# Explain Common Security Concepts

[[Principles of Security]], [[Intro To Defensive Security]]

## Security Concepts

![[CIA Triad.png|300]]

- Confidentiality - certain information should only be known to certain people
- Integrity - data is stored and transferred as intended, and any modification is authorized
- Availability - information is accessible to those authorized to view or modify it

**VULNERABILITY + THREAT = RISK**

## Security Risk Assessments

- Posture assessment
  - Enterprise risk management
  - Comparison with standard frameworks
    - NIST
  - Assess use of the security controls
- Process assessment
  - Mission essential function (MEF)
  - Business impact analysis (BIA)
  - Business continuity planning (BCP)

## Vulnerability and Exploit Types

- Vulnerabilities
  - Misconfiguration, poor practice, or faults in software code
- Exploits
  - Code or method by which a vulnerability is used maliciously
- Zero-day vulnerabilities and exploits
- Unpatched and legacy systems
- Vulnerability assessment
  - Manual and automated scanning
  - Identify deviation from the configuration baseline
- Common Vulnerabilities and Exposures (CVE)
  - Dictionary of vulnerabilities in published OS and software: [CVE](https://cve.org)

## Threat Types and Assessment

- External vs internal threats
  - They are different from each other: port 443 traffic from inside is fine, but port 443 traffic from outside might not be
  - An external threat actor or agent is one that has no account or authorized access to the target system. A malicious external threat must infiltrate the security system using malware and/or social engineering. Note that an external actor may perpetrate an attack remotely or on-premises (by breaking into the company's headquarters, for instance). It is the threat actor that is defined as external, rather than the attack method.
  - An internal (or insider) threat actor is one that has been granted permissions on the system.
    This typically means an employee, but insider threat can also arise from contractors and business partners.
- Threat assessment
  - Identify adversary tactics, techniques, and procedures (TTPs)
  - Research sources
    - Data feeds for automated detection tools

## Security Information and Event Management (SIEM)

- One of the most complicated tools to deploy in an organization
- Takes ALL security data and integrates it together
- Correlates data (takes individual events and readings) and shows it together in a meaningful way
- SIEM offers:
  - Log aggregation
  - Event correlation
  - Indicators of compromise (IoC)
  - Alerting
  - Log storage and retention (compliance)

## Penetration Testing

- Authorized or ethical hacking
- Aims to model how exposed the organization is to vulnerabilities exploited from the outside
- Goes beyond vulnerability scanning to actively test controls

## Privileged Access Management

- Policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts
- Mitigate risks from weak configuration controls over privileges
- Least privilege - only have the privileges you need to do your job
- Role-based access
- Zero trust

## Vendor Assessment

- Supply chain vulnerability management
- Onboarding suppliers
- Validate supplier security maturity level

# Explain Authentication Methods

## Authentication Methods and Access Controls

- Subjects and objects
- Access control lists (ACL) - entry on a device like a router or firewall to allow access
- AAA
  - Authentication
  - Access/authorization
  - Auditing
- Identity and access management (IAM)
  - Identification
  - Authentication
  - Authorization
  - Accounting

## Multifactor and Two-Factor Authentication

- Account identity and credentials
- Authentication factors/credential format
  - Knowledge factor - something you know (password)
  - Ownership factor - something you have (smart card)
  - Human factor - something you are (fingerprint)
  - Behavioral factor - something you do (signature)
  - Location
    factor - somewhere you are (mobile device with location services)
- MFA requires more than one type of factor to be used

## Local Authentication and Single Sign-On

- Cryptographic hashing of passwords
- Windows authentication
  - Local sign-in, Windows network sign-in, remote sign-in
- Linux authentication
  - `/etc/passwd` user file & `/etc/shadow` password file
  - Secure Shell (SSH)
  - Pluggable Authentication Modules (PAM)
- Single sign-on (SSO)
  - Authenticate once, authorized many times

## Kerberos

- Provides single sign-on and mutual authentication
- Uses a ticket-granting system
- 3 parts:
  - Client
  - Server
  - Key distribution center (KDC)
    - Authentication service - issues the ticket-granting ticket
    - Ticket granting service - issues service tickets

## Digital Certificates and PKI

- Public key cryptography (asymmetric encryption)
  - Confidentiality: the public key can encrypt but not decrypt
  - Authentication: the private key encrypts (signs) a signature
- PKI authenticates the public key
  - The public key is wrapped in a digital certificate signed by a certificate authority (CA)
  - If the client trusts the CA, it can also trust that the certificate is valid
  - Subject is the certificate holder (user or server)

## Extensible Authentication Protocol and IEEE 802.1X

- Extensible Authentication Protocol (EAP)
  - Framework for deploying authentication technologies
- IEEE 802.1X port-based network access control (NAC)
  - Allows use of EAP when connecting to a switch
- Authentication, authorization, and accounting (AAA) architecture
  - Supplicant
  - Network access server (NAS) / RADIUS client / authenticator
  - AAA server

## RADIUS and TACACS+

- Remote Authentication Dial-In User Service (RADIUS)
  - Widely used to implement AAA for client device access and remote access VPNs
- Terminal Access Controller Access Control System Plus (TACACS+)
  - Used to authenticate to network switches and routers
  - Uses TCP, not UDP
  - Better support for fine-grained authorization policies

## Lightweight Directory Access Protocol (LDAP)

- Lucky says this is just a database
- List of network users and resources
  - Not good for a lot of users
- ACLs
  - Authorizations
- Directory database
  - Objects
  - Attributes
- ==X.500== Distinguished Names
  - Attribute=value pairs
- Schema

## LDAP Secure

- `STARTTLS`
- Binding methods
  - None
  - Simple authentication
  - Simple Authentication and Security Layer (SASL)
- LDAPS (TLS over TCP port 636)
- Access control policy
  - Read only
  - Read/write
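Added example for the LDAP section above (not part of the original notes): a parser for X.500 Distinguished Names as attribute=value pairs, plus an authorization-style check that an entry sits under a base DN. It shows why DN authorization must compare parsed RDNs rather than raw string suffixes, since a comma escaped inside a value (`\,`) is not an RDN separator. The DN strings used are constructed.

```python
HEX = set("0123456789abcdefABCDEF")
SPECIAL = ',+="\\<>;# '          # characters that may be backslash-escaped (RFC 4514)

def parse_dn(dn):
    """Parse an LDAP/X.500 DN into a list of RDNs; each RDN is a list of
    (attribute, value) tuples. Handles '\\x' escapes, '\\XX' hex escapes and
    '+' for multi-valued RDNs. Unescaped whitespace around components is trimmed."""
    rdns, rdn, buf, attr, i = [], [], [], None, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in SPECIAL:                               # escaped special char
                buf.append(nxt)
                i += 2
                continue
            if i + 2 < len(dn) and set(dn[i + 1:i + 3]) <= HEX:   # \XX hex escape
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
                continue
        if c == "=" and attr is None:                        # end of attribute type
            attr = "".join(buf).strip().lower()
            buf = []
        elif c in ",+":                                      # end of one attr=value
            if attr is None:
                raise ValueError(f"RDN without '=' at position {i}")
            rdn.append((attr, "".join(buf).strip()))
            buf, attr = [], None
            if c == ",":                                     # ',' also ends the RDN
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError("trailing RDN without '='")
    rdn.append((attr, "".join(buf).strip()))
    rdns.append(rdn)
    return rdns

def is_under(entry_dn, base_dn):
    """Authorization helper: True if entry_dn is at or below base_dn.
    Compares parsed RDNs (attribute names and values case-insensitively)."""
    e, b = parse_dn(entry_dn), parse_dn(base_dn)
    norm = lambda rdn: sorted((a, v.lower()) for a, v in rdn)
    return len(e) >= len(b) and all(norm(x) == norm(y) for x, y in zip(e[len(e) - len(b):], b))
```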
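Added example for the Linux authentication bullets in "Local Authentication and Single Sign-On" above (not from the original notes): a defender's audit of `/etc/shadow`-format records that flags empty password fields, weak hash algorithms and expired passwords, and skips locked accounts. The shadow lines are constructed with placeholder hashes; the `today_days` parameter (days since the Unix epoch, as `/etc/shadow` stores dates) is assumed by this example.

```python
from datetime import date

# Constructed /etc/shadow-style records (placeholder hashes, not real credentials).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$FAKEHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19700:0:99999:7:::
alice:$y$j9T$saltsalt$FAKEHASHyyyyyyyyyyyyyyyyyyyyyy:19700:0:90:7:::
legacy:$1$saltsalt$FAKEHASHzzzzzzzzzzzz:18000:0:99999:7:::
svc_backup::19500:0:99999:7:::
daemon:*:19000:0:99999:7:::
bob:!$6$saltsalt$FAKEHASHwwwwwwwwwwwwwwwwwwwwwwww:19700:0:99999:7:::
"""

# crypt(3) algorithm identifiers as they appear in the "$id$" hash prefix
ALGOS = {"1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt"}
WEAK = {"md5", "legacy-des"}           # no "$id$" prefix means traditional DES crypt

def parse_shadow(text):
    """Split shadow records into the fields the audit needs."""
    users = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 5:
            continue
        users.append({"name": f[0], "hash": f[1],
                      "lastchg": int(f[2] or 0), "max": int(f[4] or 99999)})
    return users

def audit(users, today_days=None):
    """Return {username: finding} for entries a defender should review."""
    if today_days is None:
        today_days = (date.today() - date(1970, 1, 1)).days
    findings = {}
    for u in users:
        h = u["hash"]
        if h == "":
            findings[u["name"]] = "empty password field: login without a credential"
        elif h.startswith(("!", "*")):
            continue                    # locked: password login disabled, nothing to flag
        else:
            algo = ALGOS.get(h.split("$")[1], "unknown") if h.startswith("$") else "legacy-des"
            if algo in WEAK:
                findings[u["name"]] = f"weak hash algorithm: {algo}"
            elif u["max"] < 99999 and today_days - u["lastchg"] > u["max"]:
                findings[u["name"]] = "password expired"
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_shadow(SAMPLE_SHADOW)).items():
        print(f"{name}: {finding}")
```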