Ch1-4 PDF
Uploaded by LyricalBaltimore
University of Washington

Summary: This document is a set of flashcards (term, then definition) covering fundamental security concepts, including confidentiality, integrity, availability and related terms, security controls, logging, authentication and access control, network protocols and devices, wireless security, VPNs, NAC, and remote access authentication.
Confidentiality: Ensures data is only viewable by authorized users.
Encryption: Best choice for providing confidentiality, for data at rest and in transit.
Access controls: Also protect the confidentiality of data by limiting who can read it.
Integrity: Provides assurance that data has not been modified or tampered with.
Hashing: Common method of verifying integrity; a keyed hash (HMAC) or a signature is needed when an attacker could also replace the stored hash.
Availability: Ensures data and services are available when needed.
Fault tolerance: Supports high availability by removing single points of failure.
Redundancies: Commonly added to support high availability (duplicate disks, power supplies, links, servers).
Scalability: Ability of a system to handle increased workload by scaling up or scaling out.
Scaling up: Adding hardware resources (memory, processing power, etc.) to an existing node.
Scaling out: Adding additional nodes or servers.
Scaling down: Removing hardware resources to decrease system size.
Elasticity: Ability of a system to dynamically add or remove resources based on workload.
Cloud resources: Typically have elasticity capabilities for automatic adaptation to demand.
Resiliency methods: Help systems heal themselves or recover from faults with minimal downtime.
Resource availability: Balanced against security constraints in organizations.
Security controls: Reduce risk by reducing the likelihood that a threat exploits a vulnerability, or the impact if it does.
Risk: Possibility of a threat exploiting a vulnerability and causing a loss.
Threat: Circumstance or event with the potential to compromise confidentiality, integrity, or availability.
Vulnerability: Weakness in hardware, software, configuration, or user operation.
Risk mitigation: Reduces risk by lowering the chance that a threat exploits a vulnerability, or by lowering the impact of the exploit.
Antivirus software: Detects and removes malware; an example of a technical control that reduces the risk of infection.

Security control categories: Managerial, operational, technical, and physical.
Managerial controls: Primarily administrative; include risk and vulnerability assessments.
Operational controls: Focused on the day-to-day operations of an organization.
Compliance: Ensuring an organization adheres to its overall security plan and to the laws and standards that apply to it.
Technical controls: Use technology to reduce vulnerabilities.
Physical controls: Controls that can be physically touched or seen.
Preventive controls: Aim to prevent security incidents.
Detective controls: Aim to detect when a vulnerability has been exploited.
Deterrent controls: Aim to prevent incidents by discouraging threats.
Six control types: Preventive, deterrent, detective, corrective, compensating, and directive.
IDSs: Intrusion detection systems; monitor network traffic (or host activity) for suspicious activity (technical, detective).
Firewalls: Network security systems that monitor and control incoming and outgoing traffic (technical, preventive).
Least privilege: Principle of granting users and processes only the minimum access necessary to perform their job functions.
Bollards: Short vertical posts used to control or direct vehicle traffic (physical).
Access control vestibules: Enclosed areas with two or more doors used to control entry to a secure area and prevent tailgating (physical).
SIEM systems: Security information and event management systems; provide real-time analysis of security alerts (detective).
Trend analysis: Examining data over time to identify patterns or trends (detective).
Video surveillance systems: Cameras that monitor and record activities in an area (detective, also deterrent).
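The Integrity and Hashing cards above say a hash shows data has not been modified. The added example below (written for this page, not taken from it) demonstrates the caveat a practitioner needs: an unkeyed hash stored next to the data can simply be recomputed by whoever tampered with it, whereas an HMAC under a key the attacker does not hold cannot. The message and key are constructed for illustration.

```python
"""Integrity check with a plain hash versus a keyed MAC (HMAC-SHA256).
Added example; the message and SECRET_KEY are constructed, not from the page."""
import hashlib
import hmac

# Assumption: shared only between the party that writes the data and the verifier.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: catches accidental or naive modification."""
    return hashlib.sha256(data).hexdigest()


def hmac_hex(data: bytes, key: bytes = SECRET_KEY) -> str:
    """Keyed digest: catches modification and forgery, because a valid tag
    cannot be produced without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    # compare_digest avoids a timing side channel in the comparison itself.
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def verify_hmac(data: bytes, expected_hex: str, key: bytes = SECRET_KEY) -> bool:
    return hmac.compare_digest(hmac_hex(data, key), expected_hex)


def demo() -> dict:
    original = b"transfer 100 to account 42"   # constructed message
    tampered = b"transfer 900 to account 42"   # attacker edits the amount

    stored_hash = sha256_hex(original)          # what an integrity check stores
    stored_tag = hmac_hex(original)

    return {
        # Both detect a change when the stored value is left alone.
        "hash_detects_tamper": not verify_hash(tampered, stored_hash),
        "hmac_detects_tamper": not verify_hmac(tampered, stored_tag),
        # Attacker who can rewrite the stored hash simply recomputes it: check passes.
        "hash_forged_by_attacker": verify_hash(tampered, sha256_hex(tampered)),
        # Without SECRET_KEY the attacker's tag (computed under a guessed key) fails.
        "hmac_forged_by_attacker": verify_hmac(tampered, hmac_hex(tampered, b"wrong-key")),
    }
```

Where the verifier and writer are different parties and no shared key is practical, a digital signature plays the role of the HMAC.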
Motion detection systems: Detect movement in a specific area (physical, detective).
Corrective controls: Attempt to reverse the impact of an incident after it has occurred (e.g., restoring from backup).
Compensating controls: Alternative controls used when the primary control isn't feasible or possible.
Directive controls: Provide instruction to individuals on how to handle security-related situations (policies, procedures, guidelines).

Log records: Records stored in operating system log files or by applications to track events.
Metadata: Information about data, such as email headers and image EXIF data.
SIEM systems: Centralized solutions for collecting, aggregating, correlating, and managing log data from multiple sources.
Syslog protocol: Specifies a log entry format and how to transport log entries (traditionally UDP port 514; TLS-protected transport on TCP port 6514 is available).
Centralized syslog server: Collects syslog entries from devices across the network, so logs survive compromise of the host that produced them.

Authentication: Proving a claimed identity using credentials known to another entity.
Identification: Claiming an identity with a username, email address, or biometric sample.
Authorization: Granting access to resources based on a proven identity.
Accounting: Tracking user activity and recording it in logs.
Something you know: Password or PIN (the username is identification, not an authentication factor).
Something you have: Smart card, hardware token, or authenticator app.
Something you are: Biometrics such as fingerprints, vein scans, facial scans, and gait analysis.
Somewhere you are: Location-based attribute, such as home or office, usually inferred from the IP address.
Password managers: Store credentials and simplify their use, which makes long, unique passwords practical.
Push notifications: Common, user-friendly 2FA verification method; number matching reduces the chance that a user approves a prompt an attacker triggered.
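The log record, syslog and SIEM cards describe collecting events centrally and analysing them. The added example below (written for this page, not taken from it) parses constructed RFC 3164-style sshd lines as a central syslog server would receive them and runs the kind of correlation rule a SIEM applies: N failed logins from one source inside a time window. The log lines, the TEST-NET addresses, the threshold and the window are all constructed; RFC 3164 timestamps carry no year, so one is assumed.

```python
"""Parse syslog lines and correlate failed logins per source address.
Added example; SAMPLE_LOG, ASSUMED_YEAR, threshold and window are constructed."""
from collections import defaultdict, deque
from datetime import datetime
import re
from typing import Optional

ASSUMED_YEAR = 2024  # RFC 3164 timestamps have no year; needed to compare them
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sshd events (TEST-NET addresses), not from a real system.
SAMPLE_LOG = """\
Mar 10 14:01:02 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 14:01:05 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar 10 14:01:09 bastion sshd[2212]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 10 14:01:11 bastion sshd[2213]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 10 14:01:14 bastion sshd[2214]: Failed password for invalid user test from 203.0.113.7 port 50125 ssh2
Mar 10 14:01:20 bastion sshd[2215]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
Mar 10 14:01:31 bastion sshd[2216]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 10 14:01:40 bastion sshd[2217]: Failed password for root from 203.0.113.7 port 50127 ssh2
Mar 10 14:09:55 bastion sshd[2300]: Failed password for root from 203.0.113.7 port 50300 ssh2
"""


def parse_syslog(line: str) -> Optional[dict]:
    """Split a BSD-syslog line into timestamp, host, app, pid and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(f"{ASSUMED_YEAR} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Raise an alert each time a source's failed-login count inside the
    sliding window reaches `threshold`. One deque of timestamps per source."""
    recent = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_syslog(line)
        if rec is None or rec["app"] != "sshd":
            continue
        fm = FAILED_RE.search(rec["msg"])
        if not fm:
            continue                      # e.g. "Accepted password": not a failure
        src, t = fm["src"], rec["time"]
        q = recent[src]
        q.append(t)
        while q and (t - q[0]).total_seconds() > window_seconds:
            q.popleft()                   # drop failures that aged out of the window
        if len(q) == threshold:           # fire as the threshold is crossed
            alerts.append({"host": rec["host"], "source": src, "count": len(q),
                           "first": q[0], "last": t})
    return alerts
```

Because detection runs on the collector, an attacker who clears the local log on `bastion` after the fact does not remove the evidence; that is the point of the centralized syslog server card.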
Account lockout policies: Lock an account after a set number of incorrect password attempts, limiting online password guessing.
Default passwords: Must be changed before an application or device is put into use.
FAR: False acceptance rate; fraction of impostors a biometric system wrongly accepts (falls as the matching threshold is raised).
FRR: False rejection rate; fraction of legitimate users wrongly rejected (rises as the threshold is raised).
CER: Crossover error rate; the threshold at which FAR equals FRR, a common measure of biometric accuracy (lower is better).
HOTP: HMAC-based one-time password; counter-based, so a code stays valid until it is used.
TOTP: Time-based one-time password; derived from the current time step (typically 30 s), so codes expire.
Single-factor authentication: Uses one or more authentication methods from the same factor.
Dual-factor authentication: Uses two different factors of authentication.
Shared accounts: Prevent effective identification, authentication, authorization, and accounting, since actions cannot be tied to an individual.
Privileged Access Management (PAM): Implements stringent security controls over accounts with elevated privileges.
Time-based logins: Prevent users from logging on outside specified hours.
Account audit: Reviews the rights and permissions assigned to users to enforce the least privilege principle.
Single Sign-On (SSO): Allows users to access multiple resources without re-authenticating.
SAML: XML-based standard for exchanging authentication and authorization information, common for web SSO.
OAuth: Open standard for delegated authorization; combined with OpenID Connect, it lets users log in with an account from another provider.
Role-based access control: Granting access based on assigned roles.
Group-based privileges: Assigning permissions to groups rather than to individual users.
Rule-based access control: Access decided by predefined rules, such as firewall or router ACLs.
Discretionary access control: The object's owner controls access (e.g., NTFS permissions).
Mandatory access control: Uses security labels (classifications) to restrict access based on need to know.
Attribute-based access control: Granting access based on attribute values of the subject, the object, and the environment.
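The FAR, FRR and CER cards define the three biometric error measures. The added example below (written for this page, not taken from it) sweeps the matching threshold over two constructed sets of match scores, genuine and impostor, to show how FAR and FRR move in opposite directions and where they cross. The scores are made up for illustration; a real system would use measured similarity scores.

```python
"""Biometric error rates from a threshold sweep: FAR, FRR and the crossover (CER).
Added example; GENUINE and IMPOSTOR are constructed similarity scores (0-100)."""

# Genuine = enrolled user matched against a fresh sample of themselves.
# Impostor = enrolled user matched against somebody else's sample.
GENUINE = [55, 60, 62, 65, 70, 72, 75, 80, 85, 90]
IMPOSTOR = [20, 25, 30, 35, 40, 45, 50, 58, 63, 68]


def far(threshold: int, impostor=IMPOSTOR) -> float:
    """False acceptance rate: impostor scores that reach the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: int, genuine=GENUINE) -> float:
    """False rejection rate: genuine scores that fall below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """First threshold where FAR and FRR are closest; returns (threshold, FAR, FRR).
    The error rate at that point is the CER."""
    best = None
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, a, r)
    return best[1:]


def tradeoff(thresholds=(40, 50, 61, 70, 80)) -> dict:
    """Raising the threshold buys security (lower FAR) with usability (higher FRR)."""
    return {t: (far(t), frr(t)) for t in thresholds}
```

A low CER is the headline accuracy figure, but the operating threshold is a policy choice: a data-centre door is tuned toward low FAR, a phone unlock toward low FRR.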
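The HOTP and TOTP cards state the difference in one line each: counter-based codes stay valid until used, time-based codes expire. The added example below (written for this page, not taken from it) implements both per RFC 4226 and RFC 6238 and checks them against the test vectors those RFCs publish for the secret `12345678901234567890`, then shows the server-side handling that makes the difference matter: HOTP must advance the counter past an accepted code, and TOTP accepts only a small window of time steps. The look-ahead and skew values are assumptions for the demonstration.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with server-side verification.
Added example; RFC_TEST_SECRET is the RFCs' published test secret,
look_ahead and skew are assumed values."""
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter replaced by the current time step."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def hotp_verify(secret: bytes, code: str, server_counter: int, look_ahead: int = 10):
    """Accept a code at the stored counter or a few ahead (token pressed without
    logging in); return the new counter, which is past the accepted value so the
    same code can never be accepted twice. None means rejected."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def verify_totp(secret: bytes, code: str, unix_time, step: int = 30, digits: int = 6,
                skew: int = 1) -> bool:
    """Accept the current step and `skew` steps either side for clock drift;
    anything older has expired."""
    for offset in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, unix_time + offset * step, step, digits), code):
            return True
    return False
```

A server should also remember the last accepted TOTP step and refuse a second use of the same code within the window, otherwise a code captured by a phishing page can be replayed for up to a minute.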
OSI model: Describes network communications using seven layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application.
TCP: Connection-oriented protocol; reliable, ordered delivery through acknowledgements and retransmission.
UDP: Connectionless protocol providing "best effort" delivery.
FTP: Transfers files over networks but does not encrypt the transmission (TCP ports 20 and 21).
SSH: Encrypted remote shell on TCP port 22; also carries Secure Copy (SCP) and SFTP (SSH File Transfer Protocol).
TLS: Encrypts FTPS (FTP over TLS).
SMTP: Sends email using TCP port 25, or port 587 for mail submission with STARTTLS encryption.
POP3: Receives email using TCP port 110, or TCP port 995 for TLS-encrypted connections.
IMAP4: Uses TCP port 143, or port 993 for TLS-encrypted connections.
HTTPS: Encrypts browser-based traffic with TLS over TCP port 443.
LDAP: Directory services over TCP port 389; LDAPS (LDAP over TLS) uses TCP port 636.
Telnet: Cleartext remote terminal on TCP port 23; less secure than SSH.
NTP: Provides time synchronization services.
DNS: Provides domain name resolution.
DNSSEC: Validates DNS responses by adding RRSIG records (signatures) for data integrity and origin authentication.
Switches: Connect computers on a local network, mapping MAC addresses to physical ports.
Port security: Limits access to switch ports by restricting the number of MAC addresses per port and disabling unused ports.
Routers: Connect networks and direct traffic based on destination IP address.
Access control lists (ACLs): Used by routers and firewalls to allow or block traffic based on rules.
Route command: Used to view and manipulate the routing table.
Implicit deny: Unless traffic is explicitly allowed, it is denied; the unstated final rule of every ACL.
Network-based firewalls: Filter traffic in and out of a network, typically placed at the network border.
Stateless firewall: Controls traffic between networks using the rules within an ACL, judging each packet on its own.
Stateful firewall: Filters traffic based on the state of a packet within a session; it tracks connections, so unsolicited inbound packets are dropped.
Web Application Firewall (WAF): Protects web servers against web application attacks; placed in the screened subnet in front of the web servers.
Next-generation firewalls (NGFW): Perform deep packet inspection at the application layer.
Stateful inspection firewalls: Also known as Layer 4 firewalls.
Fail-open devices: Allow all traffic to pass when the device fails.
Fail-closed devices: Allow no traffic to pass when the device fails, providing greater security at the cost of availability.
Screened subnet: Provides a layer of protection for servers accessible from the Internet (formerly called a DMZ).
Intranet: Internal network used for communication and content sharing among people.
Extranet: Part of a network accessible by authorized entities from outside the network.
NAT: Network Address Translation; translates between private and public IP addresses, hiding internal addresses from the Internet.
NAT gateway: Device that implements NAT.
Network segregation: Methods used to isolate and segment networks.
Air gap: Physical isolation for systems or networks, completely separated from others by a gap of air.
Forward proxy servers: Forward requests from clients; can cache content and monitor Internet activity.
Reverse proxy servers: Accept traffic from the Internet and forward it to internal web servers.
Unified Threat Management (UTM): Security appliance with multiple layers of protection, such as URL filters, content inspection, malware inspection, and DDoS mitigation.
Jump servers: Placed between security zones to provide secure access from one zone to another; often used for managing devices across zones.
IDS: Intrusion Detection System; inspects traffic for signs of attacks or security breaches.
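The ACL, implicit deny, stateless firewall and stateful firewall cards describe two filtering models in a sentence each. The added example below (written for this page, not taken from it) implements both over the same constructed traffic: a client's outbound HTTPS request, the server's reply, an attacker's unsolicited packet crafted to look like a reply, and an outbound Telnet attempt. The rules, the `10.0.0.0/24` inside network and the TEST-NET addresses are constructed for illustration.

```python
"""Stateless ACL (first match wins, implicit deny) beside a stateful firewall.
Added example; INSIDE, rules, addresses and packets are constructed."""
from dataclasses import dataclass
import ipaddress
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False   # first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "any"
    src: str                        # CIDR
    dst: str                        # CIDR
    dports: Optional[range] = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("any", p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and (self.dports is None or p.dport in self.dports)
        )


def stateless_eval(rules, p: Packet) -> str:
    """Each packet judged alone; the first matching rule decides."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # implicit deny


class StatefulFirewall:
    """Outbound packets are checked against policy; permitted new connections
    are recorded, and inbound packets pass only if they belong to one."""

    def __init__(self, inside_cidr: str, outbound_rules):
        self.inside = ipaddress.ip_network(inside_cidr)
        self.rules = outbound_rules
        self.connections = set()  # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def eval(self, p: Packet) -> str:
        if ipaddress.ip_address(p.src) in self.inside:
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            if key in self.connections:
                return "permit"
            if p.syn and stateless_eval(self.rules, p) == "permit":
                self.connections.add(key)
                return "permit"
            return "deny"
        # Inbound: only a reply to a tracked connection gets through.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "permit" if key in self.connections else "deny"


INSIDE = "10.0.0.0/24"
OUTBOUND_HTTPS = Rule("permit", "tcp", INSIDE, "0.0.0.0/0", range(443, 444))
# A stateless ACL has no memory of outbound requests, so it needs a broad
# "return traffic" rule; that rule is the hole the stateful design closes.
STATELESS_ACL = [OUTBOUND_HTTPS, Rule("permit", "tcp", "0.0.0.0/0", INSIDE, range(1024, 65536))]

# Constructed traffic, evaluated in this order.
TRAFFIC = {
    "client_out": Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443, syn=True),
    "server_reply": Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000),
    "attacker_in": Packet("203.0.113.99", "10.0.0.5", "tcp", 443, 51000, syn=True),
    "telnet_out": Packet("10.0.0.5", "203.0.113.10", "tcp", 51001, 23, syn=True),
}


def compare() -> dict:
    stateless = {name: stateless_eval(STATELESS_ACL, p) for name, p in TRAFFIC.items()}
    fw = StatefulFirewall(INSIDE, [OUTBOUND_HTTPS])
    stateful = {name: fw.eval(p) for name, p in TRAFFIC.items()}
    return {"stateless": stateless, "stateful": stateful}
```

Both models deny the Telnet attempt through implicit deny; only the stateful one rejects the attacker's forged "reply", because no inside host ever opened a connection to `203.0.113.99`.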
IPS: Intrusion Prevention System; actively blocks or prevents detected attacks.
HIDS: Host-based IDS; monitors local resources on a host to detect attacks.
NIDS: Network-based IDS; detects attacks on networks.
Signature-based: Uses predefined signatures to detect known attacks or vulnerabilities.
Anomaly-based (also called trend- or behavior-based): Detects attacks as deviations from a baseline of expected behavior.
False positive: Incorrectly raises an alert for a non-existent attack.
False negative: Fails to detect an active attack.
IPS in-line: Placed in the traffic path to actively block attacks before they reach the network.
IDS out-of-band: Passively monitors a copy of the traffic (tap or mirror port) without interfering with the network.
Honeypots: Systems designed to attract attackers and divert them from real networks.
Honeyfile: A file meant to lure attackers and gather information about their activities.
Honeytokens: Fake records inserted into databases to detect data theft.

Wireless access points: Connect wireless clients to a wired network.
SSID: Name of the wireless network.
Disabling SSID broadcast: Hides a wireless network from casual users only; the SSID still appears in probe and association frames, so a Wi-Fi analyzer reveals it.
Site survey: Examines the wireless environment to identify potential problem areas.
Wireless footprinting: Uses a heat map to show wireless access points, hotspots, and dead spots.
Wi-Fi analyzers: Show signal levels on individual wireless frequency channels.
WPA2: Uses AES with CCMP and supports open, pre-shared key (Personal), and Enterprise modes.
Enterprise mode: More secure than Personal mode; adds per-user authentication through an 802.1X authentication server (RADIUS).
WPA3: Uses SAE (Simultaneous Authentication of Equals) in place of the WPA2 PSK handshake, which resists offline dictionary attacks on captured handshakes; supports an Enterprise mode similar to WPA2 Enterprise.
Open mode: Doesn't use a PSK or an 802.1X server; often used in hotspots providing free wireless access.
Secure open mode: Offered by WPA3 (Wi-Fi Enhanced Open, based on OWE); encrypts each client's traffic without a passphrase to prevent eavesdropping.
802.1X servers: Use EAP methods such as PEAP, EAP-TTLS, EAP-TLS, or EAP-FAST for authentication.
EAP-TLS: Most secure EAP method; requires certificates on the server and on every client.
PEAP: Protected Extensible Authentication Protocol; tunnels the EAP exchange inside TLS, requiring a certificate on the server only.
EAP-TTLS: Extensible Authentication Protocol-Tunneled Transport Layer Security; like PEAP, protects an inner authentication inside a TLS tunnel.
802.1X server: Provides strong port security using port-based authentication.
Captive portal: Forces wireless clients to complete a process before granting access to the network.
Disassociation attack: Effectively removes a wireless client from a network, forcing reauthentication (spoofed deauthentication or disassociation frames).
Wi-Fi Protected Setup (WPS): Allows easy configuration of a wireless device; not secure even when used with WPA2.
WPS attack: Can discover the PIN within hours to obtain the passphrase, because the access point confirms each half of the 8-digit PIN separately.
Rogue access point (rogue AP): Placed within a network without official authorization.
Evil twin: Rogue access point with the same or similar SSID as a legitimate access point.
Jamming attack: Floods a wireless frequency with noise, blocking wireless traffic.
Initialization vector (IV): Arbitrary number used with a secret key for data encryption; must not repeat under the same key.
Initialization vector (IV) attack: Exploits short or reused IVs (as in WEP) to recover the key; the IV itself travels in the clear.
Near field communication (NFC) attacks: Use an NFC reader to read data from mobile devices.
Radio-frequency identification (RFID) attacks: Include eavesdropping, replay, and DoS.
Bluejacking: Sending unsolicited messages to a Bluetooth device such as a phone.
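The WPS cards say the PIN "can be discovered within hours". The added example below (written for this page, not taken from it) shows the arithmetic behind that claim without any network code: the eighth digit is a checksum of the first seven, and a vulnerable access point confirms the first four digits before the last three, so the search drops from 10^7 to at most 11,000 attempts. The access point is simulated by two functions; the PIN `12345670` is a valid example under the checksum rule.

```python
"""WPS PIN checksum and the split-validation search space.
Added example; the access point is simulated, nothing touches a radio."""


def wps_checksum(pin7: int) -> int:
    """Eighth digit: weighted sum (3,1,3,1,3,1,3) over the first seven digits."""
    digits = [int(c) for c in f"{pin7:07d}"]
    total = sum(d * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits))
    return (10 - total % 10) % 10


def is_valid_pin(pin8: str) -> bool:
    return len(pin8) == 8 and pin8.isdigit() and int(pin8[7]) == wps_checksum(int(pin8[:7]))


def worst_case_attempts(split_validation: bool) -> int:
    """10^7 candidates if the AP only answers for the whole PIN;
    10^4 + 10^3 when it reveals which half is wrong."""
    return 10**4 + 10**3 if split_validation else 10**7


def simulated_ap(true_pin: str):
    """The two answers a vulnerable AP effectively gives the registrar:
    'first four digits correct' and 'whole PIN correct'."""
    def first_half_ok(first4: str) -> bool:
        return first4 == true_pin[:4]

    def full_pin_ok(pin8: str) -> bool:
        return pin8 == true_pin

    return first_half_ok, full_pin_ok


def recover_pin(first_half_ok, full_pin_ok):
    """Search each half in turn; returns (pin, attempts) or (None, attempts).
    The checksum digit is computed, never guessed."""
    attempts = 0
    first4 = None
    for a in range(10_000):
        attempts += 1
        if first_half_ok(f"{a:04d}"):
            first4 = f"{a:04d}"
            break
    if first4 is None:
        return None, attempts
    for b in range(1_000):
        attempts += 1
        seven = first4 + f"{b:03d}"
        candidate = seven + str(wps_checksum(int(seven)))
        if full_pin_ok(candidate):
            return candidate, attempts
    return None, attempts
```

Rate limiting on the access point only stretches the 11,000 attempts over a longer time; the fix is to disable WPS.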
Bluesnarfing: Unauthorized access to or theft of information from a Bluetooth device.
Faraday cage: Conductive enclosure that blocks radio signals, preventing Bluetooth, Wi-Fi, NFC, and RFID attacks on the devices inside.
Wireless replay attack: Captures data sent between two entities and later retransmits it (possibly modified) to impersonate one party.
WPA2 and WPA3: Resistant to wireless replay attacks; CCMP packet numbers must increase, so a repeated frame is discarded.

Virtual Private Network (VPN): Provides access to private networks via a public network like the Internet.
IPsec: Common tunneling protocol used with VPNs to secure traffic within a tunnel.
Authentication Header (AH): Provides authentication and integrity in IPsec, but no encryption.
Encapsulating Security Payload (ESP): Encrypts VPN traffic for confidentiality, integrity, and authentication.
IPsec Tunnel mode: Encrypts the entire original IP packet (header and payload) inside a new IP header; used for VPNs across untrusted networks.
IPsec Transport mode: Encrypts only the payload, leaving the IP header visible; commonly used within private networks, not for VPNs over the Internet.
Full tunnel: Encrypts all traffic after connecting to a VPN.
Split tunnel: Encrypts only traffic destined for the VPN's private network; other traffic bypasses the tunnel unprotected.
Site-to-site VPNs: Provide secure access between two networks; can be on-demand or always-on.
Always-on VPNs: Used by mobile devices to protect traffic when connecting to public hotspots.

Network Access Control (NAC): Inspects clients for specific health conditions, such as up-to-date antivirus software, before granting network access.
NAC agent: Software installed on a client for Network Access Control.
Persistent NAC agent: Stays on the client system permanently.
Dissolvable NAC agent: Downloaded and run on the client temporarily; deleted after the session ends.
Agentless NAC system: Scans systems remotely without installing an agent.
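The replay-attack cards say WPA2/WPA3 resist replays, and the ESP card lists integrity among its services; in both protocols the mechanism is a per-packet sequence number checked against a sliding window. The added example below (written for this page, not taken from it) implements the 64-entry anti-replay window that RFC 4303 describes for ESP and runs a constructed sequence through it: in-order packets, a replayed packet, a packet far ahead, one too old to fall in the window, and one late but still inside it. It assumes the packet's integrity check already passed, since a window must only be updated after authentication.

```python
"""ESP-style anti-replay sliding window (RFC 4303 section 3.4.3).
Added example; the packet sequence in scenario() is constructed."""


class AntiReplayWindow:
    """Bit i of `bitmap` is set when sequence number (highest - i) was received.
    Call accept() only after the packet's ICV has been verified."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0          # ESP sequence numbers start at 1, so 0 is never valid
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        if seq <= 0:
            return False
        if seq > self.highest:                      # new high-water mark: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:                       # older than the window: reject
            return False
        if (self.bitmap >> diff) & 1:               # already seen: replay
            return False
        self.bitmap |= 1 << diff                    # late but new: accept and record
        return True


def scenario() -> dict:
    """A receiver's decisions over a constructed packet sequence."""
    w = AntiReplayWindow(64)
    results = {}
    results["in_order_1_to_5"] = [w.accept(s) for s in range(1, 6)]
    results["replayed_3"] = w.accept(3)            # captured earlier, sent again
    results["jump_to_200"] = w.accept(200)         # loss is fine; window slides
    results["too_old_100"] = w.accept(100)         # 200 - 100 >= 64
    results["late_150"] = w.accept(150)            # reordered, still inside window
    results["replayed_150"] = w.accept(150)
    results["sequence_zero"] = w.accept(0)
    return results
```

An attacker who records traffic and resends it later is stopped by the bitmap; the attacker cannot forge fresh higher sequence numbers because the number is covered by the integrity check that runs before `accept()`.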
Remote access authentication: Used when a user connects to a private network from a remote location.
PAP: Password Authentication Protocol; sends passwords in cleartext.
CHAP: Challenge Handshake Authentication Protocol; more secure than PAP because the client returns a hash of the challenge and the shared secret, so the password never crosses the wire and a captured response cannot be replayed against a new challenge.
RADIUS: Provides central authentication for remote access services; uses a shared secret between client and server (UDP ports 1812 and 1813) and, on its own, obscures only the password attribute.
EAP: Extensible Authentication Protocol; used with RADIUS and 802.1X so the whole authentication exchange can be protected inside a TLS tunnel (e.g., PEAP, EAP-TLS).
TACACS+: Alternative to RADIUS; uses TCP (port 49), encrypts the entire authentication exchange, and supports challenges and responses.
AAA protocols: Authentication, Authorization, and Accounting protocols such as RADIUS and TACACS+.
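The PAP, CHAP and RADIUS cards contrast how each protects a password in transit. The added example below (written for this page, not taken from it) implements the CHAP response from RFC 1994 with both sides of the exchange, shows that a captured response fails against a fresh challenge, and implements the RFC 2865 User-Password hiding that RADIUS applies to the password attribute alone. The shared secrets, usernames and the 16-byte Request Authenticator are constructed; the `ChapServer` class and `access_request_attributes` helper are illustrative names, not part of any library.

```python
"""CHAP challenge/response (RFC 1994) and RADIUS User-Password hiding (RFC 2865).
Added example; secrets, names and the authenticator are constructed."""
import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issues a fresh random challenge per attempt."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.current = b""

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        self.current = secrets.token_bytes(16)
        return self.identifier, self.current

    def verify(self, identifier: int, response: bytes) -> bool:
        expected = chap_response(identifier, self.secret, self.current)
        return hmac.compare_digest(expected, response)


def chap_exchange(server: ChapServer, client_secret: bytes):
    """Both sides' messages: Challenge -> Response -> Success/Failure.
    Returns (authenticated, captured_response) as an eavesdropper would see it."""
    ident, chal = server.challenge()
    resp = chap_response(ident, client_secret, chal)
    return server.verify(ident, resp), (ident, resp)


def chap_replay_demo():
    secret = b"constructed-chap-secret"
    server = ChapServer(secret)
    ok, (ident, resp) = chap_exchange(server, secret)   # legitimate login, response captured
    server.challenge()                                   # next session: new random challenge
    return ok, server.verify(ident, resp)                # replayed response is rejected


def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    the first block keyed by the Request Authenticator."""
    assert len(authenticator) == 16
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request_attributes(user: bytes, password: bytes, secret: bytes, authenticator: bytes) -> dict:
    """What leaves the NAS: only User-Password is obscured; User-Name is cleartext."""
    return {"User-Name": user,
            "User-Password": radius_hide_password(secret, authenticator, password)}
```

The RADIUS hiding depends entirely on the shared secret and MD5, which is why the EAP card matters: wrapping the exchange in TLS (PEAP, EAP-TLS) protects everything, not just one attribute, and TACACS+ encrypts the whole packet body.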