A+ Chapter 17: Security Concepts


You are investigating Common Security Threats. Describe the following: Denial-of-Service (DoS) Attacks There are several different types of DoS attacks. List the 3 you need to know:

An attack launched to disrupt the service or services a company receives or provides via the Internet. A DoS attack is executed with an extremely large number of false requests; because of the attack, the servers will not be able to fulfill valid requests for clients and employees. There are several different types of DoS attacks:
- Reflective DoS
- Amplified DoS
- Distributed DoS (DDoS) - the most common today

You are engaging in Account Management. Describe the following: Disable AutoRun

AutoRun is a Windows feature designed to ease burdens on non-technical users by allowing Windows Explorer to automatically launch programs from inserted media (CD, DVD, USB).
- this can obviously be a security risk, as said media could contain malware
The type of attack that uses this feature is called a drop attack. As an admin, the best way to address this is to disable the AutoRun feature on the user's workstation.
- newer Windows versions now disable this feature by default

As the security administrator for your organization, you must be aware of all types of attacks that can occur and plan for them. Which type of attack uses more than one computer to attack the victim? A. DoS B. DDoS C. Worm D. Rootkit

B A distributed denial‐of‐service (DDoS) attack uses multiple computer systems to attack a server or host in the network. A denial‐of‐service (DoS) is a one‐on‐one attack to disrupt service. Worms reproduce and move throughout the network to infect other systems and therefore do not attack one victim. Rootkits are software programs that have the ability to hide themselves from the operating system.

Which is an example of an authentication method in which you have something? A. Password B. Key fob C. Fingerprint D. Place

B A key fob is an example of authentication for something you have. A password is something you know. A fingerprint is something you are. A place is a geographical place in which you are.

Which type of device can detect weapons on a person entering a facility? A. Biometrics B. Magnetometer C. Motion sensor D. Badge reader

B A magnetometer, also known as a metal detector, can detect weapons on a person entering a facility. Biometrics are used to authenticate someone based on their face, retina, fingerprint, or some other method that biologically verifies their identity. A motion sensor is used to detect motion. A badge reader is used to scan security ID badges.

You're working late one night and notice that the hard drive on your new computer is very active even though you aren't doing anything on the computer and it isn't connected to the Internet. What is the most likely suspect? A. A spear phishing attack is being performed. B. A virus is spreading in your system. C. Your system is under a DoS attack. D. TCP/IP hijacking is being attempted.

B A symptom of many viruses is unusual activity on the system disk. The virus spreading to other files on your system causes this. A disk failure will not create high disk activity. A spear phishing attack is a social engineering attack and will not create high disk activity; neither denial‐of‐service attacks nor TCP/IP hijacking attacks will create high disk activity.

You need to protect your users from potentially being phished via email. Which of the following should you use to protect them? A. Antivirus software B. End‐user education C. SecureDNS D. The principle of least privilege

B End‐user education is the best way to protect your users from the threat of phishing via email. Antivirus software is used to prevent viruses, not phishing attempts. SecureDNS can be useful in protecting your users, but not from phishing emails. The principle of least privilege assigns only the permissions that users need to do their work, and no more.

You are analyzing Physical Security for Staff. Describe the following: Biometrics + Why are biometrics often used as part of a multifactor authentication?

Biometric devices use physical characteristics to identify the user. Biometric systems include fingerprint/palm/hand scanners, retinal scanners, facial recognition software, and DNA scanners. To gain access to resources, you must pass a physical screening process.
- e.g. identifying fingerprints, scars, and markings on your hand
- e.g. retinal scanners compare your eye's retinal pattern to a stored retinal pattern to verify your identity
Biometrics are often used as part of a multifactor authentication (being used along with a PIN, for example) because of biometric error rates.
- biometrics are no strangers to false positives and false negatives
In image: a typical biometric fingerprint device

You are engaged with Mitigating Software Threats. Follow the Steps to Test Your Antimalware

1. Navigate to the Eicar antimalware test file site at https://www.eicar.org/?page_id=3950.
2. Scroll down to the download section.
3. Download a few of the Eicar test files and notice how your antivirus detects the malware.
4. Examine the alerts as your antimalware software reports the malware.
The Eicar website contains a totally benign piece of malware that triggers your antimalware engine. Any search for Eicar will produce similar results, and the contents are benign.

Authentication is based on 5 types of identity-confirming credentials. List them.

1. Something you have - e.g. ID badge, key fob
2. Something you are - e.g. fingerprint, facial recognition
3. Something you know - e.g. password, PIN
4. Somewhere you are - e.g. a secure facility, or a location-based service that detects you are at your home
5. Something you do - based on something you do, such as a signature or (with newer technology) the way you type in a password

You are investigating Social Engineering Attacks, Threats, and Vulnerabilities. Describe the following: Impersonation + What is the best defense?

A methodology prevalent in many different social engineering attacks in which a threat agent portrays (impersonates) another employee or organization; many of these attacks depend on impersonation to work. E.g. many phishing emails impersonate your bank, an online store, or some other reputable source in an attempt to steal credentials. Education and training are the best defense against impersonation.
- training should help users identify suspicious emails or phone calls

You are engaging in Destruction and Disposal Methods, particularly Recycling or Repurposing Best Practices. Describe the following: Overwrite

Overwriting the drive entails copying over the data with new data.
- a common practice is to replace the data with 0s
- a number of applications allow you to recover what was there prior to the last write operation, and for that reason, most overwrite software will write the same sequence and save it multiple times

You are investigating Exploits and Vulnerabilities. Describe the following: Patching vs. Updates

Patches remediate vulnerabilities found in the OS and fixed by the vendor. Updates add new features not included with the current build.
- however, many updates include patches
Patches and updates should be current before placing the OS/hardware into service.
- even after placing the OS and devices into service, you need to keep patches and updates current as they come out

You are analyzing Logical Security Concepts. Describe the following: Authentication Factors (state 5 ways authentication can occur)

Something You Know - commonly a username and password or personal identification number (PIN)
Something You Have - what you physically have, such as key fobs, keys, smartcards
Something You Are - biometrics such as your fingerprints, your voice, and retina scans
Something You Do - based on something you do, such as a signature or (with newer technology) the way you type in a password
Somewhere You Are - such as a secured facility that already verifies your identity and grants access

You are investigating Social Engineering Attacks, Threats, and Vulnerabilities. Describe the following: Dumpster Diving + How can you prevent dumpster diving?

The act of a person rifling through the trash with the expectation to find information. A strong policy to prevent dumpster diving is the physical destruction of any sensitive data, instead of throwing it out.

You are analyzing Malware, particularly different types of Viruses. What is the best defense against a virus attack? What is the key to stopping most virus attacks?

The best defense against a virus attack is up-to-date antivirus/antimalware software installed and running.
- the software should be on all workstations as well as all servers
The key to stopping most virus attacks is to identify them quickly (a longer-lived virus has more time to spread) and educate administrators about them.

What is the first line of defense against threats to computer security?

The education of the user.

You are engaged with Mitigating Software Threats. What is, by far, the best prevention of security threats?

The education of your end users regarding common threats. For example, the most effective method of preventing viruses, malware, spyware, and harm to hardware is to teach your users not to open suspicious files and to open only those files they're reasonably sure are harmless. End users should also be educated on how to identify Trojans and phishing email scams, and on how to keep their antivirus/antimalware up-to-date along with keeping their OS updated.

You are analyzing Physical Security Concepts. Describe the following: Door Locks + Describe a tumbler lock + Describe a combination lock

The most common physical prevention tactic is the use of locks on doors and equipment.
A tumbler lock requires a physical key to gain access.
- this could be problematic, as you can lose keys, and keys can be copied by unauthorized individuals
A combination lock (also called a cipher lock) can be reprogrammed and does not require a physical key (shown in image).
- they can be purchased as mechanical or electronic
- you must know the cipher (code) in order to gain access

You are engaged with Mitigating Software Threats. When you are compromised by a virus or other type of malware, what is the only way to be sure you have removed it completely?

The only way to be sure you have removed it completely is to reinstall the OS.
- this may seem extreme, but there is always the possibility that the threat has eluded antivirus/antimalware software and embedded itself somewhere in the OS
Fortunately, the Windows OS makes it easy to reinstall itself.
- the Reset This PC option from the recovery console or the Settings app can do this for you, while also keeping your data files

You are engaging in Account Management. Describe the following: Disabling the Guest Account

When Windows is installed, one of the default accounts it creates is Guest.
- this represents a weakness that can be exploited by an attacker
- the account cannot do much; however, it can provide initial access to a system, which the attacker can use to find another account or acquire information about the system
As an admin, you should disable all accounts that are not needed, especially the Guest account.
- in Windows 10, the Guest account is disabled by default
- after you disable the account, rename it if you can, then change the default passwords

You are engaging in End-User Best Practices. Describe the following: Locking Screens + How can you lock your screen in Windows?

When a user walks away from their computer and leaves themselves logged in, anyone who walks up to the computer has the same level of access as the owner of the account. As an administrator, train users to lock their screen when they walk away to prevent unauthorized access (in Windows, it's as easy as Windows key + L). Alternatively, you can require the user to use a screen saver lock.
- e.g. the screen saver lock can be set to 15 minutes, so after 15 minutes of idle time, the screen saver will turn on

You are analyzing Malware, particularly Viruses. Sometimes, viruses won't destroy or otherwise tamper with your system. Instead, they will use your system as a carrier. What does this mean?

When a virus uses the victim system as a carrier, that system's purpose is to spread the infection by infecting servers, fileshares, and other resources with the virus.

Which type of attack involves passing a database query with a web request? A. Insider threat B. Evil twin C. SQL injection D. Tailgating

C A SQL injection attack is a method of passing a SQL query with a web request by using an escape code sequence. An insider threat is a threat from within your organization, such as a disgruntled employee. An evil twin attack involves a rogue access point with the same SSID as your organization. Tailgating is the act of walking behind someone who has swiped to get into an area so the attacker can gain entry.

You're in the process of securing the IT infrastructure by adding fingerprint scanners to your existing authentication methods. This type of security is an example of which of the following? A. Access control B. Physical barriers C. Biometrics D. Softening

C A fingerprint scanner, or any device that identifies a person by a physical trait, is considered a biometric security control. Access control is the system that controls access for users. Physical barriers are structures that limit physical access. Softening refers to weakening of security.

You are analyzing Physical Security Concepts. Describe the following: Video surveillance
+ Two types of cameras can be deployed for video surveillance. Which one is best for surveillance?
+ Video surveillance can be deployed using three common media types. Describe each of them and their differences:
- coaxial
- ethernet
- wireless
+ What is a media converter?

Considered the backbone of physical security, it is the use of video cameras that allows an investigator to identify what happened, when it happened, and (most importantly) who made it happen.
Two types of cameras can be deployed for video surveillance:
Fixed cameras
- best choice when recording for surveillance activities
Pan-tilt-zoom (PTZ) cameras
- allow for 360-degree operations and zooming in on an area
- most commonly used for intervention, such as covering an area outside during an accident or medical emergency
- more expensive and require more maintenance than fixed cameras
It is always best to use a fixed camera or multiple fixed cameras (unless you need a PTZ for a really good reason).
- when an incident occurs, you do not want the camera to be panning elsewhere!
Video surveillance can be deployed using three common media types:
Coaxial cable
- typically used in areas where preexisting coaxial lines are in place or distances are too far for typical Ethernet
- these systems are typically called closed-circuit television (CCTV)
- CCTV recorders generally have a finite number of ports for cameras and a finite amount of storage in the form of direct-attached storage (DAS)
- CCTV recorders also need their own power supplies, whereas Ethernet surveillance can utilize PoE
Ethernet
- Ethernet (or IP) surveillance is becoming the standard for new installations
- anywhere an Ethernet connection can be installed, a camera can be mounted
- Power over Ethernet (PoE) allows power to be supplied to the camera, so the additional power supplies used with coaxial cameras are not needed
- also provides the flexibility of virtual LANs (VLANs) for added security, so that the camera network is isolated from operational traffic
- IP surveillance uses network video recorder (NVR) software, which is a server application, so you can use traditional storage such as network-attached storage (NAS) or storage area network (SAN) storage
- this allows you to treat video recordings like traditional data (whereas coaxial surveillance requires DAS)
- the use of IP video surveillance allows for a number of higher-end features such as camera-based motion detection, license plate recognition, sending video to storage only when motion is detected on camera (saving storage during periods of nonactivity), and even facial/object recognition software
Wireless
- popular for consumer applications, such as doorbells and home surveillance cameras
- generally uses cloud storage and requires an Internet connection
A media converter is a device that converts coaxial camera networks to IP surveillance networks.
- they look similar to a CCTV recorder
- they do not have any DAS; their sole purpose is to convert the coaxial camera feed to an Ethernet feed to the NVR

Which Active Directory component maps printers and drives during login? A. Home folders B. Organizational unit C. Login script D. Microsoft Management Console (MMC)

D A login script is used by Active Directory during login to map drives and printers. A home folder is a private network location in which the user can store their personal files. Organizational units (OUs) are used to group computers and users so that Group Policy can be applied. The MMC is used to manage various aspects of Active Directory and the local operating system.

A reflective attack attempts to use a broadcast ping on a network. The return address of the ping may be that of a valid system in your network. Which protocol does the reflective attack use to conduct the attack? A. TCP B. IP C. UDP D. ICMP

D The reflective attack is using a broadcast ping (ICMP) on a network. The return address of the ping may be that of a valid system in your network. The Transmission Control Protocol (TCP) is not typically used with a reflective attack. The Internet Protocol (IP) is a suite of protocols and solely used with a reflective attack. The User Datagram Protocol (UDP) is not described in this reflective attack.

A vice president of your company calls a meeting with the IT department after a recent trip to competitors' sites. She reports that many of the companies she visited granted access to the operating system or applications after an employee presented a number that rotated. Of the following, which technology relies on a rotating number for users for authentication? A. Smartcard B. Biometrics C. Geofencing D. Token

D Tokens are rotating numerical keys that you must physically have with you to gain access to the operating system or applications. Biometrics relies on a physical characteristic of the user to verify identity. Biometric devices typically use either a hand pattern or a retinal scan to accomplish this. Smartcards contain a private certificate key and are protected with a password. Geofencing uses your GPS coordinates to ensure that the authentication happens when you are in a defined geographic area.

You are engaging in Account Management. Describe the following: Changing Default Usernames

Default accounts represent a huge weakness because everyone knows they exist.
- they are usually named admin, administrator, root, or sysadmin
Not only should the default passwords be changed immediately, but as an administrator you should also change the default usernames.
- changing the default usernames makes it more challenging for someone to try to guess the credentials
- it ensures that a brute-force attack cannot be performed against a known, default username; hackers will now need to know the username first before attempting a password attack

You are investigating Common Security Threats. There are several different types of DoS attacks. Describe the following: Distributed DoS (DDoS)

Distributed DoS (DDoS) - the most common type of DoS, because the source of the DoS is varied. It involves multiple connected online devices, collectively known as a botnet, which are used to overwhelm a computer system with requests.
- it is common for botnets to launch DDoS attacks on organizations
- when a single host is used to create a DoS, it can simply be blocked; however, when traffic is coming from millions of different hosts, it is impossible to isolate the DoS and firewall the source
Image shows a DDoS attack

You are engaging in Destruction and Disposal Methods, particularly Physical Destruction. Describe the following: Securing Physical Documents/Passwords/Shredding

Dumpster diving can be used to acquire discarded physical documents that contain sensitive information, posing a threat to the security of an organization's assets.
- sensitive papers should either be shredded or burned
Small companies can purchase document shredding equipment. Larger companies can outsource the job to a shredding service company.

You are analyzing Physical Security for Staff. Describe the following: Key Fobs + What are they often used for?

Embedded radio frequency identification (RFID) circuits that fit on a set of keys and are used with physical access control systems.
- they are close-proximity devices that authorize the user for entry
- they open electronic locks on doors
They are often used for access to external and internal doors of buildings.

You are engaging in Destruction and Disposal Methods. Whenever you plan to get rid of any device that contains data on it, you should have an appropriate destruction/disposal plan. Explain the three concepts with regard to disposing of hard drives:
- Formatting
- Sanitation
- Destruction

Formatting - prepares the drive to hold new information (which can include copying over data already there)
- formatting a drive using the OS does not actually erase the data completely
Sanitation - wiping the data off the drive
Destruction - renders the drive no longer usable

You are analyzing Malware. Describe the following: Spyware + How does it differ from other malware?

Malware designed to covertly obtain information about a computer system's activities and then relay that data to sources outside of your computer system. Spyware differs from other malware in that it usually works on behalf of a third party. Spyware programs monitor the user's activity and respond by offering unsolicited pop-up advertisements (sometimes known as adware), gather information about the user to pass on to marketers, or intercept personal data, such as credit card numbers.

You are analyzing Malware. Describe the following: Trojan Horse + What is the best preventative measure for Trojan horses? + What can reveal a Trojan horse?

Malware programs that enter a system or network under the guise of another program.
- may be included as an attachment or as part of an installation program
The Trojan horse can create a backdoor or replace a valid program during installation; it then accomplishes its mission under the guise of another program, usually to a completely unsuspecting user.
- they can exist for years without being detected
The best preventative measure for Trojan horses is to not allow them into your system.
- immediately before and after you install a new software program or OS, back it up!
- if you suspect a Trojan horse, you can reinstall the original program(s), which should delete the Trojan horse
A port scan may also reveal a Trojan horse on your system.
- if an application opens a TCP or UDP port that isn't supported on your network, you can track it down and determine which port is being used

You are analyzing Malware. Describe the following: Rootkits + What is the best defense for rootkits?

Malware programs that have the ability to hide certain things from the OS.
- they do so by obtaining (and retaining) administrative-level access
With a rootkit, there may be a number of processes running on a system that don't show up in Task Manager, or connections that don't appear in a Netstat display of active network connections that may be established or available.
- the rootkit masks the presence of these items by manipulating function calls to the OS and filtering out information that would normally appear
Many rootkits are written to get around antivirus and antispyware programs that aren't kept up-to-date.
- make sure you keep them up to date
- the best defense you have is to monitor what your system is doing and catch the rootkit in the process of installation

You are analyzing Malware. Describe the following: Worm + How is it different from a virus?

Malware that can reproduce itself, is self-contained, and doesn't need a host application to be transported. Its purpose is to self-replicate and spread copies of itself to other computers/networks. It is different from a virus in that worms can reproduce themselves, whereas a virus can only spread by infecting files and other resources.
- however, it is possible for a worm to contain or deliver a virus to a target system
Worms are supposed to propagate, and they use whatever services they're capable of to do that.
- early worms filled up memory and bred inside the RAM of the target computer
- worms can use TCP/IP, email, Internet services, or any number of possibilities to reach their target

You are engaging in Destruction and Disposal Methods, particularly Physical Destruction. Describe the following: Shredder

Many commercial paper shredders are also capable of destroying DVDs and CDs.
- for hard drives, you will need a shredder created for just such a purpose

You are engaging in Security Best Practices, particularly with Setting Strong Passwords. What approach do many password-based systems use to store passwords? How does it work? What are best practices in creating a password? What is the Password Complexity policy in Windows Group Policy?

Many password-based systems use a one-way hashing algorithm to store their passwords.
- you can't reverse the hash value in order to guess the password; even if the database of stored password hashes is stolen, threat agents cannot obtain passwords with only their hash values
A hash value is stored in a database representing the user's designated password. When that user enters their password to log in, the characters are sent through the hashing algorithm and turned into a hash value. That hash value is then compared to the hash value stored in the database. If they are the same, then the user is granted access.
Best practice for passwords is that they should be long and complex.
- at least 12 characters should be used, along with the use of different characters including digits and special characters (if your password is a 12-letter word, it can be easily cracked by a dictionary attack)
Password Complexity policy is a Windows Group Policy that enforces rules for user passwords.
- three of the four categories (lowercase, uppercase, numbers, and symbols) must be used in your password

You are analyzing Malware, particularly different types of Viruses. What is the immediate thing you should do when finding a virus? What are some symptoms you should look out for when determining if a virus infection has occurred? (just have an idea; you don't need to know them all)

Many viruses will announce themselves as soon as they gain access to your system.
- they may take control of your system and flash annoying messages on your screen or destroy your hard disk
- other viruses will cause your system to slow down, cause files to disappear from your computer, or take over your disk space
When finding a virus, you should immediately quarantine the infected system.
- it is imperative that you contain the virus and keep it from spreading to other systems within your network and beyond
You should look for these symptoms:
- the programs on your system start to load more slowly (due to the virus spreading to other files or taking over system resources)
- unusual files appear on your hard drive, or files start to disappear from your system
- program sizes change from the installed versions (due to the virus attaching itself to programs)
- your browser or other software begins to exhibit unusual operating characteristics, such as screen or menu changes
- your system mysteriously shuts itself down or starts itself up
- you mysteriously lose access to a disk drive or system resources (the virus has changed settings on a device to make it unusable)
- your system suddenly doesn't reboot or gives an unexpected error message during startup

You are engaged with Mitigating Software Threats. Most malware can be simply prevented with the use of ___. Today, Windows comes preinstalled with ___ to protect your computer.

Most malware can be simply prevented with the use of antivirus software. Today, Windows comes preinstalled with Windows Virus and Threat Protection to protect your computer even if you don't purchase antivirus software from third-party vendors.
- although Microsoft's antivirus program will work fine for most computing needs, there are some advantages to purchasing antivirus software from third-party vendors (such as faster antivirus definition updates and a more comprehensive list of antivirus definitions, i.e. signatures)

You are analyzing Physical Security for Staff. Describe the following: Lighting

Most security cameras work on the principle of collecting light to record a picture.
- therefore, areas in which you have video cameras or anywhere that contains sensitive data should have sufficient levels of lighting
This lighting can come from a visible light source (such as overhead fluorescent lights or spotlights) or from infrared (IR) light sources (video cameras that can record in the dark and still view everything clearly).

You are engaging in Destruction and Disposal Methods, particularly Recycling or Repurposing Best Practices. Describe the following: Low-level Format vs. Standard Format
+ Should you perform a low-level format on IDE or SCSI drives?
+ What is the main thing to remember for the exam about standard format vs. low-level format?

Multiple levels of formatting can be done on a drive.
Standard Format
- accomplished using the OS's format utility (or similar); it can mark the space occupied by files as available for new files without truly deleting what was there
- such "erasing" doesn't guarantee that the information isn't still on the disk and recoverable
Low-level Format
- typically accomplished only in the factory
- can be performed on the system, or a utility can be used to completely wipe the disk clean
- this process helps to ensure that information doesn't fall into the wrong hands
The manufacturer performs a low-level format on integrated device electronics (IDE) hard drives.
- it must be performed before a drive can be partitioned
- in low-level formatting, the drive controller and the drive meet for the very first time and learn to work together
You should never perform a low-level format on IDE or SCSI drives.
- they are formatted at the factory, and you may cause problems with them
The main thing to remember is that most forms of formatting included with the OS do not actually erase the data completely.
- as such, formatting the drive and then disposing of it has caused many companies problems when individuals retrieve the data using commercially-available applications

You're the administrator for a large bottling company. At the end of each month, you routinely view all logs and look for discrepancies. This month, your email system error log reports a large number of unsuccessful attempts to log in. It's apparent that the email server is being targeted. Which type of attack is most likely occurring? A. Brute‐force B. Backdoor C. Worm D. TCP/IP hijacking

A A brute‐force attack is a type of password attack in which a password is guessed over and over until the right password is guessed. A backdoor attack is an embedded account that allows unauthorized access through an unpatched coding hole. A worm is different from a virus in that it can reproduce itself, is self‐contained, and doesn't need a host application to be transported. A TCP/IP hijacking is an attack that attempts to redirect the TCP/IP conversation to the threat agent.

A junior administrator comes to you in a panic. After looking at the log files, he has become convinced that an attacker is attempting to use a legitimate IP address to disrupt access elsewhere on the network. Which type of attack is this? A. Spoofing B. Social engineering C. Worm D. Password

A A spoofing attack is an attempt by someone or something to masquerade as someone else (IP address) and is often used to disrupt access. Social engineering is a process in which an attacker attempts to acquire information about your network and system by social means, such as talking to people in the organization. Worms reproduce and move throughout the network to infect other systems. Password attacks are used in an attempt to guess passwords.

Which of the following is different from a virus in that it can reproduce itself, is self‐contained, and doesn't need a host application to be transported? A. Worm B. Smurf C. Phish D. Trojan

A A worm is different from a virus in that it can reproduce itself, is self‐contained, and doesn't need a host application to be transported. A smurf attack is a type of distributed denial‐of‐service (DDoS). A phishing attack is an attempt to gain a user's credentials to a network resource. Trojan horses are programs that enter a system or network under the guise of another program.

Which type of attack denies authorized users access to network resources? A. DoS B. Worm C. Trojan D. Social engineering

A Although the end result of any of these attacks may be denying authorized users access to network resources, a denial‐of‐service (DoS) attack is specifically intended to prevent access to network resources by overwhelming or flooding a service or network. Worms reproduce and move throughout the network to infect other systems. Trojans are programs that enter a system or network under the guise of another program. Social engineering is a process in which an attacker attempts to acquire information about your network and system by social means, such as talking to people in the organization.

You've discovered that credentials to a specific application have been stolen. The application is accessed from only one computer on the network. Which type of attack is this most likely to be? A. On‐path attack B. Zero‐day C. Denial‐of‐service (DoS) D. Smurf

A An on‐path attack intercepts data and then sends the information to the server as if nothing were wrong while collecting the information. Zero‐day attacks are attacks in which a developer has not properly patched a hole yet and is unaware of the hole. A denial‐of‐service (DoS) attack is used to disrupt legitimate requests from being answered. A smurf attack is a type of distributed denial‐of‐service (DDoS).

Which component of physical security addresses outer‐level access control? A. Fences B. Access control vestibule C. Multifactor authentication D. Strong passwords

A Fences are intended to delay or deter entrance into a facility. Access control vestibules are used for mid‐layer access control to prevent tailgating. Multifactor authentication is used for mid‐ and inner‐layer access control. Strong passwords are used for mid‐ and inner‐layer access control.

As part of your training program, you're trying to educate users on the importance of security. You explain to them that not every attack depends on implementing advanced technological methods. Some attacks, you explain, take advantage of human shortcomings to gain access that should otherwise be denied. Which term do you use to describe attacks of this type? A. Social engineering B. IDS C. Perimeter security D. Biometrics

A Social engineering uses the inherent trust in the human species, as opposed to technology, to gain access to your environment. IDSs are network‐based systems that detect intrusions. Perimeter security describes physical security. Biometrics describes an authentication method based on human physical traits.

Internal users suspect there have been repeated attempts to infect their systems, as reported to them by pop‐up messages from their antivirus software. According to the messages, the virus seems to be the same in every case. What is the most likely culprit? A. A server is acting as a carrier for a virus. B. A password attack is being carried out. C. Your antivirus software has malfunctioned. D. A DoS attack is under way.

A Some viruses won't damage a system in an attempt to spread into all the other systems in a network. These viruses use that system as the carrier of the virus. A password attack would not prompt your antivirus software to notify you. Your antivirus software could be malfunctioning, but it would not suggest the same virus is infecting you over and over again. A denial‐of‐service (DoS) attack would not prompt your antivirus to notify you.

Your boss needs you to present to upper management the need for a firewall for the network. What is the thesis of your presentation? A. The isolation of one network from another B. The scanning of all packets for viruses C. Preventing password attacks D. The hardening of physical security

A The thesis of your presentation should outline the need for a firewall to isolate the external network from the internal network. Firewalls will not scan packets for viruses. Firewalls will not prevent password attacks or harden physical security.

You are analyzing Physical Security for Staff. Describe the following: Magnetometer + Also known as + What are two ways magnetometers can be used?

A magnetometer, also known as a metal detector, uses an electromagnetic field to detect metallic objects.
- commonly seen at choke points in airports or government buildings
Two ways magnetometers can be used:
- monitor metal objects carried by people entering a facility
- monitor metal objects carried by people exiting a facility
When a metal detector is used for people entering a facility, you can detect weapons such as guns or knives.
- this protects your staff from threat agents with malicious intent
A metal detector can also be used to monitor people leaving a facility.
- this can protect against data loss and theft

You are analyzing Logical Security Concepts. Describe the following: Folder Redirection + Why would you use this?

A Group Policy setting that allows the redirection of portions of users' profile folders to a network location.
- enables users and administrators to redirect the path of a known folder to a new location
Normally, when a user logs into the network and a roaming profile exists for the user:
- the user's profile is completely downloaded to the computer the user is working on
- during logout, all data is written back to the roaming profile location on the network file server
This can substantially slow down the login and logout process when profiles become large, because the user's folders are downloaded and re-uploaded every time they log in or log out.
When folder redirection is used, the roaming profile is still downloaded but the redirected folders are not.
- they are simply redirected to the network location
- this speeds up login and logout times because the entire profile is no longer downloaded (login) and uploaded (logout)

You are engaged with Mitigating Software Threats. Describe the following: Recovery Console + What is the most useful function of WinRE?

A Windows feature that allows you to troubleshoot and recover a system after it has been compromised or damaged.
- it can perform a number of useful functions for recovery from a security threat
The Windows Recovery Environment (WinRE) is a recovery console.
- its most useful function is the Reset This PC option, which allows you to refresh the OS while keeping your data files, or to remove everything and start from scratch (always have backups)
- it also allows you to perform a system restore, which restores the OS to a specific point in time, so long as a system recovery image exists (shown in image)

You are analyzing Logical Security Concepts. Describe the following: Principle of Least Privilege + What are internal vs external threats + in addition to reducing chances of attacks, following this principle is also beneficial in what way?

A common security concept that states a user should be restricted to the fewest privileges they need to do their job.
- by following this principle, you can limit internal and external threats by reducing the attack surface
Internal threat - a security threat that stems from individuals within the organization itself
- e.g. if a front-line worker has administrative access on their computer, they can circumvent security
External threat - a security threat that stems from individuals outside of the organization
- e.g. a bad actor uses a malicious email to gain administrative access from a worker in the organization
In addition to reducing the chances of attacks, following this principle is also beneficial in that it leads to fewer intentional or accidental misconfigurations.

You are analyzing Logical Security Concepts. Describe the following: Organizational Units (OUs) + Why should you have OUs? + OUs should be designed to group objects by the following criteria. Describe them: - Object Class - Geographic Location - Function - Hybrid

A container within a Microsoft Active Directory domain which can hold users, groups, and computers.
You need to have some organization to the many different objects that you will create in your domain. OUs enable you to group objects together so that you can apply a set of policies to the objects.
OUs should be designed to group objects by the following criteria:
Object Class - objects should be organized based on their class or type
- you can organize all computers into an OU, and then all users into another OU
Geographic Location - objects can be organized based on their location
- it is common practice to use airport codes when the organization is spread across a large distance
- you can also use town names when the organization's branches are in relatively close proximity
Function - objects can be organized based on their function in the organization, such as servers, workstations, and users
- objects can also be grouped by their job function, such as Sales, Marketing, and HR
Hybrid - depending on how you are planning your domain, you could use a custom or combined organization of objects

You are analyzing Physical Security Concepts. Describe the following: Badge Reader

A device designed to read information encoded in an identification (ID) badge.
- many ID badges contain a magnetic strip or RFID provision so that the badge can be used in conjunction with a badge reader
- when the information is read by the badge reader, it is sent to an access control system for authorization through a controlled door
A benefit of implementing badge readers is that it creates an electronic audit trail of all access to an area.

You are analyzing Logical Security Concepts. Describe the following: Group Policy Group Policy Object (GPO) + where are GPOs edited? What is a policy? + how often are they refreshed in AD? + how are policies different from preferences?

A feature of Windows Active Directory that enables you to apply policies to control users and computers.
- typically, you do not apply policies to individual users or computers but instead to groups of users or computers (you then move users and computers to their respective group)
A Group Policy Object (GPO) is a type of object in AD that allows you to apply a set of policies against an organizational unit (OU).
- GPOs are created, linked to a group, and edited in the Group Policy Management Console (GPMC) (shown in image)
Policies are hard controls that you can force on an object.
- they are refreshed every 90 minutes in AD
- preferences are initial settings that are applied only during the first login, so the user can change these settings afterward; however, users usually cannot change policies unless they are an administrator

You are investigating Social Engineering Attacks, Threats, and Vulnerabilities. Describe the following: Phishing + What is a good countermeasure to phishing emails? + What is the only preventative measure to phishing?

A form of social engineering in which you ask someone for a piece of information that you are missing by making it look as if it is a legitimate request.
For example, an email might look as if it's from a bank and contain some basic information, such as the user's name, before asking you to go to a website and input sensitive information to resolve a non-existent problem with your bank account.
- one of the best countermeasures to phishing emails is to read the full URL of the provided link; almost every time, the URL is an adaptation of the legitimate URL, as opposed to a link to the real thing
The only preventative measure in dealing with phishing is to educate users and staff to never give out passwords and IDs over the phone or email, or to anyone who isn't positively verified.

You are investigating Social Engineering Attacks, Threats, and Vulnerabilities. Describe the following: Tailgating + What is the best prevention?

A form of social engineering in which you gain unauthorized access to a building or other controlled access point that requires a swipe card or other authentication factor by following the person in front of you.
- i.e. you "tailgate" them as they enter, gaining access to the location
The best prevention is education of staff to make sure it does not happen.

You are investigating Social Engineering Attacks, Threats, and Vulnerabilities. Describe the following: Shoulder Surfing + What can prevent shoulder surfing? + What is the best defense?

A form of social engineering that involves watching someone while they enter their sensitive data.
- i.e. looking "over their shoulder" to see an entered password, credit card number, PIN, etc.
A privacy filter can be used to block people from looking at your screen from an angle.
The best defense against this type of attack is to survey your environment before entering any personal data.

You are analyzing Malware. Describe the following: Botnet + What is a common task for a botnet?

A group of hijacked, zombie-like computers that are under the control of a malicious actor.
Malware infects a computer and lies dormant awaiting a command from a command-and-control server. This computer is considered a zombie.
- when enough infected computers check in, the threat agent will send a command to the command-and-control server and the botnet of zombies will all collectively work on the task
- often the task is to launch a malicious DDoS attack or to send spam

You are analyzing Logical Security Concepts. Describe the following: Domain + Active Directory domains are named with what type of name? Why? + When a user authenticates against an AD domain, what is issued? How does this work?

A hierarchical collection of security objects, such as users, computers, and policies, among other components.
Active Directory domains are named with a Domain Name System (DNS) name.
- e.g. sybex.com would be the root domain; if you wanted to add a new domain, you would prepend a label to the left of the namespace, as such: east.sybex.com
- using a DNS namespace is one of the ways AD is scalable and hierarchical
Many organizations never need anything more than one domain to contain all their security objects.
When a user authenticates against an AD domain, a domain access token is issued (shown in image).
- these are like keys to various locks (ACLs) on resources
When the user encounters a file that is secured with an ACL, a security token is presented.
- if there is a matching credential between the security token and the user's token, then the user is granted the associated file permission on the ACL

You are analyzing Logical Security Concepts. Describe the following: Active Directory (AD) + What protocol does AD use to look up objects in its database? + Is AD an authentication mechanism? + How does Kerberos protocol relate to AD? AD uses a directory partition called the ___ to describe classes of objects and the attributes that define each object.

A highly scalable Windows directory service that can contain many different objects, including users, computers, and printers, and provides a central management point for network administrators to view and manage these network objects.
AD uses a protocol called Lightweight Directory Access Protocol (LDAP) to quickly look up objects in its database.
AD is not the authentication mechanism - it is only the directory for the storage and lookup of objects.
- AD works in conjunction with Kerberos, which is the protocol that performs the authentication of users
AD uses a directory partition called the schema partition to describe classes of objects and the attributes that define each object.

You are engaging in Destruction and Disposal Methods, particularly Physical Destruction. Describe the following: Electromagnet (Degaussing)

A large electromagnet can be used to destroy any magnetic media, such as a hard drive or backup tape set.
- will not work on SSDs
- the most common of these is the degaussing tool
Degaussing involves applying a strong magnetic field to initialize the media (referred to as disk wiping).
- you use a specifically designed electromagnet to eliminate all data on the drive, which also renders the hard drive unusable

You are analyzing Physical Security Concepts. Describe the following: Equipment Locks Know 3 examples of equipment locks: - Cable Locks - Server locks - USB locks + What is a Universal Security Slot (USS)? + Which type of lock is declining in use? + Which type of lock is extremely rare to find?

A physical security mechanism that can secure information on a device, as well as the device that holds the information.
Cable locks - used to secure laptops and any device with a Universal Security Slot (USS) (shown in left image)
- a cable lock is just that: a cable with a lock at one end; the lock can be a tumbler or a combination (shown in right image)
- the cable lock plugs into the USS, tethering the laptop to a physical post; this provides security to expensive equipment that could be stolen due to its portability or size
Server locks - most servers come with a latch-style lock that prevents someone from opening the server
- an example of a server lock is a padlock that latches through the top cover and body of the server
- however, servers with included server locks are declining in use, primarily because servers are better secured behind a locked rack-mounted enclosure, which comes with its own lock
USB locks - physically lock out USB ports on a workstation or server from use (preventing unwanted access through a USB port)
- this type of lock is extremely rare to find, because most equipment and OSs allow USB ports to be deactivated

You are analyzing Physical Security Concepts. Describe the following: Motion Sensors + What is the most common motion detection device used today? + What motion sensor devices are common in areas where wide coverage is needed? + What motion sensors are commonly implemented as seismic sensors (from natural disasters and accidental drilling) and are rarely used in physical security systems?

A physical security system that detects unauthorized access based on perceived motion.
The most common motion detection device used today is the passive infrared (PIR) motion sensor (shown in image).
- PIR sensors operate by measuring infrared radiation
Microwave detectors are common in areas where wide coverage is needed.
- they operate by sending out pulses of microwaves and measuring the microwaves received
Vibration sensors are often implemented as seismic sensors.
- they detect vibrations in an area
- they help protect from natural disasters and accidental drilling
- they are rarely used in physical security systems

You are analyzing Physical Security for Staff. Describe the following: Physical keys + Should physical keys be avoided in security systems today? + If keys are absolutely necessary, what systems should be considered?

A piece of metal designed to fit into a lock. Keys are extremely hard to control and do not allow auditing of their usage.
- a key can be lent to someone, copied, stolen, or used by an unauthorized person
- because of this, their use should largely be avoided
If keys are absolutely necessary, a two-person system should be considered.
- this system requires that two people must use their keys to open one lock
Another option is to use an electronic lock box for management of the keys.
- when a technician needs a particular key, they log into the key box and check out the key needed
- this system allows for auditing controls

You are analyzing Malware. Describe the following: Keylogger

A piece of software or hardware that records an unsuspecting victim's keystrokes.
- keyloggers can stay loaded in memory and wait until you log into a website or other authentication system
- they will then capture and relay the information to an awaiting host on the Internet
Keyloggers don't have to be in the form of software; some keyloggers are hardware dongles that sit between the keyboard and the computer.
- these must be retrieved and the data must be downloaded manually, so they are less common

You are analyzing Logical Security Concepts. Describe the following: Bring your own device (BYOD) BYOD Policy Mobile Device Management (MDM)

A policy utilized by organizations to alleviate the capital expense of equipment, or for convenience, by allowing employees to use devices they already own as work devices.
A BYOD policy is typically drafted, which defines a set of minimum requirements for the devices.
- e.g. type of OS, antivirus solutions, patches, etc.
Many organizations use mobile device management (MDM) software that helps them protect their data on devices that are personally owned by employees.
- e.g. MDM software can allow a secure remote wipe of the company's data on the device in the event it is stolen, and it can prevent direct download of company resources to the employee's device

You are investigating Common Security Threats. Describe the following: Threat + All attacks on an organization are either ___-based or ___-based

A potential danger to the network or the assets of the organization in the form of an attack that a threat agent can carry out.
All attacks on an organization are either technology-based or physical-based.
- a technology-based attack is one in which the network and OS are used against the organization
- a physical-based attack uses human interaction or physical access, such as social engineering or tailgating

You are analyzing Logical Security Concepts. Describe the following: Home Folder

A private network location in which the user can store their personal files. - the home folder is an attribute that can be set for a user account in the Active Directory Users and Computers MMC (shown in image - note the "local path" bar under "Home folder") The location can be a local path, if the user will use the same computer, and the files should be stored locally for the user.

You are investigating Social Engineering Attacks, Threats, and Vulnerabilities. Describe the following: Social Engineering + What is the best defense against any social engineering attack?

A process in which an attacker attempts to acquire information about your network and system by social means, such as talking to people in the organization. - this may occur over the phone, by email, or in person. The intent is to acquire access information, such as user IDs and passwords. The best defense against any social engineering attack is education. - make sure the employees of a company know how to react to requests made from unknown actors.

You are analyzing Malware. Describe the following: Cryptominers + What are common ways threat agents run cryptominers?

A purpose-built device or dedicated group of computers (called a cryptopool) that grinds out cryptographic computations.
- when the computation is balanced, a cryptocoin is created and equates to real money
- developed as a result of the rise of Bitcoin, Ethereum, etc.
Malware in the form of cryptominers uses other people's computers to grind out the computations.
- they can generate a lot of money for threat agents
The most common way a threat agent will run a cryptominer remotely is with JavaScript embedded on a malicious web page.
- another common way is to create a virus in which the payload (the cryptominer) uses your video card to grind out the computations

You are analyzing Logical Security Concepts. Describe the following: Login Scripts + How are login scripts useful?

A script that is executed when a user logs into a computer.
- login scripts are configurable attributes for a user account and are written using login scripting languages
They are useful on Active Directory networks for connecting network-mapped drives and printers, among other administrative tasks.
- when a user logs on, they do not have to configure their network to access shared resources; the login script can already map the shared resource to their computer
Login scripts also provide uniformity across an enterprise by running the same commands for each user configured with the script.
In image: the Active Directory Users and Computers MMC; note the "logon script" bar

PBQ: Calculate the complexity of a simple 8‐character alphanumeric password versus a 25‐character alphanumeric password with symbols.

A simple 8‐character alphanumeric password contains 0-9 for a total of 10 characters, plus 26 uppercase and 26 lowercase characters. This gives you a total of 52 letters and 10 numbers, for a total of 62 combinations per character: 62 to the power of 8, or 62 × 62 × 62 × 62 × 62 × 62 × 62 × 62 = 218,340,105,584,896 combinations. A 25‐character alphanumeric password with symbols contains 95 combinations per character; 95 to the power of 25 is 2.77 × 10^49 combinations. If you are using a calculator, you might see 2.7738957e+49 as a result. Although the exact math is not significant, a deep understanding of combinations and complexity is the underlying lesson.

You are analyzing Physical Security Concepts. Describe the following: Access Control Vestibule + also known as + What does it help prevent?

A small room that has two controlled doors (shown in image). When a person enters the first door, they are trapped in the room until they have been authorized to enter through the second controlled door.
- also known as a mantrap, it helps prevent unauthorized users from tailgating
- in the example shown in the image, the doors are controlled by radio frequency identification (RFID) readers

You are analyzing Physical Security for Staff. Describe the following: Smartcards and RFID Badges + Why are smartcards considered a multifactor authentication method? + What does it mean when you say RFID badges are passively powered?

A smartcard is the size of a credit card with an integrated circuit embedded into the card.
- also called an integrated circuit chip (ICC)
- the chip is exposed on the face of the card with surface contacts (shown in image)
Smartcards are used for physical authentication to electronic systems and access control systems and require a PIN or password.
- therefore, smartcards are considered a multifactor authentication method because they combine something you have (the card) and something you know (the PIN or password)
An RFID badge is a wireless, no-contact technology used with RFID transponders.
- radio frequency identification (RFID) uses electromagnetic fields to identify electronic tags attached to objects
RFID badges typically work in the 125 kHz radio frequency band and are passively powered by the RFID transponder.
- when an RFID badge is placed in close proximity to the RFID transponder, the radio frequency energy emitted by the transponder powers a chip in the RFID badge
- the RFID chip then varies the frequency back to the transponder in an effort to transmit its electronic signature (number)

You are analyzing Malware. Describe the following: Virus

A specific type of malware, the purpose of which is to multiply, infect, and do harm. - a virus distinguishes itself from other malware because it is self-replicating code that often injects its payload into documents and executables. - this is done in an attempt to infect more users and systems.

You are investigating Exploits and Vulnerabilities. Describe the following: Unprotected Systems

A system that does not have antivirus/antimalware protection or firewall protection, which poses a significant security risk. Ensure that your computer systems have antivirus/antimalware software installed, as well as a firewall. - also make sure they are configured properly. A misconfigured firewall is extremely vulnerable to threats.

You are investigating Common Security Threats. Describe the following: Cross-Site Scripting (XSS)

A tactic a threat agent uses to deliver a malicious script to the victim by embedding it into a legitimate web page.
- common delivery methods for XSS are message boards, forums, or any page that allows comments to be posted
The threat agent will submit a post to these types of pages with their malicious script (such as JavaScript).
- when the victim browses the page, the threat agent's script will execute
Direct access to the OS is usually not permitted using this attack (because scripting languages are tightly controlled by the browser); however, the script will have access to the web page you are browsing or the cookies the actual page stores.
- this attack is common in hijacking web pages and trying to force the user into installing a piece of malware

You are analyzing Malware. Describe the following: Ransomware +How can you protect yourself from ransomware?

A type of malware that is designed to control/encrypt files on a device, rendering the files and the systems that rely on them unusable until a ransom is paid.
- it is becoming popular due to advances in anonymous currency, such as Bitcoin
- control can be established by encrypting the hard drive, changing the user's password information, etc.
You can protect yourself from ransomware by having antivirus/antimalware software with up-to-date definitions and by keeping current on patches.

You are investigating Common Security Threats. Describe the following: On-Path Attack (previously known as Man-in-the-Middle (MitM) attack)

An attack in which the attacker places themselves between two devices (often a web browser and a web server) and intercepts or modifies communications between the two without either party knowing.

You are analyzing Physical Security Concepts. Describe the following: Alarm System + What are the common reasons individuals/organizations implement alarm systems? + Each sensor in an alarm system will be installed in a different logical zone. Why? + What is a monitoring company's role in an alarm system?

A type of physical security system that provides a method to alert security personnel in the event of unauthorized access or a break-in. It is most common to find alarm systems installed for break-in detection and response.
An alarm system can be configured to use motion sensors, video surveillance, magnetic contacts, etc.
Each sensor in an alarm system will be installed in a different logical zone (e.g. the outside perimeter is zone 1, the server room is zone 2, etc.).
- this is to communicate to the proper authorities the location of the sensor being tripped
A monitoring company's role in an alarm system is to act as a buffer between the zone being tripped and a law enforcement agent.
- the monitoring company will monitor the health of the alarms; then, when an alarm is tripped, the zone information is sent to the monitoring company, who forwards it to the proper personnel

You are analyzing Malware, particularly different types of Viruses. A virus (in most cases) tries to accomplish one or both of two things: Most viruses are spread using ___

A virus (in most cases) tries to accomplish one or both of two things: 1. Render your system inoperable 2. Spread to other systems - viruses may try to attach themselves to every file in your system and spread each time you send a file or document to other users. - viruses can also spread through hardware such as USB flash drives, CDs and DVDs. Most viruses are spread using email (shown in image) - the infected system attaches a file to any email that you send to another user. The recipient opens the file and the virus now infects their system as well.

You are analyzing Malware, particularly different types of Viruses. Describe the following: Armored Virus

A virus designed to make itself difficult to detect or analyze. They cover themselves with protective code that stops debuggers or disassemblers from examining critical elements of the virus. - the virus may even be written in such a way that some aspects of the programming act as a decoy to distract analysis programs while the actual code hides in other areas of the program.

You are analyzing Malware, particularly different types of Viruses. Describe the following: Phage Virus + What is the only way to remove this type of virus?

A virus that alters programs and databases. The only way to remove this type of virus is to reinstall the programs that are infected. - if you miss even a single instance of this virus on the victim system, the process will start again and infect the system once more.

You are analyzing Malware, particularly different types of Viruses. Describe the following: Companion Virus

A virus that attaches itself to legitimate programs and then creates a program with a different filename extension. When a user types the name of the legitimate program and chooses to open what they believe to be their program, the companion virus executes instead of the real program - this effectively hides the virus from the user. - the infected program may perform its dirty deed and then start the real program, all unbeknownst to the unsuspecting user.

You are analyzing Malware, particularly different types of Viruses. Describe the following: Multipartite Virus

A virus that attacks your system in multiple ways - it may attempt to infect your boot sector, infect all your executable files, and destroy your application files. The goal of a multipartite virus is to create many problems for the system in the hopes that the user/administrator won't be able to cover all bases, thus allowing the infestation to continue.

You are analyzing Malware, particularly different types of Viruses. Describe the following: Stealth Virus

A virus that attempts to avoid detection by masking itself from applications. When a system utility or program runs, the stealth virus redirects commands around itself to avoid detection. You may be able to detect stealth viruses by observing that a file size has changed (such as during a virus scan), indicating that the file may be infected - however, stealth viruses are known to move themselves from file A to file B during a virus scan to avoid detection.

You are analyzing Malware, particularly different types of Viruses. Describe the following: Retrovirus

A virus that bypasses the antivirus software installed on a computer. - a retrovirus is considered an anti-antivirus. They can directly attack your antivirus software and potentially destroy the virus definition database file, often without the user's knowledge (and leaving them with a false sense of security)

You are analyzing Malware, particularly different types of Viruses. Describe the following: Polymorphic Virus + What does it mean when a virus mutates? + What is a virus's signature?

A virus that changes form to avoid detection. These types of viruses attack your system, display a message on your computer, and delete files on your system. - it will also attempt to hide from your antivirus software. Frequently, the virus will encrypt parts of itself to avoid detection. - when the virus does this, it's referred to as mutation. The mutation process makes it hard for antivirus software to detect common characteristics of the virus. A virus's signature is an algorithm or other element of a virus that uniquely identifies it - polymorphic viruses may have the ability to alter their signature, thus preventing antivirus software from properly identifying what the virus is and what it does.

You are analyzing Malware, particularly different types of Viruses. Describe the following: Macro Virus

A virus that exploits the enhancements made to many application programs. Programmers are known to expand the capability of applications such as Microsoft Word and Excel with small embedded programs called macros - e.g. a macro can tell your word processor to spell-check your document automatically when it opens. Macro viruses use these macro files to infect all the documents on your system and spread to other systems via email and other methods - they are among the fastest-growing forms of exploitation today.

You are analyzing Malware, particularly different types of Viruses. Describe the following: Boot Sector Virus + What security feature helps prevent this type of virus?

A virus that infects the Master Boot Record (MBR) of a hard disk or floppy disk. This type of virus loads when the computer boots and can re-infect the OS. Secure Boot helps prevent this type of virus by verifying the entire boot process with digital signatures and identifying any part of the boot process that has been modified.

You are investigating Social Engineering Attacks, Threats, and Vulnerabilities. Describe the following: Evil Twin + What is the best way to mitigate evil twin attacks?

A wireless phishing attack in which the attacker sets up a wireless access point (WAP) to mimic the organization's WAPs. When a user connects to the evil twin, it allows the attacker to listen in on the user's traffic. - evil twin access points often report a stronger signal to entice users to connect to the specific AP (shown in image) - the attacker will then create a connection back to the wireless network and passively sniff network traffic as it routes the traffic to the original destination (allowing the threat agent to stay undetected). The best way to mitigate evil twin attacks is to perform wireless site surveys on a regular basis to ensure that only valid APs are being used.

You are analyzing Logical Security Concepts. Describe the following: Security Groups + Why would you use security groups?

Active Directory groups that are used to delegate user rights and assign permissions on shared resources. - users from different parts of an organization are assigned to different security groups, and those users have different privileges and access depending on their group You use security groups because it is easier to apply permissions to a group of users rather than individual users. - as the resource needs to be shared to more people, instead of manually revisiting the resource and applying the new permission, all you need to do is add new users to the group and they will have access

You are investigating Exploits and Vulnerabilities. Describe the following: Operating Systems Life Cycle

All OSs have a life cycle of release, support, and eventually end of life (EOL). When most OSs reach their EOL, the vendor stops supplying security patches. - this creates a giant vulnerability for the organization, since the OS is no longer protected from the latest vulnerabilities. It is recommended that you keep your OS current - this includes continual upgrades to the OS as new versions are released, and ensuring you do not still have an OS version that is approaching its EOL.

You are engaging in Account Management. Describe the following: Requiring Screen Saver Passwords + In Windows, what can be used to force your users to turn on password-protected screen savers?

All the lengthy, complex passwords you require for your users won't mean anything if any person wandering by can access everything the user has privileges to when that user goes to the bathroom. As an admin, ensure that screen savers automatically start after a short period of time, along with a screen saver password that must be entered before the user can resume the session. A Group Policy can be put in place to turn on password-protected screen savers.

You are investigating Common Security Threats. There are several different types of DoS attacks. Describe the following: Amplified DoS + What are the most common third-party servers used to carry out this attack?

Amplified DoS - a variant of a reflective DoS attack - it is carried out by making a small request to the third-party server that yields a larger response to the victim. The most common third-party servers used to carry out this attack are DNS and NTP. For example, an attacker will request a DNS query for a single hostname that contains 20 aliases while forging the source IP address (the victim's IP address will be the source address, therefore the third-party server will return the results to that address) - the victim is then barraged with the 20 answers from the query (shown in image). Scale this up with numerous servers and you have a DoS attack.

You are analyzing Physical Security Concepts. Describe the following: Bollard + What are the two functions of bollards? + Where are they commonly found?

An architectural structure that acts as a visual indicator for a perimeter. They are very sturdy, since their second function is to act as a barrier for the perimeter and protect the area. They are commonly found around areas where a vehicle can cause damage. In the left image: a series of bollards protecting a building from a busy street. In the right image: a single bollard protecting a fiber-optic vault from accidental damage by a vehicle.

You are investigating Common Security Threats. Describe the following: SQL Injection + What is the best way to prevent this?

An attack that occurs when a threat agent enters a series of escape codes along with a well-crafted SQL statement into a URL. - the seemingly harmless page on the backend that is awaiting the request runs the SQL query along with its normal query. For example, a normal post URL might look like this: http://www.wiley.com/phone.php?name=jones The threat agent will add their SQL injection after the normal post query string, such as: http://www.wiley.com/phone.php?name=jones; DROP TABLE Users - this would generate a SQL query on the backend and send the malicious query to the SQL database (the query that is to be executed is shown in image - it will delete the Users table and cause disruption). The best way to prevent this is by building input validation into the rendered page on the backend - also known as sanitization.

You are investigating Common Security Threats. Describe the following: Zero-Day Attacks (or Exploit) + What can you do as a security administrator encountering a zero-day attack?

An attack where a hole (vulnerability) is found in a web browser or other software, and attackers begin exploiting it the very day it is discovered by the developer (bypassing the one-to-two-day response time that many software providers need to put out a patch once the hole has been found). It is very difficult to respond to a zero-day exploit. Often, the only thing you as a security administrator can do when encountering a zero-day attack is to turn off the service until a patch is released. - you can do this by isolating or disconnecting the system(s) from the network in the meantime - although this may be costly, it is the only way to keep the network safe.

You are investigating Common Security Threats. Describe the following: Spoofing attack + IP spoofing + ARP spoofing + DNS spoofing

An attempt by someone or something to masquerade as someone else. - this attack is usually considered an access attack - think of spoofing as fooling. Attackers try to fool the user, system, and/or host into believing something is what it is not. E.g. a programmer can write a fake login program that prompts the user for a user ID and password. - no matter what the user types, the program indicates an invalid login attempt and then transfers control to the real login program (after already capturing the user's credentials). The most popular spoofing attacks today are:
IP spoofing - the creation of Internet Protocol (IP) packets which have a modified source address in order to hide the identity of the sender and masquerade as someone else - the goal is to make the data look as though it came from a trusted host when it didn't - thus, spoofing the IP address of the sending host (shown in image) - the threat agent will forge their packet with the victim's source address.
ARP spoofing - also known as ARP poisoning - the creation of a forged media access control (MAC) address within sent data - it is possible to make it look as though the data came from a networked device (forging the MAC address), when in reality it did not come from that device. - this can be used to gain access to the network, to fool the router into sending to the device data that was intended for another host, or to launch a DoS attack - in all cases, the address being faked is an address of a legitimate user, making it possible to get around measures such as allow/deny lists.
DNS spoofing - also known as DNS poisoning - an attack that uses altered Domain Name records to redirect traffic to a fraudulent site - the DNS server is given information about a name server that it thinks is legitimate when it isn't - this can send users to a website other than the one to which they wanted to go, reroute mail, or do any other type of redirection for which data from a DNS server is used to determine a destination.

You are investigating Exploits and Vulnerabilities. Describe the following: BYOD + Two inherent risks with BYOD devices and what you can do to alleviate these risks.

An organization has less control over BYOD devices than over devices it issues and owns. BYOD devices come with two inherent risks: Data leakage - occurs when a device is lost or compromised in some way - organizations can use mobile device management (MDM) software that creates a partition for company data, which allows the company to encrypt their data without affecting user data Data portability - means that the user can cart away organizational data when they leave the organization - a line-of-business (LOB) application can be selected that displays only the data on a mobile device and does not allow data storage. - another tactic is to employ MDM software that allows remote wiping of the organization's data. When an employee leaves the organization or if the device is lost, the wipe is executed.

You are engaged with Mitigating Software Threats. What is the difference between antivirus products and antimalware products?

Antimalware software products are more extensive than antivirus products, as they check for a wider range of threats. Antivirus products will check the OS files for viruses, and may even check more than just the files. Antimalware products will not only check the filesystem for threats (like rootkits and trojans), but will also watch incoming email for phishing scams and malicious websites (shown in image) - when these threats are detected, the user gets a notification and the threat is usually mitigated or avoided completely.

You are engaging in Account Management. Describe the following: AutoPlay

AutoPlay is a Windows feature that examines newly discovered removable media and devices and, based on content such as pictures, music or video files, launches an appropriate application to play or display the content. - AutoPlay distinguishes itself from AutoRun in that it does not automatically start an executable unless the user specifically clicks an option indicating that they want to do so.

You are engaged with Mitigating Software Threats. Antivirus software is made up of two main components. Describe them.

Antivirus Engine - responsible for the real-time scanning of the OS files and the notifications to the user. Various antivirus engines will scan OS files differently. - e.g. an antivirus engine that accounts for gaming will recognize when a game is being played and temporarily stop scanning so the game loads faster - e.g. notifications can also automatically submit files to the cloud for more extensive scanning. Definitions Database - this is the primary component that determines why you would select one antivirus product over another. A definitions database's effectiveness is based on two attributes: - the frequency of updates - the comprehensiveness of the database signatures. Antivirus definitions (a.k.a. antivirus signatures) are discovered daily and are added to the antivirus database. - some antivirus products will download them to the database every hour, and some will download them once a day.

You are investigating Common Security Threats. Describe the following: Password Attacks There are several types of password attacks. Describe the following: Brute-Force Attacks + how can you help prevent this attack? Dictionary Attacks Rainbow Tables Hybrid Attacks

Any of the various attacks that are used to maliciously authenticate into password-protected accounts. - usually accomplished by applications known as password crackers, which send possible passwords to the account in a systematic manner. - these attacks seek to gain passwords for access or modification of a computer system There are several types: Brute-Force Attacks - an attempt to guess passwords until a successful guess occurs - this type of attack usually occurs over a long period of time - to help prevent this type of attack, try to make passwords longer (at least 12 characters) and complex. Also implement password lockout policies. Dictionary Attacks - uses a dictionary of common words to attempt to find the user's password Rainbow Tables - databases that have had every permutation run through a hashing algorithm, so the hash can be looked up and cross-referenced back to the password that created it. - passwords are stored in the OS in their hashed format (a one-way cryptographic algorithm) - if you have access to the password hash, a rainbow table can be used to find the password Hybrid Attacks - an attack that uses a combination of different methods to gain passwords - typically uses a combination of dictionary entries with brute force

You are analyzing Malware. Describe what it is. What is the difference between malware and virus? What is the type of malware that poses the biggest threat today?

Any software with malicious intent. A virus is a specific type of malware, the purpose of which is to multiply, infect, and do harm. - a virus distinguishes itself from other malware because it is self-replicating code that often injects its payload into documents and executables. - this is done in an attempt to infect more users and systems. The type of malware that poses the biggest threat today is ransomware, because it is highly profitable for criminals.

You are engaging in Security Best Practices. Describe the following: Password Expiration + What is the default password expiration in Windows Group Policy?

As an admin, ensure that passwords are set to expire on a monthly, bi-monthly, quarterly, semi-annual, or annual basis. - the more sensitive the account is, the more frequently the password should be changed For Windows Group Policy, there is a default password expiration of 42 days (shown in image)

You are engaging in Account Management. Describe the following: Limiting the Number of Failed Login Attempts

As an admin, you should configure user account settings to limit the number of login attempts before the account is locked for a period of time - this helps prevent brute-force password attacks. The number of attempts and the lockout duration should be influenced by your security requirements and help desk volume - if you want maximum security, allow only 3 failed attempts. However, if you don't want your company's help desk to be congested with legitimate users locked out of their accounts, consider setting it to 5, at the cost of some security. In image: Group Policy settings configured for a lockout of 30 minutes after 3 failed attempts

You are engaging in Account Management. Describe the following: Setting Time Restrictions/Account Expiration

As an admin, you should configure user accounts so that logins can occur only during times when the user can be expected to be working. - preventing logins at 2am can be an effective method of keeping hackers out of your systems. In addition, you can add a date at which the account will expire - this is best used on contractor accounts. By adding an account expiration, you can be assured that the account will be disabled at the end of the contract.

You are engaging in End-User Best Practices. Describe the following: Securing Equipment and Information

As an admin, you should train your users to identify which information is personally identifiable information (PII) and to learn methods to protect such information - e.g. controlling printouts, using discretion when viewing PII with others around. Along with training users, you should focus on securing equipment and devices that contain sensitive data, especially portable devices. - physical locks can be used to secure devices, as well as using MDM or MAM software.

You are engaging in Security Best Practices. Describe the following: Requiring Passwords + Along with keeping passwords for security within the OS, where else should you make sure is password-protected? + What should you change immediately on all system accounts?

As an administrator, make absolutely certain that you require passwords for all accounts. Along with keeping passwords for security within the OS, you should make sure the BIOS and UEFI firmware are password-protected. For system accounts, you should change the default password immediately - a common hacker can easily pull up the default passwords for various system accounts depending on the vendor and OS.

AAA is a three-process framework used to manage user access. What are the three As?

Authentication - verifying an individual's identity Authorization - granting resources to the individual based on their identity Accounting - monitoring and logging the actions performed by the individual while authorized

Your help desk has informed you that they received an urgent call from the vice president last night requesting his login ID and password. When you talk with the VP today, he says he never made that call. What type of attack is this? A. Spoofing B. Replay C. Social engineering D. Trojan horse

C Spear phishing is a type of social engineering, where someone is trying to con your organization into revealing account and password information by pretending to be a high‐level person. A spoofing attack is an attempt by someone or something to masquerade as someone else, with the intent of disrupting access. A replay attack is a form of on‐path attack, where packets are replayed at a critical time. Trojan horses are programs that enter a system or network under the guise of another program.

You are investigating Exploits and Vulnerabilities. Describe the following: Noncompliant Systems + What is a Windows product that can keep your OSs compliant?

Compliance is the state of being in accordance with established guidelines or specifications. When you fail to keep your computer systems compliant, you make your systems vulnerable and expose them to threats. - as an admin, you should always follow security regulation standards as well as compliance standards One product that can keep your OSs compliant is Microsoft Endpoint Configuration Manager (MECM) - it allows for the publishing of a baseline for the Windows OS - it will then monitor the baseline against the OSs in your organization and will remediate them if they fall out of compliance. Third-party compliance solutions also provide benefits for ensuring your systems are compliant with established standards.

You are engaging in Destruction and Disposal Methods, particularly Physical Destruction. Describe the following: Drill/Hammer

If you don't have the budget for a hard drive shredder, you can accomplish similar results (albeit in a more time-consuming way) with a power drill. - the goal is to physically destroy the platters in the drive. - start by removing the cover of the drive and then toss everything away until you have nothing but the platters - use the power drill or a drill press on the platters to create the smallest set of particles possible. Alternatively, there are companies that specialize in destroying hard drives. They will pick up your hard drive and provide a certificate of destruction upon completion.

You are analyzing Logical Security Concepts. Two-factor authentication (2FA)/multifactor authentication are generally used in conjunction with a traditional user and password combination. Describe the following factor that can be used in 2FA/multifactor authentication: Hardware and Software Tokens + How do they work?

Physical hardware tokens are anything that a user must have on them to access network resources. - they are often associated with devices that enable the user to generate a one-time password (OTP) to authenticate their identity. - hardware tokens operate by rotating a code every 60 seconds, which is combined with a user's PIN or password for authentication. A software token is becoming the new standard. - it operates the same as a hardware token, but it is an application on your cell phone that provides the code Image shows an example of a physical hardware token

You are analyzing Physical Security Concepts. Describe the following: Fences + fences are usually installed in conjunction with what other system?

Physical security barriers to keep unauthorized persons out of a secure area. Exterior fences can be arranged so that they create a choke point where a guard (or electronic lock or RFID reader) can inspect credentials to allow authorized personnel into the area. Fences are usually installed in conjunction with a video camera system for heightened security. Fences are considered the outermost security layer for a multiple-barrier system. - however, innermost areas can also be segmented with a fence and additional access controls (such as standard keyed locks or electronic access control)

You are investigating Common Security Threats. There are several different types of DoS attacks. Describe the following: Reflective DoS + There are two victims of this attack

Reflective DoS - not a direct attack; it requires a third party that will inadvertently execute the DoS. - the attacker will send a request to a third-party server and forge the source address of the packet with the victim's IP address. - when the third party responds, it responds back to the victim. - scale this to many different servers, and you have a DoS attack (shown in image). There are two victims in this type of DoS attack: - the victim the attack is aimed at - the third-party server used to carry out the attack. Image shows an ICMP-based smurf attack, a type of reflective attack

You are analyzing Physical Security Concepts. Describe the following: Security Guards

Security-focused personnel that are responsible for limiting access from the outer perimeter of your installation. - typically use photo ID badges to allow access to the installation

You are analyzing Logical Security Concepts. Two-factor authentication (2FA)/multifactor authentication are generally used in conjunction with a traditional user and password combination. Describe the following factor that can be used in 2FA/multifactor authentication: Voice Call

Some applications that are protected by 2FA will allow voice calls to be initiated to the end user. - usually done if the person does not have a phone that accepts text messages (such as a landline) - the voice call will recite a 5- to 8-digit code that the user will use to satisfy the 2FA requirement.

You are engaging in Security Best Practices. Describe the following: Data Encryption Three types of data for data encryption: + Data in use + Data in transit + Data at rest

The process of converting data from a readable format into an encoded format. Many methods can be used to prevent unauthorized access to sensitive data, while data encryption ensures that even if a malicious actor gains access to sensitive data, they won't be able to view/download it. There are three types of data that should be considered for encryption: Data in use - data that is in an inconsistent state and/or currently resident in memory. - most of the time, you don't need to be too concerned with data in memory - however, when data is written to a temporary location, it is considered data in use and therefore should be encrypted. Data in transit - information traversing the network; it should always be encrypted so that it is not intercepted. Data at rest - data that is stored in a single place, such as a drive or server. This makes data vulnerable because it's in one spot. - if a drive needs to be replaced because it went bad, data encryption is a good idea to implement on the drive to ensure the data on it is inaccessible (outside of complete physical destruction)

You are engaging in Destruction and Disposal Methods, particularly Physical Destruction. Describe the following: Incineration

The use of fire to burn up and subsequently destroy hard drives/other devices that may contain sensitive data. - you can use an accelerant such as gasoline or lighter fluid to aid the process - be sure that you are not burning anything capable of releasing toxic fumes and that you have the fire controlled and contained at all times.

You are analyzing Logical Security Concepts. Two-factor authentication (2FA)/multifactor authentication are generally used in conjunction with a traditional user and password combination. Describe the following factor that can be used in 2FA/multifactor authentication: Email + Why is this considered the least secure method of 2FA?

Validating 2FA through an email sent to the user's email address. - the email will either have a code or a link to click on in order to satisfy the 2FA requirement. This is considered the least secure method of 2FA mainly due to the fact that people reuse passwords. - if your banking website username and password are compromised and you reuse the same credentials for email, there is no protection.

You are engaging in Destruction and Disposal Methods, particularly Physical Destruction. Describe the following: Certificate of Destruction/Certificate of Recycling

This certificate may be required for auditing purposes - such a certificate, which is usually issued by the organization carrying out the destruction of the hard drive/other hardware containing sensitive data, is intended to verify that the asset was properly destroyed - it usually includes serial numbers, type of destruction done, etc.

You are investigating Common Security Threats. Describe the following: Insider Threat

Threats that originate from within your organization. e.g. a disgruntled employee carries out an attack on their organization by selling company information. Insider threats do not always need to be criminal in intent - it can also be as simple as an employee plugging an unauthorized wireless access point into the corporate network

You are analyzing Logical Security Concepts. Describe the following: Access Control Lists (ACLs) + An ACL method consists of condition actions called what? + Understand how ACLs are used to protect resources

Used to control traffic and applications on a network. - every network vendor supports a type of ACL method An ACL method consists of multiple access control entries (ACEs) that are condition actions - each entry is used to specify the traffic to be controlled The control logic of an ACL system is defined with 4 simple questions: 1. How are the conditions of an ACL evaluated? 2. What is the default action if a condition is not met? 3. How is the ACL applied to traffic? 4. How are conditions edited for an ACL? In image: there are two different types of workers, HR workers and generic workers. Say you want to protect the HR web server from access by generic workers - you can protect the HR server by applying an ACL to traffic for the Eth 0/0 (the network line connecting the servers to the switch) and describing the source traffic and destination to be denied - in this case, the source traffic will come from the generic workers, and if the destination is the HR web server, then the conditions are met and therefore access will be denied by the ACL

You are analyzing Logical Security Concepts. Two-factor authentication (2FA)/multifactor authentication are generally used in conjunction with a traditional user and password combination. Describe the following factor that can be used in 2FA/multifactor authentication: Short Message Service (SMS)

Verifying 2FA through the use of a short message service (SMS) text message sent to the user's phone number.
- a simple text message is sent to the user's phone number containing a random 5- to 8-digit code, which the user enters to satisfy the 2FA requirement.

You are investigating Social Engineering Attacks, Threats, and Vulnerabilities. There are many different forms of phishing. Describe the following: Vishing Spear phishing Whaling

Vishing - an elevated form of social engineering that combines phishing with Voice over IP (VoIP).
- VoIP makes it possible for someone to call you from almost anywhere in the world, without the worry of tracing, caller ID, and other features of landlines, and pretend to be someone they are not in order to get data from you.

Spear phishing - a phishing strategy in which the attacker uses information that the target would be less likely to question because it appears to be coming from a trusted source.
- e.g. a message that appears to be from your spouse linking to a supposed vacation video
- so named because the appearance of a legitimate message cuts through your standard defenses like a spear.

Whaling - spear phishing for so-called "big" users.
- e.g. instead of sending out a "To Whom It May Concern" message to thousands of users, the whaler identifies one person from whom they can gain all the data that they want (usually a manager or business owner) and targets the phishing campaign at that specific person.

You are investigating Exploits and Vulnerabilities. Describe the following: What are vulnerabilities vs. exploits?

Vulnerabilities are weaknesses in security for an OS or network product.
- they are the reason we need to constantly patch network systems.

Exploits are scripts, code, applications, or techniques used by a threat agent to exploit vulnerabilities.

You are engaging in Account Management, particularly restricting user permissions. When assigning user permissions, you should follow which principle? As an admin, how should you assign permissions?

When assigning user permissions, you should follow the principle of least privilege: give users only the bare minimum that they need to do their job.

As an admin, you should assign permissions to groups rather than to users, then make users members of those groups (or remove them) as they change roles or positions.
- this is crucial because when you apply an NTFS permission to an individual user, you need to visit the resource to identify the permissions granted. When you use a group and apply the NTFS permission to that specific group, you can see who has access to the resource without having to visit the resource.
- this not only saves time, but also prevents malware from gaining access to the resource as a result of you reconfiguring that resource every time a user needs access.

An example is shown in the image: a user is a member of both the Sales and R&D groups; therefore they have access to both the Sales and R&D folders.

You are engaging in Destruction and Disposal Methods, particularly Recycling or Repurposing Best Practices. Describe the following: Hard Drive Sanitation and Sanitation Methods

When disposing of hard drives, SSDs pose a greater problem since the media is flash memory and not mechanical (unlike HDDs).
- low-level formats can be performed, but the 1s and 0s will technically still be on the flash memory. Therefore, many vendors provide a sanitization utility for scrubbing information from SSDs completely. It's best to check with the vendor, as these tools are specific to the vendor and model of the SSD.

You are analyzing Logical Security Concepts. Describe the following: Multifactor Authentication (MFA)

When more than one item (factor) is used to authenticate a user. E.g. when using an ATM, a user must provide a card (something you have) and a PIN (something you know).

You are engaging in End-User Best Practices. Describe the following: Logging Off

When users are not utilizing a system, they should be encouraged to log off the system.
- when users remain logged in, the programs they were running stay running as well. If there is malware on the system, it will stay running too, potentially allowing threat agents to carry out attacks.
- when a user logs off the OS, any malware running will terminate. Malware is considered persistent if it launches again on the next login.

As an administrator, you can automatically force users to log off after the system has been idle for a set period of time.

You are engaged with Mitigating Software Threats. What is the name of the built-in Windows Firewall? By default, which type of traffic is allowed and which type of traffic is blocked, unless a rule exists? In the Windows Firewall, there are 3 different profiles. Why?

Windows Defender Firewall and Windows Defender Firewall with Advanced Security - the latter offers more granular control in configuring your firewall.

By default, outbound network traffic is allowed and inbound network traffic is blocked, unless a rule exists.

In the Windows Firewall, there are 3 different profiles:
- Domain
- Private
- Public

These profiles allow the OS to be location-aware and protect itself based on your location.
- when the network service starts up, it contacts the default gateway (router) and configures itself to a profile.
- the network service will remember your home router's IP address (default gateway), so when it detects your default gateway, the firewall will know you are in a private area and will configure itself accordingly (according to the private profile rules set).
- however, if you are in a public place, the firewall will detect the absence of your home default gateway and configure itself to the rules of the public profile.
- the domain profile is automatically selected if the network is the corporate network and the OS is joined to the domain.

You are engaging in Destruction and Disposal Methods, particularly Recycling or Repurposing Best Practices. Describe the following: Drive Wipe

Wiping a hard drive using specialized utilities can verify beyond a reasonable doubt that a piece of hardware (most likely a drive) that's no longer being used doesn't contain any sensitive data, and therefore can be recycled. If you can't be assured that the hardware in question doesn't contain important data, then the hardware should be destroyed.
