Security Awareness: Applying Practical Security in Your World

Chapter 2: Personal Computer Security
Objectives
• Define physical security and explain how to apply it
• List the different types of data security
• Work with operating system security
Security Awareness: Applying Practical Security in Your World
Personal Computer Security
• Ensuring the physical security of personal computers is one of the basic lines of defense
  - Users tend to focus on only one or two defenses
• Personal computer security means all three of:
  - Physically secured
  - Data secured on the personal computer
  - Operating system and software secured
Physical Security
• Physical security: the process of protecting the computer itself
  - Goal: prevent unauthorized users from reaching the equipment to use, steal or vandalize it
  - A frequently overlooked security process
  - Two types of PC equipment to be protected:
    - Desktop
    - Portable
Protecting Desktop Equipment
• Desktop equipment: equipment located in an office and not regularly moved to other locations
  - Door locks are the first line of defense
• Defended by:
  - What you have
  - What you know
  - What you are (see Figure 2-1)
Protecting Desktop Equipment (continued)
Figure 2-1
Using What You Have to Provide Protection
• Door locks protect based on what you have: a key
  - Two types of door locks:
    - Preset (or key-in-knob) lock
    - Deadbolt lock
Using What You Have to Provide Protection (continued)
Figures: preset lock and deadbolt lock
Door Lock Best Practices
• Have a procedure to monitor the use of locks and keys
• Keep track of keys issued
• Keep records of who uses and turns in keys
• Inspect locks regularly
• Change locks immediately upon theft or loss of keys
Door Lock Best Practices (continued)
• No markings that identify a key as a master key
• Issue keys only to authorized persons
• Keys not in use must be secured in a locked safe
• Stamp master keys "Do Not Duplicate" and erase the manufacturer's serial numbers (the code on a key is enough to order a duplicate)
Using What You Know to Provide Protection
• Cipher lock: uses buttons that must be pushed in the correct sequence to grant access
  - What you know: the combination
Using Who You Are to Provide Protection
• Biometrics: using unique human traits to authenticate
• Traits that can be used:
  - Fingerprint
  - Hand
  - Retina
  - Face
  - Iris
  - Voice
• Fingerprint matching is the most common
  - Different methods of scanning
• Biometric weaknesses: expensive, difficult to use, prone to errors (false accepts and false rejects), and a trait that has been copied or leaked cannot be replaced the way a key or password can
Using Who You Are to Provide Protection (continued)
Fingerprint Scanner (Figure 2-5)
Using Who You Are to Provide Protection (continued)
Figure: ridge points and selected locations on a fingerprint used for matching
Protecting Portable Equipment
• Portable equipment is designed to be mobile, so it requires different steps to secure:
  - Device locks (see Figure 2-8)
  - Notebook safes (see Figure 2-9)
  - Stealth signal transmitter
    - Software installed on the device and designed to be hard for a thief to detect
    - If the device is stolen, the transmitter sends a signal to a monitoring center whenever it connects to the Internet
    - The signal can be analyzed to track down the device
Protecting Portable Equipment (continued)
Figures: device lock and notebook safe
Data Security
• Data security: more important than physical security
  - Data is more valuable than the devices that hold it
• Two methods to secure data:
  - Cryptography: scrambles data so that no one without the key can read it
  - Access controls: restrict who has access to the data
Cryptography
• Cryptography: the science of transforming information so that it is secure during transmission or storage
  - Encryption: changing the original text (plaintext) into a secret, encoded message (ciphertext)
  - Decryption: reversing the encryption process to change the text back to its original, readable form
Cryptography (continued)
• Public and private keys
  - Private key system (symmetric; see Figure 2-10)
    - The same key is used to encrypt and decrypt messages
    - The key must remain secret
    - Distributing the private key securely to the other party can be difficult
  - Public key system (asymmetric; see Figure 2-11)
    - Public key used to encrypt (key openly distributed)
    - Private key used to decrypt (key must remain secret)
    - Eliminates the need for secret distribution of keys; the public key need not be hidden, but the sender must still be sure it really belongs to the intended recipient (the problem digital certificates address)
Cryptography (continued)
Figure 2-10
Cryptography (continued)
Figure 2-11
Digital Signatures
• Digital signature: a use of the public key system to prove that a message came from the holder of a particular private key (the person sending the message is who they claim to be) and was not altered in transit
  - The sender creates the digital signature using their private key before encrypting the message with the receiver's public key (see Figure 2-12)
  - Anyone holding the sender's public key can check the signature; only the matching private key could have produced it
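The two key systems and the sign-then-encrypt flow from the slides above, as an added example that is not the textbook's code. It is textbook RSA built on the standard library with hard-coded Mersenne primes so it runs offline; the key sizes, the SHA-256 "hash then exponentiate" signature without padding, and the toy stream cipher used for the private-key (symmetric) side are simplifications chosen for illustration, and the names Alice and Bob and the message are constructed.

```python
"""Private-key (symmetric) vs public-key systems, plus a digital signature.
Added example, not from the textbook: textbook RSA with hard-coded Mersenne
primes so it runs offline and instantly. Real systems use random 2048-bit+
primes, padding (OAEP for encryption, PSS for signing) and a vetted library."""
import hashlib

E = 65537  # conventional public exponent

# Known Mersenne primes (2**k - 1 with k = 61, 89, 107, 127); toy key sizes only.
M61, M89, M107, M127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1


def keygen(p, q):
    """Return ((e, n), (d, n)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse of e (Python 3.8+)
    return (E, n), (d, n)


def encrypt(public, message: bytes) -> int:
    """Anyone with the public key can encrypt; only the private key can decrypt."""
    e, n = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private, message: bytes) -> int:
    """Signature = hash of the message raised to the PRIVATE exponent."""
    d, n = private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n  # toy: no PSS padding
    return pow(h, d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Anyone with the signer's PUBLIC key can check the signature."""
    e, n = public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


def symmetric_crypt(key: bytes, data: bytes, nonce: bytes) -> bytes:
    """Private key system: the SAME secret key encrypts and decrypts.
    Toy stream cipher: keystream = SHA-256(key || nonce || counter), XORed in."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def sign_then_encrypt_demo(message=b"wire 500 to acct 42"):
    """Figure 2-12 flow: Alice signs with her private key, then encrypts with Bob's public key.
    Returns (recovered plaintext, signature valid?, signature valid on a tampered copy?)."""
    alice_pub, alice_priv = keygen(M61, M89)    # constructed keys for this example
    bob_pub, bob_priv = keygen(M107, M127)
    sig = sign(alice_priv, message)              # only Alice's private key can make this
    ct = encrypt(bob_pub, message)               # only Bob's private key can open this
    # --- (ct, sig) travels over the network; neither private key is sent ---
    recovered = decrypt(bob_priv, ct)
    return recovered, verify(alice_pub, recovered, sig), verify(alice_pub, recovered + b"0", sig)


if __name__ == "__main__":
    print(sign_then_encrypt_demo())
```

Note what is and is not secret in each half: `symmetric_crypt` needs the same `key` on both ends, which is exactly the distribution problem the slide describes, whereas the RSA half sends nothing but `ct` and `sig`. Bob still has to know that `alice_pub` is really Alice's, which is what the next slide's digital certificates provide.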
Cryptography (continued)
Figure 2-12
Digital Certificates
• Digital certificate: links or binds a specific person (or organization) to a public key
  - Issued by a Certificate Authority (CA)
  - A public key that has been digitally signed by a trusted third party (the CA), which attests to the identity of the key owner
Authentication
• Authentication: confirms the identity of the person requesting access. Methods:
  - Passwords
  - Biometrics
  - Tokens
  - Smart cards
Authentication (continued)
• Passwords
  - A secret combination of letters, numbers and symbols known only to the user
  - Used in combination with a username: the username identifies the user, the password proves it (see Figure 2-13)
  - The most common first line of defense
  - WEAK SECURITY on its own
Authentication (continued)
• Password shortcuts that compromise security:
  - Short passwords
  - Common-word passwords
  - Passwords built from personal information
  - The same password for all accounts
  - Passwords written down under the mouse pad or keyboard
  - A stale, unchanged password
Authentication (continued)
• Techniques for choosing hard-to-crack passwords that are easy to remember:
  - Long phrases (length adds far more strength than any single substitution)
  - Substitute special characters
  - Replace letters with numbers
    - Caution: cracking tools try these substitutions automatically, so "P@ssw0rd" is little stronger than "password"; use them on top of length, not instead of it
  - Group multiple accounts by security level
    - Use a base password, made increasingly difficult to crack depending on the security level
    - Caution: a shared base means one leaked password weakens the rest; unrelated passwords per account are safer
  - Do not write down passwords on paper; keep them in a password-protected document instead (see Figure 2-14)
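A checker that applies the two password slides above (the shortcuts that weaken a password and the techniques for a stronger one), as an added example that is not the textbook's code. It also shows the point the slides only hint at: undoing the common letter-for-number substitutions before looking a password up, which is what cracking rule sets do. The word list, the 12-character minimum, the substitution table and the sample passwords are all constructed for illustration; a real checker consults breached-password lists with millions of entries.

```python
"""Password weakness checks matching the slides' list of shortcuts.
Added example, not from the textbook. Word list and thresholds are constructed."""
import math
import re

# Constructed sample of common base words; real lists are far larger.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin", "monkey", "dragon"}
# Substitutions crackers undo automatically, so "P@ssw0rd" is still "password" to them.
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "l",
                      "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})
MIN_LENGTH = 12  # assumed threshold; the slide only says "short"


def normalize(password: str) -> str:
    """Undo what an attacker's rule set undoes: case, trailing digits/symbols, leet spelling."""
    s = re.sub(r"[^a-z]+$", "", password.lower())   # strip "1", "123", "!" suffixes first
    s = s.translate(LEET)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def weaknesses(password: str, personal=()) -> list:
    """Return the slide's shortcut categories that apply (empty list = none found).
    `personal` is the user's name, birth year, pet, etc. as strings."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("short")
    base = normalize(password)
    if any(w in base for w in COMMON_WORDS):
        found.append("common-word")
    lowered = password.lower()
    if any(p.lower() in lowered for p in personal if len(p) >= 3):
        found.append("personal-info")
    return found


def charset_bits(password: str) -> float:
    """Naive strength estimate: length x log2(alphabet size).
    Overstates dictionary-derived passwords, which is why weaknesses() exists."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33
    return len(password) * math.log2(size) if size else 0.0


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of randomly chosen words: words x log2(dictionary size)."""
    return words * math.log2(dictionary_size)


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "Alice1990!", "correct horse battery staple"):
        print(pw, weaknesses(pw, personal=("alice", "1990")), round(charset_bits(pw), 1))
```

"P@ssw0rd1" scores about 59 bits by the naive alphabet formula yet normalizes straight back to "password"; a four-word phrase drawn at random from a 7776-word list scores about 52 bits and has no such shortcut. That is the concrete reason "long phrases" heads the slide's list.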
Authentication (continued)
Password Options (Figure 2-14)
Authentication (continued)
• Biometrics
  - Biometrics used for door locks can also be used for access control to personal computers
  - Fingerprint scanners (see Figure 2-15)
Authentication (continued)
• Tokens: a security device the user must physically possess; it authenticates the user by presenting a secret or one-time code held or generated inside the token itself
  What you have (token)
  + What you know (password or PIN)
  = ACCESS GRANTED
Authentication (continued)
• Smart cards: contain a chip that stores the user's private key, login information and public key digital certificate
  - Can be either credit-card-sized cards or USB tokens (see Figure 2-16)
Operating System Security
• Modern operating systems have sophisticated security enhancements
  - Most of these security tools go unused: they are off by default and users never turn them on
• Operating system hardening: the process of making a PC operating system more secure
  - Patch management
  - Antivirus software
  - Antispyware software
  - Permissions
Patch Management
• Patches: updates to software that correct a problem or weakness
  - A critical step in securing a system
  - Often not installed automatically: the user must download and install the patch (see Figure 2-17) or give specific permission for automatically downloaded patches to be installed
Patch Management (continued)
Figure 2-17
Patch Management (continued)
• Patch management: the tools, utilities and processes for keeping patches up to date
  - Different types of software updates (see Table 2-1)
  - Weakness of patch management: it is often up to the user to download and install the patch
    - Automated patch management is becoming more prevalent
Patch Management (continued)
Table 2-1
Antivirus and Antispyware Software
• Antivirus software: works with the operating system to identify and destroy viruses
  - Antivirus companies regularly publish updates to detect and destroy the latest viruses
    - Definition files or signature files
• Antispyware software: software that disinfects a computer of spyware and monitors for spyware activity
  - Spyware not only tracks what the user is
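How the definition (signature) files mentioned above actually drive detection, and why they need constant updates, as an added example that is not the textbook's or any vendor's code. The "malware" samples, the file-hash signature and the byte-pattern signature are all constructed byte strings for illustration; no real malware or real vendor definitions are involved.

```python
"""Signature-based scanning with a constructed definition file.
Added example, not from the textbook. Samples and signatures are made up."""
import hashlib
import re

# Constructed definition file with the two signature kinds a scanner commonly carries.
DEFINITIONS = {
    # Exact-file signatures: SHA-256 of a known bad file. Precise, but any edit defeats them.
    "hash": {
        hashlib.sha256(b"MZ\x90\x00evil-dropper-v1").hexdigest(): "Dropper.v1",
    },
    # Byte-pattern signatures: survive small edits; wildcards expressed as a regex over bytes.
    "pattern": [
        (re.compile(rb"evil-dropper-v[0-9]"), "Dropper.family"),
    ],
}


def scan(data: bytes, definitions=DEFINITIONS) -> list:
    """Return the names of every signature that matches `data` (empty list = clean)."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in definitions["hash"]:
        hits.append(definitions["hash"][digest])
    for regex, name in definitions["pattern"]:
        if regex.search(data):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for sample in (b"MZ\x90\x00evil-dropper-v1", b"MZ\x90\x00evil-dropper-v2", b"just a document"):
        print(sample, scan(sample))
```

The second sample differs from the first by one byte: the hash signature no longer fires, the pattern signature still does, and a sample that changes the pattern too is invisible until the vendor ships a new definition. That gap between a new variant and its definition is the reason the slide stresses regular updates.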
Shares
• Share: any object that is shared with others
  - Necessary for today's networked computers, but opens security weaknesses if not done correctly
  - General rules for setting up shares:
    - Determine who needs access and at what level
    - Use groups and assign permissions to the group rather than to individuals
    - Assign the most restrictive permissions that still allow users to perform their necessary tasks
    - Organize resources
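The share rules above applied to a small access-control list, as an added example that is not the textbook's code. The users, groups, share and access levels are constructed; the evaluation order (an explicit deny beats any allow, otherwise the most generous allow among the user's groups wins, default no access) is the assumption it models, and `lint_acl` flags the two rule violations the slide warns about: permissions granted to an individual rather than a group, and a broader level than the task needs.

```python
"""Share permission evaluation following the slide's rules: grant to groups, least privilege.
Added example, not from the textbook; all principals and the share are constructed."""

RIGHTS_RANK = {"none": 0, "read": 1, "change": 2, "full": 3}  # cumulative access levels

# Constructed directory: who belongs to which group.
GROUPS = {
    "Finance": {"alice", "bob"},
    "Finance-Admin": {"alice"},
    "Contractors": {"carol"},
}

# Constructed ACL for one share: (principal, effect, right). Principals are groups, never users.
PAYROLL_ACL = [
    ("Finance", "allow", "read"),
    ("Finance-Admin", "allow", "change"),
    ("Contractors", "deny", "read"),  # explicit deny overrides any allow
]


def groups_of(user: str) -> set:
    return {g for g, members in GROUPS.items() if user in members}


def effective_right(user: str, acl) -> str:
    """Highest allowed right across the user's groups, unless a deny applies; default 'none'."""
    mine = groups_of(user)
    best = "none"
    for principal, effect, right in acl:
        if principal not in mine:
            continue
        if effect == "deny":
            return "none"
        if RIGHTS_RANK[right] > RIGHTS_RANK[best]:
            best = right
    return best


def lint_acl(acl) -> list:
    """Flag entries that break the slide's rules: user principals and blanket 'full' grants."""
    problems = []
    for principal, effect, right in acl:
        if principal not in GROUPS:
            problems.append(f"{principal}: assign permissions to a group, not an individual")
        if effect == "allow" and right == "full":
            problems.append(f"{principal}: 'full' also grants changing permissions; prefer 'change'")
    return problems


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, effective_right(user, PAYROLL_ACL))
    print(lint_acl(PAYROLL_ACL + [("dave", "allow", "full")]))
```

Because every entry names a group, moving a user in or out of `Finance-Admin` changes their access without touching the share, which is the maintenance benefit behind "groups rather than individuals".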
Summary
• Physical security is protecting the computer and equipment itself
  - An easily and often overlooked area of personal computer security
  - One primary goal: prevent unauthorized users from reaching the equipment to steal, use or vandalize it
  - Door locks are the first line of defense in physical security
  - The steps taken to protect portable devices are different, because they are designed to be mobile
Summary (continued)
• Data security is as important as physical security
  - Two procedures used to secure data:
    - Cryptography: the science of transforming information so that it is secure during transmission or storage
    - Access controls: restrict users from accessing the data using a variety of tools
  - Passwords, biometrics, tokens and smart cards are examples of the tools used to authenticate identity
Summary (continued)
• Operating system hardening is the process of making a PC operating system more secure
  - Patch management
  - Antivirus software
  - Antispyware software
  - Setting correct permissions for shares