Ch 13 Security
7 Step Best Practice Procedure for Malware Removal
1. Identify and research malware symptoms
2. Quarantine infected systems
3. Disable System Restore (in Windows)
4. Remediate infected systems
5. Schedule scans and run updates
6. Enable System Restore and create restore points (in Windows)
7. Educate the end user
Data is moved/copied to a different volume
Will inherit new permissions
Dumpster Diving
in-person attack where the attacker rummages through trash to find confidential documents
Local accounts are stored
in the Local Security Accounts database of a local machine
Tailgating
in-person attack where the attacker quickly follows an authorized person into a secure location
Shoulder surfing
in-person attack where the attacker inconspicuously looks over someone's shoulder to steal information
Spam
junk mail; unsolicited email which often contains harmful links, malware, or deceptive content
Account Lockout Policy
helps prevent brute force attacks
TPM
specialized chip on the motherboard that stores information specific to the host computer, such as encryption keys, digital certificates, and passwords
SYN flood
type of DoS attack that exploits the TCP three-way handshake: the attacker sends a continuous stream of false SYN requests to the target, which is eventually overwhelmed and unable to respond to valid SYN requests, creating a denial of service
WPA2
uses a wireless encryption system to encode the information being sent, preventing unwanted capture and use of the data
Rootkit
used to gain administrator-level access to a computer and control it remotely; very difficult to detect
Electromagnetic degaussing device
useful for erasing multiple drives; consists of a magnet with an electrical current applied to it to create a very strong magnetic field that disrupts/eliminates the magnetic field on a hard drive; expensive but fast
An unauthorized wireless access point is discovered
A user added a wireless AP to increase range; enforce the security policy on that user
Domain accounts are stored in the
Active Directory on a Windows Server Domain Controller (DC) and are accessible from any computer joined to the domain
Active Directory Users and Computers console on Windows servers is used to manage
Active Directory users, groups, and Organizational Units (OUs).
Firewall Operation
Allow: traffic from any external address to the web server, FTP server, SMTP server, and internal IMAP server
Deny: all inbound traffic with network addresses matching internal-registered IP addresses; all inbound traffic to server from external address; all inbound ICMP echo request traffic; all inbound MS Active Directory queries; all inbound traffic to MS SQL server queries; all MS domain local broadcasts
Many anti-malware programs can be set to run on system start before loading Windows
Allows the program to access all areas of the disk without being affected by the OS or any malware
Distributed DoS
Amplified DoS attack using many infected hosts (zombies) to overwhelm targets. Attackers control the zombies using a handler computer; a botnet is an army of compromised hosts. Botnets remain dormant until instructed by the handler, and can also be used for spam and phishing attacks.
Denial of Service
Attacker overwhelms the target device with false requests to create a denial of service for legitimate users. Can also be caused by cutting/unplugging a network cable to create an outage.
Types of viruses
Boot sector: attacks the boot sector, file partition table, or file system
Firmware
Macro: uses the MS Office macro feature maliciously
Program
Script: attacks the OS interpreter used to execute scripts
Users are being redirected to malicious websites
Compromised domain name resolution (DNS spoofing). Use ipconfig /flushdns
An unknown printer repair person is observed looking under keyboards and on desktops
Contact police
Types of Secure Locks
Conventional, deadbolt, electronic, token-based, biometric, multifactor
The OS System Restore service may include infected files in restore points, so what should you do once the computer has been cleaned of any malware?
Delete the system restore files
Your email contacts report spam coming from you
Email has been hijacked
Users with flash drives are infecting computers on the network with viruses
Flash drives aren't scanned by the antivirus software when a network computer accesses them
Standard Format
High-level formatting; the process creates a boot sector and file system. A standard format can only be performed after a low-level format.
Security Policies
Identification and authentication
Password policies
Acceptable use policies
Remote access policies
Network maintenance policies
Incident handling policies
Data is copied to the same volume
Inherit new permissions
Web Browser Security Features
InPrivate Browsing, pop-up blocker, ActiveX Filtering, SmartScreen Filter
Data is moved to the same volume
Keep original permissions
secpol.msc
Local Security Policy in Windows 8, 8.1, and 10
Exploitation Tools
Metasploit, Core Impact
User is receiving tons of junk emails each day
The network isn't providing detection/spam protection for the email server
Vulnerability Scanners
Nipper, Secunia PSI
Port scanners
Nmap, SuperScan
Firewall configurations
Packet filter (can filter on different attributes such as source IP address/port, destination IP address/port, destination services/protocols)
Stateful Packet Inspection (SPI)
Application layer proxy
Types of trojan horses
Remote-access, Data-sending, Destructive, Proxy (uses the victim computer as the source device to launch attacks), FTP, Security software disabler, Denial of service, Keylogger
Zero Day
Sometimes referred to as a zero-day attack/threat/exploit; this is the day an unknown vulnerability has been discovered by the vendor
Browser opens a page other than what the user is attempting to access
Spyware
To fix some issues caused by viruses, it may be necessary to boot the computer using what?
The Recovery Console, which is able to perform functions such as repairing the boot file and writing a new master boot record/volume boot record.
Low-level format
The surface of the disk is marked with sector markers identifying the tracks where data will be physically stored on the disk. Most often performed at the factory after the hard drive is assembled.
lusrmgr.msc
To configure all of the users and groups on a computer using the Local Users and Groups Manager
System files have been renamed, applications crash, files are disappearing, file permissions have been changed
Virus
Your wireless network is compromised even though 128-bit WEP encryption is used
WEP can be decrypted using commonly available hacking tools; upgrade to WPA and use MAC address filtering
Since 2006, any device that bears the Wi-Fi Certified logo is
WPA2 certified
Degaussing wand
Wand with a very powerful magnet, held over exposed hard drive platters to disrupt/eliminate the magnetic field on the drive; must be held for approx. 2 minutes
WPS
Wi-Fi Protected Setup: both the router and the wireless device have a button that, when both are pressed, automatically configures Wi-Fi security between the devices. A software solution using a PIN is also common. WPS is not entirely secure; it is vulnerable to brute force attacks and should be turned off as a best practice.
wf.msc
Windows Defender Firewall with advanced features: inbound and outbound rules, connection security rules, monitoring
A security alert is displayed when
Windows Firewall is disabled, virus definitions are out of date, or malware has been detected
Trojan horse
a program that looks useful but also carries malicious code.
Replay
a type of spoofing attack where the attacker has captured an authenticated packet, altered its contents, and sent it to its original destination
Data wiping software
aka secure erase; software tools specifically designed to overwrite existing data multiple times until it is unreadable
Pretexting
an attacker pretends to need personal/financial data in order to confirm the identity of the recipient
Spear phishing
attacker creates a targeted phishing attack tailored specifically for an individual/organization
Spoofing
attacker forges IP addresses to gain access to resources
DNS poisoning
attacker infects a host so that it accepts false DNS records pointing to malicious servers; traffic is diverted there to capture confidential information
Man in the Middle
attacker intercepts communications between two hosts; can be created using an ARP poisoning/spoofing attack
Baiting
attacker leaves a malware-infected flash drive in a public location; the victim finds it and plugs it into their computer
Impersonation
attacker pretends to be someone to gain trust
Something for something
attacker requests personal information from a party in exchange for something such as a free gift
Phishing
attacker sends a fraudulent email disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device or sharing personal/financial information
Right
authorizes a user to perform certain actions on a computer (backing up files, shutting down the computer, etc.)
Software Firewall
available as third-party software (cost varies); a free version is included with the Windows OS; typically only protects the computer it is installed on; uses computer resources (potential impact on performance)
Heuristic malware identification techniques
can detect specific behavior associated with some types of malware
Adware
can display unsolicited advertising using pop-up web browser windows or new toolbars, or unexpectedly redirect a webpage to a different website. Usually distributed by downloading online software; symptoms include pop-up windows appearing quickly
Hardware Firewall
dedicated hardware component; initial cost for hardware and software updates can be expensive; multiple computers can be protected; no impact on performance. Passes two types of traffic into your network: responses to traffic that originates from inside your network, and traffic destined for a port that you have intentionally left open
Permissive settings vs restrictive settings
Permissive: easier to implement, less secure, easier to hack
Restrictive: harder to implement, more secure, more difficult to hack
BitLocker
encrypts an entire hard drive. At least two volumes must be present on the hard disk. A system volume is left encrypted and must be at least 100 MB; this volume holds the files required by Windows to boot. Built into the Windows Enterprise editions, Windows 7 Ultimate, 8 Pro, and 10 Professional. The Trusted Platform Module must be enabled in the BIOS.
Ransomware
encrypts files on the target and demands a ransom be paid for the decryption key; with no up-to-date backups, the only way to recover the files is to pay the fee
Symmetric Encryption
ensures confidentiality of the message; both sides of the encrypted conversation must use the same encryption key to encode and decode data. Examples: Advanced Encryption Standard (AES) and the older Triple Data Encryption Algorithm (3DES)
Hash encoding/hashing
ensures integrity of the message. Uses a mathematical function to create a numeric value (message digest) unique to that data; the function can only be used one way. Secure Hash Algorithm (SHA) is replacing Message Digest 5 (MD5)
Firewall services can be provided as:
Host-based (Windows Defender Firewall)
Small office/home office (SOHO) router (provides routing and Wi-Fi services, NAT, DHCP, and firewall)
Small to medium-sized organization: network-based solution using a dedicated device such as a Cisco Adaptive Security Appliance (ASA), or enabled on a Cisco Integrated Services Router (ISR). These use Access Control Lists to filter packets
User receives access denied errors when attempting to open files
malware has changed the permissions of the file
Zero hour
the moment when an exploit is discovered
Non-compliant system
one which has not been updated with OS or application patches, or is missing antivirus and firewall security software
Organizational Units
provide a way to subdivide a domain into smaller administrative units
Shared Key
provides mechanisms to authenticate and encrypt data between a wireless client and an AP or wireless router
WEP: Wired Equivalent Privacy, the original 802.11 specification for securing WLANs; however, the encryption key never changes when exchanging packets, making it easy to crack
WPA: Wi-Fi Protected Access, uses WEP but secures data with the much stronger Temporal Key Integrity Protocol (TKIP) encryption algorithm, which changes the key for each packet (much more difficult to crack)
802.11i/WPA2: now the industry standard for securing WLANs; uses the Advanced Encryption Standard (AES), the strongest encryption protocol
Virus
requires human action to propagate and infect other computers. Hides by attaching itself to computer code, software, or documents. Can alter/corrupt/delete files, erase drives, cause booting issues, corrupt applications, steal sensitive information, access and use email accounts to spread, or lie dormant until summoned by the attacker
Asymmetric Encryption
requires a private and a public key. Examples: RSA, smart cards
Permission
rule associated with an object that regulates which users can access that object and in what manner
Worm
self-replicating program that propagates automatically without user action by exploiting vulnerabilities in legitimate software; uses the network to search for other victims with the same vulnerability; can slow or disrupt network operations
Spyware
similar to adware; used to gather information; can be a low or high threat
Malware
software developed by cybercriminals to perform malicious acts.