Get the streamlined tool you need to bone up for the Security+ exam [SYO-101]. Fast Pass coverage includes:
Order your copy of the perfect preparation and review resource, Security+ Fast Pass today!
Note: CD-ROM/DVD and other supplementary materials are not included as part of the eBook file.
COMPTIA SECURITY+ EXAM OBJECTIVES COVERED IN THIS CHAPTER:
* DOS/DDOS (Denial of Service/Distributed Denial of Service)
* Back Door
* Man in the Middle
* TCP/IP Hijacking
* Weak Keys
* Social Engineering
* Password Guessing
* Brute Force
* Software Exploitation
* Trojan Horses
* Logic Bombs
The Security+ exam will test your basic IT security skills: those needed to effectively secure stand-alone and networked systems in a corporate environment. To pass the test and be effective in implementing security, you need to understand the basic concepts and terminology in this chapter. This chapter covers all seven major sections of the first domain of the Security+ objectives. These sections focus on the following topics: access control models, authentication methods, non-essential services, common attacks, malicious code, social engineering, and system auditing.
1.1 Identifying Access Control Models
The full name of this section from the Security+ objectives list is "Recognize and be able to differentiate and explain the following access control models." The mechanism by which users are granted or denied the ability to interact with and use resources is known as access control. Access control is often referred to using the term authorization. Authorization defines the type of access to resources users are granted; in other words, what users are authorized to do. Authorization is often considered the next logical step immediately after authentication. Authentication is the proving of your identity to a system, or the act of logging on. With proper authorization or access control, a system will properly control access to resources in order to prevent unauthorized access.
For more information on this topic, refer to Chapter 1 of the Security+ Study Guide, Second Edition, by Sybex.
There are three common access control methods:
* Mandatory Access Control (MAC)
* Discretionary Access Control (DAC)
* Role-Based Access Control (RBAC)
These three models are widely used in today's IT environments. Familiarity with these three models is essential to the Security+ exam.
These three access control models aren't mutually exclusive. Two or more of them can be deployed simultaneously in a single environment.
Mandatory Access Control (MAC)
MAC is a form of access control commonly employed by government and military environments. MAC specifies that access is granted based on a set of rules rather than at the discretion of a user. The rules that govern MAC are hierarchical in nature and are often called sensitivity labels, security domains, or classifications. MAC environments define a few specific security domains or sensitivity levels and then use the associated labels from those domains to impose access control on objects and subjects.
A government or military implementation of MAC typically includes five levels:
* Unclassified
* Sensitive but unclassified
* Confidential
* Secret
* Top secret
This list is in order from least sensitive to most sensitive. Objects or resources are assigned sensitivity labels corresponding to one of these security domains. Each specific security domain or level defines the security mechanisms and restrictions that must be imposed in order to provide protection for objects within that domain.
MAC can also be deployed in private sector or corporate business environments. Such cases typically involve four levels of security domains:
* Public
* Sensitive
* Private
* Confidential
This list is also in order from least sensitive to most sensitive.
The primary purpose of a MAC environment is to prevent disclosure: the violation of the security principle of confidentiality. When an unauthorized user gains access to a secured resource, this is a security violation. Objects are assigned a specific sensitivity label based on the damage that would be caused if disclosure occurred. For example, if a top secret resource were disclosed, it could cause grave damage to national security.
A MAC environment works by assigning subjects a clearance level and objects a sensitivity label; in other words, everything is assigned a classification marker. Subjects or users are assigned clearance levels. The name of the clearance level is the same as the name of the sensitivity label assigned to objects or resources. A person (or other subject, such as a program or a computer system) must have the same or greater assigned clearance level as the resources they wish to access. In this manner, access is granted or restricted based on the rules of classification (that is, sensitivity labels and clearance levels).
MAC is named as it is because the access control it imposes on an environment is mandatory. Its assigned classifications and the resulting granting and restriction of access can't be altered by users. Instead, the rules that define the environment and judge the assignment of sensitivity labels and clearance levels control authorization.
MAC isn't a very granularly controlled security environment. An improvement to MAC includes the use of need to know: a security restriction where some objects (resources or data) are restricted unless the subject has a need to know them. The objects that require specific need to know are assigned a sensitivity label, but they're compartmentalized from the rest of the objects with the same sensitivity label (within the same security domain). The need to know is a rule in and of itself, which states that access is only granted to subjects who have been assigned work tasks that require access to the cordoned-off object. Even if a subject has the proper level of clearance, without need to know, they are denied access. Need to know is the MAC equivalent of the principle of least privilege from DAC (see the following section).
The Trusted Computer System Evaluation Criteria (TCSEC), or Orange Book specifications, which defined government computer security classifications before December 2000 (when they were replaced by the Common Criteria), reference only MAC and DAC methods of access control.
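The MAC rules described above, written out as an added example (not code from the book): a decision function that grants access only when the subject's clearance level is the same or higher than the object's sensitivity label in the chosen hierarchy and the subject holds every need-to-know compartment the object is cordoned off into. The hierarchies are the two listed on the page; the analyst, objects and compartment names are constructed sample data.

```python
from dataclasses import dataclass

# The two MAC hierarchies named in the text, ordered least to most sensitive.
GOVERNMENT = ("unclassified", "sensitive but unclassified", "confidential",
              "secret", "top secret")
CORPORATE = ("public", "sensitive", "private", "confidential")


@dataclass(frozen=True)
class Label:
    """A classification marker: a level plus optional need-to-know compartments.
    The same type serves as a subject's clearance and as an object's sensitivity label."""
    level: str
    compartments: frozenset = frozenset()


def mac_allows(subject: Label, obj: Label, hierarchy=GOVERNMENT) -> bool:
    """Rule-based decision, not owner discretion: grant only when the subject's level
    is the same or higher than the object's AND the subject holds every compartment
    the object requires (need to know). Users cannot change either label."""
    if subject.level not in hierarchy or obj.level not in hierarchy:
        raise ValueError("label level is not defined in this hierarchy")
    high_enough = hierarchy.index(subject.level) >= hierarchy.index(obj.level)
    need_to_know = obj.compartments <= subject.compartments
    return high_enough and need_to_know


def accessible(subject: Label, objects: dict, hierarchy=GOVERNMENT) -> set:
    """Names of the objects a subject may access under the given hierarchy."""
    return {name for name, lbl in objects.items() if mac_allows(subject, lbl, hierarchy)}


# Constructed sample data: an analyst cleared to Secret for the "project-x" compartment.
ANALYST = Label("secret", frozenset({"project-x"}))
OBJECTS = {
    "budget.xls": Label("confidential"),
    "project-x-plan.doc": Label("secret", frozenset({"project-x"})),
    "project-y-plan.doc": Label("secret", frozenset({"project-y"})),  # same level, no need to know
    "war-plan.doc": Label("top secret"),
}

if __name__ == "__main__":
    for name in sorted(OBJECTS):
        print(f"{name:20} {'GRANT' if mac_allows(ANALYST, OBJECTS[name]) else 'DENY'}")
```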
Discretionary Access Control (DAC)
DAC is the form of access control or authorization that is used in most commercial and home environments. DAC is user directed or, more specifically, controlled by the owner and creators of the objects (resources) in the environment. DAC is identity based: Access is granted or restricted by an object's owner based on user identity and on the discretion of the object owner. Thus, the owner or creator of an object can decide whom to grant and deny access to their object.
DAC uses access control lists (ACLs). An ACL is a logical security device attached to every object and resource in the environment; it defines which users are granted or denied the various types of access available based on the object type. Individual user accounts or user groups can be added to an object's ACL and granted or denied access.
If your user account isn't granted access through an object's ACL, then you're denied access by default. If your user account is specifically granted access through an object's ACL, then you're granted the specific level or type of access defined. If your user account is specifically denied access through an object's ACL, then you're denied the specific level or type of access defined. In most cases, a Denied setting in an ACL overrides all other settings. Table 1.1 shows an access matrix for a user who is a member of three groups, and the resulting access to a folder on a network server. As you can see, the presence of the Denied setting overrides any other access granted from another group. Thus, if your membership in one user group grants you write access over an object, but another group specifically denies you write access to the same object, then you're denied write access to the object.
The security concept of the principle of least privilege is connected to DAC. The principle of least privilege states that users should be granted only the minimum level of access that is necessary for them to perform their work tasks, and no more.
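The ACL resolution rules just described (default deny, grants accumulated across the user's groups, an explicit Denied entry overriding every grant), as an added example that is not from the book. The folder ACL, the user jsmith and the three group names are constructed to mirror the Table 1.1 scenario the text mentions.

```python
from dataclasses import dataclass
from typing import Iterable

RIGHTS = ("read", "write", "execute")


@dataclass(frozen=True)
class AclEntry:
    """One line of an object's ACL: the principal it names, the rights, and Allowed/Denied."""
    principal: str          # a user account or a user group
    rights: frozenset
    allow: bool             # True = Allowed, False = explicitly Denied


def effective_access(user: str, groups: Iterable[str], acl: Iterable[AclEntry]) -> dict:
    """Resolve the rights a user ends up with on one object: nothing by default,
    grants accumulate from the user's own entry and every group entry, and a
    Denied entry reached through any identity overrides every grant."""
    identities = {user, *groups}
    granted, denied = set(), set()
    for entry in acl:
        if entry.principal in identities:
            (granted if entry.allow else denied).update(entry.rights)
    return {r: (r in granted and r not in denied) for r in RIGHTS}


def access_matrix(user: str, groups: Iterable[str], acl: Iterable[AclEntry]) -> list:
    """Rows in the style of Table 1.1: each identity's own contribution, then the net result."""
    acl = list(acl)
    rows = [(ident, effective_access(ident, [], acl)) for ident in [user, *groups]]
    rows.append(("RESULT", effective_access(user, groups, acl)))
    return rows


# Constructed scenario: one user in three groups, one shared folder on a file server.
FOLDER_ACL = [
    AclEntry("Sales", frozenset({"read", "write"}), allow=True),
    AclEntry("Managers", frozenset({"read", "write", "execute"}), allow=True),
    AclEntry("Contractors", frozenset({"write"}), allow=False),   # Denied wins over the grants
]
USER, GROUPS = "jsmith", ["Sales", "Managers", "Contractors"]

if __name__ == "__main__":
    for ident, rights in access_matrix(USER, GROUPS, FOLDER_ACL):
        print(f"{ident:12}", "  ".join(f"{r}={'Y' if ok else 'N'}" for r, ok in rights.items()))
```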
Role-Based Access Control (RBAC)
RBAC is another form of rules-based access control. It may be grouped with the nondiscretionary access control methods along with MAC. The rules used for RBAC are basically job descriptions: Users are assigned a specific role in an environment, and access to objects is granted based on the necessary work tasks of that role. For example, the role of backup operator may be granted the ability to back up every file on a system to a tape drive. The user given the backup operator role would then be able to perform that function.
RBAC is most suitable for environments with a high rate of employee turnover. It allows the job descriptions or roles to remain static even when the user performing that role changes often.
The acronym RBAC has a second definition. Rule-Based Access Control (RBAC) is typically used in relation to network devices that filter traffic based on filtering rules. Be sure you understand the context of the Security+ exam question before assuming Role or Rule when you see RBAC.
Mandatory Access Control (MAC): MAC is based on classification rules. Objects are assigned sensitivity labels. Subjects are assigned clearance labels. Users obtain access by having the proper clearance for the specific resource. Classifications are hierarchical.
Common MAC hierarchies: Government or military MAC uses the following levels: unclassified, sensitive but unclassified, confidential, secret, and top secret. Private sector or corporate business environment MAC uses these: public, sensitive, private, and confidential.
Discretionary Access Control (DAC): DAC is based on user identity. Users are granted access through ACLs on objects, based on the discretion of the object's owner or creator.
Role-Based Access Control (RBAC): RBAC is based on job description. Users are granted access based on their assigned work tasks. RBAC is most suitable for environments with a high rate of employee turnover.
1.2 Identifying Authentication Methods
The full name of this section from the Security+ objectives list is "Recognize and be able to differentiate and explain the following methods of authentication." Authentication is the mechanism by which a person proves their identity to a system. Often the authentication process involves a simple username and password. But other more complex authentication factors or credential-protection mechanisms are involved in order to provide strong protection for the logon and account-verification process.
For more information on this topic, refer to Chapter 1 of the Security+ Study Guide, Second Edition, by Sybex.
Authentication is little more than the process of proving that a subject is the valid user of an account. The authentication process requires that the subject provide an identity and then proof of that identity. Identity proofing typically takes the form of one or more of the following three authentication factors:
* Something you know (such as a password)
* Something you have (such as a smartcard)
* Something you are (such as a fingerprint)
This section discusses the specific authentication factors of passwords, tokens, and biometrics. In addition, it addresses the concepts of multi-factor and mutual authentication.
The topic of authentication also includes the protection mechanisms used to secure the authentication credentials (identity claim and identity proofs) while they're in transit from the client to the authentication server. Three such mechanisms are addressed here: Kerberos, CHAP, and certificates.
Early authentication transmission mechanisms sent logon credentials from the client to the authentication server in clear text. Unfortunately, this solution is vulnerable to eavesdropping and interception, thus making the security of the system suspect (if not decimating it). What was needed was a solution that didn't transmit the logon credentials in a form that could be easily
One such method for providing protection for logon credentials is Kerberos: a trusted third-party authentication protocol that was originally developed at MIT under Project Athena. The current version of Kerberos in widespread use is version 5. Kerberos is used to authenticate network principals (subjects) to other entities on the network (objects, resources, and servers). Kerberos is platform independent; however, some operating systems require special configuration adjustments to support true interoperability (for example, Windows Server 2003 or Windows 2000 Server with Unix).
Kerberos is a centralized authentication solution. The core element of a Kerberos solution is the Key Distribution Center (KDC), which is responsible for verifying the identity of principals and granting and controlling access within a network environment through the use of secure cryptographic keys and tickets.
Kerberos is a trusted third-party authentication solution because the KDC acts as a third party in the communications between a client and a server. Thus, if the client trusts the KDC and the server trusts the KDC, then the client and server can trust each other.
Kerberos is also a single sign-on solution. Single sign-on means that once a user (or other subject) is authenticated into the realm, they need not reauthenticate to access resources on any realm entity. (A realm is the network protected under a single Kerberos implementation.)
The basic process of Kerberos authentication is as follows:
1. The subject provides logon credentials.
2. The Kerberos client system encrypts the password with Data Encryption Standard (DES) and transmits the protected credentials to the KDC.
3. The KDC verifies the credentials and then creates a Ticket Granting Ticket (TGT, a hashed form of the subject's password with the addition of a timestamp that indicates a valid lifetime). The TGT is encrypted and sent to the client.
4. The client receives the TGT. At this point, the subject is an authenticated principal in the Kerberos realm.
5. The subject requests access to resources on a network server. This causes the client to request a Service Ticket (ST) from the KDC.
6. The KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a timestamp that indicates its valid lifetime.
7. The client receives the ST.
8. The client sends the ST to the network server that hosts the desired resource.
9. The network server verifies the ST. If it's verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved.
Figure 1.1 shows the Kerberos authentication process.
The Kerberos authentication method helps to ensure that logon credentials aren't compromised while in transit from the client to the server. The inclusion of a timestamp in the tickets ensures that expired tickets can't be reused. This prevents replay and spoofing attacks against Kerberos.
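A simplified model of the ticket flow above, added here as an example and not taken from the book or from any Kerberos implementation. An HMAC tag stands in for the symmetric encryption Kerberos applies to tickets (so tickets are tamper-evident, not confidential), the credential check of steps 1-3 is assumed already done, and the clock is passed in explicitly so the lifetime check that defeats replay can be exercised. Key values, the principal "alice" and the service "fileserver" are constructed.

```python
import hashlib
import hmac
import json

# Constructed long-term keys. In Kerberos the KDC shares a secret with each principal
# and each service; HMAC-SHA256 here plays the role of that symmetric key material.
KDC_KEY = b"constructed-kdc-key"
SERVICE_KEYS = {"fileserver": b"constructed-fileserver-key"}


def seal(ticket: dict, key: bytes) -> dict:
    body = json.dumps(ticket, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def unseal(sealed: dict, key: bytes, now: int):
    """Return the ticket only if its tag verifies under `key` and `now` is inside its lifetime."""
    tag = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        return None                                   # forged or altered ticket
    t = json.loads(sealed["body"])
    if not t["issued"] <= now < t["issued"] + t["lifetime"]:
        return None                                   # expired: a replayed ticket is rejected
    return t


def kdc_issue_tgt(principal: str, now: int, lifetime: int = 600) -> dict:
    """Steps 3-4: credentials already verified, the KDC hands out a TGT with a lifetime."""
    return seal({"principal": principal, "service": "krbtgt",
                 "issued": now, "lifetime": lifetime}, KDC_KEY)


def kdc_issue_st(tgt: dict, service: str, now: int, lifetime: int = 300):
    """Steps 5-6: a valid TGT buys a Service Ticket sealed under the target service's key."""
    t = unseal(tgt, KDC_KEY, now)
    if t is None or t["service"] != "krbtgt" or service not in SERVICE_KEYS:
        return None
    return seal({"principal": t["principal"], "service": service,
                 "issued": now, "lifetime": lifetime}, SERVICE_KEYS[service])


def server_accepts(st: dict, service: str, now: int) -> bool:
    """Steps 8-9: the server checks the ST with its own key; the KDC is no longer involved."""
    t = unseal(st, SERVICE_KEYS[service], now)
    return t is not None and t["service"] == service


if __name__ == "__main__":
    tgt = kdc_issue_tgt("alice", now=1000)
    st = kdc_issue_st(tgt, "fileserver", now=1010)
    print("fresh ST accepted:", server_accepts(st, "fileserver", now=1020))
    print("same ST replayed after expiry:", server_accepts(st, "fileserver", now=1400))
```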
Excerpted from Security+ Fast Pass by James Michael Stewart. Excerpted by permission.
Ch. 1: General security concepts, p. 1
Ch. 2: Communication security, p. 37
Ch. 3: Infrastructure security, p. 71
Ch. 4: Basics of cryptography, p. 117
Ch. 5: Operational/organizational security, p. 147