Chap02 R

Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition
General Security Concepts
Chapter 2
2012
Objectives
Definir trminos bsicos relacionados con la seguridad informtica y de informacin. Identificar los enfoques bsicos de seguridad informtica y de informacin. Distinguir entre diferentes mtodos para implementar controles de acceso. Describir los mtodos utilizados para verificar la identidad y la autenticidad de un individuo. Reconocer algunos de los modelos bsicos utilizados para implementar la seguridad en sistemas operativos.
2012
Key Terms
2012
Key Terms (continued)
2012
Basic Terms
Hacking
Previously used as a term for a person who had a deep understanding of computers and networks. He or she would see how things worked in their separate parts (or hack them). Media has now redefined the term as a person who attempts to gain unauthorized access to computer systems or networks.
Phreaking
Hacking of the systems and computers used by phone companies
2012
The CIA of Security

CIA
Confidentiality Integrity Availability
Additional Concepts
Authentication Nonrepudiation Auditability
2012
The Operational Method of Computer Security

Protection = Prevention
Previous model
Protection = Prevention + (Detection + Response)

Includes operational aspects
2012
Sample Technologies in the Operational Model of Computer Security
2012
Security Principles

2012
Security approaches Least privilege Separation of duties Implicit deny Job rotation Layered security Defense in depth Security through obscurity Keep it simple
Security Approaches
Ignore Security Issues
Security is simply what exists on the system out of the box.
Host Security
Each computer is locked down individually. Maintaining an equal and high level of security amongst all computers is difficult and usually ends in failure.
Network Security
Controlling access to internal computers from external entities
2012
Least Privilege
Least privilege means a subject (user, application, or process) should have only the necessary rights and privileges to perform its task with no additional permissions. By limiting an object's privilege, we limit the amount of harm that can be caused. For example, a person should not be logged in as an administratorthey should be logged in with a regular user account, and change their context to do administrative duties.
2012
Separation of Duties
For any given task, more than one individual needs to be involved. Applicable to physical environments as well as network and host security. No single individual can abuse the system. Potential drawback is the cost.
Time Tasks take longer Money Must pay two people instead of one
2012
Implicit Deny
If a particular situation is not covered by any of the rules, then access can not be granted. Any individual without proper authorization cannot be granted access. The alternative to implicit deny is to allow access unless a specific rule forbids it.
2012
Job Rotation
The rotation of individuals through different tasks and duties in the organization's IT department. The individuals gain a better perspective of all the elements of how the various parts of the IT department can help or hinder the organization. Prevents a single point of failure, where only one employee knows mission critical job tasks.
2012
Layered Security
Layered security implements different access controls and utilizing various tools and devices within a security system on multiple levels. Compromising the system would take longer and cost more than its worth. Potential downside is the amount of work it takes to create and then maintain the system.
2012
Diversity of Defense
This concept complements the layered security approach. Diversity of defense involves making different layers of security dissimilar. Even if attackers know how to get through a system that compromises one layer; they may not know how to get through the next layer that employs a different system of security.
2012
Security Through Obscurity

Security through obscurity states that the security is effective if the environment and protection mechanisms are confusing or supposedly not generally known. The concepts only objective is to hide an object (not to implement a security control to protect the object). Its not effective.
2012
Keep It Simple
The simple security rule is the practice of keeping security processes and tools is simple and elegant. Security processes and tools should be simple to use, simple to administer, and easy to troubleshoot. A system should only run the services that it needs to provide and no more.
2012
Security Topics
Access control Authentication Social engineering
2012
Access Control
Access control is a term used to define a variety of protection schemes. This is a term sometimes used to refer to all security features used to prevent unauthorized access to a computer system or network. Its often confused with authentication.
2012
Authentication
Authentication deals with verifying the identity of a subject while access control deals with the ability of a subject (individual or process running on a computer system) to interact with an object (file or hardware device). Three types of authentication
Something you know (password) Something you have (token or card) Something you are ( biometric)
2012
Access Control vs. Authentication

Authentication This proves that you (subject) are who you say you are. Access control This deals with the ability of a subject to interact with an object. Once an individual has been authenticated, access controls then regulate what the individual can actually do on the system. Digital certificates This is an attachment to a message, and is used for authentication. It can also be used for encryption.
2012
Authentication and Access Control Policies

Group policy
By organizing users into groups, a policy can be made that will apply to all users in that group.
Password policy
Passwords are the most common authentication mechanism. Should specify: character set, length, complexity, frequency of change and how it is assigned.
2012
Social Engineering
Social engineering is the process of convincing an individual to provide confidential information or access to an unauthorized individual. Social engineering is one of the most successful methods that attackers have used to gain access to computer systems and networks. The technique relies on an aspect to security that can be easily overlooked: people. Most people have an inherent desire to be helpful or avoid confrontation. Social engineers exploit this fact. Social engineers will gather seemingly useless bits of information, that when put together, divulge other sensitive information. This is data aggregation.
2012
Security Policies & Procedures

Policy High-level statements created by management that lay out the organization's positions on particular issues Security policy High-level statement that outlines both what security means to the organization and the organization's goals for security Procedure General step-by-step instructions that dictate exactly how employees are expected to act in a given situation or to accomplish a specific task
2012
Acceptable Use Policy The acceptable use policy outlines the behaviors that are considered appropriate when using a companys resources. Internet use policy
This covers the broad subject of Internet usage.
E-mail usage policy

This details whether non-work e-mail traffic is allowed at all or severely restricted.
2012
Different Security Policies

Change management policy
This ensures proper procedures are followed when modifications to the IT infrastructure are made.
Classification of information policy

This establishes different categories of information and the requirements for handling each category.
Due care and due diligence

Due care is the standard of care a reasonable person is expected to exercise in all situations Due diligence is the standard of care a business is expected to exercise in preparation for a business transaction.
2012
Different Security Policies (continued)

Due process policy
Due process guarantees fundamental fairness, justice and liberty in relation to an individuals rights.
Need-to-know policy
This policy reflects both the principle of need to know and the principle of least privilege.
Disposal and destruction policy

This policy outlines the methods for destroying discarded sensitive information.
2012
Service Level Agreements

Service level agreements are contractual agreements between entities that describe specified levels of service, and guarantee the level of service.
A web service provider might guarantee 99.99% uptime. Penalties for not providing the service are included.
2012
Human Resources Policies

Employee hiring and promotions
Hiring Background checks, reference checks, drug testing Promotions Periodic reviews, drug checks, change of privileges
Retirement, separation, and termination of an employee

Determine the risk to information, consider limiting access and/or revoking access
Mandatory vacation
An employee that never takes time off may be involved in nefarious activities and does not want anyone to find out.
2012
Security Models
Confidentiality models
Bell-LaPadula security model
Integrity models
Biba model Clark-Wilson model
2012
Bell-LaPadula Security Model

Two principles
Simple security rule (no read up) The *-property (pronounced "star property") principle (no write down)
Objective Protect confidentiality
2012
Biba Model
Two principles based on integrity levels
Low-water policy (no write up) Ring policy (no read down)
Objective Protect integrity
2012
Clark-Wilson Model
Uses transactions as a basis for rules Two levels of integrity
Constrained data items (CDI)
Subject to integrity controls
Unconstrained data items (UDI)

Not subject to integrity controls
Two types of processes

integrity verification processes (IVPs) transformation processes (TPs)
2012
Model Summary
Model Bell-LaPadula Biba Clark-Wilson Objective Confidentiality Integrity Integrity Policies No read up No write down No read down No write up Two levels of integrity UDI and CDI IVP monitor TP (Transformation Processes)
2012
Chapter Summary
Define basic terms associated with computer and information security. Identify the basic approaches to computer and information security. Distinguish among various methods to implement access controls. Describe methods used to verify the identity and authenticity of an individual. Recognize some of the basic models used to implement security in operating systems.
2012

Chap02 R

Uploaded by

Copyright:

Available Formats

You might also like

Chap02 R

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chap02 R

Uploaded by

Copyright:

Available Formats

Principles of Computer Security: CompTIA Security+ Security+ and Beyond, Third Edition

General Security Concepts

Key Terms (continued)

The CIA of Security

The Operational Method of Computer Security

Protection = Prevention + (Detection + Response)

Security Through Obscurity

Access Control vs. Authentication

Authentication and Access Control Policies

Security Policies & Procedures

E-mail usage policy

Different Security Policies

Classification of information policy

Due care and due diligence

Different Security Policies (continued)

Disposal and destruction policy

Service Level Agreements

Human Resources Policies

Retirement, separation, and termination of an employee

Bell-LaPadula Security Model

Objective Protect confidentiality

Objective Protect integrity

Unconstrained data items (UDI)

Two types of processes

You might also like