
Notes for Security+ 501

Notes:
Confidentiality: This concept centers on preventing the disclosure of information to
unauthorized persons. For the public it signifies Social Security numbers (or other country-specific identification), driver’s license information, bank accounts and passwords, and so on.
For organizations this can include all the preceding information, but it actually denotes the
confidentiality of data. To make data confidential, the organization must work hard to make sure
that it can be accessed only by authorized individuals. This book spends a good amount of time
discussing and showing how to accomplish this. For example, when you use a credit card
number at a store or online, the number should be encrypted with a strong cipher so that the
card number cannot be compromised. Next time you buy something over the Internet, take a
look at how the credit card number is being kept confidential. As a security professional,
confidentiality should be your number one goal. In keeping data confidential, you remove
threats, absorb vulnerabilities, and reduce risk.
Integrity: This means that data has not been tampered with. Authorization is necessary before
data can be modified in any way; this is done to protect the data’s integrity. For example, if a
person were to delete a required file, either maliciously or inadvertently, the integrity of that
file will have been violated. There should have been permissions in place to stop the person
from deleting the file. Here’s a tip for you: Some organizations do not delete data—ever!
Availability: Securing computers and networks can be a strain on resources. Availability means
that data is obtainable regardless of how information is stored, accessed, or protected. It also
means that data should be available regardless of the malicious attack that might be
perpetrated on it.
Authentication: When a person’s identity is established with proof and confirmed by a system.
Typically, this requires a digital identity of some sort, a username/password, biometric data, or
other authentication scheme.
Authorization: When a user is given access to certain data or areas of a building. Authorization
happens after authentication and can be determined in several ways, including permissions,
access control lists, time-of-day restrictions, and other login and physical restrictions.
Accounting: The tracking of data, computer usage, and network resources. Often it means
logging, auditing, and monitoring of the data and resources. Accountability is quickly becoming
more important in today’s secure networks. Part of this concept is the burden of proof. You as
the security person must provide proof if you believe that someone committed an unauthorized
action. When you have indisputable proof of something users have done and they cannot deny
it, it is known as non-repudiation.
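The three "A"s above are easiest to see as one ordered sequence: a request is first authenticated, then authorized (here with an access control list plus a time-of-day restriction, both named in the notes), and every decision is recorded whatever the outcome so that it can later serve as proof. The program below is an added illustration written for these notes, not code from the Security+ book; the users, the password hashes, the ACL for a hypothetical `payroll.db` resource and the time windows are all constructed sample data, and the salted SHA-256 check stands in for the slow password KDF a real system would use.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// Constructed sample credential store: salted SHA-256 password hashes.
// Illustration only; a production system would use a slow KDF such as bcrypt or Argon2.
type user struct {
	salt string
	hash [32]byte
}

func hashPassword(salt, password string) [32]byte {
	return sha256.Sum256([]byte(salt + password))
}

var users = map[string]user{
	"tom":   {salt: "s1", hash: hashPassword("s1", "correct horse battery")},
	"alice": {salt: "s2", hash: hashPassword("s2", "hunter2")},
}

// Authenticate proves identity with something the user knows (a password).
// The comparison is constant-time so a wrong guess cannot be timed.
func Authenticate(name, password string) bool {
	u, ok := users[name]
	if !ok {
		return false
	}
	want := u.hash
	got := hashPassword(u.salt, password)
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

// aclEntry grants one user one action on a resource during a daily window (24h clock).
type aclEntry struct {
	user, action       string
	startHour, endHour int // start inclusive, end exclusive
}

// Constructed ACL for a hypothetical payroll database.
var acl = map[string][]aclEntry{
	"payroll.db": {
		{user: "tom", action: "read", startHour: 8, endHour: 18},
		{user: "alice", action: "read", startHour: 0, endHour: 24},
		{user: "alice", action: "write", startHour: 9, endHour: 17},
	},
}

// Authorize runs only after authentication succeeded: it checks the ACL entry and
// the time-of-day restriction for the requested action.
func Authorize(name, action, resource string, at time.Time) bool {
	for _, e := range acl[resource] {
		if e.user == name && e.action == action && at.Hour() >= e.startHour && at.Hour() < e.endHour {
			return true
		}
	}
	return false
}

// AuditRecord is what accounting keeps: who did what, to which resource, when, and the outcome.
type AuditRecord struct {
	When             time.Time
	User, Action     string
	Resource, Result string
}

var auditLog []AuditRecord

// AuditTrail returns every decision recorded so far (the burden-of-proof material).
func AuditTrail() []AuditRecord { return auditLog }

// Access runs the whole AAA sequence and logs the decision even when it is a denial.
func Access(name, password, action, resource string, at time.Time) (bool, AuditRecord) {
	rec := AuditRecord{When: at, User: name, Action: action, Resource: resource}
	switch {
	case !Authenticate(name, password):
		rec.Result = "denied: authentication failed"
	case !Authorize(name, action, resource, at):
		rec.Result = "denied: not authorized"
	default:
		rec.Result = "allowed"
	}
	auditLog = append(auditLog, rec)
	return rec.Result == "allowed", rec
}

func main() {
	noon := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC)
	night := time.Date(2024, 1, 15, 23, 0, 0, 0, time.UTC)
	Access("tom", "correct horse battery", "read", "payroll.db", noon)  // allowed
	Access("tom", "correct horse battery", "read", "payroll.db", night) // denied: outside hours
	Access("tom", "wrong password", "read", "payroll.db", noon)         // denied: bad password
	Access("alice", "hunter2", "write", "payroll.db", noon)             // allowed
	for _, r := range AuditTrail() {
		fmt.Printf("%s %-6s %-5s %-10s %s\n", r.When.Format(time.RFC3339), r.User, r.Action, r.Resource, r.Result)
	}
}
```

Note that a failed authentication never reaches the authorization step, and that denials are logged as carefully as successes: an audit trail that only records what was allowed is of little use when you later have to prove what someone attempted.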
Non-repudiation: The idea of ensuring that a person or group cannot refute the validity
of your proof against them.
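Digital signatures are the usual technical basis for non-repudiation (and for the integrity check described earlier): the sender signs with a private key only they hold, and anyone with the matching public key can verify. The example below is added for these notes and is not the book's code; it uses Ed25519 from Go's standard library with a constructed invoice message, and shows the three outcomes a mail client faces: a valid signature, a signature over a message that was altered in transit, and a signature that does not belong to the claimed sender's key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Sender holds the private key; Pub is what recipients distribute and trust.
type Sender struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewSender generates a fresh Ed25519 key pair.
func NewSender() (*Sender, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Sender{priv: priv, Pub: pub}, nil
}

// Sign produces a detached signature over the exact message bytes.
func (s *Sender) Sign(msg []byte) []byte {
	return ed25519.Sign(s.priv, msg)
}

// Verify is the recipient's check. True means the message is unchanged (integrity) and
// was signed by the holder of the private key behind pub (authenticity), which that
// holder cannot later deny (non-repudiation). Any change to msg, sig or key gives false.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	tom, _ := NewSender()
	msg := []byte("Invoice 1042: pay 5,000 USD to account 12345678") // constructed sample
	sig := tom.Sign(msg)

	fmt.Println("original message, Tom's key:", Verify(tom.Pub, msg, sig))
	tampered := []byte("Invoice 1042: pay 50,000 USD to account 12345678")
	fmt.Println("altered message, Tom's key: ", Verify(tom.Pub, tampered, sig))
	someoneElse, _ := NewSender()
	fmt.Println("original message, other key:", Verify(someoneElse.Pub, msg, sig))
}
```

The second and third results are exactly the situation in review question 8: the client reports the signature as invalid and cannot verify the sender, so the recipient knows either the content or the claimed origin is not what it appears to be.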
Malicious software: Known as malware, this includes computer viruses, worms, Trojan horses,
spyware, rootkits, adware, ransomware, crypto-malware, and other types of unwanted
software. Everyone has heard of a scenario in which a user’s computer was compromised to
some extent due to malicious software.
Unauthorized access: Access to computer resources and data without consent of the owner. It
might include approaching the system, trespassing, communicating, storing and retrieving data,
intercepting data, or any other methods that would interfere with a computer’s normal work.
Access to data must be controlled to ensure privacy. Improper administrative access falls into
this category as well.
System failure: Computer crashes or individual application failure. This can happen due to
several reasons, including user error, malicious activity, or hardware failure.
Social engineering: The act of manipulating users into revealing confidential information or
performing other actions detrimental to the users. Almost everyone gets e-mails nowadays
from unknown entities making false claims or asking for personal information (or money!); this
is one example of social engineering.
Physical controls: Things such as alarm systems, surveillance cameras, locks, ID cards, security guards,
and so on.
Technical controls: Items such as smart cards, access control lists (ACLs), encryption, and network
authentication.
Administrative controls: Various policies and procedures, security awareness training, contingency
planning, and disaster recovery plans (DRPs). Administrative controls can also be broken down
into two subsections: procedural controls and legal/regulatory controls.
User awareness: The wiser the user, the less chance of security breaches. Employee training
and education, easily accessible and understandable policies, security awareness e-mails, and
online security resources all help to provide user awareness. These methods can help to protect
from all the threats mentioned previously. Although it can only go so far while remaining cost-effective and productive, educating the user can be an excellent method when attempting to
protect against security attacks.
Authentication: Verifying a person’s identity helps to protect against unauthorized access.
Authentication is a preventative measure that can be broken down into five
categories:
— Something the user knows; for example, a password or PIN
— Something the user has; for example, a smart card or other security token
— Something the user is; for example, the biometric reading of a fingerprint or retina scan
— Something a user does; for example, voice recognition or a written signature
— Somewhere a user is; for example, a GPS-tracked individual, or when a system is
authenticated through geographic location
Anti-malware software: Anti-malware protects a computer from the various forms of malware
and, if necessary, detects and removes them. Types include antivirus and anti-spyware software.
Well-known examples include programs from Symantec and McAfee, as well as Microsoft’s
Windows Defender. Nowadays, a lot of the software named “antivirus” can protect against
spyware and other types of malware as well.
Data backups: Backups won’t stop damage to data, but they can enable you to
recover data after an attack or other compromise, or system failure. From programs such as
Windows Backup and Restore, Windows File History, and Bacula to enterprise-level programs
such as Veritas Backup Exec and the various cloud-based solutions, data backup is an important
part of security. Note that fault-tolerant methods such as RAID 1, 5, 6, and 10 are good
preventative measures against hardware failure but might not offer protection from data
corruption or erasure. For more information on RAID, see Chapter 16, “Redundancy and
Disaster Recovery.”
Encryption: This involves changing information using an algorithm (known as a cipher) to make
that information unreadable to anyone except users who possess the proper “key.” Examples of
this include wireless sessions encrypted with Advanced Encryption Standard (AES), web pages
encrypted with HTTP Secure (HTTPS), and e-mails encrypted with Secure/Multipurpose Internet
Mail Extensions (S/MIME) or Pretty Good Privacy (PGP).
Data removal: Proper data removal goes far beyond file deletion or the formatting of digital
media. The problem with file deletion/formatting is data remanence, or the residue, left behind,
from which re-creation of files can be accomplished by some less-than-reputable people with
smart tools. Companies typically employ one of three options when met with the prospect of
data removal: clearing, purging (also known as sanitizing), and destruction. We talk more about
these in Chapter 18, “Policies and Procedures.”
White hats: These people are non-malicious; for example, an IT person who attempts to “hack”
into a computer system before it goes live to test the system. Generally, the person attempting
the hack has a contractual agreement with the owner of the resource to be hacked. White hats
often are involved in something known as ethical hacking. An ethical hacker is an expert at
breaking into systems and can attack systems on behalf of the system’s owner and with the
owner’s consent. The ethical hacker uses penetration testing and intrusion testing to attempt to
gain access to a target network or system.
Black hats: These are malicious individuals who attempt to break into computers and computer
networks without authorization. Black hats are the ones who attempt identity theft, piracy,
credit card fraud, and so on. Penalties for this type of activity are severe, and black hats know it;
keep this in mind if and when you come into contact with one of these seedy individuals—they
can be brutal, especially when cornered. Of course, many vendors try to make the term “black
hat” into something cuter and less dangerous. But for the purposes of this book and your job
security, we need to speak plainly, so here we will consider a black hat to be a malicious
individual.
Gray hats: These are possibly the most inexplicable people on the planet. They are individuals
who do not have any affiliation with a company but risk breaking the law by attempting to hack
a system and then notify the administrator of the system that they were successful in doing
so—just to let them know! Not to do anything malicious (other than breaking in…). Some gray
hats offer to fix security vulnerabilities at a price, but these types are also known as green hats
or mercenaries.
Blue hats: These are individuals who are asked to attempt to hack into a system by an
organization, but the organization does not employ them. The organization relies on the fact
that the person simply enjoys hacking into systems. Usually, this type of scenario occurs when
testing systems.
Elite: Elite hackers are the ones who first find out about vulnerabilities. Only 1 out of an
estimated 10,000 hackers wears the Elite hat—and I say that figuratively. The credit for their
discoveries is usually appropriated by someone else more interested in fame. Many of these
types of individuals don’t usually care about “credit due” and are more interested in
anonymity—perhaps a wise choice. You do not want to get on an Elite hacker’s bad side; they
could crumple most networks and programs within hours if they so desired.
Review Questions:
1. In information security, what are the three main goals? (Select the three best
answers.)
A. Auditing
B. Integrity
C. Non-repudiation
D. Confidentiality
E. Risk Assessment
F. Availability
2. To protect against malicious attacks, what should you think like?
A. Hacker
B. Network admin
C. Spoofer
D. Auditor
3. Tom sends out many e-mails containing secure information to other companies. What
concept should be implemented to prove that Tom did indeed send the e-mails?
A. Authenticity
B. Non-repudiation
C. Confidentiality
D. Integrity
4. Which of the following does the A in CIA stand for when it comes to IT security? (Select
the best answer.)
A. Accountability
B. Assessment
C. Availability
D. Auditing
5. Which of the following is the greatest risk when it comes to removable storage?
A. Integrity of data
B. Availability of data
C. Confidentiality of data
D. Accountability of data
6. When it comes to information security, what is the I in CIA?
A. Insurrection
B. Information
C. Indigestion
D. Integrity
7. You are developing a security plan for your organization. Which of the following is an
example of a physical control?
A. Password
B. DRP
C. ID card
D. Encryption
8. A user receives an e-mail but the e-mail client software says that the digital signature is
invalid and the sender of the e-mail cannot be verified. The would-be recipient is
concerned about which of the following concepts?
A. Confidentiality
B. Integrity
C. Remediation
D. Availability