CompTIA Security+ Module1: Security fundamentals


Published in: Education, Technology, Business

  1. Security Fundamentals
     - The Information Security Cycle
     - Information Security Controls
     - Authentication Methods
     - Cryptography Fundamentals
     - Security Policy Fundamentals
  2. Security Fundamentals
     - The Information Security Cycle
     - Information Security Controls
     - Authentication Methods
     - Cryptography Fundamentals
     - Security Policy Fundamentals
  3. What Is Information Security?
     - Protection of available information or information resources.
     - Necessary for a responsible individual or organization to secure confidential information.
     - Minimize business risks and other consequences of losing crucial data.
  4. What to Protect
     - If the security of an organization’s data and resources is compromised, it may cause collateral damage to the organization, in the form of compromised reputation, loss of goodwill, reduced investor confidence, loss of customers, and various financial losses.
     [Figure labels: Data, Resource]
  5. Goals of Security
     Security Goal: Description
     - Prevention: Personal information, company information, and information on intellectual property must be protected. If security is breached in any of these departments, then the organization may have to put a lot of effort into recovering losses.
     - Detection: Detection is the step that occurs when a user is discovered trying to access unauthorized data or the information has been lost.
     - Recovery: You need to employ a process to recover vital data present in files or folders from a crashed system or data storage devices. Recovery can also pertain to physical resources.
  6. A Vulnerability
     - Any condition that leaves a system open to attack:
       - Improperly configured or installed hardware or software
       - Bugs in software or operating systems
       - The misuse of software or communication protocols
       - Poorly designed networks
       - Poor physical security
       - Insecure passwords
       - Design flaws in software or operating systems
       - Unchecked user input
     [Figure labels: Attacker, Information System, Unsecured Router]
  7. Threats
     - Any event or action that could potentially result in the violation of a security requirement, policy, or procedure.
     - Information security threats (unintentional or intentional):
       - Changes to information
       - Interruption of services
       - Interruption of access
       - Damage to hardware
       - Damage to facilities
  8. Attacks
     - A technique that is used to exploit a vulnerability in any application on a computer system without the authorization to do so.
     - Attack types shown:
       - Physical security attacks
       - Software-based attacks
       - Social engineering attacks
       - Web application-based attacks
       - Network-based attacks
  9. Intrusions
     - An attacker accesses your computer system without the authorization to do so.
  10. Risk
     - A concept that indicates exposure to the chance of damage or loss.
     - Risk is often associated with the loss of a system, power, or network, and other physical losses.
     - Risk also affects people, practices, and processes.
     [Figure labels: Disgruntled Former Employees, Threat of Improper Access]
  11. Controls
     - The countermeasures that you need to put in place to avoid, mitigate, or counteract security risks due to threats or attacks.
     - Types
       - Prevention controls: These help to prevent a threat or attack from exposing a vulnerability in the computer system.
       - Detection controls: These help to discover if a threat or vulnerability has entered into the computer system.
       - Correction controls: These help to mitigate a consequence of a threat or attack from adversely affecting the computer system.
  12. Security Fundamentals
     - The Information Security Cycle
     - Information Security Controls
     - Authentication Methods
     - Cryptography Fundamentals
     - Security Policy Fundamentals
  13. The CIA Triad
     - Confidentiality: This is the fundamental principle of keeping information and communications private and protecting them from unauthorized access.
     - Integrity: This is the property of keeping organization information accurate, free of errors, and without unauthorized modifications.
     - Availability: This is the fundamental principle of ensuring that systems operate continuously and that authorized persons can access the data that they need.
  14. Non-repudiation
     - Supplemental to the CIA triad.
     - The goal of ensuring that the party that sent a transmission or created data remains associated with that data.
  15. Authentication
     - A method of uniquely validating a particular entity or individual’s credentials.
     [Figure labels: User Name, Password]
  16. Identification
     - A method that ensures that the entity requesting authentication is the true owner of the credentials.
     [Figure labels: User Name, Password]
  17. The Four As
     - Authorization is the process of determining what rights and privileges a particular entity has.
     - Access control is the process of determining and assigning privileges to various resources, objects, or data.
     - Accountability is the process of determining who to hold responsible for a particular activity or event.
     - Auditing or accounting is the process of tracking and recording system activities and resource access.
  18. Access Control Methods
     - Mandatory Access Control (MAC)
     - Discretionary Access Control (DAC)
     - Role-Based Access Control (RBAC)
     - Rule-Based Access Control
  19. Common Security Practices
     - Implicit deny
     - Least privilege
     - Separation of duties
     - Job rotation
     - Mandatory vacation
     - Time of day restrictions
     - Privilege management
  20. Implicit Deny
     - Everything that is not explicitly allowed is denied.
     [Figure labels: Default Deny, Read Access Granted, Write Access Denied]
  21. Least Privilege
     - Dictates that users and software should only have the minimal level of access that is necessary for them to perform the duties required of them.
     [Figure labels: User 1, User 4, User 2, User 3; Data Entry Clerks; Financial Coordinators; Perform their job with fewer privileges; Perform their job with more privileges]
  22. Separation of Duties
     - No one person should have too much power or responsibility.
     [Figure labels: Audit, Backup, Restore]
  23. Job Rotation
     - No one person stays in a vital job role for too long a time period.
     - Helps
       - Prevent abuse of power
       - Reduce boredom
       - Enhance individuals’ professional skills
  24. Mandatory Vacation
     - The typical mandatory vacation policy requires that employees take at least one vacation a year in a full-week increment. During that time, the corporate audit and security employees have time to investigate and discover any discrepancies in employee activity.
     - When employees understand the security focus of the mandatory vacation policy, the chance of fraudulent activities decreases.
  25. Time of Day Restrictions
     - Controls that allow users to access a system for a certain time period, which can be set using a group policy.
  26. Privilege Management
     - The use of authentication and authorization mechanisms to provide centralized or decentralized administration of user and group access control.
     [Figure labels: Administrator, Authentication, Authorization, Access Control, Auditing]
  27. Security Fundamentals
     - The Information Security Cycle
     - Information Security Controls
     - Authentication Methods
     - Cryptography Fundamentals
     - Security Policy Fundamentals
  28. Authentication Factors
     - Something you know
       - Password, PIN
     - Something you have
       - Key, ID card
     - Something you are
       - Fingerprints, retinal patterns
  29. User Name/Password Authentication
     [Figure labels: User Name, Password]
  30. Tokens
     - Tokens are physical or virtual objects, such as smart cards, ID badges, or data packets, that store authentication information.
     - Tokens can store personal identification numbers (PINs), information about users, or passwords.
     [Figure labels: PIN, Unique value, User information, Password]
  31. Biometrics
     - Biometrics are authentication schemes based on individuals’ physical characteristics.
       - Fingerprint scanner
       - Retinal scanner
       - Hand geometry scanner
       - Voice-recognition software
       - Facial-recognition software
  32. Multi-Factor Authentication
     - Multi-factor authentication is any authentication scheme that requires validation of at least two of the possible authentication factors.
  33. Mutual Authentication
     - A security mechanism that requires that each party in a communication verifies the other’s identity. A service or resource verifies the client’s credentials, and the client verifies the resource’s credentials.
     - Mutual authentication prevents a client from inadvertently submitting confidential information to a non-secure server.
     - Mutual authentication helps in avoiding man-in-the-middle and session hijacking attacks.
  34. Security Fundamentals
     - The Information Security Cycle
     - Information Security Controls
     - Authentication Methods
     - Cryptography Fundamentals
     - Security Policy Fundamentals
  35. Cryptography
     - Cryptography is the science of hiding information.
     [Figure labels: Used to secure sensitive data transmissions; Electronic Commerce; ATM Cards; Computer Security]
  36. Encryption
     - Cryptographic technique that converts data from plain, or cleartext form, into coded, or ciphertext form. Only authorized parties with the necessary decryption information can decode and read the data.
     [Figure labels: Plaintext, Encryption, Ciphertext]
  37. Ciphers
     - A cipher is a specific set of actions used to encrypt data.
     - Plaintext is the original, un-encoded data.
     - Cipher Types
       - Stream Cipher
       - Block Cipher
     [Figure labels: Original Information, Cipher, Encrypted Information; Plaintext, Cipher, Ciphertext; Plaintext block, Cipher, Ciphertext block]
  38. Encryption and Security Goals
     - Encryption supports:
       - Confidentiality
       - Integrity
       - Non-repudiation
       - Authorization
       - Access
     - An encryption algorithm
       - The rule, system, or mechanism used to encrypt data.
     - An encryption key
       - Specific piece of information
       - Used in conjunction with an algorithm to perform encryption and decryption
     [Figure labels: "= Two Letters Following"; "Text"; "Vgzv"]
  39. Steganography
     - Steganographic techniques include:
       - Hiding information in blocks.
       - Hiding information within images.
       - Invisibly altering the structure of a digital image.
  40. Hashing Encryption
     - One-way encryption that transforms cleartext into ciphertext that is not intended to be decrypted.
     - Algorithms
       - MD5
       - SHA
       - NTLM versions 1 and 2
       - RIPEMD
       - HMAC
     [Figure caption: Hashing is one-way encryption]
  41. Symmetric Encryption
     - Two-way encryption scheme in which encryption and decryption are both performed by the same key.
     - Algorithms
       - DES
       - 3DES
       - AES
       - Blowfish
       - Twofish
       - RC 4, 5, 6
       - Skipjack
       - CAST-128
     [Figure labels: Encrypts data, Decrypts data, Same key on both sides]
  42. Asymmetric Encryption
     - Uses public and private keys
     - The private key is never shared
     - The public key is given to anyone
     - Algorithms
       - Rivest Shamir Adleman (RSA)
       - Diffie-Hellman
       - Elgamal
       - Paillier Cryptosystem
       - Elliptic curve cryptography (ECC)
     [Figure labels: Public key encrypts, Private key decrypts]
  43. Digital Signatures
     - A message digest that has been encrypted with a user’s private key.
     - Used with hashing algorithms
     - Support message integrity
     - Support non-repudiation
     [Figure labels: Hash value of signature, Hash value matches]
  44. Security Fundamentals
     - The Information Security Cycle
     - Information Security Controls
     - Authentication Methods
     - Cryptography Fundamentals
     - Security Policy Fundamentals
  45. A Security Policy
     - A formalized statement that defines how security will be implemented within a particular organization.
     [Figure labels: Individual policy, Formal policy statement, Implementation measures, Resources to protect]
  46. Security Policy Components
     Policy Component: Description
     - Policy statement: Outlines the plan for the individual security component.
     - Standards: Define how to measure the level of adherence to the policy.
     - Guidelines: Suggestions, recommendations, or best practices for how to meet the policy standard.
     - Procedures: Step-by-step instructions that detail how to implement components of the policy.
  47. Security Policy Issues
     - Acceptable use
     - Privacy
     - Separation of duties
     - Job rotation
     - Mandatory vacation
     - Need to know
     - Least privilege
     - Implicit deny
  48. Common Security Policy Types
     Policy Type: Description
     - Acceptable use policy (AUP): Defines the acceptable use of an organization’s physical and intellectual resources.
     - Audit policy: Details the requirements and parameters for risk assessment and audits of the organization’s information and resources.
     - Extranet policy: Sets the requirements for third-party entities that desire access to an organization’s networks.
     - Password policy: Defines standards for creating password complexity.
     - Wireless standards policy: Defines which wireless devices can connect to an organization’s network and how to use them in a safe manner that protects the organization’s security.
  49. Security Document Categories
     Security Document: Description
     - System architecture: Physical documentation about the setup and configuration of your network and systems must be stored securely.
     - Change documentation: Changes in the configuration of data, systems, and services are often tracked and documented to provide an official record of the correct current configuration.
     - Logs: System logs, especially those generated by the auditing security function, need to be protected from unauthorized access or tampering.
     - Inventories: Equipment and asset inventories provide a valuable source of information for attackers, whether they plan to mount an electronic attack against the system or resort to physical damage or theft.
  50. Change Management
     - A systematic way of approving and executing change in order to assure maximum security, stability, and availability of information technology services.