Mantrap

A mantrap is a series of two doors with a small room between them. The user is authenticated at the first door and then allowed into the room. At that point, additional verification will occur (such as a guard visually identifying the person), and then they are allowed through the second door. These doors are normally used only in high-security situations. Mantraps also typically require that the first door is closed, prior to enabling the second door to open. Figure 7.1 shows a mantrap design.

Badge reader

Radio frequency identification (RFID) is a wireless, no-contact technology used with badges or cards and their accompanying reader. The reader is connected to the workstation and validates against the security system. This increases the security of the authentication process because the user must be in physical possession of the smart card to use the resources. Of course, if the card is lost or stolen, the person who finds the card can access the resources it allows. Badge readers are used not only to provide access to devices but also to provide access to doors as well.

Smart card

A smart card is a type of badge or card that gives you access to resources, including buildings, parking lots, and computers. It contains information about your identity and access privileges. Each area or computer has a card scanner or a reader in which you insert your card.

Smart cards are difficult to counterfeit, but they’re easy to steal. Once a thief has a smart card, that person has all the access the card allows. To prevent this, many organizations don’t put any identifying marks on their smart cards, making it harder for someone to utilize them. Many modern smart cards require a password or PIN to activate the card, and they employ encryption to protect the card’s contents.

Security guard

While many other less manual methods of monitoring are available, nothing takes the place of a human being. Security guards can exercise judgment and common sense (sometimes an automated system seems to lack that) as they encounter issues.

Door lock

One of the easiest ways to prevent people intent on creating problems from physically entering your environment is to lock your doors and keep them out.

Door locks are the most universal form of physical barriers, which are a key aspect of access control. The objective of a physical barrier is to prevent access to computers and network systems. The most effective physical barrier implementations require that more than one physical barrier be crossed to gain access. This type of approach is called a multiple-barrier system.

Ideally, your systems should have a minimum of three physical barriers. The first barrier is the external entrance to the building, referred to as a perimeter, which is protected by burglar alarms, external walls, fencing, surveillance, and so on. An access list should exist to specifically identify who can enter and be verified by a guard or someone in authority. The second barrier is the entrance into the building and could rely on such items as ID badges to gain access. The third barrier is the entrance to the computer room itself (and could require fobs, or keys). Each of these entrances can be individually secured, monitored, and protected with alarm systems.

Although these three barriers won’t always stop intruders, they will potentially slow them down enough that law enforcement can respond before an intrusion is fully developed. Once inside, a truly secure site should be dependent on a physical token for access to the actual network resources.

Biometric locks

Biometric devices use physical characteristics to identify the user. Such devices are becoming more common in the business environment. Biometric systems include hand scanners, retinal scanners, and, possibly soon, DNA scanners. To gain access to resources, you must pass a physical screening process. In the case of a hand scanner, this may include identifying fingerprints, scars, and markings on your hand. Retinal scanners compare your eye’s retinal pattern to a stored retinal pattern to verify your identity. DNA scanners will examine a unique portion of your DNA structure to verify that you are who you say you are.

With the passing of time, the definition of biometric is expanding from simply identifying physical attributes about a person to being able to describe patterns in their behavior. Recent advances have been made in the ability to authenticate someone based on the key pattern they use when entering their password (how long they pause between each key, the amount of time each key is held down, and so forth). A company adopting biometric technologies needs to consider the controversy they may face (some authentication methods are considered more intrusive than others). It also needs to consider the error rate and that errors can include both false positives and false negatives.

Biometric systems, like most security tools, make mistakes. When the system improperly allows an individual in who should not be, it is called a false acceptance and the rate at which this occurs is called the false acceptance rate(FAR). When the system improperly rejects a legitimate user, it is called a false rejection, and the rate at which these occur is called the false rejection rate(FRR).

Hardware tokens

Physical tokens are anything that a user must have on them to access network resources and are often associated with devices that enable the user to generate a one-time password authenticating their identity. SecurID, from RSA, is one of the best-known examples of a physical token; learn more at www.rsa.com/node.aspx?id=1156.

Cable locks

While not all devices support this, larger mobile devices such as laptops come with a notch where you can attach a cable lock and lock the device to something solid, as you would lock a bicycle to a rack. This may even be advisable on some desktop systems if those systems are vulnerable to theft and contain sensitive data. Users who carry company devices that support cable locks should be instructed to never leave the device unattended and, if necessary, lock the device to an immovable object.

Server locks

Both rack and nonrack server systems can come with physical locks that prevent tampering with the server if physical access becomes possible. Having said that, all servers should be locked in a room, but the inclusion of physical server locks as well is an example of defense in depth.

USB locks

USB locks plug into the USB port. The lock prevents removal of the device, thus preventing use of the USB port.

Privacy screen

Privacy filters are either film or glass add-ons that are placed over a monitor and prevent the data on the screen from being readable when viewed from the sides. Only the user sitting directly in front of the screen is able to read the data. This is a good mitigation to shoulder surfing.

Key fobs

Key fobs are named after the chains used to hold pocket watches to clothes. They are security devices that you carry with you that display a randomly generated code that you can then use for authentication. This code usually changes quickly (every 60 seconds is probably the average), and you combine the code with your PIN for authentication.

Entry control roster

At any physical location where users are arriving and departing the facility, users should be authenticated through one of the mechanisms discussed in this section. There should be a recording of each user arriving and departing. This can be either a record of all successful and unsuccessful authentications on a log or, in the case of visitors who have no network account, a physical identification process of some sort. In any case, there should be an entry control roster in the form of a physical document that shows when each person entered and left the facility. This will serve as a backup in case the log is lost.

Exam essentials

Describe the purpose of a mantrap. A mantrap is a series of two doors with a small room between them. The user is authenticated at the first door and then allowed into the room. At that point, additional verification will occur (such as a guard visually identifying the person), and then they are allowed through the second door.

Active Directory

Active Directory (AD) is the directory service used in Windows since Windows 2000. It is used to locate resources and is also the point of configuration for all things security in a Windows domain (a concept to be explained shortly). It has a hierarchical structure that can be leveraged when using one of the more powerful tools of AD, Group Policy. Let’s survey some of the concepts of AD.

Software tokens

Software tokens are stored in software and can be duplicated. They are typically used in multifactor authentication mechanisms. Their purpose and use is the same as a hardware or physical token (described earlier in this chapter). Software tokens are cheaper than hardware tokens and do not have a battery that can run down as hardware tokens do.

MDM policies

Mobile Device Management (MDM) policies can be created in AD, or they can be implemented through MDM software. This software allows you to exert control over the mobile devices, even those you do not own if they have the software installed. These policies can force data encryption and data segregation, and they can be used to wipe a stolen device remotely.

Port security

One of the basic principles of security is to reduce the attack surface of all devices. This means shutting off all services and applications that are not required and closing all ports not being used. With respect to switches and hubs, it means disabling any ports that do not have devices connected to them. If this is not done, anyone could walk up to any unused wall outlet, plug in a device, get an IP address through DHCP, and be on your network.

But sometimes you want to prevent someone from unplugging a legitimate device and plugging in one that is not legitimate. That’s where port security comes in. By configuring port security on the port, you can prevent the transmission of data by any device other than the legitimate one. You can even shut the port down if this occurs.

Port security can also refer to the limitation of access that allows only well-known TCP and UDP port numbers. Limiting access to allow only required ports reduces the attack surface.

MAC address filtering

Most APs and network switches offer the ability to turn on MAC filtering, but it is off by default. In the default state, any wireless client that knows the values looked for can join the network, and any device connected to a switch port can send traffic. When MAC filtering is used, the administrator compiles a list of the MAC addresses associated with the users’ computers and enters those. When a client attempts to connect and other values have been correctly entered, an additional check of the MAC address is done. If the address appears in the allowed list, the client is allowed to join; otherwise, they are forbidden from doing so. On a number of wireless devices, the term network lock is used in place of MAC filtering, and the two are synonymous.

MAC address filtering at the wireless level is useless because it is quite simple to identify an allowed MAC address by sniffing the wireless frames. Then a hacker can simply change his MAC address to an allowed one.

Certificates

A certificate is a text document that ties a user account to a public and private key pair created by a certificate server or certificate authority (CA). Certificates follow the X.509 standard, which requires them to include certain pieces of information.

• Certificate
• Version number
• Serial number
• Signature algorithm ID
• Issuer name
• Validity period
  • Not before
  • Not after
• Subject name
• Subject public key info
  • Public key algorithm
  • Subject public ley
• Issuer unique identifier (optional)
• Subject unique identifier (optional)
• Extensions (optional)
• Certificate signature algorithm
• Certificate Signature

Antivirus/Anti-malware

The primary method of preventing the propagation of malicious code involves the use of antivirus software, a type of application that is installed on a system to protect it and to scan for viruses as well as worms and Trojan horses. Most viruses have characteristics that are common to families of a virus or viruses. Antivirus software looks for these characteristics, or fingerprints, to identify and neutralize viruses before they impact you.

More than 200,000 known viruses, worms, bombs, and other malware have been defined. New ones are added all the time. Your antivirus software manufacturer will usually work hard to keep the definition database files current. The definition database file contains all the known viruses and countermeasures for a particular antivirus software product. You probably won’t receive a virus that hasn’t been seen by one of these companies. If you keep the virus definition database files in your software up-to-date, you probably won’t be overly vulnerable to attacks.

Firewalls

Firewalls are one of the first lines of defense in a network. There are different types of firewalls, and they can be either stand-alone systems or included in other devices such as routers or servers. You can find firewall solutions that are marketed as hardware only and others that are software only. Many firewalls, however, consist of add-in software that is available for servers or workstations.

The basic purpose of a firewall is to isolate one network from another. Firewalls are becoming available as appliances, meaning they’re installed as the primary device separating two networks. Appliances are freestanding devices that operate in a largely self-contained manner, requiring less maintenance and support than a server-based product.

Firewalls function as one or more of the following:

• Packet filter
• Proxy firewall
• Stateful inspection firewall

The firewall shown in Figure 7.2 effectively limits access from outside networks, while allowing inside network users to access outside resources. The firewall in this illustration is also performing proxy functions.

The following list discusses three of the most common functions that firewalls perform:

Packet Filter Firewalls   A firewall operating as a packet filter passes or blocks traffic to specific addresses based on the type of application. The packet filter doesn’t analyze the data of a packet; it decides whether to pass it based on the packet’s addressing information. For instance, a packet filter may allow web traffic on port 80 and block Telnet traffic on port 23. This type of filtering is included in many routers. If a received packet request asks for a port that isn’t authorized, the filter may reject the request or simply ignore it. Many packet filters can also specify which IP addresses can request which ports and allow or deny them based on the security settings of the firewall.

Packet filters are growing in sophistication and capability. A packet filter firewall can allow any traffic that you specify as acceptable. For example, if you want web users to access your site, then you configure the packet filter firewall to allow data on port 80 to enter. If every network were exactly the same, firewalls would come with default port settings hard-coded, but networks vary, so the firewalls don’t include such settings.

Proxy Firewalls   A proxy firewall can be thought of as an intermediary between your network and any other network. Proxy firewalls are used to process requests from an outside network; the proxy firewall examines the data and makes rule-based decisions about whether the request should be forwarded or refused. The proxy intercepts all the packages and reprocesses them for use internally. This process includes hiding internal IP addresses.

The proxy firewall provides better security than packet filtering because of the increased intelligence that a proxy firewall offers. Requests from internal network users are routed through the proxy. The proxy, in turn, repackages the request and sends it along, thereby isolating the user from the external network. The proxy can also offer caching, should the same request be made again, and can increase the efficiency of data delivery.

A proxy firewall typically uses two network interface cards (NICs). This type of firewall is referred to as a dual-homed firewall. One of the cards is connected to the outside network, and the other is connected to the internal network. The proxy software manages the connection between the two NICs. This setup segregates the two networks from each other and offers increased security. Figure 7.3 illustrates a dual-homed firewall segregating two networks from each other.

The proxy function can occur at either the application level or the circuit level. Application-level proxy functions read the individual commands of the protocols that are being served. This type of server is advanced and must know the rules and capabilities of the protocol used. An implementation of this type of proxy must know the difference between GET and PUT operations, for example, and have rules specifying how to execute them. A circuit-level proxy creates a circuit between the client and the server and doesn’t deal with the contents of the packets that are being processed.

A unique application-level proxy server must exist for each protocol supported. Many proxy servers also provide full auditing, accounting, and other usage information that wouldn’t normally be kept by a circuit-level proxy server.

Stateful Inspection Firewalls The last section on firewalls focuses on the concept of stateful inspection. Stateful inspection is also referred to as stateful packet filtering. Most of the devices used in networks don’t keep track of how information is routed or used. After a packet is passed, the packet and path are forgotten. In stateful inspection (or stateful packet filtering), records are kept using a state table that tracks every communications channel. Stateful inspections occur at all levels of the network and provide additional security, especially in connectionless protocols such as User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP). This adds complexity to the process. Denial-of-service (DoS) attacks present a challenge because flooding techniques are used to overload the state table and effectively cause the firewall to shut down or reboot.

User authentication/strong passwords

You can set up many different parameters and standards to force the people in your organization to conform with security practices. In establishing these parameters, it’s important that you consider the capabilities of the people who will be working with these policies. If you’re working in an environment where people aren’t computer savvy, you may spend a lot of time helping them remember and recover passwords. Many organizations have had to reevaluate their security guidelines after they’ve invested great time and expense to implement high-security systems.

Setting authentication security, especially in supporting users, can become a high-maintenance activity for network administrators. On one hand, you want people to be able to authenticate themselves easily; on the other hand, you want to establish security that protects your company’s resources. In a Windows server domain, password policies can be configured at the domain level using Group Policy objects. Variables you can configure include password complexity, length, and time between allowed changes.

A good password includes both uppercase and lowercase letters as well as numbers and symbols. In the past an accepted practice was to make passwords complex (using at least three of the four character types: uppercase, lowercase, numbers, and non-numeric figures), but recently the NIST has recommended that longer and simpler passwords are more secure than shorter and more complex ones.

Be wary of popular names or current trends that make certain passwords predictable. For example, during the first release of Star Wars, two of the most popular passwords used on college campuses were C3PO and R2D2. This created a security problem for campus computer centers. Educate users not to use personal information that one could easily guess about them, such as their pet names, anniversary, or birthdays.

Multifactor authentication

There are three factors of authentication: knowledge factors (something you know, such as a password), characteristic factors (some physical characteristic, such as a thumbprint), and behavioral factors (something you do, such as a voice analysis).

When more than one of these factors is required to authenticate, it is called multifactor authentication. It is not multifactor authentication if it uses two forms of the same factor of authentication such as a password and a PIN (both knowledge factors). An example of multifactor authentication is the requirement of a PIN and a retina scan.

Directory permissions

The protection of a directory service is based on the initial selection of network operating system and its deployment infrastructure. After these foundational decisions are made, you need to fully understand the technologies employed by your selected directory services system and learn how to make the most functional yet secure environment possible. This will usually require the addition of third-party security devices, applications, services, and solutions.

VPN

Virtual private network (VPN) connections are remote access connections that allow users to securely connect to the enterprise network and work as if they were in the office. These connections use special tunneling protocols that encrypt the information being transferred between the user and the corporate network. Anywhere users, business partners, or vendors are allowed remote access to the network, VPN connections should be used. VPNs were discussed in Chapter 6.

DLP

Data loss prevention (DLP) solutions are designed to prevent sensitive material from purposefully or inadvertently escaping the organization. These solutions allow you to specify exactly what actions each user may take with respect to a document. For example, you may choose to allow the document to be read but neither printed nor forwarded to another user.

Access control lists

Access control lists (ACLs) are sets of rules that either control access to a resource or are configured on a router or firewall to control the type of traffic allowed to enter or leave an interface. These lists are what make packet filtering firewalls work. Using these lists, an administrator can at a granular level define who can send specific types of traffic to specific locations. For example, you could prevent a user from using Telnet to connect to the sales server, without preventing him from using Telnet to connect to any other devices and without impacting any of his other activities.

Smart card

Smart cards were discussed in detail in the section “Smart cards” later in this chapter. While the emphasis there was on using smart cards for physical access to facilities, these cards can also be used to log on to the network and thus to access resources.

Email filtering

While email filtering is typically discussed in the context of preventing spam, the organization must also be concerned about the contents and types of email sent by its users. Because the users are representing the organization in everything they do, you want them to follow certain guidelines. Email filtering allows for the recognition and the blocking of messages that contain content that is not compliant with these guidelines. Configuring the filtering solution in such a way that it recognizes and blocks non-compliant emails while also leaving compliant emails unaffected can be a tremendous challenge.

Trusted/untrusted software sources

Users frequently download and install software and not always from the safest sources. While policies should definitely reflect the desire of the organization to prevent unauthorized software downloads and installation, you may have to go beyond policies and implement a software restriction tool that prevents users from doing this. If you want to prevent all downloads and installations by users, you can use a Group Policy in Windows to require administrator privileges to do any downloading or installing. If your goal is to allow some installations but not others, you can use additional policies to define exactly which applications are allowed and which are not.

Principle of least privilege

The concept of least privilege is a simple one: When assigning permissions, give each user only the permissions they need to do their work and no more. This is especially true with administrators. Users who need administrative-level permissions should be assigned two accounts: one for performing nonadministrative, day-to-day tasks and the other to be used only when performing administrative tasks that specifically require an administrative-level user account. Those users should be educated on how each of the accounts should be used.

The biggest benefit to following this policy is the reduction of risk. The biggest headache is trying to deal with users who may not understand it. A manager, for example, may assert that he should have more permission than those who report to him, but giving those permissions to him also opens up all the possibilities for inadvertently deleting files, crippling accounts, and so forth.

A least-privilege policy should exist, and be enforced, throughout the enterprise. Users should have only the permissions and privileges needed to do their jobs and no more. ISO standard 27002 (which updates 17799) sums it up well: “Privileges should be allocated to individuals on a need-to-use basis and on an event-by-event basis, i.e., the minimum requirement for their functional role when needed.” Adopting this as the policy for your organization is highly recommended.

Exam essentials

Be able to describe why antivirus software is needed. Antivirus software looks at a virus and takes action to neutralize it based on a virus-definition database. Virus-definition database files are regularly made available on vendor sites.

Understand the need for user education. Users are the first line of defense against most threats, whether physical or digital. They should be trained on the importance of security and how to help enforce it.

Protocols and encryption

More and more, networks are using wireless as the medium of choice. It is much easier to implement, reconfigure, upgrade, and use than wired networks. Unfortunately, there can be downsides, and security is one of the largest.

The 802.11 standard applies to wireless networking, and there have been many versions of it released; the main ones are a, b, g, n, and ac. Encryption has gone from very weak (WEP) to much stronger with increments along the way, including WPA, WPA2, and implementations of TKIP and AES.

Wireless protocols are covered in detail in Chapter 2, “Networking”.

Authentication

Authentication occurs when a user provides a username (identification) and then proper credentials (the authentication). In this section, we’ll look at the types of authentication and then at authentication, accounting, and authorization (AAA) services.

Exam essentials

Understand wireless connectivity. Networks work in the same way whether there is a physical wire between the hosts or that wire has been replaced by a wireless signal. The same order of operations and steps are carried out regardless of the medium employed.

Malware

Malware is a category of software that performs malicious activities on a device. It might wipe the hard drive or create a back door. In this section, we’ll look at types of malware and attacks.

Virus

Viruses can be classified as polymorphic, stealth, retroviruses, multipartite, armored, companion, phage, and macro viruses. Each type of virus has a different attack strategy and different consequences.

   Estimates for losses due to viruses are in the billions of dollars. These losses include financial loss as well as lost productivity.

The following sections will introduce the symptoms of a virus infection, explain how a virus works, and describe the types of viruses you can expect to encounter and how they generally behave. I’ll also discuss how a virus is transmitted through a network.

Symptoms of a virus/malware infection

Many viruses will announce that you’re infected as soon as they gain access to your system. They may take control of your system and flash annoying messages on your screen or destroy your hard disk. When this occurs, you’ll know that you’re a victim. Other viruses will cause your system to slow down, cause files to disappear from your computer, or take over your disk space.

   Because viruses are the most common malware, the term virus is used in this section.

You should look for some of the following symptoms when determining whether a virus infection has occurred:

• The programs on your system start to load more slowly. This happens because the virus is spreading to other files in your system or is taking over system resources.
• Unusual files appear on your hard drive, or files start to disappear from your system. Many viruses delete key files in your system to render it inoperable.
• Program sizes change from the installed versions. This occurs because the virus is attaching itself to these programs on your disk.
• Your browser, word-processing application, or other software begins to exhibit unusual operating characteristics. Screens or menus may change.
• The system mysteriously shuts itself down or starts itself up and does a great deal of unanticipated disk activity.
• You mysteriously lose access to a disk drive or other system resources. The virus has changed the settings on a device to make it unusable.
• Your system suddenly doesn’t reboot or gives unexpected error messages during startup.

This list is by no means comprehensive. What is an absolute, however, is that you should immediately quarantine the infected system. It is imperative that you do all you can to contain the virus and keep it from spreading to other systems within your network or beyond.

How viruses work

A virus, in most cases, tries to accomplish one of two things: render your system inoperable or spread itself to other systems. Many viruses will spread to other systems given the chance and then render your system unusable. This is common with many of the newer viruses.

If your system is infected, the virus may try to attach itself to every file in your system and spread each time you send a file or document to other users. When you give removable media to another user or put it into another system, you then infect that system with the virus.

Most viruses today are spread using email. The infected system attaches a file to any email that you send to another user. The recipient opens this file, thinking it’s something you legitimately sent them. When they open the file, the virus infects the target system. The virus might then attach itself to all the emails the newly infected system sends, which in turn infects the recipients of the emails. Figure 7.4 shows how a virus can spread from a single user to thousands of users in a short time using email.

Types of viruses

Viruses take many different forms. The following sections briefly introduce these forms and explain how they work. These are the most common types, but this isn’t a comprehensive list.

   The best defense against a virus attack is to install and run antivirus software. The software should be on all workstations as well as the server.

Armored Virus   An armored virus is designed to make itself difficult to detect or analyze. Armored viruses cover themselves with protective code that stops debuggers or disassemblers from examining critical elements of the virus. The virus may be written in such a way that some aspects of the programming act as a decoy to distract analysis while the actual code hides in other areas in the program.

From the perspective of the creator, the more time it takes to deconstruct the virus, the longer it can live. The longer it can live, the more time it has to replicate and spread to as many machines as possible. The key to stopping most viruses is to identify them quickly and educate administrators about them—the very things that the armor intensifies the difficulty of accomplishing.

Companion Virus   A companion virus attaches itself to legitimate programs and then creates a program with a different filename extension. This file may reside in your system’s temporary directory. When a user types the name of the legitimate program, the companion virus executes instead of the real program. This effectively hides the virus from the user. Many of the viruses that are used to attack Windows systems make changes to program pointers in the Registry so that they point to the infected program. The infected program may perform its dirty deed and then start the real program.

Macro Virus   A macro virus exploits the enhancements made to many application programs. Programmers can expand the capability of applications such as Microsoft Word and Excel. Word, for example, supports a mini-BASIC programming language that allows files to be manipulated automatically. These programs in the document are called macros. For example, a macro can tell your word processor to spell-check your document automatically when it opens. Macro viruses can infect all the documents on your system and spread to other systems via email or other methods.

Multipartite Virus   A multipartite virus attacks your system in multiple ways. It may attempt to infect your boot sector, infect all your executable files, and destroy your application files. The hope here is that you won’t be able to correct all the problems and will allow the infestation to continue. The multipartite virus in Figure 7.5 attacks your boot sector, infects application files, and attacks your Word documents.

Phage Virus   A phage virus alters other programs and databases. The virus infects all these files. The only way to remove this virus is to reinstall the programs that are infected. If you miss even a single instance of this virus on the victim system, the process will start again and infect the system once more.

Polymorphic Virus   Polymorphic viruses change form in order to avoid detection. The virus will attempt to hide from your antivirus software. Frequently, the virus will encrypt parts of itself to avoid detection. When the virus does this, it’s referred to as mutation. The mutation process makes it hard for antivirus software to detect common characteristics of the virus. Figure 7.6 shows a polymorphic virus changing its characteristics to avoid detection. In this example, the virus changes a signature to fool antivirus software.

   A signature is an algorithm or other element of a virus that uniquely identifies it. Because some viruses have the ability to alter their signature, it is crucial that you keep signature files current, whether you choose to manually download them or configure the antivirus engine to do so automatically.

Retrovirus   A retrovirus attacks or bypasses the antivirus software installed on a computer. You can consider a retrovirus to be an anti-antivirus. Retroviruses can directly attack your antivirus software and potentially destroy the virus definition database file. Destroying this information without your knowledge would leave you with a false sense of security. The virus may also directly attack an antivirus program to create bypasses for itself.

Stealth Virus   A stealth virus attempts to avoid detection by masking itself from applications. It may attach itself to the boot sector of the hard drive. When a system utility or program runs, the stealth virus redirects commands around itself to avoid detection. An infected file may report a file size different from what is actually present to avoid detection. Figure 7.7 shows a stealth virus attaching itself to the boot sector to avoid detection. Stealth viruses may also move themselves from file A to file B during a virus scan for the same reason.

Present Virus Activity

New viruses and threats are released on a regular basis to join the cadre of those already in existence. From an exam perspective, you need to be familiar with the world only as it existed at the time the questions were written. From an administrative standpoint, however, you need to know what is happening today.

To find this information, visit the CERT/CC Current Activity web page at www.us-cert.gov/ current/current_activity.html. Here you’ll find a detailed description of the most current viruses as well as links to pages on older threats.

Tools and methods

Whereas physical security focused on keeping individuals out, digital security focuses mostly on keeping harmful data/malware out. The areas of focus are antivirus software, anti-malware, Recovery Console, backup/restore, end-user education, software firewalls, and DNS configuration. Each of these is addressed in the sections that follow.

Exam essentials

Describe the options available in Windows System recovery.   These include Startup Repair, System Restore, System Image Recovery, and Windows Memory Diagnostic Tool.

Social engineering

Social engineering is a process in which an attacker attempts to acquire information about your network and system by social means, such as by talking to people in the organization. A social-engineering attack may occur over the phone, by email, or by a visit. The intent is to acquire access information, such as user IDs and passwords. When the attempt is made through email or instant messaging, it is known as phishing (discussed later) and often is made to look as if it is coming from sites where users are likely to have accounts (eBay and PayPal are popular).

These types of attacks are relatively low-tech and are more akin to con jobs. Take the following example. Your help desk gets a call at 4 a.m. from someone purporting to be the vice president of your company. She tells the help-desk personnel that she is out of town to attend a meeting, her computer just failed, and she is sitting in a hotel trying to get a file from her desktop computer back at the office. She can’t seem to remember her password and user ID. She tells the help-desk representative that she needs access to the information right away or the company could lose millions of dollars. Your help-desk rep knows how important this meeting is and gives the vice president her user ID and password over the phone.

Another common approach is initiated by a phone call or email from your software vendor, telling you that they have a critical fix that must be installed on your computer system. If this patch isn’t installed right away, your system will crash and you’ll lose all your data. For some reason, you’ve changed your maintenance account password and they can’t log on. Your system operator gives the password to the person. You’ve been hit again.

DDoS

A distributed denial-of-service (DDoS) attack is one in which the attacker recruits additional devices (called zombies) to assist in the attack. This greatly magnifies the effect of the denial of service.

DoS

A denial-of-service (DoS) attack is one in which the attacker’s goal is to make the device unavailable to do its job. It consumes all the resources of the device leaving none for its regular work.

Zero-day

Vulnerabilities are often discovered in live environments before a fix or patch exists. Such vulnerabilities are referred to as zero-day vulnerabilities. A zero-day attack is one that occurs when a security vulnerability in an application is discovered on the same day the application is released. Monitoring known hacking community websites can often provide an early alert because hackers often share zero-day exploit information.

New zero-day attacks are announced on a regular basis against a broad range of technology systems. You should create an inventory of applications and maintain a list of critical systems to manage the risks of these attack vectors.

Man-in-the-middle

A man-in-the-middle (MITM) attack is one in which the hacker uses one of several techniques to position himself in the middle of a current communication session between two devices. One way he might do this is by polluting the ARP cache (mappings of IP addresses to MAC addresses) such that the users on either end of the session think they are sending data to one another when in reality they are sending it to the hacker. This allows the hacker to monitor the entire conversation.

Brute force

A brute-force attack is a password attack that operates by attempting every possible combination of characters that could be in a password. These can be performed online or offline. Given enough time and processing power, any password can be cracked, so most enterprises use some sort of password policy that locks an account after a certain number of incorrect attempts. For this reason, online attacks are largely unsuccessful.

In contrast, the offline mode of the attack requires the attacker to steal the password file first but enables an unconstrained guessing of passwords, free of any application- or network-related rate limitations.

Dictionary

Dictionary attacks rely on the use of large files that contain words from the dictionary. These attacks are most often attempts to crack an encrypted password by encrypting each word in the dictionary file using the same algorithm used to encrypt the users’ passwords and then comparing this value to the encrypted password for a match. These attacks are performed offline to eliminate the disabling of the account through password policies.

Rainbow table

Rainbow tables are used to speed the process of comparing captured password hashes to character combinations. In the absence of a rainbow table, the process is to take the character combination, hash it, and compare the hash. A rainbow table is a list of character combinations that have been pre-hashed. Salting the password, or adding a random character before hashing, can help defeat the use of rainbow tables.

Spoofing

Spoofing is the process of masquerading as another user or device. It is usually done for the purpose of accessing a resource to which the hacker should not have access or to get through a security device such as a firewall that may be filtering traffic based on a source IP address.

Spoofing can take various forms. The hacker may change her IP address to one that belongs to a trusted user or device to get through a firewall filtering at the IP layer. In other cases, she might spoof the MAC address of a trusted device to defeat layer 2 security applied on a switch or wireless access point (AP). It could also be the spoofing of a username and password to access a resource. Finally, it might be the spoofing of an email address to launch one of the email-based attacks.

Non-compliant systems

Upon infection, some viruses destroy the target system immediately. The saving grace is that the infection can be detected and corrected. Some viruses won’t destroy or otherwise tamper with a system; they use the victim system as a carrier. The victim system then infects servers, file shares, and other resources with the virus. The carrier then infects the target system again. Until the carrier is identified and cleaned, the virus continues to harass systems in this network and spread.

You should use some type of enterprise-grade malware management system that scans the network for non-compliant devices. Most of these systems can automate the entire process of locating, isolating, and remediating non-compliant devices.

Zombie/botnet

Botnets and zombies were described in the earlier section “Botnet,” under objective 2.4.

Exam essentials

Know the characteristics and types of viruses used to disrupt systems and networks. Several different types of viruses are floating around today. The most common ones are polymorphic viruses, stealth viruses, retroviruses, multipartite viruses, and macro viruses.

Know the various types of social engineering. Social-engineering variants include shoulder surfing (watching someone work) and phishing (tricking someone into believing they are communicating with a party other than the one they are communicating with). Variations on phishing include vishing and whaling as well as spear phishing.

User and groups

There are a number of groups created on the operating system by default. The following sections look at the main ones of these.

NTFS vs. share permissions

The New Technology File System (NTFS) was introduced with Windows NT to address security problems. Before Windows NT was released, it had become apparent to Microsoft that a new filesystem was needed to handle growing disk sizes, security concerns, and the need for more stability than FAT32 provided. NTFS was created to address those issues.

Although FAT was relatively stable, if the systems that were controlling it kept running, it didn’t do well when the power went out or the system crashed unexpectedly. One of the benefits of NTFS was a transaction tracking system, which made it possible for Windows NT to back out of any disk operations that were in progress when Windows NT crashed or lost power.

With NTFS, files, directories, and volumes can each have their own security. NTFS’s security is flexible and built in. Not only does NTFS track security in ACLs, which can hold permissions for local users and groups, but each entry in the ACL can specify what type of access is given—such as Read, Write, Modify, or Full Control. This allows a great deal of flexibility in setting up a network. In addition, special file-encryption programs were developed to encrypt data while it was stored on the hard disk.

Microsoft strongly recommends that all network shares be established using NTFS. Several current operating systems from Microsoft support both FAT32 and NTFS. It’s possible to convert from FAT32 to NTFS without losing data, but you can’t do the operation in reverse (you would need to reformat the drive and install the data again from a backup tape).

Share permissions apply only when a user is accessing a file or folder through the network. Local permissions and attributes are used to protect the file when the user is local. With FAT and FAT32, you do not have the ability to assign “extended” or “extensible” permissions, and the user sitting at the console effectively is the owner of all resources on the system. As such, they can add, change, and delete any data or file that they want.

With NTFS as the filesystem, however, you are allowed to assign more comprehensive security to your computer system. NTFS permissions are able to protect you at the file level. Share permissions can be applied to the directory level only. NTFS permissions can affect users logged on locally or across the network to the system where the NTFS permissions are applied. Share permissions are in effect only when the user connects to the resource via the network.

Shared files and folders

You can share folders, and the files within them, by right-clicking them and choosing Share With (Windows 7, Windows Vista, and Windows 8) from the context menu. In Windows 7, the context menu asks who you want to share the folder or file with (see Figure 7.8).

The options you see on the context menu will depend on the type of network you are connected to—a domain, a workgroup, or a Homegroup (the one shown in Figure 7.8). If you turn on password-protected sharing (the default), the person accessing the share has to give a username and password to access the shared entity.

The advanced sharing settings will come up if you try to share something in one of the Public folders or make other changes. This interface, shown in Figure 7.9, can also be accessed through the Network and Sharing Center applet in the Control Panel and is used to change network settings relevant to sharing.

System files and folders

System files are usually flagged with the Hidden attribute, which means they don’t appear when a user displays a directory listing. You should not change this attribute on a system file unless absolutely necessary. System files are required for the OS to function. If they are visible, users might delete them (perhaps thinking they can clear some disk space by deleting files they don’t recognize). Needless to say, that would be a bad thing!

User authentication

You already know that users are authenticated by identifying themselves and providing credentials. You also have learned that these credentials can take many forms depending on the authentication factors in use. In the following section, you will be introduced to a feature found in almost all modern authentication systems, single sign-on.

Run as administrator vs. standard user

One of the security recommendations from Microsoft is to have administrative users log on with a standard user account and, when necessary, elevate the privileges of the account temporarily to perform a task and then remove that permission when the task is complete.

This is done by running the task, tool, or utility as an administrator. This can be done by right-clicking the tool and selecting Run as Administrator. Once the tool is closed, that security session ends, and the permissions are returned to those of a standard user. Having these highly privileged accounts logged in as infrequently as possible helps prevent hackers from gaining control of these accounts when they are live.

BitLocker/BitLocker To Go

BitLocker is the whole-drive encryption tool that can also seal a device such that it will not boot if any system files are altered. It can also lock the drive to a particular machine, preventing anyone from stealing the drive and connecting it to another device. BitLocker was covered in Chapter 6.

BitLocker To Go provides the same encryption technology to help prevent unauthorized access to the files stored on removable drives.

EFS

The Encrypting File System (EFS) is an encryption tool built into Windows Vista Business, Enterprise and Ultimate, Windows 7 (EFS is not fully supported on Windows 7 Starter, Home Basic, or Home Premium), Windows 8 or 8.1 Professional or Enterprise, and Windows 10. It allows a user to encrypt files that can be decrypted only by the user who encrypted the files. It can be used only on NTFS volumes but is simple to use.

To encrypt a file in Windows 8.1, simply right-click the file, access the file properties, and on the General tab click the Advanced button. That will open the Advanced Attributes dialog box, as shown in Figure 7.10. On this page, check the Encrypt Contents To Secure Data box.

Exam essentials

Know the difference between single sign-on and multifactor authentication. Single sign-on is the concept of having the user be authenticated on all services they access after logging in once. Multifactor authentication is not the opposite of single sign-on but merely requires more than one entity to be authenticated, for security purposes.

Know the NTFS permissions. Permissions can be allowed or denied individually on a per-folder and per-file basis. Know the values shown in Tables 7.3 and 7.4.

Password best practices

One of the strongest ways to keep a system safe is to employ strong passwords and educate your users in the best security practices. In this section, you’ll explore various techniques that can enhance the security of your user passwords.

Account management

While I touched on one account management technique previously (preventing the reuse of passwords), there are a number of additional account management best practices that you should know and implement.

Disable autorun

It is never a good idea to put any media in a workstation if you do not know where it came from or what it is. The reason is that the media (CD, DVD, USB) could contain malware. Compounding matters, that malware could be referenced in the Autorun.inf file, causing it to be summoned when the media is inserted in the machine and requiring no other action. Autorun.inf can be used to start an executable, access a website, or do any of a large number of different tasks. The best way to prevent a user from falling victim to such a ploy is to disable the AutoRun feature on the workstation.

Microsoft has changed (by default, disabled) the AutoRun function on Windows Vista, Windows 7, Windows 8, and Widows 10, though running remains the default action for PCs using Windows XP through Service Pack 3. The reason Microsoft changed the default action can be summed up in a single word: security. That text-based Autorun.inf file not only can take your browser to a web page but also can call any executable file, pass along variable information about the user, or do just about anything else imaginable. Simply put, it is never a good idea to take any media whose source or contents you have no idea of and plug it into your system. Such an action opens up the user—and their network—to any number of possible tribulations. An entire business’s data could be jeopardized by such a minuscule act if a harmful CD were placed in a computer at work by someone with elevated privileges.

Data encryption

While data encryption is possible both on a drive level (BitLocker) and on an individual file level (EFS), always keep in mind the cost of encryption and save this tool for instances where you really need it. By cost I mean that any encrypted file must be decrypted to be opened and encrypted again to be saved. This requires CPU cycles on the device. If you attempt to encrypt everything, the performance of the device may make it practically unusable. You must strike a balance between security and usability.

Patch/update management

While many patches and updates either repair something that doesn’t work or add functionality, many others close a security hole. These are called hotfixes because they come out as soon as they are available, and you need to apply them as soon as possible (after testing them in a nonproduction environment).

For best results in patch management, you should deploy an automated system that can check for, download, and make available to the network all patches and updates for all systems. A good example of such a system is Microsoft Windows Server Update Services (WSUS), which can manage the updates for both servers and clients and for other operating systems as well.

Exam essentials

Understand the need for good passwords. Passwords are the first line of defense for protecting an account. A password should be required for every account, and strong passwords should be enforced. Users need to understand the basics of password security and work to keep their accounts protected by following company policies regarding passwords.

List some techniques that enhance account management. These techniques include but are not limited to disabling unused accounts, requiring frequent password changes, preventing the reuse of passwords, requiring complex passwords, and defining login hours for users.

Screen locks

One of the most basic (but not necessarily the most utilized) security measures you can take is to implement a screen lock on the device. This is akin to implementing the password you use to log on to your desktop or laptop, but it’s amazing how few people use this basic security measure. This can prevent someone from using the mobile device if it is stolen. There are several ways screen locks can be implemented, and in the following sections you’ll examine each method.

Remote wipes

Remote wipes are instructions sent remotely to a mobile device that erase all the data when the device is stolen. In the case of the iPhone, this feature is closely connected to the locator application (discussed in the next section). To perform a remote wipe on an iPhone (which requires iOS 5), navigate to Settings ➢ iCloud. On this tab, ensure that Find My iPhone is enabled (set to On). Next, use the browser to go to iCloud.com and log in using the Apple ID you use on your phone.

Next, select the icon Find My iPhone. The location of the phone will appear on a map. Click the i icon next to the location. In the dialog box that opens, select Remote Wipe. You will be prompted again to verify that is what you want to do. Select Wipe Phone.

The Android phones do not come with an official remote wipe. You can, however, install an Android app that will do this. Once the app, Lost Android, is installed, it works in the same way the iPhone remote wipe does. In this case, you log into the Lost Android website using your Google login. From the site, you can locate and wipe the device.

Android Device Manager, which is loaded on newer versions of Android, is available for download to any version of Android from 2.3 onward providing almost identical functionality to that of the iPhone.

Locator applications

Locator applications like the Lost Android app for Android are available where apps are sold for Androids. These apps allow you to locate the device, to lock the device, and even to send a message to the device offering a reward for its return. Finally, you can remotely wipe the device. The iOS devices and the newer Android devices have this feature built in, and it performs all the same functions.

Remote backup applications

Backing up your data with the iPhone can be done by connecting the device to a Mac and using iTunes to manage the content. (The data can also be backed up to a PC that has iTunes.) As users start to use the mobile device as their main tool, this may not be an optimal way to manage backups. New apps like Mozy are available that perform an online backup, which is attractive because the laptop or desktop where you backed up your data is not always close at hand, but the Internet usually is.

Android has always taken a cloud approach to backups. There are many Android apps now that can be used to back up data to locations such as Dropbox or Box.net.

Failed login attempts restrictions

Most of us have become accustomed to the lockout feature on a laptop or desktop that locks out an account after a certain number of failed login attempts. This feature is available on a mobile device and can even be set to perform a remote wipe of the device after repeated failed login attempts.

On the iOS, the Erase Data function can be set to perform a remote wipe after 10 failed passcode attempts. After six failed attempts, the iPhone locks out users for a minute before another passcode can be entered. The device increases the lockout time following each additional failed attempt.

The Android does not have this feature built in but does provide APIs that allow enterprise developers to create applications that will do this.

Antivirus/Anti-malware

Mobile devices can suffer from viruses and malware just like laptops and desktops. Major antivirus vendors such as McAfee and Kaspersky make antivirus and anti-malware products for mobile devices that provide the same real-time protection that the products do for desktops. The same guidelines apply for these mobile devices: Keep them up-to-date by setting the device to check for updates whenever connected to the Internet.

Patching/OS updates

Security patches and operating system updates are available on an ongoing basis for both the iOS and the Android. For the iPhone, both operating system updates and security patches are available at the Apple support site. Automatic updates can be enabled for the device in iTunes. Use the Check For Updates button located in the middle of iTunes.

An auto-update feature is built into Android, and you can also manually check for patches and updates by navigating to Settings ➢ About Phone ➢ System Updates. Selecting these options will cause the phone to check for, download, and install patches or updates.

Biometric authentication

Most mobile devices now offer the option to incorporate biometrics as an authentication mechanism. The two most common implementations of this use fingerprint scans or facial scans or facial recognition technology. While there can be issues with both false negatives (the denial of a legitimate user) and false positives (the admission of an illegitimate user), they offer much better security than other authentication mechanisms.

Full device encryption

Full device encryption is available for smartphones and other mobile devices. Most companies choose to implement this through the use of an enterprise mobility management system, since it can also manage the installation of updates, the tracking of devices, and the deployment of remote wipes and GPS location services when needed. There are also third-party applications that can provide full device encryption.

Multifactor authentication

Authentication factors describe the method used to verify the user’s identity. As described for other devices, there are three available authentication factors:

• Something you know (such as a password)
• Something you are (such as a fingerprint)
• Something you have (such as a smart card)

When two different types of factors are required (such as something you know and something you have), it is called multifactor authentication. It is important to understand that using two or more of the same type of factors (such as a password and a PIN, both something you know) is not multifactor authentication. However, when multifactor authentication is used for mobile devices, the level of security is significantly increased.

Authenticator applications

Authenticator applications, such as Google Authenticator, make it possible for a mobile device to use a time-based one-time password (TOTP) algorithm with a site or system that requires such authentication. In the setup operation, the site provides a shared secret key to the user over a secure channel to be stored in the authenticator app. This secret key will be used for all future logins to the site. The user will enter a username and password into a website or other server, generate a one-time password for the server using TOTP running locally, and type that password into the server as well. The server will then also run TOTP to verify the entered one-time password. While Google makes versions for multiple mobile platforms, there are also other third-party solutions.

Trusted sources vs. untrusted sources

Applications and utilities for mobile devices can come from both trusted and untrusted sources. An example of a trusted source is the official Google Play site or the Apple Store. That doesn’t mean these are the only trusted sources, but users should treat this issue with the same approach they have been taught with regard to desktop and laptop computers.

Any piece of software, be it an application, tool, or utility, can come with malware attached. Users should be trained to regard any software downloads with suspicion. It may be advisable to use an enterprise mobility management system to prevent users from downloading any software to a company-owned mobile device. You also may want to deselect the setting shown in Figure 7.12, which is an Android device setting. Apple devices warn users with a pop-up message when they download from an unknown source.

Firewalls

Because today’s mobile devices function more like laptops and desktop systems, they need the same protection. Mobile device firewall products are those that install on the device and protect the device in the same way a personal firewall on a desktop system, such as the Windows Firewall, does.

The disadvantage to this approach is that the software runs continuously, thus placing an ongoing load on the battery. Likewise, intrusion prevention and intrusion detection software can be placed on mobile devices, again with the same effect on battery lifetime.

If you need another reason to invest in an enterprise mobility management system, this is it. Most solutions include a firewall product of some sort in the suite. One consideration when choosing a solution is to balance the features you need against the memory footprint of the solution, because memory is a scarce resource in mobile devices.

Policies and procedures

With the introduction of mobile devices to the network, changes and additions may be called for in the organizational security policy. As procedures are derived from broader policies, these changes will also impact the procedures that users are required to follow. In this section, you’ll look at two issues that need to be considered with respect to policies and procedures.

Exam essentials

Describe the options available to secure the data on a mobile device.   These options include passcode locks, remote wipes, locator applications, failed login attempt restrictions, and remote backup applications.

List other security guidelines for mobile devices.   Always keep antivirus definitions up-to-date and set the mobile device to automatically check for OS updates and patches.

Physical destruction

Physically destroying the drive involves rendering the component no longer usable. While the focus is on hard drives, you can also physically destroy other forms of media, such as flash drives and CD/DVDs.

Recycling or repurposing best practices

Multiple levels of reformatting can be done to remove the contents of a drive. A standard format—accomplished using the operating system’s format utility (or similar)—can mark space occupied by files as available for new files without truly deleting what was there. Such erasing—if you want to call it that—doesn’t guarantee that the information isn’t still on the disk and recoverable.

Exam essentials

Understand the difference between standard and low-level formatting. Standard formatting uses operating system tools and makes the drive available for holding data without truly removing what was on the drive (thus the data can be recovered). A low-level format is operating system independent and destroys any data that was on the drive.

Understand how to physically destroy a drive. A hard drive can be destroyed by tossing it into a shredder designed for such a purpose, or it can be destroyed with an electromagnet in a process known as degaussing. You can also disassemble the drive and destroy the platters with a drill or other tool that renders the data irretrievable.

Wireless specific

Wireless networks present a unique set of challenges that wired networks do not. The communication methods are somewhat different, as are the attack methods. In this section, security issues that are relevant only to a WLAN are discussed.

Change default usernames and passwords

Default accounts include not only those created with the installation of the operating systems but often also accounts associated with hardware. Wireless APs, routers, and similar devices often include accounts for interacting with, and administering, those devices. You should always change the passwords associated with those devices and, where possible, change the usernames.

If there are accounts that are not needed, disable them or delete them. Make certain you use strong password policies and protect the passwords with the same security you do for any users or administrators (in other words, don’t write the router’s password on an address label and stick it to the bottom of the router).

In Windows, the Guest account is automatically created with the intent that it is to be used when someone must access a system but lacks a user account on that system. Because it is so widely known to exist, I recommend that you not use this default account and instead create another one for the same purpose if you truly need one. The Guest account leaves a security risk at the workstation and should be disabled to prevent it from being accessed by those attempting to gain unauthorized access.

Enable MAC filtering

The earlier section “MAC address filtering,” under objective 2.2, explained the importance of enabling MAC filtering, which is turned off by default.

Assign static IP addresses

While DHCP can be a godsend, a SOHO network is small enough that you can get by without it issuing IP addresses to each host. The advantage to assigning the IP addresses statically is that you can make certain which host is associated with which IP address and then utilize filtering to limit network access to only those hosts.

While static IP addressing may not be scalable in a wired network with many devices, in a small network, using static IP addressing will make it impossible for someone to just plug into your network without knowing your IP address scheme.

Firewall settings

All devices both wired and wireless should have personal firewalls enabled and configured to protect each system. In Windows, you can simply leverage the personal firewall that comes on all Windows Vista, 7, 8, 8.1, and 10 computers. For operating systems that don’t come with a personal firewall, third-party software should be implemented for this purpose. These firewalls help to prevent other devices from connecting to each station without the approval of the users.

The presence of personal firewalls on all the devices does not mean you don’t need a network firewall at the edge of the network and between sections of the network that may have varying security levels. You can find more information on firewalls under several objectives throughout this chapter.

Port forwarding/mapping

Another option to harden the entrance to the network is to deploy port forwarding or mapping. Port forwarding is a function typically performed on the same device that may be performing network address translation (NAT). One port number is set aside on the gateway for the exclusive use of communicating with a service in the private network, located on a specific host. External hosts must know this port number and the address of the gateway to communicate with the network-internal service. The purpose of this is to hide the real IP address of the destination device or server to protect it from connections outside the LAN.

Disabling ports

Disable all unneeded protocols/ports. If you don’t need them, remove them or prevent them from loading. Ports not in use present an open door for an attacker to enter.

Content filtering/parental controls

Content filtering software examines all web connections, and in some cases emails, for objectionable content or sites that have been identified as off-limits by the administrator. While this can be helpful in preventing the introduction of malware or in screening objectionable content, you should be aware that these filters are making educated guesses about what to deny and allow.

A filter will invariably deny content that should be allowed and allow content that should be denied. Try to be as specific as possible when defining keywords that are used to identify sites and content and set the expectation among users that the software is not perfect.

Parental controls operate on the same basic premise.

Update Firmware

In the past, updating firmware on devices such as APs, routers, and switches was considered to be desirable but optional. More and more security attacks are based on attacking the firmware, and for this reason firmware updates should be part of whatever automated update system you may be using (not to mention the additional functionality and bug elimination you may experience). It may be that you can get on a mailing list for each vendor so you can be notified when firmware updates are available. In any case, some systematic method must be developed to ensure these updates are maintained.

Physical security

Just as you would not park your car in a public garage and leave its doors wide open with the key in the ignition, you should educate users not to leave a workstation that they are logged into when they attend meetings, go to lunch, and so forth. They should log out of the workstation or lock it. “Lock when you leave” should be a mantra they become familiar with. Locking the workstation should require a password (usually the same as their user password) to resume working at the workstation.

Moreover, don’t overlook the obvious need for physical security. Adding a cable to lock a laptop to a desk prevents someone from picking it up and walking away with a copy of your customer database. Laptop cases generally include a built-in security slot in which a cable lock can be added to prevent it from being carried away easily, like the one shown in Figure 7.13.

When it comes to desktop models, adding a lock to the back cover can prevent an intruder with physical access from grabbing the hard drive or damaging the internal components. You should also physically secure network devices—routers, APs, and the like. Place them in locked cabinets, if possible. If they are not physically secured, the opportunity exists for them to be stolen or manipulated in such a way to allow someone unauthorized to connect to the network.

Exam essentials

Know the names, purpose, and characteristics of wireless security. Wireless networks can be encrypted through WEP and WPA technologies. Wireless controllers use special ID strings and must be configured in the network cards to allow communications. However, using ID string configurations doesn’t necessarily prevent wireless networks from being monitored, and there are vulnerabilities specific to wireless devices.