Security Basics PDF
Document Details
École Supérieure des Sciences et Technologies
Summary
This document provides an introduction to computer security concepts, including confidentiality, integrity, and availability. It details various security measures, such as encryption, access controls, and authentication methods. It also covers basic risk concepts and mitigation strategies.
Full Transcript
Chapter 1: Security Basics (basic notions of security)

The CIA of Security

Confidentiality
- Prevents unauthorized disclosure of data
- Ensures that data is only viewable by authorized users
- Some methods
  - Encryption (Ex: Advanced Encryption Standard (AES))
  - Access controls

Access Controls
- Identification
  - Username: Who are you?
  - A claim, not proof
- Authentication
  - Proof of identity
  - Often by providing a password
- Authorization
  - Granting access to resources

Steganography
- Hiding data within other data
- Ex: a secret message inside an image
- "Hiding data in plain sight"
- Observers won't even know a message is being sent

Integrity
- Assures that data has not been modified, tampered with, or corrupted
- Only authorized users should modify data
- Hashing assures integrity
  - Hash types: MD5, SHA-1, HMAC
  - If data changes, the hash value changes

Hash Value for Download

Digital Signatures
- Makes a legal agreement
- Like a handwritten signature
- Provides authentication
- Also provides non-repudiation

Non-Repudiation
- Prevents entities from denying that they took an action
- Examples: making a credit card purchase
- Techniques
  - Digital signatures
  - Audit logs

Availability
- Data and services are available when needed
- Remove SPOF (Single Point of Failure)

Balancing CIA
- You can never have perfect security
- Increasing one item lowers others
- Increasing confidentiality generally lowers availability
  - Example: long, complex passwords that are easily forgotten

Patching
- Software requires frequent updates
- Patch Management
  - Testing patches to make sure they aren't harmful
  - Deploying them to all devices

Defense in Depth
- Layers of protection
- Example
  - Firewall
  - Antivirus
  - Deep Freeze

Introducing Basic Risk Concepts

Risk
- Risk: The likelihood of a threat exploiting a vulnerability, resulting in a loss
- Threat: A circumstance or event that has the potential to compromise confidentiality, integrity, or availability
  - Insider threat
- Vulnerability: A weakness

Risk Mitigation
- Reduces chance that a threat will exploit a vulnerability
- Done by implementing controls (also called countermeasures and safeguards)
- Even if a threat can't be prevented, like a tornado, risk can still be reduced with controls, like insurance, evacuation plans, etc.

Controls
- Access controls
  - After authentication, only authorized users can perform critical tasks
- Business continuity and Disaster Recovery Plans
  - Reduce the impact of disasters
- Antivirus software
  - Reduces the impact of malware

Exploring Authentication Concepts

Identification, Authentication, and Authorization
- Identification: State your name (without proving it)
- Authentication: Proves your identity (with a password, fingerprint, etc.)
- Authorization: Grants access to resources based on the user's proven identity

Five Factors of Authentication
- Something you know (weakest), such as a password
- Something you have, such as a smart card
- Something you are (strongest), such as a fingerprint
- Somewhere you are, such as geolocation
- Something you do, such as gestures on a touch screen

Something You Know: Password Rules
- Password complexity: uppercase, lowercase, numbers, and symbols
- Password expiration: forces users to change password
- Password Recovery
- Password history: prevents users from reusing same password
- Change passwords regularly
- Verify a user's identity before resetting a password
- Group policy: implement password policies
- Change default passwords
- Don't write down passwords
- Don't share passwords

Something You Know: Creating Strong Passwords
- At least 8 characters long
- Isn't in a dictionary
- Contains three of these character types:
  - Uppercase letters A-Z
  - Lowercase letters a-z
  - Numbers 0-9
  - Special characters like @#$%

Something You Have: Smart Cards
- Embedded certificate
- Public Key Infrastructure
  - Allows issuance and management of certificates
- Read by a card reader

Something You Have: Token or Key Fob
- HOTP (HMAC-based One-Time Password)
  - Open standard using a secret key and an incrementing counter
  - HMAC hash used to create 6- or 8-digit value
  - Password remains valid till it is used
- TOTP (Time-based One-Time Password)
  - Uses a timestamp instead of a counter
  - Password expires every 30 seconds

Something You Are

Somewhere You Are
- IP address
  - Gives general location
  - May block logins from unexpected nations
- MAC address
  - Identifies a specific device

Something You Do
- Gestures
- Keystrokes

Multifactor Authentication
- More than one of
  - Something you know
  - Something you have
  - Something you are
- Two similar factors is not two-factor authentication
  - Such as password and PIN

Authentication issues
- Weak passwords
- Forgotten passwords
- Biometric errors

Authentication services
- Kerberos
  - Network authentication protocol
  - Database objects such as Active Directory
  - Provides mutual authentication
  - Ticket-based services access using Key Distribution Center (KDC) ticket-granting-tickets
  - Time-stamped tickets, ticket has a lifetime of ten hours
  - Uses port 88 (TCP & UDP)
- LDAP: Lightweight Directory Access Protocol
  - Version 3 uses TLS encryption
  - An extension of the X.500 standard

Virtualization
- One host appears as several systems in network

Virtualization
- Hypervisor Virtualization
- Container Virtualization
- Using Virtualization
- Associated Risks
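
Added example (not part of the original slides): the HOTP and TOTP token codes from the "Token or Key Fob" slide, computed with Python's standard library, together with the server-side checks that make an HOTP code single-use and a TOTP code expire after its 30-second step. The key is the published RFC 4226 test secret; the look_ahead and drift_steps parameters are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

# Constructed sample key: the ASCII test secret from the RFC 4226 appendix.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA-1 of the counter, truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, int(now) // step, digits)

def verify_hotp(secret, code, server_counter, look_ahead=3, digits=6):
    """Return the new server counter on success, else None.

    look_ahead (assumed value) tolerates token presses the server never saw.
    Moving the counter past the match is what invalidates a used code.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None

def verify_totp(secret, code, now, step=30, drift_steps=0, digits=6):
    """Accept the code for the current time step, plus drift_steps either side."""
    current = int(now) // step
    return any(
        hmac.compare_digest(hotp(secret, current + d, digits), code)
        for d in range(-drift_steps, drift_steps + 1)
        if current + d >= 0
    )

if __name__ == "__main__":
    counter = verify_hotp(SECRET, hotp(SECRET, 2), server_counter=0)
    print("HOTP accepted, server counter is now", counter)
    print("replay accepted:", verify_hotp(SECRET, hotp(SECRET, 2), counter) is not None)
    code = totp(SECRET, now=59)
    print("TOTP issued at t=59 valid at t=59:", verify_totp(SECRET, code, 59))
    print("same code valid at t=90:", verify_totp(SECRET, code, 90))
```
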