13.1 - 13.13 Security
Spoofing is used to hide the true source of packets or to redirect traffic to another location. Spoofing attacks:
> Use modified source and/or destination addresses in packets > Can include site spoofing that tricks users into revealing information Network attacks may also falsify source or destination addresses for network communications. This is called spoofing. Common methods of spoofing are listed in the table below:
Botnet
A botnet refers to a group of zombie computers that are commanded from a central control infrastructure. A botnet is: > Under a command and control infrastructure where the zombie master (also known as the bot herder) can send remote commands to order all the bots they control to perform actions. > Capable of performing distributed denial of service attacks. > Detected through the use of firewall logs to determine if a computer is acting as a zombie and participating in external attacks.
Organizational security policy
A high-level overview of the organization's security program.
Hybrid
A hybrid attack adds appendages to known dictionary words. For example, 1password, password07, p@ssword1.
Privacy filter
A polarized sheet of plastic to restrict screen visibility.
Automatic sample submission
A software feature that allows Windows Defender to send information to Microsoft for use in analyzing and identifying new malware.
BitLocker partition
A volume that contains the boot files.
Hybrid attack
Adds appendages to known dictionary words.
13.13.2 Network Security Threat Facts
Common network attacks that you should be aware of include the following:
Browser history
Contain information that an attacker can exploit.
Removable storage
Easily removable data storage.
Configure Automatic Updates
Enable automatic updates for all operating systems.
GRE
Generic Routing Encapsulation
Computer tracking service
Helps locate stolen devices.
Spoofing
Hiding the true source of packets or redirecting traffic to another location.
IP Spoofing
IP spoofing changes the IP address information within a packet. It can be used to: > Hide the origin of the attack by spoofing the source address. > Amplify attacks by sending a message to a broadcast address and then redirecting responses to a victim who is overwhelmed with responses.
IPsec
Internet Protocol Security
Layer Two Tunneling Protocol (L2TP)
L2TP is an open standard for secure multiprotocol routing. L2TP: > Supports multiple protocols (not just IP) > Uses IPsec for encryption > Is not supported by older operating systems > Uses TCP port 1701 and UDP port 500
L2TP
Layer Two Tunneling Protocol
Shoulder surfing
Looking over the shoulder of someone working on a computer.
Which of the following networking devices or services is LEAST likely to be compatible with VPN connections? Firewall Switch NAT Router
NAT When using a VPN through a NAT device, check your NAT solution to make sure that the router can support VPN connections. Not all VPN solutions are compatible with NAT.
Offline Scanning
Offline scanning causes the system to reboot and Windows Defender to run a scan in an offline state before returning to Windows. This allows some types of malware to be removed that normally can't be removed from a running system..
Password policy
Requirements for passwords used to authenticate to company-owned systems.
SSL
Secure Sockets Layer
Browser History
The browser history and its cache contain information that an attacker can exploit. If an attacker can gain access to the cache or the browser history, they can learn things about the user such as: > The email service they use > The bank where they keep their accounts > Where they shop An attacker can exploit this information to conduct other attacks, such as stealing cookies or sending phishing emails.
Phishing emails
The process attackers use to acquire sensitive information by masquerading as a trustworthy entity.
Dictionary attack
Tries to guess a user's password using a list of words from a dictionary.
Brute force attack
Tries to identify a user's password by exhaustively working through all possibilities
Phishing
Uses an email and a spoofed website to gain sensitive information.
Mobile devices
Wired or wireless personal devices.
Intrusion detection system (IDS)
A feature that detects intrusion attempts and alerts the system administrator.
MAC address filtering
A feature that restricts access to the wired network switch to hosts that have specific MAC addresses.
A public library has purchased a new laptop computer to replace their older desktop computers and is concerned that they are vulnerable to theft. Which of the following laptop features should be used to physically secure the laptop? An external encryption device A multi-factor password policy Biometric authentication A cable lock
A cable lock A cable lock can be used to physically secure a laptop to deter theft. Biometric authentication does not physically secure a laptop. A multi-factor password policy does not physically secure a laptop. An external encryption device does not physically secure a laptop.
13.2.3 Incident Response Facts
A security incident is an event or series of events that result from a security polciy violation that has adverse effects on a company's ability to proceed with normal business. Security incidents include employee errors, unauthorized acts by employees, insider attacks, malware attacks, and unethical gathering of competitive information. This lesson covers the following topics: Incident response Damage containment Forensic investigation Notification
Piggybacking
An attacker entering a secured building by following an authorized employee.
Masquerading
Convincing personnel to grant access to sensitive information by pretending to be someone who is authorized.
Autorun
Disable autorun.
Disable Autorun
Disable autorun. This prevents malware from automatically running when an optical disc or USB drive is inserted in the system.
Piggybacking
Piggybacking refers to an attacker entering a secured building by following an authorized employee. This is also called tailgating.
The chain of custody is used for what purposes? Maintaining compliance with federal privacy laws Retaining evidence integrity by identifying people coming into contact with evidence Identifying the owner of evidence Detailing the timeline between creation and discovery of evidence
Retaining evidence integrity by identifying people coming into contact with evidence The chain of custody is used to track the people who came in contact with evidence. The chain of custody starts at the moment evidence is discovered. It lists the identity of the person who discovered, logged, gathered, protected, transported, stored, and presented the evidence. The chain of custody helps to insure the admissibility of evidence in court.
A security technician is conducting a forensic analysis. Which of the following actions is MOST likely to destroy critical evidence? Restricting physical access to the system Shutting down the system Disconnecting the system from the network Copying the contents of memory to removable media
Shutting down the system Shutting down or rebooting a compromised system will erase the memory contents. An attacker may load and run a memory-resident program and immediately erase it from the disk. Shutting down or rebooting the system will destroy all evidence of the malicious program.
13.4.2 Social Engineering Facts
Social engineering exploits human nature by convincing someone to reveal information or perform an activity. Examples of social engineering include: Impersonating support staff or management, either in person or over the phone. Asking for someone to hold open a door rather than using a key for entrance. Spoofed emails that ask for information or tasks to be performed (such as delete a file or go to a website and enter sensitive information). Looking on desks for usernames and passwords. This lesson covers the following topics: Social engineering attacks Social engineering countermeasures
Incident response
The actions taken to deal with an incident during and after the incident.
Damage Containment
The first step in responding to an incident should be to take actions to stop the attack and contain the damage. For example, if the attack involves a computer system attached to the network, the first step might be to disconnect it from the network. Although you want to preserve as much information as possible to assist in later investigations, it might be better to stop the attack, even if doing so alerts the attacker or results in the loss of evidence regarding the attack.
Principle of Least Privilege
Users should have only the necessary degree of access to the workstation.
Adware
Adware monitors actions that denote personal preferences, then sends pop-ups and ads that match those preferences. Adware: > Is usually passive > Invades the user's privacy > Is installed by visiting a malicious website or installing an infected application > Is usually more annoying than harmful
Which of the following is an example of a strong password? desktop#7 Robert694 a8bT11$yi at9iov45a
a8bT11$yi A strong password should not contain dictionary words or any part of the login name. They should include upper- and lower-case letters, numbers, and symbols. In addition, longer passwords are stronger than shorter passwords.
Forensic Investigation
After containing a threat, forensic investigation can be performed on computer systems to gather evidence and identify methods used in the attack. When working with computer systems, use special computer forensic tools to analyze the system. Investigations can be performed in the following ways: > A live analysis examines an active (running) computer system to analyze the live network connection, memory, contents, and running programs. > A dead analysis examines data at rest, such as analyzing hard drive contents. Follow these procedures when collection and analyzing computer evidence: > Before touching the computer, document and photograph the entire scene of the crime including the current state of the computer screen. A traditional camera is preferred over a digital camera to avoid allegations that an image was digitally altered. > Do not turn off the computer until the necessary evidence has been collected > Some data might be lost when the computer is turned off. > Volatile data is any data that is stored in memory, CPU registers, and CPU caches that will be lost when the computer is powered off or loses power. > Persistent data resides on the system's hard drives, USB drives, optical media, and other external hard drives. > If it is necessary to isolate a system to stop or prevent future attacks, disconnect the system from the network rather than shutting it down (if possible). > Turning off the system might be the only practical method to prevent further damage and should be done if necessary, even if it results in the loss of potential evidence. > Assess the situation to determine whether you have the expertise to conduct further investigations, or whether you need to call in additional help. > Analyze data in order from most volatile to least volatile: 1. CPU registers and caches 2. RAM 3. Virtual memory and temporary file systems 4. Hard disk data 5. Archived media (backups) > Save the contents of memory by taking one of the following actions: > Save and extract the page file. > Do a complete memory dump to save the contents of physical RAM. The page file will be lost but the physical memory will be preserved. > Clone or image hard disks. > Never analyze the original data. Make several copies for analysis to preserve the original. > Archive the original system or data for later investigations and comparisons to your copy. > In addition to looking for obvious evidence on computer systems (such as saved files), use special forensic tools to check for deleted files, files hidden in empty space, or data hidden in normal files. > For some investigations, you might need to review archived log files or data in backups to look for additional evidence. Be sure to design your backup strategy with not only recovery but also investigation and preservation of evidence in mind. > Track hours and expenses for each incident. This may be necessary to calculate a total damage estimation and possibly restitution. > Forensic investigation results can be used in a court of law if properly handled and documented. To ensure that evidence is admissible in court, you must be able to provide its chain of custody. The chain of custody: > Documents the integrity of the evidence by providing a record of every person it has come in contact with and under what conditions. Without a chain of custody document, there is no way to prove who might have had access to the evidence, meaning that the evidence could have been altered after discovery. Failure to provide a valid chain of custody could make the evidence worthless in court. > Should be started the moment evidence is discovered and should include what the evidence is, who found it, under what circumstances, the location of the evidence, the date and time of original discovery, how it was handled, and all precautionary actions that have been taken to ensure its integrity. > Should be maintained throughout the evidence life cycle to document the people and procedures used at each stage. *Be aware that many organizations will intentionally not bring evidence to court to avoid the negative publicity that could be associated with a trial.
HTTP (session) Hijacking
HTTP (session) hijacking is a real-time attack in which the attacker hijacks a legitimate user's cookies and uses the cookies to take over the HTTP session.
13.2.4 Practice Questions
CIST 1130
Data transmission encryption
Protects data sent through a network.
13.3.8 Practice Questions
CIST 1130
Which of the following is the most secure security protocol for wireless networks? BitLocker 802.11n WPA2 WPA WEP
WPA2 WEP, WPA, and WPA2 are all security protocols for wireless networks. However, WPA2 provides much stronger security than WEP or WPA. 802.11n is a wireless standard with specific parameters for wireless data transmission. BitLocker is a Microsoft solution that provides hard drive disk encryption.
Chassis Intrusion Detection
Chassis intrusion detection helps you identify when a system case has been opened. With chassis intrusion detection a sensor switch is located inside the system case. When the case cover is removed, the switch sends a signal to the BIOS/UEFI. Depending on the system configuration, a message might be displayed on the screen at startup, or the message might be visible only from within the BIOS/UEFI configuration program.
13.8.2 File Encryption Facts
Encryption is the process of scrambling data to make it unreadable except to those who have the required key to unlock the obscured data. You should be familiar with the following types of encryption.
Which of the following is the BEST device to deploy to protect your private network from a public, untrusted network? Firewall Router Gateway Hub
Firewall A firewall is the best device to deploy to protect your private network from a public, untrusted network. Firewalls are used to control traffic entering and leaving your trusted network environment. Firewalls can manage traffic based on source or destination IP address, port number, service protocol, application or service type, user account, and even traffic content. Routers offer some packet-based access control, but not as extensively as a firewall. Hubs and gateways are not sufficient for managing the interface between a trusted network and an untrusted network.
You want to use a protocol that can encapsulate other LAN protocols and carry the data securely over an IP network. Which of the following protocols is suitable for this task? SLIP NetBEUI PPP PPTP
PPTP
Point-to-Point Tunneling Protocol (PPTP)
PPTP was developed by Microsoft as one of the first VPN protocols. PPTP: > Uses standard authentication protocols, such as CHAP and PAP > Supports TCP/IP only > Is supported by most operating systems and servers > Uses TCP port 1723
Maintain Awareness
Stay current by subscribing to security alerts offered by many security software vendors.
To access your company's internal network from home, you use Secure Shell (SSH). The administrator has recently implemented a new firewall at the network perimeter and disabled as many ports as possible. Which port needs to remain open so you can still work from home? 23 80 21 443 22
22 SSH uses port 22. This port would need to remain open for you to access your company's internal network from home. SSL uses port 443, FTP uses port 21, and HTTP uses port 80. Telnet uses port 23.
Trusted Platform Module (TPM)
A special chip on the motherboard that generates and stores cryptographic keys.
Trusted Platform Module (TPM)
A special hardware chip that generates and stores cryptographic keys.
Zombie
A zombie is a computer that is infected with malware that allows remote software updates and control by a command and control center called a zombie master. A zombie: > Is also known as a bot (short for robot). > Is frequently used to aid spammers. > Can commit click fraud. The internet uses an advertising model called pay per click (PPC). With PPC, ads are embedded on a website by the developer. The advertiser then pays the website owner for each click the ad generates. Zombie computers can imitate a legitimate ad click, generating fraudulent revenue. > Can be used to perform denial of service attacks.
Cloud-Based Protection
Cloud-based protection provides real-time protection by sending Microsoft information about potential security threats discovered by Windows Defender. This feature requires automatic sample submission to be enabled.
Dumpster Diving
Dumpster diving is the process of looking in the trash for sensitive information that has not been properly disposed of.
Hardware Locks
Hardware locks prevent theft of computers or components. > Keep servers and other devices inside locked cabinets or locked rooms. > Bolt or chain workstations to desks or other stationary objects to prevent theft. > Lock cases to prevent opening up devices and removing components such as memory and hard drives. > For laptops, use removable cable locks when leaving computers unattended in public areas (such as a library). You can also use motion detectors that sound an alarm when a laptop is moved. > Tablet devices can be secured with a cable lock or simply locked in a cabinet or drawer when not in use.
Which of the following protocols can your portable computer use to connect to your company's network via a virtual tunnel through the internet? (Select TWO). PPTP Remote Desktop Protocol (RDP) L2TP PPPoE VNC
PPTP L2TP PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer Two Tunneling Protocol) are two VPN (Virtual Private Networking) protocols that let you access your company's network through a public network, such as the internet. PPPoE is used for connecting to the internet through an Ethernet connection to include authentication and accounting. VNC and RDP are remote desktop protocols used for remote administration or remote device access.
Pharming
Pharming redirects one website's traffic to another, bogus, website that is designed to look like the real website. Once there, the attacker tricks the user into supplying personal information, such as bank account and PIN numbers. Pharming works by resolving legitimate URLs to the IP address of malicious websites. This is typically done using one of the following techniques: > Changing the hosts file on a user's computer > Poisoning a DNS server > Exploiting DHCP servers to deliver the IP address of malicious DNS servers in DHCP leases.
Hardware locks
Prevent theft of computers or components.
Rainbow Table
Rainbow table is a reference table for hashed passwords. When a password is hashed, a reference key is added to a database. The rainbow table can be used for reversing the hashed cryptography into the original password.
13.10.3 Firewall Facts
A firewall is a device or software running on a device that inspects network traffic and allows or blocks traffic based on a set of rules. There are two types of firewalls that you should be familiar with: > A network-based firewall inspects traffic as it flows between networks. For example, you can install a network-based firewall on the edge of your private network that connects to the internet to protect against attacks from internet hosts. A network firewall is created using two (or more) interfaces on a network device: one interface connects to the private network, and the other interface connects to the external network. > A host-based firewall inspects traffic received by a specific host. *A best practice is to implement both types of firewalls. Firewalls use filtering rules, sometimes called access control lists (ACLs), to identify allowed and blocked traffic. A rule identifies characteristics of the traffic, such as: > The interface the rule applies to > The direction of traffic (inbound or outbound) > Packet information such as the source or destination IP address or port number > The action to take when the traffic matches the filter criteria Windows includes a host-based firewall that you can configure to protect your system from attacks. Be aware of the following: > By default, the firewall allows all outgoing web traffic and responses but blocks all other traffic. > You can configure exceptions to allow specific types of traffic through the firewall. In Windows Firewall, you can configure two exception types: Program - Configuring an exception for a program automatically opens the ports required by the application only while the application is running. Be aware of the following: > You can select from a list of known applications or browse to and select an unlisted application. > You do not need to know the port number used; the firewall automatically identifies the ports used by the application when it starts. > After the application is stopped, the required ports are closed. Port - Configuring an exception for a specific port and protocol (either TCP or UDP) keeps that port open all the time. Be aware of the following: > You must know both the port number and the protocol. > Some services require multiple open ports, so you must identify all necessary ports and open them. > Ports stay open until you remove the exception. > When you turn on the firewall, you can block all incoming connections or allow exceptions. If all incoming connections are blocked, any defined exceptions are ignored. When you configure a network-based firewall, you identify the traffic type that is allowed both into and out of your private network. Keep the following in mind: > Most SOHO routers and access points include a firewall to protect your private network. > By default, most SOHO routers allow all traffic initiated on the private network to pass through the firewall. Responses to those outbound requests are typically also allowed. For example, a user browsing a website will receive the web pages back from the internet server. > All traffic initiating from the external network is blocked by default. > You can configure individual exceptions to allow or deny specific types of traffic. A best practice is to block all ports, then open only the necessary ports. > Some firewalls support port triggering, which allows the firewall to dynamically open incoming ports based on outgoing traffic from a specific private IP address and port. - On the firewall you identify a private IP address and port, then associate one or more public ports. - When the router sees traffic sent from the private network from that host and port number, the corresponding incoming ports are opened. - The incoming ports remain open as long as the outgoing ports show activity. When the outgoing traffic stops for a period of time, the incoming ports are automatically closed. - Use port triggering to open incoming ports required for specific applications (such as online games). > Some applications identify incoming ports dynamically once a session is established with the destination device. The ports that the application might use are typically within a certain range. - For some applications, you can configure the application to use a specific port instead of a dynamic port. You can then open only that port in the firewall. - If you are unable to configure the application, you will need to open the entire range of possible ports in the firewall. - Use port triggering to dynamically open the ports when the application runs instead of permanently opening all required ports. > Configure port forwarding to allow incoming traffic directed to a specific port to be allowed through the firewall and sent to a specific device on the private network. - Inbound requests are directed to the public IP address on the router to the port number used by the service (such as port 80 for a Web server). The port number is often called the public port. - Port forwarding associates the inbound port number with the IP address and port of a host on the private network. This port number is often called the private port. - Incoming traffic sent to the public port is redirected to the private port. When defining firewall rules, you should be aware of the following port numbers for common network protocols: SERVICE - PORT File Transfer Protocol (FTP) - 20 TCP | 21 TCP Secure Shell (SSH) - 22 TCP and UDP Telnet - 23 TCP Simple Mail Transfer Protocol (SMTP) - 25 TCP Domain Name System (DNS) - 53 UDP HyperText Transfer Protocol (HTTP) - 80 TCP Post Office Protocol (POP3) - 110 TCP Network Basic Input/Output System (NetBIOS) - 137 TCP | 138 TCP | 139 TCP Internet Message Access Protocol (IMAP4) - 143 TCP and UDP HTTP with Secure Sockets Layer (SSL) - 443 TCP and UDP Service Location Protocol (SLP) - 427 TCP and UDP Server Message Block (SMB)/Common Internet File System (CIFS) - 445 TCP Apple File Protocol (AFP) - 548 TCP Remote Desktop Protocol (RDP) - 3389 TCP
Malware
A type of software designed to take over or damage a computer without the user's knowledge or approval.
13.10 Firewalls
As you study this section, answer the following questions: > Why is using a firewall important when connecting your computer to the internet? > What is the difference between host-based and network-based firewall solutions? > What information does the firewall use to allow or prevent communication? > How would you configure Windows Firewall to allow network traffic generated by a specific application installed on the system? How would you allow a specific IP port number? > What capabilities does configuring port forwarding provide? > How would you configure port triggering? > What are the advantages of implementing an all-in-one security appliance? What are the disadvantages? In this section, you will learn to: > Configure a Windows firewall Key terms for this section include the following:
13.9 Network Security
As you study this section, answer the following questions: > How can you secure physical access to computer systems? > What configuration changes could you make to prevent data loss on a Windows system? > What are the characteristics of a strong password? > How can you limit wired network connectivity to only authorized systems? > How can you make it more difficult for an unauthorized person to connect to a wired network? > Which network devices should be put in a DMZ? Which systems should not? > What is the role of a content filter? > What can you do to obscure a wireless network? > How can you prevent data emanation from a wireless network? Key terms for this section include the following:
13.5 BIOS/UEFI Security
As you study this section, answer the following questions: > What is the difference between a user password and an administrator password in the BIOS/UEFI configuration? > How can BIOS/UEFI passwords be circumvented on some systems? > How does chassis intrusion detection help to secure the BIOS? > How does a hard disk password differ from a BIOS/UEFI password? What happens to the hard disk password if the disk is moved to another system? > What is the function of the TPM? > Where is the TPM chip located? > Which UEFI security feature ensures that firmware updates for the motherboard do not contain malware? > Which UEFI security feature prevents the system from booting an operating system without a valid digital signature? In this section, you will learn to: > Configure BIOS/UEFI security Key terms for this section include the following:
13.7 Authentication
As you study this section, answer the following questions: > What is the difference between local authentication and domain authentication? > What are the key characteristics of a strong password? > Which tool would you use to configure a computer to require complex passwords for local user accounts? > What is the difference between a locked account and a disabled account? > What policies can you configure on a > Windows workstation to defend yourself against a brute-force password attack? > What authentication mechanisms can be used to log on to a Windows workstation? In this section, you will learn to: > Enforce password settings > Manage Linux passwords Key terms for this section include the following:
13.1.5 Practice Questions
CIST 1130
13.10.7 Practice Questions
CIST 1130
13.11.5 Practice Questions
CIST 1130
13.12.5 Practice Questions
CIST 1130
13.13.4 Practice Questions
CIST 1130
13.4.3 Practice Questions
CIST 1130
13.5.5 Practice Questions
CIST 1130
13.6.10 Practice Questions
CIST 1130
13.7.11 Practice Questions
CIST 1130
13.8.8 Practice Questions
CIST 1130
13.9.5 Practice Questions
CIST 1130
Which of the following functions are performed by the TPM? Perform bulk encryption. Create a hash based on installed system components. Generate authentication credentials. Encrypt data on the hard disk drive.
Create a hash based on installed system components. A Trusted Platform Module (TPM) is a hardware cryptoprocessor that resides on the motherboard that stores and generates cryptographic keys. Using these keys, the TPM can generate a hash value based on the components installed in the system. The hash value can be used to verify that system components have not been modified when the system boots. Because each system will have a unique hash value, the hash can also be used as a form of identification for the system. Keys generated by the TPM can be used for encryption and authentication, but the TPM does not perform the actual encryption.
Cookies
Data files placed on a client system by a web server for retrieval at a later time.
Acceptable use policy (AUP)
Defines an employee's rights to use company property.
Implement Browser Security
Do the following: > Disable pop-ups on all web browsers. Pop-ups can covertly install malware or redirect users to malicious websites. Enable pop-ups only for legitimate sites that require them. > Override automatic cookie handling. Configure your browser to prompt you before allowing cookies. > Disable third-party browser extensions. > Disable sounds in web pages.
File encryption
Encrypts individual files so that only the user who created the file can open it.
Implement Static IP Addressing
In order to use IP addresses efficiently, most networks use a DHCP server to automatically assign an IP address to hosts whenever they connect to the network. However, this configuration presents a security weakness. If attackers are able to successfully connect a system to an open network jack in your wired network, they automatically receive all the configuration information they need to communicate with other hosts on the network. To prevent this, use static IP addressing instead of DHCP. In this configuration, an attacker who manages to successfully connect to your wired network won't receive any IP addressing information. Be aware that using static IP addressing isn't a fool-proof security measure. Determined attackers will eventually be able to determine the IP addressing scheme used on your network and configure their system appropriately. However, it does make your network more difficult to compromise.
LoJack
LoJack is a mechanism that is used to secure systems that are prone to being stolen, such as notebooks systems. The LoJack software is implemented within a chip on the motherboard itself and you can use it to recover a stolen system. The LoJack service running on the computer periodically contacts a LoJack server at the vendor's site to: > Report its current location using GPS coordinates. > Query LoJack headquarters to see if that system's been reported as stolen. If the system has been reported as stolen, then LoJack will continuously update the server with its current location, making it easier for law enforcement to figure out where it is. The software that performs these two tasks is not actually contained in the motherboard chip. The software contained in the motherboard chip is just a downloader that downloads and installs the LoJack software as a Windows service.
What are the most common means of virus distribution? (Select TWO). Malicious websites Floppy disks Email Downloading music files from the internet Commercial software CDs
Malicious websites Email Email is the most common means of virus distribution. Often, viruses will employ self-contained SMTP servers to facilitate self-replication and distribution over the internet. Viruses are able to spread quickly and broadly by exploiting the communication infrastructure of internet email. Malicious websites are also frequently used for virus distribution. For this reason, it is important to keep your anti-virus software updated so as to block any possible attempt of viruses to infect your systems or to spread to other systems from your system. Downloaded music files and commercial software CDs all have the potential to spread viruses, but they are not as commonly employed.
You are configuring a network firewall to allow SMTP outbound email traffic and POP3 inbound email traffic. Which of the following IP ports should you open on the firewall? (Select TWO). 143 25 21 110 443
25 110 The Simple Mail Transfer Protocol (SMTP) uses IP port 25. The Post Office Protocol version 3 (POP3) uses IP port 110. The File Transfer Protocol (FTP) uses IP Ports 20 and 21. The Internet Message Access Protocol (IMAP) uses IP port 143. IP port 443 is used by the Secure Sockets Layer (SSL) protocol.
Brute force
A brute force attack tries to identify a user's password by exhaustively working through all possibilities of all letter, number, and symbol combinations until the correct password is identified. Brute force attacks will always be successful if given enough time, yet they are frequently the most time consuming method of attack.
Proxy server
A specific implementation of a firewall that uses filter rules to allow or deny internet traffic.
Zero Day
A zero day attack (also known as a zero hour or day zero attack) is an attack that exploits computer application vulnerabilities before they are known and patched by the application's developer.
While browsing the internet, you notice that your browser displays pop-ups containing advertisements that are related to recent keyword searches you have performed. What is this an example of? Grayware Adware Worm Trojan
Adware Adware monitors actions that denote personal preferences and then sends pop-ups and ads that match those preferences. Adware is: Usually passive. Invasive. Installed on your machine when you visit a website or run an application. Usually more annoying than harmful. A worm is a self-replicating virus. Grayware is software that might offer a legitimate service, but also includes features that you aren't aware of or features that could be used for malicious purposes. A Trojan horse is a malicious program that is disguised as legitimate or desirable software.
13.12 VPN
As you study this section, answer the following questions: How does a remote access VPN differ from a host-to-host VPN? With a site-to-site VPN, which devices are configured as the VPN tunnel endpoints? What does PPTP use for encryption? What does L2TP use? What is the difference between AH and ESP used with IPsec? Why would you want to use SSL VPNs when creating VPNs? In this section, you will learn to: Configure a VPN connection Key terms for this section include the following:
Automatic Sample Submission
Automatic sample submission allows Windows Defender to send information to Microsoft for use in analyzing and identifying new malware.
Protect User Accounts and Passwords
Consider implementing the following measures to increase the security of user accounts and passwords: > Require strong passwords. A strong password is at least 8 characters long, uses upper- and lower-case letters, and includes numbers or non-alphabetic characters. > Don't allow users to write down their passwords. > Ensure all user accounts have passwords assigned. > Disable guest user accounts. > Change default user names (such as Administrator) to something less obvious (such as Winifred). > Immediately disable or remove accounts when users leave the organization. > Change default usernames and passwords. Many network devices, such as routers and switches, use a default user name and password for initial setup. These default user names and passwords are widely posted on the internet.
Cookies
Cookies are data files placed on a client system by a web server for retrieval at a later time. Cookies are primarily used to track the client. By default, cookies can be retrieved only by the server that set them. The cookies themselves are fairly benign; however, cookies can be exploited by an attacker to steal a client's session parameters. This allows the attacker to impersonate the client system and hijack the session, potentially exposing sensitive information.
Crimeware
Crimeware is designed to facilitate identity theft by gaining access to a user's online financial accounts, such as banks and online retailers. Crimeware can: > Use keystroke loggers, which capture keystrokes, mouse operations, or screenshots and transmits those actions back to the attacker to obtain passwords. > Redirect users to fake sites. > Steal cached passwords. > Conduct transactions in the background after logon.
Implement Malware Prevention
Do the following: > Install anti-malware on all systems to search for malware, viruses, worms, trojans, and rootkits. > Enable automatic definition updates on your anti-malware software. > Configure frequent quick malware scans along with less frequent full system scans. > Implement anti-spam measures. This can be done using anti-spam software on each individual workstation. However, it's usually advantageous to implement an anti-spam appliance that filters email messages for your entire organization.
A user has a file that contains sensitive data. Which of the following can be used to encrypt a single file? EFS Single sign-on BitLocker Administrative share
EFS Encrypting File Server (EFS) is a Windows feature that can be used to encrypt a single file or multiple files and folders. BitLocker is a Windows feature that encrypts an entire disk. A single sign-on permits a user and their programs to use their credentials to automatically log in to other sites and services; it's not used for encryption. An administrative share is used by administrators to access system drives; it's not used for encryption.
Eavesdropping
Eavesdropping refers to an unauthorized person listening to conversations of employees or other authorized personnel discussing sensitive topics.
Generic Routing Encapsulation (GRE)
GRE is a tunneling protocol that was developed by Cisco. GRE can be used to route any Layer 3 protocol across an IP network. GRE: > Creates a tunnel between two routers. > Encapsulates packets by adding a GRE header and a new IP header to the original packet. > Does not offer any type of encryption. > Can be paired with other protocols, such as IPsec or PPTP, to create a secure VPN connection. Ports must be open in firewalls to allow VPN protocols. For this reason, using SSL for the VPN often works through firewalls when other solutions do not. Additionally, some NAT solutions do not work well with VPN connections.
Grayware
Grayware is software that might offer a legitimate service, but which also includes features that you aren't aware of or features that could be used for malicious purposes. > Grayware is often installed with the user's permission, but without the user fully understanding what is being adding. > Some grayware installs automatically when another program is installed, or in some cases it can be installed automatically. > Features included with grayware might be identified in the end user license agreement (EULA), or the features could be hidden or undocumented. The main objection to grayware is that the user cannot easily tell what the application does or what was added with the application.
Implement a Demilitarized Zone (DMZ)
If internet users need to access internal network resources (such as a web server), do not allow their traffic to flow into the internal network. Instead, use a high-end router or network security appliance to create a DMZ and place the resource to which they need access within it. This divides the network into three areas of differing levels of security: > External network: Little or no security > DMZ: Moderate security > Internal network: High security In this configuration, external traffic enters the DMZ instead of the internal network. If a server in the DMZ is compromised by an external attacker, the rest of the network is not affected.
Manage Power Levels
Most wireless access points are set to run at maximum power by default. However, this can result in the wireless network's radio signal being transmitted outside of your facility. Usually you can decrease an access point's signal strength to reduce emanation. However, this will require additional access points to be deployed because the reduced signal strength can create areas of poor coverage. Usually, directional antennae are used in conjunction with customized power levels to provide the best coverage while reducing data emanation. *You should use a site survey tool to measure the strength of the wireless signal at various locations both inside and outside the structure to customize the configuration of each access point. This ensures appropriate wireless coverage with minimal emanation.
While organizing a storage cabinet, a technician discovers a box of hard drives that are incompatible with current hardware and may contain sensitive data. Which of the following is the BEST method for disposing of these drives? Shredding Formatting Overwriting Partitioning
Shredding A physical method of destroying the hard drives is best. This includes shredding, drilling, pulverizing, degaussing, and incinerating. If not done repeatedly, overwriting may leave recoverable data on the disk. Formatting will leave recoverable data on the disk. Partitioning will leave recoverable data on the disk.
Social Engineering Attacks
Specific social engineering attacks include:
A VPN is used primary for what purpose? Support the distribution of public Web documents Allow remote systems to save on long distance charges Support secured communications over an untrusted network Allow the use of network-attached printers
Support secured communications over an untrusted network A VPN (Virtual Private Network) is used primarily to support secured communications over an untrusted network. A VPN can be used over a local area network, across a WAN connection, over the Internet, and even between a client and a server over a dial-up connection through the Internet. All of the other items listed in this question are benefits or capabilities that are secondary to this primary purpose.
Manage the SSID
There are several practices you can implement regarding your wireless network's SSID to increase the security of the wireless network: > Change the SSID from the default. Lists of default SSIDs assigned by manufacturers are posted on the internet. If you use the default SSID, an attacker can quickly determine the make and model of your access point. Using this information, an attacker can: - Identify the default username and password used by that device. - Research known security weaknesses associated with that device, making it easier to compromise your wireless network. > Use a network name that is not easily associated with your organization. > Disable SSID broadcast. If SSID broadcast is enabled, then the name of the network is advertised to all wireless devices within range of your wireless access points. Disabling SSID makes your wireless network harder to locate.
Which security measure can be used to generate and store cryptographic keys? DriveLock BIOS/UEFI password Chassis intrusion detection Trusted Platform Module (TPM)
Trusted Platform Module (TPM) A Trusted Platform Module (TPM) is a special chip on the motherboard that generates and stores cryptographic keys. The TPM can be used by applications (such as Bitlocker on Windows systems) to generate and save keys that are used for encryption. DriveLock is a disk encryption solution. Chassis intrusion detection helps you identify when a system case has been opened. A BIOS/UEFI password controls access to the BIOS/UEFI setup program.
Which of the following is the most common form of authentication? Photo ID Username and password Digital certificate on a smart card Fingerprint
Username and password Passwords are the most common form of authentication. Most secure systems require only a username and password to provide users with access to the computing environment. Many forms of online intrusion attacks focus on stealing passwords. This makes using strong passwords very important. Without a strong password policy and properly trained users, the reliability of your security system is greatly diminished. Photo ID, fingerprint, and digital certificate on a smart card are not the most common forms of authentication.
Which of the following provides the BEST security for wireless networks? 802.11a CSMA/CD WAP WEP WPA2
WPA2 Wi-Fi Protected Access (WPA) provides encryption and user authentication for wireless networks. Wired Equivalent Privacy (WEP) also provides security, but WPA is considered more secure than WEP. A wireless access point (WAP) is a hardware device, like a switch, that provides access to the wireless network. 802.11a is a wireless networking standard that defines the signal characteristics for communicating on the wireless network. CSMA/CD is a media access control method that controls when a device can communicate on the network.
You are configuring a firewall to allow access to a server hosted in the demilitarized zone of your network. You open IP ports 80, 25, 110, and 143. Assuming that no other ports on the firewall need to be configured to provide access, which applications are most likely to be hosted on the server? Email server, Newsgroup server, or DNS server Web server, DNS server, or DHCP server Web server and email server Web server, DNS server, or email server
Web server and email server TCP/IP port 80 is associated with accessing webpages from a web server using the Hypertext Transfer Protocol (HTTP). Email can be accessed using a number of protocols, including the Simple Mail Transfer Protocol (SMTP), the Post Office Protocol version 3 (POP3), and the Internet Message Access Protocol version 4 (IMAP4). SMTP uses TCP/IP port 25, while POP3 uses TCP/IP port 110, and IMAP4 uses TCP/IP port 143. Domain Name Service (DNS) traffic uses TCP/IP port 53. Newsgroup servers are accessed using the Network News Transfer (NNTP) protocol on TCP/IP port 119. Dynamic Host Configuration Protocol (DHCP) traffic uses the BOOTP protocol on TCP/IP ports 67 and 68.
13.3.7 Physical Security Facts
Data loss prevention (DLP) is a strategy for making sure that sensitive or critical information does not leave the corporate network. Compliance policy should be implemented to regulate company rules and expectations. This should be clearly communicated to the employees. By enforcing compliance policies, the organization will be safeguarded against any laws and government regulations that employees may break. Be aware of the following methods for protecting computers:
While reviewing video files from your organization's security cameras, you notice a suspicious person using piggy-backing to gain access to your building. The individual in question did not have a security badge. Which of the following would you MOST likely implement to keep this from happening in the future? Door locks with card readers Lo-jack recovery service Mantraps Cable locks
Mantraps You could implement mantraps at each entrance to the facility. A mantrap is a specialized entrance with two doors that creates a security buffer zone between two areas. Once a person enters into the space between the doors, both doors are locked. To enter the facility, authentication must be provided. If authentication is not provided, the intruder is kept in the mantrap until authorities arrive. Cable locks are used to secure computer hardware. Lo-jack recovery services are used to locate stolen or misplaced computer hardware. Door locks with card readers were already circumvented in this scenario using the piggy-backing technique.
Install Privacy Filters
A privacy filter is a polarized sheet of plastic that is placed over a computer screen to restrict screen visibility from any angle other than straight on. This prevents office guests and passers-by from being able to read information from the user's computer monitor.
13.1.4 Security Policy Facts
A security policy defines the overall security configuration for an organization. To be effective, the security policy must be: > Planned: Good security is the result of good planning. > Maintained: A good security plan must be constantly evaluated and modified as needs change. > Used: The most common failure of a security policy is the lack of user awareness. The most effective way of improving security is to implement user education and training. There are several security-related policies that should be implemented within your organization:
Require Passwords
All user accounts should have a password assigned. Passwords should also be required to unlock the screensaver and to resume from standby or hibernation.
13.1 Security Best Practices
As you study this section, answer the following questions: > How does the principle of least privilege apply to workstation security? > What are the characteristics of a strong password? > How can file and folder permissions be used to restrict access to information on a workstation? > Which default Windows user accounts should you secure? > How does the autorun feature in Windows reduce a workstation's security? > How does an acceptable use policy increase system security? > What role does user awareness play in system security? Key terms for this section include the following:
13.3 Physical Security
As you study this section, answer the following questions: > What precautions should you implement for good physical security for a building? > How can you prevent laptops and their components from being stolen? > How can you secure unattended Windows computers? > What measures can you implement to protect data on stolen laptops? > What are the best ways to securely dispose of magnetic media and optical media? > How can you scrub data from a hard disk drive? In this section, you will learn to: > Configure remote wipe > Require a screen saver password > Key terms for this section include the following:
Code of ethics
Set of rules that define ethical behavior.
Shoulder Surfing
Shoulder surfing is looking over the shoulder of someone working on a computer.
13.1.2 Workstation Security Facts
When managing workstations, there are several key security best practices that you should be aware of:
Which are examples of a strong password? (Select TWO). skippy Morganstern il0ve2EatIceCr3am TuxP3nguinsRn0v3l NewYork
il0ve2EatIceCr3am TuxP3nguinsRn0v3l A strong password is one that: Is at least 6 characters long (longer is better) Is not based on a word found in a dictionary Contains both upper-case and lower-case characters Contains numbers Does not contain words that can be associated with you personally Is changed frequently The passwords il0ve2EatIceCr3am and TuxP3nguinsRn0v3l both meet the above criteria. The password NewYork is long enough and includes upper- and lower-case letters, but it doesn't contain numbers and could be easily dissected into a dictionary word. The password skippy is probably a pet name. The password Morganstern is probably someone's last name (perhaps a spouse's name or a maiden name).
BitLocker differs from the Encrypting File System (EFS) in the following ways:
> BitLocker encrypts the entire volume. EFS encrypts individual files. > BitLocker encrypts the volume for use on the computer, regardless of the user. Any user who has the PIN or startup key and who can successfully log on can access a BitLocker volume. With EFS, only the user who encrypted the file can access the file unless access has been granted to other users. > BitLocker protects files against offline access only. If the computer boots successfully, any authorized user who can log on can access the volume and its data. EFS protects against offline access as well as online access for unauthorized users. EFS does not provide online protection if an authorized user's credentials are compromised.
What is a cookie? A file saved on your hard drive that tracks website preferences and use. An executable file that runs in the background and tracks internet use. A malicious program that runs when you read an email attachment. A malicious program that disguises itself as a useful program.
A file saved on your hard drive that tracks website preferences and use. A cookie is a file saved on your hard drive that tracks website preferences and use. Many legitimate websites use cookies to remember your preferences and make the websites easier to use. However, other sites can use cookies to track personal information. Spyware is a program that runs in the background and reports internet use to servers on the internet. A Trojan horse is a malicious program that disguises itself as a useful program. Programs do not run when you simply read an email attachment. However, many malicious script programs are disguised as simple text files and can cause damage if you run the script file.
Rootkit
A rootkit is a stealthy type of malware. After infection, a rootkit can be very difficult to detect and remove from a system. A rootkit is installed in the boot sector of the hard disk drive. On systems that do not include the secure boot function, this causes the rootkit to be loaded before the operating system. As a result, a rootkit can hide itself from detection methods used by typical anti-malware software. If a rootkit is detected, it usually can't be removed from the system without completely re-installing the operating system from scratch.
13.13.3 Security Troubleshooting Facts
As a PC technician, there are a variety of security issues that you must deal with each day. Several common workstation security issues and practices are discussed here. The key to troubleshooting security issues is to do everything you can to prevent them from occurring in the first place. Consider the following preventative measures:
13.11 Proxy Servers
As you study this section, answer the following questions: What is the function of a proxy server? How can it be used to control internet traffic? What other functions can a proxy server perform? What should you do if Internet Explorer doesn't automatically detect a proxy server? In this section, you will learn to: Use a proxy server Key terms for this section include the following:
Which of the following is an important aspect of evidence gathering? Monitoring user access to compromised systems Backing up all log files and audit trails Purging transaction logs Restoring damaged data from backup media
Backing up all log files and audit trails When gathering evidence, it is important to make backup copies of all log files and audit trails. These files will help reconstruct the events leading up to the security violation. They often include important clues as to the identity of the attacker or intruder. Users should not be granted access to compromised systems while evidence gathering is taking place. Damaged data should not be restored, and transaction logs should not be purged while evidence gathering is taking place.
Do Not Allow Port Forwarding
Because of the wide-spread use of NAT routing to conserve registered IP addresses, some organizations implement port forwarding to allow access to internal network resources (such as a web server) from the internet. However, when you enable port forwarding you allow untrusted traffic into the internal network, which should be an area of high security. In this configuration, you must rely on the security configuration of the internal host that is being accessed externally to protect the rest of the network. For this reason, port forwarding implementations should be avoided.
What do biometrics use to authenticate identity? Biological attributes Knowledge of passwords Possession of a device Ability to perform tasks
Biological attributes Biometrics is based on biological attributes. Biometrics is a strong form of authentication because each person has unique characteristics. When these unique characteristics are used for authentication, they are more reliable and stronger than the best passwords. For example, no two people have the exact same fingerprint or retina pattern.
A user stores sensitive data on a USB flash drive. Which of the following can be used to encrypt the data on this drive? Administrative share Single sign-on Run as administrator Bitlocker To Go
Bitlocker To Go Bitlocker To Go can be used to encrypt a USB flash drive. A single sign-on permits a user and their programs to use their credentials to automatically log in to other sites and services. It's not used for encryption. Run as administrator is used to run an application with elevated privileges, not to encrypt data. An administrative share is used by administrators to access system drives. It's not used for encryption.
13.5.3 BIOS/UEFI Security Facts
Depending on your motherboard, you can configure the following security-related features in the BIOS/UEFI configuration utility:
A technician was able to stop a security attack on a user's computer. When conducting a forensic investigation, which of the following actions should be performed FIRST? Stop all running processes Document what's on the screen Remove the hard drive Turn off the system
Document what's on the screen Preserving evidence while conducting a forensic investigation is a trade-off. Any attempt to collect evidence may actually destroy the very data needed to identify an attack or attacker. Of the choices given, documenting what's on the screen is the least intrusive and the least likely to destroy critical evidence. Halting, disassembling, or stopping running processes may erase evidence.
Disk encryption
Encrypts the entire contents of a hard drive.
Which of the following protocols establish a secure connection and encrypt data for a VPN? (Select THREE). IPSec PPTP L2TP FTP RDP
IPSec PPTP L2TP A virtual private network (VPN) uses an encryption protocol (such as IPSec, PPTP, or L2TP) to establish a secure communication channel between two hosts, or between one site and another site. Data that passes through the unsecured network is encrypted and protected. The Remote Desktop Protocol (RDP) is used by Windows Terminal Services based applications, including Remote Desktop. FTP is used for transferring files and will not establish a secure connection.
BitLocker partition
Implementing BitLocker requires two NTFS partitions: > The system partition is a 100 MB volume that contains the boot files. This partition is set to active, and is not encrypted by the BitLocker process. > The operating system partition must be large enough for the operating system files. This partition is encrypted by BitLocker. Be aware of the following: > A new Windows installation creates both partitions prior to the installation of the operating system files. > For operating systems already installed on a single partition, you may need to resize the existing partition and create the system partition required by BitLocker.
MAC Spoofing
MAC spoofing occurs when an attacking device spoofs the MAC address of a valid host currently in the MAC address table of the switch. The switch then forwards frames destined for that valid host to the attacking device. This can be used to bypass: > A wireless AP with MAC filtering on a wireless network > Router ACLs > 802.1x port-based security
You are configuring the local security policy of a Windows system. You want to prevent users from reusing old passwords. You also want to force them to use a new password for at least five days before changing it again. Which of the following policies are BEST to configure? (Select TWO). Maximum password age Minimum password age Enforce password history Password complexity Minimum password length
Minimum password age Enforce password history Set the Enforce password history policy to prevent users from reusing old passwords. Set the Minimum password age policy to prevent users from changing passwords too soon. Passwords must remain the same for at least the time period specified. Use the Maximum password age policy to force periodic changes to the password. After the maximum password age has been reached, the user must change the password. Use the Password complexity to require that passwords include letters, numbers, and symbols. This makes it harder for hackers to guess or crack passwords. Minimum password length determines how how many characters must be in the password.
Implement Static IP Addressing
Most wireless access points provide a DHCP server function within the firmware of the device. Using DHCP makes it very easy for wireless hosts to connect to the wireless network. However, it also decreases the security of the network. With DHCP is enabled, the access point provides any wireless client with the appropriate information needed to communicate with other hosts on your network. If you implement static IP addressing, then wireless hosts must be statically configured with this information. This increases security because it makes it more difficult for attackers to connect to your wireless network. Even if they manage to associate with the access point, they still have to figure out what IP addressing information is required. This won't stop determined attackers, but it does make their job more difficult..
A user within your organization received an email relating how an account containing a large sum of money has been frozen by the government of a small middle eastern nation. The user was offered a 25% share of this account if she would help the sender transfer it to a bank in the United States. The user responded and was instructed to wire $5,000 to the sender to facilitate the transfer. She complied, but has not heard from the sender since. Which of the following BEST describes the type of attack which as occurred in this scenario? Eavesdropping Nigerian 419 scam Man-in-the-middle Vishing
Nigerian 419 scam A phishing attack has occurred in this scenario. This particular attack is sometimes referred to as a Nigerian 419 scam, and is very common. Vishing is similar to phishing, but instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information. Eavesdropping refers to an unauthorized person listening to conversations of employees or other authorized personnel discussing sensitive topics. A man-in-the-middle attack is a technological attack where a malicious person intercepts network communications between two hosts, posing as the sender to the receiver and as the receiver to the sender.
Which of the following is a firewall function? Packet rearranging Packet filtering Encrypting Protocol converting FTP hosting
Packet filtering Firewalls often filter packets by checking each packet against a set of administrator-defined criteria. If the packet is not accepted, it is simply dropped.
13.7.4 Password Facts
Passwords are probably the most common authentication credential used on computer systems. However, passwords have the following weaknesses: > Most users choose passwords that are easy for themselves to remember, but also easy for others to guess. Using social media, an attacker might be able to guess a user's password (using information such birthdays, names of family members, favorite sport teams, or pet names). > Automated attacks can be employed which try all likely or possible combinations in order to discover (or crack) a password. The following table lists common automated password attacks (which are also sometimes referred to as password cracks):
PPTP
Point-to-Point Tunneling Protocol
An after-school care center allows children to browse the internet. They want to limit the websites that the children can access. Which of the following network hosts would MOST likely provide this service? Print server Proxy server Web server DHCP server
Proxy server One function of a proxy server is to intercept request from a client browser, and either forward it on to the internet or deny access to the internet site. A print server manages network printers and makes them available to computers throughout the network. Print jobs are sent to the print server instead of directly to the printer. A web server offers web pages to clients. Many organizations have their own web server which is accessible from the internet or from the internal network. A DHCP server leases IP addresses to client computers when they first connect to the network.
Rogue Antivirus
Rogue antivirus exploits usually employ a pop-up in a browser that tells the user the computer is infected with a virus and that the user must click a link to clean it. Sometimes this exploit is used to trick users into paying for worthless software they don't need. However, it also is frequently used to deploy malware on the victim's computer.
Scareware
Scareware is a scam that fools users into thinking they have some form of malware on their system. The intent of the scam is to sell the user fake antivirus software to remove malware they don't have.
Spam
Spam may or may not be malicious in nature. However, it wastes time, network bandwidth, and storage space as many organizations are required by law in the United States to retain all email communications for a period of time. The best way to combat spam is to implement an anti-spam appliance that is placed between your network and the internet. The appliance scans all emails as they enter the organization and quarantines anything deemed to be spam.
13.6.5 Windows Defender Facts
Windows Defender helps protect against slow performance and malware-caused security threats. Like most other anti-malware engines, Windows Defender uses definition files to identify harmful software. Windows Defender provides the following features to protect your computer:
Which of the following forms of networking is highly susceptible to eavesdropping (data interception) and must be secured accordingly? ISDN DSL Satellite Dial-up Wireless
Wireless All forms of networking are potentially vulnerable to eavesdropping. Wireless networks by definition broadcast network transmissions openly and therefore can be detected by outsiders. Subsequently wireless networks should maintain data encryption to minimize the risk of transmitting information to unintended recipients.
To increase security on your company's internal network, the administrator has disabled as many ports as possible. Now, however, you can browse the internet, but you are unable to perform secure credit card transactions when making purchases from e-commerce websites. Which port needs to be enabled to allow secure transactions? 69 80 23 443 21
443 To perform secure transactions, SSL on port 443 needs to be enabled. HTTPS uses port 443 by default.
Countermeasures to prevent spoofing use:
> Firewall and router filters to prevent spoofed packets from crossing into or out of your private secured network. Filters will drop any packet suspected of being spoofed. > Certificates to prove identity > Reverse DNS lookup to verify the source email address > SecureDNS to identify emails with malicious domains. SecureDNS will redirect the user to a safe landing page or send the bad traffic to a sinkhole. > Encrypted communication protocols, such as IPsec > Ingress and egress filters to examine packets and identify spoofed packets. Ingress filters examine packets coming into the network, while egress filters examine packets going out of the network. Any packet suspected of being spoofed on its way into or out of your network will be dropped.
Be aware of the following when working with Windows Defender:
> For best protection, keep the definition files up to date. By default, Windows Defender checks for new updates every time a system scan takes place. Windows Defender also uses Windows updates to automatically download definition files. > Non-administrators can use Windows Defender to run scans. > To run a program on the Quarantined Items list, you must restore it on your system. When you run it, Windows Defender will identify it again as a potential security threat. Select Allow to add the program to the list of allowed items so that you can run it in the future without a prompting. > You can review past actions taken by Windows Defender through the History tab. You can also check for Windows Defender events in Event Viewer. > In a corporate environment, use Group Policy to manage Windows Defender settings on domain members. > If a third-party anti-malware scanner is installed on the system, Windows Defender may need to be disabled.
Additional countermeasures for malware include:
> Install anti-malware scanning software on email servers. Attachments are scanned before email is delivered. You can also block all attachments to prevent any unwanted software, but this can also block needed attachments as well. > Implement spam filters and real-time blacklists. When implementing filters, be sure not to make the filters too broad, otherwise legitimate emails will be rejected. > Train users to use caution when downloading software or responding to emails. > Train users to update their malware definition files frequently and to scan removable storage devices before copying files. > Disable scripts when previewing or viewing emails. > Implement software policies that prevent downloading software from the internet. > Keep your operating system files up-to-date; apply security-related hot fixes as they are released to bring all non-compliant systems into compliance. A non-compliant system is any computer that doesn't meet your security guidelines.
Wi-Fi Protected Setup (WPS)
A network security standard that makes wireless networks easier to manage.
Good anti-malware software is your first line of defense against malware. Be aware of the following when using anti-malware software:
> Malware definition files are provided by the software vendor. These files are used to identify viruses and are a vital component of the anti-malware software. > Protection against malware is provided only after a definition file has been released which matches the target malware. > For maximum protection, you must keep the definition files updated. Most software will automatically check for updated definition files daily. > You should scan new files before they are copied or downloaded to the system. You should also periodically scan the entire system.
Countermeasures for password attacks include the following:
> Require that user passwords: Contain multiple character types, including uppercase, lowercase, numbers, and symbols. Are a minimum length of eight characters (longer is even better). Do not contain any part of a username or email address. Do not contain words found in the dictionary. > Require that user passwords be changed frequently (such as every 30 days). This is called password aging. *Be aware that requiring overly complex passwords or changing them too frequently can cause users to circumvent security policies by writing down their passwords. > Retain password history to prevent re-use. > Implement multifactor authentication. > Audit computer systems for excessive failed logon attempts. > Implement account lockout to lock accounts when multiple incorrect passwords are used. > Monitor the network or system for sniffing and password theft tools In Windows, edit the Local Security Policy to modify password settings for a local computer, or the Default Domain Policy to control passwords for all computers in an Active Directory domain. The following table lists various policy settings that you should know.
As a PC technician, you should be familiar with the symptoms of a malware infection. Look for the following:
> Slow computer performance > Internet connectivity issues > Operating system lock ups > Windows update failures > Renamed system files > Disappearing files > Changed file permissions > Access denied errors *You should frequently check your logs in Event Viewer to identify suspicious behaviors. If you suspect a system has been infected, you should observe the following best practices to remove the malware: > Identify the malware symptoms. > Quarantine the infected system. > Disable system restore to prevent the malware from being saved in a restore point (and to prevent an uninfected restore point from being potentially deleted to make room for a new restore point). > Remediate the infected system. > Update the anti-malware definitions. > Scan for and remove the malware. Some malware can be removed while the system is running normally. However, some malware can be removed only while in Safe Mode or in the Pre-Installation Environment. > Schedule future scans and updates. > Re-enable system restore and create a new restore point. > Educate users to prevent the infection from happening again.
Trusted Platform Module (TPM)
A TPM is a special chip on the motherboard that generates and stores cryptographic keys. > You can use the BIOS/UEFI configuration program to initialize the TPM. > During initialization, you can set a TPM owner password. The TPM password is required to manage TPM settings. > The TPM includes a unique key on the chip that can be used for hardware system identification. > The TPM can generate a cryptographic key or hash based on the hardware in the system. It then uses this key value to verify that the hardware has not changed. This value can be used to prevent the system from booting if the hardware has changed. > The TPM can be used by applications to generate and save keys that are used with encryption.
Trojan Horse
A Trojan horse is a malicious program that is disguised as legitimate or desirable software. A Trojan horse: > Is usually hidden within useful software such as games. A wrapper is a program that is used legitimately, but has a Trojan attached to it that will infiltrate whichever computer runs the wrapper software. > Cannot replicate itself > Relies on user decisions and actions to spread > Often contains spy or backdoor functions that allow a computer to be remotely controlled from the network
Denial-of-Service Attack
A denial-of-service attack, also known as DoS or DDos (distributed denial-of-service) is when a service or an application is overwhelmed with remote connections from botnets, and it crashes because it cannot process all of them.
Firewall
A device that inspects network traffic and allows or blocks traffic based on a set of rules.
Dictionary
A dictionary attack tries to guess a user's password using a list of words from a dictionary. Often symbols and upper and lower case characters are substituted inside the dictionary word. The dictionary attack frequently works because users tend to choose easy-to-guess passwords. A strong password policy is the best defense against dictionary attacks.
Cloud-based protection
A feature that provides real-time protection by sending Microsoft information about potential security threats discovered by Windows Defender.
Man-in-the-Middle
A man-in-the-middle attack is used to intercept information passing between two communication partners. With a man-in-the-middle attack: > An attacker inserts himself in the communication flow between the client and server. The client is fooled into authenticating to the attacker. > Both parties at the endpoints believe they are communicating directly with each other, while the attacker intercepts and/or modifies the data in transit. The attacker can then authenticate to the server using the intercepted credentials. Man-in-the-middle attacks are commonly used to steal credit card numbers, online bank credentials, as well as confidential personal and business information.
Lo-jack
A mechanism used to secure systems that are vulnerable to theft.
Chassis intrusion detection
A motherboard feature that helps you identify when a system case has been opened.
Phishing
A phishing scam employs an email pretending to be from a trusted organization, asking to verify personal information or send a credit card number. In a phishing attack: > A fraudulent message (that appears to be legitimate) is sent to a victim. > The message requests that the target visit a fraudulent website (which also appears to be legitimate). Graphics, links, and websites look almost identical to legitimate websites they are trying to imitate. > The fraudulent website requests that the victim provide sensitive information, such as an account username and password. Common phishing scams include: > A Rock Phish kit uses a fake website that imitates a real website (such as banks, PayPal®, eBay®, or Amazon®). Phishing emails direct victims to the fake website where they enter account information. A single server can host multiple fake sites using multiple registered DNS names. These sites can be set up and taken down rapidly to avoid detection. > A Nigerian scam, also known as a 419 scam, involves email which requests a small amount of money to help transfer funds from a foreign country. For their assistance, the victim is promised a reward for a much larger amount of money that will be sent at a later date. > In spear phishing, attackers gather information about the victim, such as identifying which online banks they use. They then send phishing emails for the specific bank that the victim uses. > Whaling is another form of phishing that is targeted to senior executives and high profile victims. > Vishing is similar to phishing but instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing. To protect against phishing: > Check the actual link destination within emails to verify that they go to the correct URL and not a spoofed one. > Do not click on links in emails. Instead, type the real bank URL into the browser. > Verify that HTTPS is used when going to e-commerce sites. HTTPS requires a certificate that matches the server name in the URL that is verified by a trusted CA. You can also look for the lock icon to verify that HTTPS is used. If the website is using an invalid certificate, then an invalid SSL certificate warning appears when you try to access the website. > Implement phishing protections within your browser.
13.11.3 Proxy Server Facts
A proxy server is a device that stands as an intermediary between a host and the internet. A proxy server is a specific implementation of a firewall that uses filter rules to allow or deny internet traffic. With a proxy, every packet is stopped and inspected, which causes a break between the client and the server on the internet. Proxies can be configured to: > Control internet access based on user account and time of day. > Prevent users from accessing certain websites. For example, proxy servers used in schools or at home protect children from viewing inappropriate sites. > Restrict users from using certain protocols. For example, a proxy server at work might prevent instant messaging, online games, or streaming media. > Cache heavily accessed web content to improve performance. Be aware of the following when using proxy servers: > Configure a proxy server as a firewall device between the private network and the internet to control internet access based on user account. > You can use a third-party service that uses proxy servers at your ISP or on the internet for content filtering. > When using a proxy server, all traffic must be sent to the proxy server first before being forwarded to the destination device. This redirection is typically done by configuring the client to use the proxy server. > Content filtering solutions reconfigure the client such that the redirection is done automatically and cannot be bypassed. > Internet Explorer automatically detects and uses a proxy server if one is on the network. If the proxy server is not detected, use Internet Options to identify the proxy server IP address and port number. Steps to configure a proxy server will vary depending on the the tool used. For example, you can use a browser, such as Internet Explorer, or Google Chrome, as well as using Control Panel, or Windows Settings. To configure proxy settings using Internet Explorer and Control panel: 1. Access the Internet Options, "Connections" dialog. > Using Internet Explorer: - Open Internet Explorer. - To the right of the URL field, select Tools and then select Internet options. - Select the Connections tab. > Using Control Panel: - From Control Panel, select Network and Internet > Internet Options. - Select the Connections tab. 2. Select LAN settings. 3. Enable Use a proxy sewer for your LAN. 4. Configure the Address and Port fields as needed. To configure proxy settings using Windows 10 settings: 1. Right-click Start, then select Settings. 2. Select Network & Internet. 3. Select Proxy. 4. From the right pane, configure the proxy settings as required.
You connect your computer to a wireless network available at the local library. You find that you can't access several websites you need to on the internet. Which of the following is the MOST likely cause of this problem? A proxy server is filtering access to websites. A firewall is blocking ports 80 and 443. The router has not been configured to perform port forwarding. Port triggering is redirecting traffic to the wrong IP address.
A proxy server is filtering access to websites. A proxy server can be configured to block internet access based on website or URL. Many schools and public networks use proxy servers to prevent access to websites with objectionable content. Ports 80 and 443 are used by HTTP to retrieve all web content. If a firewall were blocking these ports, access would be denied to all websites. Port forwarding directs incoming connections to a host on the private network. Port triggering dynamically opens firewall ports based on applications that initiate contact from the private network.
Real-time protection
A software function that alerts you when spyware attempts to install itself or run on your computer.
Offline scanning
A system feature that causes the system to reboot and Windows Defender to run a scan in an offline state.
Scheduled scanning
A system feature that checks computer files for malware.
13.12.3 VPN Facts
A virtual private network (VPN) is a type of network that uses encryption to allow IP traffic to travel securely over the TCP/IP network. A VPN is used primarily to support secure communications over an untrusted network. > VPNs work by using a tunneling protocol that encrypts packet contents and wraps them in an unencrypted packet. > Tunnel endpoints are devices that can encrypt and decrypt packets. When you create a VPN, you establish a security association between the two tunnel endpoints. The endpoints create a secure, virtual communication channel. Only the destination tunnel endpoint can unwrap packets and decrypt the packet contents. > Routers use the unencrypted packet headers to deliver the packet to the destination device. Intermediate routers along the path cannot read the encrypted packet contents. > A VPN can be used over a local area network, across a WAN connection, over the internet, and even over a dial-up connection. > VPNs can be implemented in the following ways: - With a host-to-host VPN, two hosts establish a secure channel and communicate directly. With this configuration, both devices must be capable of creating the VPN connection. - With a site-to-site VPN, routers on the edge of each site establish a VPN with the router at the other location. Data from hosts within the site are encrypted before being sent to the other site. With this configuration, individual hosts are unaware of the VPN. - With a remote access VPN, a server on the edge of a network (called a VPN concentrator) is configured to accept VPN connections from individual hosts in a client-to-site configuration. Hosts that are allowed to connect using the VPN connection are granted access to resources on the VPN server or the private network. The following table describes the most common VPN tunneling protocols:
Virus
A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A virus has the following characteristics: > A virus requires a replication mechanism which is a file that it uses as a host. When the host file is distributed, the virus is also distributed. Viruses typically attach to files with execution capabilities such as .doc, .exe, and .bat extensions. Many viruses are distributed through email and are distributed to everyone in your address book. They can also be inadvertently downloaded from a malicious or compromised website. > The virus replicates only when an activation mechanism is triggered. For example, each time the infected file or program is executed, the virus is activated. > The virus is programmed with an objective, which is usually to destroy, compromise, or corrupt data.
Worm
A worm is a self-replicating program. A worm: > Does not require a host file to propagate. > Automatically replicates itself without an activation mechanism. A worm can travel across computer networks without requiring any user assistance. > Infects one system and spreads to other systems on the network.
Botnet/Zombie
A zombie is a computer that has been infected with a Trojan and is remote controlled by a zombie master. A botnet is a network of computers infected with the same Trojan. To find out if your computer has been turned into a zombie, examine the computer's firewall log files. The log will show the outbound traffic from the zombie going through the firewall to the zombie master. A botnet: > Uses IRC channels to communicate with the zombie master. > Is controlled by an infrastructure created by a zombie master (also known as the bot herder). > May be used for spamming, committing click fraud, and performing distributed denial-of-service attacks.
ARP Spoofing
ARP spoofing (also known as ARP poisoning) uses spoofed ARP messages to associate a different MAC address with an IP address. ARP spoofing can be used to perform a man-in-the-middle attack as follows: 1. When an ARP request is sent by a client for the MAC address of a device, such as the default gateway router, the attacker's system responds to the ARP request with its own MAC address. 2. The client receives the spoofed ARP response and uses that MAC address when communicating with the destination host. For example, packets sent to the default gateway are sent instead to the attacker. 3. The attacker receives all traffic sent to the destination host. The attacker can then forward these packets on to the correct destination using its own MAC address as the source address. ARP spoofing can also be used to perform Denial of Service (DoS) attacks by redirecting communications to fake or nonexistent MAC addresses.
You are configuring the local security policy of a Windows system. You want to require users to create passwords that are at least 10 characters long. You also want to prevent logon after three unsuccessful logon attempts. Which of the following policies are BEST to configure? (Select TWO). Account lockout duration Account lockout threshold Password complexity Maximum password age Enforce password history Minimum password length
Account lockout threshold Minimum password length Set the Minimum password length policy to require a password equal to or longer than the specified length. Set the Account lockout threshold policy to lock an account after the specified number of incorrect logon attempts. Incorrect policy choices for this scenario include Enforce password history requires users to input a unique (previously unused) password when changing the password. This prevents users from reusing previous passwords. Maximum password age forces users to change the password after the specified time interval. Password complexity prevents using passwords that are easy to guess or easy to crack. It forces passwords to include letters, symbols, and numbers, and also requires passwords of at least 7 characters. However, you cannot configure a longer password length requirement with this policy. Account lockout duration determines the length of time the account will be disabled (in minutes). When the time period expires, the account will be unlocked automatically.
Alice has received several calls from her friends informing her that they are receiving strange emails containing content that seems odd coming from her. Which of the following MOST likely happened on Alice's computer? A Trojan horse is running on Alice's computer. A family member used her account to send prank emails. A virus or malware was installed on Alice's computer. Alice's email account was hijacked.
Alice's email account was hijacked. Although a family member may have tried to play a trick on Alice, it is more plausible that her email was hijacked. Hijacked or hacked email accounts are suspected when those receiving the emails are confused by or suspicious of the email's content. Another indication of a hijacked email account is automated replies from unknown sent email. Email accounts can be hijacked using several techniques. Therefore, it may or may not be caused by malware or a Trojan horse. For example, some email providers, such as Yahoo, can have their systems compromised, and your email information (username and password) are sold and used to access your account. Since it is also possible that your email was compromised through malicious software, you should take the proper steps to verify that all malware software is removed.
Which of the following describes a man-in-the-middle attack? An attacker intercepts communications between two network hosts by impersonating each host. Malicious code is planted on a system where it waits for a triggering event before activating. A person over the phone convinces an employee to reveal their logon credentials. An IP packet is constructed which is larger than the valid size.
An attacker intercepts communications between two network hosts by impersonating each host. A man-in-the-middle attack is a technological attack where a malicious person intercepts network communications between two hosts, posing as the sender to the receiver and as the receiver to the sender. Convincing an employee over the phone to reveal his logon credentials is an example of a social engineering attack. Constructing an IP packet which is larger than the valid size is a form of denial of service attack. Planting malicious code on a system where it waits for a triggering event before activating is a logic bomb.
Eavesdropping
An unauthorized person listening to sensitive conversations.
Bob calls and complains that he has suddenly started getting a lot of unwanted email. Which of the following is the BEST type of software to install to help solve Bob's problem? Anti-malware Anti-plagiarism Anti-spam Anti-virus
Anti-spam In computer terms, SPAM email (or junk email) is the unsolicited email users receive. One of the best ways to prevent receiving this type of email is to use anti-spam software. Anti-malware software helps protects a computer from software that is intentionally designed to cause harm or damage to your computer. Anti-virus software helps protect the infiltration and spread of malicious code that is designed to alter the way a computer operates. Anti-plagiarism software helps detect when someone has plagiarized someone else's material.
13.9.2 Wired Network Security Facts
As a system administrator, there are several best practices that you can employ to increase the security of a wired network. The goal is to make the network more difficult to compromise and accordingly less attractive to an attacker. These best practices are listed in the following table:
13.9.4 Wireless Network Security Facts
As a system administrator, there are several best practices that you can employ to increase the security of a wireless network. The goal is to make the network more difficult to compromise and accordingly less attractive to an attacker. These best practices are listed in the following table:
13.6 Malware Protection
As you study this section, answer the following questions: > What is the role of a signature file when using anti-malware software to protect a system? > How often should the signature files be updated? > Why does showing file extensions help to protect against malware? > What are some common symptoms that might make you suspect that your system is infected with malware? > When your system is infected with malware, what remediation actions can you take? > What happens when a file is quarantined? > Why is user education often the best protection against malware? In this section, you will learn to: > Configure Windows Defender Key terms for this section include the following:
13.13 Security Troubleshooting
As you study this section, answer the following questions: > What key preventative measures can you employ to increase the overall security of your computers and network? > A user reports that someone on the internet is using her Gmail account to send spam. How did this happen? > A malicious individual has set up a fake website that looks identical to a major bank's website. Users trying to connect to the legitimate site are redirected to the malicious site. How did this happen? > A user reports that a pop-up window is displayed on his computer indicating he has a virus. What should you tell him to do? > What are the symptoms of a malware infection? > What is the proper procedure for removing malware from a system? Key terms for this section include the following:
13.8 File Encryption
As you study this section, answer the following questions: > Which encryption method encrypts individual files so that only itsowner and authorized users can decrypt the file and read it? > Why is it important to not move files that have been encrypted with EFS to a non-NTFS partition? > How does file encryption differ from disk encryption? > What is the role of a TPM when implementing whole disk encryption? > Which editions of Windows provide BitLocker support? > How can BitLocker be implemented on Windows systems lacking a TPM chip on the motherboard? > What protocols are commonly used to establish a VPN? Which protocol is typically used for web transactions? > What protocols are commonly used to encrypt and secure wireless communications? In this section, you will learn to: > Configure file encryption Key terms for this section include the following:
13.7.10 Authentication Management Facts
Authentication is the process of submitting and checking credentials to validate or prove user identity. On a computer system, authentication typically occurs during logon where the user provides a username and password or some other form of credential (such as a smart card or a biometric scan). The system verifies the credentials, allowing access if the credentials are valid. Be aware of the following when troubleshooting user authentication on Windows systems. > For a workgroup, the username must match a user account configured on the local system. However, if the computer is a member of a domain, the username must match a user account configured in the domain database on the domain controller. > Usernames are not case sensitive. > Passwords are case sensitive. Having the Caps Lock on (or the Fn key or the Num Lock on a laptop) could result in incorrect characters in the password. > Password Policy settings in the Local Security Policy control characteristics about a password such as how long it must be, how often it must be changed, or whether complex passwords are required. > Account Lockout Policy settings in the Local Security Policy control what happens when users enter incorrect passwords. With account lockout, an account is locked (and cannot be used for logon) when a specified number of incorrect passwords are entered. - Depending on the policy settings, locked accounts might be unlocked automatically after a period of time. - You can unlock a locked account by editing the account properties in Local Users and Groups. - If an account is locked because the user forgot the password, an administrator can change the password using Local Users and Groups. As a best practice, when changing the password for a user, the password the administrator configures should be a temporary password. In the user account properties, select User must change password at next logon to require the user to change the password after logging on with the temporary password. > A disabled account cannot be used for logon. - You will typically disable an account that is no longer needed or that will not be used for a long period of time. - You can manually disable and enable an account; however, you cannot manually lock an account (you can only unlock a locked account). Accounts are locked automatically through the account lockout settings. - By default, the Guest account is disabled. On later versions of Windows, the built-in Administrator account is also disabled during installation. Both of these accounts are usually left disabled. > To access a shared folder, shared printer, or Remote Desktop within a workgroup environment, you must supply credentials that match a valid user account configured on the remote computer you are trying to access. The user account you specify must have a password configured. User accounts with blank passwords cannot be used to access a computer over the network. > By default, members of the Administrators group are allowed Remote Desktop access. To allow non-administrators access, add them to the list of authorized users for Remote Desktop. This automatically makes them members of the Remote Desktop Users group. *To increase authentication security, consider implementing multiple authentication factors. Three commonly used types of authentication factors are listed in the following table:
Employees currently access a data center using RFID badges. The company is concerned that an unauthorized person could gain access using a lost or stolen badge. Which of the following could be implemented to increase the physical security? Key fobs Smart cards Biometric locks Security tokens
Biometric locks Biometric locks require a user to authenticate with a unique personal attribute such as their iris, fingerprint, or voice. Smart cards can be lost or stolen as easily as any other badge. Key fobs contain a security code that changes at predetermined intervals. Like badges, they can be lost or stolen. Tokens are the security components used in devices to provide the holder of the token the proper access level. They can be transmitted via card readers, magnetic swipes, or wireless communication. The company's current RFID badges would include these tokens.
You want a security solution that protects the entire hard drive, preventing access even when it is moved to another system. Which of the following is the BEST method for achieving your goals? BitLocker IPsec VPN EFS
BitLocker BitLocker is a Microsoft security solution that encrypts the entire contents of a hard drive, protecting all files on the disk. BitLocker uses a special key, which is required to unlock the hard disk. You cannot unlock/decrypt a drive simply by moving it to another computer. EFS is a Windows file encryption option, but only encrypts individual files. Encryption and decryption is automatic and dependent upon the file's creator and whether other uses have read permissions. A virtual private network (VPN) uses an encryption protocol (such as IPsec, PPTP, or L2TP) to establish a secure communication channel between two hosts or between one site and another site. Data that passes through the unsecured network is encrypted and protected.
13.8.6 BitLocker Facts
BitLocker protects against unauthorized data access on lost or stolen laptops and on other compromised systems. > BitLocker encrypts the entire contents of the operating system partition, including operating system files, swap files, hibernation files, and all user files. A special BitLocker key is required to access the contents of the encrypted volume. > BitLocker uses integrity checking early in the boot process to ensure that the drive contents have not been altered and that the drive is in the original computer. If any problems are found, the system will not boot and the drive contents remain encrypted. The integrity check prevents hackers from moving the hard disk to another system in order to try to gain access to its contents. > BitLocker requires data to be decrypted before it can be used, which reduces disk I/O throughput. > BitLocker is available only on Ultimate and Enterprise editions of Windows. > In Windows 8 and later, you can choose to encrypt the entire volume or just the used space on the volume. > BitLocker uses the following components:
A user reports that his machine will no longer boot properly. After asking several questions to determine the problem, you suspect the user unknowingly downloaded malware from the internet, and that the malware corrupted the boot block. Based on your suspicions, which of the following actions would you MOST likely take to correct the problem? (Select TWO.) Boot from the Windows installation DVD and use the Recovery Environment to run a startup repair. Boot into Safe Mode and try removing the malware. Reimage the machine. Have the user attend an internal internet safety training course. Run sfc.exe.
Boot from the Windows installation DVD and use the Recovery Environment to run a startup repair. Reimage the machine. From the Recovery Environment, run a startup repair operation. If you have an existing image of the computer, you could also reimage the system. However, all data and applications added to the system since the image was created will be lost. Reimaging the system will typically get Windows back up and running on the computer more quickly than manually re-installing the operating system. User training is a preventative measure against malware infections; however, the training will not repair the current damage. Sfc.exe scans every system file in the operating system for altered files, but does not scan the master boot record or the volume boot record. Since the machine no longer boots properly, booting into Safe Mode is not an option in this scenario.
Your anti-malware software has detected a virus on your Windows 10 system. However, the anti-malware software is unable to remove it. When you try to delete the files, you can't because they are in use. Which of the following actions would be BEST to try first? Boot into Safe Mode and try removing the malware. Run Sfc.exe. Update the anti-malware definition files. Reset the operating system.
Boot into Safe Mode and try removing the malware. If a malware process is running and you are unable to stop it, try booting into Safe Mode and then run the scanning software to locate and remove the malware (or delete the files manually). Safe Mode loads only the required drivers and processes. Anti-malware definition files are used to identify a virus; in this case, the anti-malware software has already detected the virus so the files are sufficiently up-to-date to detect the virus. Resetting the operating system might be necessary, but should only be tried after all other measures have failed. Sfc.exe checks and repairs system files.
Which of the following functions are performed by proxy servers? (Select TWO). Cache web pages Store client files Block unwanted packets from entering your private network Filter unwanted email Block employees from accessing certain websites
Cache web pages Block employees from accessing certain websites A proxy, or proxy server, stands between client computers and web servers. You can use a proxy server to prevent access to specific websites, or to cache (save) frequently used web pages. When a proxy receives a request from the client, it checks to verify that the client is allowed access to the website. If allowed, it then checks its cache to see if the requested page is in the cache. If the page is already cached, then the proxy server fulfills the request by displaying the requested page from the cache rather than retrieving it from the internet. Receiving a web page from a local proxy server is much faster than downloading the page from the internet.
Which of the following are likely symptoms of malware infection? (Select TWO). Changed file permissions Operating system updates that were installed without your knowledge Renamed system files Cookies placed by a website recently visited Receipt of phishing emails in your inbox
Changed file permissions Renamed system files Common symptoms of a malware infection include the following: Slow computer performance Internet connectivity issues Operating system lock ups Windows update failures Renamed system files Disappearing files Changed file permissions Access denied errors Cookies are commonly placed by legitimate websites and aren't considered a major security threat. Windows operating systems automatically install updates by default. Receiving phishing emails doesn't necessarily indicate that the system is infected with malware. It's more likely your email address has been picked up and included on a list.
You've just finished installing a wireless access point for a client. Which action best protects the access point from unauthorized tampering with its configuration settings? Changing the default administrative password Disabling SSID broadcast Disabling DHCP Implementing MAC address filtering
Changing the default administrative password To prevent administrative access to the access point, change the default administrator password. If you do not change the password, users can search the internet for the default password and use it to gain access to the access point and make configuration changes. Disabling SSID broadcast, disabling DHCP, and using MAC address filtering helps prevent unauthorized access to the wireless network.
Which of the following indicates that a system case cover has been removed? Trusted Platform Module (TPM) BIOS password DriveLock Chassis intrusion detection
Chassis intrusion detection Chassis intrusion detection helps you identify when a system case has been opened. When the case cover is removed, an alert is recorded in the BIOS. A BIOS password controls access to the system. If set, the administrator (or supervisor or setup) password is required to enter the CMOS program to make changes to BIOS settings. A Trusted Platform Module (TPM) is a special chip on the motherboard that generates and stores cryptographic keys to verify that the hardware has not changed. This value can be used to prevent the system from booting if the hardware has changed. DriveLock is a disk encryption solution.
You need to configure a Windows workstation with the IP address of the proxy server for your network. Click the tab in the Internet Properties window that you would use to do this.
Connections To configure the IP address of the proxy server, go to Control Panel > Network and Internet > Internet Options. Click the Connections tab and then select LAN settings. In the dialog displayed, you can enable a proxy server for the LAN and then enter the proxy server's IP address and port number.
Following your Windows installation, you enabled the built-in Administrator account. You remove the password for this account. You enable Remote Desktop on your computer using the default settings. From home, you try to access your computer using Remote Desktop using the Administrator account, but you are unable to log on. Which of the following MUST be completed before you can access your computer using Remote Desktop? Configure a password for the Administrator account. Unlock the Administrator account. Make the Administrator account a member of the Remote Desktop Users group. Disable fast user switching on the computer.
Configure a password for the Administrator account. When you access shared folders or Remote Desktop on a network computer, the user account must be configured with a password. User accounts with blank passwords cannot be used to gain network access to a computer. By default, members of the Administrators group are allowed Remote Desktop access. To allow non-administrators access, add them to the list of authorized users for Remote Desktop. The user accounts you specify are made members of the Remote Desktop Users group. Accounts are locked automatically through the account lockout settings when too many incorrect passwords have been entered. Fast user switching is only configurable on Windows XP and does not affect users' ability to log on with Remote Desktop.
You want to configure your computer so that a password is required before the operating system will load. What should you do? Configure a user password in the BIOS/UEFI. Require complex passwords in the local security policy. Configure chassis instruction detection. Configure an administrator password in the BIOS/UEFI.
Configure a user password in the BIOS/UEFI. Configuring a user password in the BIOS/UEFI requires that a valid password is entered before the operating system will load. When an administrative password is set, it must be entered in order to access the firmware setup program. Chassis intrusion detection helps you identify when a system case has been opened. Password settings in the local security policy control passwords associated with user accounts that are configured within the operating system. These passwords are used after the system loads the operating system, not before.
A salesperson in your organization spends most of her time traveling between customer sites. After a customer visit, she must complete various managerial tasks, such as updating your organization's order database. Because she rarely comes back to your home office, she usually accesses the network from her notebook computer using Wi-Fi access provided by hotels, restaurants, and airports. Many of these locations provide unencrypted public Wi-Fi access, and you are concerned that sensitive data could be exposed. To remedy this situation, you decide to configure her notebook to use a VPN when accessing the home network over an open wireless connection. Which of the following key steps should you take when implementing this configuration? (Select TWO. Each option is part of the complete solution.) Configure the VPN connection to use PPTP. Configure the VPN connection to use MS-CHAPv2. Configure the browser to send HTTPS requests directly to the Wi-Fi network without going through the VPN connection. Configure the browser to send HTTPS requests through the VPN connection. Configure the VPN connection to use IPsec.
Configure the browser to send HTTPS requests through the VPN connection. Configure the VPN connection to use IPsec. It is generally considered acceptable to use a VPN connection to securely transfer data over an open Wi-Fi network. As long as strong tunneling ciphers and protocols are used, the VPN provides sufficient encryption to secure the connection even though the wireless network itself is not encrypted. It is recommended that you use IPsec or SSL to secure the VPN, as these protocols are relatively secure. You should also configure the browser's HTTPS requests to go through the VPN connection. To conserve VPN bandwidth and to improve latency, many VPN solutions automatically reroute web browsing traffic through the client's default network connection instead of through the VPN tunnel. This behavior would result in HTTP/HTTPS traffic being transmitted over the unsecure open wireless network instead of through the secure VPN tunnel. Avoid using PPTP with MS-CHAPv2 in a VPN over open wireless configuration, as these protocols are no longer considered secure.
Network appliances
Devices that are dedicated to providing certain network services.
Data Transmission Encryption
Data that is sent through a network can potentially be intercepted and read by an attacker. Use some form of encryption to protect data sent through a network. You should be aware of the following solutions to protect data communications. > A virtual private network (VPN) uses an encryption protocol to establish a secure communication channel between two hosts, or between one site and another site. Data that passes through the unsecured network is encrypted and protected. > IPsec, PPTP, and L2TP are common protocols used for establishing a VPN. > Secure Sockets Layer ((SSL) is a protocol that can be added to other protocols to provide security and encryption. For example, HTTPS uses SSL to secure Web transactions. > Use WPA, WPA2, or WEP to secure wireless communications, which are highly susceptible to eavesdropping (data interception). WEP, WPA Personal, and WPA2 Personal use a common shared key configured on the wireless access point and on all wireless clients. > When implementing network services, do not use protocols such as FTP or Telnet that pass logon credentials and data in clear text. Instead, use a secure alternative such as FTP-S or SSH.
A small company hires a technician to review their wireless security. The technician discovers that the wireless signal is available outside of the building. Which of the following could the technician recommend to correct this problem? (Select TWO). Decrease radio power levels. Implement a directional antennae. Update firmware. Enable MAC filtering. Disable SSID broadcast.
Decrease radio power levels. Implement a directional antennae. Directional antennae can be positioned to point wireless signals toward more desired areas and away from less desired areas. Decreasing radio power levels can limit the radius of the effective wireless signal. MAC filtering can be used to block devices from connecting, but does not limit the wireless signal. Disabling SSID broadcast can make a wireless network more secure, but does not limit the wireless signal. Updating firmware is a good practice, but does not limit the wireless signal.
Which of the following measures will make your wireless network less visible to the casual attacker? Implement WPA2 Personal Implement MAC address filtering Disable SSID broadcast Change the default SSID Use a form of authentication other than Open authentication
Disable SSID broadcast Wireless access points are transceivers which transmit and receive radio signals on a wireless network. Each access point has a service set ID (SSID) which identifies the wireless network. By default, access points broadcast the SSID to announce their presence and make it easy for clients to find and connect to the wireless network. You can turn off the SSID broadcast to keep a wireless 802.11 network from being automatically discovered. When SSID broadcasting is turned off, users must know the SSID to connect to the wireless network. This helps to prevent casual attackers from connecting to the network, but any serious hacker with the right tools can still connect to the wireless network. Using authentication with WPA2 helps prevent attackers from connecting to your wireless network, but does not hide the network. Changing the default SSID to a different value does not disable the SSID broadcast. Implementing MAC address filtering prevents unauthorized hosts from connecting to your WAP, but it doesn't disable the SSID broadcast.
A small business named Widgets, Inc. has hired you to evaluate their wireless network security practices. As you analyze their facility, you note the following using a wireless network locator device: They use an 802.11n wireless network. The wireless network is broadcasting the SID Linksys. The wireless network uses WPA2 with AES security. Directional access points are positioned around the periphery of the building. Which of the following would you MOST likely recommend your client do to increase their wireless network security? (Select TWO). Disable SSID broadcast. Implement omnidirectional access points. Configure the wireless network to use WPA with TKIP security. Change the SSID to something other than the default. Upgrade to an 802.11g wireless network.
Disable SSID broadcast. Change the SSID to something other than the default. You should recommend the following: Disable SSID broadcast. This makes the network harder (but not impossible) to locate. Change the SSID to something other than the default. This obscures what type of AP is in use. Using WPA instead of WPA2 would decrease the security of the wireless network, as would implementing omnidirectional APs. Switching to an 802.11g network would dramatically reduce the speed of the network without providing any security enhancements.
You just bought a new notebook. This system uses UEFI firmware and came with Windows 10 preinstalled. However, you want to use Linux on this system. You download your favorite distribution and install it on the system, removing all Windows partitions on the hard disk in the process. When the installation is complete, you find that the operating system won't load when the system is rebooted. Which of the following would allow your computer to boot to Linux? Enable SecureBoot in the UEFI configuration. Disable SecureBoot in the UEFI configuration. Reinstall Windows 10 on the system. Set the boot order to boot from the hard disk first in the UEFI configuration. Enable the TPM chip on the motherboard.
Disable SecureBoot in the UEFI configuration. You should disable the SecureBoot option in the UEFI configuration. SecureBoot requires the operating system installed on the hard drive to be digitally signed. If it isn't digitally signed, then the UEFI firmware will not boot it by default. Reinstalling Windows 10 doesn't meet the requirements of the scenario. If SecureBoot is already enabled, then the TPM chip on the motherboard must already be enabled. The boot order configuration is not preventing the system from booting in this scenario.
You are a security consultant and have been hired to evaluate an organization's physical security practices. All employees must pass through a locked door to enter the main work area. Access is restricted using a smart card reader. Network jacks are provided in the reception area such that employees and vendors can access the company network for work-related purposes. Users within the secured work area have been trained to lock their workstations if they will be leaving them for any period of time. Which of the following recommendations would you MOST likely make to this organization to increase their security? Replace the smart card reader with a key code lock. Require users to use screensaver passwords. Disable the switch ports connected to the network jacks in the reception area. Move the receptionist's desk into the secured area.
Disable the switch ports connected to the network jacks in the reception area. You should recommend the company disable the switch ports connected to the network jacks in the reception area. Having active network jacks in an unsecured area allows anyone who comes into the building to connect to the company's network. Smart card readers are generally considered more secure than key code locks because access codes can be easily shared or observed. Training users to lock their workstations is more secure than screensaver passwords, although this may be a good idea as a safeguard in case a user forgets.
Which of the following security solutions would prevent a user from reading a file which she did not create? BitLocker IPSec EFS VPN
EFS EFS is a Windows file encryption option that encrypts individual files so that only the user who created the file can open it. Decryption is automatic when the file owner opens it. Other users cannot open the encrypted file unless specifically authorized. BitLocker is a Microsoft security solution which encrypts the entire contents of a hard drive, protecting all files on the disk. BitLocker uses a special key which is required to unlock the hard disk. You cannot unlock/decrypt a drive simply by moving it to another computer. A virtual private network (VPN) uses an encryption protocol (such as IPSec, PPTP, or L2TP) to establish a secure communication channel between two hosts, or between one site and another site. Data that passes through the unsecured network is encrypted and protected.
Educate Users
Educate users about current security threats and how to respond to them. For example, teach them to: > Use strong passwords. This includes email account passwords as well as workstation account passwords. > Distrust anything coming from the web: Don't click anything just because the site says you must do so. > View email with suspicion. A reputable company in the modern world will not send an email asking users to respond with personal information. Any message that does is using phishing to gather personal information. > Recognize social engineering attempts and respond appropriately As a PC technician, there are many key security threats that you need to be aware of:
A company has chosen a UTM instead of an IDS or IPS appliance to protect their network. Which of the following UTM security features is not available with an IDS or IPS? Email and antispam filtering Intrusion detection Intrusion prevention Anomaly logs and alerts
Email and antispam filtering A unified threat management (UTM) appliance offers the best network protection in a single device. It has all the features of an intrusion detection system (IDS) or intrusion prevention system (IPS). One of the features of a UTM that is not found in an IDS or IPS is email and antispam filtering. UTMs, IDSs, and IPSs all provide intrusion detection functions. Both UTMs and IPSs provide intrusion prevention functions. UTMs, IDSs, and IPSs all log anomalies and send alerts.
Employees complain to the company IT division that they are spending considerable time and effort discarding unwanted junk email. Which of the following should be implemented? Email filtering Firewall Antivirus Multifactor authentication
Email filtering While email filtering can be implemented by each user, it can also be enabled in incoming mail services to reduce spam and other unwanted email by blocking email based on the sender address or by content. Antivirus software can protect computers from viruses found in emails, but is not used to filter email content. Firewalls are placed between the company network and the internet to filter network traffic at the IP level. Normally, they do not filter email based on content. Multifactor authentication combines a strong password with at least one other form of authentication before granting access. It does not filter email.
Which of the following features is supplied by WPA2 on a wireless network? (Select TWO). Centralized access for clients Identification of the network Filtering of traffic based on packet characteristics Encryption Authentication Refusal of client connections based on MAC address
Encryption Authentication Wi-Fi Protected Access 2 (WPA2) provides encryption and authentication for wireless networks. MAC address filtering allows or rejects client connections based on the hardware address. The SSID is the network name or identifier. A wireless access point (called an AP or WAP) is the central connection point for wireless clients. A firewall allows or rejects packets based on packet characteristics (such as address, port, or protocol type).
Which of the following statements about an SSL VPN are true? (Select TWO). Uses UDP port 500. Provides message integrity using HMAC. Encrypts the entire communication session. Uses port 443. Encapsulates packets by adding a GRE header. Uses pre-shared keys for authentication.
Encrypts the entire communication session. Uses port 443 SSL VPN uses the SSL protocol to secure communications. SSL VPN: Authenticates the server to the client using public key cryptography and digital certificates. Encrypts the entire communication session. Uses port 443, which is already open on most firewalls. IPsec uses pre-shared keys to provide authentication with other protocols. IPsec also uses HMAC to provide message integrity checks. GRE headers are used exclusively by the GRE tunneling protocol. UDP port 500 is used by the Layer Two Tunneling Protocol (L2TP).
Which of the following techniques are used in a pharming attack to redirect legitimate web traffic to malicious websites? (Select TWO). Dictionary attack Man-in-the-middle attack Exploiting DHCP servers to deliver the IP address of poisoned DNS servers Search engine results poisoning Changing the hosts file of a user's computer
Exploiting DHCP servers to deliver the IP address of poisoned DNS servers Changing the hosts file of a user's computer Pharming redirects one website's traffic to a bogus website designed to look like the real website. Once the user is there, the attacker tricks the user into supplying personal information, such as bank account and PIN numbers. Pharming works by resolving legitimate URLs to the IP address of malicious websites. This is typically done using one of the following techniques: Changing the hosts file of a user's computer Poisoning a DNS server Exploiting DHCP servers to deliver the IP address of malicious DNS servers in DHCP leases Search engine results poisoning is not typically associated with pharming attacks. A man-in-the-middle attack occurs when the attacker intercepts legitimate network traffic and then poses as one of the parties involved in the network communication. A dictionary attack is used to crack passwords by guessing the password from a list of likely words.
File Encryption
File encryption encrypts individual files so that only the user who created the file can open it. > The Encrypting File Service (EFS) on Windows systems encrypts individual files. Windows automatically decrypts a file when the file owner accesses it. > With EFS, you can add other users who are also allowed to access the encrypted file. > EFS is available only on NTFS partitions. Moving an encrypted file to a non-NTFS partition removes the encryption. > Files remain encrypted and inaccessible even when the drive is moved to another computer or if another operating system is used. This is because the encryption keys needed to decrypt the file do not exist on these other systems. > Encryption cannot be used together with compression (you can use either, but not both).
Which type of biometric authentication uses the ridges of your skin? Retina scan Keystroke dynamics Face scan Fingerprint
Fingerprint Fingerprint biometrics use the ridges of your skin, which are known as ridge minutiae. Retina scans use blood vein patters, facial scans use a facial pattern, and keystroke dynamics use a behavioral system.
Which of the following security measures is a form of biometrics? TPM BIOS password Fingerprint scanner Chassis intrusion detection
Fingerprint scanner A fingerprint scanner is a type of biometrics. The fingerprint scanner uses the ridges of your skin known as ridge minutiae. A Trusted Platform Module (TPM) is a special chip on the motherboard that generates and stores cryptographic keys to verify that the hardware has not changed. This value can be used to prevent the system from booting if the hardware has changed. Chassis intrusion detection helps you identify when a system case has been opened. A BIOS password controls access to the BIOS setup program.
A user can't make an RDP connection from outside the network to a server inside the network. Which network device will a network administrator MOST likely configure to allow this connection? Firewall Hub Access point Switch
Firewall A firewall filters network traffic based on a set of rules. The network administrator will most likely configure the firewall to allow RDP traffic. A switch maintains a table of MAC addresses by port and forwards network frames to only the port that matches the MAC address. An access point gives Wi-Fi access to a network. A hub transmits a data frame to every port except the port that received the data frame.
For some time now, you have been using an application on your Windows 10 computer at home and while in the office. This application communicates with the internet. Today, your team lead decided to have a special team meeting at a local hotel. During this meeting, you obtained access to the internet using the hotel's network, but when you tried to run your application, it could not communicate with the internet. Which of the following Control Panel settings is MOST likely causing this behavior? Firewall settings Programs settings Privacy settings Security settings
Firewall settings Microsoft's Windows Defender Firewall lets you configure which applications have access in and out of your computer by means of the internet. This helps you to protect your computer, your data, and even your identity, and the program runs in the background. Since the application had access at home (a private network) and at the office (a domain network), but not in the hotel (a guest or public network), the most likely scenario is that this application is being blocked by the firewall's Guest and Public Networks settings. The Privacy settings control the level of access cookies have to your machine. Security settings is where you maintain the settings for each of your four internet zones. The zones can have their security set from medium to high. Security Settings is where you can enable or disable Protected Mode. Since the only change in your program access was moving to the hotel, it is not likely that Protected Mode is blocking access. Programs settings let you define your default web browser and allow or block add-ons or plug-ins used to accelerate multimedia performance, including Active X features.
The TCP/IP session state between two computers on a network is being manipulated by an attacker such that she is able to insert tampered packets into the communication stream. Which of the following BEST describes the type of attack which as occurred in this scenario? Whaling Hijacking Spear phishing Phishing
Hijacking A hijacking attack has occurred. Hijacking happens when the TCP/IP session state is manipulated such that a third party is able to insert alternate packets into the communication stream. A phishing scam employs an email pretending to be from a trusted organization, asking to verify personal information or send a credit card number. In spear phishing, attackers gather information about the victim, such as identifying which online banks they use. They then send phishing emails for the specific bank that the victim uses. Whaling is another form of phishing that is targeted to senior executives and high-profile victims.
Which of the following protocols provides authentication and encryption services for VPN traffic? TCP SSL L2TP IPsec
IPsec IPsec is a security implementation that provides security for all other TCP/IP based protocols. IPsec provides authentication through a protocol called IPsec Authentication Header (AH) and encryption services through a protocol called IPsec Encapsulating Security Payloads (ESP). The Transmission Control Protocol (TCP) is a transport layer connection-oriented protocol that provides data transmission services. It is not a secure protocol, and relies on other measures, such as IPsec, to provide security. The Secure Sockets Layer (SSL) is an application layer protocol that is designed to secure network traffic from certain other protocols, such as Hypertext Transfer Protocol (HTTP) and Post Office Protocol version 3 (POP3). It does not provide security for protocols lower in the TCP/IP protocol stack, such as TCP and UDP. The Layer 2 Tunneling Protocol (L2TP) is a protocol used to encapsulate Point-to-Point protocol (PPP) traffic.
13.6.2 Malware Facts
Malware (sometimes called malicious code) is a type of software designed to take over or damage a computer user's operating system, without the user's knowledge or approval. It can be very difficult to remove and it can cause considerable damage. Common malware exploits are listed in the following table:
Internet Protocol Security (IPsec)
IPsec provides authentication and encryption, and it can be used in conjunction with L2TP or by itself as a VPN solution. IPsec includes the following three protocols for authentication, data encryption, and connection negotiation: > Authentication Header (AH) enables authentication with IPsec. > Encapsulating Security Payload (ESP) provides data encryption. > Internet Key Exchange (IKE) negotiates the connection. IPsec can be used to secure the following types of communications: > Host-to-host communications within a LAN > VPN communications through the internet, either by itself or in conjunction with the L2TP VPN protocol > Any traffic supported by the IP protocol, including web, email, Telnet, file transfer, SNMP traffic, as well as countless others IPsec uses either digital certificates or pre-shared keys
Two employees are unable to access any websites on the internet, but can still access servers on the local network, including those residing on other subnets. Other employees are not experiencing the same problem. Which of the following actions would BEST resolve this issue? Identify the filter settings on the proxy server for specific internet sites. Reconfigure the clients to send all traffic directly to the ISP, bypassing the proxy server. Identify the proxy server name and port number in Internet Options. Use ipconfig to confirm that APIPA has not assigned an IP address.
Identify the proxy server name and port number in Internet Options. In this case, you should identify the proxy server name and port number in Internet Options. Windows automatically detects and uses a proxy server if one is on the network. If the proxy server is not detected, you should manually configure the proxy settings. If you bypass the proxy server, the clients are no longer managed by the proxy server. This is not a recommended solution. Because other users are not experiencing the same problems, the filtering settings on the proxy server for specific internet sites are probably not the cause of the problem. IP addresses assigned by APIPA force the client to the 169.254.0.0 subnet. This would prevent the client form accessing internal servers that use static IP addresses, especially those on different subnets.
Malware Symptoms
If you suspect that your system is infected with malware, keep the following in mind: > Common symptoms of malware on your system include: The browser home page or default search page has changed. Excessive pop-ups or strange messages are displayed. Firewall alerts about programs trying to access the internet. System errors about corrupt or missing files are displayed. File extension associations have changed to open files with a different program. There are files that disappear, are renamed, or are corrupt. New icons appear on the desktop or taskbar, or new toolbars are displayed in the browser. The firewall or antivirus software is turned off, or you can't run antivirus scans. The system won't boot. The system runs very slowly. Unusual applications or services are running. > Some malicious software can hide themselves such that there might not be any obvious signs of their presence. Other symptoms of an infection include: Slow internet access. Excessive network traffic, or traffic during times when no activity should be occurring. Excessive CPU or disk activity. Low system memory. An unusually high volume of outgoing email, or email sent during off hours. > Regular system scans can detect and fix many problems. Most software lets you schedule complete system scans, such as daily or weekly. If you suspect a problem, initiate a full system scan immediately.
A local dentist has contracted with you to implement a network in her new office. Because of security concerns related to patient privacy laws, she has asked that the new network meet the following criteria: No one from the internet should be able to access her internal network. Email messages should be scanned for spam, phishing attacks, and malware before they reach users' workstations. Employees access to non-work-related websites, especially sites that contain inappropriate content, should be blocked. A system should be put in place to detect and prevent external attacks on her network. Which of the following would BEST meet your client's criteria? Implement an email security appliance. Implement an all-in-one security appliance. Implement an intrusion prevention system (IPS). Implement a content filter. Implement a firewall.
Implement an all-in-one security appliance. You should implement an all-in-one security appliance. The network criteria specified by your client requires several different network devices to be implemented, including a firewall, an email scanner, a content filter, and an intrusion prevention system. While you could purchase each device separately, the cost of doing so would probably be quite high. Because you are working with a small business, an all-in-one security appliance that includes all of these functions in a single device would be more cost-effective and easier for you to manage.
You have installed anti-malware software that checks for viruses in e-mail attachments. You configure the software to quarantine any files with problems. You receive an email with an important attachment, but the attachment is not there. Instead, you see a message that the file has been quarantined by the anti-malware software. Which of the following BEST describes what happened to the file? It has been deleted from your system. It has been moved to a folder on your computer. The infection has been removed, and the file has been saved to a different location. The file extension has been changed to prevent it from running.
It has been moved to a folder on your computer. Quarantine moves the infected file to a secure folder, where it cannot be opened or run normally. By configuring the software to quarantine any problem files, you can view, scan, and try to repair those files. Quarantine does not automatically repair files. Deleting a file is one possible action to take, but this action removes the file from your system.
A small business named BigBikes, Inc. has hired you to evaluate their wireless network security practices. As you analyze their facility, you note the following: They use an 802.11a wireless network. The wireless network SSID is set to BWLAN. The wireless network is not broadcasting the network SSID. The wireless network uses WPA2 with AES security. Omnidirectional access points are positioned around the periphery of the building. Which of the following would you MOST likely recommend your client do to increase their wireless network security? Change the SSID to something similar to BigBikeInc. Upgrade to an 802.11g wireless network. Enable SSID broadcast. Implement directional access points. Configure the wireless network to use WEP security.
Implement directional access points. You should recommend that they implement directional access points along the periphery of the building. Using omnidirectional APs in these locations can cause the wireless network radio signal to emanate outside the building, making it readily available to malicious individuals. Enabling SSID broadcasts and using an SSID that is easily identifiable reduces the security of the wireless network, as would switching to WEP security. Switching to an 802.11g network offers no speed or security benefits and would require retrofitting all wireless equipment in the organization.
Your organization is frequently visited by sales reps. While on-site, they frequently plug their notebook systems into any available wall jack, hoping to get internet connectivity. You are concerned that allowing them to do this could result in the spread of malware throughout your network. Which of the following would BEST protect you from guest malware infection? (Select TWO). Implement static IP addressing. Implement private IP addressing with a Network Address Translation (NAT) router facing the internet. Enable port analysis on your network switch. Implement MAC address filtering. Implement SNMP traps on your network switch.
Implement static IP addressing. Implement MAC address filtering. You should consider enabling MAC address filtering. MAC filtering is configured on your network switches and is used to restrict network access to only systems with specific MAC addresses. You could also consider assigning static IP addresses to your network hosts. By not using DHCP, visitor laptops connected to a wired Ethernet jack won't receive a valid IP address and won't be able to communicate with other hosts on your network. Implementing SNMP traps, port analysis, or a NAT router will not prevent visitors from connecting to your network.
Replay Attack
In a replay attack, the attacker uses a protocol analyzer or sniffer to capture authentication information going from the client to the server. The attacker then uses this information to connect at a later time and pretend to be the client.
There are two main types of firewalls that you should be familiar with. Which of the following describes a feature of a network-based firewall? Inspects traffic as it flows between networks. Inspects traffic received by a specific host. Works with a single network interface. Is executed directly on the servers that need to be protected.
Inspects traffic as it flows between networks. A network-based firewall inspects traffic as it flows between networks. A host-based firewall inspects traffic received by a specific host. Host-based is installed directly on a host and only requires a single interface. A network-based firewall requires two (or more) interfaces.
You would like to control internet access based on users, time of day, and websites visited. Which of the following actions would BEST meet your criteria? Configure a packet-filtering firewall. Add rules to allow or deny access based on time of day and content. Configure the Local Security Policy of each system to add access restrictions based on time of day and content. Enable Windows Firewall on each system. Add or remove exceptions to control access based on time of day and content. Install a proxy server. Allow internet access only through the proxy server. Configure internet zones using Internet Options.
Install a proxy server. Allow internet access only through the proxy server. Use a proxy server to control internet access based on users, time of day, and websites visited. You configure these rules on the proxy server, and all internet access requests are routed through the proxy server. Use a packet filtering firewall, such as Windows Firewall, to allow or deny individual packets based on characteristics such as source or destination address and port number. Configure internet zones to identify trusted or restricted websites and to control the types of actions that can be performed when going to those sites.
You have recently had an issue where a user's Windows computer was infected with a virus. After removing the virus from the computer, which of the following is the NEXT step you should take? Create a restore point. Install all OS updates. Enable System Restore. Educate the user.
Install all OS updates. After an infected computer has been remediated successfully, the next step in the best practice procedures for malware removal states that you should ensure that all OS updates are installed and that regular virus scans are scheduled. Following that action, you should enable system restore, create a new restore point, and educate end users on better practices.
Install Firmware Updates
It is important that you keep the firmware of your network devices updated, including: > Switches > Routers > Firewalls The firmware contains software instructions that allow these devices to run. It's not unusual for security weaknesses to be discovered in the firmware of these devices when they are deployed in production environments. To address these weaknesses, the hardware vendor should release updates to the firmware. Unlike standard software, which can be automatically updated over a network connection, firmware updates must usually be installed manually. You should watch for updates for your devices to be released and install them when they become available.
Which of the following best describes spyware? It is a malicious program that is disguised as legitimate software. It monitors the actions of the user and then sends pop-up ads to the user that match their tastes. It is a program that attempts to damage a computer system and replicate itself to other computer systems. It monitors the actions you take on your machine and sends the information back to its originating source.
It monitors the actions you take on your machine and sends the information back to its originating source. Spyware monitors the actions you take on your machine and sends the information back to its originating source. Adware monitors the actions of the user that would denote their personal preferences and then sends pop-ups and ads to the user that match their tastes. A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A Trojan horse is a malicious program that is disguised as legitimate software.
An employee working from home accesses the company network using a VPN connection. When connecting, the employee is prompted for a PIN that changes at predetermined intervals. Which of the following will the employee MOST likely use to obtain the PIN? Key fob RFID badge Fingerprint reader Entry control roster
Key fob A key fob can be issued to the employee that presents a security code or PIN that changes at predetermined intervals. This PIN is synchronized to the master security system and provides authentication to initialize the VPN connection. Security personnel can grant access to a physical area using entry control roster. Only people on the roster will be granted access. It does not provide a PIN. When presented to a reader, an RFID badge can transmit a security token. Normally, this token is static and does not change. A fingerprint reader can be used for authentication, but does not normally provide a PIN.
Implement MAC Address Filtering
MAC address filtering restricts access to the wired network switch to hosts that have specific MAC addresses. This can be done in two different ways: > Use a whitelist, which defines a list of MAC addresses that are allowed to connect to the switch. > Use a blacklist, which defines a list of MAC addresses that are not allowed to connect to the switch. With MAC address filtering enabled, a switch checks a computer's MAC address when it connects to the wired network. If the switch has been configured to use a whitelist, it will compare the computer's MAC address to the whitelist. If its address is listed in the whitelist of allowed MAC addresses, then the switch will allow the host to connect to the wired network. If the computer's MAC address is not in the whitelist, then the host will be denied access. If the switch is configured to use a blacklist, the opposite occurs. If the computer's MAC address is on the blacklist, the switch will not allow the host to connect to the network. If its MAC address is not listed in the blacklist, the switch will allow the computer to connect to the network. For security reasons, whitelists are usually the preferred option. This configuration locks out all hosts except for those specifically allowed in the whitelist. However, MAC address filtering provides only a basic level of network security and can be defeated by a determined attacker. However, it does make the network harder to compromise and hopefully less attractive to an attacker.
Implement MAC Address Filtering
MAC address filtering restricts access to the wireless network to hosts that have specific MAC addresses. This can be done in two different ways: > Use a whitelist, which defines a list of MAC addresses that are allowed to connect. > Use a blacklist, which defines a list of MAC addresses that are not allowed to connect. With MAC address filtering enabled, the access point checks a computer's MAC address when it connects to the wireless network. If the access point has been configured to use a whitelist, it will compare the computer's MAC address to the whitelist. If its address is listed in the whitelist of allowed MAC addresses, then the access point will allow the host to connect to the network. If the computer's MAC address is not in the whitelist, then the host will be denied access. If the access point is configured to use a blacklist, the opposite occurs. If the computer's MAC address is on the blacklist, the access point will not allow the host to connect to the network. If its MAC address is not listed in the blacklist, the access point will allow the computer to connect to the network. For security reasons, whitelists are usually the preferred option. This configuration locks out all hosts except for those specifically allowed in the whitelist. However, MAC address filtering provides only a basic level of network security and can be defeated by determined attackers. However, it does make the network harder to compromise and hopefully less attractive to attackers.
Malware
Malware is a type of software designed to take over or damage a computer, without the user's knowledge or approval. Be aware of the following when protecting against malware: > Most vendors provide products that protect against a wide range of malware including viruses, spyware, adware, and even spam. > You can install anti-malware software on an individual host system or on a network server to scan attachments and files before they reach the end computer. > Most anti-malware software that protects a single host uses a signature-based scanning system. - Signature files (also called definition files) identify specific known threats. During a system scan, the anti-malware engine runs and compares files on your computer against the signature files. - Anti-malware software that uses signatures can detect only threats that have been identified by an associated signature file. Malicious software that does not have a matching signature file will not be detected. The system is not protected against these files. - It is important to keep the signature files up to date. If possible, download new signature files daily. Most anti-malware software will check for updates automatically on a schedule. - It is important to keep the scanning engine software updated to add new features and fix bugs in the scanning software. In addition to using scanning software, you should also do the following: > Keep your operating system and browser up to date. Make sure to apply security-related hotfixes as they are released. > Implement software policies that prevent downloading software from the internet. > Scan all files before copying them to your computer or running them. > In highly-secure areas, remove any removable drives (such as recordable optical drives and USB drives) to prevent unauthorized software from entering a system. > Show full file extensions on all files. Viruses, worms, and Trojans often make use of double file extensions to change the qualities of files that are normally deemed harmless. For example, adding the extension .txt.exe to a file will make the file appear as a text file in an attachment, when in reality it is an executable. > Use Security and Maintenance, in Control Panel to check the current security status of your computer. Security and Maintenance shows if you have antivirus, firewall, and automatic updates running. > Train users about the dangers of downloading software and the importance of anti-malware protections. Teach users to scan files before running them, and to make sure they keep the virus protection definition files up to date.
A malicious person calls an employee from a cell phone. She tells the employee that she is the vice president over the accounting department in the employee's company. She relates that she has forgotten her password and demands that the employee give her his password so that she can access the reports she needs for an upcoming presentation. She threatens to fire the employee if he does not comply. Which of the following BEST describes the type of attack that just occurred? Phishing Eavesdropping Piggybacking Masquerading
Masquerading A masquerading attack has occurred. Masquerading involves an attacker convincing authorized personnel to grant them access to protected information by pretending to be someone who is authorized and/or requires that access. Usually, the attacker poses as a member of senior management. A sense of urgency is typically fabricated to motivate the user to act quickly.
What is the least secure place to locate an omnidirectional access point when creating a wireless network? In common or community work areas Near a window In the center of the building Above the third floor
Near a window The least secure location for an omnidirectional wireless access point is against a perimeter wall. So, placement near a window would be the worst option from this list of selections. For the best security, omnidirectional wireless access points should be located in the center of the building. This will reduce the likelihood that the wireless network's access radius will extend outside of the physical borders of your environment. It is important to place wireless access points where they are needed, such as in a common or community work area.
A user within your organization received an email relating how an account containing a large sum of money has been frozen by the government of a small African nation. The user was offered a 25 percent share of this account if she would help the sender transfer it to a bank in the United States. The user responded to the sender and was instructed to send her bank account number so that it could be used to facilitate the transfer. She complied, and then the sender used the information to drain her bank account. What type of attack occurred? Eavesdropping Piggybacking Man-in-the-middle Phishing
Phishing A phishing attack has occurred in this scenario. This particular attack is sometimes referred to as a Nigerian 419 attack and is very common. Piggybacking occurs when an unauthorized person follows behind an authorized person to enter a secured building or area within a building. Piggybacking is also sometimes called tailgating. Eavesdropping refers to an unauthorized person listening to conversations of employees or other authorized personnel discussing sensitive topics. A man-in-the-middle attack is a technological attack where a malicious person intercepts network communications between two hosts, posing as the sender to the receiver and as the receiver to the sender.
13.10.6 Network Appliance Facts
Network appliances are devices that are dedicated to providing certain network services. Common network appliances include: > Switches > Wireless access points > Routers > Firewalls > Security threat management devices These devices are unlike common network hosts in that they don't typically provide monitor, keyboard, or mouse connections. Instead, they are designed to be plugged directly into the network and then managed using a web-based interface from the system administrator's workstation. Large organizations typically purchase separate appliances for each network function they require. However, this strategy can be quite expensive. To reduce costs, smaller organizations may choose to use an all-in-one device instead of purchasing separate network appliances. For example, an all-in-one security appliance combines many network security functions into a single device. All-in-one security appliances are also known as unified threat security devices or web security gateways. This type of device may be the best choice for: > A small company without the budget to purchase individual components > A small office without the physical space for individual components > A remote office without a technician to manage individual security components Security functions implemented within an all-in-one security appliance may include components such as: > An endpoint management server to keep track of various devices, while ensuring their software is secure > A network switch to provide internal network connectivity between hosts > A router to connect network segments together > An ISP interface for connecting the local network to the internet > A firewall to filter network traffic > A syslog server to store event messages > A spam filter to block unwanted emails > A web content filter to prevent employees from visiting inappropriate websites > A malware inspection engine to prevent malware from entering the network > An intrusion detection system (IDS) or intrusion prevention system (IPS) to detect hackers trying to break into systems on the network *An IDS detects intrusion attempts and alerts the system administrator. An IPS detects intrusion attempts, notifies the administrator, and also tries to block the attempt. While they are less expensive, all-in-one appliances have several drawbacks that you should consider before implementing one: > All-in-one appliances perform many tasks adequately. However, they usually can't perform any one task extremely well. If high-performance is a concern, then using dedicated appliances might be more appropriate. > All-in-one devices create a single point of failure. Because so many services are hosted by a single device, then all of the services are affected if that device goes down. > All-in-one devices create a single attack vector that can be exploited by an attacker. Compromising the single device could potentially expose many aspects of the network. *Unified threat management (UTM) or unified security management (USM), is a network gateway defense solution for organizations. UTM is the evolution of the traditional firewall into an all-in-one device that can perform multiple security functions within one single system.
You want to be able to access your home computer using Remote Desktop while traveling. You enable Remote Desktop, but you find that you cannot access your computer outside of your home network. Which of the following is the BEST solution to your problem? Open the firewall port for the Remote Desktop protocol. Move your home computer outside of the firewall. Configure a VPN connection to your computer. Open the Telnet and SSH ports in your firewall.
Open the firewall port for the Remote Desktop protocol. You need to open the firewall port for the Remote Desktop program. Firewalls prevent all traffic except authorized traffic. To allow a specific program, open the port that corresponds to the port used by that application. Placing your computer outside of the firewall leaves it open to attack. A VPN encrypts communications between two computers through the internet. However, the VPN will not allow a Remote Desktop connection. The Telnet and SSH ports do not apply to this scenario.
Forensic investigation
Performed to gather evidence and identify the methods used in the attack.
Several users have forwarded you an email stating that your company's health insurance provider has just launched a new website for all employees. To access the site, they are told to click a link in the email and provide their personal information. Upon investigation, you discover that your company's health insurance provider did not send this email. Which of the following BEST describes the type of attack that just occurred? Piggybacking Smurf Phishing Denial of service
Phishing A phishing attack has occurred. In a phishing attack, a spoofed email containing a link to a fake website is used to trick users into revealing sensitive information, such as a username, password, bank account number, or credit card number. Both the email and the website used in the attack appear to be legitimate on the surface. Piggybacking occurs when an unauthorized person follows an authorized person to enter a secured building or area within a building. Piggybacking is also sometimes called tailgating. A denial of service (DoS) attack involves using network mechanisms to flood a particular host with so many bogus requests that it can no longer respond to legitimate network requests. A Smurf attack is a distributed type of DoS attack that inserts a target system's IP address for the source address of ICMP echo request packets, causing a flood of ICMP echo response packets to be sent to a victim system.
Joe, a user, receives an email from a popular video streaming website. The email urges him to renew his membership. The message appears official, but Joe has never had a membership before. When Joe looks closer, he discovers that a hyperlink in the email points to a suspicious URL. Which of the following security threats does this describe? Trojan Zero-day attack Phishing Man-in-the-middle
Phishing Phishing is an attempt to trick a user into compromising personal information or downloading malware. Most often, it involves an email containing a malicious attachment or hyperlink. A man-in-the-middle (MITM) attack intercepts communications between two systems and alters the message before sending it on to the original recipient. A zero-day attack is an exploit of an operating system or software vulnerability that is unknown and unpatched by the author. A Trojan horse, or Trojan, is a type of malware that is often disguised as legitimate software.
Which of the following is a form of attack that tricks victims into providing confidential information, such as identity information or logon credentials, through emails or websites that impersonate an online entity that the victim trusts, such as a financial institution or well-known e-commerce site? Social engineering Phishing Fraggle attack Session hijacking
Phishing Phishing tricks victims into providing confidential information, such as identity information or logon credentials, through emails or websites that impersonate an online entity that the victim trusts, such as a financial institution or well-known e-commerce site. Phishing is a specific form of social engineering. A fraggle attack uses spoofed UDP packets to flood a victim with echo requests using a bounce network, much like a Smurf attack. Session hijacking takes over a logon session from a legitimate client, impersonating the user and taking advantage of their established communication link.
Phishing Emails
Phishing is the process used by attackers to acquire sensitive information such as passwords, credit card numbers, and usernames by masquerading as a trustworthy entity. Phishing emails are drafted such that they appear to have come from a legitimate organization, such as banking, social media, or e-commerce websites. They convince the user to click a link that takes them to a malicious website (that looks exactly like the legitimate website) where they are tricked into revealing sensitive information. To detect phishing email, train users to recognize their key characteristics: > The source address of the message may not match the domain of the company it claims to be coming from. > The message tries to create a sense of urgency. For example, it may warn that your bank account will be frozen, that your credit card has been stolen, or that you will be subject to arrest if you don't follow the instructions in the message. > The hyperlinks in the message go to websites that are not associated with the organization the message claims to be coming from. If you hover your mouse over a link (without clicking it) you can see where the link actually leads. If it isn't pointing to the organization's URL, there's a pretty good chance the message is an exploit.
You are an IT technician for your company. Vivian has been receiving error messages indicating that some of her Windows system files are corrupt or missing. To fix this issue, you ran the Windows System File Checker tool (SFC.exe). Shortly after the files were repaired, Vivian calls again because she is still having the same issue. You now suspect that the corruption or renaming of the system files is being caused by malware. Which of the following is the next BEST step that should be taken? Disable System Restore. Perform a scan using anti-malware software. Quarantine Vivian's computer. Back up Vivian's critical files and perform a clean install of Windows.
Quarantine Vivian's computer. When you suspect that a computer may be infected with malware, you should immediately quarantine the computer to prevent the propagation of the malware. After the computer is isolated, you can begin to remove the malware, starting by disabling System Restore, updating your anti-malware software, and then performing an anti-malware scan. Backing up an infected computer only saves the problem for future users.
Ransomware
Ransomware is a form of malware that denies access to an infected computer system until the user pays a ransom.
Real-Time Protection
Real-time protection alerts you when spyware or potentially unwanted software attempts to install itself or run on your computer. It also alerts you when programs attempt to change important Windows settings. Real-time protection uses security agents to monitor specific system components and software.
Pharming
Redirects one website's traffic to a bogus website that looks like the real website.
Which of the following is the process of fixing problems detected by anti-virus software so that the computer is restored to its original state? Remediation Scanning Isolation Quarantine
Remediation Remediation is the process of correcting any problems that are found. Most antivirus software remediates problems automatically or semi-automatically (you are prompted to identify the action to take). Quarantine is the process of moving an infected file or computer to a safe location so that the problem cannot affect or spread to other files or computers. Isolation is one method of performing quarantine. Scanning is the process of checking a system for infected files.
Malware Infection Remediation
Remediation is the process of correcting any problems that are found. Most antivirus software remediates problems automatically or semi-automatically (i.e. you are prompted to identify the action to take). Possible actions in response to problems are: > Repair the infection. This may be possible for true viruses that have attached themselves to valid files. During the repair, the virus is removed and the file is placed back in its original state (if possible). Configuration changes made by the infection may also need to be repaired. For example, if the virus changed the default browser home page or search page, you may need to manually reset them using Internet Options, in Control Panel. > Quarantine the file. This moves the infected file to a secure folder where it cannot be opened or run normally. You might quarantine an infected file that cannot be repaired to see if another tool or utility might be able to recover the file at another time. > Delete the file. You should delete malicious files such as worms, Trojan horse programs, spyware, or adware programs. In addition, you should periodically review the quarantine folder and delete any files you do not want to recover. If a scan reports a serious problem, disconnect your computer from the network. This prevents your computer from infecting other computers until the problem is corrected. Some malicious software warnings, such as those seen in pop-ups or received through email, are hoax viruses. A hoax virus instructs you to take an action to protect your system, when in fact that action will cause harm. Two common hoaxes are: > Instructing you to delete a file that is reported as a virus. The file is actually an important system file that will lead to instability or the inability to boot your computer. > Instructing you to download and run a program to see if your system is compromised or to add protection to your system. The file you download is the malicious software. Before taking any actions based on notices or emails, search the internet for a list of virus hoaxes and compare your notice to known hoaxes. A suggested procedure for remediating a system with a malware infection is as follows: 1. Identify the symptoms of the infection. 2. Quarantine the infected system. 3. Disable System Restore in Windows. This prevents the infection from being included in a restore point. 4. Update the anti-malware definitions. 5. Scan for and remove the malware. *Some malware cannot be removed because it is running. If possible, stop its process from running, then try to remove it. If you are unable to stop the malware's process, try booting into Safe Mode and then run the scanning software to locate and remove the malware. 6. If necessary, schedule future anti-malware scans and configure the system to automatically check for signature file updates. 7. Install any operating system updates. 8. Re-enable System Restore and create a new restore point. 9. Educate the end user to prevent future infections. Some malware infections could require that you reinstall applications or features, restore files from a backup, or even restore the entire operating system from scratch. If the infection has damaged or corrupted system files, you might be able to repair the infected files using the sfc.exe command. Before running sfc, be sure to first remove the malware that caused the damage (or it might re-introduce the problem later). You might need to boot into Safe Mode in order to check system file integrity and repair any problems found. Some malware can corrupt the boot block on the hard disk preventing the system from starting. To repair this problem, try performing an automatic repair. Use fixmbr or fixboot in the Recovery Console to try to repair the damage. Alternatively, if your organization uses imaging solutions, you can quickly re-image an infected machine. Re-imaging is often faster and more effective than malware removal and cleanup.
Drive locking
Setting a password on the system hard disk.
You have purchased a used computer from a computer liquidator. When you boot the computer, you find that there has been a password set on the BIOS. You need to clear the password so that you can edit the CMOS settings. What should you do? Press Ctrl + Alt + Del while booting the computer. Flash the BIOS. Remove the motherboard battery for a few seconds. Press F2 while booting the computer.
Remove the motherboard battery for a few seconds. You can clear the BIOS password by removing the motherboard battery for few seconds or, on older systems, by setting a motherboard jumper. Flashing the BIOS probably will not remove the password.
Some software on Rachel's computer is telling her that her computer is at risk and that she needs to purchase an upgrade for the software before the risk can be removed. Confused, Rachel calls you (the IT specialist) for advice. After meeting with Rachel, you discover that the pop-up warnings only began after she installed a plug-in for her internet browser. Which of the following is the MOST likely cause of these warning messages? SPAM Hijacked email App scanner Rogue antivirus
Rogue antivirus Rogue antiviruses are programs maliciously added to a computer, which will then often display pop-up or warning messages that try to scare a user into purchasing fake products to clean their computers. SPAM is the type of unwanted and unsolicited email a user gets. Hijacked email is when someone deceptively takes over your legitimate email account, typically by guessing your password. App scanner is software that allows a mobile phone to scan documents.
Scheduled Scanning
Scheduled scanning checks computer files for malware. Windows Defender can run three different types of scans: > A Quick scan checks file system locations that are most likely to be infected by spyware. > A Full scan checks all files in the file system, the registry, all currently running applications, and other critical areas of the operating system. > A Custom scan checks only the locations you specify. Windows Defender performs a quick scan at 2 a.m. each day. You can also manually initiate a scan, if necessary. The results of the scan are shown in the Home tab in Windows Defender.
You have a computer that runs Windows 10. Where would you go to verify that the system has recognized the anti-malware software installed on the system? Security and Maintenance System Windows Firewall Network and Sharing Center
Security and Maintenance Use Security and Maintenance in Control Panel to check the current security status of your computer. Security and Maintenance displays whether you have anti-malware, firewall, and automatic updates configured. Use the firewall to open and close firewall ports. Use System to perform tasks such as viewing system information and enabling Remote Desktop. Use the Network and Sharing Center to view the status of your network connections.
Which of the following are common forms of social engineering attacks? Sending hoax virus information emails. Distributing false information about your organization's financial status. Stealing the key card of an employee and using that to enter a secured building. Using a sniffer to capture network traffic.
Sending hoax virus information emails. Hoax virus information emails are a form of social engineering attack. This type of attack preys on email recipients who are fearful and will believe most information if it is presented in a professional manner. The victims of these attacks usually fail to double-check the information or instructions with a reputable third party anti-virus software vendor before implementing the recommendations. Usually, these hoax messages instruct the reader to delete key system files or download Trojan horses. Social engineering relies on the trusting nature of individuals to take an action or allow unauthorized action.
Anna, a home office user, employs a technician to check the security on a computer that was hacked. The technician discovers that the user's password is the name of Anna's dog and hasn't been changed in over a year. Which of the following security best practices should the technician recommend? (Select TWO). Configure the screen saver to require a password. Set the number of failed password attempts to two. Set a password expiration period. Require a strong password. Restrict user permissions.
Set a password expiration period. Require a strong password. Strong passwords are harder to hack, and they should be changed frequently. Screen saver passwords may not be needed in a home office environment. Restricting user permissions for Ann will not increase security. Setting a lower number of password attempts may not be warranted in a home office environment.
A user is trying to log into her notebook computer. She enters the correct password for her user account, but the system won't let her authenticate, claiming the wrong password has been entered. Which of the following is MOST likely causing the problem? She has entered the wrong password too many times, causing Intruder Detection in Windows to lock the system. The Scroll Lock key has been pressed, locking all input from the keyboard. The keyboard must be replaced. The CPU is in power-save mode, causing all login attempts to be denied. She has enabled Num Lock, causing numbers to be sent from the keyboard instead of letters.
She has enabled Num Lock, causing numbers to be sent from the keyboard instead of letters. The most likely cause of this user's problem is that the Num Lock key sequence for the notebook system has been pressed causing the keyboard to send numbers in the place of letters. Turning Num Lock off should fix the problem.
Which of the following are examples of social engineering? (Select TWO). Shoulder surfing Port scanning Dumpster diving Brute force password cracking War dialing
Shoulder surfing Dumpster diving Social Engineering leverages human nature. Internal employees are often the target of trickery, and false trust can quickly lead to a serious breach of information security. Shoulder surfing and dumpster diving are examples of social engineering. Shoulder surfing is the act of looking over an authorized user's shoulder in hopes of obtaining an access code or credentials. Dumpster diving involves searching through trash or other discarded items to obtain credentials or information that may facilitate further attacks. These low-tech attack methods are often the first course of action that a hacker pursues. Port scanning and war dialing are technical attacks that seek to take advantage of vulnerabilities in systems or networks. Brute force password-cracking software tries to identify a password by trying every possible letter, number, and symbol combination until the correct one is found.
Which of the following security technologies stores identification information in a magnetic strip, radio frequency transmitter, or hardware contact to authorize access to a computer? Key fob SSID Biometric Smart card ID badge
Smart card A smart card contains identification information stored on a magnetic strip, radio frequency transmitter, or hardware contact that allow it to interact with a smart card reader to authorize access. The reader uses information on the card to allow or deny access. A biometric is a physical characteristic of a human that can be scanned to control access. A key fob can be used for accessing an automobile, but is not used for computer access. An ID badge can be just a picture with a name on it and may or may not also be a smart card. In Windows, the Local Security Policy is a collection of settings that control how the system behaves. The SSID is the name of a wireless network.
Which of the following is not a form of biometrics? Retina scan Face recognition Fingerprint Smart card
Smart card A smart card is used in token-based authentication, so it is not a form of biometrics. Biometrics rely on personal characteristics (such as fingerprints, facial recognition, or a retina scan) to prove identity. A smart card is an example of the something you have authentication factor.
Joe, an executive, receives an email that appears to be from the financial institution that provides his company credit card. The text of the email includes Joe's name and the company name and states that there is a problem with Joe's credit card. The email provides a link to verify the credit card, but when Joe hovers over the link, he thinks the web address seems strange. Which of the following BEST describes this type of attack? Social engineering Zero-day attack Man-in-the-middle attack Brute forcing
Social engineering Social engineering is the use of deception to manipulate individuals into sharing confidential or personal information that can be used for unlawful purposes. A zero-day attack is an exploit of an operating system or software vulnerability that is unknown and unpatched by the author. Brute force can be used to crack a username, password, or other authentication using trial and error, usually by trying all possibly permutations. A man-in-the-middle (MITM) attack intercepts communications between two systems and alters the message before sending it on to the original recipient.
Drive Locking
Some motherboards allow you to set a password on the system hard disk. This practice is sometimes referred to as drive locking. > When set, the password must be given at system startup or the disk cannot be used. > There are two different passwords: user and master. > Set the password(s) by using the motherboard's BIOS/UEFI configuration program. > Passwords are saved on the hard disk itself. - You cannot read the passwords from the disk. - You cannot move the drive to another system to access the disk without the password (the password moves with the disk). - You cannot format the disk to remove the passwords. > If you forget the user password, use the master password to access the drive. If you do not know either password, you cannot access any data on the drive. > Most drive locking systems allow a limited number of incorrect password attempts. After that time, you must restart the system to try entering additional passwords. > Some systems ship with a default master password already set. However, these passwords (if they exist) are not publicly available and cannot be obtained from disk manufacturers.
Type 3 Something you are
Something you are authentication uses a biometric system. A biometric system attempts to identify a person based on metrics or a mathematical representation of the subject's biological attribute. This is generally considered to be the most secure form of authentication. Common attributes used for biometric systems are: > Fingerprints (end point and bifurcation pattern) > Hand topology (side view) or geometry (top down view) > Palm scans (pattern, including fingerprints) > Retina scans (blood vein pattern) > Iris scans (color) > Facial scans (pattern) > Voice recognition > Handwriting dynamics > Keyboard or keystroke dynamics (behavioral biometric systems) - Dwell time (key press time) - Flight time (how fingers move from key to key) When implementing a biometric system, the attribute that is used for authentication must meet the following criteria: > Universality means that all individuals possess the attribute. > Uniqueness means that the attribute is different for each individual. > Permanence means that the attribute always exists and will not change over time. > Collectability ensures that the attribute can be measured easily. Performance means that the attribute can be accurately and quickly collected. > Circumvention allows for acceptable substitutes for the attribute in case the original attribute is missing or can't be read. > Acceptability identifies the degree to which the technology is accepted by users and management. *True multifactor authentication requires the user to provide an authentication factor from more than one category. For example, requiring users to provide a username and password is not true multifactor authentication because both the user and the password are something the user knows. To strengthen authentication, you could require the user to provide a fingerprint (something the user is) and a password (something the user knows).
Type 2 Something you have
Something you have (also called token-based authentication) is authentication based on something a user has in their possession. Examples of something you have authentication controls are: > Swipe cards (similar to credit cards) with authentication information stored on the magnetic strip. > Smart cards with a memory chip containing encrypted authentication information. Smart cards can - Require contact such as swiping, or they can be contactless. - Contain microprocessor chips with the ability to add, delete, and manipulate data on it. - Can store digital signatures, cryptography keys, and identification codes. - Use a private key for authentication to log a user into a network. The private key will be used to digitally sign messages. - Be based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a new code (the response) that the user can present to log in.
Type 1 Something you know
Something you know authentication requires you to provide a password or some other data that you know. This is the weakest type of authentication. Examples of something you know include: > Passwords, codes, or IDs > PINs > Passphrases (long, sentence-length passwords) > Cognitive information such as questions that only the user can answer, including: > Your mother's maiden name > The model or color of your first car > The city where you were born *Usernames are not a form of Type 1 authentication. Usernames are often easy to discover or guess. Only the passwords or other information associated with the usernames can be used to validate identity.
Spam
Spam is unwanted and unsolicited email sent to many recipients. Spam: > Can be benign as emails trying to sell products. > Can be malicious containing phishing scams or malware as attachments. > Wastes bandwidth and could fill the inbox, resulting in a denial of service condition where users can no longer receive emails.
Which type of malicious activity can be described as numerous unwanted and unsolicited email messages sent to a wide range of victims? Email hijacking Spamming Crimeware Trojan
Spamming Spamming is a type of malicious activity in which numerous unwanted and unsolicited email messages are sent to a wide range of victims. Spam itself may or may not be malicious in nature. Unfortunately, spam accounts for 40 to 60 percent of the email traffic on the internet. Most of this activity is unsolicited.
A router on the border of your network receives a packet with a source address that shows it originating from a client on the internal network. However, the packet was received on the router's external interface, which means it originated somewhere on the Internet. Which of the following BEST describes the type of attack which as occurred in this scenario? Sniffing Man-in-the-middle Session hijacking Spoofing Snooping
Spoofing This is an example of spoofing. Spoofing involves changing or falsifying information in order to mislead or re-direct traffic. In this scenario, the router's external interface cannot receive a valid packet with a source address from the internal network. One must assume that the source address of the packet was faked. Snooping is the act of spying into private information or communications. One type of snooping is sniffing. Sniffing is the act of capturing network packets in order to examine the contents of communications. A man-in-the-middle attack is a technological attack where a malicious person intercepts network communications between two hosts, posing as the sender to the receiver and as the receiver to the sender. Session hijacking is an extension of a man-in-the-middle attack where the attacker hijacks an active communication session.
Spyware
Spyware is software that is installed without the user's consent or knowledge, designed to intercept or take partial control over the user's interaction with the computer. Spyware: > Is usually installed on your machine by visiting a malicious website or installing an infected application. > Collects various types of personal information, such as your internet surfing habits and passwords, and then sends the information back to its originating source. > Uses tracking cookies to collect and report a user's activities. > Can interfere with user control of the computer such as installing additional software, changing computer settings, and redirecting web browser activity.
A VPN is used primarily for which purpose? Allow the use of network-attached printers. Support the distribution of public web documents. Support secured communications over an untrusted network. Allow remote systems to save on long distance charges.
Support secured communications over an untrusted network. A VPN (Virtual Private Network) is used primarily to support secured communications over an untrusted network. A VPN can be used over a local area network, across a WAN connection, over the internet, and even between a client and a server over a dial-up connection through the internet. All of the other items listed in this question are benefits or capabilities that are secondary to this primary purpose.
TCP/IP (session) Hijacking
TCP/IP hijacking is an extension of a man-in-the-middle attack where the attacker steals an open and active communication session from a legitimate user. > The attacker takes over the session and cuts off the original source device. > The TCP/IP session state is manipulated so that the attacker is able to insert alternate packets into the communication stream.
An intruder waits near an organization's secured entrance until an employee approaches the entrance and unlocks it with a security badge. The intruder falls in line behind the employee, who assumes the intruder is another employee and holds the door open for her. Which of the following BEST describes the type of attack that just occurred? Phishing Tailgating Smurf Denial of service
Tailgating A tailgating attack has occurred. Tailgating occurs when an unauthorized person follows behind an authorized person to enter a secured building or area within a building. Tailgating is also sometimes called piggybacking. In a phishing attack, a spoofed email containing a link to a fake website is used to trick users into revealing sensitive information, such as a username, password, bank account number, or credit card number. Both the email and the website used in the attack appear on the surface to be legitimate. A denial of service (DoS) attack involves using network mechanisms to flood a particular host with so many bogus requests that it can no longer respond to legitimate network requests. A Smurf attack is a distributed type of DoS attack that inserts a target system's IP address for the source address of ICMP echo request packets, causing a flood of ICMP echo response packets to be sent to a victim system.
An unauthorized person gains access to a secured area by following an authorized person through a door controlled by a badge reader. Which of the following security threats does this sentence describe? Phishing Shoulder surfing Tailgating Brute forcing
Tailgating Tailgating describes the actions of an unauthorized person closely following an authorized person to gain access to a secure area. Shoulder surfing occurs when a one person obtains usernames, passwords, and other data by looking over the shoulder of another person. Brute forcing describes the process of cracking a username, password, decryption key, or network protocols using the trial-and-error method, often by testing all possible character combinations. Phishing is an attempt to trick a user into compromising personal information or downloading malware. Most often, it involves an email containing a malicious attachment or hyperlink.
You are a security consultant. An organization has hired you to review their security measures. The organization is chiefly concerned that it could become the victim of a social engineering attack. Which of the following actions would you MOST likely recommend to mitigate the risk? Establish a written security policy. Implement a border firewall to filter inbound network traffic. Teach users how to recognize and respond to social engineering attacks. Train managers to monitor user activity.
Teach users how to recognize and respond to social engineering attacks. The best way to combat social engineering is to train users how to recognize and respond to social engineering attacks. For example, most organizations train employees to forward any calls or emails requesting a password or other network information to their help desk. Filtering network traffic with a firewall fails to address the human element involved in social engineering. While a written security policy is a necessary measure, it will do little to defend your network if your users don't know how to recognize social engineering attempts. Management oversight is expensive and unlikely to detect a social engineering attempt until it is too late. Raising user awareness of the issue tends to be much more effective.
Maintain Physical Security
Technological security measures can be circumvented if the computer systems connected to the wired network are not physically secure. Consider the following physical security measures: > Keep server systems in a locked server room where only authorized persons who have the appropriate keys or access codes are allowed in. > Ensure that the screen savers on workstations and notebook systems have a very short timeout period and require a password whenever a user tries to resume the session. > Ensure workstation and notebook systems require the user to authenticate before they're allowed to resume a session from sleep or hibernation. > Control access to work areas where computer equipment is used. For example, you could use a proximity badge reader on a locked door to regulate access. > Ensure computers in low security areas (such as a receptionist's desk) are secured with a cable lock. > Disable external ports on desktop and servers systems, especially USB and FireWire ports. This can be done in the BIOS/UEFI configuration or using Windows Group Policy. > Disable or completely remove optical disc burners. > Uninstall any software from servers and workstations that isn't necessary.
Secure Sockets Layer (SSL)
The SSL protocol has long been used to secure traffic generated by IP protocols such as HTTP, FTP, and email. SSL can also be used as a VPN solution, typically in a remote access scenario. SSL: > Authenticates the server to the client using public key cryptography and digital certificates > Encrypts the entire communication session > Uses port 443, which is already open on most firewalls Implementations that use SSL for VPN tunneling include Microsoft's SSTP and Cisco's SSL VPN.
Use Content Filters
The internet contains illicit and illegal content. If your users access this type of content from your organization's network, then your organization could be held liable for their actions. To keep this from happening, implement a content filter that inspects network traffic to ensure that it meets your organization's Acceptable Use Policy (AUP). This prevents users from: > Wasting time accessing content that is not work-related > Accessing content that could be construed as creating a hostile work environment > Engaging in illegal activities Most content filters can be configured to use pre-defined blacklists of websites categorized according to content. However, there will always be unapproved sites that slip past these pre-defined blacklists. When this happens, most content filters allow you to manually add specific sites to the blacklists. As with network firewalls, content filters can be implemented for an entire network or on individual network hosts: > A network-wide content filter usually sits near the network firewall and router, inspecting the contents of all incoming and outgoing network traffic. > A host-based content filter is implemented as software on a specific host.
Password Policy
The password policy defines characteristics that valid passwords must have. Settings that you can configure in the password policy include: > Minimum password length requires passwords to have a minimum length. In general, longer passwords are more secure than shorter ones (although they can be harder to remember). > Password complexity prevents using passwords that are easy to guess or easy to crack. It forces passwords to include letters, symbols, a combination of lower case and caps, and numbers. > Maximum password age forces users to change the password after the specified time interval. > Minimum password age prevents users from changing the password too quickly. > Enforce password history requires users to input a unique (previously unused) password when changing the password. This prevents users from reusing previous passwords.
Dumpster diving
The process of looking in the trash for sensitive information that has not been properly disposed of.
Disable Unused Switch Ports
The security of a wired network can be increased by disabling unused network wall jacks and switch ports. If an unused network jack is left in an active state, it can be used to connect to the wired computer network. Likewise, an unused port on the switch that is left in an active state can provide an attacker with an easy way to connect to the wired network. To prevent this from happening, disable all unused switch ports. This is especially true for switch ports connected to network jacks located in insecure areas of your organization, such as the reception area.
You just bought a new computer. This system uses UEFI firmware and comes with Windows 10 preinstalled. You recently accessed the manufacturer's support website and saw that a UEFI firmware update has been released. You download the update. However, when you try to install the update, an error message is displayed that indicates the digital signature on the update file is invalid. Which of the following is MOST likely caused this to happen? SecureBoot has been enabled in the UEFI firmware configuration. The update file has been tampered with. Interim UEFI updates released since the system was manufactured need to be installed before you can install the latest update. The system has a rootkit malware infection.
The update file has been tampered with. UEFI requires firmware updates to be digitally signed by the hardware vendor. Using digital signatures, unauthorized changes to firmware updates (such as the insertion of malware) can be detected. The SecureBoot feature requires that operating systems be digitally signed before they can be booted on the system. The latest UEFI update most likely includes all of the changes implemented in early updates. There is no indication that the system has been infected with rootkit malware in this scenario.
Use File and Folder Permissions
This practice ties back to principle of least privilege. Users should be able to access the files and folders they need on the hard drive of the system and no more. Use file and folder permissions to explicitly specify who can do what with files and folders.
Hijacked Emails
To hijack an email account, attackers use password hints set up by the user to try to gain access to the user's email account. Users should not use personal information such as their birthplace or mother's maiden name. This information is relatively easy to obtain using social media. Once an account has been hijacked, the attacker can use it to propagate spam or malware to every contact in the user's address book.
What is a program that appears to be a legitimate application, utility, game, or screensaver, but performs malicious activities surreptitiously? Worm Scareware Trojan Ransomware
Trojan A Trojan horse is a program that appears to be a legitimate application, utility, game, or screensaver, but performs malicious activities surreptitiously. Trojan horses are commonly internet downloads. To keep your systems secure and free from such malicious code, you need to take extreme caution when downloading any type of file from just about any site on the internet. If you don't fully trust the site or service that is offering a file, don't download it. A worm is a type of malicious code similar to a virus. A worm's primary purpose is to duplicate itself and spread, while not necessarily intentionally damaging or destroying resources. Ransomware is a form of malware that denies access to an infected computer system until the user pays a ransom. Scareware is a scam that fools users into thinking they have some form of malware on their system. The intent of the scam is to sell the user fake antivirus software to remove malware they don't have.
You are a security consultant and have been hired to evaluate an organization's physical security practices. All employees must pass through a locked door to enter the main work area. Access is restricted using a biometric fingerprint lock. A receptionist is located next to the locked door in the reception area. She uses an iPad application to log any security events that may occur. She also uses her iPad to complete work tasks as assigned by the organization's CEO. Network jacks are provided in the reception area such that employees and vendors can access the company network for work-related purposes. Users within the secured work area have been trained to lock their workstations if they will be leaving them for any period of time. Which of the following recommendations are you MOST likely to make to this organization to increase their security? (Select TWO). Move the receptionist's desk into the secured area. Require users to use screensaver passwords Train the receptionist to keep her iPad in a locked drawer when not in use. Replace the biometric locks with smart cards. Disable the network jacks in the reception area.
Train the receptionist to keep her iPad in a locked drawer when not in use. Disable the network jacks in the reception area. You should recommend the following: Disable the network jacks in the reception area. Having these jacks in an unsecured area allows anyone who comes into the building to connect to the company's network. Train the receptionist to keep her iPad in a locked drawer when not in use. Tablet devices are small and easily stolen if left unattended. The receptionist's desk should remain where it is currently located because it allows her to visually verify each employee as they access the secured area. Biometric locks are generally considered more secure than smart cards because cards can be easily stolen. Training users to lock their workstations is more secure than screensaver passwords, although this may be a good idea as a safeguard in case a user forgets.
Which of the following components is a special hardware chip included on the computer motherboard that contains software in firmware that generates and stores cryptographic keys? USB device Trusted Platform Module (TPM) BitLocker partition BIOS/UEFI
Trusted Platform Module (TPM) A Trusted Platform Module (TPM) is a special hardware chip included on the computer motherboard that contains software in firmware that generates and stores cryptographic keys. The TPM chip must be enabled in the BIOS/UEFI. A USB device is used to save the BitLocker key on a system that does not have a TPM chip. Implementing BitLocker requires two NTFS partitions.
You manage two computers with the following user accounts: Wrk1 has user accounts Mary and Admin. The Mary account does not have a password set; the Admin account does. Wrk2 has user accounts Mary and Julia. The Mary account has a password set; the Julia account does not. You are working from Wrk2 and would like to access a shared folder on Wrk1. Which of the following credentials would BEST allow you to access the shared folder? Type 'Admin' for the username and specify the password. Type 'Mary' for the username and specify the password. Type 'Julia' for the username and leave the password blank. Type 'Mary' for the username and leave the password blank.
Type 'Admin' for the username and specify the password. Type Admin for the username and specify the password. To access a shared folder or use Remote Desktop for a workgroup computer, you must supply a username and password that matches a user account configured on the computer you are trying to access. For Wrk1, you would use either Mary or Admin for the user account name. You cannot use the Mary account to access Wrk1 over the network. When accessing shared folders or Remote Desktop on a network computer, the user account must have been configured with a password. User accounts with blank passwords cannot be used to gain network access to a computer.
UEFI-Specific Security Features
UEFI systems include several security features that are not available on BIOS-based systems: > UEFI requires firmware updates to be digitally signed by the hardware vendor. Using digital signatures, unauthorized changes to firmware updates (such as the insertion of malware) can be detected. > UEFI provides a security feature called SecureBoot, which requires the operating system installed on the system hard drive to be digitally signed. If it isn't digitally signed, then the UEFI firmware will not boot it by default. This is designed to block a special type of malware called a rootkit. A rootkit inserts itself into the boot sector of a storage device, causing it to be loaded first. Then the rootkit loads the actual operating system. By doing this, the rootkit gets loaded before any anti-malware software, making it more difficult to detect. SecureBoot also prevents the booting of unauthorized operating systems. For example, it prevents the system from booting an operating system installed on a removable USB drive that could be used to access data on the system hard drive.
While trying to log on, a user accidentally typed the wrong password three times, and now the system is locked because he entered too many incorrect passwords. He still remembers his password, but he just typed it wrong. He needs access as quickly as possible. Which of the following would allow the user to log on? Enable the account Change the password for the account Unlock the account Have the user wait for the account to be unlocked automatically
Unlock the account With the account lockout policy configured, an account will be locked (and cannot be used for logon) when a specified number of incorrect passwords are entered. You can unlock a locked account by editing the account properties in Local Users and Groups. Depending on the policy settings, locked accounts might be unlocked automatically after a period of time. However, to allow immediate access, manually unlock the account. A disabled account cannot be used for logon. Accounts are not disabled automatically, and enabling an account does not unlock it. Changing the password is not required because the user still remembers the correct password.
While browsing the internet, a pop-up browser window is displayed warning you that your system is infected with a virus. You are directed to click a link to remove the virus. Which of the following are the next BEST actions to take? (Select TWO). Use a search engine on the Internet to learn how to manually remove the virus. Update the virus definitions for your locally-installed anti-malware software. Click on the link provided to scan for and remove the virus. Run a full system scan using the anti-malware software installed on your system. Close the pop-up window and ignore the warning.
Update the virus definitions for your locally-installed anti-malware software. Run a full system scan using the anti-malware software installed on your system. This is an example of a rogue anti-virus attack. As such, you should assume that your system may have been infected by some time of malware, possibly by one of the sites you visited recently. You should first close your browser window and then update the virus definitions for your locally-installed anti-virus software. Once done, you should Run a full system scan using the anti-virus software installed on your system. Clicking the link provided would be the worst choice as it will most likely install a host of malware on your system. Ignoring the message is unwise as your system has probably been infected with malware that should be removed. You shouldn't try to manually remove the virus as the message displayed by the rogue anti-virus attack is probably fictitious.
Account Lockout Policy
Use account lockout settings to protect user accounts from being guessed and to also prevent accounts from being used when hacking attempts are detected. Lockout policy settings are: > Account lockout threshold specifies the maximum number of incorrect logon attempts. Once the number has been reached, the account will be locked and logon disabled. A common setting is to lock the user account when three consecutive incorrect passwords have been entered. > Account lockout duration determines the length of time the account will be disabled (in minutes). When the time period expires, the account will be unlocked automatically. Setting this to 0 means that the account remains locked until manually unlocked by an administrator. > Reset account lockout counter after determines the amount of time (in minutes) that passes before the number of invalid attempt counter is reset. For example, if a user enters two incorrect passwords, the incorrect counter will be cleared to 0 after the timer has expired.
You have just installed a wireless access point (WAP) for your organization's network. You know that the radio signals used by the WAP extend beyond your organization's building and are concerned that unauthorized users outside may be able to access your internal network. Which of the following steps will BEST protect the wireless network? (Select TWO. Each option is a complete solution.) Disable SSID broadcast on the WAP. Use the WAP's configuration utility to reduce the radio signal strength. Install a radio signal jammer at the perimeter of your organization's property. Configure the WAP to filter out unauthorized MAC addresses. Disable the spread-spectrum radio signal feature on the WAP. Implement a WAP with a shorter range.
Use the WAP's configuration utility to reduce the radio signal strength. Configure the WAP to filter out unauthorized MAC addresses. To increase the security of the wireless network, you can use the WAP's configuration utility to reduce the radio signal strength. This will reduce or even eliminate signal emanation outside of your building. You can also configure the WAP to filter out unauthorized MAC addresses. Enabling MAC address filtering denies access to unauthorized systems.
What is the best countermeasure against social engineering? Acceptable use policy Strong passwords User awareness training Access auditing
User awareness training The best countermeasure to social engineering is user awareness training. If users understand the importance of security and the restrictions on types of information, they are less likely to reveal confidential information or perform unauthorized activities at the prompting of a stranger or a claimed identity over the phone.
While on a business trip, an employee accesses the company's internal network and transfer files using an encrypted connection. Which of the following digital security methods is being used? Firewall Access control list DLP VPN
VPN A Virtual Private Network (VPN) is an encrypted tunnel between remote users and a private network. Data Loss Prevention (DLP) programs or devices monitors operations such as file transfers and email for user activities that could compromise data security. An access control list contains users and groups of users that are granted access to files, folders, and other resources. Firewalls are placed between the company network and the internet to filter network traffic at the IP level. VPNs are usually allowed to tunnel through these firewalls. In some cases, both functions may be available on one device.
Your organization employs a group of traveling salespeople who need to access the corporate home network through the internet while they are on the road. You want to funnel remote access to the internal network through a single server. Which of the following solutions would be BEST to implement? Site-to-site VPN DMZ Host-to-host VPN VPN concentrator
VPN concentrator With a remote access VPN, a server on the edge of a network (called a VPN concentrator) is configured to accept VPN connections from individual hosts. Hosts that are allowed to connect using the VPN connection are granted access to resources on the VPN server or the private network. A demilitarized zone (DMZ), also called a screened subnet, is a buffer network (or subnet) that sits between the private network and an untrusted network (such as the internet). With a host-to-host VPN, two hosts establish a secure channel and communicate directly with each other. With a site-to-site VPN, the routers on the edge of each site establish a VPN connection with the router at the other location.
What is the common name for a program that has no useful purpose, but attempts to spread itself to other systems and often damages resources on the systems where it is found? Trojan Buffer overflow Virus Password attack
Virus A virus is the common name for a program that has no useful purpose, but attempts to spread itself to other systems and often damages resources on the systems where it is found. Viruses are a serious threat to computer systems, especially if they are connected to the internet. You should install anti-malware software on every computer in your network to protect against viruses. Trojan horses are programs that claim to serve a useful purpose, but hide a malicious purpose or activity. A buffer overflow is partially correct in that a buffer overflow may be used as an insertion vector for a virus. A password attack attempts to identify the password used by a user account.
Which of the following wireless security methods uses a common shared key configured on the wireless access point and all wireless clients? WPA Personal and WPA2 Personal WPA Enterprise and WPA2 Enterprise WEP WEP, WPA Personal, WPA Enterprise, WPA2 Personal, and WPA2 Enterprise WEP, WPA Personal, and WPA2 Personal
WEP, WPA Personal, and WPA2 Personal Shared key authentication can be used with WEP, WPA, and WPA2. Shared key authentication used with WPA and WPA2 is often called WPA Personal or WPA2 Personal. WPA Enterprise and WPA2 Enterprise use 802.1x for authentication. 802.1x authentication uses usernames and passwords, certificates, or devices such as smart cards to authenticate wireless clients.
Disable Wi-Fi Protected Setup (WPS)
While WPS makes wireless networks easier to manage, it also introduces security issues. For example, devices that support the PIN number method have been found to be susceptible to brute-force attacks. An attacker can simply send one PIN number after another to an access point until the correct one is identified. If the access point is not physically secured (which is common in small business and in homes) then attackers can use the push-button or NFC methods to associate their device with the access point. Because of these issues, a best practice is to disable WPS functionality on the access point.
Disk Encryption
Whole disk encryption encrypts the entire contents of a hard drive, protecting all files on the disk. > During system startup, a special key is required to unlock the hard disk. Without the key, data on the drive is inaccessible. Providing the key allows the system to decrypt files on the hard drive. > You cannot access the contents of an encrypted drive by moving it to another computer because the encryption keys needed to decrypt the data do not exist on the other computer system. > Most solutions provide for a backup recovery key that can be used to unlock the drive if the original key is lost. If both the encryption key and the recovery key are lost, data cannot be retrieved. > BitLocker is a Microsoft solution that provides whole disk encryption. BitLocker is supported on Ultimate or Enterprise editions of Windows. > You can implement BitLocker with or without a Trusted Platform Module (TPM) - When using BitLocker with a TPM, the key required to use the disk can be stored in the TPM. This means that the computer can boot without a prompt as long as the hard drive is in the original computer. - Without a TPM, the startup key must be stored on a USB drive. *On Windows 10, you can also supply a password at system boot to unlock a BitLocker-encrypted drive. - When the startup key is saved in the TPM, you can require an additional PIN or startup key that must be used to start the system. > You can use BitLocker to encrypt removable storage devices (such as USB flash drives).
13.10.4 Configure a Windows Firewall
You are the IT administrator for a small corporate network. The Office 1 computer needs the Windows Firewall enabled. In this lab, your task is to configure the Windows Firewall as follows: Turn on the Windows Firewall for the Public network profile only. In addition to the programs and ports currently allowed, allow the following service and applications for the Public network profile: Key Management Service Arch98 Apconf Complete this lab as follows: > Select Start. > Select Settings. > Maximize the window for easier viewing. > Select Network & Internet. > Select Windows Firewall. > In the left pane, select Turn Windows Firewall on or off to enable the firewall. > Under Public network settings, select Turn on Windows Firewall. > Click OK. > In the left pane, select Allow an app or feature through Windows Firewall to allow a program through the firewall. > Select Change settings. > For the Key Management Service, select the box in the Public column. > Select Allow another app to configure an exception for an uncommon program. > Select the program from the list. > Select Add. > For the program you just added, make sure the box in the Public column is selected. > For the program you just added, unmark the box in the Domain column. > Repeat steps 12-16 for additional programs. > Click OK.
13.8.4 Configure File Encryption
You are the IT administrator for a small corporate network. The employee in Office 1 shares her computer with other users. She needs your help to secure the contents of the D:\Finances folder so that unauthorized users cannot view the documents in the folder. In this lab, your task is to complete the following: Encrypt the D:\Finances folder and all of its contents. Add Emily as an authorized user for the D:\Finances\2018report.xlsx file. Complete this lab as follows: 1. Encrypt a folder as follows: > From the taskbar, open File Explorer. > Expand This PC. > Select Data (D:). > Right-click Finances and select Properties. > Select Advanced. > Select Encrypt contents to secure data; then click OK. > Click OK to close the Finances Properties window. > Make sure Apply changes to this folder, subfolder and files is selected; then click OK. Notice the lock that appears over the Finances folder. 2. Authorize users for a file as follows: > Double-click Finances. > Right-click 2018report.xlsx and select Properties. > Select Advanced. > Select Details. > Select Add. > Select Emily; then click OK. > Click OK. > Select OK to close the Advanced Attributes dialog. > Click OK to close the 2018report.xlsx Properties window.
13.7.5 Enforce Password Settings
You are the IT administrator for a small corporate network. You are attempting to improve the password security of the Windows 10 laptop in the Lobby. In this lab, your task is to use the Local Security Policy tool to configure password restrictions as follows: Passwords must be at least 10 characters long. Passwords must be changed every 30 days. New passwords cannot be the same as the previous 4 passwords. New passwords cannot be changed for at least 2 days. Passwords must contain non-alphabetical characters. Lock the user account after 4 incorrect logon attempts within a 30 minute period. Automatically unlock locked accounts after 1 hour. Policy changes will not be enforced within the simulation. Require passwords of 10 characters or more Force password changes every 30 days Remember the last 4 passwords Do not allow password changes within 2 days Require complex passwords Lock accounts after 4 invalid attempts Count bad logon attempts within a 30 minute period Unlock locked accounts after 60 minutes Complete this lab as follows: > Select Start > Select Windows Administrative Tools. > Select Local Security Policy. > In the left pane, expand Account Policies. > Select Password Policy. > Double-click the policy you want to configure. > Configure the policy settings. > Click OK. > Repeat steps 6-8 to configure additional policies. > Select Account Lockout Policy. > Repeat steps 6-8 to configure policy settings. *Select the Explain tab for a description of the effects of the policy to help you identify which policy to configure with which value.
13.5.4 Configure BIOS/UEFI Security
You are the IT administrator for a small corporate network. You need to configure additional security in the BIOS for the computer in Office 1. In this lab, your task is to complete the following: Restart the computer. As the computer boots, press F2 to enter the BIOS configuration utility. Configure the following security settings:Add an Admin password used to make changes to BIOS settings. Use t67xab1 for the password.Add a password that prevents hard disk access even when the hard disk is moved to another system. Use dog8b0b for the password. (0 is a zero.)Enable chassis intrusion detection to show an alert during POST when an intrusion is detected.Enable the TPM.Save your changes. When you are finished, restart the computer to verify the changes you have made. At the bottom of the BIOS window, select Send Ctrl + Alt + Del to restart the computer if necessary. Complete this lab as follows: 1. Set Admin password as follows: Select Start. Select Power. Select Restart. When you see the BIOS loading screen, press F2 to enter the BIOS. On the left, expand Security. Select Admin Password to set the admin password. In the Enter the new password field, type t67xab1. In the Confirm new password field, type t67xab1. Click OK. 2. Set hard disk password as follows: On the left, select Internal HDD-1 Password to configure a hard drive password. In the Enter the new password field, type dog8b0b. (0 is a zero.) In the Confirm new password field, type dog8b0b. (0 is a zero.) Click OK. Read the Warning message on the screen. Select Yes. 3. Enable intrusion detection as follows: On the left, select Chassis Intrusion. Select Enable. Click Apply. 4. Enable TPM as follows: On the left, select TPM Security. On the right, select TPM Security. Select Apply. Select Activate. Select Apply. Click Exit. To exit and save the changes. The system reboots. 5. Verify the changes made as follows: Press Delete during the BIOS load to test the admin password. When you are prompted for the Admin password, enter t67xab1. The Admin password was set correctly. Select OK. Select Exit to exit the BIOS. When prompted for the hard drive password, type dog8b0b. (0 is a zero.) Press Enter. The hard drive password was set correctly. The system loads the operating system.
13.11.4 Use a Proxy Server
You are the IT administrator for a small corporate network. You need to configure the laptop computer in the Lobby to use the corporate proxy server. The proxy server is used to control access to the internet. In this lab, your task is to configure the proxy server settings as follows: Address: proxy.corpnet.com Port: 9000 Complete this lab as follows: > From the taskbar, open Internet Explorer. > To the right of the URL field, select Tools. > Select Internet options. > Select the Connections tab. > Select LAN settings. > Enable Use a proxy server for your LAN. > In the Address field, enter proxy.corpnet.com. > In the Port field, enter 9000. > Click OK. > Click OK.
Passwords
You can configure passwords in the BIOS/UEFI configuration to control access to the system. > If set, the administrator password (sometimes called the supervisor or setup password) requires the user to authenticate in order to enter the setup program to make changes to BIOS/UEFI configuration. > If set, the user password (sometimes called the system or power on password) requires the user to authenticate in order to boot the operating system. Usually, the administrator password can also be used to start the system. BIOS/UEFI passwords offer only a limited degree of protection. > Passwords can typically be cleared by removing the motherboard battery or setting a motherboard jumper. > If you have set an administrator password and then find the password is no longer set, you know that someone has tampered with the system. > Use a chassis lock to prevent users from opening the case to reset passwords.
Non-TPMSecurity
You have the following options for implementing Bitlocker on systems without a TPM chip: > You can save the BitLocker key on a USB device. The USB device is inserted before starting the computer and provides authentication before the operating system drive is decrypted. *The BIOS must support reading USB devices during startup. > Windows 8 and later allows you to configure an unlock password for the operating system drive. To use this feature, enable Configure Use Of Passwords For Operating System Drives policy in the Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives node of Computer Configuration. > Windows supports authentication using a smart card certificate. The smart card certificate is stored on a USB device and is used similarly to the BitLocker key on a USB device.
13.12.4 Configure a VPN Connection
You need to configure a VPN connection on a laptop in your organization. The user needs to be able to establish a secure connection to the company network while working on the road. You need to choose a VPN type that operates using firewall ports that are left open on most networks. You need to use the most secure password-based authentication possible without using a smart card. It isn't necessary to specify a domain when configuring this VPN connection. In this lab, your task is to complete the following: Configure a VPN connection on Exec-Laptop using the following settings: VPN provider: Windows (built-in). Connection name: SalesVPN. Server address: 198.10.20.12. VPN type: Secure Socket Tunneling Protocol (SSTP). SSTP works by encapsulating PPP traffic over the SSL channel of the HTTPS protocol. This type of VPN runs on port 443, which is typically left open in most network firewalls. Don't allow Windows to remember authentication credentials. Set the following VPN security properties: Authentication: Microsoft: Secured password (EAP-MSCHAP v2). This is the most secure password-based authentication protocol. Connect to SalesVPN Username: MaryS49 Password: Sm4rt72# Complete this lab as follows: 1. Create a VPN connection on Exec-Laptop as follows: > In the notification area, right-click the Network icon and select Open Network & Internet settings. > Maximize the window for easier viewing. > On the left, select VPN. > Select Add a VPN connection. > Under VPN provider, select Windows (built-in). > In the Connection name field, enter SalesVPN. > In the Server name or address field, enter 198.10.20.12 for the server address. > Under VPN type, select Secure Socket Tunneling Protocol (SSTP). > Under Type of sign-in info, make sure User name and password is selected. > Unmark Remember my sign-in info. > Click Save. 2. Set VPN security properties on Exec-Laptop as follows: > Select Change adapter options. > Right-click SalesVPN and select Properties. > Select the Security tab. > Under Type of VPN, make sure Secure Socket Tunneling Protocol (SSTP) is selected. > Under Authentication, select Use Extensible Authentication Protocol (EAP). > From the drop-down list, select Microsoft: Secured password (EAP-MSCHAP v2). > Select OK. > Close the Network Connections window. 3. Connect to SalesVPN as follows: > Under VPN, select SalesVPN. > Select Connect. > In the User name field, enter MaryS49 as the username. > In the Password field, enter Sm4rt72# as the password. > Click OK .
Manage Antenna Placement
You need to reduce data emanation as much as possible. If your network's radio signal emanates outside your facility, an attacker can intercept that signal and potentially gain access to your organization's computer network. You can minimize data emanation by doing the following: > Consider where wireless access points are placed and where their antennae are transmitting the wireless network's radio signal. Be aware that omni-directional wireless access points transmit in all directions with equal signal strength. If placed near an exterior wall, these antennae will transmit the wireless network's radio signal outside the structure. > Implement directional antennas, which can be aimed in a certain direction. Use these antennae to ensure your wireless network's radio signal is aimed only towards the interior of your facility.
13.6.6 Configure Windows Defender
You recognize that the threat of malware is increasing, even for your home computer. You want to use Windows Defender to protect your home computer from malware. In this lab, your task is to configure Windows Defender as follows: Add a file exclusion for D:\Graphics\cat.jpg. Add a process exclusion for welcome.scr. Update protection definitions before performing the scan. Perform a quick scan. Complete this lab as follows: 1. Add a file exclusion as follows: In the search field, enter Windows Defender. Under Best match, select Windows Defender. Maximize the window for easier viewing. Select Virus & threat protection. Select Virus & threat protection settings. Under Exclusions, select Add or remove exclusions. Select the + (plus sign) next to Add an exclusion. From the drop-down lists, select File. Under This PC, expand Data (D:). Select Graphics. Select cat.jpg. Select Open. 2. Add a process exclusion as follows: Select the + (plus sign) next to Add an exclusion. From the drop-down lists, select Process. In the Enter process name field, enter welcome.scr. Select Add. 3. Update protection definitions as follows: In the left menu, select the shield icon. Select Protection updates. Select Check for updates. 4. Perform a quick scan as follows: In the left menu, select the shield icon. Under Scan History, select Quick Scan to run a quick scan now.
Change Default Usernames and Passwords
You should change the default username and password used on wireless access points. The default username and password assigned to a device by the manufacturer are widely known and posted on the internet.
Maintain Firewalls
You should ensure that network hosts are protected by a firewall. A firewall monitors incoming and outgoing network traffic to make sure it is allowed by the organization's security policy. Firewalls should be implemented: > On each individual host > On the network itself The validity of network traffic is determined by the access control list (ACL) configured on the firewall. To increase the security of your wired network, ensure your firewall ACLs are configured to allow only authorized traffic on the network. The best way to do this is to start with all traffic blocked. This is usually enabled by default on most network firewalls using a preconfigured implicit deny rule in all ACLs. Then add ACL rules that allow specific types of traffic through the firewall that are permitted by your organization's security policy. If network traffic that does not match any allow rules in the ACL tries to go through the firewall, it will be denied by default.
Implement Encryption and Authentication
You should implement encryption and authentication on your wireless network using the strongest algorithms available: > Avoid implementing an open (unencrypted) network. > Avoid using WEP to protect the network. A WEP key can be cracked quickly with software available on the internet. > Use one of the following versions of WPA2 to implement wireless encryption and authentication: - WPA2-PSK is best suited for wireless networks used by home or small business users. WPA2-PSK requires the same pre-shared key to be configured on the access point and on each wireless client. This key is used to both authenticate the host to the wireless network and to encrypt transmissions. - WPA2-Enterprise is a best suited for wireless networks that are part of a large corporate network. WPA2-Enterprise requires a separate authentication process to access the wireless network. Whenever a host wants to connect, credentials are forwarded to a RADIUS server for authentication.
13.6.9 Malware Protection Facts
You should protect all systems with malware protection software in order to help prevent infections and remediate systems if an infection occurs. This lesson covers the following topics: Malware Malware symptoms Malware infection remediation
13.7.6 Manage Linux Passwords
You use a special user account called administrator to log on to your computer; however, you think someone has learned your password. You are logged on as Administrator. In this lab, your task is to change your password to r8ting4str. The current administrator account uses 7hevn9jan as the password. As you type in the password, the cursor will not move. Continue entering the password anyway. Complete this lab as follows: > At the prompt, type passwd and press Enter. > When prompted, enter 7hevn9jan as the current password and press Enter. > At the New password prompt, enter r8ting4str and press Enter. > Retype r8ting4str as the new password and press Enter.
In which of the following situations should you install a firewall? You want to improve internet performance by saving popular websites locally. You want internet users to see a single IP address when accessing your company network. You want to restrict internet users from accessing private data on your network. You want to implement a password system for internet users who access your private website.
You want to restrict internet users from accessing private data on your network. Firewalls limit traffic by blocking connections that are initiated from an untrusted network, such as the internet, unless the traffic matches rules you configure in the firewall's access control list (ACL).
A large number of compromised computers are infected with malware that allows an attacker (herder) to control them to spread email spam and launch denial-of-service attacks. Which of the following does this security threat describe? Spoofing Man-in-the-middle Phishing Zombie/botnet
Zombie/botnet Devices that are infected with malware that can be remote controlled by an attacker are known as zombies. A collection of these zombies that are controlled by the same attacker are known as a botnet (robot network). Phishing is an attempt to trick a user into compromising personal information or downloading malware. Most often, it involves an email containing a malicious attachment or hyperlink. A man-in-the-middle (MITM) attack intercepts communications between two systems and alters the message before sending it on to the original recipient. Spoofing is when an entity misrepresents itself by using a fake IP address or, more commonly, a fake email address that resembles a real address. The person being spoofed may not immediately discover that the address is fake.
Use Strong Passwords
A strong password is one that: > Is at least 8 characters long (longer is better) > Is not based on a word found in a dictionary > Contains both upper-case and lower-case characters > Contains numbers > Does not contain words that can be associated with you personally > Is changed frequently
Notification
After you have analyzed the attack and gathered evidence, be aware that in some states you will be required to notify individuals if their personal information might have been compromised. For example, if an incident involves the exposure of credit card numbers, identifying information (such as Social Security numbers), or medical information, you might be legally obligated to notify potential victims and take measures to help protect their information from further attack.
Acceptable Use Policy (AUP)
An Acceptable Use Policy (AUP) defines an employee's rights to use company property, such as: > Using computer equipment > Accessing data stored on company computers > Using the company's network > Accessing the internet through the organization's network For example, the AUP may identify whether users are allowed to: > Connect their personally-owned mobile devices to the organization's wireless network. If they are, it may also specify rules for what internet resources they are allowed to access using those devices. > Use company-owned computers for personal uses, such as shopping for personal items on ecommerce websites. The AUP should also set expectations for user privacy when using company resources. Privacy is the right of individuals to keep personal information from unauthorized exposure or disclosure. However, when using company-owned resources, organizations may need to monitor and record employee actions. To protect against potential legal issues, the AUP should disclose when employees may expect such monitoring to occur. For example, the AUP should: > Clearly communicate that monitoring may occur. > Define the types of activities that will be monitored. It is common for a business to reserve the right to monitor all activities performed on company computers, even if those activities might be of a personal nature. > Comply with all legal requirements for privacy. For example, personal medical information is protected and cannot be shared without prior authorization.
13.2 Incident Response
As you study this section, answer the following questions: - What actions should be taken when an incident occurs? - What types of things would a computer forensic investigator want to analyze if he selected a live analysis rather than a dead analysis? - What methods can be used to save the contents of memory as part of a forensic investigation? - How should you ensure the integrity of collected digital evidence? - Why is chain of custody so important to forensic investigations?
13.4 Social Engineering
As you study this section, answer the following questions: > What characteristics of human nature does social engineering exploit? > Who is usually the target of social engineering? > How can dumpster diving give attackers valuable information? > How can you prevent unauthorized persons from entering your facility? > What are the characteristics of a phishing attack? > What kind of information is classified as personally identifiable information? What are some industry or government regulations that protect customers from personal data theft? > What is the best defense against a social engineering attack? Key terms for this section include the following:
Don't Use Default User Names
Avoid using default user names, such as Administrator. Change these names to something else.
Jose, a medical doctor, has a mobile device that contains sensitive patient information. He is concerned about unauthorized access to the data if the device is lost or stolen. Which of the following is the BEST option to prevent this from happening? Install a locator application on the device so that it can be traced. Configure the device to remote wipe as soon as it reported lost. Configure the device for multifactor authentication. Configure the device to wipe after a number of failed login attempts.
Configure the device to remote wipe as soon as it reported lost. Mobile devices can be configured to be perform a factory reset or wipe when the device is reported lost or stolen. This is the BEST of the presented options. Configuring the device for multifactor authentication will make it harder to hack, but is not the best solution presented. Installing a locator application on the device makes it possible to trace, but is not the best solution presented. Configuring the device to wipe after a number of failed login attempts is a good solution, but not the best solution presented.
One of the Windows workstations you manage has four user accounts defined on it. Two of the users are limited users while the third (your account) is an administrative user. The fourth account is the Guest user account, which has been enabled to allow management employees convenient workstation access. Each limited and administrative user has been assigned a strong password. File and folder permissions have been assigned to prevent users from accessing each other's files. Autorun has been disabled on the system. Which of the following actions is MOST likely to increase the security of this system? Enable autorun on the system. Change the two limited user accounts to administrative users. Change your user account to a limited user. Disable the Guest account.
Disable the Guest account. The Guest user account has no password and provides too much access to the system. Unless you have an overriding reason to do so, the Guest user account should remain disabled. Changing your administrative user account to a limited user would prevent you from completing management tasks on the workstation. Changing the two limited user accounts to administrative users would decrease the security of the system as would enabling autorun functionality.
A technician upgrades the hard drive on a computer in the accounting department and decides to donate the old drive to a local trade school. Which of the following is the BEST method to ensure that the accounting data can't be recovered? diskpart format Degauss Standard format Drive wipe
Drive wipe Drive wipe is a software-based method of overwriting the actual data that makes up files on the hard drive. The overwriting process is performed multiple times to remove the magnetic traces of previous data. The drive remains usable after a disk wipe. A standard format removes only the reference to files and does not remove the actual data that made up the files. Software tools can easily recover this data. Degaussing a disk removes the data, but also removes lower-level formatting making the disk unusable for the local trade school. Like a standard format, data from a disk that is repartitioned using diskpart can be recovered.
A technician wants to destroy the data on a hard drive and repurpose it as a spare drive. Which of the following data destruction methods allow the reuse of the hard drive? Shredding Drive wipe Degaussing Incineration
Drive wipe Drive wipe is a software-based method of overwriting the actual data that makes up files on the hard drive. The overwriting process is performed multiple times to remove the magnetic traces of previous data. The drive remains usable after a disk wipe. Incineration completely destroys both the data and the physical hard drive. Degaussing destroys the data on a hard drive, but also removes the low-level formatting. Degaussing can also destroy the electronic hardware in the drive. In either case, the drive will be unusable. Shredding completely destroys both the data and the physical hard drive.
Computer Tracking Service
If you are concerned about stolen devices being used to view confidential data, you can sign up for a computer tracking service. These services can help locate stolen devices, or take other actions such as deleting data or disabling the device. Remember that: > Most services use the IP address or a wireless signal to locate the device. The device must connect to the internet to be located. > Tracking protections might work only as long as the original hard drive has not been reformatted. > Some device manufacturers can help you track stolen devices by registering the service tag on the device. If technical support is requested for a stolen device, they can alert the authorities. > Many mobile devices can be remotely disabled using cellular signals that do not rely on an internet connection.
You have implemented a regular backup schedule for a Windows system, backing up data files every night and creating a system image backup once a week. For security reasons, your company has decided to not store a redundant copy of the backup media at an offsite location. Where would be the next best place to keep your backup media? In a locked fireproof safe. In a locked room. In a drawer in your office. On a shelf next to the backup device.
In a locked fireproof safe. If you can't store backup tapes at an offsite location, you should make sure that the backup tapes are locked up (for security), and that measures are taken to protect the tapes from a disaster (such as a fire). Strategies such as locking the tapes in a different room, keeping them on a shelf, or storing them in a drawer do not address both concerns.
Masquerading
Masquerading refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access. > The attacker usually poses as a member of senior management. > A scenario of distress is fabricated to the user to convince them that the actions are necessary.
Phishing
Phishing uses an email and a spoofed website to gain sensitive information. In a phishing attack: > A fraudulent message that appears to be legitimate is sent to a target. > The message requests the target to visit a website which also appears to be legitimate. > The fraudulent website requests the victim to provide sensitive information such as the account number and password. Hoax virus information email are a form of a phishing attack. This type of attack preys on email recipients who are fearful and will believe most information if it is presented in a professional manner. All too often, the victims of these attacks fail to double check the information or instructions with a reputable third-party antivirus software vendor before implementing the recommendations. Usually these hoax messages instruct the reader to delete key system files or download Trojan horses.
You have a set of DVD-RW discs that have been used to archive files for your latest development project. You need to dispose of the discs. Which of the following methods should you use to BEST prevent extracting data from the discs? Delete the data on the discs Write junk data over the discs 7 times Degaussing Shredding
Shredding To completely prevent reading data from discs, destroy them using a DVD shredder or crushing. Degaussing only works for magnetic media such as floppy and hard disk drives. Simply deleting data offers little protection. Overwriting the data multiple times is not efficient in this scenario as the discs can simply be destroyed.
Mobile Devices
Some organizations implement security policies that forbid users from connecting their personal mobile devices to the organizational network (wired or wireless). Some organizations allow mobile devices; in fact, they may even provision users with mobile devices. However, there is a risk in this situation that company data may be copied to these devices that could be compromised if a device is lost. As a safeguard, many of these organizations require that remote wipe be enabled on the device such that if it is lost or stolen, a command can be sent remotely to the device to remove all data on it.
Disable the Guest User Account
The Guest user account has no password and provides too much access to the system. The Guest user account should remain disabled.
User Education and Awareness Policy
The strongest technological security measures can be quickly defeated if employees engage in unsafe behaviors, such as: > Clicking links in a phishing email. > Visiting malicious websites. > Responding to social engineering attempts. > Downloading and installing unauthorized software. Employee awareness is the key to prevent these behaviors. The User Education and Awareness Policy is designed to: > Familiarize employees with the organization's security policy. > Communicate standards, procedures, and baselines that apply to the employee's job. > Facilitate employee ownership and recognition of security responsibilities. > Explain how to respond to security events. > Establish reporting procedures for suspected security violations.
You are responsible for disposing of several old workstations formerly used by accountants in your organization's Finance department. Before being shipped to a computer recycler, you decide to make sure any old data on the hard drives is erased. To do this, you use the Windows XP Installation CDs that came with these systems to delete all partitions from the hard drives. Which of the following BEST describes what needs to be done before the systems are ready to be recycled?
Use disk wiping software to fully erase the drives on the systems. You should use disk wiping software to fully erase the drives. The problem here is that partitioning and even reformatting doesn't completely remove old data from the drive. Data could potentially be recovered from the drive. To keep this from happening, you should use disk wiping software to erase the drive and write random characters multiple times to the drive to completely destroy any old data.
Storage Media Disposal
When disposing of data storage media, make sure to remove any sensitive data, especially data containing personal health or financial information. Simply deleting data is insufficient as deleted files can still be recovered. Data remanence are remnants of data (after the data has been erased) that allow the data to be recovered and reconstructed by data recovery software. > If you will be reusing a disk, use data wiping software to remove any remnants. This software writes a random series of bits multiple times to each cluster on the disk. > When disposing of magnetic media, you can use degaussing with a strong magnet to remove any traces of data. > When disposing of optical media, shred or physically destroy discs (some paper shredders can also handle optical discs). Degaussing does not work with optical media because the media does not use magnetic fields for storing data.
13.3.6 Require a Screen Saver Password
You are the IT administrator for a small corporate network. The receptionist in the Lobby is concerned that while she is away from her desk, someone might be able to access files on her computer. You need to help her protect her computer with a screen saver that requires a password. In this lab, your task is to complete the following: Enable the screen saver (you choose the screen saver type to use). Start the screen saver after 10 minutes of inactivity. Show the logon screen when the computer wakes up. Complete this lab as follows: > Right-click the desktop and select Personalize. > Maximize the window for easier viewing. > From the left menu, select Lock Screen. > Select Screen saver settings. > Under Screen Saver, select the screen saver to use. > In the Wait field, enter 10. > Select On resume, display logon screen. > Click OK.
Building security
Access control to the location where the computers are located.
Which of the following security practices are the BEST example of the principle of least privilege? Autorun has been disabled on a Windows workstation. All users on a Windows workstation have been assigned strong passwords. The Guest user account on a Windows workstation has been disabled. All users on a Windows workstation are limited users except for one user, who is responsible for maintaining the system.
All users on a Windows workstation are limited users except for one user, who is responsible for maintaining the system. The principle of least privilege specifies that users should have only the degree of access to the workstation necessary for them to complete their work and no more. Making all users limited users except for those who need administrative access is an example of the principle of least privilege. The other practices listed are workstation security best practices, but are not necessarily examples of the principle of least privilege.
Organizational Security Policy
An Organizational Security Policy is a high-level overview of the organization's security program. The Organizational Security Policy is usually written by security professionals, but must be supported and endorsed by senior management. This policy usually identifies: > Roles and responsibilities to support and maintain the elements of the security program > What is acceptable and unacceptable regarding security management > The rules and responsibilities for enforcement of the policy
Password Policy
An organization's Password Policy identifies the requirements for passwords used to authenticate to company-owned systems. For example, this policy may specify: > Accounts should be disabled or locked out after a certain number of failed login attempts. > Users should be required to change their passwords within a certain time frame. > Users may not reuse old passwords. > Users must use strong passwords. Strong passwords should contain - Multiple character types, including uppercase letters, lowercase letters, numbers, and symbols. - A minimum of eight characters. (More is better.) > User passwords should never contain: - Words found in the dictionary. - Personally-identifiable information, such as an employee's spouse's name, child's name, birth date, favorite sports teams, etc. - Part of a username or email address
You have been asked to draft a document related to evidence gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. What type of document is this? CPS (certificate practice statement) Chain of custody FIPS-140 Rules of evidence
Chain of custody The chain of custody is a document related to evidence gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. A CPS (certificate practice statement) is a document written by a certificate authority outlining their certificate handling, management, and administration procedures. FIPS-140 is a government standard that defines procedures, hardware, and software that can be employed when performing forensic investigations of cyber crime. The rules of evidence are the restrictions that must be adhered to in order to ensure the admissibility of collected evidence.
Joe, a bookkeeper, works in a cubicle environment and is often called away from his desk. Joe doesn't want to sign out of his computer each time he leaves. Which of the following are the BEST solutions for securing Joe's workstation? (Select TWO). Change the default account names and passwords. Set a strong password. Configure the screen lock to be applied after short period of nonuse. Apply multifactor authentication. Configure the screen saver to require a password.
Configure the screen lock to be applied after short period of nonuse. Configure the screen saver to require a password. The BEST solution is to configure the screen saver or screen lock to be applied after a short period of nonuse and to require a password to return to the desktop. Setting a strong password is a best practice, but is not the best solution in this scenario. Applying multifactor authentication will make it harder to hack the workstation, but is not the best solution in this scenario. Change the default account names and passwords will make the workstation more secure, but is not the best solution in this scenario.
You work for a company that offers their services through the internet. Therefore, it is critical that your website performs well. As a member of the IT technician staff, you receive a call from a fellow employee who informs you that customers are complaining that they can't access your website. After doing a little research, you have determined that you are a victim of a denial of service attack. As a first responder, which of the following is the next BEST step to perform? Identify the issue further. Investigate how the attack occurred. Eradicate the issue. Contain the issue.
Contain the issue. You have already identified the issue, so the next step is to take actions to stop the attack and contain the damage. Although it is important to preserve as much information as possible to assist in later investigations, it might be better to stop the attack, even if doing so alerts the attacker or results in the loss of evidence regarding the attack. After the attack is contained, the forensic team should be contacted to investigate, eradicate the issue, and perform other tasks to bring this incident to a close.
Employees in a small business have a habit of transferring files between computers using a USB flash drive and often bring in files from outside the company. Recently, a computer was infected with malware from a USB flash drive even though the employee did not access any files. Which of the following options would prevent this issue in the future? Set strong passwords. Enable BitLocker. Disable autorun. Configure screen savers to require a password.
Disable autorun. Disabling autorun would prevent the malware from installing when the flash drive was attached. Setting strong passwords is a best practice, but would not prevent the malware on a flash drive from installing. BitLocker is used to encrypt drives and will not prevent malware on a flash drive from installing. Configure screen savers to require a password is a best practice, but would not prevent the malware on a flash drive from installing.
Your client has hired you to evaluate their wired network security posture. As you tour their facility, you note the following: Server systems are kept in a locked server room. User accounts on desktop systems have strong passwords assigned. A locked door is used to control access to the work area. Users must use ID badges to enter the area. Users connect their personal mobile devices to their computers using USB cables. Users work in three 8-hour shifts per day. Each computer is shared by three users. Each user has a limited account on the computer they use. Based on this information, which of the following would you MOST likely recommend your client do to increase security? Provision each employee with their own computer system. Assign users easy-to-remember simple passwords so they won't be tempted to write them down. Disable the USB ports on user's workstations. Move the server systems to an empty cubicle in the work area.
Disable the USB ports on user's workstations. Users connecting their personal mobile devices to their computers using USB cables represents a significant security risk. Malware could be spread throughout the network. They could also copy sensitive information from the network to the device. Disabling all USB ports on all workstations will prevent this from happening. You should configure the BIOS/UEFI firmware with a password to prevent users from re-enabling the ports. Moving the server to an empty cubicle and assigning simple passwords will decrease the overall security of the network. It isn't necessary for each employee to have their own dedicated computer system.
13.3.4 Configure Remote Wipe
Maggie Brown has lost her iPad. She has a lot of sensitive data on the iPad, and she is concerned that it could fall into the wrong hands. She would like you to help her remotely wipe the iPad. In this lab, your task is to assist her with the remote wipe as follows: Browse to icloud.com and login using the following credentials: Apple ID: [email protected]: maggieB123 Using Find iPhone, select her iPad and erase it. Enter a phone number and message to be displayed on the iPad. Complete this lab as follows: > In the URL field in Chrome, enter icloud.com and press Enter. > Maximize the window for easier viewing. > In the Sign in to iCloud field, enter [email protected] and press Enter. > Enter maggieB123 and press Enter. > Select Find iPhone. > Select All Devices. > Select Maggie's iPad. > Select Erase iPad. > Select Erase. > In the Enter AppleID to continue field, enter [email protected] and press Enter. > Enter maggieB123 and press Enter. > In the Number field, enter a phone number of your choosing to be displayed on the iPad. Click Next. > Enter a message of your choosing to be displayed on the iPad. > Click Done. > Click OK.
Code of Ethics
Many organization's implement a code of ethics to prevent user-facilitated security issues. A code of ethics is a set of rules or standards that define ethical behavior. Because the issues involved in different situations may vary and can be quite complex, the code of ethics does not prescribe actions for every situation. Instead, it identifies general principles of ethical behavior that can be applied to various situations. For example, a company's code of ethics may require that everyone: > Conduct themselves in accordance with the highest standards of moral, ethical, and legal behavior. > Not commit or be a party to any unlawful or unethical act that may negatively affect their professional reputation or the reputation of the organization. > Appropriately report activity related to the profession that they believe to be unlawful. > Openly cooperate with ongoing investigations.
You have purchased new computers and will be disposing of your old computers. These computers were previously used for storing highly-sensitive customer order information, including credit card numbers. To properly protect the accidental discovery of the company's sensitive information, which of the following steps MUST be completed prior to getting rid of the computers? Repartition the hard drives. Reformat the hard drives. Reinstall a fresh copy of Windows on the drives. Physically destroy the hard drives with a hammer. Delete user data and applications from the hard drives.
Physically destroy the hard drives with a hammer. Because the hard drives contained very sensitive information (such as credit card numbers), the best solution in this scenario is to physically destroy the drives. For example, they could be rendered useless with a hammer or hard disk shredder. Reinstalling Windows, repartitioning the drives, or even reformatting them will not remove all data remnants. Deleting data and applications from the hard drives also will not permanently remove data from the system.
A technician assists Joe, an employee in the sales department who needs access to the client database, by granting him administrator privileges. Later, Joe discovers he has access to the salaries in the payroll database. Which of the following security practices was violated? Multifactor authentication Strong password policy Principle of least privilege Entry control roster
Principle of least privilege The technician violated the principle of least privilege, the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. Strong passwords are recommended to prevent unauthorized access, but in this scenario, the database is not password-protected. Multifactor authentication is the process of authenticating a user by validating two or more claims presented by the user, each from a different category, such as a password and the possession of a mobile phone, or a password and a fingerprint. Security personnel can grant access to a physical area using the entry control roster. A database is not normally protected by physical security.
During an airline flight, a laptop user makes last-minute changes to a presentation that contains sensitive company information. Which of the following would make it difficult for other passengers to view this information on the laptop display? Mantrap Cable lock Smart card Privacy filter
Privacy filter A privacy filter narrows the viewing angle of the laptop display so that only the person directly in front can see the display. A cable lock can be used to secure valuable items that can be easily removed from the workplace, like laptops. It would do nothing to prevent others from viewing the laptop display. Smart cards can provide authentication, but do nothing to prevent others from viewing the laptop display. A mantrap is used to control access between two areas that have different security levels. It helps prevent tailgating by requiring that the entry into the mantrap from one area close before entry to the second area is possible.
Match each security policy on the left with the appropriate description on the right. Each security policy may be used once, more than once, or not at all.
Provides a high-level overview of the organization's security program. Organizational Security Policy Defines an employee's rights to use company property. Acceptable Use Policy Identifies the requirements for credentials used to authenticate to company-owned systems. Password Policy Identifies a set of rules or standards that define personal behaviors. Code of Ethics Sets expectations for user privacy when using company resources. Acceptable Use Policy Specifies that user accounts should be locked after a certain number of failed login attempts. Password Policy An Organizational Security Policy is a high-level overview of the organization's security program. An Acceptable use Policy (AUP) defines an employee's rights to use company property. The AUP should also set expectations for user privacy when using company resources. Password Policy identifies the requirements for passwords used to authenticate to company-owned systems. For example, this policy may specify that user accounts should be disabled or locked out after a certain number of failed login attempts.
Removable Storage
Removable media is any type of storage device that can store data and be easily removed and transported to other locations. Removable media includes floppy disc, tape, USB/flash storage, CD/DVD, and external hard drive. Removable storage: > Increases the threat of removal and theft of sensitive data. Users can copy sensitive data to portable devices, or media containing data may be lost or easily stolen. > Increases the chances of introduction of malware. Be aware of the following recommendations for protecting removable media: > In secure environments, remove and disable removable media devices to prevent copying data to or from the device. You can disable USB and IEEE 1394 ports in the BIOS and require a BIOS password to edit BIOS settings. However, this may also disable necessary USB devices such as the mouse and keyboard. You can use endpoint management software to disable USB ports on a system if storage devices are connected, but enable them if a mouse or keyboard is connected. > Use USB port locks to block all ports and ensure no USB will be inserted into the devices. > Keep backup media and other removable media in a secure location. > If possible, use disk encryption to prevent users from being able to read data on removable media.
You provide desktop support at the branch office of a bank. One of the Windows workstations you manage is used by a bank employee to set up new customer accounts and fill out customer loan applications. Each user account on the system has been assigned a strong password. A cable lock has been installed to prevent it from being stolen. Which of the following steps could be completed to BEST increase the security of this system? (Select TWO). Remove the optical drive Move the system to a locked room Disable the network jack to which the system is connected Disable all USB ports in the BIOS/UEFI firmware configuration Disconnect the system from the network
Remove the optical drive Disable all USB ports in the BIOS/UEFI firmware configuration Because this system is used in a public are in close proximity to customers, you should disable all USB ports in the BIOS/UEFI firmware configuration and also remove the optical drive if it is capable of burning optical discs. This will help prevent data from being stolen from the system if it is left unattended. Because this system is used by bank personnel to service customers, it really can't be locked in a separate room. Likewise, disconnecting from the network or disabling its network jack would also make it unable to perform its required function.
You provide desktop support at the branch office of a bank. One of the Windows workstations you manage is used to set up new customer accounts and fill out customer loan applications. Each user account on the system has been assigned a strong password. File and folder permissions have been assigned to prevent users from accessing each other's files. Which of the following would MOST likely increase the security of this system? (Select TWO. Each option is a complete solution.) Enable the Guest account. Make user accounts members of the Administrators group. Secure the computer system to the desk with a cable lock. Assign each user a simple password so they won't be tempted to write it down. Install a privacy filter on the monitor.
Secure the computer system to the desk with a cable lock. Install a privacy filter on the monitor. Because this system is used in close proximity to customers, you should install a privacy filter on the monitor. The privacy filter prevents customers from viewing sensitive information displayed on the monitor (such as usernames, passwords, and account numbers). You should also secure this system to the desk with a cable lock. Securing the computer to the desk prevents a malicious person from stealing the computer and all of the sensitive information it contains. Enabling the Guest user account would decrease the security of the system as would assigning simple passwords to user accounts and making all users members of the Administrators group.
One of the Windows workstations you manage has three user accounts defined on it. Two of the users are limited users while the third (your account) is an administrative user. Each limited and administrative user has been assigned a strong password. File and folder permissions have been assigned to prevent users from accessing each other's files. Which of the following would MOST likely increase the security of this system? (Select TWO). Set a screensaver password. Change the two limited user accounts to restricted users. Enable the Guest account. Disable autorun on the system. Assign each user a simple password so they won't be tempted to write it down.
Set a screensaver password. Disable autorun on the system. You could increase the overall security of this system by disabling autorun on the system and setting a screensaver password. Enabling the Guest user account would decrease the security of the system, as would assigning simple passwords to user accounts. There's no such thing as a restricted user on Windows operating systems.
Block Untrusted Software Sources
Software from untrusted sources could potentially contain malware. In fact, many modern network exploits attempt to trick users within an organization into downloading and installing malicious software. By doing this, an attacker can easily circumvent network security devices and launch an attack from behind the firewall. To prevent this from happening, consider the following: > Restrict user's ability to install software. For example, standard users on a Windows system are not allowed to install any software. > For users that are allowed to install software, restrict them to trusted software sources. For example: - Software for desktops and notebooks should be restricted to trusted software publishers, such as Microsoft or Adobe. - Software for mobile devices should be restricted to trusted app stores such as Google Play, the Microsoft Store, or Apple App Store. > No user should be allowed to download and install software from untrusted sites on the internet. Unknown software publishers should be carefully investigated before allowing their software into your organization.
A security incident is currently occurring on the company network. You discover that the attack involves a computer system that is attached to the network. You're unsure what kind of damage is being done to the network systems or data. Which of the following actions should you take FIRST? Examine the active computer system to analyze the live network connection, memory contents, and running programs. Determine whether you have the expertise to conduct an investigation, or whether you need to call in additional help. Document and photograph the entire scene of the crime including the current state of the attached computer system. Stop the attack and contain the damage by disconnecting the system from the network.
Stop the attack and contain the damage by disconnecting the system from the network. The first step in responding to an incident should be to take actions to stop the attack and contain the damage. If the attack involves a computer system attached to the network, the first step might be to disconnect it from the network. Although you want to preserve as much information as possible to assist in later investigations, it is better to stop the attack, even if doing so alerts the attacker or results in the loss of evidence regarding the attack. After containing the damage, subsequent steps you can take include, but are not limited to, the following: Examine the active computer system to analyze the live network connection, memory contents, and running programs. Document and photograph the entire scene of the crime, including the current state of the attached computer system. Determine whether you have the expertise to conduct an investigation, or whether you need to call in additional help.
Incident Response
The action taken to deal with an incident during and after the incident. Prior planning hjelps people know what to do when a security incident occurs, especially the first responder. The first responder: > Is the first person on the scene after a security incident has occurred. > May be dedicated member of the security response team. > Has the following goals: - Contain the damage (or incident) as much as posible - Do not damage any evidence. > Initiates an escalation procedure to ensure that the right people are informed and that the right people are brought on the incident site. > Initiates the documentation of the incident. Incident response should involve: > Identification and containment of the problem > Investigation of how the problem and the forensics to preserve evidence that may be used in a criminal investigation. > Removal and eradication of the cause of the incident. > Recovery and repair of any damages > Documentation and report of the incident, and implementation of countermeasures and processes to reduce the likelihood of a future attack.
Building Security
The first line of defense in protecting computer systems is to control access to the location where the computers are located. > Many businesses use cubicles which leave computers in plain sight and easily accessible to anyone. Controlling access to the building is critical to prevent unauthorized people from gaining access to computers. > Place critical or sensitive devices in a locked room. > Move printers used for confidential documents away from public areas. > Disable network jacks in public areas, such as reception areas. For good physical security, implement the following protections: > Implement controlled access to any point inside the building beyond the lobby (such as locking doors and security checkpoints). > Require all authorized personnel to have identification while inside the building. > Escort visitors at all times. > Keep room doors locked when not in use. > For added protection, use keypads or card readers to control building or room access. > Use software to track who has gained access at any given time. > Periodically change passwords or locks, especially after key employees are terminated. > Implement mantraps. A mantrap is a specialized entrance with two doors that creates a security buffer zone between two areas. - When a person enters into the space between the doors, both doors are locked. - To enter the facility, authentication must be provided. This may include visual identification and identification credentials. - Mantraps should permit only a single person to enter and authentication must be provided by each person. > Security guards can use an access list (sometimes called an entry control roster) which explicitly lists who can enter a secure facility.
Social Engineering Countermeasures
The most effective countermeasure for social engineering is employee awareness training on how to recognize social engineering schemes and how to respond appropriately. Specific countermeasures include: > Train employees to demand proof of identity over the phone and in person. > Define values for types of information, such as dial-in numbers, user names, passwords, network addresses, etc. The greater the value, the higher the security around those items should be maintained. > Keep employees up-to-date on local regulations applicable to your industry, such as PCI data security standards, General Data Protection Regulation (GDPR), and Protected Health Information (PHI). > If someone requests privileged information, have employees find out why the person wants it and whether the person is authorized to obtain it. > Verify information contained in emails and use bookmarked links instead of links in emails to go to company web sites. > Dispose of sensitive documents securely, such as shredding or incinerating. > Dispose of discs and devices securely by shredding floppy discs or overwriting discs with all 1's, all 0's, then all random characters. > Verify information from suspicious emails by visiting two or more well-known malicious code threat management websites. These sites can be your antivirus vendor or a well-known and well-regarded internet security watch group. > Train employees to protect personally identifiable information (PII). An organization is legally obligated to ensure that employee and customer PII within its possession is protected. PII includes any information that can be used to exclusively identify an individual from others. Examples of information that could be considered PII include an individual's: Full Name Address Telephone number Driver's license number Email address National identification number (such as a Social Security Number in the USA) Credit card number Bank account number Fingerprints Facial image Handwriting sample
You have 5 salespersons who work out of your office and who frequently leave their laptops laying on their desk in their cubicles. You are concerned that someone might walk by and take one of these laptops. Which of the following is the BEST protection to implement to address your concerns? Require strong passwords in the local security policy. Use cable locks to chain the laptops to the desks. Encrypt all company data on the hard drives. Implement screen saver passwords.
Use cable locks to chain the laptops to the desks. The main concern in this case is with laptops being stolen. The best protection against physical theft is to secure the laptops in place using a cable lock. Requiring strong passwords or using encryption might prevent unauthorized users from accessing data on the laptops, but does not prevent physical theft.
You have purchased new computers and will be disposing of your old computers. Instead of recycling the computers, you decide to resell them by placing an ad on the Internet. These computers were previously used for storing sensitive information. To properly protect the accidental discovery of the company's sensitive information, which of the following steps MUST be completed prior to getting rid of the computers? Include the original operating system discs and product keys with the computers Reformat the hard drives Delete user data and applications from the hard drives Use data wiping software to clear the hard drives
Use data wiping software to clear the hard drives Data wiping software will sanitize or clean a device by removing all data remnants. Sanitization is necessary because deleting, overwriting, and reformatting (even multiple times) does not remove all data remnants. Sanitization securely removes sensitive data from storage media and is designed to solve the data remanence problem for devices that will be reused. It is the best way to remove Personally Identifiable Information (PII) from a hard disk before reuse. Deleting data and applications from the hard drives or reformatting the drive will not permanently remove data from the system. Many tools can recover deleted files.
Implement the Principle Of Least Privilege
Users should have only the degree of access to the workstation necessary for them to complete their work and no more. Observe the following: > Only those users who need administrative access should have it. You should use limited user accounts for everyone else. Don't make a user a member of the Administrators group unless the user needs administrative access to the system. > The workstation should have the software required for it to fulfill its function on the network and no more. > Use delegated administration. Don't make all admin users members of the Administrators group. Make admins members of the Windows group that most closely matches the level of access they need: - Backup operators: members of this group can backup or restore files, regardless of permissions assigned to those files. - Cryptographic operators: members of this group can perform cryptographic operations. - Network Configuration Operators: members of this group can manage the IP configuration on the system. - Performance Log Users: members of this group can manage performance logs and alerts. - Remote Desktop Users: members of this group can remotely access a workstation's desktop. - Performance Monitor Users: members of this group can manage performance counters.
Lock the Workstation
You can set the following passwords in the BIOS to require a password when booting or when modifying BIOS settings: > Configure a user password to require the password before loading the operating system. > Configure an administrator password to require the password to edit BIOS settings. > Configure a hard disk password to require the password before data on the disk can be accessed. Leaving your computer unattended while you are logged on potentially gives free access to your computer. Use the following methods in Windows to secure unattended computers: > Configure the screen saver to display the logon screen. The screen saver will be activated automatically when the system is inactive for a period of time. > Press the Windows logo key + L to lock the workstation. > Under Personalization in Control Panel, require a password when the computer wakes up. When leaving the computer for an extended time, use the keyboard sleep button to put the computer to sleep.