Ch 1: Mastering Security Basics
CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide
Darril Gibson

The CIA of Security
• Confidentiality
• Integrity
• Availability

Confidentiality
• Prevents unauthorized disclosure of data
• Ensures that data is only viewable by authorized users
  • Such as Personally Identifiable Information (PII)
• Some methods
  • Encryption
    • Ex: Advanced Encryption Standard (AES)
  • Access controls

Access Controls
• Identification
  • Username: Who are you?
  • A claim, not proof
• Authentication
  • Proof of identity
  • Often by providing a password
• Authorization
  • Granting access to resources

Steganography
• Hiding data within other data
  • Ex: a secret message inside an image
• "Hiding data in plain sight"
  • Observers won't even know a message is being sent

Integrity
• Assures that data has not been modified, tampered with, or corrupted
• Only authorized users should modify data
• Hashing assures integrity
  • Hash types: MD5, SHA-1, HMAC
  • If data changes, the hash value changes
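The integrity slide above lists MD5, SHA-1 and HMAC together. The following added example (not from the slides or the study guide) shows the difference a practitioner cares about: a bare hash detects that data changed, but anyone who can alter the data can also recompute the hash, whereas an HMAC needs a key, so a forged tag fails. The sample message and key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample "file" contents for the demonstration.
ORIGINAL = b"Transfer $100 to account 12345"
TAMPERED = b"Transfer $900 to account 12345"


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data. 'md5' and 'sha1' appear on the slide for exam
    purposes; both are broken for collision resistance, so use 'sha256'
    (or stronger) in new designs."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_hash(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Plain hash check: catches accidental corruption, but an attacker who
    can change the data can just as easily replace the stored hash."""
    return hmac.compare_digest(digest(data, algorithm), expected_hex)


def tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag. Only a holder of the key can produce a valid tag,
    so it authenticates the origin as well as detecting modification."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, expected_hex: str) -> bool:
    # compare_digest runs in constant time so the comparison itself does not
    # leak how many leading bytes of the tag were correct.
    return hmac.compare_digest(tag(data, key), expected_hex)


def demo() -> dict:
    key = b"constructed-demo-key"   # in practice: a random key shared out of band
    stored_hash = digest(ORIGINAL)
    stored_tag = tag(ORIGINAL, key)
    return {
        # bare hash: tampering is detected only if the attacker forgot to update the hash
        "original_hash_ok": verify_hash(ORIGINAL, stored_hash),
        "tampered_hash_ok": verify_hash(TAMPERED, stored_hash),
        "attacker_recomputed_hash_ok": verify_hash(TAMPERED, digest(TAMPERED)),
        # HMAC: without the key the attacker cannot produce a tag that verifies
        "original_tag_ok": verify_tag(ORIGINAL, key, stored_tag),
        "tampered_tag_ok": verify_tag(TAMPERED, key, stored_tag),
        "tag_without_key_ok": verify_tag(TAMPERED, key, tag(TAMPERED, b"wrong-key")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note the third result: the recomputed plain hash verifies even though the data was altered, which is why a hash published next to a download only helps when it is delivered over a channel the attacker cannot also modify.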
Digital Signatures
• Makes a legal agreement
  • Like a handwritten signature
• Provides authentication
• Also provides non-repudiation

Non-Repudiation
• Prevents entities from denying that they took an action
  • Examples: signing a home loan, making a credit card purchase
• Techniques
  • Digital signatures
  • Audit logs

Certificates and PKI (Public Key Infrastructure)
• Certificates prove the identity of a server or user
  • Contain encryption keys
• Certificates are managed by the PKI
  • A group of companies that issue and verify certificates
  • Analogous to credit card companies

Availability
• Data and services are available when needed
• Remove SPOF (Single Point of Failure)

Availability
• Techniques:
  • Disk redundancies (RAID)
  • Server redundancies (clusters)
  • Load balancing
  • Site redundancies
  • Backups
  • Alternate power
  • Cooling systems

Balancing CIA
• You can never have perfect security
• Increasing one item lowers others
  • Increasing confidentiality generally lowers availability
  • Example: long, complex passwords that are easily forgotten
Patching
• Software requires frequent updates
• Patch Management
  • Testing patches to make sure they aren't harmful
  • Deploying them to all devices

Safety
• Safety of people
  • Escape plans and routes for fire, earthquake, etc.
  • Drills and training
• Safety of assets
  • Physical security controls
  • Fences, lighting, locks, CCTV (closed-circuit television) systems

Fail-Open
• When power fails, exit doors commonly fail in an open state
  • So people aren't trapped inside
• This lowers safety of material assets, but increases safety of people

Defense in Depth
• Layers of protection
• Example
  • Firewall
  • Antivirus
  • Deep Freeze
Risk
• Risk
  • The likelihood of a threat exploiting a vulnerability, resulting in a loss
• Threat
  • A circumstance or event that has the potential to compromise confidentiality, integrity, or availability
  • Insider threat
• Vulnerability
  • A weakness

Risk Mitigation
• Reduces chance that a threat will exploit a vulnerability
• Done by implementing controls (also called countermeasures and safeguards)
• Even if a threat can't be prevented, like a tornado
  • Risk can still be reduced with controls, like insurance, evacuation plans, etc.

Controls
• Access controls
  • After authentication, only authorized users can perform critical tasks
• Business continuity and Disaster Recovery Plans
  • Reduce the impact of disasters
• Antivirus software
  • Reduces the impact of malware

Identification, Authentication, and Authorization
• Identification
  • State your name (without proving it)
• Authentication
  • Proves your identity (with a password, fingerprint, etc.)
• Authorization
  • Grants access to resources based on the user's proven identity

Identity Proofing
• Verifying that people are who they claim to be prior to issuing them credentials
  • Or when replacing lost credentials

Sarah Palin's Email
• Link Ch 1a

Five Factors of Authentication
• Something you know (weakest)
  • Such as a password
• Something you have
  • Such as a smart card
• Something you are (strongest)
  • Such as a fingerprint
• Somewhere you are
  • Such as geolocation
• Something you do
  • Such as gestures on a touch screen
Password Rules
• Passwords should be strong
  • At least 8 characters, with three of: uppercase, lowercase, numbers, and symbols
• Change passwords regularly
• Verify a user's identity before resetting a password
• Don't reuse passwords
• Implement account lockout policies
• Change default passwords

Password Rules
• Don't write down passwords
• Don't share passwords

Password Rules
• Password history
  • Remembers previous passwords so users cannot re-use them
• Account Lockout Policies
  • Account lockout threshold
    • The maximum number of times a wrong password can be entered (typically 5)
  • Account lockout duration
    • How long an account is locked (typically 30 min.)

Previous Logon Notification
• Gmail has it, at the bottom of the screen

Creating Strong Passwords
• At least 8 characters long
• Isn't in a dictionary
• Contains three of these character types:
  • Uppercase letters A-Z
  • Lowercase letters a-z
  • Numbers 0-9
  • Special characters like @#$%

Changing Default Passwords
• Many devices have default passwords
  • Like routers
• These must be changed before use
  • "Hardening"
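The password slides above (strength rules, password history, lockout threshold and duration, default passwords) describe a policy without showing how a system enforces it. The following added example, written for this page and not taken from the study guide, implements those rules together: the 8-character / three-of-four-classes check, a dictionary check, salted PBKDF2 storage so the history can be checked without keeping old passwords in clear text, and a lockout of 30 minutes after 5 failures. The dictionary and default-credential lists are constructed stand-ins for real ones.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Constructed word list and vendor-default list standing in for real ones.
DICTIONARY = {"password", "welcome", "letmein", "monkey", "secret"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


def check_strength(password, min_length=8, classes_required=3):
    """Return the list of rules the password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [
        any(c.isupper() for c in password),               # A-Z
        any(c.islower() for c in password),               # a-z
        any(c.isdigit() for c in password),               # 0-9
        any(c in string.punctuation for c in password),   # @#$% ...
    ]
    if sum(classes) < classes_required:
        problems.append(f"uses fewer than {classes_required} of the 4 character types")
    if password.lower() in DICTIONARY:
        problems.append("is a dictionary word")
    return problems


def is_default_credential(username, password):
    """Devices shipped with a vendor default must be re-credentialed before use."""
    return (username.lower(), password) in DEFAULT_CREDENTIALS


class Account:
    """Salted PBKDF2 storage plus password history and account lockout."""

    def __init__(self, username, password, history_size=5,
                 lockout_threshold=5, lockout_minutes=30):
        self.username = username
        self.history = []            # (salt, hash) pairs, newest last
        self.history_size = history_size
        self.lockout_threshold = lockout_threshold
        self.lockout_duration = timedelta(minutes=lockout_minutes)
        self.failures = 0
        self.locked_until = None
        self._store(password)

    @staticmethod
    def _hash(password, salt):
        # Slow, salted hash: a stolen database cannot be reversed cheaply.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, self._hash(password, salt)))
        self.history = self.history[-self.history_size:]

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(self._hash(password, salt), digest)

    def change_password(self, new_password):
        """Enforce strength rules and password history; returns the violations."""
        problems = check_strength(new_password)
        if any(self._matches(new_password, e) for e in self.history):
            problems.append("was used recently (password history)")
        if not problems:
            self._store(new_password)
        return problems

    def login(self, password, now=None):
        """Returns 'ok', 'bad password' or 'locked'."""
        now = now or datetime.now()
        if self.locked_until and now < self.locked_until:
            return "locked"
        if self._matches(password, self.history[-1]):
            self.failures = 0
            self.locked_until = None
            return "ok"
        self.failures += 1
        if self.failures >= self.lockout_threshold:          # lockout threshold
            self.locked_until = now + self.lockout_duration  # lockout duration
            self.failures = 0
            return "locked"
        return "bad password"
```

The `now` parameter exists so the lockout can be exercised deterministically; a real login handler would leave it at the default. Note that a locked account reports "locked" even when the supplied password is correct, which is the behaviour that makes online guessing expensive.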
Something You Have
• Smart Card
  • Contains a certificate
  • Read by a card reader
• Image from made-in-china.com/

Smart Cards
• Embedded certificate
• Public Key Infrastructure
  • Allows issuance and management of certificates
• CAC (Common Access Card)
  • Used by US Department of Defense
• PIV (Personal Identity Verification) card
  • Used by US federal agencies

Something You Have
• Token or Key Fob
  • Image from tokenguard.com
• HOTP (HMAC-based One-Time Password)
  • Open standard using a secret key and an incrementing counter
  • HMAC hash used to create 6- or 8-digit value
  • Password remains valid till it is used
• TOTP (Time-based One-Time Password)
  • Uses a timestamp instead of a counter
  • Password expires every 30 seconds
Something You Are (Biometrics)
• Fingerprint, handprint, palm scanner
  • Image from amazon.com
• Retinal scanners
  • Uncomfortable for some people
• Iris scanners
  • Easier to use

False Acceptance and False Rejection
• False Acceptance Rate
  • Incorrectly identifying an unauthorized user as authorized
• False Rejection Rate
  • Incorrectly rejecting an authorized user
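The FAR/FRR slide defines the two error rates but not how they are measured or why they trade off against each other. The following added example (not from the slides or the study guide) computes both rates from a set of match scores at a given acceptance threshold, finds the crossover point where the two rates are equal, and picks a threshold for a deployment that caps FAR. The score lists are constructed for the demonstration; a real evaluation uses thousands of genuine and impostor comparisons.

```python
# Constructed match scores (0-100) for a hypothetical biometric system:
# genuine attempts (the enrolled user) and impostor attempts (someone else).
GENUINE = [92, 88, 95, 71, 83, 90, 65, 87, 94, 78]
IMPOSTOR = [20, 35, 48, 62, 15, 30, 55, 41, 25, 68]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """FAR: share of impostor scores accepted (score >= threshold).
    FRR: share of genuine scores rejected (score < threshold).
    Raising the threshold lowers FAR and raises FRR, and vice versa."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest (the crossover error rate, CER),
    the single number commonly used to compare biometric systems."""
    best = min(range(101), key=lambda t: abs(rates(t, genuine, impostor)[0]
                                             - rates(t, genuine, impostor)[1]))
    return best, rates(best, genuine, impostor)


def threshold_for_max_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose FAR is at or below the target. High-security
    deployments choose the threshold this way and accept the resulting FRR
    (more legitimate users turned away); convenience-first deployments cap FRR instead."""
    for t in range(101):
        far, frr = rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    for t in (50, 66, 70, 90):
        far, frr = rates(t)
        print(f"threshold {t:3d}: FAR={far:.1f} FRR={frr:.1f}")
    print("crossover:", crossover())
    print("FAR <= 0:", threshold_for_max_far(0.0))
```

With these constructed scores the crossover sits at a threshold of 66, where one impostor is accepted and one genuine user is rejected; pushing the threshold to 69 eliminates false acceptances at the cost of the same 10% false rejection rate.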
Somewhere You Are
• IP address
  • Gives general location
  • May block logins from unexpected nations
• MAC address
  • Identifies a specific device

Something You Do
• Windows 8 picture passwords
  • Gestures such as tapping or drawing lines
• Keystroke dynamics when typing
• Also called "behavioral biometrics"

Multifactor Authentication
• More than one of
  • Something you know
  • Something you have
  • Something you are
• Two similar factors is not two-factor authentication
  • Such as password and PIN

Authentication Services
• Kerberos
  • Used in Windows Active Directory Domains
  • Used in UNIX realms
  • Developed at MIT
  • Prevents Man-in-the-Middle attacks and replay attacks

Kerberos Requirements
• A method of issuing tickets used for authentication
  • Key Distribution Center (KDC) grants ticket-granting-tickets, which are presented to request tickets used to access objects
• Time synchronization within five minutes
• A database of subjects or users
  • Microsoft's Active Directory

Kerberos Details
• When a user logs on
  • The KDC issues a ticket-granting-ticket with a lifetime of ten hours
• Kerberos uses port 88 (TCP & UDP)
• Kerberos uses symmetric cryptography
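The three Kerberos slides above state the facts an exam asks for (five-minute clock tolerance, ten-hour TGT lifetime, symmetric keys, replay protection) but not how those facts fit together. The following added example is a deliberately simplified model written for this page, not the real protocol and not code from the study guide: the KDC issues a ticket-granting-ticket only if the client's clock is within five minutes of its own, the ticket carries a ten-hour expiry and is bound to the KDC's symmetric key with an HMAC so it cannot be altered, and a service-side replay cache rejects an authenticator timestamp it has already seen. Real Kerberos encrypts the ticket rather than merely authenticating it, and the function and class names (`issue_tgt`, `validate_tgt`, `ReplayCache`) are this example's own.

```python
import hashlib
import hmac
import json

MAX_CLOCK_SKEW = 5 * 60          # five minutes, as on the slide
TGT_LIFETIME = 10 * 60 * 60      # ten hours, as on the slide


def _seal(key: bytes, payload: dict) -> str:
    """Stand-in for the KDC protecting a ticket with its own symmetric key:
    the payload is serialised and bound to an HMAC-SHA256 tag, so any change
    to the principal or the expiry is detected when the ticket comes back."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def _open(key: bytes, token: str):
    """Return the payload if the tag verifies, else None."""
    body, _, tag = token.rpartition(".")     # hex tag contains no '.', so this is safe
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def issue_tgt(kdc_key: bytes, principal: str, client_time: int, now: int):
    """AS exchange (simplified): refuse a client whose clock is more than five
    minutes off, since the replay protection below depends on timestamps;
    otherwise issue a TGT that expires ten hours from now."""
    if abs(client_time - now) > MAX_CLOCK_SKEW:
        return None
    return _seal(kdc_key, {"principal": principal,
                           "issued": now,
                           "expires": now + TGT_LIFETIME})


def validate_tgt(kdc_key: bytes, tgt: str, now: int):
    """TGS side: accept the TGT only if it is untampered and unexpired;
    returns the principal it was issued to, or None."""
    ticket = _open(kdc_key, tgt)
    if ticket is None or now >= ticket["expires"]:
        return None
    return ticket["principal"]


class ReplayCache:
    """Each request carries an authenticator with a fresh timestamp. A service
    remembers the (principal, timestamp) pairs seen inside the skew window, so a
    captured authenticator replayed later is rejected; pairs older than the
    window cannot be replayed anyway and are dropped."""

    def __init__(self):
        self.seen = {}

    def accept(self, principal: str, timestamp: int, now: int) -> bool:
        if abs(timestamp - now) > MAX_CLOCK_SKEW:
            return False
        self.seen = {k: v for k, v in self.seen.items() if now - v <= MAX_CLOCK_SKEW}
        key = (principal, timestamp)
        if key in self.seen:
            return False
        self.seen[key] = now
        return True


if __name__ == "__main__":
    kdc_key = b"constructed-kdc-key"          # constructed; the KDC's long-term secret
    now = 1_700_000_000
    tgt = issue_tgt(kdc_key, "alice@EXAMPLE.COM", now + 60, now)
    print("TGT valid for:", validate_tgt(kdc_key, tgt, now + 3600))
    print("TGT after 10h:", validate_tgt(kdc_key, tgt, now + TGT_LIFETIME))
```

The two time checks do different jobs: the skew check at issue time keeps the whole realm's clocks close enough for timestamps to be meaningful, and the replay cache uses those timestamps to make a captured request worthless after a single use. That is the mechanism behind the slide's "prevents replay attacks" bullet.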
LDAP (Lightweight Directory Access Protocol)
• Formats and methods to query directories
• Used by Active Directory
• An extension of the X.500 standard
• LDAP v2 can use SSL encryption
• LDAP v3 can use TLS encryption
• LDAP uses ports 389 (unencrypted) or 636 (encrypted) (TCP and UDP)

Single Sign-On
• Users can access multiple systems after providing credentials only once
• Federated Identity Management System
  • Provides central authentication in nonhomogeneous environments

SSO and Transitive Trusts
• Parent domain trusts two child domains
  • Training and Blog
• Therefore the two child domains trust one another
• This is called a Transitive Trust