Transcript Chapter 3 Security Basics
Chapter 3 Security Basics
Jeremy Jordan
Who Should Make Information Security Policies?
Bottom-up approach – means the lower people make the security policies.
This approach can be beneficial because the lower people know how to prevent attacks Top-down approach – means the higher people make the security policies.
This approach can be beneficial because the higher people know how the entire network works as a whole
Who Should Make Information Security Policies?
Ways to Protect Systems
Layering Limiting Diversity Obscurity Simplicity
Layering
Layering is the process of putting multiple different defenses in place to block attacks.
Passwords Firewalls Antivirus
Network Password Access Control List Database Password Database
This way if a attacker gets through one layer they still have to get through other layers.
Limiting
Limiting is based on using Access Control Lists to limit what users can do or access.
Access should be limited to the least amount necessary for the person to do their job.
Diversity
Diversity is related to layering.
Each layer needs to be different, so if an attacker gets through one layer they may not know how to get through the next.
Diversity can also be applied for the types for devices or applications used.
Obscurity
Don’t let attackers know information about your network.
Security policies Equipment Software User passwords should be changed in an unpredictable way.
Users shouldn’t be able to change a password from
Fluffy01
to
Fluffy02
.
Simplicity
Very complex networks can be difficult to manage Networks should be simple from the inside but complex from the outside
Authentication
What you know What you have What you are
What You Know
Authentication that uses what a person knows Passwords PIN Answer to personal question
What You Have
Authentication method based on what a person has.
Token Smart Card Proximity Card
What You Are
Authentication based on who the person is Biometrics Fingerprints Face Hand Iris Retina Voice
Certificates
Certificates are used to bind a cryptographic key to a person who it is assigned to.
Then any encryption done with that key is from a known individual Certificates issued by a Certification Authority (CA)
Kerberos
An authentication protocol developed by MIT Used to verify the identity of network users Is supported by: Windows 2003 Apple Mac OS Linux
Kerberos
CHAP
Challenge Handshake Authentication Protocol Allows a server to verify a computers identity Server can start a CHAP challenge at any time the connection is open
Challenge Response Approval or Denial
Mutual Authentication
A two-way authentication method Server can authenticate the Client Client can authenticate the server Used to defend against identity attacks
Server authenticates client Client authenticates server
Multifactor Authentication
This is just using two or more authentication methods to verify a user.
Password and token Fingerprint and password Fingerprint and smart card
Controlling Access To The Computer Access Control Lists (ACLs) are used to control what a user who has accessed a system can and can’t do.
ACLs are stored in Access Control Entries (ACE) Users in a group inherit all ACL permissions applied to the group
Access Control Models
Mandatory Access Control (MAC) A user is not allowed to give other users access to a file/folder All permissions are set, and can only be changed, by the administrator Role Based Access Control (RBAC) Allows for permissions to be given to a specific role Users are assigned to a role and inherit it’s permissions
Access Control Models
Discretionary Access Control (DAC) The least restrictive model A user can change other users permissions of files/folders
Auditing Information Security
Auditing is performed to ensure that the proper security controls are in place Auditing can be done in two ways Logging • Logs Keep records that show what users are doing and when System Scanning • Scans users permissions to see if they are different then what they should be.