1.2 Summarize fundamental security concepts. Flashcards
The CIA Triad
Combination of principles
– The fundamentals of security
– Sometimes referenced as the AIC Triad
* Confidentiality
– Prevent disclosure of information to
unauthorized individuals or systems
* Integrity
– Messages can’t be modified without detection
* Availability
– Systems and networks must be up and running
Confidentiality
Certain information should only be known
to certain people
– Prevent unauthorized information disclosure
* Encryption
– Encode messages so only certain people
can read it
* Access controls
– Selectively restrict access to a resource
* Two-factor authentication
– Additional confirmation before information
is disclosed
Integrity
Data is stored and transferred as intended
– Any modification to the data would be identified
* Hashing
– Map data of an arbitrary length to data of a fixed length
* Digital signatures
– Mathematical scheme to verify the integrity of data
* Certificates
– Combine with a digital signature to verify an individual
* Non-repudiation
– Provides proof of integrity, can be asserted to be genuine
Availability
Availability
* Information is accessible to authorized users
– Always at your fingertips
* Redundancy
– Build services that will always be available
* Fault tolerance
– System will continue to run, even when a failure occurs
* Patching
– Stability
– Close security holes
Non-repudiation
You can’t deny what you’ve said
– There’s no taking it back
* Sign a contract
– Your signature adds non-repudiation
– You really did sign the contract
– Others can see your signature
* Adds a different perspective for cryptography
– Proof of integrity
– Proof of origin, with high assurance of authenticity
Proof of integrity
Verify data does not change
– The data remains accurate and consistent
* In cryptography, we use a hash
– Represent data as a short string of text
– A message digest, a fingerprint
* If the data changes, the hash changes
– If the person changes, you get a different fingerprint
* Doesn’t necessarily associate data with an individual
– Only tells you if the data has changed
Hashing the encyclopedia
Gutenberg Encyclopedia, Vol 1,
by Project Gutenberg (8.1 megabytes)
* Change one character somewhere in the file
– The hash changes
* If the hash is different, something has changed
– The data integrity has been compromised
Proof of origin
Prove the message was not changed
– Integrity
* Prove the source of the message
– Authentication
* Make sure the signature isn’t fake
– Non-repudiation
* Sign with the private key
– The message doesn’t need to be encrypted
– Nobody else can sign this (obviously)
* Verify with the public key
– Any change to the message will invalidate the signature
AAA framework
Identification
– This is who you claim to be
– Usually your username
* Authentication
– Prove you are who you say you are
– Password and other authentication factors
* Authorization
– Based on your identification and authentication,
what access do you have?
* Accounting
– Resources used: Login time, data sent and
received, logout time
Authenticating systems
You have to manage many devices
– Often devices that you’ll never physically see
* A system can’t type a password
– And you may not want to store one
* How can you truly authenticate a device?
– Put a digitally signed certificate on the device
* Other business processes rely on the certificate
– Access to the VPN from authorized devices
– Management software can validate the end device
Certificate authentication
An organization has a trusted Certificate Authority (CA)
– Most organizations maintain their own CAs
* The organization creates a certificate for a device
– And digitally signs the certificate with the organization’s CA
* The certificate can now be included on a device as an
authentication factor
– The CA’s digital signature is used to validate the certificate
Authorization models
The user or device has now authenticated
– To what do they now have access?
– Time to apply an authorization model
* Users and services -> data and applications
– Associating individual users to access rights
does not scale
* Put an authorization model in the middle
– Define by Roles, Organizations, Attributes, etc.
No authorization model
A simple relationship
– User -> Resource
* Some issues with this method
– Difficult to understand why an authorization may exist
– Does not scale
Using an authorization model
Add an abstraction
– Reduce complexity
– Create a clear relationship between the user
and the resource
* Administration is streamlined
– Easy to understand the authorizations
– Support any number of users or resources
Gap Analysis
Where you are compared with where you want to be
– The “gap” between the two
* This may require extensive research
– There’s a lot to consider
* This can take weeks or months
– An extensive study with numerous participants
– Get ready for emails, data gathering, and technical
research
Choosing the framework
Work towards a known baseline
– This may be an internal set of goals
– Some organizations should use formal standards
* Determine the end goal
– NIST Special Publication 800-171 Revision 2,
– Protecting Controlled Unclassified Information in
– Nonfederal Systems and Organizations
* ISO/IEC 27001
– Information security management systems
Evaluate people and processes
Get a baseline of employees
– Formal experience
– Current training
– Knowledge of security policies and procedures
* Examine the current processes
– Research existing IT systems
– Evaluate existing security policies
Compare and contrast
The comparison
– Evaluate existing systems
* Identify weaknesses
– Along with the most effective processes
* A detailed analysis
– Examine broad security categories
– Break those into smaller segments
The analysis and report
The final comparison
– Detailed baseline objectives
– A clear view of the current state
* Need a path to get from the current security to the goal
– This will almost certainly include time, money, and lots
of change control
* Time to create the gap analysis report
– A formal description of the current state
– Recommendations for meeting the baseline
Zero trust
Many networks are relatively open on the inside
– Once you’re through the firewall, there are few
security controls
* Zero trust is a holistic approach to network security
– Covers every device, every process, every person
* Everything must be verified
– Nothing is inherently trusted
– Multi-factor authentication, encryption, system
permissions, additional firewalls, monitoring and
analytics, etc
Planes of operation
Split the network into functional planes
– Applies to both physical, virtual, and cloud
components
* Data plane
– Process the frames, packets, and network data
– Processing, forwarding, trunking, encrypting, NAT
* Control plane
– Manages the actions of the data plane
– Define policies and rules
– Determines how packets should be forwarded
– Routing tables, session tables, NAT tables
Controlling trust
Adaptive identity
– Consider the source and the requested resources
– Multiple risk indicators - relationship to the
organization, physical location, type of connection, IP
Policy enforcement point
Subjects and systems
– End users, applications, non-human entities
* Policy enforcement point (PEP)
– The gatekeeper
* Allow, monitor, and terminate connections
– Can consist of multiple components working together
Applying trust in the planes
Policy Decision Point
– There’s a process for making an authentication decision
* Policy Engine
– Evaluates each access decision based on policy and other
information sources
– Grant, deny, or revoke
* Policy Administrator
– Communicates with the Policy Enforcement Point
– Generates access tokens or credentials
– Tells the PEP to allow or disallow access address, etc.
– Make the authentication stronger, if needed
* Threat scope reduction
– Decrease the number of possible entry points
* Policy-driven access control
– Combine the adaptive identity with a predefined set of rules
