TestOut (PC Pro, Security Chapter)


What does POP3 stand for?

Post Office Protocol

Hardware locks

Prevent theft of computers or components.

Minimum password age

Prevents users from changing the password too quickly.

Password complexity

Prevents using passwords that are easy to guess or easy to crack. It forces passwords to include letters, symbols, a combination of lower case and caps, and numbers.

Data transmission encryption

Protects data sent through a network. Data that is sent through a network can potentially be intercepted and read by an attacker. Use some form of encryption to protect data sent through a network. You should be aware of the following solutions to protect data communications.
• A virtual private network (VPN) uses an encryption protocol to establish a secure communication channel between two hosts, or between one site and another site. Data that passes through the unsecured network is encrypted and protected.
• IPsec, PPTP, and L2TP are common protocols used for establishing a VPN.
• Secure Sockets Layer (SSL) is a protocol that can be added to other protocols to provide security and encryption. For example, HTTPS uses SSL to secure Web transactions.
• Use WPA, WPA2, or WEP to secure wireless communications, which are highly susceptible to eavesdropping (data interception). WEP, WPA Personal, and WPA2 Personal use a common shared key configured on the wireless access point and on all wireless clients.
• When implementing network services, do not use protocols such as FTP or Telnet that pass logon credentials and data in clear text. Instead, use a secure alternative such as FTP-S or SSH.

Rainbow Table

Rainbow table is a reference table for hashed passwords. When a password is hashed, a reference key is added to a database. The rainbow table can be used for reversing the hashed cryptography into the original password.

Ransomware

Ransomware is a form of malware that denies access to an infected computer system until the user pays a ransom.

(Windows Defender) Facts What is Real-Time Protection?

Real-time protection alerts you when spyware or potentially unwanted software attempts to install itself or run on your computer. It also alerts you when programs attempt to change important Windows settings. Real-time protection uses security agents to monitor specific system components and software.

Malware Infection Remediation

Remediation is the process of correcting any problems that are found. Most antivirus software remediates problems automatically or semi-automatically (i.e. you are prompted to identify the action to take).

What does RDP stand for?

Remote Desktop Protocol

Computer tracking service

Removable media is any type of storage device that can store data and be easily removed and transported to other locations. Removable media includes floppy disc, tape, USB/flash storage, CD/DVD, and external hard drive. Removable storage:
• Increases the threat of removal and theft of sensitive data. Users can copy sensitive data to portable devices, or media containing data may be lost or easily stolen.
• Increases the chances of introduction of malware.

What does SMTP stand for?

Simple Mail Transfer Protocol

Block Untrusted Software Sources

Software from untrusted sources could potentially contain malware. In fact, many modern network exploits attempt to trick users within an organization into downloading and installing malicious software. By doing this, an attacker can easily circumvent network security devices and launch an attack from behind the firewall.

Hoax Virus

Some malicious software warnings, such as those seen in pop-ups or received through email, are hoax viruses. A hoax virus instructs you to take an action to protect your system, when in fact that action will cause harm. Two common hoaxes are:
• Instructing you to delete a file that is reported as a virus. The file is actually an important system file that will lead to instability or the inability to boot your computer.
• Instructing you to download and run a program to see if your system is compromised or to add protection to your system. The file you download is the malicious software.

Drive locking

Some motherboards allow you to set a password on the system hard disk. This practice is sometimes referred to as drive locking.
• When set, the password must be given at system startup or the disk cannot be used.
• There are two different passwords: user and master.
• Set the password(s) by using the motherboard's BIOS/UEFI configuration program.
• Passwords are saved on the hard disk itself.
• If you forget the user password, use the master password to access the drive. If you do not know either password, you cannot access any data on the drive.
• Most drive locking systems allow a limited number of incorrect password attempts. After that, you must restart the system to try entering additional passwords.
• Some systems ship with a default master password already set. However, these passwords (if they exist) are not publicly available and cannot be obtained from disk manufacturers.

Physical security for Mobile Devices

Some organizations implement security policies that forbid users from connecting their personal mobile devices to the organizational network (wired or wireless). Some organizations allow mobile devices; in fact, they may even provision users with mobile devices. However, there is a risk in this situation that company data may be copied to these devices that could be compromised if a device is lost. As a safeguard, many of these organizations require that remote wipe be enabled on the device such that if it is lost or stolen, a command can be sent remotely to the device to remove all data on it.

Type 3 Authentication Factor: Something you are

Something-you-are authentication uses a biometric system. A biometric system attempts to identify a person based on metrics or a mathematical representation of the subject's biological attribute. This is generally considered to be the most secure form of authentication. Common attributes used for biometric systems are:
• Fingerprints (end point and bifurcation pattern)
• Hand topology (side view) or geometry (top down view)
• Palm scans (pattern, including fingerprints)
• Retina scans (blood vein pattern)
• Iris scans (color)
• Facial scans (pattern)
• Voice recognition
• Handwriting dynamics
• Keyboard or keystroke dynamics (behavioral biometric systems)
- Dwell time (key press time)
- Flight time (how fingers move from key to key)

How does BitLocker use Trusted Platform Module (TPM)?

The TPM chip must be enabled in the BIOS/UEFI. The TPM chip stores the BitLocker key that is used to unlock the disk partitions and stores information about the system to verify the integrity of the system hardware. The TPM ensures system integrity as follows:
1) The TPM examines the startup components present on the unencrypted partition.
2) Based on the hardware and system components, a system identifier is generated and saved in the TPM.
3) At startup, components are examined and a new system identifier is generated.
4) The new identifier is compared to the saved identifier. If the identifiers match, the system is allowed to boot.

Lock the Workstation

*You can set the following passwords in the BIOS to require a password when booting or when modifying BIOS settings:*
- Configure a user password to require the password before loading the operating system.
- Configure an administrator password to require the password to edit BIOS settings.
- Configure a hard disk password to require the password before data on the disk can be accessed.
*Leaving your computer unattended while you are logged on potentially gives free access to your computer. Use the following methods in Windows to secure unattended computers:*
- Configure the screen saver to display the logon screen. The screen saver will be activated automatically when the system is inactive for a period of time.
- Press the Windows logo key + L to lock the workstation.
- Under Personalization in Control Panel, require a password when the computer wakes up. When leaving the computer for an extended time, use the keyboard sleep button to put the computer to sleep.

A suggested procedure for remediating a system with a malware infection is as follows:

1) Identify the symptoms of the infection.
2) Quarantine the infected system.
3) Disable System Restore in Windows. This prevents the infection from being included in a restore point.
4) Update the anti-malware definitions.
5) Scan for and remove the malware. Some malware cannot be removed because it is running. If possible, stop its process from running, then try to remove it. If you are unable to stop the malware's process, try booting into Safe Mode and then run the scanning software to locate and remove the malware.
6) If necessary, schedule future anti-malware scans and configure the system to automatically check for signature file updates.
7) Install any operating system updates.
8) Re-enable System Restore and create a new restore point.
9) Educate the end user to prevent future infections.

To configure proxy settings using Windows 10 settings:

1) Right-click Start, then select Settings.
2) Select Network & Internet.
3) Select Proxy.
4) From the right pane, configure the proxy settings as required.

Post Office Protocol port(s) number?

110 TCP

NetBIOS port(s) number?

137 TCP, 138 TCP, 139 TCP

IMAP4 port(s) number?

143 TCP and UDP

File Transfer Protocol port(s) number?

20 TCP, 21 TCP

Secure Shell port(s) number?

22 TCP and UDP

Telnet port(s) number?

23 TCP

Simple Mail Transfer Protocol port(s) number?

25 TCP

Remote Desktop Protocol port(s) number?

3389 TCP

Service Location Protocol port(s) number?

427 TCP and UDP

HTTP with Secure Sockets Layer (SSL) port(s) number?

443 TCP and UDP

Server Message Block (SMB)/Common Internet File System (CIFS) port(s) number?

445 TCP

Domain Name System port(s) number?

53 UDP

Apple Filing Protocol port(s) number?

548 TCP

Hypertext Transfer Protocol port(s) number?

80 TCP

Trojan Horse

A Trojan horse is a malicious program that is disguised as legitimate or desirable software. A Trojan horse:
• Is usually hidden within useful software such as games. A wrapper is a program that is used legitimately, but has a Trojan attached to it that will infiltrate whichever computer runs the wrapper software.
• Cannot replicate itself.
• Relies on user decisions and actions to spread.
• Often contains spy or backdoor functions that allow a computer to be remotely controlled from the network.

Trusted Platform Module (TPM)

A Trusted Platform Module (TPM) is a special hardware chip included on the computer motherboard that contains software in firmware that generates and stores cryptographic keys.
• You can use the BIOS/UEFI configuration program to initialize the TPM.
• During initialization, you can set a TPM owner password. The TPM password is required to manage TPM settings.
• The TPM includes a unique key on the chip that can be used for hardware system identification.
• The TPM can generate a cryptographic key or hash based on the hardware in the system. It then uses this key value to verify that the hardware has not changed. This value can be used to prevent the system from booting if the hardware has changed.
• The TPM can be used by applications to generate and save keys that are used with encryption.

Botnet

A botnet refers to a group of zombie computers that are commanded from a central control infrastructure. A botnet is:
• Under a command and control infrastructure where the zombie master (also known as the bot herder) can send remote commands to order all the bots they control to perform actions.
• Capable of performing distributed denial of service attacks.
• Detected through the use of firewall logs to determine if a computer is acting as a zombie and participating in external attacks.

Brute force attack

A brute force attack tries to identify a user's password by exhaustively working through all possibilities of all letter, number, and symbol combinations until the correct password is identified. Brute force attacks will always be successful if given enough time, yet they are frequently the most time consuming method of attack.

Denial-of-Service Attack

A denial-of-service attack, also known as DoS or DDoS (distributed denial-of-service), is when a service or an application is overwhelmed with remote connections from botnets, and it crashes because it cannot process all of them.

Firewall

A firewall is a device or software running on a device that inspects network traffic and allows or blocks traffic based on a set of rules. There are two types of firewalls that you should be familiar with: a network-based firewall and a host-based firewall.

Dictionary attack

A dictionary attack tries to guess a user's password using a list of words from a dictionary. Often symbols and upper and lower case characters are substituted inside the dictionary word. The dictionary attack frequently works because users tend to choose easy-to-guess passwords. A strong password policy is the best defense against dictionary attacks.

Intrusion detection system (IDS)

A feature that detects intrusion attempts and alerts the system administrator.

Cloud-based protection

A feature that provides real-time protection by sending Microsoft information about potential security threats discovered by Windows Defender.

MAC address filtering

A feature that restricts access to the wired network switch to hosts that have specific MAC addresses.

Organizational security policy

A high-level overview of the organization's security program.

Host-based firewall

A host-based firewall inspects traffic received by a specific host.

Hybrid attack

A hybrid attack adds appendages to known dictionary words. For example, 1password, password07, p@ssword1.

Rootkit

A rootkit is a stealthy type of malware. After infection, a rootkit can be very difficult to detect and remove from a system. A rootkit is installed in the boot sector of the hard disk drive. On systems that do not include the secure boot function, this causes the rootkit to be loaded before the operating system. As a result, a rootkit can hide itself from detection methods used by typical anti-malware software. If a rootkit is detected, it usually can't be removed from the system without completely re-installing the operating system from scratch.

Man-in-the-middle

A man-in-the-middle attack is used to intercept information passing between two communication partners. With a man-in-the-middle attack:
• An attacker inserts himself in the communication flow between the client and server. The client is fooled into authenticating to the attacker.
• Both parties at the endpoints believe they are communicating directly with each other, while the attacker intercepts and/or modifies the data in transit. The attacker can then authenticate to the server using the intercepted credentials.
Man-in-the-middle attacks are commonly used to steal credit card numbers, online bank credentials, as well as confidential personal and business information.

Wi-Fi Protected Setup (WPS)

A network security standard that makes wireless networks easier to manage.

A best practice is to implement what two types of firewalls?

A network-based firewall and a host-based firewall

A network-based firewall

A network-based firewall inspects traffic as it flows between networks. For example, you can install a network-based firewall on the edge of your private network that connects to the internet to protect against attacks from internet hosts. A network firewall is created using two (or more) interfaces on a network device: one interface connects to the private network, and the other interface connects to the external network.

Phishing

A phishing scam employs an email pretending to be from a trusted organization, asking to verify personal information or send a credit card number. In a phishing attack:
• A fraudulent message (that appears to be legitimate) is sent to a victim.
• The message requests that the target visit a fraudulent website (which also appears to be legitimate). Graphics, links, and websites look almost identical to legitimate websites they are trying to imitate.
• The fraudulent website requests that the victim provide sensitive information, such as an account username and password.

Privacy filter

A polarized sheet of plastic to restrict screen visibility.

Install Privacy Filters

A privacy filter is a polarized sheet of plastic that is placed over a computer screen to restrict screen visibility from any angle other than straight on. This prevents office guests and passers-by from being able to read information from the user's computer monitor.

Proxy Server

A proxy server is a device that stands as an intermediary between a host and the internet. A proxy server is a specific implementation of a firewall that uses filter rules to allow or deny internet traffic. With a proxy, every packet is stopped and inspected, which causes a break between the client and the server on the internet.

security policy

A security policy defines the overall security configuration for an organization. To be effective, the security policy must be:
• Planned: Good security is the result of good planning.
• Maintained: A good security plan must be constantly evaluated and modified as needs change.
• Used: The most common failure of a security policy is the lack of user awareness. The most effective way of improving security is to implement user education and training.

Automatic sample submission

A software feature that allows Windows Defender to send information to Microsoft for use in analyzing and identifying new malware.

Real-time protection

A software function that alerts you when spyware attempts to install itself or run on your computer.

Use Strong Passwords

A strong password is one that:
1) Is at least 8 characters long (longer is better)
2) Is not based on a word found in a dictionary
3) Contains both upper-case and lower-case characters
4) Contains numbers
5) Does not contain words that can be associated with you personally
6) Is changed frequently

Offline scanning

A system feature that causes the system to reboot and Windows Defender to run a scan in an offline state.

Scheduled scanning

A system feature that checks computer files for malware.

Malware

A type of software designed to take over or damage a computer without the user's knowledge or approval.

What is a VPN?

A virtual private network (VPN) is a type of network that uses encryption to allow IP traffic to travel securely over the TCP/IP network. A VPN is used primarily to support secure communications over an untrusted network.

Virus

A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A virus has the following characteristics:
• A virus requires a replication mechanism, which is a file that it uses as a host. When the host file is distributed, the virus is also distributed. Viruses typically attach to files with execution capabilities such as .doc, .exe, and .bat extensions. Many viruses are distributed through email and are distributed to everyone in your address book. They can also be inadvertently downloaded from a malicious or compromised website.
• The virus replicates only when an activation mechanism is triggered. For example, each time the infected file or program is executed, the virus is activated.
• The virus is programmed with an objective, which is usually to destroy, compromise, or corrupt data.

BitLocker partition

A volume that contains the boot files. Implementing BitLocker requires two NTFS partitions:
• The system partition is a 100 MB volume that contains the boot files. This partition is set to active, and is not encrypted by the BitLocker process.
• The operating system partition must be large enough for the operating system files. This partition is encrypted by BitLocker.
Be aware of the following:
• A new Windows installation creates both partitions prior to the installation of the operating system files.
• For operating systems already installed on a single partition, you may need to resize the existing partition and create the system partition required by BitLocker.

Worm

A worm is a self-replicating program. A worm:
• Does not require a host file to propagate.
• Automatically replicates itself without an activation mechanism. A worm can travel across computer networks without requiring any user assistance.
• Infects one system and spreads to other systems on the network.

Zero Day

A zero day attack (also known as a zero hour or day zero attack) is an attack that exploits computer application vulnerabilities before they are known and patched by the application's developer.

Botnet/Zombie

A zombie is a computer that has been infected with a Trojan and is remote controlled by a zombie master. A botnet is a network of computers infected with the same Trojan. To find out if your computer has been turned into a zombie, examine the computer's firewall log files. The log will show the outbound traffic from the zombie going through the firewall to the zombie master. A botnet:
• Uses IRC channels to communicate with the zombie master.
• Is controlled by an infrastructure created by a zombie master (also known as the bot herder).
• May be used for spamming, committing click fraud, and performing distributed denial-of-service attacks.

Zombie

A zombie is a computer that is infected with malware that allows remote software updates and control by a command and control center called a zombie master. A zombie:
• Is also known as a bot (short for robot).
• Is frequently used to aid spammers.
• Can commit click fraud. The internet uses an advertising model called pay per click (PPC). With PPC, ads are embedded on a website by the developer. The advertiser then pays the website owner for each click the ad generates. Zombie computers can imitate a legitimate ad click, generating fraudulent revenue.
• Can be used to perform denial of service attacks.

ARP Spoofing

ARP spoofing (also known as ARP poisoning) uses spoofed ARP messages to associate a different MAC address with an IP address. ARP spoofing can be used to perform a man-in-the-middle attack as follows:
• When an ARP request is sent by a client for the MAC address of a device, such as the default gateway router, the attacker's system responds to the ARP request with its own MAC address.
• The client receives the spoofed ARP response and uses that MAC address when communicating with the destination host. For example, packets sent to the default gateway are sent instead to the attacker.
• The attacker receives all traffic sent to the destination host. The attacker can then forward these packets on to the correct destination using its own MAC address as the source address.
ARP spoofing can also be used to perform Denial of Service (DoS) attacks by redirecting communications to fake or nonexistent MAC addresses.

AUP stands for?

Acceptable Use Policy

Building security

Access control to the location where the computers are located.

To configure proxy settings using Internet Explorer and Control panel:

Access the Internet Options, "Connections" dialog.
• Using Internet Explorer:
- Open Internet Explorer.
- To the right of the URL field, select Tools and then select Internet options.
- Select the Connections tab.
• Using Control Panel:
- From Control Panel, select Network and Internet > Internet Options.
- Select the Connections tab.
Select LAN settings. Enable Use a proxy server for your LAN. Configure the Address and Port fields as needed.

(Windows Defender) Facts What is Automatic Sample Submission?

Automatic sample submission allows Windows Defender to send information to Microsoft for use in analyzing and identifying new malware.

In Windows, edit the Local Security Policy to modify password settings for a local computer, or the Default Domain Policy to control passwords for all computers in an _______ _________ domain.

Active Directory

Adware

Adware monitors actions that denote personal preferences, then sends pop-ups and ads that match those preferences. Adware:
• Is usually passive
• Invades the user's privacy
• Is installed by visiting a malicious website or installing an infected application
• Is usually more annoying than harmful

Forensic Investigation

After containing a threat, forensic investigation can be performed on computer systems to gather evidence and identify the methods used in the attack. When working with computer systems, use special computer forensic tools to analyze the system. Investigations can be performed in the following ways:
• A live analysis examines an active (running) computer system to analyze the live network connection, memory contents, and running programs.
• A dead analysis examines data at rest, such as analyzing hard drive contents.

Notification

After you have analyzed the attack and gathered evidence, be aware that in some states you will be required to notify individuals if their personal information might have been compromised. For example, if an incident involves the exposure of credit card numbers, identifying information (such as Social Security numbers), or medical information, you might be legally obligated to notify potential victims and take measures to help protect their information from further attack.

Require Passwords

All user accounts should have a password assigned. Passwords should also be required to unlock the screensaver and to resume from standby or hibernation.

Acceptable Use Policy (AUP)

An Acceptable Use Policy (AUP) defines an employee's rights to use company property, such as:
• Using computer equipment
• Accessing data stored on company computers
• Using the company's network
• Accessing the internet through the organization's network
The AUP should also set expectations for user privacy when using company resources. Privacy is the right of individuals to keep personal information from unauthorized exposure or disclosure. However, when using company-owned resources, organizations may need to monitor and record employee actions. To protect against potential legal issues, the AUP should disclose when employees may expect such monitoring to occur. For example, the AUP should:

Organizational Security Policy

An Organizational Security Policy is a high-level overview of the organization's security program. The Organizational Security Policy is usually written by security professionals, but must be supported and endorsed by senior management. This policy usually identifies:
• Roles and responsibilities to support and maintain the elements of the security program
• What is acceptable and unacceptable regarding security management
• The rules and responsibilities for enforcement of the policy

security incident

An event or series of events that result from a security policy violation that has adverse effects on a company's ability to proceed with normal business. Security incidents include employee errors, unauthorized acts by employees, insider attacks, hacker attacks, malware attacks, and unethical gathering of competitive information.

Password Policy

An organization's Password Policy identifies the requirements for passwords used to authenticate to company-owned systems. For example, this policy may specify:
• Accounts should be disabled or locked out after a certain number of failed login attempts.
• Users should be required to change their passwords within a certain time frame.
• Users may not reuse old passwords.
• Users must use strong passwords. Strong passwords should contain:
- Multiple character types, including uppercase letters, lowercase letters, numbers, and symbols.
- A minimum of eight characters. (More is better.)
• User passwords should never contain:
- Words found in the dictionary.
- Personally-identifiable information, such as an employee's spouse's name, child's name, birth date, favorite sports teams, etc.
- Part of a username or email address.

Don't Use Default User Names

Avoid using default user names, such as Administrator. Change these names to something else.

What does AFP stand for?

Apple Filing Protocol

Do Not Allow Port Forwarding

Because of the wide-spread use of NAT routing to conserve registered IP addresses, some organizations implement port forwarding to allow access to internal network resources (such as a web server) from the internet. However, when you enable port forwarding you allow untrusted traffic into the internal network, which should be an area of high security. In this configuration, you must rely on the security configuration of the internal host that is being accessed externally to protect the rest of the network. For this reason, port forwarding implementations should be avoided.

BitLocker

BitLocker protects against unauthorized data access on lost or stolen laptops and on other compromised systems. BitLocker encrypts the entire contents of the operating system partition, including operating system files, swap files, hibernation files, and all user files. A special BitLocker key is required to access the contents of the encrypted volume.
• BitLocker uses integrity checking early in the boot process to ensure that the drive contents have not been altered and that the drive is in the original computer. If any problems are found, the system will not boot and the drive contents remain encrypted. The integrity check prevents hackers from moving the hard disk to another system in order to try to gain access to its contents.
• BitLocker requires data to be decrypted before it can be used, which reduces disk I/O throughput.
• BitLocker is available only on Ultimate and Enterprise editions of Windows.
• In Windows 8 and later, you can choose to encrypt the entire volume or just the used space on the volume.

Chassis intrusion detection

Chassis intrusion detection helps you identify when a system case has been opened. With chassis intrusion detection a sensor switch is located inside the system case. When the case cover is removed, the switch sends a signal to the BIOS/UEFI. Depending on the system configuration, a message might be displayed on the screen at startup, or the message might be visible only from within the BIOS/UEFI configuration program.

(Windows Defender) Facts What is Cloud-Based Protection?

Cloud-based protection provides real-time protection by sending Microsoft information about potential security threats discovered by Windows Defender. This feature requires automatic sample submission to be enabled.

What does CIFS stand for?

Common internet file system

Program

Configuring an exception for a program automatically opens the ports required by the application only while the application is running. Be aware of the following:
• You can select from a list of known applications or browse to and select an unlisted application.
• You do not need to know the port number used; the firewall automatically identifies the ports used by the application when it starts.
• After the application is stopped, the required ports are closed.

Port

Configuring an exception for a specific port and protocol (either TCP or UDP) keeps that port open all the time. Be aware of the following:
• You must know both the port number and the protocol.
• Some services require multiple open ports, so you must identify all necessary ports and open them.
• Ports stay open until you remove the exception.

Protect User Accounts and Passwords

Consider implementing the following measures to increase the security of user accounts and passwords:
• Require strong passwords. A strong password is at least 8 characters long, uses upper- and lower-case letters, and includes numbers or non-alphabetic characters.
• Don't allow users to write down their passwords.
• Ensure all user accounts have passwords assigned.
• Disable guest user accounts.
• Change default user names (such as Administrator) to something less obvious (such as Winifred).
• Immediately disable or remove accounts when users leave the organization.
• Change default usernames and passwords. Many network devices, such as routers and switches, use a default user name and password for initial setup. These default user names and passwords are widely posted on the internet.

As a PC technician, there are many key security threats that you need to be aware of: Cookies

Cookies are data files placed on a client system by a web server for retrieval at a later time. Cookies are primarily used to track the client. By default, cookies can be retrieved only by the server that set them. The cookies themselves are fairly benign; however, cookies can be exploited by an attacker to steal a client's session parameters. This allows the attacker to impersonate the client system and hijack the session, potentially exposing sensitive information.

Crimeware

Crimeware is designed to facilitate identity theft by gaining access to a user's online financial accounts, such as banks and online retailers. Crimeware can:
• Use keystroke loggers, which capture keystrokes, mouse operations, or screenshots and transmit those actions back to the attacker to obtain passwords.
• Redirect users to fake sites.
• Steal cached passwords.

DLP

Data loss prevention

Acceptable use policy (AUP)

Defines an employee's rights to use company property.

DMZ stands for?

Demilitarized Zone

DOS stands for

Denial of Service

Network appliances

Devices that are dedicated to providing certain network services.

Autorun

Disable autorun.

Disable Autorun

Disable autorun. This prevents malware from automatically running when an optical disc or USB drive is inserted in the system.

Implement Browser Security

Do the following:
• Disable pop-ups on all web browsers. Pop-ups can covertly install malware or redirect users to malicious websites. Enable pop-ups only for legitimate sites that require them.
• Override automatic cookie handling. Configure your browser to prompt you before allowing cookies.
• Disable third-party browser extensions.
• Disable sounds in web pages.

Implement Malware Prevention

Do the following:
• Install anti-malware on all systems to search for malware, viruses, worms, trojans, and rootkits.
• Enable automatic definition updates on your anti-malware software.
• Configure frequent quick malware scans along with less frequent full system scans.
• Implement anti-spam measures. This can be done using anti-spam software on each individual workstation. However, it's usually advantageous to implement an anti-spam appliance that filters email messages for your entire organization.

What does DNS stand for?

Domain Name System

Dumpster Diving

Dumpster diving is the process of looking in the trash for sensitive information that has not been properly disposed of.

Removable storage

Easily removable data storage.

Eavesdropping

Eavesdropping refers to an unauthorized person listening to conversations of employees or other authorized personnel discussing sensitive topics.

Educate Users

Educate users about current security threats and how to respond to them. For example, teach them to:
• Use strong passwords. This includes email account passwords as well as workstation account passwords.
• Distrust anything coming from the web: Don't click anything just because the site says you must do so.
• View email with suspicion. A reputable company in the modern world will not send an email asking users to respond with personal information. Any message that does is using phishing to gather personal information.
• Recognize social engineering attempts and respond appropriately.

Configure Automatic Updates

Enable automatic updates for all operating systems.

File encryption

Encrypts individual files so that only the user who created the file can open it.
• The Encrypting File Service (EFS) on Windows systems encrypts individual files. Windows automatically decrypts a file when the file owner accesses it.
• With EFS, you can add other users who are also allowed to access the encrypted file.
• EFS is available only on NTFS partitions. Moving an encrypted file to a non-NTFS partition removes the encryption.
• Files remain encrypted and inaccessible even when the drive is moved to another computer or if another operating system is used. This is because the encryption keys needed to decrypt the file do not exist on these other systems.
• Encryption cannot be used together with compression (you can use either, but not both).

_________ _________ ___________ (UTM) or ___________ ____________ _____________ (USM), is a network gateway defense solution for organizations. UTM is the evolution of the traditional firewall into an all-in-one device that can perform multiple security functions within one single system.

Unified threat management (UTM) or unified security management (USM)

Disk encryption

Encrypts the entire contents of a hard drive.
• During system startup, a special key is required to unlock the hard disk. Without the key, data on the drive is inaccessible. Providing the key allows the system to decrypt files on the hard drive.
• You cannot access the contents of an encrypted drive by moving it to another computer because the encryption keys needed to decrypt the data do not exist on the other computer system.
• Most solutions provide for a backup recovery key that can be used to unlock the drive if the original key is lost. If both the encryption key and the recovery key are lost, data cannot be retrieved.
• BitLocker is a Microsoft solution that provides whole disk encryption. BitLocker is supported on Ultimate or Enterprise editions of Windows.
• You can implement BitLocker with or without a Trusted Platform Module (TPM).
• You can use BitLocker to encrypt removable storage devices (such as USB flash drives).

You should frequently check your logs in ______ _______ to identify suspicious behaviors.

Event Viewer

What does FTP stand for?

File Transfer Protocol

Maximum password age

Forces users to change the password after the specified time interval.

VPN Tunneling Protocols for: Generic Routing Encapsulation (GRE)

GRE is a tunneling protocol that was developed by Cisco. GRE can be used to route any Layer 3 protocol across an IP network. GRE:
• Creates a tunnel between two routers.
• Encapsulates packets by adding a GRE header and a new IP header to the original packet.
• Does not offer any type of encryption.
• Can be paired with other protocols, such as IPsec or PPTP, to create a secure VPN connection.

What does GRE stand for?

Generic Routing Encapsulation

Grayware

Grayware is software that might offer a legitimate service, but which also includes features that you aren't aware of or features that could be used for malicious purposes.
• Grayware is often installed with the user's permission, but without the user fully understanding what is being added.
• Some grayware installs automatically when another program is installed, or in some cases it can be installed automatically.
• Features included with grayware might be identified in the end user license agreement (EULA), or the features could be hidden or undocumented.
The main objection to grayware is that the user cannot easily tell what the application does or what was added with the application.

HTTP (session) Hijacking

HTTP (session) hijacking is a real-time attack in which the attacker hijacks a legitimate user's cookies and uses the cookies to take over the HTTP session.

Hardware Locks

Hardware locks prevent theft of computers or components.

Computer tracking service

Helps locate stolen devices.

Code of ethics

Many organizations implement a code of ethics to prevent user-facilitated security issues. A code of ethics is a set of rules or standards that define ethical behavior. Because the issues involved in different situations may vary and can be quite complex, the code of ethics does not prescribe actions for every situation. Instead, it identifies general principles of ethical behavior that can be applied to various situations.

What does HTTP stand for?

Hypertext Transfer Protocol

IP spoofing

IP spoofing changes the IP address information within a packet. It can be used to:
• Hide the origin of the attack by spoofing the source address.
• Amplify attacks by sending a message to a broadcast address and then redirecting responses to a victim who is overwhelmed with responses.

An _____ detects intrusion attempts, notifies the administrator, and also tries to block the attempt.

IPS

VPN Tunneling Protocols for: Internet Protocol Security (IPsec)

IPsec provides authentication and encryption, and it can be used in conjunction with L2TP or by itself as a VPN solution. IPsec includes the following three protocols for authentication, data encryption, and connection negotiation:
• Authentication Header (AH) enables authentication with IPsec.
• Encapsulating Security Payload (ESP) provides data encryption.
• Internet Key Exchange (IKE) negotiates the connection.
IPsec can be used to secure the following types of communications:
• Host-to-host communications within a LAN
• VPN communications through the internet, either by itself or in conjunction with the L2TP VPN protocol
• Any traffic supported by the IP protocol, including web, email, Telnet, file transfer, SNMP traffic, as well as countless others
IPsec uses either digital certificates or pre-shared keys.

Implement a Demilitarized Zone (DMZ)

If internet users need to access internal network resources (such as a web server), do not allow their traffic to flow into the internal network. Instead, use a high-end router or network security appliance to create a DMZ and place the resource to which they need access within it. This divides the network into three areas of differing levels of security:
• External network: Little or no security
• DMZ: Moderate security
• Internal network: High security
In this configuration, external traffic enters the DMZ instead of the internal network. If a server in the DMZ is compromised by an external attacker, the rest of the network is not affected.

Only those users who need administrative access should have it. You should use limited user accounts for everyone else. Don't make a user a member of the Administrators group unless the user needs administrative access to the system.

Implement the Principle Of Least Privilege

The workstation should have the software required for it to fulfill its function on the network and no more.

Implement the Principle Of Least Privilege

Use delegated administration. Don't make all admin users members of the Administrators group. Make admins members of the Windows group that most closely matches the level of access they need:

Implement the Principle Of Least Privilege

Replay Attack

In a replay attack, the attacker uses a protocol analyzer or sniffer to capture authentication information going from the client to the server. The attacker then uses this information to connect at a later time and pretend to be the client.

Implement Static IP Addressing

In order to use IP addresses efficiently, most networks use a DHCP server to automatically assign an IP address to hosts whenever they connect to the network. However, this configuration presents a security weakness. If attackers are able to successfully connect a system to an open network jack in your wired network, they automatically receive all the configuration information they need to communicate with other hosts on the network. To prevent this, use static IP addressing instead of DHCP. In this configuration, an attacker who manages to successfully connect to your wired network won't receive any IP addressing information. Be aware that using static IP addressing isn't a fool-proof security measure. Determined attackers will eventually be able to determine the IP addressing scheme used on your network and configure their system appropriately. However, it does make your network more difficult to compromise.

What does IMAP4 stand for?

Internet Message Access Protocol

What does IPsec stand for?

Internet Protocol Security

What does IDS stand for?

Intrusion Detection System

IPS stands for?

Intrusion Prevention System

Authentication

Is the process of submitting and checking credentials to validate or prove user identity. On a computer system, authentication typically occurs during logon where the user provides a username and password or some other form of credential (such as a smart card or a biometric scan). The system verifies the credentials, allowing access if the credentials are valid.

Install firmware updates

It is important that you keep the firmware of your network devices updated, including:
• Switches
• Routers
• Firewalls
The firmware contains software instructions that allow these devices to run. It's not unusual for security weaknesses to be discovered in the firmware of these devices when they are deployed in production environments. To address these weaknesses, the hardware vendor should release updates to the firmware. Unlike standard software, which can be automatically updated over a network connection, firmware updates must usually be installed manually. You should watch for updates for your devices to be released and install them when they become available.

VPN Tunneling Protocols for: Layer Two Tunneling Protocol (L2TP)

L2TP is an open standard for secure multiprotocol routing. L2TP:
• Supports multiple protocols (not just IP)
• Uses IPsec for encryption
• Is not supported by older operating systems
• Uses TCP port 1701 and UDP port 500

What does L2TP stand for?

Layer Two Tunneling Protocol

Lo-Jack

Lo-Jack is a mechanism that is used to secure systems that are prone to being stolen, such as notebook systems. The Lo-Jack software is implemented within a chip on the motherboard itself and you can use it to recover a stolen system. The Lo-Jack service running on the computer periodically contacts a Lo-Jack server at the vendor's site to:
• Report its current location using GPS coordinates.
• Query Lo-Jack headquarters to see if that system's been reported as stolen.
If the system has been reported as stolen, then Lo-Jack will continuously update the server with its current location, making it easier for law enforcement to figure out where it is. The software that performs these two tasks is not actually contained in the motherboard chip. The software contained in the motherboard chip is just a downloader that downloads and installs the Lo-Jack software as a Windows service.

Implement MAC Address Filtering

MAC address filtering restricts access to the wired network switch to hosts that have specific MAC addresses. This can be done in two different ways:
• Use a whitelist, which defines a list of MAC addresses that are allowed to connect to the switch.
• Use a blacklist, which defines a list of MAC addresses that are not allowed to connect to the switch.
With MAC address filtering enabled, a switch checks a computer's MAC address when it connects to the wired network. If the switch has been configured to use a whitelist, it will compare the computer's MAC address to the whitelist. If its address is listed in the whitelist of allowed MAC addresses, then the switch will allow the host to connect to the wired network. If the computer's MAC address is not in the whitelist, then the host will be denied access. If the switch is configured to use a blacklist, the opposite occurs. If the computer's MAC address is on the blacklist, the switch will not allow the host to connect to the network. If its MAC address is not listed in the blacklist, the switch will allow the computer to connect to the network.
For security reasons, whitelists are usually the preferred option. This configuration locks out all hosts except for those specifically allowed in the whitelist. However, MAC address filtering provides only a basic level of network security and can be defeated by a determined attacker. Still, it does make the network harder to compromise and hopefully less attractive to an attacker.

When you turn on the ____________, you can block all incoming connections or allow exceptions. If all incoming connections are blocked, any defined exceptions are ignored.

firewall

MAC Spoofing

MAC spoofing occurs when an attacking device spoofs the MAC address of a valid host currently in the MAC address table of the switch. The switch then forwards frames destined for that valid host to the attacking device. This can be used to bypass:
• A wireless AP with MAC filtering on a wireless network
• Router ACLs
• 802.1x port-based security

Masquerading

Masquerading refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access.
• The attacker usually poses as a member of senior management.
• A scenario of distress is fabricated to the user to convince them that the actions are necessary.

Backup Operators

Members of this group can back up or restore files, regardless of permissions assigned to those files.

Performance Monitor Users

Members of this group can manage performance counters.

Performance Log Users

Members of this group can manage performance logs and alerts.

Network Configuration Operators

Members of this group can manage the IP configuration on the system.

Cryptographic operators

Members of this group can perform cryptographic operations.

Manage Power Levels

Most wireless access points are set to run at maximum power by default. However, this can result in the wireless network's radio signal being transmitted outside of your facility. Usually you can decrease an access point's signal strength to reduce emanation. However, this will require additional access points to be deployed because the reduced signal strength can create areas of poor coverage. Usually, directional antennae are used in conjunction with customized power levels to provide the best coverage while reducing data emanation. You should use a site survey tool to measure the strength of the wireless signal at various locations both inside and outside the structure to customize the configuration of each access point. This ensures appropriate wireless coverage with minimal emanation.

NAT stands for?

Network Address Translation

What does NetBIOS stand for?

Network Basic Input/Output System

(Windows Defender Facts) What is Offline Scanning?

Offline scanning causes the system to reboot and Windows Defender to run a scan in an offline state before returning to Windows. This allows some types of malware to be removed that normally can't be removed from a running system.

VPN Tunneling Protocols for: Point-to-Point Tunneling Protocol (PPTP)

PPTP was developed by Microsoft as one of the first VPN protocols. PPTP:
• Uses standard authentication protocols, such as CHAP and PAP
• Supports TCP/IP only
• Is supported by most operating systems and servers
• Uses TCP port 1723

Forensic investigation

Performed to gather evidence and identify the methods used in the attack.

As a PC technician, there are many key security threats that you need to be aware of: Pharming

Pharming redirects one website's traffic to another, bogus, website that is designed to look like the real website. Once there, the attacker tricks the user into supplying personal information, such as bank account and PIN numbers. Pharming works by resolving legitimate URLs to the IP address of malicious websites. This is typically done using one of the following techniques:
• Changing the hosts file on a user's computer
• Poisoning a DNS server
• Exploiting DHCP servers to deliver the IP address of malicious DNS servers in DHCP leases.

As a PC technician, there are many key security threats that you need to be aware of: Phishing Emails

Phishing is the process used by attackers to acquire sensitive information such as passwords, credit card numbers, and usernames by masquerading as a trustworthy entity. Phishing emails are drafted such that they appear to have come from a legitimate organization, such as banking, social media, or e-commerce websites. They convince the user to click a link that takes them to a malicious website (that looks exactly like the legitimate website) where they are tricked into revealing sensitive information.

Phishing

Phishing uses an email and a spoofed website to gain sensitive information. In a phishing attack:
• A fraudulent message that appears to be legitimate is sent to a target.
• The message requests the target to visit a website which also appears to be legitimate.
• The fraudulent website requests the victim to provide sensitive information such as the account number and password.
Hoax virus information emails are a form of a phishing attack. This type of attack preys on email recipients who are fearful and will believe most information if it is presented in a professional manner. All too often, the victims of these attacks fail to double check the information or instructions with a reputable third-party antivirus software vendor before implementing the recommendations. Usually these hoax messages instruct the reader to delete key system files or download Trojan horses.

Piggybacking

Piggybacking refers to an attacker entering a secured building by following an authorized employee. This is also called tailgating.

What does PPTP stand for?

Point-to-Point Tunneling Protocol

Password policy

Requirements for passwords used to authenticate to company-owned systems.

Minimum password length

Requires passwords to have a minimum length. In general, longer passwords are more secure than shorter ones (although they can be harder to remember).

Enforce password history

Requires users to input a unique (previously unused) password when changing the password. This prevents users from reusing previous passwords.

As a PC technician, there are many key security threats that you need to be aware of: Rogue Antivirus

Rogue antivirus exploits usually employ a pop-up in a browser that tells the user the computer is infected with a virus and that the user must click a link to clean it. Sometimes this exploit is used to trick users into paying for worthless software they don't need. However, it also is frequently used to deploy malware on the victim's computer.

Scareware

Scareware is a scam that fools users into thinking they have some form of malware on their system. The intent of the scam is to sell the user fake antivirus software to remove malware they don't have.

(Windows Defender Facts) What is Scheduled Scanning?

Scheduled scanning checks computer files for malware. Windows Defender can run three different types of scans:
• A Quick scan checks file system locations that are most likely to be infected by spyware.
• A Full scan checks all files in the file system, the registry, all currently running applications, and other critical areas of the operating system.
• A Custom scan checks only the locations you specify.
Windows Defender performs a quick scan at 2 a.m. each day. You can also manually initiate a scan, if necessary. The results of the scan are shown in the Home tab in Windows Defender.

What does SSH stand for?

Secure Shell

What does SSL stand for?

Secure Sockets Layer

Some malware can corrupt the boot block on the hard disk preventing the system from starting. To repair this problem, try performing an automatic repair. Use _________ or _________ in the Recovery Console to try to repair the damage. Alternatively, if your organization uses imaging solutions, you can quickly re-image an infected machine. Re-imaging is often faster and more effective than malware removal and cleanup.

fixmbr or fixboot

What does SMB stand for?

Server Message Block

What does SLP stand for?

Service Location Protocol

Code of ethics

Set of rules that define ethical behavior.

Shoulder Surfing

Shoulder surfing is looking over the shoulder of someone working on a computer.

Type 2 Authentication Factor: Something you have

Something you have (also called token-based authentication) is authentication based on something a user has in their possession. Examples of something you have authentication controls are:
• Swipe cards (similar to credit cards) with authentication information stored on the magnetic strip.
• Smart cards with a memory chip containing encrypted authentication information. Smart cards can:
  - Require contact such as swiping, or they can be contactless.
  - Contain microprocessor chips with the ability to add, delete, and manipulate data on it.
  - Store digital signatures, cryptography keys, and identification codes.
  - Use a private key for authentication to log a user into a network. The private key will be used to digitally sign messages.
  - Be based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a new code (the response) that the user can present to log in.

Type 1 Authentication Factor: Something you know

Something you know authentication requires you to provide a password or some other data that you know. This is the weakest type of authentication. Examples of something you know include:
• Passwords, codes, or IDs
• PINs
• Passphrases (long, sentence-length passwords)
• Cognitive information such as questions that only the user can answer, including:
  - Your mother's maiden name
  - The model or color of your first car
  - The city where you were born
Usernames are not a form of Type 1 authentication. Usernames are often easy to discover or guess. Only the passwords or other information associated with the usernames can be used to validate identity.

Spam

Spam is unwanted and unsolicited email sent to many recipients. Spam:
• Can be benign as emails trying to sell products.
• Can be malicious containing phishing scams or malware as attachments.
• Wastes bandwidth and could fill the inbox, resulting in a denial of service condition where users can no longer receive emails.

As a PC technician, there are many key security threats that you need to be aware of: Spam

Spam may or may not be malicious in nature. However, it wastes time, network bandwidth, and storage space as many organizations are required by law in the United States to retain all email communications for a period of time. The best way to combat spam is to implement an anti-spam appliance that is placed between your network and the internet. The appliance scans all emails as they enter the organization and quarantines anything deemed to be spam.

Spoofing

Spoofing is used to hide the true source of packets or to redirect traffic to another location. Spoofing attacks:
• Use modified source and/or destination addresses in packets
• Can include site spoofing that tricks users into revealing information

Spyware

Spyware is software that is installed without the user's consent or knowledge, designed to intercept or take partial control over the user's interaction with the computer. Spyware:
• Is usually installed on your machine by visiting a malicious website or installing an infected application.
• Collects various types of personal information, such as your internet surfing habits and passwords, and then sends the information back to its originating source.
• Uses tracking cookies to collect and report a user's activities.
• Can interfere with user control of the computer such as installing additional software, changing computer settings, and redirecting web browser activity.

Maintain Awareness

Stay current by subscribing to security alerts offered by many security software vendors.

TCP/IP (session) Hijacking

TCP/IP hijacking is an extension of a man-in-the-middle attack where the attacker steals an open and active communication session from a legitimate user.
• The attacker takes over the session and cuts off the original source device.
• The TCP/IP session state is manipulated so that the attacker is able to insert alternate packets into the communication stream.

Acceptability

Identifies the degree to which the technology is accepted by users and management.

Maintain Physical Security

Technological security measures can be circumvented if the computer systems connected to the wired network are not physically secure. Consider the following physical security measures:
• Keep server systems in a locked server room where only authorized persons who have the appropriate keys or access codes are allowed in.
• Ensure that the screen savers on workstations and notebook systems have a very short timeout period and require a password whenever a user tries to resume the session.
• Ensure workstation and notebook systems require the user to authenticate before they're allowed to resume a session from sleep or hibernation.
• Control access to work areas where computer equipment is used. For example, you could use a proximity badge reader on a locked door to regulate access.
• Ensure computers in low security areas (such as a receptionist's desk) are secured with a cable lock.
• Disable external ports on desktop and server systems, especially USB and FireWire ports. This can be done in the BIOS/UEFI configuration or using Windows Group Policy.
• Disable or completely remove optical disc burners.
• Uninstall any software from servers and workstations that isn't necessary.

Disable the Guest User Account

The Guest user account has no password and provides too much access to the system. The Guest user account should remain disabled.

VPN Tunneling Protocols for: Secure Sockets Layer (SSL)

The SSL protocol has long been used to secure traffic generated by IP protocols such as HTTP, FTP, and email. SSL can also be used as a VPN solution, typically in a remote access scenario. SSL:
• Authenticates the server to the client using public key cryptography and digital certificates
• Encrypts the entire communication session
• Uses port 443, which is already open on most firewalls
Implementations that use SSL for VPN tunneling include Microsoft's SSTP and Cisco's SSL VPN.

Network appliances are devices that are dedicated to providing certain network services. Common network appliances include?

• Switches
• Wireless access points
• Routers
• Firewalls
• Security threat management devices

Incident response

The actions taken to deal with an incident during and after the incident.

Incident response

The actions taken to deal with an incident during and after the incident. Prior planning helps people know what to do when a security incident occurs, especially the first responder.

As a PC technician, there are many key security threats that you need to be aware of: Browser History

The browser history and its cache contain information that an attacker can exploit. If an attacker can gain access to the cache or the browser history, they can learn things about the user such as:
• The email service they use
• The bank where they keep their accounts
• Where they shop
An attacker can exploit this information to conduct other attacks, such as stealing cookies or sending phishing emails.

Building Security

The first line of defense in protecting computer systems is to control access to the location where the computers are located.

Damage Containment

The first step in responding to an incident should be to take actions to stop the attack and contain the damage. For example, if the attack involves a computer system attached to the network, the first step might be to disconnect it from the network. Although you want to preserve as much information as possible to assist in later investigations, it might be better to stop the attack, even if doing so alerts the attacker or results in the loss of evidence regarding the attack.

These devices are unlike common network hosts in that they don't typically provide monitor, keyboard, or mouse connections. Instead, they are designed to be plugged directly into the network and then managed using a web-based interface from the system administrator's workstation.

• Switches
• Wireless access points
• Routers
• Firewalls
• Security threat management devices

Use Content Filters

The internet contains illicit and illegal content. If your users access this type of content from your organization's network, then your organization could be held liable for their actions. To keep this from happening, implement a content filter that inspects network traffic to ensure that it meets your organization's Acceptable Use Policy (AUP). This prevents users from:
• Wasting time accessing content that is not work-related
• Accessing content that could be construed as creating a hostile work environment
• Engaging in illegal activities
Most content filters can be configured to use pre-defined blacklists of websites categorized according to content. However, there will always be unapproved sites that slip past these pre-defined blacklists. When this happens, most content filters allow you to manually add specific sites to the blacklists. As with network firewalls, content filters can be implemented for an entire network or on individual network hosts:
• A network-wide content filter usually sits near the network firewall and router, inspecting the contents of all incoming and outgoing network traffic.
• A host-based content filter is implemented as software on a specific host.

Social Engineering Countermeasures

The most effective countermeasure for social engineering is employee awareness training on how to recognize social engineering schemes and how to respond appropriately. Specific countermeasures include:
• Train employees to demand proof of identity over the phone and in person.
• Define values for types of information, such as dial-in numbers, user names, passwords, network addresses, etc. The greater the value, the higher the security that should be maintained around those items.
• Keep employees up-to-date on local regulations applicable to your industry, such as PCI data security standards, General Data Protection Regulation (GDPR), and Protected Health Information (PHI).
• If someone requests privileged information, have employees find out why the person wants it and whether the person is authorized to obtain it.
• Verify information contained in emails and use bookmarked links instead of links in emails to go to company web sites.
• Dispose of sensitive documents securely, such as by shredding or incinerating them.
• Dispose of discs and devices securely by shredding floppy discs or overwriting discs with all 1's, all 0's, then all random characters.
• Verify information from suspicious emails by visiting two or more well-known malicious code threat management websites. These sites can be your antivirus vendor or a well-known and well-regarded internet security watch group.
• Train employees to protect personally identifiable information (PII). An organization is legally obligated to ensure that employee and customer PII within its possession is protected. PII includes any information that can be used to exclusively identify an individual from others.

Password Policy in regards to Password Strength

The password policy defines characteristics that valid passwords must have. Settings that you can configure in the password policy include:
• Minimum password length requires passwords to have a minimum length. In general, longer passwords are more secure than shorter ones (although they can be harder to remember).
• Password complexity prevents using passwords that are easy to guess or easy to crack. It forces passwords to include letters, symbols, a combination of lower case and caps, and numbers.
• Maximum password age forces users to change the password after the specified time interval.
• Minimum password age prevents users from changing the password too quickly.
• Enforce password history requires users to input a unique (previously unused) password when changing the password. This prevents users from reusing previous passwords.

Disable Unused Switch Ports

The security of a wired network can be increased by disabling unused network wall jacks and switch ports. If an unused network jack is left in an active state, it can be used to connect to the wired computer network. Likewise, an unused port on the switch that is left in an active state can provide an attacker with an easy way to connect to the wired network. To prevent this from happening, disable all unused switch ports. This is especially true for switch ports connected to network jacks located in insecure areas of your organization, such as the reception area.

Common symptoms of malware on your system include:

• The browser home page or default search page has changed.
• Excessive pop-ups or strange messages are displayed.
• Firewall alerts about programs trying to access the internet.
• System errors about corrupt or missing files are displayed.
• File extension associations have changed to open files with a different program.
• There are files that disappear, are renamed, or are corrupt.
• New icons appear on the desktop or taskbar, or new toolbars are displayed in the browser.
• The firewall or antivirus software is turned off, or you can't run antivirus scans.
• The system won't boot.
• The system runs very slowly.
• Unusual applications or services are running.

User Education and Awareness Policy

The strongest technological security measures can be quickly defeated if employees engage in unsafe behaviors, such as:
• Clicking links in a phishing email.
• Visiting malicious websites.
• Responding to social engineering attempts.
• Downloading and installing unauthorized software.
Employee awareness is the key to preventing these behaviors. The User Education and Awareness Policy is designed to:
• Familiarize employees with the organization's security policy.
• Communicate standards, procedures, and baselines that apply to the employee's job.
• Facilitate employee ownership and recognition of security responsibilities.
• Explain how to respond to security events.
• Establish reporting procedures for suspected security violations.

Manage the SSID

There are several practices you can implement regarding your wireless network's SSID to increase the security of the wireless network:
• Change the SSID from the default. Lists of default SSIDs assigned by manufacturers are posted on the internet. If you use the default SSID, an attacker can quickly determine the make and model of your access point. Using this information, an attacker can:
  - Identify the default username and password used by that device.
  - Research known security weaknesses associated with that device, making it easier to compromise your wireless network.
• Use a network name that is not easily associated with your organization.
• Disable SSID broadcast. If SSID broadcast is enabled, then the name of the network is advertised to all wireless devices within range of your wireless access points. Disabling SSID broadcast makes your wireless network harder to locate.

Use File and Folder Permissions

This practice ties back to the principle of least privilege. Users should be able to access the files and folders they need on the hard drive of the system and no more. Use file and folder permissions to explicitly specify who can do what with files and folders.

As a PC technician, you need to be aware of many key security threats: Hijacked Emails

To hijack an email account, attackers use password hints set up by the user to try to gain access to the user's email account. Users should not use personal information such as their birthplace or mother's maiden name. This information is relatively easy to obtain using social media. Once an account has been hijacked, the attacker can use it to propagate spam or malware to every contact in the user's address book.

____ ____________ _________________ requires the user to provide an authentication factor from more than one category.

True multifactor authentication

TPM

Trusted Platform Module

UEFI-Specific Security Features

UEFI systems include several security features that are not available on BIOS-based systems:
• UEFI requires firmware updates to be digitally signed by the hardware vendor. Using digital signatures, unauthorized changes to firmware updates (such as the insertion of malware) can be detected.
• UEFI provides a security feature called Secure Boot, which requires the operating system installed on the system hard drive to be digitally signed. If it isn't digitally signed, then the UEFI firmware will not boot it by default. This is designed to block a special type of malware called a rootkit. A rootkit inserts itself into the boot sector of a storage device, causing it to be loaded first. Then the rootkit loads the actual operating system. By doing this, the rootkit gets loaded before any anti-malware software, making it more difficult to detect. Secure Boot also prevents the booting of unauthorized operating systems. For example, it prevents the system from booting an operating system installed on a removable USB drive that could be used to access data on the system hard drive.

What does USM stand for?

Unified Security Management

What does UTM stand for?

Unified Threat Management

Account Lockout Policy

Use account lockout settings to protect user accounts from being guessed and to also prevent accounts from being used when hacking attempts are detected. Lockout policy settings are:
• Account lockout threshold specifies the maximum number of incorrect logon attempts. Once the number has been reached, the account will be locked and logon disabled. A common setting is to lock the user account when three consecutive incorrect passwords have been entered.
• Account lockout duration determines the length of time the account will be disabled (in minutes). When the time period expires, the account will be unlocked automatically. Setting this to 0 means that the account remains locked until manually unlocked by an administrator.
• Reset account lockout counter after determines the amount of time (in minutes) that passes before the invalid attempt counter is reset. For example, if a user enters two incorrect passwords, the incorrect counter will be cleared to 0 after the timer has expired.

Implement the Principle Of Least Privilege

Users should have only the degree of access to the workstation necessary for them to complete their work and no more.

Principle of least privilege

Users should have only the necessary degree of access to the workstation.

What does VPN stand for?

Virtual Private Network

Storage Media Disposal

When disposing of data storage media, make sure to remove any sensitive data, especially data containing personal health or financial information. Simply deleting data is insufficient, as deleted files can still be recovered. Data remanence is the residual data (left behind after the data has been erased) that allows the data to be recovered and reconstructed by data recovery software.
• If you will be reusing a disk, use data wiping software to remove any remnants. This software writes a random series of bits multiple times to each cluster on the disk.
• When disposing of magnetic media, you can use degaussing with a strong magnet to remove any traces of data.
• When disposing of optical media, shred or physically destroy discs (some paper shredders can also handle optical discs). Degaussing does not work with optical media because the media does not use magnetic fields for storing data.

Disable Wi-Fi Protected Setup (WPS)

While WPS makes wireless networks easier to manage, it also introduces security issues. For example, devices that support the PIN method have been found to be susceptible to brute-force attacks. An attacker can simply send one PIN after another to an access point until the correct one is identified. If the access point is not physically secured (which is common in small businesses and in homes), then attackers can use the push-button or NFC methods to associate their device with the access point. Because of these issues, a best practice is to disable WPS functionality on the access point.

VPN Facts

• VPNs work by using a tunneling protocol that encrypts packet contents and wraps them in an unencrypted packet.
• Tunnel endpoints are devices that can encrypt and decrypt packets. When you create a VPN, you establish a security association between the two tunnel endpoints. The endpoints create a secure, virtual communication channel. Only the destination tunnel endpoint can unwrap packets and decrypt the packet contents.
• Routers use the unencrypted packet headers to deliver the packet to the destination device. Intermediate routers along the path cannot read the encrypted packet contents.
• A VPN can be used over a local area network, across a WAN connection, over the internet, and even over a dial-up connection.

WPS stands for?

Wi-Fi Protected Setup

Mobile devices

Wired or wireless personal devices.

Non-TPM Security

You have the following options for implementing BitLocker on systems without a TPM chip:
• You can save the BitLocker key on a USB device. The USB device is inserted before starting the computer and provides authentication before the operating system drive is decrypted. The BIOS must support reading USB devices during startup.
• Windows 8 and later allows you to configure an unlock password for the operating system drive. To use this feature, enable the Configure Use Of Passwords For Operating System Drives policy in the Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives node of Computer Configuration.
• Windows supports authentication using a smart card certificate. The smart card certificate is stored on a USB device and is used similarly to the BitLocker key on a USB device.

Manage Antenna Placement

You need to reduce data emanation as much as possible. If your network's radio signal emanates outside your facility, an attacker can intercept that signal and potentially gain access to your organization's computer network. You can minimize data emanation by doing the following:
• Consider where wireless access points are placed and where their antennae are transmitting the wireless network's radio signal. Be aware that omni-directional wireless access points transmit in all directions with equal signal strength. If placed near an exterior wall, these antennae will transmit the wireless network's radio signal outside the structure.
• Implement directional antennas, which can be aimed in a certain direction. Use these antennae to ensure your wireless network's radio signal is aimed only towards the interior of your facility.

Change Default Usernames and Passwords

You should change the default username and password used on wireless access points. The default username and password assigned to a device by the manufacturer are widely known and posted on the internet.

Maintain Firewalls

You should ensure that network hosts are protected by a firewall. A firewall monitors incoming and outgoing network traffic to make sure it is allowed by the organization's security policy. Firewalls should be implemented:
• On each individual host
• On the network itself
The validity of network traffic is determined by the access control list (ACL) configured on the firewall. To increase the security of your wired network, ensure your firewall ACLs are configured to allow only authorized traffic on the network. The best way to do this is to start with all traffic blocked. This is usually enabled by default on most network firewalls using a preconfigured implicit deny rule in all ACLs. Then add ACL rules that allow specific types of traffic through the firewall that are permitted by your organization's security policy. If network traffic that does not match any allow rules in the ACL tries to go through the firewall, it will be denied by default.

Implement Encryption and Authentication

You should implement encryption and authentication on your wireless network using the strongest algorithms available:
• Avoid implementing an open (unencrypted) network.
• Avoid using WEP to protect the network. A WEP key can be cracked quickly with software available on the internet.
• Use one of the following versions of WPA2 to implement wireless encryption and authentication:
  - WPA2-PSK is best suited for wireless networks used by home or small business users. WPA2-PSK requires the same pre-shared key to be configured on the access point and on each wireless client. This key is used both to authenticate the host to the wireless network and to encrypt transmissions.
  - WPA2-Enterprise is best suited for wireless networks that are part of a large corporate network. WPA2-Enterprise requires a separate authentication process to access the wireless network. Whenever a host wants to connect, credentials are forwarded to a RADIUS server for authentication.

Circumvention

allows for acceptable substitutes for the attribute in case the original attribute is missing or can't be read.

Collectability

ensures that the attribute can be measured easily.

Data loss prevention

is a strategy for making sure that sensitive or critical information does not leave the corporate network. A compliance policy should be implemented to regulate company rules and expectations, and it should be clearly communicated to the employees. By enforcing compliance policies, the organization is safeguarded against violations of laws and government regulations that employees might otherwise commit.

Universality

means that all individuals possess the attribute.

Permanence

means that the attribute always exists and will not change over time.

Performance

means that the attribute can be accurately and quickly collected.

Uniqueness

means that the attribute is different for each individual.

Remote Desktop Users

members of this group can remotely access a workstation's desktop.

Some malware infections could require that you reinstall applications or features, restore files from a backup, or even restore the entire operating system from scratch. If the infection has damaged or corrupted system files, you might be able to repair the infected files using the __________ ____________. Before running sfc, be sure to first remove the malware that caused the damage (or it might re-introduce the problem later). You might need to boot into Safe Mode in order to check system file integrity and repair any problems found.

sfc.exe command

What does SOHO stand for?

small office/home office

Common phishing scams include:

• A Rock Phish kit uses a fake website that imitates a real website (such as banks, PayPal®, eBay®, or Amazon®). Phishing emails direct victims to the fake website where they enter account information. A single server can host multiple fake sites using multiple registered DNS names. These sites can be set up and taken down rapidly to avoid detection.
• A Nigerian scam, also known as a 419 scam, involves email which requests a small amount of money to help transfer funds from a foreign country. For their assistance, the victim is promised a reward of a much larger amount of money that will be sent at a later date.
• In spear phishing, attackers gather information about the victim, such as identifying which online banks they use. They then send phishing emails for the specific bank that the victim uses.
• Whaling is another form of phishing that is targeted at senior executives and high-profile victims.
• Vishing is similar to phishing, but instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing.

Large organizations typically purchase separate appliances for each network function they require. However, this strategy can be quite expensive. To reduce costs, smaller organizations may choose to use an all-in-one device instead of purchasing separate network appliances. For example, an all-in-one security appliance combines many network security functions into a single device. All-in-one security appliances are also known as unified threat security devices or web security gateways. This type of device may be the best choice for?

• A small company without the budget to purchase individual components
• A small office without the physical space for individual components
• A remote office without a technician to manage individual security components

While they are less expensive, all-in-one appliances have several drawbacks that you should consider before implementing one:

• All-in-one appliances perform many tasks adequately. However, they usually can't perform any one task extremely well. If high performance is a concern, then using dedicated appliances might be more appropriate.
• All-in-one devices create a single point of failure. Because so many services are hosted by a single device, all of the services are affected if that device goes down.
• All-in-one devices create a single attack vector that can be exploited by an attacker. Compromising the single device could potentially expose many aspects of the network.

Security functions implemented within an all-in-one security appliance may include components such as:

• An endpoint management server to keep track of various devices, while ensuring their software is secure
• A network switch to provide internal network connectivity between hosts
• A router to connect network segments together
• An ISP interface for connecting the local network to the internet
• A firewall to filter network traffic
• A syslog server to store event messages
• A spam filter to block unwanted emails
• A web content filter to prevent employees from visiting inappropriate websites
• A malware inspection engine to prevent malware from entering the network
• An intrusion detection system (IDS) or intrusion prevention system (IPS) to detect hackers trying to break into systems on the network

Procedures when collecting and analyzing computer evidence

• Before touching the computer, document and photograph the entire scene of the crime, including the current state of the computer screen. A traditional camera is preferred over a digital camera to avoid allegations that an image was digitally altered.
• Do not turn off the computer until the necessary evidence has been collected.
• Assess the situation to determine whether you have the expertise to conduct further investigations, or whether you need to call in additional help.
• Analyze data in order from most volatile to least volatile:
  • Save the contents of memory by taking one of the following actions:
    - Save and extract the page file.
    - Do a complete memory dump to save the contents of physical RAM. The page file will be lost, but the physical memory will be preserved.
  • Clone or image hard disks. In addition to looking for obvious evidence on computer systems (such as saved files), use special forensic tools to check for deleted files, files hidden in empty space, or data hidden in normal files.
• For some investigations, you might need to review archived log files or data in backups to look for additional evidence. Be sure to design your backup strategy with not only recovery but also investigation and preservation of evidence in mind.
• Track hours and expenses for each incident. This may be necessary to calculate a total damage estimate and possibly restitution.

BitLocker differs from the Encrypting File System (EFS) in the following ways:

• BitLocker encrypts the entire volume. EFS encrypts individual files.
• BitLocker encrypts the volume for use on the computer, regardless of the user. Any user who has the PIN or startup key and who can successfully log on can access a BitLocker volume. With EFS, only the user who encrypted the file can access the file unless access has been granted to other users.
• BitLocker protects files against offline access only. If the computer boots successfully, any authorized user who can log on can access the volume and its data. EFS protects against offline access as well as online access for unauthorized users. EFS does not provide online protection if an authorized user's credentials are compromised.

To protect against phishing:

• Check the actual link destination within emails to verify that they go to the correct URL and not a spoofed one.
• Do not click on links in emails. Instead, type the real bank URL into the browser.
• Verify that HTTPS is used when going to e-commerce sites. HTTPS requires a certificate that matches the server name in the URL and that is verified by a trusted CA. You can also look for the lock icon to verify that HTTPS is used. If the website is using an invalid certificate, then an invalid SSL certificate warning appears when you try to access the website.
• Implement phishing protections within your browser.

Be aware of the following when using proxy servers:

• Configure a proxy server as a firewall device between the private network and the internet to control internet access based on user account.
• You can use a third-party service that uses proxy servers at your ISP or on the internet for content filtering.
• When using a proxy server, all traffic must be sent to the proxy server first before being forwarded to the destination device. This redirection is typically done by configuring the client to use the proxy server.
• Content filtering solutions reconfigure the client such that the redirection is done automatically and cannot be bypassed.
• Internet Explorer automatically detects and uses a proxy server if one is on the network. If the proxy server is not detected, use Internet Options to identify the proxy server IP address and port number.

When you configure a network-based firewall, you identify the traffic type that is allowed both into and out of your private network. Keep the following in mind (part 4):

• Configure port forwarding to allow incoming traffic directed to a specific port to be allowed through the firewall and sent to a specific device on the private network.
  - Inbound requests are directed to the public IP address on the router and to the port number used by the service (such as port 80 for a Web server). This port number is often called the public port.
  - Port forwarding associates the inbound port number with the IP address and port of a host on the private network. This port number is often called the private port.
  - Incoming traffic sent to the public port is redirected to the private port.

Proxies can be configured to?

• Control internet access based on user account and time of day.
• Prevent users from accessing certain websites. For example, proxy servers used in schools or at home protect children from viewing inappropriate sites.
• Restrict users from using certain protocols. For example, a proxy server at work might prevent instant messaging, online games, or streaming media.
• Cache heavily accessed web content to improve performance.

The chain of custody

• Documents the integrity of the evidence by providing a record of every person it has come in contact with and under what conditions. Without a chain of custody document, there is no way to prove who might have had access to the evidence, meaning that the evidence could have been altered after discovery. Failure to provide a valid chain of custody could make the evidence worthless in court.
• Should be started the moment evidence is discovered and should include what the evidence is, who found it, under what circumstances, the location of the evidence, the date and time of original discovery, how it was handled, and all precautionary actions that have been taken to ensure its integrity.
• Should be maintained throughout the evidence life cycle to document the people and procedures used at each stage.

When defining firewall rules, you should be aware of the following port numbers for common network protocols:

• File Transfer Protocol (FTP)
• Secure Shell (SSH)
• Telnet
• Simple Mail Transfer Protocol (SMTP)
• Domain Name System (DNS)
• Hypertext Transfer Protocol (HTTP)
• Post Office Protocol (POP3)
• Network Basic Input/Output System (NetBIOS)
• Internet Message Access Protocol (IMAP4)
• HTTP with Secure Sockets Layer (SSL)
• Service Location Protocol (SLP)
• Server Message Block (SMB)/Common Internet File System (CIFS)
• Apple File Protocol (AFP)
• Remote Desktop Protocol (RDP)

Countermeasures to prevent spoofing use:

• Firewall and router filters to prevent spoofed packets from crossing into or out of your private secured network. Filters will drop any packet suspected of being spoofed.
• Certificates to prove identity
• Reverse DNS lookup to verify the source email address
• SecureDNS to identify emails with malicious domains. SecureDNS will redirect the user to a safe landing page or send the bad traffic to a sinkhole.
• Encrypted communication protocols, such as IPsec
• Ingress and egress filters to examine packets and identify spoofed packets. Ingress filters examine packets coming into the network, while egress filters examine packets going out of the network. Any packet suspected of being spoofed on its way into or out of your network will be dropped.

Be aware of the following when working with Windows Defender:

• For best protection, keep the definition files up to date. By default, Windows Defender checks for new updates every time a system scan takes place. Windows Defender also uses Windows Update to automatically download definition files.
• Non-administrators can use Windows Defender to run scans.
• To run a program on the Quarantined Items list, you must restore it on your system. When you run it, Windows Defender will identify it again as a potential security threat. Select Allow to add the program to the list of allowed items so that you can run it in the future without a prompt.
• You can review past actions taken by Windows Defender through the History tab. You can also check for Windows Defender events in Event Viewer.
• In a corporate environment, use Group Policy to manage Windows Defender settings on domain members.
• If a third-party anti-malware scanner is installed on the system, Windows Defender may need to be disabled.

Incident response should involve?

• Identification and containment of the problem
• Investigation of how the problem occurred and the forensics to preserve evidence that may be used in a criminal investigation
• Removal and eradication of the cause of the incident
• Recovery and repair of any damages
• Documentation and report of the incident, and implementation of countermeasures and processes to reduce the likelihood of a future attack

If you suspect a system has been infected, you should observe the following best practices to remove the malware:

• Identify the malware symptoms.
• Quarantine the infected system.
• Disable system restore to prevent the malware from being saved in a restore point (and to prevent an uninfected restore point from being potentially deleted to make room for a new restore point).
• Remediate the infected system.
• Update the anti-malware definitions.
• Scan for and remove the malware. Some malware can be removed while the system is running normally. However, some malware can be removed only while in Safe Mode or in the Pre-Installation Environment.
• Schedule future scans and updates.
• Re-enable system restore and create a new restore point.
• Educate users to prevent the infection from happening again.

Building Security examples:

• Implement controlled access to any point inside the building beyond the lobby (such as locking doors and security checkpoints).
• Require all authorized personnel to have identification while inside the building.
• Escort visitors at all times.
• Keep room doors locked when not in use.
• For added protection, use keypads or card readers to control building or room access.
• Use software to track who has gained access at any given time.
• Periodically change passwords or locks, especially after key employees are terminated.
• Implement mantraps. A mantrap is a specialized entrance with two doors that creates a security buffer zone between two areas.
• Security guards can use an access list (sometimes called an entry control roster) which explicitly lists who can enter a secure facility.

Computer tracking service recommendations

• In secure environments, remove and disable removable media devices to prevent copying data to or from the device. You can disable USB and IEEE 1394 ports in the BIOS and require a BIOS password to edit BIOS settings. However, this may also disable necessary USB devices such as the mouse and keyboard. You can use endpoint management software to disable USB ports on a system if storage devices are connected, but enable them if a mouse or keyboard is connected.
• Use USB port locks to block all ports and ensure no USB device can be inserted into the devices. Keep backup media and other removable media in a secure location. If possible, use disk encryption to prevent users from being able to read data on removable media.

Countermeasures for malware include:

• Install anti-malware scanning software on email servers. Attachments are scanned before email is delivered. You can also block all attachments to prevent any unwanted software, but this can block needed attachments as well.
• Implement spam filters and real-time blacklists. When implementing filters, be sure not to make the filters too broad; otherwise legitimate emails will be rejected.
• Train users to use caution when downloading software or responding to emails.
• Train users to update their malware definition files frequently and to scan removable storage devices before copying files.
• Disable scripts when previewing or viewing emails.
• Implement software policies that prevent downloading software from the internet.
• Keep your operating system files up-to-date; apply security-related hot fixes as they are released to bring all non-compliant systems into compliance. A non-compliant system is any computer that doesn't meet your security guidelines.

Two common hoax viruses are:

• Instructing you to delete a file that is reported as a virus. The file is actually an important system file, and deleting it will lead to instability or the inability to boot your computer.
• Instructing you to download and run a program to see if your system is compromised or to add protection to your system. The file you download is the malicious software.

The First Responder

• Is the first person on the scene after a security incident has occurred
• May be a dedicated member of the security response team
• Has the following goals:
- Contain the damage (or incident) as much as possible.
- Do not damage any evidence.
• Initiates an escalation procedure to ensure that the right people are informed and that the right people are brought on to the incident site
• Initiates the documentation of the incident

Hardware Locks examples:

• Keep servers and other devices inside locked cabinets or locked rooms.
• Bolt or chain workstations to desks or other stationary objects to prevent theft.
• Lock cases to prevent opening up devices and removing components such as memory and hard drives.
• For laptops, use removable cable locks when leaving computers unattended in public areas (such as a library). You can also use motion detectors that sound an alarm when a laptop is moved.
• Tablet devices can be secured with a cable lock or simply locked in a cabinet or drawer when not in use.

To detect phishing email, train users to recognize their key characteristics:

• The source address of the message may not match the domain of the company it claims to be coming from.
• The message tries to create a sense of urgency. For example, it may warn that your bank account will be frozen, that your credit card has been stolen, or that you will be subject to arrest if you don't follow the instructions in the message.
• The hyperlinks in the message go to websites that are not associated with the organization the message claims to be coming from. If you hover your mouse over a link (without clicking it), you can see where the link actually leads. If it isn't pointing to the organization's URL, there's a pretty good chance the message is an exploit.

In addition to using scanning software to detect Malware, you should also do the following:

• Keep your operating system and browser up to date. Make sure to apply security-related hotfixes as they are released.
• Implement software policies that prevent downloading software from the internet.
• Scan all files before copying them to your computer or running them.
• In highly secure areas, remove any removable drives (such as recordable optical drives and USB drives) to prevent unauthorized software from entering a system.
• Show full file extensions on all files. Viruses, worms, and Trojans often make use of double file extensions to disguise files that are normally deemed harmless. For example, adding the extension .txt.exe to a file will make the file appear as a text file in an attachment, when in reality it is an executable.
• Use Security and Maintenance in Control Panel to check the current security status of your computer. Security and Maintenance shows whether you have antivirus, a firewall, and automatic updates running.
• Train users about the dangers of downloading software and the importance of anti-malware protections. Teach users to scan files before running them and to make sure they keep the virus protection definition files up to date.

Be aware of the following when using anti-malware software:

• Malware definition files are provided by the software vendor. These files are used to identify viruses and are a vital component of the anti-malware software.
• Protection against malware is provided only after a definition file has been released that matches the target malware.
• For maximum protection, you must keep the definition files updated. Most software will automatically check for updated definition files daily.
• You should scan new files before they are copied or downloaded to the system. You should also periodically scan the entire system.

When you configure a network-based firewall, you identify the traffic type that is allowed both into and out of your private network. Keep the following in mind (part 1):

• Most SOHO routers and access points include a firewall to protect your private network.
• By default, most SOHO routers allow all traffic initiated on the private network to pass through the firewall. Responses to those outbound requests are typically also allowed. For example, a user browsing a website will receive the web pages back from the internet server.
• All traffic initiating from the external network is blocked by default.
• You can configure individual exceptions to allow or deny specific types of traffic. A best practice is to block all ports, then open only the necessary ports.

Possible actions in response to Malware Infection problems are:

• Repair the infection. This may be possible for true viruses that have attached themselves to valid files. During the repair, the virus is removed and the file is placed back in its original state (if possible). Configuration changes made by the infection may also need to be repaired. For example, if the virus changed the default browser home page or search page, you may need to manually reset them using Internet Options in Control Panel.
• Quarantine the file. This moves the infected file to a secure folder where it cannot be opened or run normally. You might quarantine an infected file that cannot be repaired to see if another tool or utility might be able to recover the file at another time.
• Delete the file. You should delete malicious files such as worms, Trojan horse programs, spyware, or adware programs. In addition, you should periodically review the quarantine folder and delete any files you do not want to recover.

Countermeasures for password attacks include the following:

• Require that user passwords:
- Contain multiple character types, including uppercase, lowercase, numbers, and symbols.
- Are a minimum length of eight characters (longer is even better).
- Do not contain any part of a username or email address.
- Do not contain words found in the dictionary.
• Require that user passwords be changed frequently (such as every 30 days). This is called password aging. Be aware that requiring overly complex passwords or changing them too frequently can cause users to circumvent security policies by writing down their passwords.
• Retain password history to prevent re-use.
• Implement multifactor authentication.
• Audit computer systems for excessive failed logon attempts.
• Implement account lockout to lock accounts when multiple incorrect passwords are used.
• Monitor the network or system for sniffing and password theft tools.

As a PC technician, you should be familiar with the symptoms of a malware infection. Look for the following:

• Slow computer performance
• Internet connectivity issues
• Operating system lock ups
• Windows update failures
• Renamed system files
• Disappearing files
• Changed file permissions
• Access denied errors

When you configure a network-based firewall, you identify the traffic type that is allowed both into and out of your private network. Keep the following in mind (part 3):

• Some applications identify incoming ports dynamically once a session is established with the destination device. The ports that the application might use are typically within a certain range.
- For some applications, you can configure the application to use a specific port instead of a dynamic port. You can then open only that port in the firewall.
- If you are unable to configure the application, you will need to open the entire range of possible ports in the firewall.
- Use port triggering to dynamically open the ports when the application runs instead of permanently opening all required ports.

When you configure a network-based firewall, you identify the traffic type that is allowed both into and out of your private network. Keep the following in mind (part 2):

• Some firewalls support port triggering, which allows the firewall to dynamically open incoming ports based on outgoing traffic from a specific private IP address and port.
- On the firewall, you identify a private IP address and port, then associate one or more public ports.
- When the router sees traffic sent from the private network from that host and port number, the corresponding incoming ports are opened.
- The incoming ports remain open as long as the outgoing ports show activity. When the outgoing traffic stops for a period of time, the incoming ports are automatically closed.
- Use port triggering to open incoming ports required for specific applications (such as online games).

If you suspect that your system is infected with malware, keep the following in mind:

• Some malicious software can hide itself such that there might not be any obvious signs of its presence. Other symptoms of an infection include:
- Slow internet access.
- Excessive network traffic, or traffic during times when no activity should be occurring.
- Excessive CPU or disk activity.
- Low system memory.
- An unusually high volume of outgoing email, or email sent during off hours.
• Regular system scans can detect and fix many problems.
- Most software lets you schedule complete system scans, such as daily or weekly.
- If you suspect a problem, initiate a full system scan immediately.

VPNs can be implemented in the following ways:

• With a host-to-host VPN, two hosts establish a secure channel and communicate directly. With this configuration, both devices must be capable of creating the VPN connection.
• With a site-to-site VPN, routers on the edge of each site establish a VPN with the router at the other location. Data from hosts within the site is encrypted before being sent to the other site. With this configuration, individual hosts are unaware of the VPN.
• With a remote access VPN, a server on the edge of a network (called a VPN concentrator) is configured to accept VPN connections from individual hosts in a client-to-site configuration. Hosts that are allowed to connect using the VPN connection are granted access to resources on the VPN server or the private network.

