Identifying Who Is Responsible for Information Security

Security+ Guide to Network Security Fundamentals, 2e
Chapter 3
Security Basics
At a Glance
Instructor’s Notes
Chapter Overview
Chapter Objectives
Technical Notes
Lecture Notes
Quick Quizzes
Discussion Questions
Additional Activities
Instructor’s Notes
Chapter Overview
This chapter discusses the basics of securing computer systems and networks. It begins by examining who is
responsible for creating and maintaining information security schemes. It also offers principles for designing a
secure system and explores the three pillars of basic security: access control, authentication, and auditing.
Chapter Objectives
After reading this chapter, students will be able to:
• Identify who is responsible for information security
• Describe security principles
• Use effective authentication methods
• Control access to computer systems
• Audit information security schemes
Technical Notes
Hands-On Projects | Hardware Devices Required | Operating System Required      | Other Resources
Project 3-1       | Computer PC               | Windows XP                     | Possible special permissions if working in a school’s lab
Project 3-2       | Computer PC               | Windows XP                     | Microsoft Office
Project 3-3       | Computer PC               | Windows XP                     | Possible special permissions if working in a school’s lab
Project 3-4       | Computer PC               | Windows 2000 or XP             | Possible special permissions if working in a school’s lab
Project 3-5       | Computer PC               | Windows XP with NTFS hard disk | None
Project 3-6       | Computer PC               | Windows XP                     | None
This chapter should not be completed in one class session. It is recommended that you split the chapter into at least
two class sessions, if possible. The subject matter can be covered in anywhere between a 3- to 6-hour period, plus any at-home exercises you wish to assign.
Lecture Notes
Identifying Who Is Responsible for Information Security
When an organization secures its information, it completes a few basic tasks. First, it must analyze its assets and the
threats these assets face from threat agents. Next, the organization identifies its vulnerabilities and how they might
be exploited. Finally, the organization regularly assesses and reviews the security policy to ensure that it is
adequately protecting its information.
The major tasks of securing information can be accomplished from the lower levels of the organization upwards, as
shown in Figure 3-1 on page 71 of the text. This bottom-up approach has one key advantage: the bottom-level
employees have the technical expertise to understand what to do to secure information and how to do it.
The opposite of the bottom-up approach is the top-down approach. Returning to Figure 3-1 on page 71 of the text,
a top-down approach starts at the highest levels of the organization and works its way down. A security plan
initiated by top-level managers has the backing to make the plan work. Many organizations have a top-level
manager dedicated to overseeing the security plan and its implementation. Known as the chief information security
officer (CISO), this person helps develop the security plan and then ensures that it is carried out. The term human
firewall is sometimes used to describe the security-enforcing role of each employee.
Understanding Security Principles
Consider some of the ways that information can be attacked: crackers can launch distributed denial-of-service
(DDoS) attacks through the Internet, spies can use social engineering, employees can guess other users’ passwords,
and hackers can create back doors. Protecting against the wide range of attacks calls for a wide range of defense
mechanisms.
Layering
A layered security approach has the advantage of creating a barrier of multiple defenses that can be coordinated to
thwart a variety of attacks. Information security likewise must be created in layers. Figure 3-2 on page 74 of the text
shows some basic layers for securing a desktop computer connected to a network. To be effective, however, all the
security layers must be properly coordinated.
Limiting
Limiting access to information reduces the threat against it. Only those who must use data should have access to it.
In information security terminology, for a subject (such as a person or a computer program running on a system) to
interact with an object (such as a computer or a database stored on a server), the access must be limited. In addition,
the amount of access granted to someone should be limited to what that person needs to know or do. Figure 3-3 on
page 75 of the text illustrates this limited access to a payroll database.
Diversity
Diversity is closely related to layering. Just as you should protect data with layers of security, so too must the layers
be different (diverse) so that if attackers penetrate one layer, they cannot use the same techniques to break through
all other layers.
Using diverse layers of defense means that breaching one security layer does not compromise the whole system.
You can set a firewall to filter a specific type of traffic, such as all inbound traffic, while a second firewall on the
same system filters another traffic type, such as outbound traffic. In addition, using firewalls produced by different
vendors creates even greater diversity.
Obscurity
Obscuring what goes on inside a system or organization and avoiding clear patterns of behavior make attacks from
the outside difficult. In information security, defending systems through obscurity can be a valuable tool.
Simplicity
Complex security systems can be difficult to understand, troubleshoot, and feel secure about. The challenge is to
make the system simple from the inside but complex from the outside.
Quick Quiz
1. Most ___________ security approaches wither in a few weeks or fragment into practices that protect a few
select devices or a unit of the business. ANSWER: bottom-up
2. A(n) __________ is an employee who tries to prevent security attacks from passing through him or her.
ANSWER: human firewall
3. A(n) ____________ security approach has the advantage of creating a barrier of multiple defenses that can be
coordinated to thwart a variety of attacks. ANSWER: layered
4. _____________ access to information reduces the threat against it. ANSWER: Limiting
5. ______________ includes using physical and electronic security measures. ANSWER: Diversity
Using Effective Authentication Methods
Information security rests on three key pillars: authentication, access control, and auditing. A trusted user is
approved to access a secure computer system. However, when someone claiming to be that user requests access to
the system, how can his or her identity be verified? This process of proving identity is known as authentication.
Quick Reference
Discuss the three main categories of authentication as described on page 78 of the text.
Username and Password
The most common authentication method is providing a user with a unique username and a secret password. A
technology that is increasing in popularity attempts to address the problem of users having individual usernames and
passwords for each account (and thus resorting to simple passwords that are easy to remember). Known as ID
management, a user’s single authenticated ID is shared across multiple networks or online businesses. ID
management can be not only for users, but also for computers that share data.
Tokens
Whereas passwords are based on what you know, tokens are based on what you have. A token is a security device
that authenticates the user by having the appropriate permission embedded into the token itself. A new type of token
is called a proximity card. A proximity card is a plastic card with an embedded thin metal strip that emits a low-frequency short-wave radio signal.
Biometrics
Biometrics uses a person’s unique characteristics to authenticate that person, and is an example of authentication
based on what you are. Some of the human characteristics that can be used for identification include:
• Fingerprint
• Hand
• Retina
• Face
• Iris
• Voice
The most common biometric device is a fingerprint scanner, shown in Figure 3-4 on page 81 of the text.
Certificates
Although encrypting messages with keys is an excellent means of sending messages so that unauthorized users
cannot read them, the key system does not prove that the senders are actually who they claim to be. To let the
receiver verify who sent the message, the sender can provide a certificate (sometimes called a digital certificate). A
certificate links or binds a specific person to a key. Digital certificates are issued by a certification authority (CA),
which is an independent third-party organization.
Kerberos
Kerberos is an authentication system developed by the Massachusetts Institute of Technology (MIT) and used to
verify the identity of networked users. Using Kerberos is like using a driver’s license to cash a check.
A state agency, such as the Department of Motor Vehicles (DMV), issues a driver’s license that has these
characteristics:
• It is difficult to copy.
• It contains specific information (name, address, height, etc.).
• It lists restrictions (must wear corrective lenses, etc.).
• It expires on a specified date.
Kerberos is typically used when someone on a network attempts to use a network service, and the service wants
assurance that the user is who he says he is. The user is provided a ticket that is issued by the Kerberos
authentication server (AS), much as a driver’s license is issued by the DMV.
Challenge Handshake Authentication Protocol
The Challenge Handshake Authentication Protocol (CHAP) is considered a more secure procedure for
connecting to a system than using a password.
Quick Reference
Discuss the steps listed on page 83 of the text that describe how CHAP works.
Mutual Authentication
Two-way authentication, known as mutual authentication, can be used to combat identity attacks, such as man-in-the-middle and replay attacks. With mutual authentication, the server authenticates the user through a password,
tokens, or other means, and the user in turn verifies the server. Mutual authentication is illustrated in Figure 3-6 on page 84 of the text.
Multifactor Authentication
Implementing two or more types of authentication is known as multifactor authentication. Multifactor
authentication is a common security strategy. Multifactor authentication is being strongly proposed to verify the
authentication of cell phone users who use their phones to purchase goods and services.
Controlling Access to Computer Systems
When an operating system is configured to restrict a user’s access, most operating systems store this information in
an access control list (ACL). An ACL is a table in the operating system that contains the access rights each subject
(a user or a device) has to a particular system object, such as a folder or file. In Microsoft Windows, an ACL has one
or more access control entries (ACEs) consisting of the name of a subject or group of subjects. Table 3-1 on page
85 of the text illustrates an ACL. When a user receives rights based on membership in a group, these rights are
called inherited rights.
Quick Reference
Discuss the basic folder and file permissions in a Windows Server 2003 system as listed on pages 85 and 86 of the text.
Mandatory Access Control
The most restrictive model is known as Mandatory Access Control (MAC). In this model, the subject is not
allowed to give access to another subject to use an object.
Role Based Access Control
Instead of setting permissions for each user or group, you can assign permissions to a position or role and then
assign users and other objects to that role. The users and objects inherit all of the permissions for the role. This
model is known as Role Based Access Control (RBAC). Figure 3-7 on page 87 of the text shows roles created for a
variety of job classifications.
Discretionary Access Control
The least restrictive model is known as Discretionary Access Control (DAC). In this setting, one subject can adjust
the permissions for other subjects over objects. DAC is the type of access that most users associate with their
personal computers.
Auditing Information Security Schemes
The third pillar of information security is auditing. You can audit a security system in two ways: logging and system
scanning. Logging records which user performed a specific activity and when. Whereas logging keeps track of what
was done on the system, system scanning checks the permissions assigned to a user or role. These results are
compared to what is expected to detect any differences.
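The following is an added example, not code from the textbook: it models the ACL described above (ACEs naming a user or a group, with rights inherited through group membership, groups standing in for roles) and then performs the "system scanning" form of auditing by comparing each user's effective rights with an expected baseline. The object names, users, groups and the baseline are constructed sample data.

```python
# Added example (not from the textbook): a small model of an ACL whose ACEs name
# users or groups, with rights inherited through group membership, plus a
# "system scan" that compares effective rights with an expected baseline.
from dataclasses import dataclass


@dataclass
class ACE:
    subject: str        # a user name or a group name
    rights: frozenset   # e.g. {"read", "write"}


# Constructed sample data: group memberships and the ACLs of two objects.
GROUPS = {
    "Payroll": {"alice"},
    "Managers": {"alice", "bob"},
    "Everyone": {"alice", "bob", "carol"},
}
ACLS = {
    "payroll.db": [ACE("Payroll", frozenset({"read", "write"})),
                   ACE("Managers", frozenset({"read"}))],
    "handbook.doc": [ACE("Everyone", frozenset({"read"})),
                     ACE("carol", frozenset({"read", "write"}))],
}
# Constructed baseline: what policy says each user should hold on each object.
EXPECTED = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read", "write"},
    ("alice", "handbook.doc"): {"read"},
    ("bob", "handbook.doc"): {"read"},
    ("carol", "handbook.doc"): {"read"},
}


def effective_rights(acl, user, groups):
    """Union of rights from ACEs naming the user or a group they belong to (inherited rights)."""
    rights = set()
    for ace in acl:
        if ace.subject == user or user in groups.get(ace.subject, set()):
            rights |= ace.rights
    return frozenset(rights)


def system_scan(acls, groups, expected):
    """Return {(user, obj): (unexpected_rights, missing_rights)} for every mismatch."""
    findings = {}
    users = set().union(*groups.values())
    for obj, acl in acls.items():
        for user in sorted(users):
            actual = effective_rights(acl, user, groups)
            want = frozenset(expected.get((user, obj), ()))
            if actual != want:
                findings[(user, obj)] = (actual - want, want - actual)
    return findings


if __name__ == "__main__":
    for (user, obj), (extra, missing) in system_scan(ACLS, GROUPS, EXPECTED).items():
        print(f"{user} on {obj}: unexpected={sorted(extra)} missing={sorted(missing)}")
```

The scan reports carol's extra write right on handbook.doc and bob's missing write right on payroll.db, the two kinds of difference an auditor looks for.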
Quick Quiz
1. A(n) ____________ is a security device that authenticates the user by having the appropriate permission
embedded into itself. ANSWER: token
2. ______________ authentication provides a means for both sides of a connection to verify one another’s
authenticity. ANSWER: Mutual
3. Implementing two or more types of authentication is known as ______________ authentication. ANSWER:
multifactor
4. _____________ consists of the mechanisms for limiting access to resources based on users’ identities and their
membership in various groups. ANSWER: Access control
5. ______________ can be initiated by an administrator as a routine check or when it appears that a user is
accessing a resource for which she should not have permission. ANSWER: System scanning
Discussion Questions
1. In an organization, how do you determine who will be responsible for securing information?
2. How often should security schemes be changed in an organization?
Additional Activities
1. Have students conduct research looking for software and hardware that can be used to authenticate users.
2. Have students research the effectiveness of several biometric devices and summarize what they find.