Page 1: All-In-One Edition Chapter 1 – General Security Concepts
Brian E Brzezicki
Page 2: Basic Security Concepts
Page 3: First Some Terms (NB)
First we have to discuss some terms we will use again and
String – a series of characters. Example: if a character can be a-z and 0-9, an 8 character string might be “ar01a-z14b”
Control – a countermeasure or attempt to mitigate a security risk. Example: A firewall is a technical control. Policies are HR controls. Encryption is a technical control.
Page 4: No… Not that CIA
Page 6: Operational Model of Security (8)
• Focus is no longer just on prevention
• What are some response controls/measures?
• Protection = Prevention + Detection + Response
Page 7: Security Models and Concepts
Page 8: Host Based Security
Page 9: Network Based Security (9)
• Focuses on protecting a network from outside attackers by placing security devices on the “perimeter” (see visualization next slide)
Page 10: Network Based Security
Page 11: Host Based Security (9)
• Focuses on protecting a specific machine at the machine level
– Each computer protects itself
– Locked down/bastion host model
– Resource Permissions
– Host based firewalls
– HIDS
– Anti-virus
– Patching and updating
– All machines should have host based security
• Problems / Advantages of this model?
Page 12: Host and Network Based (12)
• The ideal model would have components of both Network Based Security along with Host Based Security; this is one example of Layered Security
Page 13: Layered Security (12)
No one security control should be completely relied upon. Instead have many overlapping security controls:
– Network based firewall
– Host based firewall
– IDS system
– Access controls
– Proper patching and maintenance practices
This is also referred to as “Defense in Depth”
Page 14: Diversity of Defense (14)
Similar but different to defense in depth/layered security, but in this case each layer consists of multiple versions of the same thing
• Example – use 2 firewalls to protect your network, from different vendors. That way if someone hacks your first firewall, they should not be able to easily hack your second firewall, and hopefully that will stop them (see next slide)
Page 15: Diversity of Defense
Page 16: Security Through Obscurity (15)
Invalid method of security. The idea is that you don’t let people know what you use or how it works.
• This does help and can be practiced, however it should not be relied upon or considered any valid measure of security.
• Example: You should generally NOT give any information about your systems or networks to people. However this alone is not security, and relying on hiding information rather than truly SECURE information is NOT valid security.
• Ex: It’s not a bad idea to change the default port for ssh from port 22 to something else, but that does not really “secure” ssh in any fashion
• Remember when the NT 4.0 code was stolen and published online?
Page 17: Keep it Simple (16)
Keep it Simple… the more complex something is, the harder it is to
A good K.I.S.S rule is to remove all unnecessary services and software from a system
Page 18: Least Privilege (10)
One of the most fundamental rules of security
• Provide a user the MINIMAL amount of access they need to complete their work
• If you don’t EXPLICITLY need access… you don’t get access
• Applications should run as a restricted user rather than the “root/administrator” account
• Services and software should not be running or installed unless they are needed for the operation of the system/network
Page 19: Separation of Duty (11)
For any given task, more than one person needs to be involved
Ex: A person that puts in a procurement order should NOT be allowed to authorize the order
• Fights fraud
• Requires “collusion” to subvert
(see next slide)
Page 20: Separation of Duties
Page 22: Implicit Deny (11)
Fundamental security rule: If you do NOT explicitly have authorization, then you are automatically (implicitly) DENIED access
• Should be the default rule for ALL access controls, though often it is not :(
• You usually see this in firewalls
Page 23: Job Rotation (12)
Individuals rotate through various job responsibilities, such that no one person is solely responsible for something
• Decreases the ability to commit fraud undetected
• Decreases the chance that something could be seriously negatively affected if someone leaves the organization
• Decreases the ability for employees to “blackmail”
Page 24: Mandatory Vacations
Page 25: Mandatory Vacations (NB)
All employees are REQUIRED to take their vacation
• Decreases the ability to commit fraud undetected (main security reason)
• Decreases the chance that something could be seriously negatively affected if someone leaves the organization
Page 26: Authentication and Access Control
Page 27: Authentication (19)
The ability to uniquely identify a user AND verify their identity
3 general methods:
– something you KNOW
– something you HAVE
– something you ARE
What are some examples of each type, what are the pros/cons of each type?
(more)
Page 29: A type of multi factor authentication
• Has a secret number that is synchronized to the server and changes every minute (what you have)
• Also requires a PIN number (what you know)
• We will talk about SecurID again later in the upcoming classes
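Added example, not part of the original slides: a Python sketch of the two-factor check the slide describes, a PIN (what you know) plus a code from a token that changes every minute (what you have). The token code here is computed TOTP-style (RFC 4226 HMAC truncation over a 60-second counter), which is an assumption for illustration and not SecurID’s actual algorithm; the seed, the PIN and the user record are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the example. A real token carries a per-device
# seed provisioned by the vendor and held only by the token and the server.
TOKEN_SEED = b"example-seed-not-a-real-secret"
TIME_STEP_SECONDS = 60   # the slide describes a code that changes every minute
CODE_DIGITS = 6
DRIFT_STEPS = 1          # tolerate one step of clock drift either way

# Constructed user record: the PIN hash is what the user KNOWS,
# the seed is bound to the token the user HAS.
USER_DB = {
    "alice": {"pin_hash": hashlib.sha256(b"4711").hexdigest(), "seed": TOKEN_SEED},
}


def token_code(seed: bytes, unix_time: int) -> str:
    """Time-based one-time code: HMAC-SHA1 over the current 60 s counter,
    truncated per RFC 4226 to CODE_DIGITS decimal digits (TOTP-style stand-in)."""
    counter = unix_time // TIME_STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


def verify_two_factor(user: str, pin: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. Unknown users fail closed."""
    record = USER_DB.get(user)
    if record is None:
        return False
    # Factor 1: something you KNOW. Constant-time compare avoids a timing leak.
    pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).hexdigest(), record["pin_hash"])
    # Factor 2: something you HAVE. Accept the current step plus DRIFT_STEPS either side.
    code_ok = any(
        hmac.compare_digest(token_code(record["seed"], unix_time + d * TIME_STEP_SECONDS), code)
        for d in range(-DRIFT_STEPS, DRIFT_STEPS + 1)
    )
    # Both checks are computed before combining, so a wrong PIN does not short-circuit
    return pin_ok and code_ok
```

A token code alone, or a PIN alone, never authenticates: the server only accepts the pair, which is what makes this two-factor rather than two single factors used in turn.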
Page 30: Access Control (16)
Concept of restricting access to a resource to authorized parties only. This requires authentication
Page 31: Access Control Matrix (17)
• Rows are a “capability table”
• Columns are an Access Control List
Page 32: Capability Table* (n/b)
• Bound to subjects, lists what permissions a subject has to each object
• This is a row in the access matrix
• NOT an ACL; in fact the opposite
See next slide
Page 33: Capability Table (n/b)
Page 34: ACL* (17)
• Lists what (and how) subjects may access a certain object
• It’s a column of an access matrix
See next slide
Page 35: ACL
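Added example, not from the slides: a small Python model of an access control matrix that serves the Implicit Deny slide and the Capability Table / ACL slides above. The subjects, objects and permissions are constructed; capability_table returns a row of the matrix, acl returns a column, and is_permitted grants only on an explicit entry, so any subject, object or operation that is not listed is implicitly denied.

```python
from typing import Dict, FrozenSet, Set

# Constructed access control matrix: one row per subject, one column per
# object, each cell the set of operations that subject may perform.
# A missing cell is not "unknown": it means no access at all.
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.xlsx": {"read", "write"}, "handbook.pdf": {"read"}},
    "bob":   {"handbook.pdf": {"read"}},
    "carol": {"payroll.xlsx": {"read"}, "handbook.pdf": {"read", "write"}},
}


def capability_table(subject: str) -> Dict[str, FrozenSet[str]]:
    """Row of the matrix: bound to one subject, lists its rights on every object."""
    return {obj: frozenset(ops) for obj, ops in ACCESS_MATRIX.get(subject, {}).items()}


def acl(obj: str) -> Dict[str, FrozenSet[str]]:
    """Column of the matrix: bound to one object, lists which subjects may use it and how."""
    return {subj: frozenset(row[obj]) for subj, row in ACCESS_MATRIX.items() if obj in row}


def is_permitted(subject: str, obj: str, operation: str) -> bool:
    """Implicit deny: access is granted only by an explicit matrix entry.
    Unknown subjects, unknown objects and unlisted operations all fall through to False."""
    return operation in ACCESS_MATRIX.get(subject, {}).get(obj, set())


def rebuild_from_acls() -> Dict[str, Dict[str, FrozenSet[str]]]:
    """Consistency check that the two views describe one matrix: collect every
    object's ACL (columns) and pivot them back into per-subject rows."""
    objects = {obj for row in ACCESS_MATRIX.values() for obj in row}
    rebuilt: Dict[str, Dict[str, FrozenSet[str]]] = {}
    for obj in objects:
        for subj, ops in acl(obj).items():
            rebuilt.setdefault(subj, {})[obj] = ops
    return rebuilt
```

The two views carry the same information; which one a system stores decides what is cheap to answer. An ACL answers “who can touch this file?” in one lookup, a capability table answers “what can this user touch?” in one lookup, and in either case the absence of an entry is the deny.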
Page 36: Discretionary Access Control (18)
Concept that a “data owner” is allowed to authorize access to subjects. This is based on their discretion.
• Most commercial solutions implement Discretionary Access Control
• ACLs are a common implementation of access controls in Discretionary systems
Page 37: Discretionary access control
Page 38: MAC
Page 39: Mandatory Access Control (18)
Concept that a user may not give or revoke access to an object. Instead objects are “labeled” with a security classification, and the Operating System enforces resource access based on the clearance of a subject
• Users do NOT get to authorize access
• System enforces security rules
Page 40: Role Based Access Control (19)
Access to resources is given to job positions or “roles”. Users are assigned to roles, and then they have the access rights that the roles have
• Much more scalable model than individually assigning permissions
• Avoids Authorization Creep
• Great for large companies
• Great if there is a lot of turnover
Page 41: Role Based Access Control
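Added example, not from the slides: a Python model of role based access control that also carries the procurement rule from the Separation of Duty slide. The roles, permissions and order records are constructed. Permissions attach to roles only; transfer drops every old role on a job change so rights do not accumulate (authorization creep); a static separation-of-duty pair stops one user from holding both requester and approver; and approve_order adds the dynamic check that nobody approves an order they raised themselves.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

# Constructed role catalogue: permissions are attached to roles, never to users.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "requester": {"order:create", "order:view"},
    "approver":  {"order:approve", "order:view"},
    "auditor":   {"order:view", "audit:read"},
}

# Static separation of duty: no single user may hold both roles of a pair.
MUTUALLY_EXCLUSIVE_ROLES: Set[FrozenSet[str]] = {frozenset({"requester", "approver"})}


class RoleAssignmentError(ValueError):
    """Raised when an assignment would violate the catalogue or separation of duty."""


@dataclass
class RBAC:
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)

    def assign(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise RoleAssignmentError(f"unknown role {role!r}")
        roles = self.user_roles.setdefault(user, set())
        for pair in MUTUALLY_EXCLUSIVE_ROLES:
            # Holding the other half of an exclusive pair blocks this assignment
            if role in pair and (roles & pair) - {role}:
                raise RoleAssignmentError(f"{user} may not hold both of {sorted(pair)}")
        roles.add(role)

    def transfer(self, user: str, new_role: str) -> None:
        """Job change: clear every old role first so rights never accumulate."""
        self.user_roles[user] = set()
        self.assign(user, new_role)

    def permissions(self, user: str) -> Set[str]:
        """A user's rights are exactly the union of their roles' rights."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, ())))

    def can(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)


@dataclass
class PurchaseOrder:
    created_by: str
    approved_by: Optional[str] = None


def approve_order(rbac: RBAC, order: PurchaseOrder, approver: str) -> bool:
    """Dynamic separation of duty: a legitimate approver still may not approve
    an order they raised. Returns True only when the approval was recorded."""
    if not rbac.can(approver, "order:approve"):
        return False
    if approver == order.created_by:
        return False
    order.approved_by = approver
    return True
```

Subverting the procurement flow here needs two people acting together (the requester and an approver), which is the collusion requirement the slide refers to.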
Page 42: Rule Based Access Control (19)
Access is granted or denied based on a set of rules, rather than permissions.
• Example: You may only access/login to a workstation between 9AM-5PM Monday-Friday.
• A TCP packet is only allowed if the SYN flag is set.
• Rule based systems can be used with other types such as DAC and MAC
• MAC systems can actually be implemented in a Rule Based System.
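Added example, not from the slides: a Python rule engine that encodes the two rules on the slide, the Monday-Friday 9AM-5PM login window and the SYN-flag packet rule. Each rule answers allow, deny, or “does not apply”; the first applicable rule decides, and a request that no rule covers is denied, which is the implicit-deny default. The request records and addresses are constructed, and the 9AM-5PM window is taken as 09:00 inclusive to 17:00 exclusive.

```python
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

# A rule is a named predicate over a request. It answers True (allow),
# False (deny) or None (this rule does not apply to that kind of request).
Rule = Tuple[str, Callable[[Dict], Optional[bool]]]

WORKDAYS = range(0, 5)          # datetime.weekday(): Monday=0 .. Friday=4
OPEN_HOUR, CLOSE_HOUR = 9, 17   # 9AM-5PM, treated as 09:00 <= t < 17:00


def business_hours_rule(request: Dict) -> Optional[bool]:
    """Workstation logins only Monday-Friday, 9AM-5PM."""
    if request.get("kind") != "login":
        return None
    when: datetime = request["time"]
    return when.weekday() in WORKDAYS and OPEN_HOUR <= when.hour < CLOSE_HOUR


def tcp_syn_rule(request: Dict) -> Optional[bool]:
    """A TCP packet is only allowed if the SYN flag is set."""
    if request.get("kind") != "tcp_packet":
        return None
    return "SYN" in request["flags"]


RULES: List[Rule] = [
    ("business hours", business_hours_rule),
    ("tcp syn only", tcp_syn_rule),
]


def evaluate(request: Dict, rules: List[Rule] = RULES) -> Tuple[bool, str]:
    """First applicable rule decides; returns (allowed, rule name).
    No applicable rule means implicit deny."""
    for name, predicate in rules:
        verdict = predicate(request)
        if verdict is not None:
            return verdict, name
    return False, "implicit deny"


# Constructed sample requests (198.51.100.0/24 is a documentation range)
SAMPLE_REQUESTS = [
    {"kind": "login", "user": "alice", "time": datetime(2024, 1, 10, 10, 30)},  # Wednesday 10:30
    {"kind": "login", "user": "alice", "time": datetime(2024, 1, 13, 10, 30)},  # Saturday
    {"kind": "tcp_packet", "src": "198.51.100.7", "flags": {"SYN"}},
    {"kind": "tcp_packet", "src": "198.51.100.7", "flags": {"ACK"}},
    {"kind": "ssh_key", "user": "alice"},                                       # no rule covers this
]
```

Note that the rules never consult a per-user permission list: the same login rule applies to every user and the same packet rule to every source, which is what distinguishes rule based control from the DAC and RBAC models on the earlier slides, and why it is usually layered on top of one of them rather than used alone.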
Page 43: Chapter 1 Review Questions
Q: What is the CIA triad, what does each mean?
Q: What is non-repudiation?
Q: Define Layered Security
Q: What is the main security reasoning for mandatory vacations?
Page 44: Chapter 1 Review Questions
Q: In what type of authentication system does the OS (Security Kernel) determine who is allowed access to a resource?
Q: What access control model helps fight “authorization creep”?
Q: Biometrics are an example of “What you ____”?
Q: What is an advantage of network based security, how about host based?