Chapter 1 - Security Basics


Slides copyright 2010 by Paladin Group, LLC used with permission by

UMBC Training Centers, LLC

Security+

Chapter 1 – Basics of Security

Brian E. Brzezicki

First Some Terms (NB)

First we have to discuss some terms we will use again and again

Protocol – an official set of steps or language for communication

Algorithm – a specific set of steps to solve a problem or do some task

String – a series of characters. Example: if each character can be a–z or 0–9, an 8-character string might be “ar01z14b”

Control – a countermeasure or attempt to mitigate a security risk. Examples: a firewall is a technical control; policies are HR controls; encryption is a technical control.

CIA

No… Not that CIA

CIA (54-57)

3 Fundamental Principles of Security

• Confidentiality
  ◦ controls

• Integrity
  ◦ controls

• Availability
  ◦ controls

Closely related

• Non-repudiation
  ◦ controls

Defense in Depth (58-59)

No one security control should be completely relied upon. Instead have many overlapping security controls.

• Network based firewall

• Host based firewall

• IDS system

• Access controls

• Proper patching and maintenance practices

This is also referred to as “Layered Security”

Diversity of Defense (n/b)

With a single control type, use multiple vendors/models.

• Why

• Examples

Implicit Deny (59)

Fundamental security rule. If you do NOT explicitly have authorization, then you are implicitly DENIED access.

Should be the default rule for ALL access controls.

Usually seen in firewalls and access control lists
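The implicit-deny rule from the slide, as an added example that is not code from the slides or the course: a small first-match access control list evaluator. The rule set and the addresses in it are constructed; the point is the last line of evaluate(), where a request that matches no rule is denied, and the demo() comparison against a permissive default that shows what the rule prevents.

```python
"""Implicit-deny access control evaluator (added example, not from the slides).

Rules are evaluated top-down and the first match decides. A request that
matches no rule at all is DENIED: that is the implicit-deny default rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR block the source address must fall inside
    port: Optional[int]    # destination TCP port, None matches any port


# Constructed sample policy (hypothetical networks): the admin subnet may
# reach SSH, anyone may reach HTTPS. Nothing else is listed on purpose.
POLICY: List[Rule] = [
    Rule("allow", "10.0.5.0/24", 22),
    Rule("allow", "0.0.0.0/0", 443),
]


def evaluate(policy: List[Rule], src_ip: str, dst_port: int,
             default: str = "deny") -> Tuple[str, str]:
    """Return (decision, reason). `default` applies when no rule matches.

    The secure setting is default="deny"; default="allow" exists only so the
    difference can be observed in demo().
    """
    addr = ip_address(src_ip)
    for index, rule in enumerate(policy):
        if addr in ip_network(rule.src) and rule.port in (None, dst_port):
            return rule.action, f"explicit {rule.action} by rule {index}"
    return default, f"implicit {default} (no matching rule)"


def demo() -> Dict[str, Tuple[str, str]]:
    """Same requests under implicit deny versus a permissive default."""
    requests = [("10.0.5.7", 22), ("192.0.2.9", 22),
                ("192.0.2.9", 443), ("10.0.5.7", 3389)]
    return {
        f"{ip}:{port}": (evaluate(POLICY, ip, port)[0],
                         evaluate(POLICY, ip, port, default="allow")[0])
        for ip, port in requests
    }


if __name__ == "__main__":
    for request, (deny_default, allow_default) in demo().items():
        print(f"{request:>18}  implicit-deny={deny_default:<5}  implicit-allow={allow_default}")
```

Run it and the RDP request from the admin subnet (10.0.5.7:3389) is denied under the default-deny policy but allowed under the permissive one: that unmentioned service is exactly the gap a forgotten explicit rule leaves open when the default is allow.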

Use Devices as Intended (60)

Security devices have been fortified for security. Do NOT intermingle security and non-security devices: doing so weakens the security and provides attack vectors.

Similarly, try to have every service in your network on a separate server that is dedicated only to that task.

• Virtualization makes this EASY today!

Authentication

Proving that you are who you say you are

3 factors

• Something you __________________

• Something you __________________

• Something you __________________

(more details of each in next slides)

Something you know (61-65)

Passwords – what’s a password?

• Use strong passwords

 What does that mean

• Do not write down passwords

• Do not share passwords

• Change passwords regularly

 How often

• Do not reuse passwords

• Use account lockout policies

 What is a lockout policy

• Change system default passwords

• Inform users of Previous Logons

Something You Know

Passphrase

I Like Iced Tea And Lemon With Cranberry

I L I T A L W C

1 L 1 t @ ! w c

Something You Have (65-67)

Something You Are (67-69)

Biometrics

Finger print

Iris Scan (see next slide)

Face Geometry

Voice Print

Retinal Scan (see next slide)

Keystroke Dynamics

Physically Based or Behaviorally Based

• What is the difference between these two

Type 1, Type 2 errors, CER (images in a few slides)

Finger Print

Retina Scan

Iris Scan

CER (n/b)

Crossover Error Rate (CER) is an important metric, stated as a percentage, that represents the point at which the false rejection rate equals the false acceptance (false positive) rate.

Use CER to compare vendors’ products objectively.

A lower CER is better/more accurate (a CER of 3 is better than a CER of 4).

Also called Equal Error Rate
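How the crossover point is actually found from match scores, as an added example (not code from the slides): sweep the decision threshold over the observed scores, compute the false acceptance rate and false rejection rate at each, and take the threshold where they meet. The two vendors and their score lists are constructed test data; a higher score means a closer match, and a sample is accepted when its score is at least the threshold.

```python
"""Crossover Error Rate from biometric match scores (added example, not from the slides)."""
from typing import Dict, List, Tuple


def far_frr(threshold: int, genuine: List[int], impostor: List[int]) -> Tuple[float, float]:
    """False Acceptance Rate and False Rejection Rate at one threshold."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)   # impostors let in
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)      # legitimate users rejected
    return far, frr


def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Return (threshold, CER): the threshold where FAR and FRR are closest,
    and the error rate there (their mean, which equals both when they cross exactly)."""
    candidates = sorted(set(genuine) | set(impostor))   # only observed scores change the rates
    best = min(candidates, key=lambda t: abs(far_frr(t, genuine, impostor)[0]
                                             - far_frr(t, genuine, impostor)[1]))
    far, frr = far_frr(best, genuine, impostor)
    return best, (far + frr) / 2


# Constructed scores for two hypothetical vendors (10 genuine and 10 impostor attempts each)
VENDOR_A = ([90, 85, 80, 75, 70, 65, 60, 55, 50, 45], [10, 20, 30, 35, 40, 45, 50, 52, 60, 70])
VENDOR_B = ([95, 90, 88, 85, 80, 78, 75, 70, 60, 40], [5, 10, 15, 20, 25, 30, 35, 40, 50, 65])


def rank_vendors(vendors: Dict[str, Tuple[List[int], List[int]]]) -> List[Tuple[str, float]]:
    """Lowest CER first: the objective vendor comparison the slide describes."""
    return sorted(((name, crossover_error_rate(*scores)[1]) for name, scores in vendors.items()),
                  key=lambda item: item[1])


if __name__ == "__main__":
    for name, scores in (("A", VENDOR_A), ("B", VENDOR_B)):
        threshold, cer = crossover_error_rate(*scores)
        print(f"vendor {name}: FAR = FRR at threshold {threshold}, CER = {cer:.0%}")
    print("ranking:", rank_vendors({"A": VENDOR_A, "B": VENDOR_B}))
```

Vendor A crosses at threshold 55 with a CER of 20%, vendor B at 60 with 10%, so B is the more accurate device. Moving the threshold either way trades one error type for the other, which is why a single operating point such as CER is needed to compare products at all.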


Multifactor Authentication (69)

For best security, use 2 or more of these for authentication. This is called “multi-factor” authentication or “strong authentication”.

• Why use Multifactor Authentication?

• Is a password and a passphrase multifactor?

Identity Proofing (69)

Verifying someone is who they say they are before issuing authentication credentials initially or after they are lost

• This is NOT authentication but works hand in hand. Someone must prove their identity before getting authentication credentials.

Password Reset Systems (71)

Allows users to reset their own passwords; often saves IT staff time and money.

• Cognitive Passwords

• Issues?

• Email a password reset link

• Physically mail a new PIN


Kerberos (71)

A network authentication protocol that came out of MIT’s Project Athena. Kerberos tries to provide secure authentication in an insecure environment.

• Used in Windows 2000+ and some Unix systems

• Allows for single sign on

• Never transfers passwords

• Uses PRIVATE (secret) key encryption to verify identities

Kerberos Components

Principals – users or network services

KDC – Key Distribution Center, stores the secret keys (passwords) for principals

Tickets

• Ticket Granting Ticket (TGT) gets you more tickets

• Service Tickets – access to specific network services (ex. file sharing)

Realms – a grouping of principals that a KDC provides service for, looks like a domain name

• Example: somedepartment.mycompany.com

Kerberos Concerns

• Computers must have clocks synchronized within 5 minutes of each other

• Tickets are stored on the workstation. If the workstation is compromised your identity can be forged.

• Single point of failure if no backup KDC

• If your KDC is hacked, security is lost

• Uses TCP and UDP port 88

LDAP (73)

A centralized Directory of Users and Objects.

• LDAP is a protocol to access an X.500-compliant database

• Active Directory Implements LDAP

• LDAP ports are:
  ◦ TCP / 389
  ◦ TCP / 636 (SSL/secure)

Mutual Authentication (73)

The process of having BOTH the client authenticate to the server AND the server authenticate to the client.

Are you safe when you go to a website that asks for a username and password? How do you really know it’s the website?

Should the client authenticate to the server first, or the server to the client? Does it matter which order?

Single Sign On

I love having 40 different passwords… I just carry them all around in a laminated card in my wallet ;-)

What’s the purpose of single sign on?

• Advantages

• Disadvantages

SIDS and UIDS (74)

In any environment where you want to have access control, you MUST uniquely identify subjects. Most systems have a friendly username, but the system tracks the subject by a number (similar to a SSN).

• SID (Windows)

Ex. S-1-5-21-3623811015-3361044348-30300820-1014

500 = Administrator, 512 = Domain Admins group

• UID (Unix)

Ex. 5125

0 is the superuser UID on Unix systems
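Taking the SID and UID slide apart in code, as an added example that is not from the slides: a parser that splits a SID into its revision, authority, domain prefix and Relative ID, looks the RID up against the two well-known values the slide lists, and classifies a Unix UID. The SID string and the 500/512 meanings are the slide's; the UID rule is the standard Unix one.

```python
"""Parsing Windows SIDs and Unix UIDs into their parts (added example, not from the slides)."""
from typing import Dict, Optional

# RID meanings given on the slide
WELL_KNOWN_RIDS: Dict[int, str] = {500: "Administrator", 512: "Domain Admins"}


def parse_sid(sid: str) -> dict:
    """Split S-<revision>-<authority>-<sub-authorities...>-<RID> into named fields."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    sub_authorities = [int(p) for p in parts[3:]]
    # The last sub-authority is the Relative ID; everything before it identifies the domain.
    rid: Optional[int] = sub_authorities[-1] if sub_authorities else None
    domain_sid = "-".join(parts[:-1]) if sub_authorities else None
    return {
        "revision": revision,
        "authority": authority,
        "domain_sid": domain_sid,
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid, "") if rid is not None else "",
    }


def same_domain(sid_a: str, sid_b: str) -> bool:
    """Two principals belong to the same domain when their domain SID prefixes match."""
    return parse_sid(sid_a)["domain_sid"] == parse_sid(sid_b)["domain_sid"]


def describe_uid(uid: int) -> str:
    """Unix tracks subjects by numeric UID; UID 0 is the superuser whatever its name is."""
    return "superuser" if uid == 0 else "regular user"


if __name__ == "__main__":
    sid = "S-1-5-21-3623811015-3361044348-30300820-1014"   # example SID from the slide
    print(parse_sid(sid))
    print(parse_sid("S-1-5-21-3623811015-3361044348-30300820-500")["well_known"])
    print(describe_uid(0), describe_uid(5125))
```

The practical consequence of tracking by number rather than name: renaming the "Administrator" account does not change its RID, so an access review that compares SIDs (or UIDs) rather than display names is the one that catches privileged accounts.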

Windows ACLs

The basic ACL permissions are:

Full Control

Modify

Read

Read and Execute

Write

Network Authentication (78)

There are different ways to validate your identity over the network. For the Security+ exam you should be aware of the following, which will be discussed on the upcoming slides:

• PAP

• CHAP

• MS-CHAP

• MS-CHAPv2

• RADIUS

• TACACS+

PAP (79)

Password Authentication Protocol – Simply put your username and password over the wire.

• Advantages

• Disadvantages

CHAP

CHAP (79 - 81)

Challenge Handshake Authentication Protocol – Avoids ever sending a password.

Server knows your password, as do you

1. Server creates a “challenge”, example: “banana” plus an increasing number

2. You take the challenge + number + your password, hash them, and send the hash to the server

3. Server calculates the hash the same way and compares it with yours; if they match, you must be who you say you are.

Advantages

• Avoids replay attacks

• Never sends password in plaintext
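The three-step CHAP exchange with both sides in code, as an added example (not the slides' code). The response is computed the way RFC 1994 specifies, MD5 over identifier, secret and challenge, with a fresh random challenge and a new identifier for every login; the user name, secret and the sequence of logins in demo() are constructed. The demo shows why the slide lists "avoids replay attacks": a response captured from one login is useless against the next challenge.

```python
"""Three-step CHAP exchange with a one-time challenge per login (added example, not from the slides)."""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Step 2: the client hashes identifier || secret || challenge (RFC 1994, MD5).
    Only the hash goes over the wire; the secret never leaves the client."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapServer:
    def __init__(self, secrets: Dict[str, str]) -> None:
        self.secrets = secrets                        # server must know each user's secret
        self.identifier = 0                           # the "increasing number" from the slide
        self.pending: Dict[str, Tuple[int, bytes]] = {}

    def challenge(self, user: str) -> Tuple[int, bytes]:
        """Step 1: issue a random, one-time challenge tagged with a new identifier."""
        self.identifier = (self.identifier + 1) % 256
        challenge = os.urandom(16)
        self.pending[user] = (self.identifier, challenge)
        return self.identifier, challenge

    def verify(self, user: str, identifier: int, response: bytes) -> bool:
        """Step 3: recompute the hash over the challenge WE issued and compare.
        The pending challenge is consumed, so each one can answer exactly one login."""
        issued = self.pending.pop(user, None)
        secret = self.secrets.get(user)
        if issued is None or secret is None or issued[0] != identifier:
            return False
        expected = chap_response(identifier, secret, issued[1])
        return hmac.compare_digest(expected, response)


def demo() -> Dict[str, bool]:
    """A legitimate login succeeds; a replayed response and a wrong secret both fail."""
    server = ChapServer({"alice": "correct horse"})          # constructed credentials
    ident, chal = server.challenge("alice")
    captured = chap_response(ident, "correct horse", chal)   # the bytes an eavesdropper would see
    first_login = server.verify("alice", ident, captured)

    # Next login: the server issues a new challenge, so the captured response no longer matches
    server.challenge("alice")
    replay = server.verify("alice", ident, captured)

    ident3, chal3 = server.challenge("alice")
    wrong_secret = server.verify("alice", ident3, chap_response(ident3, "guess", chal3))
    return {"first_login": first_login, "replay": replay, "wrong_secret": wrong_secret}


if __name__ == "__main__":
    print(demo())
```

Two details carry the security properties: the challenge is random and single-use (replaying an old hash fails), and the server needs the plaintext secret to recompute the hash, which is the storage cost the MS-CHAP slide that follows refers to.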

MS-CHAP (81)

A Microsoft version of CHAP

• Does not require the password to be stored in clear text

MS-CHAPv2

• Allows for mutual authentication

Radius (83)

Network AAA protocol

Connectionless protocol, using UDP

Ports used

• 1812 / UDP (authentication)

• 1813 / UDP (accounting)

Main messages sent

• Access-Request

• Access-Challenge

• Access-Accept

• Access-Reject

Radius (83)

Uses “attribute/value pairs” (the attribute type is an 8-bit field, so 256 different attributes are possible)

• Ex: Framed-IP-Address: 192.168.1.1

Can use PAP, CHAP, EAP for authentication

Problems

• No encryption of data (except login info)

• Minimal number of permissions (8 bits worth)

• Server cannot “kick off” users from the NAS
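What a RADIUS attribute/value pair looks like on the wire, as an added example that is not code from the slides: an encoder and a bounds-checked decoder for the Type / Length / Value layout, using the Framed-IP-Address example from the slide. The type numbers are RFC 2865's (1 = User-Name, 8 = Framed-IP-Address); the user name and the attribute list in build_sample() are constructed. The one-byte type field is where the slide's "256 possible attributes" comes from, and since the attributes travel in clear text (only the login information is protected), these bytes are exactly what a capture of the packet shows.

```python
"""Encoding and decoding RADIUS attribute/value pairs (added example, not from the slides).

Layout of each attribute (RFC 2865): Type (1 byte), Length (1 byte, counting
type + length + value), Value (1..253 bytes).
"""
import ipaddress
from typing import List, Tuple, Union

ATTRIBUTE_NAMES = {1: "User-Name", 8: "Framed-IP-Address"}


def encode_avp(attr_type: int, value: bytes) -> bytes:
    if not 0 <= attr_type <= 255:            # 8-bit type field: at most 256 attribute types
        raise ValueError("attribute type must fit in one byte")
    if not 1 <= len(value) <= 253:           # length byte covers the whole attribute, max 255
        raise ValueError("value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def decode_avps(data: bytes) -> List[Tuple[str, Union[str, bytes]]]:
    """Walk the TLV list; a bad length aborts instead of reading past the buffer."""
    out: List[Tuple[str, Union[str, bytes]]] = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[offset], data[offset + 1]
        if length < 2 or offset + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {offset}")
        value = data[offset + 2:offset + length]
        name = ATTRIBUTE_NAMES.get(attr_type, f"Attribute-{attr_type}")
        if attr_type == 8 and len(value) == 4:
            out.append((name, str(ipaddress.IPv4Address(value))))
        elif attr_type == 1:
            out.append((name, value.decode("utf-8", errors="replace")))
        else:
            out.append((name, value))        # unknown attribute: keep the raw bytes
        offset += length
    return out


def build_sample() -> bytes:
    """Constructed attribute list: User-Name alice, Framed-IP-Address 192.168.1.1 (slide's example)."""
    return (encode_avp(1, b"alice")
            + encode_avp(8, ipaddress.IPv4Address("192.168.1.1").packed))


if __name__ == "__main__":
    wire = build_sample()
    print(wire.hex())
    print(decode_avps(wire))
```

The length checks in decode_avps() are the part worth copying: a RADIUS server or NAS that trusts the Length byte without comparing it to the remaining buffer is reading attacker-controlled offsets, so every TLV parser should bound-check before slicing.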

TACACS+

Similar to RADIUS

• Used for network AAA

• Created by Cisco

• Attribute/Value Pairs

• Designed to separate each of the AAA components

• Uses TCP / 49
