Security Flashcards
Mantraps
- All doors normally unlocked
- Opening one door causes others to lock
- All doors normally locked
- Unlocking one door prevents others from being unlocked
- One door open / other locked
- When one is open, the other cannot be unlocked
- One at a time, controlled groups
- Managed control through an area
Token-based
Magnetic swipe card or key fob
Tokens and cards
- Smart card
- Integrates with devices
- May require a PIN
- USB token
- Certificate is on the USB device
- Hardware or software tokens
- Generates pseudo-random authentication codes
- Your phone
- SMS a code to your phone
Guards and access lists
- Security guard
- Physical protection
- Validates identification of existing employees
- Provides guest access
- ID badge
- Picture, name, other details
- Must be worn at all times
- Access list
- Physical list of names
- Enforced by security guard
USB locks
- Prevent access to a USB port
- Physical lock inside of the interface
- A secondary security option after disabling the interface in BIOS and/or operating system
- There’s always a way around security controls
- Relatively simple locks
- Defense in depth
Active Directory
- Centralized management
- Windows Domain Services
- Limit and control access
Login script
- Map network drives
- Update security software signatures
- Update application software
Organizational Units
- Structure Active Directory
- Can be based on the company (locations, departments)
Home Folder
- Assign a network share as the user’s home
- \\server1\users\professormesser
- Folder redirection
- Instead of a local folder, redirect to the server
- Store the Documents folder on \\server1
- Access files from anywhere
Mobile Device Management (MDM)
- Manage company-owned and user-owned devices
- BYOD - Bring Your Own Device
- Centralized management of the mobile devices
- Specialized functionality
- Set policies on apps, data, camera, etc.
- Control the remote device
- The entire device or a “partition”
- Manage access control
- Force screen locks and PINs on these single-user devices
Port security
- Prevent unauthorized users from connecting to a switch interface
- Alert or disable the port
- Based on the source MAC address
- Even if forwarded from elsewhere
- Each port has its own config
- Unique rules for every interface
MAC filtering
- Media Access Control - The “hardware” address
- Limit access through the physical hardware address
- Keeps the neighbors out
- Additional administration with visitors
- Easy to find MAC addresses through wireless LAN analysis
- MAC addresses can be spoofed
- Security through obscurity
Certificate-based authentication
- Smart card
- Private key is on the card
- PIV (Personal Identity Verification) card
- US Federal Government smart card
- Picture and identification information
- CAC (Common Access Card)
- US Department of Defense smart card
- Picture and identification
- IEEE 802.1X
- Gain access to the network using a certificate
- On-device storage or separate physical device
Host-based firewalls
- “Personal” firewalls
- Software-based
- Included in many operating systems
- 3rd-party solutions also available
- Stops unauthorized network access
- “Stateful” firewall
- Blocks traffic by application
- Windows Firewall
- Filters traffic by port number and application
Network-based firewalls
- Filters traffic by port number
- HTTP is 80, SSH is 22
- Next-generation firewalls can identify the application
- Can encrypt traffic into/out of the network
- Protect your traffic between sites
- Can proxy traffic
- A common security technique
- Most firewalls can be layer 3 devices (routers)
- Usually sits on the ingress/egress of the network
User authentication
- Identifier
- Something unique
- In Windows, every account has a Security Identifier (SID)
- Credentials
- The information used to authenticate the user
- Password, smart card, PIN code, etc.
- Profile
- Information stored about the user
- Name, contact information, group memberships, etc.
Directory permissions
- NTFS permissions
- Much more granular than FAT
- Lock down access
- Prevent accidental modification or deletion
- Some information shouldn’t be seen
- User permissions
- Everyone isn’t an Administrator
- Assign proper rights and permissions
- This may be an involved audit
VPN concentrator
- Virtual Private Network
- Encrypt (private) data traversing a public network
- Concentrator
- Encryption/decryption access device
- Many deployment options
- Specialized cryptographic hardware
- Software-based options available
- Used with client software
- Sometimes built into the OS
Data Loss Prevention (DLP)
- Where’s your data?
- Social Security numbers, credit card numbers, medical records
- Stop the data before the bad guys get it
- Data “leakage”
- So many sources, so many destinations
- Often requires multiple solutions in different places
Access Control Lists (ACLs)
- Used to allow or deny traffic
- Also used for NAT, QoS, etc.
- Defined on the ingress or egress of an interface
- Often on a router or switch
- Incoming or outgoing
- ACLs evaluate on certain criteria
- Source IP, destination IP
- TCP port numbers, UDP port numbers, ICMP
- Deny or permit
- What happens when an ACL matches the traffic?
- Following the traffic flow
Email filtering
- Unsolicited email
- Stop it at the gateway before it reaches the user
- On-site or cloud-based
- Scan and block malicious software
- Executables, known vulnerabilities
- Phishing attempts
- Other unwanted content
Antivirus software is kept up to date via:
- Engine updates
- Virus signature updates
Examples of secure network protocols used for establishing VPN connections include:
- IPsec
- TLS