Security Flashcards
Mantraps
- All doors normally unlocked
- Opening one door causes others to lock
- All doors normally locked
- Unlocking one door prevents others from being unlocked
- One door open / other locked
- When one is open, the other cannot be unlocked
- One at a time, controlled groups
- Managed control through an area
Token-based
Magnetic swipe card or key fob
Tokens and cards
- Smart card
- Integrates with devices
- May require a PIN
- USB token
- Certificate is on the USB device
- Hardware or software tokens
- Generates pseudo-random authentication codes
- Your phone
- SMS a code to your phone
Guards and access lists
- Security guard
- Physical protection
- Validates identification of existing employees
- Provides guest access
- ID badge
- Picture, name, other details
- Must be worn at all times
- Access list
- Physical list of names
- Enforced by security guard
USB locks
- Prevent access to a USB port
- Physical lock inside of the interface
- A secondary security option after disabling the interface in BIOS and/or operating system
- There’s always a way around security controls
- Relatively simple locks
- Defense in depth
Active Directory
- Centralized management
- Windows Domain Services
- Limit and control access
Login script
- Map network drives
- Update security software signatures
- Update application software
Organizational Units
- Structure Active Directory
- Can be based on the company (locations, departments)
Home Folder
- Assign a network share as the user’s home
- \\server1\users\professormesser
- Folder redirection
- Instead of a local folder, redirect to the server
- Store the Documents folder on \\server1
- Access files from anywhere
Mobile Device Management (MDM)
- Manage company-owned and user-owned devices
- BYOD - Bring Your Own Device
- Centralized management of the mobile devices
- Specialized functionality
- Set policies on apps, data, camera, etc.
- Control the remote device
- The entire device or a “partition”
- Manage access control
- Force screen locks and PINs on these single user devices
Port security
- Prevent unauthorized users from connecting to a switch interface
- Alert or disable the port
- Based on the source MAC address
- Even if forwarded from elsewhere
- Each port has its own config
- Unique rules for every interface
MAC filtering
- Media Access Control - The “hardware” address
- Limit access through the physical hardware address
- Keeps the neighbors out
- Additional administration with visitors
- Easy to find MAC addresses through wireless LAN analysis
- MAC addresses can be spoofed
- Security through obscurity
Certificate-based authentication
- Smart card
- Private key is on the card
- PIV (Personal Identity Verification) card
- US Federal Government smart card
- Picture and identification information
- CAC (Common Access Card)
- US Department of Defense smart card
- Picture and identification
- IEEE 802.1X
- Gain access to the network using a certificate
- On-device storage or separate physical device
Host-based firewalls
- “Personal” firewalls
- Software-based
- Included in many operating systems
- 3rd-party solutions also available
- Stops unauthorized network access
- “Stateful” firewall
- Blocks traffic by application
- Windows Firewall
- Filters traffic by port number and application
Network-based firewalls
- Filters traffic by port number
- HTTP is 80, SSH is 22
- Next-generation firewalls can identify the application
- Can encrypt traffic into/out of the network
- Protect your traffic between sites
- Can proxy traffic
- A common security technique
- Most firewalls can be layer 3 devices (routers)
- Usually sits on the ingress/egress of the network