CompTIA CYSA+ CS0-002 – Technical Data and Privacy Controls Part 1

1. Access Controls (OBJ 5.1)

Access controls. In this lesson, we’re going to start talking about access controls and how we can use those to protect our information. Now, an access control model can be applied to any type of data or software resource. There are lots of different ways of doing this, including looking at things on our file systems, our network storage, or our database security. Now, when we do this, usually we’re going to use something like an ACL and each record in an ACL or Access Control list is known as an Access Control Entry. This is very commonly used inside of file systems networks and even inside of databases. Now, if you’re doing it inside of a file system, you’re going to have to have a file system that supports ACLs. This includes things like NTFS inside of Windows systems, ext Three or Ext Four inside of Linux systems, or the new ZFS file system inside of Linux systems.

Now, if you’re going to be doing this inside of your database, your database security can allow for more fine grain permission configuration. Now this is really nice because inside of your database you can actually control information on the data itself based on its tables, its views, its records, its fields and things like that. But you can also apply access control to the different statements you can apply to a database, such as the Select, Insert, Update or Delete statements. And so you really do have a fine grain permission configuration inside of a database that you don’t have with files. Now, another area that we can talk about access control is geographic access requirements. Now, with geographic access requirements, these primarily going to fall into two different types. This might be talking about the storage location or the employees themselves.

When we talk about storage locations, we have to consider data sovereignty issues. This includes if I’m going to put my server in a particular location. Because based on that, there’s going to be different laws that I’m going to have to figure out and which ones I’m going to comply with based on that location. And so there’s different privacy around the world as we’ve talked about before. But in addition to that, we might also be thinking about the geographic access requirements from an employee standpoint. For instance, if I have an employee who takes their laptop and they go on travel, can they connect back to our network? Well, sometimes employees need access from multiple geographic locations. For instance, I tend to travel a lot for work, so I might be in America this week, in Europe next week, and in Asia the week after that.

And so I might have to access it from different locations around the world. And so we have to keep that in mind as we’re designing our systems. Now, one way you can accomplish this is by using cloud based systems where you have multiple nodes around the world. But this is something you have to consider when you’re thinking about your employees or even your end users and how they’re going to access your systems. In addition to that, you want to think about it from the security side too. If you don’t have a need for people to access your systems from around the world, you can geographically block people and say, you know what, we’re only going to allow Americans to access our service, or only people in Florida to access our service, or even only people in Orlando, Florida, to access our service. You can really narrow it down based on the security and the requirements for your own organization.

2. File System Permissions (OBJ 3.2)

File system permissions. In this lesson we’re going to explore file system permissions both in Windows and Linux. Now, when you deal with file system permissions, incorrect permissions that can be allocated to a resource can be the cause of many of your data breaches. For example, if I have a web server and a particular folder is not supposed to be publicly visible, but somebody incorrectly sets up permission and makes it publicly visible, everyone in the world can see that information. And so incorrect permissions are a big source of pain for us. Now, as I said, we are going to cover two different types of permission sets. We’re going to talk about Windows permissions and Linux permissions because they are different on those different operating systems. Now, inside of Windows, we’re going to use the Icacls tool. Now, this is a command line tool for showing and modifying file permissions.

When you look at this, you’re going to be able to see permissions in different categories such as N for no Access, f for full Access, r for read only, RX for read and Execute, m for modify, w for right and D for delete. These are all the different permissions that you can have inside of Windows on a particular file or directory. Now, when you’re using Icacls, you can use it by actually adding individual permissions himself or you can use a comma separated list of permissions that’s used for more complex permission types. Most of you should be familiar with Windows file system permissions because this was covered all the way back in your A Plus studies. If you’re not familiar with this concept, grab a Windows machine, go into it right click on a filer folder and play around with the permissions just to get comfortable with it.

Next, we need to talk about Linux and Linux we’re going to cover in a little bit more depth because if you it’s been a while since you’ve done your A Plus. Linux wasn’t covered that frequently. If you’re on the 801 or the 901 version of A Plus, they didn’t really go into Linux at all and they left that for Linux Plus. Now, in the newer versions of A Plus they do cover Linux permissions but because I have a lot of students who didn’t go through that version of the course, I am going to cover Linux in a little bit more detail. Now, everything inside of Linux is treated as a file. It doesn’t matter if it’s a file, a directory, memory space or even a processor or an input output device. Everything in Linux is treated like a file. So permissions are really important. Now, in Linux there are three permissions read, write and execute and this is symbolized by RW and X.

Now, when we talk about read permissions, this is the ability to access and view the contents of a file or list the contents of a directory. Essentially, you want to be able to look at it want to be able to read it. Now when you deal with writing, you’re going to be dealing with the ability to save changes to a file. So you won’t be able to write it, or you want to be able to create a file or rename a file or delete files within a different directory. All of this can be done if you have the right permission. Now if you want to be able to delete something, you need permissions of both write and execute. Now when we talk about execute, this is the ability to run a script, a program or other software file. Or it’s the ability to access a directory, execute a file from that directory or perform a task on that directory. Basically, you want to do something. That’s what execute is all about. Now this sounds like it’s pretty easy, right? There’s only three permissions where Windows had a whole bunch more.

Well, it gets a little bit more complicated though, because when you look at the permissions for a file such as here, you’re going to see that it looks like this. You’re going to have a dash at the beginning and this means it’s a file. If it was a directory, that dash would be a D for directory. Then we have three sets of permissions. Here you can see read, write, execute, read, execute, read, execute. Those are three sets. Now as you start understanding this, why are there three sets? Well, this is because the first set represents the owner, the second set represents the group and the third represents others or World. Let’s talk about that for a second. When we talk about an owner’s permission, these are the permissions that determine what the file owner can do with that file.

So if I created a file and I own that file, I can do these things. Then I have group permissions. That’s the second set. These permissions determine what members of the file’s group who are not the owner can actually do with that file. And then we have the third one which is World or Other, which is everybody else. They’re not the owner, they’re not the group, they’re just somebody on the system. And these are permissions that determine what users who are not the files owner or members of the group can do with that file. So we have these three basic sets. So again, when I look at this and I look at it, I can see that the user has the ability to read, write and execute. They can pretty much do whatever they want to that file, but group members can only read it and execute it, but they can’t write to it.

And if there are another user on the system or that World group, they can again read and execute it, but they can’t write to it. This might be a good set of permissions for something like a file on your website or a script because there’s other people who need to be able to read it and execute that script but they shouldn’t be able to write it or delete it. Only you, the original author, should have those permissions. Now, I know that Linux permissions can get complicated. In fact, they even get more complicated because in addition to all these letters we can represent these using numbers. And this is a nice little chart that I like to use to help me remember it. Now, I know we just covered the basics of Linux permissions talking about the three groups in the Read, write, execute.

But Linux permissions get even more confusing because people also will abbreviate them using numbers instead of the R, the W and the X. So when you look at it, an R is a four, a W is a two and an X is a one and this chart here will help you wrote that. So for example, if I have read, Write, execute like the user did in my previous example this is symbolized by seven because read plus write plus execute equals seven. Now, if I wanted to see what the other two groups had they had read and execute only write, what would that equal? That’s right, it would equal five because read is four, execute is one, four plus one equals five and that gives us the five. So the easiest way to write this instead of writing read write, execute, read execute, read execute I could simply say this has the permissions of seven five five, which tells me the exact same thing.

This is the way that we can understand Linux permission systems by breaking down those numbers based on read, write and execute. So let’s go through and do a couple of examples together. Now, if I have Read, write, execute, read, write, execute, read, write, execute what would that be represented using three digits? That would be seven seven seven because read, write and execute is four plus two plus one, which gives you seven and we had that three times. So seven, seven, seven. This means we have read, write, execute for the owner, the group and every other user on the system. Now, what if we had read, write, execute, read, execute? What would that be? Well, Read writeexecute would be a seven read execute would be a five and then would be zero because there are no permissions.

So this says we have read, write and execute for the owner of the file we have read and execute for the group and no permissions for anybody who’s not the owner and not the group. Let’s take a look at the next one. We have read, write, read. What would this be? Well, Read write would be a six and then we have read would be a four and then read would be a four. So it becomes six four four this gives me read and write permissions for the owner and then read permissions for both the group and everybody else on the system and the final one we’re going to look at read. What would this one be? This one should be pretty easy. It only has the one read, which is worth four so it’s 40 zero. This means the owner can read it and nobody else, not the group and not the world can do anything with it.

This is a very well protected file so this is the way we can read these permissions. Now, if you want to be able to modify permissions using Linux you’re going to use the command chmod change mod. Now this is a Linux command that’s used to modify permissions for files so if I want to modify them I can do this by using the letters and I can do change mod g plus x comma o minus r and then the file or folder that I want to do it on, in this case home. What this says is that for the group I want to add the execute permission but for the other or world permission I want to remove the reading ability and so that would be adding some permissions and taking some away all at the same time.

Now I can do this again. Let’s say I wanted to do change mod and I wanted to say user equals Rwx comma g equals RW comma o equals RX home what is this saying? Well, this is being more explicit in what I want instead of adding or removing things one at a time, I’m saying just overwrite all the permissions with this set of conditions. So the user is going to read, write and execute that’s a seven the group is going to read and write that’s a four and then the others or world is going to read and execute that’s a five. So what this is saying is that for the user, the owner of this, we are going to read, write and execute, which is equivalent to a seven. The group is going to have read and write, which is the equivalent of a six.

And then we’re going to have the other, or the world permissions, reading and executing, which would be the equivalent of a five. And so by writing out all these letters, essentially I said I wanted to do seven, six, five. Now, wouldn’t it be easier if I could just use those numbers? Well, it would and the nice thing is changemod will let you. You can just type in something like change mod seven five five home and this is going to change the permissions of the home directory into seven five five which is read, write, execute for the owner and read and execute for everybody else in the system including the group and the world. So this is a nice easy way to do things and this is why people use the numbers inside of Linux so much.

Now, the final thing we need to talk about is ownership of the file. Now I said that the owner has that first set of permissions. Well, what if you want to change the owner? That’s where change own comes into play. Ch owen, this is Change owner. Essentially this is a Linux command that is used to modify the owner of a file. And so you basically would type in change own the person you want to change and then the file name. And so if I wanted to change the owner of the home to Jason I would say change own Jason home. It’s the command, the user of the group and then the file you want to change it to.

3. Encryption (OBJ 5.1)

Encryption. In this lesson, we are going to focus on encryption. Now, we’re not going to do a full review of all the different encryption types because you should already know that from Security Plus. Instead, I want to focus on more of the concepts around encryption as opposed to the specific methods of encryption like AES or WPA Two or RC Four or things like that. So as we talk about encryption, we want to remember that encryption is used to secure our information. And this can be done for lots of different data states. And we talked about the three data states before, and we’re going to dig a little deeper into those in this lesson. Now, encryption is a form of risk mitigation for access controls, because if I have some kind of access control like file system permissions, but somebody can still get that file because we screwed that up, well, if we encrypted that file, they still won’t be able to read it.

And so this is a great form of risk mitigation both on the network and for your storage. Now, as I said, there are three different data states that we need to talk about. We’re going to talk about data at Rest, data in transit, and data in use. Now, when we talk about data at Rest, this is inactive data that’s stored physically in any digital form. So if I have data sitting on a hard drive, that is data at Rest and it is vulnerable just sitting there. So I want to make sure I encrypt it. So if anybody steals that hard drive or is able to read from it, they wouldn’t be able to read the data because it would be encrypted and they wouldn’t have the key. Now, Data at Rest is protected by whole disk encryption, database encryption, file encryption, or folder encryption. If you can encrypt the data that’s stored on the disk in a file system, in a folder, or in a database, that is going to protect your data when you’re dealing with data at Rest.

Now, the second one we have is Data in Transit, also known as Data in Motion. And I’ve talked about this before that this is data that is actively being transmitted over the network. So if I’m taking data from my web server and sending it to your client computer over the Internet, that is data in transit. And we want to be able to protect that. So how do we do that? Well, we do it using transport encryption protocols that could be something like IPsec if you’re using VPNs TLS if you and I are connecting over to the web, or WPA Two if we’re trying to encrypt your local area network and the WiFi connection there. There’s lots of different types of data in transit encryptions. But you just want to remember when you’re dealing with transport encryption and you’re trying to protect that data as it’s moving. That’s what we’re talking about with data in transit. Now, the next one we want to talk about is data in use.

And data in use is the active data, which is stored in a non persistent digital state, typically in a computer’s random access memory, the Ram or the CPU caches or the CPU registers. Essentially, this is data that’s being worked on. It’s actively being worked on. So if I had a file on the hard drive, it might be encrypted that’s data at rest. But when the computer wants to work on that, it has to open it. It’s going to decrypt that file right, and load it into memory. At that point, it’s now vulnerable again. So how can I protect it? Well, the best way to protect data when it’s in use is to be able to protect it using secure processing mechanisms. And we talked about this back when we talked about hardware security and the root of trust. We talked about the fact that AMD and intel both have secure processing mechanisms inside their processors. Now, to help protect the data when it’s in the motherboard, when it’s in Ram, or when it’s in the processor.

• Category: Uncategorized