Glasses

Pass4sure MB6-508 certification exam engine

latonia — Fri, 05 Dec 2008 08:41:08 +0000

Three characteristics of data—purpose, integrity, and sensitivity—will help you define a categorization scheme that can be used in all security designs. Categorizing data will help you determine the extent to which it should be protected. Think of these as the dimensions that define the data. Just as height, width, and depth define objects such as blocks and boxes, purpose, integrity, and sensitivity define data.

Note In the real world, data owners should be responsible for classifying data, but being familiar with the process will allow you to question or to assist the data owners.

Use the following guidelines to categorize and secure data:

Determine how the data is used (its purpose) and what will happen if the data is unavailable. Here, it’s important to identify what the data is used for. Some information gathered during the organization’s risk analysis process or in the development of the BIA will be of great assistance to you here. Data can then often be categorized by its purpose—its importance to the survival of the business.

Determine the impact of errors in the data. What will happen if the integrity of the data cannot be ensured? If my name is spelled incorrectly in your customer database, I might get annoyed. If my bill is incorrect, I can guarantee you I’ll be upset. But these issues are correctable and might be due to small clerical errors. If, however, every customer’s bill is only half of what it should be, there is a serious system error somewhere that will affect the company’s profitability and, likely, its ability to remain in business. Clearly, some data must be protected more securely than other data.

Off the Record An example of why determining the impact of errors is important is evident in the early use of computer-controlled radiation machines. These machines controlled the amount of radiation directed to a cancerous tumor by calculations based on an operator setting and an internal table. Unfortunately, because of system-design errors coupled with operator error, there have been cases of accidental megadoses of radiation burning a hole through a patient’s shoulder instead of merely destroying cancerous cells.

Determine the sensitivity of the data. What will happen if the data becomes available to unauthorized individuals? In government operations, data is often classified as secret, top secret, and for these eyes only, and the protection of the data is arranged accordingly. In a business, care should also be taken to classify the sensitivity of data and arrange for its protection. If there is not time to formally classify data, you should at least make yourself aware of the nature of sensitive data. Financial factors that might affect the stock market price of a company are, for example, more sensitive than information about employee vacation times (and even that depends on whose vacation time people might gain knowledge of). 70-290 MB6-508 70-291 350-001

Pass4sure Microsoft 70-547 exam study guide

latonia — Fri, 05 Dec 2008 06:56:53 +0000

Analyzing Business Requirements for Information Security 70-547 70-291 SY0-101 70-270

When business managers state business requirements for an IT department, their requirements often do not consider security. Instead, managers ask for things such as quick turnaround, return on investment, and reduction in expenses—requirements that often lead to reduced security. As a security designer, you are responsible for aligning these business requirements with the IT department’s goals to design and deploy secure systems.

Planning

Whenever possible, security design should start at the beginning of each IT project. If you add the security design at the end of an existing project, you might not be able to provide the best solution and might not be able to provide sound security at all.

After this lesson, you will be able to

Explain the process of analyzing business requirements.
Describe common business drivers for security design.
Explain the guidelines for:
- Mitigating the cost of security.
- Managing legal requirements.
- Determining how security design affects end users.
- Using the security design to mitigate risk.
- Reducing the impact of interoperability on security.
Describe threats to security introduced by maintainability issues.
Analyze existing security policy and procedures.
Categorize and secure data based on organization’s needs.
Use data flow to determine where data is at risk.
Analyze risks to security in the existing IT administration structure.

Estimated lesson time: 90 minutes

The Process: Analyzing Business Requirements

To analyze business requirements:

Review business requirements stated by management. Business requirements might be stated in terms of the budget for the project, the connectivity and types of data that must be available for use by partners, etc. Make sure you understand the stated purpose.
Make note of additional business requirements discovered during the review. Asking questions about the stated requirements, for example, might turn up additional requirements. Questions about the type of data to be shared, for example, might reveal the limitations of who can read the information, who is allowed to change it, and so on.
Analyze the business requirements. You do this so that you can make sure that the security design stays true to its goal of supporting the business. To help you analyze the business requirements, perform the following tasks:
1. Develop a list of common business drivers—the objectives that propel the business forward and continue to make it profitable. (Examples of common business drivers are shown in the following section.) You can use this list to help you analyze all projects.
2. Research how the business drivers will affect the security design and vice versa.
3. Analyze existing security policies and procedures.
Document what you learn. If you document what you learn, your security design can start with an orderly discussion of the business drivers and business requirements and how you have considered them. This information will make it easier for business decision-makers to accept and support your design recommendations.

The rest of this lesson provides information that you can use to help you analyze business requirements.

Pass4usre Microsoft 70-291 certification engine

latonia — Thu, 27 Nov 2008 08:06:22 +0000

Identifying the Sources of Risk: It’s Not as Simple as It Seems
Many risk management experts caution that we should look for all sources of risk. They identify the sources of risk as people, processes, and technology. Other experts include things beyond our control, such as your ISP’s lax password policy that could be a risk to the security of your organization’s data. Identifying the sources of risk, however, is not always simple. SY0-101 70-272 70-630

In 1998, a small Midwestern consulting firm’s telephone system was rendered inoperable in the middle of a business day when the system administrator changed the account used to run the service for the software-based Private Branch Exchange (PBX) system. The change was made, in accordance with the PBX system documentation, to facilitate the delivery of voice mail directly to the employees’ mailboxes. However, when the PBX system was brought back on line, the phones were all dead. Fortunately, the administrator was able to determine that the problem could be rectified by granting the new account appropriate permissions on the database. Nowhere in the PBX system documentation was that step listed or even alluded to.

It is easy to see, after a loss occurs, how it happened. Yet if you had been evaluating the risks associated with the PBX, which source of risk would you have identified?

Was the source of the risk people related? The systems administrator has to make changes to systems configuration from time to time—did she make a mistake or proceed without all the information? Did the administrator make a change to the configuration without thinking of the possible consequences? If she had reviewed the process with others, she might have questioned why permissions were not being reassigned.

Was the source of the risk technical? The system might have failed because its configuration was in error. Wouldn’t a better design have warned the administrator that a change in accounts might cause a problem? New error messages in Microsoft Windows Server 2003 and Windows XP Professional seek to warn users and administrators of nonreversible operations, such as password resets, that might damage the ability to access critical data such as encrypted files. 70-297 70-640 mb2-631

Was the source of the risk process related? Should the operational procedures have been required to be tested or at least reviewed before they were implemented? Or, perhaps such a major change should have been made during less critical business hours.

Threats to Security Introduced by Security Maintainability Issues
Any operations design must satisfy maintainability goals, and this is even more important with security design. If security cannot be maintained, it might be eliminated. The following threats to security can result when security designers forget to consider maintainability:

If a security design has a high reliance on people following a written policy that cannot be enforced via technical controls, it is unlikely that adherence to the policy will continue over time.

If a technical control is difficult to maintain, its enforcement might weaken over time. If there is no way, for example, to prevent the introduction of modems into the network and strict restrictions on Internet access are enforced via the local area network (LAN) connection, users might use modems as alternative paths to access the Internet. In doing so, they breach security by avoiding filters, access controls, and logging.

When controls must be renewed and it is difficult to do so, business productivity will be disrupted. Can certificates be automatically reissued before they expire, or must new certificates be manually obtained? Who will manage the intrusion detection systems when the person who received training and cared for the intrusion detection systems for three years leaves the company?

Important Support for security maintainability is important. In Windows Server 2003, functions such as Group Policy can be used to reapply security settings on a periodic basis. Computer and user certificates can be automatically deployed. Security templates can be reapplied to stand-alone systems and used to audit security compliance. 70-294 70-647 70-291

Pass4usre NS0-201 certification practice testing

latonia — Thu, 27 Nov 2008 07:40:09 +0000

Guidelines for Mitigating the Cost of Security
Follow these guidelines to minimize the cost of security: 70-293 70-431 70-236 70-642

Always insist on a clear and complete statement of the cost that security adds to any project. Whether the cost is prepared by vendors, internal IT staff, management, or the security designer, it must be complete.

Look at security solutions that reduce cost. Are there security technologies suitable for this project that can reduce overall cost and thus improve profitability? An example of such technologies is the use of Secure Sockets Layer (SSL) encryption accelerator cards in e-commerce projects. People rarely doubt the need for secure servers to protect the transmission of sensitive customer or partner financial information during an e-commerce transaction. However, SSL encryption does reduce the number of transactions that can be processed per minute. Slowing the processing of monetary transactions is not a good thing, but removing SSL encryption is not an acceptable solution. SSL-encryption accelerator cards are the answer. Although these cards add cost to a security project, they pay for themselves because they allow the number of possible SSL-encrypted transactions to increase and provide the required care of customer information as it traverses the Internet.

Look for security technologies that, if not employed, absolutely will result in the failure of the project or will result in large, unnecessary expenses. No one today can imagine running an e-mail gateway without antivirus protection. However, it was not long ago that the purchase of such products was seen only as an expense that might be useful. Many organizations learned the hard way that not providing and frequently updating antivirus protection on both the gateway and the end-user machine leads to business interruptions and larger expenses than the cost of providing protection in the first place.

Look for other tangential business drivers that, if not analyzed, can lead to increased expense. For example, confidentiality and integrity—or perhaps the lack of confidentiality and integrity—are becoming increasingly larger legal issues. Ignorance of relevant laws and regulations is not an excuse not to follow them. Potentially large fines and lawsuits can be the result of failure to follow current laws. Another example is that although designing and deploying security can be expensive and require significant expertise, the lack of security can cost even more. The hard costs of the security design—such as costs for equipment, training, and so on—should always be a part of the project cost-benefit analysis. In some cases, it can be shown that adding security reduces the cost of doing business.

Guidelines for Managing Legal Requirements
Follow these guidelines to manage legal requirements: 70-271 770-445 70-237 NS0-201
Have the organization’s legal team review each security design.
Improve the security design team’s awareness of current legal requirements.
Require the security design team to prepare legal compliance as part of its design.
Have a frank discussion with IT-knowledgeable attorneys early in each product or process development cycle.

Testking demo update certification demo download

latonia — Wed, 26 Nov 2008 08:34:54 +0000

Security templates are text files that store policy settings from the Security node in an Active Directory Group Policy. These text files can be imported and applied to GPOs, altering the settings in the GPO to conform to a particular security standard. Because they are text files, security templates are often far easier to manipulate than GPOs. MB4-641 000-M26 70-448 000-209 MB4-640 352-001 642-524 HP0-M17

Security templates can be edited in two ways. The first is by using the Security Template snap-in of the Microsoft Management Console. This method is the simplest way to edit the templates because it displays them in a form that is similar to that of the Group Policy Editor. Because security templates are stored in text file format, you can also edit security templates by using a text editor such as Notepad. This method is far more complicated and requires detailed knowledge of the security template syntax. Unless there is a compelling reason to do so, use the Security Template snap-in, because editing by using Notepad might lead to inadvertent errors in a template which, when applied, could make a system insecure.

After a security template is created, it must be deployed before it can have any influence on the security configuration of a system. Security templates are generally deployed by importing them into a Group Policy object. Once they have been imported into a Group Policy object, that Group Policy object can then be applied to sites, domains, and organizational units. Security templates can also be deployed by importing them into local Group Policy objects on standalone systems that are not a part of the domain. This can be done by editing the local Group Policy object (gpedit.msc) or by importing the template using the secedit command.

The principles involved in deploying a security template across a domain are similar to the principles involved in deploying Group Policy objects. In general, deployment should be as specific as possible. Grouping target systems into organizational units or sites is far preferable to deploying GPOs with security templates applied at the domain level. This way only the systems that are the targets of these policies will have to process them, and systems for which the policies are not relevant will not be delayed. The more Group Policy settings that are applied within a domain to all machines, the longer those machines take during startup and logon to process all of the policies to reach a final configuration.

One of the advantages to using security templates to configure the security settings in Group Policy objects is that they provide a documented point of reference for determining what went wrong when unexpected results appear. The security configuration and analysis tool can be used to look into the expected results. An administrator can also diagnose where what was planned diverged from what actually happened. One of the most common problems that occurs when security settings are applied is that the rules of Group Policy inheritance are forgotten. Policies applied at the organizational unit level override those applied at the domain level, which in turn override those applied at the site level, which finally override those that are applied locally. This gets even more complicated when policies are applied with the “no override” and “block inheritance” settings. Understanding how these options work is the key to diagnosing problems that occur in the application of security templates. HP0-M23 000-938 000-100 000-960 000-995 190-805 HP0-S16

Pass4sure 156-215.1 free demo download

latonia — Fri, 21 Nov 2008 09:07:22 +0000

802.1X authentication 70-541 70-299 MB7-517 70-526
Although the early implementations of WEP were woefully inadequate, WEP’s vulnerability can be significantly reduced by using 802.1X authentication. 802.1X enables WEP to regularly change the encryption keys, which dramatically reduces the likelihood that an attacker will be able to gather enough data to identify the shared secret.

802.1X employs an Internet Engineering Task Force (IETF) standard protocol called Extensible Authentication Protocol (EAP) to carry the authentication conversation between the client, the WAP, and a Remote Access Dial-In User Server (RADIUS) service. As part of the 802.1X secure authentication process, the EAP method generates an encryption key that is unique to each client. RADIUS forces the client to generate a new encryption key on a regular basis, which makes it more difficult for an attacker to capture enough traffic to identify a key. This allows existing WEP-capable hardware to be used while minimizing WEP’s vulnerabilities.

PEAP PEAP is typically used to authenticate wireless clients by using a user name and password; EAP-TLS is used to authenticate wireless clients by using public key certificates. Although using a user name and password is not as strong as using public key certificates, because passwords can be stolen or guessed, the resulting encryption is still very strong. When PEAP authentication is used with a RADIUS service that forces encryption keys to change regularly, the resulting WEP encryption is not likely to be compromised in a reasonable amount of time. PEAP’s primary advantage over EAP-TLS is that it is easier to deploy because it does not require you to implement a Public Key Infrastructure (PKI).

The PEAP authentication method has two phases. Phase 1 authenticates the RADIUS server by using the RADIUS server’s public key certificate and then establishes a TLS session to the RADIUS server. Phase 2 requires a second EAP method tunneled inside the PEAP session to authenticate the client to the RADIUS service. This allows PEAP to use a variety of client authentication methods.

This is an important point: PEAP uses two separate types of authentication, one in each authentication phase. The first authentication is handled by PEAP without requiring administrative configuration. You must configure the second authentication protocol, however. Although wireless standards could theoretically support any authentication method, Windows Server 2003 and Windows XP support two by default: Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) and certificates using EAP-TLS tunneled inside PEAP. You will almost always use MS-CHAP v2 with PEAP, however, because you should use EAP-TLS for certificate-based authentication. Certificate-based authentication does not require the additional layer of encryption provided by PEAP.

Security Alert It’s a good thing the MS-CHAP v2 authentication is protected by TLS encryption, because MS-CHAP v2 is indeed susceptible to an offline dictionary attack. An attacker who can capture a successful MS-CHAP v2 exchange can methodically guess passwords until the correct one is determined. It would take a while, but the attacker will eventually get the password.

After the user is successfully authenticated, the authentication server supplies dynamically generated keying material to the WAP. From this keying material, the WAP creates new encryption keys for data protection. 642-811 MB7-515 70-631 156-215.1
Exam Tip If you have a hard time remembering the difference between PEAP and EAP-TLS, you can think of the P in PEAP as standing for password, because you usually use PEAP for password-based authentication, and you use EAP-TLS when client certificates are available.

Pass4sure Microsoft 70-630 practice testing

latonia — Fri, 21 Nov 2008 08:56:31 +0000

WEP 70-640 70-297 70-630
WEP is a wireless security protocol that helps protect your information by using a security setting, called a shared secret or a shared key, to encrypt network traffic before transmitting it over the airwaves. This helps prevent unauthorized users from accessing the data as it is being transmitted.

Unfortunately, some smart cryptographers found several theoretical ways to discover WEP’s shared secret by analyzing captured traffic. These theoretical weaknesses were quickly implemented in freely available software. The combination of free tools for cracking WEP encryption, the ease of capturing wireless traffic, and the dense proliferation of wireless networks have led WEP to become the most frequently cracked network encryption protocol today.

Security Alert You won’t need to understand the details of the WEP standard for the exam, but it is an interesting study on how not to make an encryption protocol. The most easily exploited weakness of WEP is that many of WEP’s possible initialization vectors (IVs) are cryptographically weak and can expose individual bytes of the WEP key. WEP changes these IVs over time, and an attacker who captures millions of packets will eventually gather enough packets with weak IVs to crack the entire WEP key. Some wireless network adapters intentionally avoid using weak IVs, which makes it much more time-consuming to expose the WEP key. Ask your network adapter vendor what they’ve done to make WEP communications more secure. For more detailed information on WEP’s weaknesses, search for the paper titled “Weaknesses in the Key Scheduling Algorithm of RC4” on the Internet. MB2-631 70-294 70-647

Besides weak cryptography, another factor contributing to WEP’s vulnerability is that WEP is difficult to manage because it doesn’t provide any mechanism for changing the shared secret. On wireless networks with hundreds of hosts configured to use a WAP, it is practically impossible to regularly change the shared secret on all hosts. As a result, the WEP shared secret tends to stay the same indefinitely. This gives attackers sufficient opportunity to crack the shared secret and all the time they need to abuse their ill-gotten network access.
WEP
WEP is a wireless security protocol that helps protect your information by using a security setting, called a shared secret or a shared key, to encrypt network traffic before transmitting it over the airwaves. This helps prevent unauthorized users from accessing the data as it is being transmitted.

Pass4sure 70-541 exam answer question

latonia — Thu, 20 Nov 2008 09:41:09 +0000

Public Key Infrastructure 156-215.1 MB7-515 642-811 70-526
Public key encryption wouldn't be any easier than shared key encryption if everyone had to manually exchange public keys. That's why we use a PKI-to make the process of managing and exchanging public keys simpler. A PKI is a set of policies, standards, and software that manages certificates and public and private keys. A PKI consists of a set of digital certificates, certification authorities (CAs), and tools that can be used to authenticate users and computers and to verify transactions. In order to place the PKI implementation provided by Windows Server 2003 in the proper context, this section provides a general overview of the components that make up a PKI.

See Also The data formats and network communications used by a PKI are (mostly) standardized. For detailed, but dry, information about PKI standards, refer to RFC 2459.
Certificates
A public key certificate, referred to in this chapter as simply a certificate, is a tool for using public key encryption for authentication and encryption. Certificates are issued and signed by a CA, and any user or application that examines the certificate can safely assume that the CA did indeed issue the certificate. If you trust the CA to do a good job of authenticating users before handing out certificates, and you believe that the CA protects the privacy of its certificates and keys, you can trust that a certificate holder is who he or she claims to be.

Certificates can be issued for a variety of functions, including Web user authentication, Web server authentication, secure e-mail, encryption of network communications, and code signing. CAs even use certificates to identify themselves, create other certificates, and establish a certification hierarchy between other CAs. If the Windows Server 2003 enterprise CA is used in an organization, clients can use certificates to log on to the domain.

Certification authorities
A CA is an entity trusted to issue certificates to an individual, a computer, or a service. A CA accepts a certificate request, verifies the requester's information according to the policies of the CA and the type of certificate being requested, generates a certificate, and then uses its private key to digitally sign the certificate. A CA can be a public third party, such as VeriSign, or it can be internal to an organization. For example, you might choose to use Windows Server 2003 Certificate Services to generate certificates for users and computers in your Active Directory directory service domain. Each CA can have distinct proof-of-identity requirements for certificate requesters, such as a domain account, an employee badge, a driver's license, a notarized request, or a physical address.

Registration is the process by which subjects make themselves known to a CA. Registration can be accomplished automatically during the certificate enrollment process, or it can be accomplished by a trusted entity such as a smart card enrollment station. Certificate enrollment is the procedure that a user follows to request a certificate from a CA. The certificate request provides identity information to the CA, and the information the user provides becomes part of the issued certificate.

Certificate life cycle MB7-517 70-299 70-541
Certificates cannot be used forever; that would give an attacker too much time to identify the corresponding private key. Certificates have a predefined life cycle and expire at the end of this life cycle. You, as the security administrator, maintain control over the certificate. You can extend the lifetime of a certificate by renewing it, or end the usefulness of a certificate before the expiration date by revoking it.

A number of factors influence the length you will choose for a certificate lifetime, such as the type of certificate, the security requirements of your organization, the standard practices in your industry, and government regulations. In general, longer keys support longer certificate lifetimes and key lifetimes. Longer lifetimes reduce administrative labor, which reduces costs.

Pass4sure Microsoft certification exmas

latonia — Wed, 19 Nov 2008 09:10:53 +0000

Considerations for Evaluating Your Environment 70-431 70-646 70-236
When establishing an authentication strategy for your organization, you must become familiar with your current environment, including the structure of your organization; the users, computers, and services in your organization that require authentication; and the applications and services that are in use. This will help you to understand the requirements and constraints of your organization.
When evaluating your environment, identify the following:
The number of domain controllers in your organization. Ensure that there are enough domain controllers to support client logon requests and authentication requests while meeting your redundancy requirements. A sufficient number of domain controllers will ensure that a large volume of authentication requests will not result in authentication failures, even if a domain controller is offline because of hardware or network failures.
The type of network connectivity between site locations in your organization. Ensure that clients in remote sites are connected well enough to authenticate to domain controllers located in main sites. If connectivity is an issue, consider installing domain controllers in sites that might have logon problems because of slow or unreliable links. 642-415 642-373 70-642
Planning Everyone is always concerned about whether they have enough bandwidth, but it’s latency that’s more likely to cause authentication problems across wide area network links. Authentication requires very little bandwidth. However, packets must go back and forth across the link several times. If latency causes a significant delay for each round trip, authentication will seem slow.
The number of certification authorities (CAs) that are available in your organization and their locations. Ensure that you have enough CAs to support the anticipated number of certificate requests.
Guidelines for Creating a Strong Password Policy
Encryption limits your vulnerability to having user credentials intercepted and misused. Specifically, password encryption is designed to be extremely difficult for unauthorized users to decrypt. Ideally, when a strong password is used, it should take an attacker months, years, or decades to identify the unencrypted password after the attacker captures the encrypted or hashed password. During that time, the password should have been changed—making the unencrypted password now useless.
In contrast, weak passwords can be identified in a matter of hours or days, even when they have been encrypted. Encryption cannot protect against passwords that are easily guessed, because weak passwords are vulnerable to dictionary attacks. Dictionary attacks encrypt a list of common passwords, and compare each possibility with the captured cyphertext. If the password appears in the password dictionary, the attacker will identify the password quickly. You can defend against this vulnerability by implementing a strong password policy.
Off the Record The best way to understand how effective dictionary attacks are is to grab a password cracking tool from the Internet and experiment with it on a test machine. I can’t point you to a specific tool, but they’re not hard to find. 70-271 70-445 70-237

Pass4sure Microsoft certification exmas

latonia — Wed, 19 Nov 2008 09:10:45 +0000