June 16, 2012

1.6.12 Power Level Controls

Power level controls

Some access points (AP) include power level controls that allow you to adjust the amount of output provided.

Antenna power level controls are typically set by the manufacturer to a level suitable for an average environment. However this power level can be changed as informed by a site survey and antenna placement adjustments. The power level can be increased to strength the signal or it can be decreased for example to keep wireless signals from leaking outside the coverage area.

1.6.11 Antenna Placement

Antenna Placement

The performance of a wireless network greatly depends on signal strength of the wireless access point (AP) and the location of the wireless clients. Antenna placement can be crucial in allowing signals from the AP to reach the clients. This signal can be affected by the construction materials of walls, the network range, and the strength, sensitivity and quality of the antennas.

Signal strength depends on the environment in which the access point is placed. As a general rule, the greater the distance the signal travels, the more it will attenuate. Factors such as construction materials of walls, the network range, and the strength, sensitivity and quality of the antennas can further affect the signal strength.
In general, the AP should be at the center of a circle (or sphere) with a minimum radius.

Clients situated near the edge of the network range will likely experience network performance issues or dropped connections.

Avoid placing AP near objects that can absorb or reflect the signal.

  • http://en.wikipedia.org/wiki/CCMP
  • alt.internet.wireless

1.6.10 CCMP


Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP) is an encryption protocol designed for Wireless LAN products that implement the full IEEE 802.11i standard (IEEE 802.11i-2004). CCMP is a data cryptographic encapsulation mechanism designed for data confidentiality and based upon the Counter Mode with CBC-MAC (CCM) of the AES standard. It was created to address the vulnerabilities presented by TKIP, a protocol in WPA, and WEP.

CCMP is an AES-based encryption mode introduced with WPA2 and it is more secure than the WEP protocol and TKIP protocol of WPA. It provides the following security services:
  • Data Confidentiality; ensures only authorized parties can access the information
  • Authentication; provides proof of genuineness of the user
  • Access control in conjunction with layer management
CCMP uses 128-bit AES encryption with a 48-bit initialization vector.

CCMP computes a Message Integrity Check (MIC) using the well known, and proven, Cipher Block Chaining Message Authentication Code (CBC-MAC) method. Changing even one bit in a message produces a totally different result.

Advanced Encryption Standard (AES) is the cipher system used by Robust Security Network (RSN). It is the equivalent of the RC4 algorithm used by WPA. CCMP is the security protocol used by AES. It is the equivalent of TKIP in WPA.

In the beginning there was WEP. It’s security protocol was weak. WPA (with TKIP) fixed some of the issues with WEP, however it was an intermediate solution, implementing a portion of the 802.11i standard. WPA2 (with CCMP) was a full implementation of the 802.11i standard.

  • http://en.wikipedia.org/wiki/CCMP
  • http://www.openxtra.co.uk/articles/wpa-vs-80211i

May 28, 2012

1.6.5 PEAP


Wireless security consists of three components:
  1. The authentication framework
  2. The authentication algorithm
  3. The data privacy or encryption algorithm
Extensible Authentication Protocol (EAP) is a type of authentication algorithm.
EAP is an authentication framework that supports multiple authentication methods. PEAP adds security services to those EAP methods that EAP provides.

Protected Extensible Authentication Protocol, Protected EAP, or simply PEAP is a method to securely transmit authentication information, including passwords, over wireless networks. It was jointly developed by Microsoft, RSA Security and Cisco Systems. It is an IETF open standard. Note that PEAP is not an encryption protocol; as with other EAP types it only authenticates a client into a network.

While many consider PEAP and EAP-TTLS to be similar options, PEAP is more secure since it establishes an encrypted channel between the server and the client.

PEAP provides the security framework for mutual authentication between an EAP client and an EAP server. PEAP is not as secure as Transport Level Security (TLS), but has the advantage of being able to use username/password authentication instead of client certificate authentication.

PEAP authentication occurs as a two-part conversation between the EAP client and the EAP server. In the first part of the conversation, TLS is used to establish a secure channel for use in the second part of the authentication. Once the client authenticates the server and the secure channel is established, the second part of the PEAP conversation begins. In this second part, a complete EAP conversation occurs within the secure channel. PEAP authentication succeeds if both parts of the authentication succeed.

PEAP authenticates the server with a public key certificate and carries the authentication in a secure Transport Layer Security (TLS) session, over which the WLAN user, WLAN stations and the authentication server can authenticate themselves. Each station gets an individual encryption key.

PEAP makes it possible to authenticate wireless LAN clients without requiring them to have certificates, simplifying the architecture of secure wireless LANs.

PEAP is considered an enhancement to Lightweight EAP (LEAP )in part because it supports secure mutual authentication.

  • http://www.potaroo.net/ietf/idref/draft-josefsson-pppext-eap-tls-eap/
  • http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/ps4076/prod_white_paper09186a00800b469f_ps4570_Products_White_Paper.html
  • http://msdn.microsoft.com/en-us/library/aa921396.aspx
  • http://searchmobilecomputing.techtarget.com/definition/PEAP-Protected-Extensible-Authentication-Protocol
  • http://wiki.freeradius.org/EAP-PEAP

1.6.7 MAC Filter

MAC filter

MAC addresses are uniquely assigned to each network adapter. Every wireless network adapter has a MAC Address burnt into it.

When a wireless network adapter attempts to access the network, the access point (or router) checks the devices’ MAC address. Using MAC address filtering on a network allows the administrator to permit (or deny) network access to specific network adapter devices. If the MAC address doesn't match what's on the list, no connection is possible.

This security isn't perfect. MAC Address filtering is often referred to as Security through obscurity because while giving some additional protection, MAC filtering can be circumvented by a determined hacker configuring their client to spoof one of the validated MAC addresses. Using MAC Filtering may lead to a false sense of security.

To set up MAC address filtering, the administrator configures a list of network adapter MAC addresses that will be allowed to join the network. Then, each address is entered into the wireless access point.

Once enabled, whenever the wireless access point receives a request to join with the WLAN, it compares the MAC address of that client against the administrator's list. Clients on the list authenticate as normal; clients not on the list are denied any access to the WLAN.

MAC addresses are sent in the clear as required by the 802.11 specification. As a result, in wireless LANs that use MAC address filtering, a network attacker might be able to subvert the MAC filtering (or authentication) process by spoofing a valid MAC address.

MAC address filtering is not bulletproof, however used as an additional layer of defense, it can improve the overall wireless network security profile.

  • http://en.wikipedia.org/wiki/MAC_filtering
  • http://compnetworking.about.com/cs/wirelessproducts/qt/macaddress.htm
  • http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/ps4076/prod_white_paper09186a00800b469f_ps4570_Products_White_Paper.html

May 24, 2012

1.4.13 IPv4 vs. IPv6

IPv4 vs. IPv6

Internet Protocol (IP) is a global communications standard used for linking devices together. It defines how computers communicate over a network. The primary purpose of an IP address is to uniquely identify a node at the Network Layer. Every Internet connected device, computer, smartphone, smart TV, etc. needs a unique IP address. The explosive growth in mobile devices including mobile phones, notebook computers, and wireless handheld devices has created a need for a large number of additional IP addresses.

There are currently two versions: IP version 4 (IPv4) and IP version 6 (IPv6).

IPv4 is the 4th version of the Internet Protocol. It is the most commonly deployed OSI Layer 3 (Network layer) protocol.

IPv4 has a 32 bit address space and consists of 232 or approximately 4.3 billion possibile IPv4 addresses. IPv4 was formally defined by the Internet Engineering Task Force (IETF) in September 1981 as RFC-791.

IPv6 is the next generation of the Internet Protocol. IPv6 has a 128 bit address space and consists of 2128 or approximately 340 undecillion possible IPv6 address. It was formally defined by the IETF as a specification in December 1998 as RFC 2460.

Since the commercialization of the Internet, pressure has been increasing on the IPv4 address space such that, today we have almost fully depleted the IPv4 address. In an effort to maximize usage, techniques such as CIDR, NAT and use of private address spaces are in use, these efforts are only managing to delay the inevitable.

In 1981 when it was first defined, 4 billion IPv4 addresses seemed like a lot. IPv4 was intended to support the needs of academic and US government needs at a time before the commercialization of the Internet. At the time, 4 billion seemed enough.

An IPv6 address is effectively 4 times as long as an IPv4 address. It would be impractical to use the binary or even the more compact decimal notation to represent an IPv6 address. Instead IPv6 is represented using hexadecimal characters.

An IPv6 address has eight groups of hexadecimal characters (the numbers 0–9 and the letters A–F),
also known as hextets, separated by colons. Each hexadecimal digit represents 4 binary digits. IPv6
can have up to 32 hexadecimal digits. Colons are placed between each hextet.

Enhancements in IPv6 include:

  • The size of the IPv6 address space makes it less vulnerable to malicious activities such as IP scanning.
  • IPv6 packets can support a larger payload than IPv4 packets resulting in increased throughput and transport efficiency.
  • Native support for mobile devices via the Mobile IPv6 (MIPv6) protocol.
  • Auto-configuration.
  • Increased authentication and privacy measures, e.g. with embedded IPSec.
  • Better performance through elimination of checksums at the IP level

When 4 Billion Is Not Enough

  • There are a total of 232 or 4,294,967,296 possible IPv4 addresses
  • An IPv4 address can be represented in several formats, including:
    • Dotted decimal notation, e.g. – four groups of decimal numbers, each in the range 0 – 255
    • 32-bit binary notation consisting of four groups of 8 binary digits, e.g. 10000000 01111101 01011001 11111010
    • Dotted hexadecimal, e.g. 0x80.0x7D.0x59.0xFA – Each octet is individually converted to hexadecimal form
    • Dotted octal 0200.0175.0131.0372 – Each octet is individually converted into octal
    • Hexadecimal, e.g. 0x807D59FA – Concatenate the octets of the dotted hexadecimal
  • IPv4 addresses consist of a network portion and a host portion. The network portion of an IPv4 address is variable in length, i.e. the IPv4 network subnet size is variable:
    • Use of the slash (/) notation or CIDR (Classless Inter-Domain Routing) to identify and differentiate between the network and host portion of an IPv4 address. The CIDR notation identifies the number of bits that determines the network portion, e.g. sets aside 24 bits for the network and the remaining 8 bits for hosts addresses.
    • Number of “default” network blocks:
      • 256/8 or 256 class A networks
      • 65,536/16 or 65,536 class B networks
      • 16,777,216/24 or 16,777,216 class C network

IPv6 Address

  • In binary notation, each IPv6 address has 128 binary digits: 2128 (about 3.4×1038) is equal to approximately 5×1028 addresses for each of the 6.5 billion (6.5×109) people alive today
  • There are theoretically 340,282,366,920,938,463,463,374,607,431,768,211,456 IPv6 addresses. The text version of this is 340 undecillion 282 decillion 366 nonillion 920 octillion 938 septillion 463 sextillion 463 quintillion 374 quadrillion 607 trillion 431 billion 768 million 211 thousand 456  addresses.
  • There are 216 or 65,536 numbers per segment or hextet.
  • The preferred form is a 16-byte global IPv6 address. This can be represented as: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx where x is a hexadecimal digit representing 4 bits. The colon (:) is the delimiter between each hextet.

    Here is an example of an IPv6 address: 2620:0000:1CFE:FACE:B00C:0000:0000:0003 – eight groups of 4 hexadecimal characters (0-9A-F) separated by colons

    IPv6 addresses range from 0000:0000:0000:0000:0000:0000:0000:0000 to FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF.

    Any four-digit group of zeroes in an IPv6 address can be collapsed by omitting leading zeros or replacing zeros with double colon. The following IPv6 addresses are identical and valid:
    • 2607:f8b0:4000:0805:0000:0000:0000:1010
    • 2607:f8b0:4000:805:0:0:0:1010
    • 2607:f8b0:4000:805::1010
  • Note: Only one set of double colons is allowed in any one IPv6 address.

    An IPv6 address can be used in a URL:
    • http://2607:f8b0:4000:0805:0000:0000:0000:1010/
  • Here is an example of an IP address that contains a port number:
    • [2607:f8b0:4000:0805:0000:0000:0000:1010]:80
  • This is a URL with an IPv6 address and a port number, 80:
    • http://[2607:f8b0:4000:0805:0000:0000:0000:1010]:80
  • Note: the square brackets above are only necessary when specifying a port number.
  • How many networks are possible with IPv6?
    • Take the 8 hextets of an IPv6 address; Cut it in half; That half has 4 hextet and each hextet consists of 16 bits; Each of the 4 hextets contains up to 65,536 numbers; To get the total number in the 4 hextet, multiply 65,536 four times, e.g. 65,536 * 65,536 * 65,536 * 65,536 = 18,446,744,073,709,551,616 or 18 quintillion.
    • There are 18 quintillion possible IPv6 networks. Each of the 18 quintillion IPv6 networks can host 18 quintillion host addresses.
  • Notes
    • Public IPv6 addresses begin with the 001 prefix. This cuts down the maximum possible IPv6 addresses from 2128 to 2125. Additionally it means that public IPv6 addresses are limited to those beginning with binary 001x or hextet 2xxx or 3xxx.
    • One undecillion is one trillion trillion trillion.
    • Broadcast addresses not supported in IPv6
    • Global unicast address defined in RFC3587
    • A hextet is the description for each of the 8 colon delimited blocks in an IPv6 address.
    • Google maintains both IPv4 and IPv6 DNS servers:
    • Google’s Public DNS IP Addresses
      IPv6 2001:4860:4860::8888 2001:4860:4860::8844

Transition Mechanisms

IPv4 and IPv6 are not interchangeable. In lieu of a clean cut-over from IPv4 to IPv6, one of three transition mechanisms can be implemented to enable communication between IPv4 and IPv6 devices.
  • Dual-stack: Device level support for both IPv4 and IPv6. The term "dual-stack" refers to TCP/IP capable devices providing support for both IPv4 and IPv6.
  • Tunnels: Tunnel IPv6 packets over an IPv4 topology. The term "tunneling" refers to a means to encapsulate one version of IP in another so the packets can be sent over a backbone that does not support the encapsulated IP version.
  • Protocol Translators: Translation allows IPv6 only hosts to communicate with IPv4 only hosts. The term "translators" refers to devices capable of translating traffic from IPv4 to IPv6 or vice and versa. Note: Use of protocol translators cause problems with NAT and highly constrain the use of IP-addressing.
Note: The transition mechanisms can impact (slow down) the communication channel between an IPv4-on and IPv6-only site.

IPv4 and IPv6 Address Equivalency

IPv4 Address IPv6 Address
Internet address classes Not applicable in IPv6
Multicast addresses ( IPv6 multicast addresses (FF00::/8)
Broadcast addresses Not applicable in IPv6
Unspecified address is Unspecified address is ::
Loopback address is Loopback address is ::1
Public IP addresses Global unicast addresses
Private IP addresses (,, and Site-local addresses (FEC0::/10)
Autoconfigured addresses ( Link-local addresses (FE80::/64)
Text representation: Dotted decimal notation Text representation: Colon-hexadecimal format with suppression of leading zeros and zero compression. IPv4-compatible addresses are expressed in dotted decimal notation.
Network bits representation: Subnet mask in dotted decimal notation or prefix length notation Network bits representation: Prefix length notation only
DNS name resolution: IPv4 host address (A) resource record DNS name resolution: IPv6 host address AAAA resource records (RFC 1886) or A6 records (RFC 2874)
DNS reverse resolution: IN-ADDR.ARPA domain DNS reverse resolution: IP6.INT domain (RFC 1886) or IP6.ARPA domain (RFC 2874)

Compression Rules

An IPv6 address can be compressed by squeezing out all zero hextets (groups of 4 hex digits) and leading zeros. I.e. FC00:0001:A000:0B00:0000:0927:0127:00AB or FC00:1:A000:B00::927:127:AB

Only one set of double colons is allowed, otherwise the result would be ambiguous.

“The killer application of IPv6 is the survival of the open Internet as we know it.” – Lorenzo Colitti, Google.

The following table compares some of the key features of the IPv4 and IPv6 protocols:

IPv4 IPv6
Source / destination addresses are 32 bits (4 bytes) in length. Source / destination addresses are 128 bits (16 bytes) in length.
IPSec support is optional. IPSec support is required.
No identification of packet flow for Quality of Service (QoS) handling by routers is present within the IPv4 header. Packet flow identification for QoS handling by routers is included in the IPv6 header using the Flow Label field.
Fragmentation is done by both routers and the sending host. Fragmentation is not done by routers, only by the sending host.
Header includes a checksum. Header does not include a checksum.
Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IPv4 address to a link layer address. ARP Request frames are replaced with multicast Neighbor Solicitation messages.
ICMP Router Discovery is used to determine the IPv4 address of the best default gateway and is optional ICMP Router Discovery is replaced with ICMPv6 Router Solicitation and Router Advertisement messages and is required.
Broadcast addresses are used to send traffic to all nodes on a subnet. There are no IPv6 broadcast addresses. Instead, a link-local scope all-nodes multicast address is used.
Must be configured either manually or through DHCP. Does not require manual configuration or DHCP.


1.4.12 ICMP


Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite. It provides maintenance and reporting functions. It is chiefly used by IP end systems and all IP intermediate systems (i.e routers) to send error messages indicating, problems with delivery of IP datagrams within an IP network. It can be used to show when a particular end system is not responding, when an IP network is not reachable, when a node is overloaded, when an error occurs in the IP header information, etc.

The Internet Protocol is not designed to be absolutely reliable. The purpose of these control messages is to provide feedback about problems in the communication environment, not to make IP reliable. The higher level protocols that use IP must implement their own reliability procedures if reliable communication is required.
ICMP is defined in RFC 792. It is assigned protocol number 1.

ICMP provides error reporting, flow control and first-hop gateway redirection.
The ping program contains a client interface to ICMP. It may be used by a user to verify an end-to-end Internet Path is operational. The ping program also collects performance statistics (i.e. the measured round trip time and the number of times the remote server fails to reply.

The traceroute (or tracert) program contains a client interface to ICMP. Like the ping program, it may be used by a user to verify an end-to-end Internet Path is operational, but also provides information on each of the Intermediate Systems (i.e. IP routers) to be found along the IP Path from the sender to the receiver.
Some Routers are configured to discard ICMP messages, while others process them but do not return ICMP Error Messages.

ICMP is one of the favorite protocols used for DoS attacks. Many businesses have disabled ICMP through the router to prevent these types of situations from occurring.

A smurf attack is one in which large volumes of ICMP echo requests (pings) are broadcast to all other machines on the network and in which the source address of the broadcast system has been spoofed to appear as though it came from the target computer. When all the machines that received the broadcast respond, they flood the target with more data than it can handle.

ICMP is used for destination and error reporting functions in TCP/IP. ICMP is routable and is used by programs such as ping and traceroute.

The “ping of death” is a large ICMP packet sent to overflow the remote host's buffer. A ping of death crashes a system by sending ICMP packets that are larger than the system can handle.

The countermeasure for ICMP attacks is to deny ICMP traffic through your network. You can disable ICMP traffic in most routers, and you should consider doing so in your network.

  • http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
  • http://www.networksorcery.com/enp/protocol/icmp.htm
  • http://www.erg.abdn.ac.uk/~gorry/eg3567/inet-pages/icmp.html
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  • http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml

May 13, 2012

1.4.11 SCP


Secure Copy or SCP is a network protocol, based on the Berkeley Software Distribution’s (BSD) Remote Copy (RCP) protocol. SCP supports secure transfer of computer files between hosts on a network (local to remote host or remote to remote host).

SCP uses Secure Shell (SSH) for data transfer and utilizes the same mechanisms for authentication, thereby ensuring the authenticity and confidentiality of the data in transit.

A client can send (upload) files to a server, optionally including their basic attributes (permissions, timestamps). Clients can also request files or directories from a server (download).

SCP runs over TCP port 22 by default.

The scp (UNIX/Mac OS X) and winscp (Windows) programs are implementations of the SCP protocol.

SCP relies on Secure Shell (SSH). SCP is an application and a protocol that provide a secure replacement for the Berkeley r-tools, e.g rcp. Both programs (rcp and scp) are very similar, except that with scp, information (including the password used to log in) is encrypted.


January 29, 2012

3.4.8 IV Attack

IV attack

An initialization vector (IV) is an arbitrary number that can be used along with a secret key for data encryption. This number, also called a nonce, is employed only one time in any session.

Initialization vectors are used to prevent a sequence of text that is identical to a previous sequence from producing the same exact ciphertext when encrypted. The IV prevents the appearance of corresponding duplicate character sequences in the ciphertext.

The use of an IV prevents repetition in data encryption, making it more difficult for a hacker using a dictionary attack to find patterns and break a cipher.

The initialization vector (IV) that WEP uses for encryption is 24-bit, which is quite weak and IVs are reused with the same key. By examining the repeating result, it is easy for miscreants to crack the WEP secret key, known as using an IV attack.

An IV attack is usually associated with the WEP wireless protocol.

  • http://en.wikipedia.org/wiki/Initialization_vector
  • http://whatis.techtarget.com/definition/initialization-vector.html
  • http://www.pcmag.com/encyclopedia_term/0,2542,t=initialization+vector&i=44997,00.asp
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.4.7 War chalking

War chalking

Warchalking is the drawing of standard iconography (often in chalk) in public places to advertise an open Wi-Fi wireless network.

Warchalking involves those who discover a way into the network leaving signals on, or outside, the premise to notify others of the vulnerability.


  • http://en.wikipedia.org/wiki/Warchalking

3.4.6 Bluesnarfing


Bluesnarfing is much more serious than Bluejacking, but both exploit others' Bluetooth connections without their knowledge.

Bluesnarfing enables gaining unauthorized access through a Bluetooth connection. This access can be gained through a phone, PDA, or any device using Bluetooth. Once access has been gained, the attacker can copy any data in the same way they would with any other unauthorized access.

  • http://en.wikipedia.org/wiki/Bluesnarfing
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.4.5 Bluejacking


Bluejacking is the sending of unsolicited messages (think spam) over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field to another bluetooth enabled device via the OBEX protocol.
Bluejacking takes advantage of a loophole in the technology's messaging options that allows a user to send unsolicited messages to other nearby Bluetooth owners.

Bluetooth technology operates by using low-power radio waves, communicating on a frequency of 2.45 gigahertz. This special frequency is also known as the ISM band, an open, unlicensed band set aside for industrial, scientific and medical devices. When a number of Bluetooth devices are switched on in the same area, they all share the same ISM band and can locate and communicate with each other, much like a pair of walkie talkies tuned to the same frequency are able to link up.

Bluetooth technology users take advantage of this ability to network with other phones and can send text messages or electronic business cards to each other. To send information to another party, the user creates a personal contact name in his or her phone's address book -- the name can be anything from the sender's actual name to a clever nickname.

Bluejackers have devised a simple technique to surprise their victims: Instead of creating a legitimate name in the address book, the bluejacker's message takes the place of the name. The prank essentially erases the "from" part of the equation, allowing a user to send any sort of comment he wishes without identifying himself.

Bluetooth has a very limited range, usually around 10 metres (32.8 ft) on mobile phones, but laptops can reach up to 100 metres (328 ft) with powerful (Class 1) transmitters.

Bluetooth is often used for creating personal area networks (PANs), and most Bluetooth devices come with a factory default PIN that you will want to change to more secure values.
One of the simplest ways to secure Bluetooth devices is to not set their attribute to Discoverable.


  • http://www.bluejackingtools.com/what-is-bluejacking/
  • http://electronics.howstuffworks.com/bluejacking.htm
  • http://en.wikipedia.org/wiki/Bluejacking
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.4.3 Evil Twin

Evil Twin

Evil twin attack is a term for a rogue Wi-Fi access point (AP) that appears to be a legitimate, but actually has been set up by a hacker to eavesdrop and intercept wireless communications among Internet surfers.

It is an attack in which unsuspecting Wi-Fi users are tricked into associating with a phony wireless Access Point. Also known as AP Phishing, Wi-Fi Phishing, Hotspotter, or Honeypot AP, these attacks use phony APs with faked login pages to capture credentials and credit card numbers, launch man-in-the-middle attacks, or infect wireless hosts.

Evil twin is the wireless version of e-mail phishing scams. An attacker tricks wireless users into connecting a laptop or mobile phone to a rogue hotspot by posing as a legitimate provider.
By imitating the name of another, legitimate wireless provider, they can fool people into trusting the internet services that they are providing. When the users log into bank or e-mail accounts, the phishers have access to the entire transaction, since it is sent through their equipment.

One way that Corporate users can protect themselves from an evil twin attack is by using VPN (virtual private network) when logging into company servers.


  • http://www.watchguard.com/infocenter/editorial/27061.asp
  • http://en.wikipedia.org/wiki/Evil_twin_(wireless_networks)
  • http://www.ericgoldman.name/security/8-exploits-and-attacks/21-evil-twin-attack-explanation
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.4 Analyze and differentiate among types of wireless attacks

Analyze and differentiate among types of wireless attacks

  • Rogue access points 
  • Interference 
  • Evil twin 
  • War driving 
  • Bluejacking 
  • Bluesnarfing 
  • War chalking 
  • IV attack 
  • Packet sniffing

3.2.14 Transitive Access

Transitive access

Transitive – Passing over to or affecting something else.

Transitive access is a problem when inadvertent (and possibly unauthorized) access results for a set of related and authorized access.

With transitive access, A trusts B, if B then trusts C, then a relationship can exist where C is trusted by A).

In a transitive trust relationship, the relationship between A and B flows through such that A now trusts C.

In all versions of Active Directory, the default is that all domains in a forest trust each other with two-way transitive trust relationships.

While this process makes administration much easier when you add a new child domain (no administrative intervention is required to establish the trusts), it leaves open the possibility of a hacker acquiring more trust than they should by virtue of joining the domain.

  • http://dictionary.reference.com/
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.2.13 DNS poisoning and ARP poisoning

DNS poisoning and ARP poisoning

DNS and ARP poisoning are types of man-in-the-middle (MITM) attacks, which are types of spoofing attacks. A spoofing attack is an attempt by someone to masquerade as someone else.

Address Resolution Protocol (ARP) cache poisoning (sometimes also known as ARP Poison Routing) allows an attacker on the same network segment (subnet) as its victims to eavesdrop on all network traffic between the victims.

ARP poisoning, tries to convince the network that the attacker's MAC address is the one associated with an IP address so that traffic sent to that IP address is wrongly sent to the attacker's machine.

In ARP poisoning, the MAC (Media Access Control) address table of the victim host is ‘poisoned’ with false data. Incorrect data for a victim host is interjected into the MAC table of the victim host to force the victim to communicate with the wrong host. By faking this value, it is possible to make it look as if the data came from a network that it did not. This can be used to gain access to the network, to fool the router into sending data here that was intended for another host, or to launch a DoS attack.

Any device can send an ARP reply packet to another host and force that host to update its ARP cache with the new value. Sending an ARP reply when no request has been generated is called sending a gratuitous ARP. When malicious intent is present the result of a few well placed gratuitous ARP packets used in this manner can result in hosts who think they are communicating with one host, but in reality are communicating with a listening attacker.

For sensitive hosts, you can rely on static ARP entries in your local ARP cache rather than on ARP requests and replies which can be faked.

As a reactive measure, you can monitor the network traffic of hosts using tools such as Snort or xARP.
With DNS poisoning, the DNS server is given information that it thinks is legitimate when it isn't. This can send users to a website other than the one they wanted to go to, reroute mail, or do any other type of redirection wherein data from a DNS server is used to determine a destination. Another name for this is DNS poisoning. DNS servers store its information (resource records) either in database files or as cached data. This information can be falsified or ‘poisoned’.

Every DNS query that is sent out over the network contains a uniquely generated identification number that’s purpose is to identify queries and responses and tie them together. This means that if our attacking computer can intercept a DNS query sent out from a target device, all we have to do is create a fake packet that contains that identification number in order for that packet to be accepted by that target.

DNS poisoning is difficult to defend against due to the attacks being mostly passive by nature. Typically, you will never know your DNS is being poisoned or spoofed until it has happened. That being said, there are still a few things that can be done to defend against these types of attacks:

  • Secure your internal machines
  • Defending against internal threats and having a good internal security posture is always good
  • Don’t rely on DNS for secure systems – use local hosts file for sensitive name resolution data
  • Use IDS – monitor your network/host
  • Use DNSSEC – an updated and more secure version of DNS


January 28, 2012

3.2.12 Parming


Pharming is a hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real addresses — they are the "signposts" of the Internet.

Compromised DNS servers are sometimes referred to as "poisoned".

More worrisome than host file attacks is the compromise of a local network router. Since most routers specify a trusted DNS to clients as they join the network, misinformation here will spoil lookups for the entire LAN.

Pharming is a scamming practice in which malicious code is installed on a personal computer or server, misdirecting users to fraudulent Web sites without their knowledge or consent.

In pharming, larger numbers of computer users can be victimized because it is not necessary to target individuals one by one and no conscious action is required on the part of the victim.
Pharming has been called "phishing with a grenade."

Pharming is more difficult to detect because it does not rely on the victim accepting a “bait” message. Users can be redirect to bogus Web site for example, even if they type the right Web address of their bank or other online service into their Web browser.

Related Terms
DNS cache poisoning – an attack on the Internet naming system
Domain spoofing


3.2.11 Xmas Attack

Xmas Attack

One of the three Nmap scan types:
Xmas scan (-sX) – Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
Null scan (-sN) – Does not set any bits (TCP flag header is 0)
FIN scan (-sF) – Sets just the TCP FIN bit.

One of the most popular attacks that utilizes Nmap is the Xmas attack (also known as the Xmas scan and Christmas attack). This is an advanced scan that tries to get around firewall detection and look for open ports. It accomplishes this by setting three flags (FIN, PSH, and URG).


  • http://nmap.org/book/man-port-scanning-techniques.html
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.2.10 Vishing & Spear Phishing


When you combine phishing with Voice over IP (VoIP), it becomes known as vishing and is just an elevated form of social engineering.

Spear phishing

Spear phishing is a unique form of phishing in which the message is made to look as if it came from someone you know and trust as opposed to an informal third party.

In spear phishing, the attacker uses information that the target would be less likely to question because it appears to be coming from a trusted source. Because it appears far more likely to be a legitimate message, it cuts through the user's standard defenses like a spear and has a higher likelihood of being clicked.

With spear phishing, you might get a message that appears to be from your boss telling you that there is a problem with your direct deposit account and you need to access this HR link right now to correct it.

Spear phishing works because it uses information it can find about you from email databases, friends lists, and the like.

CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.2.9 Spim


SpIM is short for "Spam via Instant Messenger" and is a term that refers to unwanted and unsolicited junk messages sent via an instant messenger (instead of through e-mail messaging).

Most Spim comes in the form of chat requests/sessions from unknown people who then send you text messages about their products or services. Some may ask you to visit a website, which may contain malware or they may try to send you files to download.

The immediacy of IM makes users more likely to reflexively click links. Furthermore, because it bypasses anti-virus software and firewalls. IM is an easy means of passing on not only commercial messages, but also viruses and other malware.

Never accept or open attachments from people you don’t know.

Turn off the automatic download features in your instant messenger client.

Send all downloads to the same folder on your hard drive and then use your anti-virus software to scan that folder each time a new file is added.

Related Terms
SPIT – Spam over Internet Telephony

  • http://housing.uncc.edu/technology/securemypc/alt_spam.htm
  • http://www.webopedia.com/DidYouKnow/Internet/2006/spam_spit_spim.asp
  • http://searchexchange.techtarget.com/definition/spim

3.2.8 Phishing


Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is an example of social engineering techniques used to deceive users; in which you simply ask someone for a piece of information that you want by making it look as if it is a legitimate request.

Vishing involves combining phishing with Voice over IP.

An email might look as if it is from a bank and contain some basic information, such as the user's name. A fake website might be created to look just like a legitimate site. It can then gather personal information from the user.

The person instigating the phishing can then use the values entered there to access the legitimate account.

One of the best counters to phishing is to simply mouse over the “Click Here” link and read the URL.

Phishing email messages, websites, and phone calls are designed to steal money, access, information, etc.


  • http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
  • http://www.fraud.org/tips/internet/phishing.htm
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.2.7 Spam


Spam is the use of electronic messaging systems, particularly e-mail but including most broadcast media, digital delivery systems, to send unsolicited bulk messages indiscriminately. In general, e-mail messages you didn’t ask for, from people you don’t know are considered ‘spam’.

Spam can contain viruses or other malware, or it may try to trick the recipient to give up passwords and user names, or visit a harmful site.

Spam is not actually an acronym.

According to the Internet Society and other sources, the term spam is derived from the 1970 Spam sketch of the BBC television comedy series Monty Python's Flying Circus. The sketch is set in a cafe where nearly every item on the menu includes Spam canned luncheon meat. As the waiter recites the Spam-filled menu, a chorus of Viking patrons drowns out all conversations with a song repeating "Spam, Spam, Spam, Spam... lovely Spam! wonderful Spam!", hence "Spamming" the dialogue.

Related Terms
SPAM – Hormel Foods Corporation, the maker of SPAM luncheon meat, has asked that the capitalized word "Spam" be reserved to refer to their product and trademark.

  • http://en.wikipedia.org/wiki/Spam_(electronic)

3.2.5 Smurf Attack

Smurf Attack

The smurf attack, named after its exploit program, is a denial-of-service  attack which uses spoofed broadcast ping messages to flood a target system.

In the "smurf" attack, from remote location, an attacker sends forged ICMP echo packets directed to the broadcast addresses of vulnerable networks with forged source address pointing to the target (victim) of the attack. All the systems on these networks reply to the victim with ICMP echo replies. This rapidly exhausts the bandwidth available to the target.

This generates a denial-of-service attack. There are three parties in these attacks: the attacker, the intermediary, and the victim (note that the intermediary can also be a victim).

The intermediary receives an ICMP echo request packet directed to the IP broadcast address of their network. If the intermediary does not filter ICMP traffic directed to IP broadcast addresses, many of the machines on the network will receive this ICMP echo request packet and send an ICMP echo reply packet back. When (potentially) all the machines on a network respond to this ICMP echo request, the result can be severe network congestion or outages.

When the attackers create these packets, they do not use the IP address of their own machine as the source address. The victim is subjected to network congestion that could potentially make the network unusable.

One solution to prevent your site from being used as an intermediary in this attack is to disable IP-directed broadcasts at your router. By disabling these broadcasts, you configure your router to deny IP broadcast traffic onto your network from other networks.

Some operating systems can be configured to prevent the machine from responding to ICMP packets sent to IP broadcast addresses. Configuring machines so that they do not respond to these packets can prevent your machines from being used as intermediaries in this type of attack.

  • http://searchcio-midmarket.techtarget.com/definition/adware
  • http://www.softpanorama.org/Net/Internet_layer/ICMP/smurf_attack.shtml
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.2 Analyze and differentiate among types of attacks

Analyze and differentiate among types of attacks

  • Man-in-the-middle 
  • DDoS 
  • DoS 
  • Replay 
  • Smurf attack 
  • Spoofing 
  • Spam 
  • Phishing 
  • Spim 
  • Vishing 
  • Spear phishing 
  • Xmas attack 
  • Pharming 
  • Privilege escalation 
  • Malicious insider threat 
  • DNS poisoning and ARP poisoning 
  • Transitive access 
  • Client-side attacks 

January 25, 2012

3.1.6 Rootkits


Rootkits are software programs that have the ability to hide certain things from the operating system. Theoretically, rootkits could hide anywhere there is enough memory to reside: video cards, PCI cards, and the like. A rootkit often allows the installation of hidden files, processes, hidden user accounts, and more in the systems OS. Rootkits are able to intercept data from terminals, network connections, and the keyboard.

A rootkit is a type of Trojan that keeps itself, other files, registry keys and network connections hidden from detection. It enables an attacker to have "root" access to the computer, which means it runs at a privileged level of the machine. A rootkit typically intercepts common API calls. For example, it can intercept requests to a file manager such as Explorer and cause it to keep certain files hidden from display, even reporting false file counts and sizes to the user.

Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. If a rootkit has been installed, you may not be aware that your computer has been compromised, and traditional anti-virus software may not be able to detect the malicious programs.

Rootkits are not necessarily malicious, but they may hide malicious activities. Attackers may be able to access information, monitor your actions, modify programs, or perform other functions on your computer without being detected.

Rootkits can be installed and hidden on your computer without your knowledge. It may be included in a larger software package or installed by an attacker who has been able to take advantage of a vulnerability on your computer or has convinced you to download it.

Detection methods include using an alternative, trusted operating system; behavioral-based methods; signature scanning; difference scanning; and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel.

Kernel-mode rootkits run with the highest operating system privileges (Ring 0) by adding code or replacing portions of the core operating system, including both the kernel and associated device drivers.

The fundamental problem with rootkit detection is that if the operating system has been subverted, particularly by a kernel-level rootkit, it cannot be trusted to find unauthorized modifications to itself or its components. Actions such as requesting a list of running processes, or a list of files in a directory, cannot be trusted to behave as expected.

Types of rootkits include the following:
  • Firmware – embedded in the firmware; always available
  • Kernel – embedded in the operating system; practically invisible; privileged
  • Persistent – activates on boot up and stays active while computer is running
  • Application – activates with a specific application
  • Library – associated with library files (e.g. DLLs); interjects own code via API and system calls
  • http://en.wikipedia.org/wiki/Rootkit
  • http://www.us-cert.gov/cas/tips/ST06-001.html
  • http://www.pcmag.com/encyclopedia_term/0,2542,t=root+kit&i=55733,00.asp

3.1.4 Spyware


Spyware is software that can display advertisements, collect information about you, or change settings on your computer, generally without appropriately obtaining your consent. For example, spyware can install unwanted toolbars, links, or favorites in your web browser, change your default home page, or display pop-up ads frequently.

Some spyware displays no symptoms that you can detect, but it secretly collects sensitive information, such as the websites you visit or the text you type. Most spyware is installed through free software that you download, but in some cases simply visiting a website results in a spyware infection.

Spyware gathers information on you to pass on to marketers or intercepts personal data such as credit card numbers and makes them available to third parties.


  • http://windows.microsoft.com/en-US/windows7/Understanding-security-and-safer-computing

3.1.1 Adware


Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer. These advertisements can be in the form of a pop-up. They may also be in the user interface of the software or on a screen presented to the user during the installation process. The object of the Adware is to generate revenue for its author.

Adware, by itself, is harmless; however, some adware may come with integrated spyware such as keyloggers and other privacy-invasive software.

The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen. The justification for adware is that it helps recover programming development cost and helps to hold down the cost for the user.

Adware is criticized because it can include code that tracks a user's personal information and pass it on to third parties, without the user's authorization or knowledge.

Adware is considered a nuisance when:
  • It can contain code that tracks a user's network usage patterns and personal information and pass it on to third parties, without the user's authorization or knowledge.
  • It puts additional load on your computer by consuming part of your CPU, memory and network resources.
  • It can be a distraction by displaying messages on your screen real-estate.
  • It is introduced without the consent of the computer user

There are legitimate uses of adware. At its best adware is a legitimate way for developers to cover the cost of content development. Instead of making the user pay for access, the developer might use adware to create “ad-supported” content and present it free to consumers.

In its more benign form, adware is an ad-support or sponsored software, offsetting the cost of
development, allowing the content to be made freely available to the consumer. In this form it is an inconvenience that is tolerated.

In its less benign form, adware is spyware that uses the resources of the computer (e.g. CPU, memory, network, to surreptitiously gather tracking and personal data and make it available to the adware developers. In this form, it compromises the user’s privacy and security. 

  • http://searchcio-midmarket.techtarget.com/definition/adware
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.1 Analyze and differentiate among types of malware

Analyze and differentiate among types of malware

  • Adware 
  • Virus 
  • Worms 
  • Spyware 
  • Trojan 
  • Rootkits 
  • Backdoors 
  • Logic bomb 
  • Botnets 

January 23, 2012

2.2.3 Incident Management

Incident management

Incident management—the steps followed when events occur.

A clearly defined incident response policy can help contain a problem and provide quick recovery to normal operations.

In the event of some form of security incident, some form of procedure should be in place to deal with these events as they happen.

The policy should cover each type of compromised security scenario and list the procedures to follow when they happen.

The incident response policy should cover the following areas:

  • Contact information for emergency services and other outside resources.
  • Methods of securing and preserving evidence of a security breach.
  • Scenario-based procedures of what to do with computer and network equipment depending on the security problem.
  • How to document the problem and the evidence properly.

The components of an incidence-response plan should include preparation, roles, rules, and procedures. Incident-response procedures should define how to maintain business continuity while defending against further attacks.


  • http://www.informit.com/articles/article.aspx?p=1809117&seqNum=3
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

2.2.2 Change Management

Change management

Change management policies are official company procedures used to identify and communicate current or forthcoming changes to some aspect of the company’s networks and communications services.

Change documentation should include the following:

  • Specific details, about the change being proposed/implemented
  • The name of the authority who approved the changes
  • A list of the departments and the names of the supervisors involved in performing the change
  • What the immediate effect of the change will be
  • What the long-term effect of the change will be
  • The date and time the change will occur

After the change has occurred, the following should be added to the documentation:

  • Specific problems and issues that occurred during the process
  • Any known workarounds if issues have occurred
  • Recommendations and notes on the event

After the change has been requested, documented, and approved, you should then send out notification to the users so that they know what to expect when the change has been implemented.

  • http://www.informit.com/articles/article.aspx?p=1809117&seqNum=3
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

2.2 Carry out appropriate risk mitigation strategies

Carry out appropriate risk mitigation strategies

2.1.7 Risks associated to Cloud Computing and Virtualization

Risks associated to Cloud Computing and Virtualization

If you ask two people a question about what cloud computing is, you are likely to get four different answers. That in itself should be considered a risk. For our purpose, we will consider cloud computing as the use of the Internet to host services and data instead of hosting it locally. Implementation of this include Google Mail, Amazon EC2, Salesforce.com, etc.

The Security+ certification exam considers the following three ways of implementing cloud computing:
  • The Platform as a Service (PaaS) model, vendors provide a platform for customers to build and run custom applications.
  • Software as a Service (SaaS) is a way of delivering Web-based, on-demand, or hosted applications.
  • Infrastructure as a Service The Infrastructure as a Service (IaaS) model closely resembles the traditional utility model used by electric, gas, and water providers. It delivers computer infrastructure – typically a platform virtualization environment – as a service, along with raw (block) storage and networking.
Risk-related issues associated with cloud computing include the following:
  • Regulatory Compliance such as Sarbanes-Oxley's act.
  • User Privileges such as preventing privilege escalation.
  • Data Segregation keeps customer’s data secure and private, particularly important in a multi-tenant cloud computing implementation.
Some of the security risks that are possible with virtualization include the following:
  • Breaking Out of the Virtual Machine.
  • Network and Security Controls Can Intermingle.
  • Lax patch/update policy.
  • http://en.wikipedia.org/wiki/Cloud_computing
  • http://onekobo.com/Cloud/TagCloud.html
  • https://cloudsecurityalliance.org/
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

January 22, 2012

2.1.6 Risk-avoidance, transference, acceptance, mitigation, deterrence

Risk-avoidance, transference, acceptance, mitigation, deterrence

Risk Avoidance Risk avoidance involves identifying a risk and making the decision to no longer engage in the actions associated with that risk.

Risk avoidance should be based on an informed decision that the best course of action is to deviate from what would/could lead to exposure to the risk. One of the biggest problems with risk avoidance is that you are steering clear of activities you may benefit from.

This is the most effective solution, but often not possible due to organizational requirements.
Risk transference, you do not simply shift the risk completely to another entity, instead you share some of the burden of the risk with someone else, such as an insurance company. A typical policy would pay you a cash amount if all the steps were in place to reduce risk and your system still was harmed.

Risk mitigation is accomplished anytime you take steps to reduce the risk. Steps include installing antivirus software, educating users about possible threats, monitoring the network traffic, adding a firewall. In Microsoft's Security Intelligence Report, Volume 9, they list the following suggestions for mitigating risk:

  • Keep security messages fresh and in circulation.
  • Target new employees and current staff members.
  • Set goals to ensure a high percentage of the staff is trained on security best practices.
  • Repeat the information to raise awareness.

In risk mitigation (occasionally referred to as risk reduction), the harm can still occur, but you've reduced the impact it will have.

Risk deterrence involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you. The easiest way to think of risk deterrence is to think of it as a “you hit me and I'll hit you back harder” mentality. This can be as simple as posting prosecution policies on your login pages and convincing them that you have steps in place to identify intrusions and act on them.

Risk deterrence involves putting into place systems and policies to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated.

Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, all the responsible parties must know that it exists and can affect the organization. It has to be an identified risk for which those involved understand the potential cost/damage and agree to accept.

Risk acceptance is essentially being fully aware that the risk exists (and that you could be affected by it), then choosing to do nothing further.

The risk must be identified, accepted and then a decision made that no action will be taken. Risk acceptance must be a conscious choice, documented, approved by senior administration, and regularly reviewed.

Related Terms:

  • Risk Appetite – the level of risk tolerance.
  • Exploit – An exploit is a mechanism of taking advantage of an identified vulnerability.
  • Threat – A threat is the potential that a vulnerability will be identified and exploited.
  • Control – Controls act to close vulnerabilities, prevent exploitation, reduce threat potential, and/or reduce the likelihood of a risk or its impact.


2.1.4 Risk Calculation

Risk Calculation

The likelihood and impact of a risk has a strong measure on your cost analysis for budgeting funds for risk countermeasures and mitigation. A calculation used to determine this factor is Annual Loss Expectancy (ALE).

You must calculate the chance of a risk occurring, sometimes called the Annual Rate of Occurrence (ARO), and the potential loss of revenue based on a specific period of downtime, which is called the Single Loss Expectancy (SLE). By multiplying these factors together, you arrive at the ALE. This is how much money you expect to lose on an annual basis because of the impact from an occurrence of a specific risk.

When you're doing a risk assessment, one of the most important things to do is to prioritize. Take into account the likelihood of an event happening and the impact to your organization if it does. Focus on the events that are likely and would have an impact. Not everything should be weighed evenly.

One method of measurement to consider is annualized rate of occurrence (ARO). This is the likelihood, often drawn from historical data, of an event occurring within a year. This measure can be used in conjunction with a monetary value assigned to data to compute single loss expectancy (SLE) and annual loss expectancy (ALE) values.

When you're computing risk assessment, remember this formula:
Thus, if you can reasonably expect that every SLE, which is equal to asset value (AV) times exposure factor (EF), will be equivalent to $1,000 and that there will be seven occurrences a year (ARO), then the ALE is $7,000. Conversely, if there is only a 10 percent chance of an event occurring in a year (ARO = .1), then the ALE drops to $100.
The Annualized Loss Expectancy (ALE) is the expected monetary loss that can be expected for an asset due to a risk over a one year period. It is defined as:
where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence.

An important feature of the Annualized Loss Expectancy is that it can be used directly in a cost-benefit analysis. If a threat or risk has an ALE of $5,000, then it may not be worth spending more resources per year on a security measure which will eliminate it.

Risk assessment can be either qualitative (opinion-based and subjective) or quantitative (cost-based and objective), depending upon whether you are focusing on dollar amounts or not. The formulas for single loss expectancy (SLE), annual loss expectancy (ALE), and annualized rate of occurrence (ARO) are all based on doing assessments that lead to dollar amounts and are thus quantitative.

Know how to calculate risk. Risk can be calculated either qualitatively (subjective) or quantitatively (objective). Quantitative calculations assign dollar amounts, and the basic formula is SLE × ARO = ALE where SLE is the single loss expectancy, ARO is the annualized rate of occurrence, and ALE is the annual loss expectancy.

ALE – A calculation that is used to identify risks and calculate the expected loss each year.
For each vulnerability associated with each asset, you must do the following to quantify risk:
  1. Estimate the cost of replacing or restoring that asset (its Single Loss Expectancy)
  2. Estimate the vulnerability's expected Annual Rate of Occurrence
  3. Multiply these to obtain the vulnerability's Annualized Loss Expectancy
The three categories commonly used to identify the likelihood of a risk: High (1.0), Medium (0.5), or Low (0.1) values for risk comparison.


2.1 Explain risk related concepts

Explain risk related concepts

1.5 Identify commonly used default network ports

Identify commonly used default network ports

TCP Port # UDP Port # Service
20 FTP (data channel)
21 FTP (control channel)
22 SSH; SCP; SFTP (over SSH)
989 989 FTPS (data): FTP over TLS/SSL
990 990 FTPS (control): FTP over TLS/SSL
69 Trivial File Transfer Protocol (TFTP)
23 Telnet
80 Hypertext Transfer Protocol (HTTP)
443 HTTPS (Hypertext Transfer Protocol over SSL/TLS)
137 137 NetBIOS Name Service
138 138 NetBIOS Datagram Service
139 139 NetBIOS Session Service

1.6.8 SSID Broadcast

SSID broadcast

The SSID (Service Set IDentifier), or network name, of your wireless network is required for devices to connect to it.

SSID is a function performed by an Access Point (AP) that transmits its name so that wireless stations searching for a network connection can 'discover' it. It's what allows your wireless adapter's software to give you a list of the AP in range.

Wireless APs and routers can automatically broadcast their network name (SSID) into open air at regular intervals (every few seconds) to announce their presence. This feature of Wi-Fi network protocols is intended to allow clients to dynamically discover and roam between WLANs.

One method of "protecting" the network that is often recommended is to turn off the SSID broadcast. This should be considered a very weak form of security because it is a trivial process for an attacker to discover the presence of the access point besides the SSID broadcast.

Security by obscurity is no security at all.

SSIDs are not encrypted or otherwise scrambled, it becomes easy to grab one by snooping the WLAN looking for SSID broadcast messages coming from the router or AP. Knowing your SSID brings hackers one step closer to a successful intrusion.

All 802.11 wireless networks, regardless of the kind of operating system or encryption you might use, also emit unencrypted frames at times. One kind of unencrypted frame is an association frame. This is what a client computer, or "supplicant" in the 802.11 protocol vernacular, emits when it wants to join a wireless network. Contained within the frame, in clear text of course (since the frame is unencrypted), is the SSID of the network the supplicant wants to join.

An SSID is a network name, not a password. It is not designed to be hidden.

A wireless network has an SSID to distinguish it from other wireless networks in the vicinity. It's a violation of the 802.11 specification to keep your SSID hidden and, even if you think your SSID is hidden, it really isn't.

Having SSID broadcast disabled essentially makes your Access Point invisible unless a wireless client already knows the SSID, or is using tools that monitor or 'sniff' traffic from an AP's associated clients.

Related Terms
  • Site survey
  • War driving
  • War chalking
  • Basic Service Set (BSS)
  • Access Point (AP)
  • http://blogs.technet.com/b/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx
  • http://compnetworking.about.com/cs/wirelessproducts/qt/disablessidcast.htm
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.6.4 EAP


Extensible Authentication Protocol (EAP) is an Internet Engineering Task Force (IETF) standard that provides an infrastructure for network access clients and authentication servers to host plug-in modules for current and future authentication methods. EAP is used to authenticate Point-to-Point Protocol (PPP)-based connections (such as dial-up, virtual private network remote access, and site-to-site connections) and for IEEE 802.1X-based network access to authenticating Ethernet switches and wireless access points (APs).

EAP is used primarily in WEP/WPA/WPA2-based wireless networks for securely transporting authentication data. EAP separates the message exchange from the authentication process through the use of a different exchange layer and it provides a module-based infrastructure that supports several different authentication methods.

EAP, is an authentication framework (not a specific authentication mechanism) frequently used in wireless networks and Point-to-Point connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and was updated by RFC 5247.

It provides some common functions and negotiation of authentication methods called EAP methods. There are currently about 40 different methods defined.

Five EAP methods are adopted by the WPA/WPA2 standard: EAP-TLS, EAP-PSK, EAP-MD5, and LEAP and PEAP.

The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary EAP method developed by Cisco Systems prior to the IEEE ratification of the 802.11i security standard.

The Protected Extensible Authentication Protocol, (Protected EAP or PEAP), is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. The purpose was to correct deficiencies in EAP which assumed a protected communication channel, so facilities for protection of the EAP conversation were not provided. PEAP is more secure since it establishes an encrypted channel between the server and the client.

  • http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
  • http://technet.microsoft.com/en-us/network/bb643147
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

1.4.10 SFTP


In computing, the SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management functionality over any reliable data stream. It was designed by the Internet Engineering Task Force (IETF) as an extension of the Secure Shell protocol (SSH) version 2.0, but is also intended to be usable with other protocols.

SFTP is not FTP run over SSH, but rather a new protocol designed from the ground up by the IETF SECSH working group.

The protocol itself does not provide authentication and security; it assumes that it is run over a secure channel, i.e. it expects the underlying protocol to secure this and that the server has already authenticated the client, and the identity of the client user is available to the protocol. SFTP is most often used as subsystem of SSH protocol version 2 implementations.

Unlike standard FTP, SFTP encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. It is functionally similar to FTP, but because it uses a different protocol, you can't use a standard FTP client to talk to an SFTP server, nor can you connect to an FTP server with a client that supports only SFTP.


1.6.1 WPA


Wi-Fi Protected Access (WPA) is a security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless networks and surpass the older Wired Equivalent Privacy (WEP) protocol. The Alliance defined WPA in response to serious weaknesses researchers had found in WEP.

WPA (defined in the draft IEEE 802.11i standard) became available around 1999 and was intended as an intermediate measure in anticipation that it would be replaced by the more secure WPA2 protocol.

There are two versions, WPA and WPA2, with the latter being the full implementation of the security features.
The difference between WPA and WPA2 is that WPA implements most—but not all—of 802.11i in order to be able to communicate with older wireless cards and it used the RC4 encryption algorithm with TKIP, while WPA2 implements the full standard and is not compatible with older cards.

WPA also mandates the use of the Temporal Key Integrity Protocol (TKIP), while WPA2 favors Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses 128-bit AES encryption with a 48-bit initialization vector. With the larger initialization vector, it increases the difficulty in cracking and minimizes the risk of replay.

WEP used a 40-bit or 128-bit encryption key that must be manually entered on wireless access points and devices and does not change. TKIP employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP.

TKIP basically works by generating a sequence of WEP keys based on a master key, and re-keying periodically before enough data volume could be captured to allow recovery of the WEP key. TKIP changes the Key every 10,000 packets, which is quick enough to combat statistical methods to analyze the cipher.
TKIP also adds into the picture the Message Integrity Code (MIC). The transmission’s CRC, and ICV (Integrity Check Value) is checked. If the packet was tampered with, WPA stops using the current keys and re-keys.

As a simplified timeline useful for exam study, think of WEP as coming first. It was fraught with errors and WPA (with TKIP) was used as an intermediate solution, implementing a portion of the 802.11i standard. The final solution—a full implementation of the 802.11i standard—is WPA2 (with CCMP).5

WPA (and WEP before it) couples the RC4 encryption algorithm with TKIP, while WPA2 favors Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses 128-bit AES encryption with a 48-bit initialization vector.

WPA was an intermediate solution that implemented only a portion of the 802.11i standard. The final solution—a full implementation of the 802.11i standard—is WPA2, which uses CCMP.

Security researchers showed theoretically how WPA could be broken in November 2008, in what is known as the “Becks-Tews method” developed by researchers Martin Beck and Erik Tews3.

The attack works only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm, and do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard, or AES, algorithm.

WPA can use a pre-shared key (PSK or Personal WPA) or it can use an authentication server (Enterprise) that distributes the keys. In the PSK method, all devices on the wireless LAN must use the same passphrase key to access the network. The authentication server method is more scalable to support environments with a large number of clients.

The strength of a WPA network, is only as strong as the passphrase used, which consists of from 8 to 63 characters.


  1. http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
  2. http://www.ezlan.net/wpa_wep.html
  3. http://www.zdnet.com/blog/btl/researchers-crack-wpa-wi-fi-encryption-in-60-seconds/23384
  4. http://www.practicallynetworked.com/security/041207wpa_psk.htm
  5. CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  6. CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

1.4.9 HTTPS


Hyper Text Transfer Protocol Secure (HTTPS) is a secure version of the Hyper Text Transfer Protocol (http). HTTPS is a combination of Hypertext Transfer Protocol (HTTP) with SSL/TLS protocol. It provides encrypted communication and secure identification of a network web server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems.

HTTPS combines HTTP with SSL/TLS to provide encrypted communication. When a user connects to a website via HTTPS, the website encrypts the session with a digital certificate. A user can tell if they are connected to a secure website if the website URL begins with https:// instead of http://.

The default port is 443 and the URL begins with https://.

The main idea of HTTPS is to create a secure channel over an insecure network.

HTTPS is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server.

HTTPS uses SSL to secure the channel between the client and server.

HTTPS is not to be confused with S-HTTP, a security-enhanced version of HTTP developed and proposed as a standard by EIT.

The protocol was originally created by Netscape for use with their browser and became a finalized standard with RFC 2818.

Secure Hypertext Transport Protocol (S-HTTP) is HTTP with message security (added by using RSA or a digital certificate). Whereas HTTPS creates a secure channel, S-HTTP creates a secure message. S-HTTP can use multiple protocols and mechanisms to protect the message. It also provides data integrity and authentication.

S-HTTP is seldom used and defaults to using port 80 (the HTTP port).


1.4.8 FTPS


FTPS (FTP over SSL) is an extension to the File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols for channel encryption as defined in RFC 2228.

Well-known TCP & UDP ports for FTPS:
  • 989 – FTPS (data channel)
  • 990 – FTPS (control channel)
Much like HTTPS, but unlike SFTP, FTPS servers may provide a public key certificate.

Both FTPS and SFTP use a combination of an asymmetric algorithm (RSA, DSA), a symmetric algorithm (DES/3DES, AES, Twofish and so on), and a key-exchange algorithm. For authentication, FTPS uses X.509 certificates, whereas SFTP (SSH protocol) uses SSH keys.

It's a good idea to use FTPS when you have a server that needs to be accessed from personal devices or from some specific operating systems that have FTP support but don't have SSH/SFTP clients.

Pros of FTPS:
  • Widely known and used
  • The communication can be read and understood by humans
  • Provides services for server-to-server file transfer
  • SSL/TLS has good authentication mechanisms (X.509 certificate features)
  • FTP and SSL/TLS support is built into many Internet communication frameworks
Cons of FTPS:
  • Doesn't have a uniform directory listing format
  • Requires a secondary DATA channel, which makes it hard to use behind the firewalls
  • Doesn't define a standard for file name character sets (encodings)
  • Not all FTP servers support SSL/TLS
  • Doesn't have a standard way to get and change file and directory attributes
SFTP (“SSH FTP”) is based on SSH (Secure Shell) version 2. It uses the same communication channels and encryption mechanisms as SSH.

There are several implementations of FTPS, including those with “implicit SSL” where a distinct service listens for encrypted connections, and “explicit SSL” where the connection runs over the same service and is switched to an encrypted connection by a protocol option. In addition, there are several potential combinations of what parts of an FTPS connection are actually being encrypted, such as “only encrypted login” or “encrypted login and data transfer”.


1.6 Implement wireless network in a secure manner

Implement wireless network in a secure manner

  • WPA
  • WPA2
  • WEP
  • EAP
  • PEAP
  • LEAP
  • MAC filter
  • SSID broadcast
  • TKIP
  • CCMP
  • Antenna Placement
  • Power level controls

1.4.6 SSL


Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are cryptographic protocols that provide communication security over the Internet. SSL (and TLS) encrypt the segments of network connections at the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.

SSL establishes a session using asymmetric encryption and maintains the session using symmetric encryption.
The primary goal of the SSL protocol is to provide privacy and reliability between two communicating applications.

The SSL protocol uses an encryption scheme between the two systems. The client initiates the session, the server responds, indicating that encryption is needed, and then they negotiate an appropriate encryption scheme.

TLS is a newer protocol that merges SSL with other protocols to provide encryption. TLS supports SSL connections for compatibility, but it also allows other encryption protocols, such as Triple DES, to be used. SSL/TLS uses port 443 and TCP for connections.

When a connection request is made to the server, the server sends a message back that initiates the connection negotiation process. This negotiation includes the capabilities of the parties and sharing of certificates, session keys and encryption keys. The session is secure at the end of this process.

This session will stay open until one end or the other issues a command to close it. The command is typically issued when a browser is closed or another URL is requested.

Earlier browsers often use 40- or 56-bit SSL encryption. Modern browsers can work with 128-bit or higher encrypted sessions/certificates.

An SSL certificate enables encryption of sensitive information during online transactions. Each SSL certificate is a unique credential identifying the certificate owner. A Certificate Authority (CA) authenticates the identity of the certificate owner before it is issued.

Each SSL Certificate consists of a public key and a private key. The public key is used to encrypt information and the private key is used to decipher it.

TLS is a security protocol that uses SSL, and it allows the use of other security protocols. The TLS protocol is also referred to as SSL 3.1, but despite its name, it doesn't interoperate with SSL. However, a message sent with TLS can be handled by a client that handles SSL but not TLS.