Security+: Implementing Secure Protocols
The Security+ syllabus is updated every three years. Normally, the exam is denoted by a code consisting of a sequence of letters and numbers; for example, SY0-401 is the most recently outdated exam. During the revision, a number of changes are made from the previous to the most recent exam. This article covers the most recent changes leading to the current exam – SY0-501. We shall be covering the changes related to the implementation of secure protocols, how it is covered in the new exam, and how that differs from the previous exam.
Exam Changes Overview
Between the two exams SY0-401 and SY0-501, there has been a significant overall change in the content. The new exam focuses on attacks, risk management and hands-on skills using technologies and tools. As a result, the domains have been re-named and re-ordered to reflect cyber security trends as determined in the Security+ SY0-501 Job Task Analysis (JTA).
Under the previous exam (SY0-401), the implementation of secure protocols was found under the Network Security domain, which covered 20% of the exam, but is currently found within the Technologies and Tools domain which now covers 22% of the exam.
The most recent changes to the exam have also been structured to ensure that candidates are more able to explain the learned concepts by translating them to real-life problems.
Exam Changes Comparison
The SY0-401 exam featured numerous protocols within the Network Security domain. Emphasis was on the different protocols, their ports and their relevance to the OSI stack. Compared with the new exam, much effort went into the implementation of numerous protocols that had not been adequately streamlined to the most recent security concerns. For example, in compliance with industry-wide best practice, many organizations today have shut down (or effectively reconfigured) certain protocols that could pose a security threat, such as TELNET, DNS, SNMP and NetBIOS; as a result, the most recent exam revision omits these protocols and focuses on those most relevant to today’s cyber threats. Some of the covered protocols included:
Telnet and SSH – These protocols are effective for communication between two parties on the internet, with SSH allowing for encrypted communication and Telnet being totally unencrypted. Candidates were previously tested on the differences between these protocols and their implementation, along with the security implications that may accompany them within the organization.
File Transfer Protocols – Candidates were required to master methods of transferring files on the network depending on the sensitivity of the content being transferred. For instance, the FTP protocol (like Telnet) is not encrypted and should never be used for the transfer of sensitive files. FTPS and SFTP were also covered as secure alternatives to the FTP protocol. SCP was covered as well.
ICMP and SNMP – ICMP allows hosts within the network to reach each other through sending and receiving echo requests and replies. SNMP allows device metrics to be discovered and gathered within a network. Different aspects of these protocols were covered within the exam.
IPSec – Candidates had to know how to bring up secure tunnels using IPSec and create an encrypted link between devices. Candidates had to demonstrate a thorough understanding of this protocol, since any improper configuration could introduce attack vectors into the organization.
IPv4 and IPv6 – Candidates needed to understand the differences between these two protocols and why there is a great need to move to the newer and more effective IPv6.
DNS – The DNS protocol converts IP addresses to URLs. Candidates were required to properly understand the configurations of DNS servers to prevent attackers from performing redirection, DNS Zone Transfers and Phishing attacks that could lead to the compromise of the organization.
HTTPS and SSL/TLS – Web technologies use these protocols to protect content in transit between the web servers and client (user) machines. Candidates were required to understand these encryption technologies from a security perspective so as to prevent man-in-the-middle attacks or detect attacks hidden within SSL/TLS encryption.
NetBIOS – This API has been used by programmers for a long time to create programs that can communicate across the network. Candidates were required to understand how this API is integrated over TCP/IP to allow for routing outside the subnet without introducing a security risk.
Questions on the above protocols were scenario-based: different scenarios would be presented to the candidate, who was required to provide well-thought-out solutions.
The newer SY0-501 exam features fewer protocols, as compared to the previous exam, within the Technologies and Tools domain. Here, emphasis is placed on the most critical protocols that pose a security risk in many organizations today. The following protocols are covered in detail:
Secure Real-Time Transport Protocol (SRTP) – Candidates must now show the ability to implement this encrypted VoIP protocol for voice and video over the network. Candidates must also master the protocol’s authentication, integrity and replay protection, which use HMAC-SHA1 as the hash function.
Network Time Protocol (NTP) – Candidates are required to show how this protocol can be used to conduct denial of service attacks within the network, abusing its normal purpose of synchronizing time across multiple hosts. There have been attempts to make this protocol secure; for instance, NTPsec, which patches multiple vulnerabilities and has a reduced code base.
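As an added illustration that is not part of the original article, the following Python sketch shows the SRTP authentication and replay-protection mechanics named above: an HMAC-SHA1 tag truncated to 80 bits, computed over the RTP packet and rollover counter (ROC), and a sliding replay window on the packet index. The key, packets and window size are constructed for the example, and SRTP’s encryption step is omitted.

```python
import hashlib
import hmac

TAG_LEN = 10  # SRTP default: HMAC-SHA1 output truncated to 80 bits (RFC 3711)


def auth_tag(auth_key: bytes, rtp_packet: bytes, roc: int) -> bytes:
    """HMAC-SHA1 over the RTP packet followed by the 32-bit rollover counter."""
    mac = hmac.new(auth_key, rtp_packet + roc.to_bytes(4, "big"), hashlib.sha1)
    return mac.digest()[:TAG_LEN]


def make_packet(auth_key: bytes, seq: int, payload: bytes, roc: int = 0) -> bytes:
    """Constructed RTP packet (V=2, PT=0, timestamp and SSRC zeroed) plus its auth tag."""
    header = b"\x80\x00" + seq.to_bytes(2, "big") + bytes(8)
    packet = header + payload
    return packet + auth_tag(auth_key, packet, roc)


class ReplayWindow:
    """Sliding window over the 48-bit SRTP index: reject duplicates and stale packets."""

    def __init__(self, size: int = 64):
        self.size = size
        self.last = -1        # highest index accepted so far
        self.seen = set()     # accepted indices still inside the window

    def accept(self, index: int) -> bool:
        if index > self.last:                       # newest packet: slide window forward
            self.last = index
            self.seen = {i for i in self.seen if i > index - self.size}
            self.seen.add(index)
            return True
        if index <= self.last - self.size:          # older than the window: drop
            return False
        if index in self.seen:                      # already accepted: replay
            return False
        self.seen.add(index)                        # late but unseen: accept
        return True


def receive(auth_key: bytes, packet: bytes, roc: int, window: ReplayWindow) -> str:
    """Authenticate first, then replay-check; returns 'ok', 'bad_tag' or 'replay'."""
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, auth_tag(auth_key, body, roc)):
        return "bad_tag"                           # tampered or wrong key: window untouched
    seq = int.from_bytes(body[2:4], "big")
    index = (roc << 16) | seq                      # SRTP packet index = 2^16 * ROC + SEQ
    return "ok" if window.accept(index) else "replay"
```

Note that the tag is checked before the window is updated, so a forged packet cannot advance the window and knock legitimate late packets out of it.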
Secure/Multipurpose Internet Mail Extensions (S/MIME) – Candidates are tested on how email communication can be secured using public and private encryption keys. The email content is encrypted and digitally signed and candidates must show an understanding of this security process.
Secure POP and Secure IMAP – Security of emails across the network is examined as well. Candidates must show how the existing POP3 and IMAP protocols can be extended with SSL encryption.
File Transfer Protocol Secure (FTPS) – Generally, transferring files in the clear is highly discouraged, and here the focus is on how SSL is layered over FTP to ensure encrypted communication. Coverage is largely what was examined in the previous exam.
SSH File Transfer Protocol (SFTP) – SFTP differs from FTPS: it runs entirely over SSH and allows interrupted file transfers to be resumed. Candidates are examined on different aspects of the protocol to show good understanding. Little has changed here from the previous exam, though.
Lightweight Directory Access Protocol (LDAP) – Candidates are tested on configuring the security of directories of network devices and hosts over large corporate networks. Emphasis is placed on the X.500 specification, which allows communication between different operating systems. Methods that secure LDAP, by adding SSL, implementing Simple Authentication and Security Layer (SASL) or using LDAP Secure (LDAPS), are also discussed in detail.
Domain Name System Security Extensions (DNSSEC) – Candidates will need to know how to verify the responses from a DNS server. This is made possible using public key cryptography. DNSSEC is an extension to the DNS protocol, which had not been designed with security in mind.
SSH, SNMPv3 and HTTPS – Commonly used protocols such as SSL are examined, and candidates are presented with scenarios in which they must choose the most appropriate one. For instance, SSH provides a secure terminal for communication with switches and routers. SNMPv3 is the encrypted SNMP protocol that adds security to the previously insecure SNMPv1 and v2. Candidates are tested on the confidentiality, integrity and authentication aspects of the SNMPv3 protocol. Some devices on the network, such as some firewalls and switches, are managed via the web browser, and candidates must demonstrate an understanding of the importance of communication over HTTPS.
DHCP – Candidates must demonstrate an understanding of this protocol and the security challenges it introduces into the organization. For instance, it was not built with security in mind and, so far, there is no secure version implemented. As such, candidates must understand how to configure DHCP servers to be properly authorized within Active Directory. Some switches allow “trusted” interfaces to be configured so that DHCP distribution is permitted only from those trusted interfaces. Attackers may execute DHCP snooping attacks in networks such that DHCP servers run out of IP addresses. Candidates must know how to address this issue by properly configuring switches.
The new exam revision also introduces use cases where devices and scenarios warrant some additional technologies. For example, within corporate environments, we might have infrastructure that is automatically updated based on subscriptions. These may include:
- Antiviruses/Anti-malware signature updates
- IPS updates
- Malicious IP address databases/Firewall updates
The main security challenge with providing updates to each of these infrastructure components is that they may use completely different methods to obtain and apply the updates. Candidates are tested on how to apply security mechanisms to ensure that updates do not introduce attack vectors.
Some of the use cases tested include:
- File transfer
- Directory services
- Remote access
- Routing and switching
- Network address allocation
- Voice and video
- Email and web
As can be seen, the new exam completely revises the Network Security domain, adding 2% of overall exam content and renaming the domain to what is now Technologies and Tools. Specifically covered in this article are the changes made to the implementation of secure protocols. The new exam revision discusses the protocols that are more relevant in today’s security environment, as opposed to the previous exam’s less relevant ones.