TESTOUT NETWORK PRO V 4.1.0 Part 3

802.1x

802.1x is an authentication method used on a LAN to allow or deny access based on a port or connection to the network.

802.1x is based on EAP and can use a variety of methods for authentication (e.g., usernames and passwords, certificates, or smart cards).

802.1x is used for port authentication on switches and authentication to wireless access points.

802.1x requires an authentication server for validating user credentials. This server is typically a RADIUS server.

A certificate is a digital document that identifies a user or a computer. The certificate includes a subject name, which is the name of a user or a computer.

An Authentication Server (AS) accepts and processes authentication requests.

An EAP authentication scheme is called an EAP type. Both the client and authenticator have to support the same EAP type for authentication to function.

Certificates are obtained from a public key infrastructure (PKI). A PKI is a collection of hardware, software, policies, and organizations that create, issue, and manage digital certificates.

Authentication Method / Description / Example

Extensible Authentication Protocol (EAP)

EAP allows the client and server to negotiate the characteristics of authentication.

EAP is used to allow authentication with smart cards, biometrics, and certificate-based authentication.

Encryption of SNMP information

Encrypts the shared secret on each system so it is not saved in plaintext.

If a user's ID and password are compromised in the system, an intruder can access all of the resources authorized for the user.

Implementation with microcomputer systems is difficult and can prevent full implementation.

Information sent in plain text.

Provides a mechanism for changing the password over the remote connection.

Strong

Requires two or more methods, but they can be of the same type. To log on to an online banking system, you enter your username, password, and then must answer a personal question (such as your birthplace or mother's maiden name).

Trivial File Transfer Protocol (TFTP)

Secure FTP (SFTP)

Unsecure Protocol / Secure Protocol / Description

Remote Shell (RSH)

Secure Shell (SSH)

SSH allows for secure interactive control of remote systems. SSH uses RSA public key cryptography for both connection and authentication. SSH is also a protocol that can be used to provide security services for other protocols.

Ticket schemes do not scale very well.

Users gain access to all authorized resources with a single instance of authentication through a single set of user credentials.

VPNs work by using a tunneling protocol that encrypts packet contents and wraps them in an unencrypted packet.

Verifies the information provided by the requester.

When a connection is established, the client and server negotiate the authentication type that will be used based on the allowed or required authentication types configured on each device.

When the client needs to access a resource, it submits its TGT to the TGS. The TGS validates that the user is allowed access and issues a client-to-server ticket.

6 (Information): Informational messages

Backdoor Access

A backdoor is an unprotected access method or pathway into a network system. Backdoors may include hard-coded passwords and hidden service accounts. Backdoors are sometimes added by engineers during development as a shortcut to circumvent security. Other backdoors may be added by attackers who gain unauthorized access to a system.

Blackout

A blackout is a complete power failure. A blackout can have a variety of sources, such as downed power lines or failed transformers.

Brownout

A brownout is a reduction in voltage that lasts longer than a few seconds. A brownout is generally caused at the utility company during times of high power usage. The ANSI standard defines a brownout as an 8 percent drop between the power source and the voltage meter, or as a 3.5 percent drop between the voltage meter and the wall outlet.

A capture filter captures only the frames identified by the filter. Frames not matching the filter criteria will not be captured.

A device used with QoS ensures timely delivery of time-sensitive data streams.

A digital signature is a digital document that is altered in such a way that it could only have come from the subject identified in the certificate. A certificate obtained from a PKI is signed by the CA that issued the certificate (the digital signature of the issuing CA is included in the certificate).

A display filter shows only the frames that match the filter criteria. Frames not matching the filter criteria are still captured, but are not shown.

A double blind test is one in which the penetration tester has no prior information about the system and the network administrator has no knowledge that the test is being performed. A double blind test provides more accurate information about the security of the system.

Fault

A fault is a momentary power outage that can have a variety of sources.

A file backup includes specified files and folders backed up to a compressed file. File backups do not include system files, program files, encrypted files (including EFS-encrypted files), files in the Recycle Bin, user profile settings, or temporary files.

Location

A key consideration is the location of the data center inside the building. Recommendations for the location of the data center include the following:

Line Conditioner

A line conditioner modifies the power signal to remove noise and create a smooth alternating current (AC) signal.

Load tester

A load tester simulates a load on a server or service. For example, the load tester might simulate a large number of client connections to a website, test file downloads for an FTP site, or simulate large volumes of email. Use a load tester to make sure that a system has sufficient capacity for expected loads. It can even estimate failure points where the load is more than the system can handle.

Lockout or screen lock

A lockout (or screen lock) disables the ability to use the device after a short period of inactivity. The correct password or PIN unlocks the device.

Network mapper

A network mapper is a tool that discovers devices on the network and displays the devices in a graphical representation. Network mappers typically use a ping scan to discover devices and a port scanner to identify open ports on those devices.

A network-based IDS (NIDS) is a dedicated device installed on the network. It analyzes all traffic on the network. A NIDS is:

Protocol Analyzer

A protocol analyzer is a special type of packet sniffer that captures transmitted frames. A protocol analyzer is a passive device in that it copies frames and allows you to view frame contents but does not allow you to capture, modify, and retransmit frames (activities that are used to perform an attack). Use a protocol analyzer to:

A server room needs between 20 and 30 air changes per hour.

A service pack includes all hotfixes released up to that point. If you install the service pack, you do not need to install individual hotfixes. A service pack also includes all previous service packs.

Service pack (SP)

A service pack is a collection of hotfixes and other system enhancements.

A service server (SS) provides or holds network resources.

A single blind test is one in which one side has advance knowledge. For example, either the attacker has prior knowledge about the target system, or the defender has knowledge about the impending attack.

1 (Alert): Serious errors in primary subsystem that should be addressed immediately.

SecureConfigured

A SecureConfigured address is a MAC address that has been manually identified as an allowed address.

SecureDynamic

A SecureDynamic address is a MAC address that has been dynamically learned and allowed by the switch:

SecureSticky

A SecureSticky address is a MAC address that is manually configured or dynamically learned and saved. With sticky learning enabled:

A UPS is designed to provide enough power to shut a system down safely during an extended power outage. Most are not intended as long-term power solutions.

A VPN can be used over a local area network, across a WAN connection, over the Internet, and even over a dial-up connection.

Walk

A walk uses GETNEXT messages to navigate the structure of a MIB.

FTK

Fans are a critical component in preventing hot spots in a computer room. There are two categories of fans that need to be managed:

Fans inside the computer equipment.

Fingerprinting (also called footprinting) scans a target system to identify the operating system, the patch level, and the applications and services available on it.

Fingerprinting identifies an operating system or network service based on its ICMP message characteristics.

Firewalking (using traceroute techniques to discover which services can pass through a firewall or a router)

For additional updates, you can use Microsoft Update instead of Windows Update. Microsoft Update includes updates for Microsoft applications, such as Office applications.

For electronic components, keep temperature between 70 and 74 degrees.

Grant more privileges to the system or perhaps the entire network.

Internet Key Exchange (IKE) negotiates the connection. As two end points are securing an IPsec network, they have to negotiate what is called a Security Association (SA). An inbound and outbound SA is necessary for each connection with a remote endpoint. IKE uses the Diffie-Hellman key exchange to generate symmetric keys used for the encryption of the negotiation of the SA.

Interpreting the results

Host-to-host communications within a LAN.

Investigate the cause of incorrectly opened ports. Make sure that administrators do not open ports unnecessarily. Verify that the system does not have malware installed that could have opened ports for its own purposes.

Investigation of how the problem occurred and the forensics to preserve evidence that may be used in a criminal investigation.

IDS signatures are written and updated by the IDS vendor in response to identified vulnerabilities.

IP address resolution is much less accurate than the other options, tracking the location of devices to within roughly 20 kilometers.

Internet Protocol Security (IPsec)

IPsec provides authentication and encryption, and it can be used in conjunction with L2TP or by itself as a VPN solution. IPsec includes the following three protocols for authentication, data encryption, and connection negotiation:

Identification and containment of the problem.

Facility

Identifies the facility that created the message. In this example:

Identify frames that might cause errors.

Is not supported by older operating systems.

Is supported by most operating systems and servers.

Is the least intrusive method to check the environment for known software flaws (port scanners and penetration testers are potentially more intrusive; protocol analyzers cannot check for known software flaws).

Is typically unaware of other devices on the network, but it can be detected and become the target of an attack itself.

Is used to detect attacks that are unique to the services on the system. It can monitor application activity and modifications, as well as local system files, logon audit files, and kernel audit files.

Identify the types of traffic on a network.

Identify unencrypted traffic that includes sensitive data

Identify users that are connecting to unauthorized websites

Identify who should handle the response to the incident. This person is designated as the first responder.

Identifying suspicious network sessions and packets

Identifying systems that will not be included in the test

Accepts certificate requests.

Access servers or workstations without authorization

Access wiring closets

Device management

If a user brings a personally-owned device on site, then the question of who is responsible for managing the device needs to be clearly identified. Responsibility for the following needs to be defined:

After a snapshot has been taken with File History, a previous version of a file can be restored if a file gets lost or corrupted.

Agents and the manager are configured to communicate with each other using the community name. The community name identifies a group of devices under the same administrative control. The community name is not a password but simply a value configured on each device. Devices with different community names are unable to send SNMP messages to each other.

Hot and Cold Aisles

Air flow is an important factor in controlling temperature in the data center. Be aware that:

Presentation in court

All evidence needs to have been submitted to the court and deemed admissible before it is presented during trial. Continue to maintain proper handling procedures and document the chain of custody during all stages of the trial.

Return to owner

All evidence should be returned to the original owner after the case is completely settled, with exclusion of some types of evidence, such as drugs or drug paraphernalia. It is important to note that some trials can take several years to be completely resolved, possibly resulting in the evidence not being returned during its usable lifetime.

An active IDS (also called an intrusion protection system or IPS) performs the functions of an IDS but can also react when security breaches occur. An IPS:

Agent

An agent is a software process that runs on managed network devices. The agent communicates information to the manager and can send dynamic messages to the manager.

Alert

An alert can be configured so that when an event occurs (e.g., a trap), a message will be sent via email or SMS (text message).

An intrusion detection system

Response capability

An intrusion detection system can be classified by how it responds when a threat is detected.

An office area needs approximately two air changes an hour.

An offline UPS powers the computer from the wall outlet. If the power fails, a switch causes the UPS to begin powering the computer from the battery. This is the most common form of UPS.

An online UPS constantly powers the computer from the battery.

Anomaly recognition usually causes more false positives than signature-based IDS.

Anomaly recognition, also referred to as behavior or heuristic recognition, monitors traffic to define a standard activity pattern as "normal."

Anomaly-based recognition systems can be fooled by incremental changes within the clipping level, which cause the changed state to become the normal level of activity, thus allowing a higher level of irregularity to go unnoticed.

Anomaly-based systems can recognize and respond to some unknown attacks (attacks that do not have a corresponding signature file).

Anti-malware definition updates

Relying on the end user to implement these updates is unwise. Instead, consider implementing a network access control (NAC) solution that remediates devices before allowing them to connect to your network.

Anti-malware installation

Archived media

Authenticated users are allowed full access to the network; unauthenticated users only have access to the RADIUS server.

Authenticates the server to the client using public key cryptography and digital certificates.

Authentication Header (AH) enables authentication with IPsec.

Authentication credentials are passed from the client, through the access point device, and on to the authentication server.

Authentication for agents and managers

Automatically before changes occur such as application installation, system updates, unsigned driver installation, and restoring a computer.

Available guarantees a minimum level of service. Additional capacity can be used if it is available, but only the minimum is guaranteed.

Avoid large, rapid changes in humidity. Keeping a narrow range of temperature in the computer room will help to avoid condensation.

Full server

Backs up all volumes if you want to be able to recover the full server. You can use a full server backup to perform all types of recoveries, including system state and bare metal recoveries. It is best practice to choose this option. Use the Full Server option in Windows Server Backup wizard to select this type of backup.

Folders or files

Backs up individual folders or files. Use this option if you want to be able to recover only those items. Use the Custom option in Windows Server Backup wizard to select this type of backup.

Individual volumes

Backs up individual volumes. Use this option if you want to be able to recover data from only those volumes. Use the Custom option in Windows Server Backup wizard to select this type of backup.

System state

Backs up the system state. This option is a subset of a full server backup. Use the Custom option in Windows Server Backup wizard to select this type of backup.

Backups can be configured to occur only once every day, week, or month. To perform the backup more than once a day, week, or month, use the Task Scheduler to configure multiple tasks or to execute the task more frequently. Scheduled tasks must run with administrative privileges.

Backup location

Backups can be saved to:

DVD, other optical media, or removable media

Backups can be stored on a DVD. However, this backup media has more limitations than other media.

Backups can span multiple DVDs if necessary. When one DVD reaches capacity, the system prompts you to insert the next DVD.

Backups can use the shadow copy feature to allow open files to be backed up.

Backups stored on a shared folder are not saved consecutively. Rather, each backup operation overwrites the previous backup. If a backup operation fails, you may be left without a backup. You can avoid this by storing your backups in subfolders of the shared folder.

Backups to DVDs are compressed, so it's likely that the backup size on the DVD is smaller than the actual size of the volume.

Shared folder

Backups to a shared folder are saved to a network share.

Backups to a shared folder can be used to recover files, folders, applications, and full volumes, or to perform system state or bare metal recoveries.

Backups to an external disk can be used to recover the full server, critical volumes, non-critical volumes, individual files and folders, and applications and their data.

External disk

Backups to external disks are much the same as backups stored on an internal disk.

Bandwidth throttling to restrict the amount of data sent within a specific time period (e.g., to limit the amount of data that can be downloaded from a website in an hour).

Banner grabbing (capturing information transmitted by the remote host including the application type, application version, and even operating system type and version)

Secure Copy Protocol (SCP)

Both SFTP and SCP are file copy protocols that use SSH for security. SSH provides authentication and encryption. FTPS uses SSL to encrypt data.

Browse the system.

Browsing the organization's web site

By default, Windows automatically checks for, downloads, and installs updates.

By default, a NIC will only accept frames addressed to itself. To enable the packet sniffer to capture frames sent to other devices, configure the NIC in promiscuous mode (sometimes called p-mode). In p-mode, the NIC will process every frame it sees.

By default, port security allows only a single device to connect through a switch port. You can, however, modify the maximum number of allowed devices.

By default, some logging is enabled and performed automatically. To gather additional information, you can usually enable more extensive logging.

Common Address Redundancy Protocol (CARP)

CARP is an implementation of fault tolerance that allows multiple firewalls and/or routers on the same local network to share a set of IP addresses. If one of the firewalls or routers fails, the shared IP address allows hosts to continue communicating with the firewall or router without interruption.

Challenge Handshake Authentication Protocol (CHAP)

CHAP is a three-way handshake (challenge/response) authentication protocol used for remote access connections. Both devices are configured with a password called a shared secret. For unique user authentication, this value is associated with a user account. The challenge/response authentication mechanism occurs in three steps:

COFEE

Caching engine

Caching is the process of saving previously acquired data for quick retrieval at a later time. With caching, data is stored in memory or on disk within a network device, where it can quickly be retrieved when needed. Recalling the data from the cache is faster than requesting the data from the original location.

Cain and Abel

Can analyze encrypted traffic (because services running on the host decrypt the traffic).

Can automate responses, which may include dynamic policy adjustment and reconfiguration of supporting network devices to block the offending traffic.

Can be paired with other protocols, such as IPsec or PPTP, to create a secure VPN connection.

Can be used to scan again after a security hole has been patched in order to verify that the vulnerability has been removed and the system is secure.

Can send an alert, but it is the network administrator's job to interpret the degree of the threat and to respond accordingly.

Can terminate sessions by using the TCP-RST command. It can also terminate or restart other processes on the system.

Cannot be detected on the network because it takes no detectible action.

Check for Microsoft updates, but not automatically update driver files.

Check for error messages.

Check for specific protocols on the network, such as SMTP, DNS, POP3, and ICMP.

Client computers have a component called the enforcement client.

NAP Client

Client computers must have NAP-aware software, either through the operating system or through other components.

Client software for a variety of operating systems.

Client software generates a Statement of Health (SoH) that reports the client configuration for health requirements. If the system is not in compliance with health requirements, the client software prevents the system from accessing the network.

Support

If a user brings a personally-owned device on site, then the question of who will provide support for the device and the apps used on the device needs to be clearly identified. Will the organization's help desk provide support, or must the user depend upon support provided by the device manufacturer? Implement an acceptable use policy that specifies:

Documents the integrity of the evidence by providing a record of every person it has come in contact with and under what conditions. Without a chain of custody document, there is no way to prove who might have had access to the evidence, meaning that the evidence could have been altered after discovery. Failure to provide a valid chain of custody could make the evidence worthless in court.

Does not offer any type of encryption.

Download updates, but ask your permission to install them.

Loss of control of sensitive data

If a user copies sensitive data to their device, your organization could potentially lose control of that information. Even the question of who owns the data after it has been copied to the personal device becomes problematic. Consider the following scenarios:

Malicious insider attacks

If a user is so inclined, they could use their mobile device to conduct a malicious insider attack. For example, they could:

Malware propagation

If a user's tablet or phone has been infected with malware, then the infection can be spread when they connect their device to your organization's network. Consider implementing a network access control (NAC) solution that remediates devices before allowing them to connect to your network.

If it is necessary to isolate a system to stop or prevent future attacks, disconnect the system from the network rather than shutting it down (if possible). In some situations, you may be able to connect the system to a quarantine network to perform a forensic investigation.

If necessary, block all ICMP traffic in your network and host firewalls. This will prevent your systems from responding to the ICMP requests used in a DoS attack.

If possible, always back up a device's configuration before installing a new firmware update.

If possible, reproduce the problem.

If the AAA configuration uses a shared secret, that shared secret must be the same on both the host and on the AAA server.

Control and Reporting

Control and reporting is the process of documenting the following with as much detail as possible:

Controls the distribution of logging messages to various destinations (e.g., the logging buffer, terminal lines, or a syslog server) depending on the configuration.

Current connections

Escalate the problem if it is beyond your ability to fix or the scope of your management. For example, the problem might be a configuration error on a router that you are not authorized to access. When forwarding the problem on to someone else, be sure to describe the nature of the problem, the actions you have already taken, and the symptoms that led you to believe the problem is outside of your area of responsibility.

Establish a theory of potential causes. As you do this, consider multiple approaches.

Establishing the scope and timeline

Encryption

Data encryption ensures data confidentiality on the device. Voice encryption (on mobile phones) ensures data confidentiality during transit.

Default gateway

Default or blank passwords

Default user accounts that have not been disabled

Define what is considered an incident.

Delegating personnel who are experts in the areas being tested

Differentiated Services Code Point (DSCP)

Document the solution and process. In the future, you can check your documentation to see what has changed and to remember solutions to common problems.

Documentation and notification of the incident and implementation of countermeasures and processes to reduce the likelihood of a future attack.

Documenting what is on the computer screen.

Laser printers require more power than most UPS systems are capable of providing. If you must provide power to a laser printer, use a dedicated UPS with adequate capacity.

Launch attacks deeper into the corporate network from this system.

Load balancing

Load balancing configures a group of servers in a logical group (called a server farm). Incoming requests to the group are distributed to individual members within the group. Incoming requests can be distributed evenly or unevenly between group members based on additional criteria such as server capacity.

Locate devices with side or top exhausts in their own part of the datacenter.

Locate the data center as close as possible to the center of the building.

Locate the SYSLOGD_PARAMS directive and set its value to -r.

Logging requires system resources (processor, memory, and disk). You should only enable additional logging based on information you want to gather, and you should disable logging after you obtain the information you need.

Logs

Logs contain a record of events that have occurred on a system. Logging capabilities are built into operating systems, services, and applications. Log entries are generated in response to changes in configuration, system state, or network conditions.

Logs must be analyzed to be useful; only by looking at the logs will you be able to discover problems. Depending on the log type, additional tools might be available to analyze logs for patterns.

Long-term (follow up) actions include implementing additional countermeasures and processes to reduce the likelihood of a future attack.

MAC address

MAC addresses are stored in RAM in the CAM table and are identified with the port and by a MAC address type. Port security uses the following three MAC address types:

Message integrity to ensure that data is not altered in transit

Microwave ovens

Mid-term (action/reaction) actions focus on restoring operations to a normal state.

Might perform shunning, which simply drops offending traffic without additional actions.

Missing security controls

Redundant Power Supplies

Mission-critical systems (e.g., servers, switches, routers) should be configured with redundant power supplies. If one power supply fails, then a redundant power supply takes over and keeps the system running until the failed unit can be replaced.

Request process

Mobile devices will usually contain confidential information, thereby creating a security risk for an organization. To control the risk, an organization should control who is issued a device and what information is put on the device.

Nessus is a comprehensive vulnerability assessment tool.

Network Enumeration

Network enumeration (also called network mapping) involves a thorough and systematic discovery of as much of the corporate network as possible. Enumeration methods include:

Network monitoring uses specialized tools to monitor and log network activities.

Network Attached Storage (NAS) or Storage Area Network (SAN).

On an Ethernet network, a device must have multiple NICs connected to different switch ports.

Point-to-Point Tunneling Protocol (PPTP)

PPTP was developed by Microsoft as one of the first VPN protocols. PPTP:

Perform data theft.

Perform operating system (bare metal) recoveries if the backup used contains all the critical volumes.

Perform system state recoveries if the backup used contains the system state.

Performs behaviors that can be seen by anyone watching the network. Usually these actions are necessary to block malicious activities or discover the identity of an intruder. Updating filters and performing reverse lookups are common behaviors of an active IDS.

QoS might include a guaranteed level of service, usually outlined in a Service-Level Agreement.

Quality of Service (QoS)

QoS refers to a set of mechanisms that try to guarantee timely delivery or minimal delay of important or time-sensitive communications. QoS is particularly important when implementing Voice over IP (VoIP), Video over IP, online gaming, or unified communications, where delay or data loss makes the overall experience unacceptable.

Radio frequency interference (RFI) refers to stray radio waves that can interfere with wireless network signals. Sources can include:

Raise the floor 1.5 feet so that air being pushed by air conditioning equipment can pass through.

Rate limiting to restrict the maximum bandwidth available to a customer (used by an ISP or a WAN provider).

Reliable.

Room fans which circulate the air in the room.

SANS Investigative Forensics Toolkit

SNMP uses the following components:

Simple Network Management Protocol (SNMPv1/2)

SNMPv3

The original version of SNMP has several vulnerabilities including:

Remediation Server

Remediation servers are a set of resources that a non-compliant computer can access on the limited-access network. The purpose of a remediation server is to provide the resources necessary for non-compliant clients to become compliant. For example, remediation servers might hold operating system patches or antivirus definition files.

Save and extract the page file.

Save copies of files to set the frequency of the backup. The default is every hour. The backup can be configured to occur more or less frequently as needed.

Save the changes and exit the file.

Save the contents of memory by taking one of the following actions:

Save the file and exit your editor.

Secondary internal hard drives

Secure Shell (SSH)

ping6 (Linux IPv6)

Sends an ICMP echo request/reply packet to a remote host. A response from the remote host indicates that both hosts are correctly configured and a connection exists between them. Using the -t switch with ping can be useful in determining whether the network is congested, as such a condition will cause sporadic failures in the ping stream.

Sends messages, including debug command output, to the console.

Server rooms require special cooling systems due to the high concentration of equipment.

Server software for a limited number of operating systems.

Service packs might include additional functionality beyond simple bug fixes.

Services and systems exploited.

Signature recognition, also referred to as pattern matching or dictionary recognition, looks for patterns in network traffic and compares them to known attack patterns called signatures.


Signature-based recognition cannot detect unknown attacks; only attacks with published signature files can be identified. For this reason, it is important to update signature files on a regular basis.


Simple Network Management Protocol (SNMP) is designed for managing complex networks. SNMP lets network hosts exchange configuration and status information. This information can be gathered by management software and used to monitor and manage the network.

Sniffing captures packets without altering or interfering with the flow of traffic on that medium.

Social engineering

Soliciting host-specific banners to identify the function of a remote host


Some data might be lost when the computer is turned off.

Spanning tree

Spanning tree is a protocol on a switch that allows the switch to maintain multiple paths between switches within a subnet. The spanning tree protocol (STP) runs on each switch and is used to select a single path between any two switches.

Spanning tree provides only a single active path between switches. Switch ports that are part of that path are placed in a forwarding state.

(config)#logging buffered

Specifies that the messages are to be buffered.

(config)#logging host [hostname]

Specifies the host IP address or hostname of the syslog server that will receive the messages.

(config)#logging source-interface [type] [number]

Specifies the source IP address of system logging packets.

Specifies where and when mobile devices can be possessed within the organization. For example, the possession of mobile devices may be prohibited in high security areas.

(config)#logging trap [0-7]

Specifies which messages will be redirected to the syslog server based on severity. Messages at or numerically lower than the specified level are logged. System logging message severity levels include the following:

Subsequent backups include only the changes that have occurred since the last backup.


Suited for detecting and blocking port scanning and DoS attacks.

Supports TCP/IP only.

Supports multiple protocols (not just IP).

Surge protectors can be destroyed by surges over time and lose their ability to protect.

Surrounding a server room with a faraday cage to protect a system from RFI.

Switch ports that are part of redundant but unused paths are placed in a blocking (non-forwarding) state.

Switch-dependent

Switch-dependent teaming requires the adapters in a team to be connected to the same switch. This configuration is used to implement bandwidth aggregation. All of the NICs within the team are in an active/active state, meaning they are online and processing frames all of the time.

Switch-independent

Switch-independent teaming allows the adapters in a team to be connected to different switches. This configuration is used to provide failover redundancy and increase the system's availability. Using multiple NICs and switches protects the system from a failed network card and a failed network switch. In this configuration:

System Enumeration

System enumeration is the process of gaining as much information about a specific computer as possible. System enumeration initiates fingerprinting. Important facts about fingerprinting are:

System scanning uses discovery protocols such as ICMP and SNMP to get as much information as possible from a system.

Detection scope

Systems can be classified based on where the system runs and the scope of threats it looks for.


Taking photos of the scene.

Target Selection

Target selection is the process of identifying servers that appear available. An attack typically involves targeted servers that:

Telnet opens a plaintext, unsecure connection. Telnet uses TCP port 23.

Temperature sensors are generally located about 1.5 to 2 feet above the floor and 5 to 6 feet above the floor throughout the room. A variation of more than 12 degrees between low-mounted and high-mounted sensors indicates a problem.

Tempting the attacker. This is known as enticement and is usually legal.

Types of backup

The Backup and Restore console supports two types of backups:

The ability to show a remote desktop in a browser without installing client software.

Acceptable use

The acceptable use policy should define personal use and after-hours use. Irresponsible, illegal, or malicious use of the device could leave an organization liable for damages if such use is not prohibited by a policy.

The access point enables or disables traffic on the port based on the authentication status of the user.

The client (or viewer) software, which runs on a remote system (when you run the client software, you see the desktop of the server system)

4. The client connects to the SS and submits the client-to-server ticket as proof of access.

The data server room should be the most restricted area of the facility; thus, it should be located in an area where security can be easily and thoroughly implemented.

The date the device was purchased and the vendor it was purchased from


The desktop changes are transferred and displayed on the client.

The device may become infected with malware, potentially exposing the sensitive data. Implement an acceptable use policy that defines what kind of data is allowed on personally-owned devices and what kind of data is prohibited. Information classification labels can be useful when implementing this policy.

The device serial number

The drivers used for the NICs must support teaming. Check with the hardware manufacturer to verify whether a particular driver supports teaming.

The employee to whom the device has been issued

The end-of-warranty date for the device

The examiner is responsible for all actions on the evidence.

The files to be backed up can be manually selected, or Windows can automatically choose them.

The host operating system must be configured to bond the network adapters into a single entity.

The initial backup backs up selected files or the entire system image.

The level of access or control that was gained during the testing.

The local routing table

The make and model number of the device

The need for multiple passwords and change synchronization is avoided.

The operating system version number

The optimum temperature for computer equipment is 68 degrees Fahrenheit (20 degrees Celsius).


Transmitting devices

Transport Layer Security (TLS)

Troubleshoot communication problems or investigate the source of heavy network traffic.

Recognition method

The recognition method defines how the system distinguishes attacks and threats from normal activity.

The results of a capture can be saved in order to analyze frames at a later time or on a different device.

The same disk being backed up

The schedule can be modified using Backup and Restore.

3. The server checks the response against its own value created using the same hash. If the values match, the client is authenticated.


The server executes the actions performed on the client, which modifies data on the server and results in changes to the desktop.

1. The server generates a challenge message and sends it to the client.

The server software, which runs on the target desktop

WINS servers


Time to wait before beginning a shutdown


Time to wait before sending a warning to clients

To check for updates to applications or drivers, go to the manufacturer's website.


To prevent users from disabling NAP on the client computer, enable the NAP agent and the corresponding enforcement client through Group Policy.


To protect or ensure the integrity of collected digital evidence, create a checksum using a bit-level hashing algorithm. In the future, the same hashing algorithm can be used to create another checksum. If the two checksums are identical, this proves that the media was not altered (and that the copy is an exact copy of the original).

1. To provide additional bandwidth. If you configure the team so all of the NICs are active at the same time, then the system gets the aggregated bandwidth of all the NICs in the team. For example, if you were to create a team from two 1 Gbps network cards, the server would get an aggregated network bandwidth of 2 Gbps.

2. To provide fault tolerance. Multiple network cards are bound together into a team and are then configured so that if one interface fails, the other one will take over for the failed interface. This helps ensure that the system remains accessible over the network in the event of a failed network interface.


To reduce the amount of power required by the UPS, do not plug non-critical devices in to the UPS.


Too little humidity results in electrostatic discharge (ESD).


Too much humidity results in condensation.


Track man hours and expenses for each incident. This may be necessary to calculate a total damage estimation and possibly restitution.

Tunnel endpoints are devices that can encrypt and decrypt packets. When you create a VPN, you establish a security association between the two tunnel endpoints. The endpoints create a secure, virtual communication channel. Only the destination tunnel endpoint can unwrap packets and decrypt the packet contents.


Turning off the device or interrupting the update process could permanently damage the device.

mail: This facility is used for log messages from the mail MTA service running on the system.

War dialing (trying to access phone lines that will answer a calling modem)

Wardriving (scanning for wireless access points within the organization)

Ethernet bonding

With Ethernet bonding (also called NIC teaming), two or more physical connections to the same network are logically grouped (or bonded). Data is divided and sent on multiple interfaces, effectively increasing the speed at which the device can send and receive on the network.


With a host-to-host VPN, two hosts establish a secure channel and communicate directly. With this configuration, both devices must be capable of creating the VPN connection.


With a remote access VPN, a server on the edge of a network (called a VPN concentrator) is configured to accept VPN connections from individual hosts in a client-to-site configuration. Hosts that are allowed to connect using the VPN connection are granted access to resources on the VPN server or the private network.


With a site-to-site VPN, routers on the edge of each site establish a VPN with the router at the other location. Data from hosts within the site are encrypted before being sent to the other site. With this configuration, individual hosts are unaware of the VPN.

With over the shoulder reconnaissance, attackers eavesdrop or obtain sensitive information from items that are not properly stored.

Without STP, switches that are connected together with multiple links would form a switching loop.

You may need to capture and analyze network traffic to understand the incident. This may include:

You need to install at least two Ethernet interfaces in the system.

View the ARP table

arp (Windows) Shows MAC address-to-IP address mappings, including the local MAC and IP addresses.

Test host-to-host connectivity using ARP

arping (Linux) Sends an ARP request to the specified IP address. The arping command works much like ping, in that the host with the specified IP address will respond. Be aware of the following:

arping will often work even if the destination host is blocking ICMP messages.

arping works only on the local subnet (not through routers).

authpriv: This facility is used by all services associated with system security or authorization.

user: This facility is used for user-related log messages (such as failed login attempts).

v2 allows for mutual authentication, where the server authenticates to the client.

View and modify the routing table

route Displays the contents of the routing table. Can also be used to add or remove static routes.

Identify the path between two hosts

tracert (Windows IPv4)

Incoming and outgoing connections

Running applications or services

.vhd files

0 (Emergency): Errors that will cause the system to become unusable.

2 (Critical): Serious errors in a secondary subsystem that should be addressed immediately.

3 (Error): Non-urgent errors that need to be addressed when possible.

4 (Warning): Issues that, if not addressed, could become a problem.

5 (Notice): Issues of concern that do not represent a problem.

7 (Debug): Debug information.

A Bitlocker-enabled volume

A DVD if the system image backup is scheduled

Denial of Service

A DoS attack depends upon the ability to flood a target system with spurious network traffic to the point that it can no longer process legitimate network requests. Your network can be involved in a DoS attack in two different ways:

Get

A Get is a message sent from a management system, requesting information about a specific OID.

A PKI is made up of certificate authorities (CAs), also called certification authorities. A CA:

A computer that receives a certificate verifies the issuing CA's signature and accepts the identity of the user or computer if the CA is trusted.

A honeynet is a network of honeypots.

A honeypot is a device or virtual machine that entices intruders by displaying a vulnerability, configuration flaw, or appearing to contain valuable data.

Sniffing

A host on your network with its network card configured to run in promiscuous mode can capture all network frames being transmitted, not just those directly addressed to it. On a switched network, the attacker may conduct a MAC flood attack to expose all network frames to its network interface so they can be captured.

A host-based IDS (HIDS) is installed on a single host and monitors all traffic coming into the host. A HIDS:

Hotfix

A hotfix is an operating system patch that fixes bugs and other vulnerabilities in the software.

Manager

A manager is the computer used to perform management tasks. The manager queries agents and gathers responses by sending messages.

Packet sniffer

A packet sniffer is special software that captures (records) frames that are transmitted on the network. Use a packet sniffer to:

A passive IDS monitors, logs, and detects security breaches but takes no action to stop or prevent the attack. A passive IDS:

Password cracker

A password cracker is a tool that performs cryptographic attacks on passwords. Use a password cracker to identify weak passwords and passwords protected with weak encryption. Common password cracking tools include the following:

Ping scanner

A ping scanner is a tool that sends ICMP echo/request packets to one or multiple IP addresses. To protect against attacks that use ICMP, use a ping scanner to identify the systems on the network that respond to ICMP requests, and then configure those systems to block ICMP messages. A vulnerability scanner often includes a ping scanner.

Port scanner

A port scanner is a tool that probes systems for open ports. The most common use of a port scanner is to perform a TCP SYN scan.

A port scanner performs a two-way handshake (also called a half-open scan), which does not complete the TCP three-way handshake process (the TCP session is not established).

A port violation occurs when the maximum number of MAC addresses has been seen on the port, and an unknown MAC address is then seen.

Power Converter

A power converter is a device that converts electrical energy. This can be as simple as a transformer that changes the voltage of AC power, but also includes far more complex systems. The term power converter can also refer to a class of electrical machinery used to convert one frequency of alternating current into another frequency. Power conversion systems often incorporate redundancy and voltage regulation.

Inverter

A power inverter is a device that changes direct current (DC) to alternating current (AC). In this scenario, a power inverter can be used to convert the DC power stored in the batteries to AC power that your servers, switches, and routers can use in an emergency.

A power strip provides multiple power outlets from a single wall outlet, but it may not provide surge protection.


A priority value between 0 and 7 is assigned to the 3-bit COS field.

Reporting system

A procedure to immediately report the loss of a device will enable the device to be disabled quickly and reduce the chance of confidential information being compromised.

Sag/Dip

A sag or dip in power is a reduction in voltage for a short period of time (as long as a few seconds). Sources of sags or dips include chained power strips, faulty wiring, sudden power draws (e.g., when equipment is first turned on), and large inductive sources (e.g., an electric motor).

A security information and event management system

Standby Power Supply (SPS)

A standby power supply is an offline device that switches on to provide power when an undervoltage occurs. If the switchover is not fast enough, the computer loses power and shuts down.

Surge/Spike

A surge or spike in power is a sudden rise in voltage. It can be caused by a lightning strike, a power plant coming online or going offline, or even equipment inside the facility.

Surge Protector

A surge protector protects against overvoltage situations. Be aware of the following:

A system disk

Scheduling backups

A system image backup cannot be scheduled, but a system image backup can be included within a scheduled regular backup using the Backup and Restore console.

A system image backup consists of an entire volume backed up to a .vhd file. It contains everything on the system, including the operating system, installed programs, drivers, and user data files.

A system repair disc can be created.

A tape drive

A tarpit (also called a sticky honeypot) is a honeypot that answers connection requests in such a way that the attacking computer is "stuck" for a period of time.

Terminal emulation

A terminal is a monitor and keyboard attached to a device (e.g., mainframe, server, or router) through a serial or special console port. The terminal displays a text-based interface, and users interact with the device by typing commands. A terminal emulation utility is a program that allows a console connection through the network. The terminal emulation software communicates with the device over the network and displays the text-based console screen. There are two common terminal emulation programs used.

Throughput tester

A throughput tester measures the amount of data that can be transferred through a network or processed by a device (such as the amount of data that can be retrieved from a disk in a specific period of time). On a network, a throughput tester sends a specific amount of data through the network and measures the time it takes to transfer that data, creating a measurement of the actual bandwidth. Use a throughput tester to validate the bandwidth on your network and to identify when the bandwidth is significantly below what it should be.

A ticket granting server (TGS) grants tickets that are valid for specific resources on specific servers.

Traffic shaper

A traffic shaper (also called a bandwidth shaper or packet shaper) is a device that is capable of modifying the flow of data through a network in response to network traffic conditions. Specific applications for a traffic shaper include the following:

Transient

A transient is a fluctuation caused by line noise or disturbance.

Trap

A trap is an event configured on an agent. When the event occurs, the agent logs details regarding the event.

Vulnerability scanner

A vulnerability scanner is a software program that passively searches an application, computer, or network for weaknesses, such as:

HVAC

A well-maintained heating, ventilating, and air conditioning (HVAC) system is important for employee comfort and the protection of equipment. Be aware of the following facts:


AH by itself does not provide data encryption.


AH provides a message integrity check with the Keyed-Hash Message Authentication Code (HMAC). With HMAC, a symmetric key is embedded into a message before the message is hashed. When the message is received, the recipient's symmetric key is added back into the message before the message is hashed. If the hash values match, message integrity is proven.


AH uses SHA-1 (Secure Hashing Algorithm 1) or MD5 (Message Digest v5) for integrity validation.


Active IP addresses

Active fingerprinting analyzes the response to a stimulus. The analysis can determine the operating system and even the patch level.

Active sessions, ports, and sockets

Actively testing security controls

Add features or provide support for new hardware

2. Add the following line to the beginning of the file: *.* @IP_address_of_loghost.

Administrative privileges are needed to configure scheduled backups or to manually initiate a backup.

All ARP requests and responses are intercepted.

Authentication

All devices should be accessible only after a password, PIN, or gesture has been supplied by the user.

Collection and identification

All evidence must be properly marked as evidence at the time it is found. Any identifying characteristics of the evidence must also be recorded at this time. If at all possible, evidence should be placed in a plastic bag or clean storage container and properly marked. A chain of custody document should be started at this time.


Always follow the instructions when performing firmware updates.

Enforcement Server (ES)

An Enforcement Server (ES), also called an enforcement point, is the connection point for clients to the network. Clients connect to the ES, submitting the SoH for validation. The ES forwards the SoH to the NAP server for validation. When the response from the NAP server is received, the ES allows or denies network access.

Uninterruptible Power Supply (UPS)

An uninterruptible power supply is a device that is constantly providing battery power to the computer and is recharged by the wall outlet.

Analyze packets sent to and from a specific device.


Analyze the problem by using the OSI model and how data flows through it from both top-to-bottom and bottom-to-top.


Analyze traffic that might be sent by attackers

Any traffic supported by the IP protocol, including web, email, Telnet, file transfer, SNMP traffic, as well as countless others.

App updates

As an amplifier network that is being exploited to attack a target system.

As the target of the attack itself.


Ask the user to describe the symptoms of the problem.

Assess the situation to determine whether you have the expertise to conduct further investigations, or whether you need to call in additional help.

Attackers are offered targets that will occupy their time and attention, distracting them from valid resources.

Attempt to cover the tracks by scrubbing the logs, hiding rootkit files, and hiding the services and ports that may have been made available on the system.

Attempt to maintain access through the installation of rootkits, back doors, and perhaps Trojan horse applications used to capture information.

Attempt to modify existing permissions to grant the hacker further access to the system.

Be fully supported by senior management and administration with appropriate funding and resources, such as camera equipment, forensic equipment, redundant storage, standby systems, and backup services.

Be legally reviewed and approved.

Asset tracking and inventory control

Because mobile devices are not tied to a physical location, asset tracking and inventory control are very important. At a minimum, you should track the following for each device owned by your organization:

Before touching the computer, document and photograph the entire scene of the crime including the current state of the computer screen. A traditional camera is preferred over a digital camera to avoid charges that an image was digitally altered.

Best practice dictates that you use USB 2.0 (or later) or IEEE 1394 disks with 2.5 times more capacity than the size of the data you need to back up.

Block all inbound ICMP traffic on your network firewall.

Block broadcast packets on your network routers. This will prevent external ICMP packets from being sent to broadcast addresses.

Bypassing security controls

Cell phone tower triangulation can track the location of devices to within a kilometer, depending upon the signal strength and number of cell towers within range.


Cellular phones

Class of Service (COS)


Classification occurs at Layer 3.


Clients run the enforcement client type that corresponds to the enforcement server type they are connecting to.


Clipping levels or thresholds are used to identify deviations from the norm.

Clone or image hard disks.


Close all unused ports.

Collected fairly and lawfully.

Computers accept any certificate issued by a trusted CA as valid. By default, most computers trust well-known public CAs. If you configure your own PKI, you need to configure each computer in your organization to trust your own CAs.


Configure System Restore on the drive containing operating system files and any other drives that contain critical applications.

Configure your firewall to block OUTBOUND traffic from your network that has a source IP address that isn't on your network. A DoS attack spoofs the source IP address with the address of the victim.

DNS servers

Storage segmentation

Consider segmenting personal data from organizational data on mobile devices. This storage strategy allows:


Constant or reserved means that a certain level of service is guaranteed to always be available. This level is only possible by reserving service, even when no data is being sent.

3. Contact the first responder.


Contain the damage (or incident) as much as possible.

7. Create an action plan and account for possible side effects. Your plan might include purchases of hardware or equipment that need approval, or it might involve taking some services offline for a period of time. Identifying the effects ahead of time helps eliminate or reduce any potential negative consequences.

Bare metal recovery

Creates a backup for recovering the operating system (critical volumes only). This option is a subset of a full server backup. Use the Custom option in Windows Server Backup wizard to select this type of backup.

Creates a tunnel between two routers.


Creates and issues the certificate to the requester.

Creating a TEMPEST (Transient Electromagnetic Pulse Emanating Surveillance Technology) environment or control zone to reduce electronic noise from devices.

DHCP server used for configuration


Daily, at a specified time.


Depending on the naturally occurring humidity level of your area and the season, you may have to add humidity or use a de-humidifier.

Deploy security software that is designed to monitor each network device's ARP table and compare it against a known-good table of MAC address mappings.

Describe what action should be taken when an incident is detected.

Backup Considerations



Detect many malformed or fragmented packets

3. Determine if anything has changed in the environment. Most often, problems are caused by new hardware, software, or configuration changes. If necessary, ask questions to discover what changes might have caused the problem.


Determine which flags are set in a TCP handshake

Devices that respond have ports that are in a listening state.

Directly related to the crime.


Discover cleartext passwords allowed by protocols or services

#show logging

Displays logging settings on the device, as well as the number of messages logged.


Do a complete memory dump to save the contents of physical RAM. The page file will be lost but the physical memory will be preserved.


Do not damage any evidence.

Do not locate under water pipes or in any other area that might be subject to flooding or water damage.

Do not turn off the computer until the necessary evidence has been collected.


Drivers that have passed Microsoft certification and are made available through Windows Update


Drop all frames and generate an SNMP trap.


Drop all frames from unauthorized MAC addresses.

Dumpster diving

IP address and mask

3. Dynamic memory and temporary file systems

Each intercepted request is verified to ensure that it has a valid IP-to-MAC address binding. Valid IP-to-MAC address bindings are stored in the DHCP snooping binding database.

Each network host needs to be configured to use the AAA server for authentication instead of its own local system by specifying the AAA server's host name or IP address and UDP port numbers. If you're having problems, verify that the IP address information for the AAA server is correct.


Each priority value specifies a specific traffic type.

Each vulnerability, configuration issue, program, or patch that might be present on a system is called a definition.

Eavesdropping on employee conversations


Electrical systems

Electromagnetic interference (EMI) is caused by electrical circuits and can disrupt the signal in a data cable. Common causes of EMI are:

Elevate privilege to local administrator or domain administrator.


EnCase

Encrypts the entire communication session.

(config)#logging on

Enables the message logging process.

Encapsulates other LAN protocols and carries the data securely over an IP network.

Encapsulates packets by adding a GRE header and a new IP header to the original packet.

Encapsulating Security Payload (ESP) provides data encryption.

Encouraging the attacker to attack. This is known as entrapment and is usually not legal.

Encryption to be applied only to sensitive organizational data on the device.

Ensure that appropriate personnel have access to the shut-off valves for the HVAC system in the event of an emergency.

Ensure that the authentication settings you configured on the device match those required by the AAA server.

Enter a building without authorization

Environmental Monitoring

Environmental conditions have a substantial impact on the reliability and life span of IT equipment. Environmental monitoring should be implemented in server rooms and data centers to ensure the proper functioning of environmental controls. The goal of environmental monitoring is to maintain environmental conditions and keep them as stable as possible. Keep the following in mind:

Environmental sensors and software can also help you to identify hot spots.

Preservation and analysis

Evidence analysis should be made by trained specialists only. Thorough examination and documentation of each piece of evidence is crucial. The International Organization on Computer Evidence (IOCE) sets the standards concerning preservation and analysis of computer evidence. According to the IOCE, preservation and analysis of all computer data must comply with the following rules:

Evidence is never altered by procedure. Instead, copies of digital evidence are made and procedures are performed on those copies.

Transportation and processing

Evidence needs to be protected during all stages of transportation. Take all necessary measures to ensure that transported evidence is in the same condition when it arrives at the court room as it was when it left the lab or investigation site. Materials should be packaged to prevent damage, and the transportation method should ensure the appropriate environmental requirements for the evidence (e.g., heating, air conditioning, or humidity requirements). Electronic information should include a hash to ensure that the data has not been altered or changed in any way.

Examine the data contained within a packet.

Test

Examples

Explain how and to whom an incident should be reported.

Explain when management should be notified of the incident and also outline ways to ensure that management is well-informed.

Exploiting vulnerabilities

External hard drives

File History backs up files in the background.

File History does not back up the entire system. Only the library files, contacts, and Internet favorites associated with the user account are backed up. A user can add files to a library and have those files backed up using File History.

File History is turned off by default.

Filters can be configured to show only frames or packets to or from specific addresses, or frames that include specific protocol types.

Find devices that might be using restricted protocols (such as ICMP) or legacy protocols (for example IPX/SPX or NetBIOS)

Fix bugs (errors) in programming code

Flash memory

Fluorescent lighting

For some investigations, you might need to review archived log files or data in backups to look for additional evidence. Be sure to design your backup strategy with not only recovery but also investigation and preserving evidence in mind.

For the highest level of security, apply hotfixes as they are released (after you verify that the hotfix will not cause additional problems).

Generic Routing Encapsulation (GRE)

GRE is a tunneling protocol that was developed by Cisco. GRE can be used to route any Layer 3 protocol across an IP network. GRE:

Gaining Access

Gaining access is the act of performing the exploit. A successful exploit on a service or application typically leads to an attempt to:

Gaining approval from the Internet provider to perform the penetration test

1. Gather information in order to identify the problem.

Generic or static teaming requires that the switch and the host identify the links in the team.

Giving higher priority to some traffic means that less important traffic might be delayed. It is assumed that while the delay might make the end user wait, the delay would not make the resulting data unusable.

Hypertext Transfer Protocol (HTTP)

HTTP over SSL (HTTPS)

HTTPS is a form of HTTP that uses SSL to encrypt data before it is transmitted.

HVAC controls the temperature and humidity of a building.

HVAC keeps temperatures cool for computer systems.

4. Hard disk data

Harden the system to prevent another attacker from gaining access.

Hardware devices, such as the BIOS or many networking devices, store code in a special hardware ROM chip. This software is referred to as firmware. Updates are done by flashing (replacing or updating) the code stored on the chip.

Has the following goals:

Health policies on the NAP server identify the action to take in response to compliant or non-compliant clients: allow access, deny access, or allow access to the quarantine or limited access network.

Heat reduces the life span and reliability of computer equipment. The hotter computer components run, the faster they age and degrade.

Heavy machinery

High availability is when a network or a service is up and accessible most of the time.

Inactivity timeout and attempt thresholds are applied closer to the user point of entry.

Hotfixes and service packs are specific to an operating system version. A hotfix for Windows 8.1 will not work on Windows 7. However, a hotfix for Windows 7 Ultimate will typically also apply to Windows 7 Enterprise.

Hotfixes may be released on a regular basis as fixes are created.

Humidity should be kept within a range of 40 to 65 percent:

2. Identify the affected area and determine the size of the problem. Fixes for one client workstation are likely very different from fixes for an entire network segment.

9. Identify the results and effects of the solution. Make sure that the solution has fully fixed the problem and has not caused any additional problems.

2. If the maximum number of allowed devices has not been reached, its MAC address is added to the table, and use of the port is allowed.

4. If the maximum number of allowed devices has not been reached, its MAC address is added to the table, and use of the port is allowed.

If the packet has a valid binding, the switch forwards the packet to the appropriate destination.

If the packet has an invalid binding, the switch drops the ARP packet.

If you disable the sticky feature, all sticky addresses are converted to SecureDynamic addresses.

If you do not manually configure allowed MAC addresses for a port, the switch will allow the first MAC addresses it detects to connect, up to the maximum number.

If you enable the sticky feature, all SecureDynamic addresses are converted to SecureSticky addresses, even if they have been learned before the sticky feature was enabled.

If you need to allow inbound ICMP traffic, enable a committed access rate (CAR) for ICMP traffic on your routers and set it very low. This will reduce ICMP traffic significantly. Any ICMP traffic that exceeds the threshold you set will be dropped.

There should be a properly documented chain of custody.

2. Improve the response and performance of network services or devices.

ARP Poisoning

In ARP Poisoning, spoofed ARP messages are sent to hosts on an Ethernet LAN which contain false source MAC addresses. By doing this, the ARP tables on each host are updated with incorrect information. The attacker's goal is to associate his or her MAC address with the IP address of another legitimate network host.

In a business environment, it is wise to test updates before installing them on multiple systems.

Including in the authorization a statement which limits the tester's liability

In a full knowledge test (also called a white box test), the tester has detailed information prior to starting the test.

In a partial knowledge test (also called the grey box test), the tester has the same amount of information that would be available to a typical insider in the organization.

Physical Penetration

In a physical penetration test, the tester attempts to:

1. In a text editor, open /etc/sysconfig/syslog.

In a zero knowledge test (also called a black box test), the tester has no prior knowledge of the target system.

In addition to delay, QoS mechanisms seek to limit the effects of packets arriving out of order, corrupt packets, and lost or dropped packets.

In addition to looking for obvious evidence on computer systems (such as saved files), use special forensic tools to check for deleted files, files hidden in slack (empty) space, or data hidden in normal files through the use of steganography.

Electronic Penetration

In an electronic penetration test, the tester attempts to gain access and information about computer systems and the data on those systems. Definitions of the types of electronic penetration testing are as follows:

Operations Penetration

In an operations penetration test, the tester attempts to gain as much information as possible using the following methods:

In dumpster diving, the attacker looks through discarded papers or media for sensitive information.

Independent Computing Architecture (ICA) is the protocol used by Citrix products (WinFrame and MetaFrame/XenApp).

Interface reset

Indicates the number of times an interface has been completely reset. This happens if packets queued for transmission were not sent within several seconds.

Severity level

Indicates the severity level of the message. In this example:

Timestamp

Indicates when the message was generated. In this example:

Individual frames are marked and classified at Layer 2.

Initiates an escalation procedure to ensure that the right people are informed and the right people are brought on the incident site.

Initiates the documentation of the incident. This includes:

Install automatic doors in the data center.

Install internal fans to bring air into or exhaust it out of individual units to act with, not against, the overall pattern of air flow in the center.

Remote desktop

Instead of showing a simple command line interface, a remote desktop utility displays the graphical user interface of a remote device. Remote desktop solutions are used to remotely manage a computer or to allow support personnel to view and troubleshoot a remote user's system. Remote desktop software typically has the following three components:

Interference

Interference is an environmental concern that should be addressed. There are two forms of interference that you need to be aware of:

It has the ability to add and delete accounts across the entire network from a centralized database and one user interface, improving the process of disabling all network and computer accounts for terminated users.

It is a more efficient logon process because users only need to type their user ID and password once.

It is best to use a surge protector with an indicator light to show whether it is working correctly.

John the Ripper

Unused features

Just as with a desktop or server system, you should disable or uninstall unused features on mobile devices. Unused features or services can expose threat vectors into the device.

Keep operating systems and applications up to date with the latest patches. Download the most recent signature files to protect against attacks.

Keep saved versions to specify how long the backups are saved. The default is forever as long as disk space is available.

Kerberos

Kerberos is used for both authentication and authorization to services. Kerberos grants tickets (also called security tokens) to authenticated users and to authorized resources. The process of using tickets to validate permissions is called delegated authentication. Kerberos uses the following components:

Keystrokes and mouse movements on the client are sent to the server.

L0phtcrack (also called LC6)

Layer Two Tunneling Protocol (L2TP)

L2TP is an open standard for secure multiprotocol routing. L2TP:

Lights

tracert -6 (Windows IPv6)

Like ping, traceroute uses ICMP packets to test connectivity between devices, but it also shows the path between the two devices. Responses from each hop on the route are measured three times to provide an accurate representation of how long the packet takes to reach, and be returned by, the destination device.

Link Aggregation Control Protocol (LACP) teaming uses LACP to dynamically configure the links between the host and the switch.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

MS-CHAP is Microsoft's proprietary challenge-response authentication method used for remote access connections. MS-CHAP:

Make sure walls have a minimum fire rating of one hour and go all the way to the true ceiling.

Making sure that all tools or programs used in the testing are legal and ethical

Manually by a system administrator or other authorized user.

Many applications include a feature that periodically checks the manufacturer's website for updates. These programs typically ask your permission to download the updates.

Many systems have logs for different purposes, such as a system log for operating system entries, a security log for security related entries, and an application log (also called a performance log) for events related to specific services and processes, such as connections from a web server.

Many updates are performed through a browser; some updates can only be performed by booting to special startup disks while outside of Windows.

Marked correctly.

May be a dedicated member of the security response team.

May rely on the auditing and logging capabilities of the operating system.

Motors

Methods used during the penetration test.

Microsoft Baseline Security Analyzer (MBSA) is used to evaluate security vulnerabilities in Microsoft products.

Microsoft assigns a number to each hotfix. This number also identifies a Knowledge Base (KB) article that describes the issues addressed by the hotfix.

Misconfigurations

Missing critical patches

Monitor system logs for unusual activity that could indicate an attempted (or successful) attack. Check firewall logs in order to identify the type of traffic that has been blocked to identify past attempted attacks. If possible, take additional measures to block unwanted traffic before it reaches your network.

Monitoring the network (usually performed from a remote site)

Most AAA servers employ the use of a security certificate to secure communications. Verify that the certificate has not expired.

Most Linux distributions support NIC teaming, but it is referred to as bonding.

Most UPS systems also condition the line and remove power spikes and sags.

Most UPS systems sound an alarm when the AC power is lost. This alarm continues until AC power is restored, although many systems have a switch to mute the alarm.

Most Windows workstation operating systems do not natively support NIC teaming.

Most versions of Windows Server support NIC teaming.

Mostly unaware of individual hosts on the network. It cannot be detected by attacking systems.

Names of programs or commands to run during shutdown

Network shares

Newer versions of Windows Server support up to 32 interfaces in a single NIC team.

No authentication of devices. Any device configured with the correct community name can send messages that will be received and processed.

Multilayer switch/content switch

Normal switching occurs at the OSI model layer 2, using the MAC address to perform frame forwarding. Switches use specialized hardware called an application-specific integrated circuit (ASIC), which performs switching functions in hardware rather than using the CPU and software. ASIC allows switches to perform the switching function at wire speed, meaning that frames are switched without the delay that would be introduced if the CPU and software were required to process the frame.

Not check for updates (you can manually check for updates at any time).

Non-Microsoft applications and many drivers will not be updated through Windows Update.

Notifies users that personally-owned devices are subject to random searches if brought on site.

Notify you of updates, but require your permission to download or install them.

OVAL is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security.

OVAL regulates the proper XML format for describing and documenting system vulnerabilities.

OVAL repositories are like libraries or databases that contain multiple definitions.

Obtaining a written and signed authorization from the highest possible senior management

Obtaining an order authorizing search and seizure. This is usually in the form of a search warrant and is legal.

Obtaining an order to summon a witness to appear in court. This is known as a subpoena and is legal.

5. Off-site logging and monitoring data

Passive Reconnaissance

Passive reconnaissance is characterized by gathering data. Passive reconnaissance does not directly affect the target. Examples of this stage include:

Once every hour, File History creates a shadow copy of user account files. This creates a snapshot of user account files at a particular point in time.

One interface in the team operates in passive mode. It doesn't process frames unless one of the other interfaces in the team fails.

Only one scheduled backup can be created with a single set of settings (multiple backup jobs and schedules cannot be created).

Only organizational data to be removed during a remote wipe, preserving personal data.

1. Open /etc/syslog.conf in a text editor.

Open ports

Operating system updates

Optical drives

Packets arriving on trusted interfaces bypass all DAI validation checks.

Packets arriving on untrusted interfaces undergo the DAI validation process.

Passive fingerprinting analyzes communications to and from a remote host.

Patch security vulnerabilities

Ping scans identify open ports using ping (ICMP) messages.

Serial Line Internet Protocol (SLIP)

Point-to-Point Protocol (PPP)

PPP is used to create a connection between two devices. It uses PAP or CHAP for authentication and can also provide encryption.

Port scanning scans ports on remote hosts looking for well-known services.

Port security does not protect against MAC address spoofing (where an attacker changes the MAC address to match the MAC address of an allowed device).

Port security uses the MAC address to identify allowed and denied devices.

Precedence values are inserted in the DiffServ field of an IP packet.

Present the path of least resistance.

2. Preserve any evidence that may be used in an investigation.

Probing the corporate network with scanning tools, often using the same tools used by hackers such as SATAN and Nessus

Procedures should be performed by a trained examiner.

Protect filter air intakes. The air intakes are the source of air for the positive pressure system. Air intakes can be a target of sabotage or contaminated by toxic chemicals if an incident occurs in the surrounding area.

Provide a detailed outline of steps to be taken to handle an incident both efficiently and effectively, while mitigating its effects.

1. Provide redundancy of services or devices so that network access can continue in the event of a failure of one or more components.

Message text

Provides a description of the event. In this example:

Mnemonic

Provides a mnemonic to help the administrator quickly identify the nature of the message. In this example:

Publishes a list of revoked certificates known as the certificate revocation list (CRL).

Purchase a UPS with at least enough battery power to power critical devices, such as the computer and a single monitor.

Putting a sniffer on the wire

2. RAM

1. Recognize and declare the event.

Recognized or acknowledged by either the witness, prosecutor, or defendant.

Recognizing that even if this process is approved by management, some aspects of it may be illegal

Recover files, folders, applications, and volumes.

Recovery and repair of any damages.

Redirecting printing, sound, or storage from the server to devices connected to the client.

Reduce the number of inbound doors.

Redundancy to provide access is often called fault tolerance.

1. Registers and caches

Remote wipe

Remote wipe, also known as sanitization, remotely clears specific, sensitive data on the mobile device. This task is also useful if you are assigning the device to another user or after multiple incorrect entries of the password or PIN.

Removal and eradication of the cause of the incident.

Repair any damage created by the incident and restore services only after the above procedures are complete.

2. Replaying or reconstructing sessions and packets

Requirements for backup

Required permissions for backups include the following:

Mutual

Requires that both parties authenticate with each other before beginning communications. To log in, your computer sends its digital certificate to prove its identity to a network server. The server then proves its identity to your computer. Only then will they exchange messages.

Multi-factor

Requires two (or more) different authentication types. To enter a secured building, you must insert your key card (Type 2) and undergo a retina scan (Type 3).

4. Restart the syslogd daemon.

Restore points are created in one of three ways:

Retina Vulnerability Assessment Scanner is used to remotely scan an organization's network for vulnerabilities.

5. Review the list of potential causes and select the most probable cause. Look for common errors and try quick solutions.

Reviewing test findings with administrative personnel

Revokes certificates (revoked certificates are not valid).

Routers use the unencrypted packet headers to deliver the packet to the destination device. Intermediate routers along the path cannot read the encrypted packet contents.

Routing network cables away from EMI emitters.

Run security scanning software on each system to detect malware or other security vulnerabilities (such as opened ports, weak passwords, or missing operating system patches).

SSH provides the same capabilities as Telnet, but encrypts data. SSH uses TCP port 22.

SSO presents a single point of failure.

Secure Sockets Layer (SSL)

Short-term (triage) actions focus on stopping the attack, mitigating its effects, and restoring basic functionality.

Should be maintained throughout the evidence life cycle to document the people and procedures used at each stage.

Should be started the moment evidence is discovered and should include what the evidence is, who found it, under what circumstances it was found, its location, the date and time of its original discovery, how it was handled, and all precautionary actions that have been taken to ensure its integrity.

Should be updated regularly to include the latest known vulnerabilities.

Shut down power or other services

Shut down the port; this is the default setting.

Size of offline cache to specify the disk space allocated to file backup. The default is 5%. Setting a small number results in older files being overwritten by newer files as the allocated disk space is used.

Some switches can transform packets at wire speed (e.g., by performing NAT or adding/removing encryption with SSL or digital certificates).

Sometimes evidence is found on a corporate system that is not otherwise violated. This is known as co-mingling. Evidential data should be extracted from the corporate system with great care to maintain its integrity and also the safety of the corporate system.

Statically configure the ARP table on each network host with the correct MAC address and IP address mappings. Most operating systems will discard ARP messages received on the network if a static entry already exists in the ARP table for the MAC address in the ARP frames. This strategy is cumbersome to implement and difficult to maintain on a network that changes frequently (such as a wireless network).

TCP connect scans discover TCP servers that are running on a host even if ICMP is blocked.

2. The AS validates the user identity and grants a ticket granting ticket (TGT), which validates the user identity and is good for a specific TGS.

The Coroner's Toolkit

The Global Positioning System (GPS) can track the location of GPS-enabled devices to within a meter.

5. The MAC address is automatically entered into the running-config file as a sticky address.

Management Information Base (MIB)

The MIB is a database of host configuration information. Agents report data to the MIB, and the manager can then view information by requesting data from the MIB. Object identifiers (OIDs) specify managed objects in a MIB hierarchy.

NAP Server

The NAP server is responsible for keeping track of health requirements and verifying that clients meet those requirements before gaining access. A Windows server running the Network Protection Service role is a NAP server.

Open Vulnerability and Assessment Language (OVAL)

The Open Vulnerability and Assessment Language is an international standard for testing, analyzing, and reporting the security vulnerabilities of a system.

Ping of Death

The Ping of Death attack uses the ping utility to send oversized ICMP packets (larger than 65,536 bytes). The attacker sends a Ping of Death packet directly to the victim, which overflows the memory buffers on that system and causes it to freeze, crash, or reboot.

The Remote Desktop Protocol (RDP) is the protocol developed by Microsoft and used in Microsoft's Remote Desktop Services and Remote Assistance solutions. Aqua Connect has licensed RDP and created a version for Mac OS X as a server. RDP uses TCP and UDP port 3389.

The SNMP manager can send messages to a device, and the device will perform an action.

5. The SS accepts the ticket and allows access.

Secure Sockets Layer (SSL)

The SSL protocol has long been used to secure traffic generated by IP protocols such as HTTP, FTP, and email. SSL can also be used as a VPN solution, typically in a remote access scenario. SSL:

The System Health Validator (SHV) runs on the NAP server and identifies the client health requirements. The SHV compares the statement of health submitted by the client to the health requirements.

The UPS connects to the power source (usually a wall socket), the computer plugs in to the UPS, and the UPS is connected through a serial or USB port to the computer. Software on the computer uses this connection to monitor battery life and to detect when the regular power is lost. You can configure the software to shut the system down automatically when the battery charge reaches a certain level. You usually need to configure the following settings when working with UPS software:

The air exchange rate for a computer room is much higher than for an office area.

2. The client responds with the username and a value created using a one-way hash function on the challenge message.

1. The client sends an authentication request to the AS.

The computer's operating system must support NIC teaming.

The graphical desktop on the server is sent to the client.

The port scan output is a combination of the IP address and port number separated by a colon (e.g., 192.168.0.1:x, where x is the port number) for both the source and the destination of the port scan.

The remote desktop protocol, which is responsible for communication between the server and the client

The submission of authentication credentials occurs based on the rules defined by the authentication type.

The switch distributes packets between multiple servers.

The switch ports must be bonded together to recognize both ports as a valid destination for the same device.

The switches are not aware that the interfaces on the server are members of a NIC team.

The system security policy must be followed to ensure that access is granted and/or limited to appropriate users.

The time offset is the difference in system time that the machines use compared to the actual time. You should record the time offset for each machine involved with the incident to ensure accurate and sequential date and time stamps for collected data.

The user can create stronger passwords because there are fewer to remember.

The user may lose the device, allowing anyone who finds it to access the sensitive data.

The user may not have implemented appropriate security settings on their device, allowing anyone who gains access to the device to view the sensitive data.

Storage

The utmost care must be taken to store and preserve evidence. For example, a hard disk should be stored in an antistatic bag that is then sealed and placed in a cardboard box with foam lining.

The vendor providing support for the device

AAA Misconfiguration Issues

There are several misconfiguration issues that you need to be aware of when managing a network that uses a TACACS or RADIUS server for authentication:

There are two types of UPS systems:

There is a variety of environment sensors and software available to monitor the temperature in server rooms and data centers.

Type 1: Something you know

Type 2: Something you have

Type 3: Something that you are

Typically implemented as part of a firewall device acting as a router. When a NIDS is implemented as a standalone device, all traffic must be directed to the device using one of the following strategies:

UDP scans determine which UDP service ports are opened on a host by sending UDP packets to a target port. If an ICMP port unreachable message is returned, then the target does not use that port.

UPS size is measured by the volt-amp (VA) rating. The capacity of the UPS determines the number of devices and how long the devices can run when power is interrupted.

Updates are classified as Important, Recommended, or Optional. By default, Important and Recommended updates are installed automatically.

USB flash drives

Unable to analyze encrypted traffic.

Unspecified service provides whatever service is available with little to no guarantee. This level of service should only be used for data that can tolerate long delays.

Up to 64 different classifications are possible, but most networks use only the following classes:

Uptime is the percent of time the network or service is up and accessible.

Use a packet sniffer to examine network traffic. It can look for specific types of traffic that should not be on your network or for traffic types associated with known attacks.

Use a port scanner to check for open ports on a system or a firewall. Compare the list of opened ports with the list of ports allowed by your network design and security policy.

Use the divide and conquer technique to isolate the problem to a specific domain. For example, if other workstations can ping a router, then the problem might be limited to a single workstation.

Use positive pressure systems. Positive pressure systems protect the air quality in the facility by causing air to be forced out through doors, windows, and other openings. Negative pressure systems draw air in, potentially bringing in airborne particles such as dust, smoke from a fire, or contamination from a chemical leak. Positive pressure systems are also more energy efficient.

Use the built-in camera, which nearly all modern mobile devices have, to take pictures of sensitive internal information.

Use the built-in microphone to record conversations.

Use the built-in video function to record proprietary processes and procedures.

Use the device's mobile broadband connection to transfer stolen data to parties outside the organization, bypassing the organization's network security mechanisms.

Implement an acceptable use policy that:

Used for intended purposes only.

Users can easily browse and restore previous versions of files backed up using File History.

Uses IPsec for encryption.

Uses MPPE for data encryption.

Uses TCP port 1701 and UDP port 500.

Uses TCP port 1723.

One-factor

Uses credentials of only one type, but may require multiple methods within the same type. To log in, you provide a username and a password (the username is not used for authentication, so the only credential supplied for authentication is the password).

Uses port 443, which is already open on most firewalls.

Uses standard authentication protocols, such as CHAP and PAP.

Using social engineering, attackers act as an imposter with the intent to gain access or information.

Utilities available to help in the analysis of the evidence include:

VPN communications through the Internet, either by itself or in conjunction with the L2TP VPN protocol.

VPNs can be implemented in the following ways:

Variable service guarantees a certain capacity, but service might vary depending on conditions. This level of service is sufficient for voice or video.

Method

Variations

Verifying that a threat exists

View packet contents.

View the exchange of packets between communicating devices. For example, you can capture frames related to DNS and view the exact exchange of packets for a specific name resolution request.

Virtual Network Computing (VNC) was originally developed for UNIX. Applications using VNC include RealVNC, TightVNC, UltraVNC, and Vine Server.

1. When a device connects to the switch port, its MAC address is identified.

3. When a device connects to the switch port, its MAC address is identified.

When File History is enabled, Windows 8 monitors users' libraries, desktop, contacts, and Internet Explorer favorites. Once an hour, Windows checks to see if any of this data has changed since the last check. If it has, Windows saves copies of the changed files to the configured location.

When File History is enabled, the location for storing the data must be specified. The best practice is to use a drive other than the drive the user files are on.

When a threshold is reached, an alert is generated or actions are taken.

When an active path goes down, STP automatically recovers and activates the necessary backup ports to provide continued connection between devices.

When performing a backup to a shared network folder, the credentials used for the backup must have Full Control at the share and NTFS permissions of the destination folder.


When side effects have been weighed and all concerns have been addressed, fix the problem. If necessary, implement additional steps to correct the problem if your first solution does not work. After you think you have resolved the problem, test the result.

When the maximum number of MAC addresses for a port has been reached, either through manual, dynamic, or sticky learning, no more MAC addresses will be allowed, and a violation will occur.

When using Voice-over-IP phones and workstations on a single port, increase the maximum allowed number above 1, allowing at least one MAC address for the phone and one for the workstation. The recommended value is 3.

When using a switch, the switch will forward packets only to the switch port that holds a destination device. When your packet sniffer is connected to a switch port, it will not see traffic sent to other switch ports. To configure the switch to send all frames to the packet sniffing device, configure port mirroring on the switch; all frames sent to all other switch ports will be forwarded on the mirrored port.

Where users can get support for personally owned mobile devices.

Where users can get support for these apps.

Which apps are allowed for use with organizational data.

You can configure the switch to take one of the following actions when a violation occurs:

Wi-Fi triangulation can track the location of devices in heavily populated urban areas to within a few meters, depending on the number of networks in range and the accuracy of their signal strength data.

Will be the easiest to exploit.

You have the option of dedicating the disk for storage.

local0-local7: These facilities can be used to capture log messages from your own applications that you develop.

Windows Update can install both hotfixes and service packs. For example, after installing a new version of Windows, Windows Update will download and install the latest service pack.

Windows Update includes updates for the following:


Windows operating system and utilities

Windows should be too small for humans to go through.


Wireless devices


You can manually configure an address and identify it as a sticky address.

You can observe attackers and gather information about their attack methods or gather evidence for identification or prosecution purposes.

You can obtain certificates from a public CA (such as DigiCert) or install your own PKI and CAs to issue certificates to users and computers in your organization.

You can only enable port security on an access port.

Authentication Strength

You can strengthen authentication by configuring systems to use multiple authentication factors. There are three categories of authentication factors:

You can turn off automatic downloading or installation of updates. You can configure your computer to:

You can use backups stored on optical or removable media to perform full volume or bare metal recoveries.

Internal disk

You can use the backups stored on internal disks to:

You can view a list of installed updates and remove any updates.

You cannot recover applications, individual files, or the system state from backups stored on optical or removable media.

lpr: This facility handles messages from the printing subsystem.

cron: This facility accepts log messages from the cron and at services, which are used to automatically run tasks on the system.

daemon: This facility is used by system services (called daemons) that do not have their own dedicated facility.

View IP configuration information

ipconfig (Windows 2000 and later) Displays IP configuration information for network adapters:

kern: This facility is used for all Linux kernel log messages.

View NetBIOS over TCP/IP information

nbtstat (Windows) Displays the NetBIOS name tables for both the local computer and remote computers, as well as the NetBIOS name cache.

View IP and routing statistics

netstat (Windows) Shows IP-related statistics:

Test name resolution

nslookup (Windows and Linux) Resolves (looks up) the IP address of a host name and displays information about the lookup, such as the DNS server used for the lookup request.

Test host-to-host connectivity

ping (Windows and Linux IPv4)

syslog: This facility is used for internal messages from the syslog service itself.

syslog is a standard for managing and sending log messages from one computer system to another. syslog can analyze messages and notify administrators of problems or performance issues.

{Emergencies | 0} - System unusable

{Alerts | 1} - Immediate action needed

{Critical | 2} - Critical conditions

{Errors | 3} - Error conditions

{Warnings | 4} - Warning conditions

{Notifications | 5} - Normal but significant conditions

{Informational | 6} - Informational messages only

{Debugging | 7} - Debugging messages
