
Chapter 1: Mastering the Basics of Security

Security Training at CCSF: Associate of Science Degree

CNIT 120: Network Security
- Fundamentals of network security
- Preparation for Security+ certification
- Essential for any Information Technology professional

CNIT 40: DNS Security
- Configure and defend DNS infrastructure

CNIT 121: Computer Forensics
- Analyze computers for evidence of crimes

CNIT 120 - Bowne, Page 1 of 9

CNIT 122: Firewalls
- Defend networks

Two Hacking Classes
- Perform real cyberattacks and block them
- CNIT 123: Ethical Hacking and Network Defense
- CNIT 124: Advanced Ethical Hacking

Supplemental Materials
- Projects from recent research
- Students get extra credit by attending conferences

Certified Ethical Hacker
- CNIT 123 and 124 help prepare students for CEH certification

CNIT 125: Information Security Professional
- CISSP, the most respected certificate in information security

CNIT 126: Practical Malware Analysis
- Incident response after intrusion



Exploring Core Security Principles

The CIA of Security

Confidentiality
- Prevents unauthorized disclosure of data
- Ensures that data is only viewable by authorized users
- Some methods: authentication combined with access controls; cryptography

Integrity
- Assures that data has not been modified, tampered with, or corrupted
- Only authorized users should modify data
- Hashing assures integrity
  - Hash types: MD5, SHA, HMAC
  - If data changes, the hash value changes
  - Hash Value for Download

Availability
- Data and services are available when needed
- Techniques: disk redundancies (RAID), server redundancies (clusters), site redundancies, backups, alternate power, cooling systems

Balancing CIA
- You can never have perfect security
- Increasing one item lowers others
- Increasing confidentiality generally lowers availability
  - Example: long, complex passwords that are easily forgotten

Non-Repudiation
- Prevents entities from denying that they took an action
- Examples: signing a home loan, making a credit card purchase
- Techniques: digital signatures, audit logs

Defense in Depth
- Layers of protection
- Example: firewall, antivirus, Deep Freeze

Implicit Deny
- Anything not explicitly allowed is denied
- Common: access control lists for firewalls and routers; Microsoft file and folder permissions
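To make the Integrity bullets concrete, here is an added example (not from the course slides) of the "hash value for download" check and of why HMAC is listed separately from MD5/SHA: a plain hash detects accidental or malicious changes, but an HMAC tag can only be produced by a holder of the shared key. The file bytes and key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample: the "downloaded" file as the publisher shipped it.
PUBLISHED_FILE = b"installer-v1.0 payload bytes (constructed sample)\n"


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hash value for a download. hashlib accepts 'md5', 'sha1' and 'sha256';
    MD5 (listed on the slide) is collision-broken, so prefer SHA-2 in practice."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_download(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check: if even one byte of the data changed, the hash changes."""
    return hmac.compare_digest(digest_hex(data, algorithm), expected_hex.lower())


def hmac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 gives integrity plus authenticity: whoever alters the file
    could also re-publish a plain hash, but cannot forge a tag without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(hmac_tag(key, data), tag_hex)


if __name__ == "__main__":
    published = digest_hex(PUBLISHED_FILE)
    tampered = PUBLISHED_FILE.replace(b"v1.0", b"v1.O")   # one-byte change
    print("clean    :", verify_download(PUBLISHED_FILE, published))  # True
    print("tampered :", verify_download(tampered, published))        # False
    key = b"constructed-shared-key"
    tag = hmac_tag(key, PUBLISHED_FILE)
    print("hmac ok  :", verify_hmac(key, PUBLISHED_FILE, tag))          # True
    print("wrong key:", verify_hmac(b"other-key", PUBLISHED_FILE, tag))  # False
```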

Introducing Basic Risk Concepts

Risk
- The likelihood of a threat exploiting a vulnerability, resulting in a loss

Threat
- Circumstance or event that has the potential to compromise confidentiality, integrity, or availability
- Insider threat

Vulnerability
- A weakness

Risk Mitigation
- Reduces the chance that a threat will exploit a vulnerability
- Done by implementing controls (also called countermeasures and safeguards)
- Even if a threat can't be prevented, like a tornado, risk can still be reduced with controls, like insurance, evacuation plans, etc.

Controls
- Access controls: after authentication, only authorized users can perform critical tasks
- Business continuity and disaster recovery plans: reduce the impact of disasters
- Antivirus software: reduces the impact of malware

Exploring Authentication Concepts

Identification, Authentication, and Authorization
- Identification: state your name (without proving it)
- Authentication: proves your identity (with a password, fingerprint, etc.)
- Authorization: grants access to resources based on the user's proven identity

Identity Proofing
- Verifying that people are who they claim to be prior to issuing them credentials, or when replacing lost credentials
- Sarah Palin's email (Link Ch 1a)

Three Factors of Authentication
- Something you know, such as a password (weakest factor, but most common)
- Something you have, such as a smart card
- Something you are, such as a fingerprint



Password Rules
- Passwords should be strong: at least 8 characters, with three of: uppercase, lowercase, numbers, and symbols
- Change passwords regularly
- Don't reuse passwords
- Change default passwords
- Don't write down passwords
- Don't share passwords
- Account lockout policies: block access after too many incorrect passwords are entered
- Password history: remembers previous passwords so users cannot re-use them

Account Lockout Policies
- Account lockout threshold: the maximum number of times a wrong password can be entered (typically 5)
- Account lockout duration: how long an account is locked (typically 30 min.)

Previous Logon Notification
- Gmail has it, at the bottom of the screen

Something You Have
- Smart card: contains a certificate, read by a card reader (image from made-in-china.com)
- Token or key fob (image from tokenguard.com)

Smart Cards
- Embedded certificate
- Public Key Infrastructure allows issuance and management of certificates
- CAC (Common Access Card): used by the US Department of Defense
- PIV (Personal Identity Verification) card: used by US federal agencies

Something You Are (Biometrics)
- Physical biometrics: fingerprint (image from amazon.com), retinal scanners, iris scanners
- Behavioral biometrics: voice recognition, signature geometry, keystrokes on a keyboard
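The password rules, lockout threshold and duration, and password history above can be expressed as one small policy engine. This is an added example, not course code; the numbers come from the slides except HISTORY_SIZE, which is an assumed value, and timestamps are plain seconds so the lockout timer is easy to follow.

```python
import re

MIN_LENGTH = 8                       # slide: at least 8 characters
REQUIRED_CLASSES = 3                 # slide: three of upper, lower, numbers, symbols
LOCKOUT_THRESHOLD = 5                # slide: typically 5 wrong passwords
LOCKOUT_DURATION_SECONDS = 30 * 60   # slide: typically 30 min.
HISTORY_SIZE = 5                     # assumed value; the slide gives no number
_CLASSES = [re.compile(p) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")]


def is_strong(password: str) -> bool:
    """Length rule plus at least REQUIRED_CLASSES of the four character classes."""
    if len(password) < MIN_LENGTH:
        return False
    return sum(bool(c.search(password)) for c in _CLASSES) >= REQUIRED_CLASSES


class Account:
    """One user's password, failure counter, lockout timer and password history.
    Passwords are kept in plaintext only to keep the example short; a real
    system stores salted hashes and compares them in constant time."""

    def __init__(self, password: str):
        if not is_strong(password):
            raise ValueError("initial password does not meet the rules")
        self.password = password
        self.history = [password]
        self.failures = 0
        self.locked_until = None     # seconds timestamp, or None when not locked

    def login(self, attempt: str, now: float) -> str:
        """Returns 'ok', 'wrong' or 'locked'; `now` is a timestamp in seconds."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"          # lockout duration has not elapsed yet
        if attempt == self.password:
            self.failures, self.locked_until = 0, None
            return "ok"
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_DURATION_SECONDS
            self.failures = 0
            return "locked"
        return "wrong"

    def change_password(self, new: str) -> bool:
        """Rejects weak passwords and any password still in the history."""
        if not is_strong(new) or new in self.history:
            return False
        self.password = new
        self.history = (self.history + [new])[-HISTORY_SIZE:]
        return True
```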



False Acceptance and False Rejection
- False Acceptance Rate: incorrectly identifying an unauthorized user as authorized
- False Rejection Rate: incorrectly rejecting an authorized user

Multifactor Authentication
- More than one of: something you know, something you have, something you are
- Two similar factors is not two-factor authentication, such as password and PIN

Exploring Authentication Services

Authentication Services: Kerberos
- Used in Windows Active Directory domains
- Used in UNIX realms
- Developed at MIT
- Prevents man-in-the-middle attacks and replay attacks

Kerberos Requirements
- A method of issuing tickets used for authentication: the Key Distribution Center (KDC) grants ticket-granting tickets, which are presented to request tickets used to access objects
- Time synchronization within five minutes
- A database of subjects or users, such as Microsoft's Active Directory

Kerberos Details
- When a user logs on, the KDC issues a ticket-granting ticket with a lifetime of ten hours
- Kerberos uses port 88 (TCP & UDP)
- Kerberos uses symmetric cryptography

LDAP (Lightweight Directory Access Protocol)
- Formats and methods to query directories
- Used by Active Directory
- An extension of the X.500 standard
- LDAP v2 can use SSL encryption; LDAP v3 can use TLS encryption
- LDAP uses ports 389 (unencrypted) or 636 (encrypted) (TCP and UDP)

Mutual Authentication
- Both entities in a session authenticate prior to exchanging data, for example, both the client and the server
- MS-CHAPv2 uses mutual authentication

Single Sign-On
- Users can access multiple systems after providing credentials only once
- Federated Identity Management System

  - Provides central authentication in nonhomogeneous environments

IEEE 802.1x
- Port-based authentication
- User connects to a specific access point or logical port
- Secures authentication prior to the client gaining access to a network
- Most common on wireless networks: WPA Enterprise or WPA2 Enterprise
- Requires a RADIUS (Remote Authentication Dial-in User Service) or other centralized identification server

Remote Access Authentication

Remote Access
- Clients connect through VPN (Virtual Private Network) or dial-up
- A VPN allows a client to access a private network over a public network, usually the Internet

Remote Access Authentication Methods
- PAP (Password Authentication Protocol): passwords sent in cleartext, rarely used
- CHAP (Challenge Handshake Protocol): server challenges the client; client responds with appropriate authentication information
- MS-CHAP: Microsoft's implementation of CHAP; deprecated
- MS-CHAPv2: more secure than MS-CHAP; seriously broken by Moxie Marlinspike at Defcon 2012 (Link Ch 1c); he recommends using certificate authentication instead

RADIUS (Remote Authentication Dial-in User Service)
- Central authentication for multiple remote access servers
- Encrypts passwords, but not the entire authentication process
- Uses UDP



TACACS (Terminal Access Controller Access-Control System)
- Was used in UNIX systems, rare today

TACACS+
- Cisco proprietary alternative to RADIUS
- Interacts with Kerberos
- Encrypts the entire authentication process
- Uses TCP
- Uses multiple challenges and responses during a session

AAA Protocols: Authentication, Authorization, and Accounting
- Authentication: verifies a user's identification
- Authorization: determines if a user should have access
- Accounting: tracks user access with logs
- RADIUS and TACACS+ are both AAA protocols
- Kerberos doesn't provide accounting, but is sometimes called an AAA protocol

Last modified 8-22-13
