Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security+ All-In-One Edition Chapter 1 – General Security Concepts

Published byKathlyn Shepherd Modified over 6 years ago

Similar presentations

Presentation on theme: "Security+ All-In-One Edition Chapter 1 – General Security Concepts"— Presentation transcript:

1 Security+ All-In-One Edition Chapter 1 – General Security Concepts
Brian E. Brzezicki

2 Basic Security Concepts

3 First Some Terms (NB) First we have to discuss some terms we will use again and again Protocol – an official set of steps or language for communication Algorithm – a specific set of steps to solve a problem or do some task String – a series of characters. Example if a character can be a-z and 0-9 an 8 character string might be “ar01z14b” Control – a countermeasure or attempt to mitigate a security risk. Example. A firewall is technical control. Policies are HR controls. Encryption is a technical control.

4 CIA No… Not that CIA

5 CIA* (7) 3 Fundamental Principles of Security Confidentiality
Integrity Availability

6 Operational Model of Security (8)
Focus is no longer just on prevention Security now is Prevention What are some preventative controls/measures? Detection What are some detective controls/measures? Response What are some response controls/measures? Protection = Prevention + Detection + Response

7 Security Models and Concepts

8 Network Based Security (9)
Focuses on protecting a network from outside attackers by placing security devices on the “perimeter” (see visualization next slide) Firewalls IDS Anti-virus Problems? Internal attackers Little protection of network controls are taken out or bypassed

9 Network Based Security

10 Host Based Security

11 Host Based Security (9) Focuses on protecting a specific machine at the machine level. Each computer protects itself Locked down/bastion host model Resource Permissions Host based firewalls HIDS Anti-virus Patching and updating All machines should have host based security Problems / Advantages of this model?

12 Host and Network Based (12)
The ideal model would have components of both Network Based Security along with Host Based Security, this is one example of Layered Security.

13 Layered Security (12) No one security should be completely relied upon. Instead have many overlapping security controls. Network based firewall Host based firewall IDS system Access controls Proper patching and maintenance practices This is also referred to as “Defense in Depth”

14 Diversity of Defense (14)
Similar but different to defense in depth/layered security. But in this case each layer consists of multiple versions of the same thing. Example – use 2 firewalls to protect your network, from different vendors. That way of someone hacks your first firewall, they should not be able to easily hack your second firewall, and hopefully that will stop them. (see next slide)

15 Diversity of Defense

16 Security Through Obscurity (15)
Invalid method of security. The idea is that you don’t let people know what you use or how it works. This does help and can be practiced however it should not be relied upon or considered any valid measure of security. Example. You should generally NOT give any information about your systems or networks to people. However this alone is not security, and relying on hiding information rather than truly SECURE information, is NOT a valid security. Ex. It’s not a bad idea to change the default port for ssh from port 22 to something else, but that does not really “secure” ssh in any fashion. Remember when the NT 4.0 code was stolen and published online?

17 Keep it Simple (16) Keep it Simple… the more complex something is, the harder it is to Understand Secure Audit A good K.I.S.S rule is to remove all un-necessary services and software from a system

18 Least Privilege (10) One of the Most fundamental rule of security
Provide a user the MINIMAL amount of access they needs to complete their work. If you don’t EXPLICITLY need access… you don’t get access Applications should run as a restricted user rather than the “root/administrator” account Services and software should not be running or installed unless they are needed for the operation of the system/network.

19 Separation of Duty (11) For any given task, more than one person needs to be involved. Ex. An person that puts in a procurement order should NOT be allowed to authorize the order. Fights fraud Requires “collusion” to subvert (see next slide)

20 Separation of Duties

21 Separation of Duties

22 Implicit Deny (11) Fundamental security rule. If you do NOT explicitly have authorization, then you are automatically (implicitly) DENIED access. Should be the default rule for ALL access controls..though often not :( You usually see this in firewalls

23 Authentication and Access Control
If you want to protect a resource you must be able to determine which subject (a user or a program) can access an item, and what level access such a subject has to a resource. This requires Identification Authentication: 3 types + “strong/multi” What is the most common form of authentication? Authorization (ACLs, Rules, Unix Permissions) (chapter 19) Auditing We will talk about these in more detail in later chapters.

24 SecureID A type of multi factor authentication
Has a secret number that is syncronized to the server and changes every minute (what you have) Also requires a PIN number (what you know) we will talk about secureID again later in the upcoming classes

25 Chapter 1Review Questions
Q: What is the CIA triad, what does each mean? Q: What is non-repudiation? Q: Define Layered Security Q: What is the main security reasoning for mandatory vacations?

26 Chapter 1 Review Questions
Q: What type of authentication system does the OS (Security Kernel) determined who is allowed access to a resource Q: What access control model helps fight “authorization creep” Q: Biometrics are an example of “What you ____” Q: What is an advantage of network based security, how about host based?

Download ppt "Security+ All-In-One Edition Chapter 1 – General Security Concepts"

Similar presentations

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.
Chapter 1  Introduction 1 Chapter 1: Introduction.

Chapter 1  Introduction 1 Chapter 1: Introduction.
Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”

Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Access Control Methodologies

Access Control Methodologies
VM: Chapter 5 Guiding Principles for Software Security.

VM: Chapter 5 Guiding Principles for Software Security.
Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.

Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.
1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.

1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.
Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.

Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.
Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition
Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”

Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.

Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Defense-in-Depth What Is It?

Defense-in-Depth What Is It?
Troubleshooting Windows Vista Security Chapter 4.

Troubleshooting Windows Vista Security Chapter 4.
Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC.

Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC.
Security+ All-In-One Edition Chapter 19 – Privilege Management Brian E. Brzezicki.

Security+ All-In-One Edition Chapter 19 – Privilege Management Brian E. Brzezicki.

Similar presentations

Ads by Google