LPI LVL3 Security: Area 1 - Security Concepts and Policy
“Deals with information security best practices, policies, training and
other non-technical best practices.”
i. Confidentiality
ii. Integrity
iii. Availability
iv. Defense in depth
i. Understand the need for organizational leadership of security initiatives
ii. Understand authority and responsibility for security in the organization
iii. Understand the need for security as part of the job description
iv. Understand the need for security training and awareness initiatives for both I.T. staff and users
1. Sign up for security listservs
2. Sign up for security alert bulletins from OS vendor / organization
3. Attend security-specific training (SANS, CSI, etc.)
v. Understand why and where to include security in the system purchase or development lifecycle (SDLC)
1. Catches at purchasing
2. Quality control in coding
3. Change control systems
vi. Understand the difference between
1. Policy
2. Procedure
3. Guideline
4. Etc.
vii. Establish a formal build standard for Linux boxes
1. Eases employee changes
2. Improves ability to quickly understand config
viii. Create a Linux hardening standard
1. Identify services to run, admin accounts, etc.
ix. Implement a change control system
1. Identify key stakeholders / application owners
2. Track changes, especially major ones
3. Establish distinct barriers between development, testing and production environments
4. Obtain buy-in from application owners as well as technical staff
5. Establish a system to retroactively enter change data after an emergency update
x. Implement disaster recovery procedures
1. Perform a risk assessment and mitigate risks
a. Perform routine hardware maintenance to minimize failures
b. Implement hardware and software redundancy
2. Perform a business impact analysis
3. Draft recovery plans
4. Test recovery plans
xi. Implement physical security
1. Server room
2. User work areas
3. Individual machines
xii. Maintain good system documentation
1. Machine hardware / software inventories
2. IP addressing plans
3. Change logs
4. Network maps
5. Firewall and device configurations
xiii. Establish acceptable use policies
1. Establish an appropriate system use policy
2. Establish a good password policy
3. Establish a good remote access policy
4. Other policies as needed
xiv. Security best practices references
1. ISO 17799 / BS 7799
i. Symmetrical encryption
ii. Asymmetrical encryption
1. RSA
iii. Key management and certificate hierarchies
1. X.509
2. Public vs. private keys
3. The chain of trust
4. Key creation
5. Key revocation and CRL
6. Certificate authorities
7. Non-repudiation
8. Signing
9. Browser CA settings
a. Pre-programmed CAs
b. Certificate warning messages (date, untrusted, name mismatch)
c. Adding a cert to Mozilla (?)
iv. Encryption algorithms
1. AES
2. DES, 3DES
3. Blowfish
v. Key lengths (40/64, 104/128)
vi. Hashes and hashing (MD5, etc.)
vii. Where cryptography is used on Linux systems
i. TCP/IPv4 and the 3-way handshake
1. IP / ICMP messages
a. Echo request, echo reply
b. Port / host unreachable
c. TTL
2. TCP = connection-oriented
3. UDP = connectionless
ii. Overview of IPv6 features
1. ??????
iii. Denial of Service (DoS) attacks
iv. Daemons and ports
1. Association between daemons and port binding
2. Ports below 1024 (privileged ports) = only root can bind
3. Ports 1024 and above = any user can bind
4. TCP Wrappers
5. Access control with local firewalling
v. Encryption on the wire
1. Classically insecure protocols – Telnet, FTP, SMTP, HTTP
2. Classically secure protocols – SSH, SSL, TLS
3. Adding encryption to insecure protocols with openssl / stunnel tunnels
vi. Understand sniffers and protocol analyzers
vii. Understanding VPNs
viii. Understand wireless security
1. WEP
2. SSID broadcast
3. WPA
4. Frequencies
5. Wardriving