Chapter 1 "Mastering the Basics of Security"

Security+ (Gibson, Darril) by Guardsman RedWolves336

Confidentiality
helps prevent the unauthorized disclosure of data.
Integrity
provides assurances that data has not been modified, tampered with, or corrupted.
Availability
indicates that data and services are available when needed.
Disk redundancies.
RAID-1 (mirroring) and RAID-5 (striping with parity) allow a system to continue to operate even if a disk fails.
Server redundancies.
Failover clusters can be implemented that will allow a service to continue to be provided even if a server fails.
Site redundancies.
If a site can no longer function due to a disaster, such as a fire, flood, hurricane, or earthquake, the site can move functionality to an alternate site.
Backups.
If important data is backed up, it can be restored when it is lost.
Alternate power.
Uninterruptible power supplies (UPSs) and power generators can provide power to key systems even if commercial power fails.
Heating, ventilation, and air-conditioning (HVAC)
systems improve the availability of systems by reducing outages from overheating.
Balancing CIA
It's possible to ensure the confidentiality, integrity, and availability of data equally. However, an organization may choose to prioritize the importance of one or two of these based on the goals of the organization, or the goal of a specific system.
Non-repudiation
Is the term used to describe the inability of a person to deny or repudiate the origin of a signature or document, or the receipt of a message or document.
Defense in Depth
refers to the security practice of implementing several layers of protection.
Implicit Deny
indicates that unless something is explicitly allowed, it is denied. Routers and firewalls often have access control lists (ACLs) that explicitly identify allowed traffic.
Identity Proofing
is the process of verifying that people are who they claim to be prior to issuing them credentials, or later when individuals lose their credentials.
Identity Proofing for Verification
A second use of identity proofing is after issuing credentials.
Self-service Password Reset Systems
An additional use of identity proofing is with password reset or password management systems.
Three Factors of Authentication
-Something you know (such as username and password)
-Something you have (such as a smart card)
-Something you are (such as a fingerprint or other biometric identification)
Something You Know
authentication factor typically refers to a shared secret, such as a password, a username and password, or even a PIN.
Strong Passwords
-Uppercase characters (twenty-six letters A-Z)
-Lowercase characters (twenty-six letters a-z)
-Numbers (ten numbers 0-9)
-Special characters (thirty-two printable characters, such as !, $, and *)
Storing Passwords
Passwords should not be written down unless absolutely necessary. If they are written down, they should be stored in a safe.
Sharing Passwords
Only one person should know the password, and users should not share their passwords with anyone.
Changing Passwords
In addition to being strong, passwords should also be changed regularly. In most networks, users are automatically required to change their passwords regularly through technical means.
Resetting Passwords
It's not uncommon for users to occasionally forget their password. In many organizations, help-desk professionals or other administrators are tasked with resetting the password and letting the user know the new password.
Password History
Passwords should not be reused. Forcing users to change their password is a good first step, but some users will change back and forth between two passwords that they constantly use and reuse.
Account Lockout Policies
Accounts will typically have lockout policies preventing users from guessing the password. If the wrong password is entered a specific number of times (such as three or five times), then the account will be locked.
Account lockout threshold.
This is the maximum number of times a wrong password can be entered. When the threshold is exceeded, the account is locked.
Account lockout duration.
This indicates how long an account will be locked.
Change Defaults
Changing defaults is one of the basics of hardening systems, along with removing unnecessary protocols and services and keeping the system up to date.
Previous Logon Notification
A simple technique used to alert users when their account may have been compromised is to provide notification of when they last logged on.
Importance of Training
Many users don't understand the value of their password, or the damage that can be done if they give it out.
Something You Have
factor refers to something you can physically hold.
Smart Cards
are credit-card-sized cards that have an embedded microchip and a certificate.
Embedded certificate.
holds a user's private key (which is only accessible to the user) and is matched with a public key (that is publicly available to others). The private key is used each time the user logs on to a network.
Public Key Infrastructure (PKI).
allows the issuance and management of certificates.
Common Access Card (CAC)
Is a specialized type of smart card used by the United States Department of Defense.
Personal Identity Verification (PIV) Card
Is a specialized type of smart card used by United States federal agencies. It also includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users, just as a CAC does.
Tokens
are small objects you can carry around in your pocket or connect to a key chain. They include an LCD that displays a number that changes periodically, such as every sixty seconds, and the token is synced with a server that knows what the number will be at any moment.
False acceptance
This is when a biometric system incorrectly identifies an unauthorized user as an authorized user.
False rejection.
This is when a biometric system incorrectly rejects an authorized user.
Multifactor Authentication
is the use of more than one factor of authentication.
Kerberos
is a network authentication mechanism used within Windows Active Directory domains and some UNIX environments known as realms.
The Key Distribution Center (KDC)
uses a complex process of issuing ticket-granting tickets, which are later presented to request tickets used to access objects.
Time synchronization
The clock that provides the time synchronization is used to time-stamp tickets, ensuring they expire correctly.
A database of subjects or users.
In a Microsoft environment, this is Active Directory, but it could be any database of users.
Lightweight Directory Access Protocol (LDAP)
specifies formats and methods to query directories. In this context, a directory is a database of objects that provides a central access point, or location, to manage users, computers, and other directory objects.
Mutual Authentication
is accomplished when both entities in a session authenticate with each other prior to exchanging data.
Single Sign-on (SSO)
refers to the ability of a user to log on or access multiple systems by providing credentials only once.
IEEE 802.1X Protocol
Is a port-based authentication protocol. It provides authentication when a user connects to a specific access point, or, in this context, a logical port.
Institute of Electrical and Electronics Engineers (IEEE)
is an international organization that is actively involved in the development of many different protocol standards. Protocols and standards are created by the IEEE and prefaced with IEEE.
Remote Access Authentication (RAS)
are used to provide access to an internal network from an outside source.
Password Authentication Protocol (PAP)
is used with Point to Point Protocol (PPP) to authenticate clients.
CHAP
Challenge Handshake Authentication Protocol has often been used to authenticate users in the past.
MS-CHAP
Microsoft introduced Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) as an improvement over CHAP for Microsoft clients.
MS-CHAPv2
A significant improvement over MS-CHAP is the ability to perform mutual authentication. Not only does the client authenticate to the server, but the server also authenticates to the client.
Remote Authentication Dial-In User Service (RADIUS)
is a centralized authentication service.
Terminal Access Controller Access-Control System (TACACS) and Extended TACACS (XTACACS)
are older authentication protocols rarely used today. TACACS is a generic protocol and was commonly used on Cisco and UNIX systems.
Terminal Access Controller Access-Control System+, or TACACS+
is Cisco's alternative to RADIUS. TACACS and XTACACS have been replaced with TACACS+ in most implementations, but you may still see TACACS in a legacy system.
AAA Protocols
provide authentication, authorization, and accounting. Authentication verifies a user's identification. Authorization determines if a user should have access. Accounting tracks user access with logs.