CompTIA Security+ 501 exam, Chapter 01: Understanding Security Fundamentals
Posted by Superadmin on November 16 2018 13:31:17

Understanding Security Fundamentals

In this chapter we will look at a number of security fundamentals; some of these will be expanded upon in later chapters. For the exam, you will need to know all of the information in this book, as the exam is fairly tricky.

We will cover the following exam objectives in this chapter:

CIA triad concept

Most security books start with the basics of security by featuring the CIA triad. This is a model designed to guide policies for information security within an organization. It is a widely used security model, and it stands for confidentiality, integrity, and availability: the three key principles that should be used to guarantee a secure system.

Figure 1: CIA triad

Identifying security controls

There are a wide variety of different security controls that are used to mitigate the risk of being attacked; the three main security controls are technical, administrative, and physical. In this section, we are going to look at these in more detail; you need to be familiar with each of these controls and know when each of them should be applied. Let's start by looking at the three main controls.

Administrative controls

Administrative controls are mainly written by managers to create organizational policies that reduce risk within the company. An example could be an internet-use policy, so that employees realize that the internet may only be used for company business and not for social media during the working day. Another administrative control would be completing a form if you want to apply for a holiday; the form would be available from the forms library:

Administrative controls could be writing a policy, completing a form, and getting your ID badge re-keyed annually.

Technical controls

Technical controls are those implemented by the IT team to reduce risk to the business. These could include the following:

Technical controls could be installing a screensaver or configuring firewall rules.

Physical controls

Physical controls are controls that you can touch, for example:

HVAC systems help provide availability to servers in the data center, ensuring they don't overheat.

Preventative controls

Preventative controls are in place to deter any attack; this could be having a security guard with a large dog walking around the perimeter of your company. This would make someone trying to break in think twice:

Deterrent controls

Deterrent controls could be CCTV and motion sensors. When someone is walking past a building and the motion sensors detect them, the lights turn on to deter them.

A building with a sign saying that it is being filmed with CCTV prevents someone from breaking into your premises, as they think they are being filmed, even though there may not be a camera inside; they don't know that.

CCTV and motion sensors as deterrents. CCTV is also a form of detective control following an incident, when you review the footage to see how the incident happened.

Detective controls

Detective controls are used to investigate an incident that has already happened; these could include the following:

Corrective controls

Corrective controls are the actions you take to recover from an incident. You may lose a hard drive that contained data; in that case, you would replace the data from a backup you had previously taken.

Fire-suppression systems are another form of corrective control. You may have had a fire in your data center that has destroyed many servers, therefore when you purchase a replacement, you may install an oxygen-suppressant system. This method uses argon/nitrogen and sometimes a small element of CO2 to displace the oxygen in the server room. The basis of this method is to reduce the oxygen level to below 15% because it will suppress a fire.

Compensating controls

Compensating controls can also be called alternative controls; this is a mechanism that is put in place to satisfy the requirements of a security measure that is deemed too difficult or impractical to implement at the present time. It is similar to when you go shopping and you have $100 in cash; once you have spent your cash, you will have to use a credit card as a compensating control.

An example of this is where a new person has just been employed by a company where the normal way to log in is to use a smart card and PIN. This resembles a bank card with a chip: you insert it into your laptop or keyboard and then enter a PIN to log in. It may take 3-5 days to get a new smart card, so during the waiting period, they may log in using a username and password:

Access controls

The three main parts of access control are identifying an individual, authenticating them when they enter a password or PIN, and then authorization, where an individual has different forms of access to different data. For example, someone working in finance will need a higher level of security clearance and will have to access different data than the person who dispatches orders in finished goods:

Discretionary access control

Discretionary access control involves New Technology File System (NTFS) file permissions, which are used in Microsoft operating systems. The user is only given the access that he/she needs to perform their job.

The permissions are as follows:

Least privilege

Least privilege is where you give someone only the limited access level required so that they can perform their job role; this is known as the need to know basis. The company will write a least privilege policy so that the administrators know how to manage it.

Mandatory access control

Mandatory Access Control (MAC) is based on the classification level of the data. This looks at how much damage a disclosure could cause to the interests of the nation. The classification levels are as follows:

Examples of Mandatory Access Control (MAC):

Data types                  Classification
Nuclear energy project      Top secret
Research and development    Secret
Ongoing legal issues        Confidential
Government payroll          Restricted

Linux permissions (not SELinux)

File permissions: Linux permissions come in a numerical format; the first number represents the owner, the second number represents the group, and the third number represents all other users:

Unlike the Windows execute permission, which runs an application, the execute permission in Linux allows you to view or search.

A permission of 6 would be read and write. A value of 2 would be write, and a value of 7 would be read, write, and execute. Some examples are as follows:

When selecting the highest permission, you look at the value on the left first; therefore the highest value, 777, is full control.

When selecting the lowest, you look for the lowest value on the left. There are two options here: d and e both start with the lowest number, so you then compare the remaining digits. From this, you can see that answer e is the lowest.

The higher the number, the higher the permissions; the lowest number is the one with the fewest permissions.

You can also change permissions in Linux: if the permission on File C is 654 and we wish to change it, we run the command chmod 777 File C, which changes the permissions on File C to 777.
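As an added example that is not from the book, the following Python decodes the numeric Linux mode into rwx form, ranks a set of modes from lowest to highest in the left-to-right way the text describes (owner digit first, then group, then others), and applies the equivalent of chmod to a temporary file and reads the result back. The file and the modes used are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Each octal digit is the sum of read (4), write (2) and execute (1).
def digit_to_rwx(digit: int) -> str:
    if not 0 <= digit <= 7:
        raise ValueError("a permission digit must be between 0 and 7")
    return ("r" if digit & 4 else "-") + ("w" if digit & 2 else "-") + ("x" if digit & 1 else "-")

def describe(mode: str) -> str:
    """Expand a three-digit mode such as '654' into owner/group/others rwx form."""
    if len(mode) != 3 or any(d not in "01234567" for d in mode):
        raise ValueError("mode must be three octal digits, for example '654'")
    return "".join(digit_to_rwx(int(d)) for d in mode)

def rank(modes):
    """Order modes from lowest to highest: compare the owner digit first, then the group
    digit, then the others digit, which is the left-to-right comparison the text describes."""
    return sorted(modes, key=lambda m: tuple(int(d) for d in m))

def change_mode(path: str, mode: str) -> str:
    """Apply the equivalent of 'chmod <mode> <path>' and read back what the filesystem reports."""
    os.chmod(path, int(mode, 8))
    return format(stat.S_IMODE(os.stat(path).st_mode), "03o")

def chmod_demo() -> tuple:
    """Recreate the page's scenario on a constructed temporary file: set 654, then change to 777."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        before = change_mode(path, "654")
        after = change_mode(path, "777")
        return before, after
    finally:
        os.remove(path)

if __name__ == "__main__":
    for m in ("777", "654", "600"):
        print(m, describe(m))
    print("lowest to highest:", rank(["777", "644", "600", "700", "755"]))
    print("chmod 654 then 777 ->", chmod_demo())
```

Note that the ranking compares the digits as a tuple rather than as one integer: for three-digit modes the result is the same, but the tuple form makes the "look at the left digit first" rule explicit.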

Role-based access control

This is a subset of duties within a department. An example would be two people within the finance department who are the only ones who handle the petty cash. In IT terms, it could be that only two of the IT team administer the email server.

Rule-based access control

In Rule-Based Access Control (RBAC), a rule is applied to all of the people within a department; for example, contractors will only have access between 8 a.m. and 5 p.m., and the help desk staff will only be able to access Building 1, where they work. The rule can be time-based or some other sort of restriction, but it applies to the whole department.

Attribute-based access control

In Attribute-Based Access Control (ABAC), access is restricted based on an attribute in the account. John could be an executive and some data could be restricted to only those with the executive attribute.

Group-based access

To control access to data, people may be put into groups to simplify access. An example would be if there were two people who worked in Information Technology (IT) who needed access to the older IT data. These people are called Bill and Ben:

Everyone in the sales team may have full control of the sales data by using group-based access, but you may need two new starters to have only read access. In this case, you would create a group called new starters and give those people inside that group only read permission to the data.

If access to data is done via group-based access, then any solution in the exam will be a group-based answer.
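As an added example that is not part of the book, the following Python models each access control method described in the sections above on a set of constructed users and data: MAC using the classification levels from the table, a rule-based time window for contractors, role-based and attribute-based checks, and DAC with group-based ACL entries (including the "new starters" read-only group). Combining every check into a single can_access decision is my own simplification for the demonstration; in a real system each model is usually enforced by a different component.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Optional, Tuple

# Mandatory access control: classification levels from lowest to highest (the page's table).
LEVELS = ["Restricted", "Confidential", "Secret", "Top secret"]

# Rule-based access control: a restriction applied to a whole department (constructed rule,
# matching the page's "contractors only between 8 a.m. and 5 p.m." example).
TIME_RULES = {"contractors": (time(8, 0), time(17, 0))}

@dataclass
class User:
    name: str
    clearance: str = "Restricted"                      # MAC
    department: str = ""                               # rule-based
    roles: set = field(default_factory=set)            # role-based
    groups: set = field(default_factory=set)           # group-based
    attributes: dict = field(default_factory=dict)     # ABAC

@dataclass
class Resource:
    name: str
    owner: str                                         # DAC: the creator/owner decides access
    classification: str = "Restricted"                 # MAC
    acl: dict = field(default_factory=dict)            # user or group -> set of permissions
    required_role: Optional[str] = None                # role-based
    required_attribute: Optional[Tuple[str, object]] = None  # ABAC, e.g. ("executive", True)

def mac_allows(user: User, res: Resource) -> bool:
    """MAC: the user's clearance must be at least as high as the data's classification."""
    return LEVELS.index(user.clearance) >= LEVELS.index(res.classification)

def rule_allows(user: User, now: time) -> bool:
    """Rule-based: if the user's department has a time window, 'now' must fall inside it."""
    window = TIME_RULES.get(user.department)
    return window is None or window[0] <= now <= window[1]

def role_allows(user: User, res: Resource) -> bool:
    """Role-based: a resource tied to a duty (e.g. petty cash) is only for users holding that role."""
    return res.required_role is None or res.required_role in user.roles

def abac_allows(user: User, res: Resource) -> bool:
    """Attribute-based: the account must carry the attribute the resource demands."""
    if res.required_attribute is None:
        return True
    key, value = res.required_attribute
    return user.attributes.get(key) == value

def dac_permissions(user: User, res: Resource) -> set:
    """DAC and group-based: the owner has full control; everyone else gets the union of the
    ACL entries for their own name and for every group they belong to."""
    if user.name == res.owner:
        return {"read", "write", "execute"}
    perms = set(res.acl.get(user.name, set()))
    for group in user.groups:
        perms |= set(res.acl.get(group, set()))
    return perms

def can_access(user: User, res: Resource, action: str, now: time) -> bool:
    """Constructed combination: every applicable model must agree, so the most restrictive wins."""
    return (mac_allows(user, res) and rule_allows(user, now) and role_allows(user, res)
            and abac_allows(user, res) and action in dac_permissions(user, res))

def scenarios() -> dict:
    """Constructed users and data illustrating each model; returns the access decisions."""
    sales_data = Resource("sales data", owner="sam",
                          acl={"sales": {"read", "write", "execute"}, "new starters": {"read"}})
    rnd_data = Resource("research and development", owner="rita", classification="Secret")
    exec_report = Resource("board report", owner="sam", acl={"everyone": {"read"}},
                           required_attribute=("executive", True))
    petty_cash = Resource("petty cash ledger", owner="sam", acl={"finance": {"read", "write"}},
                          required_role="petty cash")

    amy = User("amy", groups={"new starters", "everyone"})              # new starter in sales
    carl = User("carl", department="contractors", groups={"sales", "everyone"})
    john = User("john", clearance="Confidential", groups={"everyone"}, attributes={"executive": True})
    fay = User("fay", clearance="Confidential", groups={"finance", "everyone"}, roles={"petty cash"})
    gus = User("gus", clearance="Confidential", groups={"finance", "everyone"})  # finance, no role
    rita = User("rita", clearance="Secret")                              # owner of the R&D data
    office_hours, evening = time(10, 0), time(19, 0)

    return {
        "group: new starter can read sales data": can_access(amy, sales_data, "read", office_hours),
        "group: new starter cannot write sales data": can_access(amy, sales_data, "write", office_hours),
        "rule: contractor inside 8-5 window": can_access(carl, sales_data, "write", office_hours),
        "rule: contractor outside 8-5 window": can_access(carl, sales_data, "write", evening),
        "mac: confidential clearance cannot read secret data": can_access(john, rnd_data, "read", office_hours),
        "dac: owner has full control of her own data": can_access(rita, rnd_data, "write", office_hours),
        "abac: executive attribute satisfied": can_access(john, exec_report, "read", office_hours),
        "abac: non-executive denied": can_access(amy, exec_report, "read", office_hours),
        "role: petty cash role satisfied": can_access(fay, petty_cash, "write", office_hours),
        "role: finance without the role denied": can_access(gus, petty_cash, "write", office_hours),
    }

if __name__ == "__main__":
    for label, decision in scenarios().items():
        print(f"{label}: {'allowed' if decision else 'denied'}")
```

The group-based case mirrors the text: the sales group has full control, while members of the constructed "new starters" group only pick up the read permission, so the decision for amy differs between read and write without any per-user entry.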

Hashing and data integrity

Can you read data that has been hashed? Hashing does not hide the data; a digitally signed email can still be read. Hashing only verifies integrity. If you wish to stop someone reading the email in transit, you need to encrypt it.

Hash practical

The reason that we hash a file is to verify its integrity so that we know if someone has tampered with it.

Hash exercise

In this exercise, we have a file called data.txt. First of all, I use a free MD5 hashing tool and browse to the data.txt file, which generates a hash value. I have also created a folder called Move data to here:

  1. Get the original hash:

  2. Copy the hash from the current hash value to the original hash value.

  3. Copy the data.txt file to the Move data to here folder, then go to the MD5 hash software and browse to the data.txt file in the new location, then press verify. The values should be the same, as shown here:

The values are the same, therefore we know that the integrity of the data is intact and that it has not been tampered with while moving the data.txt file.

  4. Next, we go into the data.txt file and change a single character, add an extra dot at the end of a sentence, or even enter a space that cannot be seen. We then take another hash of the data and we will see that the hash value is different and does not match; this means that the data has been tampered with:
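The four steps of the exercise, carried out in Python as an added example that is not part of the book, using hashlib's MD5 to match the tool in the exercise. The same block also illustrates the point made in the review answers that HMAC provides authentication as well as integrity: whoever alters a file can recompute a plain hash, but cannot produce a matching HMAC without the shared key. The data.txt contents, the folder, the messages and the keys are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import shutil
import tempfile

def hash_bytes(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of in-memory data; MD5 by default to match the tool used in the exercise."""
    return hashlib.new(algorithm, data).hexdigest()

def file_hash(path: str, algorithm: str = "md5") -> str:
    """Hash a file in chunks so that large files need not be read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path: str, original_hash: str, algorithm: str = "md5") -> bool:
    """Step 3 of the exercise: recompute the hash and compare it with the recorded original."""
    return hmac.compare_digest(file_hash(path, algorithm), original_hash)

def hash_exercise() -> tuple:
    """Walk the four steps with a constructed data.txt in a temporary directory.
    Returns (hash matches after the copy, hash matches after a one-character edit)."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "data.txt")
        dest_dir = os.path.join(work, "Move data to here")
        os.mkdir(dest_dir)
        with open(src, "w") as f:
            f.write("Quarterly figures approved.\n")   # constructed file contents
        original = file_hash(src)                      # steps 1 and 2: record the original hash
        moved = shutil.copy(src, dest_dir)             # step 3: copy the file to the new folder
        after_move = verify(moved, original)
        with open(moved, "a") as f:                    # step 4: add a single space that cannot be seen
            f.write(" ")
        after_edit = verify(moved, original)
        return after_move, after_edit
    finally:
        shutil.rmtree(work)

def hmac_exercise() -> tuple:
    """Why HMAC adds authentication on top of integrity.
    Returns (plain hash accepts a tampered message, HMAC accepts a tampered message)."""
    key = b"constructed-shared-secret"       # held only by the legitimate sender and receiver
    tampered = b"Pay 900 to account 42"      # an altered copy of "Pay 100 to account 42"
    # Plain hash: whoever altered the message can recompute the digest that travels with it,
    # so the receiver's integrity check passes; the hash says nothing about who produced it.
    digest_sent_with_tampered = hash_bytes(tampered, "sha1")
    plain_accepts = hmac.compare_digest(hash_bytes(tampered, "sha1"), digest_sent_with_tampered)
    # HMAC: the tag depends on the key, so a tag computed under a guessed key does not verify.
    tag_sent_with_tampered = hmac.new(b"guessed-key", tampered, hashlib.sha1).hexdigest()
    expected = hmac.new(key, tampered, hashlib.sha1).hexdigest()
    hmac_accepts = hmac.compare_digest(expected, tag_sent_with_tampered)
    return plain_accepts, hmac_accepts

if __name__ == "__main__":
    print("hash matches after copy, after edit:", hash_exercise())
    print("plain hash accepts tampering, HMAC accepts tampering:", hmac_exercise())
```

hmac.compare_digest is used for both comparisons so that the check takes the same time whether the digests agree or not; a plain string comparison would be correct for this exercise but is a habit worth avoiding in code that verifies secrets.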

Defense in depth model

Defense in depth is the concept of protecting a company's data with a series of defensive layers, so that if one layer fails, another layer will already be in place to thwart an attack. We start with our data, then we encrypt it to protect it:

Therefore, before someone can steal the data, they have seven layers of security that they must pass through. The concept of defense in depth is that if one layer fails, then the next layer protects:

Review questions

  1. What are the three components of the CIA triad?

  2. Why might a CCTV camera be sited outside a building without any film inside?

  3. What does confidentiality mean?

  4. How can we protect a data center from people entering it?

  5. What is the purpose of an airgap?

  6. Name three administrative controls.

  7. Name three physical controls.

  8. Following an incident, what type of control will be used when researching how the incident happened?

  9. How do I know if the integrity of my data is intact?

  10. What is a corrective control?

  11. What is the purpose of hashing?

  12. If I hash the same data with different SHA1 applications, what will the output be?

  13. What two things does HMAC provide?

  14. What type of control is it when I change the firewall rules?

  15. What is used to log into a system that works in conjunction with a PIN?

  16. What is the name of the person who looks after classified data, and who is the person that gives people access to the classified data?

  17. When you use a DAC model for access, who determines who gains access to the data?

  18. What is least privilege?

  19. What access control method does SELinux utilize?

  20. What is the Linux permission of 777? What access does it give you?

  21. What does the Linux permission execute allow me to do?

  22. The sales team are allowed to log in to the company between 9 a.m. and 10 p.m. What type of access control is being used?

  23. Two people from the finance team are the only ones allowed to authorize the payment of cheques; what type of access control are they using?

  24. What is the purpose of the defense in depth model?

  25. When someone leaves the company, what is the first thing we should do with their user account?

Answers and explanations

  1. Confidentiality means only allowing those who are authorized to access data to gain access. Integrity means that data has not been tampered with. Availability means that data is available when you need it, for example, when purchasing an airline ticket.

  2. We could place a CCTV camera in a prominent location as a deterrent; people walking past cannot tell whether it has film in it or not, so we are using it as a deterrent.

  3. Confidentiality means that we are limiting access to data to only those who should have access.

  4. To stop people entering a data center, we would install a mantrap, a turnstile device, so that we can control who accesses the data center, one person at a time.

  5. An airgap is what it says on the tin: it is a gap between your network and a machine. We would use an airgap, for example, between a research and development machine and the corporate network.

  6. Administrative controls could be writing a new policy to make the company run smoothly; we may have just implemented change management. You could implement a new form to ensure that all of the data required for an application is supplied. We could run an annual security awareness training day, complete a risk assessment, or carry out penetration testing.

  7. The list of physical controls is huge. Remember that these can be physically touched. You can choose three from: cable locks, a laptop safe, biometric locks, fences, gates, burglar alarms, fire alarms, lights, security guards, bollards, barricades, a Faraday cage, key management, proximity cards, tokens, HVAC, an airgap, motion sensors, cameras, and biometric devices such as an iris scanner.

  8. If we investigate an incident, we need to collect all of the facts about the incident; this is a detective control. Think of a detective such as Sherlock Holmes, who is always investigating mysteries.

  9. If we hash the data before and after, and the hash value remains the same, then the integrity of the data is intact. If the second hash is different, the data has been tampered with.

  10. A corrective control is applied after an incident has happened, when we want to redeem the situation. For example, if the hard drive on my laptop fails, then I will purchase a new hard drive, put it into my laptop, install the operating system and applications, then obtain a copy of my data from a backup.

  11. Hashing is a technique that lets you know if data has been tampered with, but it does not hide the data.

  12. If the same data is hashed with two different applications that can hash data with SHA1, then the hash value will be the same.

  13. HMAC provides data integrity and data authentication. You can use HMAC-SHA1 or HMAC-MD5.

  14. If I change firewall rules, I am doing this to reduce risk; it is carried out by administrators, therefore it is a technical control.

  15. A smart card is a credit card-type device that has a chip built in; once it is inserted into the keyboard or a USB card reader, you will be asked to enter a PIN.

  16. The person who stores and manages classified data is called the custodian. The person who gives access to the classified data is the security administrator. Prior to getting access to the data, the person may well be vetted.

  17. In the DAC model, the data is unclassified, and the data creator, who is also called the owner, will decide who gains access to the data.

  18. Least privilege is a technique that says that people should only get the limited access to data that they need to perform their job.

  19. SELinux uses the MAC model to access data. This is the secure version of Linux.

  20. In Linux, 777 gives the owner (the first digit), the group (the second digit), and all other users (the third digit) read, write, and execute. It could also be shown as rwx.

  21. The Linux permission for execute (x) allows you to search for or view data.

  22. An access control method that applies either a time restriction or a location restriction is called rule-based access.

  23. A subset of a department with access to a subset of duties is called role-based access.

  24. The defense in depth model has many different layers; the idea behind this is that if one layer is broken through, the next layer will provide protection.

  25. When someone leaves the company, we should disable their account so that the keys associated with it are still available. The next stage is to change the password so that nobody can access it, especially the person who has just left.