This chapter delves into fundamental concepts of security, focusing on network-based and host-based security models. Learn about preventative, detective, and response controls, as well as the operational model of security. Discover the principles of confidentiality, integrity, and availability, along with important strategies like Defense in Depth and Separation of Duty.
Security+ All-In-One Edition, Chapter 1 – General Security Concepts
Brian E. Brzezicki
First Some Terms (NB)
First we have to discuss some terms we will use again and again.
• Protocol – an official set of steps or language for communication
• Algorithm – a specific set of steps to solve a problem or do some task
• String – a series of characters. Example: if each character can be a-z or 0-9, an 8-character string might be “ar01z14b”
• Control – a countermeasure or an attempt to mitigate a security risk. Examples: a firewall is a technical control; encryption is a technical control; policies are administrative (management) controls.
CIA No… Not that CIA
CIA* (7)
3 Fundamental Principles of Security
• Confidentiality
• Integrity
• Availability
Operational Model of Security (8)
• Focus is no longer just on prevention
• Security now is
  • Prevention – what are some preventative controls/measures?
  • Detection – what are some detective controls/measures?
  • Response – what are some response controls/measures?
• Protection = Prevention + Detection + Response
Network Based Security (9)
• Focuses on protecting a network from outside attackers by placing security devices on the “perimeter” (see visualization next slide)
  • Firewalls
  • IDS
  • Anti-virus
• Problems?
  • Internal attackers are already inside the perimeter
  • Little protection if the network controls are taken out or bypassed
Host Based Security (9)
• Focuses on protecting a specific machine at the machine level.
• Each computer protects itself
  • Locked down/bastion host model
  • Resource permissions
  • Host based firewalls
  • HIDS
  • Anti-virus
  • Patching and updating
• All machines should have host based security
• Problems / advantages of this model?
Host and Network Based (12)
• The ideal model has components of both Network Based Security and Host Based Security; this is one example of Layered Security.
Layered Security (12)
No one security control should be completely relied upon. Instead have many overlapping security controls.
• Network based firewall
• Host based firewall
• IDS system
• Access controls
• Proper patching and maintenance practices
This is also referred to as “Defense in Depth”
Diversity of Defense (14)
Similar to, but distinct from, defense in depth/layered security. In this case the layers are built from different implementations of the same kind of control, so one flaw does not defeat all of them.
• Example – use 2 firewalls from different vendors to protect your network. That way, if someone hacks your first firewall, they should not be able to easily hack your second firewall with the same technique, and hopefully that will stop them. (see next slide)
Security Through Obscurity (15)
Invalid method of security. The idea is that you don’t let people know what you use or how it works.
• This does help a little and can be practiced; however it should not be relied upon or considered a valid measure of security on its own.
• Example: you should generally NOT give out information about your systems or networks. However this alone is not security; relying on hiding information rather than truly SECURING information is NOT valid security.
• Ex. It’s not a bad idea to change the default port for ssh from port 22 to something else, but that does not really “secure” ssh in any fashion.
• Remember when the NT 4.0 code was stolen and published online?
Keep it Simple (16)
Keep it Simple… the more complex something is, the harder it is to
• Understand
• Secure
• Audit
A good K.I.S.S. rule is to remove all unnecessary services and software from a system.
Least Privilege (10)
One of the most fundamental rules of security.
• Provide a user the MINIMAL amount of access they need to complete their work.
• If you don’t EXPLICITLY need access… you don’t get access.
• Applications should run as a restricted user rather than the “root/administrator” account.
• Services and software should not be running or installed unless they are needed for the operation of the system/network.
Separation of Duty (11)
For any given sensitive task, more than one person needs to be involved.
Ex. A person who puts in a procurement order should NOT be allowed to authorize that order.
• Fights fraud
• Requires “collusion” to subvert (see next slide)
Implicit Deny (11)
Fundamental security rule. If you do NOT explicitly have authorization, then you are automatically (implicitly) DENIED access.
• Should be the default rule for ALL access controls… though often it is not :(
• You usually see this in firewalls
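The three rules above (least privilege, separation of duty, implicit deny) are easy to state and easy to get wrong in code. The following is an added illustration, not code from the slides or the textbook: a small authorization module for the procurement example. The role names, users and the Order record are constructed for the example. The default-allow check is shown beside the default-deny one so the difference in what an unlisted subject gets is visible.

```python
"""Default-deny authorization with least privilege and separation of duty.

Added illustration, not code from the slides or textbook.  Roles, users,
permissions and the Order record are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Least privilege: each role lists only the (resource, action) pairs it needs.
ROLE_PERMISSIONS = {
    "requester": {("order", "create")},
    "approver": {("order", "approve")},
    "auditor": {("order", "read"), ("audit_log", "read")},
}

# Constructed users -> roles.  "dave" has no role at all.
USERS = {
    "alice": {"requester"},
    "bob": {"approver"},
    "carol": {"approver", "requester"},
    "dave": set(),
}


def is_allowed_open(user_roles: Set[str], resource: str, action: str,
                    denied=frozenset()) -> bool:
    """WEAK: default-allow.  Access is granted unless the pair is on a deny
    list, so anything the administrator forgot to list is wide open."""
    return (resource, action) not in denied


def is_allowed(user_roles: Set[str], resource: str, action: str) -> bool:
    """Implicit deny: True only when some role of the user EXPLICITLY grants
    (resource, action).  Unknown roles, resources and actions all fall
    through to False."""
    for role in user_roles:
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


@dataclass
class Order:
    order_id: str
    requester: str
    approver: Optional[str] = None
    audit_log: List[str] = field(default_factory=list)


def create_order(user: str, order_id: str) -> Order:
    if not is_allowed(USERS.get(user, set()), "order", "create"):
        raise PermissionError(f"{user} may not create orders")
    order = Order(order_id, requester=user)
    order.audit_log.append(f"created by {user}")
    return order


def approve_order(user: str, order: Order) -> Order:
    """Separation of duty: approving needs the approve permission AND a
    different person from the requester, so fraud requires collusion."""
    if not is_allowed(USERS.get(user, set()), "order", "approve"):
        raise PermissionError(f"{user} may not approve orders")
    if user == order.requester:
        raise PermissionError(f"{user} cannot approve their own order")
    order.approver = user
    order.audit_log.append(f"approved by {user}")
    return order


if __name__ == "__main__":
    po = create_order("alice", "PO-1")
    approve_order("bob", po)          # allowed: approver, not the requester
    print(po.audit_log)
    try:
        approve_order("carol", create_order("carol", "PO-2"))
    except PermissionError as exc:
        print("blocked:", exc)        # carol holds both roles but cannot self-approve
```

Note that carol holds both roles, and the role check alone would let her approve her own order; the separation-of-duty check is a separate rule on the transaction, not something a permission table expresses by itself.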
Authentication and Access Control
If you want to protect a resource you must be able to determine which subject (a user or a program) can access an item, and what level of access such a subject has to the resource. This requires
• Identification
• Authentication: 3 factor types + “strong/multi-factor”
  • What is the most common form of authentication?
• Authorization (ACLs, rules, Unix permissions) (chapter 19)
• Auditing
We will talk about these in more detail in later chapters.
SecurID
A type of multi-factor authentication
• Has a secret number that is synchronized with the server and changes every minute (what you have)
• Also requires a PIN (what you know)
• We will talk about SecurID again in upcoming classes
Chapter 1 Review Questions
Q: What is the CIA triad, and what does each part mean?
Q: What is non-repudiation?
Q: Define Layered Security.
Q: What is the main security reasoning for mandatory vacations?
Chapter 1 Review Questions
Q: In what type of access control model does the OS (security kernel) determine who is allowed access to a resource?
Q: What access control model helps fight “authorization creep”?
Q: Biometrics are an example of “What you ____”
Q: What is an advantage of network based security? How about host based?