1.2 Summarize fundamental security concepts. Flashcards

1
Q

The CIA Triad

A

Combination of principles
– The fundamentals of security
– Sometimes referenced as the AIC Triad
* Confidentiality
– Prevent disclosure of information to
unauthorized individuals or systems
* Integrity
– Messages can’t be modified without detection
* Availability
– Systems and data are accessible to authorized users when needed

2
Q

Confidentiality

A

Certain information should only be known
to certain people
– Prevent unauthorized information disclosure
* Encryption
– Encode messages so only the intended recipients
can read them
* Access controls
– Selectively restrict access to a resource
* Two-factor authentication
– Additional confirmation before information
is disclosed

3
Q

Integrity

A

Data is stored and transferred as intended
– Any modification to the data would be identified
* Hashing
– Map data of an arbitrary length to a fixed-length digest
* Digital signatures
– Sign the hash of the data with a private key; anyone with
the public key can verify it
* Certificates
– Bind a public key to an identity, so a signature can be
tied to a person or device
* Non-repudiation
– Proof of integrity and of origin; the signer can't later
deny having signed

4
Q

Availability

A

Information is accessible to authorized users
– Always at your fingertips
* Redundancy
– Build services that will always be available
* Fault tolerance
– System will continue to run, even when a failure occurs
* Patching
– Stability
– Close security holes

5
Q

Non-repudiation

A

You can’t deny what you’ve said
– There’s no taking it back
* Sign a contract
– Your signature adds non-repudiation
– You really did sign the contract
– Others can see your signature
* Adds a different perspective for cryptography
– Proof of integrity
– Proof of origin, with high assurance of authenticity

6
Q

Proof of integrity

A

Verify data does not change
– The data remains accurate and consistent
* In cryptography, we use a hash
– Represent data as a short string of text
– A message digest, a fingerprint
* If the data changes, the hash changes
– Like a fingerprint: a different person leaves a different print
* Doesn’t necessarily associate data with an individual
– Only tells you if the data has changed

7
Q

Hashing the encyclopedia

A

Gutenberg Encyclopedia, Vol 1,
by Project Gutenberg (8.1 megabytes)
* Change one character somewhere in the file
– The hash changes
* If the hash is different, something has changed
– The data integrity has been compromised

8
Q

Proof of origin

A

Prove the message was not changed
– Integrity
* Prove the source of the message
– Authentication
* Make sure the signature isn't fake
– Non-repudiation
* Sign with the private key
– The message doesn't need to be encrypted; the hash of the
message is what gets signed
– Nobody else can sign this, because only the owner holds
the private key
* Verify with the public key
– Any change to the message changes its hash and
invalidates the signature
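
Cards 7 and 8 together, as an added example in Go (not part of the original flashcards): a stand-in for the encyclopedia text is hashed with SHA-256, one byte is flipped and the digest changes completely; the same text is then signed with an Ed25519 private key and verified with the public key, and the flipped copy fails verification. The sample text and the fixed key seed are constructed for this example; a real key must be generated from crypto/rand.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the hex SHA-256 fingerprint of data: a fixed 32-byte
// value regardless of input length (the "message digest" on the card).
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// FlipOneByte returns a copy of data with one bit of the byte at pos
// changed, standing in for "change one character somewhere in the file".
func FlipOneByte(data []byte, pos int) []byte {
	out := append([]byte(nil), data...)
	out[pos] ^= 0x01
	return out
}

// KeyPair derives an Ed25519 key pair from a 32-byte seed. A fixed seed is
// used here only so the example is repeatable (constructed, not a real key);
// production keys come from ed25519.GenerateKey(rand.Reader).
func KeyPair(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Sign produces a signature over the plaintext message. The message is not
// encrypted; only the holder of priv can produce a signature that verifies.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// Verify checks a signature with the public key. It returns false for a
// forged signature, for a signature made with another key, and for a
// genuine signature over a message that has since been altered.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	// Constructed stand-in for the 8.1 MB encyclopedia text.
	volume := bytes.Repeat([]byte("The quick brown fox jumps over the lazy dog. "), 1000)
	tampered := FlipOneByte(volume, 20000)

	fmt.Println("original digest:", Digest(volume))
	fmt.Println("tampered digest:", Digest(tampered))

	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed seed, see KeyPair
	pub, priv := KeyPair(seed)
	sig := Sign(priv, volume)
	fmt.Println("signature valid on original:", Verify(pub, volume, sig))
	fmt.Println("signature valid on tampered:", Verify(pub, tampered, sig))
}
```

Note that the digest alone only says the data changed; it is the signature, made with a key nobody else holds, that ties the data to an origin.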

9
Q

AAA framework

A

Identification
– This is who you claim to be
– Usually your username
* Authentication
– Prove you are who you say you are
– Password and other authentication factors
* Authorization
– Based on your identification and authentication,
what access do you have?
* Accounting
– Resources used: Login time, data sent and
received, logout time

10
Q

Authenticating systems

A

You have to manage many devices
– Often devices that you’ll never physically see
* A system can’t type a password
– And you may not want to store one
* How can you truly authenticate a device?
– Put a digitally signed certificate on the device
* Other business processes rely on the certificate
– Access to the VPN from authorized devices
– Management software can validate the end device

11
Q

Certificate authentication

A

An organization has a trusted Certificate Authority (CA)
– Many organizations maintain their own internal CA for this
* The organization creates a certificate for a device
– And digitally signs the certificate with the organization's CA
* The certificate can now be included on a device as an
authentication factor
– Anyone holding the CA's certificate can check the CA's signature
and so validate the device certificate

12
Q

Authorization models

A

The user or device has now authenticated
– To what do they now have access?
– Time to apply an authorization model
* Users and services -> data and applications
– Associating individual users to access rights
does not scale
* Put an authorization model in the middle
– Define by Roles, Organizations, Attributes, etc.

13
Q

No authorization model

A

A simple relationship
– User -> Resource
* Some issues with this method
– Difficult to understand why an authorization may exist
– Does not scale

14
Q

Using an authorization model

A

Add an abstraction
– Reduce complexity
– Create a clear relationship between the user
and the resource
* Administration is streamlined
– Easy to understand the authorizations
– Support any number of users or resources
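
Cards 12 to 14 as an added Go example (not code from the original flashcards): a flat user -> resource table next to a role-based model, with a deny-by-default check and a Why function that reports which role explains a grant, which is the question the flat table cannot answer. The roles, users and resources are hypothetical.

```go
package main

import "fmt"

// Permission is one action on one resource.
type Permission struct{ Resource, Action string }

// DirectACL is the "no authorization model" case: a flat user -> resource
// table. Every grant is its own entry, so onboarding a user means re-entering
// every permission, and nothing records why a grant exists.
type DirectACL map[string]map[Permission]bool

// Allowed reports whether the user has an explicit entry for p.
func (a DirectACL) Allowed(user string, p Permission) bool {
	return a[user][p]
}

// RBAC puts roles between users and resources: users hold roles, roles hold
// permissions. Role and user names in this example are hypothetical.
type RBAC struct {
	RolePerms map[string][]Permission
	UserRoles map[string][]string
}

// Allowed is deny-by-default: only an explicit role grant returns true.
func (r RBAC) Allowed(user string, p Permission) bool {
	return len(r.Why(user, p)) > 0
}

// Why lists the roles that explain an authorization, answering the
// "why does this access exist?" question the flat table cannot.
func (r RBAC) Why(user string, p Permission) []string {
	var roles []string
	for _, role := range r.UserRoles[user] {
		for _, granted := range r.RolePerms[role] {
			if granted == p {
				roles = append(roles, role)
				break
			}
		}
	}
	return roles
}

// AddUser onboards a user with one entry per role instead of one per resource.
func (r RBAC) AddUser(user string, roles ...string) {
	r.UserRoles[user] = append(r.UserRoles[user], roles...)
}

// ExampleModel builds a small constructed model for a payroll application.
func ExampleModel() RBAC {
	m := RBAC{
		RolePerms: map[string][]Permission{
			"payroll-clerk": {{"payroll-db", "read"}, {"payroll-db", "write"}},
			"auditor":       {{"payroll-db", "read"}, {"audit-log", "read"}},
			"helpdesk":      {{"ticketing", "read"}, {"ticketing", "write"}},
		},
		UserRoles: map[string][]string{},
	}
	m.AddUser("alice", "payroll-clerk")
	m.AddUser("bob", "auditor", "helpdesk")
	return m
}

func main() {
	m := ExampleModel()
	write := Permission{"payroll-db", "write"}
	read := Permission{"payroll-db", "read"}
	fmt.Println("alice write payroll-db:", m.Allowed("alice", write), m.Why("alice", write))
	fmt.Println("bob write payroll-db:  ", m.Allowed("bob", write), m.Why("bob", write))
	fmt.Println("bob read payroll-db:   ", m.Allowed("bob", read), m.Why("bob", read))
	fmt.Println("carol read ticketing:  ", m.Allowed("carol", Permission{"ticketing", "read"}))
}
```

Removing a permission from a role revokes it for every holder at once; with the flat table each user row has to be found and edited, which is where stale grants come from.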

15
Q

Gap Analysis

A

Where you are compared with where you want to be
– The “gap” between the two
* This may require extensive research
– There’s a lot to consider
* This can take weeks or months
– An extensive study with numerous participants
– Get ready for emails, data gathering, and technical
research

16
Q

Choosing the framework

A

Work towards a known baseline
– This may be an internal set of goals
– Some organizations should use formal standards
* Determine the end goal
– NIST Special Publication 800-171 Revision 2,
Protecting Controlled Unclassified Information in
Nonfederal Systems and Organizations
* ISO/IEC 27001
– Information security management systems

17
Q

Evaluate people and processes

A

Get a baseline of employees
– Formal experience
– Current training
– Knowledge of security policies and procedures
* Examine the current processes
– Research existing IT systems
– Evaluate existing security policies

18
Q

Compare and contrast

A

The comparison
– Evaluate existing systems
* Identify weaknesses
– Along with the most effective processes
* A detailed analysis
– Examine broad security categories
– Break those into smaller segments

19
Q

The analysis and report

A

The final comparison
– Detailed baseline objectives
– A clear view of the current state
* Need a path to get from the current security to the goal
– This will almost certainly include time, money, and lots
of change control
* Time to create the gap analysis report
– A formal description of the current state
– Recommendations for meeting the baseline

20
Q

Zero trust

A

Many networks are relatively open on the inside
– Once you’re through the firewall, there are few
security controls
* Zero trust is a holistic approach to network security
– Covers every device, every process, every person
* Everything must be verified
– Nothing is inherently trusted
– Multi-factor authentication, encryption, system
permissions, additional firewalls, monitoring and
analytics, etc

21
Q

Planes of operation

A

Split the network into functional planes
– Applies to physical, virtual, and cloud
components
* Data plane
– Process the frames, packets, and network data
– Processing, forwarding, trunking, encrypting, NAT
* Control plane
– Manages the actions of the data plane
– Define policies and rules
– Determines how packets should be forwarded
– Routing tables, session tables, NAT tables

22
Q

Controlling trust

A

Adaptive identity
– Consider the source and the requested resources
– Multiple risk indicators: relationship to the
organization, physical location, type of connection, IP
address, etc.
– Make the authentication stronger, if needed
* Threat scope reduction
– Decrease the number of possible entry points
* Policy-driven access control
– Combine the adaptive identity with a predefined set of rules

23
Q

Policy enforcement point

A

Subjects and systems
– End users, applications, non-human entities
* Policy enforcement point (PEP)
– The gatekeeper
– Allows, monitors, and terminates connections
– Can consist of multiple components working together

24
Q

Applying trust in the planes

A

Policy Decision Point (PDP)
– The process that makes the access decision
* Policy Engine
– Evaluates each access request based on policy and other
information sources
– Grant, deny, or revoke
* Policy Administrator
– Communicates with the Policy Enforcement Point
– Generates access tokens or credentials
– Tells the PEP to allow or disallow access

25
Q

Security zones

A

Security is more than a one-to-one relationship
– Broad categorizations provide a security-related
foundation
* Where are you coming from and where
are you going
– Trusted, untrusted
– Internal network, external network
– VPN 1, VPN 5, VPN 11
– Marketing, IT, Accounting, Human Resources
* Using the zones may be enough by itself to deny
access
– For example, Untrusted to Trusted zone traffic
* Some zones are implicitly trusted
– For example, Trusted to Internal zone traffic
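
Cards 22 to 25 as an added Go example (not code from the original flashcards): a Policy Engine takes an access request carrying adaptive-identity risk indicators plus the source and destination zones and returns allow, deny or step-up; a Policy Enforcement Point applies that answer and keeps the accounting record. The rules, zones and subjects are a hypothetical policy written for this example.

```go
package main

import "fmt"

// AccessRequest carries the risk indicators that adaptive identity looks at
// together with the source and destination security zones.
type AccessRequest struct {
	Subject       string
	Relationship  string // "employee", "contractor", "unknown"
	SourceZone    string // "internal", "vpn", "untrusted"
	ManagedDevice bool   // device presented an org-signed certificate
	MFA           bool   // strong authentication already completed
	Resource      string
	ResourceZone  string // "internal", "dmz"
}

// Decision is what the Policy Engine hands back to the Policy Administrator.
type Decision string

const (
	Allow  Decision = "allow"
	Deny   Decision = "deny"
	StepUp Decision = "step-up" // make the authentication stronger, then retry
)

// PolicyEngine is the Policy Decision Point. The rules are a hypothetical
// policy for this example; a real engine would also consult device-health
// and threat-intelligence sources. Order matters: the cheapest, most
// definitive denials run first.
func PolicyEngine(req AccessRequest) (Decision, string) {
	switch {
	case req.SourceZone == "untrusted" && req.ResourceZone == "internal":
		return Deny, "untrusted-to-internal zone traffic is denied outright"
	case req.Relationship == "unknown":
		return Deny, "subject has no relationship to the organization"
	case !req.ManagedDevice:
		return Deny, "device did not present an organization-issued certificate"
	case !req.MFA && req.SourceZone != "internal":
		return StepUp, "MFA required when not on the internal zone"
	default:
		return Allow, "all policy checks satisfied"
	}
}

// PEP is the Policy Enforcement Point: it never decides on its own, it only
// applies the PDP's answer and records it.
type PEP struct {
	Log []string
}

// Handle returns true only when the connection may proceed; the log entry
// is the accounting record for the request.
func (p *PEP) Handle(req AccessRequest) bool {
	decision, reason := PolicyEngine(req)
	p.Log = append(p.Log, fmt.Sprintf("%s -> %s [%s/%s]: %s (%s)",
		req.Subject, req.Resource, req.SourceZone, req.ResourceZone, decision, reason))
	return decision == Allow
}

func main() {
	pep := &PEP{}
	requests := []AccessRequest{ // constructed sample requests
		{"alice", "employee", "internal", true, true, "hr-portal", "internal"},
		{"alice", "employee", "vpn", true, false, "hr-portal", "internal"},
		{"bob", "contractor", "vpn", false, true, "hr-portal", "internal"},
		{"scanner", "unknown", "untrusted", false, false, "hr-portal", "internal"},
	}
	for _, r := range requests {
		pep.Handle(r)
	}
	for _, line := range pep.Log {
		fmt.Println(line)
	}
}
```

The same user gets different answers depending on where the request comes from and what device made it, which is the adaptive part; the zone pair is checked first because it alone can be enough to deny.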

26
Q

Barricades / bollards

A

Prevent access - There are limits to the prevention
* Channel people through a specific access point
– Allow people, prevent cars and trucks
* Identify safety concerns - And prevent injuries
* Can be used to an extreme
– Concrete barriers / bollards, moats

27
Q

Access control vestibules

A

All doors normally unlocked
– Opening one door causes others to lock
* All doors normally locked
– Unlocking one door prevents others from being unlocked
* One door open / other locked
– When one is open, the other cannot be unlocked
* One at a time, controlled groups
– Managed control through an area

28
Q

Fencing

A

Build a perimeter - Usually very obvious
– May not be what you’re looking for
* Transparent/opaque - See through the fence (or not)
* Robust - Difficult to cut the fence
* Prevent climbing - Razor wire - Build it high

29
Q

Video surveillance

A

CCTV (Closed circuit television)
– Can replace physical guards
* Camera features are important
– Motion recognition can alarm and alert
– Object detection can identify a license plate or face
* Often many different cameras
– Networked together and recorded over time

30
Q

Guards and access badges

A

Security guard
– Physical protection at the reception area of a facility
– Validates identification of existing employees
* Two-person integrity/control
– Minimize exposure to an attack
– No single person has access to a physical asset
* Access badge
– Picture, name, other details
– Must be worn at all times - Electronically logged

31
Q

Lighting

A

More light means more security
– Attackers avoid the light - Easier to see when lit
– Non-IR cameras can see better
* Specialized design
– Consider overall light levels
– Lighting angles may be important
– Important for facial recognition
– Avoid shadows and glare

32
Q

Sensors

A

Infrared
– Detects infrared radiation in both light and dark
– Common in motion detectors
* Pressure
– Detects a change in force - Floor and window sensors
* Microwave
– Detects movement across large areas
* Ultrasonic
– Send ultrasonic signals, receive reflected sound waves
– Detect motion, collision detection, etc.

33
Q

Honeypots

A

Attract the bad guys - And trap them there
* The “attacker” is probably a machine
– Makes for interesting recon
* Honeypots - Create a virtual world to explore
* Many different options
– Most are open source and available to download
* Constant battle to discern the real from the fake

34
Q

Honeynets

A

A real network includes more than a single device
– Servers, workstations, routers, switches, firewalls
* Honeynets
– Build a larger deception network with
one or more honeypots
* More than one source of information

35
Q

Honeyfiles

A

Attract the attackers with more honey
– Create files with fake information
– Something bright and shiny
* Honeyfiles
– Bait for the honeynet (passwords.txt)
– Add many honeyfiles to file shares
* An alert is sent if the file is accessed
– A virtual bear trap

36
Q

Honeytokens

A

Track the malicious actors
– Add some traceable data to the honeynet
– If the data is stolen, you’ll know where it came from
* API credentials
– Does not actually provide access
– Notifications are sent when used
* Fake email addresses
– Add it to a contact list
– Monitor the Internet to see who posts it
* Many other honeytoken examples
– Database records, browser cookies, web page pixels
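
Card 36 as an added Go example (not code from the original flashcards): two honeytokens, a fake API key seeded in a honeyfile and a fake mailbox added to a decoy contact list, are scanned for across constructed log lines; each hit becomes an alert that records where the token was planted and the source IP that used it. The token values, log lines and file names are constructed for this example and exist in no real system.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Honeytoken is a piece of traceable data that grants nothing. PlantedAt
// records where it was seeded, so a hit tells you where the attacker got it.
type Honeytoken struct {
	Value     string
	PlantedAt string
}

// Alert is raised when a honeytoken shows up anywhere it should not.
type Alert struct {
	Token     string
	PlantedAt string
	SourceIP  string
	Line      string
}

var ipv4 = regexp.MustCompile(`\b(\d{1,3}\.){3}\d{1,3}\b`)

// IsHoneytoken lets an API front end refuse a planted credential outright:
// it must never authenticate, only alert.
func IsHoneytoken(tokens []Honeytoken, presented string) bool {
	for _, t := range tokens {
		if t.Value == presented {
			return true
		}
	}
	return false
}

// ScanLogs runs the detection over log lines and returns one alert per
// (line, token) hit, with the first IPv4 address in the line as the source.
func ScanLogs(tokens []Honeytoken, lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		for _, t := range tokens {
			if strings.Contains(line, t.Value) {
				alerts = append(alerts, Alert{t.Value, t.PlantedAt, ipv4.FindString(line), line})
			}
		}
	}
	return alerts
}

// Constructed honeytokens: a fake API key seeded in a honeyfile and a fake
// mailbox added to a decoy contact list.
var planted = []Honeytoken{
	{"AKHT0FAKEHONEY00000042", "finance-share/passwords.txt"},
	{"finance-backup-2019@corp.example", "decoy contact list"},
}

// Constructed sample log lines from an API gateway and a web server. The
// first line carries a legitimate-looking key and must not alert.
var sampleLogs = []string{
	`2024-03-01T10:14:02Z api-gw src=203.0.113.7 key=AKIAREALKEY0000000001 path=/v1/orders status=200`,
	`2024-03-01T10:15:44Z api-gw src=198.51.100.23 key=AKHT0FAKEHONEY00000042 path=/v1/admin/users status=401`,
	`2024-03-01T10:16:01Z web src=198.51.100.23 ua="python-requests/2.31" query="finance-backup-2019@corp.example"`,
}

func main() {
	for _, a := range ScanLogs(planted, sampleLogs) {
		fmt.Printf("ALERT token=%s planted_at=%q source=%s\n", a.Token, a.PlantedAt, a.SourceIP)
	}
	fmt.Println("refuse login with planted key:", IsHoneytoken(planted, "AKHT0FAKEHONEY00000042"))
}
```

Because the key is never valid, a hit has no benign explanation: the only way to have it is to have read the honeyfile, which is why the alert can name the file it came from.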