CIST 1601 Information Security Fundamentals Chapter 1 General Security Concepts Collected and Compiled By JD Willard MCSE, MCSA, Network+, Microsoft IT Academy Administrator Computer Information Systems Technology Albany Technical College
Network Access Control (1:58) Understanding Information Security The term information security covers a wide array of activities in an organization, including: Products Processes used to prevent unauthorized access to, modification of, and deletion of information. Protect resources by preventing them from being disrupted by situations or attacks. Internally Externally A security administrator must deal with system vulnerabilities and human vulnerabilities. You must assume that you’re under attack
Understanding Information Security Physical The security triad or three primary areas of security focus include: Management Security Provide the guidance, rules, and procedures for implementing a security environment. Operational Security Includes access control, authentication, and security topologies after network installation is complete. Physical Security Involves the protection of your assets and information from physical access by unauthorized personnel. Security policies fall under the Management category Security Operational Management
Securing the Physical Environment The goal of a physical security policy is to allow only trusted use of resources via positive identification that the entity accessing the systems is someone or something that has permission to do so based on the security model the organization has chosen. Physical security addresses the following major categories of risks: Physical theft Loss of an asset Unauthorized disclosure of information Interruption of critical services Power failure Physical damage to hardware assets Threats affecting confidentiality Integrity and availability of critical resources
Securing the Physical Environment It is much easier for an attacker to walk into a reception area, masquerade as a vendor agent, and get access to the server than to get into a physically secured area that utilizes a guest sign-in and sign-out sheet. Unsecured equipment is vulnerable to social engineering attacks. Lock the door(s) to the server room. Mandatory physical access controls are common in government facilities and military installations where users are closely monitored and very restricted.
Examining Operational Security Operational security encompasses everything not related to design or physical security. Instead of focusing on the physical components where the data is stored, such as the server, the focus is now on the topology and connections. Issues include: Daily operations of the network Connections to other networks Backup and recovery plans Operational security includes: Computers Networks and communications systems Management of information Operational security issues include: Network access control (NAC) Authentication Security topologies
Survey Your Physical Environment The job of the security administrator is to prevent and to seek out rats (hackers). To catch a rat you need to think like a rat. How would a rat gain access to the building? Is a key or code required? Security guard? Receptionist? Cameras? How would a rat gain access to the floor of the server room? Is the elevator keyed, or can anyone use it? Do the doorways to the stairs only open outward, or can anyone walk up and enter? How would a rat find the server? In the middle of the office? In a separate room? Door secured? Key, badge or punchpad required? If the rat finds the server, would anyone see what he’s doing? Does the server room have glass windows? Are cameras overlooking the server? Can you physically see the server? Would anyone question why a rat was there? If you do use cameras where are the tape machines? Near the server so the rat can steal the evidence? If you can easily spot flaws in the security then a rat can spot them too.
Network Access Control (NAC) Network Access Control (NAC) is an effective way to protect the network from malicious hosts. NAC secures the environment by examining the user’s machine and, based on the results, grant access accordingly. NAC provides: Enforcement of security policy Containment of noncompliant users Mitigation of threats The basic components of NAC products: Access requestor (AR); device that requests access Policy decision point (PDP); system that assigns a policy based on the assessment Policy enforcement point (PEP); device that enforces the policy. Switch Firewall Router Four ways NAC systems can be integrated into the network: Inline out-of-band switch based and host based An out-of-band intervenes and performs an assessment as hosts come online, and then grants appropriate access. NAC business benefits include: Compliance Better security posture Operational cost management
Reducing Risk with Security Policies (12:24) Working with Management and Policies Management and policies provide the guidance, rules, and procedures for implementing a security environment. IT professionals can recommend policies, but they need the support of management to implement them. As a security administrator, you’ll need to look for openings that intruders can use to enter your network. Don’t think of the safeguards that may currently exist, but rather focus on ways someone not on your network might join it. How do users on your network access the Internet? Dial-up connections ? Dial-up access on laptops at home? Are proxy servers in use? Private or public IP addresses? Network Address Translation? Wireless access points on the network? Unsecured SSID? WAP range? Can you access the network in the parking lot? Remote Access allowed? From home? From hotel rooms? Callback option enabled or only user credentials? Do you use Terminal Services? Are thin clients employed/allowed? Are entire sessions on the server run remotely? Is remote administration enabled? Do users have shares on their laptops that could compromise the laptop’s data security? What ports are open on your routers and firewalls?
Working with Management and Policies A number of key policies are needed to secure a network. Administrative policieslay out guidelines and expectations for upgrades, monitoring, backups, and audits. System administrators and maintenance staff use these policies to conduct business. Administrative policies should clearly outline: When and How often to upgrade. When and how monitoring occurs. How logs are reviewed. Job responsible for these decisions. How often decisions should be reviewed. Who wrote the policy? Who signed off on the policy? What date were they mandated? Administrative policies must be specific yet flexible enough to allow for emergencies and unforeseen circumstances but not too flexible as to be virtually ineffective or unenforceable.
Working with Management and Policies Disaster recovery plans (DRPs) are one of the biggest headaches that IT professionals face. Disaster recovery plans are expensive to develop and to test, and it must be kept current. A good Disaster recovery plan takes into consideration tornadoes, floods, fires, and every conceivable disaster. Information policies refer to the various aspects of information security, including access, classifications, marking and storage, and the transmission and destruction of sensitive information. Information policies may include a data classification similar to the following: Public - For all advertisements and information posted on the Web Internal - For all intranet-type information Private - Personnel records, client data, and so on Confidential - Public Key Infrastructure (PKI) information and other items restricted to all but those who must know them Information policies must be as comprehensive as possible.
Working with Management and Policies Security policies define the configuration of systems and networks, including: Installation of software and hardware Network connections and network connectivity Computer room and data center security How identification and authentication occurs. Access control Audits and reports Encryption Antivirus software Security policies also establish procedures and methods used for: Password policy Account expiration Failed logon attempts
Working with Management and Policies Software design requirementsoutline system capabilities. Use the requirements to have vendors explain proposed solutions. Should be specific about security requirements. Design requirements should be viewed as a moving target. Usage policiescover how information and resources are used. How users can use organizational resources and for what purposes Rules of computer usage Statements about privacy, ownership, and the consequences of improper acts Internet, remote access, and e‑mail usage expectations How users should handle incidents and who to contact if they suspect something Spell out the fact that monitoring can take place and that users agree to it Consequences for account misuse should also be stated.
Working with Management and Policies User management policies identify how new employees are added to the system as well as: Training and orientation Equipment installation and configuration Employee transfers This can result in privilege creep where a user acquires administrative privileges to the system by accident. User management policies should outline: Notification of IT department about employee terminations How notifications should occur Terminated employees accounts should be either disabled or deleted.
Understanding the Goals of Information Security Goals of Information Security include: Prevention – Preventing computer or information violations. Detection - Identifying events when they occur, identifying the assets under attack, how the attack is occurring, and who is responsible. Detection may involve complicated monitoring tools or checking the system logs. System logs will frequently tell you what was accessed and in what manner. These logs are usually explicit in describing the events that occurred during a security violation. Detection should be ongoing and part of security policies and procedures. Response – Strategies and techniques to deal with an attack or loss. Have a well thought out and tested plan for response, restoring operations, and neutralizing the threat.
Comprehending the Security Process Appreciating Antivirus Software The most common method used in an antivirus program is scanning. Scanning identifies virus code based on a unique string of characters known as a signature. Scanning searches files in memory, the boot sector, and on the hard disk for identifiable virus code. Your first step, should a system become infected with a new virus, would be to verify antivirus software is up to date including the virus definition files.
Authorization and Access Control (3:59) Comprehending the Security Process Implementing Access Control Access Control defines how users and systems communicate and in what manner. Three basic models are used to explain access control: Mandatory Access Control (MAC) MAC provides the strictest security mechanism. It assigns security labels to both subjects and objects. Labels are comprised of a classification and different categories. Classification indicates the sensitivity level of the subject or object, such as secret or top-secret. Categories enforce need to know rules. Categories should be determined by the organization based on access control needs, such as human resources or accounting. Under MAC, a file, printer, or computer would exist as an object. Objects are resources accessed by groups, users, or processes. A user or group would exist as a subject. Subjects access objects. Access privileges to resources are assigned by administrators, are predefined based on the security policy, and can’t be changed by users. A privilege that is not expressly permitted is forbidden. Users cannot share resources dynamically. This model is usually implemented in highly secure networks, such as military facilities.
Comprehending the Security Process Implementing Access Control The Discretionary Access Control model (DAC) The Discretionary Access Control model (DAC) is used in small Microsoft workgroup networks where users commonly share folders with each other. In the DAC model, the data owner\creator is responsible for granting other users access to resources, and determines the level of access that will be granted to those users, as well as limiting object access to certain days and certain times in the day. The DAC model uses Access Control Lists (ACLs) to map a user's access permissions to a resource. An ACL is a security mechanism used to designate those users who can gain various types of access, such as read, write, and execute access, to resources on a network. An ACL provides security as granular as the file level. In DAC, a subject’s rights should be suspended when he is on leave or vacation and should be terminated when he leaves the company.
Comprehending the Security Process Implementing Access Control Role-Based Access Control (RBAC) Role-Based Access Control (RBAC) allows specific people to be assigned to specific roles with specific privileges. RBAC uses the role to identify the users who have permissions to a resource, and may be implemented system wide. Users may be able to access information from any station in the network, based strictly on their role. Privileges would be limited to the role and wouldn’t be present during the employee’s normal job functions. For example, a backup operator role would give anyone who occupied that role the ability to perform backups, including the security privileges that went along with it. These privileges should reflect the organization's structure and responsibilities users have in the organization. The RBAC mode is common in network administrative roles.
Identification and Authentication (6:32) Understanding Authentication Single-Factor Authentication (4:38) Authentication is the mechanism by which the unique identity is associated with a security principal (a specific user or service). Before authorization can occur, the identity of the account attempting to access a resource must first be determined. This process is known as authentication. Authentication can be generally broken into three basic forms, depending on what is required to authorize access: Something you know Something you have Something you are The most well-known form of authentication is the use of a username and password combination to access controlled resources. Access is not possible without both parts required for account authentication, so a level of protection is provided. The shortcoming of any authentication system is that the keys used may be easily falsified and access rights may be granted to an unauthorized access attempt. Null or easily guessed passwords are one of the most widespread examples of the potential for this weakness.
Biometrics Biometrics is the authentication process that uses physical characteristic to establish identification. A user places their hand on a finger print scanner or they put their eyes against a retinal scanner. Since a person’s fingerprint, blood vessel print, or retinal image is unique the only way the system can authenticate is if the proper user is there. Biometric devices typically use either a hand pattern or a retinal scan to accomplish this. Iris profile biometric devices identify an individual b y using the colored part of the eye that surrounds the pupil. Facial geometry identifies a user based on the profile and characteristics of the face. A retina scan identifies an individual by using the blood vessel pattern at the back of the eyeball. A retinal scan is a very secure form of evidence used in high-security companies and government agencies. When using biometrics, remember that each method has its own degree of error ratios, and some methods may seem invasive to the users and may not be accepted gracefully. The false acceptance rate (FAR) is a measure if the likelihood that the access system will wrongly accept an access attempt. In other words, it will allow access to an unauthorized user. The false rejection rate (FRR) is the percentage of identification instances in which false rejection occurs. In false rejection, the system fails to recognize an authorized person and rejects that person as unauthorized. The only way for an unauthorized user to get access is to physically kidnap the authorized user and force them through the system. For this reason, biometrics are the strongest (and the costliest) form of authentication.
Certificates Certificates are another form of authentication. A server or certificate authority (CA) can issue a certificate that will be accepted by the challenging system. Certificates can be either physical access devices, such as smart cards, or electronic certificates that are used as part of the logon process. A Certificate Practice Statement (CPS) outlines the rules used for issuing and managing certificates. A Certification Revocation List (CRL) lists the revocation that must be addressed (often due to expiration) in order to stay current.
Certificates A certificate being issued after identification has been verified.
Challenge Handshake Authentication Protocol (CHAP) Challenge Handshake Authentication Protocol (CHAP) uses a challenge/response mechanism. Using CHAP, the initiator sends a logon request from the client to the server. The server sends a challenge back to the client. The challenge is encrypted and then sent back to the server. The server compares the value from the client and, if the information matches, grants authorization and the client logs on. If the response fails, the session fails and the request phase starts over. A challenge/response mechanism, sometimes referred to as a three-way handshake, uses a secret password that verifies the identity of a user or node without revealing the password. CHAP is typically used for authentication on dial-up connections. CHAP uses only encrypted passwords during the authentication process. CHAP uses two compared values created using the MD5 hashing algorithm.
Challenge Handshake Authentication Protocol (CHAP) CHAP Authentication
Kerberos (9:57) Kerberos Kerberos uses a Key Distribution Center (KDC) to authenticate a principle. Principals are the entities to which the KDC provides services. They may be users, applications, systems, or services. Session keys are symmetric keys used to encrypt and decrypt information that passed between the principals and KDC. The Key Distribution Center (KDC) is the most important component in a Kerberos environment. It is responsible for managing all the secret keys, authenticating all users, and issuing tickets to valid users. The KDC provides a ticket to the network. A ticket granting ticket (TGT) is the entity issued by the authentication service (AS) on the KDC to a principal. The TGT proves principal identity throughout the communication process. Once this ticket is issued, it can be used to authenticate against other principles. This occurs automatically when a request or service is performed by another principal. Kerberos v5 includes support for a process known as mutual authentication, where both the identity of the client that is requesting authentication and the server that is providing authentication are verified. Kerberos and Active Directory are two technologies that provide single sign-on authentication. Single sign-on addresses the problem of users having to remember multiple usernames and passwords to access different systems. Single Sign-on (3:25)
Kerberos Kerberos Authentication Process
Multi-Factor Authentication (3:15) Multifactor Authentication Multifactor authentication involves the use of two or more different forms of authentication. Any combination of authentication methods may be used in a multifactor solution. Different forms include: What you know (logon, password, PIN) What you have (smartcard, keycard, SecureID number generator) What you are (biometrics) A two-factor method can potentially increase the strength of authentication by combining authentication protocols such as the use of a smart card in conjunction with a password or smart card and biometrics for logon.
Multifactor Authentication Two-factor Authentication
Mutual Authentication Whenever two or more parties authenticate each other, this is known as mutual authentication. Mutual authentication checks the identity of both ends of the connection. It is often referred to as two-way authentication. A client may authenticate to a server, and a server authenticate to a client when there is a need to establish a secure session between the two and employ encryption. Mutual authentication ensures that the client is not unwittingly connecting and giving its credentials to a rogue server; which can then turn around and steal the data from the real server. Commonly, mutual authentication will be implemented when the data to be sent during the session is of a critical nature—such as financial or medical records.
Password Authentication Protocol (PAP) Password Authentication Protocol (PAP) offers no true security, but it’s one of the simplest forms of authentication. The username and password values are both sent to the server as clear text and checked for a match. If they match, the user is granted access; if they don’t match, the user is denied access. In most modern implementations, PAP is shunned in favor of other, more secure authentication methods.
Security Tokens Security tokens are similar to certificates. They contain the rights and access privileges of the token bearer as part of the token. Many operating systems generate a token that is applied to every action taken on the computer system. I f your token doesn’t grant you access to certain information, then either that information won’t be displayed or your access will be denied. The authentication system creates a token every time a user connects or a session begins. Authentication is established on each session and is valid only for that session. At the completion of a session, the token is destroyed.
Security Tokens Security Token Authentication
Smart Cards A smart card is a type of badge or card that can allow access to multiple resources including buildings, parking lots, and computers. It contains information about your identity and access privileges. The reader is connected to the workstation and validates against the security system. Smart Cards often also require the use of a small password called a PIN; which further secures the smart card if lost by the true card holder. Smart Cards increase the security of the authentication process because it must be in your physical possession. A whole system can become useless if the smart card is lost or stolen.
Smart Cards The Smart Card Authentication Process
Username/Password Using a login and password is single-factor authentication because it consists of only what you know. A username and password are unique identifiers for a logon process. Most operating systems use a user ID and password to accomplish identity during the logon process. These values can be sent across the connection as plain text or can be encrypted. The logon process identifies to the operating system, and possibly the network, that you are who you say you are. The operating system might establish privileges or permissions based on stored data about that particular ID. Usernames and passwords can be intercepted and are the least secure.
Authentication Issues to Consider Setting authentication security, especially in supporting users, can become a high-maintenance activity for network administrators. On one hand, you want people to be able to authenticate themselves easily On the other hand, you want to establish security that protects your company’s resources. Be wary of popular names or current trends that make certain passwords predictable. Identity proofing is an organizational process that binds users to authentication methods. Identification proofing is invoked when a person claims they are the user, but cannot be authenticated—such as when they lose their password. They are typically asked to provide another value—such as mother’s maiden name— to prove their identity. Identity proofing gives the organization assurance that the user performing an authentication is the legitimate user. Under no circumstance should the person proofing be allowed access immediately— instead their access information should be sent to their email account of record. Identity proofing is the main component of authentication lifecycle management. Authenticators for identity proofing include smart cards, biometrics, and one-time password (OTP) devices.
Distinguishing between Security Topologies Setting Design Goals Sending data across an insecure network, such as the Internet, affects confidentiality and integrity. It is the responsibility of the sender to ensure that proper security controls are in place. Confidentiality and integrity should be implemented to ensure the accuracy of the data and its accessibility to authorized personnel. The three core security objectives for the protection of the information assets of an organization are: Confidentiality Integrity Availability These three objectives are also referred to as the CIA triad. Most computer attacks result in the violation of the CIA triad.
Confidentiality, Integrity, and Availability (5:10) Confidentiality Meeting the goal of confidentiality is to prevent or minimize unauthorized access to and disclosure of data and information. Confidentiality is the minimum level of secrecy that is maintained to protect sensitive information from unauthorized disclosure. In many instances, laws and regulations require specific information confidentiality. Confidentiality can be implemented through encryption, access control data classification, and security awareness. Maintaining the confidentiality of information prevents an organization from attacks, such as shoulder surfing and social engineering, which can lead to disclosure of confidential information and disrupt business operations. Lack of sufficient security controls to maintain confidentiality leads to the disclosure of information.
Integrity Ensuring the integrity of information implies that the information is protected from unauthorized modification and that the contents have not been altered. To meet the goal of integrity, you must verify that information being used is accurate and hasn’t been tampered with. Integrity ensures the following conditions: The data is accurate and reliable. The data and the system are protected from unauthorized alteration. Attacks and user mistakes do not affect the integrity of the data and the system. Integrity is coupled with accountability to ensure that data is accurate and that a final authority exists to verify this, if needed.
Availability To meet the goal of availability, you must protect data and prevent its loss. Data that can’t be accessed is of little value. If a mishap or attack brings down a key server or database, that information won’t be available to the people who need it. This can cause havoc in an organization. Your job is to provide maximum availability to your users while ensuring integrity and confidentiality. The hardest part of this process is determining the balance you must maintain between these three aspects to provide acceptable security for the organization’s information and resources.
Accountability The final and often overlooked goal of design concerns accountability. Accountability involves identifying who owns or is responsible for the accuracy of certain information in an organization. Many of the resources used by an organization are shared between departments and individuals. The department or individual that is accountable for certain information would also be responsible for verifying accuracy in the event of a data-tampering incident. You should also be able to track and monitor data changes to detect and repair the data in the event of loss or damage. Most systems will track and store logs on system activities and data manipulation, and they will also provide reports on problems.
Creating Security Zones It’s common for a network to have connections among departments, companies, countries, and public access using private communication paths and through the Internet. Not everyone in a network needs access to all the assets in the network. The term security zone describes design methods that isolate systems from other systems or networks. You can isolate networks from each other using hardware and software. The Internet creates a challenge for security. Security zones allow you to isolate systems from unauthorized users. Here are the four most common security zones you’ll encounter: Internet Intranet Extranet Demilitarized zone (DMZ) By implementing intranets, extranets, and DMZs, you can create a reasonably secure environment for your organization.
Internet The Internet is a global network connecting computers and individual networks together. In this environment, you should have a low level of trust in the people who use the Internet. You must always assume that the people visiting your website may have bad intentions; they may want: To buy your product To hire your firm To bring your servers to a screaming halt Because the Internet involves such a high level of anonymity, you must always safeguard your data with the utmost precautions
Intranets Intranets are private networks implemented and maintained by an individual company or organization. An intranet is the private network of the company that contains most of the private resources and network infrastructure equipment of the company. An intranet belongs to and is controlled by the company. Intranets use the same technologies used by the Internet. You can think of an intranet as an Internet that doesn’t leave your company: It’s internal to the company. Access is limited to systems within the intranet. Access to the intranet is granted to trusted users inside the corporate network or to users in remote locations.
Extranets Extranets extend intranets to include outside connections to partners. An extranet is the public area of the company network infrastructure that enables resources to be accessed by external users. An extranet is a semi-secure zone that allows partners of the organization to access specific resources. The partners can be vendors, suppliers, or similar parties who need access to your data for legitimate reasons. Extranet connections involve connections between trustworthy organizations. Security for the extranet security zone can include a number of strategies: Using VPN connections Regularly auditing all services Removing all unnecessary services Limiting the number of services provided
Demilitarized Zone (DMZ) A demilitarized zone (DMZ), or perimeter network, provides a layer of security and privacy between the company infrastructure and the Internet. A DMZ might contain Internet accessible servers such as access web servers, FTP servers, and mail-relay servers for restrictive access by people you might not trust otherwise. By isolating a server in a DMZ, you can hide or remove access to other areas of your network. The internal network isn’t visible to external users lowering the threat of intrusion in the internal network. A DMZ is a separate subnet coming off a separate router interface. Most organizations deploy, at a minimum, two firewalls. The first firewall is placed in front of the DMZ to allow requests from the external public interface destined for servers in the DMZ or to route requests to an authentication proxy. The second firewall is placed to allow outbound requests and denies public traffic to pass through the interface that connects to the internal private network. From there, you can decide what traffic goes where; for example, HTTP traffic would be sent to the DMZ, and e‑mail would go to the internal network. All initial necessary connections are located on the DMZ machines. For example, a RADIUS server may be running in the DMZ for improved performance and enhanced security, even though its database resides inside the company intranet.
Demilitarized Zone (DMZ) A typical DMZ
Virtualization (2:20) Working with Newer Technologies Virtualization Technology Virtual environments are available to run on just about everything from servers and routers to USB thumb drives. Hardware vendors are rapidly embracing virtualization and developing new features to simplify virtualization techniques. Virtual environments can be used to improve security by: Allowing unstable applications to be used in an isolated environment. Providing better disaster recovery solutions. Virtual environments are also used for cost-cutting measures. One well-equipped server can host several virtual servers, reducing the need for power and equipment. Forensic analysts often use virtual environments as a method of viewing the environment the same way the criminal did. A hypervisor or virtual machine monitor (VMM) is a virtualization platform that provides multiple operating systems running on a host computer at the same time. A Type 1 native or bare-metal hypervisor is software that runs directly on a hardware platform. The guest operating systems runs at the second level above the hardware. This technique allows full guest systems to be run in a relatively efficient manner. The guest OS is not aware it is being virtualized and requires no modification. A Type 2 or hosted hypervisor is software that runs within an operating system environment, and the guest operating system runs at the third level above the hardware. The hypervisor runs as an application or shell on another already running operating system.