Chapter 3: Security Basics
Jeremy Jordan
Who Should Make Information Security Policies?
- Bottom-up approach: the policies are written at the lower levels of the organization, by the staff who run the systems day to day. Its strength is that these people know the systems and the attacks they actually face.
- Top-down approach: the policies are written by upper management. Its strength is that management sees how the whole organization and network fit together, and can make the policy apply across the organization.
Ways to Protect Systems
- Layering
- Limiting
- Diversity
- Obscurity
- Simplicity
Layering
Layering (defense in depth) puts several different defenses in place to block attacks, so that an attacker who gets through one layer still has to get through the others. Examples of layers: passwords, firewalls, antivirus.
Diagram: network password -> access control list -> database password -> database (each layer must be cleared in turn before the data is reached).
Limiting
Limiting uses access control lists (ACLs) to restrict what users can do and what they can reach.
Access should be limited to the least amount necessary for a person to do their job (the principle of least privilege).
Diversity
Diversity is related to layering: each layer should be different, so that an attacker who gets through one layer cannot reuse the same technique on the next.
Diversity also applies to the types of devices and applications used, for example firewalls from different vendors, so that a single vulnerability does not defeat every layer at once.
Diagram: Internet -> Cisco firewall -> Cisco firewall -> network (two identical layers; one flaw affects both) versus Internet -> Cisco firewall -> WatchGuard firewall -> network (diverse layers).
Obscurity
Do not let attackers learn information about your network: its security policies, equipment, and software. Obscurity supplements the other protections; it is not a substitute for them.
User passwords should be changed in an unpredictable way. Users should not be able to change a password from Fluffy01 to Fluffy02.
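As an added example (not from the slides), the following Python check enforces the rule above on a password change: the new password is rejected when it is the old one with a different numeric suffix (Fluffy01 to Fluffy02), a reversal, a superstring or substring of the old one, or only a couple of character edits away. The rules, the edit-distance threshold of 3 and the function names are my own assumptions for this example.

```python
"""Reject password changes that are predictable from the old password (added example)."""
import re

SUFFIX_RE = re.compile(r"(.*?)(\d*)")


def split_numeric_suffix(password: str) -> tuple:
    """'Fluffy01' -> ('Fluffy', '01'); 'Fluffy' -> ('Fluffy', '')."""
    match = SUFFIX_RE.fullmatch(password)
    return match.group(1), match.group(2)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits that turn a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,               # deletion
                current[j - 1] + 1,            # insertion
                previous[j - 1] + (ca != cb),  # substitution
            ))
        previous = current
    return previous[-1]


def is_predictable_change(old: str, new: str, min_distance: int = 3) -> bool:
    """True when `new` can be guessed by anyone who knows `old`.

    The rules (same base word with a new number, reversal, containment, small
    edit distance) and the threshold of 3 edits are assumptions chosen for
    this example, not values from the slides.
    """
    o, n = old.casefold(), new.casefold()
    if o == n:
        return True
    old_base, _ = split_numeric_suffix(o)
    new_base, _ = split_numeric_suffix(n)
    if old_base and old_base == new_base:   # Fluffy01 -> Fluffy02
        return True
    if n == o[::-1] or o in n or n in o:    # reversed, padded or truncated
        return True
    return levenshtein(o, n) < min_distance


def change_password(old: str, new: str) -> str:
    """Outcome a password-change handler would report to the user."""
    if is_predictable_change(old, new):
        return "rejected: new password is too similar to the old one"
    return "accepted"
```

The check is only meaningful at the moment the user supplies both the old and the new password; once the new password is stored as a hash, its similarity to the previous one can no longer be tested.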
Simplicity
Very complex networks are difficult to manage, and complexity hides mistakes that attackers can exploit.
Networks should be simple from the inside (easy for administrators to understand and check) but complex from the outside (hard for attackers to map).
Authentication
- What you know
- What you have
- What you are
What You Know
Authentication that uses something the person knows:
- Passwords
- PIN
- Answer to a personal question
What You Have
Authentication based on something the person has:
- Token
- Smart card
- Proximity card
What You Are
Authentication based on a physical characteristic of the person (biometrics):
- Fingerprints
- Face
- Hand
- Iris
- Retina
- Voice
Certificates
A certificate binds a public key to the identity of the person (or system) it is issued to.
A signature that verifies with that public key must have been made with the matching private key, so it can be attributed to the named holder.
Certificates are issued by a Certification Authority (CA), which vouches for the binding between key and identity.
Kerberos
An authentication protocol developed at MIT.
Used to verify the identity of network users: a trusted key distribution center issues tickets that the client presents to services instead of sending its password to each one. It is supported by:
- Windows (Windows Server 2003, and all versions from Windows 2000 on)
- Apple Mac OS
- Linux
CHAP
Challenge Handshake Authentication Protocol: allows a server to verify a computer's identity without the shared secret ever crossing the link. The server sends a random challenge, the client returns a hash of the challenge combined with the secret, and the server compares that with its own computation. The server can start a new CHAP challenge at any time while the connection is open, so a session that was hijacked after login is re-checked.
Exchange: Challenge -> Response -> Approval or Denial
![Page 18: Chapter 3 Security Basics](https://reader036.vdocuments.us/reader036/viewer/2022062314/56813352550346895d9a61c2/html5/thumbnails/18.jpg)
Mutual Authentication
A two-way authentication method: the server authenticates the client, and the client authenticates the server.
Used to defend against identity (impersonation) attacks, such as a rogue server posing as the real one to collect credentials.
Exchange: server authenticates client; client authenticates server
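The CHAP exchange from the previous slide, run in both directions to give the mutual authentication described here, as an added Python example (not code from the slides). The response value follows RFC 1994 (MD5 over identifier, secret and challenge value); the packet framing is simplified to dataclasses, both directions use a single shared secret per peer pair, and the `Peer` class and its method names are assumptions made for this example.

```python
"""CHAP challenge/response (RFC 1994), run in both directions for mutual authentication (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Challenge:
    identifier: int   # one byte; lets a reply be matched to its challenge
    value: bytes      # random, never reused
    name: str         # who is asking


@dataclass(frozen=True)
class Response:
    identifier: int
    value: bytes      # MD5 over identifier || secret || challenge value
    name: str         # who is answering


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Peer:
    """One endpoint. It knows a shared secret per remote peer name and can both challenge and answer."""

    def __init__(self, name: str, shared_secrets: Dict[str, bytes]):
        self.name = name
        self.shared_secrets = shared_secrets
        self._next_id = 0
        self._outstanding: Dict[int, bytes] = {}  # identifier -> challenge value awaiting a reply

    def challenge(self) -> Challenge:
        self._next_id = (self._next_id + 1) & 0xFF
        value = os.urandom(16)
        self._outstanding[self._next_id] = value
        return Challenge(self._next_id, value, self.name)

    def respond(self, ch: Challenge) -> Optional[Response]:
        secret = self.shared_secrets.get(ch.name)
        if secret is None:
            return None   # no secret for whoever is asking
        return Response(ch.identifier, chap_response_value(ch.identifier, secret, ch.value), self.name)

    def verify(self, resp: Response) -> bool:
        """Approve or deny. A challenge value is consumed on first use, so a replayed response fails."""
        value = self._outstanding.pop(resp.identifier, None)
        secret = self.shared_secrets.get(resp.name)
        if value is None or secret is None:
            return False
        expected = chap_response_value(resp.identifier, secret, value)
        return hmac.compare_digest(expected, resp.value)


def authenticate(verifier: Peer, prover: Peer) -> bool:
    """One direction: verifier challenges, prover answers, verifier approves or denies."""
    reply = prover.respond(verifier.challenge())
    return reply is not None and verifier.verify(reply)


def mutual_authenticate(server: Peer, client: Peer) -> Tuple[bool, bool]:
    """Both directions: (server accepts client, client accepts server)."""
    return authenticate(server, client), authenticate(client, server)
```

A peer that claims the server's name but lacks the shared secret fails in both directions: it cannot check the client's answer, and it cannot produce a valid answer of its own. Note the caveat CHAP carries: the verifier must hold the secret in a form it can feed into the hash, so the secret store itself needs protecting.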
Multifactor Authentication
Using two or more authentication methods of different types to verify a user. Two items of the same type (such as a password and a PIN) do not count as multifactor; the factors must come from different categories.
- Password and token
- Fingerprint and password
- Fingerprint and smart card
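As an added Python example (not from the slides) of "password and token": a login that requires a password checked against a salted PBKDF2 hash (what you know) and a time-based one-time code from a token or authenticator app (what you have), computed per RFC 6238. The in-memory `USERS` store, the 200,000 PBKDF2 rounds, the one-step clock window and the function names are assumptions for this example.

```python
"""Two factors: a password (something you know) checked against a salted hash, plus a TOTP code
(something you have) per RFC 6238 (added example)."""
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30
TOTP_DIGITS = 8   # RFC 6238 test vectors use 8 digits


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the number of time steps since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


# Constructed in-memory user store; a real system would persist this.
USERS: Dict[str, dict] = {}


def enroll(username: str, password: str, totp_secret: bytes) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest,
                       "totp_secret": totp_secret, "last_counter": -1}


def authenticate(username: str, password: str, code: str,
                 now: Optional[int] = None, window: int = 1) -> bool:
    """Both factors must pass. A code is accepted once: the counter it came from is recorded
    so the same code cannot be replayed, and `window` allows +/- one step of clock drift."""
    record = USERS.get(username)
    if record is None:
        return False
    now = int(time.time()) if now is None else now
    password_ok = verify_password(password, record["salt"], record["digest"])
    counter = now // TOTP_STEP
    matched_counter = None
    for candidate in range(counter - window, counter + window + 1):
        if candidate <= record["last_counter"]:
            continue   # already used, or older than a code already accepted
        if hmac.compare_digest(hotp(record["totp_secret"], candidate), code):
            matched_counter = candidate
            break
    if not (password_ok and matched_counter is not None):
        return False
    record["last_counter"] = matched_counter
    return True
```

Both factors are evaluated before any result is returned, and the used counter is only recorded when both pass, so a wrong password does not burn a valid code and a correct code alone is never enough.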
Controlling Access To The Computer
Access control lists (ACLs) control what a user who has already been authenticated to a system can and cannot do.
An ACL is made up of access control entries (ACEs); each ACE names a user or group and the permissions allowed or denied to it.
Users in a group inherit all ACL permissions applied to the group.
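An added Python example (not from the slides) that ties the Limiting slide and this one together: an ACL built from ACEs, evaluated for a user by collecting every entry that names the user or one of their groups, with an explicit deny overriding any allow. The `Access` flags, the `GROUPS` directory, the payroll ACL and the deny-wins rule are assumptions for this example; the rule matches common practice on Windows file systems but is not stated on the slides.

```python
"""Evaluate an access control list made of ACEs, with group inheritance and explicit deny
taking precedence over allow (added example)."""
from dataclasses import dataclass
from enum import Flag, auto
from typing import Dict, List, Set


class Access(Flag):
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    FULL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class ACE:
    """One access control entry: a user or group, the rights it covers, and allow or deny."""
    principal: str
    mask: Access
    allow: bool = True


@dataclass
class ACL:
    entries: List[ACE]


# Constructed directory: group name -> members.
GROUPS: Dict[str, Set[str]] = {
    "Finance": {"alice", "bob"},
    "Admins": {"carol"},
}


def principals_for(user: str) -> Set[str]:
    """The user plus every group they belong to; ACEs on any of these apply to the user."""
    return {user} | {group for group, members in GROUPS.items() if user in members}


def effective_rights(user: str, acl: ACL) -> Access:
    """Union of rights allowed to the user or their groups, minus anything explicitly denied.
    Deny wins regardless of ACE order ('explicit deny overrides allow')."""
    subjects = principals_for(user)
    allowed = Access(0)
    denied = Access(0)
    for ace in acl.entries:
        if ace.principal not in subjects:
            continue
        if ace.allow:
            allowed |= ace.mask
        else:
            denied |= ace.mask
    return allowed & ~denied


def check_access(user: str, acl: ACL, requested: Access) -> bool:
    """True only if every requested right is within the user's effective rights."""
    return requested in effective_rights(user, acl)


# A least-privilege ACL for a payroll file: Finance may read and write, Admins have full
# control, and bob, although in Finance, is explicitly denied write.
PAYROLL_ACL = ACL([
    ACE("bob", Access.WRITE, allow=False),
    ACE("Finance", Access.READ | Access.WRITE),
    ACE("Admins", Access.FULL),
])
```

A user who appears in no ACE, directly or through a group, ends up with no rights at all, which is the default the Limiting slide asks for.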
Access Control Models
Mandatory Access Control (MAC)
- A user is not allowed to give other users access to a file or folder
- All permissions are set, and can only be changed, by the administrator
Role Based Access Control (RBAC)
- Permissions are given to a role rather than to individual users
- Users are assigned to a role and inherit its permissions
Access Control Models (continued)
Discretionary Access Control (DAC)
- The least restrictive model
- The owner of a file or folder decides which other users may access it and can change their permissions
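The three models on these two slides differ mainly in who is allowed to change permissions. The added Python example below (not code from the slides) makes that difference executable: in DAC the owner can grant, in MAC only the administrator can, and in RBAC rights attach to roles. The MAC class models only the administrator-only rule the slide states and leaves out the security labels real MAC systems use; all class names, users and files are assumptions for this example.

```python
"""The three access control models from the slides, as small policy engines that differ in
who is allowed to change permissions (added example)."""
from typing import Dict, Set, Tuple


class PermissionDenied(Exception):
    """Raised when an actor tries to change permissions it has no right to change."""


class DAC:
    """Discretionary: the owner of a resource decides who else may use it."""

    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}
        self.grants: Dict[str, Dict[str, Set[str]]] = {}

    def create(self, user: str, resource: str) -> None:
        self.owner[resource] = user
        self.grants[resource] = {user: {"read", "write"}}

    def grant(self, actor: str, resource: str, target: str, action: str) -> None:
        if self.owner.get(resource) != actor:
            raise PermissionDenied(f"{actor} does not own {resource}")
        self.grants[resource].setdefault(target, set()).add(action)

    def allowed(self, user: str, resource: str, action: str) -> bool:
        return action in self.grants.get(resource, {}).get(user, set())


class MAC:
    """Mandatory, as the slide describes it: only the administrator sets permissions; owners and
    other users cannot delegate. Label-based rules of real MAC systems are left out."""

    def __init__(self, administrator: str) -> None:
        self.administrator = administrator
        self.grants: Dict[str, Dict[str, Set[str]]] = {}

    def grant(self, actor: str, resource: str, target: str, action: str) -> None:
        if actor != self.administrator:
            raise PermissionDenied(f"only {self.administrator} may change permissions")
        self.grants.setdefault(resource, {}).setdefault(target, set()).add(action)

    def allowed(self, user: str, resource: str, action: str) -> bool:
        return action in self.grants.get(resource, {}).get(user, set())


class RBAC:
    """Role based: permissions attach to roles; users get whatever their roles have."""

    def __init__(self) -> None:
        self.role_permissions: Dict[str, Set[Tuple[str, str]]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def add_permission(self, role: str, resource: str, action: str) -> None:
        self.role_permissions.setdefault(role, set()).add((resource, action))

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def allowed(self, user: str, resource: str, action: str) -> bool:
        return any((resource, action) in self.role_permissions.get(role, set())
                   for role in self.user_roles.get(user, set()))


def demo() -> Dict[str, bool]:
    """Walk each model through the same scenario (constructed users and files)."""
    results: Dict[str, bool] = {}

    dac = DAC()
    dac.create("alice", "report.docx")
    dac.grant("alice", "report.docx", "bob", "read")       # owner may share
    results["dac_bob_reads"] = dac.allowed("bob", "report.docx", "read")
    try:
        dac.grant("bob", "report.docx", "carol", "read")   # non-owner may not
        results["dac_bob_can_delegate"] = True
    except PermissionDenied:
        results["dac_bob_can_delegate"] = False

    mac = MAC(administrator="root")
    try:
        mac.grant("alice", "payroll.xlsx", "bob", "read")  # ordinary user may not
        results["mac_alice_can_grant"] = True
    except PermissionDenied:
        results["mac_alice_can_grant"] = False
    mac.grant("root", "payroll.xlsx", "bob", "read")
    results["mac_bob_reads"] = mac.allowed("bob", "payroll.xlsx", "read")

    rbac = RBAC()
    rbac.add_permission("auditor", "ledger", "read")
    rbac.assign_role("dave", "auditor")
    results["rbac_dave_reads"] = rbac.allowed("dave", "ledger", "read")
    results["rbac_dave_writes"] = rbac.allowed("dave", "ledger", "write")
    return results
```

The DAC case shows why the slide calls it the least restrictive model: once alice shares the file with bob, nothing stops alice from sharing it further, and control over the data rests with individual owners rather than with policy.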
Auditing Information Security
Auditing is performed to ensure that the proper security controls are in place and are working as intended.
Auditing can be done in two ways:
- Logging: logs keep records that show what users are doing and when
- System scanning: scans users' permissions to see if they differ from what they should be
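Both kinds of audit from this slide, as an added Python example (not from the slides): a parser for a few constructed key=value log lines with a review pass that flags permission changes and out-of-hours writes, and a permission scan that diffs current access against an approved baseline. The log format, the business-hours threshold, the baseline and all users and paths are constructed for this example and do not come from any real system.

```python
"""Auditing two ways: review log records for actions worth a second look, and scan current
permissions against an approved baseline (added example)."""
import re
from typing import Dict, Iterable, Iterator, List, Set

# Constructed sample log lines in a syslog-like key=value format (not from any real system).
LOG_LINES = [
    "2024-05-01T09:02:11Z fs01 auth: user=alice action=login result=success",
    "2024-05-01T09:05:42Z fs01 files: user=alice action=read path=/finance/q1.xlsx",
    "2024-05-01T22:14:07Z fs01 files: user=bob action=write path=/finance/q1.xlsx",
    "2024-05-01T22:15:09Z fs01 acl: user=bob action=grant target=eve path=/finance/",
    "this line is not in the expected format",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<kv>.*)$")


def parse_log(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per well-formed line; malformed lines are skipped rather than crashing the audit."""
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue
        record = dict(pair.split("=", 1) for pair in match["kv"].split() if "=" in pair)
        record.update(ts=match["ts"], host=match["host"], facility=match["facility"])
        yield record


def review_log(records: Iterable[Dict[str, str]], business_hours=(8, 18)) -> List[str]:
    """Flag permission changes and writes outside business hours (the hours are an assumption)."""
    findings = []
    for r in records:
        hour = int(r["ts"][11:13])   # hour field of the ISO-8601 timestamp
        if r.get("action") == "grant":
            findings.append(f"{r['ts']} {r['user']} granted {r.get('target')} access to {r.get('path')}")
        elif r.get("action") == "write" and not business_hours[0] <= hour < business_hours[1]:
            findings.append(f"{r['ts']} {r['user']} wrote {r.get('path')} outside business hours")
    return findings


# Approved baseline: user -> paths they are supposed to reach (constructed).
BASELINE: Dict[str, Set[str]] = {
    "alice": {"/finance/"},
    "bob": {"/finance/"},
    "carol": {"/hr/"},
}


def scan_permissions(actual: Dict[str, Set[str]],
                     baseline: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Report every user whose current access differs from the baseline, in either direction."""
    drift = {}
    for user in sorted(set(actual) | set(baseline)):
        extra = actual.get(user, set()) - baseline.get(user, set())
        missing = baseline.get(user, set()) - actual.get(user, set())
        if extra or missing:
            drift[user] = {"extra": extra, "missing": missing}
    return drift
```

The two checks reinforce each other: the log review shows that bob granted eve access late at night, and the permission scan shows the result of that grant as access eve should not have. Missing access (carol) is reported too, since a user who cannot do their job is also a sign the controls are not as intended.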