
General Security Concepts doc


DOCUMENT INFORMATION

Basic information

Format
Number of pages: 44
Size: 0.91 MB

Content

Security+ All-In-One Edition
Chapter 1 – General Security Concepts
Brian E. Brzezicki

Basic Security Concepts

First Some Terms (NB)
First we have to discuss some terms we will use again and again.
Protocol – an official set of steps or language for communication
Algorithm – a specific set of steps to solve a problem or do some task
String – a series of characters. Example: if a character can be a-z and 0-9, an 8-character string might be “ar01z14b”
Control – a countermeasure or attempt to mitigate a security risk. Example: a firewall is a technical control. Policies are HR controls. Encryption is a technical control.

CIA
No… Not that CIA

CIA* (7)
3 Fundamental Principles of Security
– Confidentiality
– Integrity
– Availability

Operational Model of Security (8)
• Focus is no longer just on prevention
• Security now is
  – Prevention
    • What are some preventative controls/measures?
  – Detection
    • What are some detective controls/measures?
  – Response
    • What are some response controls/measures?
• Protection = Prevention + Detection + Response

Security Models and Concepts

Host Based Security

Network Based Security (9)
• Focuses on protecting a network from outside attackers by placing security devices on the “perimeter” (see visualization next slide)
  – Firewalls
  – IDS
  – Anti-virus
• Problems?
  – Internal attackers
  – Little protection if network controls are taken out or bypassed

Network Based Security
[...]... Advantages of this model?

Host and Network Based (12)
• The ideal model would have components of both Network Based Security and Host Based Security; this is one example of Layered Security

Layered Security (12)
No one security should be completely relied upon. Instead have many overlapping security controls
– Network based firewall
– Host based firewall
– IDS system
– Access controls
– Proper patching...
can be practiced, however it should not be relied upon or considered any valid measure of security
• Example: You should generally NOT give any information about your systems or networks to people. However this alone is not security, and relying on hiding information rather than truly SECURE information, is NOT valid security
• Ex: It’s not a bad idea to change the default port for ssh from port 22 to something...

depth/layered security. But in this case each layer consists of multiple versions of the same thing
• Example – use 2 firewalls to protect your network, from different vendors. That way if someone hacks your first firewall, they should not be able to easily hack your second firewall, and hopefully that will stop them (see next slide)

Diversity of Defense

Security Through Obscurity (15)
Invalid method of security...

Host Based Security (9)
• Focuses on protecting a specific machine at the machine level
  – Each computer protects itself
  – Locked down/bastion host model
  – Resource Permissions
  – Host based firewalls
  – HIDS
  – Anti-virus
  – Patching and updating
  – All machines should have host based security
• Problems / Advantages of this model?

Host and Network Based...

take their vacation
• Decreases the ability to commit fraud undetected (main security reason)
• Decreases the chance that something could be seriously negatively affected if someone leaves the organization

Authentication and Access Control

Authentication (19)
The ability to uniquely identify a user AND verify their identity
3 general methods
– something you KNOW
– something you HAVE
– something you ARE...
procurement order should NOT be allowed to authorize the order
• Fights fraud
• Requires “collusion” to subvert (see next slide)

Separation of Duties

Separation of Duties

Implicit Deny (11)
Fundamental security rule: If you do NOT explicitly have authorization, then you are automatically (implicitly) DENIED access
• Should be the default rule for ALL access controls though often not :(
• You usually see...

something is, the harder it is to
• Understand
• Secure
• Audit
A good K.I.S.S rule is to remove all unnecessary services and software from a system

Least Privilege (10)
One of the most fundamental rules of security
• Provide a user the MINIMAL amount of access they need to complete their work
• If you don’t EXPLICITLY need access… you don’t get access
• Applications should run as a restricted user rather
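The implicit deny and separation of duties rules above, as an added example that is not part of the original slides. The roles, users and grant table are constructed, and treating the order's creator as the person barred from authorizing it is an assumption.

```python
# Added example: roles, users and the grant table are constructed for illustration.
from dataclasses import dataclass

# Explicit grants only. Any (role, action) pair missing from this set is denied.
GRANTS = {
    ("buyer", "create_order"),
    ("manager", "authorize_order"),
    ("auditor", "read_order"),
}


@dataclass(frozen=True)
class Order:
    order_id: int
    created_by: str


def is_allowed(roles, action):
    """Implicit deny: True only when some role holds an explicit grant."""
    return any((role, action) in GRANTS for role in roles)


def authorize_order(user, roles, order):
    """Return (decision, reason) so every denial can be logged and audited."""
    if not is_allowed(roles, "authorize_order"):
        return False, "implicit deny: no explicit grant for authorize_order"
    # Assumption: separation of duties bars the order's creator from authorizing
    # it, even if that person also holds the manager role.
    if user == order.created_by:
        return False, "separation of duties: creator cannot authorize own order"
    return True, "explicit grant and independent authorizer"


def demo():
    order = Order(order_id=1, created_by="alice")
    cases = [
        ("alice", ["buyer", "manager"]),  # creator who also holds manager
        ("bob", ["manager"]),             # independent manager
        ("carol", ["auditor"]),           # read-only role
        ("dave", []),                     # no roles at all
    ]
    return {user: authorize_order(user, roles, order) for user, roles in cases}


if __name__ == "__main__":
    for user, (ok, reason) in demo().items():
        print(f"{user}: {'ALLOW' if ok else 'DENY'} ({reason})")
```

Only bob is allowed: alice holds the grant but created the order, and carol and dave fall through to the default deny because no rule names them.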

Date posted: 22/03/2014, 23:21
