Information Security Lesson 3 - Basics - Eric Vanderburg
- 2. • Approaches
– Bottom-up
– Top-down
• Human firewall – a security conscious individual.
– Uses strong passwords
– Hygienic
– Watches for suspicious activity
– Aware of changes to their computer
Information Security © 2006 Eric Vanderburg
- 3. Layering
• Many defense mechanisms are in place surrounding an asset
– Edge firewall
– Host firewall
– Intrusion detection system
– File permissions
– Required usernames and passwords
– Segmented network
– Audit trails
– Honeypots
• Layers should be coordinated so they do not negatively impact one another when implemented
- 4. Limiting
• You should only have access to what you
need for your role.
• Subject – person or a computer program
• Object – computer or database
• Proper division of duties
- 5. Diversity
• Layers of similar security mechanisms are
easy to conquer because the same
strategy can be used on each.
• A breach in one area does not
compromise the entire system.
- 6. Obscurity
• Practices should be secret
• Source code should be protected
• Keep usernames secret
• Train employees not to reveal information
- 7. Simplicity
• Simple from the inside, complex from the
outside.
– Well structured design
– Trained employees
– Documented
- 8. Authentication
• Proving you are who you say you are
• What you know (password, PIN, personal info)
• What you have (card, token, RFID)
• What you are (biometrics)
• Username and password – simplest and most common
– SSO (Single Sign On) – reduces the number of logons because one username/password can be used for all systems and associated databases, and logon is transparent once a user logs on to their client system.
- 9. Authentication
• Token
– Magnetic strip card
– RFID card
– Number sequencer
• Biometrics
– Fingerprint
– Facial scan
– Retina / Iris scan
– Hand print
– Voice
– Pheromones
– Blood
• Biometrics is expensive, time consuming, error prone,
and hard to use.
- 10. Authentication
• Certificates
– Binds a person to a key
– Personal info is provided to obtain the cert
– Provided by a trusted CA (Certification
Authority)
– Encrypted with CA private key for validity and
hashed for integrity
– Usage will be specified in the certificate
– Certificates expire and must be renewed
– CTL (Certificate Trust List)
– CRL (Certificate Revocation List)
- 11. Authentication
• Kerberos
– Developed at MIT
– AS (Authentication Server) – gives out TGT
(Ticket Granting Ticket) and resides on the
KDC (Key Distribution Center)
– Present the TGT to a TGS (Ticket Granting
Service) to receive a service ticket for a
resource.
– Everything is time stamped
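The AS → TGT → TGS → service-ticket flow on this slide, as an added example that is not part of the deck and not real Kerberos code. Real Kerberos encrypts tickets under the service's long-term key and adds session keys and authenticators; this simulation only seals each ticket with an HMAC (so the client can carry a TGT but cannot forge or alter it) and keeps the part the slide stresses: every ticket is time stamped and checked against a validity window and a tolerated clock skew. Principal names, keys and lifetimes are constructed sample values.

```python
import hashlib
import hmac
import json
import time

# Long-term keys held by the KDC (constructed sample values). In real Kerberos these derive
# from principal passwords and tickets are encrypted; here a ticket is only sealed with an
# HMAC so the flow and the timestamp checks stay readable.
LONG_TERM_KEYS = {
    "krbtgt": b"tgs-long-term-key",             # the TGS's own key: seals every TGT
    "fileserver": b"fileserver-long-term-key",  # an application service's key
}
TICKET_LIFETIME = 8 * 3600  # seconds a ticket stays valid
CLOCK_SKEW = 300            # tolerated clock difference between parties, in seconds


def seal(key: bytes, ticket: dict) -> bytes:
    """Toy stand-in for encryption: canonical JSON body || '.' || HMAC-SHA256 tag."""
    body = json.dumps(ticket, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Reject any ticket whose tag was not produced with this key (tampered or forged)."""
    body, _, tag = blob.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ticket tag invalid")
    return json.loads(body)


def within_window(ticket: dict, now: float) -> bool:
    """Time-stamp check: not before issue time (minus skew) and not after expiry."""
    return ticket["issued"] - CLOCK_SKEW <= now <= ticket["expires"]


def as_exchange(principal: str, now: float) -> bytes:
    """AS on the KDC: issue a TGT. It is sealed under the krbtgt key, so the client
    can carry it but cannot read it as authoritative data or alter it."""
    tgt = {"type": "TGT", "principal": principal,
           "issued": now, "expires": now + TICKET_LIFETIME}
    return seal(LONG_TERM_KEYS["krbtgt"], tgt)


def tgs_exchange(tgt_blob: bytes, service: str, now: float) -> bytes:
    """TGS on the KDC: validate the presented TGT, then issue a service ticket
    sealed under the target service's key."""
    tgt = unseal(LONG_TERM_KEYS["krbtgt"], tgt_blob)
    if tgt["type"] != "TGT" or not within_window(tgt, now):
        raise PermissionError("TGT expired or not yet valid")
    if service not in LONG_TERM_KEYS:
        raise KeyError("unknown service principal")
    service_ticket = {"type": "ST", "principal": tgt["principal"], "service": service,
                      "issued": now,
                      # a service ticket never outlives the TGT it was derived from
                      "expires": min(tgt["expires"], now + TICKET_LIFETIME)}
    return seal(LONG_TERM_KEYS[service], service_ticket)


def service_accepts(service: str, ticket_blob: bytes, now: float) -> str:
    """Application server: unseal with its own key, check the window, and return
    the authenticated principal."""
    ticket = unseal(LONG_TERM_KEYS[service], ticket_blob)
    if ticket["type"] != "ST" or ticket["service"] != service or not within_window(ticket, now):
        raise PermissionError("service ticket rejected")
    return ticket["principal"]


if __name__ == "__main__":
    now = time.time()
    tgt = as_exchange("alice", now)
    st = tgs_exchange(tgt, "fileserver", now)
    print("fileserver accepted:", service_accepts("fileserver", st, now))
```

Three failure modes are worth trying against it: a TGT presented after its lifetime is refused by the TGS, a TGT whose principal field was edited fails the tag check, and a ticket sealed for one service is rejected by any other service because it cannot unseal it.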
- 12. Authentication
• CHAP (Challenge Handshake Authentication
Protocol)
– Server sends a challenge (piece of data)
– Client runs an algorithm using a shared secret on the
data and returns it.
– The server runs the same algorithm to see if the client
knows the shared secret
• Mutual Authentication
– Client authenticates to server
– Server authenticates to client
– Helps protect against Man in the middle attacks and
hijacking
– MSCHAP v2
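The three CHAP steps and the mutual-authentication variant, as an added example that is not part of the deck. The response computation follows RFC 1994 (MD5 over identifier, shared secret and challenge, which is what the RFC specifies); the peer class, the `authenticate` and `mutual_authenticate` helpers and the sample secret are constructed for this illustration. Running an exchange in both directions is what turns one-way CHAP into mutual authentication.

```python
import hashlib
import hmac
import os

# Secret provisioned out of band on both ends (constructed sample value); it is never sent.
SHARED_SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || Secret || Challenge).

    MD5 is what the RFC specifies; only this digest crosses the wire, never the secret.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapPeer:
    """Holds the shared secret and can play either side: challenger or responder."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = {}  # identifier -> challenge we issued and have not yet checked

    def challenge(self, identifier: int) -> bytes:
        # Fresh random data each time: a captured response is useless against a new challenge.
        chal = os.urandom(16)
        self._pending[identifier] = chal
        return chal

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self._secret, challenge)

    def verify(self, identifier: int, response: bytes) -> bool:
        # pop(): each challenge is answerable exactly once, so a replay finds nothing pending
        chal = self._pending.pop(identifier, None)
        if chal is None:
            return False
        expected = chap_response(identifier, self._secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def authenticate(verifier: ChapPeer, prover: ChapPeer, identifier: int) -> bool:
    """One CHAP exchange: verifier sends a challenge, prover answers, verifier checks."""
    chal = verifier.challenge(identifier)
    return verifier.verify(identifier, prover.respond(identifier, chal))


def mutual_authenticate(server: ChapPeer, client: ChapPeer) -> bool:
    """Mutual authentication: the server verifies the client, then the client verifies
    the server. Distinct identifiers keep the two exchanges apart."""
    return authenticate(server, client, 1) and authenticate(client, server, 2)


if __name__ == "__main__":
    server, client = ChapPeer(SHARED_SECRET), ChapPeer(SHARED_SECRET)
    print("mutual auth:", mutual_authenticate(server, client))
    print("wrong secret:", authenticate(server, ChapPeer(b"guess"), 3))
```

Two properties to notice: a peer holding the wrong secret fails, and replaying a previously valid response fails because the challenge it answered has already been consumed.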
- 14. Access Control
• Controlled by the OS
• ACL (Access Control List)
– For each file
– Can be configured on network access devices
• ACE (Access Control Entry) – row in the ACL with a user and associated permission
- 16. Access Control
• MAC (Mandatory Access Control) – permissions and rights are specified and cannot be changed.
• DAC (Discretionary Access Control) –
users can assign permissions as they see
fit.
• RBAC (Role Based Access Control) –
Roles are given permissions and users
inherit those permissions by belonging to
a role. Groups should mirror a role or
functions of a role.
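The ACL/ACE structure from slide 14 together with the MAC, DAC and RBAC models from this slide, as an added example that is not part of the deck. The ACL is a list of ACE rows whose principal is either a user or a role, roles carry the permissions and users inherit them by membership, an explicit deny row overrides any role grant, and a mandatory label comparison runs before the discretionary list is consulted. Every decision is appended to an audit log. Users, roles, clearances and the object name are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    """One row of an ACL: a principal (user or role), its permissions, allow or deny."""
    principal: str
    permissions: frozenset
    allow: bool = True


# RBAC: roles own the permissions; users inherit them through membership (constructed sample).
ROLE_MEMBERS = {
    "payroll_clerk": {"alice", "dave"},
    "auditor": {"bob", "frank"},
    "admin": {"carol"},
}

# DAC-style ACL for one object, "payroll.db" (constructed sample). Role entries carry the
# bulk of the grants; a per-user deny shows how an exception is expressed.
PAYROLL_ACL = [
    ACE("role:payroll_clerk", frozenset({"read", "write"})),
    ACE("role:auditor", frozenset({"read"})),          # auditors read, never change
    ACE("role:admin", frozenset({"read", "write", "delete"})),
    ACE("dave", frozenset({"write"}), allow=False),    # explicit deny beats any role grant
]

# MAC: labels fixed by policy, not by the object's owner; no subject reads above its clearance.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
OBJECT_LABELS = {"payroll.db": "confidential"}
CLEARANCES = {"alice": "confidential", "bob": "secret", "carol": "secret",
              "dave": "confidential", "frank": "internal"}

AUDIT_LOG = []  # every decision is recorded so a review can spot users exceeding their role


def roles_of(user: str) -> set:
    """Roles the user belongs to; group membership is how RBAC permissions are inherited."""
    return {role for role, members in ROLE_MEMBERS.items() if user in members}


def acl_allows(acl, user: str, permission: str) -> bool:
    """Evaluate ACEs for the user and for every role the user holds. Any matching deny
    wins; otherwise at least one matching allow is required (default deny)."""
    principals = {user} | {f"role:{r}" for r in roles_of(user)}
    matching = [ace for ace in acl
                if ace.principal in principals and permission in ace.permissions]
    if any(not ace.allow for ace in matching):
        return False
    return any(ace.allow for ace in matching)


def mac_allows(user: str, obj: str) -> bool:
    """Mandatory check: the subject's clearance must dominate the object's label.
    Unknown users default to the lowest level."""
    return LEVELS[CLEARANCES.get(user, "public")] >= LEVELS[OBJECT_LABELS[obj]]


def check_access(user: str, obj: str, permission: str) -> bool:
    """Label check first, then the discretionary/role-based ACL; log the outcome."""
    decision = mac_allows(user, obj) and acl_allows(PAYROLL_ACL, user, permission)
    AUDIT_LOG.append(f"{user} {permission} {obj} -> {'ALLOW' if decision else 'DENY'}")
    return decision


if __name__ == "__main__":
    for user, perm in [("alice", "write"), ("bob", "write"), ("dave", "write"),
                       ("frank", "read"), ("carol", "delete")]:
        check_access(user, "payroll.db", perm)
    print("\n".join(AUDIT_LOG))
```

Frank is the case to look at: his auditor role grants read, but his clearance is below the object's label, so the mandatory check refuses before the ACL is consulted. Dave shows the opposite layering: his role grants write, but the per-user deny row removes it.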
- 17. Auditing
• Logging – event viewer (Windows)
• System Scanning – Checks to make sure
a user does not exceed their permissions
- 18. Acronyms
• ACE, Access Control Entry
• AS, Authentication Server
• CA, Certification Authority
• CHAP, Challenge Handshake Authentication Protocol
• CISO, Chief Information Security Officer
• DAC, Discretionary Access Control
• MAC, Mandatory Access Control
• RBAC, Role Based Access Control
• SSO, Single Sign On
- 19. Acronyms
• KDC, Key Distribution Center
• TGT, Ticket Granting Ticket
• TGS, Ticket Granting Service