Security Fundamentals
– Understand the mindset you should have when securing a computer.
– Understand file systems, authentication, and how to protect against malware.
Data and Physical Security
– Describe encryption types, the Local Security Policy, backups, and password management.
Securing Wireless Networks
– Explain wireless encryption and maximizing security on wireless devices.
Access Control Purposes and Principles
– Explain User Access Control (UAC), NTFS permissions, and auditing.
Data Destruction/Disposal Techniques
Installing, Configuring, and Troubleshooting Security Features
– Demonstrate how to secure the BIOS, configure a firewall, and set up a secure wireless connection.
[Figure: Probability versus Impact grid, each rated Low / Medium / High]
Secure Versus Insecure File Systems
– FAT16/ FAT32
• No File/Folder encryption
• No support for User and Group permissions
• Local login by anyone provides local access to the entire logical drive contents
• Windows Vista cannot use FAT
– NTFS
• Designed for security
• Encrypting File System (EFS)-capable
• Employs User permissions
– Each user is limited to his own documents by default.
Authentication demands that a user verify his right to access data
Relies on
– Something the user knows
• For example, a password or Personal Identification Number (PIN)
– Something the user has
• For example, a smart card or other security token
– Something the user is
• For example, the biometric reading of a fingerprint or retina scan
– Something the user does
• For example, a signature
Can be verified locally by the local system
– PC username/password
– Access codes on a door lock
Can be verified remotely by a server
– Login can be matched to local PC or to a whole domain of PCs.
Passwords should be complex
– 6 to 8 characters minimum
• Use of extra characters increases difficulty of discovery
– Mix of uppercase/lowercase, numbers, and symbols
– Passphrase
• First letters of words in phrase become password characters
– Mitigates brute force dictionary attacks by hackers
Options available in the local security policy for managing passwords
– Change passwords periodically (Local Policies, Security Options).
– Be informed in advance that passwords are about to expire (Account Policies, Password Policy).
– Enforce a minimum password length (Account Policies, Password Policy).
– Require complex passwords (Account Policies, Password Policy).
– Prevent old passwords from being reused continually (Account Policies, Password Policy).
– Wait a certain number of minutes after a specified number of unsuccessful logins has taken place before users can log in again (Account Policies, Account Lockout Policy).
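An added example, not part of the original slides: a Python check of an exported local security policy against the password and lockout options listed above. The key names are those written by `secedit /export`; the sample export is constructed, and the thresholds (maximum age of 90 days, minimum length of 8) are assumptions.

```python
import configparser

# Constructed sample of the [System Access] section written by
# `secedit /export /cfg policy.inf` (real exports are UTF-16 encoded).
SAMPLE_EXPORT = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
"""

# Thresholds are assumptions for this example, not values from the slides,
# except the minimum length, which uses the top of the "6 to 8" range.
CHECKS = {
    "MaximumPasswordAge": (lambda v: 1 <= v <= 90, "passwords never expire or expire too rarely"),
    "MinimumPasswordLength": (lambda v: v >= 8, "minimum length below 8"),
    "PasswordComplexity": (lambda v: v == 1, "complexity not required"),
    "PasswordHistorySize": (lambda v: v >= 1, "old passwords can be reused"),
    "LockoutBadCount": (lambda v: v >= 1, "no lockout after failed logins"),
}

def audit(inf_text):
    """Return {setting: problem} for every check that fails or is missing."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str          # keep the setting names case-sensitive
    parser.read_string(inf_text)
    section = parser["System Access"] if parser.has_section("System Access") else {}
    findings = {}
    for name, (ok, problem) in CHECKS.items():
        try:
            value = int(section.get(name))
        except (TypeError, ValueError):
            findings[name] = "setting missing or not numeric"
            continue
        if not ok(value):
            findings[name] = f"{problem} (value {value})"
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_EXPORT).items():
        print(f"{name}: {problem}")
```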
Things a user might have:
A key
SmartCard
Things a user might be:
Fingerprint
– Effective when combined with username/password
– Can be fooled with tape or bubblegum
Retinal Scan
Database of fingerprints and retinal scans must be securely maintained to prevent unauthorized access and replication.
Program designed to examine data packets
– Criteria in headers are monitored:
• Destination and source IP addresses
• Application ports and data
• Protocols
– Can filter packets coming in or going out:
• Windows XP and Vista use a one-way firewall.
– Allows ping out, but not in.
– Vista can be modified for two-way use.
Hardware firewalls are dedicated devices with specially designed operating systems
Your firewall is configured to block all connections:
– Clear No Exceptions check box.
Your firewall does not have an exception set up for the program:
– Click Unblock to permit access.
You might have two firewalls (Windows Firewall and a third-party firewall).
You did not open the correct TCP or UDP ports for a program.
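An added example, not from the original slides: a small Python model of the host firewall behaviour and the four troubleshooting cases above. The class names, the program name `app.exe` and port 5000 are hypothetical, and the model covers unsolicited inbound traffic only.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (unsolicited inbound) or "out"
    protocol: str       # "tcp", "udp" or "icmp"
    port: int = 0       # destination port; unused for ICMP
    program: str = ""   # local program the traffic belongs to

@dataclass
class HostFirewall:
    no_exceptions: bool = False                       # the "No Exceptions" check box
    allowed_programs: set = field(default_factory=set)
    open_ports: set = field(default_factory=set)      # {(protocol, port)}
    filter_outbound: bool = False                     # one-way firewall by default

    def decide(self, pkt):
        """Return (verdict, reason) for one packet."""
        if pkt.direction == "out" and not self.filter_outbound:
            return "allow", "outbound traffic is not filtered"
        if pkt.direction == "in" and self.no_exceptions:
            return "block", "No Exceptions is checked"
        if pkt.program and pkt.program in self.allowed_programs:
            return "allow", "program exception"
        if (pkt.protocol, pkt.port) in self.open_ports:
            return "allow", "port exception"
        return "block", "no exception for this program or port"

def first_block(pkt, firewalls):
    """Traffic must pass every firewall in the chain.
    Return 'name: reason' for the first one that blocks, else None."""
    for name, fw in firewalls:
        verdict, reason = fw.decide(pkt)
        if verdict == "block":
            return f"{name}: {reason}"
    return None

if __name__ == "__main__":
    windows = HostFirewall(open_ports={("udp", 5000)})   # wrong protocol opened
    third_party = HostFirewall()
    chain = [("Windows Firewall", windows), ("third-party firewall", third_party)]
    # Constructed traffic: ping out, ping in, and an inbound TCP connection to app.exe.
    for pkt in (Packet("out", "icmp"), Packet("in", "icmp"),
                Packet("in", "tcp", 5000, "app.exe")):
        print(pkt, "->", first_block(pkt, chain) or "allowed")
```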
Data Access Local Security Policy
– In Control Panel > Administrative Tools > Local Security Policy
Policies that can be enabled/configured:
– Enable Auditing.
– Shutdown: Clear Virtual Memory Pagefile.
– Take ownership of files/objects in system.
– Enable/Disable Ctrl+Alt+Del for login purposes.
From Administrative Tools > Local Security Policy
– The following features can be enabled/disabled:
• Enable Auditing.
• Shutdown: Clear Virtual Memory Pagefile.
• Take ownership of files or other objects.
• Turn on Ctrl+Alt+Del.
Encrypting File System (EFS)
– Supported by operating systems that can read NTFS drives:
Data can be opened only by
• User who encrypted them
• Administrator
• EFS Key holder
Caution: Should Windows not boot properly and the user attempts to attach the drive to another system and access the files there, the files will be encrypted and inaccessible.
– Export the user’s EFS certificate key, and keep it in a safe place should it ever be needed.
BitLocker Encryption:
– Full disk encryption software on Windows Vista.
– Keys must be stored remotely.
Backups are necessary because
– Mechanical devices eventually fail.
Backups can be subject to hacking/tampering.
– Backup data drive/media should be password-protected.
Data Migration:
Direct connection is best.
Network connections offer opportunity for data retrieval by unauthorized parties.
– The Files and Settings Transfer Wizard offers password-protected transfer of files across the network connection.
Social Engineering
– Trojan horse: Programs that claim to be useful utilities but actually install harmful programs on your computer, including spyware, remote access, and root kits.
– Root kits: A concealment method used by many types of malware to prevent detection by normal antivirus and antimalware programs.
– Spyware: Software that spies on system activities and transmits details of web searches or other activities to remote computers.
– Remote access: Programs that enable unauthorized control of your system; can be used to set up networks of compromised computers known as botnets.
– Adware: Software that displays pop-up ads and banners related to your web searches and activities.
– Grayware: General term for dialers, joke programs, adware, and spyware programs.
Pretexting
Phishing
Trojan horse
Baiting
Tailgating
Shoulder surfing
Computer protection needs specialized software to perform
Real-time protection to block infection
Automatic periodic scans for known/suspected threats
Automatic updating on a frequent (usually daily) basis
Renewable subscriptions to obtain updated threat signatures
Links to virus and threat encyclopedias
Inoculation of system files
Permissions-based access to the Internet
Scanning of downloaded files and sent/received emails
Air is insecure; data in transit must be encrypted.
Both the access point and the end host must use the same encryption.
– Common encryption types
• WEP
– Not considered very secure
• WPA
– Secure but should still be protected further by using strong passwords
– TKIP (Temporal Key Integrity Protocol)
• WPA2
– AES (Advanced Encryption Standard)
– Preferred when available
– Availability is determined by all hosts being able to support a common standard
Two methods to provide addresses:
Static: Manual entry of IP address information
– Static IP addressing best for servers and devices that must be regularly contacted for their services
– More time-consuming
– More secure
Dynamic: Allocating addresses automatically using a server program designed for that purpose
– Best for the network hosts
– Should adjust the number of IP addresses that can be assigned
• Prevents unwanted use of your network by drive-by users
Default is easily seen by unwanted intruders:
– Often means there is no administrative password in place
• Most Wireless Access Points (WAP) use a generic password.
• Must be changed to ensure protection of the WAP.
– Can be confusing if more than one WAP of the same manufacturer/model is in the same locality
Change name:
– Do not use: Family name, company name, location
Disable the SSID Broadcast:
– This prevents the access point from announcing its presence
– Caution: XP will look for previously known networks by probing for them using the SSID. Hackers can use this.
MAC Address is burned into Network Card
– Can be allowed or denied access to Wireless Access Point (WAP)
• Blocks casual Internet surfers from using your network.
• Serious hackers can get around this.
Network Address Translation
– Hides the internal network numbers from external users
Access Logs
– A list of traffic denied or permitted
Traffic Filtering
– IP addresses, websites or ports can be specifically filtered.
Support for Virtual Private Networking (VPN)
Control access to the following operating system user accounts:
– User – Only has control over created folders/files
– Administrator – Has full control
– Guest – Disabled by default
User Access Control (UAC)
– Automatically makes all accounts standard users
– Prompts administrator when system changes are made
– Reduces risk of malware using the administrator account
– Can be turned off if necessary:
• Control Panel > User Accounts and Family Safety > User Accounts
– System must be restarted.
Groups allow control of resources through grouping users together who need the same access levels to files and objects on the system.
– Installed groups include Administrators, Users, Power Users, and Guest
– Permissions that can be assigned to Groups/Users:
• Full Control
• Modify: Change file or folder contents
• Read & Execute
• List Folder Contents
• Read
• Write: Add a new file or folder
– Each permission can either be allowed or denied.
Folders inherit permissions from the parent folder by default
– If you change the parent permissions, it changes the subfolder permissions.
If you move a folder, it retains its permissions.
If you copy a folder, it inherits permissions of the folder above it in the hierarchy.
Printer permissions are managed from the Security tab.
What do you do with an old PC that is no longer needed?
– Hard disks should be destroyed.
• Many data recovery programs can read deleted files.
– An exception is when the disk is intended for a second life as a donated computer.
• Remove data with a DOD 5220.22-M-compliant program.
– CDs, DVDs, and floppy disks should be physically destroyed.
BIOS Security
– Boot Sector virus protection
– Boot Sequence
– BIOS Setup password
– BIOS HDD password
A well-trusted and loyal employee asked to use a color printer instead of the black-and-white laser printer for some documents he is preparing for an A+ presentation this afternoon. His permission set allows him to print only to the black-and-white laser printer.
What do you do?
– What is malware?
– Why is WEP considered insecure?
– Name three things that must be known/configured for the WAP and client to connect securely.
– What is the encryption available to NTFS file systems?
– How is a passphrase superior to most passwords?
Security Fundamentals
– Understand file systems, authentication, and how to protect against malware.
Securing Wireless Networks
– Explain wireless encryption and maximizing security on wireless devices.
Data and Physical Security
– Describe encryption types, the Local Security Policy, backups, and password management.
Access Control Purposes and Principles
– Explain User Access Control (UAC), NTFS permissions, and auditing.
Installing, Configuring, and Troubleshooting Security Features
– Demonstrate how to secure the BIOS, configure a firewall, and set up a secure wireless connection.