Blog moved to sy0201.blogspot.com. 

Added blog on BlueTooth Concerns for CompTIA Security+ (SY0-201 exam) here: http://sy0201.blogspot.com/2009/10/bluetooth-concerns.html

 When studying for Security+, you'll come across using RAID for disk redundancy.   RAID is short for redundant array of independent (or inexpensive) disks. Redundancy provides fault tolerance.  In other words, if a fault occurs in one drive, your system can tolerate the fault and continue to operate. Several different RAID types are available. When studying for Security+, you should be aware of the following topics.

• RAID-0 (also known as striping) does not provide any fault tolerance but increased performance.
• RAID-1 (also known as mirroring) uses two disks and provides fault tolerance. 
• RAID-5 (also known as striping with parity) uses at least three disks and provides fault tolerance while also providing increased performance. The equivalent of one drive is dedicated to parity.
• RAID-10 (also called 1+0) combines RAID 1 and RAID-0.  A variant is 0+1.  Both provide fault tolerance and increased performance for specific applications.

Both hardware and software RAID solutions are avaialble.  Hardware RAID is more expensive provides significantly better performance than sofware RAID.

Darril

One of the Security+ objectives is "Explain the purpose and application of virtualization technology."

 You may be wondering what this is about.  First, virtualization centers around virtualization desktop infrastructure (VDI) where a single physical computer can host multiple computer operating systems.  Many virtualization technologies exist such as VMWare and Microsoft's Virtual PC (upgraded and renamed to Windows Virtual PC in Windows 7).  I'm more familiar with Virtual PC (VPC) but the uses between brands are common. One great feature is that if something goes wrong with the virtual system, changes can be easily rolled back or undone.

As a simple example, I am running Windows 7 on my desktop PC and have a virtual mini-lab running on the system with Windows Server 2008 in one virtual system running as a domain controller, and a Windows 7 computer running as a client in the virtual domain. I have configured both of these two be able to communicate with each other but they are isolated from the host system or the Internet. 

From a security perspective, virtualization can be use for a few purposes.

• Testing of patches.  When patches for the operating system or applications are released, they can be applied in a virtual environment.  They can be tested here in a safe environment without any impact on the production environment.
• Testing of malware.  Once malware is discovered, security professionals want to know what it does and how it does it.  This often entails releasing it and observing what happens.  Again, a virtual environment is safe and won't impact the performance of the host operating system or the regular network.

Darril

Cryptography has several elements and an important one is the use of encryption.

 Encryption is used to enforce confidentiality (one of the three elements in the security triad of confidentiality, integrity and availability). If you want to keep your data secure and prevent unauthorized disclosure, you can encrypt the data to make it unreadable.

Encryption uses an algorithm and a key.  If either the algorithm is weak or the key is weak, the encryption can easily be broken.  Most algorthms are well known but keys are either frequently changed, or kept secret.

 Two major types of encryption are used: symmetric and assymmetric.

• Symmetric encryption uses a single key to both encrypt the data and decrypt the data.
• Asymmetric encryption uses two keys that are created as a matched pair (a public key and a private key).  Data encrypted with a public key can only be decrypted with the matching private key. Data encrypted with the private key can only be decrypted with the public key

The most popular type of symmetric encryption is AES.   AES is considered a fast, highly secure encryption algorithm. It is significantly faster (using less processor and memory resources) than both DES and 3DES. AES256 uses a key size of 256 bits.

 A Public Key Infrastrcuture (PKI) is required to support asymmetric encryption. Any entity can have a private key (which is always kept private). The matching public key is embedded in a certificate issued from a certificate authority (CA).

Darril

Web sites use certificates to create SSL sessions.  When a user clicks a HTTPS link, it initiates the SSL handshake process.

 The web site will then send the client a certificate with a public key that can be used in the asymmdtric portion of the SSL session to create a session key. (The session key will then be used in the symmetric portion of the SSL session.)  The client needs to verify the certificate is trusted and valid:

Trusted.  First, the certificate must have been issued from a trusted certificate authority (CA). A list of trusted CAs can be viewed in Internet Explorer by clicking Tools -> Internet Options, selecting the Content tab, click the Certificates button, and selecting Trusted Root Certification Authorities.  If the certificate was issued to the web site from a company with a certificate in the Trusted Root Certification Authority store, it will be trusted. If the certificate is not trusted, the user will be notified that it's not trusted and encouraged not to continue.

Valid.  Next, the client attempts to validate the certificate. CAs can revoke certificates if they become compromised in some way. A revoked certificate is considered invalid and shouldn't be used. Revoked certificates are published on a certificate revocation list (CRL). Clients can check if a certificate is valid using one of two methods:

• Requesting the CRL.  The client requests a copy of the CRL from the CA.  The CA sends the CRL and the client then checks the CRL to see if the certificate is on the list.  If it's on the list, it's considered invalid and wouldn't be used.
• Online Certificate Status Protocol (OCSP). OCSP is an improved streamlined process. Instead of the client requesting a copy of the CRL, the client queries the CA about the certificate. Certificates are uniquely identified with a serial number. The CA then replies indicating the certificate is healthy (not revoked), not healthy (revoked), or unknown (the serial number is not known by the CA.

Once the certificate is verified to be trusted and valid, the public key embedded in the certificate is used to encrypt the session key.  Imagine the client wants to use a key of 1234. The client then encrypts this key with the public key to result in something like "AF4D2D0F3EB304". (Both the session key and the encrypted session would be much larger but are shortened for illustration purposes. )

 At this point, only the client knows the session key.  The encrypted session key is sent back to the web server.  Since this key was encrypted with the public key (which is matched to the private key held by the server and unknown to anyone else) it can't be decrypted if anyone intercepts it.  When the web server receives the encrypted key, it decrypts it with the private key.  Use of the public and private key is known as asymmetric encryption.

 For the remainder of the session, the client and server use the session key (symmetric encryption).

 Darril Gibson

Security+ Tip of day Tweets
twitter.com/DarrilGibson

Authentication is used to verify a user’s identity by providing a previously known identifier.  Basically, there are three ways to do this which are commonly referred to as the three factors of authentication.

• Something you know.  As an example, a user would know their username and password.  This is considered the weakest form of authentication.  One of the primary reasons is that users often use weak passwords or write their passwords down.

•  Something you have. Smart cards and fobs are common examples. A smart card is a credit card sized card that holds key information about the user.  Smart cards have certificates embedded in them using TLS and provide very strong authentication. A fob (sometimes called a token) has an LED display that shows a number that changes regularly, such as every 60 seconds. This number is synchronized with a server.  When the user logs into a website, they enter the number shown on the display to verify they have the token. This factor is often combined with another factor to provide multifactor authentication.

• Something you are. Biometrics is used for this factor of authentication and is not only in movies.  Biometrics is commonly used in many applications today. A common example is at theme parks like Disney World.  It includes fingerprints, retinal scans, voice prints and even handwriting analysis. Biometrics is considered the strongest form of authentication, but also the most expensive.

Multifactor Authentication. Multifactor authentication combines two or three of the factors. Two common examples are where

1. Someone may have a smart card and know a personal identification number (PIN), or
2. Have a fob and know their username and password.

 Darril Gibson

Security+ Tip of day Tweets
twitter.com/DarrilGibson

Some people query about the popularity of Security+ in the past few years.  What is driving so many people to seek this certification?

 One of the big driving factors is a U.S. Department of Defense (DoD) directive named DoD 8570.1.  This directive mandates many IT professionals employed in the government to have specific certifications.  Some of the common certifications are CompTIA A+, Network+, and Security+ and the people required to have the different certifications are military personnel, civilian employees and civilian contractors.

While civilian companies aren't mandated to have employees with these certifications, they are much more competitive if they do when they compete for IT sservice contracts.  Employers may not require you to have the certification, but if do have it, it weighs just a little more in your favor.

 Darril

CompTIA Security+: Get Certified Get Ahead

One quantitative risk model uses three elements three elements to quantify and prioritize risks. They are:

• Single loss expectancy (SLE).  The is the cost of any single loss expressed in monetary terms (such as $4,000).
• Annualized rate of occurrence (ARO). This indicates how many times the loss is expected to occur if no action is taken. For example, it may have occurred an average of 4 times in the past three years, so the ARO would be 4.
• Annualized loss expectancy (ALE). SLE * ARO.  What you expect to lose annually if no action is taken in this example is $16,000.

Using and SLE of $4,000, and an ARO of 4, see if you can solve this problem. Suppose you could spend $2,000 and reduce the ARO from 4 to 1.  How much money would you save?

• The original ALE is $16,000 ($4,000 * 4).
• If the ARO was reduced to 1, the ALE would be $4,000 ($4,000 * 1), or a reduction of losses by $12,000.
• You spent $2,000 to save $12,000 so you saved $10,000

 Another way of looking at this is to use these figures to determine the effectiveness of a mitigation measure.  Imagine the ALE is $16,000.  Someone proposes a risk mitigation solution that costs $35,000  a year with a guarantee that it will eliminate this risk.  Does that make fiscal sense?  In other words, you’ll spend $35,000 to save $16,000 - not too good.  Now instead of losing $16,000, you’re spending $35,000.

Make sure you understand the SLE, ALE, and ARO when preparing for the CompTIA Security+ exam. 

Darril

CompTIA Security+: Get Certified Get Ahead

 Three weeks after taking the CISSP exam, I received notification of a successful pass. Woo Hoo!

One thing that was very apparent to me was the information I learned while studying the CompTIA Security+ objectives definitively helped me with the CISSP.  The CISSP exam is a monster and will take a lot more time and effort to master than the Security+ certification.  However, if you take the time to truly learn the material for the Security+ exam, you'll be a step closer to the CISSP.

 As one of many examples, understanding public key cryptography helped with many questions on the CISSP exam.  Chapter 9 of the CompTIA Security+ SY0-201: Get Certified, Get Ahead book includes all of the material you'll need for cryptography in Security+ and you won't need much more if you later pursue the CISSP.

Darril