Applications | Security + Exam Guide (Charles River Media Networking/Security)

< Free Open Study >

The applications involved in applications and systems development consist of agents, viruses, applets, and other software. It is important to understand the difference between the two basic computing environments and the applications that are associated with each environment. Generally, we speak of applications operating in either a distributed or a nondistributed computing environment.

Distributed Computing Environment

A distributed computing environment (DCE) is one where the components that make up an application are running across multiple computers in a network. This means that one system could house an application while another contains the database of information that the application refers to. Still a third could handle processing data in the database, making the trio much more efficient than a single system trying to do all these tasks. Indeed, there is no limit to the number of systems that can coexist in a DCE. The players in a DCE could include servers in different geographic locations, running different operating systems on multiple platforms.

The Internet itself is a perfect example of the incredible power of distributed computing. Every time you fire up your browser and key in a Web address, distributed computing is serving you. When you key in that Web site, your computer must query a DNS server for the IP address. Because of the sheer size and dynamic nature of the entire domain name database, it’s lucky for us that other computers are handling the storage and maintenance of this information—not to mention the queries for IP address stored within. Because this task is being distributed to another, more powerful system, the search only takes milliseconds. Then, when you arrive to the Web site, most of what comes over the wire is simply HTML code; it is your computer that processes the HTML and puts it all together on your screen. Add Java, search engines, streaming media, and the wide variety of other information and applications at your disposal online, and you have a powerful DCE.

Another popular trend in distributed computing is called application hosting. Programs can be served up like any other data, providing a platform-independent way for users to connect to the applications they need. This can be accomplished by means of browser-based interfaces, Java applets, or terminal servers. The term client/server is often used to describe this type of remote connection to server-based applications.

Although some of these topics have been covered in Chapter 3, for the exam, you must know which types of applications run in each computing environment. For this reason, we will review a couple of these applications, introduce you to a few more, and categorize them into their respective computing environments. What follows is a listing of the applications native to distributed computing.

Applets

As you know, applets are miniature applications that are hosted on a server computer and transferred to a client computer upon request. They can perform a host of different functions and are intended to run within other applications, such as a Web browser. Most modern browsers have the ability to restrict what an applet can and cannot do. Security concerns related to applets include file read/write access, transmission of a user’s e-mail address, and reporting about which Web sites a user visits. Although Java Applets and ActiveX controls were discussed earlier in this book, it is important that they be revisited to emphasize their significance in applications development and their place in the distributed computing environment.

Note

The Internet is a prime example of a large-scale distributed computing environment.

Java

Java is an object-oriented programming language that enables the creation of cross-platform applications. Most browsers contain a component called a Java Virtual Machine (JVM), which enables them to independently run Java-based applets. These applets are light in code and can be run from within browsers on any operating system. Generally speaking, Java applets do not have the ability to read or write files on the client computer, nor are they allowed to make network connections, except back to the host from which they originated.

Another security feature of Java applets is that they are prohibited from starting up programs on the client computer. These inherent security features of Java allow a user to safely execute applets that are not trusted (or applets that do not contain a trusted digital signature). In fact, the JVM automatically categorizes any Java applet that is downloaded as unsafe. This is a significant trait because Java applets are often executed without the user’s knowledge. However, there are ways to include a digital signature within the code of a Java applet, enabling some of the built-in security restrictions to be loosened, provided one trusts the source. Opposed to the sandbox method, which places rigid controls upon the actions of an applet, the implementation of digitally signed applets permits a more flexible operating environment.

ActiveX

ActiveX controls, developed by Microsoft, are very similar to Java applets. Opposed to Java applets, which need to be downloaded every time they are needed, ActiveX controls stay resident. This means that they are downloaded only once and when they are needed again, the system refers to the copy on the hard drive. Take a peek into your Windows folder and you’ll probably find some files with the OCX extension. These are ActiveX controls. They can accomplish many of the same tasks as Java applets—and also some that Java can’t—but the security concerns are quite different. ActiveX controls can be granted unrestricted access to a computer’s resources. For this reason, the only ActiveX control that should be executed is one that is digitally signed from a trusted CA. Thankfully, Microsoft’s browser handles this concern automatically.

In Figure 7.1, note that downloading unsigned ActiveX controls is disabled by default. It is possible to change this setting although it is not a recommended action.

click to expand
Figure 7.1: Internet Explorer security settings.

Agents

Agents are applications that automatically collect data or perform predefined tasks on behalf of a user. Just like travel agents or real estate agents, the digital variety of agents tries to turn complicated tasks into a one-step process for the user.

Agents include a wide range of programs and utilities that share these traits. Intelligent agents have the ability to learn and can also possess certain decision-making properties using techniques such as rule-based programming, which will be discussed later. A common example of an agent is one that can browse the Internet in search of data that it has been configured to collect and then deliver it according to a schedule. Popular search engines employ agents (or bots/spiders) that search the Web for new information to include in their databases.

Although they are not the typical example, e-mail clients are another type of agent. Not only can these programs automatically fetch your mail but through the process of filtering, they can also decide the importance of individual pieces of mail. For instance, mail from a particular person might automatically be forwarded to your cell phone upon arrival. Or in another case, mail that contains a certain phrase in the subject line might be deleted upon arrival.

Two common types of agents are known as static and mobile. While static agents typically stay put, mobile agents are capable of roaming networks, copying themselves to other computers, and gathering all sorts of information. The use of mobile agents raises many security issues since they can be used to deliver viruses, Trojans, and other malicious code. A mobile agent could also send sensitive data back to its place of origin, which might be the lair of a malevolent hacker.

Another security concern that pertains to agents involves the agent itself being attacked. A harmless agent that’s going about its business collecting or transporting sensitive data could be attacked by a computer system on the network, resulting in its contents being exposed. This problem is exemplified by the idea of a shopping agent, which travels to several trusted, online establishments looking for the best price. To shop in this way, a user provides the agent (through a browser interface) some form of digital cash, such as a credit card number. When the agent finds the best deal, it makes the purchase. There must be a way to protect these credit card numbers while in transit and encryption techniques are among the solutions being developed to overcome this interesting problem. These kinds of mobile agents, also known as goal-oriented agents, are being used in other areas such as mobile computing (PDAs), and online auctions.

Note

The aim of an agent is to complete tasks for users.

Objects

Objects are self-contained, encapsulated units of code that are divided into a hierarchy of classes and subclasses. A distributed computing environment is an ideal setting for Object-Oriented Programming (OOP) in which applications are designed to work with objects instead of actions. This innovative concept in programming is facilitated by a software component known as an Object Request Broker (ORB). When an object is called by an application, the ORB functions as the negotiator between the application and the client. In other words, the ORB provides clients with access to distributed objects. Developed by the Object Management Group (OMG) and embraced by Netscape Communications, the Common Object Request Broker Architecture (CORBA) is a popular ORB that is playing a part in the advancement of this technology on the Internet. Related technologies include Microsoft’s Component Object Model (COM) and Distributed Component Object Model (DCOM).

In general, OOP allows for the speedy development of cross-platform, reusable applications. The modular, recyclable nature of objects also lowers the cost of development because old objects can easily be inserted into new application development projects.

Objects such as Macromedia Flash movies are everywhere on the Web nowadays. If you tinker with Web sites, you might recall seeing an OBJECT tag followed by a CLASSID attribute in some HTML code. This is one method of referring to a distributed object that resides on a remote machine. OBJECT tags allow the browser (the client) to access an encapsulated software component (the object) that is being distributed by the Web site (the server) in the client/server-based, distributed computing environment called the Internet.

Local/Non-distributed Computing Environment

The non-distributed (or local, centralized) computing environment is one where applications are running in an isolated environment on the local system. This situation presents its own distinct security threats and related safety measures. Understand, non-distributed computing doesn’t suggest that you are totally cut off from the world and locked in a closet with no wires attached to your computer. Viruses, for example, can be contracted by way of downloading e-mail, yet they are in this category. Non-distributed defines the environment with regard to the way programs run. The applications in this section are distinguished by the threats they present to the very system they are running on. For more detailed information on viruses, worms, and other malicious code, refer to Chapter 9. The following sections discuss the non-distributed applications that you should commit to memory.

Note

Security concerns in the non-distributed computing environment are characterized by a threat to the local system.

Viruses

Viruses are small, malicious programs that share common traits such as having bad intentions, running against a user’s wishes and without their knowledge, and the ability to replicate themselves. Viruses are also characterized by their synthetic nature, which means that people make viruses—they are not accidents. Delivery techniques include e-mail, infected disks, and HTML code. There are many types of viruses that will be discussed later on. The following list just briefly defines the few that should be remembered within the context of non-distributed computing:

Boot-sector viruses: This brand of virus, also called Master Boot Record (MBR) viruses, corrupt or alter information in the primary areas of a disk. They can cause serious problems and destroy an entire disk.
Macro viruses: This type, commonly found in Word and Excel files, are usually considered to be low risk. Some can delete files or add interesting captions to your word-processing documents.
File-infecting viruses: File infectors can attach themselves to other programs that appear to be safe only to propagate on the system when the host application is executed.
Stealth viruses: These get their name from the fact that they try to conceal their actions from the user. Masking file size information and removing themselves from memory are two methods by which stealth viruses accomplish this.
Polymorphic viruses: This variety has mutation capabilities that can create a new signature each time. This trait makes them hard to detect because it is a virus’s known signature that gives it away.

Worms

Worms are characterized by their ability to operate independently rather than through the use of a host file. They can replicate themselves with the assistance of innocent e-mail servers and unwitting address books, causing rapid spreading. The ILOVEYOU and Melissa worms worked in this way, bringing thousands of e-mail servers to their knees.

Trojan Horses

Trojan horse is a pretty vague term that is attached to any malicious application that masquerades as a harmless one. Trojans can be used to deliver viruses or worms and they can cause quite a bit of damage. Upon installation, the infamous Back Orifice Trojan allows ill-intentioned crackers to gain complete control of a system over a network connection.

Logic Bombs

This kind of nasty, delayed-reaction program (a.k.a. slag code) executes itself after a certain event takes place, such as on a predetermined date or at a certain time. There can be any number of harmful actions that logic bombs can inflict on a hapless computer. The original CIH (or Chernobyl) virus worked in this manner. It was programmed to explode on April 26th, the anniversary of the Chernobyl disaster.

Application Hardening

Because the applications that power computers and networks are so diverse, numerous, and highly accessible, keeping them all up-to-date and secure is a tall order. To harden an application means to make it more secure by adding features, restricting access, removing unnecessary services, and staying on the cutting edge of software technology. Hardening an application, server, or operating system involves the implementation of many different hardware and software components. User authentication features must be used to their fullest potential on machines with high visibility, such as on the Internet or other network.

Whether it’s applying service packs, or configuring firewalls to restrict application access, someone must ensure that applications are kept up-to-the-minute with the latest fixes and the newest (stable) security components. Why is this so important? Glad you asked. The reason is nothing makes a cracker’s job easier than finding that they are still able to exploit a security loophole in your system even though it’s been widely publicized for weeks or months. You see, the crackers and thugs are reading the news, too. Security advisories (or bulletins) seem to come out daily. They are reporting recently discovered flaws in this application, or that OS, continually. The moment a new security bug is discovered in a particular Web server, for instance, the malicious user will get online and try to take advantage of it.

In order to protect these applications, security professionals cannot slack off in this area. The overwhelming number of security bulletins and associated updates that get released cause many people to ignore the warnings and simply wait for the full product upgrades. This behavior should be avoided—the best defense is to stay current and read, read, read! One way to stay ahead of the game is to subscribe to e-mail security bulletins (or mailing lists) that report updates to the applications you rely on. In the following pages, we will talk about the different types of hardening techniques and how they lower the risk of attack.

Note

Application hardening involves the use of software mechanisms such as updates and virus scanning as well as hardware-based techniques, such as the use of firewalls.

Updates

Updates come in many formats and they are the simplest way to bring an application or device up to current standards. Frequent updates can cut support costs because they resolve most technical support issues automatically. This keeps users and administrators happy. Most vendors will supply some sort of update management tool that can automate the process. When dealing with updates across multiple computers in a production environment, it is always a good idea to first test them in a smaller, controlled group.

Many hardware devices, such as routers, include microchips that contain software components. Much like a mini OS, these hardware-based software mechanisms (known as firmware) control the functions of the device. Router firmware updates are simplified through the use of the Trivial File Transfer Protocol (TFTP). This protocol is known as trivial because it can be implemented with just a few lines of code, making it ideal for the small chips inside routers. Router manufacturers regularly update their TFTP servers with the latest version of each router’s firmware. This process makes it possible to teach old devices new tricks.

If a security bug in a router’s program is found, a quick firmware update can usually fix it. To update firmware, typically, a connection is made to the router through a Telnet session where the TFTP server IP address is entered. The firmware update is located, downloaded, applied, and then the router is restarted. As with any other update, it’s important to read the manufacturer’s instructions before altering your router’s firmware. A firmware update could cause problems depending on your network configuration and you might not even need the update. Also, backing up the router’s configuration is a good idea before doing an update because could cause data loss.

Another software component that requires regular updates are drivers. Drivers help applications communicate with hardware and a defective driver could present a security problem.

The following list explains the types of updates to be familiar with. These categories apply to the many updates intended for client applications, operating systems, firmware, and the various types of server applications that will be discussed shortly.

Hot-fixes: This type of update takes place while an application is operating. Hot-fixes are typically released to address a very specific bug or security concern. When a security bulletin hits the front page, hot-fixes are rushed out to consumers. This rush sometimes produces unreliable—even hazardous—code because little testing is done on these quick remedies. Always read any documentation that accompanies hot-fixes because it just might save a great deal of time. Hot-fixes are usually released between service packs.
Service packs: In Microsoft terms, a service pack (SP) is a collection of fixes and updates to an OS or application. They are all-in-one update kits, if you will. Although SPs are mostly just collections of fully tested hot-fixes, they might also include other utilities and updates as well as complete product upgrades.
Patches: Although the terms patch, fix, and update are often used loosely and interchangeably, patches have a few features that distinguish them from the others. First, patches are called by this name because they tend to add something to an executable file. They are patched (or inserted) into programs to fix a bug or add functionality. Patches are independent bits of object code that integrate with an application that is already running on a system. They can be thought of as bandages because they temporarily fix a bug until a more complete update can be developed.
Upgrades: While updates, patches, fixes, and service packs are normally available as free downloads, product upgrades provide a jump to a completely new version of an application and most often come at a price. The main difference between an update and an upgrade is in the numbers. An update will contain minor changes and error corrections, advancing the number to the right of the decimal point in a product version. For example, you might apply an update to ACME Web Server 4.1, bringing it up to Version 4.2. An upgrade, however, signifies a new product release, characterized by an increase in the number to the left of the decimal point. Hence, upgrading ACME Web Server 4.2 would bring it to Version 5.0.

Hardening Server Applications

The programs that run in the server environment tend to have more responsibilities than their client-based counterparts. Consequently, security bugs or other flaws in these programs will cause more widespread damage, data loss, or privacy leaks. It’s also the server apps that are the focus of most attacks. For these reasons, more effort is centered on tempering the applications and devices that provide network/resource access. Let’s take a look at how the primary types of server applications are strengthened and why.

Web Servers

The applications that drive Web servers bridge the gap between internal databases and the rest of the world. Machines that serve HTTP requests are among the most widely harassed on the Internet. When Web server applications are installed, the default settings will likely open up a plethora of vulnerabilities, and if your server has not been hardened, you are at risk—period.

Threats to Web servers include Denial of Service (DOS) attacks, breaches in SSL security, and plain old password guessing. Although not widely publicized, there have been attacks on major online vendors that resulted in the disclosure of “private” credit card information. SSL has also had its share of updates regarding security flaws.

Hardening techniques for the high-risk applications that power Web servers include blocking unused TCP/IP ports through the use of firewalls or other means, renaming administrator accounts, adding special software that can recognize (and deny) spoofed TCP/IP packets, and employing SSL on all secured pages. Directory browsing should be disabled, along with any unused services, protocols, or executables. If remote management is a necessary feature, make sure that encryption is used and strict policies regarding password strength and rotation are in place. Any other required access points should be fortified with proper authentication techniques. If possible, replace Telnet with SSH. Ongoing installation of the latest updates is also an essential hardening tool. For example, the Nimda and Code Red worms continue to attack Microsoft IIS-based Web servers even though a fix has been available for some time.

E-mail Servers

The first thing that comes to mind when considering the protection of mail servers is viruses. Although many viruses propagate by exploiting the address books of e-mail clients, they would never reach the client if they got stopped at the server. Virus protection hardens mail servers in the same way it protects the desktop by placing suspect code/attachments in quarantine. This prevents infections from spreading to the clients served by the system.

Not only can a mail server contract a virus but it can also be brought to its knees by a flood of self-duplicating, infected mail messages that the server itself is immune to. One drawback of mail server virus scanning is a decline in performance because the server must process each message in the search for viruses. Viruses are not the only threat here. The major protocols that mail servers use—SMTP, POP3, and IMAP—have some built-in weaknesses. The Simple Mail Transfer Protocol (SMTP) handles client requests for sending mail. An SMTP server should be secured by requiring some form of authentication before processing these requests. This can be accomplished by way of a username and password or by denying requests from outside the subnet/domain. SMTP can also be configured to use SSL to encrypt client/server traffic. If an individual could gain access to the SMTP service, they could bring a mail server down with a barrage of unauthorized outgoing messages.

The Post Office Protocol version 3 (POP3) and Internet Message Access Protocol (IMAP), which handle client requests for mail retrieval, typically are secured by a user name and password. However, the standard versions of these protocols are insecure because passwords are sent in plain text and could get sniffed out. Like SMTP, POP3 and IMAP can be configured to use SSL, thus encrypting traffic so that passwords (and therefore mail) do not get stolen. Secure versions of SMTP, POP3 and IMAP are known as SMTPs, POP3s and IMAPs. Kerberos and S/MIME can also be used to secure traffic between mail clients and servers.

Another concern of the e-mail server administrator is spam—unsolicited e-mail messages that are often sent to large groups of users at once. The bona fide scourge of the Internet, spam clogs servers with huge amounts of messages. Unless some kind of filtering is in place, a mail server will waste everyone’s time and money processing these e-mails. There are laws in place (http://www.spamlaws.com) governing the transmission of unsolicited electronic messages.

FTP Servers

The File Transfer Protocol (FTP) provides a speedy method of transferring files between clients and servers. FTP servers provide user authentication via passwords and they can incorporate password encryption techniques just like mail servers.

One feature of an FTP server that should be disabled in a high-risk environment is the anonymous logon, which allows any user to establish a connection. FTP servers can also fall victim to bounce attacks. This type of attack is enabled by the misuse of the FTP PORT command. An FTP server vulnerable to this type of siege can be protected by proper updates or the addition of IP filtering techniques to the server/firewall.

DNS Servers

As discussed in Chapter 5, if DNS (Domain Name Server) zone data is altered, there can be problems. Altering this type of information (known as DNS poisoning) can lead to e-mail theft, spoofing attacks, and masquerading Web sites. At the cost of performance, DNSSEC fixes the problem by encrypting zone data. Another set of issues involves the ISC (Internet Software Consortium) DNS server product known as BIND (Berkeley Internet Name Domain), which powers a large portion of name servers on the Internet. Recent reports have publicized several security vulnerabilities in older versions of BIND. These include buffer overflow problems, Denial of Service issues, and exposure to info leaks that can cause the disclosure of sensitive server information by means of specially formatted inverse queries.

Inverse (or reverse) DNS queries are requests for domain names when all one has are IP addresses. This is opposite from the typical request a browser sends to a DNS server when you type in a domain name and you get an IP address in return. There are fixes that prohibit the damage a mal-formatted reverse DNS lookup can cause. As with other types of server applications, staying informed and applying current updates will fix most problems. IP address logging is also essential because in a post-attack investigation, it is helpful to see where IP packets were coming from and going to.

NNTP Servers

Running services on port 119, a Network News Transfer Protocol (NNTP) server provides forums, known as newsgroups, that cover a mind-numbing array of topics. The worldwide collection of NNTP servers is called Usenet. Like e-mail servers, NNTP servers are prone to spam and filtering can help blot it out. By nature, access to news servers, usually provided by an ISP, is widely unregulated. This results in an inundation of bogus messages, advertisements, objectionable material, and dangerous code.

Because many NNTP servers allow files to be attached to messages, any type of harmful program could accompany a Usenet message or post. For this reason, virus scanning is implemented on news servers, too. NNTP servers are prone to DoS attacks and other insults, so the same general policies as the previous server applications apply to NNTP hardening as well.

DHCP Servers

A Dynamic Host Configuration Protocol (DHCP) server is constantly listening for client requests for IP addresses. Malformatted requests can expose vulnerabilities in DHCP servers. One hardening technique for internal DHCP servers that combats this is called ingress filtering, where the server or firewall is configured to prevent ingress (or incoming) access to the server from outside the network. If the DHCP server must reside outside the immediate network or beyond the protection of a firewall, it must be prevented from assigning IP addresses to unauthorized clients. If this were to happen, an attacker could gain access to network resources. Reducing the DHCP scope to the smallest workable range can minimize this threat.

Another preventative measure is to extend lease times, reducing the possibility of an unused IP being stolen. Still another trick is to map (or reserve) IP addresses based on the known MAC addresses of authorized clients. There have even been instances where DHCP server vulnerabilities enabled malicious servers to execute harmful commands on the client. The best hardening technique for issues like this—read, update, read, patch, read, hot-fix, and so on.

Data Repositories

A descendent of the data dictionary, data repositories are characterized by having large amounts of data from multiple sources. They can store any number of data types but they mostly contain information related to the internal structure of an organization, such as objects, business models, or even references to other databases. The next section in this chapter covers databases and database security in more detail.

The use of directory services is one method used to harden a data repository. The X.500 standard specifies a structure for this type of global, centralized directory. The familiar Lightweight Directory Access Protocol (LDAP) provides directory services. While offering much of the functionality of a full-blown, X.500-defined OSI directory service, LDAP does not require as much computing power. Other products such as Microsoft’s ADS (Active Directory Services) or Novell’s NDS (Novell Directory Services) offer directory services for their respective environments. ADS and NDS act as the central network authority, providing access to virtually anything in a distributed computing environment. Printers, files, programs, databases, and other resources are classified in the directory, and access is given to users based on their predetermined rights.

File/Print Servers

The most important aspect of hardening an intranet file/print server is securing the physical machine itself. Other than issues regarding unauthorized physical access, the same threats apply to these types of servers as with the others. Most issues are managed with the proper authentication techniques, virus scanning, and so on. On Internet-connected Intranet servers, unauthorized access from outside the LAN must be prevented in order to protect resources. Firewall software or hardware can block most traffic from the Internet easily. If authorized connections must be made to intranet servers from the outside world, they should be secured by VPN, SSH, or another sound method.

Remember the CIA Triad?

Illustrated in Figure 7.2, Confidentiality, Integrity, and Availability are three terms that arise often in the discussion of security. Within the context of application hardening, they are at center stage. Regardless of the type of server application you are hardening, several practices that address this trio of concerns should always be observed. To harden the confidentiality of server data, encryption-enabled protocols like SSL (aided by digital certificates) and SSH should be used. Strict authentication measures are also essential.

click to expand
Figure 7.2: The CIA Triad.

To harden the integrity of server resources, elements such DNSSEC with its hashing capabilities should be added to the mix. Because viruses and many other attacks can affect the availability server resources adversely, virus scanning and packet/port filtering must be put into place. Data backups, secondary servers, RAID arrays, server clusters, mirroring, replication, backup power sources, and other redundancy systems protect availability as well. In general, the avoidance of so-called single points of failure helps to protect resource availability.

Logging application activity is one way to help detect attacks that happen unexpectedly. Detailed logs can also help prevent future attacks. However, logging itself won’t do any good unless someone reads the logs.

Always question the default installation settings and paths of any server application. If everything is not where it’s supposed to be, an attacker might give up before finding application-critical executables or databases.

Have your server page or beep you when it experiences a serious error. Also, remember that password-based access methods are susceptible to brute force password guessing, so tighten password policies to prevent access. Again, it is essential to stay on top of updates via mailing lists or security bulletins. Usenet newsgroups also provide a valuable source of helpful information concerning bugs and fixes. Physical security procedures apply to any server and the applications it’s running because a potential threat could be within the walls of your organization.

Note

Hardening methods that apply to all types of servers include updates, logging, encryption, strict authentication, and disabling unused services and user accounts.

However clichéd, memory aids such as the CIA triad can be very useful. So much so, that many successful test takers use memory-jogging devices like this—known as mnemonics—to help burn all kinds of data into their brains. Do you need proof? Recall the names of the Great Lakes. You probably think of the H-O-M-E-S mnemonic right away. Or maybe, for all you music fans out there, you once used the mnemonic, Every Good Boy Does Fine, to remember the notes in a musical staff. Not only can these help you remember groupings of items, but they will also assist in recalling the specific order of items in a group. So go ahead, make up a few of your own. Put them to a tune. Be creative. You’ll be surprised how much they help on exam day.

< Free Open Study >