CHAPTER 10
Local Host Security: Review Questions and Hands-On Exercises

Review the following summary points before proceeding to the “Review Questions” and “Exam Questions” sections at the end of this chapter to make sure you are comfortable with each concept. After completing the review, answer the review questions to verify your knowledge of the material covered in Part II.

Summary Points

  • The first level of securing intelligent computing and control devices is to control access to them.
  • The most obvious point of access through the outer perimeter of a PC is its basic input devices: keyboard, mouse, touchpad, or touch-sensitive display. If someone can simply sit down in front of the system and freely use those input devices, they have an avenue for accessing the information inside.
  • The User Password option enables administrators to establish passwords that users must enter during the startup process to complete the boot process and gain access to the operating system. Without this password, the system never reaches an operational level that an intruder could use to access its internal perimeter and interior information.
  • A Supervisory Password option must be used to establish a password that can be used to access the CMOS Setup utility.
  • In computer and networking environments, the term hardening refers to the process of making a system more secure. Computer hardening efforts begin with hardware, but also extend to the local host’s operating system, its file system, and its applications.
  • Physical hardware ports enable the basic PC system to interact with optional, removable devices. They also provide a potential security threat because individuals with malicious intent can gain access directly into the computer internal communication and processing system through these ports.
  • It is common for a system’s BIOS to offer device control options that govern the computer’s external hardware connection ports. By disabling these ports, users and administrators can help ensure that unauthorized users cannot use them to gain access to the system, transfer information out of the system, or load malware programs onto the system.
  • Removable computer media presents multiple security risks. These risks include potential loss of data through theft due to the portable nature of the media, as well as the potential to introduce destructive malware into the host system.
  • The inner perimeter can be considered as consisting of the operating system and its application programs.
  • One of the main tools for protecting the file system and its data is the use of access control lists (ACLs). The file management system uses ACLs to grant or deny users access to its different files, as well as to control what types of activities the individual can perform once access has been granted.
  • In Microsoft Windows environments, these capabilities are assigned to folders and files in the form of permissions. In Unix and Linux-based systems, users are assigned access rights to files.
  • The main user authentication tool used with personal computing devices is the username and password login. In general, there are three types of user-related logons with which to contend: a logon to the local machine, a logon to a specific software application, and a network logon.
  • In a shared computer environment where multiple users may be enabled to use the same computer, local user and group credentials are created and configured through a user accounts database that is stored on the local computer.
  • For a password to be effective, it must possess a certain amount of complexity. Its length, width, and depth must be sufficient to thwart the password-cracking techniques discussed earlier.
  • Password encryption is the process of taking a standard password and applying an algorithm to it in such a way as to make it meaningless to sniffers, crackers, or other eavesdroppers.
  • Operating systems provide password-lockout policy settings that enable administrators to enact password policies that prevent attackers from repeatedly trying to access the system. This prevents attackers from using brute-force attacks to guess an account password and break into the system.
  • Authentication is defined as the process of determining that someone is who they say they are. At the local computing or control device level, authentication can be implemented in terms of physical or biometric authentication systems to replace or augment password authentication methods.
  • There are hardware devices that can be used to make personal computer systems unusable by people other than authorized users. These devices include items such as smart cards and biometric devices.
  • Auditing is a security function of the operating system that enables the user and operating system activities performed on a computer to be monitored and tracked. This information can then be used to detect intruders and other undesirable activities.
  • The auditing systems available with most operating systems consist of two major components: an audit policy (or audit rules), which defines the types of events that will be monitored and added to the system’s security logs, and audit entries (or audit records), which consist of the individual entries added to the security log when an audited event occurs.
  • At the heart of the Linux audit system is the audit daemon that works with the Linux kernel’s audit module to record relevant events and write them to a log file on the disk. Audit rules are configured in a file that is executed when the system boots up. The audit controller utility employs the parameters in these rules to determine which system events are tracked and how they are written to the audit event log file.
  • The term cryptography is used to define the art of protecting communications from unintended viewers.
  • One of the oldest methods of hiding data in plain sight is to develop a code (algorithm) for altering the message so that unauthorized people cannot read it. The process for doing this is referred to as encryption.
  • Disk-level encryption involves using technology to encrypt the entire disk structure. This technique offers value in that it protects everything on the disk from unauthorized access, including the operating system files and structure.
  • Many computer motherboard designs include a built-in microchip called a Trusted Platform Module (TPM) that is used to store cryptographic information, such as the encryption key (also known as start-up key).
  • File- and folder-level encryption is applied to individual files and folders. File- and folder-level encryption tools enable users to encrypt files stored on their drives using keys only the designated user (or an authorized recovery agent) can decode. This prevents theft of data by those who do not have the password or a decoding tool.
  • Local software-based firewalls can be installed on an individual computer to protect it from malicious activities introduced through the Internet connection.
  • Firewalls are configured so they will only pass data to and from designated IP addresses and TCP/UDP ports.
  • Computer-based Intrusion Detection Systems (IDS) can be implemented in two ways: as network-based IDS (NIDS) or as host-based IDS (HIDS). In both cases, the system is designed primarily to monitor its environment (the local computer or the network), log key events and policy violations, and report them as directed.
  • Intrusion Prevention Systems (IPS), also referred to as Intrusion Detection and Prevention System (IDPS), provide an additional level of protection aimed at preventing the detected threat from succeeding.
  • Signature-based IDS/IDPS products generally work by looking for specific patterns in content, known as signatures.
  • Anomaly-based IDS/IDPS systems apply statistical analysis techniques to the data stream to determine whether it is “normal” or “anomalous” at any given time.
  • Internet sites may be categorized under different security “zones” that enable sites listed in each zone to be governed by security restrictions that apply to that group (Internet, Local Intranet, Trusted Sites, and Restricted Sites).
  • Scripts are executable applications that provide interactive content on websites. They are also capable of retrieving information in response to user selections. However, the user may not have to do anything to run a script program—they are simply embedded in the website being accessed.
  • Cookies are small files that web servers send to web browsers when their pages are accessed. The legitimate use of these files is to enable the server to automatically recognize the client browser any time it connects to the server.
  • Malware is the term used to describe programs designed to be malicious in nature.
  • The term grayware describes programs whose behavior is undisclosed or undesirable.
  • All computers with connections to the Internet should be protected by an antivirus solution before they are ever attached to the Internet.
  • There are basically two types of antispyware products available: those that find and remove spyware after it has been installed and those that block spyware when it is trying to install itself.
  • The second level of hardening local computer systems against attacks is to secure their operating systems. This involves updating vulnerable code segments of the OS as they become known. OS hardening occurs through the application of new programming in the form of service packs, patches, and updates.
  • The term software exploitation is used to describe cyber attacks designed to take advantage of vulnerabilities or weaknesses in software products, operating systems, and applications.
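
The summary points on password complexity (length, width, depth) and on password-lockout policy describe two controls that are easy to reason about in code. The following Python is an added illustration, not code from the textbook or from any operating system: the minimum length, the number of character classes, the banned-word list, the lockout threshold/window/duration and the sample logon sequence are all constructed here for the example and stand in for values an organization would set in its own policy.

```python
"""Password complexity check and account-lockout tracking (added example).

Thresholds, the tiny banned-word list and the sample logon sequence are
constructed for illustration; real values come from the local policy.
"""
import string
from collections import defaultdict, deque

# Constructed stand-in for the dictionary a cracking tool would try first.
BANNED_WORDS = {"password", "letmein", "welcome", "qwerty", "123456"}


def password_strength(pw, min_length=12, min_classes=3):
    """Evaluate a password along the three axes the chapter names:
    length (number of characters), width (distinct character classes used)
    and depth (whether it is a dictionary word a cracker would guess first).
    Returns a dict; an empty 'problems' list means the password passes."""
    classes = {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    width = sum(classes.values())
    # Strip leading/trailing digits and symbols so "password1!" is still caught.
    core = pw.lower().strip(string.digits + string.punctuation)
    problems = []
    if len(pw) < min_length:
        problems.append(f"length {len(pw)} < {min_length}")
    if width < min_classes:
        problems.append(f"only {width} character class(es), need {min_classes}")
    if core in BANNED_WORDS:
        problems.append("based on a dictionary/banned word")
    return {"length": len(pw), "width": width, "problems": problems}


class LockoutPolicy:
    """Account-lockout policy: after `threshold` failed logons within
    `window` seconds, the account is locked for `duration` seconds.
    A simplified model of the three settings (threshold, observation
    window, lockout duration) that lockout policies expose."""

    def __init__(self, threshold=5, window=600, duration=900):
        self.threshold = threshold
        self.window = window
        self.duration = duration
        self._failures = defaultdict(deque)  # account -> recent failure times
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def attempt(self, account, success, now):
        """Record a logon attempt at time `now` (seconds). Returns 'ok',
        'failed', 'locked' (refused because the account is locked, even if
        the password was right) or 'lockout' (this failure triggered the lock)."""
        if self.is_locked(account, now):
            return "locked"
        if success:
            self._failures[account].clear()
            return "ok"
        q = self._failures[account]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self._locked_until[account] = now + self.duration
            q.clear()
            return "lockout"
        return "failed"


def simulate(policy, attempts):
    """Run a constructed sequence of (account, success, time) through the policy."""
    return [policy.attempt(account, ok, t) for account, ok, t in attempts]
```

Note that a correct password presented while the account is locked is still refused: that is what stops a brute-force attempt from continuing, and it is also why lockout thresholds must be chosen with the help desk in mind. The observation window matters too: three failures spread across ten minutes with a sixty-second window never lock the account.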
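
The two summary points on auditing describe an audit policy (rules) and the audit records it produces; on Linux the rules are loaded at boot and the audit daemon writes records to a log. The following Python is an added example, not the textbook's or the audit project's code. The rule lines use the `auditctl` watch syntax (`-w path -p permissions -k key`); the log lines are constructed in the key=value record format that auditd writes, not captured from a real host, and the parser handles the nested `msg='...'` field that `USER_*` records carry.

```python
"""Parse Linux audit records and summarize authentication failures (added example).

The rules use auditctl syntax; the log records are constructed samples in
auditd's key=value format, not output captured from a real system.
"""
import re
from collections import Counter

# Constructed audit rules in the syntax of the rules file loaded at boot:
# watch the credential stores and the sudoers file, tagging each with a key.
AUDIT_RULES = """
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege
"""

# Constructed sample records: three sudo authentications by alice (two
# failed, one successful), one failed SSH logon as root, and one SYSCALL
# record tagged by the sudoers watch rule.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1700000001.100:201): pid=3101 uid=0 auid=1000 ses=4 msg='op=PAM:authentication grantors=? acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
type=USER_AUTH msg=audit(1700000002.200:202): pid=3101 uid=0 auid=1000 ses=4 msg='op=PAM:authentication grantors=? acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
type=USER_AUTH msg=audit(1700000003.300:203): pid=3101 uid=0 auid=1000 ses=4 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_AUTH msg=audit(1700000010.000:210): pid=3200 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=SYSCALL msg=audit(1700000020.000:220): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2e3a20 a2=80241 a3=1b6 items=1 ppid=2900 pid=3310 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="vi" exe="/usr/bin/vi" key="privilege"
"""

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
# A key=value pair whose value is single-quoted, double-quoted, or bare.
KV_RE = re.compile(r'''(\w+)=('[^']*'|"[^"]*"|\S+)''')


def parse_record(line):
    """Turn one audit record into a dict, or return None for a non-record line."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for k, v in KV_RE.findall(m["body"]):
        rec[k] = v.strip("'\"")
    # USER_* records nest their own key=value pairs inside msg='...'.
    if rec["type"].startswith("USER_") and "msg" in rec:
        for k, v in KV_RE.findall(rec["msg"]):
            rec[k] = v.strip("'\"")
    return rec


def parse_watch_rules(text):
    """Extract (path, permissions, key) from -w audit rules."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["-w"]:
            path = parts[1]
            perms = parts[parts.index("-p") + 1]
            key = parts[parts.index("-k") + 1]
            rules.append((path, perms, key))
    return rules


def failed_auth_summary(log_text):
    """Count failed authentications per (account, program): the kind of
    review a security log gets when looking for intruders."""
    by_acct = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "USER_AUTH" and rec.get("res") == "failed":
            by_acct[(rec.get("acct"), rec.get("exe"))] += 1
    return by_acct


def keyed_records(log_text, key):
    """Return the records tagged with an audit-rule key (the -k value)."""
    return [r for r in map(parse_record, log_text.splitlines()) if r and r.get("key") == key]
```

The key (`-k`) is what ties a record back to the rule in the policy that produced it, so searching by key is the quickest way to answer "who touched the file this rule watches"; the per-account failure count is the audit-side view of the same brute-force activity that a lockout policy is meant to stop.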
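
The summary points on signature-based and anomaly-based IDS/IDPS contrast matching known patterns in content with statistically deciding whether the data stream looks "normal". The following Python is an added example, not the textbook's code or any IDS product's: the two signatures, the training baseline and the event stream are all constructed here so that each detection method catches something the other misses.

```python
"""Signature-based vs anomaly-based detection over one event stream (added example).

Signatures, baseline counts and the sample events are constructed; a real
HIDS loads signatures from a rule set and learns the baseline from history.
"""
import re
import statistics
from collections import Counter

# Constructed signatures: a name and the content pattern it looks for.
SIGNATURES = [
    ("directory-traversal", re.compile(r"(\.\./){2,}")),
    ("script-in-query", re.compile(r"<script\b", re.IGNORECASE)),
]


def signature_matches(payload):
    """Signature-based detection: every known pattern present in the content."""
    return [name for name, rx in SIGNATURES if rx.search(payload)]


class RateAnomalyDetector:
    """Anomaly-based detection: learn mean and standard deviation of requests
    per interval from a training period, then flag intervals whose count
    deviates from that baseline by more than `z_limit` standard deviations."""

    def __init__(self, z_limit=3.0):
        self.z_limit = z_limit
        self.mean = None
        self.stdev = None

    def train(self, counts):
        self.mean = statistics.mean(counts)
        self.stdev = statistics.pstdev(counts) or 1.0  # guard a flat baseline

    def score(self, count):
        return (count - self.mean) / self.stdev

    def is_anomalous(self, count):
        return abs(self.score(count)) > self.z_limit


def bucket_counts(events, interval=60):
    """Group (timestamp, payload) events into per-interval request counts."""
    c = Counter(int(ts // interval) for ts, _ in events)
    if not c:
        return []
    lo, hi = min(c), max(c)
    return [c.get(i, 0) for i in range(lo, hi + 1)]


def analyze(events, detector, interval=60):
    """Run both detectors; returns (signature hits, anomalous interval indexes)."""
    sig_hits = [(ts, name) for ts, payload in events for name in signature_matches(payload)]
    counts = bucket_counts(events, interval)
    anomalies = [i for i, n in enumerate(counts) if detector.is_anomalous(n)]
    return sig_hits, anomalies


def build_sample_events():
    """Constructed stream: four quiet minutes of ordinary requests, one
    minute with a 60-request burst of ordinary content, and two requests
    whose content matches a signature but arrive at a normal rate."""
    events = []
    for minute in range(4):
        for k in range(10):
            events.append((minute * 60 + k * 5, "GET /index.html"))
    for k in range(60):                       # burst in minute 4
        events.append((240 + k, "GET /login"))
    events.append((65, "GET /download?file=../../../config.ini"))
    events.append((130, "GET /search?q=<script>x</script>"))
    return events
```

Run with a baseline trained on counts such as `[9, 11, 10, 12, 8, 10, 9, 11]`: the anomaly detector flags only minute 4 (the burst carries no signature), while the signature matcher flags only the two content hits (they arrive at a rate the baseline considers normal). That complementarity is the reason products combine both methods.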

Security Challenge Scenarios

Now that you have completed this review chapter, once again use your portfolio to record your new observations for the Security Challenge Scenarios presented at the beginning of the chapter. Afterward, create a short comparison of your original assessment to the information you acquired through the chapter and its associated lab procedures.

Computing Device Security Scenario 1

  • Identify: ____________________________________________
  • Protect: ____________________________________________
  • Detect: _____________________________________________
  • Respond: ____________________________________________
  • Recover: ____________________________________________

Computing Device Security Scenario 2

  • Identify: ____________________________________________
  • Protect: ____________________________________________
  • Detect: ____________________________________________
  • Respond: ___________________________________________
  • Recover: ___________________________________________

Professional Feedback

In this section, you will compare your observations to those of a working security specialist—in this case, Philip Craig, the founder of BlackByte Cyber Security—to improve your understanding of cybersecurity.

The Insights of a Practicing Professional

The most basic activities you’ll face in everyday cybersecurity include the challenges of securing the devices within your networked or distributed environments. Part II is focused on the host, so this will account for any of the security controls that will be implemented on any particular host computer for which you are responsible. Many of these security controls have centralized management features, but in some cases they may not be part of an overall managed environment. An example may be a remote sales force that uses their own devices, or your company may be implementing cost reductions by implementing bring-your-own-device (BYOD) programs. Here you have to assume that you’re dealing with completely unsecure devices.

This solution will focus on the constraints listed in the scenarios, which are very common to a personal computer used in any business.

Computing Device Security Scenario 1

You have been assigned to develop a local security policy and configuration specifications for the desktop computers used by in-house employees at your firm. These PCs are mounted in special openings under the desk in each cubicle. The computers are physically identical, and they all run the same operating system. However, they may have different types of job-specific company software installed. These computers are equipped with the following:

  • Detachable keyboards and mice
  • Six built-in USB connection ports
  • Separate monitors
  • UTP local area network connection ports
  • Microsoft Windows 10 Professional operating systems
  • Microsoft Office 2016 software
  • Dual built-in DVD disc drives

Although these recommendations aren’t specified down to the NIST level, they can be used to provide the basis for selection. Based on risk of loss, selecting Low-Risk=Low implementation, Med-Risk=Medium implementation, and, of course, High-Risk=High implementation of the selected security control is appropriate. As an example, simple USB locking devices, shown in Figure 10.1, are available. Certainly, they can be defeated, but in order to do so, combined with disabling the port in firmware, you have a pretty nefarious insider threat at this point—or, you may just have an indignant employee. Either way, your company will likely take action upon your discovery of the compromised system.

FIGURE 10.1 USB Port Locks (pictures of a simple USB port lock and a physically locked port on a laptop)

First, you need to quantify the problems you might experience by simply diagramming them, as shown in Figure 10.2.

FIGURE 10.2 Known Vulnerabilities (diagram of the known vulnerabilities)

A significant programmatic approach is necessary to address the issues that are identified in the Red portion of the figure. No approach you take will completely alleviate vulnerability, nor address all existing (or zero-day) attack vectors. As a professional, you should utilize the NIST Special Publication 800 series guidance documents to define the security posture necessary.

Those guidelines are summarized in the following steps.

Create a policy for assessments.

  • Define the environment.
  • Determine organizational priorities for protecting company property and materials.
  • Ensure senior management is supportive.
  • Procedurally define a process and diligence to form an informative assessment outcome.

Develop a risk-management program.

  • Determine the risks of losing control of a host.
  • Identify potential adversarial activities that could target your domain (e.g., are they targeting intellectual property?).
  • Present a risk-informed report to ensure the organization recognizes the risks and provides support/buy-in to resolve, reduce, or prevent risks of loss.

Use NIST security controls.

  • Create a matrix of individual concerns and associated attack vectors.
  • Provide a mitigation method(s) for each.
  • Select the appropriate NIST family (Management, Operational, Technical) of security controls that need to be implemented (Reference NIST SP 800-53, tables, spreadsheets, tools).
  • Ensure that the reasons for their selection are commensurate to the risks. The selection of low-, medium-, and high-level implementations should be described in the guidance and should help ensure a cost-effective solution. Don’t overprescribe controls!

Deploy security hardware and software.

  • Select, configure, and deploy commercially available solutions, or determine effective open-source security solutions. In many cases, the open-source community has provided very effective tools that should be evaluated for use.

Create an effective audit program.

  • Provide effectiveness tests that challenge your security posture. (For example, use open-source or commercial password-hacking tools to challenge your domain or local password repository.) Tests will provide impact and awareness to your users if they are using simple passwords that do not comply with organizational security policy.
  • Execute physical walk-downs (physically inspect keyboards and mice for key-loggers). As an example, you could implement the procedures listed in Figure 10.3.
    FIGURE 10.3 Implementation (schematic of the physical walk-down procedures)

    The physical walk-down can be broken down into the following areas of concern:

Detachable Keyboards and Mice

  • Do not allow personally owned keyboards and mice.
  • Physically inspect the mice for man-in-the-middle devices.

Six Built-in USB Connection Ports

  • Disable USB ports and, if necessary, provide physical locks on them.
  • Encourage or require the use of network storage for all company-related business.

Separate Monitors (Thunderbolt Ports)

  • Discourage or disable connectivity to external ports.
  • Provide detection/audits of externally connected devices. Disable ports.

UTP Local Area Network Connection Ports

  • Provide network access controls, such as Layer 2 protective mechanisms (ACL, port authorization, etc.).
  • Route unauthorized connectivity to a local honeypot for capture and analysis.
  • Physically inspect for man-in-the-middle devices.

Microsoft Windows 7 Professional Operating Systems and Office 2013 Software

  • Upgrade and patch management policy.
  • Strict processing is required.
  • Monitor US-CERT.
  • Maintain a list of approved applications.
  • Enforce user policy to disallow installation without system administration approval and IT support.
  • Provide strong awareness training and extend security principles into your organization and workforce.

Dual Built-in DVD Disc Drives

  • Remove DVD disc drives or other media controllers.
  • Provide a procurement process or procedure that requires written justification and approval of these devices.
  • Provide a standalone workstation to scan media before using it on host computers.

Computing Device Security Scenario 2

Because you did such an outstanding job of creating the security policies and configurations for the company’s desktop computers, you have been tasked to produce the same type of materials for the notebook computers used by the organization’s sales people.

Obviously, these computers are portable PCs that work in the office and at different locations on the road. These computers are equipped with the following:

  • Built-in keyboards and displays
  • Two built-in USB connection ports
  • UTP local area network connection ports
  • Microsoft Windows 10 Professional operating systems
  • Microsoft Office 2016 software
  • Dual SD card-reader slots
  • Built-in wireless networking capabilities
  • External VGA display connection ports
  • Built-in DVD disc drives

Without completely repeating the previous scenario, let’s just say that there are many different methods to deal with the same problem. Focusing on a mobile computer (laptop, tablet, iPad, etc.) is more difficult based on what the user is tasked to do with it from a business perspective, and what you can control with electronic policy and written policy. It is very likely that removable devices will be used frequently. Remote connectivity, hotel/kiosk connectivity, and physical control of the device itself may offer unique challenges. In such cases, many companies simply utilize virtualization (or a business sandbox, as it is sometimes referred to) to isolate the user and their interaction with the business. In the case of the laptop, you will want to at minimum ensure the following:

Use strong antivirus protection.

  • Check applications, encrypted files, and removable media.

Use strong authentication methods to ensure appropriate access.

  • Multifactor at a minimum utilizing hardware tokens.

Deploy a diligent auditing process as the device is connected to your local business network and from remote networks.

  • VPN tunneling to proxy and DMZ environments even while in the local office is recommended.
  • Review logs to reveal how many and what types of connectivity, media, or users have accessed or attempted to access the device.

Create an electronic policy for administration of the device.

  • Enforcement of access control by role, user, and application is sometimes necessary.

Review Questions

The following questions test your knowledge of the material presented in Part II.

  1. How is securing a portable PC different from securing a cabinet-mounted desktop computer?

    Answer: For the most part, it is not practical to lock up desktop and portable personal computer (PC) systems that may be used by different users and, in many cases, are portable. In many cases, a given computer station may routinely be used by different personnel—such as a day shift employee and a night shift employee. In such applications, administrative security measures must be in place to guarantee proper authentication and access control. One of the main functions of a docking station is to provide a lockable attachment to the desktop to prevent unauthorized users from picking up the portable unit while it is not in use and simply carrying it away.

  2. List three locations where malicious individuals typically gain access to programs and data to damage, destroy, or steal them.

    Answer: In both computing and intelligent control devices, there are three general locations where individuals typically gain access to programs and data: while it’s in memory, while it’s in storage on devices (such as hard drives and flash drives), and when it is being transferred from one place to another.

  3. The __________ option must be used to establish a password that can be used to access the CMOS Setup utility.

    Answer: User Password

  4. What microprocessor/operating system feature is designed to protect certain areas of memory to prevent malicious software from taking over the computing device by inserting its code into another program’s data area?

    Answer: The No Execute (NX) bit or the eXecute Disable (XD) bit feature.

  5. Describe one of the main tools that operating systems use to protect their file systems and stored data.

    Answer: Access control lists (ACLs)

  6. Which tool is considered to be the main user-authentication tool used with computers and networking equipment?

    Answer: Usernames and passwords

  7. Where are local user and group credentials created and stored in the local host computer?

    Answer: The user accounts database stored on the local computer

  8. What administrative tool enables administrators to create password policies that prevent attackers from using brute force attacks to obtain account passwords so they can use them to break into the system?

    Answer: Password lockout policy settings

  9. In Linux systems, what tool works with the Linux kernel’s audit module to record relevant events on disk?

    Answer: The audit daemon

  10. Describe the steps associated with data encrypting processes.

    Answer: Encrypting data involves taking data and processing it with a key code (or encryption key) that defines how the original version of the data has been manipulated. Anyone who is given the encryption key can use it to decode the message through a decryption process using a decryption algorithm (or decryption key).

  11. If you configure the local firewall and then find that no email has been received by the local host, what logical TCP port should be checked to see if it is being blocked?

    Answer: Port 110 – POP3

  12. When using a web browser, how do you know that SSL links are being used to provide encryption services to prevent unauthorized access to the data during transmission across the Internet?

    Answer: SSL links are always identified as HTTPS:// sites instead of simply HTTP://.

  13. List three steps that can be taken at the local host computer to fight spyware.

    Answer: In addition to installing antispyware applications, users can fight spyware in a number of other ways, including:

    • Install a web browser other than Internet Explorer (for example, Chrome or Firefox).
    • Download the newest browser version that offers better security features.
    • Work with an ISP that uses firewalls and proxies to block sites that are known to distribute spyware.
    • Download software only from reputable sites to prevent spyware that comes attached to other programs.

  14. Where are controls for managing scripts located in the local host systems?

    Answer: The capability to load and run scripts in a browser can be controlled through the browser’s Security feature.

  15. What type of attack is being conducted when attackers exploit poorly written computer code by inserting their own malicious code to corrupt a computer’s memory so that its operation is degraded so badly that the machine becomes virtually unusable?

    Answer: An attacker may alter existing code to create a condition in the computer’s memory known as a buffer overflow, which results in erratic behavior, memory access errors, and/or system crashes. The system is effectively disabled to the point where the user cannot use it. This type of attack is referred to as a Denial of Service or DoS attack.

Exam Questions

  1. From the following options, select the most obvious pathway for attackers to gain access to computing equipment.
    1. Through the keyboard
    2. Through a USB port
    3. Through an open network port
    4. Through email attachments

    Answer: A

  2. Without this password, the system will never reach an operational level that an intruder could use to access its internal perimeter and interior information.
    1. Administrator
    2. Supervisory
    3. User
    4. SuperUser

    Answer: C

  3. Which of the following areas of a local host system is the first location for hardening the system?
    1. Hardware
    2. File systems
    3. Operating system
    4. Applications

    Answer: B

  4. Which type of physical access port is most likely to be used to inject malicious software into computing and intelligent control devices that might be very well protected from network access?
    1. IEEE-1394 FireWire ports
    2. HDMI connectors
    3. USB ports
    4. Parallel ports

    Answer: C

  5. From the following options, select the type of attack that is not associated with the operating system’s file system.
    1. Buffer overflow attacks
    2. Race condition attacks
    3. Alternate data streams
    4. Directory traversals

    Answer: A

  6. What type of login is typically required to validate users and supply access to the local host’s resources?
    1. Administrative login
    2. Network login
    3. Application login
    4. Local login

    Answer: D

  7. Which of the following options does not represent a typical level for encrypting data?
    1. At the file/folder level
    2. At the microprocessor level
    3. At the disk level
    4. At the network transmission level

    Answer: B

  8. Select the type of firewall typically used with a local host computing device.
    1. A hardware firewall device
    2. A 1394 firewall card
    3. A software firewall
    4. A static firewall card

    Answer: C

  9. Which type of intrusion-detection system is designed to look for specific patterns in software code?
    1. Signature-based detection systems
    2. Profile-based anomaly detection systems
    3. Rule-based anomaly detection
    4. Threshold-based anomaly detection systems

    Answer: A

  10. What type of utility would an attacker employ to monitor data traffic looking for cookies to steal?
    1. An intrusion device
    2. A scripting utility
    3. A packet sniffer utility
    4. A man-in-the-middle (MITM) utility

    Answer: C
