CompTIA Security+ Exam Notes

Let Us Help You Pass

Wednesday, August 15, 2018

WIRELESS AUTHENTICATION PROTOCOLS

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security): Requires certificates to be installed on both the wireless clients and the server, making this one of the most secure implementations of EAP.

PEAP (Protected EAP): PEAP only requires the server to have the certificate. PEAP encapsulates the EAP communication in a TLS tunnel.

LEAP (Lightweight EAP): Developed by Cisco, does not require a certificate on either the client or server. Cisco recommends using a stronger version such as EAP-FAST, as LEAP has a known weakness.

EAP-FAST (EAP Flexible Authentication via Secure Tunneling): Developed to replace LEAP. The use of certificates is optional.

EAP-TTLS (EAP Tunneled Transport Layer Security): Needs a certificate on the server, but not the client. The username and password are not sent in plain text because the transmission takes place inside an encrypted TLS tunnel. Because of that tunnel, even PAP can be used for authentication without the credentials being exposed.

802.1x: PEAP, EAP-TLS, and EAP-TTLS all require an 802.1x authentication server. Some refer to the 802.1x server as a RADIUS server.

WPA2/WPA Enterprise: This requires a RADIUS/802.1x server. Enterprise mode also requires the use of a certificate on the server. The user will also need a username and password to authenticate.



MALWARE TYPES - PART 3

Rootkits: Rootkits are programmed to provide continuous privileged access to a system. This malware stays hidden to avoid detection by antivirus programs. A rootkit gives a remote attacker control over items such as system processes; whoever controls the rootkit can change the system configuration and spy on users' actions.

The detection of such an infection is extremely difficult. The best way to remove a rootkit when detected is to wipe the system and reinstall the operating system and applications.

Ransomware: There are two different types of ransomware. The first starts out as scareware. The user clicks on something, and a pop-up or web page appears that mimics an antivirus scan. The scan "finds" infections immediately (even though they don't exist); the number it reports can be anywhere from the teens to the thousands. You click the button to clean the infections and get a notice that this is the Free version and you will need to purchase the Paid version. You pay for the "Fake Antivirus," and miraculously it removes all the infections that were never there to start with.

The second type is known as Crypto-malware: this version encrypts all your documents and photos. The attackers give you anywhere from an hour to 7 days to pay a fee to retrieve the decryption key; otherwise your information remains encrypted or is deleted. Most of them double the fee as soon as the deadline passes, and most demand payment through MoneyPak or Bitcoin.

Remote Access Trojan (RAT): A RAT gives an attacker total control over the system: access to any information on it, the ability to spy on the victim, and the ability to control the system.

RATs are very difficult to detect because they behave like remote management tools and use common ports. They are typically delivered as a Trojan via a phishing attack. The best way to protect against this is to have email opened in plain text rather than HTML.



Sunday, August 12, 2018

MALWARE TYPES - Part 2

Logic Bombs: A piece of code that sits dormant on a target PC/Server until it is triggered by an event. That event can be a specific date or time, or a certain condition being met. The event is whatever the programmer coded the malware to wait for.

  • It could be a script that runs every payday and checks the payroll report; if the programmer's name isn't included (meaning they have been laid off/fired), the malware is triggered to run a predetermined time afterward.
  • Another event could be when the company hires the 250th employee (just a random number picked for the example).
  • The date is another possibility: launched on a specific date.

Worms: Worms are a type of malware that self-replicates. The worm moves through the network consuming bandwidth. Worms take advantage of weaknesses in certain networking protocols.

Worms are known to take advantage of the weakness found in SMBv1, spreading through the network over port 445, Microsoft's file-sharing port.

USB flash drives tend to be one of the easiest ways to introduce a worm into the network. Users will find a USB drive on a table or floor, pick it up, and plug it in to see what is on the device and to determine the owner. There are vendors that will hand out free USB drives that are infected at conferences like Def Con.

Botnets: A botnet is a collection of Internet-connected devices (PCs, webcams, etc.). These devices are normally on 24 hours per day and have decent bandwidth. The owners of these devices are unaware that their device is participating in the botnet. The devices are known as zombies and perform whatever the handler has programmed them to do:
  • DDoS: Distributed Denial of Service attack on a single target
  • Send SPAM from these devices
  • Download other malware like keyloggers

Botnets typically use anywhere from 5,000 to 20,000 devices.

One of the largest DDoS attacks happened in November of 2016 and was an attack against DNS servers. This time the botnet was composed mostly of DVRs and digital cameras.


MALWARE TYPES - Part 1

Virus: This is malicious code that attaches to a host program/application and runs after a user initiates an action such as launching the application. Some viruses deliver the payload immediately; others wait until the virus has replicated.

Symptoms vary: the virus may open a backdoor for an attacker, delete files, install a zombie and join the system to a botnet, or cause the system to reboot intermittently.

Polymorphic Virus: This type of virus has the ability to change its binary pattern as it replicates or when it is executed. The code is encrypted and uses different encryption after each infection. The ability to change code makes it difficult for an antivirus program to detect this malware.

Armored Virus: This type of malware is able to fool antivirus programs as to its true location, making the antivirus believe it is located in one area while being located in a completely different area. Armored viruses use obfuscated code making it difficult to reverse engineer.

Trojans: Trojans are disguised as something useful, such as a screensaver or legitimate software. Trojans are often bundled into keygens that a user runs to activate pirated software. Here are some of the things that can occur as a result of a trojan:

  • Backdoor: gives an attacker remote control
  • Email: can be used to harvest email addresses from the system
  • Usernames & Passwords: steals this info for bank accounts
  • Download: can be used to update itself or download other malware

One of the platforms for delivering Trojans is email attachments. The best way to protect against this: prevent executables from running and open the email in plain text, not HTML.



CompTIA SYO-501 Security+ covers all of these in the objectives

Saturday, August 11, 2018

LINUX CLI COMMANDS

Here are the Linux commands that you will need to know for the exam:

cd: change directory - Allows a user to change between directories

chmod: Changes the permissions on the files listed

chown: Allows you to change group & user of a file

cp: copy - Allows a user to make a copy of a file

grep: Search feature to look for a string of text

head: outputs the first 10 lines of a file

locate: finds files by name; used, like the find command, to locate a file

logger: writes input to the local system log or to a remote syslog server

ls: Shows the user a list of the files in the current directory

man: manual - Will show all the information about a particular command

mkdir: make directory - Allows a user to make a new folder or directory

mv: move - Allows a user to move a file to another directory or folder

passwd: changes the user's password

ps: Allows the user to see the processes running on the PC/Server

pwd: Allows a user to know the name of the directory in which they are located

rm: remove - This command allows a user to remove files within a directory

rmdir: remove directory: Allows a user to remove a folder or directory

tail: outputs the last 10 lines of a file

LINUX PERMISSIONS

Linux permission attributes:


  r (read)       View file content
  w (write)      Modify file content
  x (execute)    Run a file (if it's an executable program and is combined with the read attribute)


An example of Linux permissions:

rwxrwxrwx

The first 3 belong to the user or owner: Owner level rwx: Owner can read, write & execute the file

The second 3 belong to the group: Group-level rwx: only members of the group to which the file belongs can read, write, & execute the file

The last 3 belong to other or world: Other level rwx: All users can read, write and execute

To change file permissions using the CLI, you would use "chmod"

Permissions example: rwxrw-r--

The owner has read, write, and execute (rwx)

The group has read and write (rw-)

Others have read only (r--)
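The rwx notation above and the octal form that chmod takes are two views of the same bits (r=4, w=2, x=1 per triplet). The following added example, not from the original post, converts between them and applies a mode to a scratch file so the result can be read back from ls -l:

```shell
# Added example: convert ls -l symbolic modes (rwxrw-r--) to the octal mode
# chmod takes (764) and back: r=4, w=2, x=1 in each owner/group/other triplet.
perm_to_octal() {                      # perm_to_octal rwxrw-r--  -> 764
  mode="$1"
  [ "${#mode}" -eq 9 ] || { echo "expected 9 characters, got '$mode'" >&2; return 1; }
  out=""
  pos=1
  for who in owner group other; do
    val=0
    for pair in r:4 w:2 x:1; do        # each triplet must be r, w, x (or -) in that order
      letter=${pair%:*}; bit=${pair#*:}
      ch=$(printf '%s' "$mode" | cut -c"$pos")
      if [ "$ch" = "$letter" ]; then
        val=$((val + bit))
      elif [ "$ch" != "-" ]; then
        echo "bad character '$ch' at position $pos ($who)" >&2; return 1
      fi
      pos=$((pos + 1))
    done
    out="$out$val"
  done
  printf '%s\n' "$out"
}
octal_to_perm() {                      # octal_to_perm 764  -> rwxrw-r--
  digits="$1"
  [ "${#digits}" -eq 3 ] || { echo "expected 3 octal digits, got '$digits'" >&2; return 1; }
  out=""
  for d in $(printf '%s' "$digits" | sed 's/./& /g'); do
    case "$d" in [0-7]) ;; *) echo "bad digit '$d'" >&2; return 1 ;; esac
    [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
  done
  printf '%s\n' "$out"
}
# Apply a symbolic mode with chmod and read it back from ls -l (characters 2-10),
# showing the two forms agree. Uses a scratch file so nothing real is touched.
show_mode() {
  f=$(mktemp) || return 1
  chmod "$(perm_to_octal "$1")" "$f" && ls -ld "$f" | cut -c2-10
  rm -f "$f"
}
show_mode rwxrw-r--
```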



SYMMETRIC ENCRYPTION

Symmetric encryption uses the same key to encrypt and decrypt. Because this is a shared key, the keys have to be kept private. Symmetric Encryption is known as Private Key encryption. Remember, "YOU HAVE TO KEEP YOUR PRIVATES: PRIVATE".

With symmetric encryption, you do not want to send the key with the message; if the message were intercepted, the interceptor would have the key and be able to read (decrypt) the message.

The keys are exchanged out-of-band. For a secure exchange of symmetric keys, you would use some form of Diffie-Hellman (DH, ECDHE, DHE).

Symmetric encryption uses less overhead than asymmetric encryption and decryption.

Stream ciphers and block ciphers are forms of symmetric encryption. The following are all symmetric encryption algorithms:

Stream Cipher: 
RC4 (encrypts one bit at a time, used for audio & video streaming. WEP, WPA (TKIP), and SSL/TLS are built on RC4). Considered weak encryption and has been deprecated.

Block Ciphers:
DES: Data Encryption Standard - a symmetric block cipher that encrypts in 64-bit blocks. It uses a 56-bit key. Considered weak encryption and has been deprecated.

3DES: Triple-DES - uses 3 different keys to encrypt 3 different times. Encrypts in 64-bit blocks; an easy upgrade from DES without changing hardware. Considered weak encryption and has been deprecated.

AES: Advanced Encryption Standard - encrypts data in 128-bit blocks. It has 3 different key sizes, 128-bit, 192-bit, and 256-bit. The most widely used encryption.

Blowfish: Encrypts in 64-bit blocks and uses key sizes between 32-bit and 64-bit.

Twofish: Encrypts data in 128-bit blocks and uses key sizes of 128-bit, 192-bit, or 256-bit.

IF THE ENCRYPTION IS A STREAM CIPHER OR BLOCK CIPHER, THEN IT IS SYMMETRIC ENCRYPTION.

ASYMMETRIC ENCRYPTION

Asymmetric encryption uses two different keys, a public key and a private key, which are mathematically paired to work together. Asymmetric encryption is commonly called "Public Key" encryption. You will need a Certificate Authority to use asymmetric encryption.

It only encrypts small amounts of data. The data or message must be smaller than the asymmetric key.

It is mainly used to encrypt symmetric keys (which are then used for encrypting data at rest) and to encrypt hashes (a hash encrypted with the sender's private key is what creates the "Digital Signature").


The Public Key is available to everyone; the Private Key is only available to you. Users are not to share their Private Key with anyone. My way of telling people how to remember who gets the Private Key: "YOU HAVE TO KEEP YOUR PRIVATES: PRIVATE" (keys).

In this blog, we are going to cover the use of asymmetric encryption when it comes to emails or messages, and documents (files). 

ENCRYPTION & DECRYPTION: performed with the recipient's keys:
1. If you were to send an email (message, document, or file) to Dave, and you want only Dave to read it, you would encrypt it with Dave's Public Key.

2. Dave would then decrypt the email (message, document, or file) with his Private Key.

DIGITAL SIGNATURE: always performed with the sender's keys.
1. First, the email (message, document, or file) is hashed, then the hash is encrypted (signed: digitally signed) with the sender's Private Key. This Digital Signature will include the sender's Public Key.

2. The recipient uses the sender's Public Key to verify that the digital signature is valid. The recipient validates the Public Key against the issuing Certificate Authority.
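The two procedures above, carried out with the openssl command line as an added example that is not from the original post. Dave is the recipient and Alice the sender; both key pairs and the message are generated on the fly, so nothing here is real. It also shows the "small amounts of data" limit and that a tampered message no longer verifies:

```shell
# Added example: the encryption and digital-signature steps with the openssl CLI.
# dave.key / alice.key are PRIVATE keys; dave.pub / alice.pub are PUBLIC keys.
# Everything is created in a scratch directory and removed afterwards.
asymmetric_demo() {
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out dave.key 2>/dev/null &&
    openssl pkey -in dave.key -pubout -out dave.pub &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out alice.key 2>/dev/null &&
    openssl pkey -in alice.key -pubout -out alice.pub || exit 1
    printf 'Meeting moved to 3pm' > message.txt        # constructed sample message

    # ENCRYPTION: Alice encrypts with Dave's PUBLIC key; only Dave's PRIVATE key decrypts.
    openssl pkeyutl -encrypt -pubin -inkey dave.pub -in message.txt -out message.enc || exit 1
    openssl pkeyutl -decrypt -inkey dave.key -in message.enc -out message.dec || exit 1

    # "Only small amounts of data": 300 bytes do not fit a 2048-bit RSA key, so this fails.
    printf '%0300d' 0 > big.txt
    if openssl pkeyutl -encrypt -pubin -inkey dave.pub -in big.txt -out big.enc 2>/dev/null; then
      echo "expected encryption of 300 bytes to fail" >&2; exit 1
    fi

    # DIGITAL SIGNATURE: hash the message, sign the hash with Alice's PRIVATE key,
    # verify with Alice's PUBLIC key. Any change to the message breaks verification.
    openssl dgst -sha256 -sign alice.key -out message.sig message.txt || exit 1
    openssl dgst -sha256 -verify alice.pub -signature message.sig message.txt >/dev/null || exit 1
    printf ' (tampered)' >> message.txt
    if openssl dgst -sha256 -verify alice.pub -signature message.sig message.txt >/dev/null 2>&1; then
      echo "tampered message should not verify" >&2; exit 1
    fi
    cat message.dec; echo                               # the message Dave recovered
  )
  status=$?
  rm -rf "$work"
  return $status
}
asymmetric_demo
```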

Common asymmetric encryptions:
RSA: Typically used with X.509 certificates, it encrypts the certificate
DSA: Digital Signature Algorithm
ECC: Elliptic Curve Cryptography, mainly used with mobile devices due to less processing power

About Us

I am a CompTIA Certified Instructor. I do not work for CompTIA, but rather a technical training school. My main job is as a Network Administrator. My specialty on the teaching side is as a Boot Camp Instructor for CompTIA's A+, Network+, and Security+ classes. Classes begin on Monday morning, and the class takes the exam on Friday at 1:00 PM. Over 90% of my students have to pass the class to keep their jobs.

Most of the students work for the Department of Defense contractors and need this certification to comply with the DOD 8570 directive. Eighty-five percent of the individuals do jobs other than network administration. The majority are software engineers. My current pass rate is 93%. 

Unlike most boot camps, I do not teach from a brain dump, but instead, teach concepts. My goal in this blog will be to educate exam candidates on the concepts of what is covered in the SYO-501 exam. 

I hope to add at least two objectives each day until all of the objectives are covered. Hopefully, in September I will be able to have questions with answers and a flashcard program. These will be a different site and will have a charge to access the content. The price will be kept low to make it affordable. This Blog will stay up and running for those looking for free-content. 

I will add free questions with answers, but only a few per week.