CompTIA Security+ Certification Guide: Master IT security essentials and exam topics for CompTIA Security+ SY0-501 certification [Paperback ed.] 1789348013, 9781789348019
CompTIA Security+ Certification Guide
Master IT security essentials and exam topics for CompTIA Security+ SY0-501 certification
Ian Neil
BIRMINGHAM - MUMBAI
CompTIA Security+ Certification Guide
Copyright © 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Gebin George
Acquisition Editor: Rahul Nair
Content Development Editor: Arjun Joshi
Technical Editor: Varsha Shivhare
Copy Editor: Safis Editing
Project Coordinator: Kinjal Bari
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Jisha Chirayil
Production Coordinator: Shraddha Falebhai
First published: September 2018
Production reference: 2191118
Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.
ISBN 978-1-78934-801-9
www.packtpub.com
mapt.io
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Why subscribe?
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Packt.com Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details. At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
About the author
Ian Neil is one of the world's top trainers of Security+ 501, who has the ability to break down information into manageable chunks, helping those with no background knowledge. Ian was a finalist of the Learning and Performance Institute Trainer of the Year Awards. He has worked for the US Army in Europe and designed a Security+ course that catered to people from all backgrounds and not just the IT professional, with an extremely successful pass rate. He was instrumental in helping Microsoft get their office in Bucharest off the ground, where he won a recognition award for being one of their top trainers. Ian is an MCT, MCSE, A+, Network+, Security+, CASP, and RESILIA practitioner who over the past 20 years has worked with high-end training providers.
Packt is searching for authors like you If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Table of Contents

Preface

Chapter 1: Understanding Security Fundamentals
CIA triad concept; Identifying security controls; Administrative controls; Technical controls; Physical controls; Preventative controls; Deterrent controls; Detective controls; Corrective controls; Compensating controls; Access controls; Discretionary access control; Least privilege; Mandatory access control; Linux permissions (not SELinux); Role-based access control; Rule-Based Access Control; Attribute-based access control; Group-based access; Hashing and data integrity; Hash practical; Hash exercise; Defense in depth model; Review questions; Answers and explanations

Chapter 2: Conducting Risk Analysis
Risk management; Importance of policy, plans, and procedures; Standard operating procedures; Agreement types; Personnel management—policies and procedures; Role-based awareness training; General security policies; Business impact analysis concepts; Privacy threshold assessment/privacy impact assessment; Mission-essential functions/identification of critical systems; Example; Supply chain risk assessment; Example; Business impact analysis concepts; Calculating loss; Example; Risk procedures and concepts; Threat assessment; Threat actors; Risk treatment; Risk register; Qualitative/quantitative risk analysis; Review questions; Answers and explanations

Chapter 3: Implementing Security Policies and Procedures
Industry-standard frameworks and reference architecture; OSI reference model; TCP/IP model; Types of frameworks; Benchmarks/secure configuration guides; Policies and user guides; Security configuration guides – web servers; Network infrastructure device user guides; General purpose guides; Implementing data security and privacy practices; Destroying data and sanitizing media; Data sensitivity labeling and handling; Data retention – legal and compliance; Data roles; Practical – creating a baseline; Review questions; Answers and explanations

Chapter 4: Delving into Identity and Access Management
Understanding identity and access management concepts; Passwords; Default/administrator password; Passwords – group policy; Password recovery; Authentication factors; Number of factor examples; Transitive trust; Federation services; Shibboleth; Single sign-on; Installing and configuring identity and access services; LDAP; Kerberos; Internet-based open source authentication; Authentication, authorization, and accounting (AAA) servers; Authentication; Learning about identity and access management controls; Biometrics; Security tokens and devices; Certification-based authentication; Port-based authentication; Common account management practices; Account types; Account creation; Employees moving departments; Disabling an account; Account recertification; Account maintenance; Account monitoring; Security Information and Event Management; Group-based access control; Credential management; User account reviews; Practical exercise – password policy; Review questions; Answers and explanations

Chapter 5: Understanding Network Components
OSI – reference model; Installing and configuring network components; Firewall; Router; Access control list – network devices; Intrusion-prevention system; Intrusion-detection system; Modes of detection; Modes of operation; Monitoring data; Switch; Layer 3 switch; Proxy server; Reverse proxy; Remote access; Virtual private network using L2TP/IPSec; IPSec; IPSec – handshake; VPN concentrator; Site-to-site VPN; VPN always on versus on-demand; SSL VPN; Split tunnelling; Load balancer; Clustering; Data-loss prevention; Security information and event management; Mail gateway; Cloud-based email; Media gateway; Hardware security module; Software-defined network; Secure network architecture concepts; Network address translation; Port address translation; Network Access Control (NAC); Honeypot; Secure Socket Layer accelerators; SSL/TLS decryptor; Sensor/collector; Tap/port mirror; DDoS mitigator; Segregation/segmentation/isolation; Security device/technology placement; DMZ device placement; LAN device placement; Aggregation switches; Implementing secure protocols; Use case; File transfer – use case; Remote access – use case; Email – use case; Name resolution – use case; Hostname; DNSSEC; NETBIOS; Web – use case; Voice and video – use case; Network address allocation – use case; IP Version 4; IP Version 4 – lease process; IP Version 4 lease process – troubleshooting; IP Version 6 addressing; Subscription services – use case; Routing – use case; Time synchronization – use case; Directory services – use case; Active Directory; Switching – use case; Simple network management protocol – use case; Implementing wireless security; Wireless access points – controllers; Securing access to your wireless access point; Wireless bandwidth/band selection; Wireless channels; Wireless antenna types and signal strength; Wireless coverage; Wireless encryption; Wireless – Open System Authentication; Wireless – WPS; Wireless – captive portal; Wireless attacks; Wireless authentication protocols; Review questions; Answers and explanations

Chapter 6: Understanding Cloud Models and Virtualization
Cloud computing; Implementing different cloud deployment models; Cloud service models; Disk resiliency and redundancy; Redundant array of independent disks; Storage area network; Understanding cloud storage concepts; Exploring virtual networks; Virtual desktop infrastructure; VDE; Heating, ventilation, and air-conditioning (HVAC); Network environments; On-premises; Hosted services; Cloud-hosting services; Practical exercise – is the cloud cost-effective?; Review questions; Answers and explanations

Chapter 7: Managing Hosts and Application Deployment
Deploying mobile devices securely; Bring your own device; Choose your own device; Corporate-owned personally-enabled; Virtual desktop infrastructure; Mobile device connection methods; Mobile device management concepts; Accessing the device; Device management; Device protection; Device data; Mobile device enforcement and monitoring; Industrial control system; Supervisory control and data acquisition; Mobile devices – security implications of embedded systems; Special-purpose devices; Secure application development and deployment concepts; Development life cycle models – waterfall versus Agile; Waterfall; Agile; Agile versus waterfall; DevOps; Secure DevOps; Secure coding techniques; Code quality and testing; Server-side versus client-side execution and validation; Review questions; Answers and explanations

Chapter 8: Protecting Against Attacks and Vulnerabilities
Virus and malware attacks; Social engineering attacks; Common attacks; Application/service attacks; Programming attacks; Example 1—JavaScript—creating a money variable; Example 2—JavaScript—setting the day of the month; Hijacking related attacks; Driver manipulation; Cryptographic attacks; Password attacks; Wireless attacks; Penetration testing; Penetration testing techniques; Vulnerability scanning concepts; Credentialed versus non-credentialed scans; Penetration testing versus vulnerability scanning; Practical exercise—running a vulnerability scanner; Review questions; Answers and explanations

Chapter 9: Implementing the Public Key Infrastructure
PKI concepts; Certificate hierarchy; Certificate trust; Certificate validity; Certificate management concepts; Certificate types; Asymmetric and symmetric encryption; Encryption explained; Digital signatures explained; Cryptography algorithms and their characteristics; Symmetric algorithms; Asymmetric algorithms; Symmetric versus asymmetric analogy; XOR encryption; Key-stretching algorithms; Cipher modes; Stream versus block cipher analogy; Hashing and data integrity; Comparing and contrasting the basic concepts of cryptography; Asymmetric – PKI; Asymmetric – weak/deprecated algorithms; Asymmetric – ephemeral keys; Symmetric algorithm – modes of operation; Symmetric encryption – streams versus block ciphers; Symmetric encryption – confusion; Symmetric encryption – secret algorithm; Symmetric – session keys; Hashing algorithms; Crypto service provider; Crypto module; Protecting data; Basic cryptographic terminology; Obfuscation; Pseudo-random number generator; Nonce; Perfect forward secrecy; Security through obscurity; Collision; Steganography; Diffusion; Implementation versus algorithm; Common use cases for cryptography; Supporting confidentiality; Supporting integrity; Supporting non-repudiation; Supporting obfuscation; Low-power devices; Low latency; High resiliency; Supporting authentication; Resource versus security constraints; Practical exercises; Practical exercise 1 – building a certificate server; Practical exercise 2 – encrypting data with EFS and stealing certificates; Practical exercise 3 – revoking the EFS certificate; Review questions; Answers and explanations

Chapter 10: Responding to Security Incidents
Incident response procedures; Incident response process; Understanding the basic concepts of forensics; Five-minute practical; Software tools for assessing the security posture of an organization; Backup utilities; Backup types; Command-line tools; Analyzing and interpreting output from security technologies; Review questions; Answers and explanations

Chapter 11: Managing Business Continuity
Implementing secure systems design; Hardware/firmware security; Operating systems; Securing IT systems; Peripherals; The importance of the secure staging deployment concepts; Troubleshooting common security issues; Misconfigured devices; Personnel issues; Software issues; Disaster recovery and the continuity of operations concepts; Review questions; Answers and explanations

Chapter 12: Mock Exam 1

Chapter 13: Mock Exam 2

Appendix A: Preparing for the CompTIA Security+ 501 Exam
Tips on taking the exam; Exam preparation; Practical 1—drag and drop—attacks; Practical 2—drag and drop—certificates; Practical 3—drag and drop—ports/protocols; Practical 4—drag and drop—authentication factors; Practical 5—drag and drop—general; Drag and drop—answers; Linux information

Appendix B: Acronyms

Assessment

Other Books You May Enjoy

Index
Preface This book will help you to understand security fundamentals, ranging from the CIA triad right through to identity and access management. This book describes network infrastructure and how it is evolving with the implementation of virtualization, and different cloud models and their storage. You will learn how to secure devices and applications that are used by a company. Refer to www.ianneil501.com for additional exam resources.
Who this book is for This book is designed for anyone who is seeking to pass the CompTIA Security+ SY0-501 exam. It is a stepping stone for anyone who wants to become a security professional or move into cyber security.
What this book covers
Chapter 1, Understanding Security Fundamentals, covers some security fundamentals that will be expanded upon in later chapters.
Chapter 2, Conducting Risk Analysis, looks at the types of threats and vulnerabilities, and at the roles that different threat actors play.
Chapter 3, Implementing Security Policies and Procedures, looks at reference architectures, different guides, and how best to dispose of data.
Chapter 4, Delving into Identity and Access Management, looks at different types of authentication and how to dispose of data. We will first look at the concepts of identity and access management.
Chapter 5, Understanding Network Components, examines networking components and how they could affect the security of your network. We will look at firewalls, switches, and routers.
Chapter 6, Understanding Cloud Models and Virtualization, teaches about virtualization, deployment, and security issues. We will get acquainted with various cloud models, looking at their deployment and storage environments.
Chapter 7, Managing Hosts and Application Deployment, looks at different mobile devices and their characteristics, as well as the applications that run on these devices.
Chapter 8, Protecting Against Attacks and Vulnerabilities, explores attacks and vulnerabilities, taking each type of attack in turn and examining its unique characteristics. This module is probably the most heavily tested module in the Security+ exam.
Chapter 9, Implementing Public Key Infrastructure, gets into the different encryption types and how certificates are issued and used.
Chapter 10, Responding to Security Incidents, deals with incident response, focusing on the collection of volatile evidence for forensic analysis.
Chapter 11, Managing Business Continuity, turns its attention toward our business environment to consider the provision of system availability, looking at selecting the most appropriate method for recovery following a disaster.
Chapter 12, Mock Exam 1, includes mock questions, along with explanations, which will help in assessing whether you're ready for the test.
Chapter 13, Mock Exam 2, includes more mock questions, along with explanations, which will help in assessing whether you're ready for the test.
Appendix A, Preparing for the CompTIA Security+ 501 Exam, is included to help students pass the Security+ exam first time.
Appendix B, Acronyms, contains full forms of the abbreviations used in all the chapters.
To get the most out of this book This certification guide assumes no prior knowledge of the product.
Download the color images
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781789348019_ColorImages.pdf.
Conventions used
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "For example, if we take the word pass in plaintext, it may then be converted to UDVV; this way it is difficult to understand."
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "The most common asymmetric algorithms include the Diffie Hellman, which creates a secure session so that symmetric data can flow securely."
Warnings or important notes appear like this.
Tips and tricks appear like this.
Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected]
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Reviews Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you! For more information about Packt, please visit packt.com.
1 Understanding Security Fundamentals
In this chapter, we will look at a number of security fundamentals; some of these will be expanded upon in later chapters. For the exam, you will need to know all of the information in this book as the exam is fairly tricky. We will cover the following exam objectives in this chapter:
Explaining the importance of physical security controls: Lighting; signs; fencing/gate/cage; security guards; alarms; safe; secure cabinets/enclosures; protected distribution/protected cabling; Airgap; Mantrap; Faraday cage; lock types; biometrics; barricades/bollards; tokens/cards; environmental controls; HVAC; hot and cold aisles; fire suppression; cable locks; screen filters; cameras; motion detection; logs; infrared detection; key management
Given a scenario, implement identity and access management controls: Access control models; MAC; DAC; ABAC; role-based access control; rule-based access control; physical access control; proximity cards; smart cards
Comparing and contrasting various types of controls: Deterrent; preventive; detective; corrective; compensating; technical; administrative; physical
Explaining cryptography algorithms and their basic characteristics: Hashing algorithms; MD5; SHA; HMAC; RIPEMD
Understanding Security Fundamentals
Chapter 1
CIA triad concept Most security books start with the basics of security by featuring the CIA triad—this is a model designed to guide policies for information security within an organization. It is a widely used security model and it stands for confidentiality, integrity, and availability, the three key principles that should be used to guarantee having a secure system:
Figure 1: CIA triad
We'll discuss these principles in more depth here:
Confidentiality: Prevents the disclosure of data to unauthorized people so that only authorized people have access to data; this is known as the need-to-know basis. Only those who should know the contents should be given access. An example would be that your medical history is only available to your doctor and nobody else. We also tend to encrypt data to keep it confidential.
Integrity: This means that you know that data has not been altered or tampered with. We use a technique called hashing that takes the data and converts it into a numerical value. If you run the hash when you suspect changes have taken place, and if the numerical value has changed, then the data has been tampered with. Common hashing algorithms in the exam are Secure Hash Algorithm version 1 (SHA1) and Message Digest version 5 (MD5).
Availability: Ensures that data is always available; if you wanted to purchase an airplane ticket and the system came back with an error and you could not purchase it, this could be frustrating.
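The integrity check described above, as an added example that is not from the book: a baseline of file digests is recorded, the files are re-hashed later, and any file whose digest differs is reported as modified. SHA-1 and MD5 are computed because the exam names them; SHA-256 is included because it is what a new baseline would use today. The file names and contents are constructed for the demonstration.

```python
"""Integrity checking with hashes (added example, not from the book)."""
import hashlib
import os
import tempfile

# SHA-1 and MD5 are the exam's examples; SHA-256 is the modern choice.
ALGORITHMS = ("sha256", "sha1", "md5")


def bytes_digests(data, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def file_digests(path, algorithms=ALGORITHMS, chunk_size=65536):
    """Return {algorithm: hexdigest} for one file, reading it in chunks
    so that large files do not have to be loaded into memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_baseline(paths):
    """Record the known-good digests of every file we want to protect."""
    return {path: file_digests(path) for path in paths}


def verify(baseline):
    """Re-hash every baselined file and compare with the recorded digests.

    Returns {path: status} with status "ok", "modified" or "missing".
    A single differing digest is enough to flag the file as modified.
    """
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
            continue
        current = file_digests(path, algorithms=expected.keys())
        report[path] = "ok" if current == expected else "modified"
    return report


def demo():
    """Constructed scenario: baseline two files, then tamper with one."""
    tmp = tempfile.mkdtemp()
    config = os.path.join(tmp, "app.conf")   # constructed file name
    notes = os.path.join(tmp, "notes.txt")   # constructed file name
    with open(config, "w") as fh:
        fh.write("admin_password_required = true\n")
    with open(notes, "w") as fh:
        fh.write("Constructed sample file.\n")
    baseline = build_baseline([config, notes])

    # Simulated tampering: a setting in the config file is flipped.
    with open(config, "w") as fh:
        fh.write("admin_password_required = false\n")

    # Only the tampered file changes its digest; the other stays "ok".
    return verify(baseline)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9s} {path}")
```

Keep the baseline itself somewhere the files' owner cannot write to; a baseline stored beside the files can be re-hashed along with them.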
Identifying security controls
There are a wide variety of different security controls that are used to mitigate the risk of being attacked; the three main security controls are technical, administrative, and physical. In this section, we are going to look at these in more detail; you need to be familiar with each of these controls and when each of them should be applied. Let's start by looking at the three main controls.
Administrative controls Administrative controls are mainly written by managers to create organizational policies to reduce the risk within companies. An example could be an internet use policy so that the employees realize that the internet can only be used for company business and not used for social media during the working day. Another administrative control would be completing a form if you want to apply for a holiday; the form would be available from the forms library. Administrative controls could be writing a policy, completing a form, and getting your ID badge re-keyed annually.
Some of the administrative measures are as follows:
Annual security awareness training: This is an annual event where you are reminded about what you should be doing on a daily basis to keep the company safe. An example would be when you are finished for the day that you clear your desk and lock all documents away; another would remind you that your identity badge should be worn at all times and you should challenge anyone not wearing a badge. Another example is that companies now need their employees to complete cyber security training as the risk is getting greater each day.
Annual risk assessment: A company will have a risk register where the financial director will look at all of the risks associated with money and the IT manager will look at all of the risks posed by the IT infrastructure. As technology changes and the hackers get more sophisticated, the risks can become greater.
Penetration testing/vulnerability scanning: A vulnerability scan is not intrusive as it merely checks for vulnerabilities, whereas a penetration test is more intrusive and can exploit vulnerabilities. These will be explained further on in this book.
Change management: This is a process that a company adopts so that changes don't cause any security risks to the company. A change to one department could impact another department. The Change Advisory Board (CAB) assists with the prioritization of changes; they also look at the financial benefits of the change and they may accept or reject the changes proposed for the benefit of the company. Information technology (IT) evolves rapidly and our processes will need to change to cope with potential security risks associated with newer technology.
Technical controls
Technical controls are those implemented by the IT team to reduce the risk to the business. These could include the following:
Firewall rules: Firewalls prevent unauthorized access to the network by IP address, application, or protocol. These are covered in depth later in this book.
Antivirus/antimalware: Malware is the most common threat to the business, so we must ensure that all servers and desktops are protected and up to date.
Screen savers: These log computers off when they are idle, preventing access.
Screen filters: These prevent people walking past from reading the data on your screen.
Intrusion Prevention Systems (IPS)/Intrusion Detection Systems (IDS): The intrusion detection system monitors the network for any changes and the intrusion prevention system stops the attacks.
Technical controls could be installing a screensaver or configuring firewall rules.
Physical controls
Physical controls are controls that you can touch, for example:
Cable locks: These are attached to laptops to secure them so that nobody can steal them.
Laptop safe: Laptops and tablets are expensive, but the data they hold could be priceless, therefore there are safes for the storage of laptops and tablets.
Biometric locks: Biometrics are unique to each person; examples would be using their fingerprint, voice, an iris scanner, or facial recognition.
Fences/gates: The first line of defense should be a perimeter fence as the openness of many sites renders them highly vulnerable to intruders. Access to the site can be controlled by using a gate either manned by a security guard or with a proximity reader. A timber fence does not provide as much protection as a high steel fence.
Burglar alarms: These are set when the premises is not occupied, so when someone tries to break into your premises, it will trigger the alarm and notify the monitoring company or local police.
Fire alarms/smoke detectors: In a company, there will be fire alarms or smoke detectors in every room so that when a fire breaks out, and the alarms go off, the people inside the premises are given the opportunity to escape.
Lighting: Lighting is installed for two main reasons: the first reason is so that anyone trying to enter your site at night can be seen and the second reason is for safety.
Security guards: They check the identity cards of people entering the building to stop unauthorized access. This also helps deter people trying to enter a building illegally.
Mantraps: These are turnstile devices that only allow one person in at a time. They maintain a safe and secure environment mainly for a data center. A data center hosts many servers for different companies.
Perimeter protection: Fences, gates, and lights could protect the perimeter of your company. We could place bollards in front of a building to stop a car driving through the entrance. These normally protect ATM cash machines from being hit by a vehicle.
Internal protection: We could have safes and secure enclosures; the first example would be a toughened glass container or a sturdy mesh, both with locks to reduce access. We could also have protected distribution for cabling; this looks like metal poles that would have network cables inside. Screen filters used on a desktop could prevent someone from reading the screen.
Faraday cage: This is a metal structure, like a metal mesh used to house chickens. The cage prevents wireless or cellular phones from working inside the company. This could be built into the structure of a room used as a secure area.
Key management: This is where departmental keys are signed out and signed back in daily to prevent someone taking the keys away and cutting copies of them.
Proximity card: These are contactless devices where a smart card or token is put near the proximity card to gain access to a door or building.
Tokens: Tokens are small physical devices that you touch to the proximity card to enter a restricted area of a building. Some tokens allow you to open and lock doors by pressing the middle of the token itself; others display a code for a number of seconds before it expires.
Environmental controls: Heating, Ventilation, and Air-Conditioning (HVAC), and fire suppression systems, are also security controls. In a data center or a server room, the temperature needs to be kept cool or the servers inside will overheat and fail. HVAC systems help provide availability to servers in the data center, ensuring they don't overheat.
AirGap: This is where a device is on your network, but it has a device between it and the other devices on your network. For example, you may want to isolate a computer that can complete a BACS transfer from the other computers in the finance department.
Motion detection/cameras: These could be deemed physical controls, but the exam is focused on these being deterrent controls. Log files also note the events and could also be deemed a physical control, but the exam deems them to be detective controls.
Barricades: Barricades can be erected across roads to stop traffic entering your site, but will not stop someone getting out of a car and jumping over them. You will need to use them in conjunction with security guards to fully protect your site.
Bollards: Bollards are becoming very common as they control access by cars and stop them ramming through a front door. They stop ram raiders from stealing a cash machine or crashing into a jeweler's shop. They can be made from steel or concrete and are placed about four feet apart. In some countries, they are installed to prevent car bombers driving their vehicle into a group of people, maybe inside a shopping mall.
[ 10 ]
Understanding Security Fundamentals
Chapter 1
Preventative controls
Preventative controls are in place to deter any attack; this could be having a security guard with a large dog walking around the perimeter of your company. This would make someone trying to break in think twice. Some of the preventive measures that are taken are as follows:
Disable user accounts: When someone leaves a company, the first thing that happens is that their account is disabled, as we don't want to lose information that they have access to, and then we change the password so that they cannot access it. We may also disable an account while people are on secondment or maternity leave.
Operating system hardening: This makes a computer's operating system more secure. It often requires numerous actions, such as configuring system and network components properly, turning off features and services that it does not use, and applying the latest software and antivirus updates.
Deterrent controls
Deterrent controls could be CCTV and motion sensors. When someone is walking past a building and the motion sensors detect them, the lights are turned on to deter them. A building with a sign saying that it is being filmed with CCTV prevents someone from breaking into your premises, as they think they are being filmed, even though there may not be a camera inside; they don't know that. CCTV and motion sensors act as deterrents. CCTV is also a form of detective control following an incident, where you review the footage to see how the incident happened.
Detective controls
Detective controls are used to investigate an incident after it has happened; these could include the following:
CCTV: CCTV records events as they happen, and from the footage you can see who has entered a particular room or has climbed through a window at the rear of a building.
Log files: Log files are text files that record events and the times at which they occurred; they can show trends and patterns over a period of time. For example, servers, desktops, and firewalls all generate events. Once you know the time and date of an event, you can gather information about it from the various log files.
Corrective controls
Corrective controls are the actions you take to recover from an incident. You may lose a hard drive that contained data; in that case, you would restore the data from a backup you had previously taken. Fire-suppression systems are another form of corrective control. You may have had a fire in your data center that has destroyed many servers; therefore, when you purchase replacements, you may install an oxygen-suppressant system. This method uses argon/nitrogen and sometimes a small element of CO2 to displace the oxygen in the server room. The basis of this method is to reduce the oxygen level to below 15%, because at that level a fire is suppressed.
Compensating controls
Compensating controls can also be called alternative controls; a compensating control is a mechanism that is put in place to satisfy the requirements of a security measure that is deemed too difficult or impractical to implement at the present time. It is similar to when you go shopping and you have $100 in cash: once you have spent your cash, you will have to use a credit card as a compensating control. An example of this is where a new person has just been employed by the company, and the normal way to log in is to use a smart card and PIN. This resembles a bank card with a chip, where you insert it into your laptop or keyboard and then enter a PIN to log in. Maybe it takes 3-5 days to get a new smart card, so during the waiting period, they may log in using a username and password:
Access controls
The three main parts of access control are identifying an individual, authenticating them when they enter a password or PIN, and then authorization, where an individual has different forms of access to different data. For example, someone working in finance will need a higher level of security clearance and will have to access different data than a person who dispatches orders in finished goods:
Identification: This is similar to everyone having their own bank account; the account is identified by the account details on the bank card. Identification in a security environment may involve having a user account, a smart card, or maybe a fingerprint reader; this is unique to that individual.
Authentication: Once the individual presents their method of identification, they next need to be authenticated, for example, by entering a password or a PIN.
Authorization: This is the level of access you have to selected data. You are normally a member of certain groups; for example, a sales manager could access data from the sales group and also access data from the managers group. You will only be given the minimum amount of access required to perform your job; this is known as least privilege.
Discretionary access control
Discretionary access control involves New Technology File System (NTFS) file permissions, which are used in Microsoft operating systems. The user is only given the access that he/she needs to perform their job. The permissions are as follows:
Full control: Full access
Modify: Change data, read, and read and execute
Read and execute: Read the file and run a program if one is inside it
List folder contents: Expand a folder to see the subfolders inside it
Read: Read the contents
Write: Allows you to write to the file
Special permissions: Allows granular access; for example, it breaks each of the previous permissions down to a more granular level
Data creator/owner: The person who creates the unclassified data is called the owner, and they are responsible for checking who has access to that data:
Least privilege
Least privilege is where you give someone only the most limited access required so that they can perform their job role; this is known as the need-to-know basis. The company will write a least privilege policy so that the administrators know how to manage it.
Mandatory access control
Mandatory Access Control (MAC) is based on the classification level of the data. MAC looks at how much damage the disclosure of the data could cause to the interests of the nation. The levels are as follows:
Top secret: Highest level, exceptionally grave damage
Secret: Causes serious damage
Confidential: Causes damage
Restricted: Undesirable effects
Examples of Mandatory Access Control (MAC) are as follows:
Data type: Classification
Nuclear energy project: Top secret
Research and development: Secret
Ongoing legal issues: Confidential
Government payroll: Restricted
These are the roles:
Custodian: The custodian is the person who stores and manages classified data.
Security administrator: The security administrator is the person who gives access to classified data once clearance has been approved.
Security-Enhanced Linux: SELinux is a project that was created with the intention of providing stricter security measures for access control and for the permissions of users, processes, files, and devices in Linux systems. The National Security Agency (NSA) in the United States published it as open source code under the GNU GPL license. The project was integrated into the Linux Security Modules (LSM) framework from version 2.6.0 of the Linux kernel, which was published in 2003.
Linux permissions (not SELinux)
File permissions: Linux permissions come in a numerical format; the first number represents the owner, the second number represents the group, and the third number represents all other users:
Owner: First number
Group: Second number
All other users: Third number
Numerical values:
4: Read (r)
2: Write (w)
1: Execute (x)
Unlike a Windows permission that will execute an application, the execute function in Linux allows you to view or search. A permission of 6 would be read and write. A value of 2 would be write, and a value of 7 would be read, write, and execute. Some examples are as follows:
Example 1: If I have 764 access to File A, this could be broken down as:
Owner: Read, write, and execute
Group: Read
All other users: Read
Example 2: Determine which of the following permissions to File B is the highest and which is the lowest:
a. 776 File B, also shown as -rwxrwxrw-
b. 677 File B
c. 777 File B
d. 577 File B
e. 576 File B
When selecting the highest, you look at the value on the left; therefore, the highest is the value of 777, which is full control. When selecting the lowest, you look at the lowest value on the left. There are two options here: d and e start with the lowest number, and then you look at the other digits. From here, you can see that answer e is the lowest. The higher the number, the higher the permissions; the lowest number is the one with the least permissions.
You can also change permissions in Linux: if the permissions on File C are 654 and we wish to change them, we run the chmod 777 "File C" command, which changes the permissions on File C to 777.
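The numerical permission scheme above is easy to get wrong by hand, so here is an added Python example (not code from the book) that turns a three-digit value such as 764 into its rwx form and into the per-subject read/write/execute breakdown computed from the digit values 4, 2 and 1, ranks a list of values the way Example 2 does (left-most digit first), and applies chmod to a throwaway file and reads the mode back with stat to confirm the change. File A, File B and File C are placeholders; the temporary file stands in for File C:

```python
import os
import stat
import tempfile

# Numerical values from the text: 4 = read (r), 2 = write (w), 1 = execute (x)
BITS = ((4, "r", "read"), (2, "w", "write"), (1, "x", "execute"))


def digit_to_rwx(digit: int) -> str:
    """One octal digit -> three-character rwx string, e.g. 6 -> 'rw-'."""
    if not 0 <= digit <= 7:
        raise ValueError("a permission digit must be between 0 and 7")
    return "".join(letter if digit & bit else "-" for bit, letter, _ in BITS)


def mode_to_rwx(mode: str) -> str:
    """'764' -> 'rwxrw-r--' (owner, then group, then all other users)."""
    if len(mode) != 3 or not all(c in "01234567" for c in mode):
        raise ValueError("expected three octal digits such as '764'")
    return "".join(digit_to_rwx(int(d)) for d in mode)


def describe_mode(mode: str) -> dict:
    """Break a value down per subject, as Example 1 does for 764."""
    out = {}
    for who, d in zip(("owner", "group", "all other users"), mode):
        out[who] = [name for bit, _, name in BITS if int(d) & bit]
    return out


def rank_modes(modes):
    """Highest to lowest, comparing the owner digit first, then group, then others."""
    return sorted(modes, key=lambda m: tuple(int(d) for d in m), reverse=True)


def chmod_and_read_back(mode: str) -> str:
    """Apply 'chmod <mode>' to a throwaway file and read the mode back with stat."""
    fd, path = tempfile.mkstemp()  # placeholder for 'File C'
    os.close(fd)
    try:
        os.chmod(path, int(mode, 8))  # same effect as: chmod 777 "File C"
        return format(stat.S_IMODE(os.stat(path).st_mode), "03o")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(mode_to_rwx("764"), describe_mode("764"))
    print(rank_modes(["776", "677", "777", "577", "576"]))
    print("File C after chmod:", chmod_and_read_back("777"))
```

Ranking by the left-most digit first is exactly the tie-break used in Example 2: 577 and 576 both start with 5, and the third digit then puts 576 last.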
Role-based access control
This is a subset of duties within a department. An example would be two people within the finance department who are the only ones who handle the petty cash. In IT terms, it could be that only two of the IT team administer the email server.
Rule-Based Access Control
In Rule-Based Access Control (RBAC), a rule is applied to all of the people within a department; for example, contractors will only have access between 8 a.m. and 5 p.m., and the help desk people will only be able to access Building 1, where their place of work is. It can be time-based or have some other sort of restriction, but it applies to the whole department.
Attribute-based access control
In Attribute-Based Access Control (ABAC), access is restricted based on an attribute in the account. John could be an executive, and some data could be restricted to only those with the executive attribute.
Group-based access
To control access to data, people may be put into groups to simplify access. An example would be if there were two people who worked in Information Technology (IT) who needed access to older IT data. These people are called Bill and Ben:
Everyone in the sales team may have full control of the sales data by using group-based access, but you may need two new starters to have only read access. In this case, you would create a group called new starters and give the people inside that group only read permission to the data.
If access to data is done via group-based access, then any solution in the exam will be a group-based answer.
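The access control models described above (DAC, MAC, role-based, rule-based, attribute-based, and group-based) are easiest to tell apart when the decision each one makes is written down as a function. The following is an added example in Python, not code from the book; the role and group names, the 8 a.m. to 5 p.m. contractor window, and the "no read up" rule used for MAC (a subject may read data only at or below their own clearance) are assumptions chosen to match the text's own examples:

```python
# Classification levels from the MAC section, lowest to highest
LEVELS = ["restricted", "confidential", "secret", "top secret"]


def mac_can_read(clearance: str, classification: str) -> bool:
    """Mandatory access control: the data's label decides, not the owner.
    Assumed rule (no read up): a subject may read data only at or below
    their own clearance level."""
    return LEVELS.index(clearance.lower()) >= LEVELS.index(classification.lower())


def dac_allowed(acl: dict, user: str, permission: str) -> bool:
    """Discretionary access control: the owner keeps an ACL of user -> permissions,
    in the spirit of NTFS permissions. No entry means no access."""
    return permission in acl.get(user, set())


# Role -> subset of duties; assumed names following the text's examples
ROLES = {
    "email-admin": {"administer email server"},
    "petty-cash": {"handle petty cash"},
}


def rbac_allowed(user_roles, action: str) -> bool:
    """Role-based access control: allowed if any of the user's roles carries the duty."""
    return any(action in ROLES.get(role, set()) for role in user_roles)


# Department -> (start hour, end hour); the text's 8 a.m. to 5 p.m. contractor rule
RULES = {"contractors": (8, 17)}


def rule_allowed(department: str, hour: int) -> bool:
    """Rule-based access control: one rule applies to everyone in the department.
    Departments without a rule are not restricted by time here."""
    if department not in RULES:
        return True
    start, end = RULES[department]
    return start <= hour < end


def abac_allowed(account_attributes: dict, required: dict) -> bool:
    """Attribute-based access control: every required attribute must match the account."""
    return all(account_attributes.get(name) == value for name, value in required.items())


# Group -> permissions; full control for sales, read only for the new starters group
GROUP_PERMISSIONS = {
    "sales": {"read", "write", "full control"},
    "new starters": {"read"},
}


def group_allowed(user_groups, permission: str) -> bool:
    """Group-based access: a user holds the union of their groups' permissions."""
    return any(permission in GROUP_PERMISSIONS.get(group, set()) for group in user_groups)


if __name__ == "__main__":
    print("MAC   secret clearance reads confidential:", mac_can_read("secret", "confidential"))
    print("DAC   ben reads bill's file:", dac_allowed({"bill": {"read", "write"}}, "ben", "read"))
    print("RBAC  helpdesk administers email:", rbac_allowed({"helpdesk"}, "administer email server"))
    print("Rule  contractor at 18:00:", rule_allowed("contractors", 18))
    print("ABAC  manager opens executive data:", abac_allowed({"title": "manager"}, {"title": "executive"}))
    print("Group new starter writes sales data:", group_allowed({"new starters"}, "write"))
```

Note what differs between the models: in DAC the decision lives in a per-object ACL the owner edits, in MAC it is fixed by labels the owner cannot override, and in the role, rule, group and attribute models the decision is made against a property of the subject (a duty, a department-wide rule, a group membership, or an account attribute) rather than against the object.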
Hashing and data integrity
Hashing: This is where the data inside a document is hashed using an algorithm such as Secure Hash Algorithm version 1 (SHA1) or Message Digest version 5 (MD5). This turns the data inside the file into a long text string known as a hash value; this is also known as a message digest.
Hashing the same data: If you copy a file and therefore have two files containing the same data, hashing them with the same hashing algorithm will always produce the same hash value.
Verifying integrity: During forensic analysis, the scientist takes a copy of the data prior to investigation. To prove that he/she has not tampered with it during the investigation, he/she will hash the data before starting and then compare that hash to a hash of the data taken when he/she has finished. If the hashes match, then we know that the integrity of the data is intact.
One-way function: For the purpose of the exam, hashing is a one-way function and cannot be reversed.
HMAC authentication: In cryptography, an HMAC (sometimes known as either a keyed-hash message authentication code or a hash-based message authentication code) is a specific type of Message Authentication Code (MAC) involving a cryptographic hash function and a secret cryptographic key. We can have HMAC-MD5 or HMAC-SHA1; for the exam, HMAC provides both data integrity and data authentication.
Digital signature: This is used to verify the integrity of an email so that you know it has not been tampered with in transit. The private certificate used to sign the email creates a one-way hash, and when the email arrives at its destination, the recipient, who has already been given the public key, verifies that it has not been tampered with in transit. This will be covered in more depth later in this book.
Can you read data that has been hashed? Hashing does not hide the data, as a digitally signed email can still be read; it only verifies integrity. If you wish to stop someone reading the email in transit, you need to encrypt it.
RACE Integrity Primitives Evaluation Message Digest (RIPEMD): This is a 128-bit hashing function. RIPEMD (https://en.wikipedia.org/wiki/RACE_ (Europe) has been replaced by RIPEMD-160, RIPEMD-256, and RIPEMD-320. For the purpose of the exam, you need to know that it can be used to hash data.
Hash practical
The reason that we hash a file is to verify its integrity so that we know if someone has tampered with it.
Hash exercise
In this exercise, we have a file called data.txt. First of all, I use a free MD5 hashing tool and browse to the data.txt file, which generates a hash value. I have also created a folder called Move data to here:
1. Get the original hash:
2. Copy the hash from the current hash value to the original hash value.
3. Copy the data.txt file to the Move data to here folder, then go to the MD5 hash software, browse to the data.txt file in the new location, and press verify. The values should be the same, as shown here:
The values are the same; therefore, we know the integrity of the data is intact and it has not been tampered with when moving the data.txt file.
4. Next, we go into the data.txt file and change a single character, add an extra dot at the end of a sentence, or even enter a space that cannot be seen. We then take another hash of the data, and we will see that the hash value is different and does not match; this means that the data has been tampered with:
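The hashing and HMAC passages above and the four-step hash exercise can be reproduced with the Python standard library. This is an added example, not the book's MD5 tool or its data.txt: the file content is constructed, a temporary directory stands in for the Move data to here folder, and the HMAC key is a made-up value. Step 4 appends one invisible space and shows that even that changes the digest, while the HMAC function shows the one thing a plain hash cannot give you, a digest that only a holder of the key can produce:

```python
import hashlib
import hmac
import os
import shutil
import tempfile


def hash_bytes(data: bytes, algorithm: str = "md5") -> str:
    """Message digest of in-memory data as hex (same data + same algorithm -> same value)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: str, algorithm: str = "md5") -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_file(path: str, original_hash: str, algorithm: str = "md5") -> bool:
    """The tool's 'verify' button: recompute and compare with the saved original hash.
    compare_digest is used so the comparison does not leak how many characters matched."""
    return hmac.compare_digest(hash_file(path, algorithm), original_hash)


def run_hash_exercise() -> dict:
    """Steps 1-4 of the exercise on a constructed data.txt in a temporary directory."""
    workdir = tempfile.mkdtemp()
    try:
        data_txt = os.path.join(workdir, "data.txt")
        move_dir = os.path.join(workdir, "Move data to here")
        os.mkdir(move_dir)
        with open(data_txt, "w", encoding="utf-8") as f:
            f.write("Quarterly figures are attached.\n")  # constructed sample content

        original_hash = hash_file(data_txt)            # steps 1-2: record the original hash
        moved = shutil.copy(data_txt, move_dir)        # step 3: copy to the new folder
        intact = verify_file(moved, original_hash)     # same data, same algorithm -> match

        with open(moved, "a", encoding="utf-8") as f:  # step 4: add a space nobody can see
            f.write(" ")
        tampered_hash = hash_file(moved)
        return {
            "original_hash": original_hash,
            "intact_after_copy": intact,
            "tampered_hash": tampered_hash,
            "matches_after_edit": verify_file(moved, original_hash),
        }
    finally:
        shutil.rmtree(workdir)


def hmac_tag(data: bytes, key: bytes, algorithm: str = "sha1") -> str:
    """HMAC-SHA1 (or HMAC-MD5 with algorithm='md5'): binds the digest to a secret key,
    so it proves integrity and that the sender knew the key; a plain hash proves integrity only."""
    return hmac.new(key, data, algorithm).hexdigest()


if __name__ == "__main__":
    print(run_hash_exercise())
    print(hmac_tag(b"invoice 1234", b"constructed-demo-key"))
```

The important contrast for the exam is visible in the last function: anyone can recompute hash_file over a modified file and replace the stored digest, but they cannot recompute hmac_tag without the key, which is why HMAC is credited with authentication as well as integrity.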
Defense in depth model
Defense in depth is the concept of protecting a company's data with a series of defensive layers so that if one layer fails, another layer will already be in place to thwart an attack. We start with our data, then we encrypt it to protect it:
The data is stored on a server
The data has file permissions
The data is encrypted
The data is in a secure area of the building
There is a security guard at the building entrance checking identification
There is CCTV on the perimeter
There is a high fence on the perimeter
Therefore, before someone can steal the data, they have seven layers of security that they must pass through. The concept of defense in depth is that if one layer fails, then the next layer protects:
Review questions
1. What are the three components of the CIA triad?
2. Why might a CCTV camera be sited outside a building without any film inside?
3. What does confidentiality mean?
4. How can we protect a data center from people entering it?
5. What is the purpose of an airgap?
6. Name three administrative controls.
7. Name three physical controls.
8. Following an incident, what type of control will be used when researching how the incident happened?
9. How do I know if the integrity of my data is intact?
10. What is a corrective control?
11. What is the purpose of hashing?
12. If I hash the same data with different SHA1 applications, what will the output be?
13. What two things does HMAC provide?
14. What type of control is it when I change the firewall rules?
15. What is used to log in to a system that works in conjunction with a PIN?
16. What is the name of the person who looks after classified data, and who is the person that gives people access to the classified data?
17. When you use a DAC model for access, who determines who gains access to the data?
18. What is least privilege?
19. What access control method does SELinux utilize?
20. What is the Linux permission of 777? What access does it give you?
21. What does the Linux permission execute allow me to do?
22. The sales team are allowed to log in to the company between 9 a.m. and 10 p.m. What type of access control is being used?
23. Two people from the finance team are the only ones allowed to authorize the payment of checks; what type of access control are they using?
24. What is the purpose of the defense in depth model?
25. When someone leaves the company, what is the first thing we should do with their user account?
Answers and explanations
1. Confidentiality means only allowing those authorized to access data. Integrity means that data has not been tampered with. Availability means that data is available when you need it, for example, when purchasing an airline ticket.
2. We could place a CCTV camera in a prominent location as a deterrent; people walking past cannot tell if it has film or not, so we are using it as a deterrent.
3. Confidentiality means that we are limiting access to data to only those who should have access.
4. To stop people entering a data center, we would install a mantrap, a turnstile device, so that we can control who accesses the data center, one at a time.
5. An airgap is what it says on the tin: it is a gap between your network and a machine. A user might use an airgap between a research and development machine and the corporate network.
6. Administrative controls could be writing a new policy to make the company run smoothly; we may have just implemented change management. You could implement a new form to ensure that all of the data required for an application is supplied. We could run an annual security awareness training day, complete a risk assessment, or perform penetration testing.
7. Physical control is huge. Remember that these can be physically touched. You can choose three from: cable locks, laptop safe, biometric locks, fences, gates, burglar alarms, fire alarms, lights, security guards, bollards, barricades, a Faraday cage, key management, proximity cards, tokens, HVAC, an airgap, motion sensors, cameras, and biometric devices such as an iris scanner.
8. If we investigate an incident, we need to collect all of the facts about the incident; this is a detective control. Think of a detective such as Sherlock Holmes, who is always investigating mysteries.
9. If we hash the data before and after, and the hash value remains the same, then the integrity of the data is intact. If the second hash is different, the data has been tampered with.
10. Corrective control is a one-way function where an incident has happened and we want to redeem the situation. For example, if the hard drive on my laptop fails, then I will purchase a new hard drive, put it into my laptop, install the operating system and applications, then obtain a copy of my data from a backup.
11. Hashing is a technique that lets you know if data has been tampered with, but it does not hide the data.
12. If the same data is hashed with two different applications that can hash data with SHA1, then the hash value will be the same.
13. HMAC provides data integrity and data authentication. You can use HMAC-SHA1 or HMAC-MD5.
14. If I change firewall rules, I am doing this to reduce risk; it is carried out by administrators, therefore it is a technical control.
15. A smart card is a credit card-type device that has a chip built in; once it is inserted into the keyboard or USB card reader, you will then be asked to enter a PIN.
16. The person who stores and manages classified data is called the custodian. The person who gives access to the classified data is the security administrator. Prior to getting access to the data, the person may well be vetted.
17. In the DAC model, the data is unclassified and the data creator, who is also called the owner, will decide who gains access to the data.
18. Least privilege is a technique that says that people should only get the most limited access to data that they need to perform their job.
19. SELinux uses the MAC model to access data. This is the secure version of Linux.
20. In Linux, 777 gives the owner (the first digit), the group (the second digit), and all other users (the third digit) read, write, and execute. It can also be shown as rwx for each of the three.
21. The Linux permission for execute (x) allows you to search for or view data.
22. An access control method that applies either a time restriction or a location restriction is called rule-based access.
23. A subset of a department with access to a subset of duties is called role-based access.
24. The defense in depth model has many different layers; the idea behind this is that if one layer is broken through, the next layer will provide protection.
25. When someone leaves the company, we should disable their account so that the keys associated with it are still available. The next stage is to change the password so nobody can access it, especially the person who has just left.
2 Conducting Risk Analysis
As a security professional, you will need to understand that identifying and managing risks can help to keep your company's environment safe from various types of attacks. In this chapter, we will look at types of threats and vulnerabilities and the roles that different threat actors play. We will cover the following exam objectives in this chapter:
Explain threat actor types and attributes: Types of actors: script kiddies, hacktivists, organized crime, nation states/APT, insiders, competitors. Attributes of actors: internal/external, level of sophistication, resources/funding, intent/motivation. Use of open source intelligence.
Explain the importance of policies, plans, and procedures related to organizational security: Standard operating procedure. Agreement types: BPA, SLA, ISA, MOU/MOA. Personnel management: mandatory vacations, job rotation, separation of duties, clean desk, background checks, exit interviews, role-based awareness training, continuing education, acceptable use policy/rules of behavior, adverse actions. General security policies: social media networks/applications, personal email.
Summarize business impact analysis concepts: RTO/RPO, MTBF, MTTR, mission-essential functions, identification of critical systems, impact (life, property, safety, finance, reputation), privacy impact assessment, privacy threshold assessment.
Conducting Risk Analysis
Chapter 2
Explain risk management processes and concepts: Threat assessment: environmental, manmade, internal versus external. Risk assessment: SLE, ALE, ARO, asset value, risk register, likelihood of occurrence, supply chain assessment, impact, quantitative, qualitative. Testing: penetration testing authorization, vulnerability testing authorization. Risk response techniques: accept, transfer, avoid, mitigate.
Risk management
Risk management is the process of identifying risks within a company and making decisions about how to reduce the risks so that an incident does not cause harm to the company and its assets. You may not be able to eliminate the risk completely, but you may be able to put procedures in place to reduce it or keep it at an acceptable level. The first step in risk management is to identify the asset. Is it a top-secret document? If that was the case, you'd limit access to the document. The top-secret document would be stored in a secure area at all times; nobody would be able to take copies or photographs of it. For example, if you had 1 kg of trash and you placed it outside your front door at night, you would be certain that in the morning it would still be there; however, if the asset was 1 kg of 24-carat gold and you left it outside your house at night, it would probably not be there in the morning. The first step in risk management is identifying the asset, because how we classify the asset will determine how the asset is handled, stored, and protected, and who has access to it.
Importance of policy, plans, and procedures
Creating policies, plans, and procedures is a part of risk management and helps to reduce the attack surface and prevent incidents from happening. Let's look at the different types of policies that can be used.
Standard operating procedures
Standard operating procedures (SOP) give us step-by-step instructions about how an activity is to be carried out. An example would be how to back up data. The SOP will state which data needs to be backed up daily, weekly, or monthly. Critical data would be backed up every two hours, whereas archive data may be backed up monthly. The SOP would also state the medium to be used for the backup; it may be backed up to a NetApp or network share rather than to tape so that quicker recovery can be carried out. Stage one in risk assessment is the classification of the asset; this then determines how it is accessed, stored, and handled.
Agreement types
Contracts between companies that want to purchase or sell services are very common, as they protect both partners participating in the contract. We will now look at the different agreement types that may be used in those contracts:
Business Partnership Agreement (BPA): A BPA is used between two companies who want to participate in a business venture to make a profit. It sets out how much each partner should contribute, their rights and responsibilities, the rules for the day-to-day running of the business, who makes the decisions, and how the profits are agreed and shared. It also has rules for the partnership ending, either over time or if one of the partners dies.
Service-Level Agreement (SLA): An SLA is a contract between a service provider and a company receiving the service that defines the level of service expected from the service provider; it is based on metrics within a specific time frame. The agreement can specify either a fix or a response within a certain period of time. An SLA is measured in metrics, such as what percentage of the target has been achieved. For example, your company has an SLA with a service provider that will fix your printer within 4 hours. If the printer breaks down, then the service provider needs to repair the printer within four hours or face a penalty. An SLA only relates to one product or service at a time. A company may have several SLAs in place that cover all of their equipment.
Interconnection Security Agreement (ISA): An ISA states how connections should be made between two business partners. If one of the business partners is a government agency and the connection agreement is not enforced, it could pose a security risk to their network. The connection agreement could specify which type of VPN and tunnel should be used, or it could state that a dedicated T3 line is used to make the connection between them.
Memorandum of Understanding (MOU): An MOU is a formal agreement between two or more parties. MOUs are stronger than a gentlemen's agreement, and both parties must be willing to make a serious commitment to each other, but they are not legally binding.
Memorandum of Agreement (MOA): An MOA is similar to an MOU but serves as a legal document and describes the terms and details of the agreement.
Non-Disclosure Agreement (NDA): An NDA is a legally binding contract made with an employee or a business partner in which they promise not to disclose trade secrets to others without proper authorization. The reason for this is to stop trade secrets or proprietary information being sold on to competitors.
Personnel management: policies and procedures
Employing personnel is a key function in a successful business; however, employing people is high risk, as we need to employ the right type of person, who must be bright enough to identify cyber-crime attacks. To help reduce the risk that employees face, to prevent human resources from employing the wrong person, and to prevent fraud on an ongoing basis, the following policies can be adopted:
Job rotation: Job rotation is used for two main reasons. The first is so that all staff can be trained in all aspects of the jobs in the company; employees may change departments every six months, and this way they get fully trained. The second reason is that, by rotating jobs, any theft or fraudulent activities can be discovered by the new person coming in.
Mandatory vacations: Mandatory vacation helps detect whether an employee has been involved in fraudulent activities by forcing them to take holidays of a week or more. When people are involved in fraudulent activities, they tend not to take many holidays so that the fraud cannot be discovered. This is especially rife in jobs in which people have fiscal trust, such as someone working in finance or someone who can authorize credit card payments.
Separation of duties: Separation of duties is having more than one person participate in completing a task; this is an internal control to prevent fraud or error. An example would be where a person who worked in the finance department collected all money being paid in and then authorized all payments being paid out. A charity in the United Kingdom was defrauded out of £1.3 million over a period of six years. If they had had two distinct finance jobs, where one person received the money and another authorized payments, the fraud would have been prevented. This is the aim of separation of duties: no one person does the whole task. Let's look at an example. All members of the IT team can make any changes to the network firewall; this creates a huge risk to the network. An auditor could recommend that each time a firewall rule is changed, it is authorized by the Change Advisory Board, and two people should be responsible for checking the changes to the firewall. With two people being responsible for making the changes, any errors should be eliminated. This is an example of separation of duties. Let's look at a second example. When I first got married, we opened a joint bank account into which only my wages were paid. My wife spent money from this account even though she had her own account. I paid in, my wife withdrew: a true separation of duties. Nowadays I have my own account! Separation of duties is where one person does not complete all configuration or transactions by themselves.
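The firewall-change example above (authorization by the Change Advisory Board plus two people checking each change) can be enforced by the change tooling rather than left to convention. The following is an added example in Python, not from the book or any real change-management product; the FirewallChange record and its fields, the requester and reviewer names, and the CAB ticket value are assumptions. The checks are the ones the text calls for: the requester cannot approve their own change, the same person cannot count twice, the CAB reference must be present, and nothing is applied until both are satisfied, with an audit line written either way:

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FirewallChange:
    """A requested rule change awaiting authorization (assumed record layout)."""
    rule: str
    requester: str
    cab_ticket: Optional[str] = None            # Change Advisory Board authorization reference
    approvers: List[str] = field(default_factory=list)


def record_approval(change: FirewallChange, reviewer: str) -> Optional[str]:
    """Register a reviewer's approval. Returns None on success, otherwise the reason
    the approval is rejected under separation of duties."""
    if reviewer == change.requester:
        return f"{reviewer} requested this change and cannot also approve it"
    if reviewer in change.approvers:
        return f"{reviewer} has already approved; a second, different person is required"
    change.approvers.append(reviewer)
    return None


def outstanding_controls(change: FirewallChange) -> List[str]:
    """Every condition the change still fails; an empty list means it may be applied."""
    problems = []
    if not change.cab_ticket:
        problems.append("no Change Advisory Board authorization")
    if len(set(change.approvers)) < 2:
        problems.append("fewer than two distinct reviewers have checked the change")
    if change.requester in change.approvers:
        problems.append("the requester is among the approvers")
    return problems


def apply_change(change: FirewallChange, audit_log: List[str]) -> bool:
    """Apply only when no control is outstanding; write an audit line either way."""
    problems = outstanding_controls(change)
    if problems:
        audit_log.append(f"REFUSED {change.rule!r}: " + "; ".join(problems))
        return False
    audit_log.append(
        f"APPLIED {change.rule!r} requested by {change.requester}, "
        f"approved by {', '.join(change.approvers)}, ticket {change.cab_ticket}"
    )
    return True


if __name__ == "__main__":
    log: List[str] = []
    change = FirewallChange("allow tcp/443 from 10.0.0.0/8 to 10.1.2.3",
                            "alice", "CAB-TICKET-PLACEHOLDER")
    print(record_approval(change, "alice"))   # rejected: requester
    print(record_approval(change, "bob"))     # None: first reviewer
    print(apply_change(change, log))          # False: only one reviewer so far
    print(record_approval(change, "carol"))   # None: second reviewer
    print(apply_change(change, log))          # True
    print(*log, sep="\n")
```

The refusal is recorded as well as the success, so an auditor reviewing the log can see attempted self-approvals, which is exactly the signal the charity example above lacked.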
Other policies adopted by the company to help reduce risk are as follows:
Clean desk policy: A clean desk policy (sometimes known as a clear desk policy) is a company policy that specifies that employees should clear their desks of all papers at the end of the day. This prevents the cleaning staff, or anyone else breaking into the building, from reading those papers.
Background checks: Completing background checks on new employees may involve looking into criminal records, employment and education history, and driving license and credit checks. This is to ensure that what the person has stated on their CV (resume) is correct. More stringent background checks are needed for those working with children and those handling finance.
Exit interview: The purpose of an exit interview is to find out the reason why the employee has decided to leave; this can be used to improve employee retention.
Acceptable Use Policy (AUP): The purpose of the AUP is to let the employee or contractor know what they can do with company computers and Bring Your Own Device (BYOD) devices. It lays out the practices relating to how you can access the company network and the internet. It will also state practices that are forbidden, such as using blogs and social media sites such as Facebook or Twitter while at work.
Rules of behavior: Rules of behavior lay down how employees should conduct themselves when at work. There should be no bullying, discrimination, or sexual harassment. Employees should work together for good and for the benefit of the company, even if they are not from the same background. People should respect and tolerate other employees' religious beliefs, even though they may not share them or agree with them.
Adverse action: Adverse action is action that is unlawful if it is taken for particular reasons. The Fair Work Act defines a number of actions as adverse actions, such as a person threatening an employee, injuring them in their employment, or discriminating against them.
Policy violations: When employees or contractors do not follow the policies or procedures that they have agreed to, this may result in either disciplinary procedures or, if serious, instant dismissal. This is normally behavior based.
Role-based awareness training
Role-based awareness training is mandatory training that an employee carries out on an annual basis; an example of this would be the security awareness training that companies use to reduce their security risks. During the training, employees will learn about social engineering attacks in which the employee is targeted, for example, with a phishing email. There will be more information about attacks in Chapter 8, Protecting Against Attacks and Vulnerabilities. A policy violation is where SOPs and policies have been ignored. Transferring data from outside the company should be done via VPN.
General security policies
General security policies affecting an employee using the internet are as follows:
Social media networks/applications: Many people have social media accounts, such as Twitter, Facebook, Reddit, or Instagram. These sites store personal details about everyone who has an account, and employees need to be careful with the information that they post on these sites. For example, you could put your date of birth, where you live, your personal preferences, and your email address. This information is a security risk and it could lead to a phishing attack or identity theft. Cognitive hacking is where a computer or information system attack relies on changing human users' perceptions and corresponding behaviors in order to be successful. This is a social engineering attack, and the information required could be found on your various social media websites or applications. You may also put comments on social media websites that could discredit your employer or one of their customers, and this could lead to dismissal. These comments may also prevent you from gaining future employment, as employers normally complete a background check and also look at your social media accounts. If you have different social media sites, don't use the same password for each of them, especially if it is the same as your online banking account. One account hacked means that all accounts are hacked.
Personal email: Your company mailbox must not be used for personal email. For example, if you decide to sell your car and then email all of the staff in the company, you will violate the Acceptable Use Policy.
Business impact analysis concepts
Business impact analysis (BIA) looks at the financial loss relating to an incident and does not look at how the threat or event occurred. It measures the additional cost due to various factors.
Financial loss factors include the following:
Loss and delay of sales
Regulatory fines and contract penalties
Purchase of new equipment to return to an operational state
Additional labor required until returning to an operational state
Do we need to seek a new property to operate in?
Impact factors include the following:
Loss of company brand or reputation
Loss of life
Were safety procedures in place?
BIA looks at the financial loss but does not look at the threat.
Privacy threshold assessment/privacy impact assessment
Personal data use, storage, and access are regulated, and a company will be fined if it does not handle data properly. There are two policies that we need to look at: the privacy threshold assessment and the privacy impact assessment. Let's now look at these:
Privacy threshold assessment: This assessment is to help identify personal information, described as either Personally Identifiable Information (PII), Sensitive Personal Information (SPI), or Public Health Information (PHI), as used in information security and privacy laws.
Privacy Impact Assessment (PIA): A PIA is an analysis of how personally identifiable information is collected, used, shared, and maintained. Should you have a project that requires access to the PII, SPI, or PHI information, you may need to fill in a PIA screening form justifying the need for its use.
Mission-essential functions/identification of critical systems
When we look at BIA as a whole we have to see what the company's mission-essential functions are; for example, an airline depends heavily on its website to sell airline tickets. If this was to fail it would result in loss of revenue. Critical systems for the airline would be the server that the website was placed on, as well as its ability to contact a backend database server, such as SQL, that holds ticketing information, processes the credit card transactions, and contains the order history for each of their customers.
Example
What would be the mission-essential functions of a newspaper, and what would be its critical systems? Newspapers generate revenue not only via sales but more importantly by selling advertisement space in the paper. The mission-essential function would be the program that creates the advertisements, and the critical systems would be the server that the program resides upon, the database for processing payments, and the systems used to print the newspapers.
Supply chain risk assessment
Your supply chain is the companies that you totally rely upon to provide the materials for you to carry out a business function or make a product for sale. Let's say that you are a laptop manufacturer and Company A provides the batteries and Company B provides the power supplies. If either of these runs short of either batteries or power supplies it stops you from manufacturing and selling your laptops.
Example
Company C provides your broadband internet access and you are totally reliant upon them for the internet—you may mitigate the risk of the internet failing by adopting vendor diversity, where you purchase broadband from Company D so that if either of your suppliers fails you still have internet access, which is now crucial to any modern business.
Business impact analysis concepts
The following concepts are used to carry out the business impact analysis:
Recovery Point Objective (RPO): RPO is how much time a company can last without its data before it affects operations. This is also known as acceptable downtime; if a company agrees that it can be without data for three hours, then the RPO is three hours. If the IT systems in a company suffer a loss of service at 13:00 hours, then the RPO would be 16:00 hours. Any repair beyond that time would have an adverse impact on the business.
Recovery Time Objective (RTO): RTO is the time at which the company has been returned to an operational state. In the RPO scenario, we would like the RTO to be before 16:00 hours. If the RTO is beyond 16:00 hours, then once again it has an adverse impact on the business.
Mean Time to Repair (MTTR): MTTR is the average amount of time it takes to repair a system. If my car broke down at 14:00 hours and it was repaired at 16:00 hours, the MTTR would be two hours.
Mean Time Between Failures (MTBF): MTBF shows the reliability of a system. If I purchase a new car for $50,000 on January 1 and it then breaks down on January 2, 4, 6, and 8, I would take it back to the garage, as the MTBF would be pretty high and for $50,000 I want a car that is more reliable.
Mean Time to Failure (MTTF): MTTF is the predicted lifespan of a system. Normally, an IT system is expected to last about five years, therefore its MTTF is five years. If I bought a car in 1960 and I had to scrap it in 1992, the MTTF of the car would be 32 years.
RPO is the acceptable downtime, whereas RTO is the return to an operational state.
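The RPO, RTO, MTTR and MTBF arithmetic above, worked through in code. This is an added example and not the book's own; the outage timestamps are constructed, and the RPO is treated as the book treats it, as a deadline derived from the outage start plus the agreed acceptable downtime.

```python
from datetime import datetime, timedelta

# Constructed outage records (not from the book): (time service was lost,
# time it was restored). Four failures in eight days, mirroring the book's
# car that breaks down on January 2, 4, 6 and 8.
INCIDENTS = [
    (datetime(2018, 1, 2, 9, 0), datetime(2018, 1, 2, 11, 0)),   # 2 h outage
    (datetime(2018, 1, 4, 14, 0), datetime(2018, 1, 4, 16, 0)),  # 2 h outage
    (datetime(2018, 1, 6, 8, 0), datetime(2018, 1, 6, 12, 0)),   # 4 h outage
    (datetime(2018, 1, 8, 16, 0), datetime(2018, 1, 8, 17, 0)),  # 1 h outage
]
# The book's scenario: three hours agreed, loss of service at 13:00 hours.
ACCEPTABLE_DOWNTIME = timedelta(hours=3)
BOOK_OUTAGE_START = datetime(2018, 1, 1, 13, 0)


def rpo_deadline(outage_start, acceptable_downtime):
    """RPO as the book describes it: the latest moment by which service must
    be back. A loss of service at 13:00 with three hours agreed gives 16:00."""
    return outage_start + acceptable_downtime


def rto_meets_rpo(outage_start, restored_at, acceptable_downtime):
    """True when the return to an operational state (RTO) lands on or before
    the RPO deadline; False means the outage had an adverse business impact."""
    return restored_at <= rpo_deadline(outage_start, acceptable_downtime)


def mttr_hours(incidents):
    """Mean Time to Repair: average length of an outage, in hours."""
    total = sum((fixed - broke).total_seconds() for broke, fixed in incidents)
    return total / len(incidents) / 3600


def mtbf_hours(incidents):
    """Mean Time Between Failures: average uptime between one repair and the
    next failure, in hours. Needs at least two incidents to define a gap."""
    ordered = sorted(incidents)
    gaps = [
        (ordered[i + 1][0] - ordered[i][1]).total_seconds()
        for i in range(len(ordered) - 1)
    ]
    return sum(gaps) / len(gaps) / 3600


def outages_breaching_rpo(incidents, acceptable_downtime):
    """The outages that ran past their RPO deadline: the ones a BIA flags."""
    return [
        broke for broke, fixed in incidents
        if not rto_meets_rpo(broke, fixed, acceptable_downtime)
    ]


if __name__ == "__main__":
    print("RPO deadline:", rpo_deadline(BOOK_OUTAGE_START, ACCEPTABLE_DOWNTIME).strftime("%H:%M"))
    print("MTTR (h):", mttr_hours(INCIDENTS))
    print("MTBF (h):", round(mtbf_hours(INCIDENTS), 2))
    print("Breached RPO:", outages_breaching_rpo(INCIDENTS, ACCEPTABLE_DOWNTIME))
```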
Calculating loss
The following concepts can be used to calculate the actual loss of equipment throughout the year and may be used to determine whether we need to take out additional insurance against the loss of the equipment:
Single Loss Expectancy (SLE): The SLE is the loss of one item. For example, if my laptop is worth $1,000 and I lose it while travelling, then my SLE would be $1,000.
Annual Rate of Occurrence (ARO): The ARO is the number of times that an item has been lost in a year. If an IT team loses six laptops in a year, the ARO would be six.
Annual Loss Expectancy (ALE): The ALE is calculated by multiplying the SLE by the ARO—in the previous examples we have $1,000 x 6 = $6,000. The ALE is the total loss in a year.
Example
A multinational corporation loses 300 laptops annually and these laptops are valued at $850; would they take out an insurance policy to cover the costs of replacement if the insurance premiums were $21,250 monthly? The answer is no, because the cost of replacing them is the same as the cost of the insurance. They would take a risk on not losing 300 laptops next year. The calculations are as follows:
ALE = SLE x ARO
ALE = $850 x 300 = $225,000
Monthly cost: $225,000/12 = $21,250
Annual loss expectancy = Single loss expectancy x Annual rate of occurrence.
Risk procedures and concepts
Risk is the probability that an event will happen—it could bring profit to you. For example, if you place a bet in roulette at a casino then you could win money. It is, however, more likely that a risk will result in financial loss or loss of service. Companies will adopt a risk management strategy to reduce the risk they are exposed to, but may not be able to eliminate the loss completely. In IT, new technology comes out every day and poses new risks to businesses, and therefore risk management is ever evolving. The main components are assets, risks, threats, and vulnerabilities:
Asset: The first stage in risk management is the identification and classification of the asset. If the asset is a top-secret document, you will handle and store it differently than an asset that is unclassified and available for free on the internet.
Risk: Risk is the probability that an event could occur, resulting in financial loss or loss of service.
Threat: A threat is someone or something that wants to inflict loss on a company by exploiting vulnerabilities. It could be a hacker that wants to steal a company's data.
Vulnerability: This is the weakness that helps an attacker exploit a system. It could be a weakness in a software package or a misconfiguration of a firewall.
A threat is something that will pose a danger by exploiting a vulnerability. A vulnerability is a weakness that may be exploited, and risk is the probability that an event will happen.
Threat assessment
A threat assessment helps a company classify its assets and then looks at the vulnerabilities of those assets. It will look at all of the threats the company may face, the probability of the threat happening, and the potential loss should the threat be successful:
Environmental threat: This threat is based on environmental factors, for example, the likelihood of a flood, hurricane, or tornado. If you live in Florida there is a peak season for hurricanes from mid-August to October, whereas if you live in Scotland, the last time they had a minor hurricane was in 1968. Florida has a high risk of having a hurricane, whereas Scotland would be an extremely low risk.
Man-made threat: This is a human threat—it could be a malicious insider attack where an employee deliberately deletes data, or could just be an accidental deletion by an incompetent member of staff.
Chapter Two: The Internet and World Wide Web
Objectives
After completing this chapter, you will be able to:
1 Discuss the evolution of the Internet
2 Identify and briefly describe various broadband Internet connections and state differences between broadband Internet connections and dial-up connections
3 Describe the types of Internet access providers: Internet service providers, online service providers, wireless Internet service providers
4 Describe the purpose of an IP address and its relationship to a domain name
5 Explain the purpose of a Web browser and identify the components of a Web address
6 Describe how to use a search engine to search for information on the Web and differentiate between a search engine and a subject directory
7 Describe the types of Web sites: portal, news, informational, business/marketing, blog, wiki, online social network, educational, entertainment, advocacy, Web application, content aggregator, and personal
8 Explain how Web pages use graphics, animation, audio, video, virtual reality, and plug-ins
9 Identify and briefly describe the steps required for Web publishing
10 Describe the types of e-commerce: business-to-consumer, consumer-to-consumer, and business-to-business
11 Explain how e-mail, mailing lists, instant messaging, chat rooms, VoIP, newsgroups and message boards, and FTP work
12 Identify the rules of netiquette
74 Chapter 2 The Internet and World Wide Web
The Internet
One of the major reasons business, home, and other users purchase computers is for Internet access. The Internet is a widely used research tool, providing society with access to global information and instant communications. Further, access to the Internet can occur anytime from a computer anywhere: at home, at work, at school, in a restaurant, on an airplane, and at a park.
The Internet, also called the Net, is a worldwide collection of networks that links millions of businesses, government agencies, educational institutions, and individuals. Each of the networks on the Internet provides resources that add to the abundance of goods, services, and information accessible via the Internet.
Today, more than one billion home and business users around the world access a variety of services on the Internet, some of which are shown in Figure 2-1. The World Wide Web, or simply the Web, and e-mail are two of the more widely used Internet services. Other services include chat rooms, instant messaging, and VoIP (Voice over Internet Protocol). To enhance your understanding of these Internet services, the chapter begins by discussing the history of the Internet and how the Internet works and then explains each of these services.
Figure 2-1 People around the world use a variety of Internet services in daily activities. Internet services allow home and business users to access the Web for activities such as conducting research, reading blogs, or sharing videos; to send e-mail messages; or to converse with others using chat rooms, instant messaging, or VoIP.
Evolution of the Internet
The Internet has its roots in a networking project started by the Pentagon’s Advanced Research Projects Agency (ARPA), an agency of the U.S. Department of Defense. ARPA’s goal was to build a network that (1) allowed scientists at different physical locations to share information and work together on military and scientific projects and (2) could function even if part of the network were disabled or destroyed by a disaster such as a nuclear attack. That network, called ARPANET, became functional in September 1969, linking scientific and academic researchers across the United States.
The original ARPANET consisted of four main computers, one each located at the University of California at Los Angeles, the University of California at Santa Barbara, the Stanford Research Institute, and the University of Utah. Each of these computers served as a host on the network. A host, more commonly known today as a server, is any computer that provides services and connections to other computers on a network. Hosts often use high-speed communications to transfer data and messages over a network.
As researchers and others realized the great benefit of using ARPANET to share data and information, ARPANET underwent phenomenal growth. By 1984, ARPANET had more than 1,000 individual computers linked as hosts. Today, more than 550 million hosts connect to the Internet.
Some organizations connected entire networks to ARPANET to take advantage of its high-speed communications. In 1986, the National Science Foundation (NSF) connected its huge network of five supercomputer centers, called NSFnet, to ARPANET. This configuration of complex networks and hosts became known as the Internet.
W3C: For more information, visit scsite.com/dc2011/ch2/weblink and then click W3C.
Until 1995, NSFnet handled the bulk of the communications activity, or traffic, on the Internet. In 1995, NSFnet terminated its network on the Internet and resumed its status as a research network. Today, the Internet consists of many local, regional, national, and international networks. Numerous corporations, commercial firms, and other companies such as IBM provide networks to handle Internet traffic. Both public and private organizations own networks on the Internet. These networks, along with telephone companies such as Verizon and AT&T, cable and satellite companies, and the government, all contribute toward the internal structure of the Internet.
Each organization on the Internet is responsible only for maintaining its own network. No single person, company, institution, or government agency controls or owns the Internet. The World Wide Web Consortium (W3C), however, oversees research and sets standards and guidelines for many areas of the Internet. The mission of the W3C is to contribute to the growth of the Web. More than 350 organizations from around the world are members of the W3C, advising, defining standards, and addressing other issues.
Internet2
Internet2 is a not-for-profit research and development project that connects more than 200 universities and 115 companies via a high-speed private network. Founded in 1996, the goal of Internet2 is to develop and test advanced network technologies that will benefit Internet users in the short-term future. These technologies require an extremely high-speed network that exceeds the capabilities of today’s Internet and networks. Examples of previous Internet2 projects that are now mainstream include telemedicine, digital libraries (online books, magazines, music, movies, speeches, etc.), and faster Internet services. Current Internet2 projects include interactive high-definition video and enhanced detection and resolution of network problems.
Connecting to the Internet
Many home and small business users connect to the Internet via high-speed broadband Internet service. With broadband Internet service, your computer or mobile device usually is connected to the Internet the entire time it is powered on. Examples of broadband Internet service include cable, DSL, fiber, radio signals, and satellite.
• Cable Internet service provides high-speed Internet access through the cable television network via a cable modem.
• DSL (digital subscriber line) provides high-speed Internet connections using regular copper telephone lines.
• Fiber to the Premises (FTTP) uses fiber-optic cable to provide high-speed Internet access to home and business users.
• Fixed wireless provides high-speed Internet connections using a dish-shaped antenna on your house or business to communicate with a tower location via radio signals.
• A cellular radio network offers high-speed Internet connections to devices with built-in compatible technology or computers with wireless modems.
• A Wi-Fi (wireless fidelity) network uses radio signals to provide high-speed Internet connections to compatible or properly equipped wireless computers and devices.
• Satellite Internet service provides high-speed Internet connections via satellite to a satellite dish that communicates with a satellite modem.
Employees and students typically connect their computers to the Internet through a business or school network. The business or school network connects to a high-speed broadband Internet service. Many home users set up a Wi-Fi network, which sends signals to a communications device that is connected to a high-speed Internet service such as cable or DSL. Instead of using broadband Internet service, however, some home users connect to the Internet via dial-up access, which is a slower-speed technology. Dial-up access takes place when the modem in your computer connects to the Internet via a standard telephone line that transmits data and information using an analog (continuous wave pattern) signal. Users may opt for dial-up access because of its lower price or because broadband access is not available in their area.
Mobile users access the Internet using a variety of Internet services. Most hotels and airports provide wired or wireless Internet connections as a service to travelers. Wireless Internet services, such as Wi-Fi networks, allow mobile users to connect easily to the Internet with notebook computers, smart phones, and other mobile devices while away from a telephone, cable, or other wired connection. Many public locations, such as airports, hotels, schools, shopping malls, and coffee shops, are hot spots that provide Wi-Fi Internet connections to users with mobile computers or devices. At public locations, you may be required to agree to terms of service, obtain a password (for example, from the hotel’s front desk), or perform some other action in order to connect to the Internet. Some cities provide free Wi-Fi Internet connections to all residents.
FAQ 2-1 How popular is broadband?
According to a study performed by Pew Internet & American Life Project, 63 percent of American adults have broadband Internet connections at home. Adoption of broadband connections increases during good economic times, while some may hesitate to make the switch during an economic downturn. It is believed that once the price of a broadband connection decreases, and broadband is available in more rural areas, its popularity will increase further.
For more information, visit scsite.com/dc2011/ch2/faq and then click Broadband.
Access Providers
An access provider is a business that provides individuals and organizations access to the Internet free or for a fee. For example, some Wi-Fi networks provide free access while others charge a per use fee. Other access providers often charge a fixed amount for an Internet connection, offering faster speeds or more services for higher rates. Typical monthly rates range from about $5 to $24 per month for dial-up, $13 to $70 for DSL, $20 to $75 for cable, $40 to $150 for FTTP, $30 to $80 for fixed wireless, $60 to $80 for cellular networks, and $50 to $120 for satellite. Many Internet access providers offer services such as news, weather, financial data, games, travel guides, e-mail, photo communities, and online storage to hold digital photos and other files. (A file is a named unit of storage.)
Access providers are categorized as regional or national ISPs, online service providers, and wireless Internet service providers (Figure 2-2).
Figure 2-2 Common ways to access the Internet are through a regional or national Internet service provider, an online service provider, or a wireless Internet service provider.
Wireless Modems: For more information, visit scsite.com/dc2011/ch2/weblink and then click Wireless Modems.
An ISP (Internet service provider) is a regional or national access provider. A regional ISP usually provides Internet access to a specific geographic area. A national ISP is a business that provides Internet access in cities and towns nationwide. For dial-up access, some national ISPs provide both local and toll-free telephone numbers. Due to their larger size, national ISPs usually offer more services and have a larger technical support staff than regional ISPs. Examples of national ISPs are AT&T and EarthLink.
In addition to providing Internet access, an online service provider (OSP) also has many members-only features such as instant messaging or their own customized version of a Web browser. The two more popular OSPs are AOL (America Online) and MSN (Microsoft Network). AOL differs from many OSPs in that it provides gateway functionality to the Internet, meaning it regulates the Internet services to which members have access. AOL also provides free access to its services to any user with a broadband Internet connection.
When selecting an ISP or OSP for dial-up access, ensure it provides at least one local telephone number. Otherwise, long-distance telephone charges will apply for the time you connect to the Internet.
A wireless Internet service provider, sometimes called a wireless data provider, is a company that provides wireless Internet access to desktop and notebook computers and mobile devices, such as smart phones and portable media players, with built-in wireless capability (such as Wi-Fi) or to computers using wireless modems or wireless access devices. Wireless modems, which usually are in the form of a USB flash drive or a card that inserts in a slot in a computer or mobile device, generally dial a telephone number to establish a connection with the wireless Internet service provider. An antenna on or built into the computer or device, wireless modem, or wireless access device typically sends signals through the airwaves to communicate with a wireless Internet service provider. Some examples of wireless Internet service providers include AT&T, Boingo Wireless, Sprint Broadband Direct, T-Mobile, and Verizon Wireless.
FAQ 2-2 What types of Web sites do mobile Internet users visit?
More than 87 million individuals subscribe to a wireless Internet service provider. Mobile Internet users most frequently visit weather, entertainment, and e-mail Web sites. The chart below illustrates various types of Web sites and their associated increase in traffic resulting from mobile Internet users.
[Chart: Increase Due to Mobile Internet Users. Vertical axis: Percent Increase (0% to 25%). Horizontal axis: Web Site Type (Weather, Entertainment, E-mail, Sports, Business, Social Networking, Search, Shopping). Source: ClickZ]
For more information, visit scsite.com/dc2011/ch2/faq and then click Mobile Internet.
How Data and Information Travel the Internet
Computers connected to the Internet work together to transfer data and information around the world using servers and clients and various wired and wireless transmission media. On the Internet, your computer is a client that can access data, information, and services on a variety of servers.
The inner structure of the Internet works much like a transportation system. Just as interstate highways connect major cities and carry the bulk of the automotive traffic across the country, several main transmission media carry the heaviest amount of traffic on the Internet. These major carriers of network traffic are known collectively as the Internet backbone.
In the United States, the transmission media that make up the Internet backbone exchange data and information at several different major cities across the country. That is, they transfer data and information from one network to another until reaching the final destination (Figure 2-3).
Figure 2-3 How a Home User’s Data and Information Might Travel the Internet Using a Cable Modem Connection
Step 1: You initiate an action to request data or information from the Internet. For example, you request to display a Web page on your computer screen.
Step 2: A cable modem transfers the computer’s digital signals to the cable television line in your house.
Step 3: Your request (digital signals) travels through cable television lines to a central cable system, which is shared by up to 500 homes in a neighborhood.
Step 4: The central cable system sends your request over high-speed fiber-optic lines to the cable operator, who often also is the ISP.
Step 5: The ISP routes your request through the Internet backbone to the destination server (in this example, the server that contains the requested Web site).
Step 6: The server retrieves the requested Web page and sends it back through the Internet backbone to your computer.
Figure 2-3 This figure shows how a home user’s data and information might travel the Internet using a cable modem connection.
Internet Addresses
The Internet relies on an addressing system much like the postal service to send data and information to a computer at a specific destination. An IP address, short for Internet Protocol address, is a number that uniquely identifies each computer or device connected to the Internet. The IP address usually consists of four groups of numbers, each separated by a period. The number in each group is between 0 and 255. For example, the numbers 72.14.207.99 are an IP address. In general, the first portion of each IP address identifies the network and the last portion identifies the specific computer.
These all-numeric IP addresses are difficult to remember and use. Thus, the Internet supports the use of a text name that represents one or more IP addresses. A domain name is the text version of an IP address. Figure 2-4 shows an IP address and its associated domain name. As with an IP address, the components of a domain name are separated by periods.
The text in the domain name up to the first period identifies the type of Internet server. In Figure 2-4, for example, the www indicates a Web server.
Figure 2-4 The IP address and domain name for the Google Web site. IP address: 72.14.207.99. Domain name: www.google.com (com is the top-level domain).
Every domain name contains a top-level domain (TLD), which is the last section of the domain name. A generic TLD (gTLD), such as the com in Figure 2-4 on the previous page, identifies the type of organization associated with the domain. The Internet server and gTLD portions of a domain name often are not required.
The organization that assigns and controls top-level domains is the Internet Corporation for Assigned Names and Numbers (ICANN, pronounced EYE-can). Figure 2-5 lists some gTLDs. For TLDs such as biz, com, info, name, net, and org, you register for a domain name from a registrar, which is an organization that sells and manages domain names.
For international Web sites outside the United States, the domain name also includes a country code TLD (ccTLD), which is a two-letter country code, such as au for Australia. For example, www.philips.com.au is the domain name for Philips Australia. Some smaller countries have granted use of their ccTLDs for commercial purposes, such as tv (Tuvalu) for the television/entertainment industry.
The domain name system (DNS) is the method that the Internet uses to store domain names and their corresponding IP addresses. When you specify a domain name, a DNS server translates the domain name to its associated IP address so that data and information can be routed to the correct computer. A DNS server is an Internet server that usually is associated with an Internet access provider. For a more technical discussion about DNS servers, read the High-Tech Talk article on page 382.
The growth of the Internet has led to a shortage of IP addresses. Thus, a new IP addressing scheme, called IPv6, may increase the number of available IP addresses. For a more technical discussion about Internet addresses and IPv6, read the High-Tech Talk article on page 110.
Figure 2-5 Examples of Generic Top-Level Domains
Generic TLD: Intended Purpose
aero: Aviation community members
biz: Businesses of all sizes
cat: Catalan cultural community
com: Commercial organizations, businesses, and companies
coop: Business cooperatives such as credit unions and rural electric co-ops
edu: Educational institutions
gov: Government agencies
info: Business organizations or individuals providing general information
jobs: Employment or human resource businesses
mil: Military organizations
mobi: Delivery and management of mobile Internet services
museum: Accredited museums
name: Individuals or families
net: Network providers or commercial companies
org: Nonprofit organizations
pro: Certified professionals such as doctors, lawyers, and accountants
tel: Internet communications
travel: Travel industry
Figure 2-5 In addition to the generic TLDs listed above, ICANN continually evaluates proposals for new TLDs.
QUIZ YOURSELF 2-1
Instructions: Find the true statement below. Then, rewrite the remaining false statements so that they are true.
1. An access provider is a business that provides individuals and organizations access to the Internet free or for a fee.
2. A wireless Internet service provider is a number that uniquely identifies each computer or device connected to the Internet.
3. An IP address, such as www.google.com, is the text version of a domain name.
4. Satellite Internet service provides high-speed Internet access through the cable television network via a cable modem.
5. The World Wide Web Consortium (W3C) oversees research and owns the Internet.
Quiz Yourself Online: To further check your knowledge of pages 74 through 80, visit scsite.com/dc2011/ch2/quiz and then click Objectives 1 – 4.
The World Wide Web
Although many people use the terms World Wide Web and Internet interchangeably, the World Wide Web actually is a service of the Internet. While the Internet was developed in the late 1960s, the World Wide Web emerged in the early 1990s. Since then, it has grown phenomenally to become one of the more widely used Internet services.

The World Wide Web (WWW), or Web, consists of a worldwide collection of electronic documents. Each electronic document on the Web is called a Web page, which can contain text, graphics, animation, audio, and video. Additionally, Web pages usually have built-in connections to other documents.
Some Web pages are static (fixed); others are dynamic (changing). Visitors to a static Web page all see the same content. With a dynamic Web page, by contrast, visitors can customize some or all of the viewed content such as desired stock quotes, weather for a region, or ticket availability for flights.

A Web site is a collection of related Web pages and associated items, such as documents and pictures, stored on a Web server. A Web server is a computer that delivers requested Web pages to your computer. The same Web server can store multiple Web sites. Some industry experts use the term Web 2.0 to refer to Web sites that provide a means for users to share personal information (such as social networking Web sites), allow users to modify Web site content (such as wikis, which are discussed later in this chapter), and have application software built into the site for visitors to use (such as e-mail and word processing programs). Read Looking Ahead 2-1 for a look at Web 3.0.
LOOKING AHEAD 2-1
Web 3.0 to Reinvent the Virtual World
The Web has evolved through versions 1.0 and 2.0, and work is underway to develop Web 3.0, also known as the Semantic Web. Some researchers predict that this next generation of the Web will perform practically any task imaginable. For example, your computer will be able to scan a Web page much as you do to look for specific useful information. If you need the location of the nearest eye doctor and the time when your brother’s flight from Chicago actually will land, Web 3.0 first will provide those facts and then search your calendar, checking to see if your schedule allows time for the doctor’s appointment before picking up your brother at the airport. In essence, the Web will become one huge searchable database, and automated agents of every type will retrieve the data we need to live productive lives.
For more information, visit scsite.com/dc2011/ch2/looking and then click Web 3.0.

Browsing the Web
A Web browser, or browser, is application software that allows users to access and view Web pages or access Web 2.0 programs. To browse the Web, you need a computer or mobile device that is connected to the Internet and has a Web browser. The more widely used Web browsers for personal computers are Internet Explorer, Firefox, Opera, Safari, and Google Chrome.

With an Internet connection established, you start a Web browser. The browser retrieves and displays a starting Web page, sometimes called the browser’s home page (Figure 2-6). The initial home page that is displayed is one selected by your Web browser. You can change your browser’s home page at any time.

How a Web Browser Displays a Home Page
Step 1: Start the Web browser software by clicking the Web browser icon on the taskbar or typing the Web browser name in the search box on the Start menu. (Screen labels: Internet Explorer Web browser icon on taskbar; Internet Explorer Web browser name in search results on Start menu; search box.)
Step 2: Behind the scenes, the Web browser looks up its home page setting. For illustration purposes only, the screen on the right shows the home page setting is msn.com.
Step 3: The Web browser communicates with a server maintained by your Internet access provider. The server translates the domain name of the home page to an IP address and then sends the IP address to your computer. (Figure labels: msn.com; 207.68.172.234.)
Step 4: The Web browser uses the IP address to contact the Web server associated with the home page and then requests the home page from the server. The Web server sends the home page to the Web browser, which formats the page for display on your screen.
Figure 2-6 This figure shows how a Web browser displays a home page.

Another use of the term, home page, refers to the first page that a Web site displays. Similar to a book cover or a table of contents for a Web site, the home page provides information about the Web site’s purpose and content. Many Web sites, such as iGoogle, allow you to personalize the home page so that it contains areas of interest to you. The home page usually contains links to other documents, Web pages, or Web sites. A link, short for hyperlink, is a built-in connection to another related Web page or part of a Web page.

Internet-enabled mobile devices such as smart phones use a special type of browser, called a microbrowser, which is designed for their small screens and limited computing power. Many Web sites design Web pages specifically for display on a microbrowser (Figure 2-7).

Figure 2-7 Sample microbrowser screen shown on this iPhone.
iPhone: For more information, visit scsite.com/dc2011/ch2/weblink and then click iPhone.

For a computer or mobile device to display a Web page, the page must be downloaded. Downloading is the process of a computer or device receiving information, such as a Web page, from a server on the Internet. While a browser downloads a Web page, it typically displays an animated logo or icon in the browser window. The animation stops when the download is complete. The time required to download a Web page varies depending on the speed of your Internet connection and the amount of graphics involved.
FAQ 2-3
Which Web browser currently has the highest market share?
Windows Internet Explorer (IE) currently is the most popular browser, with approximately 68 percent of the market share. The chart below illustrates the market share of the more popular Web browsers.
(Market Share pie chart: Internet Explorer 68%; the remaining slices, labeled Firefox, Safari, and Other, show 22%, 6%, and 4%. Source: Market Share by Net Applications.)
For more information, visit scsite.com/dc2011/ch2/faq and then click Browser Market Share.
Web Addresses
A Web page has a unique address, called a URL (Uniform Resource Locator) or Web address. For example, the home page for the United States National Park Service Web site has http://www.nps.gov as its Web address. A Web browser retrieves a Web page using its Web address.

If you know the Web address of a Web page, you can type it in the Address bar at the top of the browser window. For example, if you type the Web address http://www.nps.gov/grsm/planyourvisit/wildlifeviewing.htm in the Address bar and then press the enter key, the browser downloads and displays the Web page shown in Figure 2-8.

A Web address consists of a protocol, domain name, and sometimes the path to a specific Web page or location on a Web page. Many Web page addresses begin with http://. The http, which stands for Hypertext Transfer Protocol, is a set of rules that defines how pages transfer on the Internet.

To help minimize errors, many browsers and Web sites do not require you to enter the http:// and www portions of the Web address in the Address bar. If you enter an incorrect Web address, the browser may display a list of similar addresses or related Web sites from which you can select.
When you enter the Web address http://www.nps.gov/grsm/planyourvisit/wildlifeviewing.htm in the Web browser, it sends a request to the Web server that contains the nps.gov Web site. The server then retrieves the Web page named wildlifeviewing.htm that is located in the grsm/planyourvisit path and delivers it to your browser, which then displays the Web page on the screen.
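Worked example, added here and not part of the textbook: a small Python program that splits a Web address into the protocol, domain name and path described in the Web Addresses section, then splits the domain name into its labels to find the top-level domain discussed earlier in the chapter (a gTLD such as com, or a ccTLD such as au with a gTLD before it, as in www.philips.com.au) and the name that was registered with a registrar. The functions parse_web_address, describe_domain_name and dissect are my own names; the gTLD set is copied from Figure 2-5, and the ccTLD set is a constructed sample, so both are assumptions for the demonstration rather than a real registry.

```python
"""
Added example (not from the textbook): dissect a Web address into the
protocol, domain name and path the chapter describes, then split the
domain name into its labels to find the TLD part and the registered name.
The gTLD set is copied from Figure 2-5; the ccTLD set is a constructed
sample (assumption), not a real registry.
"""
from urllib.parse import urlsplit

# Generic TLDs listed in the chapter's Figure 2-5.
GENERIC_TLDS = {
    "aero", "biz", "cat", "com", "coop", "edu", "gov", "info", "jobs",
    "mil", "mobi", "museum", "name", "net", "org", "pro", "tel", "travel",
}
# Constructed sample of two-letter country-code TLDs (assumption).
COUNTRY_CODE_TLDS = {"au", "uk", "tv"}


def parse_web_address(address):
    """Return the protocol, domain name and path of a Web address.

    Browsers let you omit http://, so an address typed without a protocol
    is treated as http, just as the Address bar would treat it.
    """
    if "://" not in address:
        address = "http://" + address
    parts = urlsplit(address)
    if not parts.hostname:
        raise ValueError("no domain name in %r" % address)
    return {
        "protocol": parts.scheme,
        "domain_name": parts.hostname,  # user:pass@ and :port are stripped
        "path": parts.path or "/",      # an empty path means the home page
    }


def describe_domain_name(domain_name):
    """Split a domain name into labels and identify its TLD parts.

    The last label is the TLD.  If it is a ccTLD (e.g. au) and the label
    before it is a gTLD (e.g. com), both form the TLD part, as in
    www.philips.com.au.  The label immediately left of the TLD part is the
    name registered with a registrar; anything further left (such as www,
    the Internet server portion) is chosen by whoever holds that name.
    """
    labels = domain_name.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError("not a domain name: %r" % domain_name)
    cctld = gtld = None
    tld_labels = 1
    if labels[-1] in COUNTRY_CODE_TLDS:
        cctld = labels[-1]
        if labels[-2] in GENERIC_TLDS:
            gtld = labels[-2]
            tld_labels = 2
    elif labels[-1] in GENERIC_TLDS:
        gtld = labels[-1]
    if len(labels) <= tld_labels:
        raise ValueError("no registered name in %r" % domain_name)
    return {
        "labels": labels,
        "tld": labels[-1],
        "cctld": cctld,
        "gtld": gtld,
        "registered_name": ".".join(labels[-(tld_labels + 1):]),
        "server": labels[0] if len(labels) > tld_labels + 1 else None,
    }


def dissect(address):
    """Combine both steps into one dictionary describing a Web address."""
    info = parse_web_address(address)
    info.update(describe_domain_name(info["domain_name"]))
    return info


if __name__ == "__main__":
    for example in (
        "http://www.nps.gov/grsm/planyourvisit/wildlifeviewing.htm",
        "www.philips.com.au",
        "http://www.google.com",
    ):
        print(dissect(example))
```

The registered name is taken from the rightmost labels because that is the part a registrar sells; every label to its left is chosen by whoever holds that name. When reading an address, therefore, the organization is identified by the labels nearest the right-hand end of the domain name, not by whatever appears immediately after http://.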
To save time, many users create bookmarks for their frequently visited Web pages. A bookmark, or favorite, is a saved Web address that you access by clicking its name in a list. That is, instead of entering a Web address to display a Web page, you can click a previously saved bookmark.

When you enter a Web address in a browser, you request, or pull, information from a Web server. Some Web servers also can push content to your computer at regular intervals or whenever updates are made to the site. For example, some Web servers provide the capability of