Ch 13 Security


7 Step Best Practice Procedure for Malware Removal

1. Identify and research malware symptoms
2. Quarantine infected systems
3. Disable System Restore (in Windows)
4. Remediate infected systems
5. Schedule scans and run updates
6. Enable System Restore and create restore points (in Windows)
7. Educate the end user

Data is moved/copied to a different volume

Will inherit new permissions

Dumpster Diving

in-person type of attack where the attacker rummages through trash to find confidential documents

Local accounts are stored

in the Local Security Accounts database of the local machine

Tailgating

in-person attack where the attacker quickly follows an authorized person into a secure location

Shoulder surfing

in-person type of attack where the attacker inconspicuously looks over someone's shoulder to steal information

Spam

junk mail: unsolicited email which often contains harmful links, malware, or deceptive content

Account Lockout Policy

helps prevent brute force attacks

TPM

specialized chip on the motherboard; stores information specific to the host computer such as encryption keys, digital certificates, and passwords

Syn flood

type of DoS attack that exploits the TCP 3-way handshake: the attacker sends continuous false SYN requests to the target; the target is eventually overwhelmed and unable to respond to valid SYN requests, creating a DoS condition

WPA2

uses a wireless encryption system to encode the information being sent, to prevent unwanted capture and use of data

Rootkit

used to gain administrator-level account access to a computer and control it remotely; very difficult to detect

Electromagnetic degaussing device

useful for erasing multiple drives; consists of a magnet with an electrical current applied to it to create a very strong magnetic field that disrupts/eliminates the magnetic field on a hard drive; expensive but fast

An unauthorized wireless access point is discovered

A user added a wireless AP to increase range; enforce the security policy

Domain accounts are stored in

Active Directory on a Windows Server Domain Controller (DC), and are accessible from any computer joined to the domain

The Active Directory Users and Computers console on Windows servers is used to manage

Active Directory users, groups, and Organizational Units (OUs).

Firewall Operation

Allow: traffic from any external address to the web server, FTP server, SMTP server, and internal IMAP server
Deny: all inbound traffic with network addresses matching internally registered IP addresses; all inbound traffic to servers from external addresses; all inbound ICMP echo request traffic; all inbound MS Active Directory queries; all inbound traffic to MS SQL Server queries; all MS domain local broadcasts

Many anti-malware programs can be set to run on system start before loading Windows

Allows the program to access all areas of the disk without being affected by the OS or any malware

Distributed DoS

Amplified DoS attack using many infected hosts (zombies) to overwhelm targets. Attackers control the zombies using a handler computer; a botnet is an army of compromised hosts. Botnets remain dormant until instructed by the handler, and can also be used for spam and phishing attacks.

Denial of Service

Attacker overwhelms the target device with false requests to create a denial of service for legitimate users. Can also cut/unplug a network cable to cause an outage.

Types of viruses

Boot sector: attacks the boot sector, file partition table, or file system
Firmware
Macro: uses the MS Office macro feature maliciously
Program
Script: attacks the OS interpreter used to execute scripts

Users are being redirected to malicious websites

Compromised domain name resolution = DNS spoofing. Use ipconfig /flushdns

An unknown printer repair person is observed looking under keyboards and on desktops

Contact the police

Types of Secure Locks

Conventional, deadbolt, electronic, token-based, biometric, multifactor

The OS System Restore service may include infected files in restore points, so what should you do once the computer has been cleaned of any malware?

Delete the System Restore files

Your email contacts report spam coming from you

The email account has been hijacked

Users with flash drives are infecting computers on the network with viruses

Flash drives aren't scanned by the antivirus software when a network computer accesses them

Standard Format

High-level formatting; the process creates a boot sector and file system. A standard format can only be performed after a low-level format.

Security Policies

Identification and authentication policies
Password policies
Acceptable use policies
Remote access policies
Network maintenance policies
Incident handling policies

Data is copied to the same volume

Inherits new permissions

Web Browser Security Features

InPrivate browsing, pop-up blocker, ActiveX filtering, SmartScreen filter

Data is moved to the same volume

Keeps original permissions

secpol.msc

Local Security Policy in Windows 8, 8.1, and 10

Exploitation Tools

Metasploit, Core Impact

User is receiving tons of junk emails each day

The network isn't providing detection/spam protection for the email server

Vulnerability Scanners

Nipper, Secunia PSI

Port scanners

Nmap, SuperScan

Firewall configurations

Packet filter (traffic can be filtered based on different attributes such as source IP address/port, destination IP address/port, and destination services/protocols)
Stateful Packet Inspection (SPI)
Application layer proxy

Types of trojan horses

Remote-access
Data-sending
Destructive
Proxy (uses the victim computer as the source device to launch attacks)
FTP
Security software disabler
Denial of service
Keylogger

Zero Day

Sometimes referred to as a zero-day attack/threat/exploit; this is the day an unknown vulnerability has been discovered by the vendor

Browser opens page other than what the user is attempting to access

Spyware

To fix some issues caused by viruses, it may be necessary to boot the computer using what?

The Recovery Console, which is able to perform functions such as repairing the boot file and writing a new master boot record/volume boot record.

Low level format

The surface of the disk is marked with sector markers identifying the tracks where data will be physically stored on the disk. Most often performed at the factory after the hard drive is assembled.

lusrmgr.msc

Used to configure all of the users and groups on a computer using the Local Users and Groups Manager

System files have been renamed, applications crash, files are disappearing, file permissions have been changed

Virus

Your wireless network is compromised even though 128-bit WEP encryption is used

WEP can be decrypted using commonly available hacking tools; upgrade to WPA and use MAC address filtering

Since 2006, any device that bears the Wi-Fi Certified logo is

WPA2 certified

Degaussing wand

Wand with a very powerful magnet, held over the exposed hard drive platters to disrupt/eliminate the magnetic field on the hard drive; must be held for approx. 2 mins

WPS

Wi-Fi Protected Setup: both the router and the wireless device have a button that, when both are pressed, automatically configures Wi-Fi security between the devices. A software solution using a PIN is also common. WPS is not entirely secure; it's vulnerable to brute force attacks and should be turned off as a best practice.

wf.msc

Windows Defender Firewall with advanced features: inbound and outbound rules, connection security rules, monitoring

The security alert is displayed

Windows Firewall is disabled, virus definitions are out of date, or malware has been detected

Trojan horse

a program that looks useful but also carries malicious code.

Replay

a type of spoofing attack where the attacker has captured an authenticated packet, altered its contents, and sent it to its original destination

Data wiping software

aka secure erase; software tools specifically designed to overwrite existing data multiple times until it's unreadable

Pretexting

an attacker pretends to need personal/financial data in order to confirm the identity of the recipient

Spear phishing

attacker creates a targeted phishing attack tailored specifically for an individual/organization

Spoofing

attacker forges IP addresses to gain access to resources

DNS poisoning

attacker infects a host to accept false DNS records pointing to malicious servers; traffic is diverted there to capture confidential information

Man in the Middle

attacker intercepts communications between two hosts; can be created using an ARP poisoning spoofing attack

Baiting

attacker leaves a malware-infected flash drive in a public location. The victim finds it and plugs it into their computer.

Impersonation

attacker pretends to be someone to gain trust

Something for something

attacker requests personal information from a party in exchange for something such as a free gift

Phishing

attacker sends a fraudulent email disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device or sharing personal/financial information

Right

authorizes a user to perform certain actions on a computer (backing up files, shutting down the computer, etc.)

Software Firewall

available as 3rd-party software (cost varies; a free version is included with the Windows OS); typically only protects the computer it is installed on; uses computer resources (potential impact on performance)

Heuristic malware identification techniques

can detect specific behavior associated with some types of malware

Adware

can display unsolicited advertising using pop-up web browser windows or new toolbars, or unexpectedly redirect a webpage to a different website. Usually distributed by downloading online software; fast pop-up windows

Hardware Firewall

dedicated hardware component; initial cost for hardware and software updates can be expensive; multiple computers can be protected; no impact on performance. Passes 2 types of traffic into your network: responses to traffic that originates from inside your network, and traffic destined for a port that you have intentionally left open

Permissive settings vs restrictive settings

easier to implement, less secure, easier to hack vs. harder to implement, more secure, more difficult to hack

BitLocker

encrypts an entire hard drive. At least 2 volumes must be present on the hard disk. A system volume is left encrypted and must be at least 100 MB; this volume holds the files required by Windows to boot. Built into the Windows Enterprise editions, Windows 7 Ultimate, 8 Pro, and 10 Professional. The Trusted Platform Module must be enabled in the BIOS.

Ransomware

encrypts files on the target and demands that a ransom be paid for the decryption key to decrypt the files; no up-to-date backups = pay the fee

Symmetric Encryption

ensures confidentiality of the message; both sides of the encrypted conversation must use the same encryption key to encode and decode data. Advanced Encryption Standard (AES) and the older Triple Data Encryption Algorithm (3DES)

Hash encoding/hashing

ensures integrity of the message. Uses a mathematical function to create a numeric value (message digest) unique to that data. The function can only be used one way. Secure Hash Algorithm (SHA) is replacing Message Digest 5 (MD5)

Firewall services can be provided as:

Host-based (Windows Defender Firewall)
Small office/home office (SOHO) (provides routing and Wi-Fi services, NAT, DHCP, and firewall)
Small to medium-sized organization: network-based solution using a dedicated device such as a Cisco Adaptive Security Appliance (ASA), or enabled on a Cisco Integrated Services Router (ISR). These use Access Control Lists to filter packets

User receives access denied errors when attempting to open files

malware has changed the permissions of the files

Zero hour

moment when the exploit is discovered

Non-compliant system

one which has not been updated with OS or application patches, or is missing antivirus and firewall security software

Organizational Units

provide a way to subdivide a domain into smaller administrative units

Shared Key

provides mechanisms to authenticate and encrypt data between a wireless client and an AP or wireless router
WEP: Wired Equivalent Privacy, the original 802.11 spec for securing WLANs; however, the encryption key never changes when exchanging packets, making it easy to crack
WPA: Wi-Fi Protected Access; uses WEP but secures data with the much stronger Temporal Key Integrity Protocol (TKIP) encryption algorithm, which changes the key for each packet (much more difficult to crack)
802.11i/WPA2: now the industry standard for securing WLANs; uses the Advanced Encryption Standard (AES, the strongest encryption protocol)

Virus

requires human action to propagate and infect other computers. Hides by attaching itself to computer code, software, or documents. Can alter/corrupt/delete files, erase drives, cause booting issues, corrupt applications, steal sensitive information, access and use email accounts to spread, and lie dormant until summoned by the attacker

Asymmetric Encryption

requires a private and a public key. RSA, smart cards

Permission

rule that is associated with an object; regulates which users can have access to that object and in what manner

Worm

self-replicating program that propagates automatically without user action by exploiting vulnerabilities in legitimate software; uses the network to search for other victims with the same vulnerability; slows/disrupts network operations

Spyware

similar to adware; used to gather information; can be a low or high threat

Malware

software developed by cybercriminals to perform malicious acts.
