Information Security Lesson 3 - Basics - Eric Vanderburg
Information Security
Chapter 3
Security Basics

Information Security © 2006 Eric Vanderburg

• Approaches
– Bottom-up
– Top-down
• Human firewall – a security conscious individual.
– Uses strong passwords
– Hygienic
– Watches for suspicious activity
– Aware of changes to their computer

Layering
• Many defense mechanisms are in place surrounding an asset
– Edge firewall
– Host firewall
– Intrusion detection system
– File permissions
– Required usernames and passwords
– Segmented network
– Audit trails
– Honeypots
• Layers should be coordinated so they do not negatively impact one another when implemented

Limiting
• You should only have access to what you need for your role.
• Subject – person or a computer program
• Object – computer or database
• Proper division of duties

Diversity
• Layers of similar security mechanisms are easy to conquer because the same strategy can be used on each.
• A breach in one area does not compromise the entire system.

Obscurity
• Practices should be secret
• Source code should be protected
• Keep usernames secret
• Train employees not to reveal information

Simplicity
• Simple from the inside, complex from the outside.
– Well structured design
– Trained employees
– Documented

Authentication
• Proving you are who you say you are
• What you know (password, PIN, personal info)
• What you have (card, token, RFID)
• What you are (biometrics)
• Username and password – simplest and most common
– SSO (Single Sign On) – reduces the number of logons because one username/password can be used for all systems and associated databases, and logon is transparent once a user logs on to their client system.

Authentication
• Token
– Magnetic strip card
– RFID card
– Number sequencer
• Biometrics
– Fingerprint
– Facial scan
– Retina / Iris scan
– Hand print
– Voice
– Pheromones
– Blood
• Biometrics is expensive, time consuming, error prone, and hard to use.

Authentication
• Certificates
– Binds a person to a key
– Personal info is provided to obtain the cert
– Provided by a trusted CA (Certification Authority)
– Encrypted with CA private key for validity and hashed for integrity
– Usage will be specified in the certificate
– Certificates expire and must be renewed
– CTL (Certificate Trust List)
– CRL (Certificate Revocation List)

Authentication
• Kerberos
– Developed at MIT
– AS (Authentication Server) – gives out the TGT (Ticket Granting Ticket) and resides on the KDC (Key Distribution Center)
– Present the TGT to a TGS (Ticket Granting Service) to receive a service ticket for a resource.
– Everything is time stamped
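The AS → TGT → TGS → service ticket flow from the slide, modelled in Python as an added example (not code from the slides or from any Kerberos implementation). Real Kerberos encrypts tickets under the recipient's key; here an HMAC tag under the same key stands in for that, and the key table, lifetime and user names are constructed values.

```python
import hashlib
import hmac
import json

# Long-term keys held by the KDC (constructed sample values, not real Kerberos keys).
KEYS = {
    "alice": b"alice-password-derived-key",
    "krbtgt": b"ticket-granting-service-key",
    "fileserver": b"fileserver-long-term-key",
}
LIFETIME = 600  # seconds a ticket stays valid after its timestamp


def seal(key: bytes, fields: dict) -> str:
    """Stand-in for encrypting a ticket under the recipient's key: JSON body plus an HMAC tag.
    Only a holder of `key` can mint or check the ticket (a model, not Kerberos encryption)."""
    body = json.dumps(fields, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + tag


def unseal(key: bytes, ticket: str, now: float) -> dict:
    """Check the tag with `key`, then enforce the timestamp: stale tickets are refused."""
    body, _, tag = ticket.rpartition("|")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ticket was not sealed with the expected key")
    fields = json.loads(body)
    if now > fields["issued"] + LIFETIME:
        raise ValueError("ticket expired")
    return fields


def as_exchange(user: str, user_key: bytes, now: float) -> str:
    """AS on the KDC: check the user's long-term key, then issue a TGT sealed for the TGS."""
    if not hmac.compare_digest(user_key, KEYS[user]):
        raise ValueError("pre-authentication failed")
    return seal(KEYS["krbtgt"], {"client": user, "service": "krbtgt", "issued": now})


def tgs_exchange(tgt: str, service: str, now: float) -> str:
    """TGS: verify the TGT with its own key and issue a service ticket sealed for `service`."""
    fields = unseal(KEYS["krbtgt"], tgt, now)
    return seal(KEYS[service], {"client": fields["client"], "service": service, "issued": now})


def service_accepts(service: str, ticket: str, now: float) -> str:
    """Resource server: verify the ticket with its own key and learn who the client is."""
    fields = unseal(KEYS[service], ticket, now)
    if fields["service"] != service:
        raise ValueError("ticket is for a different service")
    return fields["client"]
```

The client never holds the TGS or service keys, so it cannot forge either ticket, and the timestamp check is what stops an old captured ticket being presented later.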

Authentication
• CHAP (Challenge Handshake Authentication Protocol)
– Server sends a challenge (piece of data)
– Client runs an algorithm using a shared secret on the data and returns the result.
– The server runs the same algorithm to see if the client knows the shared secret
• Mutual Authentication
– Client authenticates to server
– Server authenticates to client
– Helps protect against man-in-the-middle attacks and hijacking
– MSCHAP v2
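The challenge/response exchange and the mutual variant from the slide, written out as an added Python example (not code from the slides). The response algorithm is the one RFC 1994 CHAP uses (MD5 over identifier, secret and challenge); the `Peer` class, the shared secret value and the function names are this example's own.

```python
import hashlib
import hmac
import os

# Shared secret provisioned on both peers out of band (constructed sample value).
SHARED_SECRET = b"constructed-chap-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The CHAP algorithm (RFC 1994): MD5 over identifier || secret || challenge.
    The secret never crosses the wire; only this digest does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Peer:
    """Either side of the link: it can challenge the other peer and answer challenges."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding = None  # the challenge we last sent, awaiting a response

    def challenge(self) -> tuple:
        # Fresh random challenge and new identifier each time, so a captured
        # response cannot be replayed against a later challenge.
        self.identifier = (self.identifier + 1) % 256
        self.outstanding = os.urandom(16)
        return self.identifier, self.outstanding

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)

    def verify(self, identifier: int, response: bytes) -> bool:
        # Recompute with our own copy of the secret and compare in constant time.
        if self.outstanding is None:
            return False
        expected = chap_response(identifier, self.secret, self.outstanding)
        self.outstanding = None  # one response per challenge
        return hmac.compare_digest(expected, response)


def authenticate(verifier: Peer, prover: Peer) -> bool:
    """One CHAP round: verifier challenges, prover answers, verifier checks."""
    identifier, challenge = verifier.challenge()
    return verifier.verify(identifier, prover.respond(identifier, challenge))


def mutual_authenticate(server: Peer, client: Peer) -> bool:
    """Mutual authentication: the client proves itself to the server and the server to the client."""
    return authenticate(server, client) and authenticate(client, server)
```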

Authentication
• Multifactor authentication
– Have more than one form of authentication as described before.
• What you know
• What you have
• What you are

Access Control
• Controlled by the OS
• ACL (Access Control List)
– For each file
– Can be configured on network access devices
• ACE (Access Control Entry) – row in the ACL with a user and associated permission

Permissions
• Full Control
• Modify
• Read
• List folder contents
• Read & Execute (folder contents & read)
• Write (Create files and folders)

Access Control
• MAC (Mandatory Access Control) – permissions and rights are specified and cannot be changed.
• DAC (Discretionary Access Control) – users can assign permissions as they see fit.
• RBAC (Role Based Access Control) – roles are given permissions and users inherit those permissions by belonging to a role. Groups should mirror a role or the functions of a role.
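An added Python example (not from the slides) tying together the ACL/ACE slide, the Permissions slide and the RBAC bullet above: ACEs name a user or a role, roles map to members, and a user's effective rights are the union over the ACEs that match. The expansion of each basic permission into individual rights beyond what the Permissions slide states, and all users, roles and the sample ACL, are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    """One row of an ACL: a principal (user or role) and the permission granted to it."""
    principal: str
    permission: str


# The basic permissions from the Permissions slide, expanded to the rights each one carries.
# The slide only states that Read & Execute covers folder contents and read, and that Write
# means creating files and folders; the rest of this table is this example's assumption.
RIGHTS = {
    "Read": {"read"},
    "List folder contents": {"list"},
    "Read & Execute": {"read", "list", "execute"},
    "Write": {"create"},
    "Modify": {"read", "list", "execute", "create", "write", "delete"},
    "Full Control": {"read", "list", "execute", "create", "write", "delete", "change-permissions"},
}

# RBAC: roles (mirrored by groups) are what the ACEs name; users inherit by membership. Constructed data.
ROLE_MEMBERS = {"Finance": {"alice", "bob"}, "Auditors": {"carol"}}


def principals_for(user: str) -> set:
    """A user matches ACEs written for themselves or for any role they belong to."""
    return {user} | {role for role, members in ROLE_MEMBERS.items() if user in members}


def effective_rights(user: str, acl: list) -> set:
    """Union of the rights granted by every ACE that names one of the user's principals."""
    subjects = principals_for(user)
    rights = set()
    for ace in acl:
        if ace.principal in subjects:
            rights |= RIGHTS[ace.permission]
    return rights


def is_allowed(user: str, acl: list, right: str) -> bool:
    """Default deny: anything not granted by some ACE is refused."""
    return right in effective_rights(user, acl)


# Constructed ACL for a payroll folder: Finance can modify, Auditors only read, dave has Full Control.
PAYROLL_ACL = [ACE("Finance", "Modify"), ACE("Auditors", "Read"), ACE("dave", "Full Control")]
```

Changing a role's membership changes every user's effective rights at once, which is the limiting principle from earlier in the chapter applied through groups rather than per-user ACEs.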

Auditing
• Logging – event viewer (Windows)
• System Scanning – Checks to make sure a user does not exceed their permissions

Acronyms
• ACE, Access Control Entry
• AS, Authentication Server
• CA, Certification Authority
• CHAP, Challenge Handshake Authentication Protocol
• CISO, Chief Information Security Officer
• DAC, Discretionary Access Control
• MAC, Mandatory Access Control
• RBAC, Role Based Access Control
• SSO, Single Sign On

Acronyms
• KDC, Key Distribution Center
• TGT, Ticket Granting Ticket
• TGS, Ticket Granting Service