Principles of Computer Security: CompTIA Security+® and Beyond, Third Edition © 2012


General Security Concepts
Chapter 2

Objectives
Define basic terms associated with computer and information security.
Identify the basic approaches to computer and information security.
Distinguish among various methods to implement access controls.
Describe methods used to verify the identity and authenticity of an individual.
Recognize some of the basic models used to implement security in operating systems.

Key Terms
*-property
Access control
Auditability
Authentication
Availability
Bell-LaPadula security model
Biba security model
Clark-Wilson security model
Confidentiality
Data aggregation
Diversity of defense
Hacking
Host security
Implicit deny
Integrity
Layered security

Key Terms (continued)
Least privilege
Low-Water-Mark policy
Network security
Nonrepudiation
Operational model of computer security
Phreaking
Ring policy
Security through Obscurity
Separation of Duties
Simple Security Rule
Social engineering

Basic Terms
Hacking
  – Previously used as a term for a person who had a deep understanding of computers and networks. He or she would see how things worked in their separate parts (or hack them).
  – The media has now redefined the term as a person who attempts to gain unauthorized access to computer systems or networks.
Phreaking
  – Hacking of the systems and computers used by phone companies

The CIA of Security
CIA
  – Confidentiality
  – Integrity
  – Availability
Additional Concepts
  – Authentication
  – Nonrepudiation
  – Auditability

The Operational Method of Computer Security
Protection = Prevention
  – Previous model
Protection = Prevention + (Detection + Response)
  – Includes operational aspects

Sample Technologies in the Operational Model of Computer Security

Security Principles
Security approaches
Least privilege
Separation of duties
Implicit deny
Job rotation
Layered security
Defense in depth
Security through obscurity
Keep it simple

Security Approaches
Ignore Security Issues
  – Security is simply what exists on the system “out of the box.”
Host Security
  – Each computer is “locked down” individually.
  – Maintaining an equal and high level of security amongst all computers is difficult and usually ends in failure.
Network Security
  – Controlling access to internal computers from external entities

Least Privilege
Least privilege means a subject (user, application, or process) should have only the necessary rights and privileges to perform its task with no additional permissions.
By limiting an object's privilege, we limit the amount of harm that can be caused.
For example, a person should not be logged in as an administrator; they should be logged in with a regular user account, and change their context to do administrative duties.

Separation of Duties
For any given task, more than one individual needs to be involved.
Applicable to physical environments as well as network and host security.
No single individual can abuse the system.
Potential drawback is the cost.
  – Time: tasks take longer
  – Money: must pay two people instead of one

Implicit Deny
If a particular situation is not covered by any of the rules, then access cannot be granted.
Any individual without proper authorization cannot be granted access.
The alternative to implicit deny is to allow access unless a specific rule forbids it.

Job Rotation
The rotation of individuals through different tasks and duties in the organization's IT department.
The individuals gain a better perspective of how the various parts of the IT department can help or hinder the organization.
Prevents a single point of failure, where only one employee knows mission-critical job tasks.

Layered Security
Layered security implements different access controls and utilizes various tools and devices within a security system on multiple levels.
Compromising the system would take longer and cost more than it is worth.
Potential downside is the amount of work it takes to create and then maintain the system.

Diversity of Defense
This concept complements the layered security approach.
Diversity of defense involves making different layers of security dissimilar.
Even if attackers know how to get through a system that comprises one layer, they may not know how to get through the next layer that employs a different system of security.

Security Through Obscurity
Security through obscurity states that the security is effective if the environment and protection mechanisms are confusing or supposedly not generally known.
The concept’s only objective is to hide an object (not to implement a security control to protect the object).
It’s not effective.

Keep It Simple
The simple security rule is the practice of keeping security processes and tools simple and elegant.
Security processes and tools should be simple to use, simple to administer, and easy to troubleshoot.
A system should only run the services that it needs to provide and no more.

Security Topics
Access control
Authentication
Social engineering

Access Control
Access control is a term used to define a variety of protection schemes.
This is a term sometimes used to refer to all security features used to prevent unauthorized access to a computer system or network.
It’s often confused with authentication.

Authentication
Authentication deals with verifying the identity of a subject, while access control deals with the ability of a subject (individual or process running on a computer system) to interact with an object (file or hardware device).
Three types of authentication
  – Something you know (password)
  – Something you have (token or card)
  – Something you are (biometric)

Access Control vs. Authentication
Authentication – This proves that you (subject) are who you say you are.
Access control – This deals with the ability of a subject to interact with an object.
Once an individual has been authenticated, access controls then regulate what the individual can actually do on the system.
Digital certificates – This is an attachment to a message, and is used for authentication. It can also be used for encryption.

Authentication and Access Control Policies
Group policy
  – By organizing users into groups, a policy can be made that will apply to all users in that group.
Password policy
  – Passwords are the most common authentication mechanism.
  – Should specify: character set, length, complexity, frequency of change and how it is assigned.

Social Engineering
Social engineering is the process of convincing an individual to provide confidential information or access to an unauthorized individual.
Social engineering is one of the most successful methods that attackers have used to gain access to computer systems and networks.
The technique relies on an aspect of security that can be easily overlooked: people.
Most people have an inherent desire to be helpful or avoid confrontation. Social engineers exploit this fact.
Social engineers will gather seemingly useless bits of information that, when put together, divulge other sensitive information. This is “data aggregation.”

Security Policies & Procedures
Policy – High-level statements created by management that lay out the organization's positions on particular issues
Security policy – High-level statement that outlines both what security means to the organization and the organization's goals for security
Procedure – General step-by-step instructions that dictate exactly how employees are expected to act in a given situation or to accomplish a specific task

Acceptable Use Policy
The acceptable use policy outlines the behaviors that are considered appropriate when using a company’s resources.
Internet use policy
  – This covers the broad subject of Internet usage.
usage policy
  – This details whether non-work traffic is allowed at all or severely restricted.

Different Security Policies
Change management policy
  – This ensures proper procedures are followed when modifications to the IT infrastructure are made.
Classification of information policy
  – This establishes different categories of information and the requirements for handling each category.
Due care and due diligence
  – Due care is the standard of care a reasonable person is expected to exercise in all situations.
  – Due diligence is the standard of care a business is expected to exercise in preparation for a business transaction.

Different Security Policies (continued)
Due process policy
  – Due process guarantees fundamental fairness, justice and liberty in relation to an individual’s rights.
Need-to-know policy
  – This policy reflects both the principle of need to know and the principle of least privilege.
Disposal and destruction policy
  – This policy outlines the methods for destroying discarded sensitive information.

Service Level Agreements
Service level agreements are contractual agreements between entities that describe specified levels of service, and guarantee the level of service.
  – A web service provider might guarantee 99.99% uptime.
  – Penalties for not providing the service are included.

Human Resources Policies
Employee hiring and promotions
  – Hiring: background checks, reference checks, drug testing
  – Promotions: periodic reviews, drug checks, change of privileges
Retirement, separation, and termination of an employee
  – Determine the risk to information, consider limiting access and/or revoking access
Mandatory vacation
  – An employee who never takes time off may be involved in nefarious activities and does not want anyone to find out.

Security Models
Confidentiality models
  – Bell-LaPadula security model
Integrity models
  – Biba model
  – Clark-Wilson model

Bell-LaPadula Security Model
Two principles
  – Simple security rule (“no read up”)
  – The *-property (pronounced "star property") principle (“no write down”)
Objective – Protect confidentiality

Biba Model
Two principles based on integrity levels
  – Low-water policy (“no write up”)
  – Ring policy (“no read down”)
Objective – Protect integrity

Clark-Wilson Model
Uses transactions as a basis for rules
Two levels of integrity
  – Constrained data items (CDI): subject to integrity controls
  – Unconstrained data items (UDI): not subject to integrity controls
Two types of processes
  – Integrity verification processes (IVPs)
  – Transformation processes (TPs)

Model Summary

| Model | Objective | Policies |
|---|---|---|
| Bell-LaPadula | Confidentiality | No read up; No write down |
| Biba | Integrity | No read down; No write up |
| Clark-Wilson | Integrity | Two levels of integrity – UDI and CDI; IVP monitor TP (Transformation Processes) |
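The read and write rules from the Bell-LaPadula and Biba slides, together with the implicit-deny default, as a small access check in Python. This is an added example, not part of the original slides; the Level values, the Label class, decide(), evaluate_all() and the sample subject and objects are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Constructed three-step ordering; the slides name no specific levels."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class Label:
    conf: Level   # confidentiality level, used by the Bell-LaPadula rules
    integ: Level  # integrity level, used by the Biba rules


# Each operation maps to the checks that must all pass, paired with the rule
# a failed check violates. s = subject label, o = object label.
RULES = {
    "read": [
        (lambda s, o: s.conf >= o.conf, "Bell-LaPadula: no read up"),
        (lambda s, o: o.integ >= s.integ, "Biba: no read down"),
    ],
    "write": [
        (lambda s, o: s.conf <= o.conf, "Bell-LaPadula: no write down"),
        (lambda s, o: o.integ <= s.integ, "Biba: no write up"),
    ],
}


def decide(subject: Label, obj: Label, op: str):
    """Return (allowed, reason) for one access request."""
    checks = RULES.get(op)
    if checks is None:
        # Implicit deny: a request that no rule covers is refused.
        return False, "implicit deny: no rule covers this operation"
    for permitted, rule in checks:
        if not permitted(subject, obj):
            return False, rule
    return True, "permitted"


# Constructed sample subject and objects.
ANALYST = Label(conf=Level.HIGH, integ=Level.MEDIUM)
OBJECTS = {
    "audited_report": Label(conf=Level.MEDIUM, integ=Level.HIGH),
    "web_log": Label(conf=Level.LOW, integ=Level.LOW),
    "payroll_db": Label(conf=Level.HIGH, integ=Level.HIGH),
    "team_notes": Label(conf=Level.HIGH, integ=Level.MEDIUM),
}


def evaluate_all(subject: Label = ANALYST):
    """Decide read, write and one uncovered operation for every sample object."""
    return {
        (name, op): decide(subject, label, op)
        for name, label in OBJECTS.items()
        for op in ("read", "write", "execute")
    }


if __name__ == "__main__":
    for (name, op), (allowed, reason) in evaluate_all().items():
        print(f"{op:7} {name:15} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

With both models enforced at once, the only object the sample subject can both read and write is the one whose confidentiality and integrity levels equal its own.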

Chapter Summary
Define basic terms associated with computer and information security.
Identify the basic approaches to computer and information security.
Distinguish among various methods to implement access controls.
Describe methods used to verify the identity and authenticity of an individual.
Recognize some of the basic models used to implement security in operating systems.