IT Fundamentals/Security Concepts

From Wikiversity
Jump to navigation Jump to search
Lock

This lesson introduces IT security concepts.

Objectives and Skills[edit]

Objectives and skills for the security concepts portion of IT Fundamentals certification include:[1]

  • Compare and contrast authentication, authorization, accounting and non-repudiation concepts.
    • Authentication
      • Single factor
      • Multifactor
      • Examples of factors
        • Password
        • PIN
        • One-time password
        • Software token
        • Hardware token
        • Biometrics
        • Specific location
        • Security questions
      • Single sign-on
    • Authorization
      • Permissions
      • Least privilege model
      • Role-based access
        • User account types
      • Rule-based access
      • Mandatory access controls
      • Discretionary access controls
    • Accounting
      • Logs
      • Tracking
      • Web browser history
    • Non-repudiation
      • Video
      • Biometrics
      • Signature
      • Receipt
  • Summarize confidentiality, integrity and availability concerns.
    • Confidentiality concerns
      • Snooping
      • Eavesdropping
      • Wiretapping
      • Social engineering
      • Dumpster diving
    • Integrity concerns
      • Man-in-the-middle
      • Replay attack
      • Impersonation
      • Unauthorized information alteration
    • Availability concerns
      • Denial of service
      • Power outage
      • Hardware failure
      • Destruction
      • Service outage

Readings[edit]

  1. Wikipedia: Authentication
  2. Wikipedia: Authorization
  3. Wikipedia: Accounting

Multimedia[edit]

  1. YouTube: Authentication, Authorization, Accounting & Non-Repudiation
  2. YouTube: Confidentiality, Integrity & Availability Concerns

Activities[edit]

  1. Manage user accounts.
  2. Research multi-factor authentication. Consider setting up multi-factor authentication on all supported accounts, including Apple, Facebook, Google, and/or Microsoft accounts, as well as your password manager and your financial institutions.
  3. Manage permissions.
  4. Review security policy settings.
  5. Research confidentiality, integrity, and availability concerns for your school or work environment. What security risks exist? How can these risks be mitigated?

Lesson Summary[edit]

Authentication[edit]

  • Authentication is the act of proving an assertion, such verifying the identity of a computer system user.[2]
  • Multi-factor authentication is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism:[3]
    • knowledge (something the user and only the user knows)
    • possession (something the user and only the user has)
    • inherence (something the user and only the user is)
  • Examples of factors include:[4]
    • Password
    • PIN
    • One-time password
    • Software token
    • Hardware token
    • Biometrics
    • Specific location
    • Security questions
  • Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.[5]

Authorization[edit]

  • Authorization is the function of specifying access rights/privileges to resources, which is related to information security and computer security in general and to access control in particular.[6]
  • Permissions or access rights control the ability of users to view, change, navigate, and execute system resources.[7]
  • The principle of least privilege (PoLP) requires that every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.[8]
  • Role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users based on job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the permissions needed to perform particular system functions.[9]
  • Common user account types may include guest, standard, power user, and administrator.[10]
  • Rule-based access control extends role-based access by applying policies that express a complex Boolean rule set that can evaluate many different attributes. Attribute categories include:[11]
    • Subject attributes: attributes that describe the user attempting the access e.g. age, clearance, department, role, job title
    • Action attributes: attributes that describe the action being attempted e.g. read, delete, view, approve
    • Object attributes: attributes that describe the object (or resource) being accessed e.g. the object type (medical record, bank account...), the department, the classification or sensitivity, the location
    • Contextual (environment) attributes: attributes that deal with time, location or dynamic aspects of the access control scenario
  • Mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target.[12]
  • Discretionary access control (DAC) is a type of access control by which a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).[13]

Accounting[edit]

  • Accounting within computer security refers to accountability, using such system components as audit trails (records) and logs, to associate a subject with its actions.[14]
  • An audit trail (also called audit log) is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, or event.[15]
  • Logs are files that record either events that occur in an operating system or other software runs.[16]
  • Web browsing history is the list of web pages a user has visited recently, as well as associated data such as page title and time of visit, which is recorded by web browser software as standard for a certain period of time.[17]

Non-repudiation[edit]

  • Non-repudiation involves associating actions or changes with a unique individual. This prevents the owner of the account from denying actions performed by the account.[18]
  • Non-repudiation methods include:[19]
    • Video
    • Biometrics
    • Digital Signature
    • Receipt

Confidentiality[edit]

  • Confidentiality involves a set of rules or a promise usually executed through agreements that limits access or places restrictions on certain types of information.[20]
  • Snooping is stealthily observing any type of action or communication.[21][22]
  • Eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent.[23]
  • Wiretapping is the monitoring of telephone and Internet-based conversations by a third party, often by covert means.[24]
  • Social engineering is the psychological manipulation of people into performing actions or divulging confidential information.[25]
  • Dumpster diving is salvaging from garbage containers for items discarded by their owners, but deemed useful to the picker.[26]

Integrity[edit]

  • Data integrity is the maintenance of, and the assurance of the accuracy and consistency of data over its entire life-cycle.[27]
  • Man-in-the-middle attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.[28]
  • Replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a masquerade attack by IP packet substitution.[29]
  • Impersonation is when someone imitates or copies the behavior or actions of another, often as part of a criminal act such as identity theft.[30]
  • Unauthorized information alteration may occur with incomplete or incorrect implementation of authentication and authorization.[31]

Availability[edit]

  • Availability is the degree to which a system, subsystem or equipment is in a specified operable and committable state at a given time.[32]
  • A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.[33]
  • A power outage (also called a power cut, a power out, a power blackout, power failure or a blackout) is the loss of the electrical power network supply to an end user.[34]
  • Computer security can be compromised by devices, such as keyboards, monitors or printers (thanks to electromagnetic or acoustic emanation for example) or by components of the computer, such as the memory, the network card or the processor (thanks to time or temperature analysis for example).[35]
  • An asset is any data, device, or other component of the environment that supports information-related activities. Assets generally include hardware, software, and confidential information. Assets should be protected from illicit access, use, disclosure, alteration, destruction, and/or theft, resulting in loss to the organization.[36]
  • Downtime refers to periods when a system is unavailable. Downtime or outage duration refers to a period of time that a system fails to provide or perform its primary function. Reliability, availability, recovery, and unavailability are related concepts.[37]

Key Terms[edit]

ACL (Access Control List)
A list of permissions attached to an object.[38]
DDoS (Distributed Denial of Service)
A distributed denial-of-service (DDoS) is a large-scale DoS attack where the perpetrator uses more than one unique IP address or machines, often from thousands of hosts infected with malware.[39]
DLP (Data Leak Prevention)
Preventing the intentional or unintentional release of secure or private/confidential information to an untrusted environment.[40]
DoS (Denial of Service)
A cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.[41]
IDS (Intrusion Detection System)
A device or software application that monitors a network or systems for malicious activity or policy violations.[42]
IPS (Intrusion Prevention System)
Network security appliances that monitor network or system activities to identify malicious activity, log information about this activity, report it, and attempt to block or stop it.[43]
MITM (Man in the Middle)
An attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.[44]
ROSI (Return on Security Investment)
A ratio between net benefit and cost of investment. As a performance measure, ROI is used to evaluate the efficiency of an investment or to compare the efficiencies of several different investments.[45]
SID (System Identifier or Security Identifier)
A unique, immutable identifier of a user, user group, or other security principal.[46]

Assessments[edit]

See Also[edit]

References[edit]

  1. CompTIA: IT Fundamentals (ITF+) Exam Objectives FC0-U61
  2. Wikipedia: Authentication
  3. Wikipedia: Multi-factor authentication
  4. CompTIA: IT Fundamentals (ITF+) Exam Objectives FC0-U61
  5. Wikipedia: Single sign-on
  6. Wikipedia: Authorization
  7. Wikipedia: File system permissions
  8. Wikipedia: Principle of least privilege
  9. Wikipedia: Role-based access control
  10. Wikipedia: User (computing)
  11. Wikipedia: Attribute-based access control
  12. Wikipedia: Mandatory access control
  13. Wikipedia: Discretionary access control
  14. Wikipedia: Computer access control
  15. Wikipedia: Audit trail
  16. Wikipedia: Log file
  17. Wikipedia: Web browsing history
  18. Wikipedia: Non-repudiation
  19. CompTIA: IT Fundamentals (ITF+) Exam Objectives FC0-U61
  20. Wikipedia: Confidentiality
  21. Wikipedia: Snooping
  22. TechTarget: Snooping
  23. Wikipedia: Eavesdropping
  24. Wikipedia: Telephone tapping
  25. Wikipedia: Social engineering (security)
  26. Wikipedia: Dumpster diving
  27. Wikipedia: Data integrity
  28. Wikipedia: Man-in-the-middle attack
  29. Wikipedia: Replay attack
  30. Wikipedia: Impersonation
  31. Wikipedia: Computer access control
  32. Wikipedia: Availability
  33. Wikipedia: Denial-of-service attack
  34. Wikipedia: Power outage
  35. Wikipedia: Computer security compromised by hardware failure
  36. Wikipedia: Asset (computer security)
  37. Wikipedia: Downtime
  38. Wikipedia: Access control list
  39. Wikipedia: Denial-of-service attack
  40. Wikipedia: Data breach
  41. Wikipedia: Denial-of-service attack
  42. Wikipedia: Intrusion detection system
  43. Wikipedia: Intrusion detection system
  44. Wikipedia: Man-in-the-middle attack
  45. Wikipedia: Return on investment
  46. Wikipedia: Security Identifier