Module 1 - Security Fundamentals New
ASSURANCE & SECURITY 1
MODULE 1: SECURITY FUNDAMENTALS
OBJECTIVES
Upon completion of this module, the student would be able to:
▪ Define Information Security and its goals;
▪ Demonstrate the abstract view of the components of a goal of security;
▪ Enumerate the types of risks, threats, vulnerability, intrusion and attacks;
▪ Explain the Information Security Controls;
▪ Discuss Security Management Process;
▪ Give different aspects of CIA Triad.
OBJECTIVES
Upon completion of this module, the student would be able to:
▪ Define cryptography;
▪ Discuss encryption and decryption;
▪ Discuss the concepts of steganography and digital signatures;
▪ Explain the process concept of authentication methods;
▪ Describe different states of authentication;
▪ Discuss common security practices;
▪ Explain security policy;
▪ Discuss the concept of common security policy and group policy.
INFORMATION SECURITY CYCLE
What Is Information Security?
Data
Resource
Data Resource
Goals of Security
• Prevention
• Detection
• Recovery
A fundamental understanding of the standard concepts of security is
essential before people can start securing their environment.
Risk
Likelihood: Rare
Damage: Moderate
Network-Based Attacks
Security Controls
• Controls are the countermeasures that you need to put in place to avoid,
mitigate, or counteract security risks due to threats or attacks.
Availability
The CIA Triad is a well-known, venerable model for the development of security
policies used in identifying problem areas, along with necessary solutions in the
arena of information security.
Confidentiality
❑Strong encryption
❑Strong authentication
❑Stringent access controls
Integrity
❑Something you do
✓Keystroke patterns
Authorization
Rule-Based Access Control
Accounting and Auditing
• The process of tracking and recording system activities and resource access.
Common Security Practices
❑Implicit deny
❑Least privilege
❑Separation of duties
❑Job rotation
❑Mandatory vacation
❑Time of day restrictions
❑Privilege management
Implicit Deny
Default Deny
An implicit deny only denies a permission until the user or group is allowed
to perform the permission.
Least Privilege
Data Entry Clerks (User 1, User 2): perform their jobs with fewer privileges
Financial Coordinators (User 3, User 4): perform their jobs with more privileges
Audit
Access Control
Firewall Restore
MANDATORY VACATIONS policies require employees to take time away from their job.
Time of Day Restrictions
TIME OF DAY RESTRICTIONS limit when users can access specific systems based on
the time of day or week.
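The following is an added example, not part of the original module: a small access check that combines implicit deny, least privilege and time of day restrictions, and records every decision for accounting and auditing. The group names and users follow the Least Privilege slide; the "ledger" resource, the action names and the permitted hours are assumptions made for illustration.

```python
from datetime import datetime, time

# Group names follow the slide; resource, actions and hours are constructed.
WEEKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday
ALLOW_RULES = [
    {"group": "Data Entry Clerks", "resource": "ledger",
     "actions": {"read", "create"}, "days": WEEKDAYS,
     "start": time(8, 0), "end": time(17, 0)},
    {"group": "Financial Coordinators", "resource": "ledger",
     "actions": {"read", "create", "approve"}, "days": WEEKDAYS,
     "start": time(7, 0), "end": time(19, 0)},
]
MEMBERSHIP = {
    "user1": {"Data Entry Clerks"}, "user2": {"Data Entry Clerks"},
    "user3": {"Financial Coordinators"}, "user4": {"Financial Coordinators"},
}
AUDIT_LOG = []  # accounting: every decision is recorded, allowed or not


def is_allowed(user, resource, action, when):
    """Return True only if an explicit allow rule matches; otherwise deny."""
    groups = MEMBERSHIP.get(user, set())  # an unknown user has no groups
    decision, reason = False, "implicit deny: no matching allow rule"
    for rule in ALLOW_RULES:
        if rule["group"] not in groups or rule["resource"] != resource:
            continue
        if action not in rule["actions"]:
            reason = "implicit deny: action not granted to group"
            continue
        in_hours = (when.weekday() in rule["days"]
                    and rule["start"] <= when.time() < rule["end"])
        if not in_hours:
            reason = "deny: outside permitted hours"
            continue
        decision, reason = True, f"allow: {rule['group']}"
        break
    AUDIT_LOG.append((when.isoformat(), user, resource, action, decision, reason))
    return decision


if __name__ == "__main__":
    monday_10am = datetime(2024, 3, 4, 10, 0)   # constructed sample times
    monday_10pm = datetime(2024, 3, 4, 22, 0)
    print(is_allowed("user1", "ledger", "create", monday_10am))
    print(is_allowed("user1", "ledger", "approve", monday_10am))
    print(is_allowed("user3", "ledger", "approve", monday_10pm))
    for entry in AUDIT_LOG:
        print(entry)
```

There is no deny rule anywhere in the policy: a request is refused simply because nothing grants it, which is what implicit deny means in practice.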
Security Tokens
Unique
PIN
Value
User Password
Information
Password
ID Card
A cipher is a system of writing that prevents most people from understanding the message.
Stream Cipher
Cipher Types
Plaintext Ciphertext
Block Cipher Block
Block cipher takes a block of plain text and a key, and outputs a block of
ciphertext of the same size.
Steganography
A hash function transforms data in one direction only; the hashed data cannot be decrypted.
Hashing Encryption
= Two Letters
Following
Symmetric encryption uses a single key to encrypt and decrypt data. Therefore,
it is also referred to as secret-key, single-key, shared-key, and private-key
encryption.
Symmetric Encryption Algorithms
Asymmetric encryption, also known as public key cryptography, uses two mathematically
related keys.
Asymmetric Encryption Techniques
❑RSA - Rivest–Shamir–Adleman
❑DH - Diffie–Hellman key exchange
❑ECC - Elliptic curve cryptography
❑DHE - Diffie–Hellman key exchange
❑ECDHE - Elliptic curve Diffie-Hellman
Key Exchange
Sender Receiver
For messages to be exchanged, the sender and receiver need the right cryptographic keys.
Hash Value of
Hash Value Matches
Signature
Single-Use Key
Individual Policy
Formal Policy Statement
Resources to Protect
Implementation Measures
All security policies should include a well-defined security vision for the
organization.
Enforcement – This section should clearly identify how the policy will be
enforced and how security breaches and/or misconduct will be handled.
User Access to Computer Resources – This section should identify the roles and
responsibilities of users accessing resources on the organization’s network.
Security Policy Components
Security Profiles – This section should include information that identifies how
security profiles will be applied uniformly across common devices.
Internet – This section is about usage and what content filtering is in place.
Anti-Virus – This section identifies the frequency of updating the file definitions
as well as how removable media, e-mail attachments and other files are scanned.
Audit policy defines account limits for a set of users of one or more
resources.
Common Security Policy Types
Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls
the working environment of user accounts and computer accounts.
Security Document Categories
System architecture is the conceptual model that defines the structure,
behavior, and more views of a system.
Classification
Every paper or electronic record has a specific amount of time that it needs
to be kept. This is called a retention period.
Once the retention period has ended, records are disposed of
according to their value and content:
▪ Shred
▪ Recycle
▪ Delete
▪ Transfer
• CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide
Paperback – October 12, 2017 by Darril Gibson