Chapter 1 - Security Basics

Slides copyright 2010
by Paladin Group, LLC
used with permission by
UMBC Training Centers, LLC
Chapter 1 – Basics of Security
Brian E. Brzezicki
First Some Terms (NB)
First we have to discuss some terms we will use again and again
Protocol – an official set of steps or language for communication between parties
Algorithm – a specific set of steps to solve a problem or do
some task
String – a series of characters. Example: if a character can be a-z and 0-9, an 8 character string might be “ar01z14b”
Control – a countermeasure or attempt to mitigate a security
risk. Example: a firewall is a technical control. Policies are
administrative (management) controls. Encryption is a technical control.
No… Not that CIA
CIA (54-57)
3 Fundamental Principles of Security
• Confidentiality – only authorized parties can read the data
 controls: encryption, access controls, data classification
• Integrity – data is not altered without authorization, and any alteration is detected
 controls: hashing, digital signatures, change control
• Availability – systems and data are usable when they are needed
 controls: redundancy, backups, patching, DoS protection
Closely related
• Non-repudiation – a party cannot later deny having sent a message or performed an action
 controls: digital signatures, audit logs
Defense in Depth (58-59)
No one security control should be completely
relied upon. Instead have many overlapping
security controls.
• Network based firewall
• Host based firewall
• IDS system
• Access controls
• Proper patching and maintenance practices
This is also referred to as “Layered Security”
Diversity of Defense (n/b)
With a single control type, use multiple vendors or implementations
• Why: one vendor's bug or one misconfiguration should not defeat every layer at once
• Examples: a different-vendor firewall at the perimeter than on the hosts; a different OS for DMZ hosts than for internal servers; more than one anti-malware engine
Implicit Deny (59)
Fundamental security rule. If you do NOT
explicitly have authorization, then you are
implicitly DENIED access.
Should be the default rule for ALL access
Usually seen in firewalls and access control lists
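Worked example (added here; not from the slides or any vendor's firewall): a first-match ACL evaluator in Python that ends in an implicit deny. The rule set and addresses are made up for the example; the lint check at the end catches the classic mistake of a trailing “permit any” that makes the implicit deny unreachable.

```python
# Added example (not from the slides): a first-match ACL evaluator that ends in
# an implicit deny, the way firewall and router ACLs behave.
import ipaddress

# Hypothetical rule set, constructed for this example.
# Each rule: (action, source network, destination port or None for any port)
RULES = [
    ("permit", "10.0.0.0/8", 22),         # admin LAN may SSH
    ("permit", "0.0.0.0/0", 443),         # anyone may reach HTTPS
    ("deny", "192.168.1.0/24", None),     # explicit deny for a lab segment
]


def evaluate(rules, src_ip, dst_port):
    """Return 'permit' or 'deny' for a packet: the first matching rule wins,
    and a packet that matches nothing is implicitly denied."""
    src = ipaddress.ip_address(src_ip)
    for action, net, port in rules:
        if src in ipaddress.ip_network(net) and port in (None, dst_port):
            return action
    return "deny"  # implicit deny: no explicit authorization means no access


def implicit_deny_reachable(rules):
    """Lint check: a 'permit any source, any port' rule makes the implicit deny
    dead code and turns the ACL into 'allow everything not explicitly blocked'."""
    for action, net, port in rules:
        if action == "permit" and ipaddress.ip_network(net).prefixlen == 0 and port is None:
            return False
    return True


if __name__ == "__main__":
    for src, port in [("10.1.2.3", 22), ("203.0.113.5", 443),
                      ("203.0.113.5", 22), ("192.168.1.7", 443)]:
        print(src, port, "->", evaluate(RULES, src, port))
    print("implicit deny reachable:", implicit_deny_reachable(RULES))
```

Note the ordering lesson in the sample rules: 192.168.1.7 reaching port 443 is permitted because the broad HTTPS rule matches before the lab-segment deny; rule order is part of the policy.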
Use Devices as Intended (60)
Security devices have been hardened for their
security role; do NOT mix security and
non-security functions on one device, because
that weakens the device and adds attack vectors.
Similarly, try to have every service in your
network on a separate server that is dedicated
only to that task.
• Virtualization makes this EASY today!
Proving that you are who you say you are
3 factors
• Something you know (a password or PIN)
• Something you have (a token, smart card or phone)
• Something you are (a biometric)
(more details of each in next slides)
Something you know (61-65)
Passwords – what's a password? A secret string the user memorizes and presents to prove identity
• Use strong passwords
 What does that mean: long (12+ characters), several character classes, not a dictionary word, not reused elsewhere
• Do not write down passwords
• Do not share passwords
• Change passwords regularly
 How often: the traditional answer is every 30 to 90 days; current NIST SP 800-63B guidance instead drops forced periodic rotation and changes a password when there is evidence of compromise
• Do not reuse passwords
• Use account lockout policies
 What is a lockout policy: after N failed logins the account is locked for a period (or until an admin unlocks it), which stops online guessing
• Change system default passwords
• Inform users of previous logons (last successful and failed login times, so the user can spot misuse)
Something You Know
Passphrase: I Like Iced Tea And Lemon With Cranberry
• Build the password from the first letter of each word, then swap some letters for digits and symbols: easy to remember, hard to guess
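Worked example (added here, not from the slides): a password policy check, salted PBKDF2 storage so the system never holds the cleartext, and an account lockout policy. The breached-password list, user name and password are constructed for the example; the `now` parameter is injectable so the lockout timing can be exercised without waiting.

```python
# Added example (not from the slides): password policy check, salted PBKDF2
# storage (never the cleartext), and an account lockout policy.
import hashlib
import hmac
import os
import re
import time

# Constructed stand-in for a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
ITERATIONS = 100_000


def check_strength(password, min_len=12, min_classes=3):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < min_classes:
        problems.append("fewer than %d character classes" % min_classes)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored value is salt || derived key."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password, stored):
    salt, key = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)  # constant-time compare


class Authenticator:
    """Login with a lockout policy: `threshold` failures lock the account for
    `lockout_seconds`. `now` is injectable so the behaviour can be tested."""

    def __init__(self, threshold=5, lockout_seconds=15 * 60):
        self.threshold, self.lockout_seconds = threshold, lockout_seconds
        self.users, self.failures, self.locked_until = {}, {}, {}
        self.dummy = hash_password("dummy")  # equalises timing for unknown users

    def add_user(self, name, password):
        problems = check_strength(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        self.users[name] = hash_password(password)

    def login(self, name, password, now=None):
        now = time.time() if now is None else now
        if self.locked_until.get(name, 0) > now:
            return "locked"
        if verify_password(password, self.users.get(name, self.dummy)) and name in self.users:
            self.failures[name] = 0
            return "ok"
        self.failures[name] = self.failures.get(name, 0) + 1
        if self.failures[name] >= self.threshold:
            self.locked_until[name] = now + self.lockout_seconds
            self.failures[name] = 0
        return "bad credentials"  # same answer for unknown user and wrong password
```

The unknown-user path still runs a PBKDF2 computation against a dummy hash and returns the same message, so an attacker cannot use timing or wording to enumerate valid account names.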
Something You Have (65-67)
Something You Are (67-69)
Finger print
Voice Print
Iris Scan (see next slide)
Retinal Scan (see next slide)
Face Geometry
Keystroke Dynamics
Physically Based or Behaviorally Based
• What is the difference between these two: physiological biometrics measure a body part (fingerprint, iris, retina, face geometry); behavioral biometrics measure how you act (voice print, keystroke dynamics, signature dynamics)
Type 1 errors (false rejection: a legitimate user is refused), Type 2 errors (false acceptance: an impostor is let in), CER (images in a few slides)
(image slides: Finger Print, Retina Scan, Iris Scan)
CER (n/b)
Crossover Error Rate (CER) is an important
metric that is stated as a percentage that
represents the point at which the false
rejection rate (FRR, Type 1) equals the false acceptance rate (FAR, Type 2).
Use CER to compare vendors' products
Lower CER is better/more accurate (3%
is better than 4%)
Also called Equal Error Rate (EER)
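Worked example (added here, not from the slides): computing FAR, FRR and the crossover point from a biometric system's match scores, then ranking two vendors by CER. The score lists for vendors “A” and “B” are constructed sample data, not measurements of any real product.

```python
# Added example (not from the slides): FAR, FRR and crossover (equal error) rate
# from match scores, then ranking vendors by CER. Scores are constructed sample
# data: higher score = better match between the live sample and the template.
VENDORS = {
    "A": ([88, 92, 75, 95, 81, 90, 68, 97, 85, 79],   # genuine-user scores
          [20, 35, 60, 45, 72, 30, 55, 66, 40, 50]),  # impostor scores
    "B": ([70, 55, 80, 65, 90, 60, 75, 85, 50, 95],
          [30, 60, 45, 70, 40, 65, 55, 50, 35, 75]),
}


def far_frr(genuine, impostor, threshold):
    """A score >= threshold is accepted.
    FRR (Type 1): genuine users rejected; FAR (Type 2): impostors accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return far, frr


def crossover(genuine, impostor, thresholds=range(0, 101)):
    """Sweep the threshold and return (threshold, CER) at the point where FAR
    and FRR are closest; CER is their mean there (as a fraction, 0.1 = 10%)."""
    best = None
    for t in thresholds:
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, cer = best
    return threshold, cer


def rank_vendors(vendors):
    """Lower CER is better: vendor names from most to least accurate."""
    return sorted(vendors, key=lambda name: crossover(*vendors[name])[1])


if __name__ == "__main__":
    for name, (genuine, impostor) in VENDORS.items():
        t, cer = crossover(genuine, impostor)
        print("vendor %s: threshold %d, CER %.0f%%" % (name, t, cer * 100))
    print("ranking:", rank_vendors(VENDORS))
```

Sweeping the threshold also shows the trade-off behind the CER: raising it lowers FAR but raises FRR, so a deployment that cares more about keeping impostors out (a data centre door) will run above the crossover, while a convenience login will run below it.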
Multifactor Authentication (69)
For best security, use 2 or more of these for
authentication. This is called “multi-factor”
or “strong authentication”
• Why use Multifactor Authentication? Guessing or stealing one factor (the password) is no longer enough; the attacker also needs the token or the biometric
• Is a password and a passphrase multifactor? No. Both are “something you know”, so that is two of the same factor
Identity Proofing (69)
Verifying someone is who they say they are
before issuing authentication credentials
initially or after they are lost
• This is NOT authentication but works hand in
hand. Someone must prove their identity
before getting authentication credentials.
Password Reset Systems (71)
Allows users to reset their passwords, often
saves IT staff time and money.
• Cognitive Passwords (security questions such as mother's maiden name or first pet)
• Issues? The answers are often public or easy to look up, and the same questions are reused across many sites, so they are a weaker secret than the password they reset
• Email a password reset link
• Physically mail a new PIN
Kerberos (71)
A network authentication protocol designed
from MIT's Project Athena. Kerberos tries to
ensure authentication security over an insecure network
Used in Windows 2000 and later (Active Directory) and in many Unix/Linux environments
Allows for single sign on
Never transfers passwords
Uses symmetric (secret/private) key encryption to verify identity, not public-key cryptography
Kerberos Components
Principals – users or network services
KDC – Key Distribution Center, stores secret keys
(passwords) for principals
• Ticket Granting Ticket (TGT) gets you more tickets
• Service Tickets – access to specific network services
(ex. File sharing)
Realms – a grouping of principals that a KDC
provides service for, looks like a domain name
• Example: EXAMPLE.COM (by convention the DNS domain name in upper case)
Kerberos Concerns
• Computers must have clocks synchronized
within 5 minutes of each other
• Tickets are stored on the workstation. If the
workstation is compromised, cached tickets can be stolen and replayed to impersonate you (“pass the ticket”)
• Single point of failure if no backup KDC
• If your KDC is hacked, security is lost (the attacker holds every principal's key)
• Uses TCP and UDP port 88
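Worked example (added here; not from the slides, MIT Kerberos or Windows): a toy model of the three Kerberos exchanges (AS, TGS, AP) with both sides in Python, showing that the password never leaves the client, that tickets are sealed under keys the client never sees, and the 5-minute clock-skew check. The `seal`/`unseal` functions are a toy authenticated cipher standing in for the real Kerberos encryption types, and the realm EXAMPLE.COM, user alice and service cifs/fileserver are made up.

```python
# Added example (not from the slides or any Kerberos implementation): a toy model of
# the AS, TGS and AP exchanges. seal/unseal are a TOY cipher, not a Kerberos enctype.
import hashlib, hmac, json, os

CLOCK_SKEW = 300                  # seconds: the 5-minute window from the slides
TICKET_LIFETIME = 8 * 3600

def string_to_key(password, realm, principal):
    """Client and KDC derive the same key from the password; only the key is kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)

def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, obj):
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_clock(stamp, now):
    if abs(now - stamp) > CLOCK_SKEW:
        raise ValueError("clock skew exceeds 5 minutes")

class KDC:
    def __init__(self, realm):
        self.realm, self.keys, self.krbtgt_key = realm, {}, os.urandom(32)

    def register(self, principal, password):        # stores keys, never passwords
        self.keys[principal] = string_to_key(password, self.realm, principal)

    def as_exchange(self, principal, now):
        """AS-REP: a TGT sealed under the KDC's own key plus a session key, the whole
        reply sealed under the user's key, so only the right password can open it."""
        session = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"client": principal, "session": session,
                                     "expires": now + TICKET_LIFETIME})
        return seal(self.keys[principal], {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REP: check the TGT and authenticator, then issue a service ticket."""
        t = unseal(self.krbtgt_key, tgt)
        check_clock(unseal(bytes.fromhex(t["session"]), authenticator)["time"], now)
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "session": svc_session,
                                           "expires": now + TICKET_LIFETIME})
        return seal(bytes.fromhex(t["session"]), {"session": svc_session, "ticket": ticket.hex()})

class Client:
    def __init__(self, principal, password, realm):
        self.principal = principal
        self.key = string_to_key(password, realm, principal)   # the password is not retained

    def login(self, kdc, now):
        rep = unseal(self.key, kdc.as_exchange(self.principal, now))
        self.tgt, self.tgt_session = bytes.fromhex(rep["tgt"]), bytes.fromhex(rep["session"])

    def authenticator(self, session_key, now):
        return seal(session_key, {"client": self.principal, "time": now})

    def service_ticket(self, kdc, service, now):
        rep = unseal(self.tgt_session, kdc.tgs_exchange(
            self.tgt, self.authenticator(self.tgt_session, now), service, now))
        return bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["session"])

def service_accept(service_key, ticket, authenticator, now):
    """AP-REQ at the service: only its own key is needed, no call back to the KDC."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise ValueError("service ticket expired")
    auth = unseal(bytes.fromhex(t["session"]), authenticator)
    check_clock(auth["time"], now)
    if auth["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"]

def demo(client_clock_offset=0, forge=False, now=1_700_000_000):
    """Log a made-up user in to a made-up service; returns the accepted principal,
    or raises ValueError on clock skew or a forged ticket."""
    kdc = KDC("EXAMPLE.COM")
    kdc.register("alice", "Correct-Horse-Battery-9")
    kdc.register("cifs/fileserver", os.urandom(16).hex())       # service key (keytab)
    alice = Client("alice", "Correct-Horse-Battery-9", "EXAMPLE.COM")
    alice.login(kdc, now)
    ticket, svc_session = alice.service_ticket(kdc, "cifs/fileserver", now)
    if forge:   # attacker without the service key cannot mint a ticket it accepts
        ticket = seal(os.urandom(32), {"client": "alice", "session": svc_session.hex()})
    auth = alice.authenticator(svc_session, now + client_clock_offset)
    return service_accept(kdc.keys["cifs/fileserver"], ticket, auth, now)
```

Two of the slide's concerns are visible directly: the `check_clock` calls are where a workstation more than 5 minutes off the KDC's clock is refused, and `demo(forge=True)` fails because a ticket the service accepts can only be minted by whoever holds the service key, which is exactly why a compromised KDC (holder of every key) means the loss of all security.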
LDAP (73)
A centralized Directory of Users and Objects.
• LDAP is a protocol to access an X.500
compliant directory database
• Active Directory implements LDAP
• LDAP ports are
• TCP / 389 (cleartext, or upgraded to TLS with STARTTLS)
• TCP / 636 (LDAPS, SSL/TLS from the start)
Mutual Authentication (73)
The process of having BOTH the client
authenticate to the server AND the server
authenticate to the client.
Are you safe when you go to a website that asks
for a username and password? How do you
really know it’s the website?
Should the client authenticate to the server first, or
the server to the client? Does it matter which goes first? Yes: the server should authenticate first (for example with its TLS certificate), otherwise the client may hand its password to an impostor
Single Sign On
I love having 40 different passwords… I just
carry them all around in a laminated card in
my wallet ;-)
What’s the purpose of single sign on? Authenticate once and reach every system you are authorized for
• Advantages: one strong credential instead of many weak ones, fewer helpdesk resets, one central place to disable an account
• Disadvantages: one compromised credential opens every system; the SSO server is a single point of failure
SIDS and UIDS (74)
In any environment where you want to have
access control, you MUST uniquely identify
subjects. Most systems have a friendly
username, however the system tracks by a
number (similar to a SSN)
• SID (Windows)
Ex. S-1-5-21-3623811015-3361044348-30300820-1014
The last field is the RID: 500 = Administrator, 512 = Domain Admins group
• UID (Unix)
Ex. 5125
0 is the superuser (root) UID on Unix systems
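Worked example (added here, not from the slides): a parser for SID strings that splits off the RID, recognises the well-known RIDs above, and flags privileged logons in a constructed list of token SIDs (the SID from the slide plus made-up ones). Keying detection on the SID rather than the account name matters because the built-in Administrator keeps RID 500 even after it is renamed; the Unix equivalent is checking for uid 0 rather than the name “root”.

```python
# Added example (not from the slides): parse Windows SID strings, split off the
# RID, and flag well-known privileged identities in constructed logon records.
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Well-known RIDs (last subauthority of an S-1-5-21-<domain>-<rid> SID)
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   518: "Schema Admins", 519: "Enterprise Admins"}
PRIVILEGED_RIDS = {500, 502, 512, 518, 519}
# Well-known SIDs that are complete, not domain-relative
WELL_KNOWN_SIDS = {"S-1-5-18": "LocalSystem", "S-1-5-32-544": "BUILTIN\\Administrators"}


def parse_sid(sid):
    """Split 'S-<revision>-<authority>-<sub1>-...-<subN>' into its fields."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    return {"revision": int(m.group(1)), "authority": int(m.group(2)),
            "subauthorities": subs, "rid": subs[-1]}


def describe(sid):
    """Return (domain SID or None, RID, friendly name or None)."""
    p = parse_sid(sid)
    if sid in WELL_KNOWN_SIDS:
        return None, p["rid"], WELL_KNOWN_SIDS[sid]
    # S-1-5-21-<d1>-<d2>-<d3>-<rid>: NT authority (5), 21 = domain/machine-relative
    if p["authority"] == 5 and p["subauthorities"][0] == 21 and len(p["subauthorities"]) == 5:
        domain = "S-1-5-21-" + "-".join(str(x) for x in p["subauthorities"][1:4])
        return domain, p["rid"], WELL_KNOWN_RIDS.get(p["rid"])
    return None, p["rid"], None


def is_privileged(sid):
    domain, rid, _ = describe(sid)
    return sid in WELL_KNOWN_SIDS or (domain is not None and rid in PRIVILEGED_RIDS)


def flag_privileged_logons(records):
    """records: (name as logged, SIDs in the logon token). The name is untrusted;
    a renamed Administrator still carries RID 500, so decide on the SIDs."""
    return [name for name, sids in records if any(is_privileged(s) for s in sids)]


# Constructed sample logon records: the slide's SID plus made-up ones
DOMAIN = "S-1-5-21-3623811015-3361044348-30300820"
SAMPLE_LOGONS = [
    ("bob", [DOMAIN + "-1014", DOMAIN + "-513"]),
    ("helpdesk", [DOMAIN + "-500", DOMAIN + "-513"]),           # renamed Administrator
    ("jsmith", [DOMAIN + "-1105", DOMAIN + "-513", DOMAIN + "-512"]),  # in Domain Admins
    ("SYSTEM", ["S-1-5-18"]),
]

if __name__ == "__main__":
    print(describe(DOMAIN + "-500"))
    print("privileged logons:", flag_privileged_logons(SAMPLE_LOGONS))
```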
Windows ACLs
The basic NTFS ACL permissions are
Full Control
Modify
Read and Execute
List Folder Contents
Read
Write
Network Authentication (78)
There are different ways to validate
your identity over the network. For the
Security+ exam you should be aware of the
following, which will be discussed on the upcoming slides
PAP (79)
Password Authentication Protocol – Simply put
your username and password over the wire.
• Advantages: simple, supported everywhere
• Disadvantages: the username and password cross the wire in cleartext, so anyone sniffing the link captures them; only acceptable inside an already-encrypted tunnel
CHAP (79 - 81)
Challenge Handshake Authentication Protocol – avoids ever
sending the password.
Server knows your password, as do you
1. Server creates a “challenge”, example: “banana”, plus an
identifier number that increases with each challenge
2. You take the identifier + the challenge + your password and
compute a hash of them (MD5 in RFC 1994), and send the hash to the server
3. Server calculates the hash the same way, and compares
whether your hash is the same as its hash; if so you must be
who you say you are.
• Avoids replay attacks, because every challenge is a fresh random value
• Never sends password in plaintext
• Caveat: the server must hold the password in cleartext (or reversibly encrypted), and a captured challenge/response pair can be brute-forced offline
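Worked example (added here, not from the slides): the CHAP exchange of RFC 1994 with both sides in Python, a replay attempt that fails, and the offline-guessing caveat. The user name, secret and wordlist are made up.

```python
# Added example (not from the slides): RFC 1994 CHAP with both sides, a replayed
# response that fails, and the offline brute-force an eavesdropper can run because
# the response is unsalted MD5 over a user-chosen secret.
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapServer:
    def __init__(self, secrets):
        self.secrets = secrets          # username -> cleartext secret (CHAP needs it)
        self.identifier = 0
        self.outstanding = {}           # identifier -> challenge value, single use

    def challenge(self):
        """Step 1: a new identifier and a random challenge value."""
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier, username, response):
        """Step 3: recompute the hash and compare. The challenge is consumed,
        so a replayed response finds no challenge and fails."""
        value = self.outstanding.pop(identifier, None)
        if value is None or username not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[username], value)
        return hmac.compare_digest(expected, response)


def chap_client(identifier, challenge, username, secret):
    """Step 2: hash what the server sent plus the secret; only the hash goes on the wire."""
    return username, chap_response(identifier, secret, challenge)


def offline_crack(identifier, challenge, response, wordlist):
    """What an eavesdropper who captured one exchange can do: try candidate
    secrets until the MD5 matches. Returns the secret or None."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def run_exchange(secret_on_client="letmein2010"):
    """One handshake, one replay attempt and one offline guess; returns the three outcomes."""
    server = ChapServer({"alice": "letmein2010"})       # constructed account
    ident, chal = server.challenge()
    user, resp = chap_client(ident, chal, "alice", secret_on_client)
    first = server.verify(ident, user, resp)
    replayed = server.verify(ident, user, resp)          # same identifier and response again
    cracked = offline_crack(ident, chal, resp, ["password", "qwerty", "letmein2010"])
    return first, replayed, cracked
```

The replay fails only because the server tracks which challenges are outstanding and discards each one after a single use; a server that kept challenges around, or reused a predictable challenge value, would lose that protection.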
MS-CHAP (81)
A Microsoft version of CHAP
• Does not require the password stored in clear text (the server keeps the NT hash instead)
• Allows for mutual authentication (MS-CHAPv2)
• Both versions are considered weak today; use them only inside a TLS-protected tunnel such as PEAP
Radius (83)
Network AAA protocol (Authentication, Authorization, Accounting)
Connectionless protocol, using UDP
Ports used
• 1812 / UDP (authentication and authorization)
• 1813 / UDP (accounting)
(older implementations used 1645 and 1646)
Main messages sent
• Access-Request, Access-Accept, Access-Reject, Access-Challenge
• Accounting-Request, Accounting-Response
Uses “attribute/value pairs” (AVPs): the attribute type is an
8-bit field, so 256 possible attribute types
• Ex: Framed-IP-Address (attribute 8), the IP address the NAS assigns to the user
Can use PAP, CHAP, EAP for authentication
• No encryption of the packet (only the User-Password attribute is obscured, using MD5 and the shared secret)
• Coarse authorization: what the server can hand back is limited to the defined attributes (an 8-bit type space)
• Server cannot “kick off users” from the NAS in the base protocol (RFC 5176 later added Disconnect-Request / CoA for NASes that support it)
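Worked example (added here; not from the slides or any RADIUS implementation): building RADIUS attribute/value pairs with their 8-bit type, and hiding/revealing the User-Password attribute exactly as RFC 2865 section 5.2 specifies, to show that only that one attribute is obscured while Framed-IP-Address and everything else travel in the clear. The shared secret, Request Authenticator and password are constructed sample values.

```python
# Added example (not from the slides): RADIUS attribute/value pairs with an 8-bit
# type, and the RFC 2865 section 5.2 User-Password hiding (MD5 of the shared secret
# chained with the previous block, XORed with the password). Sample values are made up.
import hashlib

USER_PASSWORD, FRAMED_IP_ADDRESS = 2, 8    # attribute type numbers from RFC 2865


def encode_avp(attr_type, value):
    """Type (1 byte), Length (1 byte, counts the 2 header bytes too), Value."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type is an 8-bit field: 256 possible attributes")
    if len(value) > 253:
        raise ValueError("value exceeds 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def decode_avps(data):
    """Walk a run of AVPs back into (type, value) pairs."""
    avps, i = [], 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def hide_password(secret, authenticator, password):
    """c_i = p_i XOR MD5(secret || c_{i-1}), with c_0 = Request Authenticator.
    This is XOR with an MD5 keystream, not real encryption: it is only as
    strong as the shared secret."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    p = password.encode()
    if len(p) > 128:
        raise ValueError("password longer than 128 octets")
    p += b"\x00" * (-len(p) % 16)            # pad to a multiple of 16
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(secret, authenticator, hidden):
    """What the RADIUS server does, and what anyone holding the secret can do."""
    p, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        p, prev = p + bytes(x ^ y for x, y in zip(c, b)), c
    return p.rstrip(b"\x00").decode(errors="replace")


def build_access_request_avps(secret, authenticator, password, framed_ip):
    """Only User-Password is obscured; Framed-IP-Address is readable on the wire."""
    return (encode_avp(USER_PASSWORD, hide_password(secret, authenticator, password))
            + encode_avp(FRAMED_IP_ADDRESS, bytes(int(o) for o in framed_ip.split("."))))
```

Anyone who can sniff the link and knows (or guesses) the shared secret can run `reveal_password`, which is why the shared secret should be long and random and why RADIUS is increasingly carried over TLS (RadSec) rather than bare UDP.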
TACACS+
Similar to Radius
Used for network AAA
Created by Cisco
Attribute/Value Pairs
Designed to separate each of the AAA functions (authentication, authorization and accounting can be handled independently)
• Uses TCP / 49
• Encrypts the entire packet body, not just the password
