Information Security Lesson 3 - Basics - Eric Vanderburg

  1. Information Security, Chapter 3: Security Basics (Information Security © 2006 Eric Vanderburg)
  2. Approaches and the human firewall
     • Approaches
       – Bottom-up: security driven by technical staff, without a management mandate
       – Top-down: security driven by management, with policy and budget behind it
     • Human firewall: a security-conscious individual who
       – Uses strong passwords
       – Practices good computer hygiene
       – Watches for suspicious activity
       – Is aware of changes to their computer
  3. Layering
     • Many defense mechanisms are in place surrounding an asset:
       – Edge firewall
       – Host firewall
       – Intrusion detection system
       – File permissions
       – Required usernames and passwords
       – Segmented network
       – Audit trails
       – Honeypots
     • Layers should be coordinated so they do not negatively impact one another when implemented.
  4. Limiting
     • You should only have access to what you need for your role (least privilege).
     • Subject: the person or computer program requesting access
     • Object: the resource being accessed, such as a computer, file or database
     • Proper division of duties
  5. Diversity
     • Layers built from the same mechanism (for example, two firewalls of the same make) are easy to conquer because the same strategy can be used on each.
     • With diverse layers, a breach in one area does not compromise the entire system.
  6. Obscurity
     • Practices should be secret
     • Source code should be protected
     • Keep usernames secret
     • Train employees not to reveal information
     • Obscurity only delays an attacker. It is a supplementary layer, not a substitute for mechanisms such as ciphers and access controls that stay secure even when their design is known.
  7. Simplicity
     • Simple from the inside, complex from the outside.
       – Well-structured design
       – Trained employees
       – Documented
  8. Authentication
     • Proving you are who you say you are
     • What you know (password, PIN, personal info)
     • What you have (card, token, RFID)
     • What you are (biometrics)
     • Username and password: simplest and most common
       – SSO (Single Sign-On): reduces the number of logons because one username/password is used for all systems and their associated databases; once a user logs on to their client system the remaining logons are transparent. The trade-off is that one compromised credential opens every system behind it.
  9. Authentication
     • Token
       – Magnetic stripe card
       – RFID card
       – Number sequencer (one-time code generator)
     • Biometrics
       – Fingerprint
       – Facial scan
       – Retina / iris scan
       – Hand print
       – Voice
       – Pheromones
       – Blood
     • Biometrics is expensive, time consuming, error prone, and hard to use.
  10. Authentication
     • Certificates
       – Binds a person (or system) to a public key
       – Personal info is provided to obtain the cert
       – Issued by a trusted CA (Certification Authority)
       – Signed with the CA's private key: the certificate contents are hashed and the hash is signed, so anyone holding the CA's public key can verify both integrity and origin. The certificate itself is not encrypted and is readable by everyone.
       – Usage will be specified in the certificate
       – Certificates expire and must be renewed
       – CTL (Certificate Trust List)
       – CRL (Certificate Revocation List)
  11. Authentication
     • Kerberos
       – Developed at MIT
       – AS (Authentication Server): gives out the TGT (Ticket Granting Ticket) and resides on the KDC (Key Distribution Center), together with the TGS
       – Present the TGT to the TGS (Ticket Granting Service) to receive a service ticket for a resource.
       – Everything is time stamped: tickets expire, and authenticators outside the allowed clock skew are rejected, which limits replay. Clocks must be synchronized.
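The three-step flow on the Kerberos slide, as an added example that is not part of the original deck and not MIT's or any vendor's Kerberos code: an AS issues a TGT, the client presents it with a timestamped authenticator to the TGS for a service ticket, and the service checks the ticket and its own authenticator. Assumptions: the sealing primitive is a toy encrypt-then-MAC built from HMAC-SHA256 (real Kerberos uses AES with an HMAC), the realm name used as a PBKDF2 salt, the lifetimes, and the user and service names are all constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag) so the example is self-contained.
# Real Kerberos uses AES-CTS with an HMAC; the ticket structure and the checks are what matter here.
def seal(key: bytes, obj: dict) -> bytes:
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed (wrong key or tampering)")
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

TICKET_LIFE = 8 * 3600  # seconds a ticket stays valid (constructed value)
CLOCK_SKEW = 300        # authenticators older than this are rejected, limiting replay

def derive_key(password: str) -> bytes:
    """Long-term key from the password; the realm name is a constructed salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"REALM.EXAMPLE", 10_000)

class KDC:
    """Authentication Server (AS) and Ticket Granting Service (TGS) on one host."""
    def __init__(self, user_keys: dict, service_keys: dict):
        self.user_keys = user_keys          # principal -> long-term key
        self.service_keys = service_keys    # service   -> long-term key
        self.tgs_key = os.urandom(32)       # the TGS's own key ("krbtgt"); never leaves the KDC

    def as_exchange(self, user: str, now: float):
        """AS_REQ/AS_REP: a TGT sealed for the TGS plus the session key sealed for the user."""
        session = os.urandom(32).hex()
        expires = now + TICKET_LIFE
        tgt = seal(self.tgs_key, {"client": user, "key": session, "expires": expires})
        return tgt, seal(self.user_keys[user], {"key": session, "expires": expires})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """TGS_REQ/TGS_REP: check TGT and authenticator, then issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        a = unseal(bytes.fromhex(t["key"]), authenticator)  # only a session-key holder can make this
        if a["client"] != t["client"] or abs(now - a["time"]) > CLOCK_SKEW:
            raise PermissionError("authenticator mismatch or stale")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.service_keys[service],
                      {"client": t["client"], "key": svc_session, "expires": now + TICKET_LIFE})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_session})

def make_authenticator(session_key: bytes, client: str, now: float) -> bytes:
    """Proves the sender holds the session key right now (the timestamp limits replay)."""
    return seal(session_key, {"client": client, "time": now})

def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: float) -> str:
    """AP_REQ at the resource: returns the authenticated client name or raises."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise PermissionError("service ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or abs(now - a["time"]) > CLOCK_SKEW:
        raise PermissionError("authenticator mismatch or stale")
    return t["client"]

def login_and_access(kdc: KDC, user: str, user_key: bytes, service: str, service_key: bytes, now: float) -> str:
    """Client side of the whole flow: AS -> TGS -> service. Returns the name the service authenticated."""
    tgt, blob = kdc.as_exchange(user, now)
    session = bytes.fromhex(unseal(user_key, blob)["key"])    # wrong password => integrity failure here
    ticket, blob2 = kdc.tgs_exchange(tgt, make_authenticator(session, user, now), service, now)
    svc_session = bytes.fromhex(unseal(session, blob2)["key"])
    return service_accepts(service_key, ticket, make_authenticator(svc_session, user, now), now)

def outcome(step, *args) -> str:
    """Run one step and report 'ok:<result>' or 'refused:<reason>'."""
    try:
        return "ok:" + str(step(*args))
    except (ValueError, PermissionError) as e:
        return "refused:" + str(e)

if __name__ == "__main__":
    alice_key, fs_key = derive_key("correct horse battery"), derive_key("fileserver-key")  # constructed
    kdc = KDC({"alice": alice_key}, {"fileserver": fs_key})
    print(outcome(login_and_access, kdc, "alice", alice_key, "fileserver", fs_key, 1_000.0))
    print(outcome(login_and_access, kdc, "alice", derive_key("wrong"), "fileserver", fs_key, 1_000.0))
```

Note that the user's password never reaches the KDC: a wrong password simply fails to open the AS reply, and the TGS only ever sees tickets sealed under keys the client does not hold. The `now` argument is passed explicitly so that expiry and clock-skew rejection can be exercised deterministically.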
  12. Authentication
     • CHAP (Challenge Handshake Authentication Protocol)
       – Server sends a challenge (a random piece of data)
       – Client runs a one-way hash over the challenge and a shared secret and returns the result; the secret itself never crosses the wire.
       – The server runs the same computation to see if the client knows the shared secret; because each challenge is fresh, a captured response cannot be replayed.
     • Mutual authentication
       – Client authenticates to server
       – Server authenticates to client
       – Helps protect against man-in-the-middle attacks and hijacking
       – MS-CHAP v2 provides it
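The CHAP exchange from the slide with both sides implemented, as an added example that is not part of the original deck: the response is computed exactly as RFC 1994 specifies (MD5 over identifier, secret and challenge), the verifier consumes each challenge once so a recorded response fails against a later challenge, and mutual authentication is modeled as CHAP run in both directions. The peer names and secrets are constructed; MS-CHAPv2's own cryptography (NT hash, DES) is an assumption the example deliberately does not reproduce.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """The side that issues challenges; it knows the shared secret of every peer it accepts."""
    def __init__(self, secrets: dict):
        self.secrets = secrets          # peer name -> shared secret
        self.outstanding = {}           # identifier -> challenge awaiting a response
        self.next_id = 0

    def challenge(self):
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        chal = os.urandom(16)           # fresh random challenge every time
        self.outstanding[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self.outstanding.pop(ident, None)  # one response per challenge: a replay finds nothing
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(ident, secret, chal))

class ChapPeer:
    """The side being authenticated; it proves knowledge of the secret without sending it."""
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, chal: bytes):
        return self.name, chap_response(ident, self.secret, chal)

def authenticate(verifier: ChapAuthenticator, peer: ChapPeer) -> bool:
    """One CHAP exchange: Challenge -> Response -> Success/Failure."""
    ident, chal = verifier.challenge()
    name, response = peer.respond(ident, chal)
    return verifier.verify(ident, name, response)

def mutual_authenticate(client: ChapPeer, client_verifier: ChapAuthenticator,
                        server: ChapPeer, server_verifier: ChapAuthenticator):
    """Client proves itself to the server's verifier, then the server proves itself to the client's.
    MS-CHAPv2 folds both directions into one handshake with different cryptography (not shown)."""
    return authenticate(server_verifier, client), authenticate(client_verifier, server)

def replay_attempt(verifier: ChapAuthenticator, peer: ChapPeer) -> bool:
    """An eavesdropper records a valid exchange and replays the captured response later."""
    ident, chal = verifier.challenge()
    name, captured = peer.respond(ident, chal)
    verifier.verify(ident, name, captured)              # the genuine session completes normally
    new_ident, _ = verifier.challenge()                 # later: the attacker receives a new challenge
    return verifier.verify(new_ident, name, captured)   # the old response does not fit it

if __name__ == "__main__":
    secret = b"shared-secret-for-link-7"   # constructed; provisioned out of band on both sides
    server = ChapAuthenticator({"client-7": secret})
    client = ChapPeer("client-7", secret)
    print("client accepted:", authenticate(server, client))
    print("replay accepted:", replay_attempt(server, client))
```

The weakness CHAP does not address is visible in `chap_response`: anyone who captures a challenge/response pair can try candidate secrets offline, so the shared secret must be strong, and MD5 here is what the RFC mandates rather than a recommendation.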
  13. Authentication
     • Multifactor authentication: use more than one form of authentication, drawn from different categories as described before.
       – What you know
       – What you have
       – What you are
  14. Access Control
     • Controlled by the OS
     • ACL (Access Control List)
       – One for each file
       – Can also be configured on network access devices
     • ACE (Access Control Entry): a row in the ACL naming a trustee (user or group) and the associated permission (allow or deny)
  15. Permissions
     • Full Control
     • Modify
     • Read
     • List folder contents
     • Read & Execute (list folder contents and read)
     • Write (create files and folders)
  16. Access Control
     • MAC (Mandatory Access Control): permissions and rights are set by a central policy (security labels) and cannot be changed by users or resource owners.
     • DAC (Discretionary Access Control): the owner of a resource can assign permissions as they see fit.
     • RBAC (Role Based Access Control): roles are given permissions and users inherit those permissions by belonging to a role. Groups should mirror a role or the functions of a role.
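The ACL/ACE evaluation of slide 14, the permission set of slide 15 and the three models of slide 16 in one working example, added here and not taken from the deck or from Windows itself: an ordered ACL of allow/deny ACEs is walked the way Windows evaluates it (deny ACEs first, so an explicit deny beats an allow for the same right), users obtain rights only through role groups (RBAC), the owner may edit the ACL (DAC), and a label check that no owner can waive sits in front of it (MAC). The rights mask, the roles, the clearance levels and the two files are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntFlag

class Right(IntFlag):
    """Simplified NTFS-style rights mask; the slide 15 permissions are combinations of these."""
    READ = 1
    WRITE = 2
    EXECUTE = 4
    LIST = 8
    DELETE = 16
    CHANGE_PERMS = 32
    READ_EXECUTE = READ | EXECUTE | LIST
    MODIFY = READ_EXECUTE | WRITE | DELETE
    FULL_CONTROL = MODIFY | CHANGE_PERMS

@dataclass
class ACE:
    trustee: str      # user or group name (groups mirror roles, slide 16)
    allow: bool       # True = access-allowed ACE, False = access-denied ACE
    rights: Right

@dataclass
class Token:
    user: str
    groups: frozenset

def access_check(acl: list, token: Token, requested: Right) -> bool:
    """Walk the ACL in order. In canonical order deny ACEs come first, so an explicit deny beats an
    allow for the same right; stop as soon as every requested right has been granted."""
    principals = {token.user} | token.groups
    remaining = int(requested)
    for ace in acl:
        if ace.trustee not in principals:
            continue
        if not ace.allow and (int(ace.rights) & remaining):
            return False                      # denied right still outstanding: access refused
        if ace.allow:
            remaining &= ~int(ace.rights)     # strip the rights this ACE grants
        if remaining == 0:
            return True
    return remaining == 0

# RBAC: users hold rights only through roles; the ACL names roles (as groups), never users.
ROLE_MEMBERS = {"Accounts Payable": {"alice", "bob"}, "Auditors": {"carol"}, "Interns": {"bob"}}  # constructed

def token_for(user: str) -> Token:
    return Token(user, frozenset(role for role, members in ROLE_MEMBERS.items() if user in members))

# MAC: labels assigned by policy, not by the file's owner. 2 = confidential, 1 = internal (constructed).
CLASSIFICATION = {"payroll.xlsx": 2, "vendors.csv": 1}
CLEARANCE = {"alice": 2, "bob": 1, "carol": 2}

@dataclass
class Resource:
    name: str
    owner: str
    acl: list

    def grant(self, by: str, trustee: str, rights: Right, allow: bool = True) -> None:
        """DAC: the owner, or anyone holding CHANGE_PERMS, may edit the ACL."""
        if not can_change_perms(by, self):
            raise PermissionError(f"{by} may not change permissions on {self.name}")
        self.acl.append(ACE(trustee, allow, rights))
        self.acl.sort(key=lambda ace: ace.allow)   # keep canonical order: deny ACEs first

def can_change_perms(user: str, res: Resource) -> bool:
    return user == res.owner or access_check(res.acl, token_for(user), Right.CHANGE_PERMS)

def authorized(user: str, res: Resource, requested: Right) -> bool:
    """Both gates must pass: the MAC label check, which no owner can waive, then the DAC/RBAC ACL."""
    if CLEARANCE.get(user, 0) < CLASSIFICATION.get(res.name, 0):
        return False
    return access_check(res.acl, token_for(user), requested)

if __name__ == "__main__":
    vendors = Resource("vendors.csv", "alice", [ACE("Interns", False, Right.WRITE | Right.DELETE),
                                                ACE("Accounts Payable", True, Right.MODIFY)])
    print("bob reads vendors:", authorized("bob", vendors, Right.READ))     # allowed via his role
    print("bob writes vendors:", authorized("bob", vendors, Right.WRITE))   # intern deny ACE wins
    payroll = Resource("payroll.xlsx", "alice", [ACE("Accounts Payable", True, Right.MODIFY)])
    payroll.grant("alice", "Interns", Right.FULL_CONTROL)                   # owner's DAC grant
    print("bob reads payroll:", authorized("bob", payroll, Right.READ))     # still blocked by MAC
```

The point the demo makes is the ordering of the gates: the owner's discretionary grant is honored in the ACL, but the mandatory label check runs first and is never consulted with the ACL, so no amount of DAC generosity lets an under-cleared user through.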
  17. Auditing
     • Logging: Event Viewer (Windows)
     • System scanning: checks to make sure a user does not exceed their permissions
  18. Acronyms
     • ACE, Access Control Entry
     • AS, Authentication Server
     • CA, Certification Authority
     • CHAP, Challenge Handshake Authentication Protocol
     • CISO, Chief Information Security Officer
     • DAC, Discretionary Access Control
     • MAC, Mandatory Access Control
     • RBAC, Role Based Access Control
     • SSO, Single Sign On
  19. Acronyms
     • KDC, Key Distribution Center
     • TGT, Ticket Granting Ticket
     • TGS, Ticket Granting Service
