EC-Council CEH

Certified Ethical Hacker Domain 3: Security

July 8, 2019 by Howard Poston

About the Domain

Domain 3 is the second largest of the seven domains covered on the EC-Council’s Certified Ethical Hacker (CEH) exam. The topic of Security has 30 questions (23.73%) of the exam devoted to it. The domain is broken up into three sections, testing an applicant’s knowledge of information security controls and the detection and prevention of information security attacks.

What’s Covered

This part of the CEH exam focuses on the defensive side of the job of an ethical hacker. The questions in this domain are targeted toward the specific information security controls that an ethical hacker may have to identify and evade in the course of an ethical hacking engagement. The domain is broken into three sections: Information Security Controls, Information Security Attack Detection and Information Security Attack Prevention.

Information Security Controls

The information security controls subdomain has 15 questions (12%) of the total exam devoted to it. This high percentage is due to the fact that this category covers a lot of ground, including system security controls, security controls for applications and file servers and the use of firewalls and cryptography for security.

The first thing to know about system security controls for the CEH exam is the three types: physical (guards, gates and so on), technical (software-based protections) and administrative (policies and procedures). A candidate should be able to classify examples of security controls into the appropriate category.

Candidates should also be familiar with the Department of Defense’s Common Criteria for Information Technology Security Evaluation (Common Criteria). When a system is assessed against Common Criteria, the result is an Evaluation Assurance Level (EAL) in the range of 1-7. Other important terms are the Target of Evaluation (the system being tested), the Security Target (documentation that describes the TOE and the security requirements of the test) and the Protection Profile (a set of security requirements specific to the system under test). Questions about this will likely involve matching definitions to terms.

Application and file server security controls are also tested on this portion of the exam. One of the most important things to be familiar with for this section is administrative file shares. In order to be prepared for the test, a candidate should know what these are and how they work and be familiar with the commands used to set one up.

Firewalls are a fairly major topic on the Certified Ethical Hacker exam. To answer these questions correctly, you need to know the types of firewalls and the details of how they work. Spend some time reading up on all of the various flavors of firewall (proxy, application and so on), their purposes, how they work and what level of the OSI model they operate on. It’s likely that a question will ask if a simple firewall protecting a Web server will protect against attacks on ports 80 and 443 (it won’t). It’s also important to know that, by definition, every firewall is multihomed since it operates two NICs (one each on the internal and external networks).

The CEH also heavily tests an applicant’s knowledge of cryptography. To start, understanding how the exclusive-or (XOR) operation works is important both for this section and for questions regarding subnetting.
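As an added illustration (not part of the original article), the Python sketch below shows XOR in both roles mentioned above: as the self-inverse operation behind simple stream encryption, and as a bit-difference test in subnet arithmetic. The function names, key and addresses are constructed for the example.

```python
import ipaddress

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Because x ^ k ^ k == x, running the
    same function again with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def keystream_reuse_leak(p1: bytes, p2: bytes, key: bytes) -> bytes:
    """Encrypt two equal-length messages under the same key and XOR the
    ciphertexts. The key cancels out, leaving p1 ^ p2, which is why a
    keystream must never be reused."""
    c1, c2 = xor_bytes(p1, key), xor_bytes(p2, key)
    return xor_bytes(c1, c2)

def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """Two IPv4 addresses share a subnet when every bit in which they
    differ (a XOR b) lies outside the network mask."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return diff & mask == 0

if __name__ == "__main__":
    key = b"\x5a\xc3\x11"                    # constructed sample key
    msg = b"CEH domain 3"                    # constructed sample plaintext
    ct = xor_bytes(msg, key)
    print(ct.hex(), xor_bytes(ct, key))      # ciphertext, then msg again
    print(same_subnet("192.168.1.10", "192.168.1.200", 24))  # same /24
    print(same_subnet("10.0.0.1", "10.0.0.130", 25))         # split by /25
```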

The EC-Council also expects familiarity with some of the most famous cryptographic algorithms, including AES, DES, RSA, IDEA, Blowfish, Twofish and the RC series. For these, you should know how the algorithm is classified (symmetric versus asymmetric, block versus stream and so on) and general information about its operation (e.g., block sizes, the fact that RSA is based off of multiplication of large primes).

On the application/protocol side, it’s important to be familiar with how PGP and S/MIME work at a high level and the fact that PGP can be used to encrypt more than just email (and S/MIME can’t). You also need to understand how a PKI system works and what information a digital certificate contains (it never contains the private key).

Finally, the CEH exam tests knowledge of attacks against cryptography. This includes definitions (known plaintext attack, brute force, man-in-the-middle and so on) and the vulnerability (or lack thereof) of different algorithms to these types of attacks.

Information Security Attack Detection

The second section of this domain focuses on detecting attacks against an organization’s information security. Nine questions of the exam are devoted to this topic, covering network and physical security, verification procedures and social engineering.

The topics of network and physical security are broad ones and overlap with many other sections of the exam. For this section, focus on the various techniques and tools that can be used for detecting and/or preventing an attack whether they be network-based (IDS, IPS, SIEM) or physical (security cameras, card readers).

For the questions on verification procedures, the most important things to know are the definitions of, and differences between, false positives and false negatives. A false positive is when something happens when it shouldn’t, while a false negative is when something does not happen when it should. The crucial part of this is determining what is the “positive” case. For example, a false positive for granting access to a system would be allowing an unauthorized user access (the “positive” case is granting access) while a false positive on alerting is triggering an alert on benign traffic (the “positive” case is triggering an alert).

Social engineering is the practice of manipulating humans into performing actions that are in the attacker’s best interest. Phishing emails, watering hole attacks and SMiShing are examples of this. For this section, it’s important to know the definitions of the common types of social engineering attacks. The difference between piggybacking and tailgating is also important. In both cases, a social engineer uses a legitimate employee to get them through a door that requires key card access. In piggybacking, they have the assistance of the person they follow, usually by deceiving them into thinking they are also a legitimate employee; in tailgating, they do not.

Information Security Attack Prevention

The final section of this domain focuses on proactive methods that organizations can use to protect themselves from attack. The six questions in this section of the exam cover vulnerabilities, threat modeling, vulnerability scanners, security policy implications, privacy/confidentiality, biometrics and wireless access technology.

Vulnerabilities are the primary focus of this section of the exam. Preventing attacks involves identifying and mitigating vulnerabilities and many of the questions will deal with ways of doing so. It’s important to know that a vulnerability is a flaw that is exploited by a threat.

According to the EC-Council, threat modeling is a five-stage process for identifying threats and vulnerabilities within a system. The five stages of the threat modeling process are:

  1. Identify Security Objectives
  2. Application Overview
  3. Decompose Application
  4. Identify Threats
  5. Identify Vulnerabilities

Candidates may be required to identify these as stages of the threat modeling process or select correct stages from a set of potential answers.

The use of vulnerability scanners to identify vulnerabilities in a system is an important part of preventative information security. For the exam, you should be familiar with the Nessus and Nikto vulnerability scanners. These tools will also be covered in Domain 4, which discusses information security tools.

Policies and procedures are an important part of security both for an organization and as part of a certified ethical hacking engagement. For the exam, an applicant should be familiar with the implications of different security policies (shortcomings, limitations and so on) and be able to identify if a policy could protect against a given attack (e.g., a strong password policy is meaningless if it isn’t followed).

During an engagement, an ethical hacker should respect the privacy and confidentiality of the target as much as possible. This includes abiding by the rules of engagement and not unnecessarily violating an individual’s privacy during the attack or reporting phases of the engagement.

Biometric technology uses the “something you are” category of multi-factor authentication as a method of authenticating a person to a system. Important terminology for the exam is the False Rejection Rate (FRR), False Acceptance Rate (FAR) and the Crossover Error Rate (CER). The Crossover Error Rate is the point where graphs of the FRR and FAR for a system intersect and is used for ranking biometric systems.
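The following added example (not from the original article) ties the FAR/FRR terminology to the false positive and false negative definitions given earlier: with "accept" as the positive case, a false acceptance is a false positive and a false rejection is a false negative. It sweeps an acceptance threshold over constructed match scores for two hypothetical systems, finds each crossover point and ranks the systems by CER.

```python
# Constructed match scores (0-100, higher = closer to the enrolled template).
GENUINE_A = [62, 70, 74, 78, 81, 85, 88, 90, 93, 97]    # legitimate users
IMPOSTOR_A = [12, 20, 27, 33, 41, 48, 55, 64, 72, 80]   # everyone else
GENUINE_B = [40, 52, 58, 63, 69, 75, 80, 86, 91, 95]
IMPOSTOR_B = [15, 25, 35, 45, 50, 56, 61, 67, 73, 84]

def rates(threshold, genuine, impostor):
    """Return (FAR, FRR) when a score >= threshold is accepted.

    FAR = impostors wrongly accepted (false positives) / all impostors.
    FRR = genuine users wrongly rejected (false negatives) / all genuine.
    """
    false_accepts = sum(s >= threshold for s in impostor)
    false_rejects = sum(s < threshold for s in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)

def crossover(genuine, impostor):
    """Sweep thresholds 0..100 and return (threshold, FAR, FRR) at the first
    threshold where FAR and FRR are closest, i.e. where the curves cross."""
    best = None
    for t in range(101):
        far, frr = rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1:]

def rank_by_cer(systems):
    """Order system names by error rate at the crossover; lower is better."""
    cer = {}
    for name, (genuine, impostor) in systems.items():
        _, far, frr = crossover(genuine, impostor)
        cer[name] = (far + frr) / 2
    return sorted(cer, key=cer.get)

if __name__ == "__main__":
    systems = {"A": (GENUINE_A, IMPOSTOR_A), "B": (GENUINE_B, IMPOSTOR_B)}
    for name, (g, i) in systems.items():
        print(name, crossover(g, i))
    print("ranking:", rank_by_cer(systems))
```

Raising the threshold lowers FAR at the cost of a higher FRR, so the CER gives a single threshold-independent number for comparing systems.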

For the exam, you should also be aware of the concept of a biometric passport. This passport includes biometric information about its holder (physical descriptors and so on). While this may seem like it fits into the “something you are” category of multi-factor authentication (since it deals with biometrics), the biometric passport is actually something that you have.

The use of wireless access technology is ubiquitous in the modern world to make it more convenient to connect devices together. To prepare for the exam, it’s important to be familiar with the common wireless technologies (Wi-Fi, RFID, Bluetooth), the tools used to scan for and exploit them, and any known major attacks against them. In particular, the details of the various Wi-Fi standards (802.11) are potential questions on the exam.

How to Prepare

This domain of the Certified Ethical Hacker exam mixes memorization-focused topics with knowledge of practical applications. For this reason, using a resource focused on the Certified Ethical Hacker exam is probably the best means of preparation. A CEH boot camp would allow an applicant to ensure that they have exposure to the complete range of material that is likely to be tested in this part of the exam while also providing the experience necessary for the questions that require knowledge of practical applications.




Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity research and development at Sandia National Labs. He currently works as a freelance consultant providing training and content creation for cyber and blockchain security.
