Describe IT Security Solutions
• Virus scanning services: As web pages are downloaded, content within the pages
can be checked for viruses. This feature is attractive to companies concerned about potential
threats from Internet-based sources.
Firewalls (FWs)
• URL filtering: By using a variety of methods, the firewall can choose
to block certain websites from being accessed by clients within the
organization. This blocking allows companies to control what pages can
be viewed and by whom.
• Bandwidth management: Although it’s required in only certain
situations, bandwidth management can prevent a certain user or system
from hogging the network connection. The most common approach to
bandwidth management is to divide the available bandwidth into sections
and then make just a certain section available to a user or system.
Demilitarized zone (DMZ)
• An important firewall-related concept is
the demilitarized zone (DMZ),
sometimes called a perimeter network.
• A DMZ is part of a network where you
place servers that must be accessible by
sources both outside and inside your
network.
• The DMZ is not connected directly to either network; every path into it, from
outside or from inside, passes through the firewall.
• Using DMZs gives your firewall
configuration an extra level of
flexibility, protection, and complexity.
• By using a DMZ, you can create an
additional step that makes it more
difficult for an intruder to gain access to
the internal network.
• In the example diagram (not reproduced here), an intruder who came in through
Interface 1 would have to spoof a request from either the web server or the proxy
server into Interface 2 before it could be forwarded to the internal network.
• Gaining access to the internal network through a DMZ is not impossible, but it is
considerably harder, provided the rules between the DMZ and the internal network
allow only the specific traffic the DMZ servers need.
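The three-zone policy described above, as an added worked example (it is not code from the original page). It models a firewall with external, DMZ and internal interfaces as a first-match rule list with default deny, and shows why a compromised DMZ web server still cannot reach arbitrary internal hosts. The address ranges, ports and rule set are assumptions chosen for illustration.

```python
import ipaddress

# Constructed zone layout: RFC 1918 space for the internal network and the RFC 5737
# documentation prefix for the DMZ. Anything that matches neither is "external".
ZONE_PREFIXES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to the firewall zone it belongs to; unmatched addresses are external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_PREFIXES.items():
        if addr in net:
            return name
    return "external"


# First-match allow rules: (source zone, destination zone, protocol, destination port).
# A port of None means any port; a protocol of "any" means any protocol.
# Everything not listed is denied, which is what turns the DMZ into an extra hop
# instead of a through-path.
ALLOW_RULES = [
    ("external", "dmz", "tcp", 443),        # public web server reachable from the Internet
    ("external", "dmz", "tcp", 80),
    ("dmz", "internal", "tcp", 5432),       # web server may reach only the database port inside
    ("internal", "dmz", "any", None),       # staff can administer DMZ hosts
    ("internal", "external", "any", None),  # outbound traffic (NAT or proxy would sit here)
]


def decide(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for a flow that crosses the firewall."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow"  # same-zone traffic never transits the firewall in this model
    for s, d, p, port in ALLOW_RULES:
        if s == src_zone and d == dst_zone and p in ("any", proto) and port in (None, dst_port):
            return "allow"
    return "deny"


if __name__ == "__main__":
    flows = [
        ("198.51.100.9", "192.0.2.10", "tcp", 443),  # Internet -> DMZ web server: allow
        ("198.51.100.9", "10.1.1.5", "tcp", 445),    # Internet -> internal file share: deny
        ("192.0.2.10", "10.1.1.5", "tcp", 5432),     # DMZ web server -> internal database: allow
        ("192.0.2.10", "10.1.1.5", "tcp", 22),       # compromised DMZ host -> SSH inside: deny
    ]
    for flow in flows:
        print(flow, decide(*flow))
```

The last two flows are the point of the DMZ: the web server gets exactly the one internal port it needs, so an attacker who owns it cannot pivot to SSH, SMB or anything else on the inside without a second hole in the policy.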
NAT (Network Address Translation)
• The basic principle of NAT is that many
computers can “hide” behind a single IP
address.
• The original motivation is that there are
simply not enough IPv4 addresses to go
around.
• Using NAT means that only one
registered IP address is needed on the
system’s external interface, acting as the
gateway between the internal and
external networks.
To outside users, all traffic coming to and going from the
network appears to use the same IP address or the same pool of
addresses. Note that NAT conceals internal addressing but is not a
security control in itself; unsolicited inbound packets are dropped only
because no translation exists for them, and filtering is still the firewall's job.
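A minimal port-address translation table, added here as a worked example (not code from the original page), to make the "many hosts behind one address" idea concrete. Two inside hosts using the same source port are given distinct public ports, and a reply to a port that was never allocated has nowhere to go. The public address and port range are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class NatTable:
    """Translation state for one public address.

    outbound maps an inside (ip, port) pair to the public port allocated for it;
    inbound is the reverse index used when a reply arrives on the public address.
    """
    public_ip: str
    next_port: int = 40000  # first port of the constructed allocation range
    outbound: Dict[Tuple[str, int], int] = field(default_factory=dict)
    inbound: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def translate_out(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Rewrite an outgoing source (ip, port) to (public_ip, allocated port)."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return self.public_ip, self.outbound[key]

    def translate_in(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map a packet arriving on the public address back to the inside host.

        Returns None when no mapping exists: unsolicited inbound traffic is
        dropped because there is no inside destination for it, not because any
        policy decision was made.
        """
        return self.inbound.get(dst_port)


def demo() -> NatTable:
    """Two inside hosts open connections from the same source port."""
    nat = NatTable(public_ip="203.0.113.7")  # constructed address from the RFC 5737 test range
    nat.translate_out("10.0.0.11", 51000)
    nat.translate_out("10.0.0.12", 51000)
    return nat


if __name__ == "__main__":
    table = demo()
    print(table.translate_out("10.0.0.11", 51000))  # same mapping returned again
    print(table.translate_in(40001))                 # reply for the second host
    print(table.translate_in(9999))                  # no mapping: dropped
```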
Security vulnerability:
• Logs & Traces
• Honeypots
• Data mining algorithms
• Vulnerability testing.
Security vulnerability: Logs
• A system’s security log contains events
related to security incidents such as
successful and unsuccessful logon
attempts and failed resource access.
• Security logs can be customized,
meaning that administrators can fine-
tune exactly what they want to
monitor.
• Some administrators choose to track
nearly every security event on the
system. Although this might be
prudent, it can create huge log files
that take up too much space and bury
the events that actually matter.
• Each event in a security log contains additional information that makes it easy to get the details of the event:
• Date: The exact date the security event occurred.
• Time: The time the event occurred.
• User: The name of the user account that was tracked during the event.
• Computer: The name of the computer used when the event occurred.
• Event ID: The Event ID tells you what event has occurred. You can use this ID to obtain additional information about the particular event.
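Detection logic run over the fields listed above, added as a worked example (not code from the original page). The log lines are constructed for the example in a simple CSV shape with the same columns (date, time, user, computer, event ID); 4624 and 4625 are the Windows security event IDs for a successful and a failed logon. The sliding-window threshold finds a burst of failures for one account, and a second check flags a success that follows the burst, which is the pattern of a guessed password.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log for the example: bob's workstation sees six failures in
# thirty seconds followed by a success; carol's failures are hours apart.
SAMPLE_LOG = """date,time,user,computer,event_id
2024-03-01,09:00:01,alice,WS01,4624
2024-03-01,09:05:10,bob,WS02,4625
2024-03-01,09:05:14,bob,WS02,4625
2024-03-01,09:05:19,bob,WS02,4625
2024-03-01,09:05:25,bob,WS02,4625
2024-03-01,09:05:31,bob,WS02,4625
2024-03-01,09:05:40,bob,WS02,4625
2024-03-01,09:06:02,bob,WS02,4624
2024-03-01,10:15:00,carol,WS03,4625
2024-03-01,11:40:00,carol,WS03,4625
2024-03-01,13:02:00,carol,WS03,4625
2024-03-01,13:05:00,alice,WS01,4625
"""

SUCCESS_LOGON = 4624
FAILED_LOGON = 4625


def parse_security_log(text: str) -> List[dict]:
    """Turn the CSV rows into dicts with a real timestamp, sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S"),
            "user": row["user"],
            "computer": row["computer"],
            "event_id": int(row["event_id"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def failed_logon_bursts(events: List[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=2)) -> Dict[Tuple[str, str], int]:
    """Peak number of failures inside any window, per (user, computer), where it meets the threshold."""
    per_key = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON:
            per_key[(e["user"], e["computer"])].append(e["ts"])
    bursts = {}
    for key, times in per_key.items():
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[key] = peak
    return bursts


def success_after_burst(events: List[dict], bursts: Dict[Tuple[str, str], int],
                        window: timedelta = timedelta(minutes=5)) -> List[Tuple[Tuple[str, str], datetime]]:
    """A successful logon shortly after a burst on the same key is the case worth escalating."""
    hits = []
    for key in bursts:
        same_key = [e for e in events if (e["user"], e["computer"]) == key]
        last_fail = max(e["ts"] for e in same_key if e["event_id"] == FAILED_LOGON)
        for e in same_key:
            if e["event_id"] == SUCCESS_LOGON and last_fail < e["ts"] <= last_fail + window:
                hits.append((key, e["ts"]))
    return hits


if __name__ == "__main__":
    evs = parse_security_log(SAMPLE_LOG)
    found = failed_logon_bursts(evs)
    print("bursts:", found)
    print("success after burst:", success_after_burst(evs, found))
```

Carol's three failures never fall inside one two-minute window, so she is not reported; the same three failures would be reported by a naive per-day count, which is why the window matters.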
Security vulnerability: Honeypots
Digital forensics
• It helps to recover, analyze, and preserve computer and related materials in such a
manner that the investigating agency can present them as evidence in a court of law.
• It helps to postulate the motive behind the crime and the identity of the main culprit.
• It helps to identify evidence quickly, and also allows you to estimate the potential
impact of the malicious activity on the victim.
• Each computer forensic model is focused on a particular area such as law enforcement
or electronic evidence discovery. There is no single digital forensic investigation model
that has been universally accepted.
• However, it is generally accepted that a digital forensic model framework must be
flexible, so that it can support any type of incident and new technologies.
• NIST developed a basic digital forensic investigation model that lets even
non-specialists conduct an investigation in a structured way.
• The NIST model gives more flexibility than other models, so an organization can
adopt the most suitable procedure for the situation that has occurred.
Process of Digital forensics
The NIST digital forensics process entails the following steps (Kent et al., 2006, NIST SP 800-86):
• Collection
• Examination
• Analysis
• Reporting
Collection
• During the collection phase, data related to a specific event is identified, labeled,
recorded, and collected, and its integrity is preserved.
• The first step in the collection forensic process is to identify potential sources of data
and acquire data from them.
• The most obvious and common sources of data are desktop computers, servers,
network storage devices, and laptops.
• In addition to computer-related devices, many types of portable digital devices (e.g.,
PDAs, cell phones, digital cameras, digital recorders, audio players) may also contain
data.
• After the data has been acquired, its integrity should be verified. It is particularly
important for an analyst to prove that the data has not been tampered with if it might
be needed for legal reasons.
• Data integrity verification typically consists of using tools to compute the message
digest of the original and copied data, then comparing the digests to make sure that
they are the same.
Answer the five W's in the digital forensics process: who, what, when, where, why.
• Who controlled the evidence?
• What was used to collect it?
• Why was it done in that manner?
• When was each piece of evidence found?
• Where was the evidence found?
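The integrity check and the five W's from the collection phase, carried through as an added worked example (not code from the original page). The digest is computed in chunks so a multi-gigabyte image does not have to fit in memory, the copy is compared digest-to-digest as the text describes, and the chain-of-custody record stores the who/what/when/where/why alongside the digest so the two can be presented together. The image bytes, the examiner, the tool and the locations are constructed placeholders.

```python
import hashlib
import io
from datetime import datetime, timezone
from typing import BinaryIO


def digest_stream(stream: BinaryIO, algo: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a (possibly very large) image one chunk at a time; memory use stays flat."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def digest_bytes(data: bytes, algo: str = "sha256") -> str:
    return digest_stream(io.BytesIO(data), algo)


def verify_copy(original: bytes, copy: bytes) -> bool:
    """The check described in the text: the digests of original and copy must agree."""
    return digest_bytes(original) == digest_bytes(copy)


def custody_record(who: str, what_tool: str, why: str, when: datetime, where: str,
                   image: bytes) -> dict:
    """Answer the five W's for one item of evidence and bind them to its digest."""
    return {
        "who": who,            # who controlled the evidence
        "what": what_tool,     # what was used to collect it
        "why": why,            # why it was done that way
        "when": when.isoformat(),  # when it was found / acquired (UTC, so times from different sites compare)
        "where": where,        # where it was found and where it is stored now
        "sha256": digest_bytes(image),
    }


# Constructed stand-in for an acquired disk image (16 KiB of a repeating pattern).
ORIGINAL_IMAGE = bytes(range(256)) * 64
_tampered = bytearray(ORIGINAL_IMAGE)
_tampered[1000] ^= 0x01          # a single flipped bit in the "copy"
TAMPERED_IMAGE = bytes(_tampered)


def example_record() -> dict:
    """Custody record with constructed values; every field here is a placeholder."""
    return custody_record(
        who="J. Smith (examiner)",
        what_tool="dd through a hardware write blocker",
        why="bit-for-bit copy preserves slack space and deleted files",
        when=datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc),
        where="found: office 12 desktop; stored: evidence locker 3, bag E-0042",
        image=ORIGINAL_IMAGE,
    )


if __name__ == "__main__":
    print("clean copy verifies:", verify_copy(ORIGINAL_IMAGE, bytes(ORIGINAL_IMAGE)))
    print("tampered copy verifies:", verify_copy(ORIGINAL_IMAGE, TAMPERED_IMAGE))
    print(example_record())
```

A single flipped bit is enough to change the whole digest, which is exactly the property that lets an analyst demonstrate later that the working copy is the one that was acquired. Record the algorithm name with the digest; a bare hex string with no algorithm cannot be re-verified.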
Examination
• In the second phase, examination, forensic tools and techniques appropriate to the
types of data that were collected are executed to identify and extract the relevant
information from the collected data while protecting its integrity.
• Examination may use a combination of automated tools and manual processes.
• Examination of data involves assessing and extracting the relevant pieces of
information from the collected data. This phase may also involve bypassing or
mitigating OS or application features that obscure data and code, such as data
compression, encryption, and access control mechanisms.
• Text and pattern searches can be used to identify pertinent data, such as finding
documents that mention a particular subject or person, or identifying e-mail log entries
for a particular e-mail address.
• Another helpful technique is to use a tool that can determine the type of contents of
each data file, such as text, graphics, music, or a compressed file archive.
• Knowledge of data file types can be used to identify files that merit further study, as
well as to exclude files that are of no interest to the examination.
• There are also databases containing information about known files, which can also be
used to include or exclude files from further consideration
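The two triage techniques above (content-type identification independent of the file name, and exclusion of known files by hash) as an added worked example; it is not code from the original page. The signature table covers a handful of common formats, the "known files" set stands in for a reference database such as the ones the text mentions, and the sample files are constructed. A file whose extension disagrees with its real content is exactly the kind of item that merits further study.

```python
import hashlib
import os
from typing import Dict, List, Set, Tuple

# Leading byte signatures ("magic numbers") for a few formats.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also docx/xlsx/jar/apk containers
    (b"\x1f\x8b", "gzip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),
]

# Extensions that are consistent with each detected type ("" = no extension).
EXTENSIONS = {
    "png": {".png"}, "pdf": {".pdf"}, "jpeg": {".jpg", ".jpeg"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"},
    "gzip": {".gz", ".tgz"}, "elf": {"", ".so"}, "pe": {".exe", ".dll"},
    "text": {".txt", ".log", ".csv", ".md", ""},
}


def identify_content(data: bytes) -> str:
    """Classify by content, never by name."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    return "unknown-binary"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(files: Dict[str, bytes], known_hashes: Set[str]) -> List[Tuple[str, str, str]]:
    """Drop known files, then report (name, detected type, note) for the rest."""
    report = []
    for name, data in sorted(files.items()):
        if sha256(data) in known_hashes:
            continue  # matches the reference database: exclude from further study
        kind = identify_content(data)
        ext = os.path.splitext(name)[1].lower()
        if ext in EXTENSIONS.get(kind, set()):
            note = "ok"
        else:
            note = f"extension mismatch ({ext or 'no extension'} vs {kind})"
        report.append((name, kind, note))
    return report


# Constructed sample files for the example.
SAMPLE_FILES = {
    "notes.txt": b"Meeting notes: discuss Q3 budget with J. Smith\n",
    "invoice.txt": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",   # a PDF hiding as text
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 13,
    "update": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,                          # a Linux binary, no extension
}
# Stand-in for a known-file database: the logo is a known-good asset.
KNOWN_FILES = {sha256(SAMPLE_FILES["logo.png"])}


if __name__ == "__main__":
    for row in triage(SAMPLE_FILES, KNOWN_FILES):
        print(row)
```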
Analysis
• The analysis phase involves analyzing the results of the examination to derive useful
information that addresses the questions that were the impetus for performing the
collection and examination.
• In this step, investigators reconstruct fragments of data and draw conclusions
based on the evidence found. It may take numerous iterations of examination to
support a specific theory of the crime.
• The analysis should include identifying people, places, items, and events, and
determining how these elements are related so that a conclusion can be reached.
• Often, this effort will include correlating data among multiple sources.
• Tools such as centralized logging and security event management software can
facilitate this process by automatically gathering and correlating the data. Comparing
system characteristics to known baselines can identify various types of changes made
to the system.
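The two analysis techniques just described, comparing the system against a known baseline and correlating the result with a second data source, as an added worked example (not code from the original page). The baseline and current snapshots are path-to-hash maps built from constructed file contents, the modification times and login sessions are constructed too, and the correlation answers the question an analyst actually asks: who was logged in when this file changed?

```python
import hashlib
from datetime import datetime
from typing import Dict, List, Tuple


def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline taken when the host was known good, and a later snapshot.
BASELINE = {
    "/usr/bin/ssh": h(b"ssh binary, vendor build"),
    "/usr/bin/ls": h(b"ls binary, vendor build"),
    "/etc/passwd": h(b"root:x:0:0:root:/root:/bin/bash\n"),
}
CURRENT = {
    "/usr/bin/ssh": h(b"ssh binary with credential logger"),   # replaced
    "/usr/bin/ls": h(b"ls binary, vendor build"),              # unchanged
    "/etc/passwd": h(b"root:x:0:0:root:/root:/bin/bash\n"),    # unchanged
    "/tmp/.x": h(b"dropper"),                                  # new
}
# Constructed modification times and interactive sessions (user, login, logout).
MTIMES = {
    "/usr/bin/ssh": datetime(2024, 3, 1, 9, 6, 30),
    "/tmp/.x": datetime(2024, 3, 1, 9, 7, 0),
}
SESSIONS = [
    ("alice", datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 17, 0)),
    ("bob", datetime(2024, 3, 1, 9, 6, 2), datetime(2024, 3, 1, 9, 20)),
    ("carol", datetime(2024, 3, 1, 13, 0), datetime(2024, 3, 1, 14, 0)),
]


def diff_against_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Paths that were added, removed, or whose hash changed."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def correlate_with_sessions(changes: Dict[str, List[str]], mtimes: Dict[str, datetime],
                            sessions: List[Tuple[str, datetime, datetime]]) -> Dict[str, List[str]]:
    """For each added or modified path, the users whose session spanned its modification time."""
    result = {}
    for path in changes["added"] + changes["modified"]:
        when = mtimes.get(path)
        if when is None:
            result[path] = []   # no timestamp recovered: nothing to correlate against
            continue
        result[path] = sorted(user for user, start, end in sessions if start <= when <= end)
    return result


if __name__ == "__main__":
    delta = diff_against_baseline(BASELINE, CURRENT)
    print(delta)
    print(correlate_with_sessions(delta, MTIMES, SESSIONS))
```

The correlation narrows the candidates rather than naming the culprit: both alice and bob were logged in, so the next iteration goes back to examination (shell histories, the 4624 event for bob's session) before any conclusion is drawn.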
Reporting
• The final phase involves reporting the results of the analysis, which may include
describing the actions performed, determining what other actions need to be
performed, and recommending improvements to policies, guidelines, procedures, tools,
and other aspects of the forensic process.
• It includes the presentation of all the digital evidence and documentation in court
in order to prove the digital crime committed and identify the criminal.
Process of Digital forensics
• The forensic process transforms media into evidence, whether the evidence is needed
for law enforcement or for an organization's internal use.
• Specifically, the first transformation occurs when collected data is examined, which
extracts data from media and transforms it into a format that can be processed by
forensic tools.
• Second, data is transformed into information through analysis.
• Finally, the information transformation into evidence is analogous to transferring
knowledge into action using the information produced by the analysis in one or more
ways during the reporting phase. For example, it could be used as evidence to help
prosecute a specific individual, actionable information to help stop or mitigate some
activity, or knowledge in the generation of new leads for a case.
Types of Digital Forensics
• Disk Forensics:
It deals with extracting data from storage media by searching active, modified, or
deleted files.
• Network Forensics:
It is a sub-branch of digital forensics. It is related to monitoring and analysis of
computer network traffic to collect important information and legal evidence.
• Wireless Forensics:
It is a division of network forensics. The main aim of wireless forensics is to offer the
tools needed to collect and analyze data from wireless network traffic.
• Database Forensics:
It is a branch of digital forensics relating to the study and examination of databases
and their related metadata.
Types of Digital Forensics
• Malware Forensics:
This branch deals with the identification of malicious code (viruses, worms, etc.) and
the study of its payload and behaviour.
• Email Forensics
Deals with recovery and analysis of emails, including deleted emails, calendars, and
contacts.
• Memory Forensics:
It deals with collecting data from system memory (system registers, cache, RAM) in raw
form and then carving the data from the raw dump.
• Mobile Phone Forensics:
It mainly deals with the examination and analysis of mobile devices. It helps to retrieve
phone and SIM contacts, call logs, incoming, and outgoing SMS/MMS, Audio, videos,
etc.
Benefits of Digital Forensics
Here are the benefits of digital forensics:
RAID Level 0
• RAID level 0 divides data into block units and writes them across a number of disks.
• As data is placed across multiple disks, it is also called “data striping”.
• The advantage of distributing data over disks is that if two different I/O requests are pending for two different blocks of data, there is a good chance that the requested blocks are on different disks and can be served in parallel.
RAID Level 0 - Advantages
• Implementation is easy
• No overhead of parity calculation
RAID Level 0 - Disadvantages
• The failure of just one drive will result in all data in the array being lost.
RAID Level 1
• This level is called "mirroring" as it copies data onto two disk drives simultaneously.
• As the same data is placed on multiple disks, it is also called “data mirroring”.
• The automatic duplication of the data means there is little likelihood of data loss or system downtime from a single drive failure.
RAID Level 2
• RAID 2 differs from the other RAID levels because it does not use the standard forms of mirroring, striping or parity. It splits data at the bit level, spreads the bits over a number of data disks and redundancy disks, and uses a Hamming code computed over the redundant bits to detect and correct errors.
• The spindles of the individual disk drives are synchronized so that each disk head is in the same position on every disk at any given time. This configuration requires special drive hardware to make the disks spin synchronously.
RAID Level 3
• Data is divided into byte units and written across multiple disk drives.
• Parity information is computed for each stripe and written to a dedicated parity drive.
• All disks can be accessed in parallel.
• Data can be transferred in bulk, so high-speed data transfer is possible.
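A worked model of the three levels above, added as an example (not code from the original page): striping for RAID 0, duplication for RAID 1, and a dedicated XOR parity disk for RAID 3. It goes one step beyond the text by actually rebuilding a lost data disk from the parity disk, and shows the RAID 0 failure mode where the same loss is unrecoverable. Block size and the sample data are constructed.

```python
from functools import reduce
from typing import List, Optional, Tuple

BLOCK = 4  # bytes per block; real arrays stripe in kilobytes, the logic is the same


def split_blocks(data: bytes, n_disks: int) -> List[bytes]:
    """Pad to a whole number of stripes, then cut into fixed-size blocks."""
    stripe_len = BLOCK * n_disks
    data += b"\x00" * ((-len(data)) % stripe_len)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def raid0_write(data: bytes, n_disks: int) -> List[List[bytes]]:
    """RAID 0: block i goes to disk i mod n. Fast, but no redundancy."""
    blocks = split_blocks(data, n_disks)
    return [blocks[d::n_disks] for d in range(n_disks)]


def raid0_read(disks: List[Optional[List[bytes]]], length: int) -> Optional[bytes]:
    """Reassemble the stripes. One missing disk means nothing can be read back."""
    if any(d is None for d in disks):
        return None
    return b"".join(b for stripe in zip(*disks) for b in stripe)[:length]


def raid1_write(data: bytes) -> List[bytes]:
    """RAID 1: the same bytes on both drives; either copy alone is complete."""
    return [data, data]


def xor_blocks(blocks: List[bytes]) -> bytes:
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), blocks)


def raid3_write(data: bytes, n_data_disks: int) -> Tuple[List[List[bytes]], List[bytes]]:
    """RAID 3: stripe the data, then keep the XOR of every stripe on a dedicated parity disk."""
    disks = raid0_write(data, n_data_disks)
    parity = [xor_blocks([d[i] for d in disks]) for i in range(len(disks[0]))]
    return disks, parity


def raid3_read(disks: List[Optional[List[bytes]]], parity: List[bytes], length: int) -> Optional[bytes]:
    """Read through a single data-disk failure by XORing the survivors with the parity."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) > 1:
        return None  # single parity tolerates exactly one failure
    if missing:
        idx = missing[0]
        rebuilt = [
            xor_blocks([d[i] for j, d in enumerate(disks) if j != idx] + [parity[i]])
            for i in range(len(parity))
        ]
        disks = disks[:idx] + [rebuilt] + disks[idx + 1:]
    return raid0_read(disks, length)


if __name__ == "__main__":
    data = b"The quick brown fox jumps over the lazy dog"
    disks, parity = raid3_write(data, 3)
    print("RAID 3, disk 1 lost:", raid3_read([disks[0], None, disks[2]], parity, len(data)))
    print("RAID 0, disk 1 lost:", raid0_read([disks[0], None, disks[2]], len(data)))
```

The rebuild works because XOR is its own inverse: parity = d0 ^ d1 ^ d2, so d1 = d0 ^ d2 ^ parity. That is also why the parity drive is the bottleneck in RAID 3: every write to any data disk must update it.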
Important Questions on RAID
Link aggregation
• Start two file transfers, however, and you'll see the benefits of aggregated bandwidth.
• In simple terms, link aggregation increases the number of lanes on a highway but it doesn't increase the speed limit.
Requirements:
1. Switch/router that supports dual LAN/link aggregation
2. PC with two LAN ports
3. Windows Server, Linux, OS X.
Server balancing (Load balancing)
• Network servers are the workhorses of the network. They are relied on to hold and distribute data, maintain backups, secure network communications, and more.
• The load placed on servers is often too much for a single server to sustain. This is where load balancing comes into play.
• Load balancing is a technique in which the workload is distributed between several servers. This feature can take networks to the next level; it increases network performance, reliability, and availability.
■ Increases redundancy and therefore data availability.
■ Increases performance by distributing the workload.
■ Implemented through server clustering.
Data security: Asset management
• As part of your network risk management the assets used should be
considered and assessed by performance, configuration, and behaviour.
• Plan and organise devices:
• What functions do they perform? How and where are they used? Who is responsible
for them? Expected lifespan of each device including the refresh cycles, lease date
or end of life warranty.
• Monitor your devices:
• Consider performance, health, and risk exposure, and make informed decisions
about changes to your environment.
• Consider then how you identify the scope of unexpected changes in your
environment and how you can address them at scale when they occur. What is your
action plan if a device is lost or stolen? How will you discover that it is gone?
Data security: Asset management
Device retirement
• Ensure that the devices important to you are monitored and protected.
• Establish a process for your devices' end of life.
• Devices should be collected, secured, sanitized, and removed from your
environment when the time comes.
• How will you manage device returns when employees leave or change roles?
• How do you manage timely and secure device end-of-life?
• How can you confirm that they have been safely decommissioned from your organisation?
Data security: image differential/incremental
backups
• Considered previously as part of Unit 2: Networking.
Data security: SAN (storage area network) servers
• A centralised subnetwork of storage devices, usually found on high-speed networks and shared by all servers on a network.
• A SAN makes a network of storage devices accessible to potentially multiple servers/devices. Through storage virtualization these different devices are seen as one storage area.
• Often combined with Fibre Channel, a technology that provides multi-gigabit-per-second data transfer over fibre-optic cable.
• Advantages include storage virtualization, high-speed disk technologies (Fibre Channel), centralized backup, and dynamic failover protection (continuous network operation even if a server fails or goes offline for maintenance, through built-in redundancy and automatic traffic rerouting).
Simple guide on how to configure a SAN in Windows Server: https://www.techrepublic.com/blog/data-center/diy-san-windows-server-2012-storage-spaces-and-iscsi-target/
Data centres
• TLS and SSL are cryptographic protocols designed to provide communications security over a network and in data centres.
• TLS (Transport Layer Security) replaced SSL (Secure Sockets Layer). Every SSL version is deprecated, and only TLS 1.2 and TLS 1.3 should be enabled today.
• Websites can use TLS to secure all communications between their servers and web browsers.
• TLS used in the context of web servers is known as HTTPS (Hyper Text Transfer Protocol Secure), that is, HTTP over TLS.
Further guidance: https://www.ncsc.gov.uk/guidance/tls-external-facing-services
Secure MPLS (Multiprotocol Label Switching) routing
• MPLS is a switching technology used frequently with data centres to make packet forwarding happen.
• It is designed to speed up network traffic flow by moving away from the use of traditional routing tables.
• Instead of routing tables, MPLS uses short labels to direct packets and forward them through the network.
• Because labels refer to paths and not endpoints, packets destined for the same endpoint can use a variety of LSPs (label-switched paths) to get there: the packet follows its path to the destination, eliminating the need to inspect the packet for forwarding information at each hop and reducing the need to consult routing tables.
• The multiprotocol part of the name refers to the fact that MPLS works with a variety of protocols, including Frame Relay, ATM, and IP.
• Labels provide traffic separation, not encryption; confidentiality for data crossing an MPLS link still has to come from TLS or IPsec.
Routing table: a set of rules, often viewed in table format, that is used to determine where data packets traveling over an Internet Protocol (IP) network will be directed.
Further reading: https://www.networkworld.com/article/2297171/network-security-mpls-explained.html
Remote access methods/procedures for third-party access
• Remote management allows centrally located personnel and applications to monitor, manage, and respond to globally distributed networks and systems from a single location.
• With these tools, IT managers can respond to problems quickly and perform corrective actions from anywhere in the world at any time.
• This addresses staffing issues and ensures effective systems management.
• Remote access methods should be able to:
• Remotely configure, monitor, and manage equipment
• Access equipment over the network (in-band), through a single modem connection (out-of-band), or via the Internet (IP-based management)
• Connect equipment that lacks a network interface
• Secure access to mission-critical equipment
Companies that provide remote access data centres: scc.com, lantronix.com