Security Awareness: Applying Practical Security in Your World

1
Security Awareness Applying Practical Security
in Your World

• Chapter 2 Personal Computer Security

2
Objectives

• Define physical security and explain how to apply
  it
• List the different types of data security
• Work with operating system security

3
Personal Computer Security

• Ensuring physical security of personal computers
  is one of the basic lines of defense
• Users tend to focus on one or two defenses
• Personal computer security
• Physically secure
• Data secured on the personal computer
• Operating systems and software secured

4
Physical Security

• Physical Security ? The process of protecting the
  computer itself
• Goal prevent unauthorized users from reaching
  the equipment to use, steal or vandalize it
• Frequently overlooked security process
• Two types of PC equipment to be
  protectedDesktop Portable

5
Protecting Desktop Equipment

• Desktop equipment ? Equipment located in an
  office or not regularly moved to other locations
• Door locks are first line of defense
• Defended by What you have What you know What
  you are (See Figure 2-1)

6
Protecting Desktop Equipment
Figure 2-1
7
Using What You Have to Provide Protection

• Door locks protect based on what you have A KEY!
• Two types of door locksPreset (or key-in-knob)
  lock Deadbolt lock

8
Using What You Have to Provide Protection
(continued)
Preset lock
9
Door Lock Best Practices

• Procedure to monitor use of locks and keys
• Keep track of keys issued
• Keep records of who uses and turns in keys
• Inspect locks regularly
• Change locks immediately upon theft or loss of
  keys

10
Door Lock Best Practices (continued)

• No markings identifying master keys
• Only issue keys to authorized persons
• Keys not in use must be secured in a locked safe
• Mark master keys with Do Not Duplicate and
  erase manufacturers serial numbers

11
Using What You Know to Provide Protection

• Cipher lock ? Use buttons that must bepushed in
  correct sequence to grant access
• What you know COMBINATION

12
Using Who You Are to Provide Protection

• Biometrics ? Using unique human traits to
  authenticate
• Traits that can be usedFingerprint FaceHand
  IrisRetina Voice
• Fingerprint matching is most common
• Different methods of scanning
• Biometrics weaknesses expensive, difficult to
  use, and prone to errors and security breach

13
Using Who You Are to Provide Protection
(continued)
Fingerprint Scanner
Figure 2-5
14
Using Who You Are to Provide Protection
(continued)
Ridge points
Selected locations
15
Protecting Portable Equipment

• Portable equipment is designed to be mobile ?
  Requires different steps to secure
• Device locks (See Figure 2-8)
• Notebook safes (See Figure 2-9)
• Stealth signal transmitter
• Software installed that cannot be detected
• If stolen, the transmitter sends a signal to the
  monitoring center when it connects to the
  Internet
• Signal can be analyzed to track down the device

16
Protecting Portable Equipment (continued)
Device lock
Notebook safe
17
Data Security

• Data security ? More important than physical
  security
• Data is more valuable than devices
• Two methods to secure dataCryptography ?
  Scrambles data so no one can read it Access
  controls ? Restricts who has access to the data

18
Cryptography

• Cryptography ? Science of transforming
  information so it is secure during transmission
  or storage
• Encryption Changing original text into a
  secret, encoded message
• Decryption Reversing the encryption process to
  change text back to original, readable form

19
Cryptography (continued)

• Public and Private Keys
• Private Key System (See Figure 2-10)
• Same key used to encrypt and decrypt messages
• Key must remain secret
• Distributing the private key can be difficult
• Public Key System (See Figure 2-11)
• Public key used to encrypt (Key openly
  distributed)
• Private key used to decrypt (Key must remain
  secret)
• Eliminates the need for secret distribution of
  keys

20
Cryptography (continued)
Figure 2-10
21
Cryptography (continued)
Figure 2-11
22
Digital Signatures

• Digital signature ? Public key system used to
  prove that the person sending the message is who
  they claim to be
• Sender creates digital signature using their
  private key before encrypting the message with
  the receivers public key (See Figure 2-12)

23
Cryptography (continued)
Figure 2-12
24
Digital Certificates

• Digital certificate ? Links or binds a specific
  person to a public key
• Issued by a Certificate Authority (CA)
• Public keys that have been digitally signed by a
  trusted third party (the CA) that attests to the
  identity of the key owner

25
Authentication

• Authentication ? Confirms the identity of the
  person requesting access
• Passwords
• Biometrics
• Tokens
• Smart cards

26
Authentication (continued)

• Passwords
• Secret combination of words or numbers that
  identify the user
• Used in combinationwith usernames (See Figure
  2-13 at right)
• First line of defense?WEAK SECURITY

27
Authentication (continued)

• Password shortcuts that compromise security
• Short passwords
• Common word passwords
• Personal information password
• Same for all accounts
• Located (written down) under mouse pad or
  keyboard
• A stale, unchanged password

28
Authentication (continued)

• Techniques for choosing hard-to-crack passwords
  that are easy to remember
• Long phrases
• Substitute special characters
• Replace letters with numbers
• Group multiple accounts by security level
• Choose same password, but make increasingly
  difficult to crack depending on security level
• Do not write down passwords on paper ? Password
  protected document (See Figure 2-14)

29
Authentication (continued)
Password Options
Figure 2-14
30
Authentication (continued)
Fingerprint scanner

• Biometrics
• Biometrics used for door locks, can also be
  used for access control to personal computers
• Fingerprint scanners (See Figure 2-15?)

31
Authentication (continued)

• Tokens ? Security device that authenticates the
  user by embedding the appropriate permission in
  the token itself
• What you have (token)
• What you know (password or PIN)
  ACCESS GRANTED

32
Authentication (Cont.)

• Smart Cards ? Contains a chip that stores the
  users private key, login information and public
  key digital certificate
• Can be either credit cards or USB tokens (See
  Figure 2-16 below)

33
Operating System Security

• Modern operating systems have sophisticated
  security enhancements
• Most of these security tools not implemented by
  usersoff by default
• Operating system hardening ? Process of making a
  PC operating system more securePatch
  management Antivirus software Antispyware
  software Permissions

34
Patch Management

• Patches ? Updates to software to correct a
  problem or weakness
• Critical step in securing a system
• Generally not automatically installed
• User must download and install (See Figure 2-17)
  or give specific permission for automatically
  downloaded patches to be installed

35
Patch Management
Figure 2-17
36
Patch Management (continued)

• Patch management ? Describes the tools,
  utilities, and processes for keeping patches
  up-to-date
• Different types of software updates (See Table
  2-1)
• Weakness of patch management often up to the
  user to download and install the patch
• Automated patch management is becoming more
  prevalent

37
Patch Management (continued)
Table 2-1
38
Antivirus and Antispyware Software

• Antivirus software ? Works with the operating
  system to identify and destroy viruses
• Antivirus software companies regularly create
  updates to detect and destroy the latest viruses
• Definition files or signature files
• Antispyware software ? Software that disinfects a
  computer from spyware and monitors any spyware
  activity
• Spyware not only tracks what the user is doing,
  but can be used by hackers to identify security
  weaknesses

39
Shares

• Share ? Any object that is shared with others
• Necessary for todays networked computers, but
  can open security weaknesses if not done
  correctly
• General rules for setting up shares
• Determine who needs access and what level
• Use groups and assign permissions to the group
  rather than individuals
• Assign most restrictive permissions that still
  allow users to perform necessary tasks
• Organize resources

40
Summary

• Physical security is protecting the computer and
  equipment itself.
• Easily and often overlooked area of personal
  computer security.
• One primary goal prevent unauthorized users from
  reaching the equipment to steal, use or vandalize
  it.
• Door locks are the first line of defense in
  physical security.
• The steps taken to protect portable devices are
  different, because they are designed to be moved.

41
Summary (continued)

• Data security is as important as physical
  security.
• Two procedures used to secure data
• Cryptography
• Science of transforming information so that it is
  secure during transmission or storage
• Restrict users from accessing the data using a
  variety of tools
• PasswordsBiometricsTokensSmart cards are
  examples of the tools used for authentication of
  identity

42
Summary (continued)

• Operating system hardening is the process of
  making a PC operating system more secure
• Patch management
• Antivirus software
• Antispyware software
• Setting correct permissions for shares