300 likes | 510 Vues
Security overview. Unit objectives Discuss network security Discuss security threat trends ( 威脅趨勢或走向 ) and their ramifications ( 錯綜複雜的演變 ) Determine the factors involved in creating a secure network strategy ( 決定在建立安全網路策略複雜的因素 ) Control access to a Windows 2000 server. Topic A.
E N D
Security overview Unit objectives • Discuss network security • Discuss security threat trends (威脅趨勢或走向) and their ramifications (錯綜複雜的演變) • Determine the factors involved in creating a secure network strategy (決定在建立安全網路策略複雜的因素) • Control access to a Windows 2000 server
Topic A • Topic A: Introduction to network security • Topic B: Understanding security threats • Topic C: Creating a secure network strategy • Topic D: Windows 2000 server access control
Network security defined • Network security(什麼是網路安全) • Process by which digital information assets are protected (保護數位資訊資產過程) • Goals • Maintain integrity (維護正確性清廉) • Protect confidentiality (保護機密) • Assure availability (確定可用性) • Assessing risk (如何做風險評估) • Identify threats (識別威脅) • Reduce vulnerabilities (降低受傷的機會)
Evolving (發展) technologies (技術) • Mainframes(主機越來越大提供服務也越多) • LANs (為了提供更多的人使用只好利用LAN) • Firewalls (為了免非法使用使用只好利用防火牆) • Extranets (跨企業或聯盟內部) • Security systems • Intrusion detection (入侵偵測) • Authentication (驗證) • Authorization (授權) • Vulnerability assessment (弱點評估)
Managing risk(管理的風險) 在網路上從事商業活動一定有風險 要談security則必需確立下面3件事 • Users can perform only authorized tasks (只能執行授權的任務) • Users can obtain only authorized information (只能獲得授權的資訊) • Users cannot damage data, applications, or operating environment
Goals(網路安全的目標) • Integrity(誠實—正確性、真實性) • Assurance that data is not altered or destroyed in an unauthorized manne(保證資料不會被未授權的方式所改變破壞) • Confidentiality(機密性、私密性) • Protection of data from unauthorized disclosure(透露)to a third party • Availability(可利用性) • Continuous operation of computing systems(隨時需要時就能用)
Topic B • Topic A: Introduction to network security • Topic B: Understanding security threats(威脅) • Topic C: Creating a secure network strategy • Topic D: Windows 2000 server access control
Price of intrusion (入侵) • Corporate espionage (商業間諜) • Identity theft (身分被竊取) • Lost revenues (歲收減少) • Lost prestige (聲望降低) • Lost productivity (生產力降低)
Sources of threats(威脅的來源) 安全性的威脅來源主要有四 • Technology weaknesses(技術的弱點) • Configuration weaknesses (結構上的弱點--) • Policy weaknesses (政策上的弱點--) • Human error or malice (人類的錯誤(無意的)或惡意(故意的))
Technology weaknesses • TCP/IP • Operating systems • Network equipment
Configuration weaknesses • Unsecured accounts • System accounts with easily guessed passwords • Misconfigured Internet services • Unsecured default settings • Misconfigured network equipment • Trojan horse programs • Vandals (汪達爾人) 原是日耳曼一種族 (Germanic tribe),住在北歐波羅的海 (Baltic Sea) 以南。西元五世紀,汪達爾人入侵羅馬帝國 (entered the Roman Empire) 並掠奪破壞其文物。 “Vandal” 在現今的英文裏,意指「故意破壞別人財物的人」--一種軟體 • Viruses
Policy weaknesses • Lack of a written security policy • Politics • High turnover • Concise access controls not applied • Software and hardware installation and changes do not follow policy • Proper security • Nonexistent disaster recovery plan
Human error and malice(敵意惡意怨恨) • Accident (事故) • Ignorance (無知、愚昧) • Workload (工作量、負擔) • Dishonesty (不誠實) • Impersonation (扮演、模仿) • Disgruntled employees (不爽的員工) • Snoops (事故) • Denial-of-service attacks (事故)
Topic C • Topic A: Introduction to network security • Topic B: Understanding security threats • Topic C: Creating a secure network strategy • Topic D: Windows 2000 server access control
Network security strategies • Achieve the state where any action that is not expressly permitted is prohibited • Address both internal and external threats • Define policies and procedures • Reduce risk across across perimeter security, the Internet, intranets, and LANs (continued)
Network security strategies, continued • Human factors • Knowing your weaknesses • Limiting access • Achieving security through persistence • Physical security • Perimeter security (continued)
Secure network strategy, cont’d • Firewalls • Web and file servers • Accesscontrol • Change management • Encryption • Intrusion detection systems (IDS)
Topic D • Topic A: Introduction to network security • Topic B: Understanding security threats • Topic C: Creating a secure network strategy • Topic D: Windows 2000 server access control
Access control • Restricts access to a resource • Security levels • Identify • Authenticate • Authorize
MAC, DAC and RBAC • Mandatory access control (MAC)強制式 • Non-discretionary control used in high-security locations 會給每個object 1個 security label • Discretionary access control (DAC)自訂式 • Allows the owner of a file to dictate who can access the file and to what extent • Role-based access control • Access is based on the role a user plays in the organization
Unit summary • Discussed network security • Discussed the security threat trends and their ramifications • Discussed the goals of network security and determined the factors involved in a secure network strategy • Discussed methods of access control and their implementation on a Windows 2000 server
Which of the following is NOT a valid access control mechanism? • DAC (Discretionary Access Control) list. • ***SAC (Subjective Access Control) list. • MAC (Mandatory Access Control) list. • RBAC (Role Based Access Control) list.
Which of the following best describes an access control mechanism in which access control decisions are based on the responsibilities that an individual user or process has in an organization? (組織內所指定的人或流程角色) • MAC (Mandatory Access Control) • ***RBAC (Role Based Access Control) • DAC (Discretionary Access Control) • None of the above.
Which of the following best describes an access control mechanism that allows the data owner to create and administer access control? (資料擁有者自訂DAC) • MACs (Mandatory Access Control) • RBACs (Role Based Access Control) • LBACs (List Based Access Control) • ***DACs (Discretionary Access Control)
Which of the following is an inherent flaw(一定會有的弱點) in the DAC (Discretionary Access Control) model? • DAC (Discretionary Access Control) relies only on the identity of the user or process, leaving room for a Trojan horse.(只靠使用者或流程自訂會給特洛依空間進入) • DAC (Discretionary Access Control) relies on certificates, allowing attackers to use those certificates. • DAC (Discretionary Access Control) does not rely on the identity of a user, allowing anyone to use an account. • DAC (Discretionary Access Control) has no known security flaws.
Which of the following access control methods provides the most granular access to protected objects? • Capabilities • Access control lists (表列設定哪些可以存取) • Permission bits • Profiles
With regard to DAC (Discretionary Access Control). Which of the following statements are true? • Files that don’t have an owner CANNOT be modified. (有file 就一定有crreator 不會沒有) • The administrator of the system is an owner of each object. (crreator 才是 不是administrator) • The operating system is an owner of each object. (crreator 才是 不是作業系統) • Each object has an owner, which has full control over the object.
Which of the following access control methods allows access control decisions to be based on security labels associated with each data item and each user? • MACs (Mandatory Access Control) • RBACs (Role Based Access Control) • LBACs (List Based Access Control) • DACs (Discretionary Access Control)
Which of the following access control methods relies on user security clearance and data classification? • RBAC (Role Based Access Control). • NDAC (Non-Discretionary Access Control). • MAC (Mandatory Access Control). • DAC (Discretionary Access Control).
Which of the following is a characteristic of MAC (Mandatory Access Control)? • Uses levels of security to classify users and data. • Allows owners of documents to determine who has access to specific documents. • Uses access control lists which specify a list of authorized users. • Uses access control lists which specify a list of unauthorized users.