Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC
Security+ Chapter 1 – Basics of Security Brian E. Brzezicki
First Some Terms (NB)
First we have to discuss some terms we will use again and again:
- Protocol – an official set of steps or language for communication
- Algorithm – a specific set of steps to solve a problem or do some task
- String – a series of characters. Example: if a character can be a-z or 0-9, an 8-character string might be "ar01z14b"
- Control – a countermeasure or attempt to mitigate a security risk. Examples: a firewall is a technical control; policies are administrative (management) controls; encryption is a technical control.
CIA No… Not that CIA
CIA (54-57)
3 Fundamental Principles of Security:
- Confidentiality controls
- Integrity controls
- Availability controls
Closely related: Non-repudiation controls
Defense in Depth (58-59)
No one security control should be completely relied upon. Instead have many overlapping security controls:
- Network-based firewall
- Host-based firewall
- IDS system
- Access controls
- Proper patching and maintenance practices
This is also referred to as "Layered Security".
Diversity of Defense (n/b)
Within a single control type, use multiple vendors/models (for example, a different firewall product at the perimeter than in front of the server segment), so that one vendor's bug or weak default does not defeat every layer at once.
Why? Examples?
Implicit Deny (59)
Fundamental security rule: if you do NOT explicitly have authorization, then you are implicitly DENIED access. This should be the default rule for ALL access controls. Usually seen in firewalls and access control lists: rules are checked in order and anything that matches no rule is dropped. Many administrators still end a rule base with an explicit deny-all so that the dropped traffic is logged.
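The rule-evaluation behaviour described above, as an added example (not code from the slides): a first-match packet filter whose only fallback is deny. The rule fields, the sample rule base and the test packets are constructed for illustration.

```python
# Added example: first-match rule evaluation with an implicit deny.
# Rule layout and sample addresses are constructed, not from the slides.
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR, e.g. "10.0.0.0/8"
    dst: str               # CIDR
    dport: Optional[int]   # None means any destination port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins. If nothing matches the answer is 'deny':
    the implicit deny is the default, not a rule someone has to remember to write."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return "deny"


# Constructed rule base: public web traffic to a DMZ, SSH to internal hosts
# only from the admin network. Nothing else is mentioned, so nothing else passes.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0",    "192.0.2.0/24", 443),
    Rule("allow", "tcp", "0.0.0.0/0",    "192.0.2.0/24", 80),
    Rule("allow", "tcp", "10.10.0.0/16", "10.0.0.0/8",   22),
]


def demo() -> dict:
    """Four constructed packets; the last two hit no rule and are implicitly denied."""
    return {
        "web_to_dmz":    evaluate(RULES, "tcp", "203.0.113.5", "192.0.2.10", 443),
        "admin_ssh":     evaluate(RULES, "tcp", "10.10.3.4",   "10.20.0.9",  22),
        "user_ssh":      evaluate(RULES, "tcp", "10.30.3.4",   "10.20.0.9",  22),
        "telnet_to_dmz": evaluate(RULES, "tcp", "203.0.113.5", "192.0.2.10", 23),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

Reordering the rules changes the outcome only for packets that match more than one rule; packets that match none are denied regardless of order, which is the property the slide is describing.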
Use Devices as Intended (60)
Security devices have been hardened for their role; do NOT intermingle security and non-security functions on the same device, as you weaken the security and provide attack vectors. Similarly, try to run every service in your network on a separate server dedicated only to that task. Virtualization makes this EASY today!
Authentication
Proving that you are who you say you are. 3 factors:
Something you __________________ (more details of each in the next slides)
Something You Know (61-65)
Passwords – what's a password?
- Use strong passwords. What does that mean?
- Do not write down passwords
- Do not share passwords
- Change passwords regularly. How often?
- Do not reuse passwords
- Use account lockout policies. What is a lockout policy?
- Change system default passwords
- Inform users of previous logons
Something You Know – Passphrase
Passphrase: I Like Iced Tea And Lemon With Cranberry
Take the first letter of each word: I L I T A L W C
Then substitute characters to strengthen it (as shown on the slide): 1 L 1 ! w c
Something You Have (65-67)
Something You Are (67-69)
Biometrics: physically based or behaviorally based. What is the difference between these two?
Type 1 (false rejection) and Type 2 (false acceptance) errors, CER (images in a few slides)
- Fingerprint
- Voice print
- Iris scan (see next slide)
- Retinal scan (see next slide)
- Face geometry
- Keystroke dynamics
Finger Print
Retina Scan
Iris Scan
CER (n/b)
Crossover Error Rate (CER) is an important metric, stated as a percentage, that represents the point at which the false rejection rate (FRR, Type 1 errors) equals the false acceptance rate (FAR, Type 2 errors). Use CER to compare vendors' products objectively. A lower CER is better/more accurate (a CER of 3% is better than 4%). Also called Equal Error Rate (EER). Note that the CER is a single operating point: tuning the matching threshold stricter than the crossover trades more false rejections for fewer false acceptances, and looser trades the other way.
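How the crossover is actually found, as an added example (not from the slides): sweep the matcher's decision threshold, compute FRR and FAR at each value, and take the threshold where the two rates meet. The genuine and impostor score samples are constructed, not real biometric data.

```python
# Added example: FRR, FAR and crossover (equal) error rate from score samples.
# The score lists are constructed; a real evaluation would use thousands of trials.

# Similarity scores in [0, 100]; higher means "looks more like the enrolled user".
GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 66, 58, 52, 44]   # same person, should be accepted
IMPOSTOR = [70, 62, 57, 55, 50, 47, 45, 43, 40, 38, 35, 30]  # other people, should be rejected


def frr(threshold: int, genuine) -> float:
    """False Rejection Rate (Type 1): legitimate users scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold: int, impostor) -> float:
    """False Acceptance Rate (Type 2): impostors scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover_error_rate(genuine, impostor):
    """Return (threshold, CER). The threshold is swept over the score range and the
    point with the smallest |FRR - FAR| is reported; with discrete scores the curves
    may not cross exactly, so the CER is the mean of the two rates at that point."""
    best = None
    for t in range(0, 101):
        f_r, f_a = frr(t, genuine), far(t, impostor)
        gap = abs(f_r - f_a)
        if best is None or gap < best[0]:
            best = (gap, t, (f_r + f_a) / 2)
    return best[1], best[2]


def error_table(genuine, impostor, step: int = 10):
    """Rates at a few thresholds, to see the trade-off either side of the crossover."""
    return [(t, frr(t, genuine), far(t, impostor)) for t in range(0, 101, step)]


if __name__ == "__main__":
    for t, f_r, f_a in error_table(GENUINE, IMPOSTOR):
        print(f"threshold {t:3d}: FRR {f_r:.2f}  FAR {f_a:.2f}")
    t, cer = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t}: CER {cer:.1%}")
```

With the constructed samples the curves meet at threshold 58, where two of twelve genuine users are rejected and two of twelve impostors are accepted (CER about 16.7%). Comparing two vendors means running each product's scores through the same procedure and picking the lower CER.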
CER (n/b)
Multifactor Authentication (69)
For best security, use 2 or more of these factors for authentication. This is called "multi-factor" authentication or "strong authentication".
Why use multifactor authentication? Is a password and a passphrase multifactor?
Identity Proofing (69)
Verifying that someone is who they say they are before issuing authentication credentials, either initially or after the credentials are lost. This is NOT authentication, but the two work hand in hand: someone must prove their identity before getting authentication credentials.
Password Reset Systems (71)
Allow users to reset their own passwords; often saves IT staff time and money.
- Cognitive passwords. Issues?
- A password reset link
- Physically mail a new PIN
Kerberos (71)
A network authentication protocol developed at MIT as part of Project Athena. Kerberos tries to provide secure authentication over an insecure network.
- Used in Windows 2000+ and some Unix systems
- Allows for single sign on
- Never transfers passwords over the network
- Uses symmetric (secret-key) encryption to verify identities
Kerberos Components
- Principals – users or network services
- KDC – Key Distribution Center, stores the secret keys (derived from passwords) for all principals
- Tickets:
  - Ticket Granting Ticket (TGT) – gets you more tickets
  - Service tickets – access to specific network services (e.g. file sharing)
- Realms – a grouping of principals that a KDC provides service for; looks like a domain name (conventionally written in upper case). Example: SOMEDEPARTMENT.MYCOMPANY.COM
Kerberos Concerns
- Computers must have clocks synchronized within 5 minutes of each other
- Tickets are cached on the workstation. If the workstation is compromised, the cached tickets can be reused and your identity forged.
- Single point of failure if there is no backup KDC
- If your KDC is hacked, all security is lost (the attacker holds every principal's key)
- Uses TCP and UDP port 88
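To make the component slide and the concerns slide concrete, here is an added, simplified model of the AS and TGS exchanges. It is example code, not Kerberos itself: the cipher is a stand-in (SHA-256 keystream plus HMAC tag) for the AES encryption types real Kerberos uses, the realm, principal names, passwords and clock values are constructed, and pre-authentication and the AP exchange are omitted. It shows the three properties the slides state: the password never leaves the client, a ticket cache is as good as the password, and a clock more than 5 minutes out gets the authenticator rejected.

```python
# Added example: toy Kerberos AS/TGS exchange. Stand-in cipher, constructed names.
import hashlib, hmac, json, os

REALM = "EXAMPLE.COM"     # constructed realm
MAX_SKEW = 300            # seconds: the 5-minute clock rule
TICKET_LIFE = 8 * 3600


def string_to_key(password: str, principal: str) -> bytes:
    # Long-term key derived from the password. The KDC stores only this key and the
    # client re-derives it locally, so the password itself never crosses the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{REALM}/{principal}".encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))


def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC stand-in for a Kerberos encryption type: nonce||ct||tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self, passwords: dict):
        self.keys = {p: string_to_key(pw, p) for p, pw in passwords.items()}  # passwords discarded

    def as_exchange(self, client: str, now: float):
        """AS-REQ/AS-REP: a TGT sealed with the krbtgt key, plus the session key
        sealed with the client's long-term key. Only the real owner can open the reply."""
        session = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"], {"client": client, "session": session, "expires": now + TICKET_LIFE})
        return tgt, encrypt(self.keys[client], {"session": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """TGS-REQ/TGS-REP: the TGT says what the KDC issued; the authenticator (sealed
        with the session key, carrying a fresh timestamp) proves the presenter holds
        that key and is not replaying an old capture."""
        t = decrypt(self.keys["krbtgt"], tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        a = decrypt(bytes.fromhex(t["session"]), authenticator)
        if a["client"] != t["client"] or abs(now - a["timestamp"]) > MAX_SKEW:
            raise PermissionError("authenticator rejected: name mismatch or clock skew")
        svc_session = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"client": t["client"], "session": svc_session, "expires": now + TICKET_LIFE})
        return ticket, encrypt(bytes.fromhex(t["session"]), {"service": service, "session": svc_session})


def login(kdc: KDC, user: str, password: str, now: float):
    """Client side of the AS exchange: derive the key locally and open the AS-REP."""
    tgt, reply = kdc.as_exchange(user, now)
    return tgt, bytes.fromhex(decrypt(string_to_key(password, user), reply)["session"])


def demo() -> dict:
    kdc = KDC({"krbtgt": "kdc-master-secret", "alice": "correct horse battery", "cifs/fs1": "svc-secret"})
    kdc_clock = 1_700_000_000.0
    tgt, session_key = login(kdc, "alice", "correct horse battery", kdc_clock)
    out = {}
    auth = encrypt(session_key, {"client": "alice", "timestamp": kdc_clock + 30})
    ticket, _ = kdc.tgs_exchange(tgt, auth, "cifs/fs1", kdc_clock)
    out["ticket_issued_to"] = decrypt(kdc.keys["cifs/fs1"], ticket)["client"]
    try:                                   # wrong password: the AS-REP cannot be opened
        login(kdc, "alice", "wrong", kdc_clock)
        out["wrong_password"] = "accepted"
    except ValueError:
        out["wrong_password"] = "rejected"
    try:                                   # workstation clock 10 minutes fast
        kdc.tgs_exchange(tgt, encrypt(session_key, {"client": "alice", "timestamp": kdc_clock + 600}), "cifs/fs1", kdc_clock)
        out["skewed_clock"] = "accepted"
    except PermissionError:
        out["skewed_clock"] = "rejected"
    # Stolen ticket cache: TGT + session key are all an attacker needs; the KDC
    # cannot distinguish this request from alice's own.
    stolen = encrypt(session_key, {"client": "alice", "timestamp": kdc_clock + 60})
    out["stolen_tgt"] = "accepted" if kdc.tgs_exchange(tgt, stolen, "cifs/fs1", kdc_clock) else "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The KDC's `keys` dictionary is the "if your KDC is hacked, security is lost" point: whoever reads it can mint tickets for any principal. The skew check is why the slide insists on synchronized clocks; without it the authenticator's timestamp would give no replay protection.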
LDAP (73)
A centralized directory of users and objects. LDAP (Lightweight Directory Access Protocol) is the protocol used to query and update an X.500-style directory. Active Directory implements LDAP.
LDAP ports: TCP/389 (plain, or upgraded to TLS with StartTLS) and TCP/636 (LDAPS, SSL/TLS from the start).
Mutual Authentication (73)
The process of having BOTH the client authenticate to the server AND the server authenticate to the client.
Are you safe when you go to a website that asks for a username and password? How do you really know it's the website?
Should the client authenticate to the server first, or the server to the client? Does it matter which order?
Single Sign On
I love having 40 different passwords… I just carry them all around on a laminated card in my wallet ;-)
What's the purpose of single sign on? Advantages? Disadvantages?
SIDs and UIDs (74)
In any environment where you want to have access control, you MUST uniquely identify subjects. Most systems have a friendly username, but the system tracks the subject by a number (similar to an SSN).
- SID (Windows): the last component of the SID, the relative identifier (RID), identifies the account within its domain. Example: RID 500 = the built-in Administrator account, RID 512 = the Domain Admins group
- UID (Unix): example: UID 0 is the superuser (root) on Unix systems
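Because the friendly name is not what the system checks, a reviewer or forensic analyst often has to read SIDs directly from tokens, ACLs or the registry. The added example below (not from the slides) parses the string form, converts to and from the binary layout Windows stores, and classifies the RID against a few well-known values. The sample SID is constructed.

```python
# Added example: Windows SID parsing and RID classification. Sample SID constructed.
import struct

# Well-known RIDs (the last sub-authority of a domain or local-machine SID).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}


def parse_sid_string(sid: str):
    """'S-1-5-21-a-b-c-512' -> (revision, identifier authority, [sub-authorities])."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each sub-authority as a
    32-bit little-endian integer. This is the layout found in tokens and ACLs."""
    revision, authority, subs = parse_sid_string(sid)
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(blob: bytes) -> str:
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<" + "I" * count, blob[8:8 + 4 * count])
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def classify(sid: str) -> str:
    """Name the RID of a domain/local account SID (S-1-5-21-<3 domain words>-<RID>)."""
    revision, authority, subs = parse_sid_string(sid)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        return WELL_KNOWN_RIDS.get(rid, f"RID {rid} (ordinary account or group)")
    return "built-in or well-known SID (no domain RID)"


if __name__ == "__main__":
    sample = "S-1-5-21-1004336348-1177238915-682003330-512"   # constructed
    print(classify(sample), sid_to_bytes(sample).hex())
```

The domain part (the three sub-authorities after 21) is the same for every account in a domain; the RID is what distinguishes them, which is why renaming the Administrator account does not hide it from anyone who can read RID 500.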
Windows ACLs
The basic NTFS ACL permissions are:
- Full Control
- Modify
- Read
- Read and Execute
- Write
(Folders also have List Folder Contents.) An explicit Deny entry is evaluated before an Allow entry for the same subject.
Network Authentication (78)
There are different ways to validate your identity over the network. For the Security+ exam you should be aware of the following, which will be discussed on the upcoming slides:
- PAP
- CHAP
- MS-CHAP
- MS-CHAPv2
- RADIUS
- TACACS+
PAP (79)
Password Authentication Protocol – simply put, your username and password are sent over the wire in cleartext.
Advantages: simple, supported everywhere.
Disadvantages: anyone who can sniff the link reads the password and can replay it.
CHAP
Challenge Handshake Authentication Protocol – avoids ever sending the password. The server knows your password, as do you.
1. Server creates a random "challenge" (the slide's example: "banana" plus an increasing number, i.e. an identifier that changes each time)
2. You take the identifier + your password + the challenge, hash them (MD5 in the standard), and send the hash to the server
3. Server calculates the hash the same way and compares; if your hash matches its hash, you must be who you say you are
Advantages:
- Avoids replay attacks, because each challenge is different
- Never sends the password in plaintext
Disadvantage: the server must hold the password in cleartext (or a reversible form) to compute the same hash.
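The three steps above, as an added example (not from the slides), following the RFC 1994 layout where the response is MD5(identifier || secret || challenge). The peer name and shared secret are constructed; the challenge comes from the OS random source. The demo captures a valid response and replays it against a fresh challenge to show why the challenge defeats replay.

```python
# Added example: CHAP (RFC 1994) challenge/response with a replay attempt.
# Peer secrets are constructed. Note the server holds the secret in the clear.
import hashlib, hmac, os

SECRETS = {"alice": b"s3cret-shared-with-server"}   # constructed peer -> secret


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Step 2: hash of the one-byte identifier, the secret, and the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.pending = {}          # identifier -> outstanding challenge (one use each)

    def new_challenge(self, identifier: int) -> bytes:
        """Step 1: a fresh random challenge, remembered until it is answered."""
        challenge = os.urandom(16)
        self.pending[identifier] = challenge
        return challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute with the stored secret and compare. The challenge is
        removed on first use, so the same response can never be accepted twice."""
        challenge = self.pending.pop(identifier, None)
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)


def demo_replay():
    """Returns (genuine login accepted?, replayed response accepted?)."""
    server = ChapServer(SECRETS)
    c1 = server.new_challenge(1)
    r1 = chap_response(1, SECRETS["alice"], c1)      # what the real client sends
    first = server.verify(1, "alice", r1)
    server.new_challenge(2)                           # later session, new challenge
    replayed = server.verify(2, "alice", r1)          # attacker replays the captured r1
    return first, replayed


if __name__ == "__main__":
    print(demo_replay())
```

The captured response is useless against the second challenge because the hash input changed. What the sniffer does get is (identifier, challenge, response), which is enough for an offline dictionary attack on weak secrets; that is the same exposure CHAP's successors in this chapter are trying to reduce.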
MS-CHAP (81)
A Microsoft version of CHAP that does not require the password to be stored in cleartext (the server keeps the NT hash instead).
MS-CHAPv2 allows for mutual authentication. Its response is still built with DES from that hash, so a captured exchange can be attacked offline; run it only inside a protected tunnel (e.g. PEAP or EAP-TLS).
Radius (83)
Network AAA protocol. Connectionless, using UDP.
Ports used: 1812/UDP (authentication and authorization), 1813/UDP (accounting); older deployments used 1645/1646.
Main messages sent:
- Access-Request
- Access-Challenge
- Access-Accept
- Access-Reject
(more)
Radius (83) (continued)
- Uses attribute-value pairs (AVPs); the attribute type field is 8 bits, so at most 256 attribute types exist. Example: Framed-IP-Address
- Can carry PAP, CHAP or EAP for authentication
Problems:
- No encryption of packet contents; only the User-Password attribute is obfuscated (keystream derived from the shared secret), so usernames and everything else are readable on the wire
- Limited permission/attribute space (8-bit type field)
- Authentication and authorization are bundled in one exchange
- Server cannot "kick off users" from the NAS (in the base protocol; the later Change-of-Authorization/Disconnect-Request extension, RFC 5176, adds this)
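The attribute-value pair layout and the User-Password hiding from RFC 2865, as an added example (not from the slides). Building one Access-Request and then parsing it back the way a sniffer would shows the two problems above directly: the 8-bit type field, and that only User-Password is obfuscated while User-Name and NAS-IP-Address travel in the clear. The shared secret, username, password and NAS address are constructed.

```python
# Added example: RADIUS Access-Request with AVPs and RFC 2865 §5.2 password hiding.
# Secret, user, password and addresses are constructed values.
import hashlib, os, struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8


def avp(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte) + Length (1 byte, includes the 2-byte header) + Value.
    One byte of type is why there are at most 256 attribute types."""
    if not 0 <= attr_type <= 255 or len(value) > 253:
        raise ValueError("attribute type or value out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """c1 = p1 XOR MD5(secret + RequestAuthenticator), c_i = p_i XOR MD5(secret + c_{i-1}).
    This is obfuscation keyed on the shared secret, not authenticated encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """The server side (or anyone holding the shared secret and the capture)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret: bytes, identifier: int, username: str, password: str,
                         nas_ip: str, authenticator: bytes = None) -> bytes:
    """Code (1) + Identifier (1) + Length (2) + Request Authenticator (16) + AVPs."""
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes):
    """What a sniffer sees: walk the AVPs after the 20-byte header."""
    attrs, i = [], 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs.append((attr_type, packet[i + 2:i + length]))
        i += length
    return attrs


if __name__ == "__main__":
    secret = b"testing123"                       # constructed shared secret
    pkt = build_access_request(secret, 7, "alice", "pass", "10.0.0.1")
    for attr_type, value in parse_attributes(pkt):
        print(attr_type, value)                  # only type 2 is not readable as typed
```

Everything the NAS sends except the hidden password is plaintext, and the hiding itself falls to anyone who learns the shared secret, which is why RADIUS is normally kept on a management network or wrapped in IPsec/TLS.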
TACACS+
- Similar to RADIUS: used for network AAA
- Created by Cisco
- Attribute-value pairs
- Designed to separate each of the AAA components (authentication, authorization and accounting can be handled independently)
- Encrypts the entire packet body, not just the password (unlike RADIUS)
- Uses TCP/49