CompTIA Security+ Module1: Security fundamentals
 

  • Protection of information resources and available information from unauthorized access, attacks, theft, and data damage. Keeping highly important confidential information related to individuals and organizations secure. Minimizing business risks and other consequences arising from the loss of crucial data.
  • When the security of an organization's information and resources is compromised, the organization suffers collateral damage such as loss of reputation and reduced value. Investor confidence declines, customers are lost, and the organization incurs various financial losses.
  • Goals of security. Prevention: Personal information, company information, and information of an intellectual nature must be protected. If a security breach occurs in any department, it greatly affects the organization's recovery of losses. Detection: The step of noticing when someone attempts unauthorized access to information or data that may be lost. Recovery: When a system or data storage device fails, the folders and files holding the important data that was on it have to be recovered.
  • Weakness, or vulnerability: Any condition that leaves a system open to attack. Improperly: faulty, not according to instructions. Misuse: to use wrongly. Poorly: inadequately.
  • Threat: A result or action that could lead to a violation of a security requirement, policy, or procedure.
  • Attack: A technique that exploits a vulnerability in any application on a computer system to use it without authorization.
  • Intrusion: An attacker accesses your computer system without authorization.
  • Risk: Identifies and establishes the probability of loss and damage. It mostly depends on system, power, network, and other physical losses. It is also affected by people, practices, and processes.
  • Controls: Countermeasures such as avoidance and resolution must be put in place where needed against security risks caused by threats and attacks. Types: Prevention
  • If one of the principles is compromised, the security of the organization is threatened.
  • Non-repudiation arises from proving that one is the source of the information.
  • Authorization: the process of determining what rights a particular entity has. Access control: the process of assigning or determining privileges to various resources, objects, and data. Accountability: the process of determining the entity associated with a particular action. Auditing: the process of recording and tracking system activities and resource access.
  • Duties such as authorization and approval, and design and development, should not be held by the same individual, because it would be far too easy for that individual to exploit an organization into using only specific software that contains vulnerabilities, or taking on projects that would be beneficial to that individual.

Presentation Transcript

  • Security Fundamentals
    • The Information Security Cycle
    • Information Security Controls
    • Authentication Methods
    • Cryptography Fundamentals
    • Security Policy Fundamentals
  • What Is Information Security?
    • Protection of available information or information resources.
    • Necessary for a responsible individual or organization to secure confidential information.
    • Minimize business risks and other consequences of losing crucial data.
  • What to Protect
    • If the security of an organization’s data and resources is compromised, it may cause collateral damage to the organization, in the form of compromised reputation, loss of goodwill, reduced investor confidence, loss of customers, and various financial losses.
    [Diagram: Data, Resource]
  • Goals of Security
    • Prevention: Personal information, company information, and information on intellectual property must be protected. If security is breached in any of these departments, then the organization may have to put a lot of effort into recovering losses.
    • Detection: Detection is the step that occurs when a user is discovered trying to access unauthorized data or when the information has been lost.
    • Recovery: You need to employ a process to recover vital data present in files or folders from a crashed system or data storage devices. Recovery can also pertain to physical resources.
  • A Vulnerability
    • Any condition that leaves a system open to attack:
      • Improperly configured or installed hardware or software
      • Bugs in software or operating systems
      • The misuse of software or communication protocols
      • Poorly designed networks
      • Poor physical security
      • Insecure passwords
      • Design flaws in software or operating systems
      • Unchecked user input
    [Diagram: Attacker, information system, unsecured router]
  • Threats
    • Any event or action that could potentially result in the violation of a security requirement, policy, or procedure.
    [Diagram: Information security threats (unintentional or intentional): changes to information, interruption of services, interruption of access, damage to hardware, damage to facilities]
  • Attacks
    • A technique that is used to exploit a vulnerability in any application on a computer system without the authorization to do so.
    [Diagram: Attack types: physical security attacks, software-based attacks, social engineering attacks, web application-based attacks, network-based attacks]
  • Intrusions
    • An attacker accesses your computer system without the authorization to do so.
  • Risk
    • A concept that indicates exposure to the chance of damage or loss.
    • Risk is often associated with the loss of a system, power, or network, and other physical losses.
    • Risk also affects people, practices, and processes.
    [Diagram: Disgruntled former employees; threat of improper access]
  • Controls
    • The countermeasures that you need to put in place to avoid, mitigate or counteract security risks due to threats or attacks.
    • Types
      • Prevention controls — These help to prevent a threat or attack from exposing a vulnerability in the computer system.
      • Detection controls — These help to discover if a threat or vulnerability has entered into the computer system.
      • Correction controls — These help to mitigate a consequence of a threat or attack from adversely affecting the computer system.
  • The CIA Triad
    • Confidentiality: This is the fundamental principle of keeping information and communications private and protecting them from unauthorized access.
    • Integrity: This is the property of keeping organization information accurate, free of errors, and without unauthorized modifications.
    • Availability: This is the fundamental principle of ensuring that systems operate continuously and that authorized persons can access the data that they need.
  • Non-repudiation
    • Supplemental to the CIA triad.
    • The goal of ensuring that the party that sent a transmission or created data remains associated with that data.
  • Authentication
    • A method of uniquely validating a particular entity or individual’s credentials.
    [Diagram: User name, password]
  • Identification
    • A method that ensures that the entity requesting authentication is the true owner of the credentials.
    [Diagram: User name, password]
  • The Four As
    • Authorization is the process of determining what rights and privileges a particular entity has.
    • Access control is the process of determining and assigning privileges to various resources, objects, or data.
    • Accountability is the process of determining who to hold responsible for a particular activity or event.
    • Auditing or accounting is the process of tracking and recording system activities and resource access.
  • Access Control Methods
    • Mandatory Access Control (MAC)
    • Discretionary Access Control (DAC)
    • Role-Based Access Control (RBAC)
    • Rule-Based Access Control
  • Common Security Practices
    • Implicit deny
    • Least privilege
    • Separation of duties
    • Job rotation
    • Mandatory vacation
    • Time of day restrictions
    • Privilege management
  • Implicit Deny
    • Everything that is not explicitly allowed is denied
    [Diagram: Default deny; read access granted, write access denied]
  • Least Privilege
    • Dictates that users and software should only have the minimal level of access that is necessary for them to perform the duties required of them.
    [Diagram: Users 1 to 4; data entry clerks perform their job with fewer privileges, financial coordinators perform their job with more privileges]
  • Separation of Duties
    • No one person should have too much power or responsibility
    [Diagram: Audit, Backup, Restore]
  • Job Rotation
    • No one person stays in a vital job role for too long a time period.
    • Helps
      • Prevent abuse of power
      • Reduce boredom
      • Enhance individuals’ professional skills
  • Mandatory Vacation
    • The typical mandatory vacation policy requires that employees take at least one vacation a year in a full-week increment. During that time, the corporate audit and security employees have time to investigate and discover any discrepancies in employee activity.
    • When employees understand the security focus of the mandatory vacation policy, the chance of fraudulent activities decreases.
  • Time of Day Restrictions
    • Controls that allow users to access a system for a certain time period, which can be set using a group policy.
  • Privilege Management
    • The use of authentication and authorization mechanisms to provide centralized or decentralized administration of user and group access control.
    [Diagram: Administrator; authentication, authorization, access control, auditing]
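The practices listed above (implicit deny, least privilege, time of day restrictions, auditing) combined in one authorization check. This is an added example, not part of the original slides; the role names follow the Least Privilege slide, while the user names, resources, hours and rule layout are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Rule:
    role: str
    resource: str
    actions: frozenset
    start: time = time(0, 0)        # time of day restriction, inclusive
    end: time = time(23, 59, 59)


# Constructed policy. It holds explicit grants only: there is no "deny" rule,
# because anything that matches no grant is refused (implicit deny).
POLICY = [
    # Least privilege: clerks can read the ledger and nothing more.
    Rule("data_entry_clerk", "ledger", frozenset({"read"}), time(8, 0), time(18, 0)),
    Rule("financial_coordinator", "ledger", frozenset({"read", "write"}),
         time(8, 0), time(18, 0)),
    Rule("financial_coordinator", "payroll", frozenset({"read"})),
]

AUDIT_LOG = []  # auditing: every decision is recorded, allowed or denied


def is_allowed(user, role, resource, action, now):
    """Return True only when an explicit rule grants the request."""
    allowed = any(
        r.role == role and r.resource == resource
        and action in r.actions and r.start <= now <= r.end
        for r in POLICY
    )
    AUDIT_LOG.append((now.isoformat(), user, role, resource, action,
                      "ALLOW" if allowed else "DENY"))
    return allowed


def demo():
    """Run five constructed requests and return the decisions in order."""
    noon, night = time(12, 0), time(23, 0)
    return [
        is_allowed("user1", "data_entry_clerk", "ledger", "read", noon),
        is_allowed("user1", "data_entry_clerk", "ledger", "write", noon),  # never granted
        is_allowed("user3", "financial_coordinator", "ledger", "write", noon),
        is_allowed("user3", "financial_coordinator", "ledger", "write", night),  # outside hours
        is_allowed("user9", "contractor", "ledger", "read", noon),  # role has no grants
    ]


if __name__ == "__main__":
    print(demo())
    for entry in AUDIT_LOG:
        print(entry)
```

The denied requests need no rule of their own; they fail because no grant matches, and each one still leaves an audit record.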
  • Authentication Factors
    • Something you know
      • Password, PIN
    • Something you have
      • Key, ID card
    • Something you are
      • Fingerprints, retinal patterns
  • User Name/Password Authentication
    [Diagram: User name, password]
  • Tokens
    • Tokens are physical or virtual objects, such as smart cards, ID badges, or data packets, that store authentication information.
    • Tokens can store personal identification numbers (PINs), information about users, or passwords.
    [Diagram: PIN, unique value, user information, password]
  • Biometrics
    • Biometrics are authentication schemes based on individuals’ physical characteristics.
      • Fingerprint scanner
      • Retinal scanner
      • Hand geometry scanner
      • Voice-recognition software
      • Facial-recognition software
  • Multi-Factor Authentication
    • Multi-factor authentication is any authentication scheme that requires validation of at least two of the possible authentication factors.
  • Mutual Authentication
    • A security mechanism that requires each party in a communication to verify the other’s identity. A service or resource verifies the client’s credentials, and the client verifies the resource’s credentials.
    • Mutual authentication prevents a client from inadvertently submitting confidential information to a non-secure server.
    • Mutual authentication helps in avoiding man-in-the-middle and session hijacking attacks.
  • Cryptography
    • Cryptography is the science of hiding information.
    [Diagram: Used to secure sensitive data transmissions: electronic commerce, ATM cards, computer security]
  • Encryption
    • Cryptographic technique that converts data from plain, or cleartext form, into coded, or ciphertext form. Only authorized parties with the necessary decryption information can decode and read the data.
    [Diagram: Plaintext → Encryption → Ciphertext]
  • Ciphers
    • A cipher is a specific set of actions used to encrypt data.
    • Plaintext is the original, un-encoded data.
    • Cipher Types
      • Stream cipher
      • Block cipher
    [Diagram: original information → cipher → encrypted information; stream cipher: plaintext → ciphertext; block cipher: plaintext block → ciphertext block]
  • Encryption and Security Goals
    • Encryption supports:
      • Confidentiality
      • Integrity
      • Non-repudiation
      • Authorization
      • Access
    • An Encryption Algorithm
      • The rule, system, or mechanism used to encrypt data.
    • An encryption key
      • Specific piece of information
      • Used in conjunction with an algorithm to perform encryption and decryption
    [Diagram: Key = two letters following; plaintext "Text" becomes ciphertext "Vgzv"]
  • Steganography
    • Steganographic techniques include:
      • Hiding information in blocks.
      • Hiding information within images.
      • Invisibly altering the structure of a digital image.
  • Hashing Encryption
    • One-way encryption that transforms cleartext into ciphertext that is not intended to be decrypted.
    • Algorithms
      • MD5
      • SHA
      • NTLM versions 1 and 2
      • RIPEMD
      • HMAC
    [Diagram: Hashing is one-way encryption]
  • Symmetric Encryption
    • Two-way encryption scheme in which encryption and decryption are both performed by the same key.
    • Algorithms
      • DES
      • 3DES
      • AES
      • Blowfish
      • Twofish
      • RC 4, 5, 6
      • Skipjack
      • CAST-128
    [Diagram: Symmetric encryption: the same key on both sides encrypts and decrypts data]
  • Asymmetric Encryption
    • Using public and private keys
    • The private key is never shared
    • The public key is given to anyone
    • Algorithms
      • Rivest Shamir Adleman (RSA)
      • Diffie-Hellman
      • Elgamal
      • Paillier Cryptosystem
      • Elliptic curve cryptography (ECC)
    [Diagram: Asymmetric encryption: public key encrypts, private key decrypts]
  • Digital Signatures
    • A message digest that has been encrypted with a user’s private key.
    • Used with hashing algorithms
    • Support message integrity
    • Support non-repudiation
    [Diagram: Hash value of signature; hash value matches]
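How the integrity and non-repudiation claims on the hashing, symmetric encryption and digital signature slides differ in practice, shown with SHA and HMAC from the hashing slide. This is an added example, not part of the original slides; the messages, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def digest(message: bytes) -> str:
    """Unkeyed hash (SHA-256): anyone can compute it for any message."""
    return hashlib.sha256(message).hexdigest()


def mac(key: bytes, message: bytes) -> str:
    """HMAC-SHA-256: producing a valid tag requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_digest(message: bytes, received: str) -> bool:
    return hmac.compare_digest(digest(message), received)


def verify_mac(key: bytes, message: bytes, received: str) -> bool:
    # compare_digest runs in constant time, so the comparison leaks nothing
    return hmac.compare_digest(mac(key, message), received)


def scenario() -> dict:
    key = secrets.token_bytes(32)              # known to sender and receiver only
    original = b"transfer 100 to account 42"   # constructed sample message
    altered = b"transfer 900 to account 77"    # same message changed in transit
    sent_tag = mac(key, original)
    return {
        # A bare digest that travels with the message can be recomputed by
        # whoever changed the message, so the receiver's check still passes.
        "digest_detects_change": not verify_digest(altered, digest(altered)),
        "hmac_accepts_original": verify_mac(key, original, sent_tag),
        # Without the key, no matching tag can be produced for the altered text.
        "hmac_detects_change": not verify_mac(key, altered, sent_tag),
        # The receiver holds the same key and can tag any message itself, so a
        # tag proves integrity but not which of the two parties wrote it.
        "receiver_can_mint_tag": verify_mac(key, altered, mac(key, altered)),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The last result is the gap a digital signature closes: only the signer holds the private key, which is what lets the slide list non-repudiation alongside integrity.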
  • A Security Policy
    • A formalized statement that defines how security will be implemented within a particular organization.
    [Diagram: Individual policy: formal policy statement, implementation measures, resources to protect]
  • Security Policy Components
    • Policy statement: Outlines the plan for the individual security component.
    • Standards: Define how to measure the level of adherence to the policy.
    • Guidelines: Suggestions, recommendations, or best practices for how to meet the policy standard.
    • Procedures: Step-by-step instructions that detail how to implement components of the policy.
  • Security Policy Issues
    • Acceptable use
    • Privacy
    • Separation of duties
    • Job rotation
    • Mandatory vacation
    • Need to know
    • Least privilege
    • Implicit deny
  • Common Security Policy Types
    • Acceptable use policy (AUP): Defines the acceptable use of an organization’s physical and intellectual resources.
    • Audit policy: Details the requirements and parameters for risk assessment and audits of the organization’s information and resources.
    • Extranet policy: Sets the requirements for third-party entities that desire access to an organization’s networks.
    • Password policy: Defines standards for creating password complexity.
    • Wireless standards policy: Defines which wireless devices can connect to an organization’s network and how to use them in a safe manner that protects the organization’s security.
  • Security Document Categories
    • System architecture: Physical documentation about the setup and configuration of your network and systems must be stored securely.
    • Change documentation: Changes in the configuration of data, systems, and services are often tracked and documented to provide an official record of the correct current configuration.
    • Logs: System logs, especially those generated by the auditing security function, need to be protected from unauthorized access or tampering.
    • Inventories: Equipment and asset inventories provide a valuable source of information for attackers, whether they plan to mount an electronic attack against the system or resort to physical damage or theft.
  • Change Management
    • A systematic way of approving and executing change in order to assure maximum security, stability, and availability of information technology services.