Security Awareness: Applying Practical Security in Your World

Chapter 2: Personal Computer Security
Objectives

Define physical security and explain how to apply it

List the different types of data security

Work with operating system security

Personal Computer Security

Ensuring the physical security of personal computers is one of the basic lines of defense

Users tend to focus on only one or two defenses

Personal computer security has three parts:
  Physically secure the computer
  Secure the data stored on the computer
  Secure the operating system and software

Physical Security

Physical security - The process of protecting the computer itself

Goal: prevent unauthorized users from reaching the equipment to use, steal, or vandalize it

A frequently overlooked security process

Two types of PC equipment to be protected:
  Desktop
  Portable

Protecting Desktop Equipment

Desktop equipment - Equipment located in an office and not regularly moved to other locations

Door locks are the first line of defense

Defended by (see Figure 2-1):
  What you have
  What you know
  What you are

Figure 2-1: Protecting desktop equipment

Using What You Have to Provide Protection

Door locks protect based on what you have: a key

Two types of door locks:
  Preset (or key-in-knob) lock
  Deadbolt lock

Figures: preset lock; deadbolt lock

Door Lock Best Practices

Have a procedure to monitor the use of locks and keys

Keep track of the keys issued

Keep records of who uses and who turns in keys

Inspect locks regularly

Change locks immediately upon theft or loss of keys

Put no markings on master keys that identify them as master keys

Issue keys only to authorized persons

Keys not in use must be secured in a locked safe

Mark master keys "Do Not Duplicate" and erase the manufacturer's serial numbers

Using What You Know to Provide Protection

Cipher lock - Uses buttons that must be pushed in the correct sequence to grant access

What you know: a combination

Using Who You Are to Provide Protection

Biometrics - Using unique human traits to authenticate

Traits that can be used:
  Fingerprint
  Hand
  Retina
  Face
  Iris
  Voice

Fingerprint matching is the most common

Different scanning methods are used

Biometric weaknesses: expensive, difficult to use, and prone to errors (false accepts and false rejects); unlike a password, a compromised biometric cannot be reissued

Figure 2-5: Fingerprint scanner

Figure: fingerprint matching compares ridge points at selected locations

Protecting Portable Equipment

Portable equipment is designed to be mobile, so it requires different steps to secure

Device locks (see Figure 2-8)

Notebook safes (see Figure 2-9)

Stealth signal transmitter:
  Software installed on the device that the thief cannot detect
  If the device is stolen, the transmitter sends a signal to a monitoring center when the device connects to the Internet
  The signal can be analyzed to track down the device

Figures 2-8 and 2-9: device lock; notebook safe

Data Security

Data security - Often more important than physical security, because the data is more valuable than the device

Two methods to secure data:
  Cryptography - Scrambles data so that it cannot be read by anyone who does not hold the key
  Access controls - Restrict who has access to the data

Cryptography

Cryptography - The science of transforming information so that it is secure during transmission or storage

Encryption: changing the original text (plaintext) into a secret, encoded message (ciphertext)

Decryption: reversing the encryption process to change the ciphertext back to its original, readable form

Public and Private Keys

Private key system, also called symmetric encryption (see Figure 2-10):
  The same key is used to encrypt and decrypt messages
  The key must remain secret
  Getting the private key to the other party without exposing it can be difficult

Public key system, also called asymmetric encryption (see Figure 2-11):
  The public key is used to encrypt (the key is openly distributed)
  The private key is used to decrypt (the key must remain secret)
  Eliminates the need for secret distribution of keys

Figure 2-10: Private key system

Figure 2-11: Public key system

Digital Signatures

Digital signature - Use of a public key system to prove that the person sending the message is who they claim to be, and that the message was not altered in transit

The sender creates the digital signature with their own private key before encrypting the message with the receiver's public key (see Figure 2-12); the receiver decrypts with their private key and then checks the signature with the sender's public key

Figure 2-12: Digital signature

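The key-system and digital-signature slides above describe a flow (sign with the sender's private key, encrypt with the receiver's public key, decrypt with the receiver's private key, verify with the sender's public key). The following is an added example that walks through that flow end to end; it is not code from the textbook. It uses unpadded "textbook" RSA with constructed key pairs built from known Mersenne primes so that every step is visible in plain arithmetic. The names Alice, Bob and Mallory, the primes, the 8-byte block size and the envelope layout (fixed-length signature followed by the message) are all assumptions for the illustration. Real systems use a vetted library with padding (OAEP for encryption, PSS for signatures) and 2048-bit or larger keys.

```python
"""Toy private/public key flow and digital signature (added example).

Added illustration for the key-system and digital-signature slides; not
textbook code and not safe for real use (unpadded RSA, tiny keys).
"""
import hashlib
from dataclasses import dataclass

E = 65537       # conventional public exponent
BLOCK = 8       # plaintext bytes per block; requires 256**BLOCK < n


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p: int, q: int):
    """Derive a key pair from two primes (the caller supplies the primes)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # private exponent: inverse of E mod phi
    return PublicKey(n, E), PrivateKey(n, d)


def encrypt(plaintext: bytes, pub: PublicKey) -> list:
    """Public key system: anyone can encrypt with the receiver's PUBLIC key."""
    assert 256 ** BLOCK < pub.n, "key too small for the block size"
    out = [pow(len(plaintext), pub.e, pub.n)]      # first block carries the length
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK].ljust(BLOCK, b"\0")
        out.append(pow(int.from_bytes(chunk, "big"), pub.e, pub.n))
    return out


def decrypt(ciphertext: list, priv: PrivateKey) -> bytes:
    """Only the holder of the matching PRIVATE key can reverse encrypt()."""
    length = pow(ciphertext[0], priv.d, priv.n)
    data = b"".join(pow(c, priv.d, priv.n).to_bytes(BLOCK, "big")
                    for c in ciphertext[1:])
    return data[:length]


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, priv: PrivateKey) -> int:
    """Digital signature: the sender signs a hash with their OWN private key."""
    return pow(_digest(message, priv.n), priv.d, priv.n)


def verify(message: bytes, signature: int, pub: PublicKey) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    return pow(signature, pub.e, pub.n) == _digest(message, pub.n)


def _sig_len(n: int) -> int:
    return (n.bit_length() + 7) // 8


def send(message: bytes, sender_priv: PrivateKey, receiver_pub: PublicKey) -> list:
    """Figure 2-12 order: sign with the sender's private key, then encrypt
    signature + message with the receiver's public key."""
    sig = sign(message, sender_priv).to_bytes(_sig_len(sender_priv.n), "big")
    return encrypt(sig + message, receiver_pub)


def receive(ciphertext: list, receiver_priv: PrivateKey, sender_pub: PublicKey):
    """Receiver decrypts with their private key, then verifies the sender."""
    envelope = decrypt(ciphertext, receiver_priv)
    k = _sig_len(sender_pub.n)
    sig, message = int.from_bytes(envelope[:k], "big"), envelope[k:]
    return message, verify(message, sig, sender_pub)


def forge_as(message: bytes, impostor_priv: PrivateKey,
             claimed_pub: PublicKey, receiver_pub: PublicKey) -> list:
    """An impostor signs with their own key but formats the envelope as the
    claimed sender would; verification against the claimed key must fail."""
    sig = sign(message, impostor_priv).to_bytes(_sig_len(claimed_pub.n), "big")
    return encrypt(sig + message, receiver_pub)


# Constructed key pairs from known Mersenne primes (toy sizes, ~90-230 bits).
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**31 - 1, 2**61 - 1)   # the impostor

if __name__ == "__main__":
    msg = b"Transfer $500 to account 12345"
    print(receive(send(msg, ALICE_PRIV, BOB_PUB), BOB_PRIV, ALICE_PUB))
    print(receive(forge_as(msg, MALLORY_PRIV, ALICE_PUB, BOB_PUB), BOB_PRIV, ALICE_PUB))
```

Running it shows Bob recovering the message with `True` for a genuine message from Alice and `False` when Mallory signs with her own private key while claiming to be Alice; changing a single byte of the message after signing also makes `verify` return `False`, which is the integrity half of what a signature provides.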
Digital Certificates

Digital certificate - Links or binds a specific person (or system) to a public key

Issued by a Certificate Authority (CA)

A certificate is a public key that has been digitally signed by a trusted third party (the CA), which attests to the identity of the key owner

Authentication

Authentication - Confirms the identity of the person requesting access

Methods: passwords, biometrics, tokens, smart cards

Passwords

A secret combination of letters, numbers, and other characters that identifies the user

Used in combination with a username (see Figure 2-13)

First line of defense, but on its own a WEAK form of security

Authentication (continued)

Password shortcuts that compromise security:
  Short passwords
  Common-word passwords
  Passwords built from personal information
  The same password for all accounts
  Passwords written down and kept under the mouse pad or keyboard
  A stale, unchanged password

Techniques for choosing hard-to-crack passwords that are easy to remember:
  Use long phrases
  Substitute special characters
  Replace letters with numbers
  Group multiple accounts by security level; use the same base password but make it increasingly difficult to crack depending on the security level
  Do not write passwords down on paper; if they must be recorded, keep them in a password-protected document (see Figure 2-14)

Caveat: simple substitutions (0 for o, 3 for e, @ for a) are built into password-cracking tools' rule sets, so on their own they add little; length, as in a long phrase, is what makes a password hard to crack

Figure 2-14: Password options

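An added example, not from the textbook, that turns the "shortcuts that compromise security" list above into a checker a help desk or onboarding script could run: it flags short passwords, common words (after undoing the digit and symbol substitutions the slide suggests, because cracking rule sets undo them too), personal information, and reuse. The 12-character threshold, the small COMMON_WORDS list and the `used_elsewhere` set are constructed stand-ins for a real policy, a cracking dictionary and a password manager's reuse report.

```python
"""Check a password against the slide's list of shortcuts (added example).

Added illustration, not textbook code.  COMMON_WORDS is a constructed
stand-in for a cracking dictionary; used_elsewhere stands in for a
password manager's reuse report.
"""
import re

# Constructed stand-in for a cracking dictionary (real ones hold millions).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey",
                "dragon", "football", "sunshine", "princess", "secret"}

# Substitutions the slide suggests; cracking tools undo them with ordinary
# rule sets, so the checker undoes them too before the dictionary test.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalize(pw: str) -> str:
    """Undo digit/symbol substitutions and keep only letters."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def check_password(pw: str, username: str = "", personal=(),
                   used_elsewhere=frozenset()) -> list:
    """Return the shortcuts from the slide that `pw` falls into.

    An empty list means none of the listed shortcuts apply.  `personal`
    holds facts an attacker could look up (pet name, birth year, street);
    `used_elsewhere` holds passwords already in use on other accounts.
    """
    findings = []
    if len(pw) < 12:                      # assumed threshold for "short"
        findings.append("short")
    core = _normalize(pw)
    # A common word plus at most a few extra characters is still a
    # dictionary password once the substitutions are undone.
    if any(w in core and len(core) - len(w) <= 3 for w in COMMON_WORDS):
        findings.append("common word")
    lowered = pw.lower()
    if any(len(x) >= 3 and x.lower() in lowered for x in (username, *personal)):
        findings.append("personal information")
    if pw in used_elsewhere:
        findings.append("reused")
    return findings


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Fluffy2019!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, personal=("fluffy",)) or "ok")
```

Note that "P@ssw0rd" is reported as both short and a common word even though it uses two of the slide's substitution techniques, while the plain four-word phrase passes every check on length alone.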
Authentication (continued)

Biometrics

Biometrics used for door locks can also be used for access control to personal computers

Fingerprint scanners (see Figure 2-15)

Figure 2-15: Fingerprint scanner

Authentication (continued)

Tokens - A security device the user carries; it authenticates the user by means of a credential embedded in the token itself

What you have (token) + what you know (password or PIN) = ACCESS GRANTED

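The slide describes a token generically. As an added example, not from the textbook, here is how the most common kind of token (a one-time-code generator, whether a key fob or a phone app) works, and how a login combines it with a PIN so that both "what you have" and "what you know" must be present. HOTP (RFC 4226) and TOTP (RFC 6238) are real standards implemented with the Python standard library; the user record, PIN and the token seed (the RFC 4226 sample secret) are constructed test values.

```python
"""One-time-code token plus PIN (added example, not textbook code).

HOTP/TOTP are the real RFC 4226 / RFC 6238 algorithms; the user, PIN and
seed are constructed test data.
"""
import hmac
import hashlib
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the clock."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one within `window` steps of clock drift."""
    return any(hmac.compare_digest(totp(secret, now + k * step, step), code)
               for k in range(-window, window + 1))


# Constructed user record; the seed is the RFC 4226 sample secret.
USERS = {"alice": {"pin": "4321", "seed": b"12345678901234567890"}}
_DUMMY = {"pin": "0000", "seed": b"\0" * 20}   # keeps timing even for unknown users


def login(user: str, pin: str, code: str, now: int = None) -> bool:
    """Both factors must pass: the PIN (know) and the token code (have)."""
    rec = USERS.get(user, _DUMMY)
    now = int(time.time()) if now is None else now
    pin_ok = hmac.compare_digest(rec["pin"], pin)
    code_ok = verify_totp(rec["seed"], code, now)
    return user in USERS and pin_ok and code_ok


if __name__ == "__main__":
    seed = USERS["alice"]["seed"]
    print("current token code:", totp(seed, int(time.time())))
    print("login with PIN only:", login("alice", "4321", "12345"))
    print("login with both factors:", login("alice", "4321", totp(seed, int(time.time()))))
```

The drift window is the usual trade-off: it keeps a fob whose clock has slipped by half a minute usable, at the cost of three valid codes at any moment instead of one. The seed must be stored as carefully as a password hash would be, since anyone who copies it holds a perfect duplicate of the token.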
Authentication (continued)

Smart cards - Contain a chip that stores the user's private key, login information, and public key digital certificate

Can take the form of a credit card or a USB token (see Figure 2-16)

Operating System Security

Modern operating systems have sophisticated security enhancements

Most of these security tools are not implemented by users because they are off by default

Operating system hardening - The process of making a PC operating system more secure:
  Patch management
  Antivirus software
  Antispyware software
  Permissions

Patch Management

Patches - Updates to software that correct a problem or weakness

A critical step in securing a system

Often not installed automatically

The user must download and install the patch (see Figure 2-17) or give specific permission for automatically downloaded patches to be installed

Figure 2-17

Patch management - The tools, utilities, and processes for keeping patches up to date

Different types of software updates (see Table 2-1)

Weakness of patch management: it is often up to the user to download and install the patch

Automated patch management is becoming more prevalent

Table 2-1: Types of software updates

Antivirus and Antispyware Software

Antivirus software - Works with the operating system to identify and remove viruses

Antivirus vendors regularly release updates, called definition files or signature files, to detect and remove the latest viruses

Antispyware software - Software that removes spyware from a computer and monitors for spyware activity

Spyware not only tracks what the user is doing, but can also be used by attackers to identify security weaknesses

Shares

Share - Any object (such as a folder, drive, or printer) that is shared with others over the network

Necessary for today's networked computers, but can open security weaknesses if not set up correctly

General rules for setting up shares:
  Determine who needs access and at what level
  Use groups and assign permissions to the group rather than to individuals
  Assign the most restrictive permissions that still allow users to perform the necessary tasks
  Organize resources so that permissions can be managed consistently

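An added example, not from the textbook, that checks an existing set of share permissions against the rules above: write access handed to broad built-in groups, permissions granted to an individual instead of a group, and a right higher than the one a group needs for its work. The snapshot is constructed in the shape of Windows share access entries (share, account, access right); the group list and the `NEEDED` requirement table are assumed inputs a real script would pull from the directory and from the access review that decided "who needs access and at what level".

```python
"""Audit share permissions against the slide's rules (added example).

Added illustration, not textbook code.  SNAPSHOT, GROUPS and NEEDED are
constructed data standing in for share ACLs, a directory lookup and an
access-review result.
"""
from collections import namedtuple

Ace = namedtuple("Ace", "share account right")      # right: Read, Change, Full

# Assumed directory data: which accounts are groups, and which are so broad
# that granting them anything on a share deserves a second look.
GROUPS = {"BUILTIN\\Administrators", "CORP\\Finance-RW", "CORP\\Finance-RO",
          "Everyone", "NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users"}
BROAD = {"Everyone", "NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users"}
RANK = {"Read": 1, "Change": 2, "Full": 3}

# Constructed snapshot of share permissions (not from any real system).
SNAPSHOT = [
    Ace("Finance", "Everyone", "Full"),
    Ace("Finance", "CORP\\jdoe", "Change"),
    Ace("Finance", "CORP\\Finance-RW", "Change"),
    Ace("Finance", "BUILTIN\\Administrators", "Full"),
    Ace("Reports", "CORP\\Finance-RO", "Read"),
    Ace("Reports", "CORP\\Finance-RW", "Full"),
]

# Assumed access-review result: the highest right each group needs per share.
NEEDED = {("Finance", "CORP\\Finance-RW"): "Change",
          ("Reports", "CORP\\Finance-RW"): "Change",
          ("Reports", "CORP\\Finance-RO"): "Read"}


def audit(aces, needed=None) -> list:
    """Return (share, account, finding) for every entry that breaks a rule."""
    needed = needed or {}
    findings = []
    for ace in aces:
        if ace.account in BROAD:
            findings.append((ace.share, ace.account,
                             f"broad group granted {ace.right}"))
        if ace.account not in GROUPS:
            findings.append((ace.share, ace.account,
                             "permission granted to an individual, not a group"))
        want = needed.get((ace.share, ace.account))
        if want and RANK[ace.right] > RANK[want]:
            findings.append((ace.share, ace.account,
                             f"{ace.right} granted where {want} suffices"))
    return findings


if __name__ == "__main__":
    for share, account, finding in audit(SNAPSHOT, NEEDED):
        print(f"{share}: {account}: {finding}")
```

The fix for each finding follows the slide's rules directly: replace the Everyone entry with the specific group that needs the share, move `jdoe` into `Finance-RW` and remove the individual entry, and drop `Finance-RW` on Reports from Full to Change, since Full also lets members rewrite the permissions themselves.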
Summary

Physical security is protecting the computer and equipment itself.
  An easily and often overlooked area of personal computer security.
  One primary goal: prevent unauthorized users from reaching the equipment to steal, use, or vandalize it.
  Door locks are the first line of defense in physical security.
  The steps taken to protect portable devices are different, because they are designed to be moved.

Data security is as important as physical security.
  Two procedures are used to secure data:
    Cryptography - the science of transforming information so that it is secure during transmission or storage
    Access controls - restrict users from accessing the data using a variety of tools
  Passwords, biometrics, tokens, and smart cards are examples of the tools used to authenticate identity.

Operating system hardening is the process of making a PC operating system more secure:
  Patch management
  Antivirus software
  Antispyware software
  Setting correct permissions for shares