………………………..563

CHAPTER 13

Vulnerability Assessment and Data Security …………………………………..565

CHAPTER 14

Business Continuity ………………………………………………………………………..607

CHAPTER 15

Risk Mitigation ……………………………………………………………………………….651

APPENDIX A

CompTIA SY0-501 Certification Exam Objectives ……………………………..691

GLOSSARY …………………………………………………………………………………………… 713

INDEX …………………………………………………………………………………………………..741


Table of Contents
INTRODUCTION……………………………………………………………………………………………..xv

PART 1

SECURITY AND ITS THREATS …………………………………………….. 1

CHAPTER 1

Introduction to Security ………………………………………………….. 3
Challenges of Securing Information ………………………………………………………… 8

Today's Security Attacks …………………………………………………………………………8
Reasons for Successful Attacks ………………………………………………………………12
Difficulties in Defending Against Attacks ………………………………………………. 14

What Is Information Security? ……………………………………………………………….. 17
Understanding Security …………………………………………………………………………18
Defining Information Security ……………………………………………………………….18
Information Security Terminology …………………………………………………………21
Understanding the Importance of Information Security ………………………….. 24

Who Are the Threat Actors? …………………………………………………………………… 28
Script Kiddies ……………………………………………………………………………………… 29
Hactivists …………………………………………………………………………………………… 29
Nation State Actors ………………………………………………………………………………30
Insiders ………………………………………………………………………………………………30
Other Threat Actors ………………………………………………………………………………31

Defending Against Attacks ……………………………………………………………………. 32
Fundamental Security Principles ………………………………………………………….. 32
Frameworks and Reference Architectures ……………………………………………… 35

Chapter Summary …………………………………………………………………………………. 35

Key Terms …………………………………………………………………………………………….. 37

Review Questions………………………………………………………………………………….. 37

Case Projects ………………………………………………………………………………………… 46

CHAPTER 2

Malware and Social Engineering Attacks ……………………….. 51
Attacks Using Malware ………………………………………………………………………….. 53

Circulation………………………………………………………………………………………….. 55
Infection …………………………………………………………………………………………….. 61


Concealment ………………………………………………………………………………………. 65
Payload Capabilities ……………………………………………………………………………..66

Social Engineering Attacks …………………………………………………………………….. 73
Psychological Approaches ……………………………………………………………………. 74
Physical Procedures ……………………………………………………………………………..80

Chapter Summary …………………………………………………………………………………. 82

Key Terms …………………………………………………………………………………………….. 84

Review Questions …………………………………………………………………………………. 84

Case Projects ………………………………………………………………………………………… 92

PART 2

CRYPTOGRAPHY ……………………………………………………………. 97

CHAPTER 3

Basic Cryptography ……………………………………………………….. 99
Defining Cryptography ………………………………………………………………………… 101

What Is Cryptography? ……………………………………………………………………….. 101
Cryptography and Security …………………………………………………………………. 105
Cryptography Constraints …………………………………………………………………….107

Cryptographic Algorithms ……………………………………………………………………. 108
Hash Algorithms …………………………………………………………………………………110
Symmetric Cryptographic Algorithms ………………………………………………….. 113
Asymmetric Cryptographic Algorithms ………………………………………………… 116

Cryptographic Attacks …………………………………………………………………………. 123
Algorithm Attacks ………………………………………………………………………………. 123
Collision Attacks ………………………………………………………………………………… 125

Using Cryptography …………………………………………………………………………….. 126
Encryption through Software ………………………………………………………………. 127
Hardware Encryption ………………………………………………………………………….128

Chapter Summary ……………………………………………………………………………….. 130

Key Terms …………………………………………………………………………………………… 132

Review Questions………………………………………………………………………………… 133

Case Projects ………………………………………………………………………………………. 142

CHAPTER 4

Advanced Cryptography and PKI …………………………………. 145
Implementing Cryptography ……………………………………………………………….. 147

Key Strength ……………………………………………………………………………………….147
Secret Algorithms ……………………………………………………………………………….148


Block Cipher Modes of Operation ……………………………………………………….. 149
Crypto Service Providers…………………………………………………………………….. 150
Algorithm Input Values ………………………………………………………………………. 151

Digital Certificates ………………………………………………………………………………. 152
Defining Digital Certificates …………………………………………………………………. 152
Managing Digital Certificates ……………………………………………………………….154
Types of Digital Certificates ………………………………………………………………….158

Public Key Infrastructure (PKI) …………………………………………………………….. 165
What Is Public Key Infrastructure (PKI)? ………………………………………………. 166
Trust Models …………………………………………………………………………………….. 166
Managing PKI ……………………………………………………………………………………..168
Key Management ……………………………………………………………………………….. 171

Cryptographic Transport Protocols ……………………………………………………… 174
Secure Sockets Layer (SSL) …………………………………………………………………… 174
Transport Layer Security (TLS) …………………………………………………………….. 175
Secure Shell (SSH) ……………………………………………………………………………….176
Hypertext Transport Protocol Secure (HTTPS) ………………………………………..176
Secure/Multipurpose Internet Mail Extensions (S/MIME) ………………………. 177
Secure Real-time Transport Protocol (SRTP) ………………………………………….. 177
IP Security (IPsec) ………………………………………………………………………………. 177

Chapter Summary ……………………………………………………………………………….. 179

Key Terms …………………………………………………………………………………………… 181

Review Questions………………………………………………………………………………… 181

Case Projects ………………………………………………………………………………………. 187

PART 3

NETWORK ATTACKS AND DEFENSES ……………………………… 189

CHAPTER 5

Networking and Server Attacks …………………………………… 191
Networking-Based Attacks ………………………………………………………………….. 193

Interception ……………………………………………………………………………………….194
Poisoning …………………………………………………………………………………………. 196

Server Attacks …………………………………………………………………………………….. 201
Denial of Service (DoS) ………………………………………………………………………..201
Web Server Application Attacks ………………………………………………………….. 203
Hijacking ………………………………………………………………………………………….. 209
Overflow Attacks ……………………………………………………………………………….. 213
Advertising Attacks …………………………………………………………………………….. 215
Browser Vulnerabilities ………………………………………………………………………. 218

Chapter Summary ……………………………………………………………………………….. 222


Key Terms …………………………………………………………………………………………… 223

Review Questions………………………………………………………………………………… 223

Case Projects ………………………………………………………………………………………. 229

CHAPTER 6

Network Security Devices, Design, and Technology ……… 233
Security Through Network Devices ……………………………………………………… 235

Standard Network Devices …………………………………………………………………. 236
Network Security Hardware ……………………………………………………………….. 246

Security Through Network Architecture ………………………………………………. 260
Security Zones ………………………………………………………………………………….. 260
Network Segregation …………………………………………………………………………. 263

Security Through Network Technologies ……………………………………………… 265
Network Access Control (NAC) ……………………………………………………………. 265
Data Loss Prevention (DLP)…………………………………………………………………. 267

Chapter Summary ……………………………………………………………………………….. 269

Key Terms …………………………………………………………………………………………… 271

Review Questions………………………………………………………………………………… 271

Case Projects ………………………………………………………………………………………. 279

CHAPTER 7

Administering a Secure Network …………………………………. 281
Secure Network Protocols …………………………………………………………………… 283

Simple Network Management Protocol (SNMP) ……………………………………. 285
Domain Name System (DNS) ……………………………………………………………… 286
File Transfer Protocol (FTP)…………………………………………………………………. 288
Secure Email Protocols ………………………………………………………………………. 290
Using Secure Network Protocols …………………………………………………………..291

Placement of Security Devices and Technologies …………………………………. 292

Analyzing Security Data ………………………………………………………………………. 295
Data from Security Devices ………………………………………………………………… 296
Data from Security Software ………………………………………………………………. 297
Data from Security Tools ……………………………………………………………………. 298
Issues in Analyzing Security Data ……………………………………………………….. 298

Managing and Securing Network Platforms ………………………………………… 300
Virtualization …………………………………………………………………………………….300
Cloud Computing ………………………………………………………………………………. 304
Software Defined Network (SDN) ………………………………………………………… 306

Chapter Summary ……………………………………………………………………………….. 309


Key Terms …………………………………………………………………………………………… 310

Review Questions………………………………………………………………………………… 311

Case Projects ………………………………………………………………………………………. 318

CHAPTER 8

Wireless Network Security ………………………………………….. 321
Wireless Attacks ………………………………………………………………………………….. 324

Bluetooth Attacks………………………………………………………………………………. 324
Near Field Communication (NFC) Attacks ……………………………………………..327
Radio Frequency Identification (RFID) Attacks ……………………………………… 330
Wireless Local Area Network Attacks …………………………………………………….332

Vulnerabilities of IEEE Wireless Security ………………………………………………. 341
Wired Equivalent Privacy …………………………………………………………………… 342
Wi-Fi Protected Setup ………………………………………………………………………… 343
MAC Address Filtering ……………………………………………………………………….. 344
SSID Broadcasting ……………………………………………………………………………… 345

Wireless Security Solutions …………………………………………………………………. 346
Wi-Fi Protected Access (WPA) …………………………………………………………….. 347
Wi-Fi Protected Access 2 (WPA2) …………………………………………………………. 349
Additional Wireless Security Protections ……………………………………………….352

Chapter Summary ……………………………………………………………………………….. 356

Key Terms …………………………………………………………………………………………… 359

Review Questions………………………………………………………………………………… 359

Case Projects ………………………………………………………………………………………. 368

PART 4

DEVICE SECURITY …………………………………………………………. 371

CHAPTER 9

Client and Application Security ……………………………………. 373
Client Security …………………………………………………………………………………….. 375

Hardware System Security …………………………………………………………………..375
Securing the Operating System Software ……………………………………………… 379
Peripheral Device Security ………………………………………………………………….. 388

Physical Security …………………………………………………………………………………. 392
External Perimeter Defenses ………………………………………………………………. 393
Internal Physical Access Security ………………………………………………………… 395
Computer Hardware Security …………………………………………………………….. 400

Application Security …………………………………………………………………………….. 401
Application Development Concepts …………………………………………………….. 402


Secure Coding Techniques …………………………………………………………………..404
Code Testing ……………………………………………………………………………………… 405

Chapter Summary ……………………………………………………………………………….. 406

Key Terms …………………………………………………………………………………………… 409

Review Questions………………………………………………………………………………… 410

Case Projects ………………………………………………………………………………………. 417

CHAPTER 10

Mobile and Embedded Device Security ………………………… 421
Mobile Device Types and Deployment …………………………………………………. 423

Types of Mobile Devices …………………………………………………………………….. 424

Mobile Device Risks …………………………………………………………………………….. 432
Mobile Device Vulnerabilities……………………………………………………………… 432
Connection Vulnerabilities …………………………………………………………………. 436
Accessing Untrusted Content ……………………………………………………………… 436
Deployment Model Risks ……………………………………………………………………. 438

Securing Mobile Devices ……………………………………………………………………… 439
Device Configuration …………………………………………………………………………. 439
Mobile Management Tools …………………………………………………………………. 446
Mobile Device App Security ……………………………………………………………….. 448

Embedded Systems and the Internet of Things ……………………………………. 449
Embedded Systems……………………………………………………………………………. 449
Internet of Things ……………………………………………………………………………….451
Security Implications …………………………………………………………………………. 452

Chapter Summary ……………………………………………………………………………….. 455

Key Terms …………………………………………………………………………………………… 457

Review Questions………………………………………………………………………………… 457

Case Projects ………………………………………………………………………………………. 465

PART 5

IDENTITY AND ACCESS MANAGEMENT ………………………….. 469

CHAPTER 11

Authentication and Account Management ………………….. 471
Authentication Credentials …………………………………………………………………. 473

What You Know: Passwords ……………………………………………………………….. 475
What You Have: Tokens, Cards, and Cell Phones …………………………………… 489
What You Are: Biometrics ………………………………………………………………….. 492
What You Do: Behavioral Biometrics …………………………………………………… 498


Where You Are: Geolocation ………………………………………………………………. 499

Single Sign-on ……………………………………………………………………………………… 500

Account Management …………………………………………………………………………. 502

Chapter Summary ……………………………………………………………………………….. 505

Key Terms ……………………………………………………………………………………………. 506

Review Questions………………………………………………………………………………… 507

Case Projects ………………………………………………………………………………………. 517

CHAPTER 12

Access Management ……………………………………………………. 521
What Is Access Control? ………………………………………………………………………. 523

Access Control Terminology ……………………………………………………………….. 524
Access Control Models …………………………………………………………………………527

Managing Access Through Account Management………………………………… 533
Account Setup …………………………………………………………………………………….533
Account Auditing ………………………………………………………………………………. 539

Best Practices for Access Control …………………………………………………………. 540
Separation of Duties ………………………………………………………………………….. 540
Job Rotation ……………………………………………………………………………………… 540
Mandatory Vacations…………………………………………………………………………..541
Clean Desk Policy ………………………………………………………………………………..541

Implementing Access Control ……………………………………………………………… 542
Access Control Lists (ACLs) …………………………………………………………………. 542
Group-Based Access Control ………………………………………………………………. 543

Identity and Access Services ……………………………………………………………….. 544
RADIUS …………………………………………………………………………………………….. 545
Kerberos …………………………………………………………………………………………… 547
Terminal Access Control Access Control System+ (TACACS+) …………………. 548
Lightweight Directory Access Protocol (LDAP) ………………………………………. 549
Security Assertion Markup Language (SAML) ……………………………………….. 550
Authentication Framework Protocols …………………………………………………… 551

Chapter Summary ……………………………………………………………………………….. 552

Key Terms …………………………………………………………………………………………… 554

Review Questions………………………………………………………………………………… 554

Case Projects ………………………………………………………………………………………. 561


PART 6

RISK MANAGEMENT …………………………………………………….. 563

CHAPTER 13

Vulnerability Assessment and Data Security ……………….. 565
Assessing the Security Posture ……………………………………………………………. 567

What Is Vulnerability Assessment? ……………………………………………………… 567
Vulnerability Assessment Tools ……………………………………………………………573

Vulnerability Scanning ………………………………………………………………………… 584

Penetration Testing …………………………………………………………………………….. 586

Practicing Data Privacy and Security ……………………………………………………. 588
What Is Privacy? ………………………………………………………………………………… 589
Risks Associated with Private Data ……………………………………………………… 590
Maintaining Data Privacy and Security ………………………………………………… 592

Chapter Summary ……………………………………………………………………………….. 596

Key Terms …………………………………………………………………………………………… 598

Review Questions………………………………………………………………………………… 598

Case Projects ………………………………………………………………………………………. 604

CHAPTER 14

Business Continuity …………………………………………………….. 607
What Is Business Continuity? ………………………………………………………………. 609

Business Continuity Planning (BCP) …………………………………………………….609
Business Impact Analysis (BIA) ……………………………………………………………. 611
Disaster Recovery Plan (DRP) ……………………………………………………………….612

Fault Tolerance Through Redundancy …………………………………………………. 615
Servers …………………………………………………………………………………………….. 616
Storage ………………………………………………………………………………………………617
Networks ……………………………………………………………………………………………621
Power ………………………………………………………………………………………………. 622
Recovery Sites …………………………………………………………………………………… 622
Data …………………………………………………………………………………………………. 623

Environmental Controls ………………………………………………………………………. 628
Fire Suppression ……………………………………………………………………………….. 628
Electromagnetic Disruption Protection ………………………………………………….631
HVAC …………………………………………………………………………………………………631

Incident Response ………………………………………………………………………………. 633
What Is Forensics? …………………………………………………………………………….. 633


Incident Response Plan ……………………………………………………………………… 633
Forensics Procedures …………………………………………………………………………. 634

Chapter Summary ……………………………………………………………………………….. 640

Key Terms …………………………………………………………………………………………… 642

Review Questions………………………………………………………………………………… 643

Case Projects ………………………………………………………………………………………. 649

CHAPTER 15

Risk Mitigation ……………………………………………………………. 651
Managing Risk …………………………………………………………………………………….. 653

Threat Assessment ……………………………………………………………………………. 654
Risk Assessment ……………………………………………………………………………….. 656

Strategies for Reducing Risk ………………………………………………………………… 664
Using Control Types…………………………………………………………………………… 664
Distributing Allocation ……………………………………………………………………….666
Implementing Technology ………………………………………………………………….666

Practices for Reducing Risk………………………………………………………………….. 668
Security Policies ………………………………………………………………………………… 669
Awareness and Training …………………………………………………………………….. 675
Agreements ………………………………………………………………………………………. 677
Personnel Management ……………………………………………………………………… 679

Troubleshooting Common Security Issues …………………………………………… 679

Chapter Summary ……………………………………………………………………………….. 680

Key Terms …………………………………………………………………………………………… 682

Review Questions………………………………………………………………………………… 682

Case Projects ………………………………………………………………………………………. 688

APPENDIX A

CompTIA SY0-501 Certification Exam Objectives ………….. 691

GLOSSARY …………………………………………………………………………………………… 713

INDEX ………………………………………………………………………………………………….. 741


INTRODUCTION

The number one concern of computer professionals today continues to be information security, and with good reason. Consider the evidence: over 1.5 billion Yahoo user accounts were compromised in just two separate attacks.1 A ransom of $1 million dollars was paid to unlock files that had been encrypted by ransomware.2 A global payment system used to transfer money between countries was compromised by attackers who stole $81 billion from the central bank of Bangladesh.3 It is estimated that global spending on products and services to prevent these attacks will exceed $1 trillion cumulatively between 2017 and 2021. But despite the huge sum spent on protection, cybercrime will still cost businesses over $6 trillion by 2021.4

As attacks continue to escalate, the need for trained security personnel also increases. It is estimated that there are currently over 1.5 million unfilled security jobs worldwide and this will grow by 20 percent to 1.8 million by the year 2022.5 According to the U.S. Bureau of Labor Statistics (BLS) Occupational Outlook Handbook, the job outlook for information security analysts through 2024 is expected to grow by 18 percent, faster than the average growth rate.6

To verify security competency, most organizations use the Computing Technology Industry Association (CompTIA) Security+ certification, a vendor-neutral credential. Security+ is one of the most widely recognized security certifications and has become the security foundation for today's IT professionals. It is internationally recognized as validating a foundation level of security skills and knowledge. A successful Security+ candidate has the knowledge and skills required to identify threats, attacks and vulnerabilities; use security technologies and tools; understand security architecture and design; perform identity and access management; know about risk management; and use cryptography.

Security+ Guide to Network Security Fundamentals, Sixth Edition is designed to equip learners with the knowledge and skills needed to be information security professionals. Yet it is more than an exam prep book. While teaching the fundamentals of information security by using the CompTIA Security+ exam objectives as its framework, it takes a comprehensive view of security by examining in-depth the attacks against networks and computer systems and the necessary defense mechanisms. Security+ Guide to Network Security Fundamentals, Sixth Edition is a valuable tool for those who want to learn about security and who desire to enter the field of information security. It also provides the foundation that will help prepare for the CompTIA Security+ certification exam.


Intended Audience
This book is designed to meet the needs of students and professionals who want to master basic information security. A fundamental knowledge of computers and networks is all that is required to use this book. Those seeking to pass the CompTIA Security+ certification exam will find the text's approach and content especially helpful; all Security+ SY0-501 exam objectives are covered in the text (see Appendix A). Security+ Guide to Network Security Fundamentals, Sixth Edition covers all aspects of network and computer security while satisfying the Security+ objectives.

The book's pedagogical features are designed to provide a truly interactive learning experience to help prepare you for the challenges of network and computer security. In addition to the information presented in the text, each chapter includes Hands-On Projects that guide you through implementing practical hardware, software, network, and Internet security configurations step by step. Each chapter also contains case studies that place you in the role of problem solver, requiring you to apply concepts presented in the chapter to achieve successful solutions.

Chapter Descriptions
Here is a summary of the topics covered in each chapter of this book:

Chapter 1, Introduction to Security, introduces the network security fundamentals that form the basis of the Security+ certification. It begins by examining the current challenges in computer security and why security is so difficult to achieve. It then
defines information security in detail and explores why it is important. Finally, the
chapter looks at the fundamental attacks, including who is responsible for them, and
defenses.

Chapter 2, Malware and Social Engineering Attacks, examines attacks that use
different types of malware, such as viruses, worms, Trojans, and botnets. It also looks
at the different types of social engineering attacks.

Chapter 3, Basic Cryptography, explores how encryption can be used to protect
data. It covers what cryptography is and how it can be used for protection, and then
examines how to protect data using three common types of encryption algorithms:
hashing, symmetric encryption, and asymmetric encryption. It also covers how to use
cryptography on files and disks to keep data secure.

Chapter 4, Advanced Cryptography and PKI, examines how to implement cryptography and use digital certificates. It also looks at public key infrastructure and key
management. This chapter covers different transport cryptographic algorithms to see
how cryptography is used on data that is being transported.

Chapter 5, Networking and Server Attacks, explores the different attacks that
are directed at enterprises. It includes networking-based attacks as well as server
attacks.


Chapter 6, Network Security Devices, Design, and Technology, examines how
to protect networks through standard network devices and network security hardware. It also covers implementing security through network architectures and network
technologies.

Chapter 7, Administering a Secure Network, looks at the techniques for administering a network. This includes understanding common network protocols and the proper placement of security devices and technologies. It also looks at analyzing security data and securing network platforms such as virtualization, cloud computing, and
software defined networks.

Chapter 8, Wireless Network Security, investigates the attacks on wireless
devices that are common today and explores different wireless security mechanisms
that have proven to be vulnerable. It also covers several secure wireless protections.

Chapter 9, Client and Application Security, examines securing the client through hardware and peripherals and through the operating system. It also
looks at physical security to create external perimeter defenses and internal physical
access security. This chapter also covers application security vulnerabilities and the
development of secure apps.

Chapter 10, Mobile and Embedded Device Security, looks at the different types
of mobile devices and the risks associated with these devices. It also explores how to
secure these devices and the applications running on them. Finally, it examines how
embedded systems and the Internet of Things devices can be secured.

Chapter 11, Authentication and Account Management, looks at authentication
and the secure management of user accounts to enforce authentication. It covers the
different types of authentication credentials that can be used to verify a user's identity and how a single sign-on might be used. It also examines the techniques and technology used to manage user accounts in a secure fashion.

Chapter 12, Access Management, introduces the principles and practices of
access control by examining access control terminology, the standard control models, and managing access through account management. It also covers best practices,
implementing access control, and identity and access services.

Chapter 13, Vulnerability Assessment and Data Security, explains what vulnerability assessment is and examines the tools and techniques associated with it. It also
explores the differences between vulnerability scanning and penetration testing. The
chapter concludes with an examination of data privacy.

Chapter 14, Business Continuity, covers the importance of keeping business
processes and communications operating normally in the face of threats and disruptions. It explores business continuity, fault tolerance, environmental controls, and incident response.

Chapter 15, Risk Mitigation, looks at how organizations can establish and maintain security in the face of risk. It defines risk and the strategies to control it. This chapter also covers practices for reducing risk and troubleshooting common security issues.


Appendix A, CompTIA SY0-501 Certification Examination Objectives, provides
a complete listing of the latest CompTIA Security+ certification exam objectives and
shows the chapters and headings in the book that cover material associated with each
objective, as well as the Bloom's Taxonomy level of that coverage.

Features
To aid you in fully understanding computer and network security, this book includes
many features designed to enhance your learning experience.

Maps to CompTIA Objectives. The material in this text covers all the CompTIA
Security+ SY0-501 exam objectives.

Chapter Objectives. Each chapter begins with a detailed list of the concepts to be
mastered in that chapter. This list provides you with both a quick reference to the
chapter's contents and a useful study aid.

Today's Attacks and Defenses. Each chapter opens with a vignette of an actual
security attack or defense mechanism that helps to introduce the material covered
in that chapter.

Illustrations and Tables. Numerous illustrations of security vulnerabilities,
attacks, and defenses help you visualize security elements, theories, and concepts.
In addition, the many tables provide details and comparisons of practical and
theoretical information.

Chapter Summaries. Each chapter's text is followed by a summary of the concepts
introduced in that chapter. These summaries provide a helpful way to review the
ideas covered in each chapter.

Key Terms. All the terms in each chapter that were introduced with bold text are
gathered in a Key Terms list, providing additional review and highlighting key concepts. Key Term definitions are included in the Glossary at the end of the text.

Review Questions. The end-of-chapter assessment begins with a set of review
questions that reinforce the ideas introduced in each chapter. These questions help
you evaluate and apply the material you have learned. Answering these questions
will ensure that you have mastered the important concepts and provide valuable
practice for taking CompTIA's Security+ exam.

Hands-On Projects. Although it is important to understand the theory behind
network security, nothing can improve on real-world experience. To this end,
each chapter provides several Hands-On Projects aimed at providing you with
practical security software and hardware implementation experience. These projects use the Windows 10 operating system, as well as software downloaded from
the Internet.

Case Projects. Located at the end of each chapter are several Case Projects. In these
extensive exercises, you implement the skills and knowledge gained in the chapter
through real design and implementation scenarios.


New to This Edition
Maps fully to the latest CompTIA Security+ exam SY0-501
Completely revised and updated with expanded coverage on attacks and defenses
New chapter units: Security and Its Threats, Cryptography, Network Attacks and Defenses, Device Security, Identity and Access Management, and Risk Management
Earlier coverage of cryptography and advanced cryptography
All new Today's Attacks and Defenses opener in each chapter
New and updated Hands-On Projects in each chapter covering some of the latest security software
More Case Projects in each chapter
Expanded Information Security Community Site activity in each chapter allows learners to interact with other learners and security professionals from around the world
All SY0-501 exam topics fully defined
Linking of each exam sub-domain to Bloom's Taxonomy (see Appendix A)

Text and Graphic Conventions
Wherever appropriate, additional information and exercises have been added to this
book to help you better understand the topic at hand. Icons throughout the text alert
you to additional materials. The following icons are used in this textbook:

The Note icon draws your attention to additional helpful material
related to the subject being described.

Tips based on the author's experience provide extra information about how to attack a problem or what to do in real-world situations.

The Caution icons warn you about potential mistakes or problems, and explain how to avoid them.

Hands-On Projects help you understand the theory behind network security with activities using the latest security software and hardware.

The Case Projects icon marks Case Projects, which are scenario-based assignments. In these extensive case examples, you are asked to implement independently what you have learned.

Certification icons indicate CompTIA Security+ objectives covered under major chapter headings.


Instructor's Materials
Everything you need for your course in one place. This collection of book-specific lecture and class tools is available online. Please visit login.cengage.com and log in to access instructor-specific resources on the Instructor Companion Site, which includes the Instructor's Manual, Solutions Manual, test creation tools, PowerPoint Presentations, Syllabus, and figure files.

Electronic Instructor's Manual. The Instructor's Manual that accompanies this
textbook includes the following items: additional instructional material to assist in
class preparation, including suggestions for lecture topics.

Solutions Manual. The instructor's resources include solutions to all end-of-chapter material, including review questions and case projects.

Cengage Testing Powered by Cognero. This flexible, online system allows you to
do the following:
Author, edit, and manage test bank content from multiple Cengage solutions.
Create multiple test versions in an instant.
Deliver tests from your LMS, your classroom, or wherever you want.

PowerPoint Presentations. This book comes with a set of Microsoft PowerPoint
slides for each chapter. These slides are meant to be used as a teaching aid for
classroom presentations, to be made available to students on the network for
chapter review, or to be printed for classroom distribution. Instructors are also at
liberty to add their own slides for other topics introduced.

Figure Files. All the figures and tables in the book are reproduced. Similar to PowerPoint presentations, these are included as a teaching aid for classroom presentation,
to make available to students for review, or to be printed for classroom distribution.

Total Solutions For Security
To access additional course materials, please visit www.cengagebrain.com. At the
cengagebrain.com home page, search for the ISBN of your title (from the back cover of
your book) using the search box at the top of the page. This will take you to the product
page where these resources can be found.

MindTap
MindTap for Security+ Guide to Network Security Fundamentals, Sixth Edition is a personalized, fully online digital learning platform of content, assignments, and services
that engages students and encourages them to think critically, while allowing you to
easily set your course through simple customization options.

MindTap is designed to help students master the skills they need in today's workforce. Research shows employers need critical thinkers, troubleshooters, and creative problem solvers to stay relevant in our fast paced, technology-driven world. MindTap helps you achieve
this with assignments and activities that provide hands-on practice, real-life relevance, and
certification test prep. Students are guided through assignments that help them master basic
knowledge and understanding before moving on to more challenging problems.


The live virtual machine labs provide real-life application and practice as well
as more advanced learning. Students work in a live environment via the Cloud with
real servers and networks that they can explore. The IQ certification test preparation
engine allows students to quiz themselves on specific exam domains, and the pre- and
post-course assessments measure exactly how much they have learned. Readings, lab
simulations, capstone projects, and videos support the lecture, while In the News
assignments encourage students to stay current.

MindTap is designed around learning objectives and provides the analytics and
reporting to easily see where the class stands in terms of progress, engagement, and
completion rates.

Students can access eBook content in the MindTap Reader, which offers
highlighting, note-taking, search and audio, as well as mobile access. Learn more
at www.cengage.com/mindtap/.

Instant Access Code: (ISBN: 9781337289306)
Printed Access Code: (ISBN: 9781337289313)

Lab Manual
Hands-on learning is necessary to master the security skills needed for both CompTIA's Security+ Exam and for a career in network security. Security+ Guide to Network
Security Fundamentals Lab Manual, 6th Edition contains hands-on exercises that use
fundamental networking security concepts as they are applied in the real world. Each
chapter offers review questions to reinforce your mastery of network security topics
and to sharpen your critical thinking and problem-solving skills. (ISBN: 9781337288798)

Bloom's Taxonomy
Bloom's Taxonomy is an industry-standard classification system used to help identify the level of ability that learners need to demonstrate proficiency. It is often used to classify educational learning objectives into different levels of complexity. Bloom's Taxonomy reflects the cognitive process dimension. This represents a continuum of increasing cognitive complexity, from remember (lowest level) to create (highest level). There are six categories in Bloom's Taxonomy as seen in Figure A.

In all instances, the level of coverage of the domains in Security+ Guide to Network Security Fundamentals, Sixth Edition meets or exceeds the Bloom's Taxonomy level indicated by CompTIA for that objective. See Appendix A for more detail.

Information Security Community Site
Stay secure with the Information Security Community Site. Connect with students, professors, and professionals from around the world, and stay on top of this ever-changing field.

Visit http://community.cengage.com/Infosec2/ to:
Download resources such as instructional videos and labs.
Ask authors, professors, and students the questions that are on your mind in the Discussion Forums.
See up-to-date news, videos, and articles.
Read regular blogs from author Mark Ciampa.
Listen to podcasts on the latest Information Security topics.
Review textbook updates and errata.

Each chapter's Case Projects include information on a current security topic and ask the learner to post reactions and comments to the Information Security Community Site. This allows users from around the world to interact and learn from other users as well as security professionals and researchers.

What's New With CompTIA Security+ Certification
The CompTIA Security+ SY0-501 exam was updated in October 2017. Several significant changes have been made to the exam objectives. The exam objectives have been significantly expanded to more accurately reflect current security issues and knowledge requirements. These exam objectives place importance on knowing "how to" rather than just knowing or recognizing security concepts.

Here are the domains covered on the new Security+ exam:

Domain                                    % of Examination
1.0 Threats, Attacks & Vulnerabilities    21%
2.0 Technologies & Tools                  22%
3.0 Architecture & Design                 15%
4.0 Identity & Access Management          16%
5.0 Risk Management                       14%
6.0 Cryptography & PKI                    12%
Total                                     100%

Figure A Bloom's taxonomy (six levels, from lowest to highest):

Remember: Recall facts and basic concepts (define, duplicate, list, memorize, repeat, state)
Understand: Explain ideas or concepts (classify, describe, discuss, explain, identify, locate, recognize, report, select, translate)
Apply: Use information in new situations (execute, implement, solve, use, demonstrate, interpret, operate, schedule, sketch)
Analyze: Draw connections among ideas (differentiate, organize, relate, compare, contrast, distinguish, examine, experiment, question, test)
Evaluate: Justify a stand or decision (appraise, argue, defend, judge, select, support, value, critique, weigh)
Create: Produce new or original work (design, assemble, construct, conjecture, develop, formulate, author, investigate)


About The Author
Dr. Mark Ciampa is an Associate Professor of Information Systems in the Gordon Ford College of Business at Western Kentucky University in Bowling Green, Kentucky. Prior to this, he was an Associate Professor and served as the Director of Academic Computing at Volunteer State Community College in Gallatin, Tennessee for 20 years. Mark has worked in the IT industry as a computer consultant for businesses, government agencies, and educational institutions. He has published over 20 articles in peer-reviewed journals and is also the author of 25 technology textbooks, including Security+ Guide to Network Security Fundamentals 6e, CWNA Guide to Wireless LANs 3e, Guide to Wireless Communications, Security
Awareness: Applying Practical Security in Your World 5e, and Networking BASICS. Dr. Ciampa
holds a PhD in technology management with a specialization in digital communication
systems from Indiana State University and has certifications in Security+ and HIT.

Acknowledgments
A large team of dedicated professionals all contributed to the creation of this book. I am
honored to be part of such an outstanding group of professionals. First, thanks go to
Product Manager Kristin McNary for giving me the opportunity to work on this project
and for providing her continual support, and to Associate Product Manager Amy Savino
for answering all my questions. Also thanks to Senior Content Developer Michelle Ruelos
Cannistraci who was very supportive, to Senior Content Product Manager Brooke Greenhouse who helped keep this fast-moving project on track, and to Dr. Andy Hurd who
performed the technical reviews. To everyone on the team I extend my sincere thanks.

Special recognition again goes to the very best developmental editor, Deb
Kaufmann, who is a true professional in every sense of the word. She made many
helpful suggestions, found all my errors, watched every small detail, and even took on
additional responsibilities so that this project could accelerate to be completed even
before its deadlines. Without question, Deb is simply the very best there is.

And finally, I want to thank my wonderful wife, Susan. Her love, interest, support,
and patience gave me what I needed to complete this project. I could not have written
this book without her.

Dedication
To Braden, Mia, Abby, Gabe, Cora, and Will.

To The User
This book should be read in sequence, from beginning to end. Each chapter builds on
those that precede it to provide a solid understanding of networking security fundamentals. The book may also be used to prepare for CompTIA's Security+ certification
exam. Appendix A pinpoints the chapters and sections in which specific Security+
exam objectives are covered.

Hardware and Software Requirements
Following are the hardware and software requirements needed to perform the end-of-chapter Hands-On Projects.


Microsoft Windows 10
An Internet connection and web browser
Microsoft Office

Free Downloadable Software Requirements
Free, downloadable software is required for the Hands-On Projects in the following
chapters.

Chapter 1:
Microsoft Safety Scanner
Oracle VirtualBox

Chapter 2:
Irongeek Thumbscrew
Refog Keylogger

Chapter 3:
OpenPuff Steganography
HashCalc
Jetico BestCrypt

Chapter 4:
Comodo Secure Email Certificate

Chapter 5:
Qualys Browser Check
GRC Securable

Chapter 6:
GlassWire
K9 Web Protection

Chapter 7:
VMware vCenter Converter
VMware Workstation Player

Chapter 8:
Xirrus Wi-Fi Inspector
Vistumbler

Chapter 9:
EICAR AntiVirus Test File

Chapter 10:
Prey Project
Bluestacks
Andy Android emulator
Lookout Security & Antivirus


Chapter 11:
Hashcat
HashcatGUI
BioID Facial Recognition Authenticator
GreyC-Keystroke
KeePass

Chapter 13:
Flexera Personal Software Inspector
Macrium Reflect
Nmap

Chapter 14:
Directory Snoop
Nmap

Chapter 15:
Browzar
UNetbootin
Linux Mint

References
1. Newman, Lilly, "Hack brief: Hackers breach a billion Yahoo accounts," Wired, Dec. 14, 2016, retrieved Jul. 3, 2017, https://www.wired.com/2016/12/yahoo-hack-billion-users/.
2. Chang, Ziv, Sison, Gilbert, Jocson, Jeanne, "Erebus resurfaces as Linux ransomware," TrendLabs Security Intelligence Blog, Jun. 19, 2017, retrieved Jul. 3, 2017, http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/.
3. Corkery, Michael, and Goldstein, Matthew, "North Korea said to be target of inquiry over $81 million cyberheist," New York Times, Mar. 22, 2017, retrieved Jul. 3, 2017, https://www.nytimes.com/2017/03/22/business/dealbook/north-korea-said-to-be-target-of-inquiry-over-81-million-cyberheist.html.
4. "Cybersecurity market report," Cybersecurity Ventures, Q2 2017, retrieved Jul. 3, 2017, http://cybersecurityventures.com/cybersecurity-market-report/.
5. Nash, Kim, "Firms vie in hiring of cyber experts," Wall Street Journal, May 15, 2017, retrieved Jul. 10, 2017, https://www.wsj.com/articles/for-many-companies-a-good-cyber-chief-is-hard-to-find-1494849600.
6. "Information security analysts: Occupational outlook handbook," Bureau of Labor Statistics, Dec. 17, 2015, retrieved Jul. 3, 2017, https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm.


PART I
SECURITY AND ITS THREATS

Chapter 1 Introduction to Security
Chapter 2 Malware and Social Engineering Attacks

The security of the data and information contained on computers and digital devices today is threatened more than ever before, and the attacks are escalating every day. The chapters in this part introduce security and outline many of these threats. The chapters in later parts will give you the understanding and tools you need to defend against these attacks.

CHAPTER 1
INTRODUCTION TO SECURITY

After completing this chapter you should be able to do the following:

Explain the challenges of securing information
Define information security and explain why it is important
Identify the types of threat actors that are common today
Describe how to defend against attacks

Today's Attacks and Defenses

Almost everyone would assume that the director of the Central Intelligence Agency (CIA)
would be well-versed in security procedures and would practice these to the letter of the
law. This is because of the extreme danger that would result from a compromise or theft of
highly classified information about active CIA agents or sensitive activities that are underway.
The exposure of this information could result in a serious international incident or even the
capture and torture of secret agents. However, a former CIA director who failed to follow
basic security procedures put sensitive CIA information at risk.

Former CIA Director John Brennan had recently completed a sensitive 47-page SF-86
application to update his own top-secret government security clearance. These applications
are used by the federal government for conducting a background check on individuals


requesting such a security clearance. The forms contain a wealth of sensitive data about the person: criminal history, psychological records, any past drug use, information about the applicant's interactions with foreign nationals, as well as information on their spouses,
family members, and even friends. In the wrong hands this information could easily be
used as blackmail material. Despite government restrictions Brennan routinely forwarded
classified emails from his CIA email account to his less-secure personal AOL email account.
One of the emails contained his own SF-86 application as an attachment, a serious breach of
CIA security protocol.

An attacker who claimed to be under the age of 20 along with two friends decided to
see if they could uncover classified CIA documents. The attacker first did a reverse lookup of Brennan's public phone number to reveal that the phone was served by the carrier Verizon Wireless. The attacker called Verizon's customer service number and pretended to be a Verizon technician. He said he had a customer lined up on a scheduled callback but was unable to access Verizon's customer database on his own because "our tools were down." So, could Verizon customer service give him the email address that was linked to Brennan's phone number? The friendly and helpful Verizon customer service representative said, "Sure, no problem." The pretender then asked if the Verizon representative would also give him the last four digits of the customer's bank card that was on file. Once again, the representative was glad to help. By the time the call was over the pretender had Brennan's
Verizon account number, his four-digit personal identification number, the backup private
mobile cellphone number on the account, his AOL email address, and the last four digits on
his bank card.

The attacker now had the information that he needed. Knowing that Brennan had an
AOL email account he next called AOL and said he was locked out of that account. The AOL
representative asked him to verify his identity by answering two questions: the name and
phone number associated with the account and the last four digits of the bank card on file
all of which had been provided by Verizon. The AOL representative then reset the password
on the email account to a new password for the attacker.

The attacker then logged into Brennan's AOL email account, where he read several dozen emails, some of which the director had forwarded from his government work email and that contained attachments. Among the attachments was Brennan's own SF-86 application and a spreadsheet containing names and Social Security numbers of several U.S. intelligence officials. It is speculated that the spreadsheet might have been a list of guests who were visiting the White House when Brennan was the President's counter-terrorism adviser. Another attachment was a letter from the U.S. Senate asking the CIA to halt its controversial use of torture tactics as interrogation techniques. The hacker posted screenshots of some of the documents on a Twitter account along with portions of the director's AOL email contact list.

88781_ch01_hr_001-050.indd 4 8/10/17 4:10 AM

Copyright 2018 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203

CHAPTER 1 Introduction to Security 5

Today our world is one in which citizens from all nations are compelled to
continually protect themselves and their property from attacks by adversaries. Random
shootings, suicide bombings, assassinations, and other types of physical violence
occur almost daily around the world with no end in sight. To counteract this violence,
new types of security defenses have been implemented. Passengers using public
transportation are routinely searched. Borders are closely watched. Telephone calls are
secretly monitored. These attacks and security defenses have significantly impacted
how all of us work, play, and live.

These attacks are not just physical. One area that has also been an especially
frequent target of attacks is information technology (IT). A seemingly endless
array of attacks is directed at individuals, schools, businesses, and governments
through desktop computers, laptops, and smartphones. Internet web servers must
resist thousands of attacks every day. Identity theft using stolen electronic data has
skyrocketed. An unprotected computer connected to the Internet may be infected in
fewer than 60 seconds. Viruses, phishing, worms, and botnetsvirtually unheard of
just a few years agoare now part of our everyday technology vocabulary.

The need to defend against these attacks directed toward our technology devices
has created an element of IT that is now at the very core of the industry. Known as
information security, it is focused on protecting the electronic information of enterprises
and users.

Two broad categories of information security personnel are responsible for
providing protection for an enterprise like a business or nonprofit organization.
Information security managerial personnel administer and manage plans, policies, and
people, while information security technical personnel are concerned with designing,
configuring, installing, and maintaining technical security equipment. Within these
two broad categories are four generally recognized security positions:

Chief Information Security Officer (CISO). This person reports directly to the
CIO (large enterprises may have more layers of management between this
person and the CIO). This person is responsible for assessing, managing,
and implementing security.

When Brennan realized that this information came from his AOL email account and that
it had been compromised, he reset his AOL password. However, he failed to change the cell
phone number and bank card number on file that was used to reset the password. Once the
attacker discovered the password had been changed, he simply reset the password again,
locking out Brennan. This back-and-forth of password resets was repeated three times
between the attacker and the CIA director until he finally deleted the email account.

In one last act, the attacker called Brennan's private mobile phone number that he had
received from Verizon and told the former director of the CIA that he had been hacked.
According to the attacker, the conversation was brief.1

88781_ch01_hr_001-050.indd 5 8/10/17 4:10 AM

Copyright 2018 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203

CHAPTER 1 Introduction to Security6

Security manager. The security manager reports to the CISO and supervises
technicians, administrators, and security staff. Typically, a security manager
works on tasks identified by the CISO and resolves issues identified by
technicians. This position requires an understanding of configuration and
operation but not necessarily technical mastery.

Security administrator. The security administrator has both technical knowledge
and managerial skills. A security administrator manages daily operations of
security technology, and may analyze and design security solutions within a
specific entity as well as identifying users' needs.

Security technician. This position is generally an entry-level position for a person
who has the necessary technical skills. Technicians provide technical support
to configure security hardware, implement security software, and diagnose and
troubleshoot problems.

Note

Individuals in these positions provide protection but are not the only employees responsible
for security. It is the job of every employee, both IT and non-IT, to know and practice basic
security defenses.

Note

The job outlook for security professionals is exceptionally strong. According to the U.S.
Bureau of Labor Statistics (BLS) Occupational Outlook Handbook, the job outlook for
information security analysts through 2024 is expected to grow by 18 percent, much faster
than the average growth rate.2 One report states that by the end of the decade demand for
security professionals worldwide will rise to 6 million, with a projected shortfall of 1.5 million
unfilled positions.3

As attacks continue to escalate, the need for trained security personnel also
increases. Unlike some IT positions, security is rarely offshored or outsourced: because
security is such a critical element, security positions generally remain within the
enterprise. In addition, security jobs typically do not involve on-the-job training
where employees can learn as they go; the risk is simply too great.

Employment trends indicate that security personnel who also have a certification
in security are in high demand. IT employers want and pay a premium for certified
security personnel. An overwhelming majority of enterprises use the Computing
Technology Industry Association (CompTIA) Security+ certification to verify security
competency. Of the hundreds of security certifications currently available, Security+ is
one of the most widely acclaimed. Because it is internationally recognized as validating
a foundation level of security skills and knowledge, the Security+ certification has
become the security baseline for today's IT professionals.

Note

The value for an IT professional who holds a security certification is significant. The extra pay
awarded to IT professionals who hold an IT certification is 3.5 percent over someone who does
not hold that certification. However, those who hold a security certification earn 8.7 percent
more than their counterparts who do not have a security certification.4

The CompTIA Security+ certification is a vendor-neutral credential that requires
passing the current certification exam SY0-501. A successful candidate has the knowledge
and skills required to identify risks and participate in risk mitigation activities; provide
infrastructure, application, operational and information security; apply security controls
to maintain confidentiality, integrity, and availability; identify appropriate technologies
and products; troubleshoot security events and incidents; and operate with an awareness
of applicable policies, laws, and regulations. The CompTIA Security+ certification is aimed
at an IT security professional who has a recommended background of a minimum of two
years' experience in IT administration with a focus on security.

Note

CompTIA Security+ meets the ISO 17024 standard and is approved by the U.S. Department of
Defense to fulfill Directive 8570.01-M requirements. It is also compliant with government
regulations under the Federal Information Security Management Act (FISMA).

This chapter introduces the security fundamentals that form the basis of the
Security+ certification. It begins by examining the current challenges in computer
security. It then defines information security in detail and explores why it is important.
Finally, the chapter looks at who is responsible for these attacks and the fundamental
defenses against such attacks.

Challenges of Securing Information
Certification

1.6 Explain the impact associated with types of vulnerabilities.

A silver bullet refers to an action that provides an immediate solution to a problem
by cutting through the complexity that surrounds it. Why shouldn't there be such a
silver bullet for securing computers? Why can't users just install an improved hardware
device or use a more secure version of software to stop attacks? Unfortunately, no
single and simple solution exists for securing devices. This can be illustrated by
looking at the different types of attacks that users face today as well as the reasons
why these attacks are successful and the difficulties in defending against attacks.

Todays Security Attacks
Even though information security continues to rank as the number one concern of IT
managers and tens of billions of dollars are spent annually on computer security, the
number of successful attacks continues to increase. Consider the following examples of
recent attacks:

In order to demonstrate how easy it is to remotely control a car, a reporter
drove a Jeep Cherokee outside St. Louis while two security researchers 10 miles
away remotely connected to it and started manipulating its controls. The air
conditioning on the Jeep suddenly switched to its maximum setting. Next, the
car's radio changed stations and the volume increased, even though the driver
repeatedly tried to turn the volume down and change the station, to no avail.
Then the windshield wipers suddenly turned on and wiper fluid squirted out.
While on an Interstate highway the driver pressed the accelerator, but the Jeep
instead started slowing down so that it was almost rammed from behind by a
large truck. The researchers even remotely disabled the brakes so that the Jeep
finally ended up in a ditch. The security researchers had taken advantage of the
car's Internet-connection feature that controls its entertainment and navigation
systems, enables phone calls, and can be used to create a Wi-Fi hot spot. Due to
a vulnerability, anyone could gain access remotely to the car's control systems
from virtually anywhere. This demonstration immediately prompted a safety recall,
filed with the National Highway Traffic Safety Administration (NHTSA), of 1.4 million
vehicles to patch this vulnerability. This was the first time a car was recalled
because of a security vulnerability.5

A security researcher boarded a United Airlines flight from Denver to Syracuse
with a stop in Chicago. On the second leg of the trip the researcher tweeted
that he was probing the aircraft systems of his flight. The United Airlines
Cyber Security Intelligence Department, which monitors social media, saw the
tweet, and alerted the FBI. According to the FBI, a special agent later examined
the first-class cabin seat where the researcher was seated and found that
he had tampered with the Seat Electronic Box (SEB), which is located under
some passenger seats. This allowed him to connect his laptop to the in-flight
entertainment (IFE) system via the SEB. Once he accessed the IFE he could then
access other systems on the plane. The researcher claimed that he could have
caused the airplane to change altitude after manipulating its software. United
Airlines has permanently banned him from any future flights.6

Yahoo announced that a then-record half a billion Yahoo accounts were
compromised by attackers who gained unauthorized access to its web
servers. Information stolen included names, email addresses, phone
numbers, birth dates, answers to security questions, and passwords.
Yahoo believed the breach occurred two years prior but had only recently
discovered it. Two months later Yahoo announced that after an investigation
into data provided by law enforcement officials and outside experts they
determined that yet another previously undetected data breach compromised
over 1 billion Yahoo user accounts three years earlier. It was not known how
law enforcement officials came across this evidence, but security researchers
speculate that it was discovered by someone who was watching for data on
underground dark web markets that attackers use to buy and sell stolen
data. If that was the case, then this data had been for sale for several years,
and likely had been used by attackers in targeted attacks to gain access to
other web accounts. Yahoo's response to the attacks was, "We continuously
enhance our safeguards and systems that detect and prevent unauthorized
access to user accounts."7

It is not uncommon for attackers to install their malware onto a USB flash
drive and then leave it in a parking lot, cafeteria, or another public place.
An unsuspecting victim who finds the drive and inserts it into her computer,
either to discover the rightful owner or to snoop around its contents,
suddenly finds her computer infected. The results can be even worse
if the drive is a device called the USB Killer. Resembling a regular flash
drive, the USB Killer, once inserted into any USB port, starts drawing power
from the computer using a DC-to-DC converter. The device stores the
electricity in its capacitors, and when those reach a certain voltage level the
USB Killer discharges all the stored electricity back into the computer in a single
burst. The result is that the computer is destroyed, typically burning up the
motherboard. And if the computer is not destroyed on the first attempt, the USB
Killer will keep charging and discharging over and over until the
computer is fried.8

The AVS WINVote voting machine passed state voting system standards and
has been used in Virginia, Pennsylvania, and Mississippi. However, the security
on the machine was alarmingly weak. Easily guessed passwords like "admin",
"abcde", and "shoup" were used to lock down its administrator account and wireless
network settings, as well as the voting results database. Because these passwords
were hard-coded into the machines they could not be changed. The wireless
network settings used to transmit results relied upon a configuration that could
easily be broken in fewer than 10 minutes. These tabulating machines lacked
even basic security like a firewall and exposed several open network ports to
attackers. In addition, WINVote ran a version of an operating system that had
not received a security update since 2004.9

The educational toy maker VTech revealed that millions of accounts containing
information on children were stolen. Approximately 11.6 million accounts were
compromised in an attack that included information on 6.4 million children.
The data on children that was stolen included name, gender, birth date, profile
photo, and progress log. As with many recent breaches, VTech did not know that
it had been a victim until it was approached by a security research firm that had
discovered the attack.10

The European Space Agency (ESA) is an intergovernmental organization made
up of 22 countries and states that explores space. They are involved in the
International Space Station and launch unmanned space exploration missions to
different planets through their spaceport in French Guiana. A group of attackers
stole data from the ESA, including information on 8107 of its users, and then posted
it online. Even though the ESA information regarding space exploration needed
to be kept secure so that it was not altered, the passwords used by ESA scientists
were alarmingly weak. Of the passwords exposed, 39 percent (or 3191) were only
three characters long, such as 410, 832, 808, and 281. Only 22 total users had a strong
password of a recommended length of 20 characters.11

The Internal Revenue Service (IRS) reported that through its online Get
Transcript program, used by taxpayers who need a transcript to view tax
account transactions or line-by-line tax return information for a specific tax
year, attackers were able to steal 104,000 tax transcripts while an additional
100,000 attempts were unsuccessful. The attacks were made possible because
in order to access the information online the inquirer had only to prove their
identity by entering personal information (Social Security number, date of
birth, tax filing status, and street address) and out-of-wallet information
(such as the amount of a current car payment). Both types of information can
be easily obtained online from a variety of sources. Once attackers had the
information they began filing fake tax returns under the victim's name and
stealing their tax refund. The IRS later revealed that the situation was much
worse than first reported: up to 390,000 individuals had their tax information
stolen out of 600,000 attempts.12

Hyatt Hotels Corporation reported that cybercriminals successfully attacked
restaurants, front desks, spas, and parking facilities at 250 of their hotels
worldwide over a four-month period. The attackers' software was installed on the
Hyatt computers and could capture payment card details like cardholder names,
card numbers, expiration dates, and verification codes when the cards were
swiped. Other hotel chains have likewise been compromised. Security researchers
speculate that attackers are keenly interested in attacking the hospitality industry.
Hotels today are rarely owned by the big companies themselves, but instead the
hotels are owned by separate investors with the hotel chains simply collecting
management and franchise fees. This creates uneven security at the different
hotels, and even within the hotels: hotel-based restaurants, spas, and gift
shops are often owned and managed by third-party companies. While the hotel
brands may require property owners to follow specific standards, such as using
pillowcases of 100 percent Egyptian cotton with a 1500 thread count, they often
do not have the same requirements for security. There is even speculation that
the hotel brands are hesitant to mandate strict security guidelines, because if a
hotel is attacked then the hotel brand may be legally liable. Another reason for
the popularity of hacking hotels is that hotel brands cater to high-end, frequent
business travelers. These customers often make charges on their trips using a
corporate credit card and can be slower to spot unusual transactions compared to
using their personal card. And many hotels keep multiple cards on file for their
frequent guests. This makes it easy to not only check in and out, but also allows
guests to use their door key card to make purchases instead of giving a specific
credit card. Having multiple instances of credit card data scattered throughout the
hotel makes for multiple targets for attackers.13

Apple recently announced in one month a long list of security update patches. One
of its operating systems patched 11 security vulnerabilities, most of them rated as
critical while several vulnerabilities were ranked as serious. Another of its operating
systems fixed 18 security flaws, with 13 of them related to its web browser. Apple
also announced that it will pay those who uncover critical vulnerabilities found
in the latest version of iOS and the newest iPhones. The rewards range up to
$200,000 for critical flaws discovered in its hardware and software.14

Note

Like many software and hardware vendors, Apple maintains a lengthy online list of security
vulnerabilities that have been corrected. Apple's list going back to 2003 and earlier is at
support.apple.com/en-us/HT201222.

The number of security breaches that have exposed users' digital data to attackers
continues to rise. From 2005 through early 2017, over 907 million electronic data
records in the United States had been breached, exposing to attackers a range of
personal electronic data, such as addresses, Social Security numbers, health records,
and credit card numbers. Table 1-1 lists some recent major security breaches, according
to the Privacy Rights Clearinghouse.15

Organization | Description of security breach | Number of identities exposed
Michigan State University, MI | A database was compromised that contained names, Social Security numbers, MSU identification numbers, and date of birth of current and former students and employees. | Potentially 400,000
Poway Unified School District, CA | The district inadvertently sent information to unauthorized recipients that included children's names, nicknames, addresses, phone numbers, hearing and vision exam results, dates of birth, language fluency, academic test results, and occupation of parents. | 70,000
University of Central Florida, FL | Unauthorized access to the university's system exposed financial records, medical records, grades, and Social Security numbers. | 63,000
Southern New Hampshire University, NH | Due to a third-party vendor's configuration error, a database that contained student information (student names, email addresses, and IDs, course name, course selection, assignment details and assignment score, instructor names and email addresses) was exposed. | 140,000
Quest Diagnostics, NJ | An unknown error resulted in the exposure of the name, date of birth, lab results, and telephone numbers of customers. | 34,000
Anchor Loans, CA | A publicly exposed database revealed customers' name, address, email address, Social Security number, check routing number, bank account number, bank statement data, birth date, and birth place. | Unknown
United States Navy Career Waypoints Database, DC | A re-enlistment approval database was stolen from a contractor's laptop, which included the names and Social Security numbers of 134,386 current and former sailors. | 134,000
Internal Revenue Service, DC | IRS employees sent unencrypted emails that contained different taxpayers' personally identifiable information. | Potentially 28 million

Table 1-1 Selected security breaches involving personal information in a one-month period

Reasons for Successful Attacks
Why do attacks like these continue to be successful, despite all the efforts to stop them?
There are several reasons:

Widespread vulnerabilities. Because vulnerabilities are so common in hardware
and software, attackers can virtually choose which vulnerability to exploit for
an attack. And because of the sheer number of vulnerabilities it is difficult to
identify and correct all of them. This is made even worse by the fact that not
all hardware and software can be corrected once a vulnerability is uncovered.
Some devices, particularly consumer devices, have no support from the company
that made the device (called lack of vendor support). This means that no
effort is made to fix any vulnerabilities that are found. Other systems have no
capabilities to receive security updates when a vulnerability is found. And some
systems are so old (called end-of-life systems) that vendors have dropped all
support for security updates, or else charge an exorbitant fee to provide updates.

Note

Microsoft provides two types of security support for its software. It offers mainstream support
for a minimum of five years from the date of a products general availability and extended
support for an additional five years. For example, Windows 10, which was released in July
2015, will have mainstream support until October 2020 and extended support until October
2025. After this time, Microsoft will no longer provide security updates, automatic fixes,
updates, or online technical assistance.

Configuration issues. Hardware and software that do have security features often
are not properly configured, thus allowing attacks to be successful. Almost all devices
come with out-of-the-box configuration settings, or default configurations. These
are generally simple configurations that are intended to be changed by the user;
however, often they are left in place. Some devices have weak configuration options
that provide limited security choices. Incorrectly configuring a device, known
as a misconfiguration, introduces errors that allow the device to be compromised.
Misconfiguration is commonly seen in improperly configured accounts that are
set up for a user and provide more access than is necessary, such as providing total
access over the entire device when the access should be more limited.

Poorly designed software. Successful attacks are often the result of software that is
poorly designed and has architecture/design weaknesses. Software that allows
the user to enter data but has improper input handling features does not filter or
validate user input to prevent a malicious action. For example, a webpage on a web
server with improper input handling that asks for the users email address could
allow an attacker to instead enter a direct command that the server would then
execute. Other software may not properly trap an error condition and thus provide
an attacker with underlying access to the system. This is known as improper error
handling. Suppose an attacker enters a string of characters that is much longer than
expected. Because the software has not been designed for this event the program
could crash or suddenly halt its execution and then display an underlying operating
system prompt, giving an attacker access to the computer. A race condition in
software occurs when two concurrent threads of execution access a shared resource
simultaneously, resulting in unintended consequences. For example, in a program
with two threads that have access to the same location in memory, Thread #1 stores
the value A in that memory location. But since Thread #2 is also executing it may
overwrite the same memory location with the value Z. When Thread #1 retrieves
the value stored it is then given Thread #2's Z instead of its own A.
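The interleaving just described can be reproduced exactly. The example below is added for this page and is not code from the textbook; it pins the thread schedule with threading events (something real programs cannot rely on) so the lost update appears on every run, then repeats the same sequence with a lock held across the store and the retrieve. The SharedCell class, the thread bodies, and the values "A" and "Z" are constructed for the illustration.

```python
import threading


class SharedCell:
    """One shared memory location, as in the two-thread example in the text.
    Constructed for this illustration; not code from the textbook."""

    def __init__(self):
        self.value = None
        self.lock = threading.Lock()


def _run_both(thread1, thread2):
    workers = [threading.Thread(target=thread1), threading.Thread(target=thread2)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()


def run_unsynchronized():
    """Reproduce the race: Thread #1 stores "A", Thread #2 overwrites it with "Z",
    and Thread #1 then reads back "Z" instead of its own "A".

    Two threading.Event objects force exactly that interleaving so the bug shows
    up on every run. In real code the scheduler picks the interleaving, which is
    why race conditions are intermittent and hard to reproduce.
    Returns (what thread 1 read back, final value in the cell)."""
    cell = SharedCell()
    t1_stored = threading.Event()
    t2_stored = threading.Event()
    seen = {}

    def thread1():
        cell.value = "A"             # store
        t1_stored.set()              # window opens: thread 2 may now run
        t2_stored.wait()
        seen["t1"] = cell.value      # retrieve: sees thread 2's "Z"

    def thread2():
        t1_stored.wait()
        cell.value = "Z"             # overwrite inside thread 1's window
        t2_stored.set()

    _run_both(thread1, thread2)
    return seen["t1"], cell.value


def run_synchronized():
    """The fix: the lock is held for the whole store-then-retrieve sequence
    (the critical section), so Thread #2 cannot slip in between. Thread #2 still
    writes "Z", but only after Thread #1 has finished reading its own "A".
    Returns (what thread 1 read back, final value in the cell)."""
    cell = SharedCell()
    t1_in_section = threading.Event()
    seen = {}

    def thread1():
        with cell.lock:
            cell.value = "A"
            t1_in_section.set()      # thread 2 wakes up but blocks on the lock
            seen["t1"] = cell.value  # still "A"

    def thread2():
        t1_in_section.wait()
        with cell.lock:              # acquired only after thread 1 releases it
            cell.value = "Z"

    _run_both(thread1, thread2)
    return seen["t1"], cell.value


if __name__ == "__main__":
    print("unsynchronized: thread 1 read", run_unsynchronized()[0])
    print("synchronized:   thread 1 read", run_synchronized()[0])
```

The unsynchronized run returns Z for thread 1's read and the synchronized run returns A. The property that matters in the fix is not the lock by itself but that it covers the entire store-then-retrieve sequence; locking each memory access separately would leave the same window open between them.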

Hardware limitations. Hardware with limited resources (CPU, memory, file
system storage, etc.) could be exploited by an attacker who intentionally tries to
consume more resources than intended. This might cause the system to become
slow or even unable to respond to other users, thus preventing valid users from
accessing the device. This is called resource exhaustion.
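One standard defense against resource exhaustion is to cap how much work any single client may consume, so that one abusive source cannot starve everyone else. The example below is added here and is not from the textbook: a sliding-window request limiter with an injected clock, run against constructed traffic in which one client floods the service while another sends ordinary requests. The class and function names, the limit (10 requests per second), and the traffic pattern are assumptions made for the example.

```python
from collections import defaultdict, deque


class RequestLimiter:
    """Sliding-window cap on the requests one client may have served.

    A client may have at most `max_requests` requests accepted within any
    `window_seconds` interval; anything beyond that is refused before it costs
    CPU, memory or storage. The time is passed in by the caller so the behaviour
    is reproducible (a server would pass time.monotonic()).
    Constructed for this example; not code from the textbook."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        # client id -> timestamps of its accepted requests, oldest first
        self.history = defaultdict(deque)

    def allow(self, client, now):
        accepted = self.history[client]
        while accepted and now - accepted[0] >= self.window:
            accepted.popleft()            # forget requests outside the window
        if len(accepted) >= self.max_requests:
            return False                  # over budget: refuse, do no work
        accepted.append(now)
        return True


def simulate_flood():
    """Constructed traffic: 'attacker' fires 50 requests inside one second while
    'alice' sends one request per second. Returns how many of each were served."""
    limiter = RequestLimiter(max_requests=10, window_seconds=1.0)
    served = {"attacker": 0, "alice": 0}
    for i in range(50):                   # 50 requests at 0.00, 0.02, ... 0.98 s
        if limiter.allow("attacker", now=i * 0.02):
            served["attacker"] += 1
    for t in range(5):                    # one request per second for 5 s
        if limiter.allow("alice", now=float(t)):
            served["alice"] += 1
    return served


if __name__ == "__main__":
    print(simulate_flood())
```

Without the limiter all 50 attacker requests would be processed; with it only the first 10 in each second are, and alice's five requests are all served because the budget is per client. The history table is itself a resource: in production, evict clients that have been idle for longer than the window, otherwise an attacker who spreads requests across many source addresses can grow it without bound.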

Enterprise-based issues. Often attacks are successful not because of compromised
technology but because of the manipulation of processes that an enterprise
performs. A vulnerable business process, also called business process
compromise (BPC), is exploited when an attacker manipulates commonplace actions
that are routinely performed. For example, late on a Friday afternoon an attacker
in India could make a request to New York to have money transferred to Taiwan.
Because these transactions are in different countries, time zones, and even on
different days, it can be difficult for this process to be quickly verified. Another
problem in the enterprise is the rapid acquisition and deployment of technology
devices without proper documentation. This results in undocumented assets,
or devices that are not formally identified, and leads to system sprawl, or
the widespread proliferation of devices across the enterprise. Often servers,
computers, and other devices are purchased and quickly installed without
adequate forethought regarding how they can be protected.
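The improper input handling and improper error handling described under Poorly designed software above can be shown side by side. The example below is added for this page and is not code from the textbook; in place of an operating-system command it uses SQL against an in-memory SQLite table as the command the attacker smuggles in through the email field, which is the same class of flaw. The table, its sample rows, the email pattern, and the response format are all constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for the web
    server's user database (names and addresses invented for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice@example.com", "Alice"), ("bob@example.com", "Bob")])
    return db


def make_empty_db():
    """A database with no tables at all, used to provoke a server-side error."""
    return sqlite3.connect(":memory:")


def lookup_unsafe(db, email):
    """Improper input handling: the text the user typed is pasted straight into
    the SQL, so a value such as  ' OR '1'='1  becomes part of the command."""
    query = "SELECT name FROM users WHERE email = '%s'" % email
    return sorted(row[0] for row in db.execute(query))


def lookup_parameterized(db, email):
    """Bound parameter: the driver never interprets the value as SQL syntax,
    so the injection payload is just a string no mailbox matches."""
    rows = db.execute("SELECT name FROM users WHERE email = ?", (email,))
    return sorted(row[0] for row in rows)


# Accept only a plausible mailbox@domain form; quotes, semicolons and spaces fail.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def lookup_safe(db, email):
    """Validate first, then query with a bound parameter (two independent layers)."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("malformed email address")
    return lookup_parameterized(db, email)


def handle_request(db, email):
    """Proper error handling: every failure is trapped and mapped to a fixed,
    generic message. The exception text (table names, SQL fragments, paths)
    stays inside the server, where it would be logged, never in the response."""
    try:
        return {"ok": True, "names": lookup_safe(db, email)}
    except ValueError:
        return {"ok": False, "error": "invalid request"}
    except sqlite3.Error:
        return {"ok": False, "error": "internal error"}


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe, normal input :", lookup_unsafe(db, "alice@example.com"))
    print("unsafe, injected     :", lookup_unsafe(db, payload))   # every user
    print("bound parameter      :", lookup_parameterized(db, payload))
    print("validated + bound    :", handle_request(db, payload))
    print("missing table        :", handle_request(make_empty_db(), "alice@example.com"))
```

Validation and parameter binding are independent layers: the bound query alone turns the payload into a harmless search for a literal string, and the pattern check refuses it before the database is consulted. The fixed error responses mean a probing attacker cannot learn from the reply whether a table exists or a query failed to parse, which is exactly the information the improper error handling in the text hands over.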

Difficulties in Defending Against Attacks
The challenge of keeping computers secure has never been greater, not only because of
continual attacks but also because of the difficulties faced in defending against these
attacks. These difficulties include the following:

Universally connected devices. Today virtually every technology device, not only
traditional computers but even programmable thermostats and light bulbs, is
connected to the Internet. Although this provides enormous benefits, it also
makes it easy for an attacker halfway around the world to silently launch an attack
against a connected device.

Increased speed of attacks. With modern tools at their disposal, attackers can
quickly scan millions of devices to find weaknesses and launch attacks with
unprecedented speed. Most attack tools initiate new attacks without any human
participation, thus increasing the speed at which systems are attacked.

Greater sophistication of attacks. Attacks are becoming more complex, making it
more difficult to detect and defend against them. Many attackers use common
protocols to distribute their attacks, making it more difficult to distinguish an
attack from legitimate traffic. Other attack tools vary their behavior so the same
attack appears differently each time, further complicating detection.

Availability and simplicity of attack tools. At one time an attacker needed to have
an extensive technical knowledge of networks and computers as well as the
ability to write a program to generate an attack. Today that is no longer the case.
Modern software attack tools do not require sophisticated knowledge on the
part of the attacker. In fact, many of the tools, such as the Kali Linux interface
shown in Figure 1-1, have a graphical user interface (GUI) that allows the user
to easily select options from a menu. These tools are generally freely available.

Figure 1-1 Menu of attack tools (Source: Kali Linux)

In addition, attackers who create attacks tools will often then sell these tools to
other attackers.

Faster detection of vulnerabilities. Weaknesses in hardware and software can be
more quickly uncovered and exploited with new software tools and techniques.
Often an attacker may find a vulnerability and initiate an attack taking advantage
of it even before users or security professionals are aware of the vulnerability.
This is called a zero day attack, since there are no days of warning ahead of this
new threat.

Delays in security updating. Hardware and software vendors are overwhelmed
trying to keep pace with updating their products against attacks. One antivirus
software security institute receives more than 390,000 submissions of potential
malware each day.16 At this rate the antivirus vendors would have to create and
distribute updates every few seconds to keep users fully protected. This delay in
distributing security updates adds to the difficulties in defending against attacks.

Weak security update distribution. Vendors of mainstream products, such as
Microsoft, Apple, and Adobe, have a system for notifying users of security
updates for their products and distributing them on a regular basis, but few other
software vendors have invested in these costly distribution systems. Users are
generally unaware that a security update even exists for a product because there
is no reliable means for the vendor to alert the user. Also, these vendors often do
not create small security updates that patch the existing software; instead, they
fix the problem in an entirely new version of the software, and then require the
user to pay for the updated version that contains the patch.

Note

Many smartphones, unlike computers and laptops, do not let the owner of the device download
security updates directly from the software vendor. Instead, the updates must be packaged and
sent out by the device manufacturer or the wireless carrier. Many carriers do not provide security
updates on a timely basis, if at all.

Distributed attacks. Attackers can use millions of computers or devices under
their control in an attack against a single server or network. This many against
one approach makes it virtually impossible to stop an attack by identifying and
blocking a single source.

Use of personal devices. Many enterprises allow employees to use and connect
their personal devices to the company's network. This has made it difficult for IT
departments to provide adequate security for an almost endless array of devices
that they do not own.

User confusion. Increasingly, users are called upon to make difficult security
decisions regarding their computer systems, sometimes with little or no
information to guide them. It is not uncommon for a user to be asked security
questions such as "Do you want to view only the content that was delivered
securely?" or "Is it safe to quarantine this attachment?" or "Do you want to install this
add-on?" With little or no direction, these untrained users are inclined to provide
answers to questions without understanding the security risks.

Table 1-2 summarizes the reasons why it is difficult to defend against today's attacks.

Reason | Description
Universally connected devices | Attackers from anywhere in the world can send attacks.
Increased speed of attacks | Attackers can launch attacks against millions of computers within minutes.
Greater sophistication of attacks | Attack tools vary their behavior so the same attack appears differently each time.
Availability and simplicity of attack tools | Attacks are no longer limited to highly skilled attackers.
Faster detection of vulnerabilities | Attackers can discover security holes in hardware or software more quickly.
Delays in security updating | Vendors are overwhelmed trying to keep pace updating their products against the latest attacks.
Weak security update distribution | Many software products lack a means to distribute security updates in a timely fashion.
Distributed attacks | Attackers use thousands of computers in an attack against a single computer or network.
Use of personal devices | Enterprises are having difficulty providing security for a wide array of personal devices.
User confusion | Users are required to make difficult security decisions with little or no instruction.

Table 1-2 Difficulties in defending against attacks

What Is Information Security?
Certification

5.3 Explain risk management processes and concepts.

Before it is possible to defend against attacks, it is necessary to understand exactly
what security is and how it relates to information security. Also, knowing the
terminology used can be helpful when creating defenses for computers. Understanding
the importance of information security is also critical.


Understanding Security
What is security? The word comes from the Latin, meaning free from care. Sometimes
security is defined as the state of being free from danger, which is the goal of security. It
is also defined as the measures taken to ensure safety, which is the process of security.
Since complete security can never be fully achieved, the focus of security is more often
on the process instead of the goal. In this light, security can be defined as the necessary
steps to protect from harm.

It is important to understand the relationship between security and convenience.
As security is increased, convenience is often decreased. That is, the more secure
something is, the less convenient it may become to use (security is said to be inversely
proportional to convenience). This is illustrated in Figure 1-2. Consider a typical house.
A homeowner might install an automated alarm system that requires a code to be
entered on a keypad within 30 seconds of entering the house. Although the alarm
system makes the house more secure, it is less convenient than just walking into the
house. Thus, security may be understood as sacrificing convenience for safety.

Figure 1-2 Relationship of security to convenience (axes: Security, Convenience)

Defining Information Security
Several terms are used when describing security in an IT environment: computer security,
IT security, cybersecurity, and information assurance, to name just a few. Whereas each
has its share of proponents and slight variations of meanings, the term information
security may be the most appropriate because it is the broadest: protecting information
from harm. Information security is often used to describe the tasks of securing
information that is in a digital format, whether it be manipulated by a microprocessor
(such as on a personal computer), preserved on a storage device (like a hard drive or USB
flash drive), or transmitted over a network (such as a local area network or the Internet).

Information security cannot completely prevent successful attacks or guarantee
that a system is totally secure, just as the security measures taken for a house can
never guarantee complete safety from a burglar. The goal of information security is
to ensure that protective measures are properly implemented to ward off attacks and
prevent the total collapse of the system when a successful attack does occur. Thus,
information security is first protection.

Second, information security is intended to protect information that provides value
to people and enterprises. There are three protections that must be extended over
information: confidentiality, integrity, and availability, or CIA:

1. Confidentiality. It is important that only approved individuals can access
important information. For example, the credit card number used to make an
online purchase must be kept secure and not made available to other parties.
Confidentiality ensures that only authorized parties can view the information.
Providing confidentiality can involve several different security tools, ranging
from software to scramble the credit card number stored on the web server to
door locks to prevent access to those servers.

2. Integrity. Integrity ensures that the information is correct and no unauthorized
person or malicious software has altered the data. In the example of the
online purchase, an attacker who could change the amount of a purchase from
$10,000.00 to $1.00 would violate the integrity of the information.

3. Availability. Information has value if the authorized parties who are assured of its
integrity can access the information. Availability ensures that data is accessible
to authorized users. This means that the information cannot be locked up so
tight that no one can access it. It also means that attackers have not performed
an attack so that the data cannot be reached. In this example the total number of
items ordered as the result of an online purchase must be made available to an
employee in a warehouse so that the correct items can be shipped to the customer.

Because this information is stored on computer hardware, manipulated by software,
and transmitted by communications, each of these areas must be protected. The third
objective of information security is to protect the integrity, confidentiality, and availability
of information on the devices that store, manipulate, and transmit the information.

This protection is achieved through a process that is a combination of three
entities. As shown in Figure 1-3 and Table 1-3, information and the hardware, software,
and communications are protected in three layers: products, people, and policies and
procedures. The procedures enable people to understand how to use products to protect
information.

Note

Information security should not be viewed as a war to be won or lost. Just as crimes such as
burglary can never be completely eradicated, neither can attacks against technology devices.
The goal is not a complete victory but instead maintaining equilibrium: as attackers take
advantage of a weakness in a defense, defenders must respond with an improved defense.
Information security is an endless cycle between attacker and defender.

Figure 1-3 Information security layers (information at the center, labeled Confidentiality,
Integrity, and Availability and Stored, Processed, and Transmitted, surrounded by the layers
Products, People, and Policies and procedures)

Table 1-3 Information security layers

| Layer | Description |
|---|---|
| Products | Form the security around the data. May be as basic as door locks or as complicated as network security equipment. |
| People | Those who implement and properly use security products to protect data. |
| Policies and procedures | Plans and policies established by an enterprise to ensure that people correctly use the products. |

Thus, information security may be defined as that which protects the integrity,
confidentiality, and availability of information through products, people, and procedures
on the devices that store, manipulate, and transmit the information.

Information Security Terminology
As with many advanced subjects, information security has its own set of terminology. The
following scenario helps to illustrate information security terms and how they are used.

Suppose that Ellie wants to purchase a new motorized Italian scooter to ride from
her apartment to school and work. However, because several scooters have been
stolen near her apartment she is concerned about its protection. Although she parks
the scooter in the gated parking lot in front of her apartment, a hole in the fence
surrounding the apartment complex makes it possible for someone to access the
parking lot without restriction. The threat to Ellie's scooter is illustrated in Figure 1-4.

Ellie's new scooter is an asset, which is defined as an item that has value. In an
enterprise, assets have the following qualities: they provide value to the enterprise;
they cannot easily be replaced without a significant investment in expense, time,
worker skill, and/or resources; and they can form part of the enterprise's corporate
identity. Based on these qualities not all elements of an enterprise's information
technology infrastructure may be classified as an asset. For example, a faulty desktop
computer that can easily be replaced would generally not be considered an asset,
yet the information contained on that computer can be an asset. Table 1-4 lists a
description of the elements of an enterprise's information technology infrastructure
and whether they would normally be considered as an asset.

Figure 1-4 Information security components analogy (Scooter = asset; Thief = threat actor;
Theft of scooter = threat; Fence hole = vulnerability; Attack vector = go through fence hole;
Stolen scooter = risk)


What Ellie is trying to protect her scooter from is a threat, which is a type of action
that has the potential to cause harm. Information security threats are events or actions
that represent a danger to information assets. A threat by itself does not mean that
security has been compromised; rather, it simply means that the potential for creating
a loss is real. For Ellie, the threat could result in the theft of her scooter; in information
security, a threat can result in the corruption or theft of information, a delay in
information being transmitted, or even the loss of good will or reputation.

A threat actor is a person or element that has the power to carry out a threat.
For Ellie, the threat actor is a thief. In information security, a threat actor could be a
person attempting to break into a secure computer network. It could also be malicious
software that attacks the computer network, or even a force of nature such as a
hurricane that could destroy computer equipment and its information.

Ellie wants to protect her scooter and is concerned about a hole in the fencing
around her apartment. The hole in the fencing is a vulnerability, which is a flaw or
weakness that allows a threat actor to bypass security. An example of a vulnerability
that information security must deal with is a software defect in an operating system
that allows an unauthorized user to gain control of a computer without the user's
knowledge or permission.

If a thief can get to Ellie's scooter because of the hole in the fence, then that thief
is taking advantage of the vulnerability. This is known as exploiting the vulnerability
through an attack vector, or the means by which an attack can occur. The attack surface
is the sum of all the different attack vectors. An attacker, knowing that a flaw in a web
server's operating system has not been patched, is using the attack vector (exploiting
the vulnerability) to steal user passwords.

Table 1-4 Information technology assets

| Element name | Description | Example | Critical asset? |
|---|---|---|---|
| Information | Data that has been collected, classified, organized, and stored in various forms | Customer, personnel, production, sales, marketing, and finance databases | Yes: Extremely difficult to replace |
| Customized business software | Software that supports the business processes of the enterprise | Customized order transaction application | Yes: Unique and customized for the enterprise |
| System software | Software that provides the foundation for application software | Operating system | No: Can be easily replaced |
| Physical items | Computer equipment, communications equipment, storage media, furniture, and fixtures | Servers, routers, DVDs, and power supplies | No: Can be easily replaced |
| Services | Outsourced computing services | Voice and data communications | No: Can be easily replaced |

Ellie must decide: what is the likelihood that the threat will come to fruition and
her scooter stolen? This can be understood in terms of risk. A risk is a situation that
involves exposure to some type of danger. There are different options available when
dealing with risks, called risk response techniques:

Accept. To accept risk simply means that the risk is acknowledged but no steps
are taken to address it. In Ellie's case, she could accept the risk and buy the new
scooter, knowing there is the chance of it being stolen by a thief entering through
a hole in the fence.

Transfer. Ellie could transfer the risk to a third party. She can do this by
purchasing insurance so that the insurance company absorbs the loss and pays if
the scooter is stolen. This is known as risk transfer.

Avoid. To avoid risk involves identifying the risk but making the decision to not
engage in the activity. Ellie could decide based on the risk of the scooter being
stolen that she will not purchase the new scooter.

Mitigate. To mitigate risk is the attempt to address risk by making the risk less
serious. Ellie could complain to the apartment manager about the hole in the
fence to have it repaired.

Note

If the apartment manager posted signs in the area that said "Trespassers will be punished
to the full extent of the law," this would be called risk deterrence. Risk deterrence involves
understanding something about attackers and then informing them of the harm that could
come their way if they attack an asset.

Table 1-5 summarizes these information security terms.

Table 1-5 Information security terminology

| Term | Example in Ellie's scenario | Example in information security |
|---|---|---|
| Asset | Scooter | Employee database |
| Threat | Steal scooter | Steal data |
| Threat actor | Thief | Attacker, hurricane |
| Vulnerability | Hole in fence | Software defect |
| Attack vector | Climb through hole in fence | Access web server passwords through flaw in operating system |
| Likelihood | Probability of scooter stolen | Likelihood of virus infection |
| Risk | Stolen scooter | Virus infection or stolen data |


Understanding the Importance of Information Security
Information security is important to enterprises as well as to individuals. That is
because information security can be helpful in preventing data theft, thwarting identity
theft, avoiding the legal consequences of not securing information, maintaining
productivity, and foiling cyberterrorism.

Preventing Data Theft
Security is often associated with theft prevention: Ellie could park her scooter in
a locked garage to prevent it from being stolen. The same is true with information
security: preventing data from being stolen is often cited by enterprises as a
primary objective of their information security. Enterprise data theft involves
stealing proprietary business information, such as research for a new drug or a list
of customers that competitors would be eager to acquire. Stealing user personal
data such as credit card numbers is also a prime action of attackers. This data can
then be used to purchase thousands of dollars of merchandise online before the
victim is even aware the number has been stolen.

Note

There are different types of fraud associated with credit card theft. Creating counterfeit debit
and credit cards is called existing-card fraud, while new-account fraud occurs when new card
accounts are opened in the name of the victim without their knowledge. Card-not-present
fraud occurs when a thief uses stolen card information in an online purchase and does not
actually have the card in hand.

Note

In some instances, thieves have bought cars and even houses by taking out loans in someone
else's name.

Thwarting Identity Theft
Identity theft involves stealing another person's personal information, such as a Social
Security number, and then using the information to impersonate the victim, generally
for financial gain. The thieves often create new bank or credit card accounts under
the victim's name and then large purchases are charged to these accounts, leaving the
victim responsible for the debts and ruining his credit rating.

One of the areas of identity theft that is growing most rapidly involves identity
thieves filing fictitious income tax returns with the U.S. Internal Revenue Service (IRS).
Identity thieves who steal a filer's Social Security number will then file a fake income
tax return claiming a large refund, often larger than the victim is entitled to, that is
sent to the attacker. Because the IRS has been sending refunds more quickly than in
the past, thieves can receive the refund and then disappear before the victim files a
legitimate return and the fraud is detected. The IRS delivered over $5.8 billion in refund
checks to identity thieves who filed fraudulent tax returns in one year, even though
it stopped about 3 million fraudulent returns for that year.17 Tax identity thieves are
also known to set up fake tax preparation service centers to steal tax information from
victims. One group filed $3.4 million worth of fraudulent returns through a sham tax
preparation business.18

Note

There have also been instances of identity thieves filing fake tax returns while using the
victim's actual mailing addresses, then bribing postal workers to intercept the refund checks
before they are delivered. One postal employee was convicted of stealing over 100 refund
envelopes sent to addresses along his route.19

Avoiding Legal Consequences
Several federal and state laws have been enacted to protect the privacy of electronic
data. Businesses that fail to protect data they possess may face serious financial
penalties. Some of these laws include the following:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under
the Health Insurance Portability and Accountability Act (HIPAA), healthcare
enterprises must guard protected healthcare information and implement policies
and procedures to safeguard it, whether it be in paper or electronic format.
Those who wrongfully disclose individually identifiable health information can
be fined up to $50,000 for each violation up to a maximum of $1.5 million per
calendar year and sentenced up to 10 years in prison.

Note

HIPAA regulations have been expanded to include all third-party business associate
organizations that handle protected healthcare information. Business associates are
defined as any subcontractor that creates, receives, maintains, or transmits protected health
information on behalf of a covered HIPAA entity. These associates must now comply with the
same HIPAA security and privacy procedures.


The Sarbanes-Oxley Act of 2002 (Sarbox). As a reaction to a rash of corporate
fraud, the Sarbanes-Oxley Act (Sarbox) is an attempt to fight corporate
corruption. Sarbox covers the corporate officers, auditors, and attorneys of
publicly traded companies. Stringent reporting requirements and internal
controls on electronic financial reporting systems are required. Corporate officers
who willfully and knowingly certify a false financial report can be fined up to
$5 million and serve 20 years in prison.

The Gramm-Leach-Bliley Act (GLBA). Like HIPAA, the Gramm-Leach-Bliley
Act (GLBA) passed in 1999 protects private data. GLBA requires banks and
financial institutions to alert customers of their policies and practices in
disclosing customer information. All electronic and paper data containing
personally identifiable financial information must be protected. The penalty for
noncompliance for a class of individuals is up to $500,000.

Payment Card Industry Data Security Standard (PCI DSS). The Payment Card
Industry Data Security Standard (PCI DSS) is a set of security standards that all
companies that process, store, or transmit credit or debit card information must
follow. PCI applies to any enterprise or merchant, regardless of its size or number
of card transactions, that processes transactions either online or in person. The
maximum penalty for not complying is $100,000 per month.

State notification and security laws. Since the passage of California's Database
Security Breach Notification Act in 2003, all other states (except for Alabama,
New Mexico, and South Dakota) have passed similar notification laws. These
laws typically require businesses to inform residents within a specific period
(typically 48 hours) if a breach of personal information has or is believed to have
occurred. In addition, several states are strengthening their information security
laws. For example, Connecticut requires any enterprise doing business in the
state to scramble (encrypt) all sensitive personal data that is being transmitted
over a public Internet connection or stored on portable devices like a USB flash
drive, and companies must notify any potential victims of a data breach within
90 days of the attack and offer at least one year of identity theft prevention
services. Oregon's law includes protection of an individual's healthcare
information while New Hampshire requires the state's education department to
notify students and teachers if their personal data was possibly stolen.

The penalties for violating these laws can be sizeable. Enterprises must make every
effort to keep electronic data secure from hostile outside forces to ensure compliance
with these laws and avoid serious legal consequences.

Maintaining Productivity
Cleaning up after an attack diverts time, money, and other resources away from normal
activities. Employees cannot be productive and complete important tasks during or
after an attack because computers and networks cannot function properly. Table 1-6
provides a sample estimate of the lost wages and productivity during an attack and the
subsequent cleanup.

Table 1-6 Cost of attacks

| Number of total employees | Average hourly salary | Number of employees to combat attack | Hours required to stop attack and clean up | Total lost salaries | Total lost hours of productivity |
|---|---|---|---|---|---|
| 100 | $25 | 1 | 48 | $4066 | 81 |
| 250 | $25 | 3 | 72 | $17,050 | 300 |
| 500 | $30 | 5 | 80 | $28,333 | 483 |
| 1000 | $30 | 10 | 96 | $220,000 | 1293 |

Note

One of the challenges in combatting cyberterrorism is that many of the prime targets are not
owned and managed by the federal government. Because these are not centrally controlled,
it is difficult to coordinate and maintain security.

Note

The single most expensive malicious attack was the Love Bug in 2000, which cost an
estimated $8.7 billion.20

Foiling Cyberterrorism
The FBI defines cyberterrorism as any premeditated, politically motivated attack
against information, computer systems, computer programs, and data which results in
violence against noncombatant targets by subnational groups or clandestine agents.21
Unlike an attack that is designed to steal information or erase a user's hard disk drive,
cyberterrorism attacks are intended to cause panic or provoke violence among citizens.
Attacks are directed at targets such as the banking industry, military installations,
power plants, air traffic control centers, and water systems. These are desirable targets
because they can significantly disrupt the normal activities of a large population.
For example, disabling an electrical power plant could cripple businesses, homes,
transportation services, and communications over a wide area.


Note

Some security experts maintain that East European threat actors are mostly focused on
activities to steal money from individuals, whereas cybercriminals from East Asia are
more interested in stealing data from governments or enterprises. This results in different
approaches to their attacks. East European cybercriminals tend to use custom-built,
highly complex malware while East Asian attackers use off-the-shelf malware and simpler
techniques. Also, East European attackers work in small, tightly knit teams that directly profit
from their attacks. East Asian threat actors usually are part of a larger group of attackers
who work at the direction of large institutions from which they receive instructions and
financial backing.

Who Are the Threat Actors?
Certification

1.3 Explain threat actor types and attributes.

Threat actor is a generic term used to describe individuals who launch attacks against
other users and their computers (another generic word is simply attackers). Many threat
actors belong to organized gangs of young attackers, often clustered in Eastern European,
Asian, and Third World regions, who meet in hidden online dark web forums to trade
information, buy and sell stolen data and attacker tools, and even coordinate attacks.

Whereas at one time the reason for attacking a computer was to show off their
technology skills (fame), today threat actors have a more focused goal of financial gain:
to exploit vulnerabilities that can generate income (fortune). This financial cybercrime is
often divided into two categories. The first category focuses on individuals as the victims.
The threat actors steal and use stolen data, credit card numbers, online financial account
information, or Social Security numbers to profit from their victims or send millions of spam
emails to peddle counterfeit drugs, pirated software, fake watches, and pornography. The
second category focuses on enterprises and governments. Threat actors attempt to steal
research on a new product from an enterprise so that they can sell it to an unscrupulous
foreign supplier who will then build an imitation model of the product to sell worldwide.
This deprives the legitimate business of profits after investing hundreds of millions of
dollars in product development, and because these foreign suppliers are in a different
country they are beyond the reach of domestic enforcement agencies and courts.
Governments are also the targets of threat actors: if the latest information on a new missile
defense system can be stolen it can be sold, at a high price, to that government's enemies.

The attributes, or characteristic features, of the different groups of threat actors
can vary widely. Some groups are very sophisticated (have developed a high degree of
complexity) and have created a massive network of resources, while others are simply
individuals just seeing what they can do. In addition, some groups have deep funding
and resources while others have none. And whereas some groups of threat actors may
work within the enterprise (internal) others are strictly external. Finally, the intent and
motivation (the reason why behind the attacks) of the threat actors vary widely.

In the past, the term hacker referred to a person who used advanced computer skills to
attack computers, and variations of that term were also introduced (black hat hackers, white
hat hackers, gray hat hackers). However, that term did not accurately reflect the different
motives and goals of the attackers. Today threat actors are recognized in more distinct
categories, such as script kiddies, hactivists, nation state actors, insiders, and others.

Script Kiddies
Script kiddies are individuals who want to attack computers yet they lack the
knowledge of computers and networks needed to do so. Script kiddies instead do their
work by downloading freely available automated attack software (called open-source
intelligence or scripts) from websites and using it to perform malicious acts. Figure 1-5
illustrates the skills needed for creating attacks. Over 40 percent of attacks require low
or no skills and are frequently conducted by script kiddies.

Figure 1-5 Skills needed for creating attacks: No skills (13%), Low skills (28%),
Moderate skills (44%), High skills (15%)

Hactivists
A group that is strongly motivated by ideology (for the sake of their principles or
beliefs) is hactivists. Hactivists (a combination of the words hack and activism) are
generally not considered to be a well-defined and well-organized group of threat
agents. Attacks by hactivists can involve breaking into a website and changing the
contents on the site as a means of making a political statement (one hactivist group
changed the website of the U.S. Department of Justice to read "Department of Injustice").
In addition to attacks as a means of protest or to promote a political agenda, other
attacks can be retaliatory. For example, hactivists may disable the website belonging to
a bank because that bank stopped accepting online payments that were deposited into
accounts belonging to the hactivists.


Note

Most hactivists do not explicitly call themselves hacktivists. The term is more commonly used
by security researchers and journalists to distinguish them from other types of threat actors.

Note

Many security researchers believe that nation state actors might be the deadliest of any
threat actors. When fortune motivates a threat actor but the target's defenses are too strong,
the attacker simply moves on to another promising target with less-effective defenses.
With nation state actors, however, the target is very specific and the attackers keep working
until they are successful, showing both deep resources and tenacity. This is because
state-sponsored attackers are highly skilled and have enough government resources to breach
almost any security defense.

It is estimated that there are thousands of hactivist groups worldwide supporting
a wide variety of causes. Some groups are opposing a specific government, country, or
other entity, while others express no particular allegiances.

Nation State Actors
Instead of using an army to march across the battlefield to strike an adversary,
governments are increasingly employing their own state-sponsored attackers
for launching computer attacks against their foes. These are known as nation state
actors. Their foes may be foreign governments or even citizens of their own nation that
the government considers hostile or threatening. A growing number of attacks from
nation state actors are directed toward businesses in foreign countries with the goal of
causing financial harm or damage to the enterprise's reputation.

Nation state actors are known for being well-resourced and highly trained attackers.
They often are involved in multiyear intrusion campaigns targeting highly sensitive
economic, proprietary, or national security information. This has created a new class of
attacks called Advanced Persistent Threat (APT). These attacks use innovative attack
tools (advanced) and once a system is infected it silently extracts data over an extended
period (persistent). APTs are most commonly associated with nation state actors.

Insiders
Another serious threat to an enterprise comes from its own employees, contractors,
and business partners, called insiders. For example, a healthcare worker disgruntled
about being passed over for a promotion might illegally gather health records on
celebrities and sell them to the media, or a securities trader who loses billions of
dollars on bad stock bets could use her knowledge of the bank's computer security
system to conceal the losses through fake transactions. In one study, it was determined
that 58 percent of the breaches of an enterprise were attributed to insiders who abused
their right to access corporate information.22 These attacks are harder to recognize
because they come from within the enterprise yet may be costlier than attacks from
the outside.

Although some insider attacks consist of sabotage (from employees who have been
formally reprimanded or demoted) or are the result of bribery or blackmail, most insider
attacks involve the theft of data. Because most of these thefts occur within 30 days of
an employee resigning, the offenders may actually believe that the accumulated data is
owned by them and not the enterprise.
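The 30-day window just described is something a defender can watch for. The following is an added example in Python (it is not from the textbook): it reads a constructed file-access log and a constructed list of employees who have given notice, and flags any departing employee whose download volume inside the window around the resignation date exceeds a threshold. The log format, the 100 MB threshold and the symmetric 30-day window (before and after the resignation date) are assumptions made for the illustration; a real deployment would tune them against each employee's own baseline.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from the textbook): employees who have given
# notice, keyed by user name, with the date the resignation was recorded.
RESIGNATIONS = {
    "jdoe": date(2017, 6, 1),
}

# Constructed sample access log, one event per line:
# date,user,action,object,bytes
ACCESS_LOG = """\
2017-05-20,jdoe,download,customer_list.xlsx,1200000
2017-06-03,jdoe,download,product_roadmap.pdf,4500000
2017-06-04,jdoe,download,q3_forecast.xlsx,900000
2017-06-04,jdoe,download,source_archive.zip,250000000
2017-06-05,asmith,download,handbook.pdf,300000
"""

NOTICE_WINDOW_DAYS = 30            # the "within 30 days" window from the text
BYTES_THRESHOLD = 100_000_000      # assumed alert threshold (100 MB)


def parse_log(text):
    """Parse the constructed log format into (date, user, action, object, bytes) tuples."""
    events = []
    for line in text.strip().splitlines():
        day, user, action, obj, nbytes = line.split(",")
        events.append((date.fromisoformat(day), user, action, obj, int(nbytes)))
    return events


def flag_departing_downloads(events, resignations,
                             window_days=NOTICE_WINDOW_DAYS,
                             threshold=BYTES_THRESHOLD):
    """Return {user: total_bytes} for departing users whose downloads inside the
    window around their resignation date reach the threshold."""
    totals = defaultdict(int)
    for day, user, action, _obj, nbytes in events:
        if action != "download" or user not in resignations:
            continue
        resigned = resignations[user]
        window = timedelta(days=window_days)
        # Count activity from window_days before to window_days after the notice.
        if resigned - window <= day <= resigned + window:
            totals[user] += nbytes
    return {user: total for user, total in totals.items() if total >= threshold}


if __name__ == "__main__":
    for user, total in flag_departing_downloads(parse_log(ACCESS_LOG), RESIGNATIONS).items():
        print(f"ALERT: {user} downloaded {total} bytes near resignation date")
```

Only the departing user is evaluated; the same volume from an employee who has not given notice is ignored by this rule, which is why it is a supplement to, not a replacement for, general data-loss monitoring.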

Note

In recent years insiders have stolen large volumes of sensitive information and then published
it. The purpose is to alert citizens about clandestine governmental actions and to pressure the
government to change its policies.

Other Threat Actors
In addition, there are other categories of threat actors. These are summarized in Table 1-7.

Table 1-7 Descriptions of other attackers

Threat actor | Description | Explanation
Competitors | Launch attacks against an opponent's system to steal classified information. | Competitors may steal new product research or a list of current customers to gain a competitive advantage.
Organized crime | Moving from traditional criminal activities to more rewarding and less risky online attacks. | Criminal networks are usually run by a small number of experienced online criminals who do not commit crimes themselves but act as entrepreneurs.
Brokers | Sell their knowledge of a vulnerability to other attackers or governments. | Individuals who uncover vulnerabilities do not report them to the software vendor but instead sell them to the highest bidder, who is willing to pay a high price for the unknown vulnerability.
Cyberterrorists | Attack a nation's network and computer infrastructure to cause disruption and panic among citizens. | Targets may include a small group of computers or networks that can affect the largest number of users, such as the computers that control the electrical power grid of a state or region.


Defending Against Attacks
Certification: 3.1 Explain use cases and purpose for frameworks, best practices and
secure configuration guides.

How can a computer or network be defended against the many attacks from a variety
of threat actors? Protection calls for following five fundamental security principles. In
addition, following established frameworks and architectures is important.

Fundamental Security Principles
Although multiple defenses may be necessary to withstand an attack, these defenses should
be based on five fundamental security principles: layering, limiting, diversity, obscurity, and
simplicity. These principles provide a foundation for building a secure system.

Layering
The Crown Jewels of England, which are worn during coronations and important state
functions, have a dollar value of over $32 million yet are virtually priceless as symbols
of English culture. How are precious stones like the Crown Jewels protected from
theft? They are not openly displayed on a table for anyone to pick up. Instead, they are
enclosed in protective cases with 2-inch thick glass that is bullet-proof, smash-proof,
and resistant to almost any outside force. The cases are in a special room with massive
walls and sensors that can detect slight movements or vibrations. The doors to the
room are monitored around the clock by remote security cameras, and the video images
from each camera are recorded. The room itself is in the Tower of London, surrounded
by roaming guards and fences. In short, these precious stones are protected by layers of
security. If one layer is penetrated (such as the thief getting into the building), several
more layers must still be breached, and each layer is often more difficult or complicated
than the previous. A layered approach has the advantage of creating a barrier of
multiple defenses that can be coordinated to thwart a variety of attacks.

Note

The Jewel House, which holds the Crown Jewels in the Tower of London, is actually located
inside an Army barracks that is staffed with soldiers.

Likewise, information security must be created in layers. If only one defense
mechanism is in place, an attacker only has to circumvent that single defense. Instead,
a security system must have layers, making it unlikely that an attacker has the tools
and skills to break through all the layers of defenses. A layered security approach, also
called defense-in-depth, can be useful in resisting a variety of attacks. Layered security
provides the most comprehensive protection.

Limiting
Consider again protecting the Crown Jewels of England. Although the jewels may be
on display for the general public to view, permitting anyone to touch them increases
the chances that they will be stolen. Only approved personnel should be authorized to
handle the jewels. Limiting who can access the jewels reduces the threat against them.

The same is true with information security. Limiting access to information reduces
the threat against it. This means that only those personnel who must use the data
should have access to it. In addition, the type of access they have should be limited
to what those people need to perform their jobs. For example, access to the human
resource database for an enterprise should be limited to only employees who have a
genuine need to access it, such as human resource personnel or vice presidents. And,
the type of access also should be restricted: human resource employees may be able to
view employee salaries but not change them.

Note

What level of access should users have? The correct answer is the least amount necessary to
do their jobs, and no more.

Some ways to limit access are technology-based, such as assigning file
permissions so that a user can only read but not modify a file, while others are
procedural, such as prohibiting an employee from removing a sensitive document
from the premises. The key is that access must be restricted to the bare minimum.
And although some personnel may balk at not being able to freely access any file or
resource that they may choose, it is important that user training help instruct the
employees as to the security reasons behind the restrictions.
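As an added illustration of limiting (this is not code from the textbook), here is a small deny-by-default access check in Python that encodes the human resources example above: HR staff may view salaries but not change them, only an assumed payroll role may update them, and any employee may view their own record. The roles, actions and resource names are assumptions for the example; the point is that every permission is an explicit grant and anything not granted is refused and recorded.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A user and the roles assigned to them (roles are assumed for the example)."""
    user: str
    roles: frozenset


# Explicit grants as (role, action, resource). Anything not listed is denied,
# which is the "least amount necessary" rule from the note above.
POLICY = {
    ("hr", "view", "salary"),          # HR may look at salaries...
    ("hr", "view", "employee_record"),
    ("hr", "update", "employee_record"),
    ("payroll", "view", "salary"),
    ("payroll", "update", "salary"),   # ...but only payroll may change them
    ("vp", "view", "salary"),
}


def is_allowed(principal, action, resource, owner=None):
    """Return (decision, reason). Deny unless a role grants the action on the
    resource, or the record belongs to the requesting user and they only want to view it."""
    if owner is not None and owner == principal.user and action == "view":
        return True, "owner may view own record"
    for role in sorted(principal.roles):
        if (role, action, resource) in POLICY:
            return True, f"granted by role {role}"
    return False, "no matching grant (deny by default)"


def process_requests(requests):
    """Evaluate (principal, action, resource, owner) requests and return the
    denied ones, which is what an auditor wants to review."""
    denied = []
    for principal, action, resource, owner in requests:
        allowed, reason = is_allowed(principal, action, resource, owner)
        if not allowed:
            denied.append((principal.user, action, resource, reason))
    return denied


if __name__ == "__main__":
    hr_user = Principal("hr1", frozenset({"hr"}))
    staff = Principal("jdoe", frozenset({"employee"}))
    # Constructed requests: one permitted view, one attempted salary change by HR,
    # one employee reading another employee's record.
    for entry in process_requests([
        (hr_user, "view", "salary", None),
        (hr_user, "update", "salary", None),
        (staff, "view", "employee_record", "asmith"),
    ]):
        print("DENIED:", entry)
```

Note that the "employee" role appears in no grant at all: an ordinary employee reaches data only through the ownership rule, which is exactly the restriction the paragraph describes.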

Diversity
Diversity is closely related to layering. Just as it is important to protect data with layers
of security, the layers also must be different (diverse). This means that if attackers
penetrate one layer, they cannot use the same techniques to break through all other
layers. A jewel thief, for instance, might be able to foil the security camera by dressing
in black clothing but should not be able to use the same technique to trick the motion
detection system. Using diverse layers of defense means that breaching one security
layer does not compromise the whole system.

Information security diversity may be achieved in several ways. For example, some
enterprises use security products provided by different manufacturers (vendor diversity).
An attacker who can circumvent a security device from Manufacturer A could then use
those same skills and knowledge to defeat all of the same devices used by the enterprise.
However, if devices from Manufacturer A and similar devices from Manufacturer B were
both used by the same enterprise, the attacker would have more difficulty trying to break
through both types of devices because they would be different. Or, the groups who are
responsible for regulating access to a system (control diversity) are also different, so that
those who perform technical controls (using technology as a basis for controlling the
access and usage of sensitive data) are different from those personnel who administer the
broad administrative controls (regulating the human factors of security).

Obscurity
Suppose a thief plans to steal the Crown Jewels during a shift change of the security
guards. When the thief observes the guards, however, she finds that the guards do not
change shifts at the same time each night. On a given Monday they rotate shifts at 2:13
AM, while on Tuesday they rotate at 1:51 AM, and the following Monday at 2:24 AM.
Because the shift changes cannot be known for certain in advance, the planned
attack cannot be carried out. This technique is sometimes called security by obscurity:
obscuring to the outside world what is on the inside makes attacks that much more
difficult.

An example of obscurity in information security would be not revealing the type of
computer, version of operating system, or brand of software that is used. An attacker
who knows that information could use it to determine the vulnerabilities of the system
to attack it. However, if this information is concealed it is more difficult to attack the
system, since nothing is known about it and it is hidden from the outside. Obscuring
information can be an important means of protection.

Note

Although obscurity is an important element of defense, it is not the only element. Sometimes
the design or implementation of a device is kept secret with the thinking that if attackers do
not know how it works, then it is secure. This attempt at security through obscurity is flawed
because it depends solely on secrecy as a defense.
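Here is an added Python example (not from the textbook) of the information-security form of obscurity described above: a check that audits HTTP response headers for product and version disclosure, and a helper that strips those headers before a response leaves the server. The header names and sample values are constructed for the example. As the note says, hiding the banner is one layer, not the defense itself; the software still has to be patched whether or not its version is advertised.

```python
import re

# Response headers that commonly reveal the product or its version (assumed list).
DISCLOSING_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
)

# A dotted number such as 2.4.29 or 7.2.4 is treated as a version string.
VERSION_RE = re.compile(r"\d+\.\d+")


def audit_headers(headers):
    """Return [(header, value, severity)] for headers that disclose software.
    'version' means an exact version is exposed; 'product' means only the name is."""
    findings = []
    for name, value in headers.items():
        if name.lower() in DISCLOSING_HEADERS:
            severity = "version" if VERSION_RE.search(value) else "product"
            findings.append((name, value, severity))
    return findings


def strip_disclosing_headers(headers):
    """Return a copy of the headers with the disclosing ones removed (case-insensitive)."""
    return {n: v for n, v in headers.items() if n.lower() not in DISCLOSING_HEADERS}


# Constructed sample responses: the weak configuration beside the hardened one.
WEAK = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.4",
    "Content-Type": "text/html",
}
PRODUCT_ONLY = {"server": "nginx", "Content-Type": "text/html"}
HARDENED = strip_disclosing_headers(WEAK)


if __name__ == "__main__":
    for name, value, severity in audit_headers(WEAK):
        print(f"{severity:8} {name}: {value}")
    print("after hardening:", audit_headers(HARDENED))
```

In practice the stripping would be done in the web server or reverse proxy configuration rather than in application code, and the audit function is the kind of check that belongs in a deployment pipeline so a rebuilt server cannot silently start advertising its version again.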

Simplicity
Because attacks can come from a variety of sources and in many ways, information
security is by its very nature complex. Yet the more complex it becomes, the
more difficult it is to understand. A security guard who does not understand how
motion detectors interact with infrared trip lights may not know what to do when
one system alarm shows an intruder but the other does not. In addition, complex
systems allow many opportunities for something to go wrong. In short, complex
systems can be a thief's ally.

The same is true with information security. Complex security systems can be
hard to understand, troubleshoot, and even feel secure about. As much as possible,
a secure system should be simple for those on the inside to understand and use.
Complex security schemes are often compromised to make them easier for trusted
users to work with, yet this can also make it easier for the attackers. In short, keeping
a system simple from the inside, but complex on the outside, can sometimes be
difficult but reaps a major benefit.

Frameworks and Reference Architectures
The field of information security contains various supporting structures for
implementing security. Known as industry-standard frameworks and reference
architectures, these provide a resource of how to create a secure IT environment.
Some frameworks/architectures give an overall program structure and security
management guidance to implement and maintain an effective security program,
while others contain in-depth technical guidelines. Various frameworks/architectures
are specific to a particular sector (industry-specific frameworks), such as the
financial industry, and may be required by external agencies that regulate the industry
(regulatory), while others are not required (non-regulatory). Finally, some frameworks/
architectures are domestic while others are worldwide (national vs. international).

Note

Common security frameworks include ISO, NIST, COBIT, ETSI, RFC, and ISA/IEC.

Chapter Summary

Attacks against information security have grown exponentially in recent years, even
though billions of dollars are spent annually on security. No computer system is immune
from attacks or can be considered completely secure.

There are many reasons for the high number of successful attacks. One reason is the
number of widespread vulnerabilities that exist today. Because of the sheer number of
vulnerabilities, it is difficult to identify and correct all of them. And not all hardware and
software can even be corrected once a vulnerability is uncovered. Another reason is that
hardware and software are not always properly configured, either because the default
configurations are not strengthened or there is a misconfiguration, allowing the device
to be compromised. Successful attacks are often the result of software that is poorly
designed and has architecture/design weaknesses. These weaknesses include not properly
handling input or handling errors. Hardware limitations can be exploited by attackers who
consume more resources than intended, causing the system to become slow or even unable
to respond to other users. There are also enterprise-based issues, such as vulnerable
business processes that an attacker can exploit or the widespread sprawl of devices that
have not been properly protected.

It is difficult to defend against today's attacks for several reasons. These reasons include
the fact that virtually all devices are connected to the Internet, the speed of the attacks,
greater sophistication of attacks, the availability and simplicity of attack tools, faster
detection of vulnerabilities by attackers, delays in security updating, weak security update
distribution, distributed attacks coming from multiple sources, and user confusion.

Information security can be defined as that which protects the integrity, confidentiality,
and availability of information through products, people, and procedures on the devices
that store, manipulate, and transmit the information. As with many advanced subjects,
information security has its own set of terminology. A threat is an event or action that
represents a danger to information assets, which is something that has value. A threat
actor is a person or element that has the power to carry out a threat, usually by exploiting
a vulnerability, which is a flaw or weakness, through a threat vector. A risk is the
likelihood that a threat agent will exploit a vulnerability.

The main goals of information security are to prevent data theft, thwart identity theft,
avoid the legal consequences of not securing information, maintain productivity, and foil
cyberterrorism.

The threat actors, or individuals behind computer attacks, fall into several categories and
exhibit different attributes. Script kiddies do their work by downloading automated attack
software from websites and then using it to break into computers. Hactivists are strongly
motivated by their ideology and often attack to make a political statement. Nation state
actors are employed by governments as state-sponsored attackers for launching computer
attacks against foes. One serious threat to an enterprise comes from its employees,
contractors, and business partners, known as insiders. Other threat actors include
competitors, organized crime, brokers, and cyberterrorists.

Although multiple defenses may be necessary to withstand the steps of an attack, these
defenses should be based on five fundamental security principles: layering, limiting,
diversity, obscurity, and simplicity. In addition, there are various industry-standard
frameworks and reference architectures that provide resources for how to create a secure
IT environment.

Key Terms
accept
administrative controls
Advanced Persistent Threat (APT)
architecture/design weaknesses
asset
attributes
availability
avoid
competitors
confidentiality
control diversity
default configurations
defense-in-depth
end-of-life system
external
funding and resources
hactivists
improper error handling
improper input handling
improperly configured accounts
industry-specific frameworks
industry-standard frameworks
insiders
integrity
intent and motivation
internal
international
lack of vendor support
layered security
misconfiguration
mitigate
nation state actors
national
new threat
non-regulatory
open-source intelligence
organized crime
race condition
reference architectures
regulatory
resource exhaustion
risk
risk response techniques
script kiddies
sophisticated
system sprawl
technical controls
threat
threat actor
transfer
undocumented assets
untrained users
user training
vendor diversity
vulnerability
vulnerable business processes
weak configuration
zero day

Review Questions
1. Ian recently earned his security certification and has been offered a promotion to a
position that requires him to analyze and design security solutions as well as identifying
users' needs. Which of these generally recognized security positions has Ian been offered?
a. Security administrator
b. Security technician
c. Security officer
d. Security manager

2. Alyona has been asked by her supervisor to give a presentation regarding reasons why
security attacks continue to be successful. She has decided to focus on the issue of
widespread vulnerabilities. Which of the following would Alyona NOT include in her
presentation?
a. Large number of vulnerabilities
b. End-of-life systems
c. Lack of vendor support
d. Misconfigurations

3. Tatyana is discussing with her supervisor potential reasons why a recent attack was
successful against one of their systems. Which of the following configuration issues
would NOT be covered?
a. Default configurations
b. Weak configurations
c. Vulnerable business processes
d. Misconfigurations

4. What is a race condition?
a. When a vulnerability is discovered and there is a race to see if it can be patched
before it is exploited by attackers.
b. When two concurrent threads of execution access a shared resource simultaneously,
resulting in unintended consequences.
c. When an attack finishes its operation before antivirus can complete its work.
d. When a software update is distributed prior to a vulnerability being discovered.

5. Which of the following is NOT a reason why it is difficult to defend against today's
attackers?
a. Delays in security updating
b. Greater sophistication of defense tools
c. Increased speed of attacks
d. Simplicity of attack tools

6. Which of the following is NOT true regarding security?
a. Security is a goal.
b. Security includes the necessary steps to protect from harm.
c. Security is a process.
d. Security is a war that must be won at all costs.

7. Adone is attempting to explain to his friend the relationship between security and
convenience. Which of the following statements would he use?
a. Security and convenience are not related.
b. Convenience always outweighs security.
c. Security and convenience are inversely proportional.
d. Whenever security and convenience intersect, security always wins.

8. Which of the following ensures that only authorized parties can view protected
information?
a. Authorization
b. Confidentiality
c. Availability
d. Integrity

9. Which of the following is NOT a successive layer in which information security is
achieved?
a. Products
b. People
c. Procedures
d. Purposes

10. Complete this definition of information security: "That which protects the integrity,
confidentiality, and availability of information ____."
a. on electronic digital devices and limited analog devices that can connect via the
Internet or through a local area network
b. through a long-term process that results in ultimate security
c. using both open-sourced as well as supplier-sourced hardware and software that
interacts appropriately with limited resources
d. through products, people, and procedures on the devices that store, manipulate, and
transmit the information

11. Which of the following is an enterprise critical asset?
a. System software
b. Information
c. Outsourced computing services
d. Servers, routers, and power supplies

12. Gunnar is creating a document that explains risk response techniques. Which of the
following would he NOT list and explain in his document?
a. Extinguish risk
b. Transfer risk
c. Mitigate risk
d. Avoid risk

13. Which act requires banks and financial institutions to alert their customers of their
policies in disclosing customer information?
a. Sarbanes-Oxley Act (Sarbox)
b. Financial and Personal Services Disclosure Act
c. Health Insurance Portability and Accountability Act (HIPAA)
d. Gramm-Leach-Bliley Act (GLBA)

14. Why do cyberterrorists target power plants, air traffic control centers, and water
systems?
a. These targets are government-regulated and any successful attack would be
considered a major victory.
b. These targets have notoriously weak security and are easy to penetrate.
c. They can cause significant disruption by destroying only a few targets.
d. The targets are privately owned and cannot afford high levels of security.

15. Which tool is most commonly associated with nation state threat actors?
a. Closed-Source Resistant and Recurrent Malware (CSRRM)
b. Advanced Persistent Threat (APT)
c. Unlimited Harvest and Secure Attack (UHSA)
d. Network Spider and Worm Threat (NSAWT)

16. An organization that practices purchasing products from different vendors is
demonstrating which security principle?
a. Obscurity
b. Diversity
c. Limiting
d. Layering

17. What is an objective of state-sponsored attackers?
a. To right a perceived wrong
b. To amass fortune over fame
c. To spy on citizens
d. To sell vulnerabilities to the highest bidder

18. Signe wants to improve the security of the small business where she serves as a
security manager. She determines that the business needs to do a better job of not
revealing the type of computer, operating system, software, and network connections
they use. What security principle does Signe want to use?
a. Obscurity
b. Layering
c. Diversity
d. Limiting

19. What are industry-standard frameworks and reference architectures that are required
by external agencies known as?
a. Compulsory
b. Mandatory
c. Required
d. Regulatory

20. What is the category of threat actors that sell their knowledge of vulnerabilities to
other attackers or governments?
a. Cyberterrorists
b. Competitors
c. Brokers
d. Resource managers

Hands-On Projects

Project 1-1: Examining Data Breaches, Textual

The Privacy Rights Clearinghouse (PRC) is a nonprofit organization whose goals are to raise
consumers' awareness of how technology affects personal privacy and empower consumers
to take action to control their own personal information. The PRC maintains a searchable
database of security breaches that impact consumers' privacy. In this project, you gather
information from the PRC website.

1. Open a web browser and enter the URL www.privacyrights.org (if you are no longer
able to access the site through the web address, use a search engine to search for
"Privacy Rights Clearinghouse data breach").
2. First spend time reading about the PRC by clicking LEARN MORE.
3. Click Data Breaches at the top of the page.
4. In the search bar enter a school, organization, or business with which you are familiar
to determine if it has been the victim of an attack in which your data has been
compromised.
5. Click Data Breaches to return to the main Data Breaches page.
6. Now create a customized list of the data that will only list data breaches of educational
institutions. Under Select organization type(s), check only EDU – Educational
Institutions.
7. Click Search Data Breaches.
8. Read the Breach Subtotal information. How many breaches that were made public
pertain to educational institutions? How many total records were stolen?
9. Scroll down and observe the breaches for educational institutions.
10. Scroll back to the top of the page. Click New Data Breach Search.
11. Now search for breaches that were a result of lost, discarded, or stolen equipment
that belonged to the government and military. Under Choose the type of
breaches to display, check Portable device (PORT) – Lost, discarded or stolen
laptop, PDA, smartphone, portable memory device, CD, hard drive, data
tape, etc.
12. Under Select organization type(s), check GOV – Government & Military.
13. Click Search Data Breaches.
14. Read the Breach Subtotal by clicking the Download Results (CSV) file.
15. Open the file and then scroll down the different breaches. What should the government
be doing to limit these breaches?
16. Scroll back to the top of the page. Click New Data Breach Search.
17. Now create a search based on criteria that you are interested in, such as the Payment
Card Fraud against Retail/Merchants during the current year.
18. When finished, close all windows.
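The breach subtotal you read in steps 8 and 14 can also be computed from the downloaded CSV. The following added Python example (it is not from the textbook or from the PRC) parses a small constructed CSV in the general shape of such an export and computes the number of breaches and total records for a chosen organization type and breach type. The column names and the sample rows are assumptions for the example; the real export's column headings will differ, so adjust the field names to match. Rows whose record count is not a number (such as "unknown") are counted as breaches but contribute zero records, and are reported separately so the subtotal is not silently understated.

```python
import csv
from io import StringIO

# Constructed sample in the shape of an exported breach list. The column names
# are assumed for this example and are not necessarily the PRC's export format.
SAMPLE_CSV = """\
date_made_public,organization,organization_type,breach_type,records
2017-01-10,Example State University,EDU,HACK,12000
2017-02-02,Example County Clerk,GOV,PORT,4500
2017-03-15,Example Community College,EDU,PORT,800
2017-04-01,Example Army Depot,GOV,PORT,unknown
2017-05-20,Example Retail Inc,BSR,CARD,"250,000"
"""


def load_breaches(text):
    """Parse CSV text into a list of row dictionaries keyed by the header line."""
    return list(csv.DictReader(StringIO(text)))


def breach_subtotal(rows, org_types=None, breach_types=None):
    """Return (breach_count, total_records, unknown_count) for rows matching the
    optional organization-type and breach-type filters (each a set of codes)."""
    count = 0
    records = 0
    unknown = 0
    for row in rows:
        if org_types and row["organization_type"] not in org_types:
            continue
        if breach_types and row["breach_type"] not in breach_types:
            continue
        count += 1
        try:
            # Exports often format numbers with thousands separators.
            records += int(row["records"].replace(",", ""))
        except ValueError:
            unknown += 1   # e.g. "unknown": counted as a breach, adds no records
    return count, records, unknown


if __name__ == "__main__":
    rows = load_breaches(SAMPLE_CSV)
    # Step 6-8: educational institutions only.
    print("EDU:", breach_subtotal(rows, org_types={"EDU"}))
    # Steps 11-14: portable-device losses at government and military organizations.
    print("GOV + PORT:", breach_subtotal(rows, org_types={"GOV"}, breach_types={"PORT"}))
```

The same function answers the step 17 question for any combination of filters; the unknown count is worth reporting alongside the record total because a single "unknown" row can hide a breach larger than all the others combined.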


Project 1-2: Examining Data Breaches, Visual

In this project, you view the biggest data breaches resulting in stolen information through a
visual format.

1. Open your web browser and enter the URL http://www.informationisbeautiful.net
/visualizations/worlds-biggest-data-breaches-hacks/ (if you are no longer able to
access the site through this web address, use a search engine to search for "Information
Is Beautiful World's Biggest Data Breaches").
2. Click Hide Filter to display a visual graphic of the data breaches, as shown in Figure 1-6.
3. Scroll down the page to view the data breaches. Note that the size of the breach is
indicated by the size of the bubble.
4. Scroll back up to the top and note the color of the bubbles that have an Interesting
Story. Click one of the bubbles and read the story.
5. Click Read a bit more.
6. Click Click to see the original report.
7. Read about the data breach. When finished, close only this tab in your browser.
8. Click Show Filter to display the filter menu.
9. Under Organisation, click Government.

Figure 1-6 World's biggest data breaches
Source: Information is Beautiful

10. Under Method of Leak, click All.
11. Click one of the bubbles and read the story.
12. Uncheck Government. Under Organisation, now click Tech to see the breaches that
have targeted the technology industry. Click one of the bubbles and read the story.
13. At the top of the graphic, click Method of Leak so that the bubbles display how the leak
occurred. Which type of leak is the most common? Why do you think this is the case?
14. Create your own filters to view different types of breaches. Does this graphic convey a
better story than the textual data in the previous project?
15. How does this visualization help you with the understanding of threats?
16. Close all windows.

Project 1-3: Scanning for Malware Using the Microsoft Safety Scanner

In this project, you download and run the Microsoft Safety Scanner to determine if there is
any malware on the computer.

1. Determine which system type of Windows you are running. Click Start, Settings,
System, and then About this PC. Look under System type for the description.
Open your web browser and enter the URL www.microsoft.com/security/scanner
/en-us/default.asp (if you are no longer able to access the site through the URL, use a
search engine to search for "Microsoft Safety Scanner").
2. Click Download Now.
3. Select either 32-bit or 64-bit, depending upon which system type of Windows you are
running.
4. When the program finishes downloading, right-click Start and click File Explorer.
5. Click the Downloads icon in the left pane.
6. Double-click the msert.exe file.
7. If the User Account Control dialog box appears, click Yes. Click Run.
8. Click the check box to accept the license terms for this software. Click Next.
9. Click Next.
10. Select Quick scan if necessary.
11. Click Next.
12. Depending on your computer, this scan may take several minutes. Analyze the results of
the scan to determine if there is any malicious software found on your computer.
13. If you have problems, you can click View detailed results of the scan. After reviewing
the results, click OK. If you do not find any problems, click Finish.
14. If any malicious software was found on your computer, run the scan again and select
Full scan. After the scan is complete, click Finish to close the dialog box.
15. Close all windows.

Project 1-4: Creating a Virtual Machine of Windows 10 for Security TestingPart 1

Installing and running new security applications may not always be desirable on a normal
production computer or in an environment in which the security configuration settings of
a computer should not be changed. As an alternative, a virtual machine can be created
in which new applications can be installed or configuration settings changed without
impacting the regular computer. In a virtual machine environment, the host computer runs
a guest operating system. Security programs and testing can be conducted within this guest
operating system without any impact on the regular host operating system. In this project,
you create a virtual machine using Oracle VirtualBox software.

42

88781_ch01_hr_001-050.indd 42 8/10/17 4:10 AM

Copyright 2018 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203

CHAPTER 1 Introduction to Security

Notes

The operating system of the host computer can be the same or different from
that of the guest operating system. That is, a computer that already has installed
Windows 10 as its host operating system can still create a virtual machine of
Windows 10 that is used for testing.

1. Open a web browser and enter the URL www.virtualbox.org (if you are no longer able
to access the site through this web address, use a search engine to search for Oracle
VirtualBox download).
2. Click Downloads.
3. Under VirtualBox binaries select the latest version of VirtualBox to download for your
specific host operating system. For example, if you are running Windows, select the
version for Windows hosts.
4. Under VirtualBox x.x.x Oracle VM VirtualBox Extension Pack click All supported
platforms to download the extension package.
5. Navigate to the folder that contains the downloads and launch the VirtualBox
installation program VirtualBox-xxx-nnnnn-hhh.exe.
6. Accept the default configurations from the installation Wizard to install the program.
7. If you are asked "Would you like to install this device software?" on one or more
occasions, click Install.
8. When completed, click Finish to launch VirtualBox, as seen in Figure 1-7.
9. Now install the VirtualBox extensions. Click File and Preferences.
10. Click Extensions.
11. Click the Add a package icon on the right side of the screen.
12. Navigate to the folder that contains the extension pack downloaded earlier to select
that file. Click Open.
13. Click Install. Follow the necessary steps to complete the default installation.
14. Remain in VirtualBox for the next project to configure VirtualBox and install the guest
operating system.


Figure 1-7 VirtualBox
Source: VirtualBox software developed by Oracle Corporation

Project 1-5: Creating a Virtual Machine of Windows 10 for Security Testing, Part 2

After installing VirtualBox the next step is to create the guest operating system. For this project
Windows 10 will be installed. Different options are available for obtaining a copy of Windows 8.1:

A retail version of the software can be purchased.
If your school is a member of Microsoft Imagine, the operating system software and
a license can be downloaded (www.imagine.microsoft.com). See your instructor or lab
supervisor for more information.
A 90-day evaluation copy can be downloaded and installed from the Microsoft TechNet
Evaluation Center (www.microsoft.com/en-US/evalcenter/evaluate-windows-10-enterprise).

1. Obtain the ISO image of Windows 10 using one of the options above and save it on the
hard drive of the computer.
2. Launch VirtualBox.
3. Click New.
4. In Name: enter Windows 10 as the name of the virtual machine.
5. Be sure that Type: says Microsoft Windows and Version: changes to Windows 10
(xx-bit). Click Next.
6. Under Memory size accept the recommended size or increase the allocation if you
have sufficient RAM on your computer. Click Next.
7. Under Hard disk accept Create a virtual hard drive now. Click Create.


8. Under Hard drive file type accept the default VDI (VirtualBox Disk Image). Click Next.
9. Under Storage on physical hard drive accept the default Dynamically allocated. Click Next.

10. Under File location and size accept Windows 10. Click Create.
11. Now the configuration settings for the virtual machine are set, as seen in Figure 1-8.
12. Next you will load the Windows 10 ISO image. Click Settings.
13. In the left pane click Storage.
14. Under Controller: click Empty.
15. In the right pane under Attributes click the icon of the optical disc.
16. Click Choose Virtual Optical Disk File . . .
17. Navigate to the location of the Windows 10 ISO file and click Open.
18. Click OK.
19. Click Start to launch the Windows 10 ISO.
20. Follow the Windows 10 installation wizard to complete the installation.
21. To close the Windows 10 guest operating system in VirtualBox, click File and then Exit.
22. Close all windows.

Figure 1-8 VirtualBox virtual machine settings
Source: VirtualBox software developed by Oracle Corporation


Case Project 1-1: Personal Attack Experiences
What type of computer attack have you (or a friend or another student) experienced? When
did it happen? What type of computer or device was involved? What type of damage did it
inflict? What had to be done to clean up following the attack? How was the computer fixed
after the attack? What could have prevented it? Using the information in Table 1-2, list the
reason or reasons you think that the attack was successful. Write a one-page paper about
these experiences.

Case Project 1-2: Personal Information Security Terminology
The scenario of Ellie protecting her scooter was used in this chapter to introduce important
key terms used in information security: asset, threat, threat actor, vulnerability, attack vector,
attack surface, likelihood, and risk. Create your own one-paragraph scenario with those key
terms using a situation with which you are familiar. Also, create a table similar to Table 1-5
that lists these terms and how they are used in your scenario.

Case Project 1-3: Security Podcasts or Video Series
Many different security vendors and security researchers now post weekly audio podcasts or
video series on YouTube on security topics. Locate two different podcasts and two different
video series about computer security. Listen and view one episode of each. Then, write
a summary of what was discussed and a critique of the podcasts and videos. Were they
beneficial to you? Were they accurate? Would you recommend them to someone else? Write
a one-page paper on your research.

Case Project 1-4: What Are Your Layers?
Security defenses should be based on five fundamental security principles: layering, limiting,
diversity, obscurity, and simplicity. Analyze these principles for the computers that you use.
Create a table that lists the five fundamental security principles across the top, and then list down
the side at least three computers that you commonly use at school, your place of employment,
home, a friend's house, etc. Then enter the security element of each principle for each of the
computers (such as, for Limiting you may indicate the number of people who have keys to the
door of the office or apartment that contains the computer). Leave blank any box for which that
security layer does not exist. Based on your analysis, what can you say regarding the security of
these computers? Finally, for each of the elements that you think is inadequate or missing, add
what you believe would improve security. Write a one-paragraph analysis of your findings.

Case Project 1-5: Sources of Security Information
The following is a partial overall list of some of the sources for security information:
Security content (online or printed articles that deal specifically with unbiased security content)
Consumer content (general consumer-based magazines or broadcasts not devoted to
security but occasionally carry end-user security tips)
Vendor content (material from security vendors who sell security services, hardware, or
software)
Security experts (IT staff recommendations or newsletters)
Direct instruction (college classes or a workshop conducted by a local computer vendor)
Friends and family
Personal experience

Create a table with each of these sources and columns labeled Advantages, Disadvantages,
Example, and Rating. Use the Internet to complete the entire table. The Rating column is
a listing from 1-7 (with 1 being the highest) of how useful each of these sources is in your
opinion. Compare your table with other learners.

Case Project 1-6: Preventing Attacks
Select one of the recent attacks listed under Today's Security Attacks earlier in the chapter.
How could the attack have been prevented if the five fundamental security principles (layering,
limiting, diversity, obscurity, and simplicity) had been applied? Create a table that lists each
of these security principles and how they could have been used to mitigate the attack. You
may need to be creative in your thinking.

Case Project 1-7: Security Frameworks and Architectures
There are several security frameworks and architectures available to use as templates for
creating a secure environment. These include ISO, NIST, COBIT, ETSI, RFC, and ISA/IEC. Select
three security frameworks/architectures and use the Internet to research each of them. How
are they predominantly used? What are their strengths? What are their weaknesses? Are they
general or specific? What is a setting (small business, school, home office, etc.) that you would
recommend for each of these? Write a one-page paper on your comparison and analysis.

Case Project 1-8: Lake Point Consulting Services
Lake Point Consulting Services (LPCS) provides security consulting and assurance services to
over 500 clients across a wide range of enterprises in more than 20 states. A new initiative
at LPCS is for each of its seven regional offices to provide internships to students who are in
their final year of the security degree program at the local college.

As part of National Cybersecurity Awareness Month LPCS has been conducting a series
of Lunch-and-Learn meetings each Monday and Friday for local citizens and small business
owners to learn more about security. LPCS has asked you to present an introductory session
on the fundamentals of security: what it is, why it is important today, who are the attackers,
what types of attacks do they launch, etc.

1. Create a PowerPoint presentation that explains what IT security is and why it is
important today. Include who is responsible for attacks and their attack techniques.
Your presentation should be seven to ten slides in length.

2. As a follow-up to your presentation, create a Frequently Asked Questions (FAQ) sheet
that outlines general principles that can be used to protect valuable assets. Write a
one-page FAQ about security protections.



Case Project 1-9: Information Security Community Site Activity
The Information Security Community Site is an online companion to this textbook. It contains
a wide variety of tools, information, discussion boards, and other features to assist learners.
To gain the most benefit from the site you will need to set up a free account.

Go to community.cengage.com/Infosec2. Click Join the Community. On the Join the
Community page, enter the requested information to create your account.

Explore the various features of the Information Security Community Site and become
familiar with it. Visit the blog section and read the blog postings to learn about some of the
latest events in IT security.

Caution

Your instructor may have a specific naming convention that you should use, such as
the name of your course followed by your initials. Check with your instructor before
creating your sign-in name.



CHAPTER 2
MALWARE AND SOCIAL ENGINEERING ATTACKS

After completing this chapter, you should be able to do the following:

Define malware
List the different types of malware
Identify payloads of malware
Describe the types of psychological social engineering attacks
Explain physical social engineering attacks

Today's Attacks and Defenses

The term customer service would lead one to think that service is what is being provided to
customers. However, with increasing frequency, customer service is turning into the latest new
security vulnerability.

Kevin, a journalist, wanted to determine how difficult it would be to have his information
stolen. He sat down with Jessica, a security researcher, and laid out the challenge: could
Jessica find Kevin's personal email address just by having his cell phone number?

Jessica started her attack in an unconventional way. Instead of searching the Internet for
hints of Kevin's email address or using sophisticated hacking techniques to uncover a link to
his email address from his cell phone number, Jessica determined who Kevin's wireless cell
phone provider was by using a simple Internet lookup. Then she used software on her laptop
computer to spoof Kevin's cell phone number from her device, so that to the recipient of
a call it looked like it was coming from Kevin's phone. Finally, Jessica pulled out her ace: she
accessed a website of sounds of a baby crying, and turned up the volume.

Now she was ready. Jessica dialed Kevin's cell phone provider and started a dialog with a
customer service representative that went something like this:

Jessica: Hello? I'm sorry, can you hear me OK? My baby is crying. I'm so sorry.

Customer Service Rep: Yes, I can barely hear you. What can I do for you today?

Jessica: We're about to apply for a loan, and we've just had a new baby (that's who's
crying!) and my husband told me that I need to get this done today. I'm so sorry, I can't
call you back later. I'm just trying to log into our account for our user information. I don't
seem to remember the email we use to log in, and now the baby's crying more, and... can
you please help me?

Customer Service Rep: Sure. I have your phone number showing up on my screen. Let me
look up the email address we have on file for this account. Here it is.

Jessica: Thank you so much. Oh, and we need to add an older daughter on this account so
she can call in and make changes to it.

Customer Service Rep: I will need to send you a secure PIN to this cell phone number to
verify that you have the phone.

Jessica: But I can't receive a text while I'm talking on this phone. And there goes the baby
again. Can you please help me just this once?

Customer Service Rep: OK. Oh, it looks like you're not on the account either. Would you like
for me to also add you to this account?

Jessica: My husband was supposed to add me but I guess he forgot. Yes, if you could add me
that would be great! But what's the password on the account so I can get to it?

Customer Service Rep: Since I just added you to this account I'll reset the account password
to Jess for you.

Jessica: Thank you so much! You've been a big help.

Customer Service Rep: My pleasure. Anything else I can do for you today?

Starting with just Kevin's cell phone number, Jessica was able to not only get his email address
but also reset his entire account with a new password, locking Kevin out of his own account.
And she did it all in less than two minutes.

Most successful attacks on computers today fall into one of two categories. The first
category is malicious software programs that are created by threat actors to infiltrate
the victims' computers silently and without their knowledge. Once onboard, this
software can intercept data, steal information, launch other attacks, or even damage
the computer so that it no longer properly functions.

The other category may be overlooked but is equally deadly: tricking users into
performing a compromising action or providing sensitive information. These attacks take
advantage of user confusion about good security practices and deceive them into opening
the door for the attacks. Defeating security through a person instead of technology is the
most cost-effective approach and can generate some of the highest success rates.

This chapter examines attacks that fall into these two categories of malicious
software programs and tricking users. It begins by looking at attacks that utilize
malicious software. Then it explores how attacks through users are being conducted
today. Later chapters detail the defenses against these attacks.

Attacks Using Malware

Note

Many jurisdictions use the legal term computer contaminant instead of malware to be as
encompassing and precise as possible so that offenders cannot find a loophole to escape
prosecution. A typical definition is: "Computer contaminant means any data, information,
image, program, signal or sound that is designed or has the capability to: (a) Contaminate,
corrupt, consume, damage, destroy, disrupt, modify, record or transmit; or (b) Cause to be
contaminated, corrupted, consumed, damaged, destroyed, disrupted, modified, recorded
or transmitted, any other data, information, image, program, signal or sound contained in a
computer, system or network without the knowledge or consent of the person who owns the
other data, information, image, program, signal or sound or the computer, system or network." [1]

Certification

1.1 Given a scenario, analyze indicators of compromise and determine the
type of malware.

Malware (malicious software) is software that enters a computer system without the
user's knowledge or consent and then performs an unwanted and harmful action.
Malware is most often used as the general term that refers to a wide variety of
damaging software programs.

As security defenses have continued to evolve in order to repel malware, so too has
malware continued to become more complex, with new malware being written and
distributed. This has resulted in an enormous number of different instances of malware
that have emerged (an example is the malware ZeuS). Yet there has been no standard
established for the classification of these different instances of malware; many
malware classifications are simply lists of different types of malware (virus) instead
of broader categories in which like instances can be grouped together. As a result, the
attempts to classify malware can be confusing.

Note

Because threat actors often tweak their malware so that it evades the latest security
defenses, many instances of malware are similar. These similar instances of malware are
sometimes referred to as malware families.

One method of classifying the various instances of malware is by using the
primary trait that the malware possesses. These traits are circulation, infection,
concealment, and payload capabilities.

Circulation. Some malware has as its primary trait spreading rapidly to other
systems to impact a large number of users. Malware can circulate through a
variety of means: by using the network to which all the devices are connected,
through USB flash drives that are shared among users, or by sending the
malware as an email attachment. Malware can be circulated automatically or it
may require an action by the user.

Infection. Once the malware reaches a system through circulation, then it must
infect or embed itself into that system. The malware might run only one
time, or it might remain on the system and be launched an infinite number of
times. Some malware attaches itself to a benign program while other malware
functions as a stand-alone process.

Concealment. Some malware has as its primary trait avoiding detection by
concealing its presence from software scanners that are looking for malware.
Some malware attempts to avoid detection by changing itself, while other
malware can embed itself within existing processes or modify the underlying
host operating system.

Payload capabilities. When payload capabilities are the primary trait of malware,
the goal is the nefarious actions the malware performs. Does it steal passwords
and other valuable data from the user's system? Does it delete programs so
the computer can no longer function properly? Does the malware modify the
system's security settings? In some cases, the purpose of the malware is to use
the infected system to launch attacks against other computers.

The sections that follow give more details and examples of malware classified by
circulation, infection, concealment, and payload capabilities.


Circulation
Two types of malware have the primary trait of circulation. These are viruses and
worms.

Virus
A biological virus is an agent that reproduces inside a cell. When a cell is infected
by a virus, the virus takes over the operation of that cell, converting it into a virtual
factory to make more copies of it. The cell is forced to produce thousands or hundreds
of thousands of identical copies of the original virus very rapidly (the polio virus can
make more than one million copies of itself inside one single infected human cell).
Biologists often say that viruses exist only to make more viruses. A computer virus is
malicious computer code that, like its biological counterpart, reproduces itself on the
same computer. Strictly speaking a computer virus replicates itself (or an evolved copy
of itself ) without any human intervention.

Note

Some types of malware have more than one of these traits: that is, the malware both
circulates and carries a payload. However, in terms of classification the primary trait of the
malware is used here.

Note

Strictly speaking, virus and malware are not interchangeable terms. A virus is only one type of
malware.

Almost all viruses infect by inserting themselves into a computer file, either
an executable program file or a user-created data file. A virus that infects an
executable program file is called a program virus. When the program is launched,
the virus is activated. A virus can also be part of a data file. One of the most
common is a macro virus. A macro is a series of instructions that can be grouped
together as a single command. Often macros are used to automate a complex set of
tasks or a repeated series of tasks. Macros can be written by using a macro scripting
language, such as Visual Basic for Applications (VBA), and are stored within the
user document (such as in an Excel .xlsx worksheet or Word .docx file). Once the
document is opened, the macro instructions execute, whether those instructions
are benign or a macro virus.
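An added example, not code from the textbook: a small Python check that inspects an Office Open XML document (the zip package behind .docx and .xlsx files) for the VBA project part in which a macro virus would live, reading the package contents rather than trusting the file extension. The sample documents are constructed inline; the content-type string is the one Office declares for vbaProject.bin.

```python
import io
import zipfile

# Content type Office declares for the VBA project part in macro-enabled packages.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def macro_indicators(blob):
    """Return human-readable indicators that an OOXML package carries VBA macros.

    Looks inside the zip container rather than at the filename, since the
    extension alone says nothing about what the package actually holds."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        # Not a zip: could be a legacy binary .doc/.xls (OLE), which needs a different parser.
        return ["not an OOXML package"]
    found = []
    with zf:
        names = zf.namelist()
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba_parts:
            found.append("VBA project part present: " + ", ".join(vba_parts))
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in types_xml:
                found.append("content types declare a VBA project")
    return found


def build_docx(with_macro):
    """Construct a minimal .docx-style package for testing (not a real document)."""
    overrides = ""
    if with_macro:
        overrides = (f'<Override PartName="/word/vbaProject.bin" '
                     f'ContentType="{VBA_CONTENT_TYPE}"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Default Extension="xml" ContentType="application/xml"/>'
                    + overrides + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes; a real part is an OLE container with the VBA streams.
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, no real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in [("plain", build_docx(False)), ("macro", build_docx(True))]:
        print(label, macro_indicators(doc) or ["no macro indicators"])
```

A mail gateway or upload handler can run the same check before a document reaches a user, which is where macro-based infections are usually stopped.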


A very large number of different file types can contain a virus. Table 2-1 lists some
of the 50 different Microsoft Windows file types that can be infected with a virus.

Note

The first macro virus appeared in 1995. Macro viruses infecting Microsoft Word documents
became the dominant type of virus until 2000 when Microsoft disabled macros by default
in its Office products. However, a macro virus is not a relic of the past; it has recently made
a resurgence as threat actors have discovered new ways to trick their victims into enabling
macros that will then allow the macro virus to run.

Note

One of the first viruses found on a microcomputer was written for the Apple II in 1982. Rich
Skrenta, a ninth-grade student in Pittsburgh, wrote Elk Cloner, which displayed his poem
on the screen after every 50th use of the infected floppy disk. Unfortunately, the virus leaked
out and found its way onto the computer used by Skrenta's math teacher. [2] In 1984, the
mathematician Dr. Frederick Cohen introduced the term virus based on a recommendation
from his advisor, who came up with the name from reading science fiction novels.

Table 2-1 Windows file types that can be infected

File extension      Description
.docx or .xlsx      Microsoft Office user documents
.exe                Executable program file
.msi                Microsoft installer file
.msp                Windows installer patch file
.scr                Windows screen saver
.cpl                Windows Control Panel file
.msc                Microsoft Management Console file
.wsf                Windows script file
.ps1                Windows PowerShell script

Early viruses were relatively straightforward in how they infected files. One basic
type of infection is the appender infection. The virus first attaches or appends itself to
the end of the infected file. It then inserts at the beginning of the file a jump instruction
that points to the end of the file, which is the beginning of the virus code. When the
program is launched, the jump instruction redirects control to the virus. Figure 2-1
shows how an appender infection works.

Figure 2-1 Appender infection (diagram: a Jump inserted ahead of Code Line 1 of the Program Code points to the Virus Code appended after the last line of the program)

However, these types of viruses could be detected by virus scanners relatively
easily. Most viruses today go to great lengths to avoid detection; this type of virus is
called an armored virus. Some of the armored virus infection techniques include:

Swiss cheese infection. Instead of having a single jump instruction to the plain
virus code, some armored viruses perform two actions to make detection more
difficult. First, they scramble (encrypt) the virus code to make it more difficult to
detect. Then they divide the engine to unscramble (decrypt) the virus code into
different pieces and inject these pieces throughout the infected program code.
When the program is launched, the different pieces are then tied together and
unscramble the virus code. A Swiss cheese infection is shown in Figure 2-2.

Split infection. Instead of inserting pieces of the decryption engine throughout
the program code, some viruses split the malicious code itself into several parts
(along with one main body of code), and then these parts are placed at random
positions throughout the program code. To make detection even more difficult,
these parts may contain unnecessary garbage code to mask their true purpose.
A split infection virus is shown in Figure 2-3.

Mutation. Instead of just hiding itself within a file, some viruses can mutate or
change. An oligomorphic virus changes its internal code to one of a set number
of predefined mutations whenever it is executed, while a polymorphic virus
completely changes from its original form whenever it is executed. A metamorphic
virus can actually rewrite its own code and thus appears different each time it is
executed by creating a logical equivalent of its code whenever it is run.
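The appender, Swiss cheese and mutation techniques above all come down to rearranging and scrambling bytes so that a fixed signature no longer matches. The Python model below is an added example, not part of the textbook: it builds an appender-infected image and an armored (XOR-scrambled) image from constructed byte strings, then runs two scanners over them. A naive signature scanner catches the appender but misses the armored form; a scanner that recognises the clear-text decryptor stub and unscrambles the body first, the way real engines emulate a decryptor, catches both. The program, virus body, jump and stub markers are stand-ins for machine code, and nothing here executes.

```python
"""Toy model of the appender and armored (scrambled) infections described
above, and of how a signature scanner fares against each.

Added example, not from the textbook: the "program", the "virus body" and
the "jump"/"decryptor stub" markers are constructed byte strings standing in
for machine code. Nothing here executes; it only rearranges bytes the way
the figures show so the detection problem can be seen on real data."""

import os

PROGRAM = b"BENIGN_PROGRAM: line1; line2; line3; line4;"   # constructed
VIRUS_BODY = b"<VIRUS:payload+replicate>"                  # constructed
SIGNATURE = b"<VIRUS:"      # the pattern a signature scanner matches on
JUMP = b"JMP>"              # stand-in for a jump instruction
STUB = b"XORDEC>"           # stand-in for a tiny clear-text decryptor stub


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the 'scramble' step. Applying it twice restores the data."""
    return bytes(b ^ key for b in data)


def appender_infect(program: bytes, virus: bytes) -> bytes:
    """Appender infection: virus appended, jump to it inserted at the start.
    Layout: JUMP | 4-byte target offset | original program | virus body."""
    target = len(JUMP) + 4 + len(program)
    return JUMP + target.to_bytes(4, "big") + program + virus


def armored_infect(program: bytes, virus: bytes, key=None) -> bytes:
    """Armored variant: the body is XOR-scrambled with a per-infection key and
    a small clear-text stub (which must stay readable to run) decrypts it.
    Layout: JUMP | offset | program | STUB | key byte | scrambled body."""
    if key is None:
        key = os.urandom(1)[0] or 1      # key 0 would leave the body in clear
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    target = len(JUMP) + 4 + len(program)
    header = JUMP + target.to_bytes(4, "big")
    return header + program + STUB + bytes([key]) + xor_bytes(virus, key)


def signature_scan(image: bytes) -> bool:
    """Naive scanner: looks for the plain signature anywhere in the file."""
    return SIGNATURE in image


def emulating_scan(image: bytes) -> bool:
    """Scanner that recognises the decryptor stub, performs the same
    unscramble step the stub would, and then looks for the signature in the
    result. Real engines do this by emulating or generically decrypting."""
    if signature_scan(image):
        return True
    pos = image.find(STUB)
    if pos < 0:
        return False
    key = image[pos + len(STUB)]
    body = image[pos + len(STUB) + 1:]
    return SIGNATURE in xor_bytes(body, key)


def recover_program(image: bytes) -> bytes:
    """Follow the jump header to locate the original program bytes."""
    target = int.from_bytes(image[len(JUMP):len(JUMP) + 4], "big")
    return image[len(JUMP) + 4:target]


if __name__ == "__main__":
    plain = appender_infect(PROGRAM, VIRUS_BODY)
    armored = armored_infect(PROGRAM, VIRUS_BODY)
    print("appender: signature", signature_scan(plain), "emulating", emulating_scan(plain))
    print("armored:  signature", signature_scan(armored), "emulating", emulating_scan(armored))
```

Two points carry over to real scanners. The scrambled body differs for every key, so a signature on the body is useless against it, but the stub has to stay in clear text to run, which is exactly what generic decryption and emulation engines key on. Polymorphic and metamorphic viruses go further by rewriting the stub itself, which is why the text treats them as separate mutation classes.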

Figure 2-2  Swiss cheese infection (a jump into the program code; the encrypted virus code
is unscrambled by decrypt parts 1 through 5 scattered throughout the program code)

Note

Some armored viruses scan for the presence of files that security researchers typically use.
If those files are present, then it is assumed that the virus is being examined for weaknesses
and the virus will then automatically self-destruct by deleting itself.


Each time the infected program is launched or the data file is opened (either by
the user or the computer's operating system), the virus performs two actions. First,
it delivers a payload to perform a malicious action. Although early viruses often
did nothing more than display an annoying message, viruses today are much more
harmful. Viruses can corrupt or delete files, prevent programs from launching, steal
data to be sent to another computer, cause a computer to crash repeatedly, and even
turn off the computer's security settings.

Note

Sometimes a virus will remain dormant for a period before unleashing its payload.

Figure 2-3  Split infection (a jump into the program code; virus code parts A through D and
the virus code main body are placed at random positions throughout the program code)

The second action a virus takes when executed is to reproduce itself by inserting
its code into another file, but only on the same computer. A virus can only replicate
itself on the host computer on which it is located; it cannot automatically spread to
another computer by itself. Instead, it must rely on the actions of users to spread to other
computers. Because viruses are attached to files they are spread when a user transfers
those files to other devices. For example, a user might send an infected file as an email
attachment or copy an infected file to a USB flash drive and give the drive to another user.
Once the virus reaches a new computer it begins to infect it. Thus, a virus must have two
carriers: a file to which it attaches and a human to transport it to other computers.


Worm
A second type of malware that has as its primary purpose to spread is a worm. A
worm is a malicious program that uses a computer network to replicate (worms are
sometimes called network viruses). A worm is designed to enter a computer through
the network and then take advantage of a vulnerability in an application or an operating
system on the host computer. Once the worm has exploited the vulnerability on one
system, it immediately searches for another computer on the network that has the
same vulnerability.

Note

Several similarities between biological and computer viruses exist: both must enter their host
passively (by relying on the action of an outside agent), both must be on the correct host
(a horse virus cannot make a human sick, just as an Apple Mac virus cannot infect a Windows
computer), both can only replicate when inside the host, both may remain dormant for a
period of time, and both types of viruses replicate at the expense of the host.

Note

One of the first wide-scale worms occurred in 1988. This worm exploited a misconfiguration
in a program that allowed commands emailed to a remote system to be executed on that
system, and it also carried a payload that contained a program that attempted to determine
user passwords. Almost 6000 computers, or 10 percent of the devices connected to the
Internet at that time, were affected. The threat actor who was responsible was later convicted
of federal crimes in connection with this incident.

Note

Although viruses and worms are said to be automatically self-replicating, where they replicate is
different. A virus self-replicates on the host computer but does not spread to other computers
by itself. A worm self-replicates between computers (from one computer to another).

Early worms were relatively benign and designed simply to spread quickly but not
corrupt the systems they infected. These worms slowed down the network through
which they were transmitted by replicating so quickly that they consumed all network
resources. Today's worms can leave behind a payload on the systems they infect and
cause harm, much like a virus. Actions that worms have performed include deleting
files on the computer or allowing the computer to be remotely controlled by an attacker.


Infection
There are three examples of malware that have the primary trait of infection. These are
Trojans, ransomware, and crypto-malware.

Trojans
According to ancient legend, the Greeks won the Trojan War by hiding soldiers in a
large hollow wooden horse that was presented as a gift to the city of Troy. Once the
horse was wheeled into the fortified city, the soldiers crept out of the horse during the
night and attacked the unsuspecting defenders.

A computer Trojan is an executable program that masquerades as performing
a benign activity but also does something malicious. For example, a user might
download what is advertised as a calendar program, yet when it is installed, in
addition to installing the calendar it also installs malware that scans the system for
credit card numbers and passwords, connects through the network to a remote system,
and then transmits that information to the attacker.

A special type of Trojan is a remote access Trojan (RAT). A RAT has the basic
functionality of a Trojan but also gives the threat actor unauthorized remote access to
the victim's computer by using specially configured communication protocols. This
creates an opening into the victim's computer, allowing the threat actor unrestricted
access. The attacker can not only monitor what the user is doing but also can change
computer settings, browse and copy files, and even use the computer to access other
computers connected on the network.

Ransomware
One of the fastest-growing types of malware is ransomware. Ransomware prevents a
user's device from properly and fully functioning until a fee is paid. The ransomware
embeds itself onto the computer in such a way that it cannot be bypassed, and even
rebooting causes the ransomware to launch again.

Table 2-2 lists the differences between viruses and worms.

Table 2-2  Differences between viruses and worms

What does it do?
  Virus: Inserts malicious code into a program or data file
  Worm:  Exploits a vulnerability in an application or operating system
How does it spread to other computers?
  Virus: User transfers infected files to other devices
  Worm:  Uses a network to travel from one computer to another
Does it infect a file?
  Virus: Yes
  Worm:  No
Does there need to be user action for it to spread?
  Virus: Yes
  Worm:  No


Although it existed earlier, ransomware became widespread around 2010. The
earliest ransomware displayed a screen that prevented the user from accessing the
computer's resources (called blocker ransomware). The screen contained instructions that
pretended to be from a reputable third party, giving a plausible reason for blocking the user's
computer. One example is ransomware that purports to come from a law enforcement
agency. This message, using official-looking imagery, states that the user has performed
an illegal action such as downloading pornography and must immediately pay a fine
online by entering a credit card number. Figure 2-4 shows a ransomware message.

Figure 2-4Ransomware message
Source: Symantec Security Response

Note

Users who provide a credit card number to pay the online fine or make the required purchase usually
find that the threat actors simply steal the card information and then make purchases using it.

Another variation of this type of ransomware pretends to come from a software
vendor and displays a fictitious warning that a software license has expired or there
is a problem with the computer such as imminent hard drive failure or, in a touch
of irony, a malware infection. This ransomware variation tells users that they must
immediately renew their license or purchase additional software online to fix a
nonexistent problem. The ransomware example in Figure 2-5 uses color schemes and icons
like those found on legitimate Windows software.


As ransomware became more widespread the threat actors dropped the pretense
that the ransomware was from a reputable third party requiring a fine or a purchase.
Instead, they simply blocked the users computer and demanded a fee for its release.
Ransomware attackers have determined what they consider the optimal price point for
payment to unblock a computer: the amount must be small enough that most victims
will begrudgingly pay to have their systems unblocked, but large enough that when
thousands of victims pay up the attackers can garner a handsome sum.

Figure 2-5Ransomware computer infection
Source: Microsoft Security Intelligence Report

Note

Initially for individuals the price was around $500, while for enterprises the range was
between $8000 and $17,000. However, the demanded ransoms have been significantly
increasing. For example, recent well-publicized ransomware attacks demanding higher
ransoms were against Hollywood Presbyterian Medical Center ($17,000), Los Angeles Valley
College ($28,000), and San Francisco's Municipal Transportation Agency ($73,000).3

Ransomware continues to be a serious threat to users. One recent report estimated
that $1 billion was paid in ransom in one year, yet only 42 percent of those who paid the
ransom could then retrieve their data. Enterprises are also prime targets. A recent survey
revealed that almost half of all enterprises have been a victim of a ransomware attack.4


Crypto-malware
Blocker ransomware, the earliest form of ransomware, displayed a screen and
prevented the user from accessing the computer. However, there were limitations to
blocker ransomware's continued success. Due to the way in which blocker ransomware
functions, security researchers were able to develop automated technologies that help
to fight against it, even after infection. And in a worst-case scenario, the user of an
infected computer could reinstall the operating system to regain control of her
computer and files.

Threat actors then developed a more malicious form of ransomware: instead of just
blocking the user from accessing the computer, they encrypted all the files on the device
so that none of them could be opened. This is called crypto-malware. A screen appears
telling the victim that his files are now encrypted and a fee must be paid to receive a
key to unlock them. In addition, threat actors increased the urgency for payment: the
cost for the key to unlock the crypto-malware increases every few hours, or several
of the encrypted user files are deleted every few hours, with the number continually
increasing. And if the ransom is not paid promptly (often within 36 to 96 hours) the key
can never be retrieved. Figure 2-6 shows a crypto-ransomware message.

Once a computer is infected with crypto-malware, the malware connects to the threat
actor's command and control (C&C) server to receive instructions or updated data. The
crypto-malware first generates a locking key and uses it to encrypt the victim's files; it
then encrypts the locking key with a public key that has been downloaded from the C&C.
The matching private key never leaves the C&C server, and it is what the victim receives
after paying the ransom so that the locking key, and with it the files, can be recovered.
However, this process poses problems for attackers. If the address of the C&C server
is known, the network can block it, so that once a computer is infected the malware
cannot communicate with the C&C, preventing the encryption process from even
starting. To circumvent this problem some crypto-malware started using locking keys
that were hard-coded into the malware itself. But because every victim's files were then
protected by the same key, once one victim paid for the unlocking key it could be
distributed to other victims to unlock their files. Newer forms of crypto-malware have
circumvented both limitations by adding a second round of encryption.
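The key handling just described is easier to follow as code. The model below is an added example, not the textbook's or any malware family's code: it uses a toy RSA with fixed Mersenne primes and no padding in place of real RSA, and a SHA-256 counter-mode keystream in place of AES, so that it runs with the Python standard library alone and touches no files. It shows the per-victim locking key being wrapped with the public key fetched from the C&C, the C&C releasing it with the private exponent it never shares, why a blocked C&C stops the encryption from starting, and why a hard-coded locking key lets one released key unlock every victim. The victim files, the C&C functions and all names are constructed.

```python
"""Model of the key handling described above for crypto-malware, run on
byte strings in memory rather than on disk.

Added example, not from the textbook. Real families use RSA and AES; this
stand-alone version uses a toy RSA (fixed Mersenne primes, no padding) and a
SHA-256 counter-mode keystream so that it runs with the standard library
only. The victim files, C&C functions and names are constructed."""

import hashlib
import os

# Threat actor's key pair, generated once. The public half (E, N) is what the
# malware downloads from the C&C; the private exponent D never leaves it.
P, Q = (1 << 89) - 1, (1 << 107) - 1       # Mersenne primes, toy sizes only
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # modular inverse (Python 3.8+)
PUBLIC_KEY = (E, N)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || block counter).
    The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def infect(files: dict, public_key, locking_key=None):
    """What the malware does on the victim.

    public_key is None when the C&C could not be reached (for example
    because its address was blocked): the encryption cannot start, which is
    the weakness the text describes. Returns (encrypted files, wrapped
    locking key); the plain locking key is discarded, so only the holder of
    the private exponent can recover it."""
    if public_key is None:
        raise RuntimeError("no public key from C&C: encryption cannot start")
    if locking_key is None:
        locking_key = os.urandom(16)            # fresh key for this victim
    e, n = public_key
    wrapped = pow(int.from_bytes(locking_key, "big"), e, n)
    encrypted = {name: keystream_xor(locking_key, data) for name, data in files.items()}
    return encrypted, wrapped


def cc_release_key(wrapped: int) -> bytes:
    """On the C&C, after payment: unwrap with the private exponent."""
    return pow(wrapped, D, N).to_bytes(16, "big")


def decrypt_files(encrypted: dict, locking_key: bytes) -> dict:
    """Victim side, once the locking key has been released."""
    return {name: keystream_xor(locking_key, data) for name, data in encrypted.items()}


# The shortcut some families took: one locking key baked into the binary.
HARDCODED_LOCKING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def infect_hardcoded(files: dict) -> dict:
    """No C&C contact needed, but every victim shares the same locking key,
    so one released (or extracted) key unlocks all of them."""
    return infect(files, PUBLIC_KEY, locking_key=HARDCODED_LOCKING_KEY)[0]


if __name__ == "__main__":
    victim = {"budget.xlsx": b"Q3 numbers", "notes.txt": b"call vendor"}   # constructed
    enc, wrapped = infect(victim, PUBLIC_KEY)
    print("recovered:", decrypt_files(enc, cc_release_key(wrapped)) == victim)
```

The two failure modes the text lists fall out of the model directly: without the public key from the C&C, infect() cannot produce a wrapped key and stops, and under infect_hardcoded() a single locking key decrypts every victim's files, which is why a leaked key from one payment defeated whole campaigns.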

Note

The FBI does not support paying a ransom in response to a ransomware attack. It states,
"Paying a ransom doesn't guarantee an organization that it will get its data back; we've seen
cases where organizations never got a decryption key after having paid the ransom. Paying
a ransom not only emboldens current cyber criminals to target more organizations, it also
offers an incentive for other criminals to get involved in this type of illegal activity. And finally,
by paying a ransom, an organization might inadvertently be funding other illicit activity
associated with criminals."5


Two additional recent enhancements to crypto-malware are causing increasing
concern. First, instead of encrypting files only on the user's local hard drive, crypto-
malware now encrypts all files on any network or attached device that is connected to that
computer. This includes secondary hard disk drives, USB hard drives, network-attached
storage devices, network servers, and even cloud-based data repositories. This means that if a
user's computer in an enterprise is infected with crypto-malware, potentially all files for the
enterprise, and not just those on one computer, can be locked. In addition, threat actors
are also using crypto-malware to infect mobile devices such as smartphones and tablets.

Figure 2-6Crypto-malware message
Source: PC Risk

Note

The specific techniques for using multiple keys for crypto-malware encryption and decryption
are covered in Chapter 3, while the defenses for protecting against crypto-malware from
encrypting all files are covered in Chapter 9.

Concealment
Some types of malware have as a primary trait avoiding detection. One example
of this type of malware is a rootkit. A rootkit can hide its presence or the presence
of other malware (like a virus) on the computer by accessing lower layers of the
operating system or even using undocumented functions to make alterations. This
enables the rootkit and its accompanying software to become undetectable by the
operating system and common antimalware scanning software that is designed to
seek and find malware.

Consider the following example. A rootkit infects a computer and hides its
presence from the operating system so that the rootkit files are not visible to
the operating system, as illustrated in Figure 2-7. Scanning software looking for
malicious files is installed on the computer, and it then requests from the operating
system a list of all files. However, because the rootkit files are hidden from the
operating system, those files are not provided to the scanning software, thus eluding
detection.

Figure 2-7  Computer infected with rootkit (the actual list of files compared with the
files visible to the operating system)

Note

The risks of rootkits have significantly diminished today due to protections built into
operating systems. Such techniques as preventing unauthorized kernel drivers from loading,
stopping modifications to certain kernel areas used by rootkits to hide, and preventing
rootkits from modifying the bootloader program have limited the impact of rootkits.

Payload Capabilities
The true destructive power of malware is to be found in its payload capabilities. The
primary payload capabilities are to collect data, delete data, modify system security
settings, and launch attacks.


Collect Data
Different types of malware are designed to collect important data from the user's
computer and make it available to the threat actor. This malware includes spyware and
adware.

Spyware
Spyware is tracking software that is deployed without the consent or control of the
user. Spyware typically secretly monitors users by collecting information without their
approval by using the computers resources, including programs already installed on
the computer, to collect and distribute personal or sensitive information. Table 2-3 lists
different technologies used by spyware.

Table 2-3  Technologies used by spyware

Automatic download software
  Description: Used to download and install software without the user's interaction
  Impact: Could install unauthorized applications

Passive tracking technologies
  Description: Used to gather information about user activities without installing any software
  Impact: Could collect private information such as websites a user has visited

System modifying software
  Description: Modifies or changes user configurations, such as the web browser home page or
    search page, default media player, or lower-level system functions
  Impact: Changes configurations to settings that the user did not approve

Tracking software
  Description: Used to monitor user behavior or gather information about the user, sometimes
    including personally identifiable or other sensitive information
  Impact: Could collect personal information that can be shared widely or stolen, resulting in
    fraud or identity theft

Note

Not all spyware is necessarily malicious. For example, spyware monitoring tools can help
parents keep track of the online activities of their children.

One type of nefarious spyware is a keylogger that silently captures and stores
each keystroke that a user types on the computer's keyboard. The threat actor can then
search the captured text for any useful information such as passwords, credit card
numbers, or personal information.


A keylogger can be a software program or a small hardware device. The most
common are software keyloggers, which are programs installed on the computer
that silently capture sensitive information. Today software keyloggers go far beyond
just capturing a user's keystrokes. These programs can also make screen captures of
everything that is on the user's screen and silently turn on the computer's web camera
to record images of the user. A software keylogger is illustrated in Figure 2-8. Software
keylogger programs generally conceal themselves so that the user cannot detect them.
One advantage of software keyloggers is that they do not require physical access to the
user's computer and can often be installed remotely as a Trojan or by a virus, and they
can routinely send captured information back to the attacker through the computer's
Internet connection.

Figure 2-8Software keylogger
Source: Ecodsoft

The original keyloggers were hardware devices inserted between the computer
keyboard connection and USB port, as shown in Figure 2-9. Because the device
resembles an ordinary keyboard plug and the computer keyboard USB port is often on
the back of the computer, a hardware keylogger can easily go undetected. In addition,
the device is beyond the reach of the computer's antimalware scanning software and
thus raises no alarms. But because the attacker who installed the hardware keylogger
must return later and physically remove the device in order to access the information it
has gathered, hardware keyloggers are rarely used today.

Figure 2-9  Hardware keylogger

Adware
Adware delivers advertising content in a manner that is unexpected and unwanted by
the user. Once the adware becomes installed, it typically displays advertising
banners or popup ads, or opens new web browser windows at random intervals. Users
generally disapprove of adware because:

Adware can display objectionable content, such as gambling sites or
pornography.

Frequent popup ads can interfere with a user's productivity.
Popup ads can slow a computer or even cause crashes and the loss of data.
Unwanted advertisements can be a nuisance.

Note

Some adware goes beyond affecting the user's computer experience. This is because
adware programs can also perform a tracking function, which monitors and tracks a user's
online activities and then sends a log of these activities to third parties without the user's
authorization or knowledge. For example, a user who visits online automobile sites to view
specific types of cars can be tracked by adware and classified as someone interested in
buying a new car. Based on the sequence and type of websites visited, the adware can also
determine whether the user's behavior suggests they are close to making a purchase or are
also looking at competitors' cars. This information is gathered by adware and then sold to
automobile advertisers, who send the users regular mail advertisements about their cars or
even call the user on the telephone.


As the volume of ads has steadily increased on many websites, it has resulted in
user backlash. More users are installing ad blocking software in their web browsers
to prevent the ads from displaying. Ad blocking grew by 41 percent worldwide in one
year (198 million users), while U.S. ad blocking grew by 48 percent (45 million users),
and it is estimated that ad blocking costs website publishers nearly $22 billion each
year.6 In order to combat this, web marketers are increasingly adding pay
walls (forcing the user to pay to view the content instead of watching ads), displaying
friendly reminders to users about the purpose of ads (that ads are the price to pay
for free content), or posting notices that content will be blocked if the site detects an ad blocker
being used.

Note

One of the popular ad blocking software packages recently announced that it is launching an
online advertising service to help marketers place acceptable ads on a website. Advertisers
must pay a fee to have their ads tagged as acceptable and these ads must be of a certain
size, placement, and labeling. If a user has ad blocking software, these acceptable ads will
not be blocked.

Delete Data
Whereas spyware and adware are designed to collect data, the payload of other types
of malware is designed to do just the opposite: delete data. This may involve deleting
important user data files, such as documents or photos, or erasing vital operating
system files so that the computer will no longer function properly.

One type of malware that is frequently used to delete data is a logic bomb. A logic
bomb is computer code that is typically added to a legitimate program but lies dormant
until a specific logical event triggers it. Once it is triggered, the program then deletes
data or performs other malicious activities. In one example, a Maryland government
employee tried to destroy the contents of more than 4000 servers by planting a logic
bomb script that was scheduled to activate 90 days after he was terminated.7

One of the recent high-profile attacks based on a logic bomb simultaneously
erased the hard drives of computers belonging to three banks and two media
broadcasting companies in South Korea. The malware consisted of four files, including
AgentBase.exe that triggered the attack. Contained within the file was a hexadecimal
string (4DAD4678) that was the date and time the attack was to begin: 2013-3-20
14:00:00 (March 20, 2013 at 2:00 PM). As soon as the internal clock on the computers
reached 2:01 PM the logic bomb was triggered to overwrite the hard drive and master
boot record on Microsoft Windows computers and then reboot the system, rendering
them useless. The malware also included a module for deleting data from remote
Linux machines. Other famous logic bombs are listed in Table 2-4.


Logic bombs are difficult to detect before they are triggered. This is because logic
bombs are often embedded in very large computer programs, some containing tens
of thousands of lines of code, and a trusted employee can easily insert a few lines of
computer code into a long program without anyone detecting it. In addition, these
programs are not routinely scanned for containing malicious actions.

Table 2-4  Famous logic bombs

Description: A logic bomb was planted in a financial services computer network that caused
  1000 computers to delete critical data.
Reason for attack: A disgruntled employee had counted on this to cause the company's stock
  price to drop; he planned to use that event to earn money.
Results: The logic bomb detonated but the employee was caught and sentenced to eight years
  in prison and ordered to pay $3.1 million in restitution.8

Description: A logic bomb at a defense contractor was designed to delete important rocket
  project data.
Reason for attack: The employee's plan was to be hired as a highly paid consultant to fix the
  problem.
Results: The logic bomb was discovered and disabled before it triggered. The employee was
  charged with computer tampering and attempted fraud and was fined $5000.9

Description: A logic bomb at a health services firm was set to go off on the employee's
  birthday.
Reason for attack: The employee was angered that he might be laid off (although he was not).
Results: The employee was sentenced to 30 months in a federal prison and paid $81,200 in
  restitution to the company.10

Note

Logic bombs should not be confused with an Easter egg, which refers to an undocumented,
yet benign hidden feature that launches by entering a set of special commands, key
combinations, or mouse clicks. Usually programmers insert Easter eggs for their own
recreation or notoriety during the software's development. For example, in the Google search
engine entering the phrase do a barrel roll will cause the screen to rotate 360 degrees. A
previous version of Microsoft Excel contained an entire Easter egg game called The Hall of
Tortured Souls.

Modify System Security
The payload of some types of malware attempts to modify the system's security
settings so that more insidious attacks can be made. One type of malware in this
category is called a backdoor. A backdoor gives access to a computer, program, or
service that circumvents any normal security protections. Backdoors that are installed
on a computer allow the attacker to return later and bypass security settings.


Launch Attacks
One of the more popular payloads of malware today is software that will allow the
infected computer to be placed under the remote control of an attacker for the purpose
of launching attacks. This infected robot computer is known as a bot or zombie. When
hundreds, thousands, or even millions of bot computers are gathered into a logical
computer network, they create a botnet under the control of a bot herder.

Note

Creating a legitimate backdoor is a common practice by developers, who may need to access
a program or device on a regular basis, yet do not want to be hindered by continual requests
for passwords or other security approvals. The intent is for the backdoor to be removed once
the application is finalized. However, in some instances backdoors have been left installed,
and attackers have used them to bypass security.

Note

Due to the multitasking capabilities of modern computers, a computer can act as a bot while
at the same time carrying out the tasks of its regular user. The user is completely unaware
that his or her computer is being used for malicious activities.

Table 2-5 lists some of the attacks that can be generated through botnets.

Table 2-5  Uses of botnets

Type of attack             Description
Spamming                   Botnets are widely recognized as the primary source of spam email.
                           A botnet consisting of thousands of bots enables an attacker to send
                           massive amounts of spam.
Spreading malware          Botnets can be used to spread malware and create new bots and
                           botnets. Bots can download and execute a file sent by the attacker.
Manipulating online polls  Because each bot has a unique Internet Protocol (IP) address, each
                           vote by a bot will have the same credibility as a vote cast by a real
                           person. Online games can be manipulated in a similar way.
Denying services           Botnets can flood a web server with thousands of requests and
                           overwhelm it to the point that it cannot respond to legitimate requests.


Infected bot computers receive instructions through a C&C structure from the bot
herders regarding which computers to attack and how. There are a variety of ways for
this communication to occur, including:

A bot can receive its instructions by automatically signing in to a website that
the bot herder operates on which information has been placed that the bot
knows how to interpret as commands.

Bots can sign in to a third-party website; this has an advantage in that the bot
herder does not need to have a direct affiliation with that website.

Commands can be sent via blogs, specially coded attack commands through
posts on Twitter, or notes posted in Facebook.

Bot herders are increasingly using a dead drop C&C mechanism by creating a
Google Gmail email account and then creating a draft email message that is
never sent but contains commands that the bot receives when it logs in to Gmail
and reads the draft. Because the email message is never sent, there is no record of
it, and all Gmail transmissions are protected so that outsiders cannot view them.

The number of bots and botnets worldwide is staggering. According to the FBI's cyber
division, every second 18 computers worldwide are being infected and added to a botnet,
which amounts to hundreds of millions of compromised computers each year.11 One
single botnet had under its control between 3 and 4 million bots. Another botnet that was
used primarily to send email spam was sending upwards of 60 billion emails daily.12

Note

When the hosting service was taken offline that was supporting the bot sending the billions
of spam emails, the worldwide spam volume immediately dropped by 75 percent.13

Social Engineering Attacks
Certification

1.2 Compare and contrast types of attacks.

One morning a small group of strangers walked into the corporate office of a large
shipping firm and soon walked out with access to the firm's entire computer network,
which contained valuable and highly sensitive information. Here is how they could
accomplish this feat with no technical tools or skills:

1. Before entering the building, one person of the group called the company's
Human Resource (HR) office and asked for the names of key employees. The
office willingly gave out the information without asking any questions.


2. As the group walked up to the building, one of them pretended to have lost the
key code to the door, so a friendly employee let them in. When they entered a
secured area on the third floor, they claimed to have misplaced their identity
badges, so another smiling employee opened the door for them.

3. Because these strangers knew that the chief financial officer (CFO) was out of
town because of his voicemail greeting message, they walked unchallenged into
his office and gathered information from his unprotected computer. They also
dug through trash receptacles and retrieved useful documents. A custodian was
even stopped and asked for a box in which to place these documents so they
could be carried out of the building.

4. One of the group's members then called the company's help desk from the
CFO's office and pretended to be the CFO (they had listened to his voice from
his voicemail greeting message and knew how he spoke). The imposter CFO
claimed that he desperately needed his password because he had forgotten
it and was on his way to an important meeting. The help desk gave out the
password, and the group left the building with complete access to the network.

This true story illustrates that technology is not always needed for attacks on IT.14
Social engineering is a means of gathering information for an attack by relying on
the weaknesses of individuals. Social engineering attacks can involve psychological
approaches as well as physical procedures.

Psychological Approaches
Many social engineering attacks rely on psychology, which is the mental and emotional
approach rather than the physical. At its core, social engineering relies on an attacker's
clever manipulation of human nature to persuade the victim to provide information
or take actions. Several basic principles make psychological social engineering highly
effective. These are listed in Table 2-6 with the example of an attacker pretending to be the
chief executive officer (CEO) calling the organization's help desk to have a password reset.

Because many of the psychological approaches involve person-to-person contact,
attackers use a variety of techniques to gain trust. For example:

Provide a reason. Many social engineering threat actors are careful to add a reason
along with their request. By giving a rationalization and using the word "because" it
is much more likely for the victim to provide the information. For example, "I was
asked to call you because the director's office manager is out sick today."

Project confidence. A threat actor is unlikely to generate suspicion if she enters
a restricted area but calmly walks through the building as if she knows exactly
where she is going (without looking at signs, down hallways, or reading door
labels) and even greets people she sees with a friendly "Hi, how are you doing?"

Use evasion and diversion. When challenged, a threat actor might evade a
question by giving a vague or irrelevant answer. They could also feign innocence
or confusion, or just keep denying any allegations, until the victim eventually
believes his suspicions are wrong. Sometimes a threat actor can resort to anger
and cause the victim to drop the challenge. "Who are you to ask that? Connect
me with your supervisor immediately!"

Make them laugh. Humor is an excellent tool to put people at ease and to
develop a sense of trust. "I can't believe I left my badge in my office again! You
know, some mistakes are too much fun to only make once!"

Social engineering psychological approaches often involve impersonation,
phishing, spam, hoaxes, and watering hole attacks.

Impersonation
Social engineering impersonation means to masquerade as a real or fictitious character and
then play out the role of that person on a victim. For example, an attacker could impersonate
a help desk support technician who calls the victim, pretends that there is a problem with
the network, and asks her for her user name and password to reset the account.

Common roles that are often impersonated include a repairperson, IT support, a
manager, a trusted third party, or a fellow employee. Often attackers will impersonate
individuals whose roles are authoritative because victims generally resist saying no
to anyone in power.

Table 2-6 Social engineering effectiveness

Principle | Description | Example
Authority | Directed by someone impersonating an authority figure or falsely citing their authority | "I'm the CEO calling."
Intimidation | To frighten and coerce by threat | "If you don't reset my password, I will call your supervisor."
Consensus | Influenced by what others do | "I called last week and your colleague reset my password."
Scarcity | Something is in short supply | "I can't waste time here."
Urgency | Immediate action is needed | "My meeting with the board starts in 5 minutes."
Familiarity | Victim is well-known and well-received | "I remember reading a good evaluation on you."
Trust | Confidence | "You know who I am."

Phishing
One of the most common forms of social engineering is phishing. Phishing is sending
an email or displaying a web announcement that falsely claims to be from a legitimate
enterprise in an attempt to trick the user into surrendering private information. Users
are asked to respond to an email or are directed to a website where they are requested
to update personal information, such as passwords, credit card numbers, Social
Security numbers, bank account numbers, or other information. However, the email or
website is actually an imposter and is set up to steal what information the user enters.

Note

The word phishing is a variation on the word fishing, with the idea being that bait is thrown
out knowing that while most will ignore it, some will bite.

Whereas at one time phishing messages were easy to spot with misspelled words
and obvious counterfeit images, that is no longer the case. In fact, one of the reasons
that phishing is so successful today is that the emails and the fake websites are difficult
to distinguish from those that are legitimate: logos, color schemes, and wording seem
to be almost identical. Figure 2-10 illustrates an actual phishing email message that
looks like it came from a genuine source.

Figure 2-10 Phishing email message
Source: Email sent to Dr. Mark Revels

Several variations on phishing attacks are:

Spear phishing. Whereas phishing involves sending millions of generic email
messages to users, spear phishing targets specific users. The emails used in
spear phishing are customized to the recipients, including their names and
personal information, to make the message appear legitimate.

Whaling. One type of spear phishing is whaling. Instead of going after the
smaller fish, whaling targets the big fish, namely, wealthy individuals or
senior executives within a business who typically would have larger sums of
money in a bank account that an attacker could access if the attack is successful.
By focusing upon this smaller group, the attacker can invest more time in the
attack and finely tune the message to achieve the highest likelihood of success.

Vishing. Instead of using email to contact the potential victim, a telephone call
can be used instead. Known as vishing (voice phishing), an attacker calls a victim
who, upon answering, hears a recorded message that pretends to be from the
user's bank stating that her credit card has experienced fraudulent activity or
that her bank account has had unusual activity. The victim is instructed to call
a specific phone number immediately (which has been set up by the attacker).
When the victim calls, it is answered by automated instructions telling her to
enter her credit card number, bank account number, Social Security number, or
other information on the telephone's keypad.

Note

Phishing is also used to validate email addresses. A phishing email can display an image
retrieved from a website that is requested when the user opens the email message. A unique
code is used to link the image to the recipient's email address, which then tells the phisher
that the email address is active and valid. This is the reason most email today does not
automatically display images that are received in emails.

Note

A new variation on vishing now uses short message service (SMS) text messages in conjunction
with callback recorded phone messages. The threat actors first send a text message to a user's
cellphone that pretends to come from their bank saying that their account has been broken
into or their credit card number has been stolen. Along with the text message is a callback
telephone number the customer is instructed to call immediately. That phone number plays a
recording telling the customer to enter their Social Security number or credit card number for
verification. The attackers then simply capture the information that is entered.


Phishing continues to be a primary weapon used by threat actors. About 97 percent
of all attacks start with phishing, and with 5000 new phishing sites appearing daily,
the number of phishing incidents exceeds 58 million annually.15 Approximately
30 percent of all phishing emails are opened by unsuspecting users. About 84 percent
of all enterprises reported that they have been the victims of a successful spear
phishing attack,16 and the average cost of a successful spear phishing campaign against
an enterprise is $1.6 million.17

Note

Although most web browsers automatically block known phishing websites, because so many
sites are appearing so rapidly it is difficult for the browsers to stay up-to-date.

Spam
Spam is unsolicited email that is sent to a large number of recipients. Spam continues
to flood the email inboxes of Internet users. Statistics about spam that bear this out
include the following:18

Volume of total email. Worldwide the volume of spam as a percentage of all
email traffic peaked in 2008, when 92 percent of all email was spam. Since that
time, due to aggressive efforts to take down botnets, the percentage is around
61 percent, which is still a staggering amount.

Daily spam emails. The number of spam messages sent each day is about
28 billion emails.

Content categories. The most common category of spam content is healthcare
products (38 percent), followed by dating solicitations (18 percent), adult products
(12 percent), and advertisements for stocks (6 percent).

User actions. When frustrated about receiving spam, about 60 percent of users
attempt to unsubscribe from future emails, while 45 percent simply ignore any
future emails. More extreme user actions are to stop using the product being
advertised (14 percent), completely boycott the company doing the advertising
(13 percent), tell their friends (9 percent), or hit the computer or mobile device in
frustration (4 percent).

The reason users receive so many spam messages is because sending spam is
lucrative. It costs spammers very little to send millions of spam email messages. Almost
all spam is sent from botnets, and a spammer who does not own his own botnet can
lease time from other attackers ($40 per hour) to use a botnet of up to 100,000 infected
computers to launch a spam attack. And even if spammers receive only a very small
percentage of responses, they still make a large profit. For example, if a spammer sent
spam to 6 million users for a product with a sale price of $50 that cost only $5 to make,
and if only 0.001 percent of the recipients responded and bought the product (a typical
response rate), the spammer would still make more than $270,000 in profit.

Text-based spam messages that include words such as Viagra or investments can
easily be trapped by filters that look for these words and block the email. Because of
the increased use of these filters, spammers have turned to image spam, which uses
graphical images of text to circumvent text-based filters. Image spam cannot be filtered
based on the textual content of the message because it appears as an image instead
of text. These spam messages often include nonsense text so that it appears the email
message is legitimate (an email with no text can prompt the spam filter to block it).
Figure 2-11 shows an example of an image spam.

Figure 2-11 Image spam
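To show why a word filter traps the first kind of message but not image spam, here is an added example (not code from the textbook) built on Python's email package. It constructs three messages, runs the keyword check the text describes, and then applies a second heuristic added for this example: the ratio of attached image bytes to visible text. The "image" attachment is filler bytes rather than a real picture, the addresses use the reserved .test domain, and the keyword list and ratio are illustrative.

```python
"""Added example (not from the textbook): a minimal mail classifier showing
that a keyword filter catches text spam but not image spam, plus the extra
image-versus-text heuristic a filter needs for the image case. The three
messages and the image bytes are constructed; the image payload is filler.
"""
import re
from email.message import EmailMessage

# Words a plain keyword filter would trap, as in the text above
KEYWORD_RE = re.compile(r"\b(viagra|investments?)\b", re.IGNORECASE)
IMAGE_TO_TEXT_RATIO = 20.0   # image bytes per byte of visible text (illustrative)


def message_features(msg):
    """Extract the visible text and the total image bytes from all MIME parts."""
    text, image_bytes = [], 0
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text.append(part.get_content())
        elif part.get_content_maintype() == "image":
            image_bytes += len(part.get_payload(decode=True) or b"")
    return "".join(text), image_bytes


def classify(msg):
    """Return (verdict, reason) where verdict is "spam", "suspicious" or "ham"."""
    visible, image_bytes = message_features(msg)
    if KEYWORD_RE.search(visible):
        return "spam", "keyword match"
    text_bytes = max(len(visible.encode("utf-8")), 1)
    # Image spam carries its pitch as a picture and pads the body with filler
    # text, so the image dwarfs the text; a normal message rarely looks like that.
    if image_bytes and image_bytes / text_bytes > IMAGE_TO_TEXT_RATIO:
        return "suspicious", "image-heavy message with little real text"
    return "ham", "no indicator"


def _build(subject, body, image=None):
    # Constructed message; addresses are placeholders under the reserved .test domain.
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content(body)
    if image is not None:
        m.add_attachment(image, maintype="image", subtype="png", filename="ad.png")
    return m


FAKE_IMAGE = b"\x89PNG" + b"\x00" * 4000    # constructed filler, not a real PNG

TEXT_SPAM = _build("Special offer", "Cheap Viagra available today, reply now.")
IMAGE_SPAM = _build("Hello", "the quick brown fox jumps over the lazy dog " * 3, FAKE_IMAGE)
HAM = _build("Q3 report", "Please find the quarterly figures attached. " * 10)

if __name__ == "__main__":
    for name, m in [("text spam", TEXT_SPAM), ("image spam", IMAGE_SPAM), ("ham", HAM)]:
        print(name, "->", classify(m))
```

The keyword check alone returns "ham" for IMAGE_SPAM, which is exactly the gap the text describes; the second rule closes it for this case but is easy to tune wrongly (a short note with a large photo attached trips it), so production filters combine it with image hashing, OCR and sender reputation rather than relying on one ratio.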

Beyond being annoying and interfering with work productivity as users spend
time reading and deleting spam messages, spam can be a security vulnerability. This
is because spam can be used to distribute malware. Spam sent with attachments that
contain malware is one of the most common means by which threat actors distribute
their malware today.19

Hoaxes
Threat actors can use hoaxes as a first step in an attack. A hoax is a false warning,
often contained in an email message claiming to come from the IT department. The
hoax purports that there is a deadly virus circulating through the Internet and that
the recipient should erase specific files or change security configurations, and then
forward the message to other users. However, changing configurations allows an
attacker to compromise the system. Or, erasing files may make the computer unstable,
prompting the victim to call the telephone number in the hoax email message for help,
which is actually the phone number of the attacker.

Watering Hole Attack
In the natural world, similar types of animals are known to congregate around a pool of
water for refreshment. In a similar manner, a watering hole attack is directed toward
a smaller group of specific individuals, such as the major executives working for a
manufacturing company. These executives all tend to visit a common website, such as
that of a parts supplier to the manufacturer. An attacker who wants to target this group
of executives will attempt to determine the common website that they frequent and
then infect it with malware that will make its way onto the group's computers.

Physical Procedures
Just as some social engineering attacks rely on psychological manipulation, other
attacks rely on physical acts. These attacks take advantage of user actions that can
result in compromised security. Two of the most common physical procedures are
dumpster diving and tailgating.

Dumpster Diving
Dumpster diving involves digging through trash receptacles to find information that
can be useful in an attack. Table 2-7 lists the different items that can be retrieved,
many of which appear to be useless, and how they can be used.

An electronic variation of physical dumpster diving is to use Google's search
engine to look for documents and data posted online that can be used in an attack.
This is called Google dorking and it uses advanced Google search techniques to look for
information that unsuspecting victims have carelessly posted on the web.

Note

Google dorking is from a slang term that originally was used to refer to someone who is not
considered intelligent (a dork) and later came to refer to uncovering security vulnerabilities
that are the result of the actions of such a person.

For example, to find on the web any Microsoft Excel spreadsheets (.xlsx) that
contain the column heading SSN (Social Security number), the Google search term
"intext:SSN filetype:xlsx" can be used, or to find any Microsoft Word documents
(.docx) that contain the word "passwords" as part of the title, the Google search term
"allintitle: passwords filetype:docx" is used.


Tailgating
Organizations can invest tens of thousands of dollars to install specialized doors that permit
access only to authorized users who possess a special card or who can enter a specific
code. These automated access control systems are designed to restrict entry into an area.
However, a weakness of these systems is that they cannot always control how many people
enter the building when access is allowed; once an authorized person opens the door, one
or more individuals can follow behind and also enter. This is known as tailgating.

Several ways in which tailgating can occur are:

A tailgater waits at the end of the sidewalk until an authorized user opens
the door. She then calls out to him to "Please hold the door!" as she hurries up
to the door. In most cases, good etiquette wins out over good security practices,
and the door is held open for the tailgater.

A tailgater waits near the outside of the door and then quickly enters once the
authorized employee leaves the area. This technique is used most commonly
during weekends and at nights, where the actions of the more overt tailgater
would be suspicious.

A tailgater stands outside the door and waits until an employee exits the
building. He then slips behind the person as he is walking away and grabs the
door just before it closes to gain access to the building.

An employee conspires with an unauthorized person to allow him to walk in
with him through the open door (called piggybacking).

Table 2-7 Dumpster diving items and their usefulness

Item retrieved | Why useful
Calendars | A calendar can reveal which employees are out of town at a particular time.
Inexpensive computer hardware, such as USB flash drives or portable hard drives | These devices are often improperly disposed of and might contain valuable information.
Memos | Seemingly unimportant memos can often provide small bits of useful information for an attacker who is building an impersonation.
Organizational charts | These identify individuals within the organization who are in positions of authority.
Phone directories | A phone directory can provide the names and telephone numbers of individuals in the organization to target or impersonate.
Policy manuals | These may reveal the true level of security within the organization.
System manuals | A system manual can tell an attacker the type of computer system that is being used so that other research can be conducted to pinpoint vulnerabilities.

If an attacker cannot enter a building as a tailgater without raising suspicion, an
alternative is to watch an individual entering the security code on a keypad. Known
as shoulder surfing, it can be used in any setting in which a user casually observes
someone entering secret information, such as the security code on a door keypad.
Attackers are also using webcams and smartphone cameras to shoulder surf users of
ATM machines to record keypad entries.

Note

A defense against shoulder surfing is an application that uses the computer's webcam to
watch if anyone nearby is looking at the computer screen. If someone is detected, the user
can be alerted with a popup window message or the screen will automatically blur so that it
cannot be read.

Chapter Summary
Malware is malicious software that enters a computer system without the user's
knowledge or consent and includes an unwanted and harmful action. One method of
classifying the various types of malware is by using the primary trait that the malware
possesses. These traits are circulation, infection, concealment, and payload capabilities.

One of the types of malware that has the primary trait of circulation is a computer
virus. A virus is malicious computer code that reproduces itself on the same computer.
A virus inserts itself into a computer file (a data file or program) and then looks to
reproduce itself on the same computer as well as unload its malicious payload. Most
viruses go to great lengths to avoid detection. Another type of such malware is a worm,
which travels through a network and is designed to take advantage of a vulnerability in
an application or an operating system to enter a user's computer. Once the worm has
exploited the vulnerability on one system, it immediately searches for another computer
that has the same vulnerability.

Another category of malware has infection as its primary trait. A Trojan is a program
advertised as performing one activity but in addition does something malicious. A special
type of Trojan is a remote access Trojan (RAT), which has the basic functionality of a
Trojan but also gives the threat actor unauthorized remote access to the victim's computer
by using specially configured communication protocols. Ransomware prevents a user's
device from properly and fully functioning until a fee is paid. Ransomware embeds itself
onto the computer in such a way that it cannot be bypassed, and even rebooting still
causes the ransomware to launch again. Crypto-malware encrypts all the files on the
device so that none of them can be opened until a ransom is paid.

Some malware has as its primary trait
avoiding detection. A rootkit can hide its
presence or the presence of other malware
(like a virus) on the computer by accessing
lower layers of the operating system or
even using undocumented functions to
make alterations.

The destructive power of malware is to be found in its payload capabilities. Different
types of malware are designed to collect important data from the user's computer and
make it available to the attacker. Spyware is tracking software that is deployed without
the consent or control of the user. One type of spyware is a keylogger, which silently
captures and stores each keystroke that a user types on the computer's keyboard. A
keylogger can be a software program or a small hardware device. Adware is a software
program that delivers advertising content in a manner that is unexpected and unwanted
by the user.

The payload of other types of malware deletes data on the computer. A logic bomb is
computer code that is typically added to a legitimate program but lies dormant until it is
triggered by a specific logical event. Once it is triggered, the program then deletes data or
performs other malicious activities. The payload of some types of malware attempts to
modify the system's security settings so that more insidious attacks can be made. One type
of malware in this category is called a backdoor. A backdoor gives access to a computer,
program, or service that circumvents any normal security protections.

One of the most popular payloads of malware
is software that will allow the infected
computer to be placed under the remote
control of an attacker. This infected robot
computer is known as a bot. When multiple
bot computers are gathered into a logical
computer network, they create a botnet.

Social engineering is a means of gathering information for an attack by relying on the
weaknesses of individuals. Many social engineering attacks rely on psychology, which is
the mental and emotional approach rather than the physical. At its core, social engineering
relies on an attacker's clever manipulation of human nature to persuade the victim to
provide information or take actions. Several basic principles make psychological social
engineering highly effective. These include authority, intimidation, consensus, scarcity,
urgency, familiarity, and trust.
Impersonation means to masquerade as
a real or fictitious character and then play
out the role of that person on a victim.
Phishing is sending an email or displaying
a web announcement that falsely claims
to be from a legitimate enterprise in an
attempt to trick the user into surrendering
private information. Several variations
on phishing attacks exist, such as spear
phishing, whaling, and vishing. Spam,
or unsolicited email that is sent to a
large number of recipients, is annoying,
interferes with work productivity, and can
be a security vulnerability.


Attackers can use hoaxes (false
warnings) as a first step in an attack,
often contained in an email message
claiming to come from the IT department.
Recipients are told that they should
erase specific files or change security
configurations, and then forward the
message to other users. A watering hole
attack is directed toward a smaller group
of specific individuals, such as the major
executives working for a manufacturing
company.

Some social engineering attacks rely on physical acts. Dumpster diving involves digging
through trash receptacles to find information that can be useful in an attack.
Organizations invest large sums of money to install specialized doors that only permit
access to authorized users who possess a special card or who can enter a specific code,
yet they do not always control how many people enter the building when access is
allowed. Following an authorized person through an open door is known as tailgating.
If an attacker cannot enter a building as a tailgater without raising suspicion, an
alternative is to watch an individual entering secret information, such as the security
code on a keypad. This is known as shoulder surfing.

Key Terms
adware
authority
backdoor
bot
consensus
crypto-malware
dumpster diving
familiarity
hoax
impersonation
intimidation
keylogger
logic bomb
malware
phishing
ransomware
remote access Trojan (RAT)
rootkit
scarcity
shoulder surfing
social engineering
spear phishing
spyware
tailgating
Trojan
trust
urgency
virus
vishing
watering hole attack
whaling
worm

Review Questions
1. Which of the following is NOT a primary trait of malware?
a. Diffusion
b. Circulation
c. Infection
d. Concealment

2. Which type of malware requires a user to
transport it from one computer to another?
a. Worm
b. Rootkit
c. Adware
d. Virus


3. Which type of mutation completely
changes a virus from its original form
by rewriting its own code whenever it is
executed?
a. Betamorphic
b. Oligomorphic
c. Polymorphic
d. Metamorphic

4. Ebba received a message from one of her
tech support employees. In violation of
company policy, a user had downloaded
a free program to receive weather
reports, but the program had also
installed malware on the computer that
gave the threat actor unrestricted access
to the computer. What type of malware
had been downloaded?
a. Virus
b. Ransomware
c. RAT
d. Trojan

5. Linnea's father called her to say that
a message suddenly appeared on his
screen that says his software license has
expired and he must immediately pay
$500 to have it renewed before control
of the computer will be returned to him.
What type of malware is this?
a. Persistent virusware
b. Trojanware
c. Blocking ransomware
d. Lockoutware

6. Astrid's computer screen suddenly says
that all files are now locked until money
is transferred to a specific account, at
which time she will receive a means to
unlock the files. What type of malware
has infected her computer?
a. Bitcoin malware
b. Crypto-malware
c. Blocking virus
d. Networked worm

7. What is the name of the threat actor's
computer that gives instructions to an
infected computer?
a. Command and control (C&C) server
b. Resource server
c. Regulating Net Server (RNS)
d. Monitoring and Infecting (M&I) server

8. Which of these could NOT be defined as
a logic bomb?
a. If the company's stock price drops below
$100, then credit Juni's account with 10
additional years of retirement credit.
b. Erase all data if Matilda's name is
removed from the list of employees.
c. Reformat the hard drive three months
after Sigrid left the company.
d. Send spam email to Moa's inbox on
Tuesday.

9. Which of the following is NOT correct
about a rootkit?
a. A rootkit is able to hide its presence
or the presence of other malware.
b. A rootkit accesses lower layers of
the operating system.
c. A rootkit is always the payload of a
Trojan.
d. The risk of a rootkit is less today than
previously.
10. Which of these is a general term used
for describing software that gathers
information without the user's consent?
a. Gatherware
b. Adware
c. Spyware
d. Scrapeware

CHAPTER 2 Malware and Social Engineering Attacks 85

88781_ch02_hr_051-096.indd 85 8/10/17 4:12 AM


11. Which statement regarding a keylogger
is NOT true?
a. Keyloggers can be used to capture
passwords, credit card numbers, or
personal information.
b. Software keyloggers are generally
easy to detect.
c. Hardware keyloggers are installed
between the keyboard connector and
computer keyboard USB port.
d. Software keyloggers can be designed
to send captured information
automatically back to the attacker
through the Internet.

12. A watering hole attack is directed
against ____.
a. wealthy individuals
b. a smaller group of specific users
c. all users of a large corporation
d. attackers who send spam

13. ____ sends phishing messages only to
wealthy individuals.
a. Whaling
b. Spear phishing
c. Target phishing
d. Microing

14. Lykke receives a call while working at
the helpdesk from someone who needs
his account reset immediately. When
Lykke questions the caller, he says, "If
you don't reset my account immediately,
I will call your supervisor!" What
psychological approach is the caller
attempting to use on Lykke?
a. Familiarity
b. Scarcity
c. Intimidation
d. Consensus

15. Hedda pretends to be the help desk
manager and calls Steve to trick him
into giving her his password. What
social engineering attack has Hedda
performed?
a. Aliasing
b. Duplicity
c. Impersonation
d. Luring

16. How can an attacker use a hoax?
a. A hoax could convince a user that a
bad Trojan is circulating and that he
should change his security settings.
b. By sending out a hoax, an attacker
can convince a user to read his email
more often.
c. A user who receives multiple hoaxes
could contact his supervisor for help.
d. Hoaxes are not used by attackers
today.

17. Which of these items retrieved through
dumpster diving would NOT provide
useful information?
a. Calendars
b. Organizational charts
c. Memos
d. Books

18. ____ is following an authorized person
through a secure door.
a. Tagging
b. Tailgating
c. Backpacking
d. Caboosing

19. Each of these is a reason why adware is
scorned EXCEPT ____.
a. it displays objectionable content
b. it displays the attacker's programming
skills
c. it can interfere with a user's
productivity
d. it can cause a computer to crash or
slow down

20. What is the term used for a threat actor
who controls multiple bots in a botnet?
a. Bot herder
b. Zombie shepherd
c. Rogue IRC
d. Cyber-robot


Hands-On Projects

Project 2-1: Analyzing Files and URLs for Viruses Using VirusTotal
VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs to
identify potential malware. VirusTotal scans and detects any type of binary content, including
a Windows executable program, Android, PDFs, and images. VirusTotal is designed to provide
a second opinion on a file or URL that may have been flagged as suspicious by other
scanning software. In this project, you use VirusTotal to scan a file and a URL.

1. First view several viruses from 20 years ago and observe their benign but annoying
impact. Open your web browser and enter the URL archive.org/details
/malwaremuseum&tab=collection (if you are no longer able to access the site
through the web address, use a search engine to search for Malware Museum).

2. Click several of the viruses and notice what they do (all of the viruses have been
rendered ineffective and will not harm a computer).

3. When finished, close your web browser.
4. Use Microsoft Word to create a document that contains the above paragraph about
VirusTotal. Save the document as VirusTotal.docx.
5. Now save this document as a PDF. Click File and Save As.
6. Under Save as type: select PDF (*.pdf).
7. Save this file as YourName-VirusTotal.pdf.
8. Exit Word.
9. Open your web browser and enter the URL www.virustotal.com (if you are no longer
able to access the site through the web address, use a search engine to search for Virus
Total).
10. If necessary, click the File tab.
11. Click Choose File.
12. Navigate to the location of YourName-VirusTotal.pdf and click Open.
13. Click Scan it!
14. If the File already analysed dialog box opens, click Reanalyse.
15. Wait until the analysis is completed.
16. Scroll through the list of AV vendors that have been polled regarding this file. A green
checkmark means no malware was detected.

Note

If you are concerned about installing any of the software in these projects on your
regular computer, you can instead install the software in the Windows virtual
machine created in the Chapter 1 Hands-On Projects 1-3 and 1-4. Software installed
within the virtual machine will not impact the host computer.


17. Click the File detail tab and read through the analysis.
18. Use your browser's back button to return to the VirusTotal home page.
19. Click URL.
20. Enter the URL of your school, place of employment, or another site with which you are
familiar.
21. Click Scan it! If the URL already analysed dialog box opens, click Reanalyse.
22. Wait until the analysis is completed.
23. Scroll through the list of vendor analysis. Do any of these sites indicate Unrated site or
Malware site?
24. Click Additional information.
25. How could VirusTotal be useful to users? How could it be useful to security researchers?
Could it also be used by attackers to test their own malware before distributing it to
ensure that it does not trigger an AV alert? What should be the protections against this?
26. Close all windows.

Project 2-2: Write-Protecting a USB Flash Drive and Disabling a USB Port
Viruses and other malware are often spread from one computer to another by infected USB
flash drives. This can be controlled by either disabling the USB port or by write-protecting the
drive so that no malware can be copied to it. Disabling the port can be accomplished through
changing a Windows registry setting, while write-protecting the drive can be done through
third-party software that can control USB device permissions. In this project, you download
and install a software-based USB write blocker to prevent data from being written to a USB
device and disable the USB port. You will need a USB flash drive for this project.

1. Open your web browser and enter the URL www.irongeek.com/i.php?page=security
/thumbscrew-software-usb-write-blocker (if you are no longer able to access the
program through the URL, use a search engine to search for Irongeek Thumbscrew).

2. Click Download Thumbscrew.
3. If the File Download dialog box appears, click Save and follow the instructions to save
this file in a location such as your desktop or a folder designated by your instructor.
4. When the file finishes downloading, extract the files in a location such as your desktop
or a folder designated by your instructor. Navigate to that location and double-click
thumbscrew.exe and follow the default installation procedures.
5. After installation, notice that a new icon appears in the system tray in the lower right
corner of the screen.
6. Insert a USB flash drive into the computer.
7. Navigate to a document on the computer.
8. Right-click the document and then select Send to.
9. Click the appropriate Removable Disk icon of the USB flash drive to copy the file to the
flash drive.
10. Now make the USB flash drive write-protected so it cannot be written to. Click the icon
in the system tray.


11. Click Make USB Read Only. Notice that a red circle now appears over the icon to
indicate that the flash drive is write protected.

12. Navigate to a document on the computer.
13. Right-click the document and then select Send to.
14. Click the appropriate Removable Disk icon of the USB flash drive to copy the file to the
flash drive. What happens?
15. Click the icon in the system tray to change the permissions so that the USB drive is no
longer read only.
16. Now disable the USB port entirely. First remove the flash drive from the USB port.
17. In the Windows Run dialog box enter regedit.
18. In the left pane double-click HKEY_LOCAL_MACHINE to expand it.
19. Double-click SYSTEM.
20. Double-click ControlSet001.
21. Double-click Services.
22. Double-click USBSTOR as shown in Figure 2-12.

Figure 2-12 Windows Registry Editor

23. In the right pane double-click Start.
24. In Value data: change the number of 3 to 4. Be sure that Hexadecimal under Base is
selected.
25. Click OK.
26. Now insert a USB flash drive into the USB port. What happens?


27. To reactivate the port, change the Value data: back to 3 and click OK.
28. Close all windows.
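As an added example that is not part of the textbook, the same USBSTOR change that steps 16 through 27 make by hand in regedit, written as a PowerShell script so the setting can be applied, verified, and reverted without opening the editor. The function names Get-UsbStorageState and Set-UsbStorageState are my own, and the script assumes an elevated PowerShell session on Windows.

```powershell
# Added example, not from the textbook: script the USBSTOR Start value that
# Project 2-2 steps 16-27 edit in regedit. Requires an elevated PowerShell.
# CurrentControlSet is the registry's link to the active control set, which is
# normally the ControlSet001 key the project opens by hand.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Start = 3: driver loads on demand (USB storage works); Start = 4: disabled.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    [pscustomobject]@{
        Key      = $UsbStorKey
        Start    = $start
        Disabled = ($start -eq 4)
    }
}

function Set-UsbStorageState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    # 4 is the value set in step 24; 3 is the default restored in step 27.
    $desired = if ($State -eq 'Disabled') { 4 } else { 3 }
    $current = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    if ($current -eq $desired) {
        Write-Verbose "USBSTOR Start is already $desired; nothing to change."
        return
    }
    # -WhatIf lets an administrator preview the change before applying it.
    if ($PSCmdlet.ShouldProcess($UsbStorKey, "Set Start from $current to $desired")) {
        # REG_DWORD, matching the Hexadecimal base selected in regedit in step 24.
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value $desired -Type DWord
    }
}

# Step 24 equivalent: block USB mass-storage devices, then confirm the value.
Set-UsbStorageState -State Disabled -Verbose
Get-UsbStorageState

# Step 27 equivalent: restore the default and confirm again.
Set-UsbStorageState -State Enabled -Verbose
Get-UsbStorageState
```

Setting Start to 4 stops the USB mass-storage class driver from loading, so flash drives and external disks are blocked while keyboards, mice, and other USB devices keep working; the physical port itself is not disabled, and a drive already mounted stays usable until it is removed.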

Project 2-3: Using a Software Keylogger

A keylogger program captures everything that a user enters on a computer keyboard. In this
project, you download and use a software keylogger.


Caution

The purpose of this activity is to provide information regarding how these programs
function in order that adequate defenses can be designed and implemented. These
programs should never be used in a malicious fashion against another user.

1. Open your web browser and enter the URL refog.com (if you are no longer able to access
the program through the URL, use a search engine to search for Refog Keylogger).

2. Click Read More to see the features of the product.
3. Under Keylogger click Download.
4. Click Create an account and enter the requested information.
5. Click Download.
6. When the file finishes downloading, run the installation program.
7. When asked I'm going to use this software to monitor: select My own computer.
8. Click Hide program icon from Windows tray. Click Next.
9. Click I Agree.
10. Enter the Windows account password. Click Install.
11. Click Restart Now.
12. After the computer has restarted use the keystroke combination Ctrl + Alt + Shift + K to
launch Refog Keylogger. The Refog Keylogger screen appears as seen in Figure 2-13.
13. Click Tools and then click Settings.
14. Note the default settings regarding what is captured.
15. Click Back to log.
16. Minimize Refog Keylogger.
17. Use your computer normally by opening a web browser to surf to a website. Open Microsoft
Word and type several sentences. Open and close several programs on the computer.
18. Maximize Keylogger and note the information that was captured.
19. In the left pane click through the different items that were captured.
20. Under Settings click Websites Visited.
21. Under Websites Visited click Make website screenshots.
22. Click Apply.
23. Open a web browser to surf to multiple websites.
24. Under Users click Websites visited. Note the screen captures of the different sites.
25. What type of information would a software keylogger provide to a threat actor? How
could it be used against the victim?
26. Click File and then Exit to close Keylogger.
27. Close all windows.


Project 2-4: Exploring Ransomware Sites

There are a variety of sites that provide information about ransomware along with tools for
counteracting some types of infection. In this project, you explore different ransomware sites.

1. Open your web browser and enter the URL ransomwaretracker.abuse.ch (if you are
no longer able to access the program through the URL, use a search engine to search
for Ransomware Tracker).

2. Read about the features of Ransomware Tracker on the home page.
3. Click Tracker.
4. Scroll through the list of ransomware malware.
5. Under Filter by threat: click Payment Sites to display those payment sites.
6. Under Filter by malware: click Locky or another of the ransomware families.
7. Select one of the instances of malware and click it to view the details. What can you tell
from it?

Figure 2-13 Refog Keylogger
Source: Refog

8. Now visit a site that provides user information about ransomware. Open your web
browser and enter the URL www.nomoreransom.org.
9. Click Crypto Sheriff. How could this be useful to a user who has suffered a ransomware
infection?
10. Click Ransomware: Q&A. Read through the information. Which statements would you
agree with? Which statements would you disagree with?
11. Click Decryption Tools. This contains a list of different tools that may help restore a
computer that has been infected by a specific type of ransomware. Click Download to
download one of the tools. Note that these tools change frequently based on the latest
types of ransomware that are circulating.
12. Run the program to understand how these decryption tools function. Note that you
will not be able to complete the process because there are no encrypted files on the
computer. Close the program.
13. Now visit another site that provides ransomware information and tools. Open your web
browser and enter the URL id-ransomware.malwarehunterteam.com
14. What features does this site provide?
15. How could these sites be useful?
16. Close all windows.

Case Projects

Case Project 2-1: Preventing Vishing Attacks
Vishing, or voice phishing, continues to increase as an attack against users. What would
you do to help prevent users from becoming victims? First, access the online SoundCloud
repository by NumberCop that contains several different recordings of vishing attacks
(soundcloud.com/numbercop). After listening to several of the recordings to understand what
attackers typically ask and how they craft their attacks, create guidelines for not falling prey to
these attacks. What messages do the attackers commonly use? How do they trick users into
entering their information? What social engineering effectiveness reasons do they use? Then
write a series of steps that would help users resist these attacks. Write a one-page paper on
your research.

Case Project 2-2: Social Engineering Psychological Approaches
Several basic principles or reasons make psychological social engineering effective. These
include authority, intimidation, consensus, scarcity, urgency, familiarity, and trust. Table 2-6 uses
these principles in a scenario of an attacker pretending to be the chief executive officer (CEO)
calling the organization's help desk to have a password reset. Create two additional scenarios,
such as an attacker impersonating a help desk employee who wants access to an employee's
protected information, and create a dialog example for each of the seven principles.


Case Project 2-3: Your Social Engineering Attack
Today's Attacks and Defenses at the beginning of this chapter illustrated how a security
researcher could manipulate a help desk support technician into compromising security. If
you were to create your own social engineering attack, what would it be? Using your place
of employment or school, first determine exactly what your goal would be in the attack, and
then craft a detailed description of how you would carry out the attack using only social
engineering to achieve your goal. You might want to search the Internet for examples of
previously successful attacks that used social engineering. Why do you think your attack
would be successful? Who would be involved? What would be the problems in achieving your
goal? Why? Write a one-page paper on your research.

Case Project 2-4: Google Dorking
Google dorking, or using advanced Google search techniques to find sensitive information, has
been likened to online dumpster diving. Use the Internet to research Google dorking. First, use
the Internet to determine how the following advanced Google search engine operators are used:
allintext, allintitle, allinurl, cache, filetype, inanchor, intext, intitle, link, site, +, |, and *. Then, use
at least five of the operators to create potential Google dorking searches. Finally, try out your
searches to see if they are effective. How easy is it for a threat actor to use Google dorking? How
can users and organizations combat this? List your Google dorking searches, the results, and the
defenses that should be used against it. Write a one-page paper on your activity.

Case Project 2-5: Crypto-malware Attacks
Use the Internet to research some of the recent different crypto-malware ransomware
attacks. What do they do? Why are they so successful? How are they being spread? What can
users do to protect themselves? Write a one-page summary of your research.

Case Project 2-6: Online Phishing Tests
Detecting phishing emails can often be difficult. Point your web browser to the following
three online phishing tests: www.sonicwall.com/phishing/, www.opendns.com/phishing-quiz/,
and www.komando.com/tips/361345/can-you-spot-a-fake-email-take-our-phishing-iq-test (or
search the Internet for others). What did you learn from these tests? Were they helpful? What
do you think general users would think about these tests? Write a one-paragraph summary
on what you learned about phishing from these tests.

Case Project 2-7: Lake Point Consulting Services
Lake Point Consulting Services (LPCS) provides security consulting and assurance services to
over 500 clients across a wide range of enterprises in more than 20 states. A new initiative
at LPCS is for each of its seven regional offices to provide internships to students who are in
their final year of the information security degree program at the local college.

Manna is a regional bakery and café. Although Manna has used an outside security
consultant to help their small IT team with security, they nevertheless have been the victims of
several attacks over the last two quarters. Manna decided not to renew the consultant's contract
and has now turned to LPCS for assistance. While LPCS is performing an audit and evaluating
the enterprise's current security position, LPCS has asked you to conduct a presentation about
malware to the staff of three of Manna's retail sites during their annual regional meeting.

1. Create a PowerPoint presentation that lists 15 different types of malware and defines
each type in detail regarding what the malware can do, how it spreads, its dangers, etc.
Your presentation should contain at least 10 slides.

2. After your presentation, it is apparent that some of the attacks were the result of social
engineering. Manna has asked you to create a one-page cheat sheet that describes
social engineering attacks and how they may be performed, including a list of practical
tips to resist these attacks. This sheet will be posted in the stores so that employees can
refer to it quickly when necessary. Create the sheet for Manna, using a format that is easy
to reference.

Case Project 2-8: Information Security Community Site Activity
The Information Security Community Site is an online companion to this textbook. It contains
a wide variety of tools, information, discussion boards, and other features to assist learners.
Go to community.cengage.com/Infosec2 and click the Join or Sign in icon to log in, using your
login name and password that you created in Chapter 1. Click Forums (Discussion) and click
on Security+ Case Projects (6th edition). Read the following case study.

Eric received an email from Amazon Customer Service that said "Thank you for
contacting us." But Eric did not contact them. Instead, an attacker had contacted them and
pretended to be Eric. When Amazon Customer Service asked the attacker to identify himself,
all he had to do was give Eric's name, email address, and mailing address, which the attacker
got from Whois, which contains Eric's registration information for his website. However, Eric
knew to protect his actual mailing address, so the registration information on Whois was
actually a hotel close to Eric's house. Because the information matched what was on file,
Customer Service told the attacker the mailing address of Eric's order, which was his real
home address. Eric contacted Amazon, found out these details, and told them not to release
any of his information to anyone who contacted Customer Service, to which Amazon agreed.

Fast forward two months. Eric again received another "Thank you for contacting us"
email. After contacting Amazon again, he found that this time the attacker had tried to get
the last four digits of Eric's credit card number on file through more social engineering tricks.
Fortunately, this time Amazon did not surrender that specific piece of information (although
they had ignored his previous instruction not to give out any information). Had they provided
the credit card number, the attacker would have had enough information to pass the "I'm-the-
real-Eric" test on almost any of Eric's online accounts (using his name, email address, mailing
address, and last four digits of his credit card) and trick their Customer Service into resetting
Eric's password. This would then allow the attacker to get into Eric's online accounts and
purchase a virtually unlimited number of items charged to Eric's credit card.

What went wrong? Should the first Amazon Customer Service representative have been
reprimanded? What policies should Amazon have had in place to prevent this? What technologies
should there be in place to prevent this? As a customer, what should you do to protect your
online accounts? Enter your answers on the InfoSec Community Server discussion board.



PART II
CRYPTOGRAPHY
Chapter 3: Basic Cryptography
Chapter 4: Advanced Cryptography and PKI

This part introduces you to an essential element of modern security, that of
cryptography. The importance of cryptography has increased over time to become
a key defense in securing data from threat actors. Chapter 3 defines cryptography,
explains different cryptographic algorithms, looks at attacks on cryptography, and
shows how cryptography is implemented. Chapter 4 continues with more advanced
cryptography topics such as digital certificates, public key infrastructure (PKI), and
transport encryption algorithms.

CHAPTER 3
BASIC CRYPTOGRAPHY

After completing this chapter, you should be able
to do the following:

Define cryptography

Describe hash, symmetric, and asymmetric cryptographic algorithms

Explain different cryptographic attacks

List the various ways in which cryptography is used

Today's Attacks and Defenses

One of the most highly publicized recent events involving cryptography pitted the federal
government against a major computer vendor. A terrorist attack in San Bernardino, California
in December 2015 resulted in the death of 14 individuals and the two terrorists and the
injury of 24 more. One of the attackers used an Apple iPhone 5C owned by his employer that
was recovered by police. About six weeks prior to the attack the terrorists had turned off the
online backup feature so that the phone's contents were no longer copied to Apple's iCloud
online servers; the data was stored only on the iPhone itself. The FBI was given permission
from the employer who owned the device to examine the phone's contents to determine if
this attacker was connected to other terrorists at home or abroad.


However, the iPhone had protections that prevented the FBI from easily viewing its
contents. Access to this iPhone was protected by a passcode, which serves two functions: it is
used as authentication to access the phone and is used to create a decryption key that allows
data on the phone to be viewed. To prevent anyone from randomly guessing passcodes,
there were more security protections on the phone. In addition to delays incorporated
between incorrect passcode attempts, to prevent someone from randomly guessing
passwords indefinitely until the right code was entered, the iPhone was configured to make it
permanently inaccessible after 10 failed passcode attempts.

The FBI asked a court to compel Apple to create custom iPhone firmware that would
remove the delays and prevent device lockup after 10 incorrect attempts. Apple's CEO said the
government's legal position was setting a dangerous precedent and refused to comply. He went
on to say that building this capability to bypass security would undeniably create a backdoor, and
while the government might argue that its use would be limited to this case, there was no way to
guarantee such control. Once created, the CEO said, the technique could be used over and over,
on any number of devices. He concluded, "No reasonable person would find that acceptable."
Apple said it would appeal the court order, all the way to the Supreme Court if necessary.

After several weeks of contentious back-and-forth drama played out in the courts between
Apple and the FBI, an unexpected turn of events occurred. The FBI suddenly asked a judge to
postpone a court hearing scheduled that same day. After several more days the FBI said in a
court filing that an outside party demonstrated to the FBI a possible method for unlocking the
iPhone, but it did not indicate what the method was. There was much speculation by security
researchers of what it could be. The most likely method involves a cloning technique called
NAND mirroring. The memory chip on the iPhone is removed (by de-soldering it), put into a
chip reader/programmer device, and then its contents are copied. This would allow multiple
copies to be made of the iPhone's memory so that the FBI could make multiple attempts on the
phone by guessing passcodes. When one copy locks up (because it only allows 10 attempts of
a passcode) then they simply move on to the next copy. After several days, the FBI asked the
courts to completely drop the order by stating, "It no longer requires the assistance from Apple."

Did the FBI break into the iPhone and view its contents? Who was the outside party who
was responsible for assisting the FBI? Was it a broker who knew a zero-day vulnerability? Has
this outside party broken into other iPhones so that these devices are no longer secure? The
FBI provided no detailed information.

And in another twist Apple, who refused to give the FBI the help it wanted, then decided it
might need the FBI's help. Attorneys for Apple started researching legal tactics to compel the FBI
to turn over the specifics of how the phone was compromised so that Apple would know how
to build better defenses on its iPhone. Legal experts agreed that because the government faces
no legal obligation to provide any information to Apple, it was unlikely the FBI would share this
information with Apple or the public. Besides, if the government gave Apple the information
and Apple built stronger devices, it could be that much more difficult to break into an iPhone the
next time. Apple ultimately decided not to sue the FBI to try to gain access to the solution.1

88781_ch03_hr_097-144.indd 100 8/12/17 7:24 AM

Copyright 2018 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203

CHAPTER 3 Basic Cryptography 101

Information security can be defined as that which protects the integrity, confidentiality,
and availability of information through products, people, and procedures on the devices
that store, manipulate, and transmit the information. In most instances the focus of
that protection is keeping the threat actors as far away as possible from the information
by building barriers around it. This may include technology barriers (like firewalls) or
physical defenses (such as erecting a fence that surrounds the property) to keep threat
actors at bay.

Whereas these technology and physical defenses are critical, what if another
element was added so that if the attackers were able to get to the information it would
nevertheless be useless to them? What if the information was scrambled in such a way
that while authorized individuals could read it the attackers still could not?

This is the protection that cryptography affords: it masks the data so that if a threat
actor could access it they still cannot read it. As such, cryptography provides an even
deeper level of protection, and this has made it a critical element in protecting data.
Yet there is still significant room for growth: if more of our information were properly
encrypted it would significantly reduce the impact of any data loss.

In this chapter, you learn how cryptography can be used to protect data. You first
learn what cryptography is and how it can be used for protection. Then you examine
how to protect data using different types of cryptography algorithms. After that, the
chapter details the attacks on cryptography, followed by how to use cryptography on
files and disks to keep data secure.

Defining Cryptography
Certification

6.1 Compare and contrast basic concepts of cryptography.

6.2 Explain cryptography algorithms and their basic characteristics.

Defining cryptography involves understanding what it is and what it can do. It also
involves understanding how cryptography can be used as a security tool to protect data
as well as knowing its limitations.

What Is Cryptography?
Cryptography (from Greek words meaning hidden writing) is the practice of
transforming information so that it is secure and cannot be accessed by unauthorized
parties. This is accomplished through scrambling the information in such a way that
only approved recipients can access it.

Whereas cryptography scrambles a message so that it cannot be understood,
steganography hides the existence of the data. What appears to be a harmless image
can contain hidden data, usually some type of message, embedded within the image.
Steganography typically takes the data, divides it into smaller pieces, and hides these
in unused portions of the file, as shown in Figure 3-1. Steganography may hide data
in the file header fields that describe the file, between sections of the metadata (data
that is used to describe the content or structure of the actual data), or in the areas of a
file that contain the content itself. Steganography can use a wide variety of file types
(image files, audio files, video files, etc.) to hide messages and data.

Figure 3-1 Data hidden by steganography
Photo: Chris Parypa Photography/Shutterstock.com
(Figure: the message to be hidden, "The secret password…", is converted to binary form and its
bits are spread across the fields of the image file's two metadata headers: Image width, Image
height, Number of graphic planes, Number of bits per pixel, Compression type, Number of colors,
Header size, File size, Reserved space 1, Reserved space 2, and Offset address for start data.
Message in binary form: 01011001 01101111 01110101 00100000 01110011 01101000 01101111
01110101 01101100 01100100. The binary values placed in those fields are the message hidden
in metadata.)

Note

Steganography is sometimes used together with cryptography so that the information is
doubly protected. Encrypting the data first and then hiding it with steganography requires
someone seeking the information to first find the data and then decrypt it.
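The "unused portions of the file" idea above, shown as least-significant-bit (LSB) hiding in an added example (editor's code, not from the textbook). It works on a constructed buffer of 8-bit pixel samples rather than a real image file, and the names COVER, embed, extract and max_sample_change are the editor's.

```python
"""LSB steganography over a constructed byte buffer (added example, not the
textbook's code). Each hidden bit replaces the lowest bit of one sample."""

# Constructed stand-in for raw 8-bit pixel samples (e.g. a greyscale bitmap body).
COVER = bytes(range(40, 200))  # 160 samples: room for a 1-byte length + 19 bytes


def embed(cover: bytes, message: bytes) -> bytes:
    """Hide `message` in the LSB of each cover byte, prefixed by a 1-byte length."""
    if len(message) > 255:
        raise ValueError("this toy format stores the length in one byte")
    payload = bytes([len(message)]) + message
    # Most-significant bit of each payload byte first.
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # touch only the lowest bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the hidden message by reading the LSBs back out, length first."""
    def read_byte(offset: int) -> int:
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[offset + i] & 1)
        return value

    length = read_byte(0)
    return bytes(read_byte(8 + 8 * k) for k in range(length))


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding moves each sample by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    hidden = embed(COVER, b"The secret password")
    print(extract(hidden), max_sample_change(COVER, hidden))
```

Because every sample moves by at most one unit, the carrier is indistinguishable by eye, which is why detecting such payloads relies on statistical tests of the low-order bits rather than inspection, and why the encrypt-then-hide layering described in the note above leaves nothing readable even when the payload is found.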

When using cryptography, the process of changing the original text into a
scrambled message is known as encryption (the reverse process is decryption, or
changing the message back to its original form). In addition, there is other terminology
that applies to cryptography:

Plaintext. Unencrypted data that is input for encryption or is the output of
decryption is called plaintext.

Ciphertext. Ciphertext is the scrambled and unreadable output of encryption.

Cleartext. Readable (unencrypted) data that is transmitted or stored in the clear
and is not intended to be encrypted is called cleartext.

Plaintext data is input into a cryptographic algorithm (also called a cipher), which
consists of procedures based on a mathematical formula to encrypt and decrypt
the data. A key is a mathematical value entered into the algorithm to produce the
ciphertext. Just as a key is inserted into a door lock to lock the door, in cryptography
a unique mathematical key is input into the encryption algorithm to lock down the
data by creating the ciphertext. When the ciphertext is to be returned to plaintext, the
reverse process occurs with a decryption algorithm and key. The cryptographic process
is illustrated in Figure 3-2.

Figure 3-2 Cryptographic process
(Figure: the plaintext Confidential Memo "Layoffs at the Lakeview store will begin…" enters
the encryption algorithm together with a key and emerges as the ciphertext "626vscc*7&5
2#hdkP0)…", which is transmitted to the remote user; there the decryption algorithm and key
turn the ciphertext back into the plaintext.)

There are different categories of algorithms and within those different types.
One category is a substitution cipher that substitutes one character for another.
By substituting 1 for the letter A, 2 for the letter B, etc., the word security becomes
1804022017081924. One type of substitution cipher is a ROT13, in which the entire
alphabet is rotated 13 steps: A becomes N, B becomes O, etc., so that the word security becomes
frphevgl. Another common algorithm is the XOR cipher. This is based on the binary
operation eXclusive OR that compares two bits: if the bits are different a 1 is returned,
but if they are identical then a 0 is returned. For example, to encrypt the word security
by XOR-ing it with the word flapjack the binary equivalent of the first letter s
(01110011) is compared with that of the letter f (01100110) to return 00010101. Then the
letter e is compared with the l, etc., followed by a comparison of each remaining letter.
These algorithms are illustrated in Figure 3-3.

The strength of a cryptographic algorithm depends upon several factors. Modern
cryptographic algorithms rely upon underlying mathematical formulas. For these
formulas to provide strong security they depend upon the quality of random numbers,
or numbers for which there is no identifiable pattern or sequence. The primary
property of a truly random number is that the probability of it being selected is the
same as any other number being selected, so that it is not possible to predict a future
number based on a previous number. However, the fundamental nature of computer
software is to always be predictable (a mouse click on an icon today will achieve the
same results as a mouse click on an icon tomorrow) so that they cannot produce
numbers that are truly random. Software instead relies upon a pseudorandom
number generator (PRNG), which is an algorithm for creating a sequence of numbers
whose properties approximate those of a random number.

Figure 3-3 Cryptographic algorithms
(Figure: three panels.
Substitution Cipher: A B C D ... Z are replaced by 1 2 3 4 ... 26. Example: S E C U R I T Y
gives 19 5 3 21 18 9 20 25; Result: 1509020518081712.
ROT13: A B C D ... M become N O P Q ... Z, and N ... Z become A ... M. Example: S E C U R I T Y;
Result: F R P H E V G L.
XOR Cipher: Example: S E C U R I T Y is combined with F L A P J A C K in the combinator;
Result: the bit patterns given in the note below. Truth table:
a  b  a XOR b
0  1  1
1  0  1
1  1  0
0  0  0)

Note

The entire result of security XOR flapjack is 00010101 00001001 00000010 00000101 00011000
00001000 00010111 00010010.
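The ROT13 and XOR ciphers described above, as an added example (editor's code, not the textbook's). rot13, xor_cipher and as_bit_groups are the editor's names; xor_cipher works on bytes so its output can be checked against the bit strings the text gives for security XOR flapjack.

```python
"""ROT13 and XOR ciphers (added example, not the textbook's code)."""

import string

_UPPER = string.ascii_uppercase
_LOWER = string.ascii_lowercase


def rot13(text: str) -> str:
    """Rotate every letter 13 places; non-letters pass through unchanged.
    Applying rot13 twice restores the original, since 13 + 13 = 26."""
    out = []
    for ch in text:
        if ch in _UPPER:
            out.append(_UPPER[(_UPPER.index(ch) + 13) % 26])
        elif ch in _LOWER:
            out.append(_LOWER[(_LOWER.index(ch) + 13) % 26])
        else:
            out.append(ch)
    return "".join(out)


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the matching key byte (the key repeats if shorter).
    XOR is its own inverse: xor_cipher(xor_cipher(d, k), k) == d."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def as_bit_groups(data: bytes) -> str:
    """Render bytes as space-separated 8-bit groups, the way the text prints them."""
    return " ".join(f"{b:08b}" for b in data)


if __name__ == "__main__":
    print(rot13("security"))                                  # frphevgl
    print(as_bit_groups(xor_cipher(b"security", b"flapjack")))
```

Because XOR is its own inverse, the same function decrypts. The caveat for practitioners is that XOR-ing a ciphertext with its known plaintext returns the key, so a short repeating key gives no real protection on its own; this is why the lightweight-cryptography note later in the chapter treats XOR as one cheap operation inside a larger algorithm, not as the algorithm.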

Note

PRNGs attempt to create numbers that are as random as possible.

Threat actors often use sophisticated statistical analysis on the ciphertext
(cryptoanalysis) to try to discover the underlying key to the cryptographic algorithm.
There are two factors that can thwart statistical analysis to make a strong algorithm. One
factor is diffusion. Diffusion means that if a single character of plaintext is changed then
it should result in multiple characters of the ciphertext changing. Eliminating a one-to-
one correspondence between the plaintext and the ciphertext makes it more difficult
for a threat actor to perform cryptoanalysis, since the plaintext is diffused across several
characters of the ciphertext. Another factor is confusion, which means that the key does
not relate in a simple way to the ciphertext. Each character of the ciphertext should depend
upon several different parts of the key. This forces the threat actor to create the entire key
simultaneously, a difficult task, rather than trying to recreate the key piece by piece.

Cryptography and Security
Cryptography can provide a range of security protections. Cryptography can support
the following basic protections:

Confidentiality. Cryptography can protect the confidentiality of information by
ensuring that only authorized parties can view it. When private information,
such as a list of employees to be laid off, is transmitted across the network
or stored on a file server, its contents can be encrypted, which allows only
authorized individuals who have the key to see it.

Integrity. Cryptography can protect the integrity of information. Integrity
ensures that the information is correct and no unauthorized person or malicious
software has altered that data. Because ciphertext requires that a key must be
used to open the data before it can be changed, cryptography can ensure its
integrity. The list of employees to be laid off, for example, can be protected so
that no names can be added or deleted by unauthorized personnel.

Authentication. The authentication of the sender can be verified through
cryptography. Specific types of cryptography, for example, can prevent a situation
such as circulation of a list of employees to be laid off that appears to come from
a manager, but in reality, was sent by an imposter.

Non-repudiation. Cryptography can enforce non-repudiation. Repudiation is
defined as denial; non-repudiation is the inability to deny. In information
technology, non-repudiation is the process of proving that a user performed
an action, such as sending an email message. Non-repudiation prevents an
individual from fraudulently reneging on an action. The non-repudiation
features of cryptography can prevent a manager from claiming he never sent the
list of employees to be laid off to an unauthorized third party.

Note

A practical example of non-repudiation is Astrid taking her car into a repair shop for service
and signing an estimate form of the cost of repairs and authorizing the work. If Astrid later
returns and claims she never approved a specific repair, the signed form can be used as non-
repudiation.

Obfuscation. Obfuscation is making something obscure or unclear. One example
may be disguising the operational details of software so that a threat actor
cannot reverse engineer the program to determine how it is functioning to
bypass its security protections. Cryptography can help ensure obfuscation by
hiding the details so that the original code cannot be determined in order that an
unauthorized user cannot see the list of employees to be laid off.

The concept of obfuscation has led to an approach in security called security
through obscurity, or the notion that virtually any system can be made secure so long
as outsiders are unaware of it or how it functions. However, this is a flawed approach
since it is essentially impossible to keep secrets from everyone.

The security protections afforded by cryptography are summarized in Table 3-1.

Table 3-1 Information protections by cryptography

Characteristic | Description | Protection
Confidentiality | Ensures that only authorized parties can view the information | Encrypted information can only be viewed by those who have been provided the key.
Integrity | Ensures that the information is correct and no unauthorized person or malicious software has altered that data | Encrypted information cannot be changed except by authorized users who have the key.
Authentication | Provides proof of the genuineness of the user | Proof that the sender was legitimate and not an imposter can be obtained.
Non-repudiation | Proves that a user performed an action | Individuals are prevented from fraudulently denying that they were involved in a transaction.
Obfuscation | Makes something obscure or unclear | By hiding the details the original cannot be determined.

Cryptography can provide protection to data as that data resides in any of three states:

Data in-use. Data-in-use is data actions being performed by endpoint devices,
such as printing a report from a desktop computer.

Data in-transit. Actions that transmit the data across a network, like an email
sent across the Internet, are called data-in-transit.

Data at-rest. Data-at-rest is data that is stored on electronic media.

Because cryptography can provide protection to data in these three states and not
in just one single state, this makes cryptography a key defense against threat actors.

Cryptography Constraints
Despite providing widespread protections, cryptography faces constraints (limitations)
that can impact its effectiveness. In recent years, the number of small electronic devices
that consume very small amounts of power (low-power devices) has grown significantly.
These devices range from tiny sensors that control office heating and lighting to consumer
devices such as wireless security cameras and even lightbulbs. Increasingly, these devices
need to be protected from threat actors who could use data accumulated from these devices
in nefarious ways, such as intercepting the signal from a wireless security camera to
determine if an individual is home alone. Cryptography is viewed as a necessary feature to
be added to these devices to enable them to provide a higher level of security.

Note

Compared with the average energy requirements of a laptop computer (60 watts) the typical
wireless sensor draws only .001 watt.

In addition, many applications require extremely fast response times. These
include communication applications (like collecting car toll road payments), high-
speed optical networking links, and secure storage devices such as solid-state disks.
Again, cryptography is a very important feature of these applications.

However, adding cryptography to low-power devices or those that have near
instantaneous response times can be a problem. To perform their computations,
cryptographic algorithms require both time and energy, which are typically in short
supply for low-power devices and applications needing ultra-fast response times.
This results in a resource vs. security constraint, or a limitation in providing strong
cryptography due to the tug-of-war between the available resources (time and energy)
and the security provided by cryptography. Ideally, for a cryptographic algorithm there
should be low latency, or a small amount of time that occurs between when something
is input into a cryptographic algorithm and the time the output is obtained. However,
some algorithms require multiple (even 10 or higher) cycles on sections of the plaintext,
each of which draws power and delays the output. One way to decrease latency is to
make the cryptographic algorithm run faster. But this increases power consumption,
which is either not available to low-power devices or would slow down the normal
operations of the device. The resource vs. security constraint is illustrated in Figure 3-4.

Figure 3-4 Resource vs. security constraint
(Figure: a trade-off among Strong security, Low latency, and Low power, plotted against the
Security, Latency, and Energy axes.)

Note

One of the techniques proposed in lightweight cryptography is to include simpler operations
like XOR instead of more complex operations.

Certification

6.1 Compare and contrast basic concepts of cryptography.

6.2 Explain cryptography algorithms and their basic characteristics.

6.4 Given a scenario, implement public key infrastructure.

It is important that there be high resiliency in cryptography, or the ability to
quickly recover from these resource vs. security constraints. Due to the importance of
incorporating cryptography in low-power devices, a new subfield of cryptography is being
developed called lightweight cryptography. This has the goal of providing cryptographic
solutions that are uniquely tailored for low-power devices that need to manage resource
vs. security constraints. Lightweight cryptography is not a weakened cryptography but
may have fewer features and be less robust than normal cryptography.

Cryptographic Algorithms

There are many variations of cryptographic algorithms. One variation is based on the
device (if any) that is used in the cryptographic process. During the last half of the
20th century all cryptography has become computer-based, whereas for the first half
of that century calculating machines were being used. Prior to this, cryptographic
algorithms were entirely hand-calculated. An example is a one-time pad (OTP) that
combines plaintext with a random key. A pad is a long sequence of random letters.
These letters are combined with the plaintext message to produce the ciphertext. To
decipher the message, the recipient must have a copy of the pad to reverse the process.

To encipher a message, the position in the alphabet of the first letter in the plaintext
message is added to the position in the alphabet of the first random letter from the
pad. For example, if SECRET is to be encrypted using the pad CBYFEA, the first letter S
(#19 of the alphabet) is added to the first letter of the pad C (#3 of the alphabet) and
then 1 is subtracted (19 + 3 - 1 = 21). This results in U (#21 of the alphabet). Each letter
is similarly encrypted (any number larger than 26 is wrapped around to the start of the
alphabet). To decipher a message, the recipient takes the first letter of the ciphertext
and subtracts the first random letter from the pad (any negative numbers are wrapped
around to the end of the alphabet). An OTP is illustrated in Table 3-2.

Note

As its name implies, the pad should be used only one time and then destroyed. Because OTP
can be hand-calculated and is the only known method to perform encryption that cannot be
broken mathematically, OTPs were used by special operations teams and resistance groups
during World War II as well as by intelligence agencies and spies during the Cold War.
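The Table 3-2 calculation as runnable code, added by the editor (not the textbook's). encipher, decipher, make_pad and the helper names are the editor's; the arithmetic follows the text's A = 1 convention with the subtract-1 step and the wraparound at both ends. make_pad draws letters from Python's secrets module, which is backed by the operating-system CSPRNG rather than the predictable PRNG the text cautions about.

```python
"""One-time pad over the 26-letter alphabet (added example, not the textbook's code).
Positions are A=1 .. Z=26, as in Table 3-2."""

import secrets
import string

_ALPHA = string.ascii_uppercase


def _pos(letter: str) -> int:
    """A -> 1, B -> 2, ..., Z -> 26."""
    return _ALPHA.index(letter) + 1


def _letter(pos: int) -> str:
    """Inverse of _pos, wrapping so that 27 -> A and 0 -> Z."""
    return _ALPHA[(pos - 1) % 26]


def encipher(plaintext: str, pad: str) -> str:
    """Ciphertext position = plaintext position + pad position - 1, wrapped."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return "".join(_letter(_pos(p) + _pos(k) - 1) for p, k in zip(plaintext, pad))


def decipher(ciphertext: str, pad: str) -> str:
    """Reverse step: ciphertext position - pad position + 1, wrapped."""
    if len(pad) < len(ciphertext):
        raise ValueError("pad must be at least as long as the message")
    return "".join(_letter(_pos(c) - _pos(k) + 1) for c, k in zip(ciphertext, pad))


def make_pad(length: int) -> str:
    """Generate a fresh pad from the OS CSPRNG; a pad must never be reused."""
    return "".join(secrets.choice(_ALPHA) for _ in range(length))


if __name__ == "__main__":
    print(encipher("SECRET", "CBYFEA"))   # UFAWIT
    print(decipher("UFAWIT", "CBYFEA"))   # SECRET
```

The unbreakability the note above refers to holds only under the conditions the code enforces or assumes: the pad is at least as long as the message, is drawn from a truly random source, and is used once. Reusing a pad lets two ciphertexts be combined to cancel the key, which is the failure mode that undid historical OTP systems.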

Another variation in cryptographic algorithms is the amount of data that is
processed at a time. Some algorithms use a stream cipher that takes one character and
replaces it with one character. Other algorithms make use of a block cipher. Whereas
a stream cipher works on one character at a time, a block cipher manipulates an entire
block of plaintext at one time. The plaintext message is divided into separate blocks of
8 to 16 bytes, and then each block is encrypted independently. For additional security,
the blocks can be randomized. Recently a third type has been introduced called a
sponge function. A sponge function takes as input a string of any length, and returns a
string of any requested variable length. This function repeatedly applies a process on
the input that has been padded with additional characters until all characters are used
(absorbed in the sponge).

Table 3-2 OTP

Plaintext | Position in alphabet | Pad | Position in alphabet | Calculation | Result
S | 19 | C | 3 | 19 + 3 - 1 = 21 | U
E | 5 | B | 2 | 5 + 2 - 1 = 6 | F
C | 3 | Y | 25 | 3 + 25 - 1 = 27, wraps to 1 | A
R | 18 | F | 6 | 18 + 6 - 1 = 23 | W
E | 5 | E | 5 | 5 + 5 - 1 = 9 | I
T | 20 | A | 1 | 20 + 1 - 1 = 20 | T

Note

Stream ciphers are less secure because the engine that generates the stream does not vary;
the only change is the plaintext itself. Block ciphers are considered more secure because the
output is more random, particularly because the cipher is reset to its original state after each
block is processed.

Note

Although hashing and checksums are similar in that they both create a value based on the
contents of a file, hashing is not the same as creating a checksum. A checksum is intended
to verify (check) the integrity of data and identify data-transmission errors, while a hash is
designed to create a unique digital fingerprint of the data.

There are three broad categories of cryptographic algorithms. These are hash
algorithms, symmetric cryptographic algorithms, and asymmetric cryptographic
algorithms.

Hash Algorithms
One type of cryptographic algorithm is a one-way hash algorithm. A hash algorithm
creates a unique digital fingerprint of a set of data. This process is called hashing, and
the resulting fingerprint is a digest (sometimes called a message digest or hash) that
represents the contents. Hashing is used primarily for comparison purposes.

Although hashing is a cryptographic algorithm, its purpose is not to create
ciphertext that can later be decrypted. Instead, hashing is intended to be one-way in
that its digest cannot be reversed to reveal the original set of data. For example, when
12 is multiplied by 34 the result is 408. If a user were asked to determine the two
numbers used to create the number 408, it would not be possible to work backward
and derive the original numbers with absolute certainty because there are too many
mathematical possibilities (2 × 204, 407 + 1, 999 - 591, 361 + 47, etc.). Hashing is similar
in that it is not possible to determine the plaintext from the digest.

A hashing algorithm is considered secure if it has these characteristics:

Fixed size. A digest of a short set of data should produce the same size as
a digest of a long set of data. For example, a digest of the single letter a is
86be7afa339d0fc7cfc785e72f578d33, while a digest of 1 million occurrences of the
letter a is 4a7f5723f954eba1216c9d8f6320431f, the same length.

Unique. Two different sets of data cannot produce the same digest. Changing
a single letter in one data set should produce an entirely different digest. For
example, a digest of Sunday is 0d716e73a2a7910bd4ae63407056d79b while a
digest of sunday (lowercase s) is 3464eb71bd7a4377967a30da798a1b54.

Original. It should not be possible to produce a data set that has a desired or
predefined hash.

Secure. The resulting hash cannot be reversed to determine the original plaintext.

Hashing is often used as a check to verify that the original contents of an item has
not been changed. For example, digests are often calculated and then posted on websites
for files that can be downloaded. After downloading the file a user can create her own
digest on the file and then compare it with the digest value posted on the website. A match
indicates that there has been no change to the original file. This is shown in Figure 3-5.
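The four characteristics and the download check described above, tried with Python's hashlib in an added example (editor's code, not the textbook's). sha256_hex, bit_difference, verify_download and digest_table are the editor's names; SAMPLE_FILE and POSTED_DIGEST are constructed stand-ins for a downloaded file and the digest a website would post beside it. bit_difference also makes the diffusion property from earlier in the chapter measurable, and digest_table produces the kind of per-algorithm listing that Table 3-3 shows later.

```python
"""Hash characteristics and download verification (added example, not the
textbook's code). SHA-256 is used because the text retires MD5 and SHA-1."""

import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Fixed-size (64 hex chars = 256 bits) digest regardless of input length."""
    return hashlib.sha256(data).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Count differing bits between two digests: a one-letter input change should
    flip roughly half of the 256 bits (diffusion)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_download(file_bytes: bytes, posted_hex: str) -> bool:
    """Recompute the digest of the downloaded file and compare it with the posted one.
    compare_digest runs in constant time, a good habit even for public digests."""
    return hmac.compare_digest(sha256_hex(file_bytes), posted_hex.lower())


def digest_table(text: str) -> dict:
    """Digests of one phrase under several algorithms, in the style of Table 3-3.
    md5/sha1 are listed for comparison only; they may be disabled on FIPS hosts."""
    data = text.encode()
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512", "sha3_512")}


# Constructed sample: a "file" and the digest its publisher would post beside it.
SAMPLE_FILE = b"example installer contents\n" * 1000
POSTED_DIGEST = sha256_hex(SAMPLE_FILE)


if __name__ == "__main__":
    print(verify_download(SAMPLE_FILE, POSTED_DIGEST))          # True
    print(bit_difference(sha256_hex(b"Sunday"), sha256_hex(b"sunday")))
    for name, digest in digest_table("CengageLearning").items():
        print(f"{name:9} {digest}")
```

One caveat the figure cannot show: a digest posted on the same website as the file only proves the download matched what the site served. If the site itself was altered, both change together, which is why projects publish digests over a separately trusted channel or sign them, a topic the chapter returns to under HMAC and later under digital signatures.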

Figure 3-5 Verifying file integrity with digests
Source: https://www.kali.org/downloads/

The most common hash algorithms are Message Digest 5, Secure Hash Algorithm,
RACE Integrity Primitives Evaluation Message Digest, and Hashed Message
Authentication Code.

Message Digest 5 (MD5)
One of the earliest hash algorithms is actually a family of algorithms known as
Message Digest (MD). Four different versions of MD hashes were introduced over
almost 20 years: MD2 (1989), MD4 (1990), MD5 (1992), and MD6 (2008). The most well-
known of these algorithms is Message Digest 5 (MD5). A revision of MD4, MD5 was
designed to address MD4's weaknesses. Like MD4, the length of a message is padded
to 512 bits in length. The hash algorithm then uses four variables of 32 bits each in a
round-robin fashion to create a value that is compressed to generate the digest. Serious
weaknesses have been identified in MD5, and it is no longer considered suitable for use.

Secure Hash Algorithm (SHA)
Another family of hashes is the Secure Hash Algorithm (SHA). The first version
was SHA-0, which due to a flaw was withdrawn shortly after it was first released.
Its successor, SHA-1, was developed in 1993 by the U.S. National Security Agency
(NSA) and the National Institute of Standards and Technology (NIST). It is patterned
after MD4 and MD5, but creates a digest that is 160 bits instead of 128 bits in length.
SHA pads messages of less than 512 bits with zeros and an integer that describes the
original length of the message. The padded message is then processed through the SHA
algorithm to produce the digest.

Note

In early 2017 security researchers decisively demonstrated that SHA-1 could create the same
digest from two different plaintexts, although this weakness had been theorized for over
10 years. The compromise of SHA-1 has rendered it no longer suitable for use.

Another family of SHA hashes is known as SHA-2. SHA-2 is comprised of six
variations: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256
(the last number indicates the length in bits of the digest that is generated). SHA-2 is
currently considered to be a secure hash.

In 2015, after eight years of competition between 51 original entries, SHA-3 was
announced as a new standard. One of the design goals of SHA-3 was for it to be
dissimilar to previous hash algorithms to prevent threat actors from building upon any
previous work of compromising these algorithms. Because SHA-3 is relatively compact,
it may be suitable for some low-power devices.

RACE Integrity Primitives Evaluation Message Digest (RIPEMD)
Another hash was developed by the Research and Development in Advanced
Communications Technologies (RACE), an organization that is affiliated with the
European Union (EU). RIPEMD stands for RACE Integrity Primitives Evaluation
Message Digest, which was designed after MD4.

The primary design feature of RIPEMD is two different and independent parallel
chains of computation, the results of which are then combined at the end of the
process. There are several versions of RIPEMD, all based on the length of the digest
created. RIPEMD-128 is a replacement for the original RIPEMD and is faster than
RIPEMD-160. RIPEMD-256 and RIPEMD-320 reduce the risk of collisions but do not
provide any higher levels of security.

Hashed Message Authentication Code (HMAC)
As its name implies, a Hashed Message Authentication Code (HMAC) uses hashing
to authenticate the sender. It does this by using both a hash function and a secret
cryptographic key. A message authentication code (MAC) combines the original message
with a shared secret key that only the sender and receiver know. A hash function is then
applied to both the key and the message, and for added security they are hashed in
separate steps. When the receiver gets the HMAC it then creates its own HMAC to compare
with what was sent: if they match then it knows that the MAC came from the sender
(because only the sender has the secret key), thus authenticating the sender of the message.

Note

Any cryptographic hash function can be used in the calculation of an HMAC. For example,
if SHA-2 is used, the result would be called HMAC-SHA2.
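The sender/receiver exchange described above, as an added example using Python's hmac module (editor's code, not the textbook's). SHARED_KEY is a constructed secret, and tag, verify and send are the editor's names; the hash inside the HMAC is SHA-256, so the result is HMAC-SHA256 in the note's naming.

```python
"""HMAC-SHA256 between a sender and a receiver that share one secret key
(added example, not the textbook's code)."""

import hashlib
import hmac

# Constructed shared secret for the demo. In practice use secrets.token_bytes(32)
# and distribute it out of band; never derive it from the message.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def tag(message: bytes, key: bytes = SHARED_KEY) -> str:
    """Sender side: HMAC over the message, hex-encoded for transport.
    hmac.new performs the two-step keyed hashing the text describes."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(message: bytes, received_tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the HMAC and compare in constant time."""
    return hmac.compare_digest(tag(message, key), received_tag)


def send(message: bytes) -> tuple:
    """What travels over the network: the message and its tag."""
    return message, tag(message)


if __name__ == "__main__":
    msg, t = send(b"Layoffs at the Lakeview store will begin Monday")
    print(verify(msg, t))                        # True
    print(verify(msg + b" (or not)", t))         # False: message altered
    print(verify(msg, t, key=b"imposter-key"))   # False: wrong key
```

A plain digest would not authenticate the sender, since anyone can recompute sha256(message) after changing it; only a holder of the shared key can produce a tag that verifies. Note that HMAC gives authentication and integrity but not non-repudiation, because both parties hold the same key and either could have produced the tag.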

Table 3-3 illustrates the digests generated from several different one-way hash
algorithms using the original phrase CengageLearning.

Table 3-3 Digests generated from one-way hash algorithms

Hash | Digest
MD2 | c4b4c4568a42895c68e5d507d7f0a6ca
MD4 | 9a5b5cec21dd77d611e04e10f902e283
MD5 | 0e41799d87f1179c1b8c38c318132236
RIPEMD-160 | d4ec909f7b0f7dfb6fa45c4c91a92962649001ef
SHA-1 | 299b20adfec43b1e8fade03c0e0c61fc51b55420
SHA-256 | 133380e0ebfc19e91589c2feaa346d3e679a7529fa8d03617fcd661c997d7287
SHA-512 | 867f14c0ae57b960ba22539b0f321660e08bc6f298846cae8e10f71e57e0c2b27dd344c577bfab1ddbd3517e0e1d0da9393fbd04a467a270744ff2e78da4b08b
SHA3-512 | e7e2ca148c6b40d191d6e8e414d3db9e4c10191547a86fbee810b00a7530ff83ef43321f00ec4c9ee15d8292b68a0b77bb42b6cbbd5c889d52856e9a08695574

Symmetric Cryptographic Algorithms
The original cryptographic algorithms for encrypting and decrypting data are
symmetric cryptographic algorithms. Symmetric cryptographic algorithms use the
same single key to encrypt and decrypt a document. Unlike hashing, in which the hash
is not intended to be decrypted, symmetric algorithms are designed to encrypt and
decrypt the ciphertext. Data encrypted with a symmetric cryptographic algorithm by
Alice will be decrypted when received by Bob. It is therefore essential that the key be
kept private (confidential), because if an attacker obtained the key he could read all the
encrypted documents. For this reason, symmetric encryption is also called private key
cryptography. Symmetric encryption is illustrated in Figure 3-6 where identical keys are
used to encrypt and decrypt a document.

Figure 3-6 Symmetric (private key) cryptography [figure: Bob (sender) runs the plaintext memo
through the encryption algorithm with key 134706242008; the ciphertext is transmitted to the
remote user, and Alice (receiver) runs it through the decryption algorithm with the identical
key to recover the plaintext]

Symmetric cryptography can provide strong protections against attacks if
the key is kept secure. Common symmetric cryptographic algorithms include the
Data Encryption Standard, Triple Data Encryption Standard, Advanced Encryption
Standard, and several other algorithms.

Data Encryption Standard (DES)
One of the first widely popular symmetric cryptography algorithms was the Data
Encryption Standard (DES). The predecessor of DES was a product originally
designed in the early 1970s by IBM called Lucifer that had a key length of 128 bits.
The key was later shortened to 56 bits and renamed DES. The U.S. government
officially adopted DES as the standard for encrypting non-classified information.


Although DES was once widely implemented, its 56-bit key is no longer considered
secure and has been broken several times. It is no longer considered suitable for use.

Triple Data Encryption Standard (3DES)
Triple Data Encryption Standard (3DES) is designed to replace DES. As its name
implies, 3DES uses three rounds of encryption instead of just one. The ciphertext of
one round becomes the entire input for the second iteration. 3DES employs a total of
48 iterations in its encryption (3 iterations times 16 rounds). The most secure versions
of 3DES use different keys for each round, as shown in Figure 3-7. By design, 3DES
performs better in hardware than in software.

Note

DES effectively catapulted the study of cryptography into the public arena. Until the
deployment of DES, cryptography was studied almost exclusively by military personnel. The
popularity of DES helped move cryptography implementation and research to academic and
commercial organizations.

Figure 3-7 3DES [figure: the plaintext memo passes through encryption algorithm 1 (key 16081)
to give ciphertext 1, through encryption algorithm 2 (key 65329) to give ciphertext 2, and
through encryption algorithm 3 (key 98730) to give ciphertext 3]


Although 3DES addresses several of the key weaknesses of DES, it is no longer
considered the most secure symmetric cryptographic algorithm.

Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) is a symmetric cipher that was approved
by the NIST in late 2000 as a replacement for DES. AES performs three steps on every
block (128 bits) of plaintext. Within step 2, multiple rounds are performed depending
upon the key size: a 128-bit key performs 9 rounds, a 192-bit key performs 11 rounds,
and a 256-bit key, known as AES-256, uses 13 rounds. Within each round, bytes are
substituted and rearranged, and then special multiplication is performed based on the
new arrangement. To date, no attacks have been successful against AES.

Other Algorithms
Rivest Cipher (RC) is a family of six algorithms, ranging from RC1 to RC6 (however, there
was no release of RC1 or RC3). RC2 is a block cipher that processes blocks of 64 bits.
RC4 is a stream cipher that accepts keys up to 128 bits in length. RC5 is a block cipher
that can accept blocks and keys of different lengths. RC6 has three key sizes (128, 192,
and 256 bits) and performs 20 rounds on each block.

Blowfish is a block cipher algorithm that operates on 64-bit blocks and can have
a key length from 32 to 448 bits. Blowfish was designed to run efficiently on 32-bit
computers. To date, no significant weaknesses have been identified. A later derivation
of Blowfish known as Twofish is also considered to be a strong algorithm, although it
has not been used as widely as Blowfish.

The International Data Encryption Algorithm (IDEA) dates back to the early 1990s
and is used in European nations. It is a block cipher that processes 64 bits with a
128-bit key with 8 rounds. It is generally considered to be secure.

Asymmetric Cryptographic Algorithms
If Bob wants to send an encrypted message to Alice using symmetric encryption, he
must be sure that she has the key to decrypt the message. Yet how should Bob get the
key to Alice? He cannot send it electronically through the Internet, because that would
make it vulnerable to interception by attackers. Nor can he encrypt the key and send
it, because Alice would not have a way to decrypt the encrypted key. This example
illustrates the primary weakness of symmetric encryption algorithms: distributing
and maintaining a secure single key among multiple users, who are often scattered
geographically, poses significant challenges.

Note

In some versions of 3DES, only two keys are used, but the first key is repeated for the third
round of encryption. The version of 3DES that uses three keys is estimated to be 2 to the
power of 56 times stronger than DES.

A completely different approach from symmetric cryptography is asymmetric
cryptographic algorithms, also known as public key cryptography. Asymmetric
encryption uses two keys instead of only one. These keys are mathematically related
and are called the public key and the private key. The public key is known to everyone
and can be freely distributed, while the private key is known only to the individual
to whom it belongs. When Bob wants to send a secure message to Alice, he uses
Alice's public key to encrypt the message. Alice then uses her private key to decrypt it.
Asymmetric cryptography is illustrated in Figure 3-8.

Figure 3-8 Asymmetric (public key) cryptography [figure: Bob (sender) encrypts the plaintext
memo with Alice's public key; the ciphertext is transmitted to the remote user, and Alice
(receiver) decrypts it with Alice's private key; the two keys are different]

Note

Different cryptographers were working on the idea of asymmetric encryption in the early
1970s. The development is often credited to Whitfield Diffie and Martin Hellman based on a
publication of their paper New Directions in Cryptography in November 1976.


The RSA algorithm multiplies two large prime numbers (a prime number is a
number divisible only by itself and 1), p and q, to compute their product (n = p × q).
Next, a number e is chosen that is less than n and has no common factor with
(p - 1)(q - 1) other than 1. Another number d is determined, so that (ed - 1) is divisible
by (p - 1)(q - 1). The values of e and d are the public and private exponents. The public
key is the pair (n, e) while the private key is (n, d). The numbers p and q can be discarded.

An illustration of the RSA algorithm using very small numbers is as follows:

1. Select two prime numbers, p and q (in this example p = 7 and q = 19).

2. Multiply p and q together to create n (7 × 19 = 133).

3. Calculate m as (p - 1) × (q - 1) ([7 - 1] × [19 - 1] or 6 × 18 = 108).

Several important principles regarding asymmetric cryptography are:

Key pairs. Unlike symmetric cryptography that uses only one key, asymmetric
cryptography requires a pair of keys.

Public key. Public keys by their nature are designed to be public and do not
need to be protected. They can be freely given to anyone or even posted on the
Internet.

Private key. The private key should be kept confidential and never shared.

Both directions. Asymmetric cryptography keys can work in both directions. A
document encrypted with a public key can be decrypted with the corresponding
private key. In the same way, a document encrypted with a private key can be
decrypted with its public key.

Note

RSA stands for the last names of its three developers, Ron Rivest, Adi Shamir, and Leonard Adleman.

Note

No user other than the owner should ever have the private key.

The common asymmetric cryptographic algorithms include RSA, Elliptic Curve
Cryptography, Digital Signature Algorithm, and those relating to Key Exchange.

RSA
The asymmetric algorithm RSA was published in 1977. RSA is the most common
asymmetric cryptography algorithm and is the basis for several products.


Figure 3-9 Elliptic curve cryptography (ECC) [figure: points A, B, and C on an elliptic curve,
with the coordinates (1, 1) and (2, 2) marked]

4. Find a number e so that it and m have no common positive divisor other than
1 (e = 5).

5. Find a number d so that d = (1 + n × m) / e ([1 + 133 × 108] / 5 or 14,365 / 5 = 2873).

For this example, the public key n is 133 and e is 5, while for the private key n is 133
and d is 2873.
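
The five steps above carried out in Python, as an added example rather than the textbook's code: the key is built from p = 7, q = 19 and e = 5, the book's d = 2873 is checked against the rule that (e × d - 1) must be divisible by m, and a small constructed value is encrypted and decrypted in both directions. Real keys use primes of over 1000 bits; these toy values only illustrate the arithmetic.

```python
from math import gcd

P, Q, E = 7, 19, 5   # the textbook's toy values


def rsa_keygen(p: int, q: int, e: int):
    """Steps 1-5: derive the public key (n, e) and a private key (n, d)."""
    n = p * q                              # step 2
    m = (p - 1) * (q - 1)                  # step 3
    if gcd(e, m) != 1:                     # step 4: e and m share no divisor but 1
        raise ValueError("e must have no common factor with (p-1)(q-1)")
    d = pow(e, -1, m)                      # step 5: smallest d with e*d = 1 (mod m)
    return (n, e), (n, d)


def private_exponent_is_valid(e: int, d: int, m: int) -> bool:
    """Any d for which (e*d - 1) is divisible by m works, the book's 2873 included."""
    return (e * d - 1) % m == 0


def rsa_apply(key, value: int) -> int:
    """Raise value to the key's exponent modulo n (used to encrypt or decrypt)."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than n")
    return pow(value, exponent, n)


if __name__ == "__main__":
    public, private = rsa_keygen(P, Q, E)
    n, d = private
    print("public key:", public, "private key:", private)
    print("book's d = 2873 valid:", private_exponent_is_valid(E, 2873, (P - 1) * (Q - 1)))
    plaintext = 65                                # constructed sample value, below n
    ciphertext = rsa_apply(public, plaintext)     # encrypt with Alice's public key
    print("ciphertext:", ciphertext)
    print("decrypted:", rsa_apply((n, 2873), ciphertext))  # decrypt with her private key
    # Both directions: apply the private key first, then the public key.
    print("other direction:", rsa_apply(public, rsa_apply((n, 2873), plaintext)))
```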

Note

RSA is slower than other algorithms. DES is approximately 100 times faster than RSA in
software and between 1000 and 10,000 times as fast in hardware.

Elliptic Curve Cryptography (ECC)
Elliptic curve cryptography (ECC) was first proposed in the mid-1980s. Instead of
using large prime numbers as with RSA, elliptic curve cryptography uses sloping
curves. An elliptic curve is a function drawn on an X-Y axis as a gently curved line. By
adding the values of two points on the curve, a third point on the curve can be derived,
of which the inverse is used as illustrated in Figure 3-9. With ECC, users share one
elliptic curve and one point on the curve. One user chooses a secret random number
and computes a public key based on a point on the curve; the other user does the
same. They can now exchange messages because the shared public keys can generate a
private key on an elliptic curve.


ECC is considered an alternative to prime-number-based asymmetric
cryptography for mobile and wireless devices. Because mobile devices are limited
in terms of computing power due to their smaller size, ECC offers security that is
comparable to other asymmetric cryptography but with smaller key sizes. This can
result in faster computations and lower power consumption.

Digital Signature Algorithm (DSA)
Asymmetric cryptography also can be used to provide proofs. Suppose that Alice
receives an encrypted document that says it came from Bob. Although Alice can be sure
that the encrypted message was not viewed or altered by someone else while being
transmitted, how can she know for certain that Bob was the sender? Because Alice's
public key is widely available, anyone could use it to encrypt the document. Another
individual could have created a fictitious document, encrypted it with Alice's public
key, and then sent it to Alice while pretending to be Bob. Alice's key can verify that no
one read or changed the document in transport, but it cannot verify the sender.

Proof can be provided with asymmetric cryptography, however, by creating a
digital signature, which is an electronic verification of the sender. A handwritten
signature on a paper document serves as proof that the signer has read and agreed
to the document. A digital signature is much the same, but can provide additional
benefits. A digital signature can:

Verify the sender. A digital signature serves to confirm the identity of the person
from whom the electronic message originated.

Prevent the sender from disowning the message. The signer cannot later attempt to
disown it by claiming the signature was forged (nonrepudiation).

Prove the integrity of the message. A digital signature can prove that the message
has not been altered since it was signed.

The Digital Signature Algorithm (DSA) is a U.S. federal government standard for
digital signatures. DSA was proposed by NIST in 1991 for use in their Digital Signature
Standard (DSS). Although patented, NIST has made this patent available worldwide
royalty-free. The standard continues to be revised and updated periodically by NIST.

The basis for a digital signature rests on the ability of asymmetric keys to work
in both directions (a public key can encrypt a document that can be decrypted with a
private key, and the private key can encrypt a document that can be decrypted by the
public key).

The steps for Bob to send a digitally signed message to Alice are:

1. After creating a memo, Bob generates a digest on it.

2. Bob then encrypts the digest with his private key. This encrypted digest is the
digital signature for the memo.

3. Bob sends both the memo and the digital signature to Alice.

4. When Alice receives them, she decrypts the digital signature using Bob's public
key, revealing the digest. If she cannot decrypt the digital signature, then she
knows that it did not come from Bob (because only Bob's public key can decrypt
the digest generated with his private key).

5. Alice then hashes the memo with the same hash algorithm Bob used and
compares the result to the digest she received from Bob. If they are equal, Alice can
be confident that the message has not changed since he signed it. If the digests are
not equal, Alice will know the message has changed since it was signed.

These steps are illustrated in Figure 3-10.
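
Steps 1 to 5 as an added Python example (not the textbook's code): the memo is hashed with SHA-256, the digest is "encrypted" with Bob's private exponent, and Alice recovers it with his public exponent and compares it with her own digest. The primes, the exponent and the memo are constructed toy values, and the digest is reduced modulo n as a shortcut where real signatures use a padding scheme such as PSS.

```python
import hashlib

# Constructed toy key material (far too small for real use).
P, Q, E = 999983, 1000003, 65537
MEMO = b"Confidential Memo: Layoffs at the Lakeview store will begin..."


def rsa_keygen(p: int, q: int, e: int):
    """Public key (n, e) and private key (n, d) from two primes and exponent e."""
    n, m = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, m))


def memo_digest(memo: bytes, n: int) -> int:
    """Step 1 (Bob) and step 5 (Alice): hash the memo with the same algorithm.

    The 256-bit digest is reduced modulo n so it fits the toy key; a real
    implementation would instead pad the digest (PKCS#1 v1.5 or PSS).
    """
    return int.from_bytes(hashlib.sha256(memo).digest(), "big") % n


def sign(private_key, memo: bytes) -> int:
    """Step 2: Bob encrypts the digest with his private key."""
    n, d = private_key
    return pow(memo_digest(memo, n), d, n)


def verify(public_key, memo: bytes, signature: int) -> bool:
    """Steps 4 and 5: Alice decrypts the signature with Bob's public key and
    compares the revealed digest with her own digest of the memo."""
    n, e = public_key
    revealed = pow(signature, e, n)
    return revealed == memo_digest(memo, n)


if __name__ == "__main__":
    bob_public, bob_private = rsa_keygen(P, Q, E)
    signature = sign(bob_private, MEMO)            # step 2
    # Step 3: Bob sends (MEMO, signature) to Alice; note the memo itself is not encrypted.
    print("signature verifies:", verify(bob_public, MEMO, signature))
    tampered = MEMO.replace(b"Lakeview", b"Riverside")
    print("altered memo verifies:", verify(bob_public, tampered, signature))
    # A signature made with someone else's private key fails against Bob's public key.
    _, other_private = rsa_keygen(104723, 104729, E)
    print("forged signature verifies:", verify(bob_public, MEMO, sign(other_private, MEMO)))
```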

Figure 3-10 Digital signature [figure: step 1, Bob (sender) runs the plaintext memo through the
hash algorithm to produce the digest 93827653; step 2, the asymmetric cryptographic algorithm
encrypts the digest with Bob's private key to form the digital signature; step 3, the memo and
the digital signature are transmitted to the remote user; step 4, Alice (receiver) decrypts the
digital signature with Bob's key using the asymmetric cryptographic algorithm to recover the
digest; step 5, Alice hashes the memo herself and the digests match]

Note

Using a digital signature does not encrypt the message itself. In the example, if Bob wanted
to ensure the privacy of the message, he also would have to encrypt it using Alice's public key.


Key Exchange
Even though asymmetric cryptography allows two users to send encrypted messages
using separate public and private keys, it does not completely solve the problem of
sending and receiving keys (key exchange), such as exchanging a symmetric private
key. One solution is to make the exchange outside of the normal communication
channels (for example, Alice could hire Charlie to carry a USB flash drive containing
the key directly to Bob).

Table 3-4 Asymmetric cryptography practices

Action | Whose key to use | Which key to use | Explanation
Bob wants to send Alice an encrypted message | Alice's key | Public key | When an encrypted message is to be sent, the recipient's, and not the sender's, key is used.
Alice wants to read an encrypted message sent by Bob | Alice's key | Private key | An encrypted message can be read only by using the recipient's private key.
Bob wants to send a copy to himself of the encrypted message that he sent to Alice | Bob's key | Public key to encrypt; private key to decrypt | An encrypted message can be read only by the recipient's private key. Bob would need to encrypt it with his public key and then use his private key to decrypt it.
Bob receives an encrypted reply message from Alice | Bob's key | Private key | The recipient's private key is used to decrypt received messages.
Bob wants Susan to read Alice's reply message that he received | Susan's key | Public key | The message should be encrypted with Susan's key for her to decrypt and read with her private key.
Bob wants to send Alice a message with a digital signature | Bob's key | Private key | Bob's private key is used to encrypt the hash.
Alice wants to see Bob's digital signature | Bob's key | Public key | Because Bob's public and private keys work in both directions, Alice can use his public key to decrypt the hash.

Public and private keys may result in confusion regarding whose key to use and
which key should be used. Table 3-4 lists the practices to be followed when using
asymmetric cryptography.


There are different solutions for a key exchange that occurs within the normal
communications channel of cryptography, including:

Diffie-Hellman (DH). The Diffie-Hellman (DH) key exchange requires Alice
and Bob to each agree upon a large prime number and related integer. Those
two numbers can be made public, yet Alice and Bob, through mathematical
computations and exchanges of intermediate values, can separately create the
same key.

Diffie-Hellman Ephemeral (DHE). Whereas DH uses the same keys each time,
Diffie-Hellman Ephemeral (DHE) uses different keys. Ephemeral keys are
temporary keys that are used only once and then discarded.

Elliptic Curve Diffie-Hellman (ECDH). Elliptic Curve Diffie-Hellman (ECDH) uses
elliptic curve cryptography instead of prime numbers in its computation.

Perfect forward secrecy. Public key systems that generate random public keys that
are different for each session are said to provide perfect forward secrecy. The value of
perfect forward secrecy is that if the secret key is compromised, it cannot reveal
the contents of more than one message.
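
The DH exchange as an added Python example (not from the textbook): both sides reach the same key from the public intermediate values, and running it with fresh (ephemeral) keys per session shows why DHE gives forward secrecy while static DH does not. The prime and generator are constructed toy parameters; deployed systems use standardized groups of 2048 bits or more.

```python
import hashlib
import secrets

# Constructed toy parameters that Alice and Bob agree on; both may be public.
P = 2**127 - 1      # a large prime (a Mersenne prime, chosen for convenience)
G = 5               # the related integer (generator)


def dh_keypair(p: int = P, g: int = G):
    """One party's secret exponent and the public value derived from it."""
    private = secrets.randbelow(p - 3) + 2       # secret, 2 <= private <= p-2
    public = pow(g, private, p)                  # intermediate value sent to the peer
    return private, public


def public_value_is_sane(public: int, p: int = P) -> bool:
    """Reject trivial peer values (0, 1, p-1) that would force a predictable key."""
    return 2 <= public <= p - 2


def dh_shared_secret(my_private: int, their_public: int, p: int = P) -> int:
    """g^(ab) mod p: both sides reach it from their own secret and the peer's public value."""
    if not public_value_is_sane(their_public, p):
        raise ValueError("bad peer public value")
    return pow(their_public, my_private, p)


def session_key(shared: int) -> bytes:
    """Turn the shared secret into a symmetric key (here simply a SHA-256 hash)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_session(alice_keys, bob_keys):
    """One exchange; returns the key each side derived as (alice_key, bob_key)."""
    alice_private, alice_public = alice_keys
    bob_private, bob_public = bob_keys
    alice_key = session_key(dh_shared_secret(alice_private, bob_public))
    bob_key = session_key(dh_shared_secret(bob_private, alice_public))
    return alice_key, bob_key


def static_dh_sessions(count: int):
    """DH with the same long-term keys each time: every session gets the same key."""
    alice, bob = dh_keypair(), dh_keypair()
    return [run_session(alice, bob) for _ in range(count)]


def ephemeral_dh_sessions(count: int):
    """DHE: new keys per session, so one compromised session key reveals no other."""
    return [run_session(dh_keypair(), dh_keypair()) for _ in range(count)]


if __name__ == "__main__":
    alice_key, bob_key = run_session(dh_keypair(), dh_keypair())
    print("both sides derived the same key:", alice_key == bob_key)
    static = static_dh_sessions(2)
    print("static DH, two sessions share a key:", static[0][0] == static[1][0])
    ephemeral = ephemeral_dh_sessions(2)
    print("DHE, two sessions share a key:", ephemeral[0][0] == ephemeral[1][0])
```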

Cryptographic Attacks

Certification

1.2 Compare and contrast types of attacks.

1.6 Explain the impact associated with types of vulnerabilities.

6.1 Compare and contrast basic concepts of cryptography.

Because cryptography provides a high degree of protection, it is a defense that
remains under attack by threat actors for any vulnerabilities. Several of the more
common cryptographic attacks include those that target algorithm weaknesses or
implementations and those that exploit collisions.

Algorithm Attacks
Modern cryptographic algorithms are typically reviewed, tested, and vetted by
specialists in cryptography over several years before they are released to the public
for use. And very few threat agents have the advanced skills needed to even attempt
to break an algorithm. However, there are other methods by which attackers can
focus on circumventing strong algorithms. These include known ciphertext attacks,
downgrade attacks, using deprecated algorithms, and taking advantage of improperly
implemented algorithms.


Known Ciphertext Attack
When properly implemented, cryptography prevents the threat actor from knowing
the plaintext or the key; the only item that she can see is the ciphertext itself. Yet there
are statistical tools that can be used to attempt to discover a pattern in the ciphertexts,
which then may be useful in revealing the plaintext or key. This is called a known
ciphertext attack (sometimes called a ciphertext-only attack), because all that is
known is the ciphertext, but this can still reveal clues that may be mined.

Note

Wireless data networks are particularly susceptible to known ciphertext attacks. This is
because threat actors can capture large sets of ciphertexts to be analyzed, and the attackers
may be able to inject their own frames into the wireless transmissions.

The type of information that can be used in a known ciphertext attack is listed in
Table 3-5.

Table 3-5 Known ciphertext analysis

Statistic | Example | How used
Underlying language of plaintext | English | By knowing which language is used for the plaintext message, inferences can be made regarding statistical values of that language.
Distribution of characters | In English, E is the most commonly used letter and Q the least commonly used | Patterns can emerge when more common letters are used more frequently.
Null ciphertexts | Distinguishing between actual ciphertexts and injected null messages | Attackers may inject a frame that contains null values to compare it with the frames containing ciphertext.
Management frames | Analyze content of network management information | Because network management frames typically contain information that remains constant, this can help establish patterns.

Downgrade Attack
New hardware and software are introduced frequently, and they often include
backward compatibility so that a newer version can still function with the older
version. However, in most instances this means that the newer version must revert
to the older and less secure version. In a downgrade attack a threat actor forces the
system to abandon the current higher security mode of operation and instead fall
back to implementing an older and less secure mode. This then allows the threat actor
to attack the weaker mode.

Using Deprecated Algorithms
Deprecated means something that is disapproved of. Using deprecated algorithms
means to use a cryptographic algorithm that, although still available, should not be
used because of known vulnerabilities. Selecting weak algorithms, like DES or SHA-1,
should be avoided since these could be broken by a threat actor.

Note

It is the duty of all security professionals to stay current on the status of the viability of
cryptographic algorithms.

Improper Implementation
Many breaches of cryptography are the result not of weak algorithms but instead of
incorrect configurations or uses of the cryptography, known as misconfiguration
implementation. Many cryptographic algorithms have several configuration options,
and unless careful consideration is given to these options the cryptography may be
improperly implemented. Careless users can also seriously weaken cryptography, for
example by choosing SHA-224 when the much stronger SHA-512/256 is available from the
same menu, or by exposing their asymmetric private key.

Collision Attacks
One of the foundations of a hash algorithm is that each digest must be unique. If
it were not unique then a threat actor could trick users into performing an action
that was assumed to be safe but in reality, was not. For example, digests are often
calculated and then posted on websites for files that can be downloaded. After
downloading the file a user can create her own digest on the file and then compare it
with the digest value posted on the website, assuring that there has been no change
to the original file. Suppose an attacker could infiltrate that website and post her own
malicious file for download, and the digest generated for this malicious file turned out
to be the same as the one posted for the legitimate file. When two files have the same
hash this is known as a collision. A collision attack is an attempt to find two input
strings of a hash function that produce the same hash result.

A hash digest of a short set of data is the same size as a digest of a long
set of data (a digest of the single letter a is the same length as a digest of 1 million
occurrences of the letter a). This means that there is a possibility that there could be
a collision of hash digests. While for hash algorithms that produce long digests, like
SHA3-512, the odds of such a collision are very low, for hash algorithms that produce
shorter digests, such as MD5, the odds increase, although it would still be difficult.

Note

Table 3-3 shows a comparison of the lengths of various digests.

Typically, a threat actor would be forced to try all possible combinations until a
collision was found. However, there is a statistical phenomenon that makes it easier.
This is called the birthday attack. It is based on the birthday paradox, which says that
for there to be a 50 percent chance that someone in a given room shares your birthday,
253 people would need to be in the room. If, however, you are looking for a greater than
50 percent chance that any two people in the room have the same birthday, you only
need 23 people. Thats because the matches are based on pairs. If you choose yourself
as one side of the pair, then you will need 253 people to have 253 pairs (in other
words, it is you combined with 253 other people to make up all 253 sets). But if you are
only concerned with matches and not concerned with matching someone with you
specifically, then you only need 23 people in the room, because it only takes 23people
to form 253 pairs when cross-matched with each other. This applies to hashing
collisions in that it is much harder to find something that collides with a specific hash
than it is to find any two inputs that hash to the same value.
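
The birthday arithmetic above and its consequence for digest length, as an added Python example (not the textbook's): the 253-person and 23-person probabilities are computed directly, the 2^(bits/2) birthday bound is applied to the digest sizes from Table 3-3, and a collision is found empirically on a SHA-256 digest truncated to 24 bits, which shows how little work a short digest costs an attacker compared with matching one specific digest.

```python
import hashlib
import os


def prob_match_with_you(people: int, days: int = 365) -> float:
    """Chance that at least one of `people` others shares YOUR birthday."""
    return 1 - ((days - 1) / days) ** people


def prob_any_pair_match(people: int, days: int = 365) -> float:
    """Chance that ANY two of `people` share a birthday (the birthday paradox)."""
    no_match = 1.0
    for i in range(people):
        no_match *= (days - i) / days
    return 1 - no_match


def pairs(people: int) -> int:
    """Number of pairs when `people` are cross-matched with each other (23 -> 253)."""
    return people * (people - 1) // 2


def birthday_bound(digest_bits: int) -> float:
    """Inputs needed for roughly a 50 percent chance of ANY collision,
    versus about 2**digest_bits to collide with one SPECIFIC digest."""
    return 2 ** (digest_bits / 2)


def truncated_prefix(data: bytes, bits: int = 24) -> int:
    """The first `bits` bits of SHA-256(data), standing in for a short digest."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_truncated_collision(bits: int = 24):
    """Birthday search: random inputs until two share a `bits`-bit prefix.

    Returns (x, y, tries). The expected tries are near 2**(bits/2), not 2**bits,
    because every new input is compared against all earlier ones (pairs).
    """
    seen = {}
    tries = 0
    while True:
        x = os.urandom(8)                     # constructed random input
        tries += 1
        prefix = truncated_prefix(x, bits)
        if prefix in seen and seen[prefix] != x:
            return seen[prefix], x, tries
        seen[prefix] = x


if __name__ == "__main__":
    print("253 others, someone matches you:", round(prob_match_with_you(253), 4))
    print("23 people, any pair matches:    ", round(prob_any_pair_match(23), 4))
    print("pairs among 23 people:", pairs(23))
    for name, bits in [("MD5", 128), ("SHA-1", 160), ("SHA-256", 256), ("SHA3-512", 512)]:
        print(f"{name:9s} ~2^{bits // 2} inputs for a 50% collision chance:", birthday_bound(bits))
    x, y, tries = find_truncated_collision(24)
    print(f"24-bit collision after {tries} tries: {x.hex()} vs {y.hex()}")
```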

Note

With the birthday paradox, the question is whether each person must link with every other
person. If so, only 23 people are needed; if not, comparing only your single birthday to
everyone else's, 253 people are needed.

Using Cryptography

Certification

3.3 Given a scenario, implement secure systems design.

Ideally cryptography should be used to secure data-in-transit, data-at-rest, and
when possible data-in-use. This includes individual files, databases, removable
media, or data on mobile devices. Cryptography can be applied through either
software or hardware.


Encryption through Software
Encryption can be implemented through cryptographic software running on a system
so that it can be applied to individual files by using the software to encrypt and decrypt
each file. The encryption also can be performed on a larger scale through the file
system or by encrypting the entire disk drive itself.

File and File System Cryptography
Encryption software can be used to encrypt or decrypt files one by one. However, this
can be a cumbersome process. Instead, protecting groups of files, such as all files in a
specific folder, can take advantage of the operating system's file system. A file system is
a method used by operating systems to store, retrieve, and organize files.

Protecting individual files or multiple files through file system cryptography
can be performed using software such as Pretty Good Privacy and operating system
encryption features.

Pretty Good Privacy (PGP)
One widely used asymmetric cryptography software for encrypting files and email
messages is a commercial product called Pretty Good Privacy (PGP). It uses both
asymmetric and symmetric cryptography. PGP generates a random symmetric key
and uses it to encrypt the message. The symmetric key is then encrypted using the
receiver's public key and sent along with the message. When the recipient receives
a message, PGP first decrypts the symmetric key with the recipient's private key. The
decrypted symmetric key is then used to decrypt the rest of the message.

Note

PGP uses symmetric cryptography because it is faster than asymmetric cryptography.

There are similar programs to PGP that are available. GNU Privacy Guard (which
was originally abbreviated GPG but is now GnuPG) is an open-source product that
runs on different operating systems. OpenPGP is another open-source alternative that
is based on PGP.

Operating System Encryption
Modern operating systems provide encryption support natively. Microsoft's Encrypting
File System (EFS) is a cryptography system for Windows operating systems that use
the Windows NTFS file system, while Apple's FileVault performs a similar function.
Because these are tightly integrated with the file system, file encryption and decryption
are transparent to the user. Any file created in an encrypted folder or added to an
encrypted folder is automatically encrypted. When an authorized user opens a file, it
is decrypted as data is read from a disk; when a file is saved, the operating system
encrypts the data as it is written to a disk.

Full Disk Encryption
Cryptography can also be applied to entire disks instead of individual files or groups of
files. This is known as full disk encryption (FDE) and protects all data on a hard drive.
One example of full disk encryption software is that included in Microsoft Windows
known as BitLocker drive encryption software. BitLocker encrypts the entire system
volume, including the Windows Registry and any temporary files that might hold
confidential information. BitLocker prevents attackers from accessing data by booting
from another operating system or placing the hard drive in another computer.

Note

A fundamental difference between FDE and software products like PGP and operating system
encryption is that FDE is a "set it and forget it" system: it automatically encrypts everything.
PGP and operating system encryption require the user to select and then encrypt individual
files and directories one by one.

Hardware Encryption
Software encryption suffers from the same fate as any application program: it can be
subject to attacks that exploit its vulnerabilities, and its keys live in the host's memory,
where malware can look for them. As a more secure option, cryptography can be
embedded in hardware, which keeps the keys out of reach of ordinary software attacks.
This makes hardware encryption harder to exploit than software encryption, not
impossible: hardware implementations have had flaws of their own, so the device's
firmware and its certification still matter. Hardware encryption can be applied to USB
devices and standard hard drives. More sophisticated hardware encryption options
include self-encrypting drives, the trusted platform module, and the hardware security
module.

USB Device Encryption
Many instances of data leakage are the result of USB flash drives being lost or stolen.
Although this data can be secured with software-based cryptographic application programs,
vulnerabilities in these programs can open the door for attackers to access the data.

As an alternative, encrypted hardware-based USB devices like flash drives can
be used to prevent these types of attacks. These drives resemble standard USB flash
drives, with several significant differences:

- Encrypted hardware-based USB drives will not present their storage to a computer
  until the correct password has been provided (on a keypad built into the drive or
  through the vendor's unlock software).
- All data copied to the USB flash drive is automatically encrypted.
- The external cases are designed to be tamper-resistant so attackers cannot
  disassemble the drives.


Self-Encrypting Drives (SEDs)
Just as an encrypted hardware-based USB flash drive will automatically encrypt any
data stored on it, self-encrypting drives (SEDs) can protect all files stored on them. The
drive's controller encrypts every sector with a data-encryption key that never leaves the
drive. When the computer or other device with an SED is initially powered up, the drive
and the host device perform an authentication process. If the authentication process
fails, the drive can be configured to simply deny any access to the drive or even perform
a cryptographic erase on specified blocks of data (a cryptographic erase destroys the
decryption keys so that the data, although still physically present, can no longer be
recovered). This also makes it impossible to install the drive in another computer and
read its contents without the authentication credential.

Note

One hardware-based USB encrypted drive allows administrators to remotely prohibit
accessing the data on a device until it can verify its status, to lock out the user completely the
next time the device connects, or even to instruct the drive to initiate a self-destruct sequence
to destroy all data.

Note

SEDs are commonly found in copiers and multifunction printers as well as point-of-sale
systems used in government, financial, and medical environments.

Trusted Platform Module (TPM)
The Trusted Platform Module (TPM) is essentially a chip on the motherboard of the
computer that provides cryptographic services. For example, a TPM includes a hardware
random number generator (a physical entropy source rather than a software-only PRNG)
as well as full support for asymmetric encryption (a TPM can generate public and private
key pairs). Keys generated inside the TPM never leave it in plaintext, so malicious
software on the host can use them only through the TPM's interface and cannot copy
them. Also, the TPM can measure key components as the computer is starting up: each
boot stage (firmware, bootloader, operating system loader) is hashed and the hash is
recorded in the TPM's Platform Configuration Registers (PCRs). The TPM does not itself
halt the boot, but secrets sealed to the expected measurements, such as a BitLocker
volume key, are released only if every measured component matches. This is why, with
BitLocker, altering the boot components or moving the hard drive to a different computer
(a different TPM) results in a prompt for the recovery password before the system volume
can be unlocked.
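Measured boot and sealing, as an added Python model (not the book's code) of what the paragraph describes. The PCR extend operation is the real one (SHA-256 of the old register value concatenated with the component's hash). The storage root key, the HMAC-based sealing wrap and the boot components' bytes are assumptions standing in for the TPM's internal key, TPM2_Create with a PCR policy, and real firmware images.

```python
import hashlib
import hmac
import secrets

PCR_INIT = bytes(32)   # PCRs reset to all zeros at power-on

def extend(pcr: bytes, component: bytes) -> bytes:
    # TPM "extend": PCR_new = SHA-256(PCR_old || SHA-256(component)). One-way, so a
    # PCR cannot be set to a chosen value, only extended, and the order of extends matters.
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(chain: list) -> bytes:
    # Each stage measures the next (firmware -> bootloader -> kernel) into the
    # register before handing control to it.
    pcr = PCR_INIT
    for component in chain:
        pcr = extend(pcr, component)
    return pcr

def seal(secret: bytes, policy_pcr: bytes, srk: bytes) -> tuple:
    # Bind a 32-byte secret to a PCR value. srk stands in for the TPM's storage
    # root key, which never leaves the chip (assumption: HMAC wrap + tag model
    # what a real TPM does with TPM2_Create under a PCR policy).
    wrap = hmac.new(srk, b"wrap" + policy_pcr, hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(secret, wrap))
    tag = hmac.new(srk, b"tag" + policy_pcr + blob, hashlib.sha256).digest()
    return blob, tag

def unseal(blob: bytes, tag: bytes, current_pcr: bytes, srk: bytes) -> bytes:
    expected = hmac.new(srk, b"tag" + current_pcr + blob, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("PCR policy not satisfied: boot chain differs from sealing time")
    wrap = hmac.new(srk, b"wrap" + current_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob, wrap))

def demo() -> dict:
    srk = secrets.token_bytes(32)                 # this machine's TPM
    # Constructed stand-ins for the bytes of the boot components.
    firmware = b"UEFI firmware 1.2"
    bootloader = b"bootmgfw.efi build 1234"
    kernel = b"ntoskrnl.exe 10.0"
    good_pcr = measure_boot([firmware, bootloader, kernel])
    volume_key = secrets.token_bytes(32)          # the FDE volume master key
    blob, tag = seal(volume_key, good_pcr, srk)   # sealed at provisioning time
    result = {}
    # Normal boot: same components, same order -> same PCR -> key released.
    rebooted_pcr = measure_boot([firmware, bootloader, kernel])
    result["normal_boot_releases_key"] = unseal(blob, tag, rebooted_pcr, srk) == volume_key
    # Bootloader replaced: PCR differs, key stays sealed (BitLocker asks for the recovery password).
    tampered_pcr = measure_boot([firmware, b"bootmgfw.efi (bootkit)", kernel])
    result["tampered_pcr_differs"] = tampered_pcr != good_pcr
    try:
        unseal(blob, tag, tampered_pcr, srk)
        result["tampered_boot_releases_key"] = True
    except PermissionError:
        result["tampered_boot_releases_key"] = False
    # Same components measured in a different order also change the PCR.
    result["order_matters"] = measure_boot([bootloader, firmware, kernel]) != good_pcr
    # Drive moved to another computer: different TPM (different srk), identical PCR -> still sealed.
    try:
        unseal(blob, tag, good_pcr, secrets.token_bytes(32))
        result["other_computer_releases_key"] = True
    except PermissionError:
        result["other_computer_releases_key"] = False
    return result
```

Note what the model does not do: it never refuses to run the tampered bootloader. That is exactly the TPM's behaviour; refusing to boot unsigned code is Secure Boot's job, while the TPM only guarantees that a changed boot chain cannot obtain the sealed key.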

Note

The encrypted hardware-based USB drives described earlier can also let administrators
remotely control and track activity on the devices, and compromised or stolen drives can
be remotely disabled.


Hardware Security Module (HSM)
A Hardware Security Module (HSM) is a secure cryptographic processor. An HSM
includes an onboard key generator and key storage facility, as well as accelerated
symmetric and asymmetric encryption, and can back up sensitive material in
encrypted form. Its defining property is that private keys are generated inside the HSM
and used there; they can leave it only in wrapped (encrypted) form, if at all. Most HSMs
are network-attached appliances that can provide services to multiple devices, although
PCIe card and cloud-hosted HSMs are also common.

Chapter Summary

Cryptography is the practice of transforming information into a secure form so that
unauthorized persons cannot access it. Unlike steganography, which hides the existence
of data, cryptography masks the content of documents or messages so that they cannot
be read or altered. The original data, called plaintext, is input into a cryptographic
encryption algorithm together with a mathematical value (a key) to create ciphertext.
There are different categories and types of algorithms. A substitution cipher exchanges
one character for another. One type of substitution cipher is ROT13, in which the entire
alphabet is rotated 13 steps. Another common algorithm is the XOR cipher, which uses
the binary operation eXclusive OR that compares two bits.

The strength of a cryptographic algorithm depends upon several factors. Because modern
cryptographic algorithms rely upon underlying mathematical formulas using random
numbers, a strong random number generator is critical. One method threat actors use to
break a cryptographic algorithm is to try to uncover the underlying key through
sophisticated statistical analysis of the ciphertext (cryptanalysis). This can be thwarted
by diffusion, which means that changing a single character of plaintext should change
many characters of the ciphertext, and by confusion, which means that the key does not
relate in a simple way to the ciphertext.

Cryptography can provide confidentiality, integrity, authentication, non-repudiation, and
obfuscation. It can also protect data in any of three states: data-in-use, data-in-transit,
and data-at-rest. Yet despite providing these protections, cryptography faces constraints
that can impact its effectiveness. Adding cryptography to low-power devices or to those
that need near-instantaneous response times can be a problem, because the algorithms
require both time and energy, which are typically in short supply for low-power devices
and for applications needing ultra-fast response times. This results in a resource vs.
security constraint. Due to the importance of incorporating cryptography in low-power
devices, a new subfield of cryptography is being developed called lightweight
cryptography.

Note

Apple's Secure Enclave is a coprocessor that uses encrypted memory, contains a hardware-
based random number generator, and performs the cryptographic operations for the keys it
protects, which never leave it. Because it is critical for cryptographic functions, Apple (as of
2017) will pay up to $100,000 to anyone for exposing exploits that can extract confidential
material from its Secure Enclave processor, and will double the payout for researchers who
donate their reward to a charity.

There are many variations of cryptographic algorithms. One variation is based on the
device (if any) that is used in the cryptographic process. Another variation is the amount
of data that is processed at a time. A stream cipher encrypts one bit or byte at a time,
while a block cipher manipulates an entire block of plaintext (64 or 128 bits, for example)
at one time.

Hashing creates a unique digital fingerprint called a digest that represents the contents of
the original material. Hashing is not designed for encrypting material that will later be
decrypted. A hash algorithm is considered secure if it produces a fixed-size digest, the
original contents cannot be determined from the digest (it is one-way), and it is infeasible
to find two different inputs that produce the same digest (a collision). Common hashing
algorithms are Message Digest 5 (MD5, for which collisions are now easy to produce, so it
should not be used where collision resistance matters), Secure Hash Algorithm (SHA), and
RACE Integrity Primitives Evaluation Message Digest (RIPEMD). A Hashed Message
Authentication Code (HMAC) is not a hash algorithm by itself but combines a hash
algorithm with a secret key, so that the digest can be produced and verified only by
parties who hold that key.

Symmetric cryptography, also called private key cryptography, uses a single key to
encrypt and decrypt a message. Because the same key both encrypts and decrypts,
symmetric cryptography provides strong protection against attacks only as long as that
key is kept secret and is shared securely between the parties. Common symmetric
cryptographic algorithms include Data Encryption Standard (DES), Triple Data
Encryption Standard (3DES), Advanced Encryption Standard (AES), and several other
algorithms.

Asymmetric cryptography, also known as public key cryptography, uses two keys instead
of one. These keys are mathematically related and are known as the public key and the
private key. The public key is widely available and can be freely distributed, while the
private key is known only to its owner (the recipient of a message encrypted with the
matching public key) and must be kept secure. Asymmetric cryptography also can be
used to create a digital signature, which verifies the sender, proves the integrity of the
message, and prevents the sender from disowning the message. Common asymmetric
cryptographic algorithms include RSA, Elliptic Curve Cryptography (ECC), Digital
Signature Algorithm (DSA), and those relating to key exchange, such as Diffie-Hellman.

Because cryptography provides a high degree of protection, it remains under attack. A
known ciphertext attack (more commonly called a ciphertext-only attack) uses statistical
tools to attempt to discover a pattern in the ciphertexts, which then may be useful in
revealing the plaintext or the key. In a downgrade attack, a threat agent forces the
system to abandon the current higher security mode of operation and instead fall back to
an older and less secure mode. Using deprecated algorithms means using a cryptographic
algorithm that, although still available, should not be used because of known
vulnerabilities. Many breaches of cryptography are the result not of weak algorithms but
of incorrect configuration or use of the cryptography, known as misconfiguration
implementation.

Cryptography can be applied through either software or hardware. Software-based
cryptography can protect large numbers of files on a system or an entire disk. One of the
most widely used asymmetric cryptography systems is a commercial product called
Pretty Good Privacy (PGP); GNU Privacy Guard (GnuPG) is a similar open-source program,
and OpenPGP is the open standard that both implement. Modern operating systems
provide encryption support natively. Cryptography also can be applied to entire disks,
known as full disk encryption (FDE).

Hardware encryption moves the cryptographic operations and their keys out of reach of
ordinary software attacks, although hardware implementations are not immune to flaws.
Hardware encryption devices can protect USB devices and standard hard drives. More
sophisticated hardware encryption options include self-encrypting drives, the Trusted
Platform Module, and the Hardware Security Module.

Key Terms

Advanced Encryption Standard (AES)
algorithm
asymmetric cryptographic algorithm
birthday attack
block cipher
Blowfish
cipher
collision
collision attack
confusion
cryptography
Data Encryption Standard (DES)
data-at-rest
data-in-transit
data-in-use
deprecated algorithm
Diffie-Hellman (DH)
Diffie-Hellman Ephemeral (DHE)
diffusion
digital signature
Digital Signature Algorithm (DSA)
downgrade attack
elliptic curve cryptography (ECC)
Elliptic Curve Diffie-Hellman (ECDH)
encryption
ephemeral key
full disk encryption (FDE)
GNU Privacy Guard (GnuPG)
Hardware Security Module (HSM)
hash
Hashed Message Authentication Code (HMAC)
high resiliency
key exchange
known ciphertext attack
low latency
low-power devices
Message Digest 5 (MD5)
misconfiguration implementation
non-repudiation
obfuscation
perfect forward secrecy
Pretty Good Privacy (PGP)
private key
pseudorandom number generator (PRNG)
public key
RACE Integrity Primitives Evaluation Message Digest (RIPEMD)
random numbers
RC4
resource vs. security constraint
ROT13
RSA
Secure Hash Algorithm (SHA)
security through obscurity
self-encrypting drives (SEDs)
steganography
stream cipher
substitution cipher
symmetric cryptographic algorithm
Triple Data Encryption Standard (3DES)
Trusted Platform Module (TPM)
Twofish
XOR cipher

Review Questions

1. The Hashed Message Authentication Code (HMAC) ________.
a. encrypts only the message
b. encrypts only the key
c. encrypts the key and the message
d. encrypts the DHE key only

2. What is the latest version of the Secure Hash Algorithm?
a. SHA-2
b. SHA-3
c. SHA-4
d. SHA-5

3. Alexei was given a key to a substitution cipher. The key showed that the entire
alphabet was rotated 13 steps. What type of cipher is this?
a. AES
b. XAND13
c. ROT13
d. Alphabetic

4. Abram was asked to explain to one of his coworkers the XOR cipher. He showed his
coworker an example of adding two bits, 1 and 1. What is the result of this sum?
a. 2
b. 1
c. 0
d. 16

5. Which of the following key exchanges uses the same keys each time?
a. Diffie-Hellman-RSA (DHRSA)
b. Diffie-Hellman Ephemeral (DHE)
c. Diffie-Hellman (DH)
d. Elliptic Curve Diffie-Hellman (ECDH)

6. Public key systems that generate random public keys that are different for each
session are called ________.
a. Public Key Exchange (PKE)
b. perfect forward secrecy
c. Elliptic Curve Diffie-Hellman (ECDH)
d. Diffie-Hellman (DH)

7. What is data called that is to be encrypted by inputting it into a cryptographic
algorithm?
a. Opentext
b. Plaintext
c. Cleartext
d. Ciphertext

8. Which of these is NOT a basic security protection for information that cryptography
can provide?
a. Authenticity
b. Risk loss
c. Integrity
d. Confidentiality

9. Which areas of a file cannot be used by steganography to hide data?
a. In areas that contain the content data itself
b. In the file header fields that describe the file
c. In data that is used to describe the content or structure of the actual data
d. In the directory structure of the file system

10. Proving that a user sent an email message is known as ________.
a. Non-repudiation
b. Repudiation
c. Integrity
d. Availability

11. A(n) ________ is not decrypted but is only used for comparison purposes.
a. Key
b. Stream
c. Digest
d. Algorithm

12. Which of these is NOT a characteristic of a secure hash algorithm?
a. Collisions should be rare.
b. A message cannot be produced from a predefined hash.
c. The results of a hash function should not be reversed.
d. The hash should always be the same fixed size.

13. Alyosha was explaining to a friend the importance of protecting a cryptographic key
from cryptanalysis. He said that the key should not relate in a simple way to the
ciphertext. Which protection is Alyosha describing?
a. Diffusion
b. Confusion
c. Integrity
d. Chaos

14. Which of these is the strongest symmetric cryptographic algorithm?
a. Data Encryption Standard
b. Triple Data Encryption Standard
c. Advanced Encryption Standard
d. RC 1

15. If Bob wants to send a secure message to Alice using an asymmetric cryptographic
algorithm, which key does he use to encrypt the message?
a. Alice's private key
b. Bob's public key
c. Alice's public key
d. Bob's private key

16. Egor wanted to use a digital signature. Which of the following benefits will the digital
signature not provide?
a. Verify the sender
b. Prove the integrity of the message
c. Verify the receiver
d. Enforce nonrepudiation

17. Illya was asked to recommend the most secure asymmetric cryptographic algorithm
to his supervisor. Which of the following did he choose?
a. SHA-2
b. ME-312
c. BTC-2
d. RSA

18. At a staff meeting one of the technicians suggested that the enterprise protect its new
web server by hiding it and not telling anyone where it is located. Iosif raised his hand
and said that security through obscurity was a poor idea. Why did he say that?
a. It is an unproven approach and has never been tested.
b. It would be too costly to have one isolated server by itself.
c. It would be essentially impossible to keep its location a secret from everyone.
d. It depends too heavily upon non-repudiation in order for it to succeed.

19. What is a characteristic of the Trusted Platform Module (TPM)?
a. It provides cryptographic services in hardware instead of software.
b. It allows the user to boot a corrupted disk and repair it.
c. It is available only on Windows computers running BitLocker.
d. It includes a pseudorandom number generator (PRNG).

20. Which of these has an onboard key generator and key storage facility, as well as
accelerated symmetric and asymmetric encryption, and can back up sensitive material
in encrypted form?
a. Trusted Platform Module (TPM)
b. Hardware Security Module (HSM)
c. Self-encrypting hard disk drives (SED)
d. Encrypted hardware-based USB devices

Hands-On Projects

Note

If you are concerned about installing any of the software in these projects on your
regular computer, you can instead install the software in the Windows virtual
machine created in the Chapter 1 Hands-On Projects 1-3 and 1-4. Software installed
within the virtual machine will not impact the host computer.

Project 3-1: Using OpenPuff Steganography

Unlike cryptography that scrambles a message so that it cannot be viewed, steganography
hides the existence of the data. In this project, you use OpenPuff to create a hidden
message.

1. Use your web browser to go to embeddedsw.net/OpenPuff_Steganography_Home.html.

Note

It is not unusual for websites to change the location of where files are stored. If the
URL above no longer functions, open a search engine and search for OpenPuff.

2. Click Manual to open the OpenPuff manual. Save this file to your computer. Read
through the manual to see the different features available.
3. Click OpenPuff to download the program.
4. Click Screenshot to view a screen capture of OpenPuff. Right-click on this image and
save this image OpenPuff_Screenshot.jpg to your computer. This will be the carrier file
that will contain the secret message.
5. Navigate to the location of the download and uncompress the Zip file on your
computer.
6. Now create the secret message to be hidden. Open Notepad and enter This is a secret
message.
7. Save this file as Message.txt and close Notepad.
8. Create a Zip file from the Message file. Navigate to the location of this file through
Windows Explorer and click the right mouse button.
9. Click Send to and select Compressed (zipped) folder to create the Zip file.

Note

For added security OpenPuff allows a message to be spread across several carrier files.

10. Navigate to the OpenPuff directory and double-click OpenPuff.exe.
11. Click Hide.

Note

Under Bit selection options, note the wide variety of file types that can be used to
hide a message.

12. Under (1) create three unrelated passwords and enter them into Cryptography (A), (B),
and (C). Be sure that the Scrambling (C) password is long enough to turn the Password
check bar from red to green.
13. Under (2) locate the message to be hidden. Click Browse and navigate to the file
Message.zip. Click Open.
14. Under (3) select the carrier file. Click Add and navigate to OpenPuff_Screenshot.jpg as
shown in Figure 3-11.

Figure 3-11 OpenPuff
Source: EmbeddedSW.net

15. Click Hide Data!
16. Navigate to a different location than that of the carrier files and click OK.
17. After the processing has completed, navigate to the location of the carrier file that
contains the message and open the file. Can you detect anything different with the file
now that it contains the message?
18. Now uncover the message. Close the OpenPuff Data Hiding screen to return to the main
menu.
19. Click Unhide.
20. Enter the three passwords.
21. Click Add Carriers and navigate to the location of Carrier1 that contains the hidden
message.
22. Click Unhide! and navigate to a location to deposit the hidden message. When it has
finished processing click OK.
23. Click Done after reading the report.
24. Go to that location and you will see Message.zip.
25. Close OpenPuff and close all windows.

Project 3-2: Running an RSA Cipher Demonstration

The steps for encryption using RSA can be illustrated in a Java applet on a website. In this
project, you observe how RSA encrypts and decrypts.

Note

It is recommended that you review the section earlier in this chapter regarding the
steps in the RSA function. Current browsers no longer run Java applets, so if the
demonstration does not load, the same numbers can be worked out by hand from those
steps.

1. Use your web browser to go to people.cs.pitt.edu/~kirk/cs1501/notes/rsademo/.

Note

It is not unusual for websites to change the location of where files are stored. If the
URL above no longer functions, open a search engine and search for RSA Cipher
Demonstration.

2. Read the information about the demonstration.
3. Click key generation page.
4. Change the first prime number (P) to 7.
5. Change the second prime number (Q) to 5.
6. Click Proceed.
7. Read the information in the popup screen and record the necessary numbers. Close the
screen when finished.
8. Click Encryption Page.
9. Next to Enter Alice's Exponent key, E: enter 5 as the key value from the previous
screen.
10. Under Enter Alice's N Value: enter 35.
11. Click Encrypt. Read the message and record the values. Close the screen when finished.
12. Click Decryption Page.
13. Next to Enter the encrypted message enter 1.
14. Next to Enter your N value: enter 35.
15. Next to Enter your private key, D: enter 5.
16. Click Proceed. Note that 1 has been decrypted to A.
17. Close all windows.
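The same computation as the applet, as an added Python example that is not from the book or from the demonstration's author: key generation with the project's primes P = 7 and Q = 5 (so n = 35 and, with E = 5, D = 5), the A = 1 letter mapping the demonstration uses, and, to show why this key size is only a teaching toy, recovery of the private key from the public key by factoring n. The function names and the "HELLO" sample message are assumptions made for the example.

```python
from math import gcd

def is_prime(n: int) -> bool:
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))

def generate_keys(p: int, q: int, e: int) -> tuple:
    # RSA key generation as the demonstration performs it: n = p*q,
    # phi = (p-1)(q-1), e coprime to phi, d = inverse of e modulo phi.
    if not (is_prime(p) and is_prime(q) and p != q):
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)        # modular inverse (Python 3.8+)
    return n, e, d

def encrypt_block(m: int, e: int, n: int) -> int:
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than n")
    return pow(m, e, n)        # c = m^e mod n

def decrypt_block(c: int, d: int, n: int) -> int:
    return pow(c, d, n)        # m = c^d mod n

def encode(text: str) -> list:
    # The demonstration's mapping: A=1 ... Z=26 (so ciphertext 1 decrypts to A).
    return [ord(ch) - ord("A") + 1 for ch in text.upper()]

def decode(values: list) -> str:
    return "".join(chr(v - 1 + ord("A")) for v in values)

def encrypt_text(text: str, e: int, n: int) -> list:
    return [encrypt_block(m, e, n) for m in encode(text)]

def decrypt_text(blocks: list, d: int, n: int) -> str:
    return decode([decrypt_block(c, d, n) for c in blocks])

def recover_private_key(n: int, e: int) -> int:
    # Why toy keys are unsafe: factor n by trial division, then derive d exactly
    # as the key owner did. With a 2048-bit n this step is infeasible.
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1))
    raise ValueError("n has no small factor; not a toy RSA modulus")

def demo() -> dict:
    n, e, d = generate_keys(7, 5, 5)        # the project's values: n = 35, d = 5
    cipher = encrypt_text("HELLO", e, n)    # constructed sample message
    return {
        "public_key": (e, n),
        "private_key": (d, n),
        "ciphertext": cipher,
        "roundtrip": decrypt_text(cipher, d, n),
        "decrypt_1": decode([decrypt_block(1, d, n)]),   # the demonstration's step 16
        "recovered_d": recover_private_key(n, e),
    }

if __name__ == "__main__":
    print(demo())
```

Two things worth noticing in the output: H (8) and O (15) encrypt to themselves, because with a 35-element message space RSA has many fixed points, and the private exponent is recovered from the public key instantly. Both are artefacts of the tiny modulus, which is why real keys use primes of 1024 bits or more and pad the message before exponentiation.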

Project 3-3: Installing GUI Hash Generator and Comparing Digests

In this project, you download a GUI hash generator and compare the results of various hash
algorithms.

1. Create a Microsoft Word document with the contents Now is the time for all good
men to come to the aid of their country.
2. Save the document as Country1.docx on the desktop or in a directory specified by your
instructor.
3. Now make a single change to Country1.docx by removing the period at the end of the
sentence so it says Now is the time for all good men to come to the aid of their
country and then save the document as Country2.docx in the same directory.
4. Close the document and Microsoft Word.
5. Use your web browser to go to hashcalc.soft112.com.

Note

It is not unusual for websites to change the location of where files are stored. If the
URL above no longer functions, open a search engine and search for HashCalc. Because
this is a third-party download site, verify the installer before running it (for example,
compare its digest with one published by the vendor), which is itself an exercise in the
use of hashing.

6. Click Download.
7. Click Download 1.
8. Click External Download Link 1.
9. Follow the default instructions to install HashCalc.
10. Launch HashCalc to display the HashCalc window as seen in Figure 3-12.

Figure 3-12 HashCalc
Source: SlavaSoft

11. In addition to the hash algorithms selected by default check the box next to the
following hash algorithms to add them: MD5, SHA256, SHA384, SHA512, and MD2.
12. Click the file explore button next to Data:.
13. Navigate to the document Country1.docx.
14. Click Open.
15. In the HashCalc window click Calculate.
16. Review the different digests generated. If necessary, expand the size of the window.
What can you say about these digests? Compare MD2 with SHA512. What makes
SHA512 better than MD2? Why?
17. Click the file explore button next to Data:.
18. Navigate to the document Country2.docx.
19. Click Open.
20. In the HashCalc window click Calculate.
21. This file is the same as the previous except a single period was removed. Are the digests
different? What does this tell you about hashing digests?
22. Close all windows.
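What HashCalc shows, measured rather than eyeballed, as an added Python example that is not from the book or from HashCalc: the digest size of each algorithm and the number of digest bits that flip when the single period is removed (the diffusion property from the chapter). As an assumption, it hashes the sentence text directly instead of the two .docx files, and it omits MD2, which Python's hashlib does not guarantee to provide.

```python
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256", "sha384", "sha512")

# Constructed inputs: the project hashes two .docx files; here the sentence
# itself is hashed, with and without the final period.
COUNTRY1 = b"Now is the time for all good men to come to the aid of their country."
COUNTRY2 = COUNTRY1[:-1]

def digests(data: bytes) -> dict:
    return {name: hashlib.new(name, data).digest() for name in ALGORITHMS}

def hamming_distance(a: bytes, b: bytes) -> int:
    # Number of bit positions in which two equal-length byte strings differ.
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def compare(doc1: bytes, doc2: bytes) -> dict:
    # Per algorithm: digest length in bits and how many of those bits changed
    # between the two inputs. A sound hash changes about half of them, whatever
    # the size of the input change.
    d1, d2 = digests(doc1), digests(doc2)
    report = {}
    for name in ALGORITHMS:
        bits = len(d1[name]) * 8
        flipped = hamming_distance(d1[name], d2[name])
        report[name] = {
            "digest_bits": bits,
            "bits_flipped": flipped,
            "fraction": flipped / bits,
            "identical": d1[name] == d2[name],
        }
    return report

def digest_size_is_fixed(name: str) -> bool:
    # Same algorithm, a 1-byte input and a 1 MiB input: the digest length must not change.
    return len(hashlib.new(name, b"a").digest()) == len(hashlib.new(name, b"a" * 2**20).digest())

if __name__ == "__main__":
    for name, row in compare(COUNTRY1, COUNTRY2).items():
        print(f"{name:7s} {row['digest_bits']:4d} bits  "
              f"{row['bits_flipped']:3d} flipped ({row['fraction']:.0%})")
```

The size column answers step 16 (a longer digest means more work for a brute-force or birthday attack, 2^64 hash operations for MD5 collisions by the birthday bound versus 2^256 for SHA-512), and the flipped column answers step 21: removing one byte changes roughly half the digest bits for every algorithm, so nothing about the new digest hints at how small the edit was.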

Project 3-4: Using Microsoft's Encrypting File System (EFS)

Microsoft's Encrypting File System (EFS) is a cryptography system for Windows operating
systems that uses the Windows NTFS file system. Because EFS is tightly integrated with the
file system, file encryption and decryption are transparent to the user. In this project, you
turn on and use EFS.

Note

EFS is not available on the Home editions of Windows. The first time you encrypt a file,
Windows offers to back up your file encryption certificate and key; do so, because without
them an encrypted file cannot be recovered if the user profile is lost.

1. Create a Word document with the contents of the first two paragraphs under Today's
Attacks and Defenses on the first page of this chapter.
2. Save the document as Encrypted.docx.
3. Save the document again as Not Encrypted.docx.
4. Right-click the Start button and then click File Explorer.
5. Navigate to the location of Encrypted.docx.
6. Right-click Encrypted.docx.
7. Click Properties.
8. Click the Advanced button.
9. Check the box Encrypt contents to secure data. This document is now protected with
EFS. All actions regarding encrypting and decrypting the file are transparent to the user
and should not noticeably affect any computer operations. Click OK.
10. Click OK to close the Encrypted Properties dialog box.
11. Launch Microsoft Word and then open Encrypted.docx. Was there any delay in the
operation?
12. Now open Not Encrypted.docx. Was it any faster or slower?
13. Retain these two documents for use in the next project. Close Word.

Project 3-5: Using BestCrypt

Third-party software applications can be downloaded to protect files with cryptography. In
this project, you download and install Jetico BestCrypt.

1. Use your web browser to go to www.jetico.com.

Note

Note that this is a limited-time evaluation copy. Any files that are encrypted will only
be available as read-only after the time limit expires.

Note

It is not unusual for websites to change the location of where files are stored. If the
URL above no longer functions, open a search engine and search for Jetico BestCrypt.

2. Click Products.
3. Click Personal Privacy.
4. Click BestCrypt Container Encryption.
5. Click Download.
6. Click the Encryption tab.
7. Under BestCrypt Container Encryption click Download.
8. Follow the default installation procedures to install BestCrypt. A computer restart will be
necessary.
9. Launch BestCrypt to display the BestCrypt control panel, as seen in Figure 3-13.

Figure 3-13 BestCrypt control panel
Source: Jetico Software

10. Files to be automatically encrypted are placed in a BestCrypt container. To create a
container in the left pane right-click on the drive in which you want the container to be
created, then click Container and New.
11. Note the default file path for this container. Click Show Advanced Settings.
12. In the Security Options tab click the arrow next to Algorithm: to display the different
cryptographic algorithms. Change to Blowfish-448.

Note

Blowfish is selected here only to show that the algorithm is configurable. Its 64-bit
block size is a known weakness when large amounts of data are encrypted under one
key, so for a container you intend to keep, prefer AES.

13. Click Create.
14. The Enter password dialog box appears. Enter a strong password and confirm it.
Click OK.
15. The Seed value generation window appears. Read carefully the instructions. What is the
purpose of this? Follow the instructions by pressing random keys or moving your cursor.
16. The Format Local Disk dialog box appears. This is to format the virtual drive that will
contain your files. Click Start and then OK. When completed click Close.
17. Note that you now have a new drive letter added to your computer, which is where you
will place the files you want to encrypt. This container is entirely encrypted, including file
names and free space, and functions like a real disk. You can copy, save, or move files to
this container disk and they will be encrypted as they are being written.
18. Right-click Start and then File Explorer.
19. Click on the drive letter of the drive that BestCrypt created.
20. Now drag a file into this drive (BestCrypt container). The file is automatically encrypted.
21. Open the document from your BestCrypt container. Did it take any longer to open now
that it is encrypted? Close the document again.
22. Maximize the BestCrypt window and then click Container and Dismount to stop your
container. A container will also be unmounted when you log off.
23. Based on your experiences with BestCrypt and EFS, which do you prefer? Why? What
advantages and disadvantages do you see for both applications?
24. Close all windows.


Case Projects

Case Project 3-1: Broken SHA-1
In early 2017 security researchers decisively demonstrated that SHA-1 could produce the same
digest from two different inputs (a collision), although this weakness had been theorized for
over 10 years. The compromise of SHA-1 means it is no longer suitable for digital signatures,
certificates, or any other use that depends on collision resistance. How did they do it? Visit
the website Shattered (shattered.io) that provides information about how it was breached.
Read the Q&A section and view the Infographic. Try dragging one of your files to the File
Tester to see if it is part of the collision attack. What did you learn? How serious is a
collision? What is the impact? Write a one to two paragraph explanation of what you learned.

Case Project 3-2: Compare Cipher Tools
There are a variety of online cipher tools that demonstrate different cryptographic
algorithms. Visit the website Cipher Tools (rumkin.com/tools/cipher/) and explore the
different tools. Select three tools, one of which is mentioned in this chapter (ROT13, One-
Time Pad, etc.). Experiment with the three different tools. Which is easy to use? Which is more
difficult? Which tool would you justify to be more secure than the others? Why? Write a one-
page paper on your analysis of the tools.

Case Project 3-3: Lightweight Cryptography
Due to the importance of incorporating cryptography in low-power devices, a new subfield
of cryptography is being developed called lightweight cryptography. This has the goal of
providing cryptographic solutions that are uniquely tailored for low-power devices that need
to manage resource vs. security constraints. Research lightweight cryptography. What are its
goals? How will it work? Who is behind it? Will it be standardized? When will it appear? Write a
one-page paper on your findings.

Case Project 3-4: Twofish and Blowfish
Research Twofish and Blowfish. How secure are they? What are their features? What are their
strengths and weaknesses? How are they currently being used? How would you compare
them? Write a one-page paper on your findings.

Case Project 3-5: Hash Algorithm Comparison
Research the different hash algorithms (Message Digest, Secure Hash Algorithm, and
RIPEMD) and then create a table that compares them. Include the size of the digest, the
number of rounds needed to create the hash, block size, who created it, what previous hash it
was derived from, its strengths, and its weaknesses.

Case Project 3-6: One-Time Pad (OTP) Research
Use the Internet to research OTPs: who was behind the initial idea, when they were first used,
in what applications they were found, how they are used today, etc. Then visit an online OTP

CHAPTER 3 Basic Cryptography142

88781_ch03_hr_097-144.indd 142 8/12/17 7:24 AM

creation site such as www.braingle.com/brainteasers/codes/onetimepad.php and practice
creating your own ciphertext with OTP. If possible exchange your OTPs with other students
to see how you might try to break them. Would it be practical to use OTPs? Why or why not?
Write a one-page paper on your findings.

Case Project 3-7: Diffie-Hellman Research
How does Diffie-Hellman work? Use the Internet to research this key-sharing function.
Then visit the website dkerr.home.mindspring.com/diffie_hellman_calc.html to see how
values are created. Write a one-page paper on Diffie-Hellman.

Case Project 3-8: USB Device Encryption
Use the Internet to select four USB flash drives that support hardware encryption. Create a
table that compares all four and their features. Be sure to include any unique features that the
drives may have along with their costs. Which would you recommend? Why? Write a one-page
paper on your research.

Case Project 3-9: Lake Point Consulting Services
Lake Point Consulting Services (LPCS) provides security consulting and assurance services to
over 500 clients across a wide range of enterprises in more than 20 states. A new initiative at
LPCS is for each of its seven regional offices to provide internships to students who are in their
final year of the security degree program at the local college.

National Meteorological Services (NMS) offers in-depth weather forecasting services to
airlines, trucking firms, event planners, and other organizations that need the latest and most
accurate weather forecasting services. NMS has discovered that their forecast information,
which was being sent out as email attachments to its customers, was being freely distributed
without NMS's permission, and in some instances, was being resold by their competitors.
NMS wants to look into encrypting these weather forecast documents, but is concerned that
its customers may find decrypting the documents cumbersome. The company also wants to
provide to their customers a level of assurance that these documents originate from NMS and
have not been tampered with. NMS has asked LPCS to make a presentation about different
solutions, and LPCS has asked you to help them prepare it.

1. Create a PowerPoint presentation about encryption and the different types of
encryption. Include the advantages and disadvantages of each. Your presentation should
contain at least 10 slides.

2. After the presentation, an NMS officer asks for your recommendation regarding meeting
their needs for encryption. Create a memo communicating the actions you believe would
be best for the company to take.

Case Project 3-10: Information Security Community Site Activity
The Information Security Community Site is an online companion to this textbook. It contains a
wide variety of tools, information, discussion boards, and other features to assist learners. Go
to community.cengage.com/Infosec2 and click the Join or Sign in icon to log in, using your
login name and password that you created in Chapter 1. Click Forums (Discussion) and click
on Security1 Case Projects (6th edition). Read the following case study.

This is a true story (with minor details changed). Microsoft had uncovered several
licensing discrepancies in its software that clients were using while claiming they had
purchased it from an authorized software retailer. The sale of one software package to a
company in Tampa was traced back to a retailer in Pennsylvania, and yet the retailer had no
record of any sales to the Tampa company. A private security consulting agency was called
in, and they discovered that the network system administrator Ed in Pennsylvania was
downloading pirated software from the Internet and selling it to customers as legitimate
software behind the company's back. Ed had sold almost a half-million dollars in illegal
software. The security firm also noticed a high network bandwidth usage. Upon further
investigation, they found that Ed was using one of the company's servers as a pornographic
website with more than 50,000 images and 2500 videos. In addition, a search of Ed's
desktop computer uncovered a spreadsheet with hundreds of credit card numbers from the
company's e-commerce site. The security firm speculated that Ed was either selling these
card numbers to attackers or using them himself.

The situation was complicated by the fact that Ed was the only person who knew certain
administrative passwords for the core network router and firewall, network switches, the
corporate virtual private network (VPN), the entire Human Resources system, the email
server, and the Windows Active Directory. In addition, the company had recently installed a
Hardware Security Module (HSM) to which only Ed had the password. The security consultant
and the Pennsylvania company were worried about what Ed might do if he was confronted
with the evidence, since essentially he could hold the entire organization hostage or destroy
virtually every piece of useful information.

A plan was devised. The company invented a fictitious emergency at one of their offices
in California that required Ed to fly there overnight. The long flight gave the security team a
window of about five and a half hours during which Ed could not access the system (the flight
that was booked for Ed did not have wireless access). Working as fast as they could, the team
mapped out the network and reset all the passwords. When Ed landed in California, the chief
operating officer was there to meet him and Ed was fired on the spot.

Now it's your turn to think outside of the box. What would you have done to keep Ed
away so you could reconfigure the network? Or how could you have tricked Ed into giving up
the passwords without revealing to him that he was under suspicion? Record your answers
on the Community Site discussion board.

CHAPTER 4
ADVANCED CRYPTOGRAPHY AND PKI

After completing this chapter, you should be able to do the following:

Explain how to implement cryptography

Define digital certificates

Describe the components of Public Key Infrastructure (PKI)

Describe the different transport encryption algorithms

Today's Attacks and Defenses

Although encryption can help safeguard users' data, it is also being used by threat actors in
a new and more malicious form of ransomware. Recall that ransomware embeds itself on a
user's device, prevents the user from accessing the device's files and resources, and continues
to deny access unless a fee is paid. Now, instead of just blocking the user from accessing
the computer or device, threat actors have developed ransomware that encrypts all the files
on the device, or on any attached removable storage device or server, so that no files can be
opened. This is called crypto-malware.

CHAPTER 4 Advanced Cryptography and PKI146

The crypto-malware Spora truly stands out from the crowd. Most ransomware
generates an Advanced Encryption Standard (AES) key for each encrypted file and then
encrypts these keys with an RSA public key that has been generated by a command and
control (C&C) server and then downloaded to the local computer. The private key stays
on the server, and this is what is sent to the victims once they pay the ransom. However,
this process posed a problem for attackers. If the C&C server is known and blocked by a
firewall, the encryption process could not begin. To get around this, some ransomware used
encryption with the same RSA public key that was hard-coded into the malware. However,
once one victim paid for the decryptor tool, it could be distributed to other victims to unlock
their files.

Spora ransomware has circumvented these limitations by adding a second round of
AES and RSA encryption. This malware contains a hard-coded RSA public key, but this is
used to encrypt a unique AES key that is locally generated for every victim. This AES key in
turn is used to encrypt the private key from a public-private RSA key pair that is also unique
and locally created for each victim. Then the victim's public RSA key is used to encrypt the
AES keys that are used to encrypt the victim's files. When victims want to pay the ransom,
they must upload their encrypted AES key to the attackers' payment website. The attackers
then use their master RSA private key to decrypt it and return it to the victim with a
decryptor tool. The decryptor uses this AES key to decrypt the victim's unique RSA private
key (that was generated locally) and that key is then used to decrypt the AES keys needed to
recover the files.

So, what defenses are there for crypto-malware? The No More Ransom project1 is a
coalition of law enforcement and security companies and has 32 new decryption tools for
various ransomware variants (of course, these are no defense against Spora). As of 2017 the
delivery of ransomware is now illegal in California (previous lawsuits were brought under
existing extortion statutes). The maximum penalty for ransomware usage is four years in
state prison. California is the second state to outlaw computer ransomware, with Wyoming
passing a similar statute in 2014.

For end users, cryptography has clear benefits for safeguarding sensitive data. Users
can generate a digest on a downloaded file to compare it with that displayed on a
website to ensure that the downloaded file has not been altered. Users can also take
advantage of symmetric encryption software to encrypt sensitive documents stored
on their computers. And they can also use asymmetric encryption to send and receive
confidential email messages.

However, when cryptography is utilized in the enterprise, a new level of
complexity is added. What happens if an employee has encrypted an important
proposal but suddenly falls ill and cannot return to work? Where is her key stored?

Who can have access to it? And how can the encryption keys of hundreds or even
thousands of employees be managed?

These and other issues relating to using cryptography in the enterprise move
the discussion from the basics of cryptography to a higher level of cryptographic
procedures. In this chapter, you are introduced to advanced cryptography. First you
learn about how cryptography is implemented. Next, you explore digital certificates
along with public key infrastructure. Finally, you look at different transport
cryptographic algorithms to see how cryptography is used on data-in-transit.

Implementing Cryptography
Certification

6.1 Compare and contrast basic concepts of cryptography.

6.2 Explain cryptography algorithms and their basic characteristics.

Note

A key is different from a password. Passwords are designed to be created and remembered
by humans so that the passwords can be reproduced when necessary. A key is used by
hardware or software that is running the cryptographic algorithm; as such, human readability
is not required.

Cryptography that is improperly applied can lead to vulnerabilities that threat actors
will exploit. Thus, it is essential to understand the different options that relate to
cryptography so that it can be implemented correctly. Implementing cryptography
includes understanding key strength, secret algorithms, block cipher modes of
operation, cryptographic service providers, and the use of algorithm input values.

Key Strength
A cryptographic key is a value that serves as input to an algorithm, which then
transforms plaintext into ciphertext (and vice versa for decryption). A key, which is
essentially a random string of bits, serves as an input parameter for symmetric and
asymmetric cryptographic algorithms and selected hash algorithms.

There are three primary characteristics that determine the resiliency of the key to
attacks (called key strength). The first is its randomness. For a key to be considered
strong, it must be random with no predictable pattern. This thwarts an attacker from
attempting to uncover the key.

The second characteristic is the length of the key. Shorter keys can be more
easily broken than longer keys. All the possible values for a specific key make up its
key space. The formula for determining a given key space for symmetric algorithms
is character-set^key-length (the size of the character set raised to the power of the key
length). For example, suppose a key has a length of 3 and is using a 26-character alphabet.
The list of possible keys (aaa, aab, aac, etc.) would be 26^3 or 17,576 possible outcomes.
Thus, the key length in this example is 3 and the key space is 17,576.

On average, half the key space must be searched to discover the key. In the
example, a key with a length of only 3 that has a key space of 17,576 requires only 8788
keys to be searched (on average) until the correct key is discovered. This number of
searches is very small and can easily be compromised by a threat actor.

However, if the key length of 3 was increased by just 1 character to 4, the key space
increases to 456,976 requiring on average 228,488 attempts. Table 4-1 illustrates the key
strength for different key lengths, the key space, and average attempts necessary to
break the key for a 26-character alphabet.

Table 4-1 Key strength

Key length    Key space            Average number of attempts needed to break
3             17,576               8788
4             456,976              228,488
5             11,881,376           5,940,688
6             308,915,776          154,457,888
7             8,031,810,176        4,015,905,088
8             208,827,064,576      104,413,532,288

Note

Different cryptoperiods are recommended for different types of keys.

A third characteristic that determines key strength is its cryptoperiod, or the length
of time for which a key is authorized for use. Having a limited cryptoperiod helps
protect the ciphertext from extended cryptanalysis and limits the exposure time if a
key is compromised.

Secret Algorithms
Although keys need to be kept secret (except for public keys), does the same apply to
algorithms? That is, should an enterprise invest in hiring a cryptographer to create
a new cryptographic algorithm and then hide the existence of that algorithm from
everyone? Wouldn't such a secret algorithm enhance security in the same way as
keeping a key or password secret?

The answer is no. In the past, cryptographers have often attempted to keep their
algorithms or the workings of devices that encrypted and decrypted documents
a secret. However, this approach has always failed. One reason is because for
cryptography to be useful it needs to be widespread: a military force that uses
cryptography must by nature allow many users to know of its existence to use it.
And the more users who know about it, the more difficult it is to keep it a secret. In
contrast, a password only requires one person, the user, to keep it confidential.

Note

In 1883, Auguste Kerckhoffs, a Dutch linguist and cryptographer, published what are known
as Kerckhoffs's principles, six design standards for military ciphers. One of his principles
stated that a system should not require secrecy, so that it should not be a problem if it falls
into enemy hands. This principle is still applied today by splitting algorithms from keys:
algorithms are public while keys are private.

Note

Stream and block ciphers are covered in Chapter 3.

Block Cipher Modes of Operation
One variation in cryptographic algorithms is the amount of data that is processed at
a time. Some algorithms use a stream cipher while other algorithms make use of a
block cipher. Whereas a stream cipher works on one character at a time, a block cipher
manipulates an entire block of plaintext at one time. Because the size of the plaintext
is usually larger than the block size itself, the plaintext is divided into separate blocks
of specific lengths, and then each block is encrypted independently.

A block cipher mode of operation specifies how block ciphers should handle
these blocks. Some of the most common modes are:

Electronic Code Book (ECB). The Electronic Code Book (ECB) mode is the most
basic approach: the plaintext is divided into blocks, and each block is then
encrypted separately. However, this can result in two identical plaintext blocks
being encrypted into two identical ciphertext blocks. Attackers can use this
repetition to their advantage. They could modify the encrypted message by
modifying a block or even reshuffle the order of the blocks of ciphertext. ECB is
not considered suitable for use.

Cipher Block Chaining (CBC). Cipher Block Chaining (CBC) is a common cipher mode.
After being encrypted, each ciphertext block gets fed back into the encryption
process to encrypt the next plaintext block. Using CBC, each block of plaintext is
XORed with the previous block of ciphertext before being encrypted. Unlike ECB
in which the ciphertext depends only upon the plaintext and the key, CBC is also
dependent on the previous ciphertext block, making it much more difficult to break.

Counter (CTR). Counter (CTR) mode requires that both the message sender and
receiver access a counter, which computes a new value each time a ciphertext
block is exchanged. The weakness of CTR is that it requires a synchronous
counter for both the sender and receiver.

Galois/Counter (GCM). The Galois/Counter (GCM) mode both encrypts plaintext
and computes a message authentication code (MAC) to ensure that the
message was created by the sender and that it was not tampered with during
transmission. Like CTR, GCM uses a counter. It adds a plaintext string called
additional authentication data (AAD) to the transmission. The AAD may contain
the addresses and parameters of a network protocol that is being used.

Note

Using ECB is like assigning code words from a codebook to create an encrypted message, and
was the basis for naming this process Electronic Code Book.

Note

XOR ciphers are covered in Chapter 3.

Note

There are a variety of block cipher modes, with specific modes specializing in encryption, data
integrity, privacy and integrity, and hard drive encryption. There are even specialized modes
that gracefully recover from errors in transmission while other modes are designed to stop
upon encountering transmission errors.
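The ECB and CBC behaviour described above, as an added example that is not from the textbook: a toy 8-round Feistel block cipher (constructed here to stand in for AES, and not secure) is run in both modes so that the repeated ciphertext blocks of ECB, and what happens when ciphertext blocks are reordered under each mode, can be observed directly. The key, IV and the sample records are constructed values.

```python
import hashlib

BLOCK = 8  # toy block size in bytes; real ciphers such as AES use 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed SHA-256, truncated to half a block, drives each Feistel round.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one block with a toy 8-round Feistel cipher (constructed for
    this example; it stands in for AES and must not be used for real data)."""
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(8):
        left, right = right, _xor(left, _round_function(key, right, rnd))
    return right + left  # final swap makes the structure invertible


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Invert block_encrypt by running the rounds backwards."""
    right, left = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(8)):
        right, left = left, _xor(right, _round_function(key, left, rnd))
    return left + right


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks (no padding here)")
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted on its own, so equal blocks give equal output.
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(block_decrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block
    # (the IV for the first block) before it is encrypted.
    prev, out = iv, []
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    prev, out = iv, []
    for c in _blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def has_repeated_blocks(ciphertext: bytes) -> bool:
    """Detection check: repeated ciphertext blocks are the tell-tale sign of ECB."""
    blocks = _blocks(ciphertext)
    return len(set(blocks)) < len(blocks)


def swap_first_two_blocks(data: bytes) -> bytes:
    blocks = _blocks(data)
    blocks[0], blocks[1] = blocks[1], blocks[0]
    return b"".join(blocks)


def compare_modes(key: bytes, iv: bytes, plaintext: bytes) -> dict:
    """Encrypt the same plaintext under ECB and CBC, then reorder the ciphertext
    blocks (which needs no key) and decrypt, to show how each mode behaves."""
    ecb_ct = ecb_encrypt(key, plaintext)
    cbc_ct = cbc_encrypt(key, iv, plaintext)
    return {
        "ecb_repeats": has_repeated_blocks(ecb_ct),
        "cbc_repeats": has_repeated_blocks(cbc_ct),
        # ECB decrypts reordered blocks into a cleanly reordered message.
        "ecb_reordered": ecb_decrypt(key, swap_first_two_blocks(ecb_ct)),
        # CBC ties each block to its predecessor, so the reordering corrupts
        # the affected blocks instead of yielding a valid message.
        "cbc_reordered": cbc_decrypt(key, iv, swap_first_two_blocks(cbc_ct)),
    }


if __name__ == "__main__":
    # Constructed sample: three 8-byte records, the first and third identical.
    key, iv = b"constructed key!", bytes(range(BLOCK))
    msg = b"PAY 0100PAY 9999PAY 0100"
    for name, value in compare_modes(key, iv, msg).items():
        print(name, value)
```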

Crypto Service Providers
A crypto service provider allows an application to implement an encryption algorithm for
execution. Typically, crypto service providers implement cryptographic algorithms, generate
keys, provide key storage, and authenticate users by calling various crypto modules to
perform the specific tasks. Crypto service providers can be implemented in software,
hardware, or both, and are often part of the operating system. Figure 4-1 shows the
cryptographic services enabled on a Microsoft Windows 10 computer. Providers may also be
created and distributed by third parties, allowing for a broader algorithm selection.

Note

Applications cannot manipulate the keys created by crypto service providers or alter the
cryptographic algorithm itself.

Algorithm Input Values
Some cryptographic algorithms require that in addition to a key another value can or
must be input. These may be called algorithm input values. A unique characteristic of
these input values is that even though it is often possible to hide them, they do not
need to be kept secret; in fact, it is generally assumed that these values are visible to
attackers. As such, the strength of the cryptographic algorithms should not depend on
the secrecy of these values.

A salt is a value that can be used to ensure that plaintext, when hashed, will not
consistently result in the same digest. Salt is most often used in password-based
systems: it prevents an attacker from generating digests of commonly used passwords
or dictionary words that can be compared to the digest of a stolen password. By
adding a salt to the beginning or end of a password prior to hashing it, the password
is strengthened from being broken by a specific type of attack. Although a salt is not
required to be random, a randomized salt (a different value input for each user) will
give added protection.
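As an added example that is not from the textbook, the following Python code shows why a per-user random salt defeats a precomputed table of digests: without salt, two users who chose the same password share a digest and one table of common-password digests matches every stored digest at once; with salt, every dictionary word must be rehashed for each user, and the salt can be stored in the clear beside the digest. The user accounts and the short password list are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real credentials); two users share a password.
USERS = {"alice": "Summer2017", "bob": "Summer2017", "carol": "correct-horse-battery"}
# Constructed stand-in for a list of commonly used passwords.
COMMON_PASSWORDS = ["123456", "password", "Summer2017", "letmein"]


def unsalted_digest(password: str) -> str:
    """Plain SHA-256: the same password always produces the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_digest(password: str, salt: bytes) -> str:
    """Salt added to the beginning of the password before hashing, as the text describes."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    return {name: unsalted_digest(pw) for name, pw in users.items()}


def store_salted(users: dict, salt_len: int = 16) -> dict:
    """Store (salt, digest) per user; os.urandom gives a fresh random salt each time."""
    stored = {}
    for name, pw in users.items():
        salt = os.urandom(salt_len)
        stored[name] = (salt, salted_digest(pw, salt))
    return stored


def dictionary_check_unsalted(stored: dict, dictionary: list) -> tuple:
    """One digest per dictionary word is enough to test every stored digest.
    Returns (users whose password is in the dictionary, hash computations needed)."""
    table = {unsalted_digest(word): word for word in dictionary}
    found = {name: table[d] for name, d in stored.items() if d in table}
    return found, len(dictionary)


def dictionary_check_salted(stored: dict, dictionary: list) -> tuple:
    """No shared table works: each word must be rehashed with each user's salt.
    Returns (users whose password is in the dictionary, hash computations needed)."""
    found, work = {}, 0
    for name, (salt, digest) in stored.items():
        for word in dictionary:
            work += 1
            if salted_digest(word, salt) == digest:
                found[name] = word
                break
    return found, work


def verify_salted(stored: dict, name: str, password: str) -> bool:
    """Login check: the stored salt is not secret, it is simply reused at verification."""
    salt, digest = stored[name]
    return hmac.compare_digest(salted_digest(password, salt), digest)


if __name__ == "__main__":
    plain = store_unsalted(USERS)
    print("same digest for alice and bob without salt:", plain["alice"] == plain["bob"])
    print("unsalted dictionary check:", dictionary_check_unsalted(plain, COMMON_PASSWORDS))
    salted = store_salted(USERS)
    print("same digest with salt:", salted["alice"][1] == salted["bob"][1])
    print("salted dictionary check:", dictionary_check_salted(salted, COMMON_PASSWORDS))
```

The salted check still finds weak passwords, but only by redoing all the hashing per user, which is the cost increase salting is meant to impose; a deliberately slow password hash is the usual next step.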

A nonce (number used once) is an input value that must be unique within some
specified scope, such as for a given period or for an entire session. An initialization
vector (IV) is the most widely used algorithm input. An IV may be considered as a
nonce with an additional requirement: it must be selected in a non-predictable way.
Most block cipher modes of operation require an IV that is random and unpredictable,
or at least unique for each message encrypted with a given key.

Figure 4-1 Microsoft Windows 10 cryptographic services

Note

Salts are not required to be randomized and can be repeated (but unique and random salts
can improve security). A nonce is not required to be randomized but can never be repeated.
An IV should be randomized and never repeated.

Digital Certificates

One of the common applications of cryptography is digital certificates. Using digital
certificates involves understanding their purpose, knowing how they are managed, and
determining which type of digital certificate is appropriate for different situations.

Note

Digital signatures are covered in Chapter 3.

Defining Digital Certificates
Suppose that Alice receives an encrypted document that says it came from Bob.
Although Alice can be sure that the encrypted message was not viewed or altered by
someone else while being transmitted, how can she know for certain that Bob was
actually the sender? Because Alice's public key is widely available, an attacker could
have created a fictitious document, encrypted it with Alice's public key, and then sent it
to Alice while pretending to be Bob. Although Alice's key can verify that no one read or
changed the document in transport, it cannot verify the sender.

Proof can be provided with asymmetric cryptography by creating a digital
signature. However, there is a weakness with digital signatures: they do not confirm
the true identity of the sender. Digital signatures only show that the private key of the
sender was used to encrypt the digital signature, but they do not definitively prove
who the sender was. If Alice receives a message with a digital signature claiming to be
from Bob, she cannot know for certain that it is the real Bob whose public key she is
retrieving.

Certification

6.1 Compare and contrast basic concepts of cryptography.

6.4 Given a scenario, implement public key infrastructure.

For example, suppose Bob created a message along with a digital signature and
sent it to Alice. However, Mallory intercepted the message. He then created his own
set of public and private keys using Bob's identity. Mallory could then create a new
message and digital signature (with the imposter private key) and send them to Alice.
Upon receiving the message and digital signature, Alice would unknowingly retrieve
the imposter public key (thinking it belonged to Bob) and decrypt it. Alice would
be tricked into thinking Bob had sent it when in reality, it came from Mallory. This
interception and imposter public key are illustrated in Figure 4-2.

Figure 4-2 Imposter public key

[Figure 4-2 shows Bob's public key (2111984) and the imposter public key (01071981):
1. Bob creates and sends the real message ("Buy stock now").
2. Mallory intercepts the message and creates imposter keys.
3. Mallory sends a different message ("Sell stock now").
4. Alice retrieves the imposter public key.]

Suppose that Bob wanted to ensure that Alice receives his real public key and not
the imposter public key. He could travel to Alice's city, knock on her front door, and say,
"I'm Bob and here's my key."

Yet how would Alice even know this was the real Bob and not Mallory in disguise?
For verification, she could ask to see Bob's passport. This is a document that is
provided by a trusted third party. Although Alice may not initially trust Bob because she
does not know him, she will trust the government agency that required Bob to provide
proof of his identity when he applied for the passport. Using a trusted third party who
has verified Bob, and who Alice also trusts, would help to solve the problem.

This is the concept behind a digital certificate. A digital certificate is a technology
used to associate a users identity to a public key and that has been digitally signed by
a trusted third party. This third party verifies the owner and that the public key belongs
to that owner. When Bob sends a message to Alice, he does not ask her to retrieve
his public key from a central site. Instead, Bob attaches the digital certificate to the
message. When Alice receives the message with the digital certificate, she can check
the signature of the trusted third party on the certificate. If the signature was signed
by a party that she trusts, then Alice can safely assume that the public key, contained
in the digital certificate, is actually from Bob. Digital certificates make it possible
for Alice to verify Bob's claim that the key belongs to him and prevent an attack that
impersonates the owner of the public key.

Managing Digital Certificates
Several entities and technologies are used to manage digital certificates. These include
the certificate authorities and tools for managing certificates.

Certificate Authorities
Alice purchases a new car and visits the local county courthouse to fill out the car title
application paperwork to register her car. After signing the application and verifying her
identity, the information is forwarded to the state capital, where the state's department
of motor vehicles (DMV) issues an official car title that is sent to the new owner.

This scenario illustrates some of the entities involved with digital certificates. If a
user wants a digital certificate she must, after generating the public and private keys to
be used, complete a request with information such as name, address, email address,
etc., known as a Certificate Signing Request (CSR). The user electronically signs the
CSR by affixing her public key and then sending it to an intermediate certificate
authority (CA). The intermediate CA, of which there are many, processes the CSR and
verifies the authenticity of the user. The intermediate CAs perform functions on behalf
of a certificate authority (CA) that is responsible for digital certificates. A CA may
also be called a root CA. A comparison between the earlier car title scenario and the
elements of a digital certificate are shown in Table 4-2.

Note

A digital certificate is basically a container for a public key and can be used to identify objects
other than users, such as servers and applications. Typically, it contains information such as the
owner's name or alias, the owner's public key, the name of the issuer, the digital signature of the
issuer, the serial number of the digital certificate, and the expiration date of the public key. It can
contain other user-supplied information, such as an email address, postal address, and basic
registration information, such as the country or region, postal code, age, and gender of the user.

Table 4-2 Digital certificate elements

Car title scenario           Digital certificate element                   Explanation
Car title application        Certificate Signing Request (CSR)             Formal request for digital certificate
Sign car title application   Create and affix public key to certificate    Added to digital certificate for security
Visit county courthouse      Intermediate certificate authority            Party that can process CSR on behalf of CA
Title sent from state DMV    Certificate authority (CA)                    Party responsible for digital certificates

Intermediate CAs are subordinate entities designed to handle specific CA tasks
such as processing certificate requests and verifying the identity of the individual.
Depending upon the type of digital certificate, the person requesting a digital certificate
can be authenticated by:

Email. In the simplest form, the owner might be identified only by an email
address. Although this type of digital certificate might be sufficient for basic
email communication, it is insufficient for other activities, such as transferring
money online.

Documents. An intermediate CA can confirm the authenticity of the person
requesting the digital certificate by requiring specific documentation such as a
birth certificate or a copy of an employee badge that contains a photograph.

In person. In some instances, the intermediate CA might require the applicant to
apply in person to prove his existence and identity by providing a government-
issued passport or driver's license.

Note

Just as there are many county courthouses across a state, there are many intermediate CAs.

Note

Although the registration function could be implemented directly with the CA, there are
advantages to using separate intermediate CAs. If there are many entities that require
a digital certificate, or if these are spread out across geographical areas, using a single
centralized CA could create bottlenecks or inconveniences. Using multiple intermediate
CAs, which can off-load these registration functions, can create an improved workflow. This
process functions only because the CAs trust the intermediate CAs.

Just as a breach at a state DMV could result in many fraudulent car titles being
distributed, so too the consequences of a compromised root CA are very significant.
A compromised root CA would likewise taint all its intermediate CAs along with all
the digital certificates that they issued. This makes it essential that all root CAs must
be kept safe from unauthorized access. A common method to ensure the security and
integrity of a root CA is to keep it in an offline state from the network (offline CA).
It is only brought online (online CA) when needed for specific and infrequent
tasks, typically limited to the issuance or re-issuance of certificates authorizing
intermediate CAs.


Certificate Management
There are multiple entities that make up strong certificate management. These include
a certificate repository and a means for certificate revocation.

Certificate Repository (CR)
A certificate repository (CR) is a publicly accessible centralized directory of digital
certificates that can be used to view the status of a digital certificate. This directory can
be managed locally by setting it up as a storage area that is connected to the CA server.

Certificate Revocation
Digital certificates normally have an expiration date, such as one year from the date
they were issued. However, there are circumstances that might be cause for the
certificate to be revoked before it expires. Some reasons might be benign, such as
when the certificate is no longer used or the details of the certificate, such as the user's
address, have changed. Other circumstances could be more dangerous. For example, if
someone were to steal a user's private key, she could impersonate the victim through
using digital certificates without the other users being aware of it. In addition, what
would happen if digital certificates were stolen from a CA? The thieves could then issue
certificates to themselves that would be trusted by unsuspecting users. It is important
that the CA publishes approved certificates as well as revoked certificates in a timely
fashion; otherwise, it could lead to a situation in which security may be compromised.

Note

As an added measure of protection, offline root CAs can still issue certificates to removable
media devices such as a USB drive or DVD, which are then physically transported to the
intermediate CAs that need the certificate to perform their tasks. In this way, the root CA
never needs to be online.

Note

There have been several incidents of digital certificates being stolen from CAs or
intermediate CAs. The thieves can then trick unsuspecting users into connecting with an
imposter site, thinking it is a legitimate site. There have also been charges that nation state
actors have stolen digital certificates to trick their own nation's citizens into connecting with a
fraudulent email site to monitor their messages and to locate and crack down on dissidents.

There are two means by which the status of a certificate can be checked to see if
it has been revoked. The first is to use a Certificate Revocation List (CRL), which is a
list of certificate serial numbers that have been revoked. Many CAs maintain an online
CRL that can be queried by entering the certificate's serial number. In addition, a local
computer receives updates on the status of certificates and maintains a local CRL, as
illustrated in Figure 4-3.

Figure 4-3 Certificate Revocation List (CRL)

The second method is an Online Certificate Status Protocol (OCSP), which
performs a real-time lookup of a certificate's status. OCSP is called a request-response
protocol. The browser sends the certificate's information to a trusted entity like the
CA, known as an OCSP Responder. The OCSP Responder then provides immediate
revocation information on that one specific certificate.

Note

Initially all modern web browsers (Internet Explorer, Edge, Firefox, Safari on macOS, some
versions of Opera, and Google Chrome) used OCSP. However, if the web browser cannot
reach the OCSP Responder server, such as when the server is down, then the browser
receives back the message that there is a network error (called a soft-fail) and the revocation
check is simply ignored. Because of this weakness, Google Chrome decided that it would no
longer support OCSP but instead would rely entirely on CRLs that are downloaded to Chrome.

A variation of OCSP is called OCSP stapling. OCSP requires the OCSP Responder to
provide responses to every web client of a certificate in real time, which may create a
high volume of traffic. With OCSP stapling, web servers send queries to the OCSP
Responder at regular intervals to receive a signed, time-stamped OCSP response.
When a client's web browser attempts to connect to the web server, the server can
include (staple) in the handshake with the web browser the previously received OCSP
response. The browser then can evaluate the OCSP response to determine if it is
trustworthy. OCSP stapling is illustrated in Figure 4-4.

Figure 4-4 OCSP stapling (diagram: Step 1, the web server asks the OCSP Responder "Is this certificate valid?"; Step 2, the Responder answers "Yes, here is a signed approval"; Step 3, the web browser tells the web server "I want to connect"; Step 4, the web server replies "Here is the approval" with the stapled response)

Types of Digital Certificates
There are several different types of digital certificates. These can be grouped into the
broad categories of root certificates, domain certificates, and hardware and software
certificates. In addition, there are several certificate formats.

Root Digital Certificates
Suppose that Alice is shopping online and wants to make a purchase. The online
retailer asks her to enter her credit card number to complete the transaction. However,
how can Alice be certain that she is at the authentic website and not an imposter's
look-alike site that only wants to steal her credit card number? The answer is for the
online retailer's web server to issue to Alice's web browser a digital certificate that
has been signed by a trusted third party. In this way, Alice can rest assured that her
connection is to the authentic online retailer's site.

The process of verifying that a digital certificate is genuine depends upon
certificate chaining. As its name implies, certificate chaining links several certificates
together to establish trust between all the certificates involved. The endpoint of the
chain is the user digital certificate itself. The beginning point of the chain is a specific
type of digital certificate known as a root digital certificate. A root digital certificate
is created and verified by a CA. And because there is no higher-level authority than a
CA, root digital certificates are self-signed and do not depend upon any higher-level
authority for authentication. Between the root digital certificate and the user certificate
can be one or more intermediate certificates that have been issued by intermediate CAs.
The root digital certificate (verified by a CA) trusts the intermediate certificate (verified
by an intermediate CA), which may validate another lower-level intermediate CA, and so on,
until it reaches the user digital certificate. Certificate chaining is illustrated in Figure 4-5.
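The chain walk just described and the CRL lookup from the Certificate Revocation section, as one added example in Go (not code from the textbook): it builds a constructed root -> intermediate -> server hierarchy with the standard library, verifies the server certificate the way a browser does, then has the intermediate CA publish a signed CRL that a relying party checks by serial number. All names ("Example Root CA", www.example.com) and serial numbers are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// PKI is the constructed hierarchy: self-signed root, intermediate CA signed
// by the root, and a server (leaf) certificate signed by the intermediate.
type PKI struct {
	Root, Inter, Leaf *x509.Certificate
	RootKey, InterKey *ecdsa.PrivateKey
}

// sign issues tmpl under parent; a nil parent yields a self-signed (root) certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

func caTemplate(cn string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildPKI creates the chain root -> intermediate -> leaf for host.
func BuildPKI(host string, now time.Time) *PKI {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root := sign(caTemplate("Example Root CA", 1, now), nil, &rootKey.PublicKey, rootKey)
	inter := sign(caTemplate("Example Intermediate CA", 2, now), root, &interKey.PublicKey, rootKey)
	leaf := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &leafKey.PublicKey, interKey)
	return &PKI{Root: root, Inter: inter, Leaf: leaf, RootKey: rootKey, InterKey: interKey}
}

// VerifyChain does what a browser does: walk leaf -> intermediate -> a trusted root, checking signatures, dates and host name.
func VerifyChain(leaf, inter, trustedRoot *x509.Certificate, host string, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: now})
	return err
}

// PublishCRL has the issuing CA sign a CRL listing the revoked certificates' serial numbers.
func PublishCRL(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, now time.Time, revoked ...*x509.Certificate) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, issuerKey))
}

// IsRevoked is the relying party's check: confirm the CRL was signed by the issuing CA (a forged CRL is never trusted), then look up the serial.
func IsRevoked(crlDER []byte, issuer, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	for i := 0; err == nil && i < len(crl.RevokedCertificates); i++ {
		if crl.RevokedCertificates[i].SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, err
}

func main() {
	now := time.Now()
	p := BuildPKI("www.example.com", now)
	fmt.Println("chain verifies:", VerifyChain(p.Leaf, p.Inter, p.Root, "www.example.com", now) == nil)
	revoked, err := IsRevoked(PublishCRL(p.Inter, p.InterKey, now, p.Leaf), p.Inter, p.Leaf)
	fmt.Println("leaf revoked:", revoked, "err:", err)
}
```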

Figure 4-5 Certificate chaining (diagram: Equifax root digital certificate -> GeoTrust Global CA intermediate digital certificate -> GeoTrust SSL CA GA intermediate digital certificate -> GeoTrust SSL CA GA TN intermediate digital certificate -> www.buy_online.com user digital certificate)

Note

Why not issue all certificates off the root digital certificate and eliminate the need for
certificate chaining? This would require an online CA that could compromise its security.

Root digital certificates and intermediate certificates are packaged as part of
modern operating systems. The trusted root digital certificates for a Windows 10
operating system are seen in Figure 4-6. In addition, web browser software also
contains root and intermediate digital certificates. Another option is pinning, in which
a digital certificate is hard-coded (pinned) within the app (program) that is using the
certificate. Pinning is common for securing mobile messaging apps and for certain
web-based services and browsers.

Note

Some browsers use the operating system's list of root digital certificates to determine which
CAs are trusted, while other browsers use their own facilities.


Certificate chaining and root digital certificates can be seen by using a web
browser to access the Cengage website. The root digital certificate (DigiCert) verifies
the intermediate certificate (DigiCert SHA2 High Assurance Server CA), which in turn
authenticates the digital certificate for the Cengage site (*.cengage.com). This certificate
chaining is seen in Figure 4-7. The details of the certificate can be seen in Figure 4-8
with the public key detail information displayed.

Figure 4-6 Microsoft Windows 10 trusted root digital certificates

Figure 4-7 Certificate chaining for cengage.com

Figure 4-8 Certificate details

Domain Digital Certificates
Most digital certificates are web server digital certificates that are issued from a web
server to a client (as illustrated in the previous example). Web server digital certificates
perform two primary functions. First, they ensure the authenticity of the web server
to the client. Second, web server digital certificates can ensure the authenticity
of the cryptographic connection to the web server. Web servers can set up secure
cryptographic connections so that all transmitted data is encrypted by providing the
server's public key with a digital certificate to the client. This handshake setup between
web browser and web server, also called a key exchange, is illustrated in Figure 4-9:

1. The web browser sends a message (ClientHello) to the server that contains
information including the list of cryptographic algorithms that the client supports.

2. The web server responds (ServerHello) by indicating which cryptographic
algorithm will be used. It then sends the server digital certificate to the browser.

3. The web browser verifies the server certificate (such as making sure it has not
expired) and extracts the server's public key. The browser generates a random
value (called the pre-master secret), encrypts it with the server's public key, and
sends it back to the server (ClientKeyExchange).

4. The server decrypts the message and obtains the browser's pre-master secret.
Because both the browser and server now have the same pre-master secret,
they can each create the same master secret. The master secret is used to create
session keys, which are symmetric keys to encrypt and decrypt information
exchanged during the session and to verify its integrity.
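Steps 3 and 4 carried out in Go, as an added example that is not the textbook's code: the browser seals the pre-master secret with the server's RSA public key, the server recovers it, and both sides expand it into the same master secret and session keys with the TLS 1.2 PRF from RFC 5246. The RSA key pair, the Hello randoms and the key lengths are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Sizes from RFC 5246: 32-byte Hello randoms, 48-byte pre-master and master
// secrets; the MAC and encryption key lengths are for an AES-128/HMAC-SHA256 suite.
const (
	randomLen, preMasterLen, masterLen = 32, 48, 48
	macKeyLen, encKeyLen               = 32, 16
)

func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

func concat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// NewServerKey stands in for the RSA key pair behind the server's certificate.
func NewServerKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// prf is the TLS 1.2 PRF, P_SHA256(secret, label + seed) cut to n bytes (RFC 5246 section 5).
func prf(secret []byte, label string, seed []byte, n int) []byte {
	labelSeed := concat([]byte(label), seed)
	a := hmacSHA256(secret, labelSeed) // A(1)
	var out []byte
	for len(out) < n {
		out = append(out, hmacSHA256(secret, concat(a, labelSeed))...)
		a = hmacSHA256(secret, a) // A(i+1)
	}
	return out[:n]
}

// ClientKeyExchange (step 3): the browser builds the 48-byte pre-master secret
// (two TLS version bytes, 46 random) and encrypts it with the server's public key,
// which it took from the certificate it has just verified.
func ClientKeyExchange(serverPub *rsa.PublicKey) (preMaster, encrypted []byte, err error) {
	preMaster = concat([]byte{3, 3}, randomBytes(preMasterLen-2)) // 3,3 = TLS 1.2
	encrypted, err = rsa.EncryptPKCS1v15(rand.Reader, serverPub, preMaster)
	return preMaster, encrypted, err
}

// ServerKeyExchange (step 4): the server recovers the pre-master secret. The buffer
// starts out random and stays random if the padding is bad, so a tampered message
// is indistinguishable from a valid one (RFC 5246 7.4.7.1 Bleichenbacher countermeasure).
func ServerKeyExchange(priv *rsa.PrivateKey, encrypted []byte) ([]byte, error) {
	preMaster := randomBytes(preMasterLen)
	err := rsa.DecryptPKCS1v15SessionKey(rand.Reader, priv, encrypted, preMaster)
	return preMaster, err
}

// SessionKeys are the symmetric keys both sides derive identically (step 4).
type SessionKeys struct {
	MasterSecret, ClientMACKey, ServerMACKey, ClientWriteKey, ServerWriteKey []byte
}

// DeriveSessionKeys turns the pre-master secret into the master secret and then
// expands that into the key block; note the randoms swap order (RFC 5246 6.3).
func DeriveSessionKeys(preMaster, clientRandom, serverRandom []byte) SessionKeys {
	master := prf(preMaster, "master secret", concat(clientRandom, serverRandom), masterLen)
	block := prf(master, "key expansion", concat(serverRandom, clientRandom), 2*macKeyLen+2*encKeyLen)
	k := SessionKeys{MasterSecret: master}
	k.ClientMACKey, k.ServerMACKey = block[:macKeyLen], block[macKeyLen:2*macKeyLen]
	block = block[2*macKeyLen:]
	k.ClientWriteKey, k.ServerWriteKey = block[:encKeyLen], block[encKeyLen:]
	return k
}

func main() {
	serverKey := NewServerKey()
	clientRandom, serverRandom := randomBytes(randomLen), randomBytes(randomLen) // from the Hellos
	pmClient, msg, _ := ClientKeyExchange(&serverKey.PublicKey)
	pmServer, _ := ServerKeyExchange(serverKey, msg)
	c, s := DeriveSessionKeys(pmClient, clientRandom, serverRandom), DeriveSessionKeys(pmServer, clientRandom, serverRandom)
	fmt.Println("both sides hold the same session keys:", bytes.Equal(c.ClientWriteKey, s.ClientWriteKey))
}
```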

Note

One of the goals of the handshake is to generate keys for symmetric encryption using 3DES
or AES. No public keys or certificates are involved once the handshake is completed.

Figure 4-9 Key exchange (diagram of web browser and web server: 1. ClientHello carrying cryptographic information; 2. ServerHello carrying the algorithms supported and the server digital certificate; 3. the browser verifies the certificate and creates the pre-master secret, sent in ClientKeyExchange; 4. browser and server each create the master secret and session keys)

In order to address the security of web server digital certificates there are several
types of domain digital certificates. These include domain validation digital certificates,
extended validation digital certificates, wildcard digital certificates, and subject
alternative names digital certificates.


Domain Validation
Some CAs issue only entry-level certificates that provide domain-only validation.
These digital certificates only authenticate that a specific organization has the right
to use a particular domain name. A domain validation digital certificate verifies the
identity of the entity that has control over the domain name. These certificates indicate
nothing regarding the trustworthiness of the individuals behind the site; they simply
verify who has control of that domain.

Note

Because domain validation digital certificates are not verifying the identity of a person
but only the control over a site, they often can be generated automatically and are very
inexpensive or even free.

A domain validation digital certificate displays a green padlock icon in the web
browser. This is shown in Figure 4-10 for a Google Chrome browser.

Figure 4-10 Domain validation padlock
Source: Google Chrome web browser

Extended Validation (EV)
An enhanced type of domain digital certificate is the Extended Validation (EV)
certificate. This type of certificate requires more extensive verification of the
legitimacy of the business. Requirements include:

The CA must pass an independent audit verifying that it follows the EV standards.

The existence and identity of the website owner, including its legal existence,
physical address, and operational presence, must be verified by the CA.

The CA must verify that the website is the registered holder and has exclusive
control of the domain name.

The authorization of the individual(s) applying for the certificate must be verified
by the CA, and a valid signature from an officer of the company must accompany
the application.

When a web browser indicates to users that they are connected to a website that
uses the higher-level EV, a green padlock along with the site's name is displayed, as
seen in Figure 4-11.

Figure 4-11 EV validation padlock
Source: Google Chrome web browser


Wildcard
A wildcard digital certificate is used to validate a main domain along with all
subdomains. For example, a domain validation digital certificate for www.example.com
would only cover that specific site. A wildcard digital certificate for *.example.com would
cover www.example.com, mail.example.com, ftp.example.com, and any other subdomains.

Subject Alternative Name (SAN)
A Subject Alternative Name (SAN) digital certificate, also known as a Unified
Communications Certificate (UCC), is primarily used for Microsoft Exchange servers or unified
communications (the integration of different types of electronic communication like email,
SMS text messaging, fax, etc.). This certificate allows multiple server or domain names to use
the same secure certificate by allowing different values to be associated with the certificate.

Hardware and Software Digital Certificates
In addition to root digital certificates and domain digital certificates, there are more
specific digital certificates that relate to hardware and software. These include:

Machine digital certificate. A machine digital certificate is used to verify the
identity of a device in a network transaction. For example, a laser printer may
use a machine digital certificate to verify to the client that it is an authentic and
authorized device on the network.

Note

Many network devices can create their own self-signed machine digital certificates.

Code signing digital certificate. Digital certificates are used by software developers
to digitally sign a program to prove that the software comes from the entity that
signed it and that no unauthorized third party has altered or compromised it. This
is known as a code signing digital certificate. When an installation program that
contains a code signing digital certificate is launched, a popup window appears that
says "Verified publisher," while an installation program that lacks a code signing
digital certificate says "Publisher: Unknown."

Email digital certificate. An email digital certificate allows a user to digitally sign
and encrypt mail messages. Typically, only the user's name and email address
are required to receive this certificate.

Note

In addition to email messages, digital certificates also can be used to authenticate the authors
of documents. For example, a user can create a Microsoft Word or Adobe Portable Document
Format (PDF) document and then use a digital certificate to create a digital signature.


Digital Certificate Formats
The most widely accepted digital certificates are defined by a division of the International
Telecommunication Union (ITU) known as the Telecommunication Standardization
Sector (ITU-T). These digital certificates adhere to the X.509 standard. Digital certificates
following this standard can be read or written by any application that follows X.509.

Note

X.509 systems also include a method for creating a Certificate Revocation List (CRL).

All X.509 certificates follow the standard ITU-T X.690, which specifies one of three
different encoding formats: Basic Encoding Rules (BER), Canonical Encoding Rules (CER),
and Distinguished Encoding Rules (DER). The X.509 certificates themselves can be
contained within different file formats. Table 4-3 shows several of the different formats.

Name | File extension | Comments
Privacy Enhancement Mail (PEM) | .pem | Designed to provide confidentiality and integrity to emails, it uses DER encoding and can have multiple certificates.
Personal Information Exchange (PFX) | .pfx | The preferred file format for creating certificates to authenticate applications or websites, PFX is password protected because it contains both private and public keys.
PKCS#12 | .p12 | One of a numbered set of 15 standards defined by RSA Corporation, it is based on the RSA public key algorithm and like PFX contains both private and public keys.

Table 4-3 X.509 file formats

Public Key Infrastructure (PKI)
Certification

1.6 Explain the impact associated with types of vulnerabilities.

6.4 Given a scenario, implement public key infrastructure.

One of the important management tools for the use of digital certificates and
asymmetric cryptography is public key infrastructure. It is important to understand
public key infrastructure, how it is managed and how key management is performed,
as well as knowing PKI trust models.


What Is Public Key Infrastructure (PKI)?
One single digital certificate between Alice and Bob involves multiple entities and
technologies. Asymmetric cryptography must be used to create the public and
private keys, an intermediate CA must verify Bob's identity, the CA must issue the
certificate, the digital certificate must be placed in a CR and moved to a CRL when
it expires, and so on. In an organization where multiple users have multiple digital
certificates, it can quickly become overwhelming to individually manage all of
these entities. In short, there needs to be a consistent means to manage digital
certificates.

Public key infrastructure (PKI) is what you might expect from its name: it is
the underlying infrastructure for the management of public keys used in digital
certificates. PKI is a framework for all the entities involved in digital certificates for
digital certificate management, including hardware, software, people, policies, and
procedures, to create, store, distribute, and revoke digital certificates. In short, PKI is
digital certificate management.

Note

PKI is sometimes erroneously applied to a broader range of cryptography topics beyond
managing digital certificates. It is sometimes defined as that which supports other public
key-enabled security services or certifies users of a security application. PKI should be
understood as the framework for digital certificate management only.

Trust Models
Trust may be defined as confidence in or reliance on another person or entity. One of
the principal foundations of PKI is that of trust: Alice must trust that the public key in
Bob's digital certificate actually belongs to him.

A trust model refers to the type of trust relationship that can exist between
individuals or entities. In one type of trust model, direct trust, a relationship exists
between two individuals because one person knows the other person. Because
Alice knows Bob (she has seen him, she can recognize him in a crowd, she has
spoken with him), she can trust that the digital certificate that Bob personally gives
to her contains his public key. A third-party trust refers to a situation in which two
individuals trust each other because each trusts a third party. If Alice does not know
Bob, this does not mean that she can never trust his digital certificate. Instead, if
she trusts a third-party entity who knows Bob, then she can trust that his digital
certificate with the public key is Bob's.


Essentially three PKI trust models use a CA. These are the hierarchical trust model,
the distributed trust model, and the bridge trust model.

Note

A less secure trust model that uses no CA is called the web of trust model and is based on
direct trust. Each user signs his digital certificate and then exchanges certificates with all
other users. Because all users trust each other, each user can sign the certificate of all other
users. Pretty Good Privacy (PGP) uses the web of trust model.

Note

An example of a third-party trust is a courtroom. Although the defendant and prosecutor may
not trust one another, they both can trust the judge (a third party) to be fair and impartial. In that
case, they implicitly trust each other because they share a common relationship with the judge.

Hierarchical Trust Model
The hierarchical trust model assigns a single hierarchy with one master CA called the
root. This root signs all digital certificate authorities with a single key. A hierarchical
trust model is illustrated in Figure 4-12.

Figure 4-12 Hierarchical trust model (diagram: a single Certificate Authority (CA) signs the public key in each digital certificate)

A hierarchical trust model can be used in an organization where one CA is
responsible for only the digital certificates for that organization. However, on a
larger scale, a hierarchical trust model has several limitations. First, if the CA's single
private key were to be compromised, then all digital certificates would be worthless.
Also, having a single CA that must verify and sign all digital certificates may create a
significant backlog.

Distributed Trust Model
Instead of having a single CA, as in the hierarchical trust model, the distributed trust
model has multiple CAs that sign digital certificates. This essentially eliminates
the limitations of a hierarchical trust model. The loss of a CAs private key would
compromise only those digital certificates for which it had signed, and the workload of
verifying and signing digital certificates can be distributed. In addition, these CAs can
delegate authority to other intermediate CAs to sign digital certificates. The distributed
trust model is the basis for most digital certificates used on the Internet. A distributed
trust model is illustrated in Figure 4-13.

Figure 4-13 Distributed trust model (diagram: a Certificate Authority (CA) with two intermediate CAs, each signing the public keys in digital certificates)

Bridge Trust Model
The bridge trust model is similar to the distributed trust model in that there is no single
CA that signs digital certificates. However, with the bridge trust model there is one CA
that acts as a facilitator to interconnect all other CAs. This facilitator CA does not issue
digital certificates; instead, it acts as the hub between hierarchical trust models and
distributed trust models. This allows the different models to be linked together. The
bridge trust model is shown in Figure 4-14.

Managing PKI
An organization that uses multiple digital certificates on a regular basis needs to
properly manage those digital certificates. This includes establishing policies and
practices and determining the life cycle of a digital certificate.

Figure 4-14 Bridge trust model (diagram: a Bridge CA links a hierarchical trust model, where one Certificate Authority (CA) signs the public keys in digital certificates directly, with a distributed trust model, where a Certificate Authority (CA) delegates to intermediate CAs that sign the public keys in digital certificates)

Note

One application of the bridge trust model involves linking federal and state governments.
The U.S. Department of Defense (DOD) has issued millions of identification cards to military
personnel known as Common Access Cards (CAC), based on the Personal Identity Verification
(PIV) standard, that are linked to a digital certificate. Some states have begun issuing IDs
compatible with the CAC cards to emergency service personnel, and one state has cross-
certified with the federal PKI through a trust bridge for authenticating digital certificates.


Certificate Policy (CP)
A certificate policy (CP) is a published set of rules that govern the operation of a
PKI. The CP provides recommended baseline security requirements for the use and
operation of CA, intermediate CA, and other PKI components. A CP should cover
such topics as CA or intermediate CA obligations, user obligations, confidentiality,
operational requirements, and training.

Note

Many organizations create a single CP to support not only digital certificates but also digital
signatures and all encryption applications.

Certificate Practice Statement (CPS)
A certificate practice statement (CPS) is a more technical document than a CP. A CPS
describes in detail how the CA uses and manages certificates. Additional topics for
a CPS include how end users register for a digital certificate, how to issue digital
certificates, when to revoke digital certificates, procedural controls, key pair generation
and installation, and private key protection.

X.509 certificates contain a specific field that can link to the associated CP. Another
field can contain an object identifier (OID), which names an object or entity. OIDs
are made up of a series of numbers separated with a dot, such as 1.2.840.113585, and
correspond to a node in a hierarchy tree structure. OIDs can name every object type in
an X.509 certificate, including the CPS.

Note

A large standardized set of OIDs exists, or an enterprise can have a root OID assigned to it
and then create its own sub-OIDs, much like creating subdomains beneath a domain.

Certificate Life Cycle
Digital certificates should not last forever. Employees leave, new hardware is installed,
applications are updated, and cryptographic standards evolve. Each of these changes
affects the usefulness of a digital certificate. The life cycle of a certificate is typically
divided into four parts:

1. Creation. At this stage the certificate is created and issued to the user. Before
the digital certificate is generated, the user must be positively identified. The
extent to which the user's identification must be confirmed can vary, depending
upon the type of certificate and any existing security policies. Once the user's
identification has been verified, the request is sent to the CA for a digital
certificate. The CA can then apply its appropriate signing key to the certificate,
effectively signing the public key. The relevant fields can be updated by the CA,
and the certificate is then forwarded to the RA (if one is being used). The CA also
can keep a local copy of the certificate it generated. A certificate, once issued,
can be published to a public directory if necessary.

2. Suspension. This stage could occur once or multiple times throughout the life
of a digital certificate if the certificate's validity must be temporarily suspended.
This may occur, for example, when an employee is on a leave of absence. During
this time, it may be important that the user's digital certificate not be used
for any reason until she returns. Upon the user's return, the suspension can be
withdrawn or the certificate can be revoked.

3. Revocation. At this stage the certificate is no longer valid. Under certain situations a
certificate may be revoked before its normal expiration date, such as when a user's
private key is lost or compromised. When a digital certificate is revoked, the CA updates
its internal records and any CRL with the required certificate information and
timestamp (a revoked certificate is identified in a CRL by its certificate serial number).
The CA signs the CRL and places it in a public repository so that other applications
using certificates can access this repository to determine the status of a certificate.

Caution

Either the user or the CA can initiate a revocation process.

4. Expiration. At the expiration stage the certificate can no longer be used. Every
certificate issued by a CA must have an expiration date. Once it has expired, the
certificate may not be used any longer for any type of authentication and the
user will be required to follow a process to be issued a new certificate with a
new expiration date.

Key Management
One common vulnerability that allows threat actors to compromise a PKI is improper
certificate and key management. Because keys form the foundation of PKI systems,
it is important that they be carefully managed. Proper key management includes key
storage, key usage, and key handling procedures.

Key Storage
The means of storing keys in a PKI system is important. Public keys can be stored by
embedding them within digital certificates, while private keys can be stored on the
user's local system. The drawback to software-based storage is that it can leave keys

open to attacks: vulnerabilities in the client operating system, for example, can expose
keys to attackers.

Storing keys in hardware is an alternative to software-based storage. For storing
public keys, special CA root and intermediate CA hardware devices can be used. Private
keys can be stored on smart cards or in tokens.

Note

Whether private keys are stored in hardware or software, it is important that they be
adequately protected. To ensure basic protection, never share the key in plaintext, always
store keys in files or folders that are themselves password protected or encrypted, do not
make copies of keys, and destroy expired keys.

Key Usage
If more security is needed than a single set of public and private keys, multiple pairs of
dual keys can be created. One pair of keys may be used to encrypt information, and the
public key can be backed up to another location. The second pair would be used only
for digital signatures, and the public key in that pair would never be backed up.

Key Handling Procedures
Certain procedures can help ensure that keys are properly handled. These procedures
include:

Escrow. Key escrow refers to a process in which keys are managed by a third
party, such as a trusted CA. In key escrow, the private key is split and each half is
encrypted. The two halves are registered and sent to the third party, which stores
each half in a separate location. A user can then retrieve the two halves, combine
them, and use this new copy of the private key for decryption. Key escrow relieves
the end user from the worry of losing her private key. The drawback to this system
is that after the user has retrieved the two halves of the key and combined them to
create a copy of the key, that copy of the key can be vulnerable to attacks.

Expiration. Keys have expiration dates. This prevents an attacker who may have
stolen a private key from being able to decrypt messages for an indefinite period.
Some systems set keys to expire after a set period by default.

Renewal. Instead of letting a key expire and then creating a new key, an existing
key can be renewed. With renewal, the original public and private keys can
continue to be used and new keys do not have to be generated. However,
continually renewing keys makes them more vulnerable to theft or misuse.

Revocation. Whereas all keys should expire after a set period, a key may need to
be revoked prior to its expiration date. For example, the need for revoking a key
may be the result of an employee being terminated from his position. Revoked
keys cannot be reinstated. The CA should be immediately notified when a key is
revoked and then the status of that key should be entered on the CRL.

Recovery. What happens if an employee is hospitalized, yet the organization for
which she works needs to transact business using her keys? Different techniques
may be used. Some CA systems have an embedded key recovery system in which a
key recovery agent (KRA) is designated, who is a highly trusted person responsible
for recovering lost or damaged digital certificates. Digital certificates can then
be archived along with the user's private key. If the user is unavailable or if the
certificate is lost, the certificate with the private key can be recovered. Another
technique is known as M-of-N control. A user's private key is encrypted and
divided into a specific number of parts, such as three. The parts are distributed to
other individuals, with an overlap so that multiple individuals have the same part.
For example, the three parts could be distributed to six people, with two people
each having the same part. This is known as the N group. If it is necessary to
recover the key, a smaller subset of the N group, known as the M group, must meet
and agree that the key should be recovered. If a majority of the M group can agree,
they can then piece the key together. M-of-N control is illustrated in Figure 4-15.

Figure 4-15 M-of-N control (figure not reproduced: the public key and digital
certificate are split into Part 1, Part 2, and Part 3, which are distributed with
overlap across the N group; a smaller M group drawn from it recovers the key)
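The M-of-N control described above, as an added example that is not from the textbook: Shamir's threshold secret sharing is the standard cryptographic construction behind the idea, and it generalizes the chapter's scheme so that every holder receives a distinct share and any M distinct shares (here 3 of 6, as in Figure 4-15) rebuild the key while fewer reveal nothing. The function names, the prime, and the sample key are this example's own choices.

```python
import secrets
from typing import Dict, List, Tuple

# Shares live in the field of integers modulo this Mersenne prime (2**521 - 1),
# so any key of up to 64 bytes fits below it. Choice of prime is this example's.
PRIME = 2**521 - 1

Share = Tuple[int, int]  # (x coordinate handed to one holder, polynomial value at x)


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x (Horner's rule, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, m: int, n: int) -> List[Share]:
    """Split key into n shares of which any m distinct ones rebuild it (M-of-N control)."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if len(key) > 64:
        raise ValueError("key longer than 64 bytes does not fit below PRIME")
    secret = int.from_bytes(key, "big")
    # Random polynomial of degree m-1 whose constant term is the key. The random
    # coefficients are what keep m-1 shares from leaking anything about the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_key(shares: List[Share], m: int, key_len: int) -> bytes:
    """Rebuild the key from at least m distinct shares (Lagrange interpolation at x = 0)."""
    # The chapter hands the same part to more than one person; a duplicate copy of
    # one share does not count as a second share, so count distinct x coordinates.
    distinct: Dict[int, int] = {x: y for x, y in shares}
    if len(distinct) < m:
        raise ValueError(f"only {len(distinct)} distinct shares, {m} required")
    points = list(distinct.items())[:m]
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Division in the field: multiply by the inverse (Fermat, since PRIME is prime)
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")


def demo() -> bool:
    """3-of-6 control as in Figure 4-15, on a constructed 256-bit sample key."""
    key = secrets.token_bytes(32)
    shares = split_key(key, m=3, n=6)
    # Any three holders with distinct parts rebuild the key ...
    rebuilt = recover_key([shares[0], shares[2], shares[5]], m=3, key_len=32) == key
    # ... but two holders, even if one brought a duplicate copy, are refused.
    try:
        recover_key([shares[0], shares[1], shares[1]], m=3, key_len=32)
        return False
    except ValueError:
        return rebuilt
```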

Suspension. The revocation of a key is permanent; key suspension is for a set
period. For example, if an employee is on an extended medical leave it may
be necessary to suspend the use of her key for security reasons. A suspended
key can be later reinstated. As with revocation, the CA should be immediately
notified when a key is suspended, and the status of that key should be checked
on the CRL to verify that it is no longer valid.

Destruction. Key destruction removes all private and public keys along with the
user's identification information in the CA. When a key is revoked or expires, the
user's information remains on the CA for audit purposes.

Note

The reason for distributing parts of the key to multiple users is that the absence of one
member would not prevent the key from being recovered.

Cryptographic Transport Protocols

Certification

2.1 Install and configure network components, both hardware- and
software-based, to support organizational security.

2.6 Given a scenario, implement secure protocols.

In addition to protecting data-in-use and data-at-rest, cryptography is most often used
to protect data-in-transit across a network. The most common cryptographic transport
algorithms include Secure Sockets Layer, Transport Layer Security, Secure Shell,
Hypertext Transport Protocol Secure, S/MIME, Secure Real-time Transport Protocol,
and IP security.

Secure Sockets Layer (SSL)
One of the early and most widespread cryptographic transport algorithms is Secure
Sockets Layer (SSL). This protocol was developed by Netscape in 1994 in response to
the growing concern over Internet security. The design goal of SSL was to create an
encrypted data path between a client and a server that could be used on any platform
or operating system. SSL took advantage of the relatively new cryptographic algorithm
Advanced Encryption Standard (AES) instead of the weaker Data Encryption Standard
(DES). Over time updates to SSL were released; SSL version 3.0 is the current version.

Transport Layer Security (TLS)
Transport Layer Security (TLS) is another widespread cryptographic transport
algorithm. SSL v3.0 served as the basis for TLS v1.0. Although the algorithms SSL and
TLS are often used interchangeably or even in conjunction with each other (TLS/SSL),
this is not correct. Although TLS v1.0 was considered marginally more secure than
SSL v3.0, subsequent versions of TLS (v1.1 and v1.2) are significantly more secure and
address several vulnerabilities present in SSL v3.0 and TLS v1.0.

Even though TLS v1.2 is the current version of the protocol, many websites
continue to support older and weaker versions of TLS and SSL in order to provide the
broadest range of compatibility for older web browsers. However, most websites are
migrating away from older versions and protocols to support TLS v1.2. Table 4-4 lists a
survey of web servers that used SSL and TLS in 2014 compared to current usage (servers
may support multiple protocols).2

Table 4-4 Website support of SSL and TLS

Protocol supported   Percentage of websites 2014   Percentage of current websites   Protocol security strength
SSL v2.0             24.2                          5.3                              Should not be used
SSL v3.0             99.4                          17.4                             Considered obsolete
TLS v1.0             99.3                          95.0                             Must be carefully configured
TLS v1.1             25.7                          81.9                             No known vulnerabilities
TLS v1.2             28.2                          84.6                             No known vulnerabilities

A cipher suite is a named combination of the encryption, authentication, and
message authentication code (MAC) algorithms that are used with SSL and TLS. These
are negotiated between the web browser and web server during the initial connection
handshake. Depending on the different algorithms that are selected, the overall
security of the transmission may be either strong or weak. For example, using RC4
instead of AES would significantly weaken the cipher suite. Another factor is the length
of the keys. Keys of less than 2048 bits are considered weak, keys of 2048 bits are
considered good, while keys of 4096 bits are strong.

Note

As noted in steps 1 and 2 in Figure 4-9, the web browser provides a list of all the
cryptographic algorithms that it supports, but the web server makes the ultimate decision of
which will be used.

Secure Shell (SSH)
Secure Shell (SSH) is an encrypted alternative to the Telnet protocol that is used to
access remote computers. SSH is a Linux/UNIX-based command interface and protocol
for securely accessing a remote computer. SSH is actually a suite of three utilities
(slogin, ssh, and scp) that are secure versions of the unsecure UNIX counterpart utilities.
These commands are summarized in Table 4-5. Both the client and server ends of the
connection are authenticated using a digital certificate, and passwords are protected by
being encrypted. SSH can even be used as a tool for secure network backups.

Table 4-5 SSH commands

UNIX command name   Description                                              Syntax                                            Secure command replacement
rlogin              Log on to remote computer                                rlogin remotecomputer                             slogin
rcp                 Copy files between remote computers                      rcp [options] localfile remotecomputer:filename   scp
rsh                 Executing commands on a remote host without logging on   rsh remotecomputer command                        ssh

Hypertext Transport Protocol Secure (HTTPS)
One common use of TLS and SSL is to secure Hypertext Transport Protocol (HTTP)
communications between a browser and a web server. This secure version is actually
plain HTTP sent over SSL or TLS and is called Hypertext Transport Protocol Secure
(HTTPS). HTTPS uses port 443 instead of HTTPs port 80. Users must enter URLs with
https:// instead of http://.

Note

The first version of SSH was released in 1995 by a researcher at the Helsinki University of
Technology after his university was the victim of a password-sniffing attack.

Note

Cipher suites typically use descriptive names to indicate their components. For example,
CipherSuite SSL_RSA_WITH_RC4_128_MD5 specifies that RSA will be used as the key exchange and
authentication algorithm, that the RC4 encryption algorithm using a 128-bit key will be used,
and that MD5 will be the MAC algorithm.
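As an added example (not from the textbook) tying together the cipher suite paragraph in the TLS section and the naming note above, this Python parser splits a suite name into its key exchange, authentication, cipher, key length, mode, and MAC parts, flags the components the chapter calls weak, and orders a list of suites the way a server-preferred list in Project 4-1 should read. The weak-component table and the scoring weights are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Components that weaken a suite. Assumption of this example, drawn from the
# chapter's point that RC4 (and similarly dated cipher/MAC choices) weaken a suite.
WEAK_COMPONENTS: Dict[str, str] = {
    "RC4": "RC4 stream cipher instead of AES",
    "MD5": "MD5 as the MAC algorithm",
    "DES": "DES with a 56-bit key",
    "3DES_EDE": "3DES with a 64-bit block size",
    "NULL": "no encryption at all",
    "ANON": "anonymous key exchange, server not authenticated",
}
MODES = {"CBC", "GCM", "CCM"}


@dataclass
class CipherSuite:
    name: str
    key_exchange: str
    authentication: str
    cipher: str
    key_bits: Optional[int]   # None when the name carries no key length (e.g. 3DES)
    mode: str                 # "" for stream ciphers such as RC4
    mac: str
    weak_components: List[str] = field(default_factory=list)

    @property
    def is_strong(self) -> bool:
        return not self.weak_components


def parse_cipher_suite(name: str) -> CipherSuite:
    """Split <SSL|TLS>_<KX>[_<AUTH>]_WITH_<CIPHER>_<BITS>[_<MODE>]_<MAC> into parts."""
    if not re.fullmatch(r"(SSL|TLS)_[A-Z0-9_]+", name):
        raise ValueError(f"not a cipher suite name: {name!r}")
    body = name[4:]
    export = False
    if "_WITH_" in body:
        kx_part, enc_part = body.split("_WITH_", 1)
        kx_tokens = kx_part.split("_")
        if "EXPORT" in kx_tokens:          # e.g. RSA_EXPORT: deliberately short keys
            export = True
            kx_tokens.remove("EXPORT")
        if len(kx_tokens) == 1:            # plain "RSA": RSA does key exchange and auth
            kx = auth = kx_tokens[0]
        else:                              # e.g. ECDHE_RSA: ephemeral DH, RSA-signed
            kx, auth = kx_tokens[0], kx_tokens[1]
    else:                                  # TLS 1.3 names omit the key exchange
        kx = auth = "negotiated separately"
        enc_part = body
    tokens = enc_part.split("_")
    mac = tokens.pop()                     # last token is always the MAC/PRF hash
    mode = ""
    if len(tokens) >= 2 and tokens[-2:] == ["CCM", "8"]:
        mode, tokens = "CCM_8", tokens[:-2]
    elif tokens and tokens[-1] in MODES:
        mode = tokens.pop()
    bits: Optional[int] = None
    if tokens and tokens[-1].isdigit():
        bits = int(tokens.pop())
    cipher = "_".join(tokens)

    weak: List[str] = []
    for comp in (kx, auth, cipher, mac):
        if comp in WEAK_COMPONENTS and comp not in weak:
            weak.append(comp)
    if export:
        weak.append("EXPORT")
    if bits is not None and bits < 128:
        weak.append(f"{bits}-bit key")
    return CipherSuite(name, kx, auth, cipher, bits, mode, mac, weak)


def describe(suite: CipherSuite) -> str:
    """One-line reading of a suite in the style of the chapter's note."""
    kx = suite.key_exchange
    if suite.authentication != kx:
        kx += f" key exchange, {suite.authentication} authentication"
    else:
        kx += " key exchange and authentication"
    bits = f" using a {suite.key_bits}-bit key" if suite.key_bits else ""
    mode = f" in {suite.mode} mode" if suite.mode else ""
    return f"{suite.name}: {kx}; {suite.cipher}{bits}{mode}; MAC {suite.mac}"


def rank_suites(names: List[str]) -> List[str]:
    """Order suites strongest first: penalize weak parts, reward forward secrecy and AEAD."""
    def score(s: CipherSuite) -> int:
        pts = -10 * len(s.weak_components)
        pts += 3 if s.key_exchange in ("ECDHE", "DHE") else 0
        pts += 2 if s.mode in ("GCM", "CCM", "CCM_8") or "POLY1305" in s.cipher else 0
        pts += 1 if (s.key_bits or 0) >= 256 else 0
        return pts
    parsed = [parse_cipher_suite(n) for n in names]
    return [s.name for s in sorted(parsed, key=score, reverse=True)]
```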

Secure/Multipurpose Internet Mail Extensions (S/MIME)
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a protocol for securing
email messages. It allows users to send encrypted messages that are also digitally signed.

Note

Another cryptographic transport protocol for HTTP was Secure Hypertext Transport Protocol
(SHTTP). However, it was not as secure as HTTPS and is now considered obsolete.

Note

MIME is a standard for how an electronic message will be organized, so S/MIME describes
how encryption information and a digital certificate can be included as part of the message
body.

Secure Real-time Transport Protocol (SRTP)
The Secure Real-time Transport Protocol (SRTP) has several similarities to S/MIME.
Just as S/MIME is intended to protect MIME communications, SRTP is a secure
extension protecting transmissions using the Real-Time Transport Protocol (RTP).
And just as S/MIME is designed to protect only email communications, SRTP provides
protection specifically for Voice over IP (VoIP) communications. SRTP adds security
features, such as message authentication and confidentiality, to VoIP communications.

Note

The SRTP protocol was first published in 2004.

IP Security (IPsec)
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP)
communications. IPsec encrypts and authenticates each IP packet of a session between
hosts or networks. IPsec can provide protection to a much wider range of applications
than SSL or TLS.

IPsec is considered to be a transparent security protocol. It is transparent to the
following entities:

Applications. Programs do not have to be modified to run under IPsec.

Users. Unlike some security tools, users do not need to be trained on specific
security procedures (such as encrypting with PGP).

Software. Because IPsec is implemented in a device such as a firewall or router,
no software changes must be made on the local client.

Unlike SSL, which is implemented as a part of the user application, IPsec is in the
operating system or the communication hardware. IPsec is more likely to operate at
a faster speed because it can cooperate closely with other system programs and the
hardware.

IPsec provides three areas of protection that correspond to three IPsec protocols:

Authentication. IPsec authenticates that packets received were sent from the
source. This is identified in the header of the packet to ensure that no specific
attacks took place to alter the contents of the packet. This is accomplished by the
Authentication Header (AH) protocol.

Confidentiality. By encrypting the packets, IPsec ensures that no other parties
could view the contents. Confidentiality is achieved through the Encapsulating
Security Payload (ESP) protocol. ESP supports authentication of the sender and
encryption of data.

Key management. IPsec manages the keys to ensure that they are not intercepted
or used by unauthorized parties. For IPsec to work, the sending and receiving
devices must share a key. This is accomplished through a protocol known as
Internet Security Association and Key Management Protocol/Oakley (ISAKMP/
Oakley), which generates the key and authenticates the user using techniques
such as digital certificates.

IPsec supports two encryption modes: transport and tunnel. Transport mode
encrypts only the data portion (payload) of each packet yet leaves the header
unencrypted. The more secure tunnel mode encrypts both the header and the data
portion. IPsec accomplishes transport and tunnel modes by adding new headers to the
IP packet. The entire original packet (header and payload) is then treated as the data
portion of the new packet.

Note

Because tunnel mode protects the entire packet, it is generally used in a network-to-network
communication, while transport mode is used when a device must see the source and
destination addresses to route the packet.

Chapter Summary

Cryptography that is improperly applied can lead to vulnerabilities that will be
exploited. It is necessary to understand the different options that relate to
cryptography so that it can be implemented correctly. A key must be strong to resist
attacks. A strong key must be random with no predictable pattern. Keys should also be
long, and the length of time for which a key is authorized for use should be limited.
Any attempt to keep an algorithm secret will not result in strong security. A block
cipher mode of operation specifies how block ciphers should handle blocks of
plaintext. Some of the most common are Electronic Code Book (ECB), Cipher Block
Chaining (CBC), Counter (CTR), and the Galois/Counter (GCM) mode. A crypto service
provider allows an application to implement an encryption algorithm for execution.
Typically, crypto service providers implement cryptographic algorithms by calling
crypto modules to perform the specific tasks. Some cryptographic algorithms require
that, in addition to a key, another value can or must be input. A salt is a value that
can be used to ensure that plaintext, when hashed, will not consistently result in the
same digest. A nonce is a value that must be unique within some specified scope, such
as for a given period or for an entire session. An initialization vector (IV) is a
nonce that must be selected in a non-predictable way.

A digital certificate is the user's public key that has been digitally signed by a
trusted third party who verifies the owner and that the public key belongs to that
owner. It also binds the public key to the certificate. A user who wants a digital
certificate generates the public and private keys to be used and then completes a
request known as a Certificate Signing Request (CSR). The user electronically signs
the CSR by affixing her public key and then sends it to an intermediate certificate
authority (CA), who processes the CSR and verifies the authenticity of the user. The
intermediate CAs perform functions on behalf of a certificate authority (CA) that is
responsible for digital certificates. A common method to ensure the security and
integrity of a root CA is to keep it in an offline state from the network (offline CA)
rather than having it directly connected to a network (online CA).

A certificate repository (CR) is a list of approved digital certificates. Revoked
digital certificates are listed in a Certificate Revocation List (CRL), which can be
accessed to check the certificate status of other users. The status also can be
checked through the Online Certificate Status Protocol (OCSP). Because digital
certificates are used extensively on the Internet, all modern web browsers are
preconfigured with a default list of CAs and the ability to automatically update
certificate information. When using OCSP stapling, web servers send queries to the
OCSP responder server at regular intervals to receive a signed, time-stamped OCSP
response.

There are several different types of digital certificates. The process of verifying
that a digital certificate is genuine depends upon certificate chaining, or linking
several certificates together to establish trust between all the certificates
involved. The
endpoint of the chain is the user digital certificate itself. The beginning point of
the chain is a specific type of digital certificate known as a root digital
certificate, which is created and verified by a CA and is also self-signed. Between
the root digital certificate and the user certificate can be one or more intermediate
certificates that have been issued by intermediate CAs. Root digital certificates and
intermediate certificates are packaged as part of modern operating systems, can be
part of web browser software, or are hard-coded within the app (program) that is
using the certificate.

Domain validation digital certificates verify the identity of the entity that has
control over the domain name but indicate nothing regarding the trustworthiness of
the individuals behind the site. Extended Validation (EV) certificates require more
extensive verification of the legitimacy of the business. A wildcard digital
certificate is used to validate a main domain along with all subdomains. A Subject
Alternative Name (SAN) digital certificate, also known as a Unified Communications
Certificate (UCC), is primarily used for Microsoft Exchange servers or unified
communications. A machine digital certificate is used to verify the identity of a
device in a network transaction. Digital certificates used by software developers to
digitally sign a program, proving that the software comes from the entity that signed
it and that no unauthorized third party has altered or compromised it, are called
code signing digital certificates. An email digital certificate allows a user to
digitally sign and encrypt mail messages. The most widely accepted format for digital
certificates is the X.509 international standard.

A public key infrastructure (PKI) is a framework for all the entities involved in
digital certificates, including hardware, software, people, policies, and procedures,
to create, store, distribute, and revoke digital certificates. One of the principal
foundations of PKI is that of trust. Three basic PKI trust models use a CA. The
hierarchical trust model assigns a single hierarchy with one master CA called the
root, who signs all digital certificate authorities with a single key. The bridge
trust model is similar to the distributed trust model. No single CA signs digital
certificates, and yet the CA acts as a facilitator to interconnect all other CAs. The
distributed trust model has multiple CAs that sign digital certificates.

An organization that uses multiple digital certificates on a regular basis needs to
properly manage those digital certificates. Such management includes establishing
policies and practices and determining the life cycle of a digital certificate.
Because keys form the very foundation of PKI systems, it is important that they be
carefully managed.

Cryptography is commonly used to protect data-in-transit. Secure Sockets Layer (SSL)
was an early cryptographic transport protocol but is being replaced with the more
secure Transport Layer Security (TLS). Secure Shell (SSH) is a Linux/UNIX-based
command interface and protocol for securely accessing a remote computer communicating
over the Internet. Hypertext Transport Protocol Secure (HTTPS), a secure version for
web communications, is HTTP sent over SSL or TLS. Secure/Multipurpose Internet Mail
Extensions (S/MIME) is a protocol for securing email messages. IP security (IPsec) is
a set of protocols developed to support the secure exchange of packets. The Secure
Real-time Transport Protocol (SRTP) provides protection for Voice over IP (VoIP)
communications.

Key Terms

Authentication Header (AH)
block cipher mode of operation
Canonical Encoding Rules (CER)
certificate authority (CA)
certificate chaining
Certificate Revocation List (CRL)
Certificate Signing Request (CSR)
Cipher Block Chaining (CBC)
code signing digital certificate
Counter (CTR)
crypto modules
crypto service provider
digital certificate
Distinguished Encoding Rules (DER)
domain validation digital certificate
Electronic Code Book (ECB)
email digital certificate
Encapsulating Security Payload (ESP)
Extended Validation (EV) certificate
Galois/Counter (GCM)
Hypertext Transport Protocol Secure (HTTPS)
initialization vector (IV)
intermediate certificate authority (CA)
Internet Protocol Security (IPsec)
key escrow
key exchange
key strength
machine digital certificate
nonce
object identifier (OID)
offline CA
online CA
Online Certificate Status Protocol (OCSP)
Personal Information Exchange (PFX)
pinning
PKCS#12
Privacy Enhancement Mail (PEM)
public key infrastructure (PKI)
root digital certificate
salt
secret algorithm
Secure Real-time Transport Protocol (SRTP)
Secure Shell (SSH)
Secure Sockets Layer (SSL)
Secure/Multipurpose Internet Mail Extensions (S/MIME)
self-signed
session keys
stapling
Subject Alternative Name (SAN)
Transport Layer Security (TLS)
transport mode
trust model
tunnel mode
user digital certificate
wildcard digital certificate

Review Questions

1. Which of the following is NOT a method for strengthening a key?
a. Randomness
b. Cryptoperiod
c. Length
d. Variability

2. Which of the following block ciphers XORs each block of plaintext with the
previous block of ciphertext before being encrypted?
a. Electronic Code Book (ECB)
b. Galois/Counter (GCM)
c. Counter (CTR)
d. Cipher Block Chaining (CBC)

3. What entity calls in crypto modules to perform cryptographic tasks?
a. Certificate Authority (CA)
b. OCSP Chain
c. Intermediate CA
d. Crypto service provider

4. ____ are symmetric keys to encrypt and decrypt information exchanged during
the session and to verify its integrity.
a. Encrypted signatures
b. Session keys
c. Digital certificates
d. Digital digests

5. Which of these is considered the strongest cryptographic transport protocol?
a. TLS v1.2
b. TLS v1.0
c. SSL v2.0
d. SSL v2.0

6. The strongest technology that would assure Alice that Bob is the sender of a
message is a(n) ____.
a. digital signature
b. encrypted signature
c. digest
d. digital certificate

7. A digital certificate associates ____.
a. a user's public key with his private key
b. the user's identity with his public key
c. a user's private key with the public key
d. a private key with a digital signature

8. Digital certificates can be used for each of these EXCEPT ____.
a. to verify the authenticity of the Registration Authorizer
b. to encrypt channels to provide secure communication between clients and servers
c. to verify the identity of clients and servers on the Web
d. to encrypt messages for secure email communications

9. An entity that issues digital certificates is a ____.
a. certificate signatory (CS)
b. digital signer (DS)
c. certificate authority (CA)
d. signature authority (SA)

10. A centralized directory of digital certificates is called a(n) ____.
a. Digital Signature Permitted Authorization (DSPA)
b. Digital Signature Approval List (DSAP)
c. Certificate Repository (CR)
d. Authorized Digital Signature (ADS)

11. ____ performs a real-time lookup of a digital certificate's status.
a. Certificate Revocation List (CRL)
b. Real-Time CA Verification (RTCAV)
c. Online Certificate Status Protocol (OCSP)
d. CA Registry Database (CARD)

12. What is a value that can be used to ensure that hashed plaintext will not
consistently result in the same digest?
a. Algorithm
b. Initialization vector (IV)
c. Nonce
d. Salt

13. Which digital certificate displays the name of the entity behind the website?
a. Online Certificate Status Certificate
b. Extended Validation (EV) Certificate
c. Session Certificate
d. X.509 Certificate

14. Which trust model has multiple CAs, one of which acts as a facilitator?
a. Bridge
b. Hierarchical
c. Distributed
d. Web

15. Which statement is NOT true regarding hierarchical trust models?
a. It is designed for use on a large scale.
b. The root signs all digital certificate authorities with a single key.
c. It assigns a single hierarchy with one master CA.
d. The master CA is called the root.

16. Public key infrastructure (PKI) ____.
a. generates public/private keys automatically
b. creates private key cryptography
c. is the management of digital certificates
d. requires the use of an RA instead of a CA

17. A(n) ____ is a published set of rules that govern the operation of a PKI.
a. signature resource guide (SRG)
b. enforcement certificate (EF)
c. certificate practice statement (CPS)
d. certificate policy (CP)

18. Which of these is NOT part of the certificate life cycle?
a. Expiration
b. Revocation
c. Authorization
d. Creation

19. ____ refers to a situation in which keys are managed by a third party, such as a
trusted CA.
a. Key authorization
b. Key escrow
c. Remote key administration
d. Trusted key authority

20. ____ is a protocol for securely accessing a remote computer.
a. Transport Layer Security (TLS)
b. Secure Shell (SSH)
c. Secure Sockets Layer (SSL)
d. Secure Hypertext Transport Protocol (SHTTP)

Hands-On Projects

Project 4-1: Using SSL Server and Client Tests
In this project, you will use online tests to determine the security of web servers and your
local web browser.

1. Go to www.ssllabs.com.

Note

If you are concerned about installing any of the software in these projects on your
regular computer, you can instead install the software in the Windows virtual
machine created in the Chapter 1 Hands-On Projects 1-3 and 1-4. Software installed
within the virtual machine will not impact the host computer.

Note

It is not unusual for websites to change the location of where files are stored. If the
URL above no longer functions, open a search engine and search for Qualys SSL
Server Test.

2. Click Test your server >>.
3. Click the first website listed under Recent Best-Rate.

4. Note the grade given for this site. Under Summary note the Overall Rating along with
the scores for Certificate, Protocol Support, Key Exchange, and Cipher Strength, which
together determine the overall rating.

5. If this site did not receive an Overall Rating of A under Summary, you will see the
reasons listed. Read through these. Would you agree? Why?

6. Scroll down through the document and read through the Certificate #1 information.
Note the information supplied regarding the digital certificates. Under Certification
Paths click Click here to expand if necessary to view the certificate chaining. What can
you tell about it?

7. Scroll down to Configuration. Note the list of protocols supported and not supported. If
this site were to increase its security, which protocols should it no longer support? Why?

8. Under Cipher Suites interpret the suites listed. Notice that they are given in server-preferred
order. To increase its security, which cipher suite should be listed first? Why?

9. Under Handshake Simulation select the web browser and operating system that you
are using or one similar to what you are using. Read through the capabilities of this client
interacting with this web server. Note particularly the order of preference of the cipher
suites. Click the browser's Back button when finished.

10. Scroll to the top of the page, then click Scan Another >>.
11. This time select one of the Recent Worst-Rated sites. As with the previous excellent
example, review the Summary, Authentication, Configuration, Cipher Suites,
and Handshake Simulation. Would you agree with this site's score?

12. If necessary, return to the SSL Report page and click Scan Another >>.
13. Enter the URL of your school or workplace and generate a report. What score did it receive?
14. Review the Summary, Authentication, Configuration, Cipher Suites, and Handshake
Simulation. Would you agree with this site's score?

15. Make a list of the top five vulnerabilities that you believe should be addressed, in order
of priority. If possible, share this with any IT personnel who may be able to take action.

16. Click Projects.
17. Now test the capabilities of your web browser. Click SSL Client Test. Review the
capabilities of your web browser. Print or take a screen capture of this page.

18. Close this web browser.
19. Now open a different web browser on this computer or on another computer.
20. Return to www.ssllabs.com and click Projects and then SSL Client Test to compare
the two scores. From a security perspective, which browser is better? Why?

21. Close all windows.
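Steps 7 and 8 ask which cipher suites a server should drop and which it should prefer. The following script is an added example written for this edition of the page, not code from the textbook or from SSL Labs, and its scoring rules (forward secrecy first, then AEAD, then key-exchange preference, then symmetric key size; anything using RC4, DES, 3DES, MD5, NULL, EXPORT or anonymous key exchange is flagged for removal) are the editor's assumptions rather than SSL Labs' grading formula. It goes slightly beyond the report page by accepting both IANA names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256). The server-preferred list at the bottom is constructed to resemble what a mediocre report shows.

```python
"""Rank a server's TLS cipher suites and flag the ones to retire.

Added example (not from the textbook). Scoring rules are the editor's
assumptions: forward secrecy first, then AEAD, then key-exchange
preference, then symmetric key size. Not SSL Labs' exact grading.
"""

# Any of these substrings makes a suite unacceptable regardless of the rest.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON")

KX_PREFERENCE = {"TLS13": 3, "ECDHE": 2, "DHE": 1, "RSA": 0, "OTHER": 0}


def parse_suite(name):
    """Break an IANA- or OpenSSL-style suite name into the parts that matter."""
    n = name.upper().replace("-", "_")
    if n.startswith("TLS_"):
        n = n[4:]

    # Key exchange. TLS 1.3 names carry no key-exchange field at all.
    if n.startswith(("AES_", "AES128", "AES256", "CHACHA20")):
        kx = "TLS13"
    elif "ECDHE" in n:
        kx = "ECDHE"
    elif "DHE" in n:
        kx = "DHE"
    elif n.startswith("RSA"):
        kx = "RSA"              # static RSA key transport: no forward secrecy
    else:
        kx = "OTHER"

    aead = any(m in n for m in ("GCM", "CHACHA20", "CCM"))

    if "NULL" in n:
        enc_bits = 0
    elif "AES_256" in n or "AES256" in n or "CHACHA20" in n:
        enc_bits = 256
    elif "AES_128" in n or "AES128" in n:
        enc_bits = 128
    elif "3DES" in n or "DES_EDE3" in n:
        enc_bits = 112          # effective strength of triple DES
    else:
        enc_bits = 0            # DES, RC4, unknown: give no credit

    weak = any(m in n for m in WEAK_MARKERS) or enc_bits < 128
    return {"name": name, "kx": kx, "pfs": kx in ("TLS13", "ECDHE", "DHE"),
            "aead": aead, "enc_bits": enc_bits, "weak": weak}


def score(info):
    """Higher is better; weak suites sort to the bottom."""
    if info["weak"]:
        return -1
    return (1000 * info["pfs"] + 100 * info["aead"]
            + 10 * KX_PREFERENCE[info["kx"]] + info["enc_bits"] // 8)


def rank_suites(names):
    """Suite names in the order the server should prefer them (stable sort)."""
    infos = sorted((parse_suite(n) for n in names), key=score, reverse=True)
    return [i["name"] for i in infos]


def weak_suites(names):
    """Suites that should be removed from the server configuration."""
    return [n for n in names if parse_suite(n)["weak"]]


def has_forward_secrecy(name):
    return parse_suite(name)["pfs"]


# Constructed server-preferred order, resembling an SSL Labs Cipher Suites section.
SAMPLE_SERVER_ORDER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for n in rank_suites(SAMPLE_SERVER_ORDER):
        i = parse_suite(n)
        print(f"{n:42} pfs={i['pfs']!s:5} aead={i['aead']!s:5} weak={i['weak']}")
    print("retire:", weak_suites(SAMPLE_SERVER_ORDER))
```

Run it against the suites copied from your own report; the first entry of rank_suites is the answer to step 8 and weak_suites is the list to hand to whoever maintains the server. Note that a TLS 1.3 suite is ranked by the same rules even though TLS 1.3 negotiates its suites separately from TLS 1.2.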

Project 4-2: Viewing Digital Certificates
In this project, you will view digital certificate information using the Google Chrome web
browser.

1. Use the Google Chrome web browser to go to www.google.com.
2. Note the green padlock in the address bar. Although you did not enter https://,
nevertheless Google created a secure HTTPS connection. Why would it do that?


3. Click the three vertical dots at the far edge of the address bar.
4. Click More tools.
5. Click Developer tools.
6. Click the Security tab (if the tab does not appear, click the >> button to display more
tabs).
7. Read the information under Security Overview.
8. Click View certificate.
9. Note the general information displayed under the General tab.
10. Now click the Details tab. The fields of this X.509 digital certificate are displayed.
11. Click Valid to to view the expiration date of this certificate.
12. Click Public key to view the public key associated with this digital certificate. Why is this
site not concerned with distributing this key? How does embedding the public key in a
digital certificate that a CA has signed protect it from impersonators?

13. Click the Certification Path tab. Because web certificates are based on the distributed
trust model, there is a path from this certificate up to a root certificate. Click the root
certificate and click the View Certificate button. Click the Details tab and then click Valid to.
Why is the validity period of this root certificate longer than that of the website certificate?
Click OK and then click OK again to close the Certificate window.

14. Click Copy to File . . .
15. Click Next.
16. Note the different file formats that are available. What do you know about each of these
formats?
17. Click Cancel to close this window.
18. Close all windows.

Project 4-3: Viewing Digital Certificate Revocation Lists (CRLs) and Untrusted Certificates
Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be
downloaded to check the status of certificates issued by that CA. In this project, you will view
the cached CRLs and any untrusted certificates on your Microsoft Windows computer.

1. Press the Windows + X keys.
2. Click Command Prompt (Admin).
3. Type certmgr.msc and then press Enter. (certmgr.msc opens the current user's certificate
store; certlm.msc opens the local computer's store.)
4. In the left pane, expand Trusted Root Certification Authorities.
5. In the left pane, double-click Certificates. These are the CAs trusted by this
computer. Scroll through this list. How many of these have you heard of before?
6. In the left pane, expand Intermediate Certification Authorities.
7. Double-click Certificates to view the intermediate CAs. Scroll through this list.
8. Click Certificate Revocation List.
9. In the right pane, the CRLs that Windows has cached are listed; each one enumerates the
certificates its issuing CA has revoked. Select a CRL and double-click it.


10. Read the information about it. The Revocation List tab shows the serial number, the
revocation date and, where the CA recorded one, the reason code for each revoked
certificate. Click fields for more detail if necessary. Why do you think these certificates
have been revoked? Close the Certificate Revocation List by clicking the OK button.

11. In the left pane, expand Untrusted Certificates.
12. Click Certificates. The certificates that are no longer trusted are listed in the right pane.
13. Double-click one of the untrusted certificates. Read the information about it and click
fields for more detail if necessary. Why do you think this certificate is no longer trusted?
14. Click OK to close the Certificate dialog box.
15. Close all windows.

Project 4-4: Downloading and Installing a Digital Certificate
In this project, you will download and install a free S/MIME email digital certificate. Note that
the Google Chrome browser must be used for downloading the certificate.

1. Use the Google Chrome web browser to go to
www.comodo.com/home/email-security/free-email-certificate.php.

Note

It is not unusual for websites to change the location of where files are stored. If the
URL above no longer functions, open a search engine and search for Comodo Free
Secure Email Certificate.

2. Click Sign Up Now.
3. You will be taken to the Application for Secure Email Certificate. Read through the
information regarding your browser giving the website permission to generate a key.
Follow its instructions.

4. Enter the requested information. Based on the information requested, how secure
would you rate this certificate? Under which circumstances would you trust it? Why?
Click I ACCEPT and then click Next.

5. Open the email account that you entered in the application and open the email from
Comodo.

6. Click Click & Install Comodo Email Certificate.
7. Verify that the certificate is installed. Click Start and then type cmd and press Enter.
8. Type certmgr.msc and then press Enter.
9. In the left pane, expand Personal.
10. In the left pane, click Certificates. Your personal certificate should display.
11. Go to www.comodo.com/support/products/email_certs/outlook.php to view how to
assign a personal certificate to a Microsoft Outlook email account.
12. Read through the steps for assigning a certificate, signing an email and encrypting an
email. Do you think an average user would be able to follow these steps? Why or why
not? What could be done to simplify the process?

13. Close all windows.


Case Projects

Case Project 4-1: Algorithm Input Values
The most common input values for cryptographic algorithms are salts, nonces, and
initialization vectors. Search the Internet for information regarding each of these. How are
they used? What are their strengths? How can they be compromised? Write a one-paragraph
description of each of the three values.

Case Project 4-2: Recommended Cryptoperiods
How long should a key be used before it is replaced? Search the Internet for information
regarding cryptoperiods for hash, symmetric, and asymmetric algorithms. Find at least
three sources for each of the algorithms. Draw a table that lists the algorithms and the
recommended time, and then calculate the average for each. Do you agree or disagree? What
would be your recommendation on cryptoperiods for each? Why?

Case Project 4-3: Certificate Authorities (CAs)
Operating systems come packaged with many digital certificates from certificate authorities
(CAs). Use the Internet to determine how to view the CAs for the type and version of
operating system that you are using and view the list. How many have you heard of? How
many are unknown? Select three of the publishers and research their organizations on the
Internet. Write a one-paragraph summary of each CA.

Case Project 4-4: HTTPS
Hypertext Transport Protocol Secure (HTTPS) is becoming increasingly popular as a security
protocol for web traffic. Some sites automatically use HTTPS for all transactions (like Google),
while others require that users must configure it in their settings. Some argue that HTTPS should
be used on all web traffic. What are the advantages of HTTPS? What are its disadvantages? How
is it different from HTTP? How must the server be set up for HTTPS transactions? How would
it protect you using a public Wi-Fi connection at a local coffee shop? Should all web traffic be
required to use HTTPS? Why or why not? Write a one-page paper of your research.

Case Project 4-5: Block Cipher Modes of Operation
Research block cipher modes of operation. Find information regarding how ECB can be
compromised and write a detailed description of that. Then research one of the other modes
(CBC, CTR, or GCM) in detail. Draw a picture of how this mode functions by turning plaintext
into ciphertext. Write a detailed description of your research.

Case Project 4-6: Digital Certificate Costs
Use the Internet to research the costs of the different types of digital certificates: domain
validation, EV, wildcard, SAN (multi-domain), machine, code signing, and email. Look up at least three
different providers of each, and create a table listing the type of certificate, the costs, and the
length of time the certificate is valid.

Case Project 4-7: Lake Point Consulting Services
Lake Point Consulting Services (LPCS) provides security consulting and assurance services to
over 500 clients across a wide range of enterprises in more than 20 states. A new initiative
at LPCS is for each of its seven regional offices to provide internships to students who are in
their final year of the security degree program at the local college.

Guardian Travel provides emergency assistance to travelers who need help with last-minute
travel changes, rebooking flights, ground transportation, and emergency medical
services. They are now considering expanding into personalized concierge services to aid
travelers with restaurant reservations, tickets to shows, and spa reservations. Guardian Travel
would like to create a specialized smartphone app to support their concierge services. One of
the contract programmers working on the app has told Guardian Travel that a code signing
digital certificate is a waste of money, but one of Guardian Travel's IT staff members says that
it is essential. After hearing the discussion in a meeting, an executive vice president has asked
LPCS for help in reviewing all the digital certificates that Guardian Travel uses and
how they are currently being managed. Guardian Travel has asked you to conduct a training
session for the executive staff and IT personnel about digital certificates.

1. Create a PowerPoint presentation that provides an overview of cryptography with
specific emphasis on digital signatures, digital certificates, and PKI. The presentation
should be at least eight slides in length.

2. The security manager of Guardian Travel has now proposed that all email correspondence,
both internal between employees and external to all business partners and customers,
should use digital certificates. Several IT staff employees are concerned about this proposal.
They have asked you for your opinion on using digital certificates for all email messages.
Write a one-page memo to Guardian Travel about the pros and cons of this approach.

Case Project 4-8: Community Site Activity
The Information Security Community Site is an online companion to this textbook. It contains
a wide variety of tools, information, discussion boards, and other features to assist learners.
Go to community.cengage.com/Infosec2 and click the Join or Sign in icon to log in, using
the login name and password that you created in Chapter 1. Click Forums (Discussion) and
click on Security+ Case Projects (6th edition). Read the following case study.

Read again Today's Attacks and Defenses at the beginning of the chapter. What if your
computer was infected with Spora? Some argue that paying a ransom does not guarantee
that you will get your data back. It not only emboldens criminals to spread their crypto-malware
but it also offers an incentive for other criminals to get involved in this type of
illegal activity. By paying a ransom you may be funding other illicit activity associated with the
criminals. Do you agree or disagree? Would you pay or not? Take both the pro and con sides
to this argument and present three to five reasons for each side. Then, give your opinion.
Record your answer on the Community Site discussion board.


PART III
NETWORK ATTACKS AND DEFENSES

Chapter 5: Networking and Server Attacks

Chapter 6: Network Security Devices, Technologies, and Design

Chapter 7: Administering a Secure Network

Chapter 8: Wireless Network Security

The chapters in Part 3 deal with securing an enterprise computer network. In
Chapter 5, you learn about the attacks that target networks and servers. Chapter 6
demonstrates how to protect a network through network devices, architecture,
and technologies. In Chapter 7, you learn how to manage network security as a
network administrator. Finally, in Chapter 8 you explore the concepts and tools for
protecting wireless networks.

CHAPTER 5
NETWORKING AND SERVER ATTACKS

After completing this chapter, you should be able to do the following:

Describe the different types of networking-based attacks

Explain how servers are attacked

Today's Attacks and Defenses

Normally, an enterprise would leap at the opportunity to protect its customers' information
by plugging vulnerabilities that have been exposed. And government prosecutors would
equally be anxious to bring charges against threat actors who steal confidential material. But
in a strange twist, tech companies and government agencies are sometimes prohibited from
protecting users from attacks.

A group of hacktivists known as WikiLeaks posted online 8761 documents, called
Vault 7, purportedly to expose how the Central Intelligence Agency (CIA) conducted covert
operations on other nations and U.S. citizens. Several security researchers, after analyzing the
documents, confirmed the claims that these documents demonstrated that the CIA exploited
zero-day vulnerabilities, created its own attack software, and even used attackers' malware,
all for spying purposes. By using existing attack software, the CIA could trick investigators into
thinking that the attacks came from outside attackers instead of the CIA. However, others
claimed that these documents did not conclusively show that CIA operatives masqueraded as
attackers. Rather, they say the CIA used a library of malware samples and techniques gleaned
from attackers that could be modified by the CIA to save time in programming its own spying
software. The CIA declined comment.

In addition to security researchers, several vendors also analyzed the Vault 7 WikiLeaks
documents to determine if any of their products were at risk from the exposed software
exploits. After studying the documents, Cisco Systems, a manufacturer of networking
equipment, discovered a vulnerability in 318 models of Cisco switches that allowed remote
attackers to execute code that runs with elevated (administrative) privileges. Cisco announced
that it planned to release a fix for the vulnerability.

Not so fast, said the U.S. government.

A statement from the White House press secretary two days after the leak warned that
any company that accepted classified material from WikiLeaks could be in violation of the law.
That's because the companies would be working with stolen government secrets. Although
it was unclear if the government would prosecute a company for using leaked classified
documents to patch its products to protect users from attack, it served as an ominous
warning to Cisco and other technology vendors.1

And in another strange twist, the U.S. Securities and Exchange Commission (SEC) and the
Department of Justice (DOJ) filed civil and criminal actions in the largest securities fraud scheme of
its kind ever prosecuted. The fraud scheme was the result of online attackers stealing information.
This information included the secret plans of organizations, such as the merger or acquisition of
another company, that could make their stock prices skyrocket. However, the attackers got this
information not from servers maintained by these organizations, but from third-party newswires.
A newswire is a company that is used by an organization to spread its stories across the Internet
and to print sources. It is common practice for public companies to upload draft releases of their
proposed actions, such as a merger or acquisition, to the newswires. Because these releases often
contain material that is not yet known to the public, such as unreleased earnings and revenue, the
newswires agree to keep the information confidential until it is publicly released.

According to the government, attackers used phishing attacks and a type of web server
attack known as a SQL injection attack, among other schemes, to access the newswires'
servers. Attackers stole the confidential but soon-to-be-released information and quickly
purchased the company's stock at a lower cost before the information was publicly released
(and the stock price rose). In one instance, the attackers stole the information and then bought stock in a
36-minute window between the time when the newswire received the information and its
public release. In five years over 150,000 confidential press releases from three newswire
companies were stolen, resulting in 1000 trades that netted $30 million in profits.


Although the SEC would normally be the agency to investigate and prosecute the threat
actors, a recent federal court decision said that these threat actors must use deceptive methods
to break into a computer in order for the SEC to have jurisdiction. That means that if the threat
actors sent malware as an email attachment the SEC could step in, but if the attacker just exploited
an existing vulnerability in a web server, the SEC would be prohibited from taking any action.2

The impact of the Internet on our world has been nothing short of astonishing.
Today's Internet has its roots all the way back in the late 1960s, but it was only used by
researchers and the military for almost a quarter of a century. With the introduction of
web browser software in the early 1990s, along with the spread of telecommunication
connections at work and home, the Internet became usable and accessible to almost
everyone. This created a seismic shift across society. First, a virtually limitless amount
of information was suddenly available at users' fingertips. Second, not only did it give
unprecedented access to information, but the Internet also created a collective force of
tremendous proportions. For the first time in human history, mass participation and
cooperation across space and time is possible, empowering individuals and groups all
over the world. The Internet has truly had a revolutionary impact on how we live.

But for all of the benefits that the Internet has provided, it also has become the
primary pathway for threat actors to spread their malware. The Internet has opened
the door for them to reach around the world invisibly and instantaneously to launch
attacks on any device connected to it. And just as users can surf the web without
openly identifying themselves, attackers can also use anonymity to cloak their identity
and prevent authorities from finding and prosecuting them.

This chapter begins a study of network attacks and defenses. First the chapter
explores some of the common attacks that are launched against networks today. Then
it looks specifically at attacks that target network-based servers and the applications
that run on those devices.

Networking-Based Attacks

Threat actors place a high priority on targeting networks in their attacks. This is
because exploiting a single vulnerability could expose hundreds or thousands of
devices. There are several types of attacks that target a network or a process that relies
on a network. These can be grouped into interception attacks and poisoning attacks.

Certification

1.2 Compare and contrast types of attacks.

2.6 Given a scenario, implement secure protocols.


Interception
Some attacks are designed to intercept network communications. Three of the most
common interception attacks are man-in-the-middle, man-in-the-browser, and replay
attacks.

Man-in-the-Middle (MITM)
Suppose that Angie, a high school student, is in danger of receiving a poor grade
in math. Her teacher, Mr. Ferguson, mails a letter to Angie's parents requesting
a conference regarding her performance. However, Angie waits for the mail and
retrieves the letter from the mailbox before her parents come home. She forges her
parents' signature on the original letter declining a conference and mails it back to her
teacher. Angie then replaces the real letter with a counterfeit pretending to be from
Mr. Ferguson that compliments Angie on her math work. The parents read the fake
letter and tell Angie they are proud of her, while Mr. Ferguson is puzzled why Angie's
parents are not concerned about her grades. Angie has conducted a man-in-the-middle
(MITM) attack by intercepting legitimate communication and forging a fictitious
response to the sender.

A network-based MITM attack involves a threat actor who inserts himself into a
conversation between two parties. The actor impersonates both parties to gain access to
information they are sending to each other. Neither of the legitimate parties is aware of
the presence of the threat actor, and so both communicate freely, thinking they are talking
only to the authentic party. A conceptual MITM attack is illustrated in Figure 5-1.

Figure 5-1 Conceptual MITM attack

A MITM could occur between two users. Figure 5-2 illustrates an attack in which a
threat actor impersonates both Bob and Alice to intercept a public key: because neither
Bob nor Alice can verify whose public key actually arrived, the attacker substitutes his
own and can then read and alter everything encrypted with it. However, many
MITM attacks are between a user and a server.
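The exchange in Figure 5-2, simulated end to end, as an added example that is not part of the textbook. It stands in a Diffie-Hellman exchange for the figure's "send me your public key" step; the flaw is identical, since neither party can tell whose public key it received. The group (the Mersenne prime 2^127 - 1 with generator 5) and the XOR-keystream cipher are toys chosen to keep the code short and are not fit for real use; the private exponents in the test are arbitrary constants. The fingerprint check at the end is the defense the chapter returns to with digital certificates: Bob compares the key he received with a value he obtained through a channel the attacker does not control.

```python
"""Why an unauthenticated public-key exchange is open to a MITM (Figure 5-2).

Added example, not from the textbook. Diffie-Hellman stands in for the
figure's public-key exchange; the toy group and toy cipher are for
illustration only.
"""
import hashlib
import hmac

P = 2**127 - 1      # a prime, but far too small and not a safe prime: demo only
G = 5


def public(priv):
    return pow(G, priv, P)


def session_key(priv, other_pub):
    """Shared secret g^(ab) mod p, hashed down to a 32-byte key."""
    return hashlib.sha256(pow(other_pub, priv, P).to_bytes(16, "big")).digest()


def seal(key, plaintext):
    """Toy authenticated encryption: SHA-256 keystream XOR, then an HMAC tag."""
    stream, counter = b"", 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def open_(key, sealed):
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return seal(key, ct)[:-32]          # XOR with the same keystream undoes it


def fingerprint(pub):
    """What Alice would read out over the phone or print on a card."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def exchange(bob_priv, alice_priv, mallory_priv=None, check_fingerprints=False):
    """Bob sends Alice his account number; Mallory may sit on the path.

    Returns (what Alice decrypts, what Mallory could read or None).
    Raises ValueError if the fingerprint check catches the substitution.
    """
    bob_pub, alice_pub = public(bob_priv), public(alice_priv)

    if mallory_priv is None:
        pub_seen_by_bob, pub_seen_by_alice = alice_pub, bob_pub
    else:
        # Mallory answers both "send me your public key" requests with her own key.
        pub_seen_by_bob = pub_seen_by_alice = public(mallory_priv)

    if check_fingerprints and fingerprint(pub_seen_by_bob) != fingerprint(alice_pub):
        raise ValueError("public key fingerprint mismatch: MITM suspected")

    k_bob = session_key(bob_priv, pub_seen_by_bob)        # Bob believes: Bob<->Alice
    k_alice = session_key(alice_priv, pub_seen_by_alice)  # Alice believes the same

    wire = seal(k_bob, b"My account number is 1234")
    intercepted = None
    if mallory_priv is not None:
        # Mallory holds both session keys, so she decrypts, edits, re-encrypts.
        intercepted = open_(session_key(mallory_priv, bob_pub), wire)
        forged = intercepted.replace(b"1234", b"6789")
        wire = seal(session_key(mallory_priv, alice_pub), forged)

    return open_(k_alice, wire), intercepted


if __name__ == "__main__":
    print("no attacker :", exchange(123456789, 987654321))
    print("with Mallory:", exchange(123456789, 987654321, 555555555))
    try:
        exchange(123456789, 987654321, 555555555, check_fingerprints=True)
    except ValueError as e:
        print("with check  :", e)
```

Alice receives a valid, correctly authenticated message saying 6789, which is exactly the figure's outcome; the session keys were never broken, they were simply established with the wrong party. In practice the out-of-band fingerprint is replaced by a CA signature over the public key, which is what a digital certificate provides.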


Man-in-the-Browser (MITB)
Like a MITM attack, a man-in-the-browser (MITB) attack intercepts communication
between parties to steal or manipulate the data. But whereas a MITM attack occurs
between two computers, such as between two user laptops or a user's computer and
a web server, a MITB attack occurs inside the browser on the user's own computer.
Specifically, a MITB attack seeks to intercept and then manipulate the data passing
between the web pages the user sees and the browser's security mechanisms, so that
form data is altered before TLS encrypts it and server responses are altered after TLS
has decrypted them; the encrypted connection itself is never broken.

Figure 5-2 MITM attack intercepting public key (figure labels: "Send me your public key",
"My public key is WXYZ", "My public key is ABCD", "My account number is 1234",
"My account number is 6789"; Bob is on the left, Alice on the right, with the attacker
between them substituting his own public key and altering the account number in transit)

Note

Instead of the malicious agent being external to the two communicating computers as in a
MITM, a MITB is internal: it runs within the web browser on the computer that is running the browser.

A MITB attack usually begins with a Trojan infecting the computer and installing
an extension into the browser configuration, so that when the browser is launched
the extension is activated. When a user enters the URL of a site, the extension checks
to determine if this is a site that is targeted for attack. After the user logs in to the
site, the extension waits for a specific webpage to be displayed in which a user enters
information, such as the account number and password for an online financial
institution (a favorite target of MITB attacks). When the user clicks Submit the
extension captures all the data from the fields on the form and may even modify some
of the entered data. The browser then proceeds to send the data to the server, which
performs the transaction and generates a receipt that is sent back to the browser. The
malicious extension again captures the receipt data and modifies it (with the data the
user originally entered) so that it appears that a legitimate transaction has occurred.

There are several advantages to a MITB attack from the threat actor's point of view:

Most MITB attacks are distributed through a Trojan browser extension, which
provides a valid function to the user but also installs the MITB malware, making
it difficult to recognize that malicious code has been installed.

Because MITB malware is selective as to which websites are targeted, an infected
MITB browser might remain dormant for months until triggered by the user
visiting a targeted site.

MITB software resides exclusively within the web browser, making it difficult for
standard anti-malware software to detect it.

Replay
A replay attack is a variation of a MITM attack. Whereas a MITM attack alters and then
sends the transmission immediately, a replay attack makes a copy of the legitimate
transmission before sending it to the recipient. This copy is then used at a later time (the
attacker replays the transmission). A simple replay would involve the attacker capturing
logon credentials between the user's computer and the server. Once that session has
ended, the attacker would attempt to log on by replaying the captured user credentials.

Note

Although cryptography can be used to thwart a replay attack, there are instances in which
cryptographic communications can be manipulated by a replay attack. A threat actor could
capture an encrypted administrative message sent from an approved network device to
a server. Later, the attacker can send or resend that same message to the server, and the
server may respond, thinking it came from the valid device. The response may be such that
the threat actor can obtain valuable information about the type of server and the network
that can then be used in subsequent attacks.

There are methods to prevent replay attacks. Both sides can negotiate and create a
random key that is valid for a limited period or for a specific process, so that a message
captured in one session is useless in the next. Another option is to include a timestamp
in every message and reject any message that falls outside of a normal window of time;
a unique random value (a nonce) or sequence number in each message, remembered by
the receiver for the length of that window, lets the receiver also reject a copy that arrives
inside the window. In either case the timestamp or nonce must be covered by the message's
integrity check, or the attacker simply edits it before resending.
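The two defenses just described, combined in one receiver, as an added example that is not from the textbook. It assumes the parties already share a per-session key (a constructed constant here), that their clocks agree to within the 30-second window, and that the receiver can afford to remember nonces for that long. The scenario in demo() is the one from the Note above: an administrative message is captured and resent, once immediately and once ten minutes later.

```python
"""Reject replayed and stale messages with a timestamp, a nonce and a MAC.

Added example, not from the textbook. Assumes a shared per-session key
(constructed below), loosely synchronized clocks, and a receiver that can
cache nonces for the length of the acceptance window.
"""
import hashlib
import hmac
import os
import struct

SESSION_KEY = b"constructed-per-session-key-do-not-reuse"   # assumption
WINDOW_SECONDS = 30                 # allowed clock drift / delivery delay
TS_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32


def make_message(key, payload, now, nonce=None):
    """timestamp || nonce || payload || HMAC-SHA256 over those three fields."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    body = struct.pack(">Q", int(now)) + nonce + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Server side: verify the MAC, then freshness, then uniqueness."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}              # nonce -> timestamp, pruned as it ages out

    def accept(self, msg, now):
        if len(msg) < TS_LEN + NONCE_LEN + TAG_LEN:
            return False, "malformed"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad MAC"             # tampered, or wrong session key
        ts = struct.unpack(">Q", body[:TS_LEN])[0]
        nonce = body[TS_LEN:TS_LEN + NONCE_LEN]
        payload = body[TS_LEN + NONCE_LEN:]
        if abs(now - ts) > self.window:
            return False, "stale timestamp"     # replayed long after capture
        self._expire(now)
        if nonce in self.seen:
            return False, "replay"              # same message inside the window
        self.seen[nonce] = ts
        return True, payload

    def _expire(self, now):
        # Nonces older than the window are already rejected by the timestamp
        # check, so the cache only ever holds one window's worth of entries.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}


def demo():
    """Capture an admin message, deliver it, then resend it twice."""
    t0 = 1_700_000_000              # constructed 'now', seconds since the epoch
    server = Receiver(SESSION_KEY)
    msg = make_message(SESSION_KEY, b"admin: reboot device", t0)
    results = [
        server.accept(msg, t0 + 1),        # genuine delivery
        server.accept(msg, t0 + 5),        # attacker resends inside the window
        server.accept(msg, t0 + 600),      # attacker resends ten minutes later
    ]
    # Attacker edits the last payload byte without knowing the key.
    tampered = msg[:-TAG_LEN - 1] + bytes([msg[-TAG_LEN - 1] ^ 0x01]) + msg[-TAG_LEN:]
    results.append(Receiver(SESSION_KEY).accept(tampered, t0))
    return results


if __name__ == "__main__":
    for ok, info in demo():
        print("ACCEPT" if ok else "REJECT", info)
```

Order matters: the MAC is checked first so that an attacker cannot make the receiver cache nonces or consult its clock for messages he forged, and the timestamp is checked before the nonce cache so that the cache never has to grow beyond one window.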

Poisoning
Poisoning is the act of introducing a substance that harms or destroys a functional
living organism. Three types of attacks inject poison into a normal network process to
facilitate an attack. These are ARP poisoning, DNS poisoning, and privilege escalation.

ARP Poisoning
The TCP/IP protocol suite requires that logical Internet Protocol (IP) addresses be
assigned to each host on a network. However, an Ethernet LAN uses the physical media
access control (MAC) address to deliver frames. In order for a host using TCP/IP on an
Ethernet network to find the MAC address of another device based on its IP address, it
uses the Address Resolution Protocol (ARP). If the IP address for a device is known but
the MAC address is not, the sending computer broadcasts an ARP request to all computers
on the network that in effect says, "If this is your IP address, send me back your MAC
address." The computer with that IP address sends back a reply with its MAC address
so the frame can be correctly addressed. This IP address and the corresponding
MAC address are stored in an ARP cache for future reference. In addition, other
computers that hear an ARP reply may also cache that data.

The MAC address burned into a network interface card (NIC) at manufacture cannot
be altered on the hardware itself, but an operating system can be told to transmit with a
different MAC address, and the IP-to-MAC bindings that actually govern delivery live only
in each host's software ARP cache. A threat actor who sends forged ARP replies (in effect,
"192.146.118.4 is at my MAC address") can therefore overwrite an entry in a victim's
cache so that the IP address now resolves to the attacker's computer. This
attack is known as ARP poisoning and relies upon MAC spoofing (imitating another
computer by claiming its IP address with the attacker's MAC address). Table 5-1 illustrates the ARP cache
before and after a MITM attack using ARP poisoning.

Note

A variety of different attacks use spoofing. For example, because most network systems keep
logs of user activity, attackers may spoof their addresses so that their malicious actions will
be attributed to valid users, or spoof their network addresses with addresses of known and
trusted hosts so that the target computers will accept their packets and act on them.

Table 5-1 ARP poisoning attack

Device     IP address / MAC address   ARP cache before attack              ARP cache after attack
Attacker   192.146.118.2              192.146.118.3 => 00-AA-BB-CC-DD-03    192.146.118.3 => 00-AA-BB-CC-DD-03
           00-AA-BB-CC-DD-02          192.146.118.4 => 00-AA-BB-CC-DD-04    192.146.118.4 => 00-AA-BB-CC-DD-04
Victim 1   192.146.118.3              192.146.118.2 => 00-AA-BB-CC-DD-02    192.146.118.2 => 00-AA-BB-CC-DD-02
           00-AA-BB-CC-DD-03          192.146.118.4 => 00-AA-BB-CC-DD-04    192.146.118.4 => 00-AA-BB-CC-DD-02 (poisoned)
Victim 2   192.146.118.4              192.146.118.2 => 00-AA-BB-CC-DD-02    192.146.118.2 => 00-AA-BB-CC-DD-02
           00-AA-BB-CC-DD-04          192.146.118.3 => 00-AA-BB-CC-DD-03    192.146.118.3 => 00-AA-BB-CC-DD-02 (poisoned)

After the attack, every frame Victim 1 addresses to Victim 2 (and vice versa) carries the
attacker's MAC address, so the switch delivers it to the attacker, who reads or alters it and
forwards it on. The attacker's own cache is untouched, which is what lets the forwarding work.

Some types of attacks that can be generated using ARP poisoning are listed in Table 5-2.

Note

ARP poisoning is successful because there are no authentication procedures to verify ARP
requests and replies.
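Because ARP has no authentication, the practical defense is to watch for the symptoms Table 5-1 shows: an IP address whose MAC binding suddenly changes, and one MAC address answering for several IP addresses. The following monitor is an added example written for this page, not code from the textbook or from any particular tool; its logic is the kind that arpwatch-style utilities and switch features such as dynamic ARP inspection apply. The input is a constructed list of (seconds, sender IP, sender MAC) tuples using the Table 5-1 addresses; a real deployment would feed it from a packet capture or the host's ARP cache. The optional static_entries argument models the other common defense, pinning the binding for critical hosts such as the default gateway.

```python
"""Spot ARP poisoning from a stream of ARP replies (arpwatch-style logic).

Added example, not from the textbook. Input is constructed; a real
deployment would read ARP replies from a capture or the local ARP cache.
"""

# Constructed replies seen on the LAN segment. The last two are the attacker
# (DD-02) answering for the two victims' IP addresses, as in Table 5-1.
SAMPLE_ARP_REPLIES = [
    (0,  "192.146.118.2", "00-AA-BB-CC-DD-02"),
    (1,  "192.146.118.3", "00-AA-BB-CC-DD-03"),
    (2,  "192.146.118.4", "00-AA-BB-CC-DD-04"),
    (30, "192.146.118.3", "00-AA-BB-CC-DD-02"),
    (30, "192.146.118.4", "00-AA-BB-CC-DD-02"),
]


def norm_mac(mac):
    """Accept 00:aa:bb:... or 00-AA-BB-...; compare in one canonical form."""
    return mac.upper().replace(":", "-")


class ArpWatch:
    """Track IP->MAC bindings and alert on the two classic poisoning symptoms."""

    def __init__(self, static_entries=None):
        # Pinned bindings (e.g. the gateway) that must never be relearned.
        self.static = {ip: norm_mac(m) for ip, m in (static_entries or {}).items()}
        self.table = {}      # ip -> mac as currently learned
        self.alerts = []     # (seconds, kind, subject, old, new)

    def observe(self, seconds, ip, mac):
        mac = norm_mac(mac)
        if ip in self.static and self.static[ip] != mac:
            self.alerts.append((seconds, "static-mismatch", ip, self.static[ip], mac))
            return                   # never learn a binding that contradicts a pin
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append((seconds, "ip-flip", ip, old, mac))
        self.table[ip] = mac
        # One MAC answering for several IPs is the MITM signature: to sit
        # between two victims the attacker must claim both of their addresses.
        claimed = tuple(sorted(i for i, m in self.table.items() if m == mac))
        if len(claimed) > 1:
            self.alerts.append((seconds, "mac-claims-multiple", mac, None, claimed))

    def suspects(self):
        """MAC addresses currently bound to more than one IP address."""
        counts = {}
        for m in self.table.values():
            counts[m] = counts.get(m, 0) + 1
        return sorted(m for m, c in counts.items() if c > 1)


def analyse(replies, static_entries=None):
    """Feed every reply through one watcher and return it for inspection."""
    watcher = ArpWatch(static_entries)
    for seconds, ip, mac in replies:
        watcher.observe(seconds, ip, mac)
    return watcher


if __name__ == "__main__":
    w = analyse(SAMPLE_ARP_REPLIES)
    for alert in w.alerts:
        print(*alert)
    print("suspect MACs:", w.suspects())
```

On the sample, the first three replies learn the clean table and raise nothing; the two forged replies at t=30 each produce an ip-flip alert and, once the attacker's MAC is bound to a second and then a third address, a mac-claims-multiple alert. With the victim's binding pinned via static_entries, the forged reply is refused outright and logged as a static mismatch, which is what a static ARP entry or dynamic ARP inspection on the switch buys you.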


DNS Poisoning
The predecessor to todays Internet was the network ARPAnet. This network was
completed in 1969 and linked together single computers located at each of four different
sites (the University of California at Los Angeles, the Stanford Research Institute, the
University of California at Santa Barbara, and the University of Utah) with a 50 Kbps
connection. Referencing these computers was originally accomplished by assigning an
identification number to each computer (IP addresses were not introduced until later).
However, as additional computers were added to the network it became more difficult
for humans to accurately recall the identification number of each computer.

Note

On Labor Day in 1969, the first test of the ARPAnet was conducted. A switch was turned on,
and to almost everyone's surprise, the network worked. Researchers in Los Angeles then
attempted to type the word login on the computer in Stanford. A user pressed the letter L and
it appeared on the screen in Stanford. Next, the letter O was pressed, and it too appeared.
When the letter G was typed, however, the network crashed.

Attack                    Description
Steal data                An attacker can substitute her own MAC address and steal data intended for another device.
Prevent Internet access   An attacker can substitute an invalid MAC address for the network gateway so that no users can access external networks.
Man-in-the-middle         A man-in-the-middle device can be set to receive all communications by substituting that MAC address.
Denial of Service attack  The valid IP address of the target can be substituted with an invalid MAC address, causing all traffic destined for the target to fail.

Table 5-2 Attacks from ARP poisoning

What was needed was a name system that would allow computers on a network
to be assigned both numeric addresses and more friendly human-readable names
composed of letters, numbers, and special symbols (called a symbolic name). In the
early 1970s, each computer site began to assign simple names to network devices
and also manage its own host table that mapped names to computer numbers.
However, because each site attempted to maintain its own local host table, there were
inconsistencies between the sites. A standard master host table was then created
that could be downloaded to each site. When TCP/IP was developed, the host table
concept was expanded to a hierarchical name system for matching computer names


and numbers known as the Domain Name System (DNS), which is the basis for domain
name resolution of names-to-IP addresses used today.

Because of the important role it plays, DNS can be the focus of attacks. Like ARP
poisoning, DNS poisoning substitutes a DNS address so that the computer is automatically
redirected to another device. Whereas ARP poisoning substitutes a fraudulent MAC address
for an IP address, DNS poisoning substitutes a fraudulent IP address for a symbolic name.

DNS poisoning can be done in two different locations: the local host table, or the
external DNS server. TCP/IP still uses host tables stored on the local computer. When
a user enters a symbolic name, TCP/IP first checks the local host table to determine if
there is an entry; if no entry exists, then the external DNS system is used. Attackers can
target a local HOSTS file to create new entries that will redirect users to a fraudulent
site. A sample local HOSTS file is shown in Figure 5-3.

Figure 5-3 Sample HOSTS file

127.0.0.1 localhost
161.6.18.20 www.wku.edu # Western Kentucky University
74.125.47.99 www.google.com # My favorite search engine
216.77.188.41 www.att.net # Internet service provider

A second location that can be attacked is the external DNS server. Instead of
attempting to break into a DNS server to change its contents, attackers use a more basic
approach. Because DNS servers exchange information among themselves (known as
zone transfers), attackers attempt to exploit a protocol flaw and convince the authentic
DNS server to accept fraudulent DNS entries sent from the attacker's DNS server. If the
DNS server does not correctly validate DNS responses to ensure that they have come
from an authoritative source, it will store the fraudulent entries locally, serve them to
users, and spread them to other DNS servers.
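The validation the paragraph calls for is often called a bailiwick check: a resolver caches only records that lie inside the zone the answering server is authoritative for, which is exactly what stops ns.evil.net from planting www.good.net (the Figure 5-4 scenario). The script below is an added example, not the textbook's; the (name, type, value) tuple format and the constructed ns.evil.net reply are assumptions.

```python
"""Bailiwick check: a resolver keeps only the records that the answering server
is authoritative for, which blocks the Figure 5-4 poisoning where ns.evil.net
returns records for www.good.net. Added example, not from the textbook; the
record tuples and the ns.evil.net response below are constructed."""


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def in_bailiwick(record_name, zone):
    """True if record_name is the zone itself or lies beneath it. The comparison
    is label-wise, so 'notevil.net' is not inside 'evil.net'."""
    r, z = _labels(record_name), _labels(zone)
    return len(r) >= len(z) and r[-len(z):] == z


def filter_response(records, authoritative_zone):
    """Split (name, type, value) records into those a careful resolver may cache
    and those it must drop because they lie outside the server's zone."""
    accepted, rejected = [], []
    for rec in records:
        (accepted if in_bailiwick(rec[0], authoritative_zone) else rejected).append(rec)
    return accepted, rejected


# Constructed reply from ns.evil.net, which is authoritative for evil.net only:
# the genuine answer for www.evil.net plus the step-3 records it tries to
# smuggle into the valid server's cache.
EVIL_RESPONSE = [
    ("www.evil.net", "A", "192.168.1.1"),
    ("www.good.net", "A", "192.168.1.1"),
    ("www.better.net", "A", "192.168.1.1"),
    ("www.best.net", "A", "192.168.1.1"),
]

if __name__ == "__main__":
    ok, dropped = filter_response(EVIL_RESPONSE, "evil.net")
    print("cached:", ok)
    print("dropped:", dropped)
```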

Note

Host tables are found in the /etc/ directory in UNIX, Linux, and macOS, and are located in the
Windows\System32\drivers\etc directory in Windows.

Note

The Chinese government uses DNS poisoning to prevent Internet content that it considers
unfavorable from reaching its citizenry.


Figure 5-4 DNS server poisoning (diagram: the attacker's computer asks the valid DNS server "1. What is the address of www.evil.net?"; the valid DNS server asks the attacker's DNS server ns.evil.net "2. Please send IP address of www.evil.net"; ns.evil.net answers "3. Here are all evil addresses"; a good user then asks the valid DNS server "4. What is the address of www.good.net?" and the valid server now holds www.good.net, www.better.net and www.best.net all pointing to 192.168.1.1, an attacker's address)

The process of a DNS poisoning attack from an attacker who has a domain name
of www.evil.net with her own DNS server ns.evil.net is shown in Figure 5-4:

1. The attacker sends a request to a valid DNS server asking it to resolve the name
www.evil.net.

2. Because the valid DNS server does not know the address, it asks the responsible
name server, which is the attacker's ns.evil.net, for the address.

3. The name server ns.evil.net sends the address of not only www.evil.net but also all
of its records (a zone transfer) to the valid DNS server, which then accepts them.

4. Any requests to the valid DNS server will now respond with the fraudulent
addresses entered by the attacker.

Privilege Escalation
Access rights are privileges to access hardware and software resources that are granted
to users or devices. For example, Ian may be given access rights to only read a file,
while Jaxon has access rights to add content to the file. Operating systems and many
applications have the ability to restrict a user's privileges in accessing its specific
functions. Privilege escalation is exploiting a vulnerability in software to gain access
to resources that the user normally would be restricted from accessing.

There are different types of privilege escalation. One type is when a user with a
lower privilege uses privilege escalation to grant herself access to functions reserved


for higher-privilege users (sometimes called vertical privilege escalation). Another type
of privilege escalation is when a user with restricted privileges accesses the different
restricted functions of a similar user; that is, Mia does not have privileges to access
a payroll program but uses privilege escalation to access Li's account that does have
these privileges (horizontal privilege escalation).

Sometimes privilege escalation is the result of an unintentional relationship between
multiple systems. System 1 can access System 2, and because System 2 can access System
3, then System 1 can access System 3. However, the intention may not be for System 1 to
access System 3, but instead for System 1 to be restricted to accessing only System 2. This
sometimes inadvertent and unauthorized access can result in a privilege escalation, in which
threat actors take advantage of access that occurs through succeeding systems. By exploiting
the sometimes confusing nature of this access, attackers can often reach restricted resources.
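The chained access the paragraph describes can be found mechanically: compute which systems each system can reach through others and compare that with what the policy intended. The script below is an added example, not the textbook's; the access links, the intended policy and the "Payroll DB" system are constructed.

```python
"""Find access that a chain of systems grants although policy never intended it,
the System 1 -> System 2 -> System 3 situation in the text. Added example, not
from the textbook; the access links and the intended policy are constructed."""


def reachable(direct, start):
    """Every system reachable from start by following direct access links."""
    seen, stack = set(), [start]
    while stack:
        current = stack.pop()
        for nxt in direct.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def unintended_access(direct, intended):
    """Map each system to the systems it can reach transitively that are not
    in its intended access list. An empty result means no escalation path."""
    findings = {}
    for system in direct:
        extra = reachable(direct, system) - set(intended.get(system, ())) - {system}
        if extra:
            findings[system] = sorted(extra)
    return findings


# Constructed direct access links: who can reach whom in one hop.
DIRECT = {
    "System 1": {"System 2"},
    "System 2": {"System 3"},
    "System 3": {"Payroll DB"},
    "Payroll DB": set(),
}
# Constructed policy: what each system is meant to reach.
INTENDED = {
    "System 1": {"System 2"},
    "System 2": {"System 3"},
    "System 3": {"Payroll DB"},
}

if __name__ == "__main__":
    for system, targets in unintended_access(DIRECT, INTENDED).items():
        print(f"{system} can reach {targets} although policy does not intend it")
```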

Certification: 1.2 Compare and contrast types of attacks.

Server Attacks

Note

Suppose Gabe is having a conversation with Cora in a coffee shop when a flash mob of
friends suddenly descends upon them and all start talking to Gabe at the same time. He would
be unable to continue his conversation with Cora because he is overwhelmed by the number
of voices with which he would have to contend. This is like what happens in a DDoS attack.

Whereas some attacks are directed at the network itself, other attacks are directed
specifically at network servers. As its name implies, a server serves or provides resources
and services to clients on a network. A compromised server can provide threat actors with
its privileged contents or provide an opening for attacking any of the devices that access
that server. Typical server attacks include denial of service, web server application attacks,
hijacking, overflow attacks, advertising attacks, and exploiting browser vulnerabilities.

Denial of Service (DoS)
A denial of service (DoS) attack is a deliberate attempt to prevent authorized users
from accessing a system. It does this by overwhelming that system with such a
very high number of bogus requests that the system cannot respond to legitimate
requests. Most DoS attacks today are distributed denial of service (DDoS) attacks:
instead of only one computer making a bogus request, a DDoS involves hundreds or
even tens of thousands of devices flooding the server with requests.


There are different types of DoS attacks:

Smurf attack. In a smurf attack, an attacker broadcasts a network request to
multiple computers but changes the address from which the request came (called
IP spoofing because it imitates another computer's IP address) to the victim's
computer. This makes it appear as if the victim is asking for a response. Each of the
computers then sends a response to the victim's computer so that it is quickly
overwhelmed.

DNS amplification attack. Like a smurf attack, a DNS amplification attack
floods an unsuspecting victim by redirecting valid responses to it. A DNS
amplification attack uses publicly accessible and open DNS servers to flood a
system with DNS response traffic. A threat agent sends a DNS name lookup
request to an open DNS server with the source address spoofed to the victim's
address. When the DNS server sends the DNS record response, it is instead
sent to the target. As an added step attackers often craft the DNS name lookup
request so that it returns all known information about a DNS zone in a single
request. This dramatically increases the volume of data sent, which can more
quickly overwhelm the victim.

SYN flood attack. A SYN flood attack takes advantage of the procedures for
initiating a session. Under normal network conditions using TCP/IP, a device
contacts a network server with a request that uses a control message, called a
synchronize message (SYN), to initialize the connection. The server responds
with its own SYN along with an acknowledgment (ACK) that it received the
initial request, called a SYN+ACK. The server then waits for a reply ACK from
the device indicating that it received the server's SYN. To allow for a slow
connection, the server might wait for a period of time for the reply. In a SYN
flood attack the attacker sends SYN segments in IP packets to the server but
modifies the source address of each packet to computer addresses that do not
exist or cannot be reached. The server continues to hold the line open and
wait for a response (which is never coming) while receiving more false requests
and keeping more lines open for responses. After a period of time, the server
runs out of resources and can no longer respond to legitimate requests or
function properly. Figure 5-5 shows a server waiting for responses during a SYN
flood attack.
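The condition Figure 5-5 depicts, many half-open connections whose final ACK never arrives, can be counted from packet records on the server side. The script below is an added example, not material from the textbook; its one-line-per-packet log format, the timeout and threshold values, and all addresses are constructed.

```python
"""Count half-open TCP connections (client SYN received, final ACK never seen)
in a packet log, the state Figure 5-5 shows the server stuck in. Added example,
not from the textbook; the log format and all addresses are constructed."""
import re

# Constructed log of packets reaching the server, one per line:
# "<seconds> <client ip> <tcp flags>" with S = SYN and A = ACK.
# Two clients complete the handshake; five sources send a SYN and vanish.
PACKET_LOG = """
0.01 192.0.2.10 S
0.02 192.0.2.10 A
0.10 203.0.113.1 S
0.11 203.0.113.2 S
0.12 203.0.113.3 S
0.13 203.0.113.4 S
0.14 203.0.113.5 S
0.50 192.0.2.11 S
0.52 192.0.2.11 A
"""

LINE = re.compile(r"^(\d+(?:\.\d+)?)\s+([\d.]+)\s+([A-Z]+)$")


def track_handshakes(log_text, timeout=0.3, now=1.0):
    """Replay the log. Returns (half_open, completed): half_open maps a source to
    the time of its SYN when no ACK followed and more than `timeout` seconds
    have passed by `now`; completed holds sources that finished the handshake."""
    pending, completed = {}, set()
    for raw in log_text.strip().splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue
        t, src, flags = float(match.group(1)), match.group(2), match.group(3)
        if "S" in flags and "A" not in flags:      # client SYN opens a slot
            pending[src] = t
        elif "A" in flags and src in pending:      # final ACK closes it
            del pending[src]
            completed.add(src)
    half_open = {src: t for src, t in pending.items() if now - t > timeout}
    return half_open, completed


def syn_flood_suspected(half_open, completed, threshold=4):
    """Heuristic: at least `threshold` stale half-open slots, and more of them
    than completed handshakes in the same window."""
    return len(half_open) >= threshold and len(half_open) > len(completed)


if __name__ == "__main__":
    half_open, completed = track_handshakes(PACKET_LOG)
    print(f"{len(half_open)} half-open, {len(completed)} completed,"
          f" flood suspected: {syn_flood_suspected(half_open, completed)}")
```

Because the source addresses in a SYN flood are spoofed, as the text explains, the per-source detail is of little use on its own; the number of stale half-open slots is the figure worth alerting on.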

Note

One report found that almost three out of every four DoS attack victims also saw at least one
security incident at the same time as the DoS attack. This may indicate that DoS attacks often
serve as decoys to divert attention away from other attacks.3


Web Server Application Attacks
On the Internet, a web server provides services that are
implemented as web applications through software applications running on the server.
Most web applications create dynamic content based on input from the user. For
example, a webpage might ask a user to enter a zip code of his vacation destination to
receive the latest weather forecast for that region. These dynamic operations of a web
application depend heavily upon inputs provided by users.

A typical dynamic web application infrastructure is shown in Figure 5-6. The
client's web browser makes a request using the Hypertext Transport Protocol (HTTP) to
a web server, which may be connected to one or more web application servers. These
application servers run the specific web apps, which in turn are directly connected to
database servers on the internal network. Information from these database servers is
retrieved and returned to the web server so that the dynamic information can be sent
back to the user's web browser.

Figure 5-5 SYN flood attack (diagram: the attacker's computer sends SYN segments in IP packets to the server with modified source addresses of Computers A through E, none of which exist; the server answers each with SYN+ACK and is left waiting for a reply from A, B, C, D and E)

Securing web applications is more difficult than protecting other systems. First,
by design the dynamic web applications accept user input, such as the zip code
of the region for which a weather forecast is needed. Most other systems would
categorically reject any user input as being potentially dangerous, not knowing if the
user is a friend or foe. By accepting user input, the web application is exposing itself
to threat actors. Second, many web application attacks attempt to exploit previously
unknown vulnerabilities. Known as zero day attacks, these attacks give victims no
time (zero days) to defend against the attacks. Finally, although traditional network
security devices can block traditional network attacks, they cannot always block web
application attacks. This is because many traditional network security devices ignore
the content of HTTP traffic, which is the vehicle of web application attacks.

Several different web server application attacks target the input from users. These
can be grouped into two categories: cross-site attacks and injection attacks.

Cross-Site Attacks
There are two types of cross-site attacks. These are cross-site scripting attacks and
cross-site request forgery attacks.

Cross-Site Scripting (XSS)
Many web applications are designed to customize content for the user by taking what
the user enters and then displaying that input back to the user. Typical customized
responses are listed in Table 5-3.

Figure 5-6 Web server application infrastructure (diagram: a client sends HTTP traffic to the web server, which is connected to several app servers, each of which is connected to a database server)

User input       | Variable that contains input | Web application response                    | Coding example
Search term      | search_term                  | Search term provided in output              | Search results for search_term
Incorrect input  | user_input                   | Error message that contains incorrect input | user_input is not valid
User's name      | name                         | Personalized response                       | Welcome back name

Table 5-3 Customized responses


Figure 5-7 illustrates a fictitious web application that allows friends to share their
favorite bookmarks with each other online. Users can enter their name, a description,
and the URL of the bookmark, and then receive a personalized Thank You screen. In
Figure 5-8 the code that generates the Thank You screen is illustrated.

Figure 5-7 Bookmark page that accepts user input

In a cross-site scripting (XSS) attack, the threat actor takes advantage of web
applications that accept user input without validating it before presenting it back
to the user. In the previous example, the input that the user enters for Name is not
verified but instead is automatically added to a code segment that becomes part of an
automated response. An attacker can take advantage of this in an XSS attack by tricking
a valid website into feeding a malicious script to another user's web browser, which
will then execute it.

Note

The term cross-site scripting refers to an attack using scripting that originates on one site (the
web server) to impact another site (the user's computer).


For example, an XSS attack might target a blogger's website that asks for user
comments. A threat actor posts a comment to the site. However, within the comment
the attacker crafts a script that performs a malicious action or even redirects the user
to the attacker's website. When an unsuspecting victim visits the blogger's site and
clicks on the threat actor's comment, the malicious script is downloaded to the victim's
web browser where it is executed. Besides redirecting the victim to a malicious site,
other XSS attacks are designed to steal sensitive information that was retained by the
browser when visiting specific sites, such as data from an online site where a purchase
was made. The XSS attack can steal this information and allow it to be used by an
attacker to impersonate the legitimate user.

Figure 5-8 Input used in response

Note

Some security experts note that XSS is like a phishing attack but without needing to trick the
user into visiting a malicious website. Instead, the user starts at a legitimate website and XSS
automatically directs her to the malicious site.

An XSS attack requires a website that meets two criteria: it accepts user input
without validating it, and it uses that input in a response. Despite the fact that XSS is a
widely known type of attack, the number of websites that are vulnerable remains very


large. Users can turn off active scripting in their browsers to reduce the risk of XSS, but
this limits their ability to use dynamic websites.
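The second criterion, using unvalidated input in a response, is what the "Welcome back name" row of Table 5-3 describes, and the fix on the server side is to encode the input for the HTML context before echoing it. The block below is an added example rather than the textbook's Figure 5-8 code; the markup, the helper names and the sample input are constructed.

```python
"""The 'Welcome back name' response of Table 5-3 built two ways: with the raw
name pasted into the HTML, which is what an XSS attack relies on, and with the
name HTML-escaped first. Added example, not the textbook's Figure 5-8 code;
the markup and the sample input are constructed."""
import html


def welcome_vulnerable(name):
    """Input is placed into the page unchanged, so any markup in it is live."""
    return "<p>Welcome back " + name + "</p>"


def welcome_escaped(name):
    """html.escape converts <, >, &, ' and " to entities; the browser renders
    them as visible text instead of interpreting them as tags or attributes."""
    return "<p>Welcome back " + html.escape(name, quote=True) + "</p>"


def search_results_escaped(search_term):
    """Same treatment for the 'Search results for search_term' row of Table 5-3,
    including the attribute context where the term is echoed into a value."""
    safe = html.escape(search_term, quote=True)
    return (f'<input type="text" name="q" value="{safe}">'
            f"<p>Search results for {safe}</p>")


def has_live_script(fragment):
    """Check used by the tests: does the rendered fragment still hold a real
    script tag, or only the harmless entity-encoded text?"""
    return "<script" in fragment.lower()


# Constructed input: a name followed by a script tag, the shape of the comment
# the text describes a threat actor posting on a blog.
SAMPLE_INPUT = "Mia <script>alert(1)</script>"

if __name__ == "__main__":
    print(welcome_vulnerable(SAMPLE_INPUT))
    print(welcome_escaped(SAMPLE_INPUT))
```

Escaping is specific to where the value lands: html.escape is right for HTML text and quoted attribute values, while a value inserted into a script block or a URL needs the encoding of that context instead.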

Note

The malicious content of an XSS URL is not confined to material posted on a website; it can be
embedded into virtually any hyperlink, such as one in an email or text message. That is why
users should not blindly click on a URL that they receive.

Cross-Site Request Forgery (XSRF)
A similar attack is a cross-site request forgery (XSRF). This attack uses the user's web
browser settings to impersonate that user. If a user is currently authenticated on a
website and is then tricked into loading another webpage, the new page inherits the
identity and privileges of the victim to perform an undesired function on the attacker's
behalf. Figure 5-9 illustrates a cross-site request forgery.

Figure 5-9 Cross-site request forgery (diagram of the steps):
1. Attacker forges a fund transfer request from Bank A and embeds it into an email hyperlink.
2. Attacker sends email to victim who is logged in to Bank A's website.
3. Victim unknowingly clicks on email hyperlink.
4. Request is sent to Bank A with victim's verified credentials.
5. Bank A validates request with victim's credentials and sends funds to attacker.

Injection Attacks
In addition to cross-site attacks on web server applications there are also injection
attacks that introduce new input to exploit a vulnerability. One of the most common
injection attacks, called SQL injection, inserts statements to manipulate a database
server. SQL stands for Structured Query Language, a language used to view and
manipulate data that is stored in a relational database. SQL injection targets SQL
servers by introducing malicious commands into them.


Most webpages that require users to log on by entering a user name and password
typically offer a solution for the user who has forgotten his password by providing
an online form, as shown in Figure 5-10. The user enters a valid email address that is
already on file. The submitted email address is compared to the stored email address,
and if they match, a reset URL is emailed to that address.

Figure 5-10 Request form for forgotten password (form titled "Forgot your password?" with the fields "Enter your username:" and "Enter your email address on file:" and a Submit button)

If the email address entered by the user into the form is stored in the variable
$EMAIL, then the underlying SQL statement to retrieve the stored email address from
the database would be similar to:

SELECT fieldlist FROM table WHERE field = '$EMAIL'

The WHERE clause is meant to limit the database query to only display
information when the condition is considered true (that is, when the email address in
$EMAIL matches an address in the database).

An attacker using a SQL injection attack would begin by first entering a fictitious email
address on this webpage that included a single quotation mark as part of the data, such
as [emailprotected]'. If the message "E-mail Address Unknown" is displayed, it
indicates that user input is being properly filtered and a SQL attack cannot be rendered on
the site. However, if the error message "Server Failure" is displayed, it means that the user
input is not being filtered and all user input is sent directly to the database. This is because
the Server Failure message is due to a syntax error created by the additional single quotation
mark: the fictitious email address entered would be processed as '[emailprotected]''
(with two single quotation marks) and generate the Server Failure error message.

Armed with the knowledge that input is sent unfiltered to the database, the
attacker knows that anything he enters into the "Enter your username:" field on the
"Forgot your password?" form would be sent to and then processed by the SQL database.
Now, instead of entering a user name, the attacker would enter this command, which
would let him view all the email addresses in the database: whatever' or 'a'='a. This
command is stored in the variable $EMAIL. The expanded SQL statement would read:

SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'


These values are:

whatever. This can be anything meaningless.

or. The SQL or means that as long as either of the conditions is true, the entire
statement is true and will be executed.

'a'='a'. This is a statement that will always be true.

Because 'a'='a' is always true, the WHERE clause is also true. It is not limited as it
was when searching for a single email address before it would become true. The result
can be that all user email addresses will then be displayed.

SQL injection statement                                                                          | Result
whatever' AND email IS NULL;                                                                     | Determine the names of different fields in the database
whatever' AND 1=(SELECT COUNT(*) FROM tabname);                                                  | Discover the name of the table
whatever' OR full name LIKE 'Mia'                                                                | Find specific users
whatever'; DROP TABLE members;                                                                   | Erase the database table
whatever'; UPDATE members SET email = '[emailprotected]' WHERE email = '[emailprotected]';       | Mail password to attacker's email account

Table 5-4 SQL injection statements

Note

Whereas this example shows how an attacker could retrieve all email addresses, a more
catastrophic attack would be if user passwords were not stored as encrypted and the attacker
were able to use SQL injection to extract all these values. This type of attack has been used to
steal millions of user passwords. Plaintext passwords should never be stored in a database.

By entering crafted SQL statements as user input, information from the database
can be extracted or the existing data can be manipulated. SQL injection statements that
can be entered and stored in $EMAIL and their pending results are shown in Table 5-4.
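The forgotten-password lookup walked through above, run against a small database two ways: with $EMAIL spliced into the statement text, and as a parameterized query that keeps the value out of the SQL syntax. Both the single-quotation-mark probe and the whatever' or 'a'='a input are applied to each. This is an added example, not the textbook's code; SQLite stands in for the site's database, and the members table and its rows are constructed.

```python
"""The forgotten-password lookup of the text built two ways: by pasting $EMAIL
into the SQL text (the form SQL injection exploits) and as a parameterized
query. Added example, not the textbook's code; the members table and its
rows are constructed, and SQLite stands in for the site's database."""
import sqlite3


def make_db():
    """In-memory stand-in for the site's database with two constructed users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (username TEXT, email TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?)",
                    [("mia", "mia@example.com"), ("li", "li@example.com")])
    return con


def lookup_vulnerable(con, email):
    """Equivalent of SELECT fieldlist FROM table WHERE field = '$EMAIL' with
    $EMAIL spliced into the statement text, so quotation marks in it become
    SQL syntax."""
    sql = "SELECT email FROM members WHERE email = '" + email + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, email):
    """The driver binds the value separately from the SQL text, so a quotation
    mark inside it is data, never syntax."""
    rows = con.execute("SELECT email FROM members WHERE email = ?", (email,))
    return [row[0] for row in rows]


def probe_result(lookup, con, value):
    """Classify the outcome the way the text does: 'server failure' when a
    syntax error reaches the user, 'unknown' when nothing matches, else 'found'."""
    try:
        rows = lookup(con, value)
    except sqlite3.OperationalError:
        return "server failure"
    return "found" if rows else "unknown"


if __name__ == "__main__":
    db = make_db()
    probe = "nobody@example.com'"          # the single-quotation-mark test
    payload = "whatever' or 'a'='a"        # the always-true WHERE clause
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(name, probe_result(fn, db, probe), probe_result(fn, db, payload))
```

The parameterized version answers "unknown" to both inputs, which is the "E-mail Address Unknown" behaviour the text describes for a properly filtered form; the string-built version leaks the syntax error and then returns every address.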

Hijacking
The word hijacking means to illegally seize, commandeer, or take control over
something to use it for a different purpose. Several server attacks are the result of
threat actors commandeering a technology and then using it for an attack. Common


hijacking attacks include session hijacking, URL hijacking, domain hijacking, and
clickjacking.

Session Hijacking
It is important that a user who is accessing a secure web application, such as an online
retailer order form, can be verified so as to prevent an imposter from jumping in
to the interaction and ordering items that are charged to the victim but are sent to
another address. This verification is accomplished through a session token, which is a
random string assigned to that interaction between the user and the web application
currently being accessed (a session). When the user logs on to the online retailer's
web server with her account user name and password, the web application server
assigns a unique session token, such as 64da9DACOqgoipxqQDdywg. Each subsequent
request from the user's web browser to the web application contains the session token
verifying the identity of the user until she logs out.

Note

A session token is usually a string of letters and numbers of variable length. It can be
transmitted in different ways: in the URL, in the header of the HTTP request, or in the body
of the HTTP request.

Session hijacking is an attack in which an attacker attempts to impersonate the
user by using her session token. An attacker can attempt to obtain the session token
in several different ways. One of the most common methods is to use XSS or other
attacks to steal the session token cookie from the victim's computer and then use it to
impersonate the victim. Other means include eavesdropping on the transmission or
even guessing the session token. Guessing is successful if the generation of the session
tokens is not truly random. In such a case, an attacker can accumulate multiple session
tokens and then make a guess at the next session token number.

Note

In a highly publicized attack on Yahoo.com, threat actors penetrated Yahoo's network and
stole a portion of its User Database (UDB) that contained Yahoo subscriber information. This
included users' names, recovery email accounts, and information needed to manually create
session tokens for over 500 million Yahoo user accounts. They also accessed Yahoo's Account
Management Tool (AMT). Using these tools, the threat actors manufactured session cookies
and accessed at least 6500 user accounts.4


URL Hijacking
What happens when a user makes a typing error when entering a uniform resource
locator (URL) address in a web browser, such as typing goggle.com (a misspelling) or
google.net (incorrect domain) instead of the correct google.com? In the past, an error
message like HTTP Error 404 Not Found would appear. However, today most often
the user will be directed to a fake look-alike site filled with ads for which the attacker
receives money for traffic generated to the site. These fake sites exist because attackers
purchase the domain names of sites that are spelled similarly to actual sites. This is
called URL hijacking or typo squatting. A well-known site like google.com may have
to deal with more than 1000 typo squatting domains.

Note

The cost of typo squatting is significant because of the large number of misspellings. In
one month the typo squatting site goggle.com received almost 825,000 unique visitors. It is
estimated that typo squatting costs the 250 top websites $285 million annually in lost sales
and other expenses.5

Enterprises have tried to preempt typo squatting by registering the domain names
of close spellings of their website. At one time top-level domains (TLDs) were limited to
.com, .org, .net, .int, .edu, .gov and .mil, so it was fairly easy to register close-sounding
domain names. However, today there are over 1200 generic TLDs (gTLDs), such as
.museum, .office, .global, and .school. Organizations must now attempt to register a
very large number of sites that are a variation of their registered domain name.

Note

Some of the most popular new gTLDs are .xyz, .top, .loan, and .win.6

In addition to registering names that are similar to the actual names (like goggle.com
for google.com), threat actors are now registering domain names that are one bit
different (called bitsquatting). This is because the billions of devices that are part of the
Internet have multiple instances of a domain name in a DNS server's memory at any
time, so the likelihood increases of a RAM memory error of a bit being flipped. Figure
5-11 illustrates that the change of one bit in the letter g (01100111) results in the change
of the entire character from g to f. In this example, a threat agent would register the
domain foo.gl as a variation of the actual goo.gl.
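An enterprise that wants to register or monitor the bitsquat variants of its own domain needs the full list of names one bit away from it, of which the goo.gl to foo.gl change in Figure 5-11 is one. The script below, an added example that is not from the textbook, enumerates them; the only assumptions are the hostname character rules stated in its comments.

```python
"""Enumerate the domain names one bit away from a given name, the goo.gl to
foo.gl change of Figure 5-11, so an enterprise can check which variants of its
own domain someone else has registered. Added example, not from the textbook;
only the hostname character rules below are assumed."""
import string

# Characters allowed in a hostname label (letters, digits, hyphen).
HOSTNAME_CHARS = set(string.ascii_lowercase + string.digits + "-")


def one_bit_neighbours(ch):
    """The eight characters whose ASCII code differs from ch in exactly one bit."""
    return [chr(ord(ch) ^ (1 << bit)) for bit in range(8)]


def bitsquat_variants(domain):
    """Names that differ from domain by one bit in one character and are still
    valid hostnames. The last label (the TLD) is left alone, since a flipped TLD
    is not a name anyone can register. DNS is case-insensitive, so a flip that
    only changes case (g to G) is not a distinct name and is dropped because
    upper-case letters are not in HOSTNAME_CHARS."""
    labels = domain.lower().split(".")
    variants = set()
    for li, label in enumerate(labels[:-1]):
        for ci, ch in enumerate(label):
            for alt in one_bit_neighbours(ch):
                if alt not in HOSTNAME_CHARS:
                    continue
                new_label = label[:ci] + alt + label[ci + 1:]
                if new_label[0] == "-" or new_label[-1] == "-":
                    continue          # labels may not start or end with a hyphen
                variants.add(".".join(labels[:li] + [new_label] + labels[li + 1:]))
    return sorted(variants)


if __name__ == "__main__":
    for variant in bitsquat_variants("goo.gl"):
        print(variant)
```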


Domain Hijacking
Domain hijacking occurs when a domain pointer that links a domain name to
a specific web server is changed by a threat actor. When a domain name is first
registered, the owner is given access to a domain control panel. From this panel
the owner can point the domain name to the physical web server that contains the
website's data, such as the webpages, photos, scripts, etc. When a domain name is
hijacked, a threat actor gains access to the domain control panel and redirects the
registered domain to a different physical web server.

Clickjacking
Hijacking a mouse click is called clickjacking, when the user is tricked into clicking a link
that is other than what it appears to be. Suppose a threat actor builds a website with a
button labeled Click here to play music video. However, the attacker also creates a second
page that overlays the first page with a transparent layer that contains a button that
purchases an online item sent to the attacker but charged to the victim. When the user
clicks the button Click here to play music video, that click invokes the purchase button that
overlays it. This results in an item bought and charged to the victim's online account.

Note

An increasing number of registered attacker domains are the result of bitsquatting, such as
aeazon.com (for amazon.com) and microsmft.com (for microsoft.com). Security researchers
found that 20 percent of a sample of 433 registered attacker domains were the result of
bitsquatting.7

Figure 5-11Character change by bit flipping

01100111
Results in change
of entire character

01101111

Change of one bit

01101111 0101110 01100111 01101100

og o . g l

01100110 01101111 01101111 0101110 01100111 01101100

of o . g l

Note

For the above scenario to function the victim must be logged into the online retailer and have
1-click ordering turned on.


Clickjacking often relies on a zero-pixel IFrame crafted by the threat actor. An IFrame
(short for inline frame) is an HTML element that allows another HTML
document to be embedded inside the main document. A zero-pixel IFrame is virtually invisible to the
naked eye, making it easier to overlay a button in a webpage.
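The overlay only works if the target page lets itself be framed, so an added example (not code from the textbook) checks a raw HTTP response header block for the two standard anti-framing signals, an X-Frame-Options value of DENY or SAMEORIGIN and a Content-Security-Policy frame-ancestors directive; the sample responses in main are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the textbook: does this raw HTTP response header
 * block tell the browser not to render the page inside a frame?  A page that
 * cannot be framed cannot be overlaid by a transparent or zero-pixel IFrame. */

/* Case-insensitive "does s start with prefix"; stops safely at the end of s. */
static bool starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

/* Case-insensitive substring search. */
static bool contains_ci(const char *haystack, const char *needle)
{
    for (; *haystack; haystack++)
        if (starts_with_ci(haystack, needle))
            return true;
    return false;
}

bool framing_protected(const char *headers)
{
    char line[512];                 /* one header line; longer lines are truncated, never overrun */
    const char *p = headers;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        if (starts_with_ci(line, "X-Frame-Options:")) {
            const char *v = line + strlen("X-Frame-Options:");
            while (*v == ' ' || *v == '\t')
                v++;
            /* DENY and SAMEORIGIN block the overlay; the obsolete ALLOW-FROM does not count */
            if (starts_with_ci(v, "DENY") || starts_with_ci(v, "SAMEORIGIN"))
                return true;
        } else if (starts_with_ci(line, "Content-Security-Policy:")) {
            /* the header name must match exactly: a -Report-Only policy enforces nothing */
            if (contains_ci(line, "frame-ancestors"))
                return true;
        }

        if (!nl)
            break;
        p = nl + 1;
    }
    return false;
}

int main(void)
{
    /* constructed sample responses */
    const char *protected_hdrs =
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "x-frame-options: SAMEORIGIN\r\n";
    const char *unprotected_hdrs =
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Content-Security-Policy-Report-Only: frame-ancestors 'none'\r\n";

    printf("first response frame-protected:  %s\n", framing_protected(protected_hdrs) ? "yes" : "no");
    printf("second response frame-protected: %s\n", framing_protected(unprotected_hdrs) ? "yes" : "no");
    return 0;
}
```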

Overflow Attacks
Some attacks are designed to overflow areas of memory with instructions from the
attacker. This type of attack includes buffer overflow attacks and integer overflow attacks.

Note

Overflow attacks can target either a server or a client.

Buffer Overflow
Consider a teacher working in his office who manually grades a lengthy written
examination by marking incorrect answers with a red pen. Because he is frequently
interrupted in his grading by students, the teacher places a ruler on the test question
he is currently grading to indicate his return point, or the point at which he should
resume the grading. Suppose that two devious students enter his office as he is grading
examinations. While one student distracts him, the second student silently slides the
ruler down from question 4 to question 20. When the teacher returns to grading, he
will resume at the wrong return point and not look at the answers for questions 4
through 19.

This scenario is similar to how a buffer overflow attacker attempts to compromise
a computer. A storage buffer on a computer typically contains the memory location of
the software program that was being executed when another function interrupted the
process; that is, the storage buffer contains the return address where the computer's
processor should resume once the new process has finished. An attacker can substitute
a return address of their own that points to a different area of the computer's
memory containing the attacker's malware code.

A buffer overflow attack occurs when a process attempts to store data in RAM
beyond the boundaries of a fixed-length storage buffer. This extra data overflows into
the adjacent memory locations (a buffer overflow). Because the storage buffer typically
contains the return address memory location of the software program that was being
executed when another function interrupted the process, an attacker can overflow the
buffer with a new address pointing to the attacker's malware code. A buffer overflow
attack is shown in Figure 5-12.

[Figure 5-12 Buffer overflow attack: in the normal process the program jumps to the address held in the return address pointer stored next to the buffer (buffer storing character data, buffer storing integer data); in a buffer overflow the buffer is filled past its end, the return address pointer is overwritten with a new pointer, and the program jumps to the attacker's malware]

Note

The return address is not the only element that can be altered in a buffer overflow attack,
but it is one of the most commonly altered elements.

Integer Overflow
Consider a digital clock that can display the hours only as 1 to 12. What happens when the
time moves past 12:59? The clock then wraps around to the lowest hour value of 1 again.

On a computer, an integer overflow is the condition that occurs when the result of
an arithmetic operation, like addition or multiplication, exceeds the maximum size
of the integer type used to store it. When this integer overflow occurs, the interpreted
value then wraps around from the maximum value to the minimum value.

Note

For example, an 8-bit signed integer has a maximum value of 127 and a minimum value
of -128. If the value 127 is stored in a variable and 1 is added to it, the sum exceeds the
maximum value for this integer type and wraps around to become -128.

In an integer overflow attack, an attacker changes the value of a variable to
something outside the range that the programmer had intended by using an integer
overflow. This type of attack could be used in the following situations:

An attacker could use an integer overflow attack to create a buffer overflow
situation. If an integer overflow could be introduced during the calculations for
the length of a buffer when a copy is occurring, it could result in a buffer that is
too small to hold the data. An attacker could then use this to create a buffer
overflow attack.

A program that calculates the total cost of items purchased would use the
number of units sold times the cost per unit. If an integer overflow were
introduced when tallying the number of items sold, it could result in a
negative value and a resulting negative total cost, indicating that a refund is
due to the customer.

A large positive value in a bank transfer could be wrapped around by an integer
overflow attack to become a negative value, which could then reverse the flow of
money: instead of adding this amount to the victim's account, it could withdraw
that amount and later transfer it to the attacker's account.

Note

An extreme example of an integer overflow attack would be withdrawing $1 from an account
that has a balance of 0, which could cause a new balance of $4,294,967,295!
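The arithmetic behind the Buffer Overflow and Integer Overflow sections, as an added example that is not the textbook's code: it reproduces the 8-bit wraparound and the unsigned 32-bit "$1 from a balance of 0" case, guards the buffer-length multiplication from the first situation above, and shows a bounded copy that refuses to spill past a fixed-length buffer (the function names and sample values are constructed for illustration).

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the textbook. */

/* The 8-bit signed example: 127 + 1 wraps to -128.  The sum is computed in
 * unsigned arithmetic (which wraps by definition) and converted back, so the
 * program itself never performs an undefined signed overflow. */
int8_t add_int8_wrapping(int8_t a, int8_t b)
{
    uint8_t sum = (uint8_t)((uint8_t)a + (uint8_t)b);
    return (int8_t)sum;                /* 128 is read back as -128 */
}

/* The "$1 from a balance of 0" note: unsigned 32-bit subtraction wraps. */
uint32_t withdraw_unchecked(uint32_t balance, uint32_t amount)
{
    return balance - amount;           /* 0 - 1 == 4294967295 */
}

/* Checked version: refuse instead of wrapping; -1 signals refusal. */
int64_t withdraw_checked(uint32_t balance, uint32_t amount)
{
    if (amount > balance)
        return -1;
    return (int64_t)(balance - amount);
}

/* First situation above: the length of a buffer computed as count * elem_size.
 * If the product wraps, the buffer allocated from it is too small for the
 * copy that follows.  This guard detects the wrap before any allocation. */
bool mul_would_overflow(size_t count, size_t elem_size)
{
    return elem_size != 0 && count > SIZE_MAX / elem_size;
}

/* Bounded copy into a fixed-length buffer.  Returns false and copies nothing
 * when the source (plus its terminator) does not fit, instead of spilling
 * into the adjacent memory where the return address lives. */
bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return false;
    memcpy(dst, src, n + 1);
    return true;
}

int main(void)
{
    printf("127 + 1 as int8_t   = %" PRId8 "\n", add_int8_wrapping(127, 1));
    printf("0 - 1 as uint32_t   = %" PRIu32 "\n", withdraw_unchecked(0, 1));
    printf("checked withdrawal  = %" PRId64 "\n", withdraw_checked(0, 1));

    /* constructed: a count large enough that count * 16 wraps in size_t */
    size_t count = SIZE_MAX / 8;
    if (mul_would_overflow(count, 16))
        printf("%zu * 16 would wrap; refusing to size the buffer\n", count);

    char buf[16];
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes */
    printf("32 bytes into a 16-byte buffer accepted? %s\n",
           copy_bounded(buf, sizeof buf, long_input) ? "yes" : "no");
    return 0;
}
```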

Advertising Attacks
Most websites today rely heavily upon advertising revenue. Ad revenue for Google,
which was only $10.4 billion in 2006, had skyrocketed to almost $80 billion just
10 years later.8 This has not gone unnoticed by threat actors. There are several attacks
that attempt to use ads or manipulate the advertising system. Two of the most
common are malvertising and ad fraud.

Malvertising
When visiting a typical website it is common for advertisements to be displayed
around the pages. For example, visiting a fitness-tracking website often results in ads
promoting athletic shoes, sports drinks, weight loss, and other related products being
displayed, even when you browse other sites. These ads do not usually come from
the main site itself; instead, most mainstream and high-trafficked websites outsource
the ad content on their pages to different third-party advertising networks. When
a user goes to the site's page, the user's web browser silently connects to dozens of
advertising network sites from which ad banners, popup ads, video files, and pictures
are sent to the user's computer.

Threat actors have turned to using these third-party advertising networks to
distribute their malware to unsuspecting users who visit a well-known website. The
threat actors may infect the third-party advertising networks so that their malware
is distributed through ads sent to users' web browsers. Or the threat actors might
promote themselves as reputable third-party advertisers while in reality they are
distributing their malware through the ads. This is known as malvertising (for malicious
advertising) or a poisoned ad attack. An ad that contains malware redirects visitors who
receive it to the attacker's webpage, which then downloads Trojans and ransomware onto
the user's computer, often through vulnerabilities in the web browser.

Note

The New York Times, Reuters, Yahoo!, Bloomberg, and Google, among many others, have all
been infected with malvertising. In one year, 12.4 billion malvertisements were distributed,
an increase of over 300 percent from the previous year. The growth of malvertising is also
credited with a 41 percent increase in ad-blocking software, now used by 198 million users.9

Malvertising has a number of advantages for the attacker:

Malvertising occurs on big-name websites, such as news publications that
attract many visitors each day. These unsuspecting users, who would avoid or be
suspicious of less popular sites, are deceived into thinking that because they are
on a reputable site they are free from attacks.

Usually the website owners have no knowledge of malvertising being distributed
through their website. This is because they do not know what type of ad content
a third-party ad network is displaying on their site at any given time.

Ad networks rotate content very quickly, so that not all visitors to a site are
infected, making it difficult to determine if malvertising was actually the
source of an attack. And even when an ad is pinpointed in an investigation as
malicious, it is virtually impossible to prove which ad network was responsible.

Because advertising networks configure ads to appear according to the user's
computer (which browser or operating system they are using) or identifying
attributes (their country locations or search keywords they used to find the
site), attackers can narrowly target their victims. For example, an attacker who
wants to target U.S. federal government employees might distribute ads with
malicious content for anyone who entered "Government travel allowance" into
a search engine.

Note

Because these attacks can precisely target their victims, often high value victims are
pinpointed. For example, an attacker might place malicious ads before individuals who are
conducting a keyword-search for hotel rates at an upcoming security conference.


Preventing malvertising is a difficult task. Website operators are unaware of the
types of ads that are being displayed, users have a false sense of security going to a
mainstream website, and turning off ads that support plug-ins such as Adobe Flash
often disrupts the user's web experience.

Ad Fraud
Suppose that Mario wants to do some online shopping. Using his web browser he
goes to his favorite online store, Gear.org. The home page of Gear.org appears, along
with a small video window, tempting Mario to click the video to watch it. When
he clicks on the video he first sees a short (10-15 second) advertising video called a
pre-roll. The pre-roll ad is a promotional video that plays before the content Mario
wants to see.

Note

Pre-roll ads are often repurposed TV ads that have been shortened, because the 30-second
standard TV ad is too long for pre-rolls, which precede videos that are usually only about two
minutes long. Despite the fact that many pre-rolls support a video format called TrueView
that allows users to skip the ad after five seconds, almost half of all viewers watch the entire
pre-roll ad.

When Mario clicks on the video to view it, an automated advertising auction
occurs in the background between the advertiser and the website over what pre-roll
video will be displayed. The pre-roll slot is offered by the website and then sold to
the advertiser (with the highest bid) within 100 milliseconds. The web browser then
directly receives the pre-roll from the advertiser that wins the auction, and the web
browser also verifies what site the user is visiting and that the user actually received
the pre-roll ad.

Threat actors manipulate this process to earn ad revenue that is directed back
to them. Attackers have created what is essentially a robo-browser, called Methbot, that
spoofs all the necessary interactions needed to initiate, carry out, and complete the
ad auction. Acting like the website, Methbot contacts an advertiser and says it needs a
pre-roll for a video on Gear.org. The super-fast auction occurs and the pre-roll is sent
to Methbot. But Methbot also pretends to be the valid web browser and verifies that
it received the pre-roll and played it. The advertiser pays the website that the browser
claimed to be visiting, but actually the money is sent to the attackers behind Methbot
and not to Gear.org. It is estimated that the threat actors sell between 200 million and
300 million false ads each day at 1.3 cents per view, which generates up to $5 million
a day in revenue.10


Browser Vulnerabilities
In the early days of the web, users viewed static content (information that does not change)
such as text and pictures through a web browser. As the Internet increased in popularity, the
demand rose for dynamic content that can change, such as animated images or customized
information. However, basic HTML code could not provide these dynamic functions.

The solution came in several different forms. One solution was to allow scripting
code to be downloaded from the web server into the user's web browser. Another
solution took the form of different types of additions that could be added to a web
browser to support dynamic content. However, these additions have introduced
vulnerabilities in browsers that access servers. These web browser additions are
extensions, plug-ins, and add-ons.

Scripting Code
One means of adding dynamic content is for the web server to download a script
or series of instructions in the form of computer code that commands the browser
to perform specific actions. JavaScript is the most popular scripting code. Because
JavaScript cannot create separate stand-alone applications, the JavaScript
instructions are embedded inside HTML documents. When a website that uses
JavaScript is accessed, the HTML document that contains the JavaScript code is
downloaded onto the users computer. The users web browser then executes that code.
Figure 5-13 illustrates how JavaScript works.

Note

Attackers use IP spoofing to mask the fact that Methbot traffic is generated by servers and
not by users.

[Figure 5-13 JavaScript: the web server holds an HTML document containing JavaScript; the HTML document with its JavaScript is downloaded to the user's computer, where the browser executes it]


Visiting a website that automatically downloads code to run on a local computer
can obviously be dangerous: an attacker could write a malicious script and have
it downloaded and executed on the user's computer. There are different defense
mechanisms intended to prevent JavaScript programs from causing serious harm.
These defenses are listed in Table 5-5.

Defense              Explanation
Limit capabilities   JavaScript does not support certain capabilities. For example, JavaScript running on a local computer cannot read, write, create, delete, or list the files on that computer.
Sandboxing           Only permitting JavaScript to run in a restricted environment (sandbox) can limit what computer resources it can access or actions it can take.
Same origin          This defense restricts a JavaScript downloaded from Site A from accessing data that came from Site B.

Table 5-5 JavaScript defenses

However, there are security concerns with JavaScript. A malicious JavaScript
program could capture and remotely transmit user information without the user's
knowledge or authorization. For example, an attacker could capture and send the user's
email address to a remote source or even send a fraudulent email from the user's email
account. Other JavaScript attacks can be even more malicious. An attacker's JavaScript
program could scan the user's network and then send specific commands to disable
security settings, or redirect a user's browser to an attacker's malicious website.

Extensions
Extensions expand the normal capabilities of a web browser for a specific webpage.
Most extensions are written in JavaScript so that the browser can support dynamic
actions. Because extensions act as part of the browser itself, they generally have wider
access privileges than JavaScript running in a webpage. Extensions are browser-
dependent, so that an extension that works in the Google Chrome web browser will not
function in the Microsoft Edge browser.

Plug-Ins
A plug-in adds new functionality to the web browser so that users can play music,
view videos, or display special graphical images within the browser that normally it
could not play or display. Technically a plug-in is a third-party binary library that lives
outside of the space that a browser uses on the computer for processing and serves
as the link to external programs that are independent of the browser. A single plug-in
can be used on different web browsers, such as Google Chrome, Mozilla Firefox, and
Microsoft Internet Explorer.


One common plug-in supports Java. Unlike JavaScript, Java is a complete
programming language that can be used to create stand-alone applications. Whereas
JavaScript is embedded in an HTML document, Java can also be used to create a
separate program called a Java applet. Java applets are stored on the web server and
then downloaded onto the user's computer along with the HTML code, as shown
in Figure 5-14. Java applets can perform interactive animations, mathematical
calculations, or other simple tasks very quickly because the user's request does not
have to be sent to the web server for processing and then returned; instead, all of the
processing is done on the local computer by the Java applet.

Note

One popular blogging tool for users to post their personal blogs supports 39,848 plug-ins.11

[Figure 5-14 Java applet: the web server holds the HTML document and a separate Java applet (a class importing java.applet.* and java.awt.*); the HTML document and the Java applet are downloaded to the user's computer, where the browser runs them]

The most widely used plug-ins for web browsers are Java, Adobe Flash player,
Apple QuickTime, and Adobe Acrobat Reader. However, there are tens of thousands
of freely available plug-ins, created by not only well-known organizations but also by
individual coders.

Add-Ons
Another category of tools that add functionality to the web browser are called add-ons.
Add-ons add a greater degree of functionality to the entire browser and not just
to a single webpage as with a plug-in. In contrast to plug-ins, add-ons can do the
following:

Create additional web browser toolbars
Change browser menus
Be aware of other tabs open in the same browser process
Process the content of every webpage that is loaded

Table 5-6 compares browser extensions, plug-ins, and add-ons.

Name        Description                                            Location                 Browser support                           Examples
Extension   Written in JavaScript and has wider access privileges  Part of web browser      Only works with a specific browser        Download selective links on webpage, display specific fonts
Plug-in     Links to external programs                             Outside of web browser   Compatible with many different browsers   Audio, video, PDF file display
Add-on      Adds functionality to browser itself                   Part of web browser      Only works with a specific browser        Dictionary and language packs

Table 5-6 Browser additions

It is easy to see how extensions, plug-ins, and add-ons can be security risks.
Because of the large number of these browser tools available, created by a large
number of programmers, they often have serious security vulnerabilities. Attackers
have targeted vulnerable plug-ins as a means to insert malware into a user's computer
or in some instances take over complete control of the computer.

Note

Adobe Flash is one of the most popular plug-ins that attackers target. In one five-year span
over 324 vulnerabilities in Flash were exploited by attackers.12

Due to the risks associated with extensions, plug-ins, and add-ons, efforts are
being made to minimize those risks. Some web browsers now block plug-ins like Adobe
Flash, while other browsers use a "Click to Play" feature that enables a plug-in only
after the user gives approval. In addition, the most recent version of HTML, known as
HTML5, standardizes sound and video formats so that plug-ins like Flash are no longer
needed. Yet with the large number of these browser tools still available, they will likely
continue to remain a target of attackers.


Chapter Summary
Some attacks are designed to intercept network communications. A man-in-the-middle (MITM) attack intercepts legitimate communication and forges a fictitious response to the sender. A man-in-the-browser (MITB) attack occurs between a browser and the underlying computer. A MITB attack seeks to intercept and then manipulate the communication between the web browser and the security mechanisms of the computer. A replay attack makes a copy of the legitimate transmission before sending it to the recipient; this copy is then used at a later time.

Some types of attacks inject poison into a normal network process to facilitate an attack. ARP poisoning changes the ARP cache so the corresponding IP address is pointing to a different computer. DNS poisoning substitutes a DNS address so that the computer is automatically redirected to another device. Privilege escalation is exploiting a vulnerability in software to gain access to resources that the user normally would be restricted from accessing.

Whereas some attacks are directed at the network itself, other attacks are directed at network servers. A denial of service (DoS) attack is a deliberate attempt to prevent authorized users from accessing a system by overwhelming that system with so many bogus requests that it cannot respond to legitimate requests. Most DoS attacks today are distributed denial of service (DDoS) attacks using hundreds or even tens of thousands of devices flooding the server with requests. A DNS amplification attack uses publicly accessible and open DNS servers to flood a system with DNS response traffic. A SYN flood attack takes advantage of the procedures for initiating a session.

A cross-site scripting (XSS) attack is focused not on attacking a web application server to compromise it, but on using the server to launch other attacks on computers that access it. An XSS attack uses websites that accept user input without validating it and uses that input in a response without encoding it. A cross-site request forgery (XSRF) uses the user's web browser settings to impersonate the user. Injection attacks introduce new input to exploit a vulnerability. One of the most common injection attacks, called SQL injection, inserts SQL statements to manipulate a database server.

Several server attacks are the result of threat actors commandeering a technology and then using it for an attack. Session hijacking is an attack in which an attacker attempts to impersonate the user by using the user's session token. Attackers who purchase the domain names of sites that are spelled similarly to actual sites are performing a URL hijacking or typo squatting attack. Domain hijacking occurs when a domain pointer that links a domain name to a specific web server is changed by a threat agent. Hijacking a mouse click is called clickjacking.

Some attacks can target either a server or a client by overflowing areas of memory with instructions from the attacker. A buffer overflow occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer. This extra data overflows into the adjacent memory locations and, under certain conditions, may cause the computer to stop functioning. An integer overflow attack is the result of an attacker changing the value of a variable to something outside the range that the programmer had intended by using an integer overflow.

Most websites today rely heavily upon advertising revenue. There are several attacks that attempt to use ads or manipulate the advertising system. Malvertising (for malicious advertising) is an attack that uses third-party advertising networks to distribute malware to unsuspecting users who are visiting a well-known website. Threat actors also manipulate the advertising auction process to earn ad revenue that is directed back to them.

To provide enhanced features, virtually all websites today allow scripting code to be downloaded from the web server into the user's web browser. Another solution to provide these features is different types of additions that are added to a web browser to support dynamic content. However, these have introduced vulnerabilities in browsers that access servers.

Key Terms
Address Resolution Protocol (ARP)
ARP poisoning
buffer overflow attack
clickjacking
cross-site request forgery (XSRF)
cross-site scripting (XSS)
denial of service (DoS)
distributed denial of service (DDoS)
DNS amplification attack
DNS poisoning
domain hijacking
domain name resolution
injection attack
integer overflow attack
IP spoofing
MAC spoofing
man-in-the-browser (MITB)
man-in-the-middle (MITM)
privilege escalation
replay
session hijacking
URL hijacking (typo squatting)

Review Questions
1. Which attack intercepts communications between a web browser and the underlying computer?
a. Man-in-the-middle (MITM)
b. Man-in-the-browser (MITB)
c. Replay
d. ARP poisoning

2. Olivia was asked to protect the system from a DNS poisoning attack. What are the locations she would need to protect?
a. Web server buffer and host DNS server
b. Reply referrer and domain buffer
c. Web browser and browser add-on
d. Host table and external DNS server

3. Newton is concerned that attackers could be exploiting a vulnerability in software to gain access to resources that the user normally would be restricted from accessing. What type of attack is he worried about?
a. Privilege escalation
b. Session replay
c. Scaling exploit
d. Amplification

4. Which of the following adds new functionality to the web browser so that users can play music, view videos, or display special graphical images within the browser?
a. Extensions
b. Scripts
c. Plug-ins
d. Add-ons

5. An attacker who manipulates the maximum size of an integer type would be performing what kind of attack?
a. Integer overflow
b. Buffer overflow
c. Number overflow
d. Heap overflow

6. What kind of attack is performed by an attacker who takes advantage of the inadvertent and unauthorized access built through three succeeding systems that all trust one another?
a. Privilege escalation
b. Cross-site attack
c. Horizontal access attack
d. Transverse attack

7. Which statement is correct regarding why traditional network security devices cannot be used to block web application attacks?
a. The complex nature of TCP/IP allows for too many ping sweeps to be blocked.
b. Web application attacks use web browsers that cannot be controlled on a local computer.
c. Network security devices cannot prevent attacks from web resources.
d. Traditional network security devices ignore the content of HTTP traffic, which is the vehicle of web application attacks.

8. What is the difference between a DoS and a DDoS attack?
a. DoS attacks are faster than DDoS attacks
b. DoS attacks use fewer computers than DDoS attacks
c. DoS attacks do not use DNS servers as DDoS attacks do
d. DoS attacks use more memory than a DDoS attack

9. John was explaining about an attack that accepts user input without validating it and uses that input in a response. What type of attack was he describing?
a. SQL
b. XSS
c. XSRF
d. DDoS DNS

10. Which attack uses the user's web browser settings to impersonate that user?
a. XDD
b. XSRF
c. Domain hijacking
d. Session hijacking

11. What is the basis of an SQL injection attack?
a. To expose SQL code so that it can be examined
b. To have the SQL server attack client web browsers
c. To insert SQL statements through unfiltered user input
d. To link SQL servers into a botnet

12. Which action cannot be performed through a successful SQL injection attack?
a. Discover the names of different fields in a table
b. Reformat the web application server's hard drive
c. Display a list of customer telephone numbers
d. Erase a database table

13. Attackers who register domain names that are similar to legitimate domain names are performing ________.
a. address resolution
b. HTTP manipulation
c. HTML squatting
d. URL hijacking

14. What type of attack involves manipulating third-party ad networks?
a. Session advertising
b. Malvertising
c. Clickjacking
d. Directory traversal

15. Why are extensions, plug-ins, and add-ons considered to be security risks?
a. They are written in Java, which is a weak language.
b. They have introduced vulnerabilities in browsers.
c. They use bitcode.
d. They cannot be uninstalled.

16. What is a session token?
a. XML code used in an XML injection attack
b. A random string assigned by a web server
c. Another name for a third-party cookie
d. A unique identifier that includes the user's email address

17. Which of these is not a DoS attack?
a. SYN flood
b. DNS amplification
c. Smurf attack
d. Push flood

18. What type of attack intercepts legitimate communication and forges a fictitious response to the sender?
a. SIDS
b. interceptor
c. MITM
d. SQL intrusion

19. A replay attack ________.
a. can be prevented by patching the web browser
b. is considered to be a type of DoS attack
c. makes a copy of the transmission for use at a later time
d. replays the attack over and over to flood the server

20. DNS poisoning ________.
a. floods a DNS server with requests until it can no longer respond
b. is rarely found today due to the use of host tables
c. substitutes DNS addresses so that the computer is automatically redirected to another device
d. is the same as ARP poisoning


Hands-On Projects

Project 5-1: Testing Browser Security
One of the first steps in securing a web browser is to conduct an analysis to determine if any
security vulnerabilities exist. These vulnerabilities may be a result of missing patches or out-
of-date plug-ins. In this project, you use a plug-in to scan the Firefox or Chrome browser.

1. Open the Firefox or Chrome web browser and enter the URL browsercheck.qualys.com (if you are no longer able to access the site through the web address, use a search engine to search for Qualys Browser Check).
2. Click FAQ.
3. Read the information on this page about what the Qualys browser check plug-in will do.
4. Return to the home page.
5. Click Install Plugin.
6. Check the box I have read and accepted the Service User Agreement.
7. Click Continue. An analysis of the browser's security appears.
8. If there are any security issues detected, click the Fix It buttons to correct the problem. Follow the instructions on each page to correct the problems.
9. Return to the Qualys scan results page.
10. When the scan is finished, click each of the tabs (Browser/Plugins, System Checks, and MS Updates) for each of the browsers listed. Be sure to correct any security problems.

11. Close all windows.

Project 5-2: Configuring Microsoft Windows Data Execution Prevention (DEP)
Data Execution Prevention (DEP) is a Microsoft Windows feature that prevents attackers from
using buffer overflow to execute malware. Most modern CPUs support an NX (No eXecute)
bit to designate a part of memory for containing only data. An attacker who launches a buffer
overflow attack to change the return address to point to his malware code stored in the
data area of memory would be defeated because DEP will not allow code in the memory area
to be executed. If an older computer processor does not support NX, then a weaker software-
enforced DEP will be enabled by Windows. Software-enforced DEP protects only limited
system binaries and is not the same as NX DEP.

Note

If you are concerned about installing any of the software in these projects on your
regular computer, you can install the software in the Windows virtual machine
created in the Chapter 1 Hands-On Projects 1-3 and 1-4. Software installed within the
virtual machine will not impact the host computer.


DEP provides an additional degree of protection that reduces the risk of buffer overflows.
In this project, you determine if a Microsoft Windows system can run DEP. If it can, you learn
how to configure DEP.

1. The first step is to determine if the computer supports NX. Use your web browser to go
to www.grc.com/securable. Click Download now and follow the default settings to
download the application on your computer.


Note

The location of content on the Internet may change without warning. If you are no
longer able to access the program through the above URL, use a search engine to
search for GRC securable.

2. Double-click Securable.exe to launch the program. If it reports that Hardware D.E.P. is
No, then that computer's processor does not support NX. Close the SecurAble application.

3. The next step is to check the DEP settings in Microsoft Windows. Right-click Start and
System and Control Panel.

4. Click System and Security and then click System.
5. Click Advanced system settings in the left pane.
6. Click the Advanced tab if necessary.
7. Click Settings under Performance and then click the Data Execution Prevention tab.
8. Windows supports two levels of DEP controls: DEP enabled for only Windows programs and services, and DEP enabled for Windows programs and services as well as all other application programs and services. If the configuration is set to Turn on DEP for essential Windows programs and services only, click Turn on DEP for all programs and services except those I select. This will provide full protection to all programs.

9. If an application does not function properly, it may be necessary to make an exception
for that application and not have DEP protect it. If this is necessary, click the Add button
and then search for the program. Click on the program to add it to the exception list.

10. Close all windows and applications and restart your computer to invoke DEP protection.

Project 5-3: Simulating a Hosts File Attack
Substituting a fraudulent IP address can be done by either attacking the Domain Name
System (DNS) server or the local host table. Attackers can target a local hosts file to create
new entries that will redirect users to their fraudulent site. In this project, you add a
fraudulent entry to the local hosts file.

1. Start your web browser.
2. Go to the Cengage website at www.cengage.com and then go to MSN at www.msn.com to verify that the names are correctly resolved.
3. Now search based on IP address. Go to http://69.32.208.74 for Cengage and http://13.82.28.61 for MSN.
4. Click Start and then Windows Accessories.
5. Right-click Notepad and then More and select Run as administrator. If you receive the message Do you want to allow this app to make changes to the device? click Yes.
6. Click File and then Open. Click the File Type drop-down arrow to change from Text Documents (*.txt) to All Files (*.*).
7. Navigate to the file C:\Windows\System32\drivers\etc\hosts and open it.
8. At the end of the file, following all the lines that begin with a hashtag (#) in the first column, enter the IP address 13.82.28.61. This is the IP address of MSN.
9. Press Tab and enter www.cengage.com. In this hosts table, www.cengage.com is now resolved to the IP address of MSN, 13.82.28.61.
10. Click File and then Save.
11. Open your web browser and then enter the URL www.cengage.com. What website appears?
12. Return to the hosts file and remove this entry.
13. Click File and then Save.
14. Close all windows.
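The hosts file substitution performed in this project, and the ARP table manipulation in Project 5-4 that follows, both leave traces that a defender can check for on the local machine. The Python script below is an added example (it is not code from the textbook or its projects) that parses a constructed hosts file and constructed Windows `arp -a` output: it lists every hosts entry that overrides a non-local name, and every unicast MAC address claimed by more than one IP address, which is what the gateway entry being replaced looks like in the ARP cache. The sample data, including the MAC addresses and the 192.168.1.x addresses, is constructed for the example; the 13.82.28.61 address is the one the project uses.

```python
"""Local resolution integrity checks for the hosts file (Project 5-3) and
the ARP cache (Project 5-4).  Added example with constructed sample data;
not code from the textbook."""
import ipaddress
import re
from collections import defaultdict

# Constructed hosts file: normal loopback lines plus the fraudulent entry
# that Project 5-3 adds (www.cengage.com pointed at MSN's address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
13.82.28.61     www.cengage.com
"""

# Constructed `arp -a` output in which the default gateway 192.168.1.1 and
# the host 192.168.1.100 both resolve to the same MAC address.
SAMPLE_ARP = """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.100         aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


def hosts_overrides(text):
    """Return (ip, hostname) pairs that map a non-local name to a
    non-loopback address.  Every such entry bypasses DNS, so each one
    should be accounted for."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                             # malformed line, not an entry
        if addr.is_loopback:
            continue
        found.extend((ip, n) for n in names if n.lower() != "localhost")
    return found


# One row of Windows `arp -a` output: IPv4 address, dashed MAC, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)


def duplicate_macs(arp_text):
    """Return {mac: [ip, ...]} for every unicast MAC address that more than
    one IP address resolves to.  Broadcast and multicast MACs (low bit of
    the first octet set) legitimately repeat and are skipped."""
    by_mac = defaultdict(list)
    for line in arp_text.splitlines():
        m = ARP_ROW.match(line)
        if not m:
            continue
        ip, mac, _entry_type = m.groups()
        mac = mac.lower()
        if int(mac[:2], 16) & 1:
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    print("hosts overrides:", hosts_overrides(SAMPLE_HOSTS))
    print("MACs shared by several IPs:", duplicate_macs(SAMPLE_ARP))
```

On a real machine the two inputs would come from reading C:\Windows\System32\drivers\etc\hosts and from the output of `arp -a`; a gateway address appearing in the `duplicate_macs` result is the condition worth alerting on.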

Note

IP addresses are sometimes based on the region in which you live. If you cannot
access the above sites by these IP addresses, go to ipaddress.com/ip_lookup/ and
enter the domain name to receive the correct IP address.

Project 5-4: Exploring ARP Poisoning
Attackers frequently modify the Address Resolution Protocol (ARP) table to redirect
communications away from a valid device to an attacker's computer. In this project, you view
the ARP table on your computer and make modifications to it. You will need to have another
victim's computer running on your network (and know the IP address), as well as a default
gateway that serves as the switch to the network.

1. Open a Command Prompt window by right-clicking Start and selecting Command Prompt (Admin).
2. To view your current ARP table, type arp -a and then press Enter. The Internet Address is the IP address of another device on the network while the Physical Address is the MAC address of that device.
3. To determine network addresses, type ipconfig /all and then press Enter.
4. Record the IP address of the default gateway.
5. Delete the ARP table entry of the default gateway by typing arp -d followed by the IP address of the gateway, such as arp -d 192.168.1.1, and then press Enter.
6. Create an automatic entry in the ARP table for the victim's computer by typing ping followed by that computer's IP address, such as ping 192.168.1.100, and then press Enter.
7. Verify that this new entry is now listed in the ARP table by typing arp -a and then press Enter. Record the physical address of that computer.
8. Add that entry to the ARP table by entering arp -s followed by the IP address and then the MAC address.
9. Delete all entries from the ARP table by typing arp -d.
10. Close all windows.

Case Projects

Case Project 5-1: DoS Attacks
Denial of service (DoS) attacks can cripple an organization that relies heavily on its web
application servers, such as online retailers. What are some of the most widely publicized DoS
attacks that have occurred recently? Who was the target? How many DoS attacks occur on a
regular basis? What are some ways in which DoS attacks can be prevented? Write a one-page
paper on your research.

Case Project 5-2: DNS Services
Many organizations offer a free domain name resolution service that resolves DNS requests
through a worldwide network of redundant DNS servers. The claim is that this is faster and
more reliable than using the DNS servers provided by Internet Service Providers (ISP). They
also claim that their DNS servers improve security by maintaining a real-time blacklist of
harmful websites and will warn users whenever they attempt to access a site containing
potentially threatening content. They also say that using this service can reduce exposure to
types of DNS poisoning attacks. Research free DNS services. Identify at least three providers
and create a table comparing their features. Are the claims of providing improved security
valid? How do they compare with your ISP's DNS service?

Case Project 5-3: Cross-Site Attack Defenses
Use the Internet to research defenses against cross-site attacks (XSS and XSRF). What are the
common defenses? How difficult are they to implement? Why are these defenses not used
extensively? Write a one-page paper on your research.

Case Project 5-4: SQL Injection Attacks
SQL injection attacks continue to be a significant attack vector for threat actors. Use the
Internet to research these attacks. What are some recent attacks that have been initiated by
SQL injection? How were they conducted? What defenses are there against them? Write a
one-page paper on your research.

Case Project 5-5: Buffer Overflow Attacks
Research the Internet regarding buffer overflow attacks. How do the various types of overflow
attacks differ? When did they first start to occur? What can they do and not do? What must a
programmer do to prevent a buffer overflow in a program she has written? Write a one-page
paper on your research.

Case Project 5-6: Lake Point Consulting Services
Lake Point Consulting Services (LPCS) provides security consulting and assurance services to
over 500 clients across a wide range of enterprises in more than 20 states. A new initiative
at LPCS is for each of its seven regional offices to provide internships to students who are in
their final year of the security degree program at the local college.

Like Magic is a national repair shop that specializes in repairing minor car door dings,
windshield repair, interior fabric repair, and scratch repair. Like Magic allows customers to
file a claim through a smartphone app and its website. Recently, however, Like Magic was the
victim of an SQL injection attack that resulted in customer account information and credit
card numbers being stolen. Several security personnel were fired due to this breach. The
vice president of Like Magic is adamant that this will never happen again to them, and has
contacted LPCS to help provide training to the technology staff to prevent further attacks.

1. Create a PowerPoint presentation for Like Magic about cross-site attacks, injection
attacks, hijacking, and DoS attacks, explaining what they are, how they occur, and what
defenses can be set up to prevent them. Your presentation should contain 8 to 10
slides.

2. After the presentation Like Magic asks LPCS to address other weaknesses in their
system. You have been placed on the team to examine potential networking-based
attacks. One of your tasks is to create a report for a presentation; you are asked to write
a one-page narrative providing an overview of the different types of networking-based
attacks of interception and poisoning.

Case Project 5-7: Community Site Activity
The Information Security Community Site is an online companion to this textbook. It contains
a wide variety of tools, information, discussion boards, and other features to assist learners.
Go to community.cengage.com/Infosec2 and click the Join or Sign in icon to log in, using
your login name and password that you created in Chapter 1. Click Forums (Discussion) and
click on Security+ Case Projects (6th edition). Read the following case study.

Read again Today's Attacks and Defenses at the beginning of the chapter. Should the
government restrict vendors from addressing vulnerabilities in their products, even if the
source was from leaked classified material? How would you respond to the charge that this is
simply an attempt to keep products vulnerable so that intelligence agencies can manipulate
them? To what extent should vendors be pursuing uncovering vulnerabilities in their
products? How is this any different from vendors paying security researchers who uncover
vulnerabilities? Enter your answers on the InfoSec Community Server discussion board.


CHAPTER 6
NETWORK SECURITY DEVICES, DESIGN, AND TECHNOLOGY

After completing this chapter, you should be able to do the following:

List the different types of network security devices and how they can be used

Describe secure network architectures

Explain how network technologies can enhance security

Today's Attacks and Defenses

There has been much debate regarding governments and cryptography. Many governments
claim that terrorists are encrypting their electronic correspondence when planning attacks.
To protect their citizens, these governments want to eavesdrop on suspected terrorists
who use encryption, either by holding the decryption keys themselves so that they can
decrypt conversations or by planting a backdoor in the encryption algorithm so that it can
be compromised. However, a recent event revealed an unintended consequence of such a
government-sponsored cryptographic backdoor.

88781_ch06_hr_233-280.indd 233 8/12/17 2:57 PM

CHAPTER 6 Network Security Devices, Design, and Technology 234

The Computer Security Law of 1987 was passed by the U.S. Congress to improve the
security and privacy of sensitive data on federal computer systems. One part of this law
tasked the U.S. National Institute of Standards and Technology (NIST) to work with the
National Security Agency (NSA) to create standards for federal data security. One of these
standards was the pseudo-random number generator Dual_EC_DRBG.

Soon after Dual_EC_DRBG was released in 2006, however, it was demonstrated that this
algorithm was not only slow but had a bias in that some numbers appeared more often than
other numbers and thus were not truly random. Although some argued that the Dual_EC_
DRBG standard should be dropped, it was kept at the NSA's insistence. The agency said that
it was worth including because of its theoretical basis and that it should be difficult to predict
the numbers the algorithm would generate. (Leaked 2013 documents suggested that the NSA
intentionally sabotaged Dual_EC_DRBG to create a cryptographic backdoor but this has never
been proved.1)

Meanwhile, two vulnerabilities were uncovered in networking hardware devices
manufactured by Juniper Networks. The first was a hardcoded master password in
the Juniper operating system (ScreenOS) that would open a backdoor to allow remote
administrative access to the device via Secure Shell (SSH). The second vulnerability would
allow an attacker who can monitor traffic through a virtual private network (VPN) to decrypt
it. This second vulnerability uses elliptic curve cryptography (ECC) that requires two random
numbers, P and Q. The pseudo-random number generator Dual_EC_DRBG was used by
ScreenOS to create these values.

In 2007 two Microsoft researchers discovered that if Q was known then someone
could examine the random numbers generated by the algorithm and subsequently
predict the numbers that would be generated in the future, breaking the encryption.
Thus, any algorithm that used random numbers generated by Dual_EC_DRBG could be
compromised.

Even though Dual_EC_DRBG was known to have a potential vulnerability, Juniper chose to
incorporate Dual_EC_DRBG in its ScreenOS. However, Juniper said that it was using a different
point Q, thus preventing anyone from breaking the encryption. Yet, in August 2012 it appears
that Juniper changed its Q value back to the original (and vulnerable) value, so that encrypted
traffic could have been easily broken. In fact, an attacker would only have to examine 30
bytes of raw output to have the necessary data to initiate the attack. Juniper eventually
patched both vulnerabilities.

In a touch of irony, many U.S. government institutions use Juniper devices. This means
that government network traffic, much of which was confidential and was protected by
ScreenOS's ECC using Dual_EC_DRBG, may also have been compromised for several years.
If the U.S. government was behind weakening Dual_EC_DRBG, did it also make its own
traffic vulnerable? Many security researchers are wondering if a government-sponsored
cryptographic backdoor could come back to haunt them.


At one time the terms information security and network security were virtually
synonymous. That was because the network was viewed as the protecting wall around
which client computers could be kept safe. A secure network would keep attackers
away from the devices on the inside.

This approach, however, has proved to be untenable. There are simply too
many entry points that circumvent the network and allow malware to enter. For
example, users could bring an infected USB flash drive and insert it into their
computer, thus introducing malware while bypassing the secure network. Also,
malware started taking advantage of common network protocols, such as Hypertext
Transfer Protocol (HTTP), and could not always be detected or blocked by network
security devices.

This is not to say that network security is unimportant. Having a secure network
is essential to a comprehensive information security posture. Not all applications
are designed and written with security and reliability in mind, so it falls on the
network to provide protection. Also, network-delivered services can scale better
for larger environments and can complement server and application functionality.
And because an attacker who can successfully penetrate a computer network might
have access to hundreds or even thousands of desktop systems, servers, and storage
devices, a secure network defense remains a critical element in any enterprise's
security plan. Enterprises should make network defenses one of the first priorities
in protecting information.

This chapter explores network security, and investigates how to build a secure
network through network devices, network architectures, and network technologies.

Security Through Network Devices
Certification

2.1 Install and configure network components, both hardware- and software-based, to support organizational security.

2.4 Given a scenario, analyze and interpret output from security technologies.

3.2 Given a scenario, implement secure network architecture concepts.

Different network devices can be used to protect a network and its contents. Security
can be achieved through using the security features found in standard networking
devices as well as hardware designed primarily for security or that provides a
significant security function.


Standard Network Devices
Standard network devices are often classified based on their function in the seven-
layer Open Systems Interconnection (OSI) reference model: Application (Layer 7),
Presentation (Layer 6), Session (Layer 5), Transport (Layer 4), Network (Layer 3), Data
Link (Layer 2), and Physical (Layer 1). The security functions of these network devices
can be used to provide a degree of network security. However, improperly configured
standard network devices can also introduce vulnerabilities. These devices include
bridges, switches, routers, load balancers, and proxies.

Note

Using both standard networking devices and hardware designed specifically for security
can result in a layered security approach, which can significantly improve security. If only
one defense mechanism is in place, an attacker has to circumvent only a single defense. A
network with layered security makes it more difficult for an attacker because the attacker
must have the tools, knowledge, and skills to break through the various layers. A layered
approach also can be useful in resisting a variety of types of attacks.

Note

Several different data units are represented at the various layers of the OSI model. These
data units include bit (Physical), bit/frame (Data Link), packet/datagram (Network), segment
(Transport), and data (Session, Presentation, and Application).

Bridges
A network bridge is a hardware device or software that is used to join two separate
computer networks to enable communication between them. Bridges can connect
two local area networks (LANs) or two network segments (like subnets) of a single
LAN. A bridge allows a LAN to extend its footprint to cover a larger physical area.
Because bridges operate at the Data Link layer (Layer 2) of the OSI model, all networks
or segments being connected must use the same Data Link layer protocol, such as
Ethernet.

Many laptop computers have both wired and wireless network interface cards.
These two adapters allow the laptop to establish simultaneous wired and wireless
connections to two different networks. Most operating systems allow for a software
network bridge to connect the two networks. Figure 6-1 illustrates the software bridge
option for a Microsoft Windows 10 computer.


Creating a software network bridge could create a security vulnerability. A bridge
that links, for example, a secure wired LAN network with an unsecured wireless
network could create an unprotected link between the two, thus permitting access to
the secure wired network from the unsecured wireless network.

Figure 6-1 Microsoft Windows software network bridge

Note

A feature of Microsoft Windows known as Internet Connection Sharing (ICS) allows a single
Internet connection on a computer to be shared with other computers on the same LAN.
However, a software network bridge cannot link ICS connections.

Note

Enterprises can configure a wired Ethernet connection to automatically shut off if it detects
that the device connecting to it is using software network bridging.

Switches
Early LANs used a hub, which is a standard network device for connecting multiple
network devices so that they function as a single network segment. Because hubs
worked at the Physical layer (Layer 1) of the OSI model, they did not read any of the


data passing through them and thus were ignorant of the source and destination of
the frames. A hub would receive only incoming frames, regenerate the electrical signal,
and then send all the frames received out to all other devices connected to the hub.
Each device would then decide if the frame was intended for it (and retain it) or if it
was for another device (and then ignore it). In essence, a hub was a multiport repeater:
whatever it received, it then passed on.

Because a hub repeated all frames to all the attached network devices, it
significantly, and unnecessarily, increased network traffic. But hubs were also a
security risk: a threat actor could install software or a hardware device that captured
and decoded packets on a client connected to the hub and view all network traffic. This
would enable the threat actor to read or capture sensitive communications.

Note

Because of their impact on network traffic and inherent security vulnerability, hubs are rarely
used today.

Like a hub, a network switch is a device that connects network hosts. However,
unlike a hub, a switch has a degree of intelligence. Operating at the Data Link layer
(Layer 2), a switch can learn which device is connected to each of its ports. A switch learns
by examining the media access control (MAC) address of frames that it receives and then
associates its port with the MAC address of the device connected to that port, storing that
information in a MAC address table. It can then forward only frames intended for one
specific device (unicast) or send frames to all devices (broadcast). This not only improves
network performance but also provides better security. A threat actor who installs
software to capture packets on a computer attached to a switch will see only frames that
are directed to that device and not those intended for any other network device.

It is important for switches to be properly configured to provide a high degree of
security. Proper configuration includes loop prevention and providing a flood guard.

Loop Prevention
In Figure 6-2, computer Alpha, which is connected to Switch A, wants to send frames to
computer Beta on Segment 2. Because Switch A does not know where Beta is located, it
floods the network with the packet (sends it to all destinations). The packet then travels
down Segment 1 to Switch B and Segment 2 to Switch C. Switch B then adds Alpha to its
lookup table that it maintains for Segment 1, and Switch C also adds it to its lookup table
for Segment 3. Yet if Switch B or C has not yet learned the address for Alpha, they will
both flood Segment 2 looking for Beta; that is, each switch will take the packet sent by
the other switch and flood it back out again because they still do not know where Beta
is located. Switch A then will receive the packet from each segment and flood it back
out on the other segment. This switching loop causes a broadcast storm as the frames


are broadcast, received, and rebroadcast by each switch. Broadcast storms can cripple a
network in a matter of seconds to the point that no legitimate traffic can occur.

Note

Because the headers that a Layer 2 switch examines do not have a time to live (TTL) value, a
packet could loop through the network indefinitely.

Broadcast storms can be mitigated with loop prevention, which uses the IEEE
802.1d standard spanning-tree algorithm (STA). STA can determine that a switch has
multiple ways to communicate with a host and then determine the best path of
communication while blocking out other paths.

Note

Although STA determines the best path, it also registers the other paths if the primary path is
unavailable.
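To show concretely how loop prevention stops the storm described above, here is an added Python example (not code from the textbook) that runs a simplified spanning-tree computation over the topology of Figure 6-2 and then floods a frame from Switch A with and without the port the algorithm blocks. The port layout is an assumption read off the figure: Switch A sits on Segments 1 and 3, Switch B on Segments 1 and 2, and Switch C on Segments 3 and 2; the bridge IDs are constructed, with the lowest one winning the root election as in IEEE 802.1D.

```python
"""Simplified 802.1D-style spanning tree on the Figure 6-2 topology, plus a
flood simulation with and without the blocked port.  Added example; the
port layout and the bridge IDs are assumptions, not textbook data."""
from collections import deque

# switch -> segments it has a port on (assumed layout of Figure 6-2)
TOPOLOGY = {
    "Switch A": ["Segment 1", "Segment 3"],
    "Switch B": ["Segment 1", "Segment 2"],
    "Switch C": ["Segment 3", "Segment 2"],
}
# Lowest bridge ID becomes the root (constructed values).
BRIDGE_ID = {"Switch A": 0x8000, "Switch B": 0x8001, "Switch C": 0x8002}


def root_path_costs(topology, root):
    """Hop count from every switch to the root, one segment per hop."""
    on_segment = {}
    for sw, segs in topology.items():
        for seg in segs:
            on_segment.setdefault(seg, []).append(sw)
    cost, queue = {root: 0}, deque([root])
    while queue:
        sw = queue.popleft()
        for seg in topology[sw]:
            for nxt in on_segment[seg]:
                if nxt not in cost:
                    cost[nxt] = cost[sw] + 1
                    queue.append(nxt)
    return cost


def spanning_tree(topology, bridge_id):
    """Return {(switch, segment): 'root' | 'designated' | 'blocked'}."""
    root = min(topology, key=lambda sw: bridge_id[sw])
    cost = root_path_costs(topology, root)
    segments = {seg for segs in topology.values() for seg in segs}
    # Each segment gets exactly one designated switch: the attached switch
    # nearest the root, lowest bridge ID breaking ties.
    designated = {}
    for seg in segments:
        attached = [sw for sw, segs in topology.items() if seg in segs]
        designated[seg] = min(attached, key=lambda sw: (cost[sw], bridge_id[sw]))
    states = {}
    for sw, segs in topology.items():
        root_port = None
        if sw != root:
            # Root port: the segment whose designated switch is nearest the root.
            upstream = [seg for seg in segs if designated[seg] != sw]
            root_port = min(upstream, key=lambda seg: (cost[designated[seg]],
                                                       bridge_id[designated[seg]]))
        for seg in segs:
            if seg == root_port:
                states[(sw, seg)] = "root"
            elif designated[seg] == sw:
                states[(sw, seg)] = "designated"
            else:
                states[(sw, seg)] = "blocked"   # neither root nor designated
    return states


def broadcast_rounds(topology, active_ports, start, rounds=6):
    """Flood one frame from `start` and return the frames in flight after
    each round.  Only ports in active_ports send or receive; a switch that
    receives on one port forwards out every other active port, as it does
    for an unknown destination."""
    in_flight = [(seg, start) for seg in topology[start] if (start, seg) in active_ports]
    counts = []
    for _ in range(rounds):
        nxt = []
        for seg, sender in in_flight:
            for sw, segs in topology.items():
                if sw == sender or seg not in segs or (sw, seg) not in active_ports:
                    continue
                nxt.extend((out, sw) for out in segs
                           if out != seg and (sw, out) in active_ports)
        in_flight = nxt
        counts.append(len(in_flight))
    return counts


if __name__ == "__main__":
    states = spanning_tree(TOPOLOGY, BRIDGE_ID)
    every_port = set(states)
    tree_ports = {p for p, s in states.items() if s != "blocked"}
    print("all ports forwarding:", broadcast_rounds(TOPOLOGY, every_port, "Switch A"))
    print("blocked by STA:", [p for p, s in states.items() if s == "blocked"])
    print("with loop prevention:", broadcast_rounds(TOPOLOGY, tree_ports, "Switch A"))
```

With every port forwarding, the two copies of the frame keep circulating round after round, which is the broadcast storm; with Switch C's port on Segment 2 blocked, the frame still reaches every segment once and the count drops to zero after two rounds. The blocked port remains known to the algorithm and can be brought back if the primary path fails, as the note above describes.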

Figure 6-2 Broadcast storm (Switch A, Switch B, and Switch C; computers Alpha and Beta; Segments 1, 2, and 3)

Flood Guard
A MAC address table in a switch contains the MAC-to-port associations that the switch has
learned. A threat agent may attempt a MAC flooding attack by overflowing the switch with
Ethernet frames that have been spoofed so that each frame contains a different source MAC
address, each appearing to come from a different computer. This can quickly consume all
the memory (called the content addressable memory or CAM) for the MAC address table.
Once the MAC address table is full and is unable to store any additional MAC address, the
switch enters a fail-open mode and functions like a network hub, broadcasting frames to
all ports. A threat actor could then install software or a hardware device that captures and
decodes packets on one client connected to the switch and view all traffic.

The defense against a MAC flooding attack is a flood guard. Several vendors of
switches have implemented a flood guard technology known as port security. Switches
that support port security can be configured to limit the number of MAC addresses that
can be learned on ports. Restricting the number of incoming MACaddresses for a port
prevents overwhelming the MAC address table. If additional MAC addresses are sent to
a switch, the port security feature can be configured to ignore the new MAC addresses
while allowing normal traffic from the single preapproved MAC address (restrict mode),
record new MAC addresses up to a specific limit (sticky mode), or block the port entirely
(shutdown mode). MAC address tables can also be converted from a dynamic learning
mode to a static permanent mode when necessary.

Note

Sometimes users who have only a single network connection port in their office might bring their
own personal switch to connect to that port so they can then attach more network devices. Port
security can usually prevent these personal switches from connecting to the corporate network.

Because a switch can be used for capturing traffic, it is important that the
necessary defenses be implemented to prevent unauthorized users from gathering this
data. These attacks and defenses are summarized in Table 6-1.

Type of attack        Description                                              Security defense
--------------------  -------------------------------------------------------  -----------------------------
MAC flooding          An attacker can overflow the switch's address table      Use a switch that can close
                      with fake MAC addresses, forcing it to act like a hub,   ports with too many MAC
                      sending packets to all devices.                          addresses.

MAC address spoofing  If two devices have the same MAC address, a switch       Configure the switch so that
                      may send frames to each device. An attacker can          only one port can be
                      change the MAC address on her device to match the        assigned per MAC address.
                      target device's MAC address.

ARP poisoning         The attacker sends a forged ARP packet to the source     Use an ARP detection
                      device, substituting the attacker's computer MAC         appliance.
                      address.

Port mirroring        An attacker connects his device to the switch's port.    Secure the switch in a
                                                                               locked room.

Table 6-1 Protecting a switch
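The flood guard behaviour described above can be made concrete with a small model of a switch's MAC address table. This is an added example, not code from the textbook or from any switch vendor: it shows a stream of frames with spoofed source MACs filling the CAM table so the switch fails open, and then the same stream against a port-security limit in restrict, sticky, and shutdown modes. The table capacity, port name, and MAC addresses are constructed.

```python
"""Constructed model of a switch CAM table with a port-security flood guard.

Added example, not the textbook's code. With no limit, spoofed source MACs
fill the table and the switch fails open (hub behaviour); with a per-port
limit, restrict/sticky drop the excess addresses and shutdown disables the
port. Capacity and addresses are made up.
"""
from collections import defaultdict

CAM_CAPACITY = 8                 # tiny constructed capacity so the table fills quickly


class Switch:
    def __init__(self, capacity=CAM_CAPACITY, max_macs_per_port=None, mode="restrict"):
        self.capacity = capacity
        self.max_macs = max_macs_per_port       # None = port security disabled
        self.mode = mode                        # "restrict", "sticky" or "shutdown"
        self.table = {}                         # MAC -> port (dynamic learning)
        self.port_macs = defaultdict(set)
        self.sticky_config = defaultdict(set)   # MACs saved as static entries in sticky mode
        self.shutdown_ports = set()
        self.violations = []                    # (port, mac) pairs a defender would review

    def learn(self, port, src_mac):
        """Handle one frame's source MAC; return how the frame is treated."""
        if port in self.shutdown_ports:
            return "port-down"
        if self.table.get(src_mac) == port:
            return "forward"                    # already known on this port
        if self.max_macs is not None and len(self.port_macs[port]) >= self.max_macs:
            self.violations.append((port, src_mac))
            if self.mode == "shutdown":
                self.shutdown_ports.add(port)   # disable the whole port
                return "port-down"
            return "violation-dropped"          # restrict/sticky: ignore the new MAC only
        if len(self.table) >= self.capacity:
            return "flood"                      # CAM full: fail-open, frame goes out every port
        self.table[src_mac] = port
        self.port_macs[port].add(src_mac)
        if self.mode == "sticky" and self.max_macs is not None:
            self.sticky_config[port].add(src_mac)   # persisted like a static entry
        return "forward"

    def ports_over_threshold(self, threshold):
        """Detection view: ports that learned more MACs than a single host should present."""
        return sorted(p for p, macs in self.port_macs.items() if len(macs) > threshold)


def simulate_flood(switch, port, frames):
    """Send `frames` frames, each with a different constructed source MAC, into `port`."""
    counts = defaultdict(int)
    for i in range(frames):
        counts[switch.learn(port, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")] += 1
    return dict(counts)


if __name__ == "__main__":
    print("no port security:", simulate_flood(Switch(), "Gi0/1", 20))
    print("restrict, limit 2:", simulate_flood(Switch(max_macs_per_port=2), "Gi0/1", 20))
    print("shutdown, limit 2:",
          simulate_flood(Switch(max_macs_per_port=2, mode="shutdown"), "Gi0/1", 20))
```

Without a limit, the first eight spoofed addresses are learned and the remaining twelve frames are flooded to every port; with a limit of two, only two addresses are ever learned and the rest are logged as violations, either dropped (restrict, sticky) or taken as the trigger to disable the port (shutdown). The `ports_over_threshold` view is the kind of check a monitoring system can run against a switch's table: a single access port presenting many source MACs is worth investigating.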


Routers
Operating at the Network layer (Layer 3), a router is a network device that can forward
packets across different computer networks. When a router receives an incoming
packet, it reads the destination address and then, using information in its routing table,
sends the packet to the next network toward its destination.

Routers can also perform a security function by using an Access Control List
(ACL). An ACL is a set of rules that acts like a network filter to permit or restrict
data flowing into and out of the router network interfaces. When an ACL is configured
on an interface, the router analyzes the data passing through the interface, compares it
to the criteria described in the ACL, and either permits the data to continue or prohibits
it. Whereas a separate security device can provide more in-depth protection, these
separate devices can slow the flow of data as the data must be routed through this
device. A router using an ACL, on the other hand, can operate at the higher speed of
the router and not delay network traffic.

On external routers that face the Internet, router ACLs can restrict known
vulnerable protocols from entering the network. They can also be used to limit
traffic entering the network from unapproved networks. When used to protect
against IP spoofing that imitates another computer's IP address, this defense is
called antispoofing. Because IP spoofing attacks often utilize known unused and
untrusted addresses, an external router ACL can help block these addresses (usually by
designating a range of IP addresses) and thus minimize IP spoofing attacks.

Note

Antispoofing ACLs on external routers require frequent monitoring because the address
ranges that are denied can frequently change.

Router ACLs can also be used on internal routers that process interior network
traffic. These router ACLs usually are less restrictive but more specific than those on
external routers because the devices on the internal network are generally considered
to be friendly. Internal router ACLs are often configured with explicit permit and deny
statements for specific addresses and protocol services. Internal router ACLs can also
limit devices on the network from performing IP spoofing by applying outbound ACLs
that limit the traffic to known valid local IP addresses.

Load Balancers
Load balancing is a technology that can help to evenly distribute work across a
network. Requests that are received can be allocated across multiple devices such as
servers. To the user, this distribution is transparent and appears as if a single server
is providing the resources. Load-balancing technology reduces the probability of
overloading a single server and ensures that each networked server benefits from
having optimized bandwidth.

Load balancing can be performed either through software running on a
computer or as a dedicated hardware device known as a load balancer. Load
balancers are often grouped into two categories known as Layer 4 load balancers
and Layer 7 load balancers. Layer 4 load balancers act upon data found in Network
and Transport layer protocols such as Internet Protocol (IP), Transmission Control
Protocol (TCP), File Transfer Protocol (FTP), and User Datagram Protocol (UDP).
Layer 7 load balancers distribute requests based on data found in Application layer
protocols such as HTTP.

There are different scheduling protocols that are used in load balancers:

• Round-robin. In a round-robin scheduling protocol, the rotation applies to all
devices equally.

• Affinity. A scheduling protocol that distributes the load based on which devices
can handle the load more efficiently is known as affinity scheduling. Affinity
scheduling may be based on which load balancers have the least number of
connections at a given point in time.

• Other. Layer 7 load balancers also can use HTTP headers, cookies, or data within
the application message itself to make a decision on distribution.

Note

Load balancing that is used for distributing HTTP requests received is also called IP spraying.

When multiple load balancers are used together to achieve high availability (HA)
they can be placed in different configurations. In an active-passive configuration, the
primary load balancer distributes the network traffic to the most suitable server while
the secondary load balancer operates in a listening mode. This second load balancer
constantly monitors the performance of the primary load balancer and will step in
and take over the load balancing duties should the primary load balancer start to
experience difficulties or fail. The active-passive configuration allows for uninterrupted
service and can also handle planned or unplanned service outages. In an active-active
configuration, all load balancers are always active. Network traffic is combined and the
load balancers then work together as a team.


The servers behind load balancers are often given a virtual IP (VIP) address. As
its name suggests, this is not an actual IP address. Instead, it is an IP address and
a specific port number that can be used to reference different physical servers. A
VIP with the address and port 172.32.250.1:80 can be configured to accept one type
of traffic while the VIP 172.32.250.1:443 can accept another type of traffic. Multiple
VIPs can be created using the same IP address as long as a different port number is
being used.

The use of a load balancer has security advantages. Because load balancers
generally are located between routers and servers, they can detect and stop attacks
directed at a server or application. A load balancer can be used to detect and prevent
protocol attacks that could cripple a single server. Some load balancers can hide HTTP
error pages or remove server identification headers from HTTP responses, denying
attackers additional information about the internal network.
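The scheduling methods, the VIP address-and-port mapping, and the header stripping described in this section can all be seen in a small Layer 4 load balancer model. This is an added example, not the textbook's code or any product's implementation: round-robin rotates through the pool equally, the affinity scheduler picks the server with the fewest active connections, two VIPs share the address 172.32.250.1 and differ only by port, and `scrub_response_headers` removes server-identification headers. Server names and the list of identifying header names are constructed.

```python
"""Added example (not the textbook's code): a toy Layer 4 load balancer with
virtual IPs, round-robin and least-connections scheduling, and the removal of
server-identity headers from responses. Names and addresses are constructed.
"""


class Pool:
    def __init__(self, servers, method="round-robin"):
        self.servers = list(servers)
        self.method = method                        # "round-robin" or "least-connections"
        self.active = {s: 0 for s in self.servers}  # open connections per server
        self.healthy = set(self.servers)
        self._next = 0

    def pick(self):
        candidates = [s for s in self.servers if s in self.healthy]
        if not candidates:
            raise RuntimeError("no healthy servers in pool")
        if self.method == "round-robin":
            server = candidates[self._next % len(candidates)]
            self._next += 1
        elif self.method == "least-connections":
            # affinity by load: fewest active connections, pool order breaks ties
            server = min(candidates, key=lambda s: (self.active[s], candidates.index(s)))
        else:
            raise ValueError(f"unknown scheduling method {self.method!r}")
        self.active[server] += 1
        return server

    def release(self, server):
        self.active[server] -= 1

    def mark_down(self, server):
        self.healthy.discard(server)                # failed health check: skip it


class LoadBalancer:
    def __init__(self):
        self.vips = {}                              # (ip, port) -> Pool

    def add_vip(self, ip, port, pool):
        self.vips[(ip, port)] = pool

    def dispatch(self, dst_ip, dst_port):
        """Map a client's destination (VIP address and port) to a real server."""
        pool = self.vips.get((dst_ip, dst_port))
        if pool is None:
            return None                             # nothing listens on that VIP: drop
        return pool.pick()


SERVER_ID_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}   # constructed list


def scrub_response_headers(headers):
    """Remove headers that reveal the back-end software to the outside."""
    return {k: v for k, v in headers.items() if k.lower() not in SERVER_ID_HEADERS}


def build_demo():
    """Two VIPs on the same address, distinguished by port, as in the text."""
    lb = LoadBalancer()
    lb.add_vip("172.32.250.1", 80, Pool(["web1", "web2", "web3"]))
    lb.add_vip("172.32.250.1", 443, Pool(["secure1", "secure2"], "least-connections"))
    return lb


if __name__ == "__main__":
    lb = build_demo()
    print([lb.dispatch("172.32.250.1", 80) for _ in range(4)])
    print(lb.dispatch("172.32.250.1", 443), lb.dispatch("172.32.250.1", 443))
    print(scrub_response_headers({"Server": "nginx/1.2", "Content-Type": "text/html"}))
```

Four requests to port 80 go to web1, web2, web3, web1; requests to port 443 go to whichever secure server currently holds fewer connections; a request to a port with no VIP is dropped rather than forwarded anywhere. Marking a server down removes it from rotation without disturbing the others, which is the active-monitoring behaviour the section attributes to load balancers.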

Note

Load balancers in an active-active configuration can also remember previous requests
from users. In the event the user returns requesting the same information, the user is
directed to the load balancer that previously served the request and the information can be
immediately provided.

Proxies
In the human world, a proxy is a person who is authorized to act as the substitute or
agent on behalf of another person. For example, an individual who has been granted
the power of attorney for a sick relative can make decisions and take actions on behalf
of that person as her proxy.

There are also proxies that are used in computer networking. These devices act
as substitutes on behalf of the primary device. A forward proxy is a computer or an
application program that intercepts user requests from the internal secure network
and then processes that request on behalf of the user. When an internal client
requests a service such as a file or a webpage from an external web server, it normally
would connect directly with that remote server. In a network using a forward proxy
server, the client first connects to the proxy server, which checks its memory to see if
a previous request already has been fulfilled and whether a copy of that file or page
is residing on the proxy server in its temporary storage area (cache). If it is not, the
proxy server connects to the external web server using its own IP address (instead
of the internal client's address) and requests the service. When the proxy server
receives the requested item from the web server, the item is then forwarded to the
client. An application/multipurpose proxy is a special proxy server that knows the
application protocols that it supports. For example, an FTP proxy server implements
the protocol FTP.

A reverse proxy routes requests coming from an external network to the
correct internal server. To the outside user, the IP address of the reverse proxy is
the final IP address for requesting services, yet only the reverse proxy can access
the internal servers. Forward proxy and reverse proxy servers are illustrated in
Figure 6-3.

Figure 6-3 Forward and reverse proxy servers (diagram: a user at IP 192.146.118.20 sends "Get webpage from 123.org"; the forward proxy server at IP 192.146.118.254 replaces the source IP with its own and forwards the request across the Internet; the reverse proxy server for 123.org routes it to the correct server among Web server 1, Web server 2, and Web server 3)

Note

Encrypted traffic entering the network must first be decrypted for a load balancer to
direct requests to different servers. A reverse proxy can be the point at which this traffic is
decrypted.

Access to forward proxy servers is usually configured in the operating system,
as shown in Figure 6-4, or in a user's web browser. However, a transparent proxy
does not require any configuration on the user's computer. It is often used for content
filtering in schools and libraries.

Although forward proxy servers have some disadvantages, such as the added expense
and the fact that caches may not always be current, they have several advantages:

• Increased speed. Because forward proxy servers can cache material, a request can
be served from the cache instead of retrieving the webpage through the Internet.

• Reduced costs. A proxy server can reduce the amount of bandwidth usage
because of the cache.

• Improved management. A forward proxy server can block specific webpages and/
or entire websites. Some proxy servers can block entire categories of websites
such as entertainment, pornography, or gaming sites.

• Stronger security. Acting as the intermediary, a proxy server can protect clients
from malware by intercepting it before it reaches the client. In addition, a proxy
server can hide the IP address of client systems inside the secure network. Only
the proxy server's IP address is used on the open Internet.

Figure 6-4 Configuring access to forward proxy servers

Network Security Hardware
Although standard networking devices can provide a degree of security, hardware
devices that are specifically designed for security can give a much higher level of
protection. These devices include firewalls, virtual private network concentrators,
mail gateways, network intrusion detection and prevention systems, security and
information event management devices, and other devices.

Firewalls
Both national and local building codes require commercial buildings, apartments,
and other similar structures to have a firewall. In building construction, a firewall is
usually a brick, concrete, or masonry unit positioned vertically through all stories of
the building. Its purpose is to contain a fire and prevent it from spreading. A computer
firewall serves a similar purpose: it is designed to limit the spread of malware.

There are two types of firewalls: software firewalls and hardware firewalls. A
software firewall runs as a program or service on a device, such as a computer or router.
Hardware firewalls are specialized separate devices that inspect traffic. Because they are
specialized devices, hardware firewalls tend to be more expensive and more difficult to
configure and manage. An enterprise hardware firewall is shown in Figure 6-5.

Figure 6-5 Enterprise hardware firewall
Source: https://www.juniper.net/assets/img/products/image-library/srx-series/srx3400/srx3400-frontwtop-high.

Software firewalls running on a device provide protection to that device only. One
common example is a software firewall that runs as a program on the local computer to
block or filter traffic coming into and out of the computer. All modern operating systems
include a software firewall, usually called a host-based firewall or personal firewall. The
settings for the Windows personal firewall are shown in Figure 6-6. If an application or
program running on a computer needs to communicate with another computer on the LAN
or an Internet server, the user can create an opening (port) in that personal firewall for that
application or program only, approving the application to transmit (called unblocking). This
is more secure than permanently opening a port in the firewall: when a permanent firewall
opening is made it always remains open and is then susceptible to attackers, but when a
port is unblocked by a personal firewall it is opened only when an application requires it.

Note

A disadvantage of a software firewall is that a malware infection on the device on which
it is running, such as a computer, could also compromise the software firewall. Because
a hardware firewall does not depend upon an underlying device, this is not an issue with
hardware firewalls.

Figure 6-6 Windows personal firewall settings

Personal firewalls can limit the spread of malware into the computer as well as
preventing a user's infected computer from attacking other computers. For many
personal firewalls, inbound connections (data coming in from another source)
are always blocked unless there is a specific firewall rule that allows them in. This
principle of being always blocked by default is called implicit deny. That is, an action
is always denied unless it is definitively and explicitly allowed. Outbound connections
(data going out to another source) are always allowed unless there is a rule that blocks
them and the outbound rules are turned on.

A firewall that protects an entire network is typically a separate hardware device.
These hardware firewalls are usually located outside the network security perimeter as
the first line of defense, as illustrated in Figure 6-7.

Figure 6-7 Network firewall (diagram; labels in the image: Internet, Firewall, Router, two Switches, Web server, Database server, Application server, Email server)

Note

Figure 6-7 is not the optimal security configuration. This will be explained below in the
discussion of demilitarized zones (DMZ).

Different firewalls provide different functions, which leads to different levels of
protection. These can be divided into Network layer-based firewalls and Application
layer-based firewalls.


Network-Based Firewalls
A network-based firewall functions at the Network layer (Layer 3). Its job is to screen
packets based on specific criteria, making it essentially a packet filter.

Note

Network-based firewalls are not the same as network firewalls that protect entire networks
(discussed in the previous section). A network-based firewall is one that operates at the OSI
Network layer (Layer 3).

Packets can be filtered by a firewall in one of two ways. Stateless packet filtering looks
at the incoming packet and permits or denies it based on the conditions that have been set
by the administrator. Stateful packet filtering keeps a record of the state of a connection
between an internal computer and an external device and then makes decisions based
on the connection as well as the conditions. For example, a stateless packet filter firewall
might allow a packet to pass through because it is intended for a specific computer on
the network. However, a stateful packet filter would not let the packet pass if that internal
network computer did not first request the information from the external server.
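The difference the paragraph describes is easiest to see when the same inbound packet is run through both kinds of filter. The following is an added example, not code from the textbook: the stateless filter applies the administrator's conditions only (the packet is addressed to an allowed workstation, so it passes), while the stateful filter also keeps a connection table and admits the packet only after that workstation has sent a request to the external server. The addresses and sample packets are constructed.

```python
"""Stateless versus stateful packet filtering, modelled in Python.

Added example, not the textbook's code. The stateless filter judges each
packet on the configured conditions alone; the stateful filter also keeps a
connection table and admits an inbound packet only when an internal host
opened the exchange. Addresses and sample packets are constructed.
"""
from dataclasses import dataclass
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # constructed internal range


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    direction: str      # "in" (from the Internet) or "out" (from the LAN)


def stateless_filter(pkt, allowed_hosts=frozenset({"10.0.0.5"})):
    """Condition-only filtering: inbound packets pass if addressed to an allowed host."""
    if pkt.direction == "out":
        return "allow"
    return "allow" if pkt.dst_ip in allowed_hosts else "drop"


class StatefulFilter:
    def __init__(self, allowed_hosts=frozenset({"10.0.0.5"})):
        self.allowed_hosts = allowed_hosts
        self.connections = set()    # 5-tuples of exchanges started from inside

    def process(self, pkt):
        if pkt.direction == "out":
            if ipaddress.ip_address(pkt.src_ip) in INTERNAL_NET:
                # record the state: this internal host asked for something
                self.connections.add(
                    (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return "allow"
        # inbound: the same conditions as the stateless filter...
        if pkt.dst_ip not in self.allowed_hosts:
            return "drop"
        # ...plus the connection must already exist with the roles reversed
        reply_of = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return "allow" if reply_of in self.connections else "drop"

    def close(self, pkt):
        """Forget a connection once the internal side is finished with it."""
        self.connections.discard(
            (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))


# Constructed traffic: an unsolicited packet to the workstation, then a real exchange.
# UNSOLICITED and REPLY are byte-for-byte the same packet; only the history differs.
UNSOLICITED = Packet("203.0.113.9", 80, "10.0.0.5", 51000, "tcp", "in")
REQUEST = Packet("10.0.0.5", 51000, "203.0.113.9", 80, "tcp", "out")
REPLY = Packet("203.0.113.9", 80, "10.0.0.5", 51000, "tcp", "in")


def compare():
    """Run the constructed traffic through both filters; returns the decisions."""
    sf = StatefulFilter()
    return {
        "unsolicited stateless": stateless_filter(UNSOLICITED),
        "unsolicited stateful": sf.process(UNSOLICITED),
        "request": sf.process(REQUEST),
        "reply stateful": sf.process(REPLY),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:24s} {v}")
```

The stateless filter allows the unsolicited packet because its destination satisfies the rule; the stateful filter drops it, allows the outbound request, and then allows the identical inbound packet because it is now a reply to a recorded connection. Once the connection is closed the reply is dropped again.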

A firewall can take different actions when it receives a packet: allow (let the packet
pass through and continue its journey), drop (prevent the packet from passing into the
network and send no response to the sender), reject (prevent the packet from passing
into the network but send a message to the sender that the destination cannot be
reached), or ask (inquire what action to take).

Much like routers, some firewalls use criteria for accepting or rejecting a packet
based on an ACL. Sometimes called rule-based firewalls, they use a set of individual
instructions to control actions. These firewall ACL rules are a single line of textual
information containing such information as:

• Source address. The source address is the location of the origination of the packet
(where the packet is from). Addresses generally can be indicated by a specific IP
address or range of addresses, an IP mask, the MAC address, or host name.

• Destination address. This is the address the connection is attempting to reach
(where the packet is going to). These addresses can be indicated in the same way
as the source address.

• Source port. The source port is the TCP/IP port number being used to send
packets of data through. Options for setting the source port often include a
specific port number, a range of numbers, or Any (port).

• Destination port. This setting gives the port on the remote computer or device
that the packets will use. Options include the same as for the source port.

• Protocol. The protocol defines the protocol (such as TCP, UDP, TCP or UDP, ICMP,
IP, etc.) that is being used when sending or receiving packets of data.

• Direction. The direction shows the direction of traffic for the data packet (In, Out,
or Both).

• Action. The action setting indicates what the firewall should do when the conditions
of the rule are met. These options may be the following: allow, drop, reject, or ask.

Each firewall ACL rule is a separate instruction processed in sequence that tells the
firewall precisely what action to take with each packet that comes through it. The rules
are stored together in one or more text file(s) that are read when the firewall starts.
Rule-based systems are static in nature and cannot do anything other than what they
have been expressly configured to do. Although this makes them more straightforward
to configure, they are less flexible and cannot adapt to changing circumstances.

Note

Firewall rules are essentially an IF-THEN construction. IF these rule conditions are met, THEN
the action occurs.
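A rule-based filter with exactly the fields listed above (source, destination, source port, destination port, protocol, direction, action), processed in sequence with first match winning, can be written in a few dozen lines. This is an added example, not the textbook's code or any vendor's ACL syntax. It serves both this section and the earlier router discussion: the sample rule set implements the antispoofing ACLs described for external and internal routers, and unmatched inbound traffic falls to the implicit deny while unmatched outbound traffic is allowed, as the personal-firewall discussion describes. The organisation's 198.51.100.0/24 range, the host addresses, and the rules themselves are constructed.

```python
"""Added example (not the textbook's code): a rule-based packet filter with the
fields the text lists. Rules are evaluated in order, the first match decides,
and unmatched traffic is denied inbound and allowed outbound. The rule set
shows antispoofing on an external interface and egress filtering on an
internal one. All addresses and rules are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str          # IP address, network in CIDR form, or ANY
    dst: str
    sport: object     # int, (low, high) range, or ANY
    dport: object
    proto: str        # "tcp", "udp", "tcp/udp", "icmp", "ip", or ANY
    direction: str    # "in", "out", or "both"
    action: str       # "allow", "drop", "reject", or "ask"
    note: str = ""


def _addr_matches(spec, ip):
    return spec == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == ANY:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port


def _proto_matches(spec, proto):
    return spec in (ANY, "ip") or proto in spec.split("/")


def evaluate(rules, pkt):
    """pkt: dict with src, dst, sport, dport, proto, direction. Returns (action, rule or None)."""
    for rule in rules:
        if (rule.direction in (pkt["direction"], "both")
                and _addr_matches(rule.src, pkt["src"])
                and _addr_matches(rule.dst, pkt["dst"])
                and _port_matches(rule.sport, pkt["sport"])
                and _port_matches(rule.dport, pkt["dport"])
                and _proto_matches(rule.proto, pkt["proto"])):
            return rule.action, rule
    # no rule matched: implicit deny inbound, allow outbound
    return ("drop" if pkt["direction"] == "in" else "allow"), None


OUR_PUBLIC = "198.51.100.0/24"            # constructed: the organisation's own addresses
WEB_SERVER = "198.51.100.10"              # constructed

RULES = [
    # antispoofing on the external interface: private and our own ranges never arrive from outside
    Rule("10.0.0.0/8", ANY, ANY, ANY, ANY, "in", "drop", "spoofed private source"),
    Rule("172.16.0.0/12", ANY, ANY, ANY, ANY, "in", "drop", "spoofed private source"),
    Rule("192.168.0.0/16", ANY, ANY, ANY, ANY, "in", "drop", "spoofed private source"),
    Rule("127.0.0.0/8", ANY, ANY, ANY, ANY, "in", "drop", "spoofed loopback source"),
    Rule(OUR_PUBLIC, ANY, ANY, ANY, ANY, "in", "drop", "our own range arriving from outside"),
    # a known vulnerable service is refused with a notification to the sender
    Rule(ANY, ANY, ANY, 23, "tcp", "in", "reject", "telnet not permitted"),
    # the only inbound service
    Rule(ANY, WEB_SERVER, (1024, 65535), 443, "tcp", "in", "allow", "public HTTPS"),
    # egress antispoofing: only our own addresses may leave
    Rule(OUR_PUBLIC, ANY, ANY, ANY, ANY, "out", "allow", "valid local source"),
    Rule(ANY, ANY, ANY, ANY, ANY, "out", "drop", "outbound spoofing"),
]


def decide(src, dst, sport, dport, proto, direction, rules=RULES):
    """Convenience wrapper returning only the action."""
    return evaluate(rules, dict(src=src, dst=dst, sport=sport, dport=dport,
                                proto=proto, direction=direction))[0]


if __name__ == "__main__":
    print(decide("10.1.2.3", WEB_SERVER, 40000, 443, "tcp", "in"))          # drop (spoofed source)
    print(decide("203.0.113.7", WEB_SERVER, 40000, 443, "tcp", "in"))       # allow
    print(decide("203.0.113.7", WEB_SERVER, 40000, 23, "tcp", "in"))        # reject
    print(decide("203.0.113.7", WEB_SERVER, 40000, 53, "udp", "in"))        # drop (implicit deny)
    print(decide("198.51.100.20", "203.0.113.7", 50000, 80, "tcp", "out"))  # allow
    print(decide("10.9.9.9", "203.0.113.7", 50000, 80, "tcp", "out"))       # drop (egress antispoofing)
```

Order matters exactly as the section says: the antispoofing drops sit before the allow for HTTPS, so a packet claiming a private or internal source never reaches the permit rule, and the Telnet reject is the one case where the sender is told the destination is unreachable rather than being silently dropped.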

Application-Based Firewalls
A more intelligent firewall is an application-based firewall, operating at the
Application layer (Layer 7). Application-based firewalls operate at a higher level
by identifying the applications that send packets through the firewall and then
make decisions about the application instead of filtering packets based on granular
rule settings like the destination port or protocol. Applications can be identified
by application-based firewalls through predefined application signatures, header
inspection, or payload analysis. In addition, application-based firewalls can learn
new applications by watching how they behave and even create a baseline of normal
behaviors so that an alert can be raised if the application deviates from the baseline.

An example of how an application-based firewall and a network-based ACL
firewall compare can be seen in how they filter specific web applications. An
organization might frown upon employees using the network during normal business
hours to stream online movies, but still need to provide employees with access
to an online sales application. Setting an ACL rule in a network-based firewall to
prevent streaming video (HTTP on Port 80) would also stop access to the online sales
application. An application-based firewall, in contrast, could distinguish between these
two applications and allow access to the sales application while blocking streaming
video, social networking, and gaming. Or it could allow these applications but limit
bandwidth consumption to give priority to business applications.

A special type of application-based firewall is a web application firewall that
looks at the applications using HTTP. A web application firewall, which can be a
separate hardware appliance or a software plugin, can block specific websites or
attacks that attempt to exploit known vulnerabilities in specific client software, and
can even block cross-site scripting (XSS) and SQL injection attacks.


Note

Cross-site scripting (XSS) and SQL injection attacks are covered in Chapter 5.

Virtual Private Network (VPN) Concentrator
An unsecured public network should never be used for sensitive data transmissions.
One solution could be to encrypt documents before transmitting them. However,
there are drawbacks. First, the user must consciously perform a separate action (such
as encrypt a document) or use specific software (such as PGP) to transmit a secure
document. The time and effort required to do so, albeit small, may discourage users
from protecting their documents. A second drawback is that these actions protect only
documents that are transmitted; all other communications, such as accessing corporate
databases, are not secure.

A more secure solution is to use a virtual private network (VPN). A virtual private
network (VPN) is a technology that enables authorized users to use an unsecured
public network, such as the Internet, as if it were a secure private network. It does this
by encrypting all data that is transmitted between the remote device and the network
and not just specific documents or files. This ensures that any transmissions that are
intercepted will be indecipherable. There are two common types of VPNs. A remote
access VPN is a user-to-LAN connection used by remote users. The second type is a
site-to-site VPN, in which multiple sites can connect to other sites over the Internet.
Some VPNs allow the user to always stay connected instead of connecting and
disconnecting from it. These are called always-on VPNs.

VPN transmissions are achieved through communicating with endpoints.
An endpoint is the end of the tunnel between VPN devices. An endpoint can
be software on a local computer, a dedicated hardware device such as a VPN
concentrator (which aggregates hundreds or thousands of VPN connections), or
integrated into another networking device such as a firewall. Depending upon the
type of endpoint that is being used, client software may be required on the devices
that are connecting to the VPN. Hardware devices that have a built-in VPN endpoint
handle all VPN setup, encapsulation, and encryption in the endpoint. Client
devices are not required to run any special software and the entire VPN process is
transparent to them.

Note

Software-based VPNs are often used on mobile devices and offer the most flexibility in how
network traffic is managed. However, hardware-based VPNs, typically used for site-to-site
connections, are more secure, have better performance, and can offer more flexibility.


When using a VPN, there are two options depending upon which traffic is to be
protected. When all traffic is sent to the VPN concentrator and protected this is called a
full tunnel. However, not all traffic, such as web surfing or reading personal email,
may need to be protected through a VPN. In this case, split tunneling, or routing only
some traffic over the secure VPN while other traffic directly accesses the Internet, may
be used instead. This can help to preserve bandwidth and reduce the load on the VPN
concentrator.

Note

The most common protocols used for VPNs are IPsec and SSL or the weaker TLS.

Mail Gateway
Since developer Ray Tomlinson sent the first email message in 1971, email has become
an essential part of everyday life. It is estimated that over 2.3 million emails are sent
every second, increasing at a rate of 5 percent each year. By 2019 it is estimated that
there will be 246 billion emails sent daily by over 2.9 billion email users.2

There are two different email systems that are in use today. An earlier
email system uses two TCP/IP protocols to send and receive messages: the Simple
Mail Transfer Protocol (SMTP) handles outgoing mail, while the Post Office Protocol
(POP), more commonly known as POP3 for the current version, is responsible for
incoming mail. POP3 is a basic protocol that allows users to retrieve messages sent to
an email server by using a local program running on their computer called an email
client. The email client connects to the POP3 server and downloads the messages onto
the local computer. After the messages are downloaded, they may be erased from the
POP3 server. The SMTP server listens on port 25 while POP3 listens on port 110.

Note

SMTP servers can forward email sent from an email client to a remote domain, known as
SMTP relay. However, if SMTP relay is not controlled, an attacker can use it to forward spam
and disguise his identity to make himself untraceable. An uncontrolled SMTP relay is known
as an SMTP open relay. The defenses against SMTP open relay are to turn off the mail relay
altogether so that all users send and receive email from the local SMTP server only or to limit
relays to only local users.

IMAP (Internet Mail Access Protocol) is a more recent and advanced electronic
email system for incoming mail. While POP3 is a store-and-forward service, IMAP is
a remote email storage service. With IMAP, the email remains on the email server and is not
downloaded to the user's computer like POP3 does. Mail can be organized into folders
on the mail server and read from any device: desktop computer, tablet, smartphone,
etc. IMAP users can even work with email while offline. This is accomplished by
downloading a local copy only for display onto the local device without erasing
the email on the IMAP server. A user can read and reply to email offline. The next
time a connection is established, the new messages are sent and any new email is
downloaded. The current version of IMAP is IMAP4.

Note

Older email clients typically used only POP3. Using a web browser to view email messages
on an email server, like Google Gmail, generally utilizes IMAP. Most mobile devices are
configured to use IMAP.

A mail gateway monitors emails for unwanted content and prevents these
messages from being delivered. Many mail gateways have monitoring capabilities for
both inbound as well as outbound emails. For inbound emails, a mail gateway can
search the content in email messages for various types of malware, spam, and phishing
attacks. For outbound email, a mail gateway can detect and block the transmission of
sensitive data, such as Social Security numbers or healthcare records. In addition, a
mail gateway can automatically and transparently encrypt outbound email messages.

Note

One of the primary tasks of a mail gateway is blocking spam. Beyond being annoying and
disruptive, spam can pose a serious security risk. Threat actors distribute malware through
their email messages as attachments and use spam for social engineering attacks.

There are several different forms of mail gateways. An enterprise may elect to
install its own corporate mail gateway on its premises. This filter works with the
receiving email server, which is typically based on SMTP for sending email and the
IMAP for retrieving email. Another method is for the enterprise to contract with
a third-party entity that filters out spam. All email is directed to the third party's
remote spam filter where it is cleansed before it is redirected to the organization. This
redirection can be accomplished by changing the MX (mail exchange) record. The MX
record is an entry in the Domain Name System (DNS) that identifies the mail server
responsible for handling that domain name. To redirect mail to the third party's remote
server, the MX record is changed to show the new recipient. Multiple MX records can
be configured in DNS to enable the use of primary and backup mail servers. Each MX
record can be prioritized with a preference number that indicates the order in which
the mail servers should be used.

Note

Prior to the more comprehensive mail gateways, enterprises often installed basic spam
filters with the SMTP server as the simplest and most effective approach. The spam filter
and SMTP server could run together on the same computer or on separate computers. The
filter (instead of the SMTP server) was configured to listen on port 25 for all incoming email
messages and then pass the non-spam email to the SMTP server that is listening on another
port (such as port 26). This configuration prevented the SMTP server from notifying the
spammer that it was unable to deliver the message.

Network Intrusion Detection and Prevention
An intrusion detection system (IDS) can detect an attack as it occurs. An inline
IDS is connected directly to the network and monitors the flow of data as it occurs.
A passive IDS is connected to a port on a switch, which receives a copy of network
traffic. Table 6-2 lists the differences between inline and passive systems. In addition,
IDS systems can be managed in-band (through the network itself by using network
protocols and tools) or out-of-band (using an independent and dedicated channel to
reach the device).

Table 6-2 Inline vs. passive IDS

Function        | Inline                    | Passive
----------------|---------------------------|-----------------------------
Connection      | Directly to network       | Connected to port on switch
Traffic flow    | Routed through the device | Receives copy of traffic
Blocking        | Can block attacks         | Cannot block attacks
Detection error | May disrupt service       | May cause false alarm

IDS systems can use different methodologies for monitoring for attacks. In
addition, IDS can be installed on either local hosts or networks.

Monitoring Methodologies
Monitoring involves examining network traffic, activity, transactions, or behavior to
detect security-related anomalies. There are four monitoring methodologies: anomaly-
based monitoring, signature-based monitoring, behavior-based monitoring, and
heuristic monitoring.


Anomaly monitoring is designed for detecting statistical anomalies. First, a
baseline of normal activities is compiled over time. (A baseline is a reference set of
data against which operational data is compared.) Whenever there is a significant
deviation from this baseline, an alarm is raised. An advantage of this approach is that
it can detect the anomalies quickly without trying to first understand the underlying
cause. However, normal behavior can change easily and even quickly, so anomaly-
based monitoring is subject to false positives, or alarms that are raised when there is
no actual abnormal behavior. (A false negative is the failure to raise an alarm when
there is abnormal behavior.) In addition, anomaly-based monitoring can impose heavy
processing loads on the systems where it is used. Finally, because anomaly-
based monitoring takes time to create statistical baselines, it can fail to detect events
before the baseline is completed.

A second method for auditing usage is to examine network traffic, activity,
transactions, or behavior and look for well-known patterns, much like antivirus
scanning. This is known as signature-based monitoring because it compares
activities against a predefined signature. Signature-based monitoring requires access
to an updated database of signatures along with a means to actively compare and
match current behavior against a collection of signatures. One of the weaknesses
of signature-based monitoring is that the signature databases must be constantly
updated, and as the number of signatures grows, the behaviors must be compared
against an increasingly large number of signatures. Also, if the signature definitions are
too specific, signature-based monitoring can miss variations.

Behavioral monitoring attempts to overcome the limitations of both anomaly-
based monitoring and signature-based monitoring by being adaptive and proactive
instead of reactive. Rather than using statistics or signatures as the standard by which
comparisons are made, behavior-based monitoring uses the normal processes
and actions as the standard. Behavior-based monitoring continuously analyzes the
behavior of processes and programs on a system and alerts the user if it detects
any abnormal actions, at which point the user can decide whether to allow or block
the activity. One of the advantages of behavior-based monitoring is that it is not
necessary to update signature files or compile a baseline of statistical behavior before
monitoring can take place. In addition, behavior-based monitoring can more quickly
stop new attacks.

The final method takes a completely different approach and does not try to
compare actions against previously determined standards (like anomaly-based
monitoring and signature-based monitoring) or behavior (like behavior-based
monitoring). Instead, it is founded on experience-based techniques. Known as heuristic
monitoring, it attempts to answer the question, "Will this do something harmful if it
is allowed to execute?" Heuristic (from the Greek word for "find" or "discover") monitoring
uses an algorithm to determine if a threat exists. Table 6-3 illustrates how heuristic
monitoring could trap an application that attempts to scan ports that the other
methods might not catch.
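As an added example (not from the textbook), the following Python toy models the four methodologies and applies them to the port-scanning scenario of Table 6-3; the application names, connection events, baseline history, signature list and thresholds are all constructed for illustration.

```python
"""Toy IDS showing the four monitoring methodologies of Table 6-3 on a port scan.

Added example, not from the textbook. Every event, application name and
threshold below is constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection events seen in one monitoring window:
# (application name, destination port). "scanner.exe" touches many ports.
WINDOW_EVENTS = [
    ("browser", 443), ("browser", 443), ("browser", 80),
    ("mailclient", 993), ("mailclient", 587),
    ("scanner.exe", 21), ("scanner.exe", 22), ("scanner.exe", 23),
    ("scanner.exe", 25), ("scanner.exe", 80), ("scanner.exe", 110),
    ("scanner.exe", 135), ("scanner.exe", 139), ("scanner.exe", 443),
    ("scanner.exe", 445), ("scanner.exe", 3389),
]

# Constructed history for the anomaly baseline: distinct ports per window
# that each application used in earlier windows. There is no history for
# scanner.exe, so no baseline exists for it.
HISTORY = {
    "browser": [2, 3, 2, 3, 2],
    "mailclient": [2, 2, 1, 2, 2],
}

# Constructed signature database: names with a known scanning signature.
SIGNATURES = {"nmap", "masscan"}


def distinct_ports(events):
    """Count distinct destination ports per application in the window."""
    ports = defaultdict(set)
    for app, port in events:
        ports[app].add(port)
    return {app: len(p) for app, p in ports.items()}


def anomaly_based(events, history, k=3.0):
    """Alert when an app's count deviates k standard deviations from its own
    baseline. Apps without an established baseline cannot be judged."""
    alerts = set()
    for app, n in distinct_ports(events).items():
        if app not in history:
            continue
        base = history[app]
        # "+ 1" is a minimum margin so a zero-variance baseline does not
        # alert on a change of a single port
        if n > mean(base) + k * pstdev(base) + 1:
            alerts.add(app)
    return alerts


def signature_based(events, signatures):
    """Alert only when the application matches a previously created signature."""
    return {app for app, _ in events if app in signatures}


def behavior_based(events):
    """Alert when one app's action differs from what the other apps do: here,
    touching far more distinct ports than any other application."""
    counts = distinct_ports(events)
    alerts = set()
    for app, n in counts.items():
        others = [c for a, c in counts.items() if a != app]
        if others and n > 3 * max(others):
            alerts.add(app)
    return alerts


def heuristic(events, max_ports=5):
    """Rule of thumb: any app touching more than max_ports distinct ports in
    one window is treated as a port scanner, regardless of history."""
    return {app for app, n in distinct_ports(events).items() if n > max_ports}


def trap_table(events=WINDOW_EVENTS, history=HISTORY, signatures=SIGNATURES):
    """Which methodology traps the scanner? (mirrors the rows of Table 6-3)"""
    return {
        "anomaly": "scanner.exe" in anomaly_based(events, history),
        "signature": "scanner.exe" in signature_based(events, signatures),
        "behavior": "scanner.exe" in behavior_based(events),
        "heuristic": "scanner.exe" in heuristic(events),
    }
```

With the constructed data only the behavior-based and heuristic methods trap the scanner; adding a baseline or a signature for it flips the other two rows, as the table's "Depends" entries describe.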


Table 6-3 Methodology comparisons to trap port scanning application

Monitoring methodology     | Trap application scanning ports? | Comments
---------------------------|----------------------------------|---------------------------------------------------------------
Anomaly-based monitoring   | Depends                          | Only if this application has tried to scan previously and a baseline has been established
Signature-based monitoring | Depends                          | Only if a signature of scanning by this application has been previously created
Behavior-based monitoring  | Depends                          | Only if this action by the application is different from other applications
Heuristic monitoring       | Yes                              | IDS is triggered if any application tries to scan multiple ports

Types of IDS
Two basic types of IDS exist. A host-based intrusion detection system (HIDS) is a
software-based application that runs on a local host computer that can detect an attack as
it occurs. A HIDS is installed on each system, such as a server or desktop, that needs to be
protected. A HIDS relies on agents installed directly on the system being protected. These
agents work closely with the operating system, monitoring and intercepting requests in
order to prevent attacks. HIDSs typically monitor the following desktop functions:

System calls. Each operation in a computing environment starts with a system
call. A system call is an instruction that interrupts the program being executed
and requests a service from the operating system. HIDS can monitor system calls
based on the process, mode, and action being requested.

File system access. System calls usually require specific files to be opened to
access data. A HIDS works to ensure that all file openings are based on legitimate
needs and are not the result of malicious activity.

System Registry settings. The Windows Registry maintains configuration
information about programs and the computer. HIDS can recognize
unauthorized modification of the Registry.

Host input/output. HIDS monitors all input and output communications to watch
for malicious activity. For example, if the system never uses instant messaging
and suddenly a threat attempts to open an IM connection from the system, the
HIDS would detect this as anomalous activity.

Note

HIDSs are designed to integrate with existing antivirus, antispyware, and firewalls that are
installed on the local host computer.


However, there are disadvantages to HIDS. It cannot monitor any network traffic
that does not reach the local system. Any data that it accumulates is stored locally and
not in a single central repository. And HIDS tend to be resource-intensive and can slow
down the system.

Just as a software-based HIDS monitors attacks on a local system, a network
intrusion detection system (NIDS) watches for attacks on the network. As network
traffic moves through the network, NIDS sensors, usually installed on network devices
such as firewalls and routers, gather information and report back to a central device. A
NIDS may use one or more of the evaluation techniques listed in Table 6-4.

Table 6-4 NIDS evaluation techniques

Technique                         | Description
----------------------------------|------------------------------------------------------------------
Protocol stack verification       | Some attacks use invalid IP, TCP, UDP, or ICMP protocols. A protocol stack verification can identify and flag invalid packets, such as several fragmented IP packets.
Application protocol verification | Some attacks attempt to use invalid protocol behavior or have a telltale signature (such as DNS poisoning). The NIDS will re-implement different application protocols to find a pattern.
Creating extended log files       | A NIDS can log unusual events and then make these available to other network logging monitoring systems.

Once an attack is detected, a NIDS can perform different actions to sound an alarm and
log the event. These alarms may include sending an email, page, or cell phone message to
the network administrator or even playing an audio file that says "Attack is taking place."

An application-aware IDS is a specialized IDS. Instead of applying all IDS rules to all
traffic flows, an application-aware IDS can use contextual knowledge in real time. It
can know the version of the operating system or which application is running as well as
what vulnerabilities are present in the systems being protected. This context improves
the speed and accuracy of IDS decisions and reduces the risk of false positives.

Note

A NIDS is not limited to inspecting incoming network traffic. Often, valuable information
about an ongoing attack can be gained from observing outgoing traffic as well, such as when
a system has been infected and is attacking other devices, producing large amounts of
outgoing traffic. A NIDS that examines both incoming and outgoing traffic can detect this.

Intrusion Prevention Systems (IPSs)
As its name implies, an intrusion prevention system (IPS) not only monitors to detect
malicious activities like an IDS, but also attempts to prevent them by stopping the attack.
A network intrusion prevention system (NIPS) is like an active NIDS in that it monitors
network traffic to immediately react to block a malicious attack by following established
rules (a host-based intrusion prevention system (HIPS) likewise performs a similar
function for hosts). One of the major differences between a NIDS and a NIPS is its location.
A NIDS has sensors that monitor the traffic entering and leaving a firewall, and reports
back to the central device for analysis. A NIPS, on the other hand, would be located inline
on the firewall itself. This allows the NIPS to act more quickly to block an attack.

Like an application-aware IDS, an application-aware IPS knows such information
as the applications that are running as well as the underlying operating systems so that
it can provide more accuracy regarding potential attacks.

Security and Information Event Management (SIEM)
Different network security hardware devices, such as firewalls, NIDS, and NIPS,
generate continual security alerts as an enterprise is the target of daily attacks. How
can these continual alerts, all from different sources and generated at different points
of time, be monitored and managed?

The answer is a Security and Information Event Management (SIEM) product.
A SIEM consolidates real-time monitoring and management of security information
with analysis and reporting of security events. A SIEM product can be a separate device,
software that runs on a computer, or even a service that is provided by a third party. A
SIEM dashboard is shown in Figure 6-8.

Figure 6-8 SIEM dashboard
https://cdn.alienvault.com/images/uploads/home/screen1


A SIEM typically has the following features:

Aggregation. SIEM aggregation combines data from multiple data sources
(network security devices, servers, software applications, etc.) to build a
comprehensive picture of attacks.

Correlation. The SIEM correlation feature searches the data acquired through
SIEM aggregation to look for common characteristics, such as multiple attacks
coming from a specific source.

Automated alerting and triggers. SIEM automated alerting and triggers can
inform security personnel of critical issues that need immediate attention. A
sample trigger may be "Alert when a firewall, router, or switch indicates 40 or more
drop/reject packet events from the same IP source address within 60 seconds."

Time synchronization. Because alerts occur over a wide spectrum of time, SIEM
time synchronization can show the order of the events.

Event duplication. When the same event is detected by multiple devices, each will
generate an alert. The SIEM event duplication feature can help filter the multiple
alerts into a single alarm.

Logs. SIEM logs or records of events can be retained for future analysis and to
show that the enterprise has complied with regulations.
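The SIEM features just listed, as an added Python example that is not the code of any SIEM product: it aggregates constructed firewall and router log lines into one event shape, de-duplicates the same event reported by two devices, orders events by time, and evaluates the sample trigger from the text (40 or more drop/reject events from one source IP within 60 seconds). The log format, device names and addresses are constructed.

```python
"""SIEM-style aggregation, de-duplication and correlation over constructed log
lines. Added example; not the code of any SIEM product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format:
# "<ISO timestamp> <device> <DROP|REJECT> src=<ip> dst_port=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<action>DROP|REJECT) "
    r"src=(?P<src>\S+) dst_port=(?P<port>\d+)$"
)


def build_constructed_log():
    """Constructed sample log with two source addresses (documentation ranges).

    203.0.113.7: 25 drops reported by BOTH the firewall and the router (one
    event seen twice), plus 10 drops seen only by the firewall (35 unique).
    198.51.100.5: 45 rejects seen only by the firewall, one per second.
    """
    t0 = datetime(2017, 8, 12, 14, 57, 0)
    lines = []
    for i in range(35):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} fw1 DROP src=203.0.113.7 dst_port=445")
        if i < 25:
            lines.append(f"{ts} rtr1 DROP src=203.0.113.7 dst_port=445")
    for i in range(45):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} fw1 REJECT src=198.51.100.5 dst_port={20 + i}")
    return lines


def parse(lines):
    """Aggregation: normalise lines from different devices into one event shape."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # lines this parser does not understand are skipped
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "device": m["device"],
            "action": m["action"],
            "src": m["src"],
            "port": int(m["port"]),
        })
    return events


def deduplicate(events):
    """Event de-duplication: the same (time, action, source, port) reported by
    several devices collapses into one event so it is not counted twice."""
    seen = set()
    unique = []
    for ev in events:
        key = (ev["ts"], ev["action"], ev["src"], ev["port"])
        if key not in seen:
            seen.add(key)
            unique.append(ev)
    return unique


def correlate(events, threshold=40, window=timedelta(seconds=60)):
    """Trigger: source IPs with at least `threshold` drop/reject events inside
    some sliding time window of length `window`."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev["ts"])
    alerted = set()
    for src, stamps in by_src.items():
        stamps.sort()  # time synchronization: order events before windowing
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerted.add(src)
                break
    return alerted


def run(lines=None):
    """Alerts computed on raw events versus on de-duplicated events."""
    events = parse(build_constructed_log() if lines is None else lines)
    return {"raw": correlate(events), "deduplicated": correlate(deduplicate(events))}
```

On the constructed log the raw count wrongly fires for 203.0.113.7 because the firewall and router each reported the same 25 events; after de-duplication only 198.51.100.5 crosses the 40-event threshold.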

Other Network Security Hardware Devices
There are other network security hardware devices that can also be used for security.
These are listed in Table 6-5.

Table 6-5 Other network security hardware devices

Name                            | Description                                                                                                              | Comments
--------------------------------|--------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------
Hardware security module        | A dedicated cryptographic processor that provides protection for cryptographic keys                                      | A tamper-resistant device that can securely manage, process, and store cryptographic keys
SSL decryptor                   | A separate device that decrypts SSL traffic                                                                              | Helps reduce performance degradation and eliminates the need to have multiple decryption licenses spread across multiple devices
SSL/TLS accelerator             | A separate hardware card that inserts into a web server that contains one or more co-processors to handle SSL/TLS processing | Used to accelerate the computationally intensive initial SSL connection handshake, during which keys are generated for symmetric encryption using 3DES or AES
Media gateway                   | A device that converts media data from one format to another                                                             | Sometimes called a softswitch, converts data in audio or video format
Unified Threat Management (UTM) | Integrated device that combines several security functions                                                               | Multipurpose security appliance that provides an array of security functions, such as antispam, antiphishing, antispyware, encryption, intrusion protection, and web filtering
Internet content filter         | Monitors Internet traffic and blocks access to preselected websites and files                                            | Restricts unapproved websites based on URL or by searching for and matching keywords such as "sex" or "hate" as well as looking for malware
Web security gateway            | Blocks malicious content in real time as it appears without first knowing the URL of a dangerous site                    | Enables a higher level of defense by examining the content through application-level filtering

Security Through Network Architecture
Certification

3.2 Given a scenario, implement secure network architecture concepts.

The design of a network can provide a secure foundation for resisting attackers.
Elements of a secure network architectural design include creating security zones and
using network segregation.

Security Zones
A serious security mistake is to create one network that all users can access. A more
secure approach is to create zones to partition the network so that certain users may enter
one zone while access is prohibited to other users. The most common security zones are
demilitarized zones, using network address translation to create zones, and other zones.

Demilitarized Zone (DMZ)
Imagine a bank that located its automated teller machine (ATM) in the middle of its
vault. This would be an open invitation for disaster by inviting every outside user to
enter the secure vault to access the ATM. Instead, the ATM and the vault should be
separated so that the ATM is in a public area that anyone can access, while the vault
is restricted to trusted individuals. In a similar fashion, locating public-facing servers
such as web and email servers inside the secure network is also unwise. An attacker
must only break out of the security of the server to access the secure network.


To allow untrusted outside users access to resources such as web and email
servers, most networks employ a demilitarized zone (DMZ). The DMZ functions as a
separate network that rests outside the secure network perimeter: untrusted outside
users can access the DMZ but cannot enter the secure network.

Figure 6-7 (shown earlier) illustrates a DMZ that contains a web server and an
email server that are accessed by outside users. In this configuration, a single firewall
with three network interfaces is used: the link to the Internet is on the first network
interface, the DMZ is formed from the second network interface, and the secure
internal LAN is based on the third network interface. However, this makes the firewall
device a single point of failure for the network, and it also must take care of all the
traffic to both the DMZ and internal network. A more secure approach is to have two
firewalls, as seen in Figure 6-9. In this configuration, an attacker would have to breach
two separate firewalls to reach the secure internal LAN.

Figure 6-9 DMZ with two firewalls (figure shows: Internet, router, and first firewall; DMZ containing the web server and email server; second firewall; internal switches serving the database server and application server)

Note

Some consumer routers advertise support to configure a DMZ. However, this is not a DMZ.
Rather, it allows only one local device to be exposed to the Internet for Internet gaming or
videoconferencing by forwarding all the ports at the same time to that one device.

Network Address Translation (NAT)
Network address translation (NAT) is a technique that allows private IP addresses to
be used on the public Internet. Private IP addresses, which are listed in Table 6-6, are
IP addresses that are not assigned to any specific user or organization; instead, they
can be used by anyone on the private internal network. Private addresses function as
regular IP addresses on an internal network; however, if a packet with a private address
makes its way to the Internet, the routers drop that packet.

Note

Strictly speaking, NAT is not a specific device, technology, or protocol. It is a technique for
substituting IP addresses.

Table 6-6 Private IP addresses

Class   | Beginning address | Ending address
--------|-------------------|----------------
Class A | 10.0.0.0          | 10.255.255.255
Class B | 172.16.0.0        | 172.31.255.255
Class C | 192.168.0.0       | 192.168.255.255

NAT replaces a private IP address with a public IP address. As a packet leaves a network,
NAT removes the private IP address from the sender's packet and replaces it with an alias
public IP address, as shown in Figure 6-10. The NAT software maintains a table of the private
IP addresses and alias public IP addresses. When a packet is returned to NAT, the process is
reversed. A variation of NAT is port address translation (PAT). Instead of giving each outgoing
packet a different IP address, each packet is given the same IP address but a different TCP
port number. This allows a single public IP address to be used by several users.

Note

PAT is typically used on home routers that allow multiple users to share one IP address
received from an Internet service provider (ISP).

Figure 6-10 Network address translation (NAT) (figure shows: 1. Packet created on computer with private IP address 192.168.0.3 (sender IP = 192.168.0.3); 2. NAT replaces IP address with alias; 3. Packet sent to the Internet with alias address (sender IP = 192.146.118.20). NAT table: original IP address 192.168.0.3, alias IP address 192.146.118.20)

A device using NAT, such as a NAT router, also can provide a degree of security.
Because all outgoing traffic flows through the NAT router, it knows which packets were
sent out and what it expects to receive. What happens if a packet arrives at the NAT
router for an internal network device but the request for that packet was not first sent
out through the router? If the initial request did not come through the NAT router, the
router discards all unsolicited packets so that they never enter the internal network. In
this way, the NAT router acts like a firewall by discarding unwanted packets. Another
element of security that NAT provides is masking the IP addresses of internal devices.
An attacker who captures the packet on the Internet cannot determine the actual IP
address of the sender. Without that address, it is more difficult to identify and attack a
computer. These security advantages enable NAT to create secure zones of a network.
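The NAT/PAT translation table and the discarding of unsolicited inbound packets described in the two paragraphs above, as an added Python model that is not from the textbook. The private ranges are those of Table 6-6 and the alias address is the one in Figure 6-10; the internal hosts, remote server and port numbers are constructed.

```python
"""Minimal NAT/PAT router model: translation table, reverse translation on
return traffic, and dropping of unsolicited inbound packets.
Added example; addresses other than the Figure 6-10 alias are constructed."""
import ipaddress

# Private address blocks from Table 6-6
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls in one of the Table 6-6 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class PatRouter:
    """Port address translation: every internal (ip, port) flow shares one
    public alias address and is told apart by a distinct alias port."""

    def __init__(self, alias_ip, first_port=40000):
        self.alias_ip = alias_ip
        self.next_port = first_port
        self.out_table = {}   # (src, sport, dst, dport) -> alias port
        self.in_table = {}    # alias port -> (src, sport, dst, dport)

    def outbound(self, pkt):
        """Translate a packet leaving the private network.

        pkt is a dict with src, sport, dst, dport. A packet that does not
        come from a private address is forwarded unchanged.
        """
        if not is_private(pkt["src"]):
            return dict(pkt)
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        alias_port = self.out_table.get(key)
        if alias_port is None:              # first packet of this flow
            alias_port = self.next_port
            self.next_port += 1
            self.out_table[key] = alias_port
            self.in_table[alias_port] = key
        return {"src": self.alias_ip, "sport": alias_port,
                "dst": pkt["dst"], "dport": pkt["dport"]}

    def inbound(self, pkt):
        """Reverse the translation for a packet arriving from the Internet.

        Returns the packet re-addressed to the internal host, or None
        (dropped) when no internal host previously opened this flow.
        """
        if pkt["dst"] != self.alias_ip:
            return None
        key = self.in_table.get(pkt["dport"])
        if key is None or key[2] != pkt["src"] or key[3] != pkt["sport"]:
            return None   # unsolicited: nothing sent out matches this reply
        src, sport, _, _ = key
        return {"src": pkt["src"], "sport": pkt["sport"],
                "dst": src, "dport": sport}


def demo():
    """Two internal hosts reach the same web server; one reply is solicited,
    one is not. Returns (host_a_out, host_b_out, good_reply, bad_reply)."""
    nat = PatRouter("192.146.118.20")
    a = nat.outbound({"src": "192.168.0.3", "sport": 51000,
                      "dst": "198.51.100.10", "dport": 443})
    b = nat.outbound({"src": "192.168.0.4", "sport": 51000,
                      "dst": "198.51.100.10", "dport": 443})
    good = nat.inbound({"src": "198.51.100.10", "sport": 443,
                        "dst": "192.146.118.20", "dport": b["sport"]})
    bad = nat.inbound({"src": "198.51.100.10", "sport": 443,
                       "dst": "192.146.118.20", "dport": 40999})
    return a, b, good, bad
```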

Other Zones
There are other zones that can also be used for security. These are listed in Table 6-7.

Table 6-7 Other network zones

Name          | Description                                                                                   | Security benefits
--------------|-----------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------
Intranet      | A private network that belongs to an organization that can only be accessed by approved internal users | Closed to the outside public, thus data is less vulnerable to external threat actors
Extranet      | A private network that can also be accessed by authorized external customers, vendors, and partners    | Can provide enhanced security for outside users compared to a publicly accessible website
Guest network | A separate open network that anyone can access without prior authorization                   | Permits access to general network resources like web surfing without using the secure network

Network Segregation
Another means of providing security is to segregate the network and its resources.
Physical network segregation simply isolates the network so that it is not accessible
by outsiders. A secure government network, for example, might be physically
segregated so that it is not connected to any other networks or the Internet. This means
that a potential intruder could not access the network remotely. This is sometimes
known as an air gap, or the absence of any type of connection between devices, in this
case the secure network and another network.

Although physically segregating networks provides a high degree of security, it is
not usually practical: not being able to access any other networks or the Internet would
be an unworkable solution for almost all enterprises. Instead of segregating a network
physically, a much more practical approach is to segregate the network logically.
Networks can be segmented by using switches to divide the network into a hierarchy.
Core switches reside at the top of the hierarchy and carry traffic between switches, while
workgroup switches are connected directly to the devices on the network. It is often
beneficial to group similar users together, such as all the members of the Accounting
department. However, grouping by user sometimes can be difficult because all users
might not be in the same location and served by the same switch.

Note

Core switches must work faster than workgroup switches because core switches must handle
the traffic of several workgroup switches.

It is possible to segment a network by separating devices into logical groups.
This is known as creating a virtual LAN (VLAN). A VLAN allows scattered users to
be logically grouped together even though they are physically attached to different
switches. This can reduce network traffic and provide a degree of security. VLANs can
be isolated so that sensitive data is transported only to members of the VLAN.

Note

Although network subnetting and VLANs are often considered to be similar, there are
differences between them. Subnets are subdivisions of IP address classes (Class A, B, or C)
and allow a single Class A, B, or C network to be used instead of multiple networks. VLANs are
devices that are connected logically rather than physically, either through the port they are
connected to or by their media access control (MAC) address.

VLAN communication can take place in two ways. If multiple devices in the same
VLAN are connected to the same switch, the switch itself can handle the transfer of
packets to the members of the VLAN group. However, if VLAN members on one switch
need to communicate with members connected to another switch, a special tagging
protocol must be used, either a proprietary protocol or the vendor-neutral IEEE 802.1Q.
These special protocols add a field to the packet that tags it as belonging to the VLAN.
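The IEEE 802.1Q tag that carries a frame's VLAN membership between switches, as an added Python example that is not from the textbook: it inserts and parses the 4-byte tag and applies a simplified trunk-port admission check (assumption: the trunk has no native VLAN, so untagged frames are dropped). The MAC addresses, payload and VLAN numbers are constructed.

```python
"""Build and parse the IEEE 802.1Q VLAN tag, plus a trunk admission check.
Added example; MAC addresses, payload and VLAN numbers are constructed."""
import struct

TPID_8021Q = 0x8100       # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet II frame (FCS omitted): dst MAC, src MAC, EtherType, payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def add_vlan_tag(frame, vid, pcp=0, dei=0):
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the two MAC addresses.

    TCI layout: 3-bit priority (PCP), 1-bit drop-eligible (DEI), 12-bit VLAN ID.
    """
    if not 1 <= vid <= 4094:                 # 0 and 4095 are reserved
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad priority/DEI")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_vlan_tag(frame):
    """Return (vid, pcp, dei, untagged_frame), or None if the frame has no tag."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, frame[:12] + frame[16:]


def trunk_accept(frame, allowed_vids):
    """Admission check on a trunk port: the VLAN ID the frame belongs to if its
    tag is present and permitted on this trunk, else None (frame is dropped)."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return None      # untagged frame on a trunk with no native VLAN: drop
    vid = tag[0]
    return vid if vid in allowed_vids else None


def demo():
    """Constructed IPv4 frame tagged for VLAN 10 with priority 3."""
    frame = build_frame(bytes.fromhex("001122334455"),
                        bytes.fromhex("66778899aabb"),
                        ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    return frame, add_vlan_tag(frame, vid=10, pcp=3)
```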

Note

Another security advantage of VLANs is that they can be used to prevent direct
communication between servers, which can bypass firewall or IDS inspection. Servers that are
placed in separate VLANs will require that any traffic headed toward the default gateway for
inter-VLAN routing be inspected.


Security Through Network Technologies
Network technologies can also help to secure a network. Two such technologies are
network access control and data loss prevention.

Note

NAC also can be used to ensure that systems not owned by the organization, such as those owned
by customers, visitors, and contractors, can be granted access without compromising security.

Network Access Control (NAC)
Certification

2.1 Install and configure network components, both hardware- and
software-based, to support organizational security.

The waiting room at a doctor's office is an ideal location for the spread of germs. The
patients waiting in this confined space are obviously ill and many have weakened
immune systems. During the cold and flu season, doctors routinely post notices that
anyone who has flu-like symptoms should not come to the waiting room so that other
patients will not be infected. Suppose that a physician decided to post a nurse at the
door of the waiting room to screen patients. Anyone who came to the waiting room and
exhibited flu-like symptoms would be directed to a separate quarantine room away from
other patients. Here the person could receive specialized care without impacting others.

This is the logic behind network access control (NAC). NAC examines the current
state of a system or network device before it can connect to the network. Any device
that does not meet a specified set of criteria, such as having the most current antivirus
signature or the software firewall properly enabled, can connect only to a quarantine
network where the security deficiencies are corrected. After the problems are solved, the
device is connected to the normal network. The goal of NAC is to prevent computers with
suboptimal security from potentially infecting other computers through the network.

NAC uses software agents that are installed on devices to gather information and
report back (host agent health checks). An agent may be a permanent NAC agent that
resides on end devices until uninstalled, or it may be a dissolvable NAC agent that
disappears after reporting information to the NAC. Instead of installing agents on each
device, the NAC technology can be embedded within a Microsoft Windows Active
Directory domain controller. When a device joins the domain and a user logs in, NAC
uses Active Directory to scan the device to verify that it is in compliance. This is called
agentless NAC.


An example of the NAC process is illustrated in Figure 6-11:

1. The client performs a self-assessment using a System Health Agent (SHA) to
determine its current security posture.

2. The assessment, known as a Statement of Health (SoH), is sent to a server called
the Health Registration Authority (HRA). This server enforces the security policies
of the network. It also integrates with other external authorities such as antivirus
and patch management servers to retrieve current configuration information.

3. If the client is approved by the HRA, it is issued a Health Certificate.

4. The Health Certificate is then presented to the network servers to verify that the
client's security condition has been approved.

5. If the client is not approved, it is connected to a quarantine network where the
deficiencies are corrected, and then the computer is allowed to connect to the
network.
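The five-step flow above, as an added Python model that is not from the textbook or any NAC product: a System Health Agent produces a Statement of Health, the Health Registration Authority checks it against constructed antivirus and patch-management servers and issues a Health Certificate, and a network server verifies that certificate before admitting the client. The policy values, host data and signing key are constructed, and an HMAC-signed, time-limited token stands in for the real Health Certificate format (an assumption of this model).

```python
"""Model of the NAC flow: SHA -> SoH -> HRA -> Health Certificate -> network server.
Added example; policy values, host data and the signing key are constructed,
and the HMAC token is a stand-in for a real Health Certificate."""
import hashlib
import hmac
import json
import time

# Constructed "external authorities" that the HRA consults
ANTIVIRUS_SERVER = {"current_signature": "2017.08.12"}
PATCH_SERVER = {"required_patches": {"KB-A", "KB-B"}}


def system_health_agent(host):
    """Step 1: client self-assessment. `host` is a dict of observed settings."""
    return {
        "host": host["name"],
        "av_signature": host["av_signature"],
        "firewall_enabled": host["firewall_enabled"],
        "patches": sorted(host["patches"]),
    }


class HealthRegistrationAuthority:
    """Step 2: enforces policy on Statements of Health; step 3: issues certificates."""

    def __init__(self, signing_key, antivirus=ANTIVIRUS_SERVER, patches=PATCH_SERVER):
        self.key = signing_key
        self.antivirus = antivirus
        self.patches = patches

    def evaluate(self, soh):
        """Return the list of policy failures (an empty list means compliant)."""
        problems = []
        if soh["av_signature"] != self.antivirus["current_signature"]:
            problems.append("antivirus signature out of date")
        if not soh["firewall_enabled"]:
            problems.append("software firewall disabled")
        missing = self.patches["required_patches"] - set(soh["patches"])
        if missing:
            problems.append("missing patches: " + ", ".join(sorted(missing)))
        return problems

    def issue_certificate(self, soh, ttl=3600, now=None):
        """Step 3: time-limited Health Certificate, HMAC-signed by the HRA."""
        now = time.time() if now is None else now
        payload = {"host": soh["host"], "issued": now, "expires": now + ttl}
        body = json.dumps(payload, sort_keys=True).encode()
        mac = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return {"payload": payload, "mac": mac}


def verify_certificate(cert, signing_key, now=None):
    """Step 4: a network server checks signature and expiry before admitting the client."""
    now = time.time() if now is None else now
    body = json.dumps(cert["payload"], sort_keys=True).encode()
    expected = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["mac"]):
        return False
    return cert["payload"]["expires"] > now


def admit(host, hra, now=None):
    """Run steps 1-5 for one host. Returns (network, certificate_or_None, problems)."""
    soh = system_health_agent(host)
    problems = hra.evaluate(soh)
    if problems:
        return "quarantine", None, problems     # step 5: correct deficiencies first
    cert = hra.issue_certificate(soh, now=now)
    if not verify_certificate(cert, hra.key, now=now):
        return "quarantine", cert, ["certificate rejected"]
    return "production", cert, []
```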

Figure 6-11 Network access control (NAC) framework (figure shows: 1. Security self-assessment by System Health Agent; 2. Statement of Health sent to Health Registration Authority, which consults an antivirus server and a patch management server; 3. Health Certificate issued to client; 4. Health Certificate presented to network server; 5. If no Health Certificate, client sent to quarantine network)

NAC typically uses one of two methods for directing the client to a quarantine
network and then later to the production network. The first method is the use of a
Dynamic Host Configuration Protocol (DHCP) server. The unapproved client is first
leased an IP address to the quarantine network and then later leased an IP address to
the production network. The second method uses a technique often used by attackers
known as Address Resolution Protocol (ARP) poisoning. With this method, the ARP
table is manipulated on the client so that it connects to the quarantine network.

Note

ARP poisoning is covered in Chapter 5.

NAC can be an effective tool for identifying and correcting systems that do not
have adequate security installed and preventing these devices from infecting others.
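The five-step exchange above, together with the DHCP quarantine method, as an added simulation (not code from the textbook or any NAC product): the client's SHA builds a SoH, the HRA checks it against policy using the current values it pulls from the antivirus and patch management servers, and the network server admits the client only on a valid Health Certificate. The HMAC certificate format, the policy thresholds, the placeholder patch IDs and the address scopes are all assumptions of this example.

```python
"""Simulated NAC health-check exchange (constructed example, not the textbook's code)."""
import hashlib
import hmac
import ipaddress
import json
import time
from dataclasses import dataclass

HRA_KEY = b"constructed-shared-key-hra-and-servers"   # constructed; shared HRA <-> servers
AV_SERVER_LATEST_SIGNATURES = 1042                    # constructed antivirus server value
PATCH_SERVER_REQUIRED = {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}  # placeholder patch IDs
POLICY = {"max_signature_versions_behind": 1, "firewall_required": True}  # assumed policy
SCOPES = {  # DHCP scopes for the two networks (constructed ranges)
    "quarantine": ipaddress.ip_network("10.99.0.0/24"),
    "production": ipaddress.ip_network("10.1.0.0/24"),
}


@dataclass
class StatementOfHealth:
    host: str
    av_signature_version: int
    installed_patches: set
    firewall_on: bool


def system_health_agent(host, av_version, patches, firewall_on):
    """Step 1: the client assesses itself and reports the result as a SoH."""
    return StatementOfHealth(host, av_version, set(patches), firewall_on)


def issue_health_certificate(soh, now=None, ttl=3600):
    """Step 3: the HRA binds the certificate to the host with an HMAC (assumed format)."""
    issued = int(time.time() if now is None else now)
    payload = {"host": soh.host, "issued": issued, "ttl": ttl}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "tag": hmac.new(HRA_KEY, body, hashlib.sha256).hexdigest()}


def health_registration_authority(soh, now=None):
    """Step 2: enforce policy against the SoH; returns (certificate or None, deficiencies)."""
    deficiencies = []
    oldest_ok = AV_SERVER_LATEST_SIGNATURES - POLICY["max_signature_versions_behind"]
    if soh.av_signature_version < oldest_ok:
        deficiencies.append("antivirus signatures out of date")
    missing = PATCH_SERVER_REQUIRED - soh.installed_patches
    if missing:
        deficiencies.append("missing patches: " + ", ".join(sorted(missing)))
    if POLICY["firewall_required"] and not soh.firewall_on:
        deficiencies.append("host firewall disabled")
    if deficiencies:
        return None, deficiencies
    return issue_health_certificate(soh, now), []


def network_server_verify(cert, host, now=None):
    """Step 4: a network server accepts only an untampered, unexpired cert for this host."""
    if cert is None:
        return False
    body = json.dumps(cert["payload"], sort_keys=True).encode()
    expected = hmac.new(HRA_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["tag"]):
        return False
    p = cert["payload"]
    now = int(time.time() if now is None else now)
    return p["host"] == host and p["issued"] <= now < p["issued"] + p["ttl"]


def dhcp_lease(network, index=0):
    """The DHCP method from the text: lease from the quarantine or production scope."""
    return str(list(SCOPES[network].hosts())[index])


def admit(soh, now=None):
    """Run the exchange end to end; step 5 sends a failing client to quarantine.
    Returns (network name, leased address, certificate or None, deficiencies)."""
    cert, deficiencies = health_registration_authority(soh, now)
    if network_server_verify(cert, soh.host, now):
        return "production", dhcp_lease("production"), cert, []
    return "quarantine", dhcp_lease("quarantine"), None, deficiencies


if __name__ == "__main__":
    good = system_health_agent("pc-01", 1042, ["KB-EXAMPLE-001", "KB-EXAMPLE-002"], True)
    bad = system_health_agent("pc-02", 900, ["KB-EXAMPLE-001"], False)
    for soh in (good, bad):
        net, addr, cert, defs = admit(soh)
        print(soh.host, "->", net, addr, defs)
```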

Data Loss Prevention (DLP)
In previous generations, most employees drove to the office for a nine-to-five workday
to meet with colleagues and create reports at a desk. That has all changed. Work today
involves electronic collaboration using mobile technologies (smartphones, tablets,
and laptops) over wireless data networks from virtually any location. This means
that data, once restricted to papers in the office filing cabinet, now flows freely both
in and out of organizations between employees, customers, contractors, and business
partners around the world. In addition, the volume of sensitive data has grown
exponentially. How can all this data flowing in and out of the organization be protected
so that it does not fall into the wrong hands?

One means of securing data is through data loss prevention (DLP). DLP is a
system of security tools that is used to recognize and identify data that is critical to
the organization and ensure that it is protected. This protection involves monitoring
who is using the data and how it is being accessed. DLP's goal is to protect data
from unauthorized users. It does this by examining data as it resides in any of three
states: data-in-use, data-in-transit, and data-at-rest. Data that is considered critical
to the organization or needs to be confidential can be tagged as such. A user who
then attempts to access the data to disclose it to another unauthorized user will
be prevented from doing so. Two of the most common uses of DLP are monitoring
emails through a mail gateway and blocking the copying of files to a USB flash drive
(USB blocking).

Most DLP systems use content inspection. Content inspection is defined as a security
analysis of the transaction within its approved context. Content inspection looks at not only
the security level of the data, but also who is requesting it, where the data is stored, when it
was requested, and where it is going. DLP systems also can use index matching. Documents
that have been identified as needing protection, such as the program source code for a
new software application, are analyzed by the DLP system and complex computations are
conducted based on the analysis. Thereafter, if even a small part of that document is leaked,
the DLP system can recognize the snippet as being from a protected document.


DLP begins with an administrator creating DLP rules based on the data (what is
to be examined) and the policy (what to check for). DLPs can be configured to look
for specific data (such as Social Security and credit card numbers), lines of computer
software source code, words in a sequence (to prevent a report from leaving the
network), maximum file sizes, and file types. Because it can be difficult to distinguish
a Social Security number from a mistyped telephone number or a nine-digit online
order number, DLP can use fingerprinting to more closely identify important data. A
fingerprint may consist of a Social Security number along with a name to trigger an
alarm. In addition, whitelists and blacklists can be created to prevent specific files from
being scanned. These rules are then loaded into a DLP server.

Because the data can be leaked by different means, there are three types of DLP
sensors:

DLP network sensors. DLP network sensors are installed on the perimeter of
the network to protect data-in-transit by monitoring all network traffic. This
includes monitoring email, instant messaging, social media interactions,
and other web applications. DLP network sensors can even monitor multiple
protocols (including HTTP, SMTP, POP, IMAP, FTP, and Telnet).

DLP storage sensors. Sensors on network storage devices are designed to protect
data-at-rest. These sensors monitor the devices to ensure that the files on the
hard drives that store sensitive data are encrypted. They also scan the drives to
determine where specific data is stored.

DLP agent sensors. These sensors are installed on each host device (desktop, laptop,
tablet, etc.) and protect data-in-use. The DLP agent sensors watch for actions such
as printing or copying to a USB flash drive. They can also read inside compressed
(ZIP) files and binary files (such as older Microsoft Office non-XML files).

Note

One of the drawbacks of DLP agent sensors is that the host device must communicate with
the DLP server, which can result in performance issues and may not scale well when more
devices are added. To limit the performance impact, DLP agent sensors are event driven so
that the sensor monitors only for specific user actions, such as copying a file to a USB device
or printing a document.

Note

Index matching is so sensitive that if even a handful of lines of source code from 10,000 lines
of protected code are entered in an email message, the DLP system will identify it.


When a policy violation is detected by the DLP agent, it is reported back to the
DLP server. Different actions can then be taken. This could include blocking the data,
redirecting it to an individual who can examine the request, quarantining the data
until later, or alerting a supervisor of the request.
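As an added example (not from the textbook or any DLP product) of the fingerprinting and index matching described above: the Social Security number rule fires only when a known employee name appears nearby, so a mistyped phone number or a nine-digit order number is not flagged, and a protected source file is indexed as hashed runs of consecutive words so that a short leaked snippet still matches. The word-run hashing stands in for a product's proprietary computations, and the sample messages, names and protected source are constructed assumptions.

```python
"""DLP content inspection with a fingerprint rule and index matching (constructed example)."""
import hashlib
import re

# SSN-shaped pattern; the (?!...) groups reject area/group/serial values never assigned.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
SHINGLE = 6  # words per hashed run; smaller values catch shorter snippets but raise false alarms

# Constructed protected document (source code of a "new application") and employee names.
PROTECTED_SOURCE = '''
def compute_discount(order, customer):
    if customer.tier == "gold" and order.total > 250:
        return round(order.total * 0.12, 2)
    return 0.0
'''
EMPLOYEE_NAMES = ["Isabella Reyes", "Sebastian Cole"]

# Constructed messages seen by the DLP mail gateway.
LEAK_MESSAGE = 'FYI: if customer.tier == "gold" and order.total > 250: return round(order.total * 0.12, 2)'
BENIGN_MESSAGE = "Reminder: the quarterly report is due Friday; call me at 555-012-3456."


def _tokens(text):
    return re.findall(r"\w+", text.lower())


def _shingle_hashes(words):
    """Hash every run of SHINGLE consecutive words (the index-matching computation)."""
    for i in range(len(words) - SHINGLE + 1):
        yield hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()


def build_index(protected_text):
    """Index a protected document once; only hashes are kept, not the text itself."""
    return set(_shingle_hashes(_tokens(protected_text)))


def index_match(index, text):
    """Return how many word runs of `text` come from the protected document."""
    return sum(1 for h in _shingle_hashes(_tokens(text)) if h in index)


def fingerprint_match(text, names, window=60):
    """An SSN-shaped number counts only if a known name appears within `window` characters."""
    hits = []
    for m in SSN_RE.finditer(text):
        context = text[max(0, m.start() - window):m.end() + window].lower()
        if any(name.lower() in context for name in names):
            hits.append(m.group())
    return hits


def inspect(message, index, names, direction="outbound"):
    """Content inspection: the data plus its context decide the action.
    Returns (action, findings) where action is 'allow', 'block' or 'alert'."""
    findings = {}
    ssns = fingerprint_match(message, names)
    if ssns:
        findings["fingerprint"] = ssns
    runs = index_match(index, message)
    if runs:
        findings["index_match_shingles"] = runs
    if not findings:
        return "allow", findings
    # Outbound matches are blocked at the gateway; other directions are routed for review.
    return ("block" if direction == "outbound" else "alert"), findings


if __name__ == "__main__":
    idx = build_index(PROTECTED_SOURCE)
    for msg in (LEAK_MESSAGE, BENIGN_MESSAGE):
        print(inspect(msg, idx, EMPLOYEE_NAMES))
```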

Chapter Summary
Standard network security devices can be used to provide a degree of network security.
Hubs should not be used in a network because they repeat all frames to all attached
network devices, allowing an attacker to easily capture traffic and analyze its contents.
A more secure network device is a switch. A switch forwards frames only to specific
devices instead of all devices. A router can forward packets across computer networks.
Because packets move through the router, the router can be configured to filter out
specific types of network traffic.

A load balancer can direct requests to different servers based on a variety of factors.
Because load balancers are generally located between routers and servers, they can detect
and stop attacks directed at a server or application. A forward proxy server is a computer
or an application program that intercepts user requests from the internal secure network
and then processes that request on behalf of the user. Acting as the intermediary, a proxy
server can protect clients from malware by intercepting it before it reaches the client. In
addition, a proxy server can hide the IP address of client systems inside the secure
network. A reverse proxy does not serve clients but instead routes incoming requests to
the correct server.

Hardware devices that are specifically designed for security can give a much higher level
of protection. A hardware-based network firewall is designed to inspect packets and either
accept or deny entry, and these are generally located outside the network security
perimeter as the first line of defense. All modern operating systems include a software
firewall usually called a host-based firewall or personal firewall. A network-based firewall
functions at the Network layer (Layer 3) of the OSI model. A more intelligent firewall is
an application-based firewall, operating at the Application layer (Layer 7). Firewalls can
either be rule-based or application-aware, and can use stateless packet filtering or
stateful packet filtering. A virtual private network (VPN) is a technology that enables
authorized users to use an unsecured public network, such as the Internet, as if it were a
secure private network.

A mail gateway monitors emails for unwanted content and prevents these messages from
being delivered. Many mail gateways have monitoring capabilities for both inbound as well
as outbound emails. An intrusion detection system (IDS) is designed to detect an attack as
it occurs. Monitoring involves examining network traffic, activity, transactions, or
behavior to detect security-related anomalies. There are four monitoring methodologies:
anomaly monitoring, signature-based monitoring, behavior monitoring, and heuristic
monitoring. A host intrusion detection system (HIDS) is a software-based application that
runs on a local host computer. A network intrusion detection system (NIDS) watches for
attacks on the network. As network traffic moves through the network, NIDS sensors
(usually installed on network devices such as firewalls and routers) gather information
and report back to a central device. A network intrusion prevention system (NIPS) is like
a NIDS in that it monitors network traffic, but it can react more quickly than a NIDS to
block a malicious attack.

A Security and Information Event Management (SIEM) product consolidates real-time
monitoring and management of security information along with an analysis and reporting
of security events. Other network security hardware devices include hardware security
modules, SSL decryptors, SSL/TLS accelerators, media gateways, Unified Threat Management
(UTM) products, Internet content filters, and web security gateways.

The design of a network can provide a secure foundation for resisting attackers. A secure
approach is to create zones to partition the network so that certain users may enter one
zone while that access is prohibited to other users. A demilitarized zone (DMZ) functions
as a separate network that rests outside the secure network perimeter, so that untrusted
outside users can access the DMZ but cannot enter the secure network. Network address
translation (NAT) discards packets that were not requested by an internal network device
and hides the IP addresses of internal network devices from attackers by substituting a
private address with a public address. Other security zones include intranets, extranets,
and guest networks.

Another means of providing security is to segregate the network and its resources.
Physical network segregation simply isolates the network so that it is not accessible by
outsiders. Logical network segregation segments a network by separating devices into
logical groups, known as creating a virtual LAN (VLAN).

Network technologies can also help to secure a network. Network access control (NAC)
examines the current state of a system or network device before it can connect to the
network. Any device that does not meet a specified set of criteria can connect only to a
quarantine network where the security deficiencies are corrected. Data loss prevention
(DLP) is a system of security tools that is used to recognize and identify data that is
critical to the organization and ensure that it is protected.

Key Terms
Access Control List (ACL)
active-active
active-passive
affinity
agentless NAC
air gap
always-on VPN
anomaly monitoring
antispoofing
application/multipurpose proxy
application-based firewall
behavioral monitoring
bridge
data loss prevention (DLP)
demilitarized zone (DMZ)
dissolvable NAC agent
extranet
false negative
false positive
firewall
flood guard
forward proxy
full tunnel
guest network
hardware security module
heuristic monitoring
host agent health checks
host-based firewall
host-based intrusion detection system (HIDS)
host-based intrusion prevention system (HIPS)
IMAP (Internet Mail Access Protocol)
implicit deny
in-band IDS
inline IDS
intranet
intrusion detection system (IDS)
load balancer
loop prevention
mail gateway
media gateway
network access control (NAC)
network address translation (NAT)
network intrusion detection system (NIDS)
network intrusion prevention system (NIPS)
network-based firewall
out-of-band IDS
passive IDS
permanent NAC agent
physical network segregation
port security
Post Office Protocol (POP)
remote access VPN
reverse proxy
round-robin
router
Security and Information Event Management (SIEM)
SIEM aggregation
SIEM automated alerting and triggers
SIEM correlation
SIEM event duplication
SIEM logs
SIEM time synchronization
signature-based monitoring
Simple Mail Transfer Protocol (SMTP)
site-to-site VPN
split tunneling
SSL decryptor
SSL/TLS accelerator
stateful packet filtering
stateless packet filtering
switch
transparent proxy
Unified Threat Management (UTM)
USB blocking
virtual IP (VIP)
virtual LAN (VLAN)
virtual private network (VPN)
VPN concentrator
web application firewall

Review Questions
1. Isabella is a security support manager for a large enterprise. In a recent meeting, she
was asked which of the standard networking devices already present on the network could
be configured to supplement the specific network security hardware devices that were
recently purchased. Which of these standard networking devices would Isabella recommend?
a. Router
b. Hub
c. Virtual private network
d. SIEM device

2. Ximena noticed that Sofia had created a network bridge on her new laptop between the
unsecured wireless network and the organization's secure intranet. Ximena explained to
Sofia the problem associated with setting up the bridge. What did Ximena tell Sofia?
a. A bridge will block packets between two different types of networks.
b. A bridge cannot be used on any Internet connection.
c. A bridge would block packets from reaching the Internet.
d. A bridge could permit access to the secure wired network from the unsecured wireless
network.

3. Which of these would NOT be a filtering mechanism found in a firewall ACL rule?
a. Source address
b. Direction
c. Date
d. Protocol

4. Which of the following devices can identify the application that sends packets and then
make decisions about filtering based on it?
a. Internet content filter
b. Application-based firewall
c. Reverse proxy
d. Web security gateway

5. Which function does an Internet content filter NOT perform?
a. Intrusion detection
b. URL filtering
c. Malware inspection
d. Content inspection

6. How does network address translation (NAT) improve security?
a. It filters based on protocol.
b. It discards unsolicited packets.
c. It masks the IP address of the NAT device.
d. NATs do not improve security.

7. Francisco was asked by a student intern to explain the danger of a MAC flooding attack
on a switch. What would Francisco say?
a. Once the MAC address table is full the switch functions like a network hub.
b. A MAC flooding attack will filter to the local host computer's MAC-to-IP address tables
and prevent these hosts from reaching the network.
c. In a defense of a MAC flooding attack network routers will freeze and not permit any
incoming traffic.
d. A MAC flooding attack will prevent load balancers from identifying the correct VIP of
the servers.

8. Which device is easiest for an attacker to take advantage of to capture and analyze
packets?
a. Router
b. Hub
c. Switch
d. Load balancer

9. Sebastian was explaining to his supervisor why the enterprise needed to implement port
security. His supervisor asked what security action a flood guard could do when a MAC
flooding attack occurred. Which of the following was NOT an answer that was given by
Sebastian?
a. Ignore the new MAC addresses while allowing normal traffic from the single pre-approved
MAC address
b. Cause the device to enter a fail-open mode
c. Record new MAC addresses up to a specific limit
d. Block the port entirely

10. Which statement regarding a demilitarized zone (DMZ) is NOT true?
a. It can be configured to have one or two firewalls.
b. It typically includes an email or web server.
c. It provides an extra degree of security.
d. It contains servers that are used only by internal network users.

11. Which statement about network address translation (NAT) is true?
a. It substitutes MAC addresses for IP addresses.
b. It can be stateful or stateless.
c. It can be found only on core routers.
d. It removes private addresses when the packet leaves the network.

12. Which of these is NOT used in scheduling a load balancer?
a. The IP address of the destination packet
b. Data within the application message itself
c. Round-robin
d. Affinity

13. In which of the following configurations are all the load balancers always active?
a. Active-active
b. Active-passive
c. Passive-active-passive
d. Active-load-passive-load

14. Which device intercepts internal user requests and then processes those requests on
behalf of the users?
a. Forward proxy server
b. Reverse proxy server
c. Host detection server
d. Intrusion prevention device

15. Raul was asked to configure the VPN to preserve bandwidth. Which configuration would he
choose?
a. Split tunnel
b. Full tunnel
c. Narrow tunnel
d. Wide tunnel

16. Which device watches for attacks and sounds an alert only when one occurs?
a. Firewall
b. Network intrusion detection system (NIDS)
c. Network intrusion prevention system (NIPS)
d. Proxy intrusion device

17. Which of the following is a multipurpose security device?
a. Hardware security module
b. Unified Threat Management (UTM)
c. Media gateway
d. Intrusion Detection/Prevention (ID/P)

18. Which of the following CANNOT be used to hide information about the internal network?
a. Network address translation (NAT)
b. Protocol analyzer
c. Subnetter
d. Proxy server

19. What is the difference between a network intrusion detection system (NIDS) and a
network intrusion prevention system (NIPS)?
a. A NIDS provides more valuable information about attacks.
b. There is no difference; a NIDS and a NIPS are equal.
c. A NIPS can take actions more quickly to combat an attack.
d. A NIPS is much slower because it uses protocol analysis.

20. Which is the most secure type of firewall?
a. Stateless packet filtering
b. Stateful packet filtering
c. Network intrusion detection system replay
d. Reverse proxy analysis


Hands-On Projects

Project 6-1: Using AlienVault SIEM Tools
A Security and Information Event Management (SIEM) product consolidates real-time
monitoring and management of security information along with an analysis and reporting of
security events. In this activity, you access online AlienVault, a SIEM product.

1. Use your web browser to go to www.alienvault.com (if you are no longer able to
access the site through the URL, use a search engine to search for Alienvault).
2. Click Explore the Online Demo.
3. Enter the required information and click Start Online Demo.
4. The Alienvault online demo appears. Review the information displayed and scroll to the
bottom of the screen.
5. Under Sort click the icon beneath Intent on the first line of information that brings up a
description of this alarm.
6. Click Recommendations for suggestions regarding how to mitigate this attack. Is this
information helpful?
7. Click Create Rule to create a SIEM rule.
8. Under Rule Name enter Rule-1.
9. Under Suggested From Alarms scroll down and view the different categories.
10. Click Destination Countries. This will allow you to set a rule for an attack coming from
a specific country.
11. Under Matching Conditions change the Destination Countries to IT (for Italy).
12. Select several other suggestions and note how the rule is automatically built as you
proceed. How does a system like this prevent configuration errors?
13. Click Cancel.
14. Close the Suspicious Behavior window.
15. Under Dashboards click NIDS to display information from the network intrusion
detection system. What type of useful information is found here?
16. Click Environment and then Assets. What does this screen tell you? Where is the
sensor located? How can this be valuable?
17. Under Dashboards click Overview.
18. Click the Export as Report button.

Note

If you are concerned about installing any of the software in these projects on your
regular computer, you can instead install the software in the Windows virtual
machine created in the Chapter 1 Hands-On Projects 1-3 and 1-4. Software installed
within the virtual machine will not impact the host computer.

19. Under Title enter Report-1.
20. Click Export.
21. Click Print (you can also select to print to a PDF if your computer has that option).
22. View the report. How could this information be helpful in understanding data from
different sensors?
23. How can SIEM data be useful in consolidating real-time attack information?

Project 6-2: Using GlassWire SIEM Tools
Another Security and Information Event Management (SIEM) product is GlassWire. In this
activity, you download and install GlassWire.

1. Use your web browser to go to www.glasswire.com (if you are no longer able to access
the site through the URL, use a search engine to search for GlassWire).
2. Click Features and scroll through the page to read about the different features and
configuration options in this product.
3. Explore the Online Demo.
4. Click Download GlassWire.
5. Navigate to the location of the downloaded file GlassWireSetup.exe and launch this
program to install GlassWire by accepting the default settings.
6. Click Finish to run GlassWire.
7. Note that the information scrolls horizontally to the left regarding events that are
occurring. Open a web browser and surf the Internet for several minutes.
8. Return to GlassWire.
9. Slide the scroller at the bottom of the screen to consolidate the views, as illustrated in
Figure 6-12.
10. Click Apps. What information is given in the left pane? How can this be useful?
11. Click Traffic to view an analysis of the different traffic types.
12. Click the Resize button on the GlassWire window and snap this window to the left side
of your physical computer screen.
13. Open a web browser, click the Resize button, and snap this window to the right side of
your computer screen.
14. Use your web browser to surf the web, and watch the GlassWire screen as well. What
can you learn from this?
15. Close the browser window and maximize GlassWire.
16. Click the Firewall button. What apps or services have recently gone through your
firewall?
17. Click the Usage button to see a summary of the local Apps utilized, the Hosts accessed,
and the Traffic Type.
18. Click Alerts. Scroll through any alerts that have been issued. What can you tell about them?
19. How valuable is this information from GlassWire? How does it compare to AlienVault?
Although they are two different products they each may have their own respective place
in viewing information about attacks.
20. Close all windows.

Figure 6-12 GlassWire (screenshot not reproduced)
Source: GlassWire

Project 6-3: Configuring Windows Firewall

In this project, you edit configuration settings on Windows Firewall.

1. Click Start, click the search icon, and enter Firewall.
2. Click Windows Firewall Control panel.
3. Click Turn Windows Firewall on or off. Be sure that the Windows Firewall is turned on
for both private and public networks.

Note

Windows Firewall uses three different profiles: domain (when the computer is
connected to a Windows domain), private (when connected to a private network,
such as a work or home network), and public (used when connected to a public
network, such as a public Wi-Fi). A computer may use multiple profiles, so that a
business laptop computer may use the domain profile at work, the private profile
when connected to the home network, and the public profile when connected to a
public Wi-Fi network. Windows asks whether a network is public or private when you
first connect to it.

4. Under Public network settings check Block all incoming connections, including
those in the list of allowed apps. This provides an extra level of security when using
a public network such as a free Wi-Fi network by preventing a malicious incoming
connection from another computer on the network. Click OK.
5. To allow an inbound connection from an installed application, in the left pane click
Allow an app or feature through Windows Firewall.
6. Each program or feature of Windows can be chosen to allow an incoming connection on
public or private networks. Click Allow another app.
7. From here you can select an app that will permit an incoming connection. Because this
is a security risk, click Cancel and then OK.
8. Now check the configuration properties of Windows Firewall. Click Advanced
settings.
9. Click Properties in the right pane.
10. Note the settings on each of the profiles by clicking the Domain Profile, Private
Profile, and Public Profile tabs. Is there any difference in the settings between these
profiles? Why?
11. On each tab under Settings, click Customize. Be sure that Display a notification is set
to Yes. Why would this be important?
12. Click OK to return to the Windows Firewall with Advanced Security page.
13. In addition to being application-aware, Windows Firewall also can be configured for
firewall rules. Click Outbound Rules in the left pane to block a program from reaching
the Internet.
14. In the right pane, click New Rule.
15. Click Port and then click Next.
16. If necessary, click TCP.
17. Next to Specific remote ports: enter 80. Click Next.
18. If necessary, click Block the connection. Click Next.
19. Be sure that this new rule applies to all three domains. Click Next.
20. Under Name: enter Blocking Port 80. Click Finish.
21. Now open a web browser and try to connect to the Internet. What happens?
22. Click the Back button to return to the Windows Firewall screen and click Action and
Restore Default Policy to disable this rule. If a warning dialog box appears, click Yes.
Click OK.
23. Select Outbound Rules in the left pane. In the right pane, click New Rule.
24. Click Custom and Next.
25. If necessary, click All programs and Next.

Note

In addition to ports, the Windows Firewall also can block by program (Program) or
even by program, port, and IP address (Custom).

26. Note that you can configure a firewall rule based on protocol, protocol number, local
port, and remote port.
27. Click Cancel.
28. Close all windows.

Project 6-4: Using an Internet Content Filter

Internet content filters are used to block inappropriate content. In this project, you download
and install the filter K9 Web Protection.

1. Use your web browser to go to www1.k9webprotection.com.

Note

The location of content on the Internet may change without warning. If you are no
longer able to access the program through the above URL, use a search engine to
search for K9 Web Protection.

2. Click Free Download.
3. Be sure the radio button Get K9 Free for your home is selected. Enter the requested
information and then click Request License.
4. Go to the email account that you entered and click Download K9 Web Protection.
5. Click the operating system that you are using.
6. Click Save and save the file to your computer.
7. Click Run and follow the instructions to install it to your computer. Accept all default
settings.
8. When the installation is complete, reboot the computer.
9. Launch Blue Coat K9 Web Protection Admin.
10. Click SETUP.
11. Enter your password.
12. Under Web Categories to Block, note the different levels of options available.
13. Click Custom.
14. Under Other Categories, click Block All.
15. Click on the other options under Setup and note the different configuration settings.
16. Click Logout.
17. Open your web browser. Enter the URL www.google.com. What happens now that the
filter is installed?
18. Close all windows.


Case Projects

Case Project 6-1: Data Loss Prevention Comparison
Research at least four different data loss prevention (DLP) products from four different
vendors. Create a table that compares at least six different functions and options. Based on
your research which would you choose? What features make this product the optimum? Why?
Write a short paragraph that summarizes your research.

Case Project 6-2: UTM Comparison
Create a table of four UTM devices available today. Include the vendor name, pricing, a list
of features, the type of protections it provides, etc. Based on your research, assign a value of
1 to 5 (lowest to highest) that you would give that UTM. Include a short explanation of why you
gave it that ranking.

Case Project 6-3: Load-Balancing Algorithms
Different algorithms are used to make decisions on load balancing. These include random
allocation, round-robin, weighted round-robin, round-robin DNS load balancing, and others.
Use the Internet to research load-balancing algorithms. Create a table that lists at least five
algorithms and their advantages and disadvantages. Do any of these algorithms compromise
security? Write a one-page paper on your research.

Case Project 6-4: Network Firewall Comparison
Use the Internet to identify three network firewalls, and create a chart that compares their
features. Note if they are rule-based or application-aware, perform stateless or stateful
packet filtering, what additional features they include (IDS, content filtering, etc.), their costs,
etc. Which would you recommend? Why?

Case Project 6-5: Lake Point Consulting Services
Lake Point Consulting Services (LPCS) provides security consulting and assurance services to
over 500 clients across a wide range of enterprises in more than 20 states. A new initiative
at LPCS is for each of its seven regional offices to provide internships to students who are in
their final year of the security degree program at the local college.

Blue Ridge Real Estate is a statewide residential and commercial real estate company.
Because the company was the victim of several recent attacks, Blue Ridge wants to
completely change its network infrastructure. Currently the company has a small IT staff, so
they have contracted with LPCS to make recommendations and install the new equipment.
First, however, they have asked LPCS to give a presentation to their executive staff about
network security.

1. Create a PowerPoint presentation for the executive staff about network security.
Include what it is, why it is important, and how it can be achieved using network devices,
technologies, and design elements. Because the staff does not have an IT background,
the presentation cannot be too technical in nature. Your presentation should contain at
least 10 slides.

2. Blue Ridge has been working with LPCS and is debating if they should use UTM
network security appliances or separate devices (firewall, Internet content filters, NIDS,
etc.). Because they appreciated your first presentation, they want your opinion on
this subject. Create a memo that outlines the advantages and disadvantages of each
approach, and give your recommendation.

Case Project 6-6: Community Site Activity
The Information Security Community Site is an online companion to this textbook. It contains
a wide variety of tools, information, discussion boards, and other features to assist learners.
Go to community.cengage.com/Infosec2 and click the Join or Sign in icon to log in, using
your login name and password that you created in Chapter 1. Click Forums (Discussion) and
click on Security+ Case Projects (6th edition). Read the following case study.

Some schools and libraries use Internet content filters to prohibit users from accessing
undesirable websites. These filters are designed to protect individuals, but some claim it
is a violation of their freedom. What are your opinions about Internet content filters? Do
they provide protection for users or are they a hindrance? Who should be responsible for
determining which sites are appropriate and which are inappropriate? And what punishments
should be enacted against individuals who circumvent these filters? Visit the Community Site
discussion board and post how you feel about Internet content filters.


Chapter 7
Administering a Secure Network

After completing this chapter, you should be able to do the following:

List and describe the functions of secure network protocols
Explain the placement of security devices and technologies
Tell how security data can be analyzed
Explain how to manage and secure network platforms

Today's Attacks and Defenses

Who hasn't seen a Western movie that involves robbing a bank? The criminals enter the
bank, flashing their guns and crying "This is a holdup!" as the robbers leap over the counter
and scoop bills and coins into a burlap sack. They then dart out the door and leap onto their
horses, only to have a posse hot on their tail with guns blazing. Modern bank robberies,
except for the horses and posse, are very much the same. But recently a group of threat
actors robbed a major bank in a new way: they changed the bank's web address so all the
bank's customers came to them.

The Domain Name System (DNS) is a critical service for web users. It translates domain
names in alphanumeric characters (like www.cengage.com) to their corresponding IP addresses
(like 69.32.208.74), which represent the actual locations of the computers hosting websites
or other services. Imagine what would happen if threat actors could somehow alter the
translation so that a name points not to the correct IP address but to one owned by the
threat actors. Anyone entering the domain name in a web browser would be directed to the
attackers' site instead. This is just what has happened in some cases. In 2013, for instance,
the Syrian Electronic Army group altered the DNS registration of The New York Times to
redirect visitors to a page that contained the Army's logo.

And this DNS poisoning attack is evidently what occurred at a major Brazilian financial
company that has 5 million customers with hundreds of branches, overseas operations in the
United States and the Cayman Islands, and over $27 billion in total assets. One afternoon in the
fall of 2016, attackers compromised the bank's DNS account at Registro.br, which is the domain
registration service of NIC.br. NIC.br is the registrar for sites ending in the top-level domain
(TLD) .br (Brazil). The threat actors changed the DNS registration of 36 of the bank's online
properties to redirect to their own sites (a later blog post from NIC.br admitted to a vulnerability
in its website that would in some circumstances have allowed changes to clients' settings).

The attackers went to great lengths to make their sites appear authentic. These sites
even had valid digital certificates, which are intended to verify the identity of the owner by
displaying a green padlock along with the bank's name in the web browser, just as they would
on the authentic sites. These certificates had been issued six months earlier by a nonprofit
certificate authority that had made obtaining a domain validation digital certificate easier in
the hopes of increasing HTTPS adoption.

Bank customers using a desktop computer or mobile device to visit the bank's websites
were redirected to the attackers' look-alike websites that had been set up on Google's Cloud
Platform. Once there, the unknowing victims would enter their user names and passwords
right into the hands of the waiting attackers, who could then use the information to log into
the users' accounts and clean them out by transferring money to an account set up
by the attackers.

Aside from capturing the customers' login information through this phishing attack,
the spoofed websites also infected the victims' devices by downloading malware that
disguised itself as an update to a browser security plug-in that the Brazilian bank offered its
customers for enhanced security. This Trojan gathered login information not only
from this Brazilian bank but also from eight other banks. It also captured email and FTP login
credentials, as well as contact lists from Microsoft Outlook and Exchange accounts, which
were sent to a command and control server hosted in Canada. And just for good measure,
the Trojan also included a function to disable the user's antivirus software.

Five hours after the onset of the attack, the Brazilian bank regained control of its domains,
likely by calling NIC.br and convincing it to correct the DNS registrations. How many of the
bank's millions of customers were caught up in the DNS attack remains unknown; the bank
has not shared that information with any external security firms, nor has it publicly disclosed
the attack. It's possible that the attackers could have harvested hundreds of thousands, or
even millions, of customers' account details from their phishing scheme and malware.


Some evidence indicates that the threat actors may have even simultaneously redirected all
transactions at automated teller machines (ATMs) and retail point-of-sale (PoS) systems to the
attackers' servers so that they could easily collect the payment card details of anyone who
used their card that Saturday afternoon. And the Trojan malware that was downloaded to the
victims' computers continued to live on well past the afternoon nightmare.¹

This type of attack is a known threat on the web, but has not until now been exploited on
a massive scale. But half of the top 20 banks (ranked by total assets) do not manage their own
DNS but instead leave it in the hands of a third party that could possibly be compromised.
Banks should regularly check the security of their DNS and be sure that they have a registry
lock that some registrars provide to prevent such an attack.

Bank robbery today no longer requires guns or getaway cars. A simple change to a DNS
record is sometimes all that it takes.

As you learned in the previous chapter, building a secure network through network
devices, architectures, and technologies is important for keeping information secure.
But the job does not end there. Properly administering the network is also critical for
security. A network that is not properly maintained through proven administrative
procedures is at high risk to be compromised.

This chapter looks at administering a secure network. First, you explore secure
network protocols and the proper locations for installing security devices. Next, you
study the steps for analyzing security data. Finally, you look at how to secure three
popular types of network applications: virtualization, cloud computing, and software
defined networks.

Secure Network Protocols
Certification: 2.6 Given a scenario, implement secure protocols.

In the world of international politics, protocols are the forms of ceremony and
etiquette. These rules of conduct and communication are to be observed by foreign
diplomats and heads of state while in a different country. If they were to ignore these
protocols, they would risk offending the citizens of the host country, which might lead
to a diplomatic incident or, even worse, a war.

Computer networks also have protocols, or rules for communication. These
protocols are essential for proper communication to take place between network
devices. The most common protocol used today for both local area networks (LANs)
and the Internet is Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP is not
one single protocol; instead, it comprises several protocols that all function together
(called a protocol suite). The two major protocols that make up its name, TCP and IP, are
considered the most important protocols. IP is the protocol that functions primarily at
the Open Systems Interconnection (OSI) Network layer (Layer 3) to provide addressing
and routing. TCP is the main Transport layer (Layer 4) protocol that is responsible for
establishing connections and the reliable data transport between devices.

Note

IP is responsible for addressing packets and sending them on the correct route to the
destination, while TCP is responsible for reliable packet transmission.

Figure 7-1 OSI model vs. TCP/IP model

    OSI model              TCP/IP model
    7  Application      \
    6  Presentation      >  Application
    5  Session          /
    4  Transport            Transport
    3  Network              Internet
    2  Data Link            Network Interface
    1  Physical             (not represented; see the Note below)

Note

The Physical layer is omitted in the TCP/IP model. This is because TCP/IP views the Network
Interface layer as the point where the connection between the TCP/IP protocol and the
networking hardware occurs.

TCP/IP uses its own four-layer architecture that includes the Network Interface,
Internet, Transport, and Application layers. This corresponds generally to the OSI
reference model, as illustrated in Figure 7-1. The TCP/IP architecture gives a framework
for the dozens of protocols and several high-level applications that comprise the suite.

Some basic TCP/IP protocols that relate to security are Simple Network Management
Protocol, Domain Name System, and File Transfer Protocol. There are also email protocols
that are not natively secure, but steps can be taken to protect email correspondence. For
all these protocols, there are use cases regarding when they should be implemented.

Note

There are other TCP/IP security-related protocols such as Secure Sockets Layer (SSL),
Transport Layer Security (TLS), Secure Shell (SSH), Hypertext Transfer Protocol Secure (HTTPS),
Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Real-time Transport Protocol
(SRTP), and Internet Protocol Security (IPsec). These are covered in Chapter 4.

Simple Network Management Protocol (SNMP)
The Simple Network Management Protocol (SNMP) is a popular protocol used
to manage network equipment and is supported by most network equipment
manufacturers. It allows network administrators to remotely monitor, manage, and
configure devices on the network. SNMP functions by exchanging management
information between networked devices.

Note

SNMP can be found not only on core network devices such as switches, routers, and wireless
access points, but also on some printers, copiers, fax machines, and even uninterruptible
power supplies (UPSs).

Each SNMP-managed device must have an agent or a service that listens for
commands and then executes them. These agents are protected with a password,
called a community string, to prevent unauthorized users from taking control of
a device. There are two types of community strings: a read-only string allows
information from the agent to be viewed, and a read-write string allows settings on the
device to be changed.

There were several security vulnerabilities with the use of community strings in
the first two versions of SNMP, known as SNMPv1 and SNMPv2. First, the default SNMP
community strings for read-only and read-write were public and private, respectively.
Administrators who did not change these default strings left open the possibility
of an attacker taking control of the network device. Also, community strings were
transmitted as cleartext with no attempt to encrypt the contents.

Because of the security vulnerabilities of SNMPv1 and SNMPv2, significant security
enhancements were made to the next (and now current) version known as SNMPv3.

SNMPv3 supports authentication and encryption. Authentication is used to ensure
that SNMPv3 information is available only to the intended recipient, while encryption
ensures that any messages cannot be read by threat actors.

Note

Because some applications require SNMP messages to be sent through the Internet, the
security features of authentication and encryption in SNMPv3 are essential.
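The community string really does travel in the clear, which is why an attacker with a protocol analyzer can read it and why a defender can audit captures for the defaults. The following added example (not the textbook's code) is a minimal BER decoder that pulls the version and community string out of raw SNMPv1/v2c bytes and flags "public" and "private"; the packets it decodes are constructed in the block, and the SNMPv3 message it contrasts them with carries a placeholder payload rather than real USM security parameters.

```python
"""Read the cleartext header of SNMPv1/v2c messages and flag default community strings.

Added example, not the textbook's code. All packets are constructed below (no real
capture); the SNMPv3 sample carries placeholder USM parameters and payload.
"""

from typing import Optional, Tuple

TAG_INTEGER = 0x02          # ASN.1 universal tags used in the SNMP message header
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30
TAG_GET_REQUEST = 0xA0      # context tag for GetRequest-PDU

DEFAULT_COMMUNITIES = {"public", "private"}
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value triple at pos; return (tag, value, next_pos).
    Handles short-form lengths (< 128) and long-form lengths (0x81 nn, 0x82 nn nn)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = number of length octets
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet: bytes) -> Tuple[str, Optional[str]]:
    """Return (version name, community string or None).
    In SNMPv1/v2c the second field of the outer SEQUENCE is the community string,
    an unencrypted OCTET STRING. In SNMPv3 that position holds msgGlobalData
    (a SEQUENCE), so there is no community string to read."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SNMP message must be a SEQUENCE")
    tag, raw_version, nxt = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(raw_version, "big")
    name = VERSION_NAMES.get(version, f"unknown({version})")
    tag, second, _ = read_tlv(body, nxt)
    if version in (0, 1) and tag == TAG_OCTET_STRING:
        return name, second.decode("latin-1")
    return name, None


def audit_snmp(packet: bytes) -> str:
    """One-line finding for a captured SNMP message, as a monitoring script would emit."""
    version, community = parse_snmp_header(packet)
    if community is None:
        return f"{version}: no cleartext community string"
    if community in DEFAULT_COMMUNITIES:
        return f"{version}: DEFAULT community string '{community}' sent in cleartext"
    return f"{version}: community string '{community}' sent in cleartext"


# --- constructed sample packets --------------------------------------------

def tlv(tag: int, body: bytes) -> bytes:
    """BER-encode one TLV (short-form length is enough for these small samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def snmpv2c_get(community: str,
                oid: bytes = b"\x2b\x06\x01\x02\x01\x01\x01\x00") -> bytes:
    """Build a v2c GetRequest for one OID (default: sysDescr.0 = 1.3.6.1.2.1.1.1.0)."""
    varbind = tlv(TAG_SEQUENCE, tlv(0x06, oid) + tlv(0x05, b""))       # OID, NULL value
    pdu = (tlv(TAG_INTEGER, b"\x00\x00\x00\x01")                      # request-id
           + tlv(TAG_INTEGER, b"\x00")                                 # error-status
           + tlv(TAG_INTEGER, b"\x00")                                 # error-index
           + tlv(TAG_SEQUENCE, varbind))                               # variable bindings
    return tlv(TAG_SEQUENCE,
               tlv(TAG_INTEGER, b"\x01")                               # version 1 = SNMPv2c
               + tlv(TAG_OCTET_STRING, community.encode())             # the community string
               + tlv(TAG_GET_REQUEST, pdu))


def snmpv3_message() -> bytes:
    """Outer SNMPv3 header with authPriv flags; USM params and scopedPDU are placeholders."""
    global_data = (tlv(TAG_INTEGER, b"\x00\x00\x00\x07")              # msgID
                   + tlv(TAG_INTEGER, b"\x00\xff\xe3")                 # msgMaxSize 65507
                   + tlv(TAG_OCTET_STRING, b"\x03")                    # msgFlags: authPriv
                   + tlv(TAG_INTEGER, b"\x03"))                        # USM security model
    return tlv(TAG_SEQUENCE,
               tlv(TAG_INTEGER, b"\x03")                               # version 3
               + tlv(TAG_SEQUENCE, global_data)
               + tlv(TAG_OCTET_STRING, b"\x30\x00")                    # empty USM params
               + tlv(TAG_OCTET_STRING, b"\xde\xad\xbe\xef"))           # encrypted scopedPDU
```

Running audit_snmp over a directory of captured UDP/161 payloads gives a quick inventory of which devices still answer to v1/v2c and which of those use the defaults.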

Figure 7-2 DNS lookup (user's computer; local DNS server 60.1.4.2; top-level DNS server
206.26.119.3, which knows COM = 10.35.83.77, EDU = 16.25.98.201, MIL = 29.1.4.78; the COM
server, which knows nashville.com = 206.23.119.3, microsoft.com = 34.89.45.2, atlanta.com =
230.79.21.43; the nashville.com server, which knows www.nashville.com = 158.24.3.9,
www.memphis.com = 35.6.89.10, www.knoxville.com = 211.65.78.9; Steps 1 to 5 as described
in the text)

Domain Name System (DNS)
The Domain Name System (DNS) is a TCP/IP protocol that resolves (maps) a symbolic
name (www.cengage.com) with its corresponding IP address (69.32.208.74). The most
popular implementation of DNS is BIND, or Berkeley Internet Name Domain. BIND
software is open source and is the most widely deployed DNS server software. The
current version is BIND9.

The DNS database is organized as a hierarchy (tree). Yet to store the entire database
of names and IP addresses in one location would present several problems. First, it
would cause a bottleneck and slow down the Internet with all users trying to access a
single copy of the database. Second, if something happened to this one database, the
entire Internet would be affected. Instead of being on a single server, the DNS database
is divided and distributed to many different servers on the Internet, each of which is
responsible for a different area of the Internet. The steps of a DNS lookup (which uses
TCP/IP port 53) are as follows, illustrated in Figure 7-2.

Step 1. The request for the IP address of the site www.nashville.com is first compared
against the local host table to determine if there is an entry. If no entry exists,
the request travels from the user's computer to the local DNS server that is part
of the LAN to which it is connected.

Step 2. The local DNS server does not know the IP address of www.nashville.com, yet it
does know the IP address of a DNS server that contains the top-level domains
and their IP numbers. A request is sent to this top-level domain DNS server.

Step 3. This top-level DNS server sends back the IP address of the DNS server that
contains information about addresses that end in .COM. The local DNS server
then sends a request to this second DNS server, which contains the IP address
of the DNS server that contains the information about nashville.com.

Step 4. After receiving back that information, the local DNS server contacts the third DNS
server responsible for nashville, which looks up the IP address of www.nashville.com.

Step 5. This information is finally returned to the local DNS server, which sends it back
to the user's computer.

Because of the important role it plays, DNS is often the focus of attacks. DNS
poisoning substitutes addresses so that the computer is redirected to another device
and is illustrated in this chapter's Today's Attacks and Defenses segment. That is, an
attacker replaces a valid IP address with a fraudulent IP address for a symbolic name.
Substituting a fraudulent IP address can be done in two different locations: the local
host table, or the external DNS server.
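The five lookup steps and the two poisoning locations, as an added example that is not the textbook's code: a small simulation of the lookup using the server addresses and zone data from Figure 7-2 (the attacker address 203.0.113.66 is made up). It shows that a poisoned host table entry is returned before any DNS server is ever asked, while a record poisoned on an external server is only reached at the end of the referral chain.

```python
"""Walk the DNS lookup of Figure 7-2 step by step and show where poisoning bites.

Added example, not the textbook's code. Server addresses and zone data are the
constructed values from Figure 7-2; 203.0.113.66 is a made-up attacker address.
"""

import copy
from typing import Dict, List, Optional, Tuple

LOCAL_DNS = "60.1.4.2"              # the LAN's local DNS server
TOP_LEVEL_DNS = "206.26.119.3"      # server that knows the top-level domains

# What each server knows. "NS:<ip>" means "ask that server" (a referral);
# a bare address is a final answer.
Zones = Dict[str, Dict[str, str]]
SERVERS: Zones = {
    TOP_LEVEL_DNS: {"com": "NS:10.35.83.77", "edu": "NS:16.25.98.201",
                    "mil": "NS:29.1.4.78"},
    "10.35.83.77": {"nashville.com": "NS:206.23.119.3",       # the COM server
                    "microsoft.com": "NS:34.89.45.2",
                    "atlanta.com": "NS:230.79.21.43"},
    "206.23.119.3": {"www.nashville.com": "158.24.3.9",       # nashville.com server
                     "www.memphis.com": "35.6.89.10",
                     "www.knoxville.com": "211.65.78.9"},
}


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot for dictionary lookups."""
    return name.lower().rstrip(".")


def query(servers: Zones, server_ip: str, name: str) -> Tuple[str, Optional[str]]:
    """Ask one server about name.

    Returns ("answer", ip), ("referral", next_server_ip) or ("nxdomain", None).
    The server matches the longest suffix it knows, so the COM server answers
    'www.nashville.com' with its referral for 'nashville.com' (Step 3).
    """
    zone = servers[server_ip]
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        value = zone.get(suffix)
        if value is None:
            continue
        if value.startswith("NS:"):
            return "referral", value[3:]
        if suffix == name:
            return "answer", value
    return "nxdomain", None


def resolve(name: str, host_table: Dict[str, str], servers: Zones = SERVERS,
            max_hops: int = 8) -> Tuple[Optional[str], List[str]]:
    """Resolve name the way Steps 1-5 describe; return (ip, path taken).

    Step 1: the local host table wins outright, so a poisoned entry there is never
    checked against any DNS server. Otherwise the local DNS server starts at the
    top-level server and follows referrals until it gets an answer (Steps 2-5).
    """
    name = normalize(name)
    hosts = {normalize(k): v for k, v in host_table.items()}
    if name in hosts:
        return hosts[name], ["host table"]
    path = [f"local DNS server {LOCAL_DNS}"]
    server = TOP_LEVEL_DNS
    for _ in range(max_hops):
        kind, value = query(servers, server, name)
        path.append(f"{server}: {kind} {value}")
        if kind == "answer":
            return value, path
        if kind == "nxdomain" or value not in servers:
            return None, path
        server = value
    raise LookupError("referral loop exceeded max_hops")


def poison_server(servers: Zones, server_ip: str, name: str, fake_ip: str) -> Zones:
    """Model the second poisoning location: a record changed on an external DNS server.
    Returns a modified copy so the genuine data stays intact for comparison."""
    poisoned = copy.deepcopy(servers)
    poisoned[server_ip][normalize(name)] = fake_ip
    return poisoned


if __name__ == "__main__":
    print(resolve("www.nashville.com", {}))                                   # genuine chain
    print(resolve("www.nashville.com", {"www.nashville.com": "203.0.113.66"}))  # host table
    bad = poison_server(SERVERS, "206.23.119.3", "www.nashville.com", "203.0.113.66")
    print(resolve("www.nashville.com", {}, bad))                              # external server
```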

Note

DNS poisoning is covered in Chapter 5.

DNS poisoning can be thwarted by using Domain Name System Security Extensions
(DNSSEC), which is fully supported in BIND9. DNSSEC adds additional resource records
(these records define the data types being used) and message header information, which
can be used to verify that the requested data has not been altered in transmission. Using
asymmetric cryptography, a private key that is specific to a zone is used in encrypting a
hash of a set of resource records, which is then used to create the digital signature to be
stored in the resource record (along with the corresponding public key).
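The signing step just described, as an added example that is not the textbook's code: a zone key signs the SHA-256 hash of a canonical resource record set and a resolver verifies it with the published public key, so an address altered in transit fails the check. It uses textbook RSA with a toy-sized key (two 20-bit primes) so it runs on the Python standard library alone; real DNSSEC uses 2048-bit RSA or ECDSA keys and a richer record format, and the addresses are the constructed ones from Figure 7-2 plus a made-up attacker address.

```python
"""Sign and verify a DNS resource record set the way a DNSSEC RRSIG does.

Added example, not the textbook's code. Toy-sized RSA key so it runs on the
standard library alone; real zones use 2048-bit RSA or ECDSA keys.
"""

import hashlib
from typing import List, Tuple

RRset = List[Tuple[str, int, str, str]]      # (owner name, TTL, type, rdata)

# Toy zone signing key. p and q are real primes but far too small for real use.
_P, _Q = 999983, 1000003
ZONE_MODULUS = _P * _Q                        # published in the zone's DNSKEY record
PUBLIC_EXPONENT = 65537                       # also published in DNSKEY
_PRIVATE_EXPONENT = pow(PUBLIC_EXPONENT, -1, (_P - 1) * (_Q - 1))  # stays with the zone owner


def canonical_form(rrset: RRset) -> bytes:
    """Serialize an RRset so signer and verifier hash identical bytes: lower-case,
    fully qualified owner names and a sorted record order (DNSSEC does the same)."""
    lines = sorted(f"{name.lower().rstrip('.')}. {ttl} {rtype} {rdata}"
                   for name, ttl, rtype, rdata in rrset)
    return "\n".join(lines).encode()


def rrset_digest(rrset: RRset) -> int:
    """SHA-256 over the canonical RRset, reduced into the toy modulus.
    (Real RSA signatures pad the hash rather than reducing it; the reduction is
    only here to keep the toy key workable.)"""
    digest = hashlib.sha256(canonical_form(rrset)).digest()
    return int.from_bytes(digest, "big") % ZONE_MODULUS


def sign_rrset(rrset: RRset) -> int:
    """Zone owner: the signature field of the RRSIG covering this RRset."""
    return pow(rrset_digest(rrset), _PRIVATE_EXPONENT, ZONE_MODULUS)


def verify_rrset(rrset: RRset, signature: int, modulus: int = ZONE_MODULUS,
                 exponent: int = PUBLIC_EXPONENT) -> bool:
    """Resolver: undo the signature with the public key and compare against the
    digest of the RRset actually received. Any altered address fails here."""
    return pow(signature, exponent, modulus) == rrset_digest(rrset)


# Constructed zone data; the address is the one Figure 7-2 gives for www.nashville.com.
WWW_NASHVILLE_A: RRset = [("www.nashville.com", 3600, "A", "158.24.3.9")]
# What a poisoned server would hand out (203.0.113.66 is a made-up attacker address).
POISONED_A: RRset = [("www.nashville.com", 3600, "A", "203.0.113.66")]

if __name__ == "__main__":
    rrsig = sign_rrset(WWW_NASHVILLE_A)
    print("genuine RRset verifies:", verify_rrset(WWW_NASHVILLE_A, rrsig))   # True
    print("poisoned RRset verifies:", verify_rrset(POISONED_A, rrsig))       # False
```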

Note

DNSSEC is now widely implemented. About 89 percent of top-level domain (TLD) zones
are signed with digital signatures, and four out of every five requests from a client for a DNS
record request DNSSEC digital signature records.²

A second attack using DNS is almost the reverse of DNS poisoning; instead of
sending a zone transfer to a valid DNS server, an attacker asks the valid DNS server for
a zone transfer, known as a DNS transfer. With this information, it would be possible
for the attacker to map the entire internal network of the organization supporting
the DNS server. A zone transfer could also contain hardware and operating system
information for each network device, providing the attacker with even more valuable
information.

File Transfer Protocol (FTP)
In its early days, prior to the development of the World Wide Web and Hypertext
Transfer Protocol (HTTP), the Internet was primarily a medium for transferring
files from one device to another. Today transferring files is still an important task.
Transferring files can be performed using the File Transfer Protocol (FTP), which is an
unsecure TCP/IP protocol. FTP is used to connect to an FTP server, much in the same
way that HTTP links to a web server.

Note

A light version of FTP known as Trivial File Transfer Protocol (TFTP) uses a small amount
of memory, but has limited functionality. It is often used for the automated transfer of
configuration files between devices.

Note

FTP servers can be configured to allow unauthenticated users to transfer files, known as
anonymous FTP or blind FTP.

There are several different methods for using FTP on a local computer:

From a command prompt. Commands can be typed at an operating system
prompt, such as ls (list files), get (retrieve a file from the server), and put (transfer
a file to the server).

Using a web browser. Instead of prefacing a URL with the protocol http://, the FTP
protocol is entered with a preface of ftp://.

Using an FTP client. A separate FTP client application can be installed that displays
files on the local host as well as the remote server. These files can be dragged and
dropped between devices. The FTP client FileZilla is shown in Figure 7-3.

Using FTP behind a firewall can present a set of challenges. FTP typically uses two
ports: TCP port 21 is the FTP control port used for passing FTP commands, and TCP
port 20 is the FTP data port through which data is sent and received. Using FTP active
mode, an FTP client initiates a session to a server by opening a command channel
connection to the server's TCP port number 21. A file transfer is requested by the client
by sending a PORT command to the server, which then attempts to initiate a data
channel connection back to the client on TCP port 20. The client's firewall, however,
might see this data channel connection request from the server as unsolicited and
drop the packets. This can be avoided by using FTP passive mode. In passive mode, the
client initiates the data channel connection, yet instead of using the PORT command,
the client sends a PASV command on the command channel. The server responds with
the TCP port number to which the client should connect to establish the data channel
(typically port 1025 to 5000).
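The PORT and PASV exchange described above, decoded as an added example (not the textbook's code): it parses constructed control-channel lines, reports which side opens the data channel and why a client-side firewall treats the active-mode connection as unsolicited, and checks the PASV port against the 1025 to 5000 range the text quotes, the kind of rule a firewall restricted to the FTP service's passive range would apply.

```python
"""Decode FTP PORT commands and PASV replies to see who opens the data channel.

Added example, not the textbook's code. Sample lines are constructed; the
1025-5000 passive range is the one the chapter quotes.
"""

import re
from typing import NamedTuple, Optional, Tuple

PASSIVE_RANGE = (1025, 5000)


class DataChannel(NamedTuple):
    mode: str          # "active" or "passive"
    host: str          # address the data connection is made to
    port: int
    initiator: str     # "server" (active) or "client" (passive)


# h1,h2,h3,h4,p1,p2: four address octets and a port encoded as p1*256 + p2
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\s.*?\(" + _SIX + r"\)")


def _decode(groups: Tuple[str, ...]) -> Tuple[str, int]:
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("h1-h4 and p1-p2 must each be 0-255")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_control_line(line: str) -> Optional[DataChannel]:
    """Return the data channel implied by one control-channel line, or None
    for lines that do not set one up (USER, PASV itself, 150, 226, ...)."""
    m = _PORT_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        # Active mode: the server connects from its port 20 to the client's chosen port.
        return DataChannel("active", host, port, "server")
    m = _PASV_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        # Passive mode: the client connects out to the port the server announced.
        return DataChannel("passive", host, port, "client")
    return None


def client_firewall_verdict(ch: DataChannel) -> str:
    """What a stateful firewall in front of the client sees for the data connection."""
    if ch.mode == "active":
        return f"DROP: unsolicited inbound connection to client {ch.host}:{ch.port}"
    return f"ALLOW: client-initiated outbound connection to {ch.host}:{ch.port}"


def server_firewall_verdict(ch: DataChannel,
                            passive_range: Tuple[int, int] = PASSIVE_RANGE) -> str:
    """Server-side rule from the chapter's note: admit inbound data connections
    only on the port range the FTP service has been restricted to."""
    if ch.mode != "passive":
        return "n/a: active mode opens no inbound connection to the server"
    low, high = passive_range
    if low <= ch.port <= high:
        return f"ALLOW: port {ch.port} is within passive range {low}-{high}"
    return f"DROP: port {ch.port} is outside passive range {low}-{high}"


if __name__ == "__main__":
    for line in ("PORT 192,168,1,10,7,138",                        # constructed client command
                 "227 Entering Passive Mode (203,0,113,5,4,1).",   # constructed server reply
                 "227 Entering Passive Mode (203,0,113,5,195,136)"):
        ch = parse_control_line(line)
        print(line, "->", ch, "|", client_firewall_verdict(ch), "|", server_firewall_verdict(ch))
```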

Figure 7-3 FTP client (Source: FileZilla)

Several security vulnerabilities are associated with using FTP. First, FTP does
not use encryption, so any user names, passwords, and files being transferred are
in cleartext and could be accessed by using a protocol analyzer. Also, files being
transferred by FTP are vulnerable to man-in-the-middle attacks where data is
intercepted and then altered before being sent to the destination.

There are two options for secure transmissions over FTP. FTP Secure (FTPS)
uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt
commands sent over the control port (port 21) in an FTP session. FTPS is a file
transport layer resting on top of SSL or TLS, meaning that it uses the FTP protocol
to transfer files to and from SSL- or TLS-enabled FTP servers. However, a weakness
of FTPS is that although the control port commands are encrypted, the data port
(port 20) may or may not be encrypted. This is because a file that has already been
encrypted by the user would not need to be encrypted again by FTPS and incur the
additional overhead.

The second option is to use Secure FTP (SFTP). There are several differences between
SFTP and FTPS. First, FTPS is a combination of two technologies (FTP and SSL or TLS),
whereas SFTP is an entire protocol itself and is not pieced together with multiple parts.
Second, SFTP uses only a single TCP port instead of two ports like FTPS. Finally, SFTP
encrypts and compresses all data and commands (FTPS might not encrypt data).

Secure Email Protocols
Proof that the email protocols POP and IMAP are not secure can be seen by the large
number of high-profile celebrities and politicians whose careers have been damaged
or destroyed by the theft of cleartext email messages. And this also highlights the fact
that due to the inconvenience of encrypting email messages, few users encrypt their
messages.

Securing email messages involves the transmission of the messages as well
as the storage of those messages. Whereas Secure/Multipurpose Internet Mail
Extensions (S/MIME) is a protocol for securing email messages, it has limitations.
S/MIME cannot be used when mail is accessed through a web browser instead of
through a dedicated email application. Also, because S/MIME encrypts the entire
message, this makes it difficult for any third-party tools that inspect email for
malware because it also would be encrypted.

Note

Increased security can be established by restricting the port range used by the FTP
service and then creating a firewall rule that allows FTP traffic only on those allowed port
numbers.

Because email protocols are not secure and most users find encrypting and
decrypting email cumbersome, some enterprises and government agencies automate
the process. All emails are routed through a gateway appliance that automatically
encrypts and decrypts messages (but only those messages to and from users within
the enterprise).

Note

POP, IMAP, and S/MIME are covered in Chapter 6.

Note

Some automatic encryption services encrypt any emails that have the word Secure in the
subject line. Users can also register a personal email address so that forwarded encrypted
emails can be read.

Using Secure Network Protocols
Different applications require different secure network protocols. Several of the
recommended protocols for specific applications or technologies are summarized in
Table 7-1.

Table 7-1 Secure network protocol recommendations

    Application or technology      Recommended secure protocol
    Voice and video                Secure Real-time Transport Protocol (SRTP)
    Time synchronization           Network Time Protocol (NTP)
    Email                          Secure/Multipurpose Internet Mail Extensions (S/MIME)
    Web browsing                   Hypertext Transport Protocol Secure (HTTPS)
    File transfer                  Secure FTP (SFTP)
    Remote access                  Virtual Private Network (VPN)
    Domain name resolution         DNS Security Extensions (DNSSEC)
    Routing and switching          IP Security (IPsec)
    Network address translation    IP Security (IPsec)
    Subscription services          IP Security (IPsec)

Placement of Security Devices and Technologies
Certification: 3.2 Given a scenario, implement secure network architecture concepts.

Note

On peak days, the online retailer Amazon sells over 600 items each second, or over 54 million
items daily.³

The use of network devices, whether it be using the security features found in
standard networking devices like bridges, switches, routers, load balancers, and
proxies, or using hardware designed primarily for security such as firewalls, virtual
private network concentrators, mail gateways, network intrusion detection and
prevention systems, and security information and event management (SIEM) devices,
is absolutely essential in protecting a network. Whereas improperly configured devices
can introduce vulnerabilities, so too can the incorrect placement of these devices
within the network. The protection that a firewall provides, for example, can easily be
negated if that device is not in the proper location in the network architecture.

The recommended placement for security devices and technologies includes:

SSL/TLS accelerator. In many instances an SSL/TLS accelerator is a separate
hardware card that inserts into a web server that contains one or more
co-processors to handle SSL/TLS processing. In settings such as a large online
retailer selling millions of items daily, a separate SSL/TLS hardware module can
be installed as a virtual SSL/TLS server alongside the forward proxy server
between the users device and the web servers.

Taps and port mirrors. Although a switch limits the frames that are sent to
devices, it is still important for a network administrator to be able to monitor
network traffic. Monitoring traffic on switches generally can be done in two
ways. First, a managed switch on an Ethernet network that supports port
mirroring allows the administrator to configure the switch to copy traffic that
occurs on some or all ports to a designated monitoring port on the switch.
Port mirroring is illustrated in Figure 7-4, where the monitoring computer is
connected to the mirror port and can view all network traffic moving through the
switch (the monitoring computer can be a standalone device or a computer that
runs protocol analyzer software). A second method for monitoring traffic is to
install a network tap (test access point). A network tap is a separate device that
can be installed on the network. A network tap is illustrated in Figure 7-5.

Figure 7-4 Port mirroring (Internet link into a network switch with a mirror port; the network
analyzer is connected to the mirror port while the remaining ports connect to the network)

Figure 7-5 Network tap (the network tap sits inline between the Internet link and the network
switch, with the network analyzer connected to the tap; the switch connects to the internal
network)

Sensors, collectors, and filters. The location of sensors to monitor traffic (for
network intrusion detection and prevention devices), collectors to gather traffic
(for SIEM devices), and filters to block traffic (for Internet content filters) should
be placed in the network where the stream of data is largest, allowing them to
view, gather, or block traffic. In Figure 7-6 locating a sensor/collector/filter at
Location 1 behind the first firewall would allow monitoring traffic between the
internal network and the Internet but would miss traffic between the Internet
and DMZ, so that an attack on a web server would be missed. If devices were
placed in Location 2 between the first firewall and the DMZ they would miss
traffic between the Internet and the internal network. However, placing the
sensor/collector/filter at Location 3 would allow them to view all traffic from
the Internet and DMZ and the internal network, providing a higher degree of
visibility and protection.

Note

A network tap is generally best for high-speed networks that have a large volume of traffic,
while port mirroring is better for networks with light traffic.

Note

Having a sensor/collector/filter at Location 3 still leaves a blind spot: the traffic between the
DMZ and internal network could not be monitored. Therefore, multiple sensor/collector/filter
devices are needed.

Figure 7-6 Sensor/collector/filter locations (figure elements: Internet, router, two firewalls, a DMZ switch serving a web server and an email server, an internal network switch serving a database server and an application server, and the three candidate Locations 1, 2, and 3)

Aggregation switch. As its name implies, an aggregation switch is used to
combine multiple network connections into a single link. An example of a device
that performs a function like an aggregation switch is a load balancer. Aggregation
switches, like load balancers, should be located between routers and servers,
where they can detect and stop attacks directed at a server or application.

Correlation engine. Like a SIEM, a correlation engine aggregates and correlates
content from different sources to uncover an attack. Correlation engines should
be in the protected internal network using data collected from the logs of
different hardware devices.


DDoS mitigator. A DDoS mitigator is a hardware device that identifies and blocks
real-time distributed denial of service (DDoS) attacks. These devices should be in
the network where they can monitor the largest stream of data.

Note

The placement of proxies, firewalls, load balancers, and VPN concentrators is covered in
Chapter 6.

Analyzing Security Data
Certification

2.4 Given a scenario, analyze and interpret output from security technologies.

Data accumulated by a network or computer can be extremely valuable. Much of the
data is accumulated into a log, which is a record of events that occur. Security logs
are particularly important because they can reveal the types of attacks that are being
directed at the network and if any of the attacks were successful. A security access log
can provide details regarding requests for specific files on a system while an audit log
is used to record which user performed what actions. System event logs document
any unsuccessful events and the most significant successful events (some system
event logs can be tailored to specify the types of events that are recorded). The types
of information that can be recorded might include the date and time of the event, a
description of the event, its status, error codes, service name, and the user or system
responsible for launching the event.

This security data can be analyzed to sound an alert of an attack as well as to later
determine how the attack occurred and what can be done to prevent similar future
attacks. Other ways in which logs can benefit enterprises include:

A routine review and analysis of logs helps to identify security incidents, policy
violations, fraudulent activity, and operational problems shortly after they have
occurred.

Logs can be useful for performing auditing analysis, supporting the
organization's internal investigations, and identifying operational trends and
long-term problems.

Logs can provide documentation that the organization is complying with laws
and regulatory requirements.

Data can be accumulated by security devices, security software, and security tools,
but there are also some issues involved in the analysis of security data.


Data from Security Devices
Virtually every hardware device designed primarily for security can generate logs,
including host-based intrusion detection systems (HIDS), host-based intrusion
prevention systems (HIPS), Unified Threat Management (UTM) systems, web
application firewalls, host-based firewalls, and to a lesser degree standard networking
devices such as bridges, switches, routers, load balancers, and proxies. For example,
the types of items that could be examined in a firewall log include:

IP addresses that are being rejected and dropped. It is not uncommon for the
owner of a firewall to track down the owner of the site from which the packets
are originating and ask why someone at his site is probing these ports. The
owner may be able to pinpoint the perpetrator of the probe, even if the owner is
an Internet Service Provider (ISP).

Probes to ports that have no application services running on them. Attackers often
try to determine if specific ports are already in use to target them for attack. If
several probes appear directed at an obscure port number, it may be necessary to
investigate if malware is associated with it.

Source-routed packets. Packets with a source address internal to the network
but that originate from outside the network could indicate that an attacker
is attempting to spoof an internal address to gain access to the internal
network.

Suspicious outbound connections. Outbound connections from a public web
server could be an indication that an attacker is launching attacks against others
from the web server.

Unsuccessful logins. If several unsuccessful logins come from the same domain, it
may be necessary to create a new rule to drop all connections from that domain
or IP address.
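As an added Python example (not from the textbook), the script below applies the five firewall-log checks just listed to a handful of constructed log lines; the key=value log format, the address ranges, the list of listening ports, and the thresholds are all assumptions for the demonstration.

```python
"""Triage of a firewall log for the five indicators listed above.

Added example, not from the textbook. The key=value log format, the address
ranges, and the thresholds are constructed for this demonstration; real
firewalls use vendor-specific formats.
"""
import ipaddress
from collections import Counter

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
2017-08-10T12:09:01 action=DROP dir=in src=203.0.113.5 dst=198.51.100.10 dport=23
2017-08-10T12:09:02 action=DROP dir=in src=203.0.113.5 dst=198.51.100.10 dport=2049
2017-08-10T12:09:03 action=DROP dir=in src=203.0.113.5 dst=198.51.100.10 dport=2049
2017-08-10T12:09:04 action=DROP dir=in src=203.0.113.7 dst=198.51.100.10 dport=2049
2017-08-10T12:09:05 action=ACCEPT dir=in src=192.0.2.44 dst=198.51.100.10 dport=443
2017-08-10T12:09:06 action=DROP dir=in src=10.0.0.9 dst=198.51.100.10 dport=445
2017-08-10T12:09:07 action=ACCEPT dir=out src=198.51.100.10 dst=192.0.2.99 dport=6667
2017-08-10T12:09:08 action=AUTH_FAIL dir=in src=203.0.113.9 dst=198.51.100.20 dport=22
2017-08-10T12:09:09 action=AUTH_FAIL dir=in src=203.0.113.9 dst=198.51.100.20 dport=22
2017-08-10T12:09:10 action=AUTH_FAIL dir=in src=203.0.113.9 dst=198.51.100.20 dport=22
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
LISTENING_PORTS = {22, 80, 443}          # ports with an application service behind them
PUBLIC_WEB_SERVERS = {"198.51.100.10"}   # hosts that should answer requests, not start them
PROBE_THRESHOLD = 3                      # "several probes" directed at one unused port
LOGIN_FAIL_THRESHOLD = 3                 # "several unsuccessful logins" from one source


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": parts[0]}
    for field in parts[1:]:
        if "=" not in field:
            return None
        key, value = field.split("=", 1)
        event[key] = value
    if any(k not in event for k in ("action", "dir", "src", "dport")):
        return None
    try:
        event["dport"] = int(event["dport"])
    except ValueError:
        return None
    return event


def is_internal(addr):
    """True when the address belongs to one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def triage(log_text):
    """Return the five indicator categories from the chapter as a dict."""
    dropped = Counter()            # rejected/dropped source addresses
    port_probes = Counter()        # inbound traffic to ports with no service
    spoofed = []                   # internal source address arriving from outside
    suspicious_outbound = []       # public server initiating outbound connections
    failed_logins = Counter()      # unsuccessful logins per source

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["action"] == "DROP":
            dropped[ev["src"]] += 1
        if ev["dir"] == "in" and ev["dport"] not in LISTENING_PORTS:
            port_probes[ev["dport"]] += 1
        if ev["dir"] == "in" and is_internal(ev["src"]):
            spoofed.append(ev)
        if ev["dir"] == "out" and ev["src"] in PUBLIC_WEB_SERVERS:
            suspicious_outbound.append(ev)
        if ev["action"] == "AUTH_FAIL":
            failed_logins[ev["src"]] += 1

    return {
        "dropped_sources": dict(dropped),
        "probed_unused_ports": {p: n for p, n in port_probes.items() if n >= PROBE_THRESHOLD},
        "spoofed_internal": spoofed,
        "suspicious_outbound": suspicious_outbound,
        # sources that are candidates for a new drop rule, as the text suggests
        "block_candidates": sorted(s for s, n in failed_logins.items()
                                   if n >= LOGIN_FAIL_THRESHOLD),
    }


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(f"{category}: {hits}")
```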

Network device logs that provide the most beneficial security data, in order of
importance, are listed in Table 7-2.

Table 7-2 Device logs with beneficial security data (Device / Explanation)

Firewalls. Firewall logs can be used to determine whether new IP addresses are
attempting to probe the network and if stronger firewall rules are necessary to
block them. Outgoing connections, incoming connections, denied traffic, and
permitted traffic should all be recorded.

Host-based intrusion detection systems (HIDS) and host-based intrusion prevention
systems (HIPS). Intrusion detection and intrusion prevention systems record
detailed security log information on suspicious behavior as well as any attacks
that are detected. In addition, these logs also record any actions used to stop
the attacks.

Web servers. Web servers are usually the primary target of attackers. Web server
logs can provide valuable information about the type of attack that can help in
configuring good security on the server.

DHCP servers. DHCP server logs can identify new systems that mysteriously appear
and then disappear as part of the network. They can also show what hardware
device had which IP address at a specific time.

VPN concentrators. VPN logs can be monitored for attempted unauthorized access
to the network.

Proxies. As intermediate hosts through which websites are accessed, these devices
keep a log of all URLs that are accessed through them. This information can be
useful when determining if a zombie is calling home.

Domain Name System (DNS). A DNS log can show all queries that are received. Some
DNS servers also can create logs for error and alert messages.

Email servers. Email servers can show the latest malware attacks that are being
launched using attachments.

Routers and switches. Router and switch logs provide general information about
network traffic.

Data from Security Software
In addition to hardware devices generating data, security software can also produce
important data that can be analyzed. At the very heart of a data loss prevention (DLP)
system is logging and monitoring who is using the data and how it is being accessed. A
user who repeatedly attempts to send sensitive data by email through a mail gateway
or to copy the files to a USB flash drive can be flagged. Data Execution Prevention (DEP)
is a Microsoft Windows feature that prevents attackers from using buffer overflow to
execute malware. DEP events and those from similar software can be logged along with
the level of severity, such as information (logging the software is starting), warning
(when configuration changes are made), and alert (an active attack has been blocked).
File integrity check (FIC) is a service that can monitor any changes made to computer
files, such as operating system files. These changes can compromise security and
indicate a security breach has occurred, and are routinely included in FIC log files.

Note

Because in modern operating systems, system files are routinely modified in the normal course
of the computer's operation, an FIC system must be highly customizable, allowing the user to
choose which folders and files to monitor and manage the type of alerts that are generated.


Data from Security Tools
There are other security tools that can produce output to be analyzed. Several of these
tools are listed in Table 7-3.

Table 7-3 Security tools (Tool / Description / Explanation)

Application whitelisting
Description: An application whitelist is an inventory of applications and
associated components (libraries, configuration files, etc.) that have been
pre-approved and authorized to be active and present on the device.
Explanation: Unlike most security technologies such as a firewall that attempts
to block known malicious activity while permitting all others, application
whitelisting technologies are designed to permit only known good activity and
block everything else.

Removable media control
Description: Removable media control is a tool that can be used to restrict
which removable media, such as USB flash drives, can be attached to a system.
Explanation: Because removable media can not only introduce malware into a
system but also can be used to steal valuable information, removable media
control can help prevent these vulnerabilities.

Advanced malware management
Description: Often a third-party service, advanced malware management tools
monitor a network for any unusual activity.
Explanation: Advanced malware management tools often use experience-based
techniques such as heuristic monitoring to determine if a threat exists.

Issues in Analyzing Security Data
There are issues associated with log management, or generating, transmitting, storing,
analyzing, and disposing of computer security log data. This is due to:

Multiple devices generating logs. As noted, virtually every network device, both
standard network devices and network security devices, can create logs. And
each device might interpret an event in a different context, so that a router looks
at a single event differently than a firewall does. This can create a confusing mix
of log data.

Very large volume of data. Because each device generates its own data, a very
large amount of log data can accumulate in a very short period. In addition,
many devices record all events, even those that are not security-related, which
increases even more the amount of data that is generated. Filtering through this
large volume of data can be overwhelming.

Different log formats. Perhaps the biggest obstacle to log management is
that different devices record log information in different formats and even
with different data captured. Combining multiple logs, each with a different format,
can be a major challenge.


One solution to log management is to use a centralized device log analyzer. These
systems are designed to collect and consolidate logs from multiple sources for easy
analysis. An example of a centralized device log manager is illustrated in Figure 7-7.

Figure 7-7 Centralized device log analyzer
Source: ManageEngine.com
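An added Python example (not the textbook's or ManageEngine's code) of the core job a centralized log analyzer does with the problem just described: two constructed log formats, a key=value firewall log and a syslog-style VPN log, are parsed into one common record layout, and a correlation rule then looks across both sources for the same remote address. The formats, addresses, assumed year for the syslog lines, and the five-minute window are assumptions.

```python
"""Normalizing different log formats and correlating across them.

Added example, not from the textbook or any vendor product. Two constructed
log formats are parsed into one common record layout (timestamp, source
device, remote address, event, outcome), then a correlation rule looks for a
remote address that more than one device has denied within a time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed samples: a key=value firewall log and a syslog-style VPN log.
FIREWALL_LOG = """\
2017-08-10T12:09:01 action=DROP src=203.0.113.9 dst=198.51.100.10 dport=22
2017-08-10T12:09:02 action=ACCEPT src=192.0.2.44 dst=198.51.100.10 dport=443
2017-08-10T12:09:03 action=DROP src=203.0.113.9 dst=198.51.100.10 dport=23
"""
VPN_LOG = """\
Aug 10 12:09:40 vpn1 ike: authentication failed for user alice from 203.0.113.9
Aug 10 12:09:55 vpn1 ike: authentication failed for user bob from 203.0.113.9
Aug 10 12:10:02 vpn1 ike: tunnel established for user carol from 192.0.2.44
"""
YEAR = 2017   # syslog lines carry no year; assumed for the constructed sample

FW_RE = re.compile(r"(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                   r"dst=\S+ dport=(?P<dport>\d+)")
VPN_RE = re.compile(r"(?P<mon>\w{3}) (?P<day>\d+) (?P<time>[\d:]+) (?P<host>\S+) "
                    r"ike: (?P<msg>.*) from (?P<src>\S+)")


def parse_firewall(line):
    """Firewall key=value line -> common record, or None if it does not match."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall",
            "src_ip": m["src"], "event": f"port {m['dport']}",
            "outcome": "denied" if m["action"] == "DROP" else "allowed"}


def parse_vpn(line):
    """Syslog-style VPN line -> common record, or None if it does not match."""
    m = VPN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": "vpn", "src_ip": m["src"], "event": m["msg"],
            "outcome": "denied" if "failed" in m["msg"] else "allowed"}


def normalize(firewall_text, vpn_text):
    """Apply each source's parser and merge into one time-ordered record list."""
    records = [parse_firewall(line) for line in firewall_text.splitlines()]
    records += [parse_vpn(line) for line in vpn_text.splitlines()]
    return sorted((r for r in records if r), key=lambda r: r["ts"])


def correlate(records, window=timedelta(minutes=5), min_sources=2):
    """Map each address denied by >= min_sources devices within `window`
    to the sorted list of devices that denied it."""
    denied = defaultdict(list)
    for r in records:
        if r["outcome"] == "denied":
            denied[r["src_ip"]].append(r)
    alerts = {}
    for ip, events in denied.items():
        events.sort(key=lambda r: r["ts"])
        for i, first in enumerate(events):
            inside = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["source"] for e in inside}
            if len(sources) >= min_sources:
                alerts[ip] = sorted(sources)
                break
    return alerts


if __name__ == "__main__":
    recs = normalize(FIREWALL_LOG, VPN_LOG)
    for r in recs:
        print(r["ts"], r["source"], r["src_ip"], r["outcome"], r["event"])
    print("alerts:", correlate(recs))
```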

A greater issue is that too often this data is used only after the fact: that is, data
is analyzed to determine how an attack occurred but not to prevent an attack. As threat
actors continue to modify their attacks so that no two attacks appear the same, it is
increasingly difficult for enterprises, relying upon traditional static signature-based
solutions, to identify a modified attack that has not appeared before. Many enterprises
are victims of attacks but are not even aware of it, because their signature-based
security tools did not detect it.

Note

Per one study, it takes an enterprise an average of 229 days before it knows that it has been
compromised.4


However, that is now beginning to change. An analytics-based approach is
becoming increasingly important. Using data gathered from multiple hardware
devices, software security applications, and security tools, an analytics-based approach
attempts to differentiate between the false positives and false negatives that are often
reported by popular network monitoring tools. Applying statistical behavioral analytics
to the data can better identify attacks as they occur to block them.

Note

A new CompTIA certification called Cybersecurity Analyst+ (CSA+) builds upon the foundational
knowledge gained from the Security+ certification to help security professionals learn to
use this analytics-based approach. The formal description of the CSA+ exam is, "This exam
will certify that the successful candidate has the knowledge and skills required to configure
and use threat detection tools, perform data analysis, and interpret the results to identify
vulnerabilities, threats, and risks to an organization with the end goal of securing and
protecting applications and systems within an organization." Additional information can be
found at https://certification.comptia.org/certifications/cybersecurity-analyst.

Managing and Securing Network Platforms
Certification

2.1 Install and configure network components, both hardware- and software-based, to
support organizational security.

3.2 Given a scenario, implement secure network architecture concepts.

3.7 Summarize cloud and virtualization concepts.

Some applications and platforms require special security considerations. These include
virtualization, cloud computing, and software defined networking.

Virtualization
Virtualization is a means of managing and presenting computer resources by function
without regard to their physical layout or location. One type of virtualization in which an
entire operating system environment is simulated is known as host virtualization. Instead
of using a physical computer, a virtual machine, which is a simulated software-based
emulation of a computer, is created. The host system (the operating system installed
on the computer's hardware) runs a virtual machine monitor program that supports one or
more guest systems (a foreign virtual operating system) that run applications. For example,
a computer that boots to Windows 10 (host) could support a virtual machine of Linux
(guest) as well as Windows 8 (guest) or another Windows 10 (guest) system.

Note

Virtualization is used extensively to consolidate network and web servers so that multiple virtual
servers can run on a single physical computer. Because a typical server utilizes only about 10 percent
of its capacity, there is excess capacity for running virtual machines on a physical server.

The virtual machine monitor program is called a hypervisor, which manages the
virtual machine operating systems. Hypervisors use a small layer of computer code
in software or firmware to allocate resources in real time as needed, such as input/
output functions and memory allocations. There are two types of hypervisors:

Type I. Type I hypervisors run directly on the computer's hardware instead
of on an underlying operating system. Type I hypervisors are sometimes called
native or bare metal hypervisors.

Type II. Instead of running directly on the computer hardware, Type II
hypervisors run on the host operating system, much like a regular application.
Type I and Type II hypervisors are illustrated in Figure 7-8.

Figure 7-8 Type I and Type II hypervisors (figure: on the left, hardware, a Type I hypervisor, and Guest 1 OS and Guest 2 OS each running an application; on the right, hardware, a host OS, a Type II hypervisor, and Guest 1 OS and Guest 2 OS each running an application)

Note

Initially, Type II hypervisors, which run on a host operating system, were popular because
network administrators could purchase a Type II hypervisor and install it on an existing file
server. However, Type I hypervisors are now more widely used because they provide better
performance, as they do not have to rely on the underlying host operating system.


An even more reduced instance of virtualization is a container or application cell.
With both Type I and Type II hypervisors, the entire guest operating system must be
started and fully functioning before an application can be launched. A container, on
the other hand, holds only the necessary operating system components (such as binary
files and libraries) that are needed for that specific application to run. And in some
instances, containers can even share binary files and libraries. This not only reduces
the necessary hard drive storage space and Random Access Memory (RAM) needed but
also allows for containers to start more quickly because the entire operating system
does not have to be started. Containers can be easily moved from one computer to
another. These are illustrated in Figure 7-9.

Figure 7-9 Containers (figure: hardware, host OS, container engine, binaries and libraries, and applications, each application running in its own container)

Another application of virtual machines is known as Virtual Desktop Infrastructure
(VDI). VDI is the process of running a user desktop inside a virtual machine that
resides on a server. This enables personalized desktops for each user to be available on
any computer or device that can access the server. From the user's standpoint, their
personalized desktop and files can be accessed from almost any location, as if they were
sitting at their own computer. From the enterprise's perspective, VDI allows centralized
management of all virtual desktops (as opposed to the need for technical support
personnel to access a system remotely or even visit a user's desk to troubleshoot), saving
substantial time and money. Another application is Virtual Distributed Ethernet (VDE).
VDE is an Ethernet-compliant virtual network that can connect physical computers
and/or virtual machines together. For example, a VDE can be used to connect computers
in a virtual Ethernet environment over the Internet to create and use a VPN.

Virtualization has several advantages. First, new virtual server machines can be quickly
made available (host availability), and resources such as the amount of RAM or hard drive
space can easily be expanded or contracted as needed (host elasticity). Also, virtualization
can reduce costs. Instead of purchasing one physical server to run one network operating
system and its applications, a single physical server can run multiple virtual machines
and host multiple operating systems. This results in a significant cost savings in that fewer
physical computers must be purchased and maintained. In addition, the cost of electricity
to run these servers as well as keep data center server rooms cool is also reduced.


Another advantage of server virtualization is that it can be beneficial in providing
uninterrupted server access to users. Data centers must schedule planned downtime
for servers to perform maintenance on the hardware or software. Often it is difficult,
however, to find a time when users will not be inconvenienced by the downtime.
This can be addressed by virtualization that supports live migration; this technology
enables a virtual machine to be moved to a different physical computer with no impact
to the users. The virtual machine stores its current state onto a shared storage device
immediately before the migration occurs. The virtual machine is then reinstalled on
another physical computer and accesses its storage with no noticeable interruption to
users. Live migration also can be used for load balancing; if the demand for a service or
application increases, network managers can quickly move this high-demand virtual
machine to another physical server with more RAM or CPU resources.

Host virtualization also has several security-related advantages:

The latest security updates can be downloaded and run in a virtual machine to
determine compatibility, or the impact on other software or even hardware. This
is used instead of installing the update on a production computer and then being
forced to roll back to the previous configuration if it does not work properly.

A snapshot of a state of a virtual machine can be saved for later use. A user can
make a snapshot before performing extensive modifications or alterations to
the virtual machine, and then the snapshot can be reloaded so that the virtual
machine is at the beginning state before the changes were made. Multiple
snapshots can be made, all at different states, and loaded as needed.

Testing the existing security configuration, known as security control testing,
can be performed using a simulated network environment on a computer using
multiple virtual machines. For example, one virtual machine can virtually attack
another virtual machine on the same host system to determine vulnerabilities
and security settings. This is possible because all the virtual machines can be
connected through a virtual network.

Virtual machines can promote security segregation and isolation. Separating
virtual machines from other machines can reduce the risk of infections
transferring from one device to another.

A virtual machine can be used to test for potential malware. A suspicious
program can be loaded into an isolated virtual machine and executed
(sandboxing). If the program is malware, it will impact only the virtual machine,
and it can easily be erased and a snapshot reinstalled. This is how antivirus
software using heuristic detection can spot the characteristics of a virus.

Note

Heuristic detection is covered in Chapter 6.


However, there are security concerns for virtualized environments:

Not all hypervisors have the necessary security controls to keep out determined
attackers. If a single hypervisor is compromised, multiple virtual servers are
at risk.

Existing security tools, such as antivirus, antispam, and IDS, were designed
for single physical servers and do not always adapt well to multiple virtual
machines.

Virtual machines must be protected from both outside networks and other
virtual machines on the same physical computer. In a network without virtual
machines, external devices such as firewalls and IDS that reside between
physical servers can help prevent one physical server from infecting another
physical server, but no such physical devices exist between virtual machines.

Virtual machines may be able to escape from the contained environment and
directly interact with the host operating system. It is important to have virtual
machine escape protection so that a virtual machine cannot directly interact
with the host operating system and potentially infect it, which could then be
transmitted to all other virtual machines running on the host operating system.

Because virtual machines can easily and quickly be created and launched, this
has led to virtual machine sprawl, or the widespread proliferation of virtual
machines without proper oversight or management. It is often easy for a virtual
machine to be created and then forgotten. A guest operating system that has
remained dormant for a period may not contain the latest security updates, even
though the underlying host operating system has been updated. When the guest
is launched, it will be vulnerable until properly updated.

Cloud Computing
Forty years ago, as computing technology became widespread, enterprises employed
an on-premises model, in which they purchased all the hardware and software
necessary to run the organization. As more resources were needed, more purchases
were made and more personnel were hired to manage the technology. Because this
resulted in spiraling costs, some enterprises turned to hosted services. In a hosted
services environment, servers, storage, and the supporting networking infrastructure
are shared by multiple enterprises over a remote network connection that is
contracted for a specific period. As more resources are needed (such as additional
storage space or computing power), the enterprise contacts the hosted service,
negotiates an additional fee, and signs a new contract for those new services.

Today a new model is gaining widespread use. Known as cloud computing, this is
a pay-per-use computing model in which customers pay only for the online computing
resources they need. As computing needs increase or decrease, cloud computing
resources can be quickly scaled up or scaled back. Although various definitions of
cloud computing have been proposed, the definition from the National Institute of
Standards and Technology (NIST) may be the most comprehensive: "Cloud computing
is a model for enabling convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage, applications, and
services) that can be rapidly provisioned and released with minimal management effort or
service provider interaction."5

Table 7-4 lists different characteristics of cloud computing.

Table 7-4 Cloud computing characteristics (Characteristic / Explanation)

On-demand self-service. The consumer can make changes, such as increasing or
decreasing computing resources, without requiring any human interaction from
the service provider.

Universal client support. Virtually any networked device (desktop, laptop,
smartphone, tablet, etc.) can access the cloud computing resources.

Invisible resource pooling. The physical and virtual computing resources are
pooled together to serve multiple, simultaneous consumers and are dynamically
assigned or reassigned based on the consumer's needs; the customer has little or
no control or knowledge of the physical location of the resources.

Immediate elasticity. Computing resources can be increased or decreased quickly
to meet demands.

Metered services. Fees are based on the computing resources used.

There are different types of clouds. A public cloud is one in which the services
and infrastructure are offered to all users with access provided remotely through
the Internet. Unlike a public cloud that is open to anyone, a community cloud is a
cloud that is open only to specific organizations that have common concerns. For
example, because of the strict data requirements of the Health Insurance Portability
and Accountability Act of 1996 (HIPAA), a community cloud open only to hospitals may
be used. A private cloud is created and maintained on a private network. Although
this type offers the highest level of security and control (because the company must
purchase and maintain all the software and hardware), it also reduces any cost savings.
A hybrid cloud is a combination of public and private clouds. Cloud storage has no
computational capabilities but only provides remote file storage.

There are at least four service models in cloud computing:

Software as a Service (SaaS). In the Software as a Service (SaaS) model the cloud
computing vendor provides access to the vendor's software applications running
on a cloud infrastructure. These applications, which can be accessed through
a web browser, do not require any installation, configuration, upgrading, or
management from the user.

Platform as a Service (PaaS). Unlike SaaS in which the application software belonging
to the cloud computing vendor is used, in the Platform as a Service (PaaS) model
consumers can install and run their own specialized applications on the cloud
computing network. Although customers have control over the deployed applications,
they do not manage or configure any of the underlying cloud infrastructure (network,
servers, operating systems, storage, etc.).

Infrastructure as a Service (IaaS). In the Infrastructure as a Service (IaaS) model,
the customer has the highest level of control. The cloud computing vendor
allows customers to deploy and run their own software, including operating
systems and applications. Consumers have some control over the operating
systems, storage, and their installed applications, but do not manage or control
the underlying cloud infrastructure.

Security as a Service (SECaaS). With the Security as a Service (SECaaS) model
all security services, such as intrusion detection and SIEM, are delivered from
the cloud to the enterprise. This relieves the enterprise from purchasing and
managing security hardware and software.

Cloud computing has several potential security issues. It is important that the cloud
provider guarantee that the means are in place by which authorized users are given
access while imposters are denied. Also, all transmissions to and from the cloud must
be adequately protected. Finally, the customer's data must be isolated from that of other
customers, and the highest level of application availability and security must be maintained.

Note

Another security concern with cloud computing is that employees, frustrated by the
delays in securing computing resources for a project, often privately purchase cloud resources
without the knowledge or consent of the enterprise. This can introduce significant security
issues if the enterprise's data in the cloud is not properly managed and secured.

One security protection for cloud computing is for an organization to use a cloud
access security broker (CASB). A CASB is a set of software tools or services that
resides between the enterprise's on-premises infrastructure and the cloud provider's
infrastructure. Acting as the gatekeeper, a CASB ensures that the security policies of
the enterprise extend to its data in the cloud. For example, if the enterprise has a policy
requiring that data be encrypted, a CASB can enforce that control so that data copied from
the cloud to a local device is encrypted. Another security protection is to utilize cloud-
based DLP to extend the enterprise's policies to data stored in the cloud.

Software Defined Network (SDN)
Virtualization has been an essential technology in changing the face of computing
over the last decade. Racks of individual physical servers each running a single application
have been replaced by a few hardware devices running multiple virtual machines,
software-based emulations of computers. Virtual machines have made cloud
computing possible; as computing needs increase or decrease, cloud computing resources
on virtual machines can be quickly scaled up or back. Networks can also be configured
into logical groups to create a virtual LAN (VLAN). A VLAN allows scattered users to be
logically grouped together even though they are physically attached to different switches.
The computing landscape today would simply not be possible without virtualization.

Yet virtual machines and virtual LANs run into a bottleneck: the physical network.
Networks built from physical hardware such as bridges, switches, and routers, a design
dating back over forty years, have collided with the world of virtual machines and VLANs.

Consider this problem. A network manager needs to make sure the VLAN used by
a virtual machine is assigned to the switch port of the physical server that is
running the virtual machine. But if the virtual machine is migrated to another server,
the manager must reconfigure the VLAN every time it moves. In a large enterprise,
whenever a new virtual machine is installed it can take hours for managers to perform
the necessary reconfiguration. In addition, these managers must configure each vendor's
equipment separately, tweaking performance and security configurations for each session
and application. This process is difficult to do with conventional network switches
because the control logic for each switch is bundled together with the switching logic.

What is needed is for the flexibility of the virtual world to be applied to the
network. This would allow the network manager to quickly and dynamically add, drop,
and change network resources on the fly.

The solution is a software defined network (SDN). An SDN virtualizes parts of
the physical network so that it can be more quickly and easily reconfigured. This is
accomplished by separating the control plane from the data plane, as illustrated in
Figure 7-10. The control plane consists of one or more SDN servers and performs the
complex functions such as routing and security checks. It also defines the data flows
through the data plane.

Figure 7-10 Software defined network (diagram: business applications and SDN applications use an API to the control plane, whose functions include routing and traffic control; the control plane programs the data plane devices: packet switch, router, LAN switch, and other network devices)

If traffic needs to flow through the network, it first receives permission from the
SDN controller, which verifies that the communication is permitted by the network
policy of the enterprise. Once approved, the SDN controller computes a route for the
flow to take and adds an entry for that flow in each of the switches along the path.
Because all the complex networking functions are handled by the SDN controller, the
switches simply manage flow tables whose entries are created by the controller; later
packets of the same flow are forwarded from those tables without consulting the
controller again. The communication between the SDN controller and the SDN switches
uses a standardized protocol and application programming interface (API); OpenFlow
is the most widely known example.
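The flow-setup sequence just described, as an added example in Python that is not from the textbook: a switch with no flow entry for a packet hands it to the controller; the controller checks the enterprise policy, computes a path that is forced through a firewall node, and installs a flow entry in every device on that path, so only the first packet of a flow ever reaches the controller. The topology, host names, policy and the hypothetical "fw" node are all constructed.

```python
from collections import deque

# Constructed topology: undirected links between switches; "fw" is a
# hypothetical firewall node that every permitted path must traverse.
LINKS = [("s1", "s2"), ("s2", "fw"), ("fw", "s3"), ("s2", "s3"), ("s3", "s4")]
HOSTS = {"h1": "s1", "h2": "s4", "db": "s3"}   # host -> attached switch


def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def shortest_path(adj, start, goal):
    """Breadth-first search over the switch graph; returns a node list or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


class Switch:
    """Data plane: a flow table filled by the controller, nothing else."""
    def __init__(self, name, controller):
        self.name = name
        self.controller = controller
        self.flow_table = {}          # (src, dst, dport) -> next hop or "DROP"

    def forward(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        if key not in self.flow_table:          # table miss: packet-in to the controller
            self.controller.packet_in(self.name, pkt)
        return self.flow_table[key]


class Controller:
    """Control plane: policy check, route computation, flow installation."""
    def __init__(self, links, hosts, policy, firewall):
        self.adj = adjacency(links)
        self.hosts = hosts
        self.policy = policy          # set of permitted (src, dst, dport)
        self.firewall = firewall
        self.switches = {n: Switch(n, self) for n in self.adj}
        self.packet_ins = 0           # how often the controller was consulted

    def route(self, src_host, dst_host):
        """Ingress switch -> firewall -> egress switch, so inspection cannot be bypassed."""
        first = shortest_path(self.adj, self.hosts[src_host], self.firewall)
        second = shortest_path(self.adj, self.firewall, self.hosts[dst_host])
        if first is None or second is None:
            return None
        return first + second[1:]

    def packet_in(self, switch_name, pkt):
        self.packet_ins += 1
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        path = self.route(pkt["src"], pkt["dst"]) if key in self.policy else None
        if path is None:              # denied by policy (or unroutable): drop at ingress
            self.switches[switch_name].flow_table[key] = "DROP"
            return
        for i, node in enumerate(path):
            nxt = path[i + 1] if i + 1 < len(path) else pkt["dst"]
            self.switches[node].flow_table[key] = nxt

    def send(self, pkt):
        """Deliver pkt hop by hop using only the switches' flow tables; returns the hops."""
        hops = []
        node = self.hosts[pkt["src"]]
        while node != pkt["dst"]:
            nxt = self.switches[node].forward(pkt)
            hops.append(node)
            if nxt == "DROP":
                hops.append("DROP")
                break
            node = nxt
        return hops


if __name__ == "__main__":
    ctl = Controller(LINKS, HOSTS, {("h1", "h2", 443)}, "fw")
    print(ctl.send({"src": "h1", "dst": "h2", "dport": 443}))   # detours through fw
    print(ctl.send({"src": "h1", "dst": "db", "dport": 22}))    # dropped at s1
```

Note that the shortest physical path from s1 to s4 does not pass the firewall; the controller chooses the longer path precisely because policy, not cabling, now decides where traffic goes. That is also why the controller itself must be protected: a policy set of `{("h1","db",22)}` installed by an attacker would be honoured by every switch just as faithfully.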

Note

The architecture of SDN is very flexible, using different types of switches from different
vendors at different protocol layers. SDN controllers and switches can be implemented
for Ethernet switches (Layer 2), Internet routers (Layer 3), Transport (Layer 4) switching, or
Application layer switching and routing.

Note

In an SDN, the control plane is essentially an application running on a computer that
programs the data plane, the physical switching hardware.

With the decoupling of the control and data planes, SDN enables applications to
treat the network as a single abstracted device, without regard to the details of how
each physical device operates. This is because the network applications see only a single
API to the controller. This makes it possible to quickly create and deploy new applications
to orchestrate network traffic flow to meet specific enterprise requirements for
performance or security.

From a security perspective SDNs can provide stronger protection. SDN technology
can simplify extending VLANs beyond the perimeter of a building, which can
help secure data. Because every new flow is admitted by the controller, an SDN can
ensure that traffic between two segments is steered through a firewall rather than
relying on physical cabling to force that path. And because the controller holds a
central view of every flow it has admitted, it can program switches to mirror selected
traffic to NIDS and NIPS sensors. The same centralization carries a risk: the controller
and its channels to the switches and to the applications become a single high-value
target, so they must be authenticated, encrypted, and tightly access-controlled, because
whoever controls the controller controls the network.

Chapter Summary
The most common protocol used today for local area networks (LANs) and the Internet is Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP is not a single protocol; it is a suite of protocols that all function together. The Simple Network Management Protocol (SNMP) allows network administrators to remotely monitor, manage, and configure devices on the network. SNMP functions by exchanging management information between networked devices. There were several security vulnerabilities with the use of community strings in early versions of SNMP that have been addressed in the most recent version, SNMPv3. The Domain Name System (DNS) is a TCP/IP protocol that resolves a symbolic name to its equivalent IP address. The DNS is a database, organized as a hierarchy or tree, of the name of each site on the Internet and its corresponding IP address. Because of the important role it plays, DNS can be the focus of attacks, several of which can be thwarted by using Domain Name System Security Extensions (DNSSEC).

Transferring files is most commonly performed using the File Transfer Protocol (FTP), which is part of the TCP/IP suite. FTP is used to connect to an FTP server, much in the same way that HTTP connects to a web server. Several vulnerabilities are associated with using FTP, including credentials and data sent in cleartext. There are two options for secure file transfer in place of plain FTP. FTPS (FTP Secure) is FTP carried over SSL/TLS. SFTP (SSH File Transfer Protocol, often called Secure FTP) is an entirely separate secure file transfer protocol that runs over SSH, not FTP with security elements added. Securing email messages involves both the transmission of the messages and the storage of those messages. The S/MIME protocol can be used for securing email messages, but it has limitations. Different applications require different secure network protocols.

The correct placement of security devices is essential for protection. An SSL/TLS accelerator can be a separate hardware card or a separate SSL/TLS hardware module installed as a virtual SSL server alongside the forward proxy server between the user's device and the web. Monitoring traffic on switches generally can be done in two ways. First, a managed switch on an Ethernet network that supports port mirroring allows the administrator to configure the switch to copy traffic that occurs on some or all ports to a designated monitoring port on the switch. A second method is to install a network tap (test access point). Sensors to monitor traffic, collectors to gather traffic, and filters to block traffic should be placed in the network where the largest stream of data will allow them to perform their functions. An aggregation switch is used to combine multiple network connections into a single link and should be located between routers and servers. A correlation engine aggregates and correlates content from different sources to uncover an attack and should be in the protected internal network. A DDoS mitigator is a hardware device that identifies and blocks real-time DDoS attacks. These devices should be located in the network where they can monitor the largest stream of traffic.

A log is a record of events that occur. Security logs are particularly important because they can reveal the types of attacks that are being directed at the network and whether any of the attacks were successful. Data can be accumulated by security devices, security software, and security tools. There are issues associated with log management, that is, generating, transmitting, storing, analyzing, and disposing of computer security log data. One solution to log management is to use a centralized device log analyzer. A greater issue is that too often this data is only used to determine how an attack occurred and not to prevent one. An analytics-based approach is becoming increasingly important. Using data gathered from multiple hardware devices, software security applications, and security tools, an analytics-based approach attempts to reduce the false positives and false negatives that are often produced by popular network monitoring tools.

Some applications and platforms require special security considerations. Virtualization is a means of managing and presenting computer resources by function without regard to their physical layout or location. One type of virtualization in which an entire operating system environment is simulated is known as host virtualization. A reduced instance of virtualization is a container or application cell. Security for virtualized environments can be a concern, and a growing number of virtualization security tools are available. Cloud computing is a revolutionary concept. Cloud computing is a pay-per-use model in which customers pay only for the online computing resources that they need at any time. Despite its dramatic impact on IT, cloud computing also has security concerns. A software defined network (SDN) virtualizes parts of the physical network so that it can be more quickly and easily reconfigured. This is accomplished by separating the control plane from the data plane.

Key Terms
advanced malware management
aggregation switch
application cell
application whitelisting
cloud access security broker (CASB)
cloud computing
cloud storage
community cloud
container
correlation engine
Data Execution Prevention (DEP)
DDoS mitigator
Domain Name System Security Extensions (DNSSEC)
file integrity check (FIC)
File Transfer Protocol (FTP)
FTP Secure (FTPS)
hosted services
hybrid cloud
hypervisor
Infrastructure as a Service (IaaS)
log
network tap (test access point)
on-premises
Platform as a Service (PaaS)
port mirroring
private cloud
public cloud
removable media control
Secure FTP (SFTP)
Security as a Service (SECaaS)
Simple Network Management Protocol (SNMP)
SNMPv3
Software as a Service (SaaS)
software defined network (SDN)
Type I hypervisor
Type II hypervisor
Virtual Desktop Infrastructure (VDI)
Virtual Distributed Ethernet (VDE)
virtual machine escape protection
virtual machine sprawl
virtualization

Review Questions
1. Which of the following TCP/IP protocols does not relate to security?
a. IP
b. SNMP
c. HTTPS
d. FTP

2. Aideen sent an email to her supervisor explaining the Domain Name System Security Extensions (DNSSEC). Which of the following statements would Aideen have NOT included in her email?
a. It is fully supported in BIND9.
b. It adds additional resource records.
c. It adds message header information.
d. It can prevent a DNS transfer attack.

3. What is the recommended secure protocol for voice and video applications?
a. Secure Real-time Transport Protocol (SRTP)
b. Hypertext Transport Protocol Secure (HTTPS)
c. Network Time Protocol (NTP)
d. Secure/Multipurpose Internet Mail Extensions (S/MIME)

4. Which type of log can provide details regarding requests for specific files on a system?
a. Audit log
b. Event log
c. Access log
d. SysFile log

5. Which type of device log contains the most beneficial security data?
a. Firewall log
b. Email log
c. Switch log
d. Router log

6. Which type of cloud is offered to specific organizations that have common concerns?
a. Public cloud
b. Hybrid cloud
c. Private cloud
d. Community cloud

7. Which of these is NOT correct about an SSL accelerator?
a. It can be a separate hardware card that inserts into a web server.
b. It can be a separate hardware module.
c. It should reside between the user's device and the web servers.
d. It can only handle the SSL protocol.

8. Catriona needed to monitor network traffic. She did not have the resources to install an additional device on the network. Which of the following solutions would meet her needs?
a. Network tap
b. Port mirroring
c. Aggregation switch
d. Correlation engine

9. Which version of Simple Network Management Protocol (SNMP) is considered the most secure?
a. SNMPv2
b. SNMPv3
c. SNMPv4
d. SNMPv5

10. Which Domain Name System (DNS) attack substitutes a fraudulent IP address for a symbolic name?
a. DNS replay
b. DNS masking
c. DNS poisoning
d. DNS forwarding

11. Which of these is the most secure protocol for transferring files?
a. FTPS
b. SFTP
c. TCP
d. FTP

12. Which of the following can be used to prevent a buffer overflow attack?
a. DEP
b. FIM
c. VPN
d. DNS

13. Which of the following is NOT a service model in cloud computing?
a. Software as a Service (SaaS)
b. Hardware as a Service (HaaS)
c. Platform as a Service (PaaS)
d. Infrastructure as a Service (IaaS)

14. Eachna is showing a new security intern the log file from a firewall. Which of the following entries would she tell him do not need to be investigated?
a. Suspicious outbound connections
b. IP addresses that are being rejected and dropped
c. Successful logins
d. IP addresses that are being rejected and dropped

15. Which type of hypervisor does not run on an underlying operating system?
a. Type I
b. Type II
c. Type III
d. Type IV

16. Which application stores the user's desktop inside a virtual machine that resides on a server and is accessible from multiple locations?
a. Application cell
b. Container
c. VDE
d. VDI

17. Kyle asked his supervisor which type of computing model was used when the enterprise first started. She explained that the organization purchased all the hardware and software necessary to run the company. What type of model was she describing to Kyle?
a. Virtual services
b. Off-premises
c. On-premises
d. Hosted services

18. DNSSEC adds additional ________ and message header information, which can be used to verify that the requested data has not been altered in transmission.
a. resource records
b. field flags
c. hash sequences
d. zone transfers

19. What functions of a switch does a software defined network separate?
a. Host and virtual
b. Control plane and physical plane
c. RAM and hard drive
d. Network level and resource level

20. Which of the following is NOT a security concern of virtualized environments?
a. Virtual machines must be protected from both the outside world and from other virtual machines on the same physical computer.
b. Physical security appliances are not always designed to protect virtual systems.
c. Virtual servers are less expensive than their physical counterparts.
d. Live migration can immediately move one virtualized server to another hypervisor.

Hands-On Projects

Project 7-1: Creating a Virtual Machine from a Physical Computer
The VMware vCenter Converter creates a virtual machine from an existing physical computer. In this project, you download and install vCenter Converter to create a virtual machine.

1. Use your web browser to go to www.vmware.com. (The location of content on the Internet may change without warning. If you are no longer able to access the program through this URL, use a search engine to search for VMware.)
2. Click Downloads.
3. Click vCenter Converter.
4. If necessary, click Create an account, enter the requested information, and log into VMware.
5. If necessary, accept the terms of use and click I agree.
6. Click Manually Download.
7. When the download completes, run the installation program to install vCenter Converter by accepting the default settings.
8. Launch vCenter Converter to display the VMware vCenter Converter Standalone menu.
9. Click Convert machine.
10. Under Select source type, choose This local machine. Click Next.
11. Next to Select destination type:, choose VMware Workstation or other VMware virtual machine.
12. Under Select a location for the virtual machine:, click Browse.
13. Navigate to a location to store the new virtual machine. Click Next and then click Next again.
14. Click Finish to create the virtual machine from the physical machine.

Note

If you are concerned about installing any of the software in these projects on your regular computer, you can instead install the software in the Windows virtual machine created in the Chapter 1 Hands-On Projects 1-3 and 1-4. Software installed within the virtual machine will not impact the host computer.

Note

Depending upon the computer configuration, it could take up to 60 minutes to create the virtual machine.

15. When vCenter Converter has finished, note the location of the image, which will be one or more *.vmx and *.vmdk files in the destination folder. It will be used in the next project.
16. Close all windows.

Project 7-2: Loading the Virtual Machine
In this project, you download a program to load the virtual machine created in Project 7-1.

1. Use your web browser to go to my.vmware.com. (The location of content on the Internet may change without warning. If you are no longer able to access the program through this URL, use a search engine to search for VMware Workstation.)
2. Click All Downloads.
3. Click View Download Components.
4. Select the Workstation Player for your computer's operating system. Click Download.
5. When the download completes, launch the installation program to install VMware Workstation Player.
6. Start VMware Workstation Player after the installation completes.
7. Click Open a Virtual Machine.
8. Navigate to the location of the virtual machine that you created in Project 7-1. Click Open.
9. Click Edit virtual machine settings. Note the different options for configuring the hardware of the virtual machine. Click through these options and, if desired, change any of the settings. Click Close.

Note

To run this virtual machine, a previously unlicensed version of the operating system must first be installed.

10. How easy was it to create a virtual machine from a physical machine?
11. Close all windows.

Project 7-3: Viewing SNMP Management Information Base (MIB) Elements
SNMP information is stored in a management information base (MIB), which is a database of different objects. In this project, you view MIBs.

1. Use your web browser to go to www.mibdepot.com. (The location of content on the Internet may change without warning. If you are no longer able to access the program through this URL, use a search engine to search for MIB Depot.)
2. In the left pane, click Single MIB View.
3. Scroll down and click Linksys in the right pane. This will display the Linksys MIBs summary information.
4. In the left pane, click v1 & 2 MIBs to select the SNMP Version 1 and Version 2 MIBs.
5. In the right pane, click LINKSYS-MIB under MIB Name (File Name). This will display a list of the Linksys MIBs.
6. Click Tree under Viewing Mode in the left pane. The MIBs are now categorized by Object Identifier (OID). Each object in a MIB file has an OID associated with it, which is a series of numbers separated by dots that represent where on the MIB tree the object is located.
7. Click Text in the left pane to display textual information about the Linksys MIBs. Scroll through the Linksys MIBs and read several of the descriptions. How could this information be useful in troubleshooting?
8. Now look at the Cisco MIBs. Click Vendors in the left pane to return to a vendor list.
9. Scroll down and click Cisco Systems in the right pane. How many total Cisco MIB objects are listed? Why is there a difference?
10. In the right pane, click the link Traps.
11. Scroll down to Trap 74, which begins the list of Cisco wireless traps. Notice the descriptive names assigned to the wireless traps.
12. Now scroll down to Traps 142-143 and click the name bsnAPIfDown. Read the description for this SNMP trap. When would it be invoked? Click the browser's Back arrow to return to the listing.
13. Close all windows.

Project 7-4: Viewing Logs Using the Microsoft Windows Event Viewer
In this project, you view logs on a Microsoft Windows computer.

1. Launch Event Viewer by clicking Start and then typing Administrative Tools in the Search programs and files box.
2. Click the Administrative Tools folder and then double-click Event Viewer.
3. The Event Viewer opens to the Overview and Summary page that displays all events from all Windows logs on the system. The total number of events for each type that have occurred is displayed along with the number of events of each type that have occurred over the last seven days, the last 24 hours, or the last hour. Click the > sign under each type of event in the Summary of Administrative Events to view events that have occurred on this system.
4. Select a specific event and then double-click it to display detailed information on the event. Is this information in a format that a custodian could use when examining a system? Is it in a format that an end user would find helpful?
5. When finished, click the Back arrow to return to the Overview and Summary page.
6. In the left pane under Event Viewer (Local), double-click Windows Logs to display the default generated logs, if necessary.
7. Double-click Security.
8. Select a specific event and then double-click it to display detailed information on the event. When finished, click Close and the Back arrow to return to the Overview and Summary page.
9. In the left pane under Event Viewer (Local), double-click Applications and Services Logs to display the default generated logs, if necessary.
10. Select a specific event and double-click it to display detailed information on the event. When finished, click Close and then double-click Event Viewer (Local) in the left pane. Leave this window open for the next project.

Project 7-5: Creating a Custom View in Microsoft Windows Event Viewer
Microsoft Windows Event Viewer also can be used to create custom views and collect copies of events from different systems. In this project, you use the Event Viewer to create a custom view.

1. If necessary, launch Event Viewer by clicking Start and then typing Administrative Tools in the Search programs and files box. Click the Administrative Tools folder and then double-click Event Viewer.
2. In the right pane entitled Actions, click Create Custom View.
3. Under Logged, click the drop-down arrow next to Any time. Several options appear for the time span of events to include. Click Custom range and note that you can specify a particular period. Click Cancel and be sure the Logged setting is Any time to capture all events.
4. Under Event level, check each box (Critical, Error, Warning, Information, Verbose) to capture all levels of events.
5. Under By source, click the radio button if necessary and then click the drop-down arrow next to Event sources. Scroll through the list of sources that can be used to create a log entry.
6. For this custom view, instead of selecting specific sources, you will use log entries collected from default logs. Under By log, click the radio button if necessary and then click the drop-down arrow next to Event logs.
7. Click the > sign by Windows Logs and Applications and Services Logs. Any of these logs can be used as input into your custom view. Click the box next to Windows Logs to select all the available Windows logs.
8. You also can include or exclude specific events by event ID. Be sure that <All Event IDs> is selected.
9. Next to Keywords select Classic.
10. Next to User be sure that <All Users> is selected so that events for any user who logs in to this system are included.
11. Your completed dialog box will look like that shown in Figure 7-11. Click OK. If an Event Viewer dialog box appears, click Yes.
12. In the Save Filter to Custom View dialog box, next to Name, enter All Events.
13. Next to Description, enter All Events. Click OK.
14. In the left pane under Event Viewer (Local), double-click Custom Views if necessary to display the custom view. Display your view by clicking on it.
15. Close Event Viewer and all windows.
16. Reboot the system.
17. If necessary, launch Event Viewer by clicking Start and then typing Administrative Tools in the Search programs and files box. Click the Administrative Tools folder and then double-click Event Viewer.

Figure 7-11 Create Custom View dialog box

18. In the left pane under Event Viewer (Local), double-click Custom Views if necessary to display the custom views. Display your view by clicking it. What new events have occurred?
19. Close all windows.
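The Create Custom View dialog used in Projects 7-4 and 7-5 is a filter, and the same filter can be expressed as the XPath query shown on the dialog's XML tab, which also works with wevtutil qe and with PowerShell's Get-WinEvent -FilterXPath. The Python below is an added example, not part of the textbook project: it applies the dialog's filter semantics (logs, levels, and an event ID list in the dialog's "1,3,5-99,-76" include/exclude syntax) to a few constructed events written in the Windows event XML schema, and renders the equivalent XPath. It also shows a detail that trips up new analysts: Security-log audit events carry Level 0, which the Information checkbox matches, so a custom view limited to Error never shows a failed logon (event 4625). The sample events and host name are constructed, not captured.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Level values behind each checkbox; Security-log audit events carry Level 0,
# which Event Viewer folds into "Information".
LEVELS = {"Critical": {1}, "Error": {2}, "Warning": {3},
          "Information": {4, 0}, "Verbose": {5}}

# Constructed sample events in the Windows event XML schema (not real captures).
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
 <Level>0</Level><Channel>Security</Channel><Computer>ws01.example.test</Computer></System>
 <EventData><Data Name="TargetUserName">alice</Data><Data Name="IpAddress">203.0.113.7</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
 <Level>0</Level><Channel>Security</Channel><Computer>ws01.example.test</Computer></System>
 <EventData><Data Name="TargetUserName">alice</Data><Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Service Control Manager"/><EventID>7034</EventID>
 <Level>2</Level><Channel>System</Channel><Computer>ws01.example.test</Computer></System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Kernel-General"/><EventID>12</EventID>
 <Level>4</Level><Channel>System</Channel><Computer>ws01.example.test</Computer></System>
</Event>
</Events>"""


def parse_events(xml_text):
    """Pull the fields the custom-view filter uses out of each <Event>."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "log": system.find("e:Channel", NS).text,
            "event_id": int(system.find("e:EventID", NS).text),
            "level": int(system.find("e:Level", NS).text),
            "provider": system.find("e:Provider", NS).get("Name"),
            "data": data,
        })
    return events


def parse_id_filter(spec):
    """Dialog syntax: IDs and ranges separated by commas, minus sign to exclude,
    e.g. '1,3,5-99,-76'. Returns (include_ranges, exclude_ranges); an empty
    include list means <All Event IDs>."""
    include, exclude = [], []
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        target = include
        if tok.startswith("-"):
            target, tok = exclude, tok[1:]
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", tok)
        if not m:
            raise ValueError("bad event ID token: %r" % tok)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        target.append((lo, hi))
    return include, exclude


def custom_view(events, logs, levels, id_spec=""):
    """Events the custom view would list for the given checkbox settings."""
    include, exclude = parse_id_filter(id_spec)
    wanted = set().union(*(LEVELS[l] for l in levels)) if levels else None

    def keep(e):
        if e["log"] not in logs:
            return False
        if wanted is not None and e["level"] not in wanted:
            return False
        if any(lo <= e["event_id"] <= hi for lo, hi in exclude):
            return False
        return not include or any(lo <= e["event_id"] <= hi for lo, hi in include)

    return [e for e in events if keep(e)]


def to_xpath(levels, id_spec=""):
    """Equivalent Select expression for the dialog's XML tab / Get-WinEvent -FilterXPath."""
    clauses = []
    if levels:
        vals = sorted(set().union(*(LEVELS[l] for l in levels)))
        clauses.append("(" + " or ".join("Level=%d" % v for v in vals) + ")")
    include, exclude = parse_id_filter(id_spec)
    if include:
        terms = ["EventID=%d" % lo if lo == hi else "(EventID >= %d and EventID <= %d)" % (lo, hi)
                 for lo, hi in include]
        clauses.append("(" + " or ".join(terms) + ")")
    for lo, hi in exclude:
        clauses.append("(EventID != %d)" % lo if lo == hi
                       else "(EventID < %d or EventID > %d)" % (lo, hi))
    return "*[System[" + " and ".join(clauses) + "]]" if clauses else "*"
```

The "All Events" view built in the project corresponds to every level checked and an empty ID list, which is also the noisiest possible view; a failed-logon view (Security log, Information, ID 4625) is the kind of narrow filter an analyst actually saves.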


Case Projects

Case Project 7-1: Software Defined Network (SDN)
Use the Internet to research software defined networks (SDNs). How do they function? What are
their features? What are the advantages of each type? What are the disadvantages? Create a
table comparing SDNs with traditional networks. If you were to recommend an SDN for your
school or business, what would be the reason(s)?

Case Project 7-2: Securing Email
Use the Internet to research different options for encrypting and securing email. Create a
table that lists at least five options. Include the advantages and disadvantages of each. Which
would you recommend? Why? Write a one-paragraph explanation along with your table.

Case Project 7-3: Comparing Cloud Computing Features
As cloud computing increases in popularity, enhanced features are continually being added.
Compare Microsoft Azure with Amazon Web Services (AWS). Create a table that lists at least
five features. What are the advantages of each? What are the disadvantages? Which would
you recommend? Why? Write a one-page summary of your research.

Case Project 7-4: Centralized Device Log Analyzers
Use the Internet to research four different centralized device log analyzers. Create a table
comparing their benefits, the platforms they support, their advantages and disadvantages,
and costs. Which would you recommend? Why?

Case Project 7-5: Cloud Computing Benefits
Would your school or place of work benefit from cloud computing? Identify at least two cloud
computing vendors and research their features and costs. Then look at one element of your
school or work network infrastructure and apply it to cloud computing. Would it be feasible?
Why or why not? Write a one-page paper on your research and opinions.

Case Project 7-6: Lake Point Security Consulting
Lake Point Consulting Services (LPCS) provides security consulting and assurance services to
over 500 clients across a wide range of enterprises in more than 20 states. A new initiative
at LPCS is for each of its seven regional offices to provide internships to students who are in
their final year of the security degree program at the local college.

Performance Engineered Lubricants (PEL) is a regional petroleum manufacturing
and distribution company. PEL is interested in moving to cloud computing, and they have
contracted with LPCS to make recommendations.

1. Create a PowerPoint presentation for PEL regarding cloud computing. Include a
definition of cloud computing, how it can be used, and why it is important. Your
presentation should contain at least 10 slides.

2. PEL is enthusiastic about cloud computing, but is unsure about whether SaaS, PaaS,
or IaaS would be best for them. They have multiple customized software applications
for the blending of different petroleum products. Create a memo that outlines the
advantages and disadvantages of each approach, and give your recommendation.

Case Project 7-7: Information Security Community Site Activity
The Information Security Community Site is an online companion to this textbook. It contains
a wide variety of tools, information, discussion boards, and other features to assist learners.
Go to community.cengage.com/Infosec2 and click the Join or Sign in icon to log in, using
your login name and password that you created in Chapter 1. Click Forums (Discussion) and
click on Security+ Case Projects (6th edition). Read the following case study.

A hospital decided to use cloud computing for processing and storage to save costs.
After several months, it was discovered that the cloud provider's storage facilities were
compromised and patient information was stolen. The hospital maintained that the cloud
provider should be punished and fined for the breach, while the provider responded that
it was still the hospital's responsibility under HIPAA to secure patient information and the
hospital was ultimately responsible.

Who do you think should be responsible? The cloud provider or the hospital? If the cloud
provider is responsible, then should software companies like Microsoft be held liable for a
vulnerability in their software that results in a data breach on a Microsoft server in a LAN?
Where does the responsibility for the user end and the vendor begin?


CHAPTER 8

WIRELESS NETWORK SECURITY

After completing this chapter, you should be able to do the following:

• Describe the different types of wireless network attacks
• List the vulnerabilities in IEEE 802.11 security
• Explain the solutions for securing a wireless network

Today's Attacks and Defenses

Attacks on wireless systems are certainly not uncommon. But it may be surprising to learn
that the first recorded attack on a wireless system occurred over 100 years ago, and involved
the person credited as the inventor of the radio.

Guglielmo Marconi was an Italian electrical engineer and inventor who pioneered work
on long-distance radio transmission. In 1895 Marconi could transmit and receive a signal
only less than one mile (1.6 kilometers or km), but through persistence and applying new
techniques he was able to increase that distance the following year to 3.7 miles (6km).
Over the next several years the distances gradually became longer, so that by 1900 Marconi
was experimenting with transmissions across the Atlantic Ocean, which was achieved
the following year. However, skeptics challenged this experiment because it was not
independently verified. One of Marconi’s skeptics was Nevil Maskelyne, who likewise was
an inventor interested in wireless systems. Maskelyne was the manager of a rival wireless
company that had been involved in several disputes with Marconi over patents that covered
wireless telegraphy systems.

In 1903 Marconi decided to put on a public demonstration of his wireless system. He
wanted to show that it could indeed transmit over long distances. But he also wanted to
demonstrate that his wireless system was secure. Marconi had often claimed that other
signals would not interfere with his wireless transmissions. Maskelyne, on the other hand,
was not convinced that Marconi’s signal was secure. So, Maskelyne decided to “hack”
Marconi’s public demonstration.

The demonstration was on June 4, 1903 at the lecture theater of the Royal Institution in
London. Marconi was in Cornwall, over 300 miles (482 km) away. The plan was for Marconi’s
colleague Professor Fleming to be in the theater to receive Marconi’s Morse code message
sent wirelessly and to be printed on an attached printer. But Maskelyne had his own ideas.
He set up a wireless transmitter not far from the lecture theatre. He later claimed that he did
not run it at full power because he did not want to block Marconi’s signal; instead, he wanted
to send his own signal to show that Marconi’s signal was not secure.

Toward the end of Fleming’s lecture, signals started coming in, but they were not
from Marconi. First a brass slide projector arc lamp in the theater, used to display Fleming’s
presentation, started a rhythmic ticking noise. The audience assumed that the projector was
just malfunctioning. But Arthur Blok, Fleming’s assistant, quickly recognized it as the “tap-tap”
of a human hand keying a message in Morse code. Blok realized that someone was sending
powerful wireless pulses into the theatre, strong enough to interfere with the electric arc
lamp. Then the wireless receiver came to life, and the Morse code printer started printing,
but it was from Maskelyne instead of from Marconi. One word was repeated over and over
on the printer: “Rats.” Then the printer spelled out an insulting limerick. Marconi’s supposedly
secure wireless system had been hacked.

Fleming later complained to the London Times of “scientific hooliganism.” Fleming and
Maskelyne exchanged letters, many of which were printed in the Times, arguing over the
source of the interference (Fleming argued that it was caused by electrical lighting in the
theater). It was also discovered that the receiver Fleming was using was not tuned to the
specific frequency on which Marconi was transmitting, but was a receiver that could pick up
signals across the frequency spectrum. Because this fact was not disclosed to the audience,
there was a feeling that Marconi had been deceptive in his demonstration. When Maskelyne
later wrote about the incident, he ended his account with a Latin legal phrase translated as,
“Let him be deceived who wishes to be deceived.”

Maskelyne’s attack had little impact on Marconi’s work or reputation. After sending the
first wireless signal across the Atlantic in 1901, Marconi started a commercial transatlantic
wireless service in 1907. In 1909 he shared the Nobel Prize in Physics in recognition of his
contributions to the development of wireless telegraphy. When Marconi died in 1937, the
British Broadcasting Company (BBC) observed two minutes of radio silence in respect.

What Maskelyne’s attack did do, however, was to make the scientific community realize
that Marconi’s claim that wireless signals were secure and could not be interfered with was
false. Researchers started looking at ways wireless signals could be monitored, jammed,
or manipulated. Eventually this led to the development of wireless security measures that
were first used in World War I and continue today.1

It is difficult to think of a technology over the last decade with a greater impact on our
lives than wireless data communications. Because it is no longer necessary to remain
connected by cable to a network, users are free to surf the web, check email, download
electronic books, or watch videos from virtually anywhere. Free wireless Internet
connections are available in coffee shops and libraries across the country. Students use
wireless data services on their school campus to access instructional material as well as
remain connected to friends. Travelers have wireless access while waiting in airports,
traveling on airplanes and trains, and working in their hotel rooms. At work, employees
can access remote data during meetings and in conference rooms, thus significantly
increasing their productivity. Wireless also has spurred the growth of many other new
technologies, such as portable tablet devices. Although wireless voice communication
started the revolution in the 1990s, wireless data communications are the driving force in
the twenty-first century. It has truly become a wireless world.

Statistics confirm how widespread wireless data technology has become. Over the
past five years, mobile data traffic has grown 18-fold, with the amount of global mobile
data traffic now exceeding 7.2 exabytes each month (one exabyte is equal to one billion
gigabytes). However, not all this traffic is through smartphones on cellular networks.
In fact, smartphones represented only 45 percent of the total number of mobile devices
and connections; other devices like laptops and tablet computers accounted for a
significant percentage of mobile devices. And 60 percent of total mobile data traffic
is offloaded onto a fixed network through Wi-Fi, which accounts for 10.7 exabytes of
mobile data traffic offloaded each month.2

Caution

Mobile video traffic accounts for about 60 percent of all mobile data traffic. And the top
20 percent of mobile users generate 56 percent of mobile data traffic, and the top 1 percent
of mobile users generate 6 percent of total traffic.3

Due to the popularity of wireless data, coupled with the inherently insecure
nature of wireless transmissions and the vulnerabilities of early wireless networking
standards, wireless networks continue to be targets for attackers. There have been
significant changes in wireless network security, however, to the point that today
wireless security technology and standards provide users with security comparable to
that enjoyed by their wired counterparts.

This chapter explores wireless network security. You first investigate the attacks on
wireless devices that are common today. Next, you explore different wireless security
mechanisms that have proven to be vulnerable. Finally, you examine several secure
wireless protections.

Wireless Attacks

Certification

1.2 Compare and contrast types of attacks.

2.1 Install and configure network components, both hardware- and
software-based, to support organizational security.

2.5 Given a scenario, deploy mobile devices securely.

3.2 Given a scenario, implement secure network architecture concepts.

Note

Many CompTIA exam objectives include the phrase, “Given a scenario.” This indicates that a
hands-on simulation related to this objective will likely appear on the Security+ exam. The
Hands-On Projects at the end of each chapter serve as training for these scenarios.

There are several attacks that can be directed against wireless data systems. These
attacks can be directed against Bluetooth systems, near field communication devices,
radio frequency identification systems, and wireless local area networks.

Bluetooth Attacks
Bluetooth is the name given to a wireless technology that uses short-range radio
frequency (RF) transmissions and provides rapid device pairings. Named after the
tenth-century Danish King Harald “Bluetooth” Gormsson, who was responsible for
unifying Scandinavia, it was originally designed in 1994 by the cellular telephone
company Ericsson to replace wires with radio-based technology. Bluetooth has moved
well beyond its original design. Bluetooth is a Personal Area Network (PAN) technology
designed for data communication over short distances and enables users to connect
wirelessly to a wide range of computing and telecommunications devices. It provides
for virtually instantaneous connections between a Bluetooth-enabled device and
receiver. Several of these Bluetooth-enabled product pairings are listed in Table 8-1.

Table 8-1 Bluetooth products

| Category | Bluetooth pairing | Usage |
|---|---|---|
| Automobile | Hands-free car system with cell phone | Drivers can speak commands to browse the cell phone's contact list, make and receive hands-free phone calls, or use its navigation system. |
| Home entertainment | Stereo headphones with portable music player | Users can create a playlist on a portable music player and listen through a set of wireless headphones or speakers. |
| Photographs | Digital camera with printer | Digital photos can be sent directly to a photo printer, or pictures taken on one cell phone can be sent to another phone. |
| Computer accessories | Computer with keyboard and mouse | A small travel mouse can be linked to a laptop, or a full-size mouse and keyboard can be connected to a desktop computer. |
| Gaming | Video game system with controller | Gaming devices and video game systems can support multiple controllers, while Bluetooth headsets allow gamers to chat as they play. |
| Sports and fitness | Heart-rate monitor with wristwatch | Athletes can track heart rates while exercising by glancing at their watch. |
| Medical and health | Blood pressure monitors with smartphones | Patient information can be sent to a smartphone, which can then send an emergency phone message if necessary. |

Note

Bluetooth is also finding its way into unlikely devices. A Victorinox Swiss Army pocketknife
model has Bluetooth technology that can be used to remotely control a computer when
projecting a PowerPoint presentation. Bluetooth can be found in items that require tracking
in the event they are lost or misplaced, such as luggage and key rings.

The current version is Bluetooth 5 (yet all Bluetooth devices are backward
compatible with previous versions). There are two implementations of Bluetooth 5.
Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) is designed for devices needing
short-range continuous connectivity (such as streaming music to a Bluetooth headset)
while Bluetooth low energy (LE) is for devices that require short bursts of data over
longer distances (such as inventory control devices at a retail store). Compared with the
previous version of Bluetooth (4.2) the current Bluetooth 5 has a faster speed of 2 megabits
per second (Mbps) vs. 1 Mbps as well as a broader range of coverage of 800 feet
(243 meters) vs. 200 feet (60 meters). However, Bluetooth 5 devices can either transmit at
a faster speed or have a broader area of coverage, but not both simultaneously.

The primary type of Bluetooth network topology is a piconet. When two Bluetooth
devices come within range of each other, after an initial pairing confirmation they
automatically connect whenever they meet. One device is the master, and controls
all the wireless traffic. The other device is known as a slave, which takes commands
from the master. Slave devices that are connected to the piconet and are sending
transmissions are known as active slaves; devices that are connected but are not
actively participating are called parked slaves. Devices can also switch roles so that
a slave temporarily becomes a master but then switches back to a slave role or vice
versa. An example of a piconet is illustrated in Figure 8-1.

Figure 8-1 Bluetooth piconet (M = Master, AS = Active slave, PS = Parked slave)

Note

The Bluetooth specification also allows for a device to be a member of two or more overlapping
piconets that cover the same area. This group of piconets in which connections exist between
different piconets is called a scatternet. However, scatternets are rarely used.

The ability for Bluetooth piconets to be established dynamically and automatically
on the fly as needed (called an ad hoc topology) whenever Bluetooth devices enter
and leave the coverage area gives Bluetooth its greatest flexibility. However, due to the
ad hoc nature of Bluetooth piconets, attacks on wireless Bluetooth technology are not
uncommon. Two Bluetooth attacks are bluejacking and bluesnarfing.

Bluejacking
Bluejacking is an attack that sends unsolicited messages to Bluetooth-enabled
devices. Usually bluejacking involves sending text messages, but images and sounds
also can be transmitted. Bluejacking is usually considered more annoying than
harmful because no data is stolen; however, many Bluetooth users resent receiving
unsolicited messages.

Note

Bluejacking has been used for advertising purposes by vendors.

Bluesnarfing
Bluesnarfing is an attack that accesses unauthorized information from a wireless
device through a Bluetooth connection, often between cell phones and laptop
computers. In a bluesnarfing attack, the attacker copies emails, calendars, contact
lists, cell phone pictures, or videos by connecting to the Bluetooth device without the
owner's knowledge or permission.

Note

To prevent bluesnarfing, a mobile device like a smartphone should have Bluetooth turned off
when not being used or set to undiscoverable, which keeps Bluetooth turned on, yet it cannot
be detected by another device.

Near Field Communication (NFC) Attacks
Near field communication (NFC) is a set of standards used to establish communication
between devices in very close proximity. Once the devices are brought within
4 centimeters of each other or tapped together, two-way communication is established.
Devices using NFC can be active or passive. A passive NFC device, such as an NFC tag,
contains information that other devices can read but the tag does not read or receive
any information. Active NFC devices can read information as well as transmit data.

The NFC communication between a smartphone and an NFC tag functions as
follows:

1. The smartphone (interrogator) sends out a signal to the tag, which becomes
powered by the energy in the interrogator's wireless signal.

Note

The ability of an NFC tag to be powered by the interrogator's signal allows tags to be very
small in size. It also does not require a tag to have its own battery or another power source.

2. The interrogator and tag each create a high frequency magnetic field from an
internal antenna. Once the fields are created, a connection can be formed between
the devices (known as magnetic induction). This is illustrated in Figure 8-2 (in this
figure the antennas are pictured outside of the interrogator and tag for clarity).

Figure 8-2 NFC magnetic induction (interrogator and tag antennas coupled by their magnetic fields)

Note

NFC can use one of three types of communication, known as Type A, Type B, or FeliCa, which
is more commonly used in Japan.

3. The interrogator sends a message to the tag to find out what type of communication
the tag uses. When the tag responds, the interrogator sends its first commands
based on that type.

4. When the tag receives the instruction, it checks to determine if the instruction is
valid. If it is not, the tag ignores the communication. If it is a valid request, the
tag responds with the requested information. For sensitive transactions, such
as credit card payments, a secure communication channel is established and all
transmitted information is encrypted.
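The four steps above can be followed in a small simulation. The Python below is an added illustration, not code from the textbook or from any NFC implementation: the command names, the Type A/B/FeliCa command vocabularies, the shared secret provisioned on the tag and the HMAC-based session are all constructed stand-ins for the real air interfaces and the encrypted payment channel. What it keeps from the text is the behaviour that matters for security: an unpowered tag says nothing, the interrogator picks its first command from the type the tag announces, an instruction that is not valid for that type is ignored rather than answered, and a sensitive transaction (PAY) is refused unless the secure channel was opened first and the request carries a valid MAC.

```python
"""Toy model of the four-step NFC interrogator/tag exchange (constructed example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed command vocabularies, one per communication type named in the text.
COMMAND_SETS = {
    "TypeA": {"READ_ID", "READ_DATA", "OPEN_SECURE", "PAY"},
    "TypeB": {"READ_ID", "READ_DATA", "OPEN_SECURE", "PAY"},
    "FeliCa": {"POLL", "READ_BLOCK", "OPEN_SECURE", "PAY"},
}


@dataclass
class Tag:
    comm_type: str
    tag_id: str
    data: str
    secret: bytes = b"constructed-shared-secret"   # assumed to be provisioned out of band
    powered: bool = False
    session_key: Optional[bytes] = None

    def energize(self) -> None:
        """Step 1: the interrogator's field powers the tag (step 2, induction, is implied)."""
        self.powered = True

    def announce_type(self) -> Optional[str]:
        """Step 3: a powered tag tells the interrogator which communication type it uses."""
        return self.comm_type if self.powered else None

    def handle(self, command: str, payload: bytes = b"") -> Optional[str]:
        """Step 4: validate the instruction; invalid or unknown ones are silently ignored."""
        if not self.powered or command not in COMMAND_SETS[self.comm_type]:
            return None
        if command in ("READ_ID", "POLL"):
            return self.tag_id
        if command in ("READ_DATA", "READ_BLOCK"):
            return self.data
        if command == "OPEN_SECURE":
            # Derive a per-session key from the shared secret and the reader's nonce.
            self.session_key = hmac.new(self.secret, payload, hashlib.sha256).digest()
            return "SECURE_OK"
        if command == "PAY":
            if self.session_key is None:
                return None            # sensitive transaction refused outside the secure channel
            amount, mac = payload[:-32], payload[-32:]
            expected = hmac.new(self.session_key, amount, hashlib.sha256).digest()
            if not hmac.compare_digest(mac, expected):
                return None            # forged or tampered request ignored
            return f"PAID {amount.decode()}"
        return None


class Interrogator:
    """The smartphone side of the exchange; shares the constructed secret with the tag."""

    def __init__(self, secret: bytes = b"constructed-shared-secret") -> None:
        self.secret = secret

    def exchange(self, tag: Tag, amount: Optional[str] = None):
        transcript = []
        tag.energize()                                   # step 1
        comm_type = tag.announce_type()                  # step 3
        transcript.append(("TYPE", comm_type))
        id_cmd = "POLL" if comm_type == "FeliCa" else "READ_ID"
        transcript.append((id_cmd, tag.handle(id_cmd)))  # first command chosen by type
        if amount is not None:                           # a payment needs the secure channel first
            nonce = os.urandom(16)
            transcript.append(("OPEN_SECURE", tag.handle("OPEN_SECURE", nonce)))
            key = hmac.new(self.secret, nonce, hashlib.sha256).digest()
            mac = hmac.new(key, amount.encode(), hashlib.sha256).digest()
            transcript.append(("PAY", tag.handle("PAY", amount.encode() + mac)))
        return transcript


if __name__ == "__main__":
    print(Interrogator().exchange(Tag("TypeA", "ID-0001", "loyalty=42"), amount="5.00"))
```

Running the module prints the transcript of a successful payment. The design point is in `Tag.handle`: the tag never answers an instruction it does not recognise, and the PAY branch checks both that a session exists and that the MAC verifies, so a replayed or altered amount gets no response, which is the simplified counterpart of the encrypted channel the text says real payment tags require.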

Examples of NFC uses include the following:

• Automobile. NFC technology can be used to unlock a car door or adjust seats.
• Entertainment. NFC devices can be used as a ticket to a stadium or concert, for
purchasing food and beverages, and downloading upcoming events by tapping a
smart poster.
• Office. An NFC-enabled device can be used to enter an office, clock in and out on
a factory floor, or purchase snacks from a vending machine.
• Retail stores. Coupons or customer reward cards can be provided by tapping the
point-of-sale (PoS) terminal.
• Transportation. On a bus or train NFC can be used to quickly pass through
turnstiles and receive updated schedules by tapping the device on a kiosk.

NFC devices are most often associated with contactless payment systems.
Users store payment card numbers in a virtual wallet on a smartphone to pay
for purchases at an NFC-enabled PoS checkout device. Figure 8-3 shows one such
contactless payment system.

Figure 8-3 Contactless payment system

The use of NFC has risks because of the nature of this technology. The risks and
defenses of using NFC are listed in Table 8-2.


Radio Frequency Identification (RFID) Attacks
Another wireless technology like NFC is radio frequency identification (RFID). RFID
is commonly used to transmit information between employee identification badges,
inventory tags, book labels, and other paper-based tags that can be detected by a
proximity reader. An RFID tag can easily be affixed to the inside of an ID badge and can
be read by an RFID proximity reader as the user walks through the turnstile with the
badge in a pocket.

Most RFID tags are passive and do not have their own power supply; instead,
the electrical current induced in the antenna by the incoming signal from the
transceiver provides enough power for the tag to send a response. Because it does not
require a power supply, passive RFID tags can be very small, only 0.4 mm × 0.4 mm
and thinner than a sheet of paper, as illustrated in Figure 8-4. The amount of data
transmitted typically is limited to just an ID number. Passive tags have ranges from
about 1/3 inch to 19 feet (10 millimeters to 6 meters). Active RFID tags must have their
own power source.

Note

Even though contactless payment systems using NFC were initially touted as replacing
cash and payment cards, acceptance has been slow. Two years after Apple introduced its
NFC-based Apple Pay only 13 percent of 680 million iPhone users have used it, and over
60 percent said they are unfamiliar with it. A significant barrier to acceptance is security:
over 40 percent of consumers have indicated a concern about the security risks of contactless
payment systems.4

Table 8-2 NFC risks and defenses

| Vulnerability | Explanation | Defense |
|---|---|---|
| Eavesdropping | Unencrypted NFC communication between the device and terminal can be intercepted and viewed. | Because an attacker must be extremely close to pick up the signal, users should remain aware of their surroundings while making a payment. |
| Data theft | Attackers can bump a portable reader to a user's smartphone in a crowd to make an NFC connection and steal payment information stored on the phone. | This can be prevented by turning off NFC while in a large crowd. |
| Man-in-the-middle attack | An attacker can intercept the NFC communications between devices and forge a fictitious response. | Devices can be configured in pairing so one device can only send while the other can only receive. |
| Device theft | The theft of a smartphone could allow an attacker to use that phone for purchases. | Smartphones should be protected with passwords or strong PINs. |

RFID tags are susceptible to different attacks. Table 8-3 lists several attacks that
could occur in a retail store that uses RFID inventory tags.

The current version of RFID standards known as Generation 2 contains some
security enhancements over the previous version. These include the ability to
permanently render inoperable (kill) an RFID tag when an item is purchased by a
consumer at the PoS terminal and to disguise the tag identifier number. However,
Generation 2 does contain significant security vulnerabilities. The disguised tag
identifier number is only a pseudo-random number transmitted by the tag, data is not
encrypted, and users accessing tag data are not required to prove their identity and
authorization to access the data.
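The three Generation 2 properties just described (the identifier is only disguised by a pseudo-random number, data is not encrypted, and readers are not authenticated) can be made concrete with a small tag model. The Python below is an added example written for this section, not the textbook's code and not an implementation of the EPCglobal Class-1 Generation-2 air interface; the EPC string is a constructed sample and the message formats are simplified. One detail it assumes from the Gen2 specification that the text does not mention: the kill command is gated by a 32-bit kill password, and a tag whose kill password is zero cannot be killed. The model shows that any reader in range obtains the static identifier with no credential, that only the per-round handle changes (so the tag remains trackable), and that killing the tag at the point of sale is what finally stops it answering.

```python
"""Constructed model of a Generation 2 style passive RFID tag (added example)."""
import secrets


class Gen2Tag:
    def __init__(self, epc: str, kill_password: int = 0) -> None:
        self.epc = epc                                   # static identifier, sent in the clear
        self.kill_password = kill_password & 0xFFFFFFFF  # Gen2 kill passwords are 32 bits
        self.killed = False
        self._handle = None                              # pseudo-random handle for this round

    def query(self):
        """Inventory round: a live tag answers with a fresh 16-bit random handle.
        Nothing in this step authenticates the reader."""
        if self.killed:
            return None
        self._handle = secrets.randbelow(1 << 16)
        return self._handle

    def ack(self, handle):
        """Any reader that echoes the current handle receives the EPC unencrypted."""
        if self.killed or handle != self._handle:
            return None
        return self.epc

    def kill(self, handle, password: int) -> bool:
        """Permanently disable the tag. A zero kill password means the tag cannot be
        killed at all; otherwise the reader must present the provisioned value."""
        if self.killed or handle != self._handle:
            return False
        if self.kill_password == 0 or password != self.kill_password:
            return False
        self.killed = True
        return True


def read_epc(tag: Gen2Tag):
    """What any reader in range, rogue or legitimate, can do: Query, then ACK the handle."""
    handle = tag.query()
    return None if handle is None else tag.ack(handle)


def handles_are_disguised(tag: Gen2Tag, rounds: int = 20) -> bool:
    """True when the handle varies between rounds while the EPC stays constant:
    the 'disguise' hides nothing that identifies the item."""
    handles, epcs = set(), set()
    for _ in range(rounds):
        h = tag.query()
        handles.add(h)
        epcs.add(tag.ack(h))
    return len(handles) > 1 and len(epcs) == 1


def kill_at_checkout(tag: Gen2Tag, password: int) -> bool:
    """Point-of-sale step the text describes: kill the tag once the item is purchased."""
    handle = tag.query()
    return False if handle is None else tag.kill(handle, password)


def checkout_demo():
    """Constructed scenario: a reader obtains the EPC before purchase with no credential,
    a wrong kill password is rejected, the PoS kills the tag, and later reads get nothing."""
    tag = Gen2Tag("EPC-SAMPLE-0001", kill_password=0xC0FFEE01)   # constructed values
    before = read_epc(tag)
    wrong = kill_at_checkout(tag, 0x12345678)
    right = kill_at_checkout(tag, 0xC0FFEE01)
    after = read_epc(tag)
    return before, wrong, right, after


if __name__ == "__main__":
    print(checkout_demo())
```

`checkout_demo()` returns `("EPC-SAMPLE-0001", False, True, None)`: the identifier is readable by anyone until the tag is killed. The model also makes the deployment point visible: a tag shipped with a zero kill password can never be rendered inoperable, so the PoS kill step the text relies on only works if the password is set during provisioning and kept from the reader population at large.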

Figure 8-4 RFID tag

Wireless Local Area Network Attacks
A wireless local area network (WLAN), commonly called Wi-Fi, is designed to replace
or supplement a wired local area network (LAN). Devices such as tablets, laptop
computers, and smartphones that are within range of a centrally located connection
device can send and receive information at varying transmission speeds.

It is important to know a brief history and the specifications of IEEE WLANs, the
hardware necessary for a wireless network, and the different types of WLAN attacks
directed at both the enterprise and home users.

IEEE WLANs
For computer networking and wireless communications, the most widely known and
influential organization is the Institute of Electrical and Electronics Engineers (IEEE),
which dates to 1884. In the early 1980s, the IEEE began work on developing computer
network architecture standards. This work was called Project 802, and quickly
expanded into several different categories of network technology.

Note

One of the most well-known IEEE standards is 802.3, which set specifications for Ethernet
local area network technology.

Table 8-3 RFID attacks in retail store

| RFID attack type | Description of attack | Implications of RFID attack |
|---|---|---|
| Unauthorized tag access | A rogue RFID reader can determine the inventory on a store shelf to track the sales of specific items. | Sales information could be used by a rival product manufacturer to negotiate additional shelf space or better product placement. |
| Fake tags | Authentic RFID tags are replaced with fake tags that contain fictitious data about products that are not in inventory. | Fake tags undermine the integrity of the store's inventory system by showing data for items that do not exist. |
| Eavesdropping | Unauthorized users could listen in on communications between RFID tags and readers. | Confidential data, such as a politician's purchase of antidepressants, could be sold to a rival candidate in a smear campaign. |

In 1990, the IEEE started work to develop a standard for WLANs operating at 1 and
2 Mbps. Several proposals were recommended before a draft was developed. This draft,
which went through seven different revisions, took seven years to complete. In 1997,
the IEEE approved the final draft known as IEEE 802.11.


Although bandwidth of 2 Mbps was acceptable in 1990 for wireless networks, by
1997 it was no longer sufficient for more recent network applications. The IEEE body
revisited the 802.11 standard shortly after it was released to determine what changes
could be made to increase the speed. In 1999, a new IEEE 802.11b amendment was
created, which added two higher speeds (5.5 Mbps and 11 Mbps) to the original 802.11
standard. At the same time the IEEE also issued another standard with even higher
speeds, the IEEE 802.11a standard with a speed of 54 Mbps.

The success of the IEEE 802.11b standard prompted the IEEE to reexamine the 802.11b
and 802.11a standards to determine if a third intermediate standard could be developed.
This “best of both worlds” approach would preserve the stable and widely accepted features
of 802.11b but increase the data transfer rates to those similar to 802.11a. The IEEE 802.11g
standard was formally ratified in 2003 and can support devices transmitting at 54 Mbps.

In 2004, the IEEE began work on a new WLAN standard that would significantly
increase the speed, range, and reliability of wireless local area networks. This standard,
known as IEEE 802.11n, was ratified in 2009. The 802.11n standard has four significant
improvements over previous standards: speed (600 Mbps), coverage area (doubles
the indoor range and triples the outdoor range of coverage), increased resistance to
interference, and stronger security.

Work on an updated standard to support the demand for wireless video delivery
was started in 2011 called IEEE 802.11ac. Building upon many of the enhancements
introduced in 802.11n, this standard, ratified in early 2014, has data rates over 7 Gbps.
IEEE 802.11ad is intended for short-range indoor use. Table 8-4 compares several
different IEEE WLAN standards.

Table 8-4 IEEE WLAN standards

| | 802.11 | 802.11b | 802.11a | 802.11g | 802.11n | 802.11ad | 802.11ac |
|---|---|---|---|---|---|---|---|
| Frequency | 2.4 GHz | 2.4 GHz | 5 GHz | 2.4 GHz | 2.4 & 5 GHz | 60 GHz | 5 GHz |
| Maximum data rate | 2 Mbps | 11 Mbps | 54 Mbps | 54 Mbps | 600 Mbps | 7 Gbps | 7.2 Gbps |
| Indoor range (feet/meters) | 65/20 | 125/38 | 115/35 | 115/35 | 230/70 | 32/10 | 115/35 |
| Outdoor range (feet/meters) | 328/100 | 460/140 | 393/120 | 460/140 | 820/250 | N/A | 460/140 |
| Ratification date | 1997 | 1999 | 1999 | 2003 | 2009 | 2013 | 2014 |

WLAN Hardware
Different types of hardware are used in WLANs. A wireless client network interface card or
wireless adapter performs the same functions as a wired adapter with one major exception:
there is no external cable RJ-45 connection. In its place is an antenna (embedded into the
adapter or the device) to send and receive signals through the airwaves.


An access point (AP) is a centrally located WLAN connection device that can send
and receive information. It consists of three major parts:

• An antenna and a radio transmitter/receiver to send and receive wireless signals
• Special bridging software to interface wireless devices to other devices
• A wired network interface that allows it to connect by cable to a standard wired network

An AP has two basic functions. First, it acts as the base station for the wireless
network. All wireless devices with a wireless NIC transmit to the AP, which in turn
redirects the signal if necessary to other wireless devices. The second function of an AP
is to act as a bridge between the wireless and wired networks. The AP can be connected
to the wired network by a cable, allowing all the wireless devices to access through the
AP the wired network (and vice versa), as shown in Figure 8-5.

Figure 8-5 Access point (AP) in WLAN (the AP bridges the wireless network of a laptop and a smartphone to the wired network of a file server and a desktop, and on to the Internet)

A WLAN using an AP is operating in infrastructure mode. The IEEE specifications
also define networks that are not using an AP. This is called an Independent Basic
Service Set (IBSS) or more commonly ad hoc mode. In ad hoc mode, devices can only
communicate between themselves and cannot connect to another network. The Wi-Fi
Alliance has also created a similar technical specification called Wi-Fi Direct.

Note

Ad hoc mode is useful for quickly and easily setting up a wireless network anywhere that users
need to share data between themselves but do not need a connection to the Internet or an
external network. An example might be when a wireless user needs to quickly send a last-minute
document to an associate across the table in a meeting room. However, this mode is rarely used.

For a small office or home, instead of using an enterprise-grade AP, another device is
commonly used. This device combines multiple features into a single hardware device. These
features often include those of an AP, firewall, router, dynamic host configuration protocol
(DHCP) server, along with other features. Strictly speaking, these devices are residential WLAN
gateways, as they are the entry point from the Internet into the wireless network. However,
most vendors instead choose to label their products as simply wireless routers.

WLAN Enterprise Attacks
In a traditional wired network, a well-defined boundary or hard edge protects data
and resources. There are two types of hard edges. The first is a network hard edge.
A wired network typically has one point (or a limited number of points) through which
data must pass from an external network to the secure internal network. This single
data entry point makes the network easier to defend because any attack must likewise
pass through this one point. A device like a firewall can be used to block attacks from
entering the network. The combination of a single entry point plus security devices
that can defend it make up a network's hard edge, which protects important data and
resources. This is illustrated in Figure 8-6.

Figure 8-6 Network hard edge (a single entry point from the Internet, guarded by a firewall, in front of the printer, network device, server, corporate laptop and desktops)

The second hard edge is made up of the walls of the building that houses the
enterprise. Because these walls keep out unauthorized personnel, attackers cannot
access the network. In other words, the walls serve to physically separate computing
resources from attackers.

The introduction of WLANs in enterprises, however, has changed these hard edges
to blurred edges. Instead of a network hard edge with a single data entry point, a
WLAN can contain multiple entry points. As shown in Figure 8-7, the RF signals from
APs create several data entry points into the network through which attackers can
inject attacks or steal data. This makes it difficult to create a hard network edge. In
addition, because RF signals extend beyond the boundaries of the building, the walls
cannot be considered as a physical hard edge to keep away attackers. A threat actor
sitting in a car well outside of the building's security perimeter can still easily pick up
a wireless RF signal to eavesdrop on data transmissions or inject malware behind the
firewall. An AP whose security settings have not been set or have been improperly
configured can allow attackers access to the network.

Figure 8-7 Network blurred edge (attacker laptops outside the building listen to data transmissions and inject infections behind the firewall through the access points)

Several different wireless attacks can be directed at the enterprise. These include
rogue access points, evil twins, intercepting wireless data, wireless replay attacks, and
wireless denial of service attacks.

Rogue Access Point
Lejla is the manager of a recently opened retail storefront and wants to add wireless
access in the employee break room. However, her employer's IT staff turns down her
request for a wireless network. Lejla decides to take the matter into her own hands:
she purchases an inexpensive wireless router and secretly brings it into the store and
connects it to the wired network, thus providing wireless access to her employees.

Unfortunately, Lejla also has provided open access to an attacker sitting in his car in
the parking lot who picks up the wireless signal. This attacker can then circumvent the
security protections of the company's network.

Lejla has installed a rogue AP (rogue means someone or something that is
deceitful or unreliable). A rogue AP is an unauthorized AP that allows an attacker to
bypass many of the network security configurations and opens the network and its
users to attacks. For example, although firewalls are typically used to restrict specific
attacks from entering a network, an attacker who can access the network through a
rogue AP is behind the firewall.

Note

Rogue APs do not even have to be separate network devices. The wireless Hosted Network
function in Microsoft Windows makes it possible to virtualize the physical wireless network
interface card (NIC) into multiple virtual wireless NICs (Virtual Wi-Fi) that can be accessed by a
software-based wireless AP (SoftAP). This means that any computer can easily be turned into
a rogue AP. And some smartphone apps allow these devices to also function as APs.

Evil Twin
Whereas a rogue AP is set up by an internal user, an evil twin is an AP that is set up by
an attacker. This AP is designed to mimic an authorized AP, so a user's mobile device
like a laptop or tablet will unknowingly connect to this evil twin instead. Attackers can
then capture the transmissions from users to the evil twin AP.

Figure 8-8 illustrates rogue AP and evil twin attacks on an enterprise network,
which further create a blurred edge to a corporate network.

Intercepting Wireless Data
One of the most common wireless attacks is intercepting and reading data that is being
transmitted. An attacker can pick up the RF signal from an open or misconfigured
AP and read any confidential wireless transmissions. To make matters worse, if the
attacker manages to connect to the enterprise wired network through a rogue AP, she
also could read broadcast and multicast wired network traffic that leaks from the wired
network to the wireless network. Using a WLAN to read this data could yield significant
information to an attacker regarding the wired enterprise network.

Wireless Replay Attack
Another wireless attack is hijacking the wireless connection. Using an evil twin, an
attacker can trick a corporate mobile device into connecting to the imposter device
instead. The attacker could then perform a wireless man-in-the-middle attack. This
type of attack makes it appear that the wireless device and the network computers
are communicating with each other, when actually they are sending and receiving
data through an evil twin AP (the man-in-the-middle). As the man-in-the-middle
receives data from the devices, it passes it on to the recipient so that neither computer
is aware of the man-in-the-middle's existence.

Figure 8-8 Rogue access point and evil twin attacks (an attacker laptop running a software-based rogue AP connects to the network through it; a corporate laptop connects to an evil twin by mistake; attacker laptops listen to data transmissions and inject infections behind the firewall)

Man-in-the-middle attacks can be active or passive. In an active attack, the
contents are intercepted and altered before they are forwarded to the recipient. In
a passive attack, the attacker captures the data that is being transmitted (such as
user names and passwords), records it, and then sends it on to the original recipient
without the attackers presence being detected. This is called a wireless replay attack.

Note

Wired man-in-the-middle and replay attacks are covered in Chapter 5.

Just as an active man-in-the-middle attack modifies or injects content into a
message, another type of wireless attack can inject wireless packets into the enterprise
network. For example, an attackers application could examine incoming wireless
packets, and, if the packet data matches a pattern specified in a configuration file,
inject custom content into the network to redirect traffic to an attackers server. In yet
another type of attack, a routing protocol attack, the attacker injects specific packets
into the network to redirect a traffic stream through another router that is controlled by
the attacker.

Wireless Denial of Service Attack
Because wireless devices operate using RF signals, there is the potential for two types
of signal interference. The wireless device itself may be the source of interference
for other devices, and signals from other devices can disrupt wireless transmissions.
Several types of devices transmit a radio signal that can cause incidental interference
with a WLAN. These devices include microwave ovens, elevator motors, photocopying
machines, and certain types of outdoor lighting systems, to name a few. These may
cause errors or completely prevent transmission between a wireless device and an AP.

Note

Interference is nothing new for computer networks. Even when using cables to connect
network devices, interference from fluorescent light fixtures and electric motors can
disrupt data transmission. The solution for wireless devices is the same as that for
standard cabled network devices: locate the source of the interference and eliminate the
interference. This can be done by moving an AP away from a photocopying machine or
microwave oven, for example.

Attackers can likewise use intentional RF interference to flood the RF spectrum
with enough interference to prevent a device from effectively communicating with
the AP. This wireless DoS attack prevents the transmission of data to or from network
devices. In one type of wireless DoS attack, an attacker can intentionally flood the RF
spectrum with extraneous RF signal noise that creates interference and prevents
communications from occurring. This is called jamming.

Note

Jamming attacks generally are rare because sophisticated and expensive equipment is
necessary to flood the RF spectrum with enough interference to impact the network. In
addition, because a very powerful transmitter must be used at a relatively close range to
execute the attack, it is possible to identify the location of the transmitter and therefore
identify the source of the attack.

Another wireless DoS attack takes advantage of an IEEE 802.11 design weakness. This
weakness is the implicit trust of management frames that are transmitted across the
wireless network, which includes information such as the sender's source address. Because
IEEE 802.11 requires no verification of the source device's identity (and so all management
frames are sent in an unencrypted format), an attacker can easily craft a fictitious frame
that pretends to come from a trusted client when it is in fact from a malicious attacker.
Different types of frames can be spoofed by an attacker to prevent a client from being
able to remain connected to the WLAN. A client must be both authenticated and associated
with an AP before being accepted into the wireless network, and de-authenticated and
disassociated when the client leaves the network. An attacker can create false
de-authentication or disassociation management frames that appear to come from
another client device, causing the client to disconnect from the AP (called a disassociation
attack). Although the client device can send another authentication request to an AP, an
attacker can continue to send spoofed frames to sever any reconnections.

Note

The IEEE 802.11w amendment was designed to protect against wireless DoS attacks.
However, it only protects specific management frames instead of all management frames,
it requires updates to both the AP and the wireless clients, and it might interfere with other
security devices. For these reasons, it has not been widely implemented.

Manipulating duration field values is another wireless DoS attack. The 802.11
standard provides an option using the Request to Send/Clear to Send (RTS/CTS)
protocol. A Request to Send (RTS) frame is transmitted by a mobile device to an AP that

88781_ch08_hr_321-370.indd 340 8/11/17 8:49 PM

Copyright 2018 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203

CHAPTER 8 Wireless Network Security 341

contains a duration field indicating the length of time needed for both the transmission
and the returning acknowledgment frame. The AP, as well as all stations that receive
the RTS frame, are alerted that the medium will be reserved for a specific period. Each
receiving station stores that information in its net allocation vector (NAV) field, and no
station can transmit if the NAV contains a value other than zero. An attacker can send
a frame with the duration field set to an arbitrarily high value (the maximum is 32,767),
thus preventing other devices from transmitting for lengthy periods of time.
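As an added illustration (not code from the textbook) of how the disassociation and duration-field attacks just described look from the monitoring side, the following Python detector scans decoded 802.11 frame headers for bursts of deauthentication/disassociation frames and for abusive duration values. The dict field names, the thresholds and the sample capture are constructed assumptions.

```python
"""Detector for two wireless DoS patterns: floods of spoofed
deauthentication/disassociation frames, and frames carrying an abusive
duration (NAV) value.

Added example, not from the textbook. Input is a list of already decoded
802.11 frame headers as dicts; the field names, the thresholds and the
sample capture are all constructed for this illustration.
"""
from collections import defaultdict, deque

FRAME_TYPE_MGMT = 0
SUBTYPE_DISASSOC = 0x0A   # 802.11 management subtype: disassociation
SUBTYPE_DEAUTH = 0x0C     # 802.11 management subtype: deauthentication
NAV_MAX = 32767           # largest duration value a station can reserve

# Detection tuning (assumed values; adjust to the environment)
FLOOD_THRESHOLD = 5       # deauth/disassoc frames per (src, dst) pair ...
FLOOD_WINDOW_S = 2.0      # ... within this many seconds count as a flood
DURATION_ALERT = 10000    # microseconds; normal RTS/CTS reservations are far lower


def detect(frames, threshold=FLOOD_THRESHOLD, window=FLOOD_WINDOW_S,
           duration_alert=DURATION_ALERT):
    """Scan frames in timestamp order; return a list of
    (timestamp, alert_kind, detail) tuples."""
    alerts = []
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    already_flagged = set()       # one flood alert per pair per capture

    for f in frames:
        ts = f["ts"]
        is_kick = (f["type"] == FRAME_TYPE_MGMT and
                   f["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH))
        if is_kick:
            key = (f["src"], f["dst"])
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # forget frames outside the window
                q.popleft()
            if len(q) >= threshold and key not in already_flagged:
                already_flagged.add(key)
                alerts.append((ts, "disassoc_flood",
                               f"{len(q)} deauth/disassoc frames claiming "
                               f"{key[0]} -> {key[1]} within {window}s"))

        # Duration-field abuse: any frame type can carry a large NAV value
        dur = f.get("duration", 0)
        if dur >= duration_alert:
            kind = "duration_max" if dur >= NAV_MAX else "duration_high"
            alerts.append((ts, kind, f"duration={dur} from {f['src']}"))
    return alerts


# Constructed capture (not real traffic): an AP, two clients and an attacker.
AP = "00-50-F2-7C-62-E1"
CLIENT = "00-1B-63-84-45-E6"
OTHER = "00-1B-63-12-34-56"
ATTACKER = "02-00-00-AA-BB-CC"   # locally administered (software-set) address

SAMPLE_FRAMES = [
    {"ts": 0.0, "type": 2, "subtype": 0, "src": CLIENT, "dst": AP, "duration": 44},
    # six deauthentication frames in half a second, spoofing the AP as sender
    *[{"ts": 1.0 + 0.1 * i, "type": 0, "subtype": SUBTYPE_DEAUTH,
       "src": AP, "dst": CLIENT, "duration": 314} for i in range(6)],
    # RTS (control frame, type 1) with the duration field pinned at the maximum
    {"ts": 2.0, "type": 1, "subtype": 0x0B, "src": ATTACKER, "dst": AP,
     "duration": NAV_MAX},
    {"ts": 2.5, "type": 2, "subtype": 0, "src": AP, "dst": CLIENT, "duration": 44},
    # a single, ordinary disassociation when a station really leaves
    {"ts": 3.0, "type": 0, "subtype": SUBTYPE_DISASSOC, "src": OTHER, "dst": AP,
     "duration": 314},
]

if __name__ == "__main__":
    for ts, kind, detail in detect(SAMPLE_FRAMES):
        print(f"t={ts:5.2f}s  {kind:15s} {detail}")
```

The single disassociation at the end is deliberately left unflagged: a station leaving normally sends one, and only the rate and the spoofed sender make a flood.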

Wireless Home Attacks
Attacks against home WLANs are considered easy because many home users fail to
properly configure security on their home wireless networks. Home users face several
risks from attacks on their insecure wireless networks. Among other things, attackers can:

Steal data. On a computer in the home WLAN, an attacker could access any
folder with file sharing enabled. This essentially provides an attacker full access
to steal sensitive data from the computer.

Read wireless transmissions. User names, passwords, credit card numbers, and
other information sent over the WLAN could be captured by an attacker.

Inject malware. Because attackers could access the network behind a firewall,
they could inject viruses and other malware onto the computer.

Download harmful content. In several instances, attackers have accessed a home
computer through an unprotected WLAN and downloaded child pornography
to the computer, and then turned that computer into a file server to distribute
the content. When authorities have traced the files back to that computer, the
unsuspecting owner has been arrested and his equipment confiscated.

Note

Attackers can easily identify unprotected home wireless networks through war driving, or
searching for wireless signals from an automobile or on foot using a portable computing device.

Vulnerabilities of IEEE Wireless Security

Certification

1.2 Compare and contrast types of attacks.

2.1 Install and configure network components, both hardware- and
software-based, to support organizational security.

The original IEEE 802.11 committee recognized that wireless transmissions could be
vulnerable. Because of this, they implemented several wireless security protections in
the 802.11 standard, while leaving other protections to be applied at the WLAN vendors'
discretion. Several of these protections, though well intended, were vulnerable and led
to multiple attacks. These vulnerabilities can be divided into Wired Equivalent Privacy
(WEP), Wi-Fi Protected Setup (WPS), MAC address filtering, and SSID broadcasting.

Wired Equivalent Privacy
Wired Equivalent Privacy (WEP) is an IEEE 802.11 security protocol designed to
ensure that only authorized parties can view transmitted wireless information. WEP
accomplishes this confidentiality by encrypting the transmissions. WEP relies on
a shared secret key that is known only by the wireless client and the AP. The same
secret key must be entered on the AP and on all devices before any transmissions can
occur, because it is used to encrypt any packets to be transmitted as well as decrypt
packets that are received. IEEE 802.11 WEP shared secret keys must be a minimum of
64 bits in length. Most vendors add an option to use a longer 128-bit shared secret key
for higher security.

The shared secret key is combined with an initialization vector (IV), which is a 24-bit
value that changes each time a packet is encrypted. The IV and the key are combined
and used as a seed for generating a random number necessary in the encryption
process. The IV and encrypted ciphertext are both transmitted to the receiving device.
Upon arrival, the receiving device first separates the IV from the encrypted text and
then combines the IV with its own shared secret key to decrypt the data.

Note

Initialization vectors are covered in Chapter 4.

WEP has several security vulnerabilities. First, to encrypt packets, WEP can use
only a 64-bit or 128-bit number, which is made up of a 24-bit IV and either a 40-bit
or 104-bit default key. Even if a longer 128-bit number is used, the length of the IV
remains at 24 bits. The relatively short length of the IV limits its strength, since shorter
keys are easier to break than longer keys.

Second, WEP implementation violates the cardinal rule of cryptography:
anything that creates a detectable pattern must be avoided at all costs. This is
because patterns provide an attacker with valuable information to break the
encryption. The implementation of WEP creates a detectable pattern for attackers.
Because IVs are 24-bit numbers, there are only 16,777,216 possible values. An AP
transmitting at only 11 Mbps can send and receive 700 packets each second. If a
different IV were used for each packet, then the IVs would start repeating in fewer
than seven hours (a busy AP can produce duplicates in fewer than five hours). An
attacker who captures packets for this length of time can see the duplication and use
it to crack the code.
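To make the IV arithmetic above concrete, here is an added Python example (not the textbook's code) that computes the IV space and the time until a counter-style IV must repeat, and scans a constructed capture for IVs that have already been used. The sample capture and the byte order chosen for the IV integer are assumptions.

```python
"""WEP initialization vector (IV) exhaustion and reuse detection.

Added example, not from the textbook. It reproduces the chapter's arithmetic
(24-bit IV, 700 packets per second) and scans a constructed capture for IVs
that repeat, which is the pattern an attacker waits for and that a monitor
can flag just as easily.
"""
from collections import defaultdict

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 distinct IVs


def secret_key_bits(total_bits):
    """WEP '64-bit' and '128-bit' keys both spend 24 bits on the IV, so
    the secret part is only 40 or 104 bits."""
    if total_bits not in (64, 128):
        raise ValueError("WEP key sizes are 64 or 128 bits")
    return total_bits - IV_BITS


def hours_until_iv_repeat(packets_per_second):
    """Worst-case time for a counter-style IV to wrap at a given packet
    rate (a busier AP repeats sooner)."""
    return IV_SPACE / packets_per_second / 3600.0


def wep_seed(iv, key):
    """The per-packet RC4 seed is the 3 IV bytes followed by the secret
    key, so an IV that repeats under the same key repeats the keystream.
    (The IV is treated here as a 3-byte big-endian integer; that choice is
    a convention of this example, not a wire-format claim.)"""
    if not 0 <= iv < IV_SPACE:
        raise ValueError("IV must fit in 24 bits")
    if len(key) not in (5, 13):
        raise ValueError("key must be 40 or 104 bits")
    return iv.to_bytes(3, "big") + key


def find_iv_reuse(packets):
    """packets: iterable of (iv, frame_id) taken from captured WEP frames.
    Returns {iv: [frame_ids]} for every IV seen more than once."""
    seen = defaultdict(list)
    for iv, frame_id in packets:
        seen[iv].append(frame_id)
    return {iv: ids for iv, ids in seen.items() if len(ids) > 1}


def first_repeat_index(ivs):
    """Index of the first IV that repeats an earlier one, or None."""
    seen = set()
    for i, iv in enumerate(ivs):
        if iv in seen:
            return i
        seen.add(iv)
    return None


# Constructed sample (not real traffic): frame ids with the IV each carried.
# An implementation that restarts its IV counter at zero reuses low values;
# here frames 7 and 8 repeat the IVs of frames 1 and 2.
SAMPLE_CAPTURE = [
    (0x000001, 1), (0x000002, 2), (0x000003, 3), (0x5A1F07, 4),
    (0x5A1F08, 5), (0x000001, 7), (0x000002, 8), (0x000004, 9),
]

if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,}")
    print(f"hours to first repeat at 700 pkt/s: {hours_until_iv_repeat(700):.2f}")
    reused = {hex(iv): ids for iv, ids in find_iv_reuse(SAMPLE_CAPTURE).items()}
    print("reused IVs:", reused)
```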

Wi-Fi Protected Setup
Wi-Fi Protected Setup (WPS) is an optional means of configuring security on wireless
local area networks. Introduced by the Wi-Fi Alliance in early 2007, it is designed to
help users who have little or no knowledge of security to quickly and easily implement
security on their WLANs.

There are two common WPS methods. The PIN method utilizes a Personal
Identification Number (PIN) printed on a sticker of the wireless router or displayed through
a software setup wizard. The user types the PIN into the wireless device (like a wireless
tablet, laptop computer, or smartphone) and the security configuration automatically
occurs. This is the mandatory model, and all devices certified for WPS must support it. The
second method is the push-button method: the user pushes a button (usually an actual
button on the wireless router and a virtual one displayed through a software setup wizard
on the wireless device) and the security configuration takes place. Support for this model is
mandatory for wireless routers and optional for connecting devices.

Note

More than 19,677 wireless devices have been certified by the Wi-Fi Alliance to run WPS.

However, there are significant design and implementation flaws in WPS using the
PIN method:

There is no lockout limit for entering PINs, so an attacker can make an unlimited
number of PIN attempts.

The last PIN character is only a checksum.

The wireless router reports the validity of the first and second halves of the
PIN separately, so essentially an attacker must break only two short PIN values
(a 4-character PIN and a 3-character PIN).

Due to the PIN being broken down into two shorter values, only 11,000 different
PINs must be attempted before determining the correct value. If the attacker’s
computer can generate 1.3 PIN attempts per second (or 46 attempts per minute), the
attacker can crack the PIN in less than four hours and become connected to the WLAN.
This effectively defeats security restrictions regarding allowing only authorized users to
connect to the wireless network.
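An added Python example (not from the textbook) that implements the WPS PIN checksum rule behind the "last character is only a checksum" flaw and compares the unthrottled guessing the text describes with a vendor-side lockout; the lockout parameters and guess rate are assumed values.

```python
"""WPS PIN checksum and the effect of rate-limiting PIN guesses.

Added example, not from the textbook. The checksum rule is the standard
WPS one (the eighth digit validates the first seven); the lockout
parameters and guess rate are assumptions used to compare the unthrottled
case the text describes with the mitigation some vendors add.
"""


def wps_checksum_digit(first_seven):
    """Checksum for a 7-digit PIN prefix: weight digits 1,3,5,7 by 3 and
    digits 2,4,6 by 1, then return the digit that makes the sum a multiple
    of 10."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("need exactly seven decimal digits")
    d = [int(c) for c in first_seven]
    total = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin):
    """True when the PIN is eight digits and its last digit is the checksum."""
    return (len(pin) == 8 and pin.isdigit()
            and int(pin[7]) == wps_checksum_digit(pin[:7]))


def worst_case_guesses(halves_verified_separately=True):
    """Guesses needed to exhaust the PIN space. When the router confirms the
    first four digits and the next three separately (the checksum digit
    follows from them), that is 10**4 + 10**3 = 11,000 instead of 10**7."""
    return 10**4 + 10**3 if halves_verified_separately else 10**7


def hours_to_exhaust(guesses, guesses_per_second=1.3,
                     lockout_after=0, lockout_seconds=0):
    """Worst-case time to try every guess. lockout_after=0 models the flaw
    in the text (no limit); otherwise every lockout_after failed attempts
    add lockout_seconds of forced waiting (assumed mitigation parameters)."""
    seconds = guesses / guesses_per_second
    if lockout_after > 0:
        seconds += (guesses // lockout_after) * lockout_seconds
    return seconds / 3600.0


if __name__ == "__main__":
    pin = "1111111" + str(wps_checksum_digit("1111111"))
    print(f"example PIN with valid checksum: {pin}")
    print(f"unthrottled: {hours_to_exhaust(worst_case_guesses()):.2f} h")
    throttled = hours_to_exhaust(worst_case_guesses(),
                                 lockout_after=3, lockout_seconds=60)
    print(f"3 failures => 60 s lockout: {throttled:.1f} h")
```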

Note

Some wireless vendors are implementing additional security measures for WPS, such as
limiting the number and frequency of PIN guesses. However, unless it can be verified that
WPS supports these higher levels of security, it is recommended that WPS be disabled
through the wireless router's configuration settings.

MAC Address Filtering
One means of protecting a WLAN is to control which devices are permitted to join the
network. Wireless access control is intended to limit a user's admission to the AP: only
those who are authorized can connect to the AP and thus become part of the wireless LAN.

The most common type of wireless access control is Media Access Control (MAC)
address filtering. The MAC address is a hardware address that uniquely identifies each
node of a network. The MAC address is a unique 48-bit number that is burned into
the network interface card adapter when it is manufactured. This number consists
of two parts: a 24-bit organizationally unique identifier (OUI), sometimes called a
company ID, which references the company that produced the adapter, and a 24-bit
individual address block (IAB), which uniquely identifies the card itself. A typical MAC
address is illustrated in Figure 8-9.

Figure 8-9 MAC address: 00-50-F2-7C-62-E1 (first three octets 00-50-F2 = Organizationally Unique Identifier (OUI); last three octets 7C-62-E1 = Individual Address Block (IAB))

Note

Other names for the MAC address are vendor address, vendor ID, NIC address, Ethernet
address, hardware address, and physical address.

The IEEE 802.11 standard permits controlling access but does not specify how it is
to be implemented. Since a wireless device can be identified by its MAC address,
however, virtually all wireless AP vendors implement MAC address filtering as
the means of access control. A wireless client device's MAC address is entered
into software running on the AP, which then is used to permit or deny a device
from connecting to the network. As shown in Figure 8-10, restrictions can be
implemented in one of two ways: a specific device can be permitted access into the
network or the device can be blocked.

Filtering by MAC address has several vulnerabilities. First, MAC addresses are
initially exchanged between wireless devices and the AP in an unencrypted format.
An attacker monitoring the airwaves could easily see the MAC address of an approved
device and then substitute it on her own device.

Another weakness of MAC address filtering is that managing several MAC
addresses can pose significant challenges. The sheer number of users often makes
it difficult to manage all the MAC addresses. As new users are added to the network
and old users leave, keeping track of MAC address filtering demands almost constant
attention. For this reason, MAC address filtering is not always practical in a large and
dynamic wireless network.

Figure 8-10 MAC address filtering (AP configuration dialog offering "Filter: Allow only stations in list" or "Block all stations in list", a stations list with MAC address entry, and Add/Remove controls)

Note

MAC address filtering is usually implemented by permitting instead of preventing, because it
is not possible to know the MAC addresses of all the devices that are to be excluded.

Note

MAC address substitution is possible on Microsoft Windows computers because the MAC
address of the wireless NIC is read and then that value is stored in the Windows Registry
database, which can easily be changed.
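As an added example (not the textbook's or any vendor's code) of the filtering shown in Figure 8-10, the Python below parses MAC addresses into OUI and IAB, implements both the allow-list and block-list modes, and flags addresses whose "locally administered" bit shows they were set in software rather than burned in. Only the Figure 8-9 address comes from the page; the other addresses and the station lists are constructed.

```python
"""MAC address parsing, OUI/IAB split and an allow/block station filter,
plus a check for addresses that were assigned by software rather than
burned in at manufacture.

Added example, not from the textbook. 00-50-F2-7C-62-E1 is the address
from Figure 8-9; every other address and the station lists are constructed.
"""
import re

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def parse_mac(text):
    """Accept 'xx-xx-xx-xx-xx-xx', 'xx:xx:...' or bare hex; return
    (oui, iab) as two 3-byte values."""
    digits = text.replace("-", "").replace(":", "")
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    raw = bytes.fromhex(digits)
    return raw[:3], raw[3:]


def canonical(text):
    """Uppercase, hyphen-separated form so list lookups ignore formatting."""
    oui, iab = parse_mac(text)
    return "-".join(f"{b:02X}" for b in oui + iab)


def is_locally_administered(text):
    """Bit 1 of the first octet is the U/L bit: set means the address was
    assigned locally (changed in software or randomized), not by the
    vendor. Such an address was never 'burned in' to a NIC."""
    oui, _ = parse_mac(text)
    return bool(oui[0] & 0x02)


def is_group_address(text):
    """Bit 0 of the first octet marks multicast/broadcast; such an address
    never identifies a single station and must not appear in a filter."""
    oui, _ = parse_mac(text)
    return bool(oui[0] & 0x01)


class MacFilter:
    """'allow' = only listed stations may join (first option in Figure 8-10);
    'block' = every station except the listed ones may join."""

    def __init__(self, mode, stations=()):
        if mode not in ("allow", "block"):
            raise ValueError("mode must be 'allow' or 'block'")
        self.mode = mode
        self.stations = set()
        for s in stations:
            self.add(s)

    def add(self, mac):
        if is_group_address(mac):
            raise ValueError(f"{mac} is a group address, not a station")
        self.stations.add(canonical(mac))

    def remove(self, mac):
        self.stations.discard(canonical(mac))

    def permits(self, mac):
        """Decision for a station presenting this MAC. The limitation the
        text describes is visible here: the filter sees only the claimed
        address, so a device that copies a listed address is permitted too."""
        listed = canonical(mac) in self.stations
        return listed if self.mode == "allow" else not listed


if __name__ == "__main__":
    allow = MacFilter("allow", ["00-50-F2-7C-62-E1", "00:1b:63:84:45:e6"])
    for mac in ("00-50-f2-7c-62-e1", "00-50-F2-7C-62-E2", "02-00-00-AA-BB-CC"):
        flag = " (locally administered)" if is_locally_administered(mac) else ""
        print(f"{canonical(mac)} permitted={allow.permits(mac)}{flag}")
```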

SSID Broadcasting
Another means of controlling access to the WLAN uses the Service Set Identifier
(SSID) of the wireless network. The SSID is the user-supplied network name of a
wireless network and generally can be any alphanumeric string up to 32 characters.
Although normally the SSID is broadcast so that any device can see it, the broadcast
can be restricted. Then only those users that know the secret SSID in advance would
be allowed to access the network.

Some wireless security sources encourage users to configure their APs to prevent the
broadcast (beaconing) of the SSID, and instead require the user to enter the SSID manually
on the wireless device. Although this might seem to provide protection by not advertising
the SSID, it provides only a weak degree of security and has several limitations:

The SSID can be easily discovered even when it is not contained in beacon
frames because it is transmitted in other management frames sent by the AP.

Turning off the SSID broadcast might prevent users from being able to freely
roam from one AP coverage area to another.

It is not always possible or convenient to turn off SSID beaconing. SSID
beaconing is the default mode in virtually every AP, and not all APs allow
beaconing to be turned off.

Note

Older versions of Microsoft Windows, when receiving signals from both a wireless network
that is broadcasting an SSID and one that is not broadcasting the SSID, will always connect
to the AP that is broadcasting its SSID. If such a device is connected to an AP that is not
broadcasting its SSID, and another AP is turned on that is broadcasting its SSID, the device will
automatically disconnect from the first AP and connect to the AP that is broadcasting.

Wireless Security Solutions
Certification

1.5 Given a scenario, troubleshoot security issues related to wireless networking.

2.1 Install and configure network components, both hardware- and software-based,
to support organizational security.

2.2 Given a scenario, use appropriate software tools to assess the security posture
of an organization.

2.3 Given a scenario, troubleshoot common