Web Security Associate

    Presentation Transcript
    1. Web Security Associate

    2. Lesson 1: What Is Security?

    3. Lesson 1 Objectives • 1.1.1: Define security • 1.1.2: Identify the importance of network security • 1.1.3: Identify potential risk factors for data security, including improper authentication • 1.1.4: Identify security-related organizations, warning services and certifications • 1.1.5: Identify key resources that need specialized security measures • 1.1.6: Identify the general types of security threat/attacker • 1.2.6: Select security equipment and software based on ease of use

    4. Network Security Background • Internet-related security threats: • Security problems with browsers • Attacks by hackers • Threats from viruses • Internet inherently insecure

    5. What Is Security? • Local area networks (LANs) • Wide area networks (WANs) • Virtual private networks (VPNs) • Network perimeters • Illicit servers • Trojans

    6. Hacker Statistics • Reported incidents have risen steadily: • From 252 in 1990 • To 9,859 in 1999 • To 137,529 in 2003 • Total vulnerabilities cataloged have also risen steadily: • From 417 in 1999 • To 3,784 in 2003 • To 7,236 in 2007 • Losses due to security breaches are estimated at $67.2 billion (2005)

    7. The Myth of 100-Percent Security • Balance in security • Security policies

    8. Attributes of an Effective Security Matrix • Allows access control • Easy to use • Appropriate cost of ownership • Flexible and scalable • Superior alarming and reporting

    9. What You Are Trying to Protect • End-user resources • Network resources • Server resources • Information-storage resources

    10. Who Is the Threat? • Casual attackers • Determined attackers • Spies and industrial espionage • End users

    11. Security Standards • Security Services (ISO 7498-2) • Authentication • Access control • Data confidentiality • Data integrity • Non-repudiation • Security mechanisms • Other government and industry standards in addition to ISO 7498-2

    12. Lesson 1 Summary • 1.1.1: Define security • 1.1.2: Identify the importance of network security • 1.1.3: Identify potential risk factors for data security, including improper authentication • 1.1.4: Identify security-related organizations, warning services and certifications • 1.1.5: Identify key resources that need specialized security measures • 1.1.6: Identify the general types of security threat/attacker • 1.2.6: Select security equipment and software based on ease of use

    13. Lesson 2: Elements of Security

    14. Lesson 2 Objectives • 1.1.7: Identify ways in which increased security mechanisms can result in increased latency • 1.1.8: Define the significance of a security policy • 1.1.9: Identify and develop basic components of an effective security policy • 1.1.10: Identify the key user authentication methods • 1.1.11: Define the significance of access control methods • 1.1.12: Define the functions of access control lists (ACLs) and execution control lists (ECLs) • 1.2.1: Identify the three main encryption methods used in internetworking • 1.2.5: Identify the importance of auditing • 1.2.6: Select security equipment and software based on ease of use • 1.2.7: Identify security factors related to transmission of unencrypted data across the network • 1.2.9: Identify the significance of encryption in enterprise networks

    15. Security Elements and Mechanisms • Elements of effective security • Audit • Administration • Encryption • Access Control • User Authentication • Corporate Security Policy

    16. The Security Policy • Classify systems • Prioritize resources • Assign risk factors • Define acceptable and unacceptable activities • Define security measures to apply to resources • Define education standards for employees • Determine who is responsible for administering the policies

    17. Determining Backups • To recover data lost due to an attack: • Enable a backup device • Enable a backup service

    18. Encryption • Encryption categories • Symmetric • Asymmetric • Hash • Encryption services • Data confidentiality • Data integrity • Authentication • Non-repudiation • Encryption strength

    19. Authentication • Authentication methods • What you know • What you have • Who you are • Where you are

    20. Specific Authentication Techniques • Kerberos • One-time passwords (OTP)

    21. Access Control • Access Control List (ACL) • Objects • Common permissions • Execution Control List (ECL) • Sandboxing

    22. Auditing • Passive auditing • Active auditing

    23. Security Tradeoffs and Drawbacks • Increased complexity • Slower system response time • Consider: • Ease of installation • An intuitive interface • Effective customer support

    24. Lesson 2 Summary • 1.1.7: Identify ways in which increased security mechanisms can result in increased latency • 1.1.8: Define the significance of a security policy • 1.1.9: Identify and develop basic components of an effective security policy • 1.1.10: Identify the key user authentication methods • 1.1.11: Define the significance of access control methods • 1.1.12: Define the functions of access control lists (ACLs) and execution control lists (ECLs) • 1.2.1: Identify the three main encryption methods used in internetworking • 1.2.5: Identify the importance of auditing • 1.2.6: Select security equipment and software based on ease of use • 1.2.7: Identify security factors related to transmission of unencrypted data across the network • 1.2.9: Identify the significance of encryption in enterprise networks

    25. Lesson 3: Applied Encryption

    26. Lesson 3 Objectives • 1.2.2: Define symmetric (private-key) encryption • 1.2.3: Define asymmetric (public-key) encryption, including distribution schemes, Public Key Infrastructure (PKI) • 1.2.4: Define one-way (hash) encryption • 1.2.8: Identify the function of parallel processing in relation to cryptography • 1.2.10: Identify the impact of encryption protocols and procedures on system performance • 1.2.11: Create a trust relationship using public-key cryptography • 1.2.12: Identify specific forms of symmetric, asymmetric and hash encryption, including Advanced Encryption Standard (AES) • 1.4.1: Deploy Pretty Good Privacy (PGP) / Gnu Privacy Guard (GPG) in Windows and Linux/UNIX systems

    27. Reasons to Use Encryption • Make data confidential • Help authenticate users • Ensure data integrity

    28. Creating Trust Relationships • Manually • Automatically • Rounds and parallelization

    29. Symmetric-Key Encryption • One key is used to encrypt and decrypt messages • Benefits and drawbacks of symmetric-key encryption

    30. Symmetric-Key Algorithms • Data Encryption Standard (DES) • Triple DES • Symmetric algorithms created by RSA Security Corporation • International Data Encryption Algorithm (IDEA) • Blowfish • Twofish • Skipjack • MARS • Rijndael • Serpent • Advanced Encryption Standard (AES)

    31. Asymmetric-Key Encryption • Benefits and drawbacks of asymmetric-key encryption • How do browsers use public-key encryption? • Asymmetric-key encryption elements • RSA • DSA • Diffie-Hellman

    32. One-Way (Hash) Encryption • Signing data • Hash algorithms • MD2, MD4 and MD5 • Secure hash algorithm • MD5sum utility (Linux)

    33. Applied Encryption Processes • E-mail • PGP and GPG • Secure MIME • Proprietary asymmetric encryption • Encrypting drives • Secure Sockets Layer (SSL) and Secure HTTP • Transport Layer Security / Secure Sockets Layer (TLS/SSL)

    34. Encryption Review • Encryption • Authentication • Key • Symmetric-key (private-key) encryption • Asymmetric-key (public-key) encryption • Message integrity by hash mark and signature

    35. Lesson 3 Summary • 1.2.2: Define symmetric (private-key) encryption • 1.2.3: Define asymmetric (public-key) encryption, including distribution schemes, Public Key Infrastructure (PKI) • 1.2.4: Define one-way (hash) encryption • 1.2.8: Identify the function of parallel processing in relation to cryptography • 1.2.10: Identify the impact of encryption protocols and procedures on system performance • 1.2.11: Create a trust relationship using public-key cryptography • 1.2.12: Identify specific forms of symmetric, asymmetric and hash encryption, including Advanced Encryption Standard (AES) • 1.4.1: Deploy Pretty Good Privacy (PGP) / Gnu Privacy Guard (GPG) in Windows and Linux/UNIX systems

    36. Lesson 4: Types of Attacks

    37. Lesson 4 Objectives • 1.2.5: Identify the importance of auditing • 1.4.3: Identify specific types of security attacks • 1.4.4: Identify a brute-force attack • 1.4.5: Identify a dictionary attack • 1.4.6: Identify routing issues and security • 1.4.7: Determine the causes and results of a denial-of-service (DOS) attack • 1.4.8: Recognize attack incidents • 1.4.9: Distinguish between illicit servers and trojans

    38. Network Attack Categories • Brute force • Dictionary • System bugs • Back doors • Malware • Social engineering • Denial of service (DOS) • Distributed denial of service (DDOS) • Spoofing • Scanning • Man in the middle • Bots and botnets • SQL injection

    39. Brute-Force and Dictionary Attacks • Brute-force attack: Repeated access attempts • Dictionary attack: Customized version of brute-force attack

    40. System Bugs and Back Doors • Bug: Unintentional flaw in a program • Back door: Deliberately-placed opening in an operating system • Buffer overflow

    41. Malware (Malicious Software) • Viruses • Worms • Trojans and root kits • Illicit servers • Logic bombs • Zero-day attacks • Managing viruses, worms and illicit programs • Avoiding viruses, worms and trojans

    42. Social Engineering Attacks • Call and ask for password • Fake e-mail • Phishing • Pharming • Securing desktops

    43. Denial-of-Service (DOS) Attacks • Flooding • Malformed packets • Teardrop/Teardrop2 • Ping of Death • Land attack • Miscellaneous attacks • Physical denial-of-service attacks

    44. Distributed Denial-of-Service (DDOS) Attacks • Components: • Controlling application • Illicit service • Zombie • Target • Smurf and Fraggle attacks • Ways to diagnose DOS and DDOS attacks • Mitigating vulnerability and risk • Unintentional DOS

    45. Spoofing Attacks • IP spoofing • ARP spoofing • DNS spoofing • Spoofing and traceback • Protecting against spoofing attacks

    46. Scanning Attacks • Stack fingerprinting and operating system detection • Sequence prediction • Network Mapper (Nmap)

    47. Man-in-the-Middle Attacks • Packet sniffing and network switches • Connection hijacking • Registration hijacking • Voicemail compromises • Impersonated calls • DNS and ARP cache poisoning • Avoiding man-in-the-middle attacks

    48. Bots and Botnets • Bot: Software application that runs automated, repetitive tasks over the Internet • Botnet: Group of computers infected with a bot • Avoiding bot attacks

    49. SQL Injection • SQL injection: Hacking technique in which malicious code is inserted into SQL command strings • Preventing SQL injection attacks

    50. Auditing • Checking password databases regularly • Checking log files • Scanning systems • Identifying information leakage • Necessary information • Unnecessary information