General Security Concepts: Basic Security Terminology

Author: McGraw-Hill Education
Short URL: https://www.wesrch.com/electronics/pdfEL11TZ000POCV

BaseTech / Principles of Computer Security: CompTIA Security+™ and Beyond / Wm. Arthur Conklin / 619-8 / Chapter 2

Chapter 2: General Security Concepts

“The only real security that a man can have in this world is a reserve of knowledge, experience and ability.”
—HENRY FORD

In this chapter, you will learn how to

• Define basic terms associated with computer and information security
• Identify the basic approaches to computer and information security
• Distinguish among various methods to implement access controls
• Describe methods used to verify the identity and authenticity of an individual
• Describe methods used to conduct social engineering
• Recognize some of the basic models used to implement security in operating systems

In Chapter 1, you learned about some of the various threats that we, as
security professionals, face on a daily basis. In this chapter, you start
exploring the field of computer security.


Basic Security Terminology

The term hacking has been used frequently in the media. A hacker was once
considered an individual who understood the technical aspects of computer
operating systems and networks. Hackers were individuals you turned to
when you had a problem and needed extreme technical expertise. Today,
primarily as a result of the media, the term is used more often to refer to individuals who attempt to gain unauthorized access to computer systems or
networks. While some would prefer to use the terms cracker and cracking
when referring to this nefarious type of activity, the terminology generally
accepted by the public is that of hacker and hacking. A related term that may
sometimes be seen is phreaking, which refers to the “hacking” of the systems
and computers used by a telephone company to operate its telephone
network.

Exam Tip: The field of computer security constantly evolves, introducing new terms frequently, which are often coined by the media. Make sure to learn the meaning of terms such as hacking, phreaking, vishing, phishing, pharming, and spear phishing. Some of these have been around for many years, such as hacking, whereas others have appeared only in the last few years, such as spear phishing.

Security Basics
Computer security itself is a term that has many meanings and related terms.
Computer security entails the methods used to ensure that a system is secure. Subjects such as authentication and access controls must be addressed
in broad terms of computer security. Seldom in today’s world are computers not connected to other computers in networks. This then introduces the
term network security to refer to the protection of the multiple computers and
other devices that are connected together. Related to these two terms are
two others: information security and information assurance, which place the focus of the security process not on the hardware and software being used but
on the data that is processed by them. Assurance also introduces another
concept, that of the availability of the systems and information when we
want them. Still another term that may be heard in the security world is
COMSEC, which stands for communications security and deals with the security of telecommunication systems.
Since the late 1990s, much has been reported in the media concerning
computer and network security. Often the news is about a specific lapse in
security that has resulted in the penetration of a network or in the denial of
service for a network. Over the last few years, the general public has become
increasingly aware of its dependence on computers and networks and consequently has also become interested in the security of these same computers and networks.
As a result of this increased attention by the public, several new terms
have become commonplace in conversations and print. Terms such as hacking, virus, TCP/IP, encryption, and firewalls are now frequently encountered
in mainstream news media and have found their way into casual conversations. What was once the purview of scientists and engineers is now part of
our everyday life.
With our increased daily dependence on computers and networks to
conduct everything from making purchases at our local grocery store to driving our children to school (that new car you just bought is probably using a
small computer to obtain peak engine performance), ensuring that computers and networks are secure has become of paramount importance. Medical
information about each of us is probably stored in a computer somewhere.

So is financial information and data relating to the types of purchases we
make and store preferences (assuming you have and use a credit card to make
purchases). Making sure that this information remains private is a growing
concern to the general public, and it is one of the jobs of security to help with
the protection of our privacy. Simply stated, computer and network security
is now essential for us to function effectively and safely in today’s highly automated environment.

The “CIA” of Security

Tech Tip: CIA of Security
While there is no universal agreement on authentication, auditability, and nonrepudiation as additions to the original CIA of security, there is little debate over whether confidentiality, integrity, and availability are basic security principles. Understand these principles, because one or more of them are the reason for most security hardware, software, policies, and procedures.

Almost from its inception, the goal of computer security has been threefold:
confidentiality, integrity, and availability—the “CIA” of security. The purpose of confidentiality is to ensure that only those individuals who have the
authority to view a piece of information may do so. No unauthorized individual should ever be able to view data they are not entitled to access.
Integrity is a related concept but deals with the generation and modification
of data. Only authorized individuals should ever be able to create or change
(or delete) information. The goal of availability is to ensure that the data, or
the system itself, is available for use when the authorized user wants it.
As a result of the increased use of networks for commerce, two additional security goals have been added to the original three in the CIA of security. Authentication attempts to ensure that an individual is who they
claim to be. The need for this in an online transaction is obvious. Related to
this is nonrepudiation, which deals with the ability to verify that a message
has been sent and received and that the sender can be identified and verified. The requirement for this capability in online transactions should also
be readily apparent. Recent emphasis on systems assurance has raised the
potential inclusion of the term auditability, which refers to whether a control
can be verified to be functioning properly. In security, it is imperative that
we can track actions to ensure what has or has not been done.

The Operational Model of Computer Security
For many years, the focus of security was on prevention. If we could prevent
somebody from gaining access to our computer systems and networks, then
we assumed that we had achieved security. Protection was thus equated
with prevention. While the basic premise of this is true, it fails to acknowledge the realities of the networked environment our systems are part of. No
matter how well we seem to do in prevention technology, somebody always
seems to find a way around our safeguards. When this happens, our system
is left unprotected. Thus, we need multiple prevention techniques and also
technology to alert us when prevention has failed and to provide ways to
address the problem. This results in a modification to our original security
equation with the addition of two new elements—detection and response.
Our security equation thus becomes:
Protection = Prevention + (Detection + Response)
This is known as the operational model of computer security. Every security
technique and technology falls into at least one of the three elements of the
equation. Examples of the types of technology and techniques that represent
each are depicted in Figure 2.1.

• Figure 2.1 Sample technologies in the operational model of computer security

Security Principles
There are three approaches an organization can take to address the protection of its networks: ignore
security issues, provide host security, or provide network-level security. The last two, host and network
security, have prevention as well as detection and response components.
If an organization decides to ignore security, it has chosen to utilize the
minimal amount of security that is provided with its workstations, servers,
and devices. No additional security measures will be implemented. Each
“out of the box” system has certain security settings that can be configured,
and they should be. To actually protect an entire network, however, requires work in addition to the few protection mechanisms that come with
systems by default.
Host Security
Host security takes a granular view of security by focusing
on protecting each computer and device individually instead of addressing
protection of the network as a whole. When host security is used, each computer is relied upon to protect itself. If an organization decides to implement
only host security and does not include network security, there is a high
probability of introducing or overlooking vulnerabilities. Most environments are filled with different operating systems (Windows, UNIX, Linux,
Mac), different versions of those operating systems, and different types of
installed applications. Each operating system has security configurations
that differ from other systems, and different versions of the same operating
system may in fact have variations between them. Ensuring that every computer is “locked down” to the same degree as every other system in the environment can be overwhelming and often results in an unsuccessful and
frustrating effort.
Host security is important and should always be addressed. Security,
however, should not stop there, as host security is a complementary process
to be combined with network security. If individual host computers have
vulnerabilities embodied within them, then network security can provide
another layer of protection that will, hopefully, stop any intruders who have
gotten that far into the environment. Topics covered in this book dealing
with host security include: bastion hosts, host-based intrusion detection systems (HIDS), antivirus software, and hardening of operating systems.
Network Security
In some smaller environments, host security by itself
may be an option, but as systems become connected into networks, security
should include the actual network itself. In network security, an emphasis is
placed on controlling access to internal computers from external entities.
This control can be through devices such as routers, firewalls, authentication hardware and software, encryption, and intrusion detection systems
(IDSs).
Network environments tend to be unique entities because usually no
two networks have exactly the same number of computers, the same applications installed, the same number of users, the exact same configurations,
or the same available servers. They will not perform the same functions or
have the same overall architecture. Since networks have so many differences, there are many different ways in which they can be protected and
configured. This chapter covers some foundational approaches to network
and host security. Each approach may be implemented in a myriad of ways
but both network and host security need to be addressed for an effective total security program.

A longtime discussion has centered on whether host- or network-based security is more important. Most security experts now generally agree that a combination of both is needed to adequately address the wide range of possible security threats. Certain attacks are more easily spotted and some attacks are more easily prevented using tools designed for one or the other of these approaches.

Least Privilege

One of the most fundamental approaches to security is least privilege. This
concept is applicable to many physical environments as well as network and
host security. Least privilege means that a subject (which may be a user, application, or process) should have only the necessary rights and privileges to
perform its task with no additional permissions. Limiting an object’s privileges limits the amount of harm that can be caused, thus limiting an organization’s exposure to damage. Users may have access to the files on their
workstations and a select set of files on a file server, but no access to critical
data that is held within the database. This rule helps an organization protect
its most sensitive resources and helps ensure that whoever is interacting
with these resources has a valid reason to do so.
Different operating systems and applications have different ways of implementing rights, permissions, and privileges. Before an operating system
is actually configured, an overall plan should be devised and standardized
methods should be developed to ensure that a solid security baseline is actually implemented. For example, a company may want all of the Accounting
employees, but no one else, to be able to access employee payroll and profit
margin spreadsheets held on a server. The easiest way to implement this is
to develop an Accounting group, put all Accounting employees in this
group, and assign rights to the group instead of each individual person.
As another example, there may be a requirement to implement a hierarchy of administrators that perform different functions and require specific
types of rights. Two administrators may be tasked with performing backups
of individual workstations and servers; thus they do not need administrative permissions with full access to all resources. Three other administrators
may be in charge of setting up new user accounts and password management, which means they do not need full, or perhaps any, access to the company’s routers and switches. Once these lines are delineated, indicating
what subjects require which rights and permissions, then it is much easier to
configure settings to provide the least privileges for different subjects.
The concept of least privilege applies to more network security issues than just providing users with specific rights and permissions. When trust relationships are created, they should not be implemented in such a way that everyone trusts each other simply because it is easier. One domain should trust another for very specific reasons, and the implementers should have a full understanding of what the trust relationship allows between two domains. If one domain trusts another, do all of the users automatically become trusted, and can they thus easily access any and all resources on the other domain? Is this a good idea? Is there a more secure way of providing the same functionality? If a trusted relationship is implemented such that users in one group can access a plotter or printer that is available on only one domain, it might make sense to simply purchase another plotter so that other, more valuable or sensitive resources are not accessible by the entire group.

Try This: Examples of the Least Privilege Principle
The security concept of least privilege is not unique to computer security. It has been practiced by organizations such as financial institutions and governments for centuries. Basically it simply means that individuals are given only the absolute minimum of privileges that are required to accomplish their assigned job. Examine the security policies that your organization has in place and see if you can identify examples of where the principle of least privilege has been used.
Another issue that falls under the least privilege concept is the security
context in which an application runs. All applications, scripts, and batch
files run in the security context of a specific user on an operating system.
They execute with specific permissions as if they were a user. The application may be Microsoft Word and run in the space of a regular user, or it may
be a diagnostic program that needs access to more sensitive system files and
so must run under an administrative user account, or it may be a program
that performs backups and so should operate within the security context of
a backup operator. The crux of this issue is that programs should execute
only in the security context that is needed for that program to perform its
duties successfully. In many environments, people do not really understand
how to make programs run under different security contexts, or it may just
seem easier to have them all run under the administrator account. If attackers can compromise a program or service running under the administrator account, they have effectively elevated their access level and have much more control over the system and many more ways to cause damage.

Try This: Control of Resources
Being able to apply the appropriate security control to file and print resources is an important aspect of the least privilege security principle. How this is implemented varies depending on the operating system that the computer runs. Check how the operating system that you use provides for the ability to control file and print resources.
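
As an added example (not from the book), this is how a POSIX program would apply the rule that it should run only in the security context it needs: a service that has to start as root drops to an unprivileged identity before doing its work, in the safe order (supplementary groups, then gid, then uid), and verifies that the drop is permanent. The fallback uid/gid of 65534 is an assumption labelled in the code; a real deployment would use a dedicated service account.

```python
import os


def current_identity() -> tuple:
    """Real uid and gid of this process."""
    return os.getuid(), os.getgid()


def choose_unprivileged_identity() -> tuple:
    """Identity the service should run as once privileged start-up is done.

    Assumption: uid/gid 65534 ('nobody' on most Linux systems) is the
    unprivileged account. When we are not root there is nothing to drop to,
    so the current identity is returned unchanged.
    """
    if os.geteuid() == 0:
        return 65534, 65534
    return current_identity()


def drop_privileges(uid: int, gid: int) -> tuple:
    """Permanently switch this process to uid/gid; return the resulting identity.

    Order matters: supplementary groups and the primary gid must be changed
    while the process is still root, because once the uid is dropped the
    process no longer has the right to change them.
    """
    if os.geteuid() != 0:
        # Already unprivileged: the only permitted "switch" is to the identity
        # we already hold, so anything else is a configuration error.
        if (uid, gid) != current_identity():
            raise PermissionError("cannot change identity without root")
        return current_identity()

    if uid == 0 or gid == 0:
        raise ValueError("target identity must not be root")

    os.setgroups([])   # shed every inherited supplementary group
    os.setgid(gid)     # primary group first, while we can still change it
    os.setuid(uid)     # setuid() (not seteuid()) also clears the saved set-user-ID

    # Verify the drop is irreversible: regaining root must now fail.
    try:
        os.seteuid(0)
    except PermissionError:
        return current_identity()
    raise RuntimeError("privilege drop was not permanent")


if __name__ == "__main__":
    # Privileged set-up (opening a low port, reading a key file) would go
    # here; everything after this line runs as the unprivileged identity.
    print("running as uid/gid", drop_privileges(*choose_unprivileged_identity()))
```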

Separation of Duties
Another fundamental approach to security is separation of duties. This concept is applicable to physical environments as well as network and host security. Separation of duties ensures that for any given task, more than one
individual needs to be involved. The task is broken into different duties,
each of which is accomplished by a separate individual. By implementing a
task in this manner, no single individual can abuse the system for his or her
own gain. This principle has been implemented in the business world, especially financial institutions, for many years. A simple example is a system in
which one individual is required to place an order and a separate person is
needed to authorize the purchase.
While separation of duties provides a certain level of checks and balances, it is not without its own drawbacks. Chief among these is the cost required to accomplish the task. This cost is manifested in both time and
money. More than one individual is required when a single person could accomplish the task, thus potentially increasing the cost of the task. In addition, with more than one individual involved, a certain delay can be
expected because the task must proceed through its various steps.
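
As an added example (not from the book), the order-and-authorize example above written as an enforced control, generalized to a task with any number of duties: each duty must be performed in order and by a person who has not already performed another duty of the same task. The names and task labels are constructed.

```python
from dataclasses import dataclass, field


class SeparationOfDutiesError(Exception):
    """Raised when one person tries to perform a second duty of the same task."""


@dataclass
class Task:
    name: str
    duties: tuple                                    # ordered, e.g. ("place_order", "authorize")
    completed: dict = field(default_factory=dict)    # duty -> actor who performed it

    def next_duty(self):
        """The first duty not yet performed, or None when the task is finished."""
        for duty in self.duties:
            if duty not in self.completed:
                return duty
        return None

    def perform(self, duty: str, actor: str) -> bool:
        """Record that `actor` performed `duty`; return True once every duty is done.

        Two checks make this a separation-of-duties control: duties happen in
        order (nobody can authorize an order that was never placed), and no actor
        may appear twice in one task, so a single person can never both request
        and approve.
        """
        if duty != self.next_duty():
            raise ValueError(f"{duty!r} is not the next duty of {self.name!r}")
        if actor in self.completed.values():
            raise SeparationOfDutiesError(
                f"{actor!r} already performed {list(self.completed)} on {self.name!r}")
        self.completed[duty] = actor
        return self.next_duty() is None


def purchase(item: str, requester: str, approver: str) -> bool:
    """The two-step example: one person places the order, another authorizes it."""
    task = Task(f"purchase {item}", ("place_order", "authorize"))
    task.perform("place_order", requester)
    return task.perform("authorize", approver)


def purchase_allowed(item: str, requester: str, approver: str) -> bool:
    """True when the control lets the purchase complete, False when it blocks it."""
    try:
        return purchase(item, requester, approver)
    except SeparationOfDutiesError:
        return False
```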


Implicit Deny

Exam Tip: Implicit deny is another fundamental principle of security and students need to be sure that they understand this principle. Similar to least privilege, this principle states that if you haven’t specifically been allowed access, then it should be denied.

What has become the Internet was originally designed as a friendly environment where everybody agreed to abide by the rules implemented in the various protocols. Today, the Internet is no longer the friendly playground of
researchers that it once was. This has resulted in different approaches that
might at first seem less than friendly but that are required for security purposes. One of these approaches is implicit deny.
Frequently in the network world, administrators make many decisions
concerning network access. Often a series of rules will be used to determine
whether or not to allow access (which is the purpose of a network firewall).
If a particular situation is not covered by any of the other rules, the implicit
deny approach states that access should not be granted. In other words, if no
rule would allow access, then access should not be granted. Implicit deny
applies to situations involving both authorization and access.
The alternative to implicit deny is to allow access unless a specific rule
forbids it. Another example of these two approaches is in programs that
monitor and block access to certain web sites. One approach is to provide a
list of specific sites that a user is not allowed to access. Access to any site not
on the list would be implicitly allowed. The opposite approach (the implicit
deny approach) would block all access to sites that are not specifically identified as authorized. As you can imagine, depending on the specific application, one or the other approach will be more appropriate. Which approach
you choose depends on the security objectives and policies of your
organization.

Job Rotation
An interesting approach to enhance security that is gaining increasing attention is job rotation. Organizations often discuss the benefits of rotating individuals through various jobs in an organization’s IT department. By
rotating through jobs, individuals gain a better perspective on how the various parts of IT can enhance (or hinder) the business. Since security is often a
misunderstood aspect of IT, rotating individuals through security positions
can result in a much wider understanding throughout the organization
about potential security problems. It also can have the side benefit of a company not having to rely on any one individual too heavily for security expertise. If all security tasks are the domain of one employee, and that individual
leaves suddenly, security at the organization could suffer. On the other
hand, if security tasks are understood by many different individuals, the
loss of any one individual has less of an impact on the organization.
One significant drawback to job rotation is relying on it too heavily. The
IT world is very technical, and expertise in any single aspect often takes
years to develop. This is especially true in the security environment. In addition, the rapidly changing threat environment, with new vulnerabilities and
exploits routinely being discovered, requires a level of understanding that
takes considerable time to acquire and maintain.

Layered Security
A bank does not protect the money that it stores only by using a vault. It has
one or more security guards as a first defense to watch for suspicious activities and to secure the facility when the bank is closed. It may have
monitoring systems that watch various activities that take place in the bank,
whether involving customers or employees. The vault is usually located in
the center of the facility, and thus there are layers of rooms or walls before
arriving at the vault. There is access control, which ensures that the people
entering the vault have to be given the authorization beforehand. And the
systems, including manual switches, are connected directly to the police station in case a determined bank robber successfully penetrates any one of
these layers of protection.
Networks should utilize the same type of layered security architecture.
There is no 100 percent secure system, and there is nothing that is foolproof,
so a single specific protection mechanism should never be solely relied
upon. Every piece of software and every device can be compromised in
some way, and every encryption algorithm can be broken, given enough
time and resources. The goal of security is to make the effort of actually accomplishing a compromise more costly in time and effort than it is worth to
a potential attacker.
As an example, consider the steps an intruder might have to take to access critical data held within a company’s back-end database. The intruder first has to penetrate the firewall and use packets and methods that will not be identified and detected by the IDS (more information on these devices can be found in Chapter 13). The attacker next has to circumvent an internal router performing packet filtering, and then possibly penetrate another firewall used to separate one internal network from another (see Figure 2.2). From there, the intruder must break the access controls that are on the database, which means having to do a dictionary or brute-force attack to be able to authenticate to the database software. Once the intruder has gotten this far, the data still needs to be located within the database. This may in turn be complicated by the use of access control lists outlining who can actually view or modify the data. That is a lot of work.

• Figure 2.2 Layered security

This example illustrates the different layers of security many environments employ. It is important to implement several different layers because if intruders succeed at one layer, you want to be able to stop them at the next. The redundancy of different protection layers assures that there is no one single point of failure pertaining to security. If a network used only a firewall to protect its assets, an attacker successfully able to penetrate this device would find the rest of the network open and vulnerable.

• Figure 2.3 Various layers of security
It is important that every environment have multiple layers of security.
These layers may employ a variety of methods, such as routers, firewalls,
network segments, IDSs, encryption, authentication software, physical security, and traffic control. The layers need to work together in a coordinated
manner so that one does not impede another’s functionality and introduce a
security hole. Security at each layer can be very complex, and putting different layers together can increase the complexity exponentially. Although
having layers of protection in place is very important, it is also important to
understand how these different layers interact either by working together
or, in some cases, by working against each other.
One case of how different security methods can work against each other
is exemplified when firewalls encounter encrypted network traffic. An organization may utilize encryption so that an outside customer communicating with a specific web server is assured that sensitive data being exchanged
is protected. If this encrypted data is encapsulated within Secure Sockets
Layer (SSL) packets and then sent through a firewall, the firewall will not be
able to read the payload information in the individual packets. This may enable the customer, or an outside attacker, to send malicious code or instructions through the SSL connection undetected. There are other mechanisms
that can be introduced in these situations, such as designing web pages to
accept information only in certain formats and having the web server parse
through the data for malicious activity. The important point is to understand the level of protection that each layer provides and how each level
of protection can be affected by things that take place in other layers.
The layers usually are depicted starting at the top, with more general
types of protection, and progressing downward through each layer,
with increasing granularity at each layer as you get closer to the actual
resource, as you can see in Figure 2.3. This is because the top-layer protection mechanism is responsible for looking at an enormous amount of
traffic, and it would be overwhelming and cause too much of a performance degradation if each aspect of the packet were inspected. Instead,
each layer usually digs deeper into the packet and looks for specific
items. Layers that are closer to the resource have to deal with only a fraction of the traffic that the top-layer security mechanism does, and thus
looking deeper and at more granular aspects of the traffic will not cause
as much of a performance hit.

Diversity of Defense
Diversity of defense is a concept that complements the idea of various layers
of security. It involves making different layers of security dissimilar so that
even if attackers know how to get through a system that comprises one
layer, they may not know how to get through a different type of layer that
employs a different system for security.
If an environment has two firewalls that form a demilitarized zone
(DMZ), for example, one firewall may be placed at the perimeter of the
Internet and the DMZ. This firewall analyzes the traffic that is entering
through that specific access point and enforces certain types of restrictions.

28

P:\010Comp\BaseTech\619-8\ch02.vp
Wednesday, November 09, 2011 2:01:23 PM

Principles of Computer Security: CompTIA Security+ and Beyond

Color profile: Disabled
Composite Default screen

BaseTech / Principles of Computer Security: CompTIA Security+™ and Beyond / Wm. Arthur Conklin / 619-8 / Chapter 2

The other firewall may then be placed between the DMZ and the internal
network. When applying the diversity of defense concept, you should set up
these two firewalls to filter for different types of traffic and provide different
types of restrictions. The first firewall, for example, may make sure that no
FTP, SNMP, or Telnet traffic enters the network but allow SMTP, SSH,
HTTP, and SSL traffic through. The second firewall may not allow SSL or
SSH through and may interrogate SMTP and HTTP traffic to make sure that
certain types of attacks are not part of that traffic.
Another type of diversity of defense is to use products from different
vendors. Every product has its own security vulnerabilities that are usually
known to experienced attackers in the community. A Check Point firewall
has different security issues and settings than the open source Sentry
firewall; thus different exploits can be used against them to crash them or
compromise them in some fashion. Combining this type of diversity with
the preceding example, you might utilize the Check Point firewall as the
first line of defense. If attackers are able to penetrate it, they are less likely to
get through the next firewall if it is one from another vendor, such as a Cisco
ASA firewall or a Sentry firewall.
There is an obvious trade-off that must be considered before implementing diversity of security using different vendor products. Doing so usually
also increases operational complexity, and security and complexity are seldom a good mix. When implementing products from more than one vendor,
the staff has to know how to configure two different systems, the configuration settings will be totally different, the upgrades and patches will come
out at different times and contain different changes, and the overall complexity of maintaining these systems may cause more headaches than security itself. This does not mean that you should not implement diversity of
defense by installing products from different vendors; it just means that you
should know the implications of this type of decision.
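
As an added illustration of the layered, diverse filtering described in the last two sections (example code written for this discussion, not code from the book), the following Python models the two-firewall DMZ: the perimeter layer decides on destination port alone and default-denies, while the internal layer, with a different rule set, refuses SSL and SSH and inspects the SMTP and HTTP payloads that reached it. The port table, the conformance checks, the addresses (taken from the 203.0.113.0/24 documentation range) and the packets are all constructed for the example.

```python
"""Two-firewall DMZ model: layered filtering with dissimilar rule sets.

Added example for this discussion (not code from the book).  The perimeter
layer sees all traffic and decides on destination port alone; the internal
layer sees only what survived, applies different rules, and looks into payloads.
"""
from dataclasses import dataclass

# Well-known destination ports (IANA assignments) used to name a packet's protocol.
PORT_PROTOCOL = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
                 80: "HTTP", 161: "SNMP", 443: "SSL"}

HTTP_METHODS = (b"GET", b"HEAD", b"POST")                       # allowed request methods
SMTP_VERBS = (b"EHLO", b"HELO", b"MAIL", b"RCPT", b"DATA", b"QUIT")


@dataclass
class Packet:
    src: str            # source address; 203.0.113.0/24 is a documentation range
    dst_port: int
    payload: bytes = b""


def perimeter_filter(pkt: Packet) -> tuple[bool, str]:
    """Outer layer at the Internet/DMZ boundary: cheap port-based decision, default deny."""
    proto = PORT_PROTOCOL.get(pkt.dst_port)
    if proto in ("FTP", "SNMP", "Telnet"):
        return False, f"perimeter denied {proto}"
    if proto in ("SMTP", "SSH", "HTTP", "SSL"):
        return True, f"perimeter allowed {proto}"
    return False, f"perimeter denied unknown port {pkt.dst_port}"


def http_conforms(payload: bytes) -> bool:
    """Accept only a well-formed request line: allowed method, absolute path, HTTP/1.x."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return (len(parts) == 3 and parts[0] in HTTP_METHODS
            and parts[1].startswith(b"/") and parts[2] in (b"HTTP/1.0", b"HTTP/1.1"))


def smtp_conforms(payload: bytes) -> bool:
    """Accept only a line that begins with a known SMTP command verb."""
    verb = payload.split(b"\r\n", 1)[0].split(b" ", 1)[0].upper()
    return verb in SMTP_VERBS


def internal_filter(pkt: Packet) -> tuple[bool, str]:
    """Inner layer at the DMZ/internal boundary: different rules, deeper inspection."""
    proto = PORT_PROTOCOL.get(pkt.dst_port)
    if proto in ("SSL", "SSH"):
        return False, f"internal denied {proto}"
    if proto == "SMTP":
        ok = smtp_conforms(pkt.payload)
        return ok, "internal SMTP " + ("conforms" if ok else "malformed, dropped")
    if proto == "HTTP":
        ok = http_conforms(pkt.payload)
        return ok, "internal HTTP " + ("conforms" if ok else "malformed, dropped")
    return False, f"internal denied {proto or pkt.dst_port}"


def filter_chain(pkt: Packet) -> tuple[bool, list[str]]:
    """Apply the layers in order; layer n+1 only ever sees what layer n passed."""
    trail: list[str] = []
    for layer in (perimeter_filter, internal_filter):
        ok, why = layer(pkt)
        trail.append(why)
        if not ok:
            return False, trail
    return True, trail


if __name__ == "__main__":
    # Constructed sample traffic.
    for pkt in (Packet("203.0.113.5", 23, b"login"),
                Packet("203.0.113.5", 443),
                Packet("203.0.113.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
                Packet("203.0.113.5", 80, b"\x90\x90 not http"),
                Packet("203.0.113.5", 25, b"EHLO mail.example.com\r\n")):
        print(pkt.dst_port, filter_chain(pkt))
```

The trail returned by `filter_chain` shows the point the text makes about granularity: the perimeter never looks past the port, and only the small share of traffic it admits pays for the payload inspection at the inner layer. Because the two layers disagree about SSL and SSH, getting past one rule set does not imply getting past the other.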

Security Through Obscurity
Another concept in security that should be discussed is the idea of security
through obscurity. In this case, security is considered effective if the environment and protection mechanisms are confusing or thought to be not generally known. Security through obscurity uses the approach of protecting
something by hiding it. Noncomputer examples of this concept include hiding your briefcase or purse if you leave it in the car so that it is not in plain
view, hiding a house key under a doormat or in a planter, or pushing your
favorite ice cream to the back of the freezer so that everyone else thinks it is
all gone. The idea is that if something is out of sight, it is out of mind. This
approach, however, does not provide actual protection of the object. Someone can still steal the purse by breaking into the car, lift the doormat and find
the key, or dig through the items in the freezer to find your favorite ice
cream. Security through obscurity may make someone work a little harder
to accomplish a task, but it does not prevent anyone from eventually
succeeding.
Similar approaches are seen in computer and network security when attempting to hide certain objects. A network administrator may, for instance,
move a service from its default port to a different port so that others will not
know how to access it as easily, or a firewall may be configured to hide specific information about the internal network in the hope that potential attackers will not obtain the information for use in an attack on the network.
In most security circles, security through obscurity is considered a poor approach, especially if it is the only approach to security. Security through obscurity simply attempts to hide an object; it doesn’t implement a security control to protect it. An organization can use security through obscurity measures to try to hide critical assets, but other security measures should also be employed to provide a higher level of protection. For example, if an administrator moves a service from its default port to a more obscure port, an attacker can still actually find this service; thus a firewall should be used to restrict access to the service. Most people know that even if you do shove your ice cream to the back of the freezer, someone may eventually find it.

It often amazes security professionals how frequently individuals rely on security through obscurity as their main line of defense. Relying on some piece of information remaining secret is generally not a good idea. This is especially true in this age of reverse-engineering, where individuals analyze the binaries for programs to discover embedded passwords or cryptographic keys. The biggest problem with relying on security through obscurity is that if it fails and the secret becomes known, there often is no easy way to modify the secret to resecure it.

Keep It Simple
The terms security and complexity are often at odds with each other, because the more complex something is, the harder it is to understand, and
you cannot truly secure something if you do not understand it. Another reason complexity is a problem within security is that it usually allows too
many opportunities for something to go wrong. If an application has 4000
lines of code, there are a lot fewer places for buffer overflows, for example,
than in an application of two million lines of code.
As with any other type of technology or problem in life, when something goes wrong with security mechanisms, a troubleshooting process is
used to identify the actual issue. If the mechanism is overly complex, identifying the root of the problem can be overwhelming if not nearly impossible.
Security is already a very complex issue because there are so many variables
involved, so many types of attacks and vulnerabilities, so many different
types of resources to secure, and so many different ways of securing them.
You want your security processes and tools to be as simple and elegant as
possible. They should be simple to troubleshoot, simple to use, and simple
to administer.
Another application of the principle of keeping things simple concerns
the number of services that you allow your system to run. Default installations of computer operating systems often leave many services running. The
keep-it-simple principle tells us to eliminate those services that we don’t
need. This is also a good idea from a security standpoint because it results in
fewer applications that can be exploited and fewer services that the administrator is responsible for securing. The general rule of thumb should be to
always eliminate all nonessential services and protocols. This of course
leads to the question, how do you determine whether a service or protocol is
essential or not? Ideally, you should know what your computer system or
network is being used for, and thus you should be able to identify and activate only those elements that are essential. For a variety of reasons, this is
not as easy as it sounds. Alternatively, a stringent security approach that
one can take is to assume that no service is necessary (which is obviously absurd) and activate services and ports only as they are requested. Whatever
approach is taken, there is a never-ending struggle to try to strike a balance
between providing functionality and maintaining security.
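
An added example of applying the keep-it-simple rule to running services (written for this discussion, not the book's code): it parses listener lines in the style of `ss -tlnp` output, which are constructed here rather than captured from a real host, and compares them with an allowlist of the services a given host role needs. The role names and allowlists are assumptions; the empty allowlist models the stringent "nothing is necessary until requested" approach the text describes.

```python
"""Audit listening services against a per-role allowlist (added example, not from the book)."""
import re

# Constructed sample in the style of `ss -tlnp` output; not captured from a real host.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1040,fd=6))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=655,fd=7))
LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=990,fd=40))
LISTEN 0      128    [::]:111            [::]:*            users:(("rpcbind",pid=540,fd=4))
"""

# One LISTEN line: local address and port, then the owning process name.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

LOOPBACK = {"127.0.0.1", "[::1]"}

# Essential services per host role (assumed allowlists).  Knowing what the host
# is for is the text's first approach; the empty "bare" list is the stringent
# second approach, where nothing is essential until someone asks for it.
ROLE_ESSENTIAL = {
    "web": {("sshd", 22), ("nginx", 80)},
    "bare": set(),
}


def parse_listeners(text: str) -> list[tuple[str, int, str]]:
    """Return (process, port, bound_address) for every LISTEN line in ss-style output."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group(3), int(m.group(2)), m.group(1)))
    return found


def nonessential(listeners, role: str) -> list[tuple[str, int, str]]:
    """Listeners not on the role's allowlist: candidates for removal or disabling."""
    essential = ROLE_ESSENTIAL[role]
    return sorted(entry for entry in listeners if (entry[0], entry[1]) not in essential)


def report(text: str, role: str) -> list[str]:
    """Human-readable findings; loopback-only services are flagged as lower exposure."""
    lines = []
    for proc, port, addr in nonessential(parse_listeners(text), role):
        exposure = "loopback only" if addr in LOOPBACK else "network reachable"
        lines.append(f"{proc} on {addr}:{port} is not essential for role {role!r} ({exposure})")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_LISTENERS, "web"):
        print(finding)
```

Run against real output, the same parser works on `ss -tlnp` as root; the useful part is the allowlist, which forces the question the text raises (what is this host for?) to be answered once, in writing, rather than at every troubleshooting session.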

Access Control
The term access control has been used to describe a variety of protection
schemes. It sometimes refers to all security features used to prevent unauthorized access to a computer system or network. In this sense, it may be
confused with authentication. More properly, access control is the ability to
control whether a subject (such as an individual or a process running on a
computer system) can interact with an object (such as a file or hardware device). Authentication, on the other hand, deals with verifying the identity of
a subject. To help understand the difference, consider the example of an individual attempting to log into a computer system or network. Authentication is the process used to verify to the computer system or network that the
individual is who they claim to be. The most common method to do this is
through the use of a user ID and password. Once the individual has verified
their identity, access controls regulate what the individual can actually do
on the system. Just because a person is granted entry to the system does not
mean that they should have access to all data the system contains.

Authentication
Access controls define what actions a user can perform or what objects a
user can have access to. These controls assume that the identity of the user
has been verified. It is the job of authentication mechanisms to ensure that
only valid users are admitted. Described another way, authentication is using some mechanism to prove that you are who you claim to be. There are
three general methods used in authentication. In order to verify your identity, you can provide

• Something you know
• Something you have
• Something about you (something that you are)

The most common authentication mechanism is to provide something
that only you, the valid user, should know. The most frequently used example of this is the common user ID (or username) and password. In theory,
since you are not supposed to share your password with anybody else, only
you should know your password, and thus by providing it, you are proving
to the system that you are who you claim to be. Another mechanism for authentication is to provide something that you have in your possession, such
as a magnetic stripe card that contains identifying information. The third
mechanism is to use something about you for identification purposes, such
as your fingerprint or the geometry of your hand. Obviously, for the second
and third mechanisms to work, additional hardware devices need to be
used (to read the card, fingerprint, or hand geometry).

Access Control vs. Authentication
It may seem that access control and authentication are two ways to describe
the same protection mechanism. This, however, is not the case. Authentication provides a way to verify to the computer who the user is. Once the user
has been authenticated, the access controls decide what operations the user
can perform. The two go hand-in-hand but they are not the same thing. An
access control list (ACL) is a mechanism that is used to define whether a user
has certain access privileges for a system. For example, an ACL might be
used to provide a list of individuals and what access they have for a computer system or network device.
No matter what specific mechanism is used to implement access controls in a computer system or network, the controls should be based on a
specific model of access. Several different models are discussed in security
literature, including discretionary access control (DAC), mandatory access
control (MAC), role-based access control (RBAC), and rule-based access
control (also RBAC). Access control is covered in detail in Chapter 11.

Certificates
Certificates are a method to establish authenticity of specific objects such as
an individual’s public key (more on this specific subject in Chapter 6) or
downloaded software. A digital certificate is generally an attachment to a
message and is used to verify that the message did indeed come from the entity it claims to have come from. The digital certificate can also contain a key
that can be used to encrypt further communication. For more information
on this subject, refer to Chapter 11.

Authentication and Access Control Policies
Policies are statements of what the organization wants to accomplish. The
organization needs to identify goals and intentions for many different aspects of security. Each aspect will have associated policies and procedures.

Group Policy
Operating systems such as Windows and Linux allow administrators to organize users into groups, to create categories of users for which similar access policies can be established. Using groups saves the administrator time,
as adding a new user will not require the administrator to create a completely new user profile; instead, the administrator can determine to which
group the new user belongs and then add the user to that group.
A group policy defines for the group things such as the applicable operating system and application settings and permissions. Examples of groups
commonly found include administrator, user, and guest. Take care when creating groups and assigning users to them so that you do not provide more access than is absolutely required for members of that group. It would be simple
to make everybody an administrator—it would cut down on the number of
requests users make of beleaguered administrators—but this is not a wise
choice, as it also enables users to modify the system in ways that could impact
security. Establishing the rights levels of access for the various groups up
front will save you time and eliminate potential problems that might be encountered later on. More on this subject will be covered in Chapter 14.
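
To make the distinction between authentication, access control lists and groups (the Access Control, Authentication and Group Policy sections above) concrete, here is an added Python example, not code from the book. The user store, group membership, ACL entries and object names are constructed; passwords are kept only as salted PBKDF2 hashes, and the ACL is consulted only after identity has been proven.

```python
"""Authentication first, then access control: an added example, not the book's code.

The user store, group membership, ACL entries and object names are constructed.
"""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; the system stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user_store() -> dict:
    """Constructed accounts; each record keeps its own random salt."""
    store = {}
    for name, password in (("alice", "correct horse battery"), ("bob", "bob-pass-2011")):
        salt = os.urandom(16)
        store[name] = {"salt": salt, "iterations": KDF_ITERATIONS,
                       "digest": hash_password(password, salt)}
    return store


def authenticate(store: dict, username: str, password: str) -> bool:
    """'Something you know': prove identity by reproducing the stored digest."""
    rec = store.get(username)
    if rec is None:
        hash_password(password, b"\x00" * 16)      # spend the same time for unknown users
        return False
    return hmac.compare_digest(hash_password(password, rec["salt"], rec["iterations"]),
                               rec["digest"])


# Groups (constructed): a user inherits the rights of every group it belongs to.
GROUPS = {"administrator": {"alice"}, "user": {"alice", "bob"}, "guest": set()}

# ACL (constructed): object -> group -> permitted actions.  Anything absent is denied.
ACL = {
    "/etc/shadow":  {"administrator": {"read", "write"}},
    "/srv/reports": {"administrator": {"read", "write"}, "user": {"read"}},
    "/srv/public":  {"administrator": {"read", "write"}, "user": {"read"}, "guest": {"read"}},
}


def groups_of(username: str) -> set:
    return {g for g, members in GROUPS.items() if username in members}


def authorized(username: str, obj: str, action: str) -> bool:
    """Access control: does any group of this (already authenticated) subject grant the action?"""
    entry = ACL.get(obj, {})
    return any(action in entry.get(g, set()) for g in groups_of(username))


def access(store: dict, username: str, password: str, obj: str, action: str) -> str:
    """Authenticate, then authorize; the reason string is what an audit log would record."""
    if not authenticate(store, username, password):
        return "denied: authentication failed"
    if not authorized(username, obj, action):
        return f"denied: {username} may not {action} {obj}"
    return "allowed"


if __name__ == "__main__":
    users = make_user_store()
    print(access(users, "bob", "bob-pass-2011", "/srv/reports", "read"))    # allowed
    print(access(users, "bob", "bob-pass-2011", "/srv/reports", "write"))   # denied by the ACL
    print(access(users, "bob", "guess", "/srv/public", "read"))             # denied by authentication
```

Note that `authorized` never sees the password and `authenticate` never sees the ACL: the two mechanisms answer different questions, which is the separation the text insists on. Granting rights to groups rather than to users is what keeps adding a new account a one-line change, and the default-deny shape of `ACL` is what stops "make everybody an administrator" from being the path of least resistance.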

Password Policy
Since passwords are the most common authentication mechanism, it is imperative that organizations have a policy that addresses them. The list of authorized users forms the basis of the ACL for the computer system or
network that the passwords will help control. The password policy should address the procedures used for selecting user passwords (specifying what is
considered an acceptable password in the organization in terms of the character set and length, its complexity), the frequency with which they must be
changed, and how they will be distributed. Procedures for creating new
passwords should an employee forget her old password also need to be addressed, as well as the acceptable handling of passwords (for example, they
should not be shared with anybody else, they should not be written down,
and so on). It might also be useful to have the policy address the issue of
password cracking by administrators, in order to discover weak passwords
selected by employees.
Note that the developer of the password policy and associated procedures can go overboard and create an environment that negatively impacts
employee productivity and leads to poorer security, not better. If, for example, the frequency with which passwords are changed is too great, users
might write them down or forget them. Neither of these is a desirable outcome, as the former makes it possible for an intruder to find a password and
gain access to the system, and the latter leads to too many people losing productivity as they wait for a new password to be created to allow them access
again. More information on password policies can be found in Chapter 22.
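
An added example (not the book's code) of enforcing the parts of a password policy that can be checked mechanically: length, character-set complexity, forbidden content, reuse against a history of hashes, and expiry. The numeric limits in `POLICY` are assumed values; the text names the knobs but sets none of them, and the generous expiry age reflects its warning that changing passwords too often drives users to write them down.

```python
"""Mechanical checks for a password policy (added example; limits are assumptions)."""
import hashlib
import string
from datetime import date, timedelta

# Assumed policy parameters: the book names the knobs (character set, length,
# complexity, change frequency, reuse) but gives no numbers; these are examples.
POLICY = {
    "min_length": 12,
    "min_classes": 3,          # of lowercase, uppercase, digit, symbol
    "max_age_days": 180,       # long enough that users are not driven to write passwords down
    "history": 5,              # the last N passwords may not be reused
    "forbidden_words": ("password", "company"),
}
HISTORY_ITERATIONS = 100_000


def history_entry(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """What the password history stores: a salt and a PBKDF2 digest, never the password."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HISTORY_ITERATIONS)


def character_classes(pw: str) -> int:
    """Count how many of the four character classes appear in pw."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)


def check_new_password(candidate: str, username: str, history, policy=POLICY) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if character_classes(candidate) < policy["min_classes"]:
        problems.append(f"uses fewer than {policy['min_classes']} character classes")
    lowered = candidate.lower()
    if username.lower() in lowered:
        problems.append("contains the username")
    for word in policy["forbidden_words"]:
        if word in lowered:
            problems.append(f"contains the forbidden word {word!r}")
    # Reuse check: recompute the digest under each stored salt from the recent history.
    for salt, digest in history[-policy["history"]:]:
        if history_entry(candidate, salt)[1] == digest:
            problems.append(f"reuses one of the last {policy['history']} passwords")
            break
    return problems


def password_expired(set_on: date, today: date, policy=POLICY) -> bool:
    """Expiry check for the change-frequency rule."""
    return today - set_on > timedelta(days=policy["max_age_days"])


if __name__ == "__main__":
    print(check_new_password("password123", "bob", []))
    print(password_expired(date(2011, 1, 1), date(2011, 11, 9)))
```

The parts of the policy this cannot check (not sharing, not writing down, how replacements are issued to someone who forgot theirs) are exactly the ones the text leaves to procedure and training; the code covers the selection rules so that those remain the only things people have to remember.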



Social Engineering
Social engineering is the process of convincing an authorized individual to
provide confidential information or access to an unauthorized individual.
Social engineering takes advantage of what continually turns out to be the
weakest point in our security perimeter—the humans. Kevin Mitnick, a convicted cybercriminal turned security consultant, once stated, “Don’t rely on
network safeguards and firewalls to protect your information. Look to your
most vulnerable spot. You’ll usually find that vulnerability lies in your people.” In 2000, after being released from jail, Mitnick testified before Congress
and spoke on several other occasions about social engineering and how effective it is. He stated that he “rarely had to resort to a technical attack” because of how easily information and access could be obtained through social
engineering.
Individuals who are attempting to social engineer some piece of information generally rely on two aspects of human nature. First, most people generally want to help somebody who is requesting help. Second, people generally
want to avoid confrontation. To exploit people’s natural inclination to provide help, the knowledgeable social engineer might call a help desk and pretend to be a new employee who needs help to log onto the organization’s
network. By doing so, the social engineer can obtain valuable information as
to the type of system or network that is being employed. After making this
call, the social engineer might make a second call and use the information obtained from the first call to provide background so that the next individual the
attacker attempts to obtain information from will not suspect it is an unauthorized individual asking the questions. This works because people generally
assume that somebody is who they claim to be, especially if they have information that would be known by the individual they claim to be.
If the pleasant approach doesn’t work, a more aggressive approach can be attempted. People will normally want to avoid unpleasant confrontations and will also not want to get into trouble with their superiors. An attacker, knowing this, may attempt to obtain information by threatening to go to the individual’s supervisor or by claiming that he is working for somebody who is high up in the organization’s management structure. Because employees want to avoid both a confrontation and a possible reprimand, they might provide the information requested even though they realize that doing so is against the organization’s policies or procedures.
The goal of social engineering is to gradually obtain the pieces of information necessary to take the next step. This is done repeatedly until the ultimate goal is reached. If social engineering is such an effective means of gaining unauthorized access to data and information, how can it be stopped? The most effective means is through the training and education of users, administrators, and security personnel. All employees should be instructed in the techniques that attackers might use and trained to recognize when a social engineering attack is being attempted. One important aspect of this training is for employees to recognize the type of information that should be protected and also how seemingly unimportant information can be combined with other pieces of information to potentially divulge sensitive information. This is known as data aggregation.

Exam Tip: A password policy is one of the most basic policies that an organization can have. Make sure you understand the basics of what constitutes a good password along with the other issues that surround password creation, expiration, sharing, and use.

Social engineering has for many years been one of the most successful methods that attackers have used to gain unauthorized access to computer systems and networks. The technique relies on the inherent desire in most people to be helpful. With a plausible background and a good story, a good social engineer can frequently talk individuals into divulging information that they normally would never have. Social engineering can also take the form of something simple such as striking up a conversation with a person as you approach a locked door so that when the individual opens it, you walk in with them. For many people, if the individual seems friendly and doesn’t look suspicious, they will give them the benefit of the doubt and assume that they belong to the organization and are authorized access.
In addition to the direct approach to social engineering, attackers can use other, indirect means to obtain the information they are seeking. These include phishing, vishing, shoulder surfing, and dumpster diving and are discussed in Chapter 4. Again, the first defense against any of these methods to gather information to be used in later attacks is a strong user education and awareness training program.

Cross Check
Social Engineering Attacks
In Chapter 1, the topic of social engineering was mentioned several times. Social engineering attacks can come in many different forms. Taken as a whole, they are the most common attack that most users will be faced with. Be sure to understand the difference between the various types of social engineering attacks and how each can be used as part of an overall plan to attack an organization.

Security Policies
Policies are high-level statements created by management that lay out the organization’s positions on particular issues. Policies describe mandatory activities but are not specific in their details. Policies are focused on the result,
not the methods for achieving that result. Procedures are generally step-by-step instructions that prescribe exactly how employees are expected to act in
a given situation or to accomplish a specific task. Although standard policies can be described in general terms that will be applicable to all organizations, standards (which define a subject’s specific requirements) and
procedures are often organization-specific and driven by specific organizational policies.

Regarding security, every organization should have several common
policies in place (in addition to those already discussed relative to access
control methods). These include security policies regarding change management, classification of information, acceptable use, due care and due diligence, due process, need to know, disposal and destruction of data, service
level agreements, human resources issues, codes of ethics, and policies governing incident response.
In keeping with the high-level nature of policies, the security policy is a
high-level statement produced by senior management that outlines both
what security means to the organization and the organization’s goals for security. The main security policy can then be broken down into additional
policies that cover specific topics. Statements such as “this organization will
exercise the principle of least access in its handling of client information”
would be an example of a security policy. The security policy can also describe how security is to be handled from an organizational point of view
(such as describing which office and corporate officer or manager oversees
the organization’s security program).
In addition to policies related to access control, the organization’s security policy should include the specific policies described in the next sections.
All policies should be reviewed on a regular basis and updated as needed.
Generally, policies should be updated less frequently than the procedures
that implement them, since the high-level goals will not change as often as
the environment in which they must be implemented. All policies should be
reviewed by the organization’s legal counsel, and a plan should be outlined
that describes how the organization will ensure that employees will be
made aware of the policies. Policies can also be made stronger by including
references to the authority who made the policy (whether this policy comes
from the CEO or is a department-level policy, for example) and references to
any laws or regulations that are applicable to the specific policy and
environment.

Change Management Policy
The purpose of change management is to ensure proper procedures are followed when modifications to the IT infrastructure are made. These modifications can be prompted by a number of different events, including new
legislation, updated versions of software or hardware, implementation of
new software or hardware, or improvements to the infrastructure. The term
“management” implies that this process should be controlled in some systematic way, and that is indeed the purpose. Changes to the infrastructure
might have a detrimental impact on operations. New versions of operating
systems or application software might be incompatible with other software
or hardware the organization is using. Without a process to manage the
change, an organization might suddenly find itself unable to conduct business. A change management process should include various stages, including a method to request a change to the infrastructure, a review and
approval process for the request, an examination of the consequences of the
change, resolution (or mitigation) of any detrimental effects the change
might incur, implementation of the change, and documentation of the process as it related to the change.

Classification of Information
A key component of IT security is the protection of the information processed and stored on the computer systems and network. Organizations
deal with many different types of information, and they need to recognize
that not all information is of equal importance or sensitivity. This requires
classification of information into various categories, each with its own requirements for its handling. Factors that affect the classification of specific
information include its value to the organization (what will be the impact to
the organization if it loses this information?), its age, and laws or regulations
that govern its protection. The most widely known system of classification
of information is that implemented by the U.S. government (including the
military), which classifies information into categories such as Confidential,
Secret, and Top Secret. Businesses have similar desires to protect information
and often use categories such as Publicly Releasable, Proprietary, Company
Confidential, and For Internal Use Only. Each policy for the classification of information should describe how it should be protected, who may have access
to it, who has the authority to release it and how, and how it should be destroyed. All employees of the organization should be trained in the procedures for handling the information that they are authorized to access.
Discretionary and mandatory access control techniques use classifications
as a method to identify who may have access to what resources.
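
An added example (not from the book) showing how mandatory and discretionary controls use classification labels. It uses the U.S. government levels named above plus an assumed "Unclassified" baseline, adds need-to-know categories as a second dimension, and requires that both the mandatory rule and the owner's discretionary ACL agree before access is granted; the users, objects, clearances and ACL are constructed.

```python
"""Classification labels driving mandatory and discretionary access control.

Added example, not the book's code.  Levels follow the U.S. government ordering
the text cites; "Unclassified" as the baseline, the categories, users, objects
and ACL are constructed for the example.
"""
from dataclasses import dataclass

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()   # need-to-know compartments, e.g. {"HR"}


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's and a holds every category b has."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories


def mac_permits(subject: Label, obj: Label, action: str) -> bool:
    """Mandatory rule: read only at or below your clearance (no read up) and write
    only at or above it (no write down), so information never flows to a lower label."""
    if action == "read":
        return dominates(subject, obj)
    if action == "write":
        return dominates(obj, subject)
    return False


# Discretionary rule: the owner's ACL, keyed by object then user (constructed).
DAC_ACL = {
    "payroll.xlsx": {"carol": {"read", "write"}, "dave": {"read"}},
    "press-release.txt": {"carol": {"read", "write"}, "dave": {"read", "write"}},
}


def dac_permits(user: str, obj: str, action: str) -> bool:
    return action in DAC_ACL.get(obj, {}).get(user, set())


def access_allowed(user: str, clearance: Label, obj: str, classification: Label, action: str) -> bool:
    """Both controls must agree: a discretionary grant can never override the mandatory rule."""
    return mac_permits(clearance, classification, action) and dac_permits(user, obj, action)


if __name__ == "__main__":
    carol = Label("Secret", frozenset({"HR"}))
    payroll = Label("Secret", frozenset({"HR"}))
    press = Label("Unclassified")
    print(access_allowed("carol", carol, "payroll.xlsx", payroll, "read"))        # True
    print(access_allowed("carol", carol, "press-release.txt", press, "write"))   # False: no write down
```

The last line illustrates a consequence of the mandatory rule that surprises people the first time: a Secret-cleared user cannot write an Unclassified document even though the owner granted it, because the rule forbids information moving to a lower label. Real systems handle that with explicitly trusted subjects or by having the user work at a lower label for that task; the point here is only that the mandatory check and the discretionary ACL are separate decisions, each able to deny.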

Acceptable Use Policy
An acceptable use policy (AUP) outlines what the organization considers to be
the appropriate use of company resources, such as computer systems, e-mail,
Internet access, and networks. Organizations should be concerned about
personal use of organizational assets that does not benefit the company.
The goal of the AUP is to ensure employee productivity while limiting
organizational liability through inappropriate use of the organization’s assets. The AUP should clearly delineate what activities are not allowed. It
should address issues such as the use of resources to conduct personal business, installation of hardware or software, remote access to systems and networks, the copying of company-owned software, and the responsibility of
users to protect company assets, including data, software, and hardware.
Statements regarding possible penalties for ignoring any of the policies
(such as termination) should also be included.
Related to appropriate use of the organization’s computer systems and
networks by employees is the appropriate use by the organization. The most
important of such issues is whether the organization considers it appropriate to monitor the employee’s use of the systems and network. If monitoring
is considered appropriate, the organization should include a statement to
this effect in the banner that appears at login. This repeatedly warns employees, and possible intruders, that their actions are subject to monitoring
and that any misuse of the system will not be tolerated. Should the organization need to use in a civil or criminal case any information gathered during
monitoring, the issue of whether the employee had an expectation of privacy, or whether it was even legal for the organization to be monitoring, is simplified if the organization can point to a statement that is always displayed that instructs users that use of the system constitutes consent to monitoring. Before any monitoring is conducted, or the actual wording on the warning message is created, the organization’s legal counsel should be consulted to determine the appropriate way to address this issue in the particular location.

Try This
Examples of Common Policies
A very common and also very important policy is the acceptable use policy. Make sure you understand that this policy outlines what is considered acceptable behavior for users of a computer system. This policy often goes hand-in-hand with an organization’s Internet usage policy. Obtain a copy of the acceptable use policy for your organization. Compare it with samples of others that you can find on the Internet. How does yours compare with the others you found?

Internet Usage Policy
In today’s highly connected environment, employee use of Internet access is of particular concern. The goal of the Internet usage policy is to ensure maximum employee productivity and to limit potential liability to the
organization from inappropriate use of the Internet in a workplace. The
Internet provides a tremendous temptation for employees to waste hours as
they surf the Web for the scores of games from the previous night, conduct
quick online stock transactions, or read the review of the latest blockbuster
movie everyone is talking about. Obviously, every minute they spend conducting this sort of activity is time they are not productively engaged in the
organization’s business and their jobs. In addition, allowing employees to
visit sites that may be considered offensive to others (such as pornographic
or hate sites) can open the company to accusations of condoning a hostile
work environment and result in legal liability.
The Internet usage policy needs to address what sites employees are allowed to visit and what sites they are not allowed to visit. If the company allows them to surf the Web during nonwork hours, the policy needs to
clearly spell out the acceptable parameters, in terms of when they are allowed to do this and what sites they are still prohibited from visiting (such
as potentially offensive sites). The policy should also describe under what
circumstances an employee would be allowed to post something from the
organization’s network on the Web (on a blog, for example). A necessary addition to this policy would be the procedure for an employee to follow to obtain permission to post the object or message.

E-Mail Usage Policy
Related to the Internet usage policy is the e-mail usage policy, which deals
with what the company will allow employees to send in, or as attachments
to, e-mail messages. This policy should spell out whether nonwork e-mail
traffic is allowed at all or is at least severely restricted. It needs to cover the
type of message that would be considered inappropriate to send to other
employees (for example, no offensive language, no sex-related or ethnic
jokes, no harassment, and so on). The policy should also specify any disclaimers that must be attached to an employee’s message sent to an individual outside the company.

Due Care and Due Diligence
Due care and due diligence are terms used in the legal and business community to define reasonable behavior. Basically, the law recognizes the responsibility of an individual or organization to act reasonably relative to another
party. If party A alleges that the actions of party B have caused it loss or injury, party A must prove that party B failed to exercise due care or due diligence and that this failure resulted in the loss or injury. These terms often
are used synonymously, but due care generally refers to the standard of care
a reasonable person is expected to exercise in all situations, whereas due diligence generally refers to the standard of care a business is expected to exercise in preparation for a business transaction. An organization must take
reasonable precautions before entering a business transaction or it might be
found to have acted irresponsibly. In terms of security, organizations are expected to take reasonable precautions to protect the information that they
maintain on individuals. Should a person suffer a loss as a result of negligence on the part of an organization in terms of its security, that person typically can bring a legal suit against the organization.
The standard applied—reasonableness—is extremely subjective and often
is determined by a jury. The organization will need to show that it had taken
reasonable precautions to protect the information, and that, despite these
precautions, an unforeseen security event occurred that caused the injury to
the other party. Since this is so subjective, it is hard to describe what would
be considered reasonable, but many sectors have a set of “security best practices” for their industry, which provides a basis for organizations in that sector to start from. If the organization decides not to follow any of the best
practices accepted by the industry, it needs to be prepared to justify its reasons in court should an incident occur. If the sector the organization is in has
regulatory requirements, justifying why the mandated security practices
were not followed will be much more difficult (and possibly impossible).
Another element that can help establish due care from a security standpoint is developing and implementing the security policies discussed in this
chapter. As the policies outlined become more generally accepted, the effort
required to satisfy the level of diligence and care that an organization will be
expected to maintain will increase.

Due Process
Due process is concerned with guaranteeing fundamental fairness, justice,
and liberty in relation to an individual’s legal rights. In the United States,
due process is concerned with the guarantee of an individual’s rights as outlined by the Constitution and Bill of Rights. Procedural due process is based
on the concept of what is “fair.” Also of interest is the recognition by courts
of a series of rights that are not explicitly specified by the Constitution but
that the courts have decided are implicit in the concepts embodied by the
Constitution. An example of this is an individual’s right to privacy. From an
organization’s point of view, due process may come into play during an administrative action that adversely affects an employee. Before an employee
is terminated, for example, were all of the employee’s rights protected? An
actual example pertains to the rights of privacy regarding employees’ e-mail
messages. As the number of cases involving employers examining employee
e-mails grows, case law continues to be established and the courts eventually will settle on what rights an employee can expect. The best thing an employer can do if faced with this sort of situation is to work closely with HR
staff to ensure that appropriate policies are followed and that those policies
are in keeping with current laws and regulations.

Need to Know
Another common security principle is that of need to know, which goes hand-in-hand with least privilege. The guiding factor here is that each individual in
the organization is supplied with only the absolute minimum amount of information and privileges he or she needs to perform their work tasks. To obtain access to any piece of information, the individual must have a justified
need to know. In addition, the individual will be granted only the bare minimum number of privileges that are needed to perform their job.
A policy spelling out these two principles as guiding philosophies for
the organization should be created. The policy should also address who in
the organization can grant access to information and who can assign privileges to employees.

Disposal and Destruction Policy
Many potential intruders have learned the value of dumpster diving. An organization must be concerned about not only paper trash and discarded objects, but also the information stored on discarded objects such as
computers. Several government organizations have been embarrassed
when old computers sold to salvagers proved to contain sensitive documents on their hard drives. It is critical for every organization to have a
strong disposal and destruction policy and related procedures.
Important papers should be shredded, and important in this case means
anything that might be useful to a potential intruder. It is amazing what intruders can do with what appears to be innocent pieces of information.
Magnetic storage media discarded in the trash (such as disks or tapes) or
sold for salvage should have all files deleted, and then the media should be
overwritten at least three times with all 1’s, all 0’s, and then random characters. Commercial products are available to destroy files using this process. It
is not sufficient simply to delete all files and leave it at that, since the deletion process affects only the pointers to where the files are stored and doesn’t actually get rid of all the bits in the file. This is why it is possible to
“undelete” files and recover them after they have been deleted.
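
The three-pass overwrite the text describes (all 1’s, all 0’s, then random data), as an added example in Python that is not from the book; it scrubs a constructed throwaway file and reports what it did.

```python
import os
import secrets

# The pass sequence given in the text: all 1's, all 0's, then random bytes.
PASSES = (b"\xff", b"\x00", None)


def overwrite_pass(f, size: int, pattern, chunk: int = 1 << 16) -> None:
    """Write one full pass over a file opened 'r+b'; a None pattern means fresh random bytes."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(chunk, remaining)
        f.write(pattern * n if pattern is not None else secrets.token_bytes(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())  # make the pass reach the device before the next one starts


def scrub_file(path: str, remove: bool = True) -> int:
    """Overwrite a file in place with every pass in PASSES, then unlink it.

    Returns the number of bytes scrubbed. Caveat: on SSDs and on journaling or
    copy-on-write filesystems an in-place overwrite may leave copies elsewhere,
    which is why the text turns to degaussing or physical destruction for
    sensitive media.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in PASSES:
            overwrite_pass(f, size, pattern)
    if remove:
        os.remove(path)
    return size


def demo() -> dict:
    """Constructed self-check: create a throwaway file, scrub it, and report the outcome."""
    import tempfile
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"account 4417 balance 9,250.00\n" * 2000)  # constructed sample content
        path = tmp.name
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        overwrite_pass(f, size, b"\xff")
    with open(path, "rb") as f:
        first_pass_all_ones = f.read() == b"\xff" * size
    scrubbed = scrub_file(path)
    return {"size": size, "first_pass_all_ones": first_pass_all_ones,
            "scrubbed": scrubbed, "still_exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```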
A safer method for destroying files from a storage device is to destroy
the data magnetically, using a strong magnetic field to degauss the media.
This effectively destroys all data on the media. Several commercial
degaussers are available for this purpose. Another method that can be used
on hard drives is to use a file on them (the sort of file you’d find in a hardware store) and actually file off the magnetic material from the surface of the
platter. Shredding floppy media is normally sufficient, but simply cutting a
floppy into a few pieces is not enough—data has been successfully recovered from floppies that were cut into only a couple of pieces. CDs and DVDs
also need to be disposed of appropriately. Many paper shredders now have
the ability to shred these forms of storage media. In some highly secure environments, the only acceptable method of disposing of hard drives and
other storage devices is the actual physical destruction of the devices.
Matching the security action to the level of risk is important to recognize in
this instance. Destroying hard drives that do not have sensitive information
is wasteful; proper file scrubbing is probably appropriate. For drives with
ultra-sensitive information, physical destruction makes sense. There is no
single answer, but as in most things associated with information security,
the best practice is to match the action to the level of risk.

Service Level Agreements
Service level agreements (SLAs) are contractual agreements between entities that describe specified levels of service that the servicing entity agrees to
guarantee for the customer. These agreements clearly lay out expectations
in terms of the service provided and support expected, and they also generally include penalties should the described level of service or support not be
provided. An organization contracting with a service provider should remember to include in the agreement a section describing the service provider’s responsibility in terms of business continuity and disaster recovery.
The provider’s backup plans and processes for restoring lost data should
also be clearly described.

Human Resources Policies
It has been said that the weakest links in the security chain are the humans.
Consequently, it is important for organizations to have policies in place relative to their employees. Policies that relate to the hiring of individuals are
primarily important. The organization needs to make sure that it hires individuals who can be trusted with the organization’s data and that of its clients. Once employees are hired, they should be kept from slipping into the
category of “disgruntled employee.” Finally, policies must be developed to
address the inevitable point in the future when an employee leaves the organization—either on his or her own or with the “encouragement” of the organization itself. Security issues must be considered at each of these points.

Employee Hiring and Promotions
It is becoming common for organizations to run background checks on prospective employees and to check the references prospective employees supply. Frequently, organizations require drug testing, check for any past
criminal activity, verify claimed educational credentials, and confirm reported work history. For highly sensitive environments, special security
background investigations can also be required. Make sure that your organization hires the most capable and trustworthy employees, and that your
policies are designed to ensure this.
After an individual has been hired, your organization needs to minimize
the risk that the employee will ignore company rules and affect security. Periodic reviews by supervisory personnel, additional drug checks, and monitoring of activity during work may all be considered by the organization. If
the organization chooses to implement any of these reviews, this must be
specified in the organization’s policies, and prospective employees should
be made aware of these policies before being hired. What an organization
can do in terms of monitoring and requiring drug tests, for example, can be
severely restricted if not spelled out in advance as terms of employment.
New hires should be made aware of all pertinent policies, especially those
applying to security, and should be asked to sign documents indicating that
they have read and understood them.
Occasionally an employee’s status will change within the company. If
the change can be construed as a negative personnel action (such as a demotion), supervisors should be alerted to watch for changes in behavior that
might indicate the employee is contemplating or conducting unauthorized
activity. It is likely that the employee will be upset, and whether he acts on
this to the detriment of the company is something that needs to be guarded
against. In the case of a demotion, the individual may also lose certain privileges or access rights, and these changes should be made quickly so as to
lessen the likelihood that the employee will destroy previously accessible
data if he becomes disgruntled and decides to take revenge on the organization. On the other hand, if the employee is promoted, privileges may still
change, but the need to make the change to access privileges may not be as
urgent, though it should still be accomplished as quickly as possible. If the
move is a lateral one, changes may also need to take place, and again they
should be accomplished as quickly as possible. The organization’s goals in
terms of making changes to access privileges should be clearly spelled out in
its policies.

Tech Tip
Accounts of
Ex-employees
When conducting security assessments of organizations, security
professionals frequently find active accounts for individuals who
no longer work for the company.
This is especially true for larger
organizations, which may lack a
clear process for the personnel office to communicate with the network administrators when an
employee leaves the organization.
These old accounts, however, are
a weak point in the security perimeter for the organization and
should be eliminated.

Retirement, Separation, or Termination of an Employee
An employee leaving an organization can be either a positive or a negative
action. Employees who are retiring by their own choice may announce their
planned retirement weeks or even months in advance. Limiting their access
to sensitive documents the moment they announce their intention may be
the safest thing to do, but it might not be necessary. Each situation should be
evaluated individually. If the situation is a forced retirement, the organization must determine the risk to its data if the employee becomes disgruntled
as a result of the action. In this situation, the wisest choice might be to cut off
their access quickly and provide them with some additional vacation time.
This might seem like an expensive proposition, but the danger to the company of having a disgruntled employee may justify it. Again, each case
should be evaluated individually.
When an employee decides to leave a company, generally as a result of a
new job offer, continued access to sensitive information should be carefully
considered. If the employee is leaving as a result of hard feelings toward the
company, it might be wise to quickly revoke her access privileges. If she is
leaving as a result of a better job offer, you may decide to allow her to gracefully transfer her projects to other employees, but the decision should be
considered very carefully, especially if the new company is a competitor.
If the employee is leaving the organization because he is being terminated, you should plan on him becoming disgruntled. While it may not
seem the friendliest thing to do, an employee in this situation should immediately have his access privileges to sensitive information and facilities
revoked.

It is better to give a potentially disgruntled employee several weeks of paid vacation than
to have them trash sensitive files
to which they have access. Because employees typically know
the pattern of management behavior with respect to termination, doing the right thing will
pay dividends in the future for
a firm.

Exam Tip: It is not uncommon for organizations to neglect
to have a policy that mandates
the removal of an individual’s
computer access upon termination. Not only should such a
policy exist, but it should also
include the procedures to reclaim and “clean” a terminated
employee’s computer system
and accounts.

Combinations should also be quickly changed once an employee has been
informed of their termination. Access cards, keys, and badges should be collected; the employee should be escorted to her desk and watched as she packs
personal belongings; and then she should be escorted from the building.
No matter what the situation, the organization should have policies that
describe the intended goals, and procedures should detail the process to be
followed for each of the described situations.

Mandatory Vacations
Organizations have provided vacation time to their employees for many years.
Few, however, force employees to take this time if they don’t want to. At some
companies, employees are given the choice to either “use or lose” their vacation
time; if they do not take all of their vacation time, they lose at least a portion of
it. From a security standpoint, an employee who never takes time off might be
involved in nefarious activity, such as fraud or embezzlement, and might be
afraid that if they leave on vacation, the organization will discover their illicit
activities. As a result, requiring employees to use their vacation time through a
policy of mandatory vacations can be a security protection mechanism. Using
mandatory vacations as a tool to detect fraud will require that somebody else
also be trained in the functions of the employee who is on vacation. Having a
second person familiar with security procedures is also a good policy in case
something happens to the primary employee.

Job Rotation
Another policy that provides multiple benefits is job rotation. Rotating
through jobs provides individuals with a better perspective of how the various parts of the organization can enhance (or hinder) the business. Since security is often of secondary concern to people in their jobs, rotating individuals
through security positions can result in a much wider understanding of the
organization’s security problems. A secondary benefit is that it also eliminates the need to rely on one individual for security expertise. If all security
tasks are the domain of one employee, security will suffer if that individual
leaves the organization. In addition, if only one individual understands the
security domain, should that person become disgruntled and decide to harm
the organization, it may become very difficult to recover from their attack.



Security Models

An important issue when designing the software that will operate and control secure computer systems and networks is the security model that the
system or network will be based upon. The security model will implement
the security policy that has been chosen and enforce those characteristics
deemed most important by the system designers. For example, if confidentiality is considered paramount, the model should make certain no data is disclosed to unauthorized individuals. A model enforcing confidentiality may
allow unauthorized individuals to modify or delete data, as this would not
violate the tenets of the model because the true values for the data would
still remain confidential. Of course, this model may not be appropriate for
all environments. In some instances, the unauthorized modification of data
may be considered a more serious issue than its unauthorized disclosure. In
such cases, the model would be responsible for enforcing the integrity of the
data instead of its confidentiality. Choosing the model to base the design on
is critical if you want to ensure that the resulting system accurately enforces
the security policy desired. This, however, is only the starting point, and it
does not imply that you have to make a choice between confidentiality and
data integrity, as both are important.

Confidentiality Models
Data confidentiality has generally been the chief concern of the military. For
instance, the U.S. military encouraged the development of the Bell-LaPadula
security model to address data confidentiality in computer operating systems.
This model is especially useful in designing multilevel security systems that
implement the military’s hierarchical security scheme, which includes levels
of classification such as Unclassified, Confidential, Secret, and Top Secret. Similar classification schemes can be used in industry, where classifications
might include Publicly Releasable, Proprietary, and Company Confidential.
The Bell-LaPadula security model employs both mandatory and discretionary access control mechanisms when implementing its two basic security principles. The first of these principles is called the Simple Security Rule,
which states that no subject (such as a user or a program) can read information from an object (such as a file) with a security classification higher than
that possessed by the subject itself. This means that the system must prevent
a user with only a Secret clearance, for example, from reading a document
labeled Top Secret. This rule is often referred to as the “no-read-up” rule.
The second security principle enforced by the Bell-LaPadula security
model is known as the *-property (pronounced “star property”). This principle states that a subject can write to an object only if its security classification
is less than or equal to the object’s security classification. This means that a
user with a Secret clearance can write to a file with a Secret or Top Secret
classification but cannot write to a file with only an Unclassified classification. This at first may appear to be a bit confusing, since this principle allows
users to write to files that they are not allowed to view, thus enabling them
to actually destroy files that they don’t have the classification to see. This is
true, but keep in mind that the Bell-LaPadula model is designed to enforce
confidentiality, not integrity. Writing to a file that you don’t have the clearance to view is not considered a confidentiality issue; it is an integrity issue.
Whereas the *-property allows a user to write to a file of equal or greater
security classification, it doesn’t allow a user to write to a file with a lower
security classification. This, too, may be confusing at first—after all, shouldn’t a user with a Secret clearance, who can view a file marked Unclassified,
be allowed to write to that file? The answer to this, from a security perspective, is “no.” The reason again relates to wanting to avoid either accidental
or deliberate security disclosures. The system is designed to make it impossible (hopefully) for data to be disclosed to those without the appropriate
level to view it. If it were possible for a user with a Top Secret clearance to
either deliberately or accidentally write Top Secret information and place it
in a file marked Secret, a user with only a Secret security clearance could
then access this file and view the Top Secret information. Thus, data would
have been disclosed to an individual not authorized to view it. This is what
the system should protect against and is the reason for what is known as the
“no-write-down” rule.
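
The two Bell-LaPadula rules above, worked through in code as an added example (not from the book): a subject carries a clearance, an object a label, and an operation is allowed only when the mandatory rule and a hypothetical discretionary ACL both permit it, mirroring the text’s note that the model uses both MAC and DAC. The ACL layout and the names are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Hierarchical classifications from the text, lowest to highest."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass
class Subject:
    name: str
    clearance: Level


@dataclass
class Obj:
    name: str
    label: Level
    # Hypothetical discretionary part: user -> set of permitted operations.
    acl: dict = field(default_factory=dict)


def simple_security(subject: Subject, obj: Obj) -> bool:
    """Simple Security Rule: no read up."""
    return subject.clearance >= obj.label


def star_property(subject: Subject, obj: Obj) -> bool:
    """*-property: no write down (writes only to an equal or higher label)."""
    return subject.clearance <= obj.label


def decide(subject: Subject, obj: Obj, op: str) -> tuple:
    """Reference-monitor decision: the mandatory rule must pass AND the ACL must grant op."""
    if op == "read":
        mac_ok, rule = simple_security(subject, obj), "simple security (no read up)"
    elif op == "write":
        mac_ok, rule = star_property(subject, obj), "*-property (no write down)"
    else:
        raise ValueError(f"unknown operation {op!r}")
    if not mac_ok:
        return False, f"denied by {rule}: {subject.clearance.name} {op} {obj.label.name}"
    if op not in obj.acl.get(subject.name, set()):
        return False, f"denied by discretionary ACL on {obj.name}"
    return True, f"allowed: {subject.clearance.name} may {op} {obj.label.name}"


def mandatory_matrix() -> dict:
    """Every (clearance, label) pair -> (read allowed, write allowed) under the two rules alone."""
    return {(s, o): (s >= o, s <= o) for s in Level for o in Level}


if __name__ == "__main__":
    # Constructed scenario from the text: a Secret-cleared user and a Top Secret file.
    alice = Subject("alice", Level.SECRET)
    plan = Obj("plan.doc", Level.TOP_SECRET, {"alice": {"read", "write"}})
    for op in ("read", "write"):
        print(op, decide(alice, plan, op))
    for (s, o), (r, w) in mandatory_matrix().items():
        print(f"{s.name:>12} -> {o.name:<12} read={r!s:<5} write={w}")
```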

The Simple Security Rule is
just that: the most basic of security rules. It essentially states that
in order for you to see something, you have to be authorized
to see it.


Not all environments are more concerned with confidentiality than integrity. In a financial institution, for example, viewing somebody’s bank
balance is an issue, but a greater issue would be the ability to actually modify that balance. In environments where integrity is more important, a different model than the Bell-LaPadula security model is needed.

Integrity Models
The Bell-LaPadula model was developed in the early 1970s but was found to
be insufficient for all environments. As an alternative, Kenneth Biba studied
the integrity issue and developed what is called the Biba security model in
the late 1970s. Additional work was performed in the 1980s that led to the
Clark-Wilson security model, which also places its emphasis on integrity
rather than confidentiality.

The Biba Security Model
In the Biba model, instead of security classifications, integrity levels are used.
A principle of integrity levels is that data with a higher integrity level is believed to be more accurate or reliable than data with a lower integrity level.
Integrity levels indicate the level of “trust” that can be placed in information
at the different levels. Integrity levels differ from security levels in another
way—they limit the modification of information as opposed to the flow of
information.
An initial attempt at implementing an integrity-based model was captured in what is referred to as the Low-Water-Mark policy. This policy in
many ways is the opposite of the *-property in that it prevents subjects from
writing to objects of a higher integrity level. The policy also contains a second rule that states the integrity level of a subject will be lowered if it reads
an object of a lower integrity level. The reason for this is that if the subject
then uses data from that object, the highest the integrity level can be for a
new object created from it is the same level of integrity of the original object.
In other words, the level of trust you can place in data formed from data at a
specific integrity level cannot be higher than the level of trust you have in
the subject creating the new data object, and the level of trust you have in the
subject can only be as high as the level of trust you had in the original data.
The final rule contained in the Low-Water-Mark policy states that a subject
can execute a program only if the program’s integrity level is equal to or less
than the integrity level of the subject. This ensures that data modified by a
program only has the level of trust (integrity level) that can be placed in the
individual who executed the program.
While the Low-Water-Mark policy certainly prevents unauthorized
modification of data, it has the unfortunate side effect of eventually lowering the integrity levels of all subjects to the lowest level on the system (unless the subject always views files with the same level of integrity). This is
because of the second rule, which lowers the integrity level of the subject after accessing an object of a lower integrity level. There is no way specified in
the policy to ever raise the subject’s integrity level back to its original value.
A second policy, known as the Ring policy, addresses this issue by allowing
any subject to read any object without regard to the object’s level of integrity
and without lowering the subject’s integrity level. This, unfortunately, can
lead to a situation where data created by a subject after reading data of a
lower integrity level could end up having a higher level of trust placed upon
it than it should.
The Biba security model implements a hybrid of the Ring and Low-Water-Mark policies. Biba’s model in many respects is the opposite of the
Bell-LaPadula model in that what it enforces are “no-read-down” and “no-write-up” policies. It also implements a third rule that prevents subjects
from executing programs of a higher level. The Biba security model thus
addresses the problems mentioned with both the Ring and Low-Water-Mark policies.
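
An added example (not from the book) that runs the same sequence of operations under the Low-Water-Mark, Ring, and strict Biba policies described above, so the drift of a subject’s level under Low-Water-Mark, and its absence under the other two, can be seen side by side. The Ring policy’s write rule is assumed to be the same no-write-up rule; the level names and the scenario are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Integrity(IntEnum):
    """Integrity levels: higher means the data is believed more accurate or reliable."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass
class Subject:
    name: str
    level: Integrity  # may change at run time under the Low-Water-Mark policy


class LowWaterMark:
    """The three Low-Water-Mark rules as the text gives them."""
    name = "low-water-mark"

    def read(self, s: Subject, obj: Integrity) -> bool:
        # Reading is permitted, but the subject sinks to the object's level (rule 2).
        s.level = min(s.level, obj)
        return True

    def write(self, s: Subject, obj: Integrity) -> bool:
        return s.level >= obj  # rule 1: no write to a higher integrity level

    def execute(self, s: Subject, prog: Integrity) -> bool:
        return prog <= s.level  # rule 3: program must not outrank the subject


class Ring(LowWaterMark):
    """Ring policy: any read, subject level untouched (write rule assumed unchanged)."""
    name = "ring"

    def read(self, s: Subject, obj: Integrity) -> bool:
        return True


class StrictBiba(LowWaterMark):
    """Biba's hybrid: no read down, no write up, no execute up; levels never drift."""
    name = "strict-biba"

    def read(self, s: Subject, obj: Integrity) -> bool:
        return s.level <= obj  # no read down


def run(policy, subject: Subject, ops) -> list:
    """Apply (op, level) pairs in order; return (op, level, allowed, subject level afterwards)."""
    trace = []
    for op, level in ops:
        allowed = getattr(policy, op)(subject, level)
        trace.append((op, level.name, allowed, subject.level.name))
    return trace


# Constructed scenario: a HIGH-integrity service reads LOW-integrity user input,
# then tries to write the HIGH-integrity audit log and run a MEDIUM-integrity tool.
SCENARIO = [("read", Integrity.LOW), ("write", Integrity.HIGH), ("execute", Integrity.MEDIUM)]

if __name__ == "__main__":
    for policy in (LowWaterMark(), Ring(), StrictBiba()):
        svc = Subject("svc", Integrity.HIGH)
        print(policy.name)
        for step in run(policy, svc, SCENARIO):
            print("   ", step)
```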

The Clark-Wilson Security Model
The Clark-Wilson security model takes an entirely different approach than
the Biba and Bell-LaPadula models, using transactions as the basis for its
rules. It defines two levels of integrity only: constrained data items (CDI)
and unconstrained data items (UDI). CDI data is subject to integrity controls
while UDI data is not. The model then defines two types of processes: integrity verification processes (IVPs), which ensure that CDI data meets integrity constraints (to ensure the system is in a valid state), and transformation
processes (TPs), which change the state of data from one valid state to another. Data in this model cannot be modified directly by a user; it must be
changed by trusted TPs, access to which can be restricted (thus restricting
the ability of a user to perform certain activities).
It is useful to return to the prior example of the banking account balance
to describe the need for integrity-based models. In the Clark-Wilson model,
the account balance would be a CDI because its integrity is a critical function
for the bank. A client’s color preference for their checkbook is not a critical
function and would be considered a UDI. Since the integrity of account balances is of extreme importance, changes to a person’s balance must be accomplished through the use of a TP. Ensuring that the balance is correct
would be the duty of an IVP. Only certain employees of the bank should
have the ability to modify an individual’s account, which can be controlled
by limiting the number of individuals who have the authority to execute TPs
that result in account modification. Certain very critical functions may actually be split into multiple TPs to enforce another important principle, separation of duties. This limits the authority any one individual has so that
multiple individuals will be required to execute certain critical functions.
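
The banking example above as code, an added example that is not from the book: balances are CDIs changed only by TPs, an IVP checks that the state is still valid after every TP, access triples limit who may run which TP, and the transfer is split into two TPs so that no one person can both request and approve it. The user names, amounts, and the "ledger total" invariant are constructed.

```python
import copy
from dataclasses import dataclass, field


class IntegrityViolation(Exception):
    """Raised when the IVP finds the CDIs in an invalid state after a TP."""


@dataclass
class BankState:
    balances: dict = field(default_factory=dict)   # CDI: account -> cents
    pending: dict = field(default_factory=dict)    # CDI: request id -> (src, dst, cents, requester)
    ledger_total: int = 0                          # CDI: cents the bank should be holding
    checkbook_colour: dict = field(default_factory=dict)  # UDI: no integrity controls


def ivp(state: BankState) -> bool:
    """IVP: valid means no negative balance and every cent accounted for."""
    in_flight = sum(p[2] for p in state.pending.values())
    accounted = sum(state.balances.values()) + in_flight
    return all(b >= 0 for b in state.balances.values()) and accounted == state.ledger_total


# TPs: the only certified way to move the CDIs from one valid state to another.
def tp_deposit(state, user, acct, cents):
    state.balances[acct] = state.balances.get(acct, 0) + cents
    state.ledger_total += cents


def tp_request_transfer(state, user, req_id, src, dst, cents):
    # First half of a split function: money leaves src and waits for approval.
    state.balances[src] -= cents
    state.pending[req_id] = (src, dst, cents, user)


def tp_approve_transfer(state, user, req_id):
    # Second half: separation of duties, the requester may not approve.
    src, dst, cents, requester = state.pending[req_id]
    if user == requester:
        raise PermissionError(f"{user} requested {req_id} and may not approve it")
    del state.pending[req_id]
    state.balances[dst] = state.balances.get(dst, 0) + cents


TPS = {"deposit": tp_deposit, "request_transfer": tp_request_transfer,
       "approve_transfer": tp_approve_transfer}

# Access triples (user, TP): which users are certified to execute which TPs.
CERTIFIED = {("teller", "deposit"), ("teller", "request_transfer"),
             ("manager", "approve_transfer"),
             ("supervisor", "request_transfer"), ("supervisor", "approve_transfer")}


def run_tp(state: BankState, user: str, tp_name: str, *args) -> BankState:
    """Enforcement: check the triple, run the TP, then have the IVP confirm validity."""
    if (user, tp_name) not in CERTIFIED:
        raise PermissionError(f"{user} is not certified to run {tp_name}")
    snapshot = copy.deepcopy(state)
    try:
        TPS[tp_name](state, user, *args)
        if not ivp(state):
            raise IntegrityViolation(f"{tp_name} left the CDIs in an invalid state")
    except Exception:
        # Roll back so a failed TP never leaves the CDIs half-changed.
        state.__dict__.update(snapshot.__dict__)
        raise
    return state


def attempt(state: BankState, user: str, tp_name: str, *args) -> str:
    """Run a TP and report the outcome by name instead of raising (audit-log friendly)."""
    try:
        run_tp(state, user, tp_name, *args)
        return "ok"
    except (PermissionError, IntegrityViolation) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    s = BankState()
    print(attempt(s, "teller", "deposit", "alice", 10_000))
    print(attempt(s, "teller", "request_transfer", "r1", "alice", "bob", 2_500))
    print(attempt(s, "teller", "approve_transfer", "r1"))   # not certified
    print(attempt(s, "manager", "approve_transfer", "r1"))  # ok
    print(s.balances, ivp(s))
```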

Chapter 2: General Security Concepts

P:\010Comp\BaseTech\619-8\ch02.vp
Wednesday, November 09, 2011 2:01:26 PM

45

Color profile: Disabled
Composite Default screen

BaseTech / Principles of Computer Security: CompTIA Security+™ and Beyond / Wm. Arthur Conklin / 619-8 / Chapter 2

Chapter 2 Review
■ Chapter Summary

After reading this chapter and completing the exercises, you should understand the following regarding the basics of security, security terminology, and security models.

Define basic terms associated with computer and information security

• Information assurance and information security place the security focus on the information and not on the hardware or software used to process it.

• The original goal of computer and network security was to provide confidentiality, integrity, and availability—the “CIA” of security.

• As a result of the increased reliance on networks for commerce, authentication and nonrepudiation have been added to the original CIA of security.

Identify the basic approaches to computer and information security

• The operational model of computer security tells us that protection is provided by prevention, detection, and response.

• Host security focuses on protecting each computer and device individually instead of addressing protection of the network as a whole.

• Least privilege means that an object should have only the necessary rights and privileges to perform its task, with no additional permissions.

• Diversity of defense is a concept that complements the idea of various layers of security. It means to make the layers dissimilar so that if one layer is penetrated, the next layer can’t also be penetrated using the same method.

Distinguish among various methods to implement access controls

• Access is the ability of a subject to interact with an object. Access controls are those devices and methods used to limit which subjects may interact with specific objects.

• An access control list (ACL) is a mechanism that is used to define whether a user has certain access privileges for a system. Other methods include discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC), and rule-based access control (also RBAC).

Describe methods used to verify the identity and authenticity of an individual

• Authentication mechanisms ensure that only valid users are provided access to the computer system or network.

• The three general methods used in authentication involve users providing either something they know, something they have, or something unique about them (something they are).

Describe methods used to conduct social engineering

• Social engineering is the process of convincing an authorized individual to provide confidential information or access to an unauthorized individual.

• With a plausible background and a good story, a good social engineer can frequently talk individuals into divulging information that they normally would never give out.

• In addition to the direct approach to social engineering, attackers can use other, indirect means to obtain the information they are seeking, including phishing, vishing, shoulder surfing, and dumpster diving.

Recognize some of the basic models used to implement security in operating systems

• Security models enforce the chosen security policy.

• There are two basic categories of models: those that ensure confidentiality and those that ensure integrity.

• Bell-LaPadula is a confidentiality security model whose development was prompted by the demands of the U.S. military and its security clearance scheme.

• The Bell-LaPadula security model enforces “no-read-up” and “no-write-down” rules to avoid the deliberate or accidental disclosure of information to individuals not authorized to receive it.

• The Biba security model is an integrity-based model that, in many respects, implements the opposite of what the Bell-LaPadula model does—that is, “no-read-down” and “no-write-up” rules.

• The Clark-Wilson security model is an integrity-based model designed to limit the processes an individual may perform as well as require that critical data be modified only through specific transformation processes.
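As an added example that is not part of the textbook, the following Python functions encode the two rule pairs summarized above as comparisons on an ordered set of labels, and add the Low-Water-Mark variant of Biba that the Key Terms list and Multiple-Choice question 9 refer to. The label names and their ordering are constructed for the example.

```python
# Ordered labels, constructed for the example (a higher number means a more
# sensitive clearance or a more trustworthy integrity level).
CLEARANCE = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}

def blp_can_read(subject: str, obj: str) -> bool:
    # Simple Security Rule: no read up; the subject's clearance must dominate.
    return CLEARANCE[subject] >= CLEARANCE[obj]

def blp_can_write(subject: str, obj: str) -> bool:
    # *-property: no write down; a high subject may not leak into a lower object.
    return CLEARANCE[subject] <= CLEARANCE[obj]

def biba_can_read(subject: str, obj: str) -> bool:
    # Strict Biba: no read down; low-integrity data must not contaminate the subject.
    return INTEGRITY[subject] <= INTEGRITY[obj]

def biba_can_write(subject: str, obj: str) -> bool:
    # Strict Biba: no write up; a low subject may not modify high-integrity data.
    return INTEGRITY[subject] >= INTEGRITY[obj]

class LowWaterMarkSubject:
    # Biba Low-Water-Mark variant: reading down is permitted, but the subject's
    # integrity level sinks to the level of whatever it reads.
    def __init__(self, level: str) -> None:
        self.level = level

    def read(self, obj: str) -> None:
        if INTEGRITY[obj] < INTEGRITY[self.level]:
            self.level = obj

    def can_write(self, obj: str) -> bool:
        return biba_can_write(self.level, obj)

def low_water_mark_drift(start: str, reads: list) -> str:
    # Level after a sequence of reads: a single read of the least-trusted
    # object drags the subject to the bottom, and it never climbs back.
    subject = LowWaterMarkSubject(start)
    for obj in reads:
        subject.read(obj)
    return subject.level
```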

■ Key Terms
*-property (43)
access control (31)
auditability (22)
authentication (22)
availability (22)
Bell-LaPadula security model (43)
Biba security model (44)
certificates (32)
Clark-Wilson security model (45)
confidentiality (22)
data aggregation (34)
diversity of defense (28)
hacking (21)
host security (23)

implicit deny (26)
integrity (22)
layered security (27)
least privilege (24)
Low-Water-Mark policy (44)
network security (23)
nonrepudiation (22)
operational model of computer security (22)
phreaking (21)
Ring policy (44)
security through obscurity (29)
separation of duties (25)
Simple Security Rule (43)
social engineering (33)

■ Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don’t use the same term more than once. Not all terms will be used.
1. _______________ is a term used to describe the condition where a user cannot deny that an event has occurred.
2. The _______________ is an integrity-based security model that bases its security on control of the processes that are allowed to modify critical data, referred to as constrained data items.
3. The security principle used in the Bell-LaPadula security model that states that no subject can read from an object with a higher security classification is called the _______________.
4. The principle that states a subject has only the necessary rights and privileges to perform its task, with no additional permissions, is called _______________.
5. _______________ is the principle in security whose goal it is to ensure that data is modified only by individuals who are authorized to change it.
6. _______________ is the term used to refer to the _______________ of computers and systems used by the telephone company.
7. _______________ is the process used to ensure that an individual is who they claim to be.
8. The architecture in which multiple methods of security defense are applied to prevent realization of threat-based risks is called _______________.
9. _______________ is the process of combining seemingly unimportant information with other pieces of information to divulge potentially sensitive information.
10. Using _______________ is a method to establish authenticity of specific objects such as an individual’s public key or downloaded software.


■ Multiple-Choice Quiz
1. What is the most common form of authentication used?
A. Smart card
B. Tokens
C. Username/password
D. Retinal scan
2. The CIA of security includes:
A. Confidentiality, integrity, authentication
B. Confidentiality, integrity, availability
C. Certificates, integrity, availability
D. Confidentiality, inspection, authentication
3. The security principle used in the Bell-LaPadula security model that states that no subject can read from an object with a higher security classification is the:
A. Simple Security Rule
B. Ring policy
C. Mandatory access control
D. *-property
4. Which of the following concepts requires users and system processes to use the minimal amount of permission necessary to function?
A. Layer defense
B. Diversified defense
C. Simple Security Rule
D. Least privilege
5. Which of the following is an access control method based on changes at preset intervals?
A. Simple Security Rule
B. Job rotation
C. Two-man rule
D. Separation of duties
6. The Bell-LaPadula security model is an example of a security model that is based on:
A. The integrity of the data
B. The availability of the data
C. The confidentiality of the data
D. The authenticity of the data
7. The term used to describe the requirement that different portions of a critical process must be performed by different people is:
A. Least privilege
B. Defense in depth
C. Separation of duties
D. Job rotation
8. Hiding information to prevent disclosure is an example of:
A. Security through obscurity
B. Certificate-based security
C. Discretionary data security
D. Defense in depth
9. The problem with the Low-Water-Mark policy is that it:
A. Is aimed at ensuring confidentiality and not integrity
B. Could ultimately result in all subjects having the integrity level of the least-trusted object on the system
C. Could result in the unauthorized modification of data
D. Does not adequately prevent users from viewing files they are not entitled to
10. The concept of blocking an action unless it is specifically authorized is:
A. Implicit deny
B. Least privilege
C. Simple Security Rule
D. Hierarchical defense model


■ Essay Quiz
1. Your boss mentions that recently a number of employees have received calls from individuals who didn’t identify themselves and asked a lot of questions about the company and its computer infrastructure. At first, he thought this was just a computer vendor who was trying to sell your company some new product, but no vendor has approached the company. He also says several strange e-mails requesting personal information have been sent to employees, and quite a few people have been seen searching your company’s trash dumpsters for recyclable containers. Your boss asks what you think about all of these strange incidents. Respond and be sure to provide a recommendation on what should be done about the various incidents.
2. Your company has decided to increase the authentication security by requiring remote employees to use a security token as well as a password to log onto the network. The employees are grumbling about the new requirements because they don’t want to have to carry around the token with them and don’t understand why it’s necessary. Write a brief memo to the staff to educate them on the general ways that authentication can be performed. Then explain why your company has decided to use security tokens in addition to passwords.
3. The new CEO for your company just retired from the military and wants to use some of the same computer systems and security software she used while with the military. Explain to her the reasons that confidentiality-based security models are not adequate for all environments. Provide at least two examples of environments where a confidentiality-based security model is not sufficient.
4. Describe why the concept of “security through obscurity” is generally considered a bad principle to rely on. Provide some real-world examples of where you have seen this principle used.
5. Write a brief essay describing the principle of least privilege and how it can be employed to enhance security. Provide at least two examples of environments in which it can be used for security purposes.

Lab Projects
• Lab Project 2.1
In an environment familiar to you (your school or where you work, for example), determine what different layers of security are employed. Discuss whether you think they are sufficient and whether the principle of diversity of defense has also been used.

• Lab Project 2.2
Pick an operating system that enforces some form of access controls and determine how it is implemented in that system.
