Chapter 3 Security Basics


Page 1

Chapter 3 Security Basics

Jeremy Jordan

Page 2

Who Should Make Information Security Policies?

Bottom-up approach: the lower-level people make the security policies. This approach can be beneficial because the lower-level people know how to prevent attacks.

Top-down approach: the higher-level people make the security policies. This approach can be beneficial because the higher-level people know how the entire network works as a whole.

Page 3

Who Should Make Information Security Policies?

Page 4

Ways to Protect Systems

• Layering
• Limiting
• Diversity
• Obscurity
• Simplicity

Page 5

Layering

Layering is the process of putting multiple different defenses in place to block attacks:
• Passwords
• Firewalls
• Antivirus

This way, if an attacker gets through one layer they still have to get through the other layers.

Diagram: a Database protected by a Database Password, an Access Control List, and a Network Password.

Page 6

Limiting

Limiting is based on using Access Control Lists to limit what users can do or access.

Access should be limited to the least amount necessary for the person to do their job.

Page 7

Diversity

Diversity is related to layering. Each layer needs to be different, so if an attacker gets through one layer they may not know how to get through the next.

Diversity can also be applied to the types of devices or applications used.

Diagram: two networks, each behind two firewalls before the Internet. The first uses a Cisco Firewall followed by a Cisco Firewall; the second uses a WatchGuard Firewall followed by a Cisco Firewall.

Page 8

Obscurity

Don't let attackers know information about your network:
• Security policies
• Equipment
• Software

User passwords should be changed in an unpredictable way. Users shouldn't be able to change a password from Fluffy01 to Fluffy02.
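The Fluffy01 to Fluffy02 rule above can be enforced at password-change time. The following Python is an added example, not code from the slides or their author: it rejects a new password that is the old one with a different trailing number, the old one reversed, or within a small edit distance of it. The stem check catches cases such as Fluffy01 to Fluffy2024 that edit distance alone would let through. The function names and the minimum distance of 3 are constructed choices.

```python
import re
from typing import Optional

# Added example (not from the slides): reject a password change when the new
# password is only a trivial edit of the old one, such as Fluffy01 -> Fluffy02.


def _stem(password: str) -> str:
    """Lowercase the password and strip any trailing digits, so that Fluffy01,
    fluffy02 and Fluffy2024 all reduce to the same stem 'fluffy'."""
    return re.sub(r"\d+$", "", password).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character insertions,
    deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def predictable_change_reason(old: str, new: str, min_distance: int = 3) -> Optional[str]:
    """Return why the change from old to new is predictable, or None when it is
    acceptable. min_distance is a constructed policy value, not from the slides."""
    if new == old:
        return "new password is identical to the old one"
    stem_old = _stem(old)
    if stem_old and stem_old == _stem(new):
        return "new password only changes the trailing number or letter case"
    if new.lower() == old.lower()[::-1]:
        return "new password is the old one reversed"
    if edit_distance(old.lower(), new.lower()) < min_distance:
        return "new password differs from the old one by too few characters"
    return None


if __name__ == "__main__":
    for candidate in ("Fluffy02", "fluffy2024", "10yffulF", "correct-horse-battery"):
        print(candidate, "->", predictable_change_reason("Fluffy01", candidate) or "accepted")
```

The comparison is done against the old password in clear, so this check must run at the moment of change, when the user has just supplied both the old and the new password; once the old password is stored only as a hash, the comparison is no longer possible.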

Page 9

Simplicity

Very complex networks can be difficult to manage.

Networks should be simple from the inside but complex from the outside.

Page 10

Authentication

• What you know
• What you have
• What you are

Page 11

What You Know

Authentication that uses what a person knows:
• Passwords
• PIN
• Answer to a personal question

Page 12

What You Have

Authentication method based on what a person has:
• Token
• Smart Card
• Proximity Card

Page 13

What You Are

Authentication based on who the person is.

Biometrics:
• Fingerprints
• Face
• Hand
• Iris
• Retina
• Voice

Page 14

Certificates

Certificates are used to bind a cryptographic key to the person it is assigned to.

Then any encryption done with that key is from a known individual.

Certificates are issued by a Certification Authority (CA).

Page 15

Kerberos

An authentication protocol developed by MIT.

Used to verify the identity of network users. Is supported by:
• Windows 2003
• Apple Mac OS
• Linux

Page 16

Kerberos

Page 17

CHAP

Challenge Handshake Authentication Protocol. Allows a server to verify a computer's identity. The server can start a CHAP challenge at any time the connection is open.

Diagram: Challenge, then Response, then Approval or Denial.

Page 18

Mutual Authentication

A two-way authentication method:
• Server can authenticate the client
• Client can authenticate the server

Used to defend against identity attacks.

Diagram: Server authenticates client; Client authenticates server.
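The CHAP exchange on page 17 (Challenge, Response, Approval or Denial) and the two-way method on page 18 can be shown in one short Python program. This is an added example, not code from the slides or their author; it follows the response formula of RFC 1994 (CHAP with MD5), where the response is MD5(Identifier || secret || Challenge), so the shared secret itself never crosses the link. Peer names, the secret and the `ChapPeer` class are constructed for the example; running the same exchange in both directions gives mutual authentication.

```python
import hashlib
import hmac
import os

# Added example (not from the slides): a CHAP exchange in both directions.
# Response = MD5(Identifier || secret || Challenge), as in RFC 1994.
# Only the challenge value and the hash are transmitted; the secret is not.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapPeer:
    """One end of the link. Each peer can issue challenges (as authenticator)
    and answer them (as the party being verified). Names and secrets are
    constructed values."""

    def __init__(self, name: str, secret: bytes, rng=os.urandom):
        self.name = name
        self.secret = secret
        self.rng = rng
        self.next_id = 0
        self.pending = {}  # identifier -> challenge value we issued and still await

    def challenge(self):
        """Issue a fresh random challenge; allowed any time the link is open."""
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256  # the Identifier field is one octet
        value = self.rng(16)
        self.pending[ident] = value
        return ident, value

    def respond(self, ident: int, value: bytes):
        """Answer a challenge with our name and the hash over the shared secret."""
        return self.name, chap_response(ident, self.secret, value)

    def verify(self, ident: int, peer_name: str, response: bytes) -> str:
        """Return 'Success' or 'Failure'. A real authenticator uses peer_name to
        look up that peer's secret; this example assumes one shared secret."""
        value = self.pending.pop(ident, None)
        if value is None:
            return "Failure"  # unknown identifier, or a replay of an old response
        expected = chap_response(ident, self.secret, value)
        return "Success" if hmac.compare_digest(expected, response) else "Failure"


def one_way(authenticator: ChapPeer, peer: ChapPeer) -> str:
    ident, value = authenticator.challenge()            # Challenge
    name, response = peer.respond(ident, value)          # Response
    return authenticator.verify(ident, name, response)   # Approval or Denial


def mutual(a: ChapPeer, b: ChapPeer) -> bool:
    """Mutual authentication: each side challenges the other."""
    return one_way(a, b) == "Success" and one_way(b, a) == "Success"


if __name__ == "__main__":
    server = ChapPeer("server", b"constructed-secret")
    client = ChapPeer("client", b"constructed-secret")
    print("server verifies client:", one_way(server, client))
    print("mutual:", mutual(server, client))
```

Because each challenge value is random and is discarded once answered, a captured response cannot be replayed: the second `verify` with the same identifier finds no pending challenge and denies it. The page's note that the server may re-challenge while the connection is open maps onto calling `one_way` again at any point.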

Page 19

Multifactor Authentication

This is just using two or more authentication methods to verify a user:
• Password and token
• Fingerprint and password
• Fingerprint and smart card

Page 20

Controlling Access To The Computer

Access Control Lists (ACLs) are used to control what a user who has accessed a system can and can't do.

ACLs are stored in Access Control Entries (ACEs).

Users in a group inherit all ACL permissions applied to the group.

Page 21

Access Control Models

Mandatory Access Control (MAC)
• A user is not allowed to give other users access to a file/folder
• All permissions are set, and can only be changed, by the administrator

Role Based Access Control (RBAC)
• Allows for permissions to be given to a specific role
• Users are assigned to a role and inherit its permissions

Page 22

Access Control Models

Discretionary Access Control (DAC)
• The least restrictive model
• A user can change other users' permissions on files/folders
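The ACL rules from page 20 (ACEs, group inheritance) and the three models from pages 21 and 22 can be exercised in one small permission system. The Python below is an added example, not code from the slides or their author. An ACL is a dict of ACEs mapping a principal (user, group or role) to a set of permissions; `effective_permissions` merges the user's own ACE with those of its groups and, under RBAC, its roles. Who may change an ACL is what distinguishes the models: under MAC only the administrator, under DAC the resource's owner as well (the DAC rule on the slide is read here as the owner granting to others, an assumption), and under RBAC the administrator, who attaches permissions to roles. The names `administrator`, `staff`, `auditor` and the file names are constructed.

```python
from dataclasses import dataclass, field

# Added example (not from the slides): a toy permission system enforcing MAC, DAC
# and RBAC, plus group inheritance of ACL permissions. All names are constructed.

ADMIN = "administrator"


@dataclass
class Resource:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # ACEs: principal -> set of permissions


class AccessSystem:
    def __init__(self, model: str):
        if model not in ("MAC", "DAC", "RBAC"):
            raise ValueError("model must be MAC, DAC or RBAC")
        self.model = model
        self.groups = {}      # group name -> set of member users
        self.user_roles = {}  # user -> set of roles (consulted under RBAC only)

    def add_to_group(self, group: str, user: str) -> None:
        self.groups.setdefault(group, set()).add(user)

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def effective_permissions(self, user: str, resource: Resource) -> set:
        """Own ACE, plus ACEs of every group the user is in, plus (RBAC) role ACEs."""
        perms = set(resource.acl.get(user, ()))
        for group, members in self.groups.items():
            if user in members:
                perms |= resource.acl.get(group, set())
        if self.model == "RBAC":
            for role in self.user_roles.get(user, ()):
                perms |= resource.acl.get(role, set())
        return perms

    def may_change_acl(self, actor: str, resource: Resource) -> bool:
        if actor == ADMIN:
            return True                      # administrator may change any ACL
        if self.model == "DAC":
            return actor == resource.owner   # owner decides at their discretion
        return False  # MAC: administrator only; RBAC: roles are administered centrally

    def grant(self, actor: str, resource: Resource, principal: str, perm: str) -> None:
        if not self.may_change_acl(actor, resource):
            raise PermissionError(f"{actor} may not change the ACL of {resource.name} under {self.model}")
        resource.acl.setdefault(principal, set()).add(perm)


def try_grant(system: AccessSystem, actor: str, resource: Resource, principal: str, perm: str) -> bool:
    """Attempt a grant and report whether the model allowed it."""
    try:
        system.grant(actor, resource, principal, perm)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    doc = Resource("payroll.xlsx", owner="alice")
    for model in ("MAC", "DAC", "RBAC"):
        system = AccessSystem(model)
        print(model, "owner may grant:", try_grant(system, "alice", doc, "bob", "read"))
```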

Page 23

Auditing Information Security

Auditing is performed to ensure that the proper security controls are in place.

Auditing can be done in two ways:

Logging
• Logs keep records that show what users are doing and when

System Scanning
• Scans users' permissions to see if they are different than what they should be
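Both audit methods on this slide can be demonstrated on sample data. The Python below is an added example, not code from the slides or their author: `parse_log` and `outside_hours` answer the logging question (who did what, and when), and `scan_permissions` answers the scanning question by comparing each user's current permissions with a baseline of what they should be and reporting what is extra or missing. The log lines, the baseline, the current permissions and the 07:00 to 19:00 working window are all constructed.

```python
from datetime import datetime

# Added example (not from the slides): the two audit methods from the slide.
# The log lines, baseline and current permissions below are constructed sample data.

SAMPLE_LOG = """\
2024-03-04T08:02:11 alice login success
2024-03-04T08:05:40 alice read payroll.xlsx
2024-03-04T23:17:02 bob write payroll.xlsx
2024-03-04T23:18:30 bob grant payroll.xlsx carol write
"""


def parse_log(text: str) -> list:
    """Each line: <ISO timestamp> <user> <action> <target...> (constructed format)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, action, target = line.split(" ", 3)
        entries.append({"time": datetime.fromisoformat(stamp), "user": user,
                        "action": action, "target": target})
    return entries


def actions_by_user(entries: list) -> dict:
    """What each user did and when, grouped per user."""
    by_user = {}
    for e in entries:
        by_user.setdefault(e["user"], []).append((e["time"], e["action"], e["target"]))
    return by_user


def outside_hours(entries: list, start_hour: int = 7, end_hour: int = 19) -> list:
    """Entries recorded outside the working window [start_hour, end_hour)."""
    return [e for e in entries if not (start_hour <= e["time"].hour < end_hour)]


# Baseline of what permissions should be, and what a scan of the system found.
EXPECTED = {"payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}, "dave": {"read"}}}
ACTUAL = {"payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read", "write"}, "carol": {"write"}}}


def scan_permissions(expected: dict, actual: dict) -> list:
    """Compare current permissions against the baseline. Each finding is
    (resource, user, 'extra' or 'missing', sorted tuple of permissions)."""
    findings = []
    for resource in sorted(set(expected) | set(actual)):
        want = expected.get(resource, {})
        have = actual.get(resource, {})
        for user in sorted(set(want) | set(have)):
            extra = have.get(user, set()) - want.get(user, set())
            missing = want.get(user, set()) - have.get(user, set())
            if extra:
                findings.append((resource, user, "extra", tuple(sorted(extra))))
            if missing:
                findings.append((resource, user, "missing", tuple(sorted(missing))))
    return findings


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in outside_hours(entries):
        print("outside hours:", e["time"], e["user"], e["action"], e["target"])
    for finding in scan_permissions(EXPECTED, ACTUAL):
        print("permission drift:", finding)
```

On the sample data the two methods corroborate each other: the log shows bob writing to payroll.xlsx and granting carol write access late at night, and the scan reports exactly those two permissions as extra relative to the baseline, plus dave's expected read permission as missing.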