7/31/2002 -- ProsoftTraining.com's Certified Internet Webmaster (CIW) Security Professional exam is for IT professionals who have proficiencies in network administration and want to expand their professional credentials to include security. This exam, in combination with your existing Microsoft, Cisco, Sair or LPI title, earns you Prosoft's CIW Security Analyst certification (more information here).

The exam itself (#1D0-170) favors students who have hands-on experience deploying a security policy and configuring security on various operating systems. However, anyone with sufficient knowledge should be able to pass this exam.

I consider the CIW Security Professional exam an entry-level security exam. While I did find it moderately challenging, it's not as extensive or difficult as other security certifications. To aid in focusing your studies, here are my top 10 study tips for this exam. (Note: These tips are for version 4 of this exam. Check that the version hasn't changed before you start studying. To download current objectives from the CIW Web site, click here.)

Tip # 1: Get Your TCP/IP Basics Down
TCP/IP is the basis of all life. Well, if you listen to most networking and security professionals, it certainly seems as if this is true. The CIW Security Professional exam relies heavily on a solid and functional understanding of TCP/IP.

I was surprised by the amount of TCP/IP specific information on the exam. In fact, thorough knowledge of TCP/IP pretty much guarantees you a great score! If you are rusty or hazy on TCP/IP basics such as addressing, subnetting, routing, etc, then you'll need to spend time getting up to speed.

For example, know the standard TCP/IP address classes:

Class A	1 - 126.x.y.z	255.0.0.0
Class B	128 - 191.x.y.z	255.255.0.0
Class C	192 - 223.x.y.z	255.255.255.0
Class D	224 - 239.x.y.z	(multicast)
Class E	240 - 255.x.y.z	(experimental)

Know the private IP addresses defined in RFC 1819:

Class A: 10.0.0.0 - 10.255.255.255
Class B: 172.16.0.0 - 172.31.255.255
Class C: 192.168.0.0 - 192.168.255.255

Know the TCP/UDP ports for common protocols, services, and applications, such as FTP, SMTP, DNS, POP3, Telnet, HTTP, NNTP, etc. A general familiarity with ports 1 through 1023 is also a good idea. The IANA maintains a port assignment listing at http://www.iana.org/assignments/port-numbers.

Tip #2: Know the OSI Model and How TCP/IP Maps To It
Yep, another tip on TCP/IP. After all, a thorough understanding of TCP/IP will help you know how to protect a network, right? Well, if you didn't think so before, you should now. In addition to knowing TCP/IP, this exam expects you to understand how it compares with the OSI model for networking protocols.

As you probably know, the OSI model is the ideal design standard against which all protocols are compared and contrasted. It consists of seven levels:

1. Application
2. Presentation
3. Session
4. Transport
5. Network
6. Data Link
7. Physical

The TCP/IP protocol has only four layers that map against the OSI model:

	TCP/IP	OSI
1.	Application	1,2,3
2.	Host to Host	4
3.	Internet	5
4.	Network Access	6,7

Tip #3: Yep, You Guessed It: More TCP/IP!
I'm not kidding about this TCP/IP thing! TCP/IP is the most widely used protocol on the planet (probably even in the universe). So, if you understand where it has weaknesses, you can protect yourself by installing countermeasures against exploitations.

TCP/IP communications are established using the three-way handshake process:

1. The client sends a SYN packet to the server.
2. The server responds with a SYN/ACK packet to the client.
3. The client responds with an ACK packet to the server.

Once this process is complete, the client and server have an open communications channel. Once their communication is completed, they close the connection using a similar process that employs a FIN packet instead of a SYN packet.

The SYN/ACK process of TCP/IP is often attacked. The most common attack is the SYN flood. This attack involves a malicious client sending numerous SYN packets to a server, but never responding to the server's SYN/ACK packet with the expected ACK. This usually results in a denial-of-service (DoS) since the server will keep listening ports open waiting for a response. If a sufficient number of SYN packets flood the server, no legitimate traffic will occur.

Tip #4: Where Are You Vulnerable?
Most attacks don't focus on TCP/IP directly, but rather focus on individual application or service protocols, such as FTP, SMTP, HTTP, Telnet, SNMP, DNS and ICMP. You'll need to be aware of the limitations and vulnerabilities of each of these various protocols.

FTP requires user authentication, but logon credentials are passed in the clear, thus making packet sniffing for passwords worthwhile. Also, FTP does not comply with account lockout policies, so a brute force attack can be waged against an FTP logon prompt. For these reasons, FTP servers should be housed in a DMZ, and users should have different usernames and passwords for the FTP server and not re-use the same ones from the internal network. When FTP services are compromised, intruders often deposit Trojans, viruses or hacker tools for later use.

E-mail (SMTP, POP3, IMAP) is now the most common distribution medium for viruses. Scanning for viruses or blocking suspect attachments is a necessity. A key element in establishing and maintaining e-mail security is end-user education. Users should never open attachments on unsolicited and unverified e-mail, even from known sources.

Web (HTTP) servers are another common vulnerable spot on systems and networks. Always locate public Web servers in a DMZ. All active content (such as CGI scripts) should be thoroughly scanned for malicious code. Keep current on OS and Web server patches to lock down any known security holes.

Telnet is insecure since it transmits all data in clear text. Avoid using telent -- instead, use a secure remote connection service, such as SSH. SNMP, while useful for network management, also transmits in clear text and employs commonly known default community names. Both Telent and SNMP should be blocked at your firewall.

DNS is vulnerable due to how zone file transfers are managed. If a malicious entity can update a DNS zone with invalid data, they can redirect traffic or just block access. Internal DNS information should not be broadcast to the Internet. Zone transfers to your internal DNS servers should not originate from the Internet.

Tip #5: OS Savvy
I found that familiarity with Windows NT and UNIX operating systems essential for this exam. If you don't have hands-on experience with these operating systems, I suggest you spend a little time obtaining some. You don't need to memorize syntax, but a working understanding of the top commands and utilities will help you in life as well as on the exam.

Some of the commands you should know include nslookup, whois, host, traceroute/tracert, ping scanner, port scanner, share scanner, chage, umask, chmod, rlogin and passwd.

In addition, you must also know common or standard directory structures on both Windows NT and Unix systems. On Windows NT, know the paths for the default system folder (\%systemroot%), user profiles folder (\%systemroot%\profiles), Registry file storage folder (\%systemroot%\System32\config), and main IIS folder (\Iispub). On Unixsystems, know the paths for the root (\), administrative commands (/sbin), user commands (/bin), O/S files (/usr), system commands (/usr/bin), locally installed software (/usr/local), log files (/var/log), and user home directories (/home).

Tip #6: Encryption Basics and Cryptographic Mechanisms
Encryption is used to protect the secrecy of logon credentials as well as transmission of data. Kerberos is an encryption mechanism used to protect logon credentials and verify identity. Kerberos uses a system of tickets and a trusted third-party server (known as the Kerberos Distribution Center or KDC) to support secured client/server interactions. However, the trusted KDC is a single point of failure. If the KDC is offline, the network is unable to function normally.

One-time passwords (OTP) are password that are only used once before they expire. OTP systems are immune to sniffing since passwords are useless after their one use.

SSL or Secure Sockets Layer is an encryption protocol developed by Netscape to protect the transfer of data over the Web. Most popular Web servers support SSL. SSL uses private keys to encrypt transmitted data, such as credit card numbers.

Tip #7: Attack Types
Many different attacks can be waged against individual systems and entire networks. Not surprisingly, knowing these attacks is a key part of this exam. Some of the attacks you should know about are:

• Brute Force Attack: Attempting to guess an account's password through a systematic trial of every possible character combination
• Buffer Overflow Attack: An attack where too much information is sent to a server. If the server is not programmed properly, the extra data that does not fit into the input buffer may overflow into another area of memory. The extra overflowed data can often be comprised of malicious code that can compromise the security of a system.
• Denial of Service (DoS): An attack that sends so much malicious or useless data to a server that it is unable to process legitimate traffic.
• Dictionary Attack: Attempting to guess an account's password through a systematic trial of a long list of common passwords.
• Land Attack: Sending out IP packets with the same spoofed source and destination IP address of the victim, causes DoS or system crash of the victim.
• Hijacking: An attack where a malicious entity takes over the communications session from a victim. The client/victim's communication is terminated, but the server continues to communicate with the new entity because it thinks it is still the original client.
• Man in the Middle: Any type of attack where the malicious entity intercepts data by positioning themselves between the client and server of a communications link.
• Ping of Death: Sending a victim system a ping packet larger than 65,536 bytes, this causes a buffer overflow and crashes the system.
• Root Kit: A collection of tools often deposited to compromised systems that grant the hacker the ability to easily regain access to the system. The root kit often contains tools to hide malicious activities, scan for data, capture passwords, etc.
• Smurf Attack: Sending numerous ping packets to a system with a spoofed IP address of the intended victim. The victim received numerous ping replies that often result in a DoS.
• Spoofing: Any number of attacks that use constructed TCP/IP packets to fake source or destination IP addresses. Spoofing makes tracking down the actual source of attacks extremely difficult.
• SYN Attack: Sending a server SYN packets without completing the handshake process often results in a DoS.
• Teardrop Attack: Sending a server a TCP/IP packet that has an invalid offset value in its header. This invalid code causes the server to crash.
• Trojan: Any program that hides code that may be automatically or remotely enabled to perform malicious actions.

Tip #8: Know Common Security Practices and Implementations
To have good security, you must start with a security policy. I know, I know, you're just the hands-on guy. But a solid security policy is the foundation of a solid security solution. Without a security policy, you won't have a complete solution and therefore won't have worthwhile security.

The security policy must address security for every aspect of an organization from physical access to logical/technical controls to user education. Once security is deployed, it must be tested, audited and tuned regularly.

Be familiar with common security practices, such as applying relevant security patches to OSes and software, removing unneeded services and applications, and not relying on the default settings of any security control.

Tip #9: Understand Firewall Basics
To establish a secure environment, you're probably going to need a firewall. But a firewall is only secure as its configuration (never use the defaults) and the OS or hardware supporting it. You should be familiar with the basic uses of firewalls and the general strengths and weaknesses of deploying them.

Also be familiar with the various types of firewalls: packet-filtering, circuit-level gateway, application-level gateway and stateful inspection. Some firewalls can also serve as proxies using NAT.

Tip #10: Find a Good Study Guide
Even if you can say that you already have a solid grasp on all the concepts, issues, and topics covered in this article, it still pays to study. I highly recommend using practice exams. There are numerous free and for-a-price practice exams available on the Internet -- just do a search on Google on "CIW Security" to find them. Plus, many study guides include practice exams at the end of each chapter, at the end of the book, and on the included CD. I found working through a handful of practice exams prepares me for the exam better than any other activity. I usually take a "final" practice exam the night before the real exam as my last study effort before dinner and sleeping.

Be selective when choosing a study guide; don't just by one because you like the cover or someone else recommended it. Take the time to read a chapter, scan for details, review the table of contents, etc. There are already several great CIW Security Professional exam study guides available (I chose "CIW Security Professional Certification Bible" -- but again, make your own choice).

Have you taken this exam? What did you think? Post your comments and tips below!

More articles by James Michael Stewart:

• Certification Exam Skills 101: Test Taking Tricks & Tips
  
• My Top 10 Study Tips for Microsoft's 70-214 Security Exam
  
• My Top 10 Tips for Passing the CISSP Exam