Chapter 3 Security Basics
-
Upload
rashad-joyner -
Category
Documents
-
view
37 -
download
3
description
Transcript of Chapter 3 Security Basics
Chapter 3 Chapter 3 Security BasicsSecurity Basics
Jeremy JordanJeremy Jordan
Who Should Make Information Who Should Make Information Security Policies?Security Policies?
Bottom-up approach – means the lower Bottom-up approach – means the lower people make the security policies.people make the security policies. This approach can be beneficial because the This approach can be beneficial because the
lower people know how to prevent attacks lower people know how to prevent attacks Top-down approach – means the higher Top-down approach – means the higher
people make the security policies.people make the security policies. This approach can be beneficial because the This approach can be beneficial because the
higher people know how the entire network higher people know how the entire network works as a wholeworks as a whole
Who Should Make Information Who Should Make Information Security Policies?Security Policies?
Ways to Protect SystemsWays to Protect Systems
LayeringLayering LimitingLimiting DiversityDiversity ObscurityObscurity SimplicitySimplicity
LayeringLayering
Layering is the process of Layering is the process of putting multiple different putting multiple different defenses in place to block defenses in place to block attacks.attacks. PasswordsPasswords FirewallsFirewalls AntivirusAntivirus
This way if a attacker gets This way if a attacker gets through one layer they still have through one layer they still have to get through other layers.to get through other layers.
Database
Database Password
Access Control List
Network Password
LimitingLimiting
Limiting is based on Limiting is based on using Access Control using Access Control Lists to limit what Lists to limit what users can do or users can do or access.access.
Access should be Access should be limited to the least limited to the least amount necessary for amount necessary for the person to do their the person to do their job.job.
DiversityDiversity
Diversity is related to Diversity is related to layering.layering. Each layer needs to be Each layer needs to be
different, so if an attacker different, so if an attacker gets through one layer gets through one layer they may not know how they may not know how to get through the next.to get through the next.
Diversity can also be Diversity can also be applied for the types for applied for the types for devices or applications devices or applications used.used.
Network
Cisco
Firewall
Cisco Firewall
Internet
Network
WatchGuard
Firewall
Cisco Firewall
Internet
ObscurityObscurity
Don’t let attackers know information about Don’t let attackers know information about your network.your network. Security policiesSecurity policies EquipmentEquipment SoftwareSoftware
User passwords should be changed in an User passwords should be changed in an unpredictable way.unpredictable way. Users shouldn’t be able to change a Users shouldn’t be able to change a
password from password from Fluffy01 Fluffy01 toto Fluffy02 Fluffy02..
SimplicitySimplicity
Very complex networks can be difficult to Very complex networks can be difficult to managemanage
Networks should be simple from the inside Networks should be simple from the inside but complex from the outsidebut complex from the outside
AuthenticationAuthentication
What you knowWhat you know
What you haveWhat you have
What you areWhat you are
What You KnowWhat You Know
Authentication that uses what a person Authentication that uses what a person knowsknows PasswordsPasswords PINPIN Answer to personal questionAnswer to personal question
What You HaveWhat You Have
Authentication Authentication method based on method based on what a person has.what a person has. TokenToken Smart CardSmart Card Proximity CardProximity Card
What You AreWhat You Are
Authentication based Authentication based on who the person ison who the person is
BiometricsBiometrics FingerprintsFingerprints FaceFace HandHand IrisIris RetinaRetina VoiceVoice
CertificatesCertificates
Certificates are used to bind a Certificates are used to bind a cryptographic key to a person who it is cryptographic key to a person who it is assigned to.assigned to.
Then any encryption done with that key is Then any encryption done with that key is from a known individualfrom a known individual
Certificates issued by a Certification Certificates issued by a Certification Authority (CA)Authority (CA)
KerberosKerberos
An authentication protocol developed by An authentication protocol developed by MITMIT
Used to verify the identity of network usersUsed to verify the identity of network users Is supported by:Is supported by:
Windows 2003Windows 2003 Apple Mac OSApple Mac OS LinuxLinux
KerberosKerberos
CHAPCHAP
Challenge Handshake Authentication ProtocolChallenge Handshake Authentication Protocol Allows a server to verify a computers identityAllows a server to verify a computers identity Server can start a CHAP challenge at any time Server can start a CHAP challenge at any time
the connection is openthe connection is open
Challenge
Response
Approval or Denial
Mutual AuthenticationMutual Authentication
A two-way authentication methodA two-way authentication method Server can authenticate the ClientServer can authenticate the Client Client can authenticate the serverClient can authenticate the server
Used to defend against identity attacksUsed to defend against identity attacks
Server authenticates client
Client authenticates server
Multifactor AuthenticationMultifactor Authentication
This is just using two or more This is just using two or more authentication methods to verify a user.authentication methods to verify a user. Password and tokenPassword and token Fingerprint and passwordFingerprint and password Fingerprint and smart cardFingerprint and smart card
Controlling Access To The ComputerControlling Access To The Computer
Access Control Lists (ACLs) are used to Access Control Lists (ACLs) are used to control what a user who has accessed a control what a user who has accessed a system can and can’t do.system can and can’t do.
ACLs are stored in Access Control Entries ACLs are stored in Access Control Entries (ACE)(ACE)
Users in a group inherit all ACL Users in a group inherit all ACL permissions applied to the grouppermissions applied to the group
Access Control ModelsAccess Control Models
Mandatory Access Control (MAC)Mandatory Access Control (MAC) A user is not allowed to give other users access A user is not allowed to give other users access
to a file/folderto a file/folder All permissions are set, and can only be changed, All permissions are set, and can only be changed,
by the administrator by the administrator Role Based Access Control (RBAC)Role Based Access Control (RBAC)
Allows for permissions to be given to a specific Allows for permissions to be given to a specific rolerole
Users are assigned to a role and inherit it’s Users are assigned to a role and inherit it’s permissionspermissions
Access Control ModelsAccess Control Models
Discretionary Access Control (DAC)Discretionary Access Control (DAC) The least restrictive modelThe least restrictive model A user can change other users permissions of A user can change other users permissions of
files/foldersfiles/folders
Auditing Information SecurityAuditing Information Security
Auditing is performed to ensure that the Auditing is performed to ensure that the proper security controls are in placeproper security controls are in place
Auditing can be done in two waysAuditing can be done in two ways LoggingLogging
• Logs Keep records that show what users are doing Logs Keep records that show what users are doing and whenand when
System ScanningSystem Scanning• Scans users permissions to see if they are Scans users permissions to see if they are
different then what they should be.different then what they should be.