> Access Controls – Identification, Authentication, Authorization
> Integrity – provides assurance that data has not changed
> Hashing – a hash is simply a number created by executing a hashing algorithm against data,
such as a file or message. As long as the data never changes, the resulting hash will always be the same.
> Digital signatures – can verify the integrity (and origin) of emails and files. They require certificates and a PKI.
Availability – redundancy and fault tolerance
Disk redundancies – RAID 1, 4, 6
Server redundancies – failover clusters
Load balancing, site redundancies, backups, alternate power, cooling systems, patching
Authentication Factors- something you know, something you have, something you are,
somewhere you are, something you do
Common Access Card (CAC) and Personal Identity Verification (PIV) cards both support two-factor authentication.
They are special smart cards that include photo identification.
Tokens or key fobs
HMAC-based One-Time Password (HOTP) – counter-based; the one-time password stays valid until it is used (it does not expire on its own)
Time-based One-Time Password (TOTP) – clock-based; the one-time password expires after a fixed time step, typically 30 seconds
Dwell time is the time a key is held down.
Flight time is the time between releasing one key and pressing the next key. (Both are keystroke-dynamics measures of something you do.)
Entering a password and a PIN (both in the something-you-know factor) is not two-factor authentication.
Kerberos is a network authentication protocol used within Windows Active Directory domains and in some
UNIX environments, where the equivalent of a domain is known as a realm.
Kerberos provides mutual authentication (client and server both prove their identity), which helps prevent
man-in-the-middle attacks, and it uses time-stamped, expiring tickets to prevent replay attacks.
Kerberos > A method of issuing tickets used for authentication
> Time synchronization
> a database of subjects or users
Kerberos uses a database of objects such as AD DS and a Key Distribution Center (KDC, also called the ticket-granting
ticket or TGT server) to issue time-stamped tickets that expire after a set period. Because the tickets are time-stamped,
all participants' clocks must stay synchronized (the Windows default tolerance is 5 minutes).
Symmetric encryption uses one shared key. Asymmetric encryption uses a public/private key pair. Kerberos tickets are protected with symmetric keys.
Lightweight Directory Access Protocol (LDAP)
Queries to Active Directory use the LDAP format. UNIX realms also use LDAP to identify objects.
LDAP specifies the formats and methods used to query directories.
A user named Homer in the Users container within the example.com domain is identified with the following LDAP string:
CN=Homer,CN=Users,DC=example,DC=com
CN=Homer > common name of the object. CN=Users > the container. DC=example and DC=com > domain components,
one per label of the DNS name example.com (read from the most specific on the left to the root on the right).
Secure LDAP > encrypts the session with Transport Layer Security (TLS).
LDAP v2 used Secure Sockets Layer (SSL) instead of TLS.
LDAP v3 is the current standard and it uses TLS.
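Added example (not part of the original notes): building and parsing the DN string above, with the RFC 4514 escaping that a value containing a comma or a leading space needs, and the separate RFC 4515 escaping for a search filter built from user input (the usual way LDAP queries get hijacked). The attribute names and the sample usernames are assumptions for the example.

```python
import re

# Characters that must be backslash-escaped anywhere inside a DN attribute value (RFC 4514)
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # a leading '#' would be read as hex-encoded BER
            out.append("\\#")
        elif ch == " " and i in (0, last):    # leading/trailing spaces are otherwise dropped
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """rdns: [(attribute, value), ...] ordered from the leaf object to the root."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


def user_dn(cn: str, container: str, domain: str) -> str:
    """DN for a user in a container of an AD-style domain, e.g. example.com -> DC=example,DC=com."""
    rdns = [("CN", cn), ("CN", container)] + [("DC", label) for label in domain.split(".")]
    return build_dn(rdns)


def parse_dn(dn: str):
    """Split a DN on unescaped commas and undo RFC 4514 escaping (both \\x and \\XX hex forms)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                buf.append(chr(int(hexpair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return [tuple(rdn.split("=", 1)) for rdn in rdns]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_lookup_filter(username: str) -> str:
    """Build a search filter from untrusted input without letting it alter the query structure."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"
```

DN escaping and filter escaping are different rule sets; applying the DN rules to a filter value (or vice versa) still leaves `*`, `(` and `)` live in a filter.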
Single Sign-On (SSO) refers to the ability of a user to log on to or access multiple systems by providing credentials only once.
SSO and transitive trusts > within a forest, SSO works across domains because trusts are transitive: if domain A
trusts B and B trusts C, then A also trusts C.
SSO and Federation > a federated identity links a user's credentials from different networks or operating systems, but
the federation treats them as one identity.
SSO and SAML (Security Assertion Markup Language) > an Extensible Markup Language (XML)-based data format
used for SSO on web browsers.
Remote Access Service (RAS) provides access to an internal network from an outside source.
Password Authentication Protocol (PAP) sends the password in cleartext.
Challenge Handshake Authentication Protocol (CHAP) > uses a challenge/response handshake: the server sends a random
challenge and the client answers with a hash of the challenge and the shared secret, so the secret itself never crosses the wire.
Microsoft CHAP (MS-CHAP) – used only by Microsoft clients.
MS-CHAPv2 – improves on MS-CHAP, including the ability to perform mutual authentication.
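Added example (not part of the original notes): both sides of a CHAP exchange as defined in RFC 1994 (response = MD5(Identifier || secret || Challenge)), next to the PAP packet layout, to show what a sniffer sees in each case and why a captured CHAP response cannot be replayed. The peer names and secrets are constructed for the example; the server class is a hypothetical stand-in for a RAS box.

```python
import hashlib
import hmac
import os


def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    """PAP Authenticate-Request payload: peer-id and password, both sent as-is (RFC 1334)."""
    pid, pw = peer_id.encode(), password.encode()
    return bytes([len(pid)]) + pid + bytes([len(pw)]) + pw


def pap_password_from_wire(payload: bytes) -> str:
    """What a passive sniffer recovers from a PAP packet: the password itself."""
    pid_len = payload[0]
    pw_len = payload[1 + pid_len]
    return payload[2 + pid_len:2 + pid_len + pw_len].decode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP (hypothetical RAS). Knows each peer's shared secret and issues fresh challenges."""

    def __init__(self, secrets: dict):
        self.secrets = secrets   # peer name -> shared secret
        self.pending = {}        # identifier -> challenge awaiting a response

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)    # unpredictable and single-use: this is the anti-replay property
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # a challenge can be answered only once
        if chal is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], chal)
        return hmac.compare_digest(expected, response)


def chap_exchange(server: ChapAuthenticator, name: str, secret: bytes, identifier: int = 1) -> bool:
    """Full three-way handshake: Challenge -> Response -> Success/Failure. The secret never leaves the peer."""
    chal = server.challenge(identifier)
    resp = chap_response(identifier, secret, chal)
    return server.verify(identifier, name, resp)


def chap_replay_attempt(server: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """Capture a valid response, then replay it against a later challenge: must fail."""
    chal = server.challenge(1)
    captured = chap_response(1, secret, chal)
    if not server.verify(1, name, captured):
        raise RuntimeError("legitimate login unexpectedly failed")
    server.challenge(2)                      # server issues a fresh challenge later
    return server.verify(2, name, captured)  # replayed response no longer matches
```

The trade-off CHAP makes is that the server must store the shared secret in a recoverable form (it needs the plaintext to compute the expected MD5), whereas PAP lets the server store a salted hash but exposes the password on the wire.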
Remote Authentication Dial-In User Service (RADIUS) – provides a centralized method of authentication
for multiple remote access servers. RADIUS hides (encrypts) only the password in its packets, not the entire authentication exchange;
it runs over UDP.
Diameter – an improvement over RADIUS; it supports the Extensible Authentication Protocol (EAP) for security.
Diameter uses TCP (or SCTP) instead of the UDP used by RADIUS.
Extended Terminal Access Controller Access-Control System (XTACACS) – Cisco's proprietary extension of the original TACACS.
Terminal Access Controller Access-Control System Plus (TACACS+) – developed by Cisco. It runs over TCP, encrypts the
entire packet body (not only the password, as RADIUS does), and can use Kerberos, allowing it to work with a broader range of environments.
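Added example (not part of the original notes): the RADIUS User-Password hiding from RFC 2865 section 5.2, the one part of an Access-Request that is protected, written from both the client (hide) and server (reveal) side. The last function shows the caveat behind "encrypts the password but not the whole process": anyone holding a captured request plus a known password can test shared-secret guesses offline. The password, shared secret and authenticator values are constructed for the example.

```python
import hashlib


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, then c_i = p_i XOR MD5(secret || c_{i-1}),
    with the 16-byte Request Authenticator standing in for c_0."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse, as performed by the RADIUS server: the keystream depends only on the secret
    and the previous ciphertext block, so decryption never needs the plaintext."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += _xor16(c, hashlib.md5(shared_secret + prev).digest())
        prev = c
    return bytes(out).rstrip(b"\x00")   # strip the NUL padding added by the client


def guess_shared_secret(hidden: bytes, request_authenticator: bytes, candidates, known_password: bytes):
    """Offline attack available to anyone who captured one Access-Request and knows (or can guess)
    the user's password: try candidate shared secrets until one reveals it. Returns the match or None.
    The hiding is therefore only as strong as the shared secret; the rest of the packet
    (User-Name, NAS-IP-Address, ...) is sent in the clear regardless."""
    for cand in candidates:
        if reveal_user_password(hidden, cand, request_authenticator) == known_password:
            return cand
    return None
```

The authenticator is random per request, so the same password hides to a different value every time; the weakness is not the XOR itself but that a weak or reused shared secret turns every capture into a dictionary-attack target.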
Q: A network includes a ticket-granting ticket server. What is the primary purpose of this server?
A: Authentication
Dec: Kerberos uses a ticket-granting ticket server for authentication.
Q: Which of the following authentication services use PPP?
A: PAP and CHAP
Dec: Both Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP)
use Point-to-Point Protocol (PPP).
Q: Which of the following choices provide authentication services for remote users and devices?
A: RADIUS, Diameter
Dec: Both RADIUS and Diameter are authentication services for remote users and devices.
A security incident is an adverse event or series of events that can negatively affect the confidentiality,
integrity, or availability of an organization's IT systems and data.
One method of classifying security controls is based on how they are implemented. The three common
implementation classifications are technical, management, and operational:
> Technical controls use technology
> Management controls use administrative or management methods
> Operational controls are implemented by people in day-to-day operations
Technical controls – encryption, anti-virus, IDS, firewalls, least privilege
Management controls – risk assessments, vulnerability assessments, penetration tests
Operational controls – awareness and training, configuration and change management, contingency planning,
media protection, physical and environmental protection
SP 800 – http://csrc.nist.gov/publications/PubsSPs.html
Control Goals – preventive, detective, corrective, deterrent, compensating
Preventive – hardening, security awareness training, security guards, change management, account disablement policy
Detective – log monitoring, trend analysis, security audits, video surveillance, motion detection
Corrective – active IDS, backups and system recovery
Deterrent – cable locks, hardware locks
Physical security – perimeter, building, secure work areas, server and network rooms, hardware
Door access systems include cipher locks, proximity cards, and biometrics. Cipher locks do not identify users.
Proximity cards can identify and authenticate users when combined with a PIN. Biometrics can also identify
and authenticate users. ID badges
Tailgating (piggybacking) occurs when one user follows closely behind another user without using credentials.
A mantrap is a physical security mechanism designed to control access to a secure area through a buffer zone.
CCTV – only record activity in public areas, notify employees of the surveillance, and don't record audio
Role-based access control(role-BAC)
Rule-based access control(rule-BAC)
Discretionary access control(DAC)
Mandatory access control(MAC)
Routers and firewalls use rules within ACLs (rule-BAC).
Every object (such as a file or folder) includes a discretionary access control list (DACL) that identifies who
can access it in a system using the DAC model.
The DACL is a list of access control entries (ACEs). Each ACE is composed of a SID and the permission(s) granted
(or denied) to that SID.
The DAC model specifies that every object has an owner and the owner has full explicit control of the object.
Microsoft NTFS uses the DAC model.
The MAC model uses labels (security labels) to determine access.
The MAC model uses sensitivity labels for users and data. It is commonly used when access needs to be restricted
based on a need to know.
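Added example (not part of the original notes) covering both the DACL/ACE passage and the MAC label passage above: a simplified model of how a DACL is walked (deny ACEs short-circuit, allow ACEs accumulate, and the order of ACEs changes the answer) next to a label-dominance check for MAC where compartments capture need to know. The rights mask, the level names and all SIDs except Everyone (S-1-1-0) are constructed for the example; this is a teaching model, not the Windows AccessCheck implementation.

```python
from dataclasses import dataclass
from typing import List, Optional

# Access rights as bit flags (a cut-down version of an access mask)
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | EXECUTE | DELETE

EVERYONE = "S-1-1-0"   # well-known SID; the user SIDs in the tests are constructed


@dataclass
class ACE:
    sid: str
    mask: int
    allow: bool = True


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[ACE]]   # None = null DACL (no protection at all); [] = empty DACL (nobody gets access)


def dac_access_check(sd: SecurityDescriptor, token_sids: set, requested: int) -> bool:
    """Walk the DACL in order. A matching deny ACE that covers any still-unsatisfied right
    denies immediately; allow ACEs accumulate rights until every requested right is granted."""
    if sd.dacl is None:
        return True
    remaining = requested
    for ace in sd.dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def canonical_order(dacl: List[ACE]) -> List[ACE]:
    """Explicit deny ACEs before explicit allow ACEs. A DACL written in a different order
    changes the decision, because the walk stops as soon as all requested rights are granted."""
    return [a for a in dacl if not a.allow] + [a for a in dacl if a.allow]


# --- MAC: decisions come from labels, not from per-object lists ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know categories, e.g. {"project-x"}


def mac_can_read(subject: Label, obj: Label) -> bool:
    """No read up: the subject's clearance must dominate the object's label, i.e. its level is at least
    the object's level AND it holds every compartment the object is tagged with."""
    return LEVELS[subject.level] >= LEVELS[obj.level] and obj.compartments <= subject.compartments
```

The two models answer different questions: DAC asks "what did the owner put in this object's list for these SIDs", so a mis-ordered or null DACL silently widens access; MAC asks "does the subject's label dominate the object's", so the owner cannot grant access to someone without the clearance and compartment.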
User accounts typically have security keys associated with them (for example, the keys used to encrypt the user's files).
These keys are retained when the account is disabled, but they are no longer accessible once the account is deleted.
Disabling an account rather than deleting it helps ensure that access to those files is retained, but it doesn't directly
retain the user's files themselves.