2) Security Part 1 Flashcards
Mantrap
Physical Security:
One at a time, controlled groups
Small area with two doors; both cannot be open at once
May process while inside (ID)
All doors normally unlocked
Opening one door causes others to lock
Or all doors normally locked
Unlocking one door prevents others from being unlocked
Badge Reader
RFID Badge, Magnetic Swipe Card
Smart Card
Integrates with devices & ID Cards
May require a PIN
Creates a digital certificate
Used with multifactor authentication
Types: PIV Card (Personal Identity Verification), CAC Card (Common Access Card)
IEEE 802.1X
Gain access to network using a certificate
On-device storage or separate physical device
Door Access Controls (Door Locks)
Conventional: Lock & Key or Deadbolt
Electronic: Keyless, PIN
Token-Based: RFID badge, magnetic swipe card, key fob
Biometric: Hand, fingers, retina, voiceprint
Usually a mathematical representation
Difficult to change
Often combined (multifactor)
Hardware/Software Tokens
Hardware Tokens
Generates pseudo-random auth codes
Software Tokens
In the form of a mobile app (ex: Google Authenticator)
or SMS code sent to phone
Cable Locks
Physical/Temporary Security
Connects your hardware to something solid
Works almost anywhere
Reinforced notch
Thin, can be cut, not for long-term
Server Locks
Locking Cabinets
Data center hardware is often managed by different groups
Racks usually installed together
Keeps everything close, but protected
Maintains airflow
USB Locks/Tokens
USB Lock
Prevents access to USB port
Secondary option after disabling interface in BIOS
(Defense in depth)
USB Token
Certificate/token is on USB Drive
Insert to gain access
Privacy Screen
Privacy Screen/Filter
Extremely narrow angle of view
Prevents others from seeing screen
Entry Control Roster
A roster used to record identities of those who access secured hardware.
Could be inside mantrap, or with security guard
(or both)
Active Directory: Login Script
A script that can be run when a user logs in.
Can map a network drive, run software, check anti-virus, verify application updates, etc.
Active Directory: Group Policy/Updates
Defines specific policies
Ex: password complexity, login restrictions
Active Directory: OUs
Organizational Units
AD Structure Units
Can be based on the company (departments, locations)
Active Directory: Home Folder
Assign a network share as the user’s home
\\server1\users\kevin
Active Directory: Folder Redirection
Instead of a local folder, redirects to server
Ex: Store Documents folder on \\server1
Access these files from anywhere
MDM Policies
Mobile Device Management
Manage company-owned & user-owned mobile devices
BYOD (Bring Your Own Device)
Centralized management of mobile devices
Manage access control
Set policies on apps/data/camera/etc
Can control entire device, or a partition
Port Security
Prevent unauthorized users from connecting to a switch interface (alert/disable the port)
Based on source MAC address
Each port has its own config
Can configure max MAC addresses on interface
MAC Address Filtering
Whitelists/Blacklists MAC addresses allowed on network
Requires additional administration
Easy to circumvent; MAC addresses can be spoofed
“Overriding hardware MAC, spoofing existing MAC”
Security through obscurity
Anti-Virus/Anti-Malware
Must keep signatures updated all the time; updates are essential (can be a scaling issue)
A centralized server can be very useful for this.
Large organizations require enterprise management.
Updates are tracked, pushed, confirmed, & managed
Mobile devices will require additional management
Firewalls
Host-Based/Personal Firewall (Software-Based)
Many devices come equipped with their own firewall
Included in many OSs
Stops unauthorized network access (stateful inspection)
Blocks traffic by application
Network-Based Firewalls
Filters traffic by port number
Modern firewalls can identify applications
Can encrypt inbound/outbound traffic (VPN Firewall)
Can proxy traffic (user sends request, firewall makes request, receives response, validates, sends to user)
Most firewalls can be layer 3 devices (routers)
Can provide routing & NAT for inside/outside of network
User Authentication/Strong Passwords
Unique Identifier
Windows: SID (Security Identifier)
Credentials: Password/Authentication data
Profile: Info stored about user
Strong Passwords
Weak passwords are difficult to protect against attack
Prone to brute force
Passwords need complexity & constant refresh
Multifactor Authentication
More than one factor
Something you are/have/know/do
Somewhere you are
Directory Permissions
NTFS Permissions
Supports encryption, file permissions
Prevent accidental modification/deletion
VPN
Virtual Private Network
Encrypts inbound/outbound data
Concentrator - Encryption/decryption access device
Hardware/software based
Common to use 3rd party apps