Professional Documents
Culture Documents
Chap02 R
Chap02 R
Chap02 R
Chapter 2
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Objectives
Definir trminos bsicos relacionados con la seguridad informtica y de informacin. Identificar los enfoques bsicos de seguridad informtica y de informacin. Distinguir entre diferentes mtodos para implementar controles de acceso. Describir los mtodos utilizados para verificar la identidad y la autenticidad de un individuo. Reconocer algunos de los modelos bsicos utilizados para implementar la seguridad en sistemas operativos.
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Key Terms
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Basic Terms
Hacking
Previously used as a term for a person who had a deep understanding of computers and networks. He or she would see how things worked in their separate parts (or hack them). Media has now redefined the term as a person who attempts to gain unauthorized access to computer systems or networks.
Phreaking
Hacking of the systems and computers used by phone companies
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Additional Concepts
Authentication Nonrepudiation Auditability
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Sample Technologies in the Operational Model of Computer Security
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Security Principles
2012
Security approaches Least privilege Separation of duties Implicit deny Job rotation Layered security Defense in depth Security through obscurity Keep it simple
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Security Approaches
Ignore Security Issues
Security is simply what exists on the system out of the box.
Host Security
Each computer is locked down individually. Maintaining an equal and high level of security amongst all computers is difficult and usually ends in failure.
Network Security
Controlling access to internal computers from external entities
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Least Privilege
Least privilege means a subject (user, application, or process) should have only the necessary rights and privileges to perform its task with no additional permissions. By limiting an object's privilege, we limit the amount of harm that can be caused. For example, a person should not be logged in as an administratorthey should be logged in with a regular user account, and change their context to do administrative duties.
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Separation of Duties
For any given task, more than one individual needs to be involved. Applicable to physical environments as well as network and host security. No single individual can abuse the system. Potential drawback is the cost.
Time Tasks take longer Money Must pay two people instead of one
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Implicit Deny
If a particular situation is not covered by any of the rules, then access can not be granted. Any individual without proper authorization cannot be granted access. The alternative to implicit deny is to allow access unless a specific rule forbids it.
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Job Rotation
The rotation of individuals through different tasks and duties in the organization's IT department. The individuals gain a better perspective of all the elements of how the various parts of the IT department can help or hinder the organization. Prevents a single point of failure, where only one employee knows mission critical job tasks.
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Layered Security
Layered security implements different access controls and utilizing various tools and devices within a security system on multiple levels. Compromising the system would take longer and cost more than its worth. Potential downside is the amount of work it takes to create and then maintain the system.
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Diversity of Defense
This concept complements the layered security approach. Diversity of defense involves making different layers of security dissimilar. Even if attackers know how to get through a system that compromises one layer; they may not know how to get through the next layer that employs a different system of security.
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Keep It Simple
The simple security rule is the practice of keeping security processes and tools is simple and elegant. Security processes and tools should be simple to use, simple to administer, and easy to troubleshoot. A system should only run the services that it needs to provide and no more.
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Security Topics
Access control Authentication Social engineering
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Access Control
Access control is a term used to define a variety of protection schemes. This is a term sometimes used to refer to all security features used to prevent unauthorized access to a computer system or network. Its often confused with authentication.
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Authentication
Authentication deals with verifying the identity of a subject while access control deals with the ability of a subject (individual or process running on a computer system) to interact with an object (file or hardware device). Three types of authentication
Something you know (password) Something you have (token or card) Something you are ( biometric)
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Password policy
Passwords are the most common authentication mechanism. Should specify: character set, length, complexity, frequency of change and how it is assigned.
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Social Engineering
Social engineering is the process of convincing an individual to provide confidential information or access to an unauthorized individual. Social engineering is one of the most successful methods that attackers have used to gain access to computer systems and networks. The technique relies on an aspect to security that can be easily overlooked: people. Most people have an inherent desire to be helpful or avoid confrontation. Social engineers exploit this fact. Social engineers will gather seemingly useless bits of information, that when put together, divulge other sensitive information. This is data aggregation.
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Acceptable Use Policy The acceptable use policy outlines the behaviors that are considered appropriate when using a companys resources. Internet use policy
This covers the broad subject of Internet usage.
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Need-to-know policy
This policy reflects both the principle of need to know and the principle of least privilege.
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Mandatory vacation
An employee that never takes time off may be involved in nefarious activities and does not want anyone to find out.
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Security Models
Confidentiality models
Bell-LaPadula security model
Integrity models
Biba model Clark-Wilson model
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Biba Model
Two principles based on integrity levels
Low-water policy (no write up) Ring policy (no read down)
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Clark-Wilson Model
Uses transactions as a basis for rules Two levels of integrity
Constrained data items (CDI)
Subject to integrity controls
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Model Summary
Model Bell-LaPadula Biba Clark-Wilson Objective Confidentiality Integrity Integrity Policies No read up No write down No read down No write up Two levels of integrity UDI and CDI IVP monitor TP (Transformation Processes)
2012
Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
Chapter Summary
Define basic terms associated with computer and information security. Identify the basic approaches to computer and information security. Distinguish among various methods to implement access controls. Describe methods used to verify the identity and authenticity of an individual. Recognize some of the basic models used to implement security in operating systems.
2012