01 general security concepts

Upload: phung-giap

Post on 05-Apr-2018


  • 8/2/2019 01 General Security Concepts


    Understanding Information Security

    Understanding the Goals of Information Security

    Comprehending the Security Process

    Authentication Issues to Consider

    Distinguishing between Security Topologies

    Protocol: an official set of steps or language for communication

    Algorithm: a specific set of steps to solve a problem or do some task

    String: a series of characters. For example, if a character can be a-z or 0-9, an 8-character string might be ar01z14b

    Control: a countermeasure or attempt to mitigate a security risk.

    A firewall is a technical control. Policies are HR controls. Encryption is a technical control.

    Security?

    Physical security of servers and workstations

    Protecting data from viruses and worms or from hackers and miscreants

    The capability to restore files if a user accidentally deletes them

    Problems with security:

    It is next to impossible for everyone to agree on what it means

    We don't really mean that we want things to be completely secured

    While everyone wants security, no one wants to be inconvenienced by it


    Protecting your assets and information from physical access by unauthorized persons

    Threats often present themselves as service technicians, janitors, customers, vendors, or even employees

    Components of physical security:

    Making a physical location less tempting as a target

    Detecting a penetration or theft

    Recovering from a theft or loss of critical information or systems

    Operational security issues include:

    Network access control (NAC), authentication, and security topologies after the network installation is complete.

    Daily operations of the network

    Connections to other networks

    Backup plans

    Recovery plans

    In short, operational security encompasses everything that isn't related to design or physical security in the network


    Guidance, rules, and procedures for implementing a security environment

    Policies need the support of management to be carried out well.

    The issues that must be decided at the management and policy level affect the entire company and can greatly impact productivity, morale, and corporate culture

    A number of key policies are needed to secure a network. The following list identifies some broad areas that require thought and planning:

    Administrative policies

    Disaster recovery plans

    Information policies

    Security policies

    Software design requirements

    Usage policies

    User management policies

    Administrative policies lay out guidelines and expectations for upgrades, monitoring, backups, and audits.

    System administrators and maintenance staff use these policies to conduct business.

    The policies must be:

    Specific enough to help the administrative staff keep focused on the business of running the systems and networks

    Flexible enough to allow for emergencies and unforeseen circumstances.

    Expensive to develop and to test, and it must be kept current.

    Takes into consideration virtually every type of occurrence or failure possible

    The key to its success is its completeness

    Many large companies invest huge amounts of money in DRPs, including backup or hot sites.


    Refer to the various aspects of information security, including access, classifications, marking and storage, and the transmission and destruction of sensitive information.

    Data classification matrix

    Defines various classification levels

    Public: For all advertisements and information posted on the Web

    Internal: For all intranet-type information

    Private: Personnel records, client data, and so on

    Confidential: Public Key Infrastructure (PKI) information and other items restricted to all but those who must know them

    Define the configuration of systems and networks

    Security policies also define computer room and data center security as well as how identification and authentication (I&A) occurs.

    Things covered:

    Determine how access control, audits, reports and network connectivity are handled.

    Encryption and antivirus software

    Establish procedures and methods used for password selection, account expiration, failed logon attempts, and related areas

    Software design requirements outline what the capabilities of the system must be

    A software design policy should be specific about security requirements

    If the design doesn't include security as an integral part of the implementation, the network may have vulnerabilities.

    Cover how information and resources are used

    Include statements about privacy, ownership, and the consequences of improper acts

    Usage policies should also address how users should handle incidents


    Identify the various actions that must occur in the normal course of employee activities

    These policies must address how new employees are added to the system as well as managed.

    A user may acquire administrative privileges to the system by accident.

    Understanding Information Security

    Understanding the Goals of Information Security

    Comprehending the Security Process

    Authentication Issues to Consider

    Distinguishing between Security Topologies

    Prevention: preventing computer or information violations from occurring.

    Detection: identifying events when they occur.

    Response: developing strategies and techniques to deal with an attack or loss

    Understanding Information Security

    Understanding the Goals of Information Security

    Comprehending the Security Process

    Authentication Issues to Consider

    Distinguishing between Security Topologies


    Security is a combination of three Ps: processes, procedures, and policies.

    There are several parts to this process

    Appreciating Antivirus Software

    Implementing Access Control

    Authentication

    Mandatory Access Control (MAC):

    A static model that uses a predefined set of access privileges for files on the system.

    The system administrators establish these parameters and associate them with an account, files, or resources.

    MAC uses labels to identify the level of sensitivity that applies to objects.

    When a user attempts to access an object, the label is examined to see if the access should take place or be denied.

    One key element to remember is that when mandatory control is applied, labels are required and must exist for every object.

    Discretionary Access Control (DAC):

    The owner of a resource establishes privileges to the information they own.

    Labels are not mandatory but can be applied as needed.

    Role-Based Access Control (RBAC):

    A user acts in a certain predetermined manner based on the role the user holds in the organization.

    The roles almost always shadow the organizational structure.

    The RBAC model is common in network administrative roles.
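
Added example, not part of the original slides: the same request evaluated under the three models above, using the classification levels from the data classification matrix as MAC labels. The ranking of the levels, the clearance-must-meet-label rule, and all user, role and file names are assumptions constructed for illustration.

```python
# Assumption: the page lists these levels but does not rank them.
LEVELS = {"Public": 0, "Internal": 1, "Private": 2, "Confidential": 3}

def mac_allows(clearance, obj, labels):
    """MAC: the administrator-assigned label decides; the owner has no say."""
    label = labels.get(obj)
    if label is None:
        return False  # every object must carry a label, so unlabeled fails closed
    return LEVELS[clearance] >= LEVELS[label]

def dac_allows(user, obj, owners, grants):
    """DAC: the owner, or anyone the owner has granted, may access."""
    return owners.get(obj) == user or user in grants.get(obj, set())

def rbac_allows(user, obj, user_roles, role_objects):
    """RBAC: access follows the role the user holds, not the individual."""
    roles = user_roles.get(user, ())
    return any(obj in role_objects.get(role, set()) for role in roles)

# Constructed sample data
LABELS = {"payroll.xlsx": "Private", "press-release.txt": "Public"}
OWNERS = {"payroll.xlsx": "dana", "notes.txt": "dana"}
GRANTS = {"payroll.xlsx": {"lee"}}          # dana shared the file with lee
USER_ROLES = {"lee": ["helpdesk"], "dana": ["hr"]}
ROLE_OBJECTS = {"hr": {"payroll.xlsx"}, "helpdesk": {"press-release.txt"}}

def decisions(user, clearance, obj):
    """Return the verdict each model gives for the same user and object."""
    return {
        "MAC": mac_allows(clearance, obj, LABELS),
        "DAC": dac_allows(user, obj, OWNERS, GRANTS),
        "RBAC": rbac_allows(user, obj, USER_ROLES, ROLE_OBJECTS),
    }

if __name__ == "__main__":
    # The owner's grant satisfies DAC, but lee's clearance is below the label.
    print(decisions("lee", "Internal", "payroll.xlsx"))
    # notes.txt was never labeled, so MAC denies even its owner.
    print(decisions("dana", "Confidential", "notes.txt"))
```
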

    Authentication proves that a user or system is actually who they say they are.

    Authentication systems or methods are based on one or more of these three factors:

    Something you know, such as a password or PIN

    Something you have, such as a smart card or an identification device

    Something physically unique to you, such as your fingerprints or retinal pattern


    Use physical characteristics to identify the user

    Hand scanners

    Retinal scanners

    DNA scanners (not available for now)

    Commonly used

    A server or certificate authority (CA) can issue a certificate that will be accepted by the challenging system.

    Certificate Practice Statement (CPS) outlines the rules used for issuing and managing certificates

    Certificate Revocation List (CRL) lists the revocations that must be addressed (often due to expiration) in order to stay current

    CHAP doesn't use a user ID/password mechanism

    The initiator sends a logon request from the client to the server.

    The server sends a challenge back to the client.

    The challenge is encrypted and then sent back to the server.

    The server compares the value from the client

    If the information matches, grants authorization.

    If the response fails, the session fails, and the request phase starts over
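
Added example, not part of the original slides: the challenge/response exchange above with both sides shown, the response computed as RFC 1994 specifies (MD5 over the identifier, the shared secret and the challenge, the step the slide describes as encrypting the challenge). The ChapServer class, the function names and the sample secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapServer:
    def __init__(self, secrets):
        self.secrets = secrets   # name -> shared secret (never sent on the wire)
        self.pending = {}        # name -> (identifier, challenge) awaiting a reply
        self.next_id = 0

    def challenge(self, name):
        """Answer a logon request with a fresh random challenge."""
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        chal = os.urandom(16)
        self.pending[name] = (ident, chal)
        return ident, chal

    def verify(self, name, ident, response):
        """Compare the client's value with the server's own computation."""
        state = self.pending.pop(name, None)   # one attempt per challenge
        secret = self.secrets.get(name)
        if state is None or secret is None or state[0] != ident:
            return False
        expected = chap_response(ident, secret, state[1])
        return hmac.compare_digest(expected, response)

def run_exchange(server, name, client_secret):
    ident, chal = server.challenge(name)                   # server -> client
    response = chap_response(ident, client_secret, chal)   # client -> server
    return server.verify(name, ident, response)

def replay_attempt(server, name, client_secret):
    """A response captured from one session is useless for the next challenge."""
    ident, chal = server.challenge(name)
    captured = chap_response(ident, client_secret, chal)
    server.verify(name, ident, captured)       # the legitimate logon
    ident2, _ = server.challenge(name)         # new request, new challenge
    return server.verify(name, ident2, captured)

if __name__ == "__main__":
    srv = ChapServer({"alice": b"constructed-shared-secret"})
    print(run_exchange(srv, "alice", b"constructed-shared-secret"))   # match
    print(run_exchange(srv, "alice", b"wrong-secret"))                # mismatch
    print(replay_attempt(srv, "alice", b"constructed-shared-secret"))
```
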


    Originally designed by MIT

    Allows for a single sign-on to a distributed network.

    Key Distribution Center (KDC) authenticates the principal (which can be a user, a program, or a system) and provides it with a ticket.

    After this ticket is issued, it can be used to authenticate against other principals. This occurs automatically when a request or service is performed by another principal

    KDC can be a single point of failure

    Two or more access methods are included as part of the authentication process


    Two or more parties authenticate each other

    Mutual authentication ensures that the client is not unwittingly connecting and giving its credentials to a rogue server; which can then turn around and steal the data from the real server

    Commonly, mutual authentication will be implemented when the data to be sent during the session is of a critical nature such as financial or medical record

    One of the simplest forms of authentication

    No true security

    The username and password values are both sent to the server as clear text and checked for a match.

    If they match, the user is granted access; if they don't match, the user is denied access

    A small piece of data that holds a sliver of information about the user

    A type of badge or card that gives you access to resources, including buildings, parking lots, and computers.

    Contains information about one's identity and access privileges.

    Each area or computer has a card scanner or a reader in which you insert your card.

    Smart Cards often also require the use of a small password called a PIN (personal identification number); which further secures the smart card if lost by the true card holder, so that it cannot be used by someone else to gain access to data and resources.


    Understanding Information Security

    Understanding the Goals of Information Security

    Comprehending the Security Process

    Authentication Issues to Consider

    Distinguishing between Security Topologies

    Capabilities of people who will be working with policies.

    Be wary of popular names or current trends that make certain passwords predictable.

    Distinguish between identification process and authentication process


    Understanding Information Security

    Understanding the Goals of Information Security

    Comprehending the Security Process

    Authentication Issues to Consider

    Distinguishing between Security Topologies

    Design goals

    Security zones

    Technologies

    Business requirements


    Confidentiality: Prevent or minimize unauthorized access to and disclosure of data and information

    Integrity: Making sure that the data being worked with is the correct data

    Availability: Protect data and prevent its loss

    Accountability: Who owns the data or is responsible for making sure that it's accurate


    Four most common security zones:

    Internet

    Intranet

    Extranet

    Demilitarized zone (DMZ)


    Extend intranets to include outside connections to partners

    Connect to a partner via a private network or a connection using a secure communications channel across the Internet

    A demilitarized zone (DMZ) is an area where you can place a public server for access by people you might not trust otherwise

    By isolating a server in a DMZ, you can hide or remove access to other areas of your network

    Use firewalls to isolate your network


    Virtualization Technology (VT)

    VLANs

    Network Address Translation (NAT)

    Tunneling

    Today's x86 computer hardware was designed to run a single operating system and a single application, leaving most machines vastly underutilized.

    Virtualization lets you run multiple virtual machines on a single physical machine, with each virtual machine sharing the resources of that one physical computer across multiple environments.

    Different virtual machines can run different operating systems and multiple applications on the same physical computer.

    Get more out of your existing resources

    Reduce datacenter costs by reducing your physical infrastructure and improving your server to admin ratio

    Increase availability of hardware and applications for improved business continuity

    Gain operational flexibility

    Improve desktop manageability and security

    A virtual local area network (VLAN) allows you to create groups of users and systems and segment them on the network.

    This segmentation lets you hide segments of the network from other segments and thereby control access.

    You can also set up VLANs to control the paths that data takes to get from one point to another. A VLAN is a good way to contain network traffic to a certain area in a network.


    Originally, NAT extended the number of usable Internet addresses

    Allow an organization to present a single address to the Internet for all computer connections

    The NAT server provides IP addresses to the hosts or systems in the network and tracks inbound and outbound traffic.

    Tunneling refers to creating a virtual dedicated connection between two systems or networks.

    You create the tunnel between the two ends by encapsulating the data in a mutually agreed-upon protocol for transmission.

    In most tunnels, the data passed through the tunnel appears at the other side as part of the network.

    Tunneling protocols usually include data security as well as encryption. Several popular standards have emerged for tunneling, with the most popular being the Layer 2 Tunneling Protocol (L2TP).


    Tunneling sends private data across a public network by placing (encapsulating) that data into other packets.

    Most tunnels are virtual private networks (VPNs).