Section 1: Overview of Security

Basic security concepts

CIA Triad:

Confidentiality (by encryption)

  • Keeping data secret from those who don’t have the need or the right to access it

  • Confidentiality prevents unauthorized disclosure of data.

  • We achieve this with encryption, for example using a public and private key pair.

  • Three methods to maintain confidentiality:

    • Encryption

    • Access Control

      • Identification

      • Authentication

      • Authorization

    • Steganography: hiding data within data

      • However, this method isn't preferred by most security professionals. They refer to steganography as hiding data in plain sight.

  • The best way to protect the confidentiality of data is by encrypting it.
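The three access control steps above (identification, authentication, authorization) chained together, as an added example that is not part of the original notes. The user store, passwords, resource names and ACL are constructed for the demo; password verification uses PBKDF2 with a per-user salt and a constant-time comparison.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 100_000


def _make_record(password: str, roles: set) -> dict:
    """Build a user record: random salt, PBKDF2-SHA256 hash of the password, roles."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "roles": roles}


# Constructed user store (hypothetical users and passwords).
USERS = {
    "lisa": _make_record("correct horse battery staple", {"analyst"}),
    "bart": _make_record("eat-my-shorts", {"analyst", "admin"}),
}

# Constructed access control list: resource -> roles allowed to read it.
ACL = {
    "/reports/quarterly.pdf": {"analyst", "admin"},
    "/admin/user-db": {"admin"},
}


def identify(username: str) -> Optional[dict]:
    """Identification: the subject claims an identity; we look it up."""
    return USERS.get(username)


def authenticate(record: dict, password: str) -> bool:
    """Authentication: prove the claim with something you know.
    compare_digest avoids leaking the match position through timing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


def authorize(record: dict, resource: str) -> bool:
    """Authorization: the identity is trusted; now check the ACL for the resource."""
    return bool(record["roles"] & ACL.get(resource, set()))


def request_access(username: str, password: str, resource: str) -> str:
    """Run the three steps in order; each one gates the next.
    The distinct reasons are returned here for teaching purposes; a real
    login screen shows one uniform message so usernames can't be enumerated."""
    record = identify(username)
    if record is None:
        return "denied: unknown identity"
    if not authenticate(record, password):
        return "denied: authentication failed"
    if not authorize(record, resource):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(request_access("lisa", "correct horse battery staple", "/reports/quarterly.pdf"))
    print(request_access("lisa", "correct horse battery staple", "/admin/user-db"))
```

Note that authorization is only meaningful once authentication has succeeded: the ACL is keyed on roles, and roles belong to a proven identity, not to a claimed one.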

Integrity (by hashing)

  • Integrity provides assurances that data has not changed.

  • Data and systems remain unaltered when stored, transmitted, and received.

  • No unauthorized modification, alteration, or deletion of the data

  • Hashing ensures no bit has changed.

  • Examples - Message Digest 5 (MD5), Secure Hash Algorithm (SHA), Hash-based Message Authentication Code (HMAC), digital signatures

  • By comparing the hashes, you can verify integrity has been maintained.
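Hash comparison and HMAC side by side, as an added example (not from the original notes). The message bytes and the shared key are constructed. It shows the difference the notes gloss over: a plain hash detects accidental change, but anyone who can rewrite the data can also rewrite the hash, while an HMAC tag can only be recomputed by someone who holds the key.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Plain SHA-256 digest as hex."""
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, expected_hex: str) -> bool:
    """Integrity check with a bare hash: recompute and compare."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: integrity plus proof that a key holder produced it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hmac_matches(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag_hex)


# Constructed sample message, a tampered copy, and a hypothetical shared key.
ORIGINAL = b"transfer 100 to account 42"
TAMPERED = b"transfer 900 to account 42"
KEY = b"constructed-shared-secret"


def demo() -> dict:
    """Run both checks against the original and the tampered message."""
    digest = sha256_hex(ORIGINAL)
    tag = hmac_tag(KEY, ORIGINAL)
    return {
        # Plain hash: catches the change ...
        "hash_ok_original": hash_matches(ORIGINAL, digest),
        "hash_ok_tampered": hash_matches(TAMPERED, digest),
        # ... but an attacker who replaces the data can replace the hash too.
        "hash_forged": hash_matches(TAMPERED, sha256_hex(TAMPERED)),
        # HMAC: catches the change ...
        "hmac_ok_original": hmac_matches(KEY, ORIGINAL, tag),
        "hmac_ok_tampered": hmac_matches(KEY, TAMPERED, tag),
        # ... and a tag computed without the real key does not verify.
        "hmac_forged": hmac_matches(KEY, TAMPERED, hmac_tag(b"guessed-key", TAMPERED)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The practical consequence: publish a download's hash on a channel the attacker cannot also rewrite (or sign it), and use an HMAC or signature, not a bare hash, when the data and its checksum travel together.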

Availability (by redundancy and fault-tolerance)

  • Data and systems should be available to the right person when needed

  • A common goal of fault tolerance and redundancy techniques is to remove each single point of failure (SPOF). If an SPOF fails, the entire system can fail. For example, if a server has a single drive, the drive is an SPOF because its failure takes down the server.

Redundancy and Fault-Tolerance Techniques:

  • Disk redundancies

  • Server redundancies

  • Site redundancies

  • Load balancing

  • Backups

  • Alternate power

  • Cooling systems

  • Patching (that reduces security issues and even random crashes)

Digital Signatures

  • Digital signatures can verify the integrity of emails and files.

  • A digital signature also provides authentication. In other words, if the digital signature arrives intact, it authenticates the sender. Bart knows that Lisa sent it.

  • Digital signatures also provide non-repudiation. In other words, Lisa cannot later deny sending the email because the digital signature proves she did.

  • Digital signatures require certificates and a Public Key Infrastructure (PKI).

AAA of Security:

Authentication:

  • When a person's identity is established with proof and confirmed by a system

    • Something you know (like a username and password)

    • Something you are (like an eye scan or fingerprints)

    • Something you have (like a token, credit card)

    • Something you do (like the way you speak or write your signature)

    • Somewhere you are

Authorization:

  • This occurs when a user is given access to a certain piece of data or a certain area of a building.

Accounting:

  • Tracking of data, computer usage, and network resources

  • Example: log files recording internet and system usage

  • Who did something and when

  • Non-repudiation: You can’t deny if you have performed a particular action

Vulnerabilities

A vulnerability is a weakness in an asset that leaves it open to harm.

  • For example: the default password on a SOHO router, or an unlocked server room that anyone can walk into and out of

Threat

A threat is a negative event or action that exploits a vulnerability to harm assets: any negative event that has an adverse effect on the assets and resources associated with the system, or any circumstance or event that has the potential to compromise confidentiality, integrity, or availability.

  • For example: Accessing your SOHO router with your default username and password.

A vulnerability is a weakness.

Threat × Vulnerability = Risk

If an asset doesn’t have a vulnerability or if there is no threat, you don’t have any risk at all.

Note: use NIST SP 800-30 as part of risk assessment.

Risk is the possibility or likelihood of a threat exploiting a vulnerability resulting in a loss.

Risk is best defined as the potential for loss and damage associated with an asset. Not to be confused with the definition of a threat or vulnerability.

Reducing risk is also known as risk mitigation. Risk mitigation reduces the chances that a threat will exploit a vulnerability.

Risk Analysis: The process of calculating and documenting potential problems that can have a negative impact. Qualitative vs. Quantitative:

Qualitative: Analysing risk by assessing the probability of occurrence and potential impact.

Quantitative: Analysing risk by assigning numerical values and calculating the impact by using the probability of occurrence.

Security Threats:

Categories of security threats:

  • Malware (malicious software)

  • Unauthorized Access

    • Occurs when access to computer resources and data happens without the consent of the owner

    • Guessing a user's password and logging on to their system

  • System Failure

    • Occurs when a computer crashes or an individual application fails

    • BSOD (Blue Screen of Death)

  • Social Engineering

    • Act of manipulating users into revealing confidential information or performing other detrimental actions.

      • Phishing: Phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity, or fear in victims. This happens through mass mailing.

      • Spear-Phishing: A more targeted version of the phishing.

      • Vishing: Phone calls in order to induce individuals to reveal personal info.

Mitigating Threats

Physical Controls:

  • Alarm systems, locks, surveillance cameras, identification cards, and security guards

Technical Controls:

  • Smart cards, encryption, access control lists (ACLs), intrusion detection systems, and network authentication

Administrative Controls:

  • Policies, procedures, security awareness training, contingency planning, and disaster recovery plans

Two types of administrative controls:

  • Procedural controls: a control that an organization chooses to implement on its own

  • Legal or regulatory controls

CompTIA lists the following control types in the objectives:

  • Technical controls use technology.

    • Encryption.

    • Anti-virus software

    • IDS/IPS

    • Firewalls

    • Least privilege

  • Administrative controls use administrative or management methods.

    • Risk assessments

    • Vulnerability assessments

    • Penetration Tests

    • Many administrative controls are also known as operational or management controls:

      • Awareness and training

      • Configuration and change management

      • Contingency planning

      • Media protection

      • Physical and environmental protection

  • Physical controls refer to controls you can physically touch.

  • Preventive controls attempt to prevent an incident from occurring.

    • System Hardening.

    • Security awareness and training

    • Security guards

    • Change management

    • Account disablement policy

  • Detective controls attempt to detect incidents after they have occurred.

    • Log monitoring

    • Trend analysis

    • Security audit

    • Video surveillance

    • Motion detection

  • Corrective controls attempt to reverse the impact of an incident.

    • IPS

    • Backups and system recovery

  • Deterrent controls attempt to discourage individuals from causing an incident.

  • Compensating controls are alternative controls used when a primary control is not feasible.

The first three control types in the list (technical, administrative, and physical) refer to how the security controls are implemented. The remaining control types refer to the goals of the security control.
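Log monitoring is listed above as a detective control, and password guessing as an unauthorized-access threat. The following added example (not from the original notes) ties the two together: it parses constructed syslog-style sshd lines and flags a source that fails logon repeatedly inside a short window, plus any success from that same source afterwards. Hostnames, PIDs and addresses (TEST-NET ranges) are made up; the log year is assumed because syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log: one noisy source, one ordinary user typo.
SAMPLE_LOG = """\
Jan 12 03:14:07 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51522 ssh2
Jan 12 03:14:09 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51522 ssh2
Jan 12 03:14:12 web01 sshd[2213]: Failed password for root from 198.51.100.23 port 51530 ssh2
Jan 12 03:14:15 web01 sshd[2215]: Failed password for root from 198.51.100.23 port 51534 ssh2
Jan 12 03:14:19 web01 sshd[2217]: Failed password for root from 198.51.100.23 port 51540 ssh2
Jan 12 03:14:25 web01 sshd[2219]: Accepted password for root from 198.51.100.23 port 51544 ssh2
Jan 12 03:20:01 web01 sshd[2301]: Failed password for lisa from 203.0.113.8 port 40001 ssh2
Jan 12 03:20:30 web01 sshd[2303]: Accepted password for lisa from 203.0.113.8 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

ASSUMED_YEAR = "2024"  # syslog lines carry no year; assumed for parsing


def parse(log_text: str) -> list:
    """Turn matching lines into (timestamp, result, user, ip) tuples; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_brute_force(events: list, threshold: int = 5, window_seconds: int = 60) -> list:
    """Sliding-window rule: flag a source once it reaches `threshold` failures
    within `window_seconds`; afterwards, report any accepted logon from it."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = set()
    findings = []
    for ts, result, user, ip in events:
        window = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if result == "Failed":
            window.append(ts)
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"type": "brute_force", "ip": ip, "time": ts, "user": user})
        elif ip in flagged:
            findings.append({"type": "success_after_burst", "ip": ip, "time": ts, "user": user})
        failures[ip] = window
    return findings


if __name__ == "__main__":
    for f in detect_brute_force(parse(SAMPLE_LOG)):
        print(f"{f['time']} {f['type']:<20} {f['ip']} user={f['user']}")
```

The single failure from 203.0.113.8 never reaches the threshold, so it produces no finding; the second rule (a success right after a burst) is the one worth paging on, because it suggests the guessing worked and the account disablement or password change described under corrective and preventive controls is now due.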

Security Policy

A security policy is a statement that tells you what you are or aren't supposed to do, and a security mechanism is the way of enforcing the policy and making it work in practice.

  • A security mechanism is something that enforces your security policy, either in whole or in part. Different security mechanisms contribute to the security policy in different ways. Some security mechanisms contribute to the enforcement of the security policy by prevention, meaning that they ensure that an aspect of the policy cannot be violated. Other security mechanisms contribute to the enforcement of the security policy by detection, or determining when the policy has been violated. Last, other mechanisms contribute through recovery, or being able to revert to a secure state after the policy has been violated.

A secure system is a system that starts in an authorized state and cannot enter an unauthorized state.

A breach of security occurs when a system enters an unauthorized state.
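The "authorized state / unauthorized state" definition above can be checked mechanically on a small model, which is how the idea is used in practice. The following added example (not from the original notes) models a constructed document store as states and labelled transitions, searches every state reachable from the start state, and reports the action sequence that first leaves the authorized set. The policy assumed is "guests may read but only the owner may edit"; the second transition table is the same system with a preventive mechanism (the guest edit path removed).

```python
from collections import deque
from typing import Optional

# Constructed model. Policy: guests may log in and read, only the owner may edit.
AUTHORIZED = {"idle", "owner_session", "owner_editing", "guest_session"}

# Transitions as state -> [(action, next_state), ...]. Unguarded: any session may edit.
UNGUARDED = {
    "idle": [("owner_login", "owner_session"), ("guest_login", "guest_session")],
    "owner_session": [("edit", "owner_editing"), ("logout", "idle")],
    "owner_editing": [("save", "owner_session")],
    "guest_session": [("edit", "guest_editing"), ("logout", "idle")],
    "guest_editing": [("save", "guest_session")],
}

# Same system with a preventive mechanism: the guest "edit" transition no longer exists.
GUARDED = {
    "idle": [("owner_login", "owner_session"), ("guest_login", "guest_session")],
    "owner_session": [("edit", "owner_editing"), ("logout", "idle")],
    "owner_editing": [("save", "owner_session")],
    "guest_session": [("logout", "idle")],
}


def breach_path(initial: str, transitions: dict, authorized: set) -> Optional[list]:
    """Breadth-first search from `initial`. Returns the shortest list of actions
    that reaches a state outside `authorized`, or None if no such state is reachable."""
    parent = {initial: None}           # state -> (previous_state, action) or None for the root
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        if state not in authorized:
            path = []
            while parent[state] is not None:
                prev, action = parent[state]
                path.append(action)
                state = prev
            return path[::-1]
        for action, nxt in transitions.get(state, ()):
            if nxt not in parent:
                parent[nxt] = (state, action)
                queue.append(nxt)
    return None


def is_secure(initial: str, transitions: dict, authorized: set) -> bool:
    """Secure per the definition in the notes: starts authorized and can never leave that set."""
    return breach_path(initial, transitions, authorized) is None


if __name__ == "__main__":
    for name, model in (("unguarded", UNGUARDED), ("guarded", GUARDED)):
        print(name, "secure" if is_secure("idle", model, AUTHORIZED) else
              f"breach via {breach_path('idle', model, AUTHORIZED)}")
```

The search is exhaustive, so "no path found" on the guarded model is a proof for that model, not a test that happened to pass; the limitation is that the model has to be right, which is where threat modelling earns its keep.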