Essential Knowledge
Chapter #1:
Getting Started
CIS 4500

Remember …
“Remember, when you connect with another computer, you're connecting to every computer that computer has connected to.” Dennis Miller

CEH Exam
- EC Council
- Site
- Credentials
  - Establish and govern minimum standards for credentialing professional information security specialists in ethical hacking measures.
  - Inform the public that credentialed individuals meet or exceed the minimum standards.
  - Reinforce ethical hacking as a unique and self-regulating profession.

CEH Exam Blueprint
(Each section lists the knowledge it covers, its weight, and its number of questions.)

I. Background (4%, 5 questions)
  A. networking technologies (e.g., hardware, infrastructure); B. web technologies (e.g., web 2.0, skype); C. systems technologies; D. communication protocols; E. malware operations; F. mobile technologies (e.g., smart phones); G. telecommunication technologies; H. backups and archiving (e.g., local, network)
II. Analysis/Assessment (13%, 16 questions)
  A. data analysis; B. systems analysis; C. risk assessments; D. technical assessment methods
III. Security (25%, 31 questions)
  A. systems security controls; B. application/file server; C. firewalls; D. cryptography; E. network security; F. physical security; G. threat modeling; H. verification procedures (e.g., false positive/negative validation); I. social engineering (human factors manipulation); J. vulnerability scanners; K. security policy implications; L. privacy/confidentiality (with regard to engagement); M. biometrics; N. wireless access technology (e.g., networking, RFID, Bluetooth); O. trusted networks; P. vulnerabilities
IV. Tools/Systems/Programs (25%, 31 questions)
  A. network/host based intrusion; B. network/wireless sniffers (e.g., WireShark, Airsnort); C. access control mechanisms (e.g., smart cards); D. cryptography techniques (e.g., IPSec, SSL, PGP); E. programming languages (e.g., C++, Java, C#, C); F. scripting languages (e.g., PHP, JavaScript); G. boundary protection appliances; H. network topologies; I. subnetting; J. port scanning (e.g., NMAP); K. domain name system (DNS); L. routers/modems/switches; M. vulnerability scanner (e.g., Nessus, Retina); N. vulnerability management and protection systems (e.g., Foundstone, Ecora); O. operating environments (e.g., Linux, Windows, Mac); P. antivirus systems and programs; Q. log analysis tools; R. security models; S. exploitation tools; T. database structures
V. Procedures/Methodology (20%, 25 questions)
  A. cryptography; B. public key infrastructure (PKI); C. security architecture (SA); D. service oriented architecture (SOA); E. information security incident; F. N-tier application design; G. TCP/IP networking (e.g., network routing); H. security testing methodology
VI. Regulation/Policy (4%, 5 questions)
  A. security policies; B. compliance regulations (e.g., PCI)
VII. Ethics (2%, 3 questions)
  A. professional code of conduct; B. appropriateness of hacking

Outline
- Identify components of TCP/IP computer networking
- Understand basic elements of information security
- Understand incident management steps
- Identify fundamentals of security policies
- Identify essential terminology associated with ethical hacking
- Define ethical hacker and classifications of hackers
- Describe the five stages of ethical hacking
- Define the types of system attacks
- Identify laws, acts, and standards affecting IT security

Servers in Networks
- Authentication Server
- Directory Server
- File Server
- Print Server
- Mail Server
- E-Commerce Server
- Real-Time Communication Server
- Application Servers
- Management Server
- Streaming Media Server
- Mobile Communication Server
- Content Management Server
- Active Directory Server
- FTP Server
- Web Server
- Proxy Server

TCP/IP Overview

OSI Reference Model

Ethernet Frame

Frames in Transit

Network Zones
- Internet
  - Outside the boundary and uncontrolled. You don’t apply security policies to the Internet. Governments try to all the time, but your organization can’t.
- Internet DMZ
  - The acronym DMZ (for Demilitarized Zone) comes from the military and refers to a section of land between two adversarial parties where there are no weapons or fighting. The idea is you can see an adversary coming across the DMZ and have time to work up a defense. In networking, the idea is the same: it’s a controlled buffer network between you and the uncontrolled chaos of the Internet.
- Production Network Zone
  - A very restricted zone that strictly controls direct access from uncontrolled zones. The PNZ doesn’t hold users.
- Intranet Zone
  - A controlled zone that has little-to-no heavy restrictions. This is not to say everything is wide open on the Intranet Zone, but communication requires fewer strict controls internally.
- Management Network Zone
  - Usually an area you’d find rife with VLANs and maybe controlled via IPSec and such. This is a highly secured zone with very strict policies.

Network Security Issues
- Physical security
- Controlling access to internal computers from external entities
- Routers, authentication hardware and software, encryption
- Firewalls, intrusion detection systems (IDSs)

Protection
In the operational model Protection =

Layered Security
- Every environment needs multiple layers of security
  - routers
  - firewalls
  - network segments
  - IDSs
  - encryption
  - authentication software
  - physical security
  - traffic control

Balancing

Organizational Security
- Incident Response Team (IRT)
  - identifies, analyzes, prioritizes, and resolves the incident
  - reviews detection, analyzes the exploitation, and notifies appropriate stakeholders
  - works to contain the exploitation, eradicate residual back doors, and coordinate recovery for any lost data or services
- As part of the incident management process, the team provides post-incident reporting and lessons learned to management.
- Post-incident report: suggestions to management that identify what risks are present and quantify them on a measurement scale.
- A risk management approach allows them to come up with solutions to mitigate, eliminate, or accept the identified risks.
- Identifying organizational assets, the threats to those assets, and their vulnerabilities allows the organization to explore which countermeasures minimize risk as much as possible.
- Security controls greatly increase the security posture of the systems.

Security Controls
- Security controls can be categorized as physical, technical, and administrative.
  - Physical controls include guards, lights, and cameras.
  - Technical controls include encryption, smartcards, and access control lists.
  - Administrative controls include the training, awareness, and policy efforts.

Risk Management
- Business Impact Analysis (BIA)
  - maximum tolerable downtime (MTD), which provides a means to prioritize the recovery of assets should the worst occur
  - business continuity plan (BCP), which includes a disaster recovery plan (DRP) addressing exactly what to do to recover any lost data or services

Risk Management
- Numbers and values
  - ALE (annualized loss expectancy) is the product of the ARO (annual rate of occurrence) and the SLE (single loss expectancy)
  - SLE is the exposure factor (EF) multiplied by the asset value

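As an added example (not from the course slides), the SLE and ALE formulas above carried through in Python over a constructed risk register, ranked by ALE so the largest annual exposure is handled first; the countermeasure_value helper is an assumption that extends the slide's formulas to the mitigate-or-accept decision, and every figure in it is made up.

```python
# Added example, not from the course slides: the slide's formulas
#   SLE = EF * asset value   and   ALE = ARO * SLE
# applied to a constructed risk register. All figures below are made up.
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    name: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of the asset lost per incident (0.0 to 1.0)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single loss expectancy: the loss from one occurrence of the risk."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must lie between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year from this risk."""
        return self.aro * self.sle()


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Order risks by ALE, highest first, so the largest annual exposure is handled first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def countermeasure_value(risk: Risk, ale_after: float, annual_cost: float) -> float:
    """Net yearly value of a control: ALE reduction minus the control's annual cost.
    A positive result argues for mitigating rather than accepting the risk. This
    helper is an assumption that extends the slide's formulas; the slide itself
    only defines SLE and ALE."""
    return risk.ale() - ale_after - annual_cost


# Constructed sample register (exact binary fractions keep the arithmetic exact).
SAMPLE_RISKS = [
    Risk("web server defacement", asset_value=50_000, exposure_factor=0.25, aro=1.5),
    Risk("file server ransomware", asset_value=200_000, exposure_factor=0.5, aro=0.25),
    Risk("laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4.0),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.name:24s} SLE={r.sle():>10,.0f}  ALE={r.ale():>10,.0f}")
```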
CIA Triad of Security
- Confidentiality, which means preserving authorized restrictions on access and disclosure, including a means for protecting personal privacy and proprietary information
- Integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation, accuracy, and authenticity
- Availability, which means ensuring timely and reliable access to, and use of, information

Access Control
- Prevent unauthorized access
- Access
- Authentication
- Access control matrix
- Access control lists (ACLs)
- discretionary access control (DAC)
- mandatory access control (MAC)
- role-based access control (RBAC)

Discretionary Access Control (DAC)
... “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.” ...

Mandatory Access Control (MAC)
... “a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.”

Role-based Access Control (RBAC)
The roles are assigned the access permissions necessary to perform the tasks associated with the role. Users will thus be granted permissions to objects in terms of the specific duties they must perform.

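As an added example (not from the slides or any product), minimal decision functions for the three models defined above: DAC with an owner-held ACL whose permissions can be passed on, MAC with label dominance, and RBAC where permissions attach to roles rather than users. The subjects, labels and roles are constructed, and the MAC write rule (no write-down) is an assumption beyond the slide's definition.

```python
# Added example, not from the slides: toy decision functions for DAC, MAC and RBAC.
# Subjects, objects, labels and roles are constructed sample data.
from typing import Dict, Set, Tuple


# --- DAC: each object carries an ACL; a holder of "grant" may pass rights on ---
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write", "grant"}}

    def grant(self, granter: str, grantee: str, perm: str) -> None:
        # Discretionary: any subject holding "grant" can hand a permission to another
        # subject, which is exactly why DAC rights spread (perhaps indirectly).
        if "grant" not in self.acl.get(granter, set()):
            raise PermissionError(f"{granter} may not delegate on this object")
        self.acl.setdefault(grantee, set()).add(perm)

    def allows(self, subject: str, perm: str) -> bool:
        return perm in self.acl.get(subject, set())


# --- MAC: the object's label and the subject's clearance decide, not the owner ---
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allows(clearance: str, label: str, perm: str) -> bool:
    """Read needs clearance >= label. Write needs clearance <= label (no write-down),
    an assumption taken from label-based models; the slide only says labels and
    clearances decide access."""
    c, o = LEVELS[clearance], LEVELS[label]
    if perm == "read":
        return c >= o
    if perm == "write":
        return c <= o
    raise ValueError(f"unknown permission {perm!r}")


# --- RBAC: permissions attach to roles; users hold roles, never direct rights ---
ROLE_PERMS: Dict[str, Set[Tuple[str, str]]] = {
    "helpdesk": {("tickets", "read"), ("tickets", "write")},
    "auditor": {("tickets", "read"), ("logs", "read")},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"helpdesk"}, "bob": {"auditor"}}


def rbac_allows(user: str, obj: str, perm: str) -> bool:
    # A user is allowed an action only if one of their roles carries (obj, perm).
    return any((obj, perm) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))
```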
Access Control Evaluation
- The “Rainbow Series” includes the “Orange Book,” which holds the Trusted Computer System Evaluation Criteria (TCSEC).
- Common Criteria for Information Technology Security Evaluation (also known as Common Criteria, or CC).
  - It provides a way for vendors to make claims about their in-place security by following a set standard of controls and testing methods, resulting in an Evaluation Assurance Level (EAL: 1-7).

Common Criteria
- A testing standard designed to reduce or remove vulnerabilities from a product before it is released.
- Evaluation Assurance Level (EAL): a set standard of controls and testing methods
- Target of evaluation (TOE): what is being tested
- Security target (ST): the documentation describing the TOE and security requirements
- Protection profile (PP): a set of security requirements specifically for the type of product being tested

Security Policies
- Access Control Policy: This identifies the resources that need protection and the rules in place to control access to those resources.
- Information Security Policy: This identifies to employees what company systems may be used for, what they cannot be used for, and what the consequences are for breaking the rules. Generally employees are required to sign a copy before accessing resources. Versions of this policy are also known as an Acceptable Use Policy.
- Information Protection Policy: This defines information sensitivity levels and who has access to those levels. It also addresses how data is stored, transmitted, and destroyed.
- Password Policy: This defines everything imaginable about passwords within the organization, including length, complexity, maximum and minimum age, and reuse.
- E-mail Policy: Sometimes also called the E-mail Security Policy, this addresses the proper use of the company e-mail system.
- Information Audit Policy: This defines the framework for auditing security within the organization. When, where, how, how often, and sometimes even who conducts information security audits are described here.

Hacker
- A hacker uses a specialized set of tools, techniques, knowledge, and skills to bypass computer security measures.

Hacker Classifications: The Hats
- White hats: Considered the good guys, these are the ethical hackers, hired by a customer for the specific goal of testing and improving security or for other defensive purposes. White hats are well respected and don’t use their knowledge and skills without prior consent. White hats are also known as security analysts.
- Black hats: Considered the bad guys, these are the crackers, illegally using their skills for either personal gain or malicious intent. They seek to steal (copy) or destroy data and to deny access to resources and systems. Black hats do not ask for permission or consent.
- Gray hats: The hardest group to categorize, these hackers are neither good nor bad. Generally speaking, there are two subsets of gray hats—those who are simply curious about hacking tools and techniques and those who feel like it’s their duty, with or without customer permission, to demonstrate security flaws in systems. In either case, hacking without a customer’s explicit permission and direction is usually a crime.

Attack Types
- Operating system (OS) attacks – these attacks target the common mistake many people make when installing operating systems—accepting and leaving all the defaults. Administrator accounts with no passwords, all ports left open, and guest accounts (the list could go on forever) are examples of settings the installer may forget about. Additionally, operating systems are never released fully secure—they can’t be, if you ever plan on releasing them within a timeframe of actual use—so the potential for an old vulnerability in newly installed operating systems is always a plus for the ethical hacker.
- Application-level attacks – these are attacks on the actual programming code and software logic of an application. Although most people are cognizant of securing their OS and network, it’s amazing how often they discount the applications running on their OS and network. Many applications on a network aren’t tested for vulnerabilities as part of their creation and, as such, have many vulnerabilities built into them. Applications on a network are a gold mine for most hackers.
- Shrink-wrap code attacks – these attacks take advantage of the built-in code and scripts most off-the-shelf applications come with. The old refrain “Why reinvent the wheel?” is often used to describe this attack type. Why spend time writing code to attack something when you can buy it already “shrink-wrapped”? These scripts and code pieces are designed to make installation and administration easier but can lead to vulnerabilities if not managed appropriately.
- Misconfiguration attacks – these attacks take advantage of systems that are, on purpose or by accident, not configured appropriately for security. Remember the triangle earlier and the maxim “As security increases, ease of use and functionality decrease”? This type of attack takes advantage of the administrator who simply wants to make things as easy as possible for the users. Perhaps to do so, the admin will leave security settings at the lowest possible level, enable every service, and open all firewall ports. It’s easier for the users but creates another gold mine for the hacker.

Phases of Hacking

Ethical Hacker
- A hacker uses a specialized set of tools, techniques, knowledge, and skills to bypass computer security measures.
- An ethical hacker is someone who employs the same tools and techniques a criminal might use, with the customer’s full support and approval, to help secure a network or system.

Penetration Testing
- A penetration test is a clearly defined, full-scale test of the security controls of a system or network in order to identify security risks and vulnerabilities.
- The preparation phase defines the time period during which the actual contract is hammered out. The scope of the test, the types of attacks allowed, and the individuals assigned to perform the activity are all agreed upon in this phase.
- The assessment phase (sometimes also known as the security evaluation phase or the conduct phase) is exactly what it sounds like—the actual assaults on the security controls are conducted during this time.
- The conclusion (or post-assessment) phase defines the time when final reports are prepared for the customer, detailing the findings of the tests (including the types of tests performed) and many times even providing recommendations to improve security.

Laws and Regulations
- FISMA - Federal Information Security Management Act
- Electronic Communications Privacy Act
- PATRIOT Act
- Privacy Act of 1974 (5 U.S.C. § 552a)
- Computer Fraud (18 U.S.C. § 1030)
- CISPA - Cyber Intelligence Sharing and Protection Act
- Data Security and Breach Notification Act
- Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999
- Computer Security Act of 1987
- HIPAA - Health Insurance Portability and Accountability Act
- SOX - Sarbanes-Oxley Act
- PCI-DSS - Payment Card Industry Data Security Standard
- COBIT - Control Objectives for Information and Related Technology
- ISO/IEC 27001:2013 - creating, maintaining, and improving organizational information security systems
- GDPR - EU General Data Protection Regulation
- NIST SP 800, SP 1800
- EO 13636

Stay Alert!
There is no 100 percent secure system, and there is nothing that is foolproof!