Web Security Associate PowerPoint Presentation

Presentation Transcript

  1. Web Security Associate

  2. Lesson 1: What Is Security?

  3. Lesson 1 Objectives
     • 1.1.1: Define security
     • 1.1.2: Identify the importance of network security
     • 1.1.3: Identify potential risk factors for data security, including improper authentication
     • 1.1.4: Identify security-related organizations, warning services and certifications
     • 1.1.5: Identify key resources that need specialized security measures
     • 1.1.6: Identify the general types of security threat/attacker
     • 1.2.6: Select security equipment and software based on ease of use

  4. Network Security Background
     • Internet-related security threats:
       • Security problems with browsers
       • Attacks by hackers
       • Threats from viruses
     • Internet inherently insecure

  5. What Is Security?
     • Local area networks (LANs)
     • Wide area networks (WANs)
     • Virtual private networks (VPNs)
     • Network perimeters
     • Illicit servers
     • Trojans

  6. Hacker Statistics
     • Reported incidents have risen steadily:
       • From 252 in 1990
       • To 9,859 in 1999
       • To 137,529 in 2003
     • Total vulnerabilities cataloged have also risen steadily:
       • From 417 in 1999
       • To 3,784 in 2003
       • To 7,236 in 2007
     • Losses due to security breaches are estimated at $67.2 billion (2005)

  7. The Myth of 100-Percent Security
     • Balance in security
     • Security policies

  8. Attributes of an Effective Security Matrix
     • Allows access control
     • Easy to use
     • Appropriate cost of ownership
     • Flexible and scalable
     • Superior alarming and reporting

  9. What You Are Trying to Protect
     • End-user resources
     • Network resources
     • Server resources
     • Information-storage resources

  10. Who Is the Threat?
     • Casual attackers
     • Determined attackers
     • Spies and industrial espionage
     • End users

  11. Security Standards
     • Security services (ISO 7498-2):
       • Authentication
       • Access control
       • Data confidentiality
       • Data integrity
       • Non-repudiation
     • Security mechanisms
     • Other government and industry standards in addition to ISO 7498-2

  12. Lesson 1 Summary
     • 1.1.1: Define security
     • 1.1.2: Identify the importance of network security
     • 1.1.3: Identify potential risk factors for data security, including improper authentication
     • 1.1.4: Identify security-related organizations, warning services and certifications
     • 1.1.5: Identify key resources that need specialized security measures
     • 1.1.6: Identify the general types of security threat/attacker
     • 1.2.6: Select security equipment and software based on ease of use

  13. Lesson 2: Elements of Security

  14. Lesson 2 Objectives
     • 1.1.7: Identify ways in which increased security mechanisms can result in increased latency
     • 1.1.8: Define the significance of a security policy
     • 1.1.9: Identify and develop basic components of an effective security policy
     • 1.1.10: Identify the key user authentication methods
     • 1.1.11: Define the significance of access control methods
     • 1.1.12: Define the functions of access control lists (ACLs) and execution control lists (ECLs)
     • 1.2.1: Identify the three main encryption methods used in internetworking
     • 1.2.5: Identify the importance of auditing
     • 1.2.6: Select security equipment and software based on ease of use
     • 1.2.7: Identify security factors related to transmission of unencrypted data across the network
     • 1.2.9: Identify the significance of encryption in enterprise networks

  15. Security Elements and Mechanisms
     • Elements of effective security:
       • Audit
       • Administration
       • Encryption
       • Access control
       • User authentication
       • Corporate security policy

  16. The Security Policy
     • Classify systems
     • Prioritize resources
     • Assign risk factors
     • Define acceptable and unacceptable activities
     • Define security measures to apply to resources
     • Define education standards for employees
     • Determine who is responsible for administering the policies

  17. Determining Backups
     • To recover data lost due to an attack:
       • Enable a backup device
       • Enable a backup service

  18. Encryption
     • Encryption categories:
       • Symmetric
       • Asymmetric
       • Hash
     • Encryption services:
       • Data confidentiality
       • Data integrity
       • Authentication
       • Non-repudiation
     • Encryption strength

  19. Authentication
     • Authentication methods:
       • What you know
       • What you have
       • Who you are
       • Where you are

  20. Specific Authentication Techniques
     • Kerberos
     • One-time passwords (OTP)

  21. Access Control
     • Access Control List (ACL):
       • Objects
       • Common permissions
     • Execution Control List (ECL)
     • Sandboxing

  22. Auditing
     • Passive auditing
     • Active auditing

  23. Security Tradeoffs and Drawbacks
     • Increased complexity
     • Slower system response time
     • Consider:
       • Ease of installation
       • An intuitive interface
       • Effective customer support

  24. Lesson 2 Summary
     • 1.1.7: Identify ways in which increased security mechanisms can result in increased latency
     • 1.1.8: Define the significance of a security policy
     • 1.1.9: Identify and develop basic components of an effective security policy
     • 1.1.10: Identify the key user authentication methods
     • 1.1.11: Define the significance of access control methods
     • 1.1.12: Define the functions of access control lists (ACLs) and execution control lists (ECLs)
     • 1.2.1: Identify the three main encryption methods used in internetworking
     • 1.2.5: Identify the importance of auditing
     • 1.2.6: Select security equipment and software based on ease of use
     • 1.2.7: Identify security factors related to transmission of unencrypted data across the network
     • 1.2.9: Identify the significance of encryption in enterprise networks

  25. Lesson 3: Applied Encryption

  26. Lesson 3 Objectives
     • 1.2.2: Define symmetric (private-key) encryption
     • 1.2.3: Define asymmetric (public-key) encryption, including distribution schemes, Public Key Infrastructure (PKI)
     • 1.2.4: Define one-way (hash) encryption
     • 1.2.8: Identify the function of parallel processing in relation to cryptography
     • 1.2.10: Identify the impact of encryption protocols and procedures on system performance
     • 1.2.11: Create a trust relationship using public-key cryptography
     • 1.2.12: Identify specific forms of symmetric, asymmetric and hash encryption, including Advanced Encryption Standard (AES)
     • 1.4.1: Deploy Pretty Good Privacy (PGP) / GNU Privacy Guard (GPG) in Windows and Linux/UNIX systems

  27. Reasons to Use Encryption
     • Make data confidential
     • Help authenticate users
     • Ensure data integrity

  28. Creating Trust Relationships
     • Manually
     • Automatically
     • Rounds and parallelization

  29. Symmetric-Key Encryption
     • One key is used to encrypt and decrypt messages
     • Benefits and drawbacks of symmetric-key encryption

  30. Symmetric-Key Algorithms
     • Data Encryption Standard (DES)
     • Triple DES
     • Symmetric algorithms created by RSA Security Corporation
     • International Data Encryption Algorithm (IDEA)
     • Blowfish
     • Twofish
     • Skipjack
     • MARS
     • Rijndael
     • Serpent
     • Advanced Encryption Standard (AES)

  31. Asymmetric-Key Encryption
     • Benefits and drawbacks of asymmetric-key encryption
     • How do browsers use public-key encryption?
     • Asymmetric-key encryption elements:
       • RSA
       • DSA
       • Diffie-Hellman

  32. One-Way (Hash) Encryption
     • Signing data
     • Hash algorithms:
       • MD2, MD4 and MD5
       • Secure hash algorithm
     • MD5sum utility (Linux)

  33. Applied Encryption Processes
     • E-mail:
       • PGP and GPG
       • Secure MIME
       • Proprietary asymmetric encryption
     • Encrypting drives
     • Secure Sockets Layer (SSL) and Secure HTTP
     • Transport Layer Security / Secure Sockets Layer (TLS/SSL)

  34. Encryption Review
     • Encryption
     • Authentication
     • Key
     • Symmetric-key (private-key) encryption
     • Asymmetric-key (public-key) encryption
     • Message integrity by hash mark and signature

  35. Lesson 3 Summary
     • 1.2.2: Define symmetric (private-key) encryption
     • 1.2.3: Define asymmetric (public-key) encryption, including distribution schemes, Public Key Infrastructure (PKI)
     • 1.2.4: Define one-way (hash) encryption
     • 1.2.8: Identify the function of parallel processing in relation to cryptography
     • 1.2.10: Identify the impact of encryption protocols and procedures on system performance
     • 1.2.11: Create a trust relationship using public-key cryptography
     • 1.2.12: Identify specific forms of symmetric, asymmetric and hash encryption, including Advanced Encryption Standard (AES)
     • 1.4.1: Deploy Pretty Good Privacy (PGP) / GNU Privacy Guard (GPG) in Windows and Linux/UNIX systems

  36. Lesson 4: Types of Attacks

  37. Lesson 4 Objectives
     • 1.2.5: Identify the importance of auditing
     • 1.4.3: Identify specific types of security attacks
     • 1.4.4: Identify a brute-force attack
     • 1.4.5: Identify a dictionary attack
     • 1.4.6: Identify routing issues and security
     • 1.4.7: Determine the causes and results of a denial-of-service (DOS) attack
     • 1.4.8: Recognize attack incidents
     • 1.4.9: Distinguish between illicit servers and trojans

  38. Network Attack Categories
     • Brute force
     • Dictionary
     • System bugs
     • Back doors
     • Malware
     • Social engineering
     • Denial of service (DOS)
     • Distributed denial of service (DDOS)
     • Spoofing
     • Scanning
     • Man in the middle
     • Bots and botnets
     • SQL injection

  39. Brute-Force and Dictionary Attacks
     • Brute-force attack: repeated access attempts
     • Dictionary attack: customized version of a brute-force attack

  40. System Bugs and Back Doors
     • Bug: unintentional flaw in a program
     • Back door: deliberately placed opening in an operating system
     • Buffer overflow

  41. Malware (Malicious Software)
     • Viruses
     • Worms
     • Trojans and root kits
     • Illicit servers
     • Logic bombs
     • Zero-day attacks
     • Managing viruses, worms and illicit programs
     • Avoiding viruses, worms and trojans

  42. Social Engineering Attacks
     • Call and ask for password
     • Fake e-mail
     • Phishing
     • Pharming
     • Securing desktops

  43. Denial-of-Service (DOS) Attacks
     • Flooding
     • Malformed packets:
       • Teardrop/Teardrop2
       • Ping of Death
       • Land attack
       • Miscellaneous attacks
     • Physical denial-of-service attacks

  44. Distributed Denial-of-Service (DDOS) Attacks
     • Components:
       • Controlling application
       • Illicit service
       • Zombie
       • Target
     • Smurf and Fraggle attacks
     • Ways to diagnose DOS and DDOS attacks
     • Mitigating vulnerability and risk
     • Unintentional DOS

  45. Spoofing Attacks
     • IP spoofing
     • ARP spoofing
     • DNS spoofing
     • Spoofing and traceback
     • Protecting against spoofing attacks

  46. Scanning Attacks
     • Stack fingerprinting and operating system detection
     • Sequence prediction
     • Network Mapper (Nmap)

  47. Man-in-the-Middle Attacks
     • Packet sniffing and network switches
     • Connection hijacking
     • Registration hijacking
     • Voicemail compromises
     • Impersonated calls
     • DNS and ARP cache poisoning
     • Avoiding man-in-the-middle attacks

  48. Bots and Botnets
     • Bot: software application that runs automated, repetitive tasks over the Internet
     • Botnet: group of computers infected with a bot
     • Avoiding bot attacks

  49. SQL Injection
     • SQL injection: hacking technique in which malicious code is inserted into SQL command strings
     • Preventing SQL injection attacks
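To make the slide's two bullets concrete, here is an added example (not part of the deck) of the same user lookup written twice in Python with the standard-library sqlite3 module: one version splices untrusted input into the SQL command string, the other binds it as a parameter. The table, rows and probe strings are constructed for the demonstration.

```python
# Added example, not from the slide deck. Shows why input spliced into an SQL
# command string is parsed as SQL, and how parameter binding prevents that.
import sqlite3

def make_db():
    """Constructed sample data: a small in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    conn.commit()
    return conn

def find_user_unsafe(conn, name):
    """Vulnerable form: the caller's input becomes part of the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name):
    """Hardened form: the input is bound as a parameter, so the SQL text is
    fixed and the database engine treats the input purely as data."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def compare(conn, name):
    """Run both forms on one input and return what each produced.

    Even an ordinary name containing a quote breaks the unsafe form, because the
    quote is read as SQL syntax; that is the same mechanism an injected string
    abuses to change what the query does. The safe form is unaffected.
    """
    try:
        unsafe = find_user_unsafe(conn, name)
    except sqlite3.OperationalError as exc:   # statement no longer parses
        unsafe = "error: %s" % exc
    return {"unsafe": unsafe, "safe": find_user_safe(conn, name)}

if __name__ == "__main__":
    db = make_db()
    for probe in ["alice", "O'Brien", "x' OR '1'='1"]:
        print(repr(probe), "->", compare(db, probe))
```

The third probe shows the unsafe form returning every row while the bound-parameter form correctly matches nothing.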

  50. Auditing
     • Checking password databases regularly
     • Checking log files
     • Scanning systems
     • Identifying information leakage:
       • Necessary information
       • Unnecessary information