CompTIA® Security+ : Wireless Network In A Secure Manner & Risk Related Concepts

1.6 Implement wireless network in a secure manner

WEP (Wired Equivalent Privacy) : A deprecated wireless network security standard, less secure than WPA. Key size is 64 bit. WEP aims to provide security by encrypting data over radio waves so that it is protected as it is transmitted from one end point to another. However, it has been found that WEP is not very secure. WEP is used at the two lowest layers of the OSI model - the data link and physical layers; it therefore does not offer end-to-end security.

WPA (Wi-Fi Protected Access) : A wireless encryption standard created by the Wi-Fi Alliance to secure wireless computer networks. WPA improves on the authentication and encryption features of WEP (Wired Equivalent Privacy). Key size is 128 bits. WPA provides stronger encryption than WEP through use of either of two standard technologies: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). WPA also includes built-in authentication support that WEP does not offer. WPA provides comparable security to VPN tunneling with WEP, with the benefit of easier administration and use.

WPA2 (Wi-Fi Protected Access Version 2) : It is wireless encryption protocol and is based on the IEEE 802.11i technology standard for data encryption. Key size is 256 bits. It is more secure than WPA and WEP. WPA2 also improves the security of Wi-Fi connections by requiring use of stronger wireless encryption than what WPA requires. Specifically, WPA2 does not allow use of an algorithm called TKIP (Temporal Key Integrity Protocol) that has known security holes (limitations) in the original WPA implementation. There are two versions of WPA2: WPA2-Personal, and WPA2-Enterprise. WPA2-Personal protects unauthorized network access by utilizing a set-up password. WPA2-Enterprise verifies network users through a server. WPA2 is backward compatible with WPA.

EAP (Extensible Authentication Protocol) : It is a framework for transporting authentication protocols. EAP defines the format of the messages. It uses four types of packets : request, response, success and failure. Request packets are issued by authenticator and ask for response packet from supplicant. If authentication is successful, a succes packet is sent to the supplicant is not a failure packet is sent.

PEAP (Protected EAP) : It is designed to simplify deployment of 802.1x by using MS Windows logins and passwords. It is considered more secure than EAP because it creates an encrypted channel between client and authentication server and the channel then protects further authentication exchanges.

LEAP (Lightweight EAP) : It is developed by Cisco Systems. It requires mutual authentication used for WLAN encryption using Cisco client software. There is no native support for LEAP in MS Windows operating system

MAC Filtering : Every Wi-Fi device is assigned a MAC (Media Access Control) address, a unique 12-digit hexadecimal identifier issued by the IEEE, the standards body that developed the Wi-Fi protocol. The MAC address is "hard-coded" in to the device and sent automatically to a Wi-Fi access point when the device tries to connect to the network.

Using the access point configuration software, you can create a safe list of allowed client devices or a black list of banned devices. If MAC filtering is activated, regardless of what encryption security is in place, the AP only allows devices on the safe list to connect, or blocks all devices on the black list - irrespective of encryption used.

Encryption protocols like WPA2 (Wi-Fi Protected Access 2), reduced the necessity for using MAC filtering. Hackers may break in to MAC filtering device by sniffing addresses of connected devices and then spoofing or masquerading as one of them.

To enable MAC address filtering and to allow the devices with matching MAC addresses, perform these steps (these steps are generic in nature, and likely to change from one device type to another):

Step 1: Access the router's web-based setup page.
Step 2: When the router's web-based setup page appears, click Wireless, look for MAC address filtering tab.
Step 3: Enter the MAC addresses of the devices that are allowed to use the wireless network in the table provided.
Step 3: Click on Save Settings

TKIP (Temporal Key Integrity Protocol ) : It is an Encryption protocol used with WEP and WPA. Key size is 128 bits.

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) : It is an Encryption protocol used with WPA2. It addresses the vulnerabilities of TKIP and meets requirements of IEEE 802.11i. It uses 128 bit Key.

SSID (Service Set Identifier) : One way to secure your wireless network is to disable the SSID broadcast. This procedure prevents other users from detecting your SSID or your wireless network name when they attempt to view available wireless networks in your area.

To disable SSID Broadcast, perform these steps (these steps are generic in nature, and likely to change from one device type to another):

Step 1: Access the router's web-based setup page.
Step 2: When the router's web-based setup page appears, click Wireless, look for Wireless SSID Broadcast, and select Disable.
Step 3: Click on Save Settings

2. Compliance and Operational Security

2.1 Explain risk related concepts

Security controls : Security controls are measures taken to safeguard an information system from attacks against the confidentiality, integrity, and availability (C.I.A.) of the information system. Security controls fall in three classes

1. Technical

Access Control , firewalls
Audit and Accountability
Identification and Authentication
System and Communications Protection

2. Management

Certification, Accreditation, and Security Assessments
planing
Risk Assessment
System and Services Acquisition

3. Operational

Awareness and Training
Configuration Management
Contingency Planning
Incident Response
Maintenance
Media Protection
Personnel Security
Physical and Environmental Protection
System and Information Integrity
Maintenance

False positives : False positives are when the system reads a legitimate event as an attack or other error. When a system authenticates a user who should not be allowed access to the system. For example, when an IDS/IPS blocks legitimate traffic from passing on to the network.

Privacy policy : This policy is used to secure user identities and other information related to user. If an internet based application provided by an organization require users to register with them using name and email id then this information provided by the user should be secure and not shared with any third party without user knowledge. Privacy policy should state what information is stored and will be accessed by whom, it should also state if information will be shared with third party.

Acceptable use : This policy restricts how a computer network and other devices and systems will be used. It states what users can do and what not with technology infrastructure of an organization. It is signed by the employees before they begin working on any systems. This protects the organization from employees misusing the systems or network. The policy may put limits on personal use of resources, and resource access time.

Security policy : A company's security policy outlines the security measures to be taken. Implementing the security policy is the first thing that needs to be done. Some issues that need to be taken care of, while planning security policies are:

Due care, acting responsibly and doing right thing.
Privacy, letting the employees and administrator know of the privacy issues
Separation of duties :It ensures that the vital activities are bifurcated among several individuals. This ensures that one or two individuals can not perform a fraud.
Need to know, providing employees only the information required to perform their role or duties.
Password management, auditing the passwords
Disposal and destruction
Human rights policies, and
Incident response, should take care of response to an act.
least privilege principle means a user should be given only the minimum privileges that are required to do his/her works accurately and completely. Other choices are not appropriate.
The security policy should clearly state that no one is ever allowed to share his/her password with anyone else. Secondly, the security policy should state that the help desk can only change or assign a new password after positive identification of the individual requesting the information

Risk Management : Risk management can be defined as the identification, assessment, and prioritization of risks, and the mitigating and monitoring of those risks.

1. Risk transference : The purpose of this action is to take a specific risk, which is detailed in the insurance contract, and pass it from one party who does not wish to have this risk (the insured) to a party who is willing to take on the risk for a fee, or premium (the insurer). Example organization that purchases insurance for a group of servers in a data center. The organization still takes on the risk of losing data in the case of server failure, theft, and disaster, but transfers the risk of losing the money those servers are worth in the case they are lost.

2. Risk avoidance : It refers to not carrying out a proposed plan because the risk factor is too great. If an organization decided not to implement a new website based on its calculation that too many attackers would attempt to hack it.

3. Risk acceptance : Also known as risk retention. Most organizations are willing to accept a certain amount of risk. Sometimes, vulnerabilities that would otherwise be mitigated by the implementation of expensive solutions are instead dealt with when and if they are exploited.

4. Risk reduction : This is the main aim of risk management that is to reduce the risk to an acceptable level.