Lecture # 4
Chapter 4
Host, Application, and Data
Security
Security+ Guide to Network Security Fundamentals, FOURTH Edition
and Security Certified, CCNA, security 210-260, 2015
prepared by: Dr. Tahani Allam
9-3-2023
Objectives
• List the steps for securing a host computer
• Define application security
• Explain how to secure data
Security+ Guide to Network Security Fundamentals 2
Securing the Host
• Three important elements to secure
• Host
• Applications
• Data
• Securing the host involves:
A. Protecting the physical device
B. Securing the operating system software
C. Using antimalware software
Host Securing
1. Protecting the physical device
Securing Devices
• Security control - any device or process that is used to
reduce risk.
• Two levels of security controls:
o Administrative controls - processes for developing and ensuring
that policies and procedures are carried out.
o Technical controls - controls that are carried out or
managed by devices.
• There are five subtypes of controls (sometimes
called activity phase controls) described on the
following slide.
Activity Phase Controls (table of the five control subtypes, not reproduced)
Securing Devices (cont’d.)
• Securing devices includes
1. External perimeter defenses
2. Internal physical defenses
3. Hardware security
Securing devices
1. External perimeter defenses
• External perimeter defenses are designed to restrict
access to equipment areas.
• This type of defense includes:
a) Barriers
b) Guards
c) Motion detection devices
Securing devices
1. External perimeter defenses
a) Barriers
o Fencing - usually a tall, permanent structure.
o Modern perimeter fences are equipped with other
deterrents such as proper lighting and signage.
o Barricade - large concrete barricades should be used.
b) Guards
o Human guards are considered active security
elements.
o Video surveillance uses cameras to transmit a signal
to a specific and limited set of receivers called closed circuit
television (CCTV).
Securing devices
1. External perimeter defenses
c) Motion Detection
o Determining an object’s change in position in relation
to its surroundings.
o This movement usually generates an audible alarm.
Securing devices
Figures (not reproduced): CCTV camera, magnetic sensor, seismic sensor
Securing devices
2. Internal Physical Access Security
• These protections include:
1. Hardware locks
2. Proximity readers
3. Access lists
4. Mantraps
5. Protected distribution systems for cabling
Securing devices
Internal Physical Access Security
1. Hardware locks
– Standard keyed entry lock provides minimal security.
– Deadbolt locks provide additional security and
require that a key be used to both open and lock the door.
– Cipher locks are combination locks that use buttons that must
be pushed in the proper sequence.
• Can be programmed to allow a certain individual’s
code to be valid on specific dates and times.
Securing devices
Internal Physical Access Security
• Recommended key management procedures
– Inspect locks regularly.
– Issue keys only to authorized users.
– Keep track of issued keys.
– Master keys should not have identifying marks.
– Secure unused keys in a safe place.
– Establish a procedure to monitor use of locks and
keys.
– Mark master keys with “Do Not Duplicate”.
– Change locks after key loss or theft.
Securing devices
Internal Physical Access Security
2. Proximity Readers
– Uses an object (physical token) to identify
persons with authorization to access an area.
• ID badge emits a signal identifying the owner.
• Proximity reader receives signal.
– ID badges that can be detected by a proximity
reader are often fitted with RFID tags.
• Badge can remain in bearer’s pocket.
• Radio Frequency Identification (RFID) refers to a wireless
system comprised of two components: tags and readers.
Securing devices
Figure 4-4 RFID tag
© Cengage Learning 2015
Securing devices
Internal Physical Access Security
3. Access list
– A record of individuals who have permission to enter a
secure area.
– Records time they entered and left.
4. Mantrap
– Separates a secured from a nonsecured area.
– Device monitors and controls two interlocking doors.
• Only one door may open at any time
Securing devices
Internal Physical Access Security
5. Protected Distribution Systems (PDS)
– A system of cable conduits used to protect classified
information that is being transmitted between two secure
areas.
• Created by the U.S. Department of Defense (DOD)
– Two types of PDS:
• Hardened carrier PDS - conduit constructed of special
electrical metallic tubing.
• Alarm carrier PDS - specialized optical fibers in the
conduit that sense acoustic vibrations that occur when an
intruder attempts to gain access.
Securing devices
3. Hardware Security
• Hardware security
– The physical security protecting host system
hardware.
– Most portable devices have a steel bracket security slot.
• A cable lock is inserted into the slot and secured to the device.
• The cable attached to the lock is secured to a desk or immobile
object.
• Locking cabinets
– Can be prewired for power and network connections.
– Allow devices to charge while stored.
Securing devices
Figure 4-7 Cable lock
© Cengage Learning 2015
Host Securing
2. Securing the OS Software
Securing the Operating System
Software
• Five-step process for protecting the operating system
1. Develop the security policy.
2. Perform host software baselining.
3. Configure operating system security and settings.
4. Deploy and manage security settings.
5. Implement patch management.
Securing the OS Software
1. Develop the security policy
– Security policy – a document that clearly defines the
organization’s defense mechanisms.
2. Perform host software baselining
– Baseline: the standard or checklist against which
systems can be evaluated.
– Configuration settings that are used for each
computer in the organization.
Securing the OS Software
3. Configure operating system security and settings
– Modern OSs have hundreds of different security
settings that can be manipulated to conform to the
baseline.
– Typical configuration baseline
• Changing insecure default settings.
• Eliminating unnecessary software, services, protocols.
• Enabling security features such as a firewall.
Securing the OS Software
4. Deploy and Manage Security Settings
– Tools to automate the process
• Security template - a collection of security configuration
settings.
• Group policy - Windows feature providing centralized
computer management; a single configuration may be
deployed to many users.
Securing the OS Software
5. Implement Patch Management
– Operating systems have increased in size and
complexity.
– New attack tools have made secure functions
vulnerable.
– Security patch - software security update to repair
discovered vulnerabilities.
– Hotfix - addresses specific customer situation.
– Service pack - accumulates security updates and
additional features.
Securing the OS Software
• Security Through Design
– OS hardening - tightening security during the design
and coding of the OS
– Trusted OS - an OS that has been designed through
OS hardening.
Host Securing
3. Securing with Antimalware
Securing with Antimalware
• Antimalware software includes:
– Antivirus
– Antispam
– Popup blockers
– Antispyware
– Host-based firewalls
Securing with Antimalware
Antivirus
• Anti-virus - Software that examines a computer for
infections
– Scans new documents that might contain viruses.
– Searches for known virus patterns.
• Weakness of anti-virus
– Vendor must continually search for new viruses,
update and distribute signature files to users.
• Alternative approach: code emulation.
– Questionable code is executed in virtual environment
to determine if it is a virus.
Securing with Antimalware
Anti-Spam
• Spammers can distribute malware through email
attachments.
• Spam can be used for social engineering attacks.
• Spam filtering methods.
– Bayesian filtering - divides email messages into two
piles: spam and nonspam.
– Create a list of approved and nonapproved senders
• Blacklist - nonapproved senders.
• Whitelist - approved senders.
– Blocking certain file attachment types.
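The three filtering methods listed above combined in one small filter, as an added example that is not from the textbook or the lecture: a Bayesian classifier trained on a constructed spam/nonspam corpus, blacklist and whitelist sender checks, and blocking of attachment types. All messages, addresses and extensions are constructed sample values.

```python
import math
import re
from collections import Counter
TRAINING = [  # constructed training messages (not from the slides): spam / ham (nonspam)
    ("win a free prize now claim your prize", "spam"),
    ("cheap pills free shipping order now", "spam"),
    ("free money win now click here", "spam"),
    ("meeting tomorrow about the project budget", "ham"),
    ("please review the attached project report", "ham"),
    ("lunch tomorrow to discuss the budget review", "ham"),
]
BLACKLIST = {"offers@spam.example"}           # nonapproved senders (constructed)
WHITELIST = {"boss@corp.example"}             # approved senders (constructed)
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js"}  # attachment types to reject

def tokens(text):
    return set(re.findall(r"[a-z]+", text.lower()))  # message as a set of words

def train(corpus):
    """Per class: number of messages containing each word, and message count."""
    word_docs = {"spam": Counter(), "ham": Counter()}
    class_docs = Counter()
    for text, label in corpus:
        word_docs[label].update(tokens(text))
        class_docs[label] += 1
    return word_docs, class_docs

def spam_probability(text, model):
    """Naive Bayes with Laplace smoothing: P(spam | words present in message)."""
    word_docs, class_docs = model
    log_odds = math.log(class_docs["spam"] / class_docs["ham"])  # class prior
    for w in tokens(text):
        p_spam = (word_docs["spam"][w] + 1) / (class_docs["spam"] + 2)
        p_ham = (word_docs["ham"][w] + 1) / (class_docs["ham"] + 2)
        log_odds += math.log(p_spam / p_ham)
    return 1.0 / (1.0 + math.exp(-log_odds))

def filter_message(sender, text, attachments, model, threshold=0.9):
    """Apply the slide's three methods in order; returns (verdict, reason)."""
    if sender in BLACKLIST:
        return "spam", "blacklisted sender"
    for name in attachments:
        if any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS):
            return "spam", f"blocked attachment type: {name}"
    if sender in WHITELIST:  # approved senders skip the Bayesian test
        return "ham", "whitelisted sender"
    p = spam_probability(text, model)
    return ("spam" if p >= threshold else "ham"), f"bayesian p={p:.3f}"

MODEL = train(TRAINING)
```

The attachment check runs before the whitelist so that an approved sender cannot deliver a blocked file type.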
Securing with Antimalware
Pop-up Blockers and Anti-Spyware
• Pop-up - Small window appearing over a Web site
– Usually created by advertisers
• Pop-up blockers
– A separate program, often part of an anti-spyware package.
– Incorporated within a browser.
– Allows user to limit or block most pop-ups.
– Alert can be displayed in the browser.
• Gives user option to display pop-ups
• Antispyware – helps prevent computers from
becoming infected by different types of spyware.
Securing with Antimalware
Host-Based Firewalls
• Firewall
– Designed to prevent malicious packets from entering
or leaving computers.
– Sometimes called a packet filter.
– May be hardware- or software-based.
• Host-based software firewall - runs as a program on
local system to protect it.
– Application-based.
Securing Static Environments
• Static environment - devices in which additional
hardware cannot easily be added or attached.
• Common devices in this category:
– Embedded system - a computer system with a
dedicated function within a larger electrical system
– Game consoles
– Smartphones
– Mainframes
– In-vehicle computer systems
– SCADA (supervisory control and data acquisition)
Application Securing
Application Security
• Besides protecting OS software on hosts, there is a
need to protect applications that run on these
devices.
• Aspects of applications security
– Application hardening and patch management
Application Hardening and Patch
Management
• Application hardening
– Intended to prevent attackers from exploiting
vulnerabilities in software applications.
Application Hardening and Patch
Management
• Patch management
– Rare until recently.
– Users were unaware of the existence of patches or
where to acquire them.
– More application patch management systems are
being developed to patch vulnerabilities.
Data Securing
Securing Data
• Work today involves electronic collaboration
– Data must flow freely.
– Data security is important.
• Big Data - refers to a collection of data sets so
large and complex that it becomes difficult to
process using traditional data processing apps.
• Data loss prevention (DLP)
– System of security tools used to recognize and
identify critical data and ensure it is protected
– Goal: protect data from unauthorized users.
Securing Data (cont’d.)
• DLP examines data as it resides in any of three
states:
– Data in use (example: creating a report from a
computer)
– Data in transit (data being transmitted)
– Data at rest (data that is stored on electronic media)
Securing Data (cont’d.)
• Most DLP systems use content inspection
– A security analysis of the transaction within its
approved context
– Looks at security level of data, who is requesting it, where the
data is stored, when it was requested, and
where it is going.
• DLP systems can also use index matching
– Documents that have been identified as needing protection
are analyzed by DLP and complex computations are
conducted based on the analysis.
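An added example, not from the textbook or the lecture, showing the two DLP analysis methods described above: content inspection (here, matching the shape of a payment-card number and confirming it with the Luhn checksum so that random digit runs are not flagged) and index matching (fingerprinting a protected document by hashing overlapping word shingles, then counting how many shingles an outbound text shares with it). The protected document, the messages, the shingle size and the match threshold are constructed assumptions.

```python
import hashlib
import re

SHINGLE = 4  # words per shingle for index matching
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")  # 16-digit card-number shape

def fingerprint(text):
    """Index matching: SHA-256 of every SHINGLE-word window of a document."""
    w = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(w[i:i + SHINGLE]).encode()).hexdigest()
            for i in range(len(w) - SHINGLE + 1)}

def luhn_valid(digits):
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def content_inspection(text):
    """Pattern-based inspection of the data itself; returns (label, value) findings."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            findings.append(("payment-card", m.group()))
    return findings

def index_match(text, index, min_shared=3):
    """(document, shared shingle count) for each protected document the text overlaps."""
    fp = fingerprint(text)
    return [(name, len(fp & doc_fp)) for name, doc_fp in index.items()
            if len(fp & doc_fp) >= min_shared]

def dlp_decision(text, index):
    """What an agent sensor would report: block on either kind of match, else allow."""
    findings, hits = content_inspection(text), index_match(text, index)
    return ("block" if findings or hits else "allow"), findings, hits

# Constructed protected document registered in the DLP index (not from the slides).
PROTECTED_INDEX = {"merger-plan.docx": fingerprint(
    "Project Falcon acquisition of Acme Widgets closes on the first of March "
    "at an agreed price of forty million dollars subject to board approval")}

if __name__ == "__main__":
    for msg in ("Card 4111 1111 1111 1111 expires next month",
                "FYI the acquisition of Acme Widgets closes on the first of March",
                "Lunch on the first of April with the board"):
        print(dlp_decision(msg, PROTECTED_INDEX))
```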
Securing Data (cont’d.)
Three types of DLP sensors:
1. DLP network sensors - installed on the perimeter
of the network to protect data in-transit by
monitoring all network traffic.
2. DLP storage sensors - designed to protect data
at rest.
3. DLP agent sensors - installed on each host
device and protect data in-use.
• When a policy violation is detected by the DLP
agent, it is reported back to the DLP server.
– Different actions can then be taken.
Thanks
Enjoy...