Published by Kathlyn Shepherd. Modified over 6 years ago.
Security+ All-In-One Edition Chapter 1 – General Security Concepts
Brian E. Brzezicki
Basic Security Concepts
First Some Terms (NB)
First we have to discuss some terms we will use again and again:
- Protocol – an official set of steps or language for communication
- Algorithm – a specific set of steps to solve a problem or do some task
- String – a series of characters. Example: if a character can be a-z or 0-9, an 8 character string might be “ar01z14b”
- Control – a countermeasure or attempt to mitigate a security risk. Example: a firewall is a technical control; policies are HR controls; encryption is a technical control.
CIA No… Not that CIA
CIA* (7)
3 Fundamental Principles of Security:
- Confidentiality
- Integrity
- Availability
Operational Model of Security (8)
Focus is no longer just on prevention. Security now is:
- Prevention – what are some preventative controls/measures?
- Detection – what are some detective controls/measures?
- Response – what are some response controls/measures?
Protection = Prevention + Detection + Response
Security Models and Concepts
Network Based Security (9)
Focuses on protecting a network from outside attackers by placing security devices on the “perimeter” (see visualization next slide):
- Firewalls
- IDS
- Anti-virus
Problems?
- Internal attackers
- Little protection if the network controls are taken out or bypassed
Network Based Security
Host Based Security
Host Based Security (9)
Focuses on protecting a specific machine at the machine level. Each computer protects itself:
- Locked down/bastion host model
- Resource permissions
- Host based firewalls
- HIDS
- Anti-virus
- Patching and updating
All machines should have host based security. Problems / advantages of this model?
Host and Network Based (12)
The ideal model would have components of both Network Based Security and Host Based Security; this is one example of Layered Security.
Layered Security (12)
No single security control should be completely relied upon. Instead have many overlapping security controls:
- Network based firewall
- Host based firewall
- IDS system
- Access controls
- Proper patching and maintenance practices
This is also referred to as “Defense in Depth”.
Diversity of Defense (14)
Similar to, but different from, defense in depth/layered security. In this case each layer consists of multiple versions of the same thing. Example – use 2 firewalls from different vendors to protect your network. That way, if someone hacks your first firewall, they should not be able to easily hack your second firewall, and hopefully that will stop them. (see next slide)
Diversity of Defense
Security Through Obscurity (15)
An invalid method of security. The idea is that you don’t let people know what you use or how it works. This does help and can be practiced; however it should not be relied upon or considered a valid measure of security on its own. Example: you should generally NOT give out any information about your systems or networks. However this alone is not security, and relying on hiding information rather than truly SECURING information is NOT valid security. Ex. It’s not a bad idea to change the default port for ssh from port 22 to something else, but that does not really “secure” ssh in any fashion. Remember when the NT 4.0 code was stolen and published online?
Keep it Simple (16)
Keep it Simple… the more complex something is, the harder it is to:
- Understand
- Secure
- Audit
A good K.I.S.S. rule is to remove all unnecessary services and software from a system.
Least Privilege (10)
One of the most fundamental rules of security:
- Provide a user the MINIMAL amount of access they need to complete their work. If you don’t EXPLICITLY need access… you don’t get access.
- Applications should run as a restricted user rather than the “root/administrator” account.
- Services and software should not be running or installed unless they are needed for the operation of the system/network.
Separation of Duty (11)
For any given task, more than one person needs to be involved. Ex. A person who puts in a procurement order should NOT be allowed to authorize the order.
- Fights fraud
- Requires “collusion” to subvert (see next slide)
Separation of Duties
Separation of Duties
Implicit Deny (11)
Fundamental security rule. If you do NOT explicitly have authorization, then you are automatically (implicitly) DENIED access. This should be the default rule for ALL access controls... though often it is not :( You usually see this in firewalls.
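An added example (not from the slides) of the firewall case: a tiny first-match ACL evaluator run twice over the same constructed rule set, once with an implicit-deny default and once with an allow-by-default policy, so you can see which packets slip through when the default is wrong. The rules and packets are constructed for illustration.

```python
# Added example: first-match packet-filter ACL with a configurable default.
# Rule set and sample traffic are constructed, not taken from any real network.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network in CIDR notation
    dport: Optional[int]  # destination port; None matches any port


def evaluate(rules: List[Rule], src_ip: str, dport: int, default: str = "deny") -> str:
    """Return the action of the first rule that matches, else the default.
    With default="deny", traffic that is not EXPLICITLY allowed is dropped."""
    addr = ip_address(src_ip)
    for r in rules:
        if addr in ip_network(r.src) and (r.dport is None or r.dport == dport):
            return r.action
    return default  # implicit deny (or implicit allow) happens here


# Constructed rule set: HTTPS from the LAN, SSH from one admin host only,
# and an explicit deny for telnet from the LAN.
RULES = [
    Rule("allow", "10.0.0.0/24", 443),
    Rule("allow", "10.0.0.5/32", 22),
    Rule("deny", "10.0.0.0/24", 23),
]


def check(src_ip: str, dport: int) -> dict:
    """Evaluate one packet under both defaults for side-by-side comparison."""
    return {
        "implicit_deny": evaluate(RULES, src_ip, dport, default="deny"),
        "implicit_allow": evaluate(RULES, src_ip, dport, default="allow"),
    }


if __name__ == "__main__":
    # 10.0.0.9 -> 3389 matches no rule: dropped under implicit deny, but let
    # straight through when the policy allows by default.
    for pkt in [("10.0.0.9", 443), ("10.0.0.9", 22), ("10.0.0.5", 22), ("10.0.0.9", 3389)]:
        print(pkt, check(*pkt))
```

Only the explicit-deny telnet rule blocks anything under the allow-by-default policy; every unlisted service is exposed, which is exactly the gap implicit deny closes.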
Authentication and Access Control
If you want to protect a resource you must be able to determine which subject (a user or a program) can access an item, and what level of access such a subject has to a resource. This requires:
- Identification
- Authentication: 3 types + “strong/multi” – what is the most common form of authentication?
- Authorization (ACLs, rules, Unix permissions) (chapter 19)
- Auditing
We will talk about these in more detail in later chapters.
SecurID
A type of multi factor authentication:
- Has a secret number that is synchronized to the server and changes every minute (what you have)
- Also requires a PIN (what you know)
We will talk about SecurID again later in the upcoming classes.
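An added example (not from the slides, and not RSA's proprietary SecurID algorithm) that models the two factors just described with the open RFC 6238 time-based one-time password construction on a 60-second step: the server and token share a seed, the code changes every minute, and the server accepts a login only when both the PIN and the current code are right. The seed and PIN below are constructed demo values.

```python
# Added example: TOTP-style token (RFC 6238, 60 s step) plus a PIN check.
# Illustrates the "what you have" + "what you know" split; it is NOT SecurID's
# actual algorithm. DEMO_SECRET and DEMO_PIN are constructed values.
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the code changes every minute, as on the slide
DIGITS = 6


def token_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Code displayed on the token for the minute containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def verify_login(secret: bytes, stored_pin: str, submitted_pin: str,
                 submitted_code: str, server_time: int, window: int = 1) -> bool:
    """Both factors must pass: the PIN (what you know) and a token code (what
    you have). window=1 accepts the previous/next minute to absorb clock drift."""
    if not hmac.compare_digest(stored_pin, submitted_pin):
        return False
    for drift in range(-window, window + 1):
        expected = token_code(secret, server_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False


DEMO_SECRET = b"constructed-demo-seed-not-real"   # provisioned per token in practice
DEMO_PIN = "4821"

if __name__ == "__main__":
    now = 1_700_000_000
    code = token_code(DEMO_SECRET, now)
    print("code this minute:", code)
    print("PIN + code:", verify_login(DEMO_SECRET, DEMO_PIN, "4821", code, now))
    print("wrong PIN:", verify_login(DEMO_SECRET, DEMO_PIN, "0000", code, now))
    print("code 10 min old:", verify_login(DEMO_SECRET, DEMO_PIN, "4821", code, now + 600))
```

A stolen code alone is useless after a minute or two, and a stolen PIN alone never produces a code, which is why the two factors together are stronger than either one.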
Chapter 1 Review Questions
Q: What is the CIA triad, and what does each part mean?
Q: What is non-repudiation?
Q: Define Layered Security.
Q: What is the main security reasoning for mandatory vacations?
Chapter 1 Review Questions
Q: In what type of authentication system does the OS (Security Kernel) determine who is allowed access to a resource?
Q: What access control model helps fight “authorization creep”?
Q: Biometrics are an example of “what you ____”?
Q: What is an advantage of network based security? How about host based?