
Network Threats and Mitigation
By Fanuel Vasco Nyirenda
Content
• Recognizing security threats
• Vulnerabilities
• Understanding Mitigation Techniques
• Policies and Procedures
• Anti-malware software
Recognizing security threats…
• Denial of Service (DoS) – designed to bring the network to its knees by flooding it with useless traffic that
exploits limitations in the TCP/IP protocols
• prevents users from accessing the network and/or its resources
• commonly launched against major companies’ intranet and especially its websites
• comes in a variety of flavors like;
• Ping of Death – a DoS attack caused by an attacker deliberately sending an IP packet larger than the 65,536
bytes allowed by the IP protocol.
• a correctly formed ping is 56 bytes (84 bytes including headers)
• overflows the victim’s buffer, causing the system to reboot or hang
• operating system patches help prevent Ping of Death attacks on a system
• Unreachable Gateway – an attacker makes a host’s default gateway unreachable to get users to change their
gateway address to one controlled by the attacker, accomplishing a man-in-the-middle attack
• attacker takes control of a secondary gateway
• attacker, acting as the destination host, sends a TCP open packet to the source host
• attacker spoofs the gateway and sends an ICMP route redirect message to the source host
• source host accepts the route change control message
• attacker quietly reads/modifies and forwards all traffic bound for the destination host through the spoofed gateway
Unreachable gateway
Recognizing security threats…
• Distributed DoS (DDoS) - multiple compromised systems are used to
target a single system causing a DoS attack
• Botnet – (zombie army) is a number of Internet computers that, although
their owners are unaware of it, have been set up to forward transmissions
(including spam or viruses) to other computers on the Internet
• some created to maintain control of Internet Relay Chat (IRC) channels, while
others are illegally created to foist a DDoS
• operator sends out viruses or worms whose payloads are malicious applications, the
bots, infecting ordinary users’ computers
• infected PCs log into a server called a command and control (C&C) server under the
control of the attacker
• attacker, through the C&C server, sends a command to all bots to attack the victim at the
same time
Botnet
Recognizing security threats…
• Traffic Spike – recruited bots mount an attack by sending lots of traffic on to a victim
• IDS recognizes these and may prevent them from growing larger or prevent the traffic in the first place
• features like TCP SYN cookie option allows the load balancer to react when the number of SYN requests
reaches a certain point
• Coordinated Attack – bots attack the victim at the same time orchestrated by the command and
control server
• Friendly/Unintentional DoS (a.k.a. attack from “friendly fire”) - caused by a spike in activity to a
website or resource that overpowers its ability to respond
• e.g. when Michael Jackson died, Twitter and Google traffic spiked so much that it was thought that an
automated attack was under way
• Physical Attack - causes hardware damage to a device
• mitigated by preventing physical access to devices such as routers, switches, firewalls and servers by locking
them away and using strong access controls
• Permanent DoS - one in which the device is damaged and must be replaced
• an attack called phlashing denial of service (PDoS) attacks the firmware using tools that fuzz (introduce
errors into) the firmware, causing the device to be unusable
Recognizing security threats…
• Smurf - floods its victim with spoofed broadcast ping messages
• receiving router delivers the broadcast to all hosts in the subnet and all hosts
reply at the same time keeping them busy responding to each echo request
• SYN Flood - floods receiving machine with lots of packets causing it to
waste resources by holding connections open
• attacker sends a SYN, the victim sends back a SYN-ACK, and the attacker
leaves the victim waiting for the final ACK thus just consuming memory
• OS patches help guard against this type of attack
• Stacheldraht – (barbed wire) it incorporates TFN and adds a dash of
encryption to the mix
• begins with a huge invasion at the root level, followed with a DoS attack
Recognizing security threats…
• Reflective/Amplified Attacks - increases the effectiveness of a DoS attack
leveraging two network functions, DNS and NTP
• DNS - attacker delivers traffic to the victim by reflecting it off a third party
concealing source of the attack
• relies on the exploitation of publicly accessible open DNS servers to deluge victims with DNS
response traffic
• attacker sends a small DNS message using the victim’s IP address, which returns all DNS zone
information allowing for the maximum level of response amplification directed to the
victim’s server
• magnified by recruiting a botnet to send the small messages to a large list of open resolvers
(DNS servers)
• NTP - recruits bots to aid the attack and attacks are reflected off Network Time
Protocol (NTP) servers
• attacker sends a small spoofed 8-byte UDP packet to vulnerable NTP servers requesting a
large amount of data be sent to the DDoS’s target IP address
• can be prevented by using at least NTP version 4.2.7 released in 2010
Smurf Attack
SYN Flood attack
DNS amplification attack
Recognizing security threats…
• ARP Cache Poisoning - a cache is poisoned by pinging a device with a spoofed IP address (man-in-the-middle
attack)
• an attacker forces two victims to insert an incorrect IP-address-to-MAC-address mapping into their ARP caches
• attacker places himself in the middle of the transmission
• poisoned machines send data packets to the attacker, thinking they are sending them to the other member of the
conversation
• Packet/Protocol Abuse - concealing one protocol within another
• TCP can be encapsulated into either DNS or ICMP to bypass firewall restrictions
• Spoofing - process of changing a source IP address so that one computer appears to be a different
computer in order to get traffic through a firewall
• used to access a server with a false IP address
• ARP spoofing – refers to “ARP Cache Poisoning”
• Referrer spoofing – referrer header of an HTTP packet is changed to reflect an allowed referral page
• Email spoofing - “from” field is changed to hide the true origin of an email, conceals the identity of an email spammer
• Brute Force - form of password cracking where the attacker attempts every possible combination of numbers and
letters that could be in a password
• account lockout policy mitigates brute force attacks
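The ARP cache poisoning bullets above describe a poisoned IP-to-MAC mapping; the detector below is an added example (not from the slides) that watches ARP replies for the two symptoms a defender can see: a known address suddenly answered by a different MAC, and one MAC claiming several IPs. The tcpdump-style line format and the capture are constructed for this example.

```python
import re
from collections import defaultdict

# Regex for tcpdump-style ARP reply lines; the format is assumed and the capture below is constructed.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed capture: the gateway 192.168.1.1 is first announced by its real MAC, then a
# second MAC (…:99) claims both the gateway's address and a client's address.
SAMPLE_CAPTURE = """\
10:00:01 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
10:00:02 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
10:00:03 ARP, Request who-has 192.168.1.30 tell 192.168.1.20, length 28
10:00:05 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:99, length 28
10:00:06 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:99, length 28
"""

# Static entries the administrator vouches for (here: the default gateway).
TRUSTED = {"192.168.1.1": "aa:bb:cc:00:00:01"}


class ArpMonitor:
    """Tracks IP -> MAC claims seen in ARP replies and raises alerts on suspicious changes."""

    def __init__(self, trusted=None):
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.learned = {}                   # ip -> MAC most recently seen claiming it
        self.ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed
        self.alerts = []

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        if ip in self.trusted and self.trusted[ip] != mac:
            # A statically known host (the gateway) is being answered for by another MAC.
            self.alerts.append(("trusted-mismatch", ts, ip, mac, self.trusted[ip]))
        elif ip in self.learned and self.learned[ip] != mac:
            # A dynamically learned mapping flipped to a new MAC.
            self.alerts.append(("mapping-changed", ts, ip, mac, self.learned[ip]))
        self.learned[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            # One interface answering for several IPs is the man-in-the-middle pattern.
            # Note: VRRP/HSRP or multi-homed hosts can do this legitimately; whitelist them.
            self.alerts.append(("multi-ip-mac", ts, ip, mac, sorted(self.ips_by_mac[mac])))
        return self.alerts


def scan_capture(text, trusted=None):
    """Feed every ARP reply in a text capture to the monitor and return the alerts raised."""
    monitor = ArpMonitor(trusted)
    for line in text.splitlines():
        match = ARP_REPLY_RE.match(line)
        if match:
            monitor.observe(match["ts"], match["ip"], match["mac"])
    return monitor.alerts


if __name__ == "__main__":
    for alert in scan_capture(SAMPLE_CAPTURE, TRUSTED):
        print(alert)
```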
Recognizing security threats…
• Session Hijacking - takes over a user’s session with a secure server after the user has
been authenticated
• Session Fixation – attacker sets the session ID ahead of time by sending the victim a link with
the ID preset; the attacker then disconnects the user and, using that ID, takes over the session
• Session Sidejacking – attacker uses a sniffer to steal a session cookie from the user, or
physically steals the session key from the memory of the user’s machine
• Cross-Site Scripting – attacker uses the user’s computer to run code on the site that may allow
him to obtain the cookie, using malware that runs the code on the site after the user
authenticates
• VLAN Hopping - results in traffic from one VLAN being sent to the wrong VLAN
• VTP prevents such occurrences by placing VLAN tags that identify the VLAN to which the traffic
belongs
• an attacker uses double tagging, which places a fake VLAN tag into the packet along with the real
tag; the real tag is taken off as the frame goes through multiple switches, leaving the fake tag,
which confuses the next switch that reads the frame
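The session fixation bullet above says the attacker presets the session ID and later reuses it. The added example below (not code from the slides) models a tiny server-side session table in two variants, one that keeps the pre-login ID and one that regenerates it on login, and replays the fixation scenario against both; the class and its method names are constructed for this illustration.

```python
import secrets


class SessionStore:
    """Minimal server-side session table (constructed for illustration, not a real framework)."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session id -> {"user": None or username}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable id from the OS CSPRNG
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, sid):
        """Look up the id presented in the cookie; unknown ids get a fresh anonymous session."""
        if sid not in self.sessions:
            sid = self.new_session()
        return sid

    def login(self, sid, username: str) -> str:
        """Authenticate and return the id the client must use from now on."""
        sid = self.resolve(sid)
        if self.regenerate_on_login:
            # Hardened path: discard the pre-authentication id so an id that a third party
            # planted before login never becomes an authenticated session.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def fixation_scenario(regenerate_on_login: bool):
    """Replay the slide's scenario: an id is fixed in advance, the victim logs in with it,
    and the fixed id is then presented again. Returns (user seen via fixed id, user seen via
    the id the victim ended up with)."""
    store = SessionStore(regenerate_on_login)
    fixed_sid = store.new_session()               # a valid anonymous id obtained ahead of time
    victim_sid = store.login(fixed_sid, "alice")  # victim follows a link carrying fixed_sid
    return store.whoami(fixed_sid), store.whoami(victim_sid)


if __name__ == "__main__":
    print("no regeneration:", fixation_scenario(False))   # fixed id is now alice's session
    print("regenerate on login:", fixation_scenario(True))  # fixed id is dead, alice has a new one
```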
IPv4 packets tunneled in DNS
VLAN hopping
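The double-tagging described in the VLAN hopping bullets and figure above is visible in the frame itself: two stacked 802.1Q tags, the outer one matching the trunk's native VLAN. The parser below is an added example (not from the slides) that walks the tag stack of a raw Ethernet frame, classifies it, and shows what the frame looks like after a switch strips the outer tag; the sample frames and the native VLAN of 1 are constructed assumptions.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # standard VLAN tag (C-tag)
ETHERTYPE_8021AD = 0x88A8  # provider tag (S-tag, QinQ)
ETHERTYPE_IPV4 = 0x0800


def parse_vlan_tags(frame: bytes):
    """Walk the Ethernet header and return (src_mac, [VLAN ids outer->inner], inner ethertype)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    offset = 12
    vlan_ids = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            return src_mac, vlan_ids, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID


def classify(frame: bytes, native_vlan: int = 1) -> str:
    """Label a frame; 'double-tag-native' is the hopping pattern: the outer tag equals the
    trunk's native VLAN, so a switch strips it and forwards the inner (fake) tag onward."""
    _, tags, _ = parse_vlan_tags(frame)
    if len(tags) >= 2 and tags[0] == native_vlan:
        return "double-tag-native"
    if len(tags) >= 2:
        return "double-tag"
    if len(tags) == 1:
        return "tagged"
    return "untagged"


def strip_outer_tag(frame: bytes) -> bytes:
    """What a switch does when the outer tag is its native VLAN: forward the frame without it."""
    return frame[:12] + frame[16:]


def build_frame(vlan_ids, payload: bytes = b"\x45\x00" + b"\x00" * 18) -> bytes:
    """Construct a sample frame with the given tag stack (constructed MACs, dummy IPv4 payload)."""
    header = bytes.fromhex("aabbcc000001") + bytes.fromhex("aabbcc000020")
    for vid in vlan_ids:
        header += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


if __name__ == "__main__":
    hopping = build_frame([1, 20])
    print(classify(hopping), parse_vlan_tags(hopping)[1])                 # double-tag-native [1, 20]
    print(classify(strip_outer_tag(hopping)), parse_vlan_tags(strip_outer_tag(hopping))[1])
```

Monitoring trunk ports for frames that classify as double-tag-native is the detection side; the usual hardening is to make the native VLAN an otherwise unused VLAN rather than VLAN 1.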
Authentication issues
• TACACS+/RADIUS Misconfiguration - TACACS+ and RADIUS servers are examples of Authentication, Authorization, and
Accounting (AAA) servers that verify the identity of, grant access to, and track the actions
of users
• misconfiguration results in the inability of users and devices to connect to the access devices that are
clients of the AAA server
• prevents communication between the AAA server and the AAA client
• Solution:
• Verify the port numbers, making sure the client and server are using the correct port numbers
• Check to see if there is a mismatch in the pre-shared key between the client and the server
• Problem between the supplicant and the authenticating server (switch, WAP, dial-up server):
• Verify that the configuration on the supplicant lists the appropriate RADIUS or TACACS+ server group
• Verify that the authentication port number matches the configured port number
• Verify that the user is configured on the AAA server (user account)
• Default Passwords/Settings - default accounts should be disabled and renamed if possible
• passwords should be changed from the default because they are well known and readily available on
the internet
Authentication issues
• Viruses - programs that cause a variety of bad things on your computer, ranging from
merely annoying to totally devastating
• can’t replicate themselves to other computers without a user doing something
• Types include file viruses, macro (data file) viruses, boot-sector viruses and multipartite viruses
• can display a message, delete files, or even send huge amounts of meaningless data causing DoS
• can take actions the user did not authorize
• worm is a malware that can spread without the assistance of the user
• placing limits on sharing, writing, and executing programs and deploying antivirus and anti-
malware software to all network devices helps mitigate worms
• File viruses - attack executable application and system program files with filenames
ending in .com, .exe, and .dll
• replace some or all of the target program’s code with their own
• once executed, they load into memory and infect other executables
• well-known file viruses are Jerusalem and Nimda
Authentication issues
• Macro viruses – macros are scripted commands used to automatically carry out tasks without
requiring a user to initiate them
• macro virus uses Visual Basic macro-scripting language to perform nasty things in data files created with
Microsoft Office Suite programs
• may not crash your system but cause you problems like failing to save a file
• Cap and Cap A are examples of macro viruses
• Boot-sector viruses – infects the ground-zero sector on your hard disk where a pointer for the
operating system lives
• overwrites the boot sector, resulting in Missing Operating System or Hard Disk Not Found error message
• examples are Monkey B, Michelangelo, Stoned, and Stealth Boot
• Multipartite viruses - are dangerous and exasperatingly difficult to remove viruses that affect
both the boot sector and files on your computer
• examples are Anthrax and Tequila
• Tequila virus does nothing until the next reboot
• always use a good virus scan program as well as Windows Defender to prevent viruses from
attacking your systems
An email virus spreading rapidly
Authentication issues
• Zero Day Attacks - it is the first day a virus has been released and no known
fix exists
• term also applies to an OS bug that has not been corrected
• Insider Threat/Malicious Employee - employees complete two phases of
the hacking process, discovery and penetration
• learn a bit about the network just by doing their job
• disgruntled or malicious employees can be mitigated by adherence to the principle
of least privilege (giving users access only to the resources required to do their job)
• separation of duties (breaks up sensitive operations into two parts, with different
users performing each part)
• taking all network access from a user who has been terminated before they have a
chance to access the network
Vulnerabilities
• Unnecessary Running Services - present an additional attack surface to the hacker
• hackers identify vulnerabilities presented by running services and attempt to use them to compromise the target
• Open ports - unnecessary open ports present attack options
• port scanners identify open ports on all machines in a network
• open ports are available to accept a connection, thus unused ports should be shut down
• Unpatched/Legacy Systems - older OSs and applications may lack the security required in today’s networks
• OSs and applications are insecure if they lack recent updates and security patches
• process of updating and maintaining OSs and applications can be automated
• Unencrypted channels – IPSec provides end-to-end protection of data at the network layer and layers
above
• Clear-Text credentials – e.g. Telnet transmits credentials in clear text while Secure Shell does not
• PAP transmits credentials in clear text, while Challenge Authentication Protocol (CHAP) never sends the credential
across the network
• TEMPEST/RF Emanation - a National Security Agency specification and NATO certification that addresses
methods of spying used and how to protect against them
• describes the level of protection a system is certified to provide
• methods such as distance, shielding, filtering, and masking are used to protect equipment from spying
Vulnerabilities
• Malicious Users - can come from both inside and outside the network
• Trusted users - “trusted” users can go to the dark side
• present danger in that the employee is already inside your network and knows a bit about it
• motives for trusted users turning malicious include:
• perceived slight by the company
• jealousy of other employees
• monetary reward
• principle of least privilege helps mitigate this
• Untrusted Users - users outside your network having a higher level of skill than disgruntled
employees
• mitigation for the attack includes perimeter defense and strong access control at the point of resource access
• Packet sniffing - captures raw packets off the network for analysis
• NIC of the hacker’s device is set to operate in promiscuous mode to capture all packets on the
network
• used to examine a network for traffic that should not be there
Wireshark
Vulnerabilities
• Buffer Overflow - hacker injects a command that overflows the amount of memory allocated and
executes the command with security privileges
• hacker takes control of the machine and create havoc
• Code Red worm is an example of buffer overflow
• mitigation includes input validation in programs
• Wireless threats -
• War driving - attacker drives around with a high-powered antenna connected to a wireless laptop scanning for
networks
• discovered networks are displayed by name (SSID) together with the channel and security measures in use, depending on the
software
• attacker may penetrate through unsecured networks and attempt other attacks, such as port scanning and peer-to-peer
attacks
• limiting the AP’s transmission range as well as setting the AP not to broadcast the SSID may help mitigate this
• a hidden SSID can still be discovered using a wireless protocol analyzer or sniffer which captures the raw packets
• War Chalking - hacker writes the SSID and security employed somewhere near your facility advertising to
anyone who recognizes that code
• hackers now post and share these networks on online maps indicating their location
Vulnerabilities
• WEP cracking - WEP is a security protocol designed to authenticate users and encrypt the wireless data
• uses RC4 algorithm which is weaker and easy to discover the encryption/decryption key
• WPA/WPA2 Cracking - requires more effort than cracking WEP, using a dictionary file with words that
could possibly be used as a password
• requires capturing a large number of wireless frames, and the cracking process takes a lot of time
• WPA2 is harder to crack than WPA
• WPS Attacks - Wi-Fi Protected Setup enables the user to add a device to a network without typing
credentials
• user just needs to push the WPS button on home wireless access points
• hacker can perform a brute force attack on the password and the network preshared key for WPA or WPA2 if
the function is enabled
• Rogue Access Points - access points that you do not control and manage either connected to your
wired infrastructure or not
• may be placed there by your own users without your knowledge, or by a hacker
• wireless IPS devices are used to locate them and to alert administrators of their presence
Vulnerabilities
• Evil Twin - AP not under your control but used to perform a hijacking attack
• hacker connects your users’ computers to their network for the purpose of a peer-to-
peer attack by “jamming” the channel on which your access point is transmitting and
then connecting your users’ computers to another access point with the same SSID but
under their control
• Bluejacking - annoying attacks aimed at Bluetooth connections
• sends unsolicited messages to the devices in the form of a vCard containing the message
in the name field
• Bluesnarfing - unauthorized access of information from a wireless device
through a Bluetooth connection, often between phones, desktops, laptops, and
PDAs (personal digital assistants)
• users should disable automatic “discoverable” mode and instead enable it manually when needed
Attackers’ Tools
• Application-Layer Attacks – exploits well-known holes in servers’ software
• targets include FTP, sendmail, and HTTP because the permissions level granted to these accounts is privileged
• ActiveX Attacks - makes its way to your computer through ActiveX and Java programs (applets)
• some ActiveX and Java applets contain viruses or snoop or spyware programs that allow a hacker to look at
your entire hard drive from a remote location without you knowing about it
• properly configuring the on-access component of your antivirus software checks and cleans ActiveX attacks
• Autorooters - hacker automaton using a rootkit to probe, scan, and then capture data on a
strategically positioned computer that’s poised to give them “eyes” into entire systems
automatically
• this is a method used to attack a Mac or Unix box
• Backdoors – are paths leading into a computer or network
• like trojan horses; villains use previously placed inroads into a host or a network whenever they want to
• Network Reconnaissance – gathering of information about a network to better compromise it
• accomplished through methods like port scans, Domain Name Service (DNS) queries, and ping sweeps, social
engineering, or phishing
Attackers’ Tools
• Packet Sniffers - software tools used in troubleshooting a problematic network
• can nick valuable, sensitive data, including passwords and usernames, making them a prize among identity
thieves
• Port Scanners - programs that ping ports on the target to identify which ports are open
• pings an IP address of the target with the port number appended after a colon
• Open ports can lead to services a hacker can exploit
• FTP Bounce - variation of the port scan, the attacker uses the FTP PORT command to request
access to ports indirectly by using the victim machine as a middleman for the request
• Port-Redirection Attacks - requires a host machine the hacker has broken into and uses to
redirect traffic that normally wouldn’t be allowed passage through a firewall
• attacker accesses a trusted computer that is outside the firewall and installs software on the machine which
redirects traffic bound for a particular port on the trusted yet now compromised host to their machine
• Trust-Exploitation Attacks - happens when someone exploits a trust relationship in your network
• attacker gains control of a host that is outside the firewall yet is trusted by hosts that are inside the firewall
• compromised host is used as a platform to exploit those inside the firewall
Attackers’ Tools
• Man-in-the-Middle Attacks – an attacker intercepts packets intended for one computer using a
packet sniffer and reads the data
• rogue ATM machines and credit-card swipers are common tools used for this type of attack
• Improper Access/Backdoor Access - backdoor is a piece of software installed by hackers, allows
them to connect to the computer without going through the normal authentication process
• sometimes programmers forget to remove backdoors before releasing software to the market
• Back Orifice 2000 (BO2K), is an application-level Trojan horse used to give an attacker backdoor network
access
• ARP Issues -
• Banner Grabbing/OUI - banners are messages configured on some devices to appear under certain
conditions: when someone is presented with a login screen, upon making a connection, or when an error is
encountered
• reveals the OS or the version of firmware which can be used during the discovery phase of the hacking process
• Banner grabbing – process of connecting to a device using protocols such as Telnet, SMTP or HTTP and
then generating an error displaying the banner.
• disable all services not in use to eliminate the problem
Man-in-the-middle attack
Attackers’ Tools
• Domain/Local Group Configurations - default local accounts can be
used to log on locally circumventing the domain login process
• local administrator account and privileged local accounts should be renamed
and/or disabled
• Jamming - process of sending out radio waves on the frequency used
by a wireless network, disassociating (disconnecting) all of the
stations from the AP, at least while the jam signal is still there
• considered a DoS attack
• usually part of an evil twin attack
Misconfiguration Issues
• Misconfigured Firewall - damage caused falls in three categories:
• Traffic is allowed that shouldn’t be allowed
• Traffic that should be allowed is blocked
• No traffic is allowed at all - ACL with no permit statements
• Misconfigured ACLs/Applications - can easily allow for attacks such as buffer overflows
• can in some cases allow for commands to be executed on the web server
• Web-based applications should undergo strict code review and fuzz testing to ensure all input is
validated before it is accepted by the application
• Open/Closed Ports – attackers leverage weaknesses that are known to be present
with certain ports
• closing or disabling a port eliminates the possibility of a malicious user connecting to that port
• standard device hardening practice is to close any ports not required for the proper functioning
of a device based on its role in the network
Misconfiguration Issues
• Unpatched Firmware/OSs - best defense against a majority of malware
types and attack modes is to keep current on all updates
• includes operating system patches, firmware updates, and application updates
• a formal update system ensures that no updates fall through the cracks
• Social Engineering (Phishing) – an act of attempting to illegally obtain
sensitive information by pretending to be a credible source
• tactics include sending emails, making phone calls, or even starting up a
conversation in person
• legitimate-looking email is common form of phishing
• rule is to never give any of your information or anyone else’s to anyone you’re
not absolutely sure should have it
Understanding Mitigation Techniques
• techniques fall into three major categories: policies and procedures,
training, and patches and upgrades
• there are three main ways to detect an intruder and defend yourself
against one:
• active detection - involves constant scanning for possible break-ins into the
network
• passive detection - involves logging/recording all network events to a file
• proactive defense methods - involves using tools to shore up your network
walls against attack
Understanding Mitigation Techniques
• Active detection – acts like a security guard walking the premises
• searches for hackers attempting known attack methods, suspicious activity and weird network
traffic that hackers leave behind as a track
• sophisticated active systems shut down the communications sessions a hacker is using as well as
emailing or paging a network administrator while others cripple the hacker’s computer
• Passive detection – uses video cameras and files that log events that occur on the
network
• Unix’s Tripwire identifies changes in files using checksums
• works by examining files and data and then calculating the checksums for each
• Checksum is stored in a log file and accessed to find clues if the sys admin notices a security
breach
• Proactive defense - ensures that your network is impenetrable
• Security Administrator Tool for Analyzing Networks (SATAN) is used to find holes in your security
walls and plug them with software patches
Incident Response
• incident response policy establishes in advance the procedures that
should be followed when an attack occurs
• helps prevent further damage after an incident occurs
• categorizes incidents in that certain event types may require a
response within 10 minutes while other events may only require a
notation and follow-up in the next few days
• establishes rules ahead of time to ensure that events are handled in a
way that minimizes damage and preserves evidence
Basic Forensic Concepts
• proper and early response is key
• Computer forensics (is a branch of digital forensic science pertaining to
evidence found in computers and digital storage media) are applied
specifically to the nature of digital devices and the environment in which
security incidents occur
• steps in incident response:
• Detect the incident
• Respond to the incident
• Report the incident to the appropriate personnel
• Recover from the incident
• Remediate all affected components to remove traces of the incident
• Review the incident, and document all findings
Incident response
• First Responder - has responsibility for securing the crime scene and protecting the evidence
from corruption
• requires addressing the evidence in the order of volatility as some types of data may be fragile and need
to be collected before other types
• e.g. a Polaroid photo taken of what is happening on the computer before the system goes off
• Secure the Area - seal off the area to prevent anyone from touching or tampering with
anything
• access to the crime scene should be tightly controlled and limited only to individuals who are vital to the
investigation
• there is no way to restore to the original condition of a contaminated crime scene
• note anyone who has access to the crime scene as part of the documentation process
• Escalate When Necessary - the issue should be escalated to other personnel where the first
responder is not trained in forensics
• calling the police in some cases means losing control of the crime scene
• train all users in basic crime scene concepts, such as don’t turn the machine off and don’t touch anything
Incident response
• Document the Scene - record and document everything about the crime
scene
• Polaroid pictures should be taken to show the position of everything in the scene,
and diagrams drawn to indicate positioning as well
• interviews of witnesses and first responders should be conducted as soon as
possible before memories fade
• eDiscovery - process in which electronic data is sought, located, secured,
and searched with the intent of using it as evidence in a civil or criminal
legal case
• relevant data is placed on legal hold
• it is gathered using digital forensic procedures to prevent its contamination as
evidence
Incident response
• Evidence/Data Collection - order of volatility is critical when collecting the data
• order of volatility is as follows:
• Memory contents
• Swap files
• Network processes
• System processes
• File system information
• Raw disk blocks
• create a bit-level copy of the system image and isolate the system from the network
• keep two copies of this image, one stored as backup copy of the evidence and the other used to examine the
image
• create hashes of the images for later proof that the images have not been tampered with
• Chain of Custody - chain of custody records document who controlled the evidence, who secured
the evidence, and who obtained the evidence
• must be preserved and evidence collected following predefined procedures in accordance with all laws and
regulations for successful prosecution of suspects
• proper chain of custody ensures that all evidence is acceptable in court
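Two of the slides rely on the same checksum idea: Tripwire-style passive detection (compute checksums for files, store them, and compare later) and the evidence rule above (hash the bit-level images so later tampering can be proven). The added example below (not code from the slides, nor from Tripwire) implements both with SHA-256 and runs them on a constructed file tree and a constructed "disk image" in a temporary directory; all paths and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so multi-gigabyte images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Tripwire-style baseline: relative path -> checksum for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(root, baseline):
    """Re-scan root and report what was added, removed or modified since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
    }


def verify_evidence_copies(backup_image, working_image, recorded_hash):
    """Evidence rule from the slides: both bit-level copies must still match the hash
    recorded at collection time; any mismatch means the copy can no longer be relied on."""
    return (sha256_file(backup_image) == recorded_hash
            and sha256_file(working_image) == recorded_hash)


def demo():
    """Run both checks on constructed data; returns (change report, copies ok, copies ok after edit)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # -- file integrity monitoring on a constructed "etc" tree --
        etc = tmp / "etc"
        (etc / "cron.d").mkdir(parents=True)
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(etc)
        # Constructed changes an intruder or a careless admin might make after the baseline.
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\nsvc:x:1001:1001::/home/svc:/bin/sh\n")
        (etc / "hosts").unlink()
        (etc / "cron.d" / "nightly").write_text("0 3 * * * root /usr/local/bin/job\n")
        report = compare_baseline(etc, baseline)

        # -- evidence image handling on a constructed "disk image" --
        original = tmp / "evidence.img"
        original.write_bytes(os.urandom(64 * 1024))
        recorded = sha256_file(original)  # hash taken and written into the chain-of-custody record
        backup = tmp / "evidence_backup.img"
        working = tmp / "evidence_working.img"
        backup.write_bytes(original.read_bytes())
        working.write_bytes(original.read_bytes())
        intact = verify_evidence_copies(backup, working, recorded)
        working.write_bytes(original.read_bytes() + b"\x00")  # working copy accidentally altered
        still_intact = verify_evidence_copies(backup, working, recorded)
        return report, intact, still_intact


if __name__ == "__main__":
    print(demo())
```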
Incident response
• Data Transport - process must be recorded and documented in detail
• physical evidence must be tagged, and the evidence tags must document the mode and
means of transportation, a complete description of the evidence (including quality), who
received the evidence, and who had access to the evidence
• should include a hash in order to maintain integrity of the evidence
• Forensics Report - should be created based on the findings
• characteristics such as time stamps and identification properties, should be determined and
documented
• full incident should be reconstructed and documented after a full analysis
• Legal Hold - evidence deemed relevant is placed on legal hold
• process is initiated by a notice or communication from legal counsel to an organization
• requires suspension of normal data processing, such as backup tape recycling, archiving
media, and using other forms of document and information storage and management
Policies and Procedures
• effectively enable security on computer networks
• should have the approval of the highest-ranking security or IT officer of
the company
• should address all aspects of the company network
• should determine the appropriate course of action if there is a security
breach
• all network administrators need to be thoroughly trained in all policies
and procedures
• the US Department of Defense has some good standards that could be
borrowed for own network application
Security Policies
• defines how security is to be implemented within an organization and
include physical security, document security, and network security
• must be implemented completely to attain full coverage
• e.g. it should forbid posting any company and/or employee information
unnecessarily—like sticking Post-its with usernames and passwords
on computer screens
• clean desks, audits, and recording email communications and, in
some cases, phone calls should also be requirements
• post also the consequences of not complying with the security policy
Security Audit
• is a thorough examination of your network, testing all its components
to make sure everything is secure
• can be done internally or with a third party who certifies level of
security
• government agencies usually require certified networks before they’ll
grant you contract work if that work is considered Confidential,
Secret, or Top Secret
Clean-Desk Policy
• requires that all potentially important documents like books,
schematics, confidential letters, notes to self, and so on aren’t left out
in the open when someone’s away from their desk
• rule applies to users’ PC desktops too
• important for employees who share workspaces and/or workstations
• is a simple way to guard against security breaches
• make sure workstations are locked to desks and do random spot
checks once in a while to help enforce the policy
Recording Equipment
• a good security policy should prohibit unauthorized presence and use
of the devices such as tape recorders, cell phones, and small memory
devices like USB flash memory keychains—can contain sensitive,
confidential information
• signs/posters should be posted indicating so, e.g. a camera with a circle
surrounding it and a slash through the center of the circle
• the NSA has a policy prohibiting Furby dolls on government premises because
they have reasonably sophisticated computers inside them, complete
with a digital recording device
Other Common Security Policies
• Notification - give users a copy of the security policy when you give them their usernames
and passwords
• computers should display a summarized version of the policy when any user attempts to connect, e.g.
“Unauthorized access is prohibited and will be prosecuted to the fullest extent of the law.”
• Equipment Access - disable all unused network ports to prevent nonemployees from
connecting their laptops
• placing all network equipment under lock and key
• Wiring - wires should never run along the floor where they can be easily accessed
• Infrastructure devices should live in locked closets or rooms with controlled access, such as a good lock
or a biometric access system, depending on the level of security your specific network and data require
• Door Locks/Swipe Mechanisms - only authorized people should know the combination to the
cipher lock on your data-center doors or that only the appropriate people have badges that
allow access to the data center
• change lock combinations often, and never ever leave server room doors open or unlocked
Other Common Security Policies
• Badges - require everyone to wear an ID badge with appropriate access levels
assigned; this should include contractors and visitors
• Tracking - require badge access to all entrances to buildings and internal
computer rooms.
• track and record all entry to and exits from these rooms
• Passwords - reset passwords at least every month and train users to set strong
passwords
• set BIOS passwords to prevent BIOS changes on servers and clients
• Monitor Viewing - place computer monitors so that visitors or people looking
through windows can’t see them
• make sure unauthorized persons can’t see security-guard stations and server monitors
• use monitor privacy screens if necessary
Other Common Security Policies
• Accounts – each user should have their own unique user account, and user
accounts should never be shared
• even temporary employees should have their own account
• Testing - review and audit your network security at least once a year
• Background Checks - may include calling technical staff’s previous
employers, verifying their college degrees, requiring a drug test, and
checking for a criminal background
• Firewalls - should provide as much security as your company requires
and your budget allows
Other Common Security Policies
• Intrusion Detection – used to discover security breaches, and ensure you’re
logging the events you want to monitor
• Cameras - should cover all entrances to the building and the entire parking lot
• should be in weather-proof and tamper-proof housings
• review the output at a security-monitoring office
• record everything on extended-length tape recorders
• Mail Servers - provide each person with their own email mailbox, and attach an
individual network account to each mailbox
• don’t give multiple users a password to a single network account in order to share a mailbox
• DMZ – should be used for all publicly viewable servers such as web servers, FTP
servers, and email relay servers
• should not be placed outside the firewall
Common DMZ configuration
Other Common Security Policies
• Mail Relay - an open relay relays mail for any server that requests it
• modern email systems allow you to control which servers your email server will relay for, which helps to prevent
forwarding of spam
• Patches - latest security updates must be installed after being properly tested on a nonproduction
computer
• Backups – must be stored securely, not on a shelf or table within reach of someone working at the server
• should be locked in a waterproof, fireproof safe and kept off site
• Modems - never allow desktop modems because they can be used to get to the Internet without your
knowledge
• access should be restricted to approved server-based modem pools
• Guards - shouldn’t patrol the same station all the time to keep their concentration at the highest
possible level
• need breaks to ensure alertness while ensuring all patrol areas are covered during shift changes, rotations, and
breaks
• should receive periodic training and testing to make sure they can recognize a threat and take appropriate action
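The Mail Relay item above contrasts an open relay with a server that relays only for known hosts. The following is an added illustration, not code from this deck or from any mail server: a small relay-decision model in Python (the class, the domain example.com and the network 192.0.2.0/24 are constructed assumptions, not any MTA's real configuration syntax). It shows the weak setting (relay for anyone) beside the corrected one, and counts relay denials per client, which is the kind of signal an administrator would watch for relay probing.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class RelayPolicy:
    """Hypothetical relay-decision model (not any real MTA's configuration syntax)."""
    local_domains: frozenset           # domains this server delivers for itself
    relay_networks: tuple = ()         # networks allowed to send outbound mail through us
    open_relay: bool = False           # the weak setting: relay for anyone who asks

    def decide(self, client_ip: str, rcpt_domain: str) -> str:
        # Inbound mail for a hosted domain is ordinary delivery, not relaying.
        if rcpt_domain.lower() in self.local_domains:
            return "accept:local-delivery"
        if self.open_relay:
            return "accept:relay"           # spammers can use us to reach any domain
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.relay_networks):
            return "accept:relay"
        return "reject:relay-denied"


def open_relay_policy() -> RelayPolicy:
    # Weak configuration: relays for every client.
    return RelayPolicy(local_domains=frozenset({"example.com"}), open_relay=True)


def restricted_policy() -> RelayPolicy:
    # Corrected configuration: relays only for the constructed internal LAN.
    return RelayPolicy(
        local_domains=frozenset({"example.com"}),
        relay_networks=(ipaddress.ip_network("192.0.2.0/24"),),
    )


# Constructed SMTP transactions: (client IP, recipient domain).
SAMPLE_TRANSACTIONS = [
    ("192.0.2.10", "example.org"),     # internal workstation sending outbound mail
    ("198.51.100.7", "example.com"),   # outside server delivering mail to us
    ("198.51.100.7", "example.org"),   # outside server trying to relay through us
]


def evaluate(policy: RelayPolicy, transactions=SAMPLE_TRANSACTIONS) -> dict:
    """Return {(ip, domain): decision} for every transaction under the policy."""
    return {(ip, dom): policy.decide(ip, dom) for ip, dom in transactions}


def relay_rejects_per_client(policy: RelayPolicy, transactions=SAMPLE_TRANSACTIONS) -> dict:
    """Count relay denials per client IP; a spike here suggests someone probing for an open relay."""
    counts = {}
    for ip, dom in transactions:
        if policy.decide(ip, dom) == "reject:relay-denied":
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for name, pol in (("open relay", open_relay_policy()), ("restricted", restricted_policy())):
        print(name)
        for key, decision in evaluate(pol).items():
            print("  ", key, "->", decision)
```

Under the restricted policy the third transaction (an outside host asking to reach a third-party domain) is the only one refused; the open-relay policy accepts it, which is exactly what spammers look for.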
Breaking Policy
• a security policy should fully identify and explain what’s expected
of every user and what they can and can’t do
• should spell out consequences of breaking the rules with penalties
that match the severity of the offense
• consequences for offenses such as pornography include immediate
termination for major technology policy breaches
• downloading and installing software from the Internet to your PC at
work may not be as major (depending on where you work), but can
compromise security
The Exit Interview
• done to minimize the risk of a terminated employee being disgruntled
and to attempt to ensure that they’re leaving under the most favorable
circumstances possible
• can include the IT manager, a human resources representative, a sys
admin, and sometimes even security personnel
• when employees leave the company, all company property – such as
company cell phones, pagers, toolkits, keys, badges, security tokens,
models, and, obviously, all company documents – needs to be turned in
and logged
• the user's accounts should be disabled immediately, and remaining
employees should be informed that the employee has left
Security Procedures
• define how to respond to any security event
• procedures might include;
• What to do when someone has locked themselves out of their account
• How to properly install or remove software on servers
• What to do if files on the servers suddenly appear to be “missing” or altered
• How to respond when a network computer has a virus
• Actions to take if it appears that a hacker has broken into the network
• Actions to take if there is a physical emergency such as a fire or flood
Security Training
• can include classroom sessions and/or web-based training
• should conduct separate training classes for IT personnel and end users
• End-User Training - “keep it short and simple” rule applies here
• include detailed security protocol training
• a year-end bonus or something else could be used as a motivational reward for the employees who
complete their training and test well on it
• provide your end users with hard-copy material for the training, such as;
• recommended policies for creating safe passwords
• the number to call if they’ve locked themselves out of their accounts
• what to do if they think someone is phishing for information
• what to do if they think their computer has a virus
• new employees should be required to go through the training, and older employees should take
refresher courses
• Administrator Training - more in depth because they’ll be the ones who set up and
configure policies, and first responders to any security emergency
• ensure they understand the correct ways to escalate issues in case of an emergency
Patches and Upgrades
• OSs and applications have complicated code and thus a few holes,
glitches, and bugs requiring a fix
• developers catch and repair the problems they uncover after their
products are released
• repairs are released to the public as patches or hotfixes
• upgrades address large-scale issues or add major features and
components to a program
• software updates protect against bad guys exploiting the security
holes on your network
Automatic Updates through Windows Update
• is a utility that is automatically installed on a Windows system; it
periodically scans the computer for the versions of Windows
components already installed, compares them to the most current
versions available from Microsoft, and automatically downloads and
installs needed updates
• the utility downloads and installs updates in the background, enabling
you to work in the foreground without skipping a beat
Downloading Patches and Hotfixes
• can be downloaded manually from support.microsoft.com
• a hotfix is a solution to potentially serious issues that could
compromise your network and hosts
• a service pack bundles patches, hotfixes, and upgrades together, updating
lots of components and addressing security, performance, and
stability issues
Firmware Updates
• is a form of program code and related data stored in persistent
memory such as non-volatile RAM (NVRAM)
• increases the functionality of a device and may correct a bug or flaw
in the system
• the update process is sometimes called flashing and must be done
carefully because a failure can leave the device unusable
Driver Updates
• drivers are files that allow a peripheral or component to talk to the
hardware layer of the hosting device
• installed automatically from the Windows driver cache or manually
installed from manufacturer-provided disks or websites
• should be updated to improve device functionality or reduce potential
risks of attack
Upgrading vs Downgrading
• downgrading a system to the old version may be necessitated if the
new version causes substantial issues in the production environment
• testing all new versions of applications, operating systems, and
firmware before deploying can help save a lot of grief and possible
downtime
Anti-malware software
• Host-based - Host or premises based is a solution that you install and
run inside your network
• gives you total control but also requires you to stay on top of updates
• requires the deployment of some hardware to hold the engine and the
definition files
• Cloud/Server-based – runs in the cloud, creating a smaller footprint on
the client and utilizing processing power in the cloud
• have the following advantages and limitations;
• allows access to the latest malware data within minutes
• eliminates the need to continually update your antivirus
• client is small, and it requires little processing power
• a client-to-cloud relationship, which means they cannot run in the background
• may scan only the core Windows files for viruses and not the whole computer
• are highly dependent on an Internet connection
Configuration Backups
• configurations can be complicated especially where multiple
technicians have played a role, no single person has a complete
understanding of the configuration
• configurations may exist as text files and should be backed up
• Microsoft servers have the configuration in what is called system state
• configuration backups assist in quick reconfiguration of failed devices
such as servers, switches, routers, etc.
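Configuration backups are only useful if you can tell which backup is good and notice when a live configuration has drifted from it. The script below is an added example (not code from this deck) showing one way to do that for text-file configurations: copy each file into a timestamped backup set, record a SHA-256 manifest, verify live files against the manifest, and restore one from the backup. The file names router.cfg and switch.cfg and their contents are constructed samples written into a temporary directory.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large configs don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_configs(config_paths, backup_root: Path) -> Path:
    """Copy each config into a timestamped set and write a manifest of SHA-256 hashes."""
    set_dir = Path(backup_root) / time.strftime("%Y%m%dT%H%M%S")
    set_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for i, src in enumerate(map(Path, config_paths)):
        dst = set_dir / f"{i}_{src.name}"        # index prefix avoids same-name collisions
        shutil.copy2(src, dst)
        manifest[str(src)] = {"copy": str(dst), "sha256": sha256_file(src)}
    manifest_path = set_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def verify_against_manifest(manifest_path: Path) -> dict:
    """Compare live files with the manifest: 'unchanged', 'modified', or 'missing'."""
    manifest = json.loads(Path(manifest_path).read_text())
    result = {}
    for src, entry in manifest.items():
        p = Path(src)
        if not p.exists():
            result[src] = "missing"
        elif sha256_file(p) != entry["sha256"]:
            result[src] = "modified"            # drift, or tampering: investigate before trusting
        else:
            result[src] = "unchanged"
    return result


def restore_from_manifest(manifest_path: Path, src: str) -> None:
    """Put the backed-up copy of one config back in place."""
    manifest = json.loads(Path(manifest_path).read_text())
    shutil.copy2(manifest[src]["copy"], src)


def demo() -> dict:
    """Constructed end-to-end run in a temp directory: back up, tamper, detect, restore."""
    work = Path(tempfile.mkdtemp())
    router = work / "router.cfg"
    switch = work / "switch.cfg"
    router.write_text("hostname edge-router\nservice password-encryption\n")      # constructed sample
    switch.write_text("hostname core-switch\nvlan 10\n")                           # constructed sample
    manifest = backup_configs([router, switch], work / "backups")
    before = verify_against_manifest(manifest)
    router.write_text("hostname edge-router\nno service password-encryption\n")   # simulated drift
    switch.unlink()                                                                # simulated loss
    after = verify_against_manifest(manifest)
    restore_from_manifest(manifest, str(router))
    restored = verify_against_manifest(manifest)
    shutil.rmtree(work)
    return {
        "before": before[str(router)],
        "after_router": after[str(router)],
        "after_switch": after[str(switch)],
        "restored_router": restored[str(router)],
    }


if __name__ == "__main__":
    print(demo())
```

In practice the backup root would sit on a separate, access-controlled system (the deck's point about backups being locked away and kept off site applies to configuration backups too), and the verify step would run on a schedule so that an unexpected "modified" result is noticed promptly.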
Updating Antivirus Components
• an antivirus program consists of two components;
• definition files
• engine
• Heuristic scanning is a technology that allows an antivirus program to search for a virus even if there’s no
definition for it yet, based on suspicious activity of the kind that usually indicates the presence of a virus
• upgrade, update, and scan in a specific order;
• Upgrade the antivirus engine
• Update the definition files
• Create an antivirus emergency boot disk
• Configure and run a full on-demand scan
• Schedule monthly full on-demand scans
• Configure and activate on-access scans
• Make a new antivirus emergency boot disk monthly
• Get the latest update when fighting a virus outbreak
• Repeat all steps when you get a new engine
Updating Antivirus Components
• Upgrading an Antivirus Engine - the engine is the core program that runs the
scanning process, and virus definitions are keyed to an engine version
number, e.g. a 3.x engine won’t work with 4.x definition files
• Updating Definition Files – a list of known viruses, their types, their
footprints and how to remove them
• must be regularly updated either manually or automatically from the
manufacturer’s website
• a company staging server can download and distribute the updates, or each
computer can be set up to download updates individually
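The two preceding slides give the update order (engine first, then definitions) and the rule that definitions are keyed to the engine's major version, and mention heuristic scanning. The following is an added example, not code from this deck or from any antivirus product: a toy model of an engine, a definition set, and a scanner that refuses mismatched definitions, matches constructed byte signatures, and applies one constructed heuristic rule. The signatures, file names and file contents are all made up for the demo; no real malware patterns are used.

```python
from dataclasses import dataclass


@dataclass
class Engine:
    version: str                       # e.g. "3.2"; definitions are keyed to the major number

    @property
    def major(self) -> int:
        return int(self.version.split(".")[0])


@dataclass
class Definitions:
    release: str                       # constructed release label
    engine_major: int                  # the engine line these signatures were built for
    signatures: dict                   # name -> byte pattern (constructed, not real malware)


def compatible(engine: Engine, defs: Definitions) -> bool:
    """A 3.x engine cannot load 4.x definitions (and vice versa)."""
    return engine.major == defs.engine_major


@dataclass
class Scanner:
    engine: Engine
    defs: Definitions = None

    def load_definitions(self, defs: Definitions) -> bool:
        if not compatible(self.engine, defs):
            return False                # refuse rather than scan with signatures that don't match
        self.defs = defs
        return True

    def scan(self, name: str, data: bytes) -> list:
        """On-demand scan of one buffer: signature matches first, then a heuristic check."""
        findings = []
        for sig_name, pattern in self.defs.signatures.items():
            if pattern in data:
                findings.append((name, "signature", sig_name))
        # Heuristic: a file that claims to be plain text but carries a script tag.
        # A constructed rule standing in for the behaviour-based checks real engines use.
        if name.lower().endswith(".txt") and b"<script>" in data.lower():
            findings.append((name, "heuristic", "script-in-document"))
        return findings


# Constructed definition sets and sample files for the demo.
DEFS_V3 = Definitions("2024-01-01", 3, {"Sample.A": b"CONSTRUCTED-SIGNATURE-A"})
DEFS_V4 = Definitions("2024-02-01", 4, {"Sample.A": b"CONSTRUCTED-SIGNATURE-A",
                                        "Sample.B": b"CONSTRUCTED-SIGNATURE-B"})
SAMPLE_FILES = {
    "report.doc": b"quarterly numbers",
    "invoice.exe": b"MZ...CONSTRUCTED-SIGNATURE-B...",
    "readme.txt": b"hello <SCRIPT>alert(1)</SCRIPT>",
}


def upgrade_then_update(engine: Engine, defs: Definitions) -> dict:
    """Apply the deck's order: have the engine in place, load definitions, then scan."""
    scanner = Scanner(engine)
    loaded = scanner.load_definitions(defs)
    findings = []
    if loaded:
        for name, data in SAMPLE_FILES.items():
            findings.extend(scanner.scan(name, data))
    return {"loaded": loaded, "findings": findings}


if __name__ == "__main__":
    print(upgrade_then_update(Engine("3.5"), DEFS_V4))   # refused: wrong engine line
    print(upgrade_then_update(Engine("4.0"), DEFS_V4))   # signature + heuristic hits
    print(upgrade_then_update(Engine("3.5"), DEFS_V3))   # heuristic only: no Sample.B definition yet
```

The third run is the heuristic-scanning case from the slide: the 3.x definitions have no entry for Sample.B, so the constructed signature in invoice.exe is missed, but the suspicious readme.txt is still flagged by the behaviour rule. It also shows why the engine is upgraded before the definitions: until the engine line matches, the newer definitions cannot be loaded at all.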
Scanning for Viruses
• is a process that an antivirus program employs to examine a computer suspected of having a
virus, identify the virus, and then get rid of it
• there are three types of antivirus scans;
• On-Demand Scan – is initiated by you or an administrator to search a file, directory, drive, or an entire
computer but only checks the files you’re currently accessing
• recommended to be done at least monthly or when the following occurs;
• You first install the antivirus software
• You upgrade the antivirus software engine
• You suspect a virus outbreak
• On-Access Scan - runs in the background when you open a file or use a program in situations like these;
• Inserting a floppy disk or thumb drive
• Downloading a file with FTP
• Receiving email messages and attachments
• Viewing a web page
• On-access scan slows down the processing speed of other programs, but it’s worth the inconvenience
• Emergency Scan - only the OS and the antivirus program are running
• initiated when a virus has totally invaded your system and taken control of the machine
• antivirus emergency boot disk is used to boot the infected computer
• an emergency scan website like housecall.trendmicro.com allows scanning a computer via high-speed Internet access
without using an emergency disk
Fixing an Infected Computer
• establish a cleaning station, and quarantine the infected area
• make sure all users in the infected area stop using their computers
• remove all external memory devices from all disk drives and perform
a scan and clean at the cleaning station
• update the virus definitions of any computers that are still operational
• boot to an antivirus emergency boot disk, run a full scan and clean
the entire system on all computers in the office space
• scan all potentially affected hard disks plus any external disks that
could be infected