
Ch 1: Mastering Security Basics


Presentation Transcript


  1. Ch 1: Mastering Security Basics CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide Darril Gibson

  2. Understanding Core Security Goals

  3. The CIA of Security Confidentiality Integrity Availability

  4. Confidentiality • Prevents unauthorized disclosure of data • Ensures that data is only viewable by authorized users • Such as Personally Identifiable Information (PII) • Some methods • Encryption • Ex: Advanced Encryption Standard (AES) • Access controls

  5. Access Controls • Identification • Username: Who are you? • A claim, not proof • Authentication • Proof of identity • Often by providing a password • Authorization • Granting access to resources

  6. Steganography • Hiding data within other data • Ex: a secret message inside an image • "Hiding data in plain sight" • Observers won't even know a message is being sent

  7. Integrity • Assures that data has not been modified, tampered with, or corrupted • Only authorized users should modify data • Hashing assures integrity • Hash types: MD5, SHA-1, HMAC • If data changes, the hash value changes

  8. Hash Value for Download
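A worked version of the two hashing slides above, added here as an example (not the slides' own code): computing the hash a publisher lists beside a download, checking a file against it, and showing why a keyed HMAC differs from a plain hash. The "download" bytes and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample "download"; a real check reads the file from disk.
DOWNLOAD = b"installer-v1.0 contents (constructed sample, not a real file)\n"


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex hash of the data; 'md5', 'sha1' and 'sha256' are all accepted by hashlib."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_download(data: bytes, published: str, algorithm: str = "sha256") -> bool:
    """Compare the computed hash with the value published next to the download.
    Published hashes are often pasted with mixed case or trailing whitespace,
    so normalise first; compare in constant time to avoid leaking a partial match."""
    expected = published.strip().lower()
    return hmac.compare_digest(digest(data, algorithm), expected)


def tamper(data: bytes, index: int) -> bytes:
    """Flip one bit of the data: even this changes every hash type on the slide."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def hmac_tag(data: bytes, key: bytes) -> str:
    """HMAC (listed with the hash types on the slide) keys the hash with a shared
    secret, so whoever alters the data cannot recompute a matching value without
    the key, unlike a plain hash, which anyone can recompute after tampering."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()
```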

  9. Digital Signatures • Makes a legal agreement • Like a handwritten signature • Provides authentication • Also provides non-repudiation

  10. Non-Repudiation • Prevents entities from denying that they took an action • Examples: signing a home loan, making a credit card purchase • Techniques • Digital signatures • Audit logs

  11. Certificates and PKI (Public Key Infrastructure) • Certificates prove the identity of a server or user • Contain encryption keys • Certificates are managed by the PKI • A group of companies that issue and verify certificates • Analogous to credit card companies

  12. Availability • Data and services are available when needed • Remove SPOF (Single Point of Failure)

  13. Availability • Techniques: • Disk redundancies (RAID) • Server redundancies (clusters) • Load balancing • Site redundancies • Backups • Alternate power • Cooling systems

  14. Balancing CIA • You can never have perfect security • Increasing one item lowers others • Increasing confidentiality generally lowers availability • Example: long, complex passwords that are easily forgotten

  15. Patching • Software requires frequent updates • Patch Management • Testing patches to make sure they aren't harmful • Deploying them to all devices

  16. Safety • Safety of people • Escape plans and routes for fire, earthquake, etc. • Drills and training • Safety of assets • Physical security controls • Fences, lighting, locks, CCTV (closed-circuit television) systems

  17. Fail-Open • When power fails, exit doors commonly fail in an open state • So people aren't trapped inside • This lowers safety of material assets, but increases safety of people

  18. Defense in Depth • Layers of protection • Example • Firewall • Antivirus • Deep Freeze

  19. Introducing Basic Risk Concepts

  20. Risk • Risk • The likelihood of a threat exploiting a vulnerability, resulting in a loss • Threat • A circumstance or event that has the potential to compromise confidentiality, integrity, or availability • Insider threat • Vulnerability • A weakness

  21. Risk Mitigation • Reduces chance that a threat will exploit a vulnerability • Done by implementing controls (also called countermeasures and safeguards) • Even if a threat can't be prevented, like a tornado • Risk can still be reduced with controls, like insurance, evacuation plans, etc.

  22. Controls • Access controls • After Authentication, only authorized users can perform critical tasks • Business continuity and Disaster Recovery Plans • Reduce the impact of disasters • Antivirus software • Reduces the impact of malware

  23. Exploring Authentication Concepts

  24. Identification, Authentication, and Authorization • Identification • State your name (without proving it) • Authentication • Proves your identity (with a password, fingerprint, etc.) • Authorization • Grants access to resources based on the user's proven identity

  25. Identity Proofing • Verifying that people are who they claim to be prior to issuing them credentials • Or when replacing lost credentials

  26. Sarah Palin's Email • Link Ch 1a

  27. Five Factors of Authentication • Something you know (weakest) • Such as a password • Something you have • Such as a smart card • Something you are (strongest) • Such as a fingerprint • Somewhere you are • Such as geolocation • Something you do • Such as gestures on a touch screen

  28. Password Rules • Passwords should be strong • At least 8 characters, with three of: uppercase, lowercase, numbers, and symbols • Change passwords regularly • Verify a user's identity before resetting a password • Don't reuse passwords • Implement account lockout policies • Change default passwords

  29. Password Rules • Don't write down passwords • Don't share passwords

  30. Password Rules • Password history • Remembers previous passwords so users cannot re-use them • Account Lockout Policies • Account lockout threshold • The maximum number of times a wrong password can be entered (typically 5) • Account lockout duration • How long an account is locked (typically 30 min.)

  31. Previous Logon Notification • Gmail has it, at the bottom of the screen

  32. Creating Strong Passwords • At least 8 characters long • Isn't in a dictionary • Contains three of these character types: • Uppercase letters A-Z • Lowercase letters a-z • Numbers 0-9 • Special characters like @#$%

  33. Changing Default Passwords • Many devices have default passwords • Like routers • These must be changed before use • "Hardening"

  34. Something You Have • Smart Card • Contains a certificate • Read by a card reader • Image from made-in-china.com/

  35. Smart Cards • Embedded certificate • Public Key Infrastructure • Allows issuance and management of certificates • CAC (Common Access Card) • Used by US Department of Defense • PIV (Personal Identity Verification) card • Used by US federal agencies

  36. Something You Have • Token or Key Fob • Image from tokenguard.com • HOTP (HMAC-based One-Time Password) • Open standard using a secret key and an incrementing counter • HMAC hash used to create 6- or 8-digit value • Password remains valid until it is used • TOTP (Time-based One-Time Password) • Uses a timestamp instead of a counter • Password expires every 30 seconds

  37. Symantec iPad App

  38. Something You Are (Biometrics) • Fingerprint, handprint, palm scanner • Image from amazon.com • Retinal scanners • Uncomfortable for some people • Iris scanners • Easier to use

  39. False Acceptance and False Rejection • False Acceptance Rate • Incorrectly identifying an unauthorized user as authorized • False Rejection Rate • Incorrectly rejecting an authorized user
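Computing the two rates from the slide above, added as an example (not the slides' own code): given match scores from a biometric comparison, count the impostors wrongly accepted and the authorized users wrongly rejected at a threshold, and find the threshold where the two rates cross. The score lists are constructed sample values; a real matcher produces them from its comparison algorithm.

```python
# Constructed sample match scores in [0, 1]; a score >= threshold means "accept".
GENUINE = [0.91, 0.85, 0.78, 0.66, 0.95, 0.72, 0.58, 0.88]   # authorized users
IMPOSTOR = [0.12, 0.35, 0.61, 0.22, 0.48, 0.70, 0.30, 0.15]  # unauthorized users


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) for one threshold.
    FAR: fraction of impostor attempts wrongly accepted.
    FRR: fraction of genuine attempts wrongly rejected."""
    far = sum(score >= threshold for score in impostor) / len(impostor)
    frr = sum(score < threshold for score in genuine) / len(genuine)
    return far, frr


def crossover_threshold(genuine, impostor, steps=100):
    """Sweep thresholds from 0 to 1 and return the first one where FAR and FRR
    are closest (the crossover error rate point). Raising the threshold lowers
    FAR but raises FRR, so the two rates trade off against each other."""
    best_threshold, best_gap = None, None
    for i in range(steps + 1):
        threshold = i / steps
        far, frr = error_rates(genuine, impostor, threshold)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_threshold, best_gap = threshold, gap
    return best_threshold
```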

  40. Somewhere You Are • IP address • Gives general location • May block logins from unexpected nations • MAC address • Identifies a specific device

  41. Something You Do • Windows 8 picture passwords • Gestures such as tapping or drawing lines • Keystroke dynamics when typing • Also called "behavioral biometrics"

  42. Multifactor Authentication • More than one of • Something you know • Something you have • Something you are • Two similar factors is not two-factor authentication • Such as password and PIN

  43. Comparing Authentication Services

  44. Authentication Services • Kerberos • Used in Windows Active Directory Domains • Used in UNIX realms • Developed at MIT • Prevents Man-in-the-Middle attacks and replay attacks

  45. Kerberos Requirements • A method of issuing tickets used for authentication • Key Distribution Center (KDC) grants ticket-granting-tickets, which are presented to request tickets used to access objects • Time synchronization within five minutes • A database of subjects or users • Microsoft's Active Directory

  46. Kerberos Details • When a user logs on • The KDC issues a ticket-granting-ticket with a lifetime of ten hours • Kerberos uses port 88 (TCP & UDP) • Kerberos uses symmetric cryptography

  47. LDAP (Lightweight Directory Access Protocol) • Formats and methods to query directories • Used by Active Directory • An extension of the X.500 standard • LDAP v2 can use SSL encryption • LDAP v3 can use TLS encryption • LDAP uses ports 389 (unencrypted) or 636 (encrypted) (TCP and UDP)

  48. Example LDAP String

  49. Single Sign-On • Users can access multiple systems after providing credentials only once • Federated Identity Management System • Provides central authentication in nonhomogeneous environments

  50. SSO and Transitive Trusts • Parent domain trusts two child domains • Training and Blog • Therefore the two child domains trust one another • This is called a Transitive Trust
