
CompTIA Security+ Certification

Support Skills
1.1 Security Controls

This courseware is copyrighted © 2015 gtslearning. No part of this courseware or any training material supplied by gtslearning International Limited to accompany
the courseware may be copied, photocopied, reproduced, or re-used in any form or by any means without permission in writing from a director of gtslearning
International Limited. Violation of these laws will lead to prosecution. All trademarks, service marks, products, or services are trademarks or registered trademarks
of their respective holders and are acknowledged by the publisher.
All gtslearning products are supplied on the basis of a single copy of a course per student. Additional resources that may be made available from gtslearning may
only be used in conjunction with courses sold by gtslearning. No material changes to these resources are permitted without express written permission by a director
of gtslearning. These resources may not be used in conjunction with content from any other supplier.
If you suspect that this course has been copied or distributed illegally, please telephone or email gtslearning.
Objectives
• Understand why security
policies and procedures are
critical to protecting assets
• Distinguish the types of
security controls that can be
deployed to protect assets
• Describe the basis of access
control systems:
Identification,
Authentication,
Authorization, and
Accounting
• Know the use of different
access control models
Why is Security Important?
• Increasing computer crime
o Theft
o Fraud
o Vandalism

• Effective security is as much about people and operations as it is about technology

Assets
• Tangible
• Intangible
• People (employees)
• Market value
• Practical value

Why is Data Important?
• Business functions
o IT / administration
o Product development
o Sales / marketing
o Financial information

• Legal / regulatory / contractual obligations

The CIA Triad
• Confidentiality
• Integrity
• Availability
• (Non-repudiation)

The CIA Triad
• Confidentiality: data is kept secret from parties that are not entitled to it
• Integrity: data remains trustworthy; it can be verified that the data has not been modified by unauthorized parties
• Availability: data is available to the parties entitled to it
• Non-Repudiation: a transaction that has been carried out cannot be denied as having taken place by the party that performed it (someone cannot deny something)
Security Policy
• Commitment to secure working practices
• Risk assessment
• Tested, documented procedures and security
controls
• Compliance

Roles and Responsibilities

• Overall responsibility
• Managerial
• Technical
• Non-technical
• Legal / regulatory
• Security professional role
Security Controls
• A security control (or countermeasure) is something
designed to make a particular asset or information
system secure (that is, give it the properties of
confidentiality, integrity, availability, and non-
repudiation).
• Countermeasures deployed against threats or
vulnerabilities to protect assets
• Types (NIST SP 800-53)
o Families
− Basic function (access control, configuration management, incident response, etc.)
o Classes
− Technical – implemented in hardware or software
− Operational – implemented by people
− Management – oversight and evaluation
Physical Security Control Types
• As with the NIST classification, controls can be
divided into two broad classes:
o Administrative - controls that determine the way people act,
including policies, procedures, and guidance.
o Technical - controls implemented in operating systems,
software, and hardware devices.

• Goal / function
• Whether administrative or technical, controls can also be
classified according to the goal or function of the control
in a simpler schema than the families identified by NIST.
o Preventive - the control physically or logically restricts unauthorized access
o Deterrent - the control may not physically or logically prevent access, but
psychologically discourages an attacker from attempting an intrusion
o Detective - the control may not prevent or deter access, but it will identify
and record any attempted or successful intrusion.
o Corrective - the control responds to and fixes an incident and may also
prevent its reoccurrence.
o Compensating - the control does not prevent the attack but restores the
function of the system through some other means, such as using data
backup or an alternative site.

• As no single security control is likely to be invulnerable, it is helpful to think of them as delaying or hampering an attacker until the intrusion can be detected. The efficiency of a control is a measure of how long it can delay an attack.

Access Control and ACLs
• Subjects
o Users or software that request access

• Objects
o Resources such as servers, data, etc.

• Access Control List (ACL)
o Privileges subjects have on objects

• Select the appropriate control
o Identification vs Authentication vs
Authorization
o Accounting (Auditing)
Identification
• Associates a subject (user or software process)
with an action performed on a network system
o Identifier
o Credentials
o Profile

• Issuance / Enrollment
• Identity Management

Authentication
• Proves that a user or
process is who it
claims to be
• Something you know
o Password
o PIN
o Personally Identifiable
Information (PII)

Something You Have / Are / Do
• Something you have
o Smart card
o Fob (one-time password)

• Something you are (or do)
o Fingerprint
o Face
o Signature

Multifactor Authentication
• Strong authentication requires two (or three)
types
• Something you know AND something you have
• Something you know AND something you are
• NOT something you know AND something else
you know
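Added example (not from the gtslearning courseware): a Python check that combines something you know (a salted password hash) with something you have (an RFC 6238 time-based one-time code, the kind an OTP fob generates) and then reports whether the factors that verified span two different types, so that two knowledge factors are correctly treated as single-factor. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238; the function names, user record, salt and secret are constructed for this illustration.

```python
"""Added example (not from the gtslearning courseware): two-factor check
combining something you know (password) with something you have (TOTP code).
Function names, the user record, salt and secret are constructed."""
import hashlib
import hmac
import struct
import time
from enum import Enum
from typing import Iterable, Optional, Set, Tuple


class Factor(Enum):
    """Factor types from the slides; strong authentication mixes two of them."""
    KNOW = "something you know"   # password, PIN
    HAVE = "something you have"   # smart card, OTP fob
    ARE = "something you are"     # fingerprint, face, signature


def hash_password(password: str, salt: bytes) -> bytes:
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time compare so timing does not reveal how much of the hash matched."""
    return hmac.compare_digest(hash_password(password, salt), stored)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time // step."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, step: int = 30) -> bool:
    """Accept the current step and one step either side to tolerate clock drift."""
    now = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(secret, now + d, step), code) for d in (-step, 0, step))


def verified_types(results: Iterable[Tuple[Factor, bool]]) -> Set[Factor]:
    """Collapse the checks that succeeded to the factor *types* they belong to."""
    return {factor for factor, ok in results if ok}


def is_multifactor(types: Set[Factor]) -> bool:
    """Two passwords are still KNOW + KNOW, i.e. one type, so they do not count."""
    return len(types) >= 2


# Constructed enrolment record; the TOTP secret is the RFC 6238 test-vector key.
SALT = b"constructed-salt"
USER = {
    "id": "alice",
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",
}


def authenticate(user: dict, password: str, otp: str, at: Optional[int] = None) -> Tuple[bool, Set[Factor]]:
    """Check both factors; the first element says whether the logon is truly multifactor."""
    types = verified_types([
        (Factor.KNOW, verify_password(password, SALT, user["pw_hash"])),
        (Factor.HAVE, verify_totp(user["totp_secret"], otp, at)),
    ])
    return is_multifactor(types), types


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 test vector gives the 6-digit code 287082.
    print(authenticate(USER, "correct horse battery staple", "287082", at=59))
```

The `at` parameter exists only so the code can be exercised against the RFC test vector; in production it is left as `None` and the current clock is used.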

Authorization

• Granting users (subjects) rights to resources (objects)
• Policy enforcement (ensuring only authorized
rights are exercised)
• Policy definition (determining rights)
Formal Access Control Models
• Discretionary Access Control (DAC)
o ACLs
o Ownership
o Flexible
o Decentralized

• Role-based Access Control (RBAC)
o ACLs
o Non-discretionary
o Centralized (administrative control)

• Mandatory Access Control (MAC)
o Labels and clearance
o Inflexible

• Rule-based Access Control
Basic Authorization Policies
• Implicit deny
o Default to refusing a request unless there is a rule allowing it

• Least privilege
o Assign the minimum possible rights

• Single Sign On
o Authenticate once – authorize many
− User authenticates to obtain an access token
− Token is used to authenticate silently to other applications
− User and application both trust token provider
o Simplifies account management
o But compromising an account may compromise multiple applications
o Difficult to implement on public networks
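Added example, not part of the original courseware, serving both the Formal Access Control Models slide and the implicit deny / least privilege policies above: a small Python policy engine that decides requests under DAC (an ACL the owner manages), RBAC (rights attached to centrally administered roles), MAC (clearance compared with label, using the Bell-LaPadula no-read-up / no-write-down rules as the labelling scheme, which is a choice made here rather than something the slides specify) and a rule-based time-of-day check. Every path defaults to deny, and the role table grants each role only the rights it needs. The subjects, resources, roles, labels and function names are constructed.

```python
"""Added example (not from the gtslearning courseware): a policy engine for
DAC, RBAC, MAC and rule-based access control with implicit deny throughout.
All subjects, resources, roles and labels are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# Classification levels for MAC, lowest to highest (constructed).
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
KNOWN_RIGHTS = {"read", "write"}


@dataclass
class Subject:
    """User or process requesting access."""
    name: str
    roles: Set[str] = field(default_factory=set)   # used by RBAC
    clearance: str = "public"                      # used by MAC


@dataclass
class Resource:
    """Object being protected."""
    name: str
    owner: str                                              # DAC: owner controls the ACL
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # subject name -> rights
    label: str = "public"                                   # MAC classification


# RBAC: rights are attached to roles and administered centrally.
# Least privilege: an auditor needs to inspect, not change, so it gets read only.
ROLE_RIGHTS: Dict[str, Set[str]] = {
    "auditor": {"read"},
    "editor": {"read", "write"},
}


def dac_grant(actor: Subject, res: Resource, grantee: str, right: str) -> None:
    """DAC is discretionary and decentralised: only the owner may extend the ACL."""
    if actor.name != res.owner:
        raise PermissionError(f"{actor.name} does not own {res.name}")
    res.acl.setdefault(grantee, set()).add(right)


def dac_allows(subj: Subject, res: Resource, right: str) -> bool:
    """The owner has full rights; everyone else needs an explicit ACL entry."""
    if subj.name == res.owner:
        return True
    return right in res.acl.get(subj.name, set())


def rbac_allows(subj: Subject, right: str) -> bool:
    """Non-discretionary: the subject's roles, not the subject, carry the rights."""
    return any(right in ROLE_RIGHTS.get(role, set()) for role in subj.roles)


def mac_allows(subj: Subject, res: Resource, right: str) -> bool:
    """Labels and clearance (Bell-LaPadula): no read up, no write down."""
    s, o = LEVELS[subj.clearance], LEVELS[res.label]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False


def rule_allows(right: str, hour: int) -> bool:
    """Rule-based: a constructed rule that permits writes only between 09:00 and 16:59."""
    return right == "read" or 9 <= hour < 17


def decide(model: str, subj: Subject, res: Resource, right: str, hour: int = 12) -> bool:
    """Implicit deny: anything not explicitly permitted is refused, including
    unknown models and unknown rights."""
    if right not in KNOWN_RIGHTS:
        return False
    checks: Dict[str, Callable[[], bool]] = {
        "dac": lambda: dac_allows(subj, res, right),
        "rbac": lambda: rbac_allows(subj, right),
        "mac": lambda: mac_allows(subj, res, right),
        "rule": lambda: rule_allows(right, hour),
    }
    check = checks.get(model)
    return check() if check else False


if __name__ == "__main__":
    alice, bob = Subject("alice"), Subject("bob", roles={"auditor"}, clearance="internal")
    plan = Resource("plan.txt", owner="alice", label="secret")
    print(decide("dac", bob, plan, "read"))    # False: bob is not on the ACL
    dac_grant(alice, plan, "bob", "read")
    print(decide("dac", bob, plan, "read"))    # True: the owner granted it
    print(decide("mac", bob, plan, "read"))    # False: internal clearance, secret label
    print(decide("rbac", bob, plan, "write"))  # False: the auditor role is read only
```

Note how `decide` never returns `True` by falling through: an unrecognised model, an unrecognised right, or a subject absent from the ACL all land on the deny branch, which is what implicit deny means in practice.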
Accounting
• Logging
o Account for actions
o Detect intrusions
o Choosing what to log

• Surveillance
• Incident reporting
o What?
o When?
o Who?
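Added example (not from the gtslearning courseware): Python code that writes audit records answering who, what and when in a simple key=value line format, parses them back, and runs one detection over a constructed logon log to flag a burst of failed logons from a single source that is then followed by a success. The log format, field names, thresholds and sample lines are all constructed for this illustration.

```python
"""Added example (not from the gtslearning courseware): writing audit records
that answer who / what / when, parsing them back, and one detection over a
constructed logon log. Format, field names and sample lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Tuple

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def audit_line(when: datetime, event: str, **fields: str) -> str:
    """Record WHO did WHAT and WHEN as one key=value line, UTC timestamp first."""
    parts = " ".join(f"{k}={v}" for k, v in fields.items())
    return f"{when.strftime(TS_FMT)} {event} {parts}"


def parse_line(line: str) -> Dict:
    """Turn 'TIMESTAMP EVENT k=v k=v ...' back into a dict; 'time' is a datetime."""
    ts, event, *pairs = line.split()
    rec: Dict = {"time": datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc),
                 "event": event}
    for pair in pairs:
        key, value = pair.split("=", 1)
        rec[key] = value
    return rec


def parse_log(text: str) -> List[Dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_logon_bursts(events: List[Dict], threshold: int = 5, window_seconds: int = 60) -> Dict:
    """Flag (user, src) pairs with >= threshold failed logons inside a sliding window,
    and note whether a successful logon from the same pair came afterwards."""
    fails: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], Dict] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event"] != "auth":          # choosing what to look at: logon events only
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            q = fails[key]
            q.append(ev["time"])
            while (ev["time"] - q[0]).total_seconds() > window_seconds:
                q.popleft()                # drop failures that fell out of the window
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "followed_by_success": False})
                alert["failures"] = max(alert["failures"], len(q))
        elif ev["result"] == "OK" and key in alerts:
            alerts[key]["followed_by_success"] = True
    return alerts


# Constructed sample log: bob fails five times in 14 seconds, then succeeds.
SAMPLE_LOG = """\
2015-03-02T09:14:01Z auth user=bob src=10.0.0.5 result=FAIL
2015-03-02T09:14:03Z auth user=bob src=10.0.0.5 result=FAIL
2015-03-02T09:14:04Z auth user=carol src=10.0.0.9 result=FAIL
2015-03-02T09:14:06Z auth user=bob src=10.0.0.5 result=FAIL
2015-03-02T09:14:09Z auth user=bob src=10.0.0.5 result=FAIL
2015-03-02T09:14:12Z auth user=carol src=10.0.0.9 result=OK
2015-03-02T09:14:15Z auth user=bob src=10.0.0.5 result=FAIL
2015-03-02T09:14:20Z auth user=bob src=10.0.0.5 result=OK
2015-03-02T10:30:00Z file user=carol src=10.0.0.9 action=read object=payroll.xlsx result=OK
"""


if __name__ == "__main__":
    for key, alert in detect_logon_bursts(parse_log(SAMPLE_LOG)).items():
        print(key, alert)
```

The detection deliberately keys on both user and source address: the same five failures spread across many sources would tell a different story, and the "followed by success" flag is what turns a noisy failed-logon count into something an incident report can act on.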

Review
• Understand why security
policies and procedures are
critical to protecting assets
• Distinguish the types of
security controls that can be
deployed to protect assets
• Describe the basis of access
control systems:
Identification, Authentication,
Authorization, and Accounting
• Know the use of different
access control models
Labs
• Lab 1 / Hyper-V
