Chapter 8 Security Strategies and Documentation
Dictionary attack
-Can be used to crack passwords by trying words in a dictionary.
-Password cracker software might combine a brute force attack with a dictionary attack to guess the password.
-A dictionary attack is usually more efficient than brute force alone.
Man-in-the-middle attack
-The attacker intercepts communication between two parties and reads and/or alters the content of messages.
-The attacker can impersonate a legitimate website, network, FTP site, or person in a chat session.
-Example: a user might connect to an "evil twin" Wi-Fi hotspot, thinking it's a legitimate hotspot, and attempt to start a chat session with a business associate. The attacker pretends to be the business associate to get private information out of the user.
Logical Security and Access Controls
Antivirus/anti-malware
Email filtering:
-Filters out suspicious messages based on a database of known scams, spammers, and malware.
-Corporations might route incoming and outgoing email through a proxy server for filtering with the following goals in mind:
1. Incoming email is inspected for scams or spam that might trick an employee into introducing malware into the network.
2. Outgoing email from employees might be filtered for inappropriate content and to make sure employees are complying with privacy laws.
-A corporation might use Data Loss Prevention (DLP) software to help protect against leaking corporate data.
Trusted software sources:
-Always use a reputable source to download anything from the internet.
-Be careful which sites you use for software downloads; there might be hidden malware in installation/downloaded files.
Access control lists:
-An access control list (ACL) specifies which user, device, or program has access to a particular resource, such as a printer, folder, or file, on a corporate network or computer.
-Access control on large corporate networks is managed through Active Directory (AD) on a Windows domain; on a SOHO network each computer controls its own access to resources.
-On both kinds of networks, Group Policy can control user rights, and NTFS permissions and share permissions control access to files and folders.
Port security and MAC address filtering:
-A switch is either unmanaged (a pass-through device) or managed.
-A managed switch has embedded web-based firmware that you configure by way of a browser on a local computer connected to the switch.
-You can enable port security on a managed switch to control which devices can use any port or a specific port on the switch.
-Most managed switches can provide MAC address filtering, which allows you to specify how many MAC addresses a port can accept or to provide a whitelist of MAC addresses the switch will accept.
-It's easy to spoof a legitimate MAC address, so MAC address filtering is NOT considered a recommended best practice as your only layer of defense against attack.
-MAC filtering should only be used as one layer in a multi-layer defense strategy called defense in depth.
VPN:
-A VPN (virtual private network) protects data by encrypting it over a remote connection to a private network.
-When a VPN is set up, the VPN software creates a virtual tunnel between the client computer and a VPN server behind the private network's firewall.
-Network packets are encrypted at one end of the tunnel and decrypted as they exit the tunnel.
-VPNs are used by remote users to securely connect to a corporate or home network, or for internet security on an open network such as at a coffee shop.
-Managed switches sometimes have VPN services embedded in their firmware so they can provide VPN connections for remote users of the private network.
Mobile device management:
-Mobile device management (MDM) software provides tools for tracking mobile devices -- even when they're turned off -- and managing the data on those devices.
-MDM policies: security policy enforcement (patches and password requirements), data encryption requirements, remote wipe capabilities (erase all data on the device).
-MDM installs a small app called an agent on a managed mobile device, which communicates through various Wi-Fi or cellular connections back to the MDM server in the company data center.
-On-boarding is the initial installation of the agent and the agent checking the device for security compliance.
-Off-boarding is when the device is removed from the MDM fleet.
Malicious Software
AKA malware. Any unwanted program that is intended to do harm and is transmitted to your computer without your knowledge.
4. Remediating the infected system
When an infected computer will not boot:
-The boot manager, boot loaders, or kernel-mode drivers launched at startup might be infected or damaged.
-Launch the computer into Windows RE and use the Startup Repair process to repair the system.
Update and run anti-malware software that's already installed:
1. Make sure the anti-malware software is up to date. These updates download the latest malware definitions, also called signatures, which the software uses to define or detect new malware as it gets into the wild (becomes available on the internet).
2. Use the anti-malware software to perform a full scan of the system. In most cases, when asked, remove the malware, and keep the scan log.
3. After the scan is complete and you have decided what to do with each suspicious file, reboot the system, allow the software to update itself again, and then scan the system again. Most likely, some new malware will be discovered. Keep rebooting and rescanning until a scan comes up clean.
Run anti-malware software from a networked computer:
-If anti-malware software is not already installed, the most effective way to clean the computer is to run the software from another computer.
1. Make sure the remote computer has its software firewall set for maximum protection and its installed anti-malware software is up to date and running.
2. Network the two computers and share drive C: on the infected computer. (Don't connect the infected computer to the entire network. If necessary, you can connect the two computers using a crossover cable or using a small switch and network cables.)
3. To make your work easier, you can map a network drive from the remote computer to drive C: on the infected computer.
4. Perform an anti-malware scan on the remote computer, pointing the scan to drive C: on the infected computer.
Install and run anti-malware software on the infected computer:
-If you don't have another PC that you are willing to risk connecting to the infected computer, you can use another computer to purchase and download anti-malware software, then copy the downloaded files to a CD or flash drive that you can insert in the infected computer.
-Don't make the mistake of using the infected computer to purchase and download anti-malware software, because key loggers might be spying and collecting credit card information.
-During the installation process, the anti-malware software updates itself and performs a scan.
-You can also run free online anti-malware software without downloading and installing it, but be careful to use only reputable websites.
Install and run anti-malware software in Safe Mode:
-Some malware prevents anti-malware software from installing or running.
-In this situation, try booting the system in Safe Mode or performing a clean boot and then installing the anti-malware software.
-To boot into Safe Mode, enter the msconfig command in the Run box > Boot tab > Safe boot > select "Network" in the list of options.
-Now download and install the anti-malware software and its updates and scan the system in Safe Mode.
Run an anti-malware scan before Windows boots:
-Microsoft offers a specialized utility called Windows Defender Offline (WDO) that loads before Windows and performs a scan in the Windows Preinstallation Environment (WinPE).
-WinPE is a limited version of Windows that can be used for customizing Windows installations, modifying the Windows installation while it's not running, or performing recovery tasks.
-To use WDO:
1. Settings > Update & Security > Windows Security > Virus & threat protection
2. Select Run new advanced scan > Windows Defender Offline scan > Scan now
3. After the scan completes, find information about the scan in the Virus & threat protection window by clicking Threat history.
-If you are unable to boot into Windows 10, or if you're working with an earlier version of Windows, use an uninfected computer to create a bootable CD or flash drive with the WDO tool and then boot from that device:
1. Depending on the architecture of the infected machine, download the 32-bit or 64-bit version of WDO from the Microsoft support website and save it to the flash drive or CD.
2. Boot from that WDO device, perform the scan, and check the results.
-Other anti-malware companies offer preinstallation scanning tools, also called rescue disks or bootable antivirus tools.
Run more than one scan of anti-malware software:
-Keep rebooting and running the scan until the scan comes up clean.
-If you have run it 3-4 times and still have symptoms of malware, install a different AV/AM product and run its scan a few times until it comes up clean.
-What one AV/AM product won't find, another one might.
-You might also try Microsoft Safety Scanner.
Clean up what's left over:
-There might be orphaned registry entries from the malicious software, startup entries, and registry entries that need cleaning up.
1. Respond to any startup errors
-On the first boot after the anti-malware software has declared the system clean, you might still find some startup errors caused by incomplete removal of the malware.
-Use System Configuration and/or Task Manager to find out how a startup program is launched.
-If the program is launched from the registry, you can back up and delete the registry key.
-If the program is launched from the startup folder, you can remove or delete the shortcut or program in the folder.
2. Research malware types and program files
-If you're not sure whether you should remove a suspicious file, or you find a strange process, look it up on a reputable malware encyclopedia:
-Process Library at processlibrary.com
-DLL Library by Uniblue Systems Limited at liutilities.com
-Anti-malware software websites
3. Delete files
-For each program file the anti-malware software told you it could not delete, delete the program files yourself by following these steps:
a. First try File Explorer or Windows Explorer to locate the file and delete it. For peace of mind, don't forget to empty the Recycle Bin when you're done.
b. If the file is hidden or access is denied, open an elevated command prompt window and use the commands in the picture on this card. If the commands don't work in an elevated command prompt window, use the commands in a command prompt window in Windows RE.
c. To get rid of other malware files, delete all Internet Explorer temporary files. Use the Disk Cleanup process in the Drive C: properties box, or delete the browsing history using the Internet Options box.
d. Delete all subfolders and files in the C:\Windows\Temp folder.
4. Clean the registry
-Appendix B in the book lists folders and registry keys that can affect startup.
-You can search these folders and keys and delete entries you don't want.
-After you have finished cleaning up the folders and registry, don't forget to restart the system and make sure all is well before you move on.
5. Clean up your browsers and uninstall unwanted programs
-Adware and spyware might install add-ons to a browser, install cookie trackers, and change your browser security settings.
-The anti-malware software might have found all these items, but as a good defense, take a few minutes and find out for yourself.
Zero-day attack
Can happen in two ways:
1. A hacker discovers a security hole in software that is unknown to the developer of the software.
2. A hacker takes advantage of a recently reported gap in software security before users apply patches released by the developer.
1. Identifying and Researching Malware Symptoms
IF IT'S HIGHLY INFECTED AND YOU HAVE DATA BACKUPS, FORMAT THE DRIVE AND REINSTALL THE OS
Pop-up ads and browser redirection:
-Basically, the user is losing control of his system.
-Pop-up ads are randomly appearing and the browser home page has changed.
-The browser might also have an uninvited toolbar.
-Security alerts -- real or spoofed -- regularly interrupt the user's activity.
Rogue antivirus software:
-When the user tries to run Windows Defender (anti-malware software embedded in Windows 8), it refuses to run.
-The user opens Action Center to find that Defender has been disabled because other antivirus software she did not install is running.
-Windows allows only one anti-malware product to run at a time.
-You can use Task Manager to stop the rogue antivirus software and then start Windows Defender.
Slow performance or lockups:
-Generally, the system works much slower than before.
-Programs take longer than normal to load.
-Strange or bizarre error messages appear.
-Programs that once worked now give errors.
-Task Manager shows unfamiliar processes running.
-The computer's operating system might lock up.
Internet connectivity issues, application crashes, and OS update failures:
-These types of problems seem to plague the system with no reasonable explanation that is specific to the network, applications, or Windows Update.
System and application log errors:
-The Administrative Events log in Event Viewer reports system and application errors, system crashes, application crashes, and failed OS updates.
Problems with files:
-File names now have weird characters or their file sizes seem excessively large.
-Executable files have changed size or file extensions change without reason.
-Files mysteriously disappear or appear.
-Windows system files are renamed.
-Files constantly become corrupted.
-Files you could once access now give access-denied messages, and file permissions change.
Email problems:
-You receive email messages from other users saying you have sent someone spam or an infected message, or you receive automated replies indicating you sent email you didn't know about.
-This type of attack indicates that your email address or the email client software on your computer has been hijacked.
-Extra spam you're not accustomed to seeing shows up.
Problems updating your anti-malware software:
-Even though you can browse to other websites, you cannot access anti-malware software sites such as Symantec.com or mcafee.com, and you cannot update your anti-malware software.
Invalid digital certificates:
-An OS is responsible for validating certificates used to secure communication.
-For Windows, Microsoft maintains a database of trusted root certificates issued by Certificate Authorities (CAs).
-Root certificate: the original certificate issued by the CA.
-When a Windows system opens a secure email or visits a secure website and encounters a new digital certificate, it requests Microsoft's trusted root certificate, which is downloaded to the computer.
-If Windows cannot obtain the root certificate to validate the email or website, it displays an error.
-Don't trust websites or emails whose certificates have expired or been revoked.
-You can use certmgr.msc to view and delete root certificates.
-The Superfish virus injects a rogue root certificate into the Microsoft store of trusted certificates on the local computer so that it can perform a man-in-the-middle attack to display adware on secure websites a user visits.
-When partition table information is destroyed on a hard drive, the drive can appear to be physically damaged.
Regulated Data, Licensing, and Security Policies
Regulatory and compliance policies:
-Regulated data are certain types of data that are protected by special government regulations.
-Regulatory and compliance policies are a variety of regulations, policies, and laws.
-For example, in the health-care industry patient data is highly regulated, and hospitals have compliance officers to make sure the hospital stays compliant.
Personal identity:
-PII (personally identifiable information) is a legal term to describe data that can uniquely identify a person, including a Social Security number, email address, physical address, birthdate, birth place, mother's maiden name, marital status, phone numbers, race, and biometric data.
-Some PII is more sensitive than other information and should be protected more vigilantly.
Health information:
-PHI (protected health information) includes any data about a person's health status or health care.
-This data is protected by regulations defined in HIPAA (Health Insurance Portability and Accountability Act), passed in 1996.
-HIPAA gives patients the right to monitor and restrict the sharing of their medical information.
-Hospitals, medical personnel, and other entities covered by HIPAA regulations risk steep penalties for privacy breaches.
Credit card data:
-Payment Card Industry (PCI) standards were defined to help prevent credit card fraud and are backed by all major credit card brands (Visa, MasterCard, and others).
-PCI standards apply to how credit card data is transmitted (such as when receiving payments) and stored (such as when keeping records of recurring billing) by vendors, retailers, and financial institutions.
Citizens of the EU:
-The GDPR (General Data Protection Regulation) is a group of regulations implemented in 2018 by the European Union (EU) to protect the personal data of EU citizens, giving them control over how their data is collected, stored, and shared.
-The GDPR also includes requirements for how individuals should be notified in the event their data is hacked.
-Covered personal data includes name, address, photos, IP address, genetic information, and biometric data that uniquely identifies a person.
Software licensing:
-When an individual or organization purchases the right to install one instance of software, the license is called a personal license.
-By purchasing a site license, also called an enterprise license, a company can obtain the right to multiple installations of the software.
-Digital rights management (DRM): measures a vendor uses to control the use of its software (for example, a personal product key can only be used for one installation or one device, not two).
Incident response for prohibited content and activities:
-Employees of an organization are often asked to agree to an acceptable use policy (AUP) that documents a code of conduct when using corporate resources.
-Incident: when an employee or other person has negatively affected the safety of corporate resources, violated the code of conduct for the organization, or committed a crime.
-When starting a new job, ask your employer what procedures you follow for incident response.
-If you're the first person to discover an incident, such as use of prohibited content or other activities, you're responsible for performing certain first-response duties.
Things to know about incident response:
1. Identify and go through proper channels - when you identify what you believe to be an infringement of the law or the company's code of conduct, where do you report the issue? DON'T spread rumors or accusations.
2. Preserve data and devices - what data or device should you immediately preserve as evidence for what you believe happened? For example: should you remove and secure the hard drive or the entire PC?
3. Incident documentation - documentation surrounding the evidence of an incident is important to prevent future incidents and crucial to a criminal investigation. What documentation are you expected to submit, and to whom is it submitted?
-This documentation might track the chain of custody for the evidence and how the evidence was secured while it was in your possession.
-It also includes a paper trail of each person to whom the evidence has been passed on and when.
-More information than a signature, such as a copy of a driver's license, might be required to identify people in the chain of custody.
Grayware
Any annoying and unwanted program that might or might not intend harm. Example: adware that produces all those unwanted pop-up ads.
Multifactor Authentication (MFA) and Two-Factor Authentication
MFA requires one or more additional factors or actions to authenticate beyond the single-factor password.
Two-factor authentication (most often used) involves two of the following: what the user
-Knows, such as a password
-Possesses, which is called a token (smart card, key fob)
-Does, such as typing a certain way
-Is, which is called biometric data (fingerprint, etc.)
2FA/MFA should NOT be used as a replacement for a normal password but as an addition to it.
5. Protecting The System With Scheduled Scans and Updates
Use anti-malware software:
-Keep AV/AM up to date.
-Make sure it runs in the background in real time to alert users of malware that attempts to run or install.
-Make sure it automatically scans incoming email attachments.
-Make sure it performs scheduled scans of the system and automatically downloads updates to the software.
Always use a software firewall:
-Never, ever connect your computer to an unprotected network without using a firewall.
-Windows Firewall is turned on by default.
-You can configure Windows Firewall to allow no uninvited communication or to allow the exceptions that you specify.
Keep Windows updates current:
-Turn on Automatic Updates, or have a scheduled time to update the system ASAP when an update is rolled out by Microsoft.
Good sites to debunk a Virus Hoax or email hoax
snopes.com
securelist.com
virusbtn.com
Hardware Security Tokens
Smart card:
-A smart card used as a security token has an embedded microprocessor, which is usually installed on the card under a small gold plate.
-The microprocessor contains information that is read by a smart card reader or badge reader when the device is inserted into the reader or transmitted wirelessly.
-Most smart cards can receive information from the card reader to confirm that the reader is authentic -- called mutual authentication, which occurs when authentication goes in both directions at the same time and both entities confirm the identity of the other.
-Because a smart card contains a microprocessor and data, it's considered both a hardware token and a software token.
Key fob:
-A key fob is a hardware token that fits conveniently on a keychain.
-It contains a number that changes every 60 or so seconds.
-When the user signs in to the network, he must enter the number on the key fob, which is synchronized with the network authentication service.
-Entering the number proves that the user has the key fob in hand; because the device doesn't actually make physical contact with the system, it's called a contactless or disconnected token.
Zombies and botnets
Zombie: a computer that has been hacked, and the hacker is using the computer to run repetitive software in the background without the knowledge of its user. A zombie might be email spamming or performing DDoS attacks. A hacker might build a network of zombies, which is called a botnet (a network of robots). The CryptoLocker Trojan program was distributed by a botnet and was ultimately isolated when the botnet was taken down.
User Education
Social engineering: the practice of tricking people into giving out private information or allowing unsafe programs into the network or computer.
Acceptable use policy (AUP):
-Explains what users can and cannot do on the corporate network or with company data, and explains the penalties for violations.
-Might also describe how these measures help protect the network's security.
Tailgating: when an unauthorized person follows an employee through a secured entrance to a room or building, OR when a user steps away from a computer that's not properly locked and another person continues to use the Windows session.
Shoulder surfing: when other people secretly peek at your monitor as you work -- a privacy filter can help with this.
Dumpster diving: looking for useful information in someone's trash to help create a convincing impersonation of an individual or company to aid in a malicious attack. Solved by shredding all papers and printouts before recycling and educating users about the importance of shredding.
Phishing: a type of identity theft in which the sender of an email hoax scams you into responding with personal data about yourself.
Spear phishing: where the email appears to come from companies you already do business with. It typically asks you to verify personal data on your bank account, ISP account, credit card account, etc.
Spoofing: when the threat actor makes the website and email look official even though it's fake.
If you think it is legit: to keep a script from running on a link, type the website's home page into your browser address bar and navigate to the relevant page on the website. NEVER CLICK THE LINK.
Software Security Token
Software tokens can be security tokens stored as an app or a digital certificate.
Software token apps:
-Sometimes called authenticator apps, they are installed on your smartphone or other computing device and can perform the same service as a key fob, providing a counter or number generator that serves as one factor in multifactor authentication.
Digital certificates:
-A digital certificate is a digital signature that proves a person or entity, such as a web server, is who they say they are.
-A digital certificate is a small file that holds information about the identity of the person or entity.
-A public encryption key is used to prove the certificate is legitimate and is similar to a notary verifying that a signature is legitimate.
-The digital certificate and public encryption key are assigned by a Certificate Authority (CA) that has confirmed your identity in a separate process.
-VeriSign (verisign.com) and GlobalSign (globalsign.com) are two well-known CAs.
-You can purchase a digital certificate from a CA and then install it on your desktop, laptop, or other computing device, possibly even on a flash drive or smart card.
-Digital certificates are used to authenticate individuals (such as to digitally sign and encrypt email or connect to a VPN), software (Windows can require that device drivers be digitally signed), or server applications (many web servers are digitally signed).
Physical Security and Access Controls
If the data is really private, keep it behind a locked door or under lock and key:
-Keep the PC with the sensitive data in a locked and secured room.
-Biometric locks require special input called biometric data to identify a person by fingerprint, handprint, face, retina, iris, voice, or handwritten signature.
Use server locks or cable locks:
-Some computer cases allow you to add a lock so that you can physically prevent others from opening the case -- called server locks.
-A cable lock, or Kensington lock, is used to secure a laptop or other computer to a table so someone can't walk away with it.
-Most laptops have a Kensington Security Slot, or K-Slot.
Secure ports with port locks:
-These keep physical ports secure, not allowing an adversary to easily plug a USB, RJ-45, or other cable into the computer.
-The USB lock by PadJack Inc. consists of three pieces; once on a port, these pieces cannot be removed without damaging the port or destroying the lock.
-There are also port locks that lock a cable into place so it cannot easily be removed.
Use privacy screens:
-A privacy screen/filter fits over the screen to prevent it from being read from a wide angle.
-It is good for tight quarters such as an airplane, bus, subway, receptionist desk, or other exposed locations.
Install a theft-prevention plate:
-You can embed a theft-prevention plate into the case and engrave or tattoo your ID information on it.
-The numbers or barcode identify you as the owner and can clearly establish to police that the laptop has been stolen.
-Two sources of theft-prevention plates and cable locks are Flexguard Security System (flexguard.com) and Computer Security Products (computersecurity.com).
Use a mantrap and security guard:
-A mantrap consists of two doors on either end of a small entryway, where the first door must close and/or lock before the second door can open.
-A separate form of identification might be required for each door, such as a badge for the first door and a fingerprint scan for the second door.
-Entry control roster: a list of people allowed into the restricted area and a log of any approved visitors. Security guards use this.
Types of Documentation
Knowledge base:
-A collection of articles containing text, images, or video that give information about a network, product, or service.
-Two examples of where this is used:
1. Customer service - To better support customers, a company might publish a knowledge base about its products or services on its website. Tech support specialists have access to a knowledge base to aid in helping customers during support calls. It is usually integrated into a ticket system.
2. IT training and troubleshooting - As IT personnel install, configure, and troubleshoot devices and software, the information they learn can be documented in the IT department's knowledge base so it's readily available for future troubleshooting and for training new IT personnel.
Inventory management:
-Documents inventory, including end-user devices, network devices, IP addresses, software licenses, and related licenses.
-Hardware inventory might track equipment by using asset tags and theft-prevention plates.
Password policy:
-ALWAYS have a password policy: length, special characters, time to expire, etc.
Network topology diagrams:
-Maps of a network's topology.
-Topology refers to the pattern in which devices on a network are connected with each other.
Characteristics of TACACS+ (Terminal Access Controller Access Control System Plus)
Primary use: Intended for Cisco network device administrative access
Encryption: Encrypts every message
Underlying protocol: The TACACS+ protocol uses TCP to guarantee transmissions over a corporate network
Network types: Works on wireless, wired, and VPN network connections
Characteristics of RADIUS (Remote Access Dial-In User Service)
Primary use: Intended for end-user network access
Encryption: Encrypts user passwords only
Underlying protocol: The RADIUS protocol uses UDP, which does not guarantee transmissions over the corporate network
Network types: Works on wireless, wired, and VPN network connections
AAA (authentication, authorization, and accounting) or Triple A
-Two AAA solutions are RADIUS and TACACS+.
RADIUS (Remote Access Dial-In User Service):
-Was originally developed to authenticate end users accessing resources on a network through dial-up connections and has evolved to other types of connections to a network, including wired, wireless, and VPN.
TACACS+ (Terminal Access Controller Access Control System Plus):
-Was developed by Cisco to improve on RADIUS for AAA services, specifically designed for network administrators and technicians to remotely connect to a network to configure and manage Cisco network devices, such as routers, switches, and firewalls.
-RADIUS and TACACS+ can each work with Active Directory or some other type of directory server to authenticate and authorize users; sometimes both are used on the same network.
-RADIUS and TACACS+ each support wireless, wired, and VPN connections.
-Both use a client, a server, and a user directory:
Client:
-A RADIUS or TACACS+ client can be a wireless access point (WAP) or switch that receives the initial connection from the user's laptop or other device.
-It is responsible for querying the RADIUS or TACACS+ server to authenticate the user before allowing the user on the network.
Server:
-A RADIUS or TACACS+ server authenticates the user by querying a user directory.
-Cisco calls its TACACS+ server the Identity Services Engine server (ISE server).
User directory:
-The RADIUS or ISE server queries a user directory or database, where user credentials are stored.
-Active Directory is the most popular user directory for today's large networks.
Noncompliant systems and violations of security best practices
-A sysadmin needs techniques in place to routinely scan BYOD and corporate-owned smartphones, tablets, laptops, desktops, and servers for noncompliant systems that violate security best practices, such as out-of-date anti-malware software or cases where it's not installed.
-System Center Configuration Manager by Microsoft is designed to scan devices for noncompliance.
-It works with Microsoft Intune.
-Intune focuses specifically on mobile devices that connect to a corporate network.
7. Educating the End User
-After the system is clean and patched, sit down with the user and go over tips to keep the system free from malware.
-No matter how much protection you put in place, the end user can still download and run malware from attachments, malicious downloads, visiting unprotected sites, etc.
Denial of service (DoS) or DDoS
-A DoS attack overwhelms a computer or network with requests or traffic until new connections can no longer be accepted.
-A DDoS attack happens when multiple computers are involved in the attack.
-DDoS attacks are sometimes performed by botnets.
2. Quarantining an Infected System
-If an infected computer is connected to a wired or wireless network, immediately disconnect the network cable or turn off the wireless adapter.
-You don't want to spread a virus or worm to other computers on your network.
-A quarantined computer is not allowed to use the regular network that other computers use.
-If you need to use the internet to download anti-malware software or its updates, take some precautions first:
-Can you connect to a special sandboxed/quarantined network that has internet access?
-Can you disconnect other computers from the network so only the infected machine will be online?
-If neither option is available, attempt to boot the PC in Safe Mode with Networking or after a clean boot.
-Malware might still be running in Safe Mode or after a clean boot, but it's less likely to do so than when the system is started normally.
BACK UP THE DATA TO ANOTHER SYSTEM AND CHECK IT FOR INFECTION
6. Enabling System Protection and Creating a Restore Point
-Now that the system is clean, you can turn System Protection back on if necessary and create a restore point.
Data Destruction and Disposal
-PREVENT DIGITAL DUMPSTER DIVING FROM BEING SUCCESSFUL FOR ATTACKERS TO GATHER DIGITAL INFORMATION
Overwrite data on the drive:
-A drive needs to be wiped clean before you recycle or repurpose it.
-With older magnetic drives, an end user could perform a low-level format of a drive to redefine the sector marks on the drive's platters, making the existing data inaccessible.
-To wipe a drive, end users can use a zero-fill utility that overwrites all data on the hard drive with zeros; this is sometimes inaccurately called a low-level format.
-Make sure to run the zero-fill utility multiple times, because it is known that data can be recovered up to, and maybe past, 14 re-format levels.
For solid-state devices, use a Secure Erase utility:
-ATA Secure Erase standards were created by the American National Standards Institute to wipe clean a solid-state device such as a flash drive or SSD.
-Most drive manufacturers have a utility on their website you can download and use to wipe the drive clean so you can reuse or dispose of it.
Physically destroy the storage media:
-Use a drill to drill many holes all the way through the drive housing.
-Break CDs and DVDs in half, and do similar physical damage with a hammer to flash drives or tapes, even to the point of setting them on fire to incinerate them.
-Expert thieves can still recover some of the data.
For magnetic drives, use a degausser:
-A degausser exposes a storage device to a strong electromagnetic field to completely erase the data on the magnetic hard drive or tape drive.
-A degaussed drive can't be reused, but for the best destruction, use the degausser and then physically destroy the drive.
-Degaussing does not erase data on a solid-state hard drive or other flash media, because these devices don't use magnetic surfaces to hold data.
Use a shredder:
-Use a shredder to destroy paper data.
-Use a multimedia shredder to destroy optical discs.
-Use disk drive shredders, which can destroy magnetic hard drives, solid-state drives, flash drives, optical discs, and even mobile devices such as smartphones or small tablets.
Use a secure data-destruction service:
-For the very best destruction, consider a secure data-destruction service.
-Make sure the service meets and guarantees the legal compliance that your organization is required to meet.
-The service should provide you with a digital certificate of destruction, which verifies that the data has been destroyed beyond recovery.
-Paper certificates can be forged, but digital certificates produced by the software that performs the destruction will provide auditable results of the destruction process.
Rainbow Tables
-Contain a long list of plaintext passwords, just as users would enter them, and the corresponding list of password hashes (each password after it is hashed).
-Organizations store only hashed passwords and not plaintext passwords.
-When a hacker obtains a stolen list of hashed passwords, she can compare this list with those in her rainbow tables to find a match.
-When two hashed passwords match, she can use the plaintext password in the rainbow table to sign in to the system, impersonating the user.
-Rainbow table attacks make password cracking faster than dictionary cracking or brute force cracking.
-The best defense is to use the latest hashing techniques to encrypt passwords and to add extra characters to the password before hashing (called salting the hash).
Trojans
-Does not need a host program to work.
-It substitutes itself for a legitimate program.
-In most cases, a user launches it thinking she is launching a legitimate program.
-Often embedded in the files of legitimate software that is downloaded from an untrustworthy website, or a user is tricked into opening an email attachment.
Ransomware
-Holds your computer system hostage until you pay money.
-Example: the CryptoLocker Trojan program that did damage in 2014 was embedded in email attachments and was known to work on Windows, Android, and even some iOS systems.
-When the user clicked the attachment, the program encrypted the computer's personal files.
-If the user didn't pay within a 24-hour period, all the files were lost.
-Many users who did not have backups of their data chose to pay the ransom.
-A computer infected with ransomware can infect all computers on the network and even cloud servers to which the computer connects.
-The best defense against ransomware is to keep backups of your data that are not accessible through Windows Explorer or the computer: basically, a separate, disconnected backup.
Worms
-Is a program that copies itself through a network or the Internet without a host program.
-Creates problems by overloading the network with replicates and can even hijack or install a server program such as a web server.
Virus
-Is a program that replicates by attaching itself to other programs.
-The program might be an application, a macro in a document, a Windows system file, or a boot loader program.
Change Management
-Is closely related to project management and often involves the same teams.
-A change manager might work with the same team to define how the software will affect people and manage all communication, scheduling, training, and support required so that affected people are satisfied, embracing and accepting the end result.
Documented Business Processes:
-Are related activities that lead to a desired business goal, such as an efficient and cost-effective service, excellent customer satisfaction, or a superior product.
-For example, if customer satisfaction is a defined business goal, IT operational processes might describe how customers are taken care of, how support tickets are documented, and how customer satisfaction is measured.
-As change happens, be aware of how this change affects documented business processes. For example, suppose help-desk software is changed so that the customer's electronic signature is required when a ticket is closed. If you forget the electronic signature, your company may not be able to collect payment or follow up with the customer for a satisfaction survey.
Purpose of Change:
-Questions to answer in the request:
1. What will change?
2. What is the current situation and expected outcome?
3. Why is the change needed?
4. What happens if the organization does not initiate this change?
5. How will the success of the change be measured?
-Change Advisory Board (CAB): meets on a regular basis to assess, prioritize, authorize, and schedule changes.
-The change manager and other representatives approve changes based on the recommendations of the change advisory board.
Change Plan and Scope:
-The change plan defines the scope of the change.
-The scope of change outlines:
1. Key components of the change and how they will be addressed
2. Skill sets, tasks, and activities required to carry out the change
3. Individuals or departments that will participate to carry out the change
4. How the success of the change is measured and when the change is complete
-The scope of change defines your responsibilities in the change plan.
Risk Analysis:
-Is the process of identifying potential problems so there are no surprises or crisis situations once the change begins.
-A risk refers to a problem (event, situation, or condition) that may or may not occur as a result of the change.
Back-Out Plan:
-What if a change goes bad, really bad?
-A back-out plan defines the activities needed to recover to the original state in the event of an aborted or failed change implementation.
-The back-out plan is created and sometimes tested even before the change starts, and includes detailed steps to restore service to users.
End-User Acceptance:
-End-user acceptance of change often fails because the focus of the change is on the technical side rather than the people side.
-To gain end-user acceptance, users must know:
1. The purpose of the change, specifically the business reasons for the change.
2. That the leadership of the company agrees with the change.
3. How the change will affect them and their job.
4. How to get their individual concerns and questions answered and how their voices will be heard.
5. That they will receive end-user training for the changes that impact them.
-Request for comments (RFC): a request for feedback before the change is implemented.
-Technical users often have valuable input in the RFC process.
-Users who struggle with change will appreciate your empathetic and positive outlook.
-When a proposed change has been clearly communicated and the user understands "what's in it for me," you have made a significant contribution to a successful change.
Document Changes:
-NO PART of change management should rely on spoken communication.
-Everything, I mean everything, should be documented, even how the change process works.
-Some large companies use change management software, such as Alloy Software (alloy-software.com), to manage all stages of change management, from the change request form to the final closing report.
-Small companies may use MS Word, Excel, and database software to document change management.
Spyware
-It spies on you to collect personal information that it transmits over the Internet to web-hosting sites.
-An example of spyware is a key logger.
Key logger:
-Tracks all your keystrokes and can be used to steal your identity, credit card numbers, Social Security numbers, bank information, passwords, emails, addresses, etc.
Rootkits
-Loads itself before the OS boot is complete.
-Can hide in boot managers, boot loader programs, or kernel-mode device drivers.
-UEFI Secure Boot is especially designed to catch rootkits that launch during the boot.
-Because a rootkit is already loaded when most anti-malware software loads, it is sometimes overlooked by the software.
-Can hide folders that contain software it has installed, cause Task Manager to display a different name for its process, hide registry keys, and can operate in user mode or kernel mode.
-Running in user mode, it intercepts API calls between the time the API retrieves the data and when it is displayed in a window.
-Running in kernel mode, it actually interferes with the Windows kernel and substitutes its own information in place of the raw data read by the Windows kernel.
-Because most anti-malware software relies to one degree or another on Windows tools and components to work, the rootkit is not detected or cannot be deleted if the Windows tools themselves are infected.
-If anti-malware software reports that a rootkit is present but cannot be deleted, the best solution is to immediately disconnect the computer from the network, back up your important data, format your hard drive, and reinstall Windows.
3. Disabling System Restore
-Some malware hides its program files in restore points stored in the System Volume Information folder that's maintained by System Protection.
-If System Protection is on, anti-malware software can't clean this protected folder.
-To get rid of the malware, turn off System Protection so that anti-malware software can clean the System Volume Information folder.
-Realize that when you turn off System Protection, ALL your restore points are lost, so first consider whether you might need those restore points to troubleshoot the malware infection before you disable System Protection.
-If Windows won't allow anti-malware software to run, you might try restoring the system to a restore point from before the infection, because this might remove the startup entries the malware is using and may allow anti-malware software to run in Safe Mode or a regular Windows boot.
-If you turned off System Restore, DON'T forget to turn it back on when the system has been cleaned of infections.