Chapter 10

Security

Computer and network security helps to ensure that only authorized personnel have access. It also helps to keep data and equipment functioning properly. Threats to security can be internal or external to come from the inside or outside of an organization, and the level of potential damage can vary greatly.

Internal threats - Users and employees who have access to data, equipment, and the network

External threats - Users outside of an organization who do not have authorized access to the network or resources

Theft, loss, network intrusion, and physical damage are some of the ways a network or computer can be harmed. Damage or loss of equipment can mean a loss of productivity. Repairing and replacing equipment can cost the company time and money. Unauthorized use of a network can expose confidential information, violate the integrity of data, and reduce network resources.

To successfully protect computers and the network, a technician must understand both types of threats to computer security:

Physical - Events or attacks that steal, damage, or destroy equipment, such as servers, switches, and wiring

Data - Events or attacks that remove, corrupt, deny access to authorized users, allow access to unauthorized users, or steal information

Security Threats

Malware is any software created to perform malicious acts. Malware includes adware, spyware, grayware, phishing, viruses, worms, Trojan horses, and rootkits. Malware is usually installed on a computer without the knowledge of the user. These programs open extra windows on the computer or change the computer configuration. Malware can also collect information stored on the computer without the user’s consent.

Types of Security Threats

(i) Adware is a software program that displays advertising on your computer. Adware is usually distributed with downloaded software. Most often, adware is displayed in a pop-up window. Adware pop-up windows are sometimes difficult to control and open new windows faster than users can close them.

(ii) Spyware is similar to adware. It is distributed without user intervention or knowledge. After spyware is installed and run, it monitors activity on the computer. The spyware then sends this information to the individual or organization responsible for launching the spyware.

(iii) Grayware is similar to adware. Grayware may be malicious and is sometimes installed with the user’s consent. For example, a free software program may require the installation of a toolbar that displays advertising or tracks a user’s website history.

(iv) Phishing is where the attacker pretends to represent a legitimate outside organization, such as a bank. A potential victim is contacted via email, telephone, or text message. The attacker might ask for verification of information, such as a password or username, to possibly prevent some terrible consequence from occurring.

A virus is a program written with malicious intent and sent by attackers. The virus is transferred to another computer through email, file transfers, and instant messaging. The virus hides by attaching itself to computer code, software, or documents on the computer. When the file is accessed, the virus executes and infects the computer. When the file is accessed, the virus executes and infects the computer. A virus has the potential to corrupt or even delete files on your computer, use your email to spread itself to other computers, prevent the computer from booting, cause applications to not load or operate correctly, or even erase your entire hard drive.

A worm is a self-replicating program that is harmful to networks. A worm uses the network to duplicate its code to the hosts on a network, often without user intervention. A worm is different from a virus because it does not need to attach to a program to infect a host. Worms typically spread by automatically exploiting known vulnerabilities in legitimate software.

A Trojan is malicious software that is disguised as a legitimate program. It is named for its method of getting past computer defenses by pretending to be something useful.

A rootkit is a malicious program that gains full access to a computer system. Often, a direct attack on a system using a known vulnerability or password is used to gain Administrator-account level access. Because the rootkit has this privileged access, the program is able to hide the files, registry edits, and folders that it uses from detection by typical virus or spyware programs.

Virus protection software, also known as antivirus software, is designed to detect, disable, and remove viruses, worms, and Trojans before they infect a computer.

Web Security

Tools that are used to make web pages more powerful and versatile can also make computers more vulnerable to attacks. These are some examples of web tools:

o ActiveX was created by Microsoft to control interactivity on web pages. If ActiveX is on a page, an applet or small program has to be downloaded to gain access to the full functionality.

o Java is a programming language that allows applets to run within a web browser. Examples of applets include a calculator or a counter.

o JavaScript is a programming language developed to interact with HTML source code to allow interactive web sites. Examples include a rotating banner or a popup window. Adobe Flash - used to create interactive media (animation, video and games) for the web.

o Microsoft Silverlight -used to create rich, interactive media for the web, similar to flash.

To prevent against these attacks, most browsers have settings that force the computer user to authorize the downloading or use of these tools.

ActiveX filtering Pop-up Blockers SmartScreen Filter (Internet Explorer)

Spam, also known as junk mail, is unsolicited e-mail. In most cases, spam is used as a method of advertising. However, spam can be used to send harmful links or deceptive content.

TCP/IP Attacks

TCP/IP is the protocol suite used to control all communications on the Internet. The most common TCP/IP attacks are:

• Denial of Service (DoS) is a form of attack that prevents users from accessing normal services, such as e-mail or a web server, because the system is busy responding to abnormally large amounts of requests. DoS works by sending enough requests for a system resource that the requested service is overloaded and ceases to operate.

• Distributed DoS (DDoS) uses many infected computers, called zombies or botnets, to launch an attack. With DDoS, the intent is to obstruct or overwhelm access to the targeted server. Zombie computers located at different geographical locations make it difficult to trace the origin of the attack.

• SYN Flood randomly opens TCP ports, tying up the network equipment or computer with a large amount of false requests, causing sessions to be denied to others

• Spoofing - uses a forged IP or MAC address to impersonate a trusted computer.

• Man-in-the-Middle - intercepting communications between computers to steal information transiting through the network.

• Replay - data transmissions are intercepted and recorded by an attacker, then replayed to gain access.

• DNS Poisoning - changing DNS records to point to imposter servers.

Social Engineering

Social engineering occurs when an attacker tries to gain access to equipment or a network by tricking people into providing the necessary access information. Often, the social engineer gains the confidence of an employee and convinces the employee to divulge username and password information.

To protect against social engineering:

• Never give out your password.

• Always ask for the ID of unknown persons.

• Restrict access to visitors.

• Escort all visitors.

• Never post your password in your work area.

• Lock your computer when you leave your desk.

• Do not let anyone follow you through a door that requires an access card.

Hard Drive Disposal and Recycling

(i) Data wiping is often performed on hard drives containing sensitive data such as financial information. It is not enough to delete files or even format the drive. Software tools can still be used to recover folders, files, and even entire partitions if they are not erased properly. Use software specifically designed to overwrite data multiple times, rendering the data unusable. It is important to remember that data wiping is irreversible, and the data can never be recovered.

(ii) Degaussing disrupts or eliminates the magnetic field on a hard drive that allow for the storage of data.

(iii) Hard Drive Destruction: The only way to fully ensure that data cannot be recovered from a hard drive is to carefully shatter the platters with a hammer and safely dispose of the pieces.

(iv) Hard Drive Recycling - Hard drives that do not contain sensitive data can be reformatted and used in other computers.

Security Policies

A security policy is a collection of rules, guidelines, and checklists.

A security policy includes the following elements:

• An acceptable computer usage statement for the organization.

• The people permitted to use the computer equipment.

• Devices that are permitted to be installed on a network, as well as the conditions of the installation. Modems and wireless access points are examples of hardware that could expose the network to attacks.

• Requirements necessary for data to remain confidential on a network.

• Process for employees to acquire access to equipment and data. This process may require the employee to sign an agreement regarding company rules. It also lists the consequences for failure to comply.

Security Policy Requirements

The security policy should also provide detailed information about the following issues in case of an emergency:

• Steps to take after a breach in security

• Who to contact in an emergency

• Information to share with customers, vendors, and the media

• Secondary locations to use in an evacuation

Steps to take after an emergency is over, including the priority of services to be restored

Passwords

Password guidelines are an important component of a security policy. Passwords help prevent theft of data and malicious acts. Passwords also help to ensure that logging of events is correct by ensuring that the user is the correct person.

Three levels of password protection are recommended:

BIOS - Prevents the operating system from booting and the BIOS settings from being changed without the appropriate password.

Login - Prevents unauthorized access to the local computer.

Network - Prevents access to network resources by unauthorized personnel.

Guidelines for creating strong passwords are:

Length - Use at least eight characters.

Complexity - Include letters, numbers, symbols, and punctuation. Use a variety of keys on the keyboard, not just common letters and characters.

Variation - Change passwords often. Set a reminder to change the passwords you have for email, banking, and credit card websites on the average of every three to four months.

Variety - Use a different password for each site or computer that you use.

File and Folder Permissions

Permission levels are configured to limit individual or group user access to specific data. Both FAT32 and NTFS allow folder sharing and folder-level permissions for users with network access.

NTFS – File system that uses journals which are special areas where file changes are recorded before changes are made.

• Can log access by user, date, and time.

• Has encryption capability.

FAT 32 - no encryption or journaling

Principle of Least Privilege - only allow users access to the resources they need.

Restricting User Permissions-. If an individual or a group is denied permissions to a network share, this denial overrides any other permission given.

Lab Activity

Lab 10.2.1.7, 10.2.1.8, 10.2.1.9

Protecting Data

The value of physical equipment is often far less than the value of the data it contains. To protect data, there are several methods of security protection that can be implemented.

• A firewall is a way of protecting a computer from intrusion through the ports. The user can control the type of data sent to a computer by selecting which ports will be open and which will be secured.

• Biometric Security compares physical characteristics against stored profiles to authenticate people. A profile is a data file containing known characteristics of an individual such as a fingerprint or a handprint. Common biometric devices available include fingerprint readers, handprint readers, iris scanners, and face recognition devices.

• Smart cards store private information such as bank account numbers, personal identification, medical records, and digital signatures. Smart cards provide authentication and encryption to keep data safe.

• Data backups are one of the most effective ways of protecting against data loss. Establish data backup procedures which account for frequency of backups, storage for data backups, and securing data backups using passwords.

• Data Encryption is where data is transformed using a complicated algorithm to make it unreadable. A special key must be used to return the unreadable information back into readable data. Software programs are used to encrypt files, folders, and even entire drives.

Malware Software Protection Programs

It may take several different programs and multiple scans to completely remove all malicious software. Run only one malware protection program at a time.

Virus protection - An antivirus program typically runs automatically in the background and monitors for problems. When a virus is detected, the user is warned, and the program attempts to quarantine or delete the virus.

Spyware protection - Antispyware programs scan for keyloggers, which capture your keystrokes, and other malware so that it can be removed from the computer.

Adware protection - Anti-adware programs look for programs that display advertising on your computer.

Phishing protection - Antiphishing programs block the IP addresses of known phishing websites and warn the user about suspicious websites.

Common Communication Encryption Types

Hash Encoding: Hash encoding, or hashing, ensures that messages are not corrupted or tampered with during transmission.

Symmetric encryption requires both sides of an encrypted conversation to use an encryption key to encode and decode the data. The sender and receiver must use identical keys.

Asymmetric encryption requires two keys, a private key and a public key. The public key can be widely distributed, including emailing in cleartext or posting on the web.

The Service Set Identifier (SSID) is the name of the wireless network. A wireless router or access point broadcasts the SSID by default so that wireless devices can detect the wireless network.

Mac Address Filtering (MAC) address filtering is a technique used to deploy device-level security on a wireless LAN.

Wireless Security Modes

Most wireless access points support several different security modes. The most common ones are:

Wired Equivalent Privacy (WEP) – The first generation security standard for wireless. Attackers quickly discovered that WEP encryption was easy to break.

Wi-Fi Protected Access (WPA)- An improved version of WEP, uses much stronger encryption.

Wi-Fi Protected Access 2 (WPA2) -WPA2 supports robust encryption, providing government-grade security.

A hardware firewall is a physical filtering component that inspects data packets from the network before they reach computers and other devices on a network.

A hardware firewall passes two different types of traffic into your network:• Responses to traffic that originates from inside your network• Traffic destined for a port that you have intentionally left open

There are several types of hardware firewall configurations:

• Packet filter - Packets cannot pass through the firewall, unless they match the established rule set configured in the firewall. Traffic can be filtered based on different attributes, such as source IP address, source port or destination IP address or port. Traffic can also be filtered based on destination services or protocols such as WWW or FTP.

• Stateful packet inspection - This is a firewall that keeps track of the state of network connections traveling through the firewall. Packets that are not part of a known connection are dropped.

• Application layer - All packets traveling to or from an application are intercepted. All unwanted outside traffic is prevented from reaching protected devices.

• Proxy - This is a firewall installed on a proxy server that inspects all traffic and allows or denies packets based on configured rules. A proxy server is a server that is a relay between a client and a destination server on the Internet.

• Demilitarized Zone

• A Demilitarized Zone (DMZ) is a subnetwork that provides services to an untrusted network. An email, web, or FTP server is often placed into the DMZ so that the traffic using the server does not come inside the local network. This protects the internal network from attacks by this traffic, but does not protect the servers in the DMZ in any way.

• Port forwarding is a rule-based method of directing traffic between devices on separate networks:

• Used when specific ports must be opened so that certain programs and applications can communicate with devices on different networks.

• Router determines if the traffic should be forwarded to a certain device based on the port number found with the traffic. For example HTTP – Port 80.

• Port triggering allows the router to temporarily forward data through inbound ports to a specific device.

• For example, a video game might use ports 27000 to 27100 for connecting with other players. These are the trigger ports.

Lab Activity

Lab: 10.3.1.4, 10.3.1.5, 10.3.1.6, 10.3.1.8, 10.3.1.9, 10.3.1.10

Question

1.

A user receives a phone call from a person who claims to represent IT services and then asks that user for confirmation of username and password for auditing purposes. Which security threat does this phone call represent?

DDoS

spam

social engineering

anonymous keylogging

2.

Which two security precautions will help protect a workplace against social engineering? (Choose two.)

performing daily data backups

encrypting all sensitive data stored on the servers

registering and escorting all visitors to the premises

ensuring that all operating system and antivirus software is up to date

ensuring that each use of an access card allows access to only one user at the time

3.

What are two typical physical security precautions that a business can take to protect its computers and systems? (Choose two.)

Perform daily data backups.

Implement biometric authentication.

Disable the autorun feature in the operating system.

Replace any software firewalls with a hardware firewall.

Ensure that all operating system and antivirus software is up to date.

4.

Which physical security technology can hold user authentication information, include software license protection, provide encryption, and provide hardware and software authentication that is specific to the host system?

card key access

two-factor security

biometric authentication

Trusted Platform Module (TPM)

5.

It has been noted that the computers of employees who use removable flash drives are being infected with viruses and other malware. Which two actions can help prevent this problem in the future? (Choose two.)

Set virus protection software to scan removable media when data is accessed.

Configure the Windows Firewall to block the ports that are used by viruses.

Disable the autorun feature in the operating system.

Repair, delete, or quarantine the infected files.

Enable the TPM in the CMOS settings.

6.

In which situation would a computer technician use the fixmbr command at the command prompt of a Windows XP computer to resolve a security issue?

when a virus has damaged the boot sector of the system disk

when a virus has damaged the master boot record of the system disk

when the folder permissions for user members of a group are incorrect

when unauthorized users have changed the CMOS settings and the CMOS password must be reset

7.

All users working with a particular Windows 7 computer are able to install unauthorized software. In addition to educating the users about correct security behavior, which action should also be performed to solve this issue?

Disable the users' accounts.

Enable UAC on the computer.

Set the user folder permissions to Deny.

Change the user file permissions to Read Only.

8.

You want to dispose of a 2.5 terabyte hard drive that contains confidential financial information. What is the recommended procedure to achieve this?

Drill through the HDD.

Smash the platters with a hammer.

Immerse the HDD in a weak solution of bicarbonate of soda.

Use data wiping.

9.

What is the most effective way of securing wireless traffic?

WPA2

SSID hiding

WEP

wireless MAC filtering

10.

Which two items are used in asymmetric encryption? (Choose two.)

a token

a DES key

a private key

a public key

a TPM

11.

Which two characteristics describe a worm? (Choose two.)

executes when software is run on a computer

is self-replicating

hides in a dormant state until needed by an attacker

infects computers by attaching to software code

travels to new computers without any intervention or knowledge of the user

12.

Which type of security threat uses email that appears to be from a legitimate sender and asks the email recipient to visit a website to enter confidential information?

adware

phishing

stealth virus

worm

13.

Which three questions should be addressed by organizations developing a security policy? (Choose three.)

What assets require protection?

How should future expansion be done?

What is to be done in the case of a security breach?

When do the assets need protecting?

What insurance coverage is required?

What are the possible threats to the assets of the organization?

14.

What does a malware detection program look for when running a scan?

a service pack

patterns in the programming code of the software on a computer

patches that prevent a newly discovered virus or worm from making a successful attack

mirror sites

15.

Port triggering has been configured on a wireless router. Port 25 has been defined as the trigger port and port 113 as an open port. What effect does this have on network traffic?

Any traffic that comes into port 25 allows outgoing port 113 to be used.

All traffic that is sent into port 25 to the internal network will also be allowed to use port 113.

Any traffic that is using port 25 going out of the internal network will also be allowed to transmit out port 113.

All traffic that is sent out port 25 will open port 113 to allow inbound traffic into the internal network through port 113.

16.

Which two characteristics of network traffic are being monitored if a network technician configures the company firewall to operate as a packet filter? (Choose two.)

packet speed

physical addresses

packet size

ports

protocols

17.

What is the primary goal of a DoS attack?

to facilitate access to external networks

to prevent the target server from being able to handle additional requests

to obtain all addresses in the address book within the server

to scan the data on the target server

18.

Which question would be an example of an open-ended question that a technician might ask when troubleshooting a security issue?

Is your security software up to date?

Have you scanned your computer recently for viruses?

Did you open any attachments from a suspicious email message?

What symptoms are you experiencing?

19.

Which action would help a technician to determine if a denial of service attack is being caused by malware on a host?

Disconnect the host from the network.

Log on to the host as a different user.

Disable ActiveX and Silverlight on the host.

Install rogue antivirus software on the host.

20.

A technician is troubleshooting a computer security issue. The computer was compromised by an attacker as a result of the user having a weak password. Which action should the technician take as a preventive measure against this type of attack happening in the future?

Check the computer for the latest OS patches and updates.

Verify the physical security of all offices.

Ensure the security policy is being enforced.

Scan the computer with protection software.

21.

A user has reported that a computer web browser will not display the correct home page even if the default page is reset. What is the likely cause of this problem?

UAC has been disabled on the computer.

The computer has been infected with spyware.

A virus has damaged the boot sector of the system disk.

Folder permissions have been changed from Deny to Allow.

22.

What is the name given to the programming-code patterns of viruses?

grayware

mirrors

signatures

virus definition tables