LPI LVL3 Security: Area 1 - Security Concepts and Policy

“Deals with information security best practices, policies, training and other non-technical best practices.”

 

1. Security Concepts and Policy

   1. Understand the goals of security
      i.   Confidentiality: only authorized parties can read the data
      ii.  Integrity: data and systems are not altered without authorization, and unauthorized changes are detectable
      iii. Availability: systems and data are usable when they are needed
      iv.  Defense in depth: layer independent controls (network, host, application, people) so that one failed control does not compromise the whole

 

   2. Understand security policies and procedures
      i.    Understand the need for organizational leadership of security initiatives
      ii.   Understand authority and responsibility for security in the organization
      iii.  Understand the need for security as part of the job description
      iv.   Understand the need for security training and awareness initiatives for both IT staff and users
            1. Sign up for security mailing lists
            2. Sign up for security alert bulletins from the OS vendor / distribution
            3. Attend security-specific training (SANS, CSI, etc.)
      v.    Understand why and where to include security in the system purchase or development lifecycle (SDLC)
            1. Security checks at purchasing (evaluate vendors and products before they are bought)
            2. Quality control in coding (code review, testing)
            3. Change control systems
      vi.   Understand the difference between
            1. Policy (what must be done; set and backed by management)
            2. Procedure (step-by-step how it is done)
            3. Guideline (recommended practice, not mandatory)
            4. Standard (a mandatory technical baseline, such as the build and hardening standards below), etc.
      vii.  Establish a formal build standard for Linux boxes
            1. Eases staff changes: a new administrator knows what to expect on every box
            2. Improves the ability to quickly understand a configuration
      viii. Create a Linux hardening standard
            1. Identify which services may run, which admin accounts exist, etc.
      ix.   Implement a change control system
            1. Identify key stakeholders / application owners
            2. Track changes, especially major ones
            3. Establish distinct barriers between development, testing and production environments
            4. Obtain buy-in from application owners as well as technical staff
            5. Establish a system to retroactively enter change data after an emergency update
      x.    Implement disaster recovery procedures
            1. Perform a risk assessment and mitigate risks
               a. Perform routine hardware maintenance to minimize failures
               b. Implement hardware and software redundancy
            2. Perform a business impact analysis
            3. Draft recovery plans
            4. Test recovery plans
            5. Ongoing DR plan maintenance
      xi.   Implement physical security
            1. Server room
            2. User work areas
            3. Individual machines
      xii.  Maintain good system documentation
            1. Machine hardware / software inventories
            2. IP addressing plans
            3. Change logs
            4. Network maps
            5. Firewall and device configurations
      xiii. Establish acceptable use policies
            1. Establish an appropriate system use policy
            2. Establish a good password policy
            3. Establish a good remote access policy
            4. Other policies as needed
      xiv.  Security best practices references
            1. ISO 17799 / BS 7799 (since superseded by ISO/IEC 27001 and 27002)
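
A hardening standard (item viii above) is only enforceable if a build can be checked against it. The following script is an added example written for this page, not part of the LPI outline or of any LPI material: it audits account data and listening sockets against a small, assumed example standard (only ports 22, 80 and 443 may listen on a network-facing address; only root may have UID 0; system accounts get no interactive shell; no empty password hashes). The passwd/shadow lines and the `ss -ltn` lines it reads are constructed samples, not data from a real host.

```shell
#!/bin/sh
# Added example, not from the LPI outline: check a host against a hardening
# standard. Both checks read their data from stdin, so the same functions run
# over live output (getent passwd / shadow, ss -ltn) or over the constructed
# samples below.

# Assumed example standard: the only TCP ports allowed to listen on a
# non-loopback address.
ALLOWED_PORTS="22 80 443"

# check_accounts: stdin carries /etc/passwd lines (7 fields) and /etc/shadow
# lines (9 fields). Prints one finding per line:
#   UID0    an account other than root with UID 0
#   SHELL   a system account (UID < 1000) with an interactive shell
#   EMPTYPW an account whose password hash field is empty
check_accounts() {
    awk -F: '
        NF == 7 {
            if ($3 == 0 && $1 != "root") print "UID0 " $1
            if ($3 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/)
                print "SHELL " $1 " " $7
        }
        NF == 9 && $2 == "" { print "EMPTYPW " $1 }
    '
}

# check_listeners: stdin carries `ss -ltn` output (State Recv-Q Send-Q
# Local:Port Peer:Port). Prints "PORT <port> <local address>" for every
# listener that is reachable from the network and not in ALLOWED_PORTS.
check_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4; sub(/:[0-9]+$/, "", addr)   # 0.0.0.0 / [::] / 127.0.0.1
            port = $4; sub(/.*:/,     "", port)
            if (addr ~ /^(127\.|\[::1\])/) next    # loopback only: not exposed
            if (!(port in ok)) print "PORT " port " " $4
        }
    '
}

# Constructed sample data (not from a real host).
SAMPLE_ACCOUNTS='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
root:$6$salt$hash:19000:0:99999:7:::
toor::19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::'

SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    127.0.0.1:25        0.0.0.0:*
LISTEN 0      50     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    [::]:23             [::]:*
LISTEN 0      5      [::1]:631           [::]:*'

# audit_host: run both checks over the samples; exit status 1 if anything
# deviates from the standard.
audit_host() {
    findings=$(printf '%s\n' "$SAMPLE_ACCOUNTS" | check_accounts
               printf '%s\n' "$SAMPLE_LISTENERS" | check_listeners)
    [ -z "$findings" ] && { echo "host matches hardening standard"; return 0; }
    printf '%s\n' "$findings"
    return 1
}

# On a live host (as root):  { getent passwd; cat /etc/shadow; } | check_accounts
#                            ss -ltn | check_listeners
audit_host || echo "audit: deviations from the hardening standard listed above"
```

Every deviation the script reports should map back either to a documented exception or to a change ticket; that is what the change control and documentation items above exist for. Extend ALLOWED_PORTS and the account rules to match the organization's own standard rather than the assumed one used here.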

 

   3. Cryptography
      i.    Symmetric encryption (one shared secret key encrypts and decrypts)
      ii.   Asymmetric encryption (a public/private key pair)
            1. RSA
      iii.  Key management and certificate hierarchies
            1. X.509
            2. Public vs. private keys
            3. The chain of trust
            4. Key creation
            5. Key revocation and CRL
            6. Certificate authorities
            7. Non-repudiation
            8. Signing
            9. Browser CA settings
               a. Pre-installed CAs
               b. Certificate warning messages (date, untrusted, name mismatch)
               c. Adding a cert to Mozilla (?)
      iv.   Encryption algorithms
            1. AES
            2. DES, 3DES (DES's 56-bit key is brute-forceable; 3DES is deprecated)
            3. Blowfish
      v.    Key lengths (40/64, 104/128: these are the WEP figures, where the marketed 64- and 128-bit lengths include the 24-bit IV)
      vi.   Hashes and hashing (MD5, etc.; MD5 and SHA-1 are collision-broken, so new work should use SHA-2 or SHA-3)
      vii.  Where cryptography is used on Linux systems
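
Items 1 to 8 under key management (X.509, public vs. private keys, chain of trust, key creation, revocation and CRLs, certificate authorities, non-repudiation, signing) can all be exercised with the OpenSSL command-line tool that ships with every Linux distribution. The script below is an added example written for this page, not part of the LPI outline: it creates a root CA, issues a server certificate from a CSR, verifies the leaf against the CA and its CRL, revokes the leaf and shows verification now fail, and finally signs a message with the server key and checks the signature using only the certificate. The names (Example Lab Root CA, www.example.test), the scratch directory, the validity periods and the message text are assumptions.

```shell
#!/bin/sh
# Added example, not from the LPI outline: build a small X.509 hierarchy with
# OpenSSL, verify a leaf against the chain of trust, revoke it through a CRL,
# and use the leaf key for a detached signature. Names ("Example Lab Root CA",
# www.example.test) and the scratch directory are assumptions.
set -e

# Key creation and CA setup. The CA private key stays in ./ca; only ca.crt is
# distributed to relying parties.
build_pki() {
    WORK=$(mktemp -d); cd "$WORK"
    mkdir -p ca/newcerts
    : > ca/index.txt          # openssl ca's database of issued certificates
    echo 01 > ca/serial
    echo 01 > ca/crlnumber
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.example.test
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca       = lab_ca
[ lab_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 90
default_crl_days = 7
policy           = lab_policy
[ lab_policy ]
commonName       = supplied
EOF
    # Self-signed root: the trust anchor relying parties must obtain out of band.
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 365 -subj "/CN=Example Lab Root CA" \
        -keyout ca/ca.key -out ca/ca.crt 2>/dev/null
    # Leaf: key and CSR are produced on the server; the CA signs only the CSR,
    # so the server's private key never travels.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" -keyout srv.key -out srv.csr 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -extensions v3_server \
        -in srv.csr -out srv.crt >/dev/null 2>&1
    # Publish a (still empty) CRL so relying parties can always check revocation.
    openssl ca -config ca.cnf -gencrl -out ca/ca.crl >/dev/null 2>&1
}

# leaf_status: walk the chain from srv.crt up to the root and consult the CRL.
leaf_status() {
    out=$(openssl verify -crl_check -CAfile ca/ca.crt -CRLfile ca/ca.crl srv.crt 2>&1) \
        && { echo valid; return 0; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo "error: $out" ;;
    esac
}

# revoke_leaf: mark srv.crt revoked in the CA database and reissue the CRL.
revoke_leaf() {
    openssl ca -config ca.cnf -revoke srv.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ca/ca.crl >/dev/null 2>&1
}

# sign_and_verify: non-repudiation in practice. Only the holder of srv.key can
# produce msg.sig; anyone holding srv.crt can check it, and a changed message
# must fail. Returns 0 only if both outcomes hold.
sign_and_verify() {
    printf 'transfer 100 to account 42\n' > msg.txt        # constructed message
    openssl dgst -sha256 -sign srv.key -out msg.sig msg.txt
    openssl x509 -in srv.crt -pubkey -noout > srv.pub       # verifier needs only the cert
    openssl dgst -sha256 -verify srv.pub -signature msg.sig msg.txt >/dev/null || return 1
    printf 'transfer 900 to account 42\n' > tampered.txt
    if openssl dgst -sha256 -verify srv.pub -signature msg.sig tampered.txt >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

build_pki
echo "before revocation: $(leaf_status)"   # valid
revoke_leaf
echo "after revocation:  $(leaf_status)"   # revoked
sign_and_verify && echo "signature verifies; tampered message rejected"
```

The order is the chain of trust in miniature: relying parties hold only ca.crt, obtained out of band (a browser's pre-installed CA list is exactly this), and every other claim is proven by a signature leading back to it. Without `-crl_check`, `openssl verify` would still report the revoked certificate as valid, which is why revocation data has to be published and fetched, not just recorded at the CA. Non-repudiation likewise holds only while the private key was under the signer's sole control; a key that leaks must be revoked, and signatures made after the compromise are worthless.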

 

   4. Network security
      i.    TCP/IPv4 and the 3-way handshake (SYN, SYN-ACK, ACK; the server holds a half-open entry from the SYN-ACK until the final ACK arrives)
            1. IP / ICMP messages
               a. Echo request / echo reply (ping)
               b. Port / host unreachable
               c. TTL (decremented at every hop; ICMP time exceeded when it reaches zero, which is what traceroute relies on)
            2. TCP = connection oriented
            3. UDP = connectionless (no handshake, so the source address is trivially spoofed)
      ii.   Overview of IPv6 features
            1. ??????
      iii.  Denial of Service (DoS) attacks
      iv.   Daemons and ports
            1. Association between daemons and port binding
            2. Ports below 1024 are privileged: only root (or, on Linux, a process holding CAP_NET_BIND_SERVICE) can bind them, so a daemon on such a port starts as root and should drop privileges after binding
            3. Ports 1024 and above can be bound by any user
            4. TCP Wrappers (/etc/hosts.allow and /etc/hosts.deny; protects only daemons built against libwrap or started via inetd/xinetd)
            5. Access control with local firewalling (iptables / nftables)
      v.    Encryption on the wire
            1. Classically insecure protocols: telnet, FTP, SMTP, HTTP (credentials and data pass in the clear)
            2. Classically secure protocols: SSH, SSL, TLS (SSL is obsolete; use TLS)
            3. Adding encryption to insecure protocols with openssl / stunnel tunnels
      vi.   Understand sniffers and protocol analyzers
      vii.  Understand VPNs
      viii. Understand wireless security
            1. WEP (broken; keys are recoverable in minutes, so it must not be used)
            2. SSID broadcast (hiding the SSID is not a security control)
            3. WPA (today WPA2 or WPA3)
            4. Frequencies
            5. Wardriving
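
The three-way handshake (item i above) is also the mechanism behind the classic SYN-flood denial of service (item iii): the server answers every SYN with a SYN-ACK and keeps a half-open entry until the client's ACK arrives or the entry times out, so a client that never sends the ACK fills the listen backlog. The script below is an added example written for this page, not part of the LPI outline: it reads the kernel's half-open connection table in the layout of `ss -Htn state syn-recv` (Recv-Q, Send-Q, local address:port, peer address:port; here a constructed sample), lists the peers holding the most half-open connections, and classifies the situation so that the right response can be chosen. The threshold and the addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the LPI outline: spot a SYN flood in the kernel's
# table of half-open connections. The sample lines below are constructed, in
# the layout of `ss -Htn state syn-recv` (Recv-Q Send-Q Local:Port Peer:Port);
# the threshold and the addresses are assumptions.

# top_syn_sources THRESHOLD: count SYN-RECV entries per peer address and print
# "count address" for every peer at or above THRESHOLD, busiest first.
top_syn_sources() {
    threshold=${1:-20}
    awk -v t="$threshold" '
        NF >= 4 {
            peer = $4
            sub(/:[0-9]+$/, "", peer)   # drop the (ephemeral) source port
            half_open[peer]++
        }
        END {
            for (p in half_open)
                if (half_open[p] >= t) print half_open[p], p
        }
    ' | sort -rn
}

# flood_kind THRESHOLD: "single-source" if one peer alone holds THRESHOLD or
# more half-open entries (block that address), "distributed" if the table as a
# whole is over THRESHOLD with no dominant peer (rate-limit, enable SYN
# cookies), otherwise "normal".
flood_kind() {
    t=${1:-20}
    awk -v t="$t" '
        NF >= 4 { peer = $4; sub(/:[0-9]+$/, "", peer); n[peer]++; total++ }
        END {
            max = 0
            for (p in n) if (n[p] > max) max = n[p]
            if (max >= t)        print "single-source"
            else if (total >= t) print "distributed"
            else                 print "normal"
        }
    '
}

# Constructed sample: seven half-open connections, four from one peer.
SAMPLE_SYN_RECV='0 0 10.0.0.5:80 198.51.100.7:40001
0 0 10.0.0.5:80 198.51.100.7:40002
0 0 10.0.0.5:80 198.51.100.7:40003
0 0 10.0.0.5:80 198.51.100.7:40004
0 0 10.0.0.5:80 203.0.113.9:51000
0 0 10.0.0.5:443 203.0.113.9:51001
0 0 [2001:db8::5]:22 [2001:db8::44]:60000'

printf '%s\n' "$SAMPLE_SYN_RECV" | top_syn_sources 3   # 4 198.51.100.7
printf '%s\n' "$SAMPLE_SYN_RECV" | flood_kind 3        # single-source
# On a live host:  ss -Htn state syn-recv | top_syn_sources 50
```

The verdict drives the response: a single-source flood is stopped by dropping that address at the local firewall, while a distributed one has no single peer to block and calls for SYN cookies (`net.ipv4.tcp_syncookies=1`, which lets the kernel answer SYNs without keeping per-connection state) plus per-source connection rate limiting. The thresholds here are tiny so that the constructed sample exercises every branch; on a real server they should sit well below the listen backlog size.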