
SECURITY

Identifying Types of Attacks


A hacker is someone who has the technical expertise to bypass the security of a network or operating system.

A hacker also knows how to use features of a piece of software or hardware to gain access to restricted areas of a network and how to use those features against you and your system.
There are two types of hackers:
White-hat hackers try to hack or break software or hardware for the purpose of understanding how to protect the environment from black-hat hackers. These are the good guys. Black-hat hackers are people who break into a system or network for malicious reasons or for personal gain. The reasons could be financial gain, bragging rights, or revenge.

Authentication
Authentication is the process of proving one's identity to the network environment. Typically, authentication involves typing a username and password on a system before you are granted access, but you could also use biometrics to be authenticated.

Biometrics are the use of one's unique physical characteristics, such as a fingerprint or the blood vessels in one's retina, to prove one's identity.
Figure 1-7 shows a fingerprint reader that is used to scan your fingerprint in order to log on.

When you type a username and password to log on to a system, that username and password are verified against a database, known as the user account database, which has a list of the usernames and passwords that are allowed to access the system.

If the username and password you type are in the user account database, you are allowed to access the system; otherwise, you get an error message and aren't allowed to access the system.
The name of the account database that stores the usernames and passwords is different depending on the environment. In a Microsoft network, the account database is known as the Active Directory Database and resides on a server known as a domain controller (shown in Figure 1-8).

Generating the access token


When you log on to a Microsoft network environment, the username and password you type are placed in a logon request message that is sent to the domain controller to be verified against the Active Directory Database. If the username and password that you have typed are correct, then an access token is generated for you. An access token is a piece of information that identifies you and is associated with everything you do on the computer and network. The access token contains your user account information and any groups you are a member of. When you try to access a resource on the network, the user account and group membership in the access token are compared against the permission list of the resource. If the user account in the access token or one of the groups contained in the access token is also contained in the permission list, then you are granted access to the resource; if not, you get an access-denied message.

Smart card
Another type of logon supported by network environments today is the use of a smart card. A smart card is a small, ATM card-like device that contains your account information. You insert the smart card into a smart card reader that is connected to a computer, and then you enter the PIN (Personal Identification Number) associated with the smart card. This is an example of securing an environment by forcing someone to not only have the card but also know the PIN.

Here are some variations of smart cards:


One type of smart card is a key fob, so called because it fits conveniently on a keychain. RSA Security (www.rsasecurity.com), a leader in authentication technologies, makes several types of smart cards, called SecurIDs. One SecurID key fob by RSA Security is shown in Figure 19-13. The number on the key fob changes every 60 seconds. When a user logs on to the network, she must enter the number on the key fob, which is synchronized with the network authentication service. Entering the number proves that the user has the smart card in hand.

Other smart cards that look like a credit card also have an embedded microchip that displays a number every few seconds for a user to enter during the authentication process. The advantage of using smart cards that display a number to key in is that no special equipment needs to be installed on the computer. The disadvantage is that the smart card can only validate that the person has the token in hand but can provide no additional data about the user.

Other smart cards have magnetic stripes that can be read by a smart card reader that has a slot for the card (see Figure 19-14). Because these cards don't contain a microchip, they are sometimes called memory cards, and are sometimes used to gain entrance into a building. They can also be read by a smart card reader, such as the one shown in Figure 19-15, that connects to a PC using a USB port. Used in this way, they are part of the authentication process into a network. The magnetic stripe can contain information about the user to indicate their rights on the system.
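The time-synchronized key fob described above, as an added example that is not part of the original text: the code shown on the fob is derived from a seed shared with the authentication service and the current 60-second time slot, and the service accepts one slot of clock drift. The seed and timestamps are constructed; the construction follows RFC 6238 (TOTP over HMAC-SHA1).

```python
"""Time-synchronized one-time code of the kind a key fob displays.
Added example, not the fob vendor's code. Seed and clock values below are
constructed test data; the derivation follows RFC 6238 over HMAC-SHA1."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60      # the number on the fob changes every 60 seconds
DIGITS = 6


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code for the time slot that contains unix_time.

    Fob and server both hold `seed`; a synchronized clock makes the
    slot counter identical on both sides, so both derive the same code."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(seed: bytes, submitted: str, unix_time: int, drift_slots: int = 1) -> bool:
    """Server-side check of the number the user typed.

    Accepts the current slot and `drift_slots` slots either side of it, so a
    fob whose clock is a little ahead or behind still works. The comparison is
    constant-time so response timing does not reveal how many digits matched."""
    for delta in range(-drift_slots, drift_slots + 1):
        candidate = totp(seed, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False
```

Because a fob only proves possession of the seed, the service still needs the user's PIN or password alongside the code.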

Using Biometric Data


As part of the authentication process, rather than proving a person is in possession of a token, some systems are set to use biometric data to validate the person's physical body. A biometric device is an input device that inputs biological data about a person, such as the person's fingerprints, handprints, face, voice, eye, or handwritten signature.

Figure 19-17 shows one biometric input device, an iris reader, that scans your iris.
Iris scanning is one of the most accurate ways to identify a person using biological data. The biometric data collected is then used to authenticate that person using some type of access control system.

Strong passwords

It's really hard to talk about authentication without talking about ensuring that users create strong passwords. A strong password is a password that is very difficult for hackers to guess or crack because it contains a mix of upper- and lowercase characters, contains a mix of numbers and letters, and is a minimum of six characters long.

Software-based attacks

Just as there are a number of different types of network attacks, there are a number of software attacks as well. A software attack is an attack through software that a user runs. The most popular software attacks are mentioned in the sections that follow.

Trojan horse
A Trojan horse is a piece of software that a user is typically tricked into running on the system, and when the software runs, it does something totally different than what the user expected it to do. For example, a typical Trojan horse attack is with a program called NetBus. NetBus is an example of a Trojan horse program that is sent as a file called patch.exe. The user receiving the file, typically through an e-mail, believes that the file will fix a security issue. The problem is that patch.exe is a Trojan horse, and when that horse starts running, it opens the computer up to allow a hacker to connect to the system. The hacker then uses a client program, like the one shown in Figure 1-3, to connect to the system and start messing with the computer. The hacker can do things like launch other programs, flip your screen upside-down, eject your CD-ROM tray, watch your activity, and modify or delete files!

Virus
A virus is a program that causes harm to your system.

Typically, viruses are spread through e-mails and are included in attachments such as word processing documents and spreadsheets.
The virus can do any of a number of things: it can delete files from your system, modify the system configuration, or e-mail all your contacts in your e-mail software. To prevent viruses, you should install antivirus software and not open any file attachments that arrive in your e-mail that you are not expecting.

A virus attacks your computer system and hides in several different ways.

A boot sector virus can hide in either of two boot sectors of a hard drive.
It can hide in the master boot program, which is the boot program in the very first 512-byte sector of a hard drive called the master boot record (MBR).

A boot sector virus can also hide in the OS boot program of a hard drive, floppy disk, or other boot media.
Recall that the OS boot program is stored in the first sector of the volume on which Windows is installed, called the active partition.

For most hard drives, this OS boot sector is the second sector on the drive, following the MBR.
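The MBR layout described above, as an added example that is not part of the original text: a parser that checks the 512-byte sector's boot signature, reads the four partition-table entries, locates the active partition whose first sector holds the OS boot program, and fingerprints the master boot program so that a later change to it (the kind a boot sector virus makes) can be detected by comparing against a saved baseline. The sample MBR and its partition values are constructed.

```python
"""Parse and fingerprint a master boot record.
Added example, not from the page. The sample MBR built below is constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the master boot program
TABLE_OFFSET = 446           # four 16-byte partition entries follow it
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"      # last two bytes of a valid MBR
ENTRY_FMT = "<B3xB3xII"      # status, (CHS start), type, (CHS end), LBA start, sector count


def has_valid_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[510:512] == SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Return the partition table, the active partition's first LBA and a
    SHA-256 fingerprint of the boot code region."""
    if not has_valid_signature(sector):
        raise ValueError("not a 512-byte sector ending in 0x55AA")
    partitions = []
    for i in range(4):
        start = TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, sector[start:start + ENTRY_SIZE])
        if ptype == 0:                                   # empty slot
            continue
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    active = [p for p in partitions if p["active"]]
    if len(active) > 1:
        raise ValueError("more than one active partition")
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        # the OS boot program lives in the first sector of the active partition
        "os_boot_sector_lba": active[0]["lba_start"] if active else None,
    }


def boot_code_changed(baseline: bytes, current: bytes) -> bool:
    """True if the master boot program differs from the saved baseline copy."""
    return parse_mbr(baseline)["boot_code_sha256"] != parse_mbr(current)["boot_code_sha256"]


def build_sample_mbr(boot_code: bytes = b"\xEB\x3C\x90") -> bytes:
    """Constructed MBR: an active NTFS (type 0x07) volume and an inactive FAT32 volume."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = (struct.pack(ENTRY_FMT, 0x80, 0x07, 63, 2_000_000)
             + struct.pack(ENTRY_FMT, 0x00, 0x0B, 2_000_063, 500_000)
             + b"\x00" * (2 * ENTRY_SIZE))
    return code + table + SIGNATURE
```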

A file virus hides in an executable program having an .exe, .com, .sys, .vbs, or other executable file extension, or in a word-processing document that contains a macro. A multipartite virus is a combination of a boot sector virus and a file virus and can hide in either. A macro is a small program contained in a document that can be automatically executed either when the document is first loaded or later by pressing a key combination. For example, a word-processing macro might automatically read the system date and copy it into a document when you open the document. Viruses that hide in macros of document files are called macro viruses. Macro viruses are the most common viruses spread by e-mail, hiding in macros of attached document files. A script virus is a virus that hides in a script, which might execute when you click a link on a Web page or in an HTML e-mail message or when you attempt to open an e-mail attachment.

Worm

A worm is a virus that does not need to be activated by someone opening the file. The worm is self-replicating, meaning that it spreads itself from system to system, infecting each computer.

To protect against a worm, you should install a firewall.


A firewall is a piece of software or hardware that prevents someone from entering your system.

Logic bomb

A logic bomb is malicious software that could run every day, but the software was designed to wreak havoc on your system on a certain date and time.

The scary thing about logic bombs is that they seem like useful software until the day the programmer decides it will become malicious!

One type of malware, called a rootkit, loads itself before the OS boot is complete.

Because it is already loaded when the AV software loads, it is sometimes overlooked by AV software.
In addition, a rootkit hijacks internal Windows components so that it masks information Windows provides to user mode utilities such as Task Manager, Windows Explorer, the registry editor, and AV software.

This helps it remain undetected.


Rootkits can also install a backdoor (called a backdoor rootkit) that can be used by malware or hackers to secretly gain access even after the rootkit has been cleaned from the system. Using a backdoor, a hacker can sometimes hijack the system, gaining full control of it.

Adware
Adware produces all those unwanted pop-up ads. Adware is secretly installed on your computer when you download and install shareware or freeware, including screen savers, desktop wallpaper, music, cartoons, news, and weather alerts. Then it displays pop-up ads which might be based on your browsing habits (see Figure 19-32). Sometimes when you try to uninstall adware, it deletes whatever it was you downloaded that you really wanted to keep. And sometimes adware is also spying on you and collecting private information.

Spyware
Spyware is software that installs itself on your computer to spy on you and to collect personal information about you that it transmits over the Internet to Web-hosting sites. These sites might use your personal data in harmless or harmful ways such as tailoring marketing information to suit your shopping habits, tracking marketing trends, or stealing your identity for harm. Spyware comes to you by way of e-mail attachments, downloaded freeware or shareware, instant messaging programs, or when you click a link on a malicious Web site.

A keylogger
A keylogger tracks all your keystrokes, including passwords, chat room sessions, e-mail messages, documents, online purchases, and anything else you type on your PC. All this text is logged to a text file and transmitted over the Internet without your knowledge. A keylogger is a type of spyware that can be used to steal a person's identity, credit card numbers, Social Security number, bank information, passwords, e-mail addresses, and so forth.

A browser hijacker
A browser hijacker, also called a home page hijacker, does mischief by changing your home page and other browser settings. Figure 19-33 shows Internet Explorer after a user tried to install a free game downloaded from the Internet. The program installed two new toolbars in his browser and changed his home page. Browser hijackers can set unwanted bookmarks, redirect your browser to a shopping site when you type in a wrong URL, produce pop-up ads, and direct your browser to Web sites that offer pay-per-view pornography.

Spam
Spam is junk e-mail that you don't want, you didn't ask for, and that gets in your way.

A virus hoax
A virus hoax or e-mail hoax is e-mail that does damage by tempting you to forward it to everyone in your e-mail address book, with the intent of clogging up e-mail systems, or by tempting you to delete a critical Windows system file by convincing you the file is malicious. Also, some e-mail scam artists promise to send you money if you'll circulate their e-mail messages to thousands of people. I recently received one that was supposedly promising money from Microsoft for testing the strength of the Internet e-mail system.

Phishing
Phishing (pronounced fishing) is a type of identity theft where the sender of an e-mail message scams you into responding with personal data about yourself. The scam artist baits you by asking you to verify personal data on your bank account, ISP account, credit card account, or something of that nature. Often you are tricked into clicking a link in the e-mail message, which takes you to an official-looking site complete with corporate or bank logos where you are asked to enter your user ID and password to enter the site.

Scam artists

Scam artists use scam e-mail to lure you into their scheme. One scam e-mail I recently received was supposedly from the secretary of a Russian oil tycoon who was being held in jail with his millions of dollars of assets frozen. If I would respond to the e-mail and get involved, I was promised a 12 percent commission to help recover the funds.

USE BIOS FEATURES TO PROTECT THE SYSTEM


Many motherboards for desktop and laptop computers offer several BIOS features designed to secure the system. Here is a quick summary of these methods:
Power-on passwords. Set in BIOS setup and used to limit who can use the system or access BIOS setup.

Drive lock password protection. Recall that some motherboards and hard drives allow you to set a password that must be entered before someone can access the hard drive. This password is kept on the drive and works even if the drive is moved to another computer. Some manufacturers of storage media offer similar products. For example, Seagate (www.seagate.com) offers Maxtor BlackArmor, a technology that encrypts an entire external storage medium and protects it with a password.

TPM (Trusted Platform Module) chip. Many high-end computers have a chip on the motherboard called the TPM (Trusted Platform Module) chip. BitLocker is designed to work with this chip; the chip holds the BitLocker encryption key (also called the startup key). A notebook might be secured to a table or other fixture with a lock and chain. Even though a thief cannot steal the notebook, it's still possible to quickly remove the hard drive. If the hard drive is stolen from the notebook and installed in another computer, the data would be safe because BitLocker would not allow access without the startup key stored on the TPM chip. Therefore, this method assures that the drive cannot be used in another computer. However, if the motherboard fails and is replaced, you'll need a backup copy of the startup key to access data on the hard drive.

Intrusion detection. A motherboard BIOS feature used primarily with servers is intrusion detection. A sensor device is installed inside the computer case and connected to a header (group of pins) on the motherboard. When the case cover is removed, the device sends an alert (called an interrupt), and BIOS records the event. If the power is turned off when the event occurs, the event is still recorded in BIOS. The sensor device can work by a switch or magnet that detects the cover is removed or a light sensor that detects light inside the case when the case is opened.

Boot sector protection for the hard drive. When you enable this protection, a boot sector virus cannot write to this sector. Figure 19-10 shows the option enabled. Recall that the boot sector must be healthy if the hard drive is bootable. However, before you upgrade your OS, such as when you upgrade Windows Vista to Windows 7, be sure to enable writing to the boot sector, which the OS setup will want to do.

Protecting the Operating System and Data


Several chapters have contained important security-related tips, steps, and information related to protecting the operating system and data.

Some of the more important ones follow:


Use the NTFS file system.

Back up data often and keep the backups in a different location in case of natural disaster or fire. There are different types of backups, which are done using a file's archive bit status. A full backup backs up all selected files and sets the archive bit to off. An incremental backup backs up all files that have changed since the last backup; the files selected are the ones that have the archive bit set to on, and the backup software resets those bits to off. A differential backup backs up files that have changed since the last full backup (files that have the archive bit set to on), but the backup software does not reset the archive bit as the incremental backup does.

Back up the System State.

Ensure operating system and application service packs and updates are applied regularly.

Install antivirus software with the latest virus definitions.

Encrypt data that needs to be protected.

Use BitLocker and TPM (Trusted Platform Module). BitLocker encrypts an entire disk volume, including the operating system, user files, swap files, and hibernation files. It is available on Vista/7 Enterprise and Ultimate and requires two NTFS disk partitions.

Optionally place operating system files and data files on separate hard drive partitions.
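The archive-bit behaviour of full, incremental and differential backups described in the backup tip above, as an added example that is not part of the original text: a small simulation that runs each strategy over a constructed week of edits and then restores the data both ways, showing that an incremental chain needs every backup since the full while a differential needs only the latest one.

```python
"""Full, incremental and differential backups driven by the archive bit.
Added example, not from the page; file names and the edit sequence are constructed."""


class BackedUpFile:
    """A file with the archive bit that is set when the file is created or modified."""

    def __init__(self, name, content):
        self.name = name
        self.content = content
        self.archive = True              # new file: archive bit on

    def modify(self, content):
        self.content = content
        self.archive = True              # any change turns the bit back on


def full_backup(files):
    """Copy every selected file and turn all archive bits off."""
    saved = {f.name: f.content for f in files}
    for f in files:
        f.archive = False
    return saved


def incremental_backup(files):
    """Copy files changed since the last backup of any kind, then clear their bits."""
    saved = {f.name: f.content for f in files if f.archive}
    for f in files:
        f.archive = False
    return saved


def differential_backup(files):
    """Copy files changed since the last full backup.
    The bits are left on, so the next differential copies them again."""
    return {f.name: f.content for f in files if f.archive}


def run_scenario(strategy):
    """Full backup on Sunday, then one edit per day followed by `strategy`.
    Returns (file names saved on each weekday, the list of all backup sets)."""
    files = [BackedUpFile("report.doc", "v1"), BackedUpFile("budget.xls", "v1")]
    history = [full_backup(files)]
    files[0].modify("v2")                # Monday: report edited
    history.append(strategy(files))
    files[1].modify("v2")                # Tuesday: budget edited
    history.append(strategy(files))
    return [set(h) for h in history[1:]], history


def restore(history, differential):
    """Rebuild the data: full + every incremental in order, or full + last differential."""
    state = dict(history[0])
    parts = [history[-1]] if differential else history[1:]
    for part in parts:
        state.update(part)
    return state
```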

NTFS
NTFS volumes can have files, folders, and subfolders encrypted using EFS (encrypting file system). When a folder or subfolder is encrypted, all newly created files within the folder or subfolder are automatically encrypted. If any files are copied or moved into an encrypted folder or subfolder, those files are automatically encrypted. System files cannot be encrypted. EFS can use a CA (certificate authority) such as one issued from a server or use a self-signed certificate.

Data Migration
When a new computer is purchased, data and applications may need to be migrated to the new machine. Several options are possible. If only data (no applications) needs to be transferred, the data can be copied to CD/DVDs, a Flash drive, or an external hard drive. Otherwise, a special cable can be used between the two computers (connecting serial, parallel, USB, FireWire, or network ports) and data copied from one machine to the other. If data and applications need to be transferred, special software can help with this process. Keep in mind that if an external NTFS-formatted hard or Flash drive is used, Windows uses what is known as a lazy write to the drive. This means that the system doesn't always write to the external drive at the moment you click Copy. The result of this is that external drives sometimes do not eject from a USB port when requested. Consider using a FAT32 or exFAT-based drive to avoid this issue.

Understanding Physical Security

Physical security has nothing to do with software; it refers to how you protect your environment and systems by making sure that a person cannot physically access the system.

In order to protect your systems, follow these physical security best practices:

Server placement: Lock your servers in a room that only a select few individuals have the key for.

Disable boot devices: You can help secure the systems by disabling the ability to boot from a floppy disk or CD-ROM in the CMOS setup on the systems.

Set CMOS password: Because most hackers know how to go to CMOS and enable booting from CD-ROM, you want to make sure that you set a password on CMOS so that a hacker cannot modify your CMOS settings. Figure 1-5 shows a CMOS password being enabled.
Disable network ports: To ensure that a hacker doesn't enter your office, plug into the network, and then start performing a number of network attacks, ensure that network ports in lobbies and front entrances are disabled unless an administrator enables them.

Lockdown cable: A lockdown cable is a cable that you connect to laptops, projectors, and other types of office equipment that locks the device to a table or desk unless unlocked. Figure 1-6 shows a lockdown cable being used to secure a laptop. A lockdown cable usually connects to a hole in the side of the computer equipment that usually has a picture of a lock next to it.

Security Incident Reporting


Many companies define what to do when a security incident has occurred. However, in some businesses or in an incident that occurs on a home network, people are not always sure what to do. Some tips for incident reporting and official reporting entities are listed in Table 14.11. If a security incident occurs and you do not know what to do, talk to your supervisor. He or she should have the experience to guide you or know to whom he or she should go to resolve the issue.

If you feel uncomfortable talking to your supervisor about this, consider the human resources department or a higher administrator.
Reporting and documenting security violations is very important, especially in the business environment, and it is every person's responsibility to be security-aware and responsible.

Wireless Network Security Overview


Security has been a big concern with wireless network installers because most people are not familiar with network or wireless security. Wireless networks by their nature are insecure. Wireless access points (APs) are normally mounted in the ceiling or on the wall where they are conspicuous. Normal networking equipment such as hubs, switches, routers, and servers are locked in a cabinet or behind a locked door in a wiring closet. Customized cabinets can be purchased to secure APs indoors and outdoors. Data transmitted over the air can be in clear text, which means that with special frame-capturing software on a computer with a wireless NIC installed, the data can be captured and viewed. Negotiation between the wireless devices and the AP can be in clear text, and that information can be captured. All frames include a source MAC address, and someone with a computer with a wireless NIC installed can capture the frame and use the MAC address to gain access to other resources. (This is known as session hijacking or MAC spoofing.) By default, most APs transmit their SSIDs in clear text. All of these issues must be considered when installing a wireless network.

Authentication and Encryption


The original 802.11 standards define two mechanisms for wireless security: authentication and data confidentiality. Remember that authentication is the process of determining that a network device or person has permission to enter the wireless network through the access point.

The two types of authentication are open and shared key. Open authentication allows a wireless network device to send a frame to the access point with the sender's identity (MAC address).
Open authentication is used when no authentication is required.

Shared key authentication requires the use of a shared key, which is a group of characters that the wireless network device and access point must have in common.

Shared key authentication does not scale well with larger wireless networks because each device must be configured with the shared key (which is time-consuming), the users must be told the shared key and their individual stations configured for it (which is also time-consuming), or a server must be used to provide the shared key automatically.
Also, when manually input shared keys are used, the key is not changed very often. APs that support 802.1x authentication use some form of EAP (Extensible Authentication Protocol). When any type of EAP is used, the user or client to be authenticated is called a supplicant. An authentication server holds valid usernames and passwords. The device in the middle that takes the client request and passes it on to the server is known as the authenticator. An AP can be an authenticator.

When shared key authentication is being used, WEP must be enabled.

WEP (Wired Equivalent Privacy) encrypts data being transmitted.


Encryption is the process of converting data into an unreadable format. WEP commonly has two versions: 64-bit and 128-bit. Some vendors may have 256-bit. 64- and 128-bit WEP may also be seen as 40- and 104-bit. This is because each of the two versions uses a 24-bit initialization vector: 40 plus 24 equals 64, and 104 plus 24 equals 128. Sometimes you might even see that in documentation or Web site wording the author mixes the two types of numbers, such as 40-bit and 128-bit, so it can be confusing.

With WEP enabled, the shared secret key is normally entered into the wireless NIC configuration window. Vendors have a variety of ways of inputting this alphanumeric key, but normally it is input in either hexadecimal or ASCII characters. Some wireless NIC manufacturers allow entering multiple WEP keys; however, only one key is used at a time. The multiple WEP keys are for multiple environments such as a WEP key for the business environment and a WEP key for the home wireless network using the same wireless NIC. Figure 14.14 shows the configuration dialog box for a wireless NIC and where the WEP is enabled.

Notice in Figure 14.14 that there is a checkbox for enabling WEP.

The default configuration when WEP is enabled is for the "The key is provided for me automatically" checkbox to be enabled as well.
The 802.11 standard does not define how the WEP key is provided to the NIC. Some bigger companies use a server that provides the key to the wireless NIC securely. However, most installations require that the WEP key be entered manually. Notice how this adapter does not allow you to specify the length of the WEP key, so it is the 64-bit version.

Some vendors have configuration utilities that allow wireless NIC configuration.

WEP can be hacked. With special software on a laptop with a NIC installed, WEP can be compromised. Enabling WEP is better than no encryption whatsoever. An improvement on WEP is WPA (Wi-Fi Protected Access).

WPA uses TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) to improve security.
TKIP is an improvement on WEP in that the encryption keys change. Even better than TKIP is AES, which is an encryption standard with key sizes of 128-, 192-, or 256-bits. AES has been used in wireless government networks for some time. The 802.11i wireless standard specifically deals with wireless security.

WPA2 is an improvement that includes dynamic negotiation between the AP and the client for authentication and encryption algorithms. WPA2 is a common choice for securing wireless networks. The 802.11i standard includes RSN (Robust Security Network), which includes some features of WPA2. Third-party products can be used with some vendors' wireless solutions, and some vendors provide extra security of their own with their NIC cards and access points. The drawback to this is that other vendors' products are normally incompatible.

HOW TO PROTECT AGAINST MALICIOUS SOFTWARE

The best practices you need to follow to protect a system against malicious software and other grayware are listed next. The first three methods are the most important ones:
Always use a software firewall. Never, ever connect your computer to an unprotected network without using a firewall. Recall that Windows Firewall can be configured to allow no uninvited communication in or to allow in the exceptions that you specify (see Figure 19-36).

Use antivirus (AV) software. As a defensive and offensive measure to protect against malicious software, install and run antivirus (AV) software and keep it current. Configure the AV software so that it automatically downloads updates to the software and runs in the background. To be effective, AV software must be kept current and must be turned on. Set the AV software to automatically scan incoming e-mail attachments.

Use the Vista UAC box. The UAC box is one of your best defenses against malware installing itself. When software attempts to install in Vista, the UAC box appears. If you don't respond to the box, Windows aborts the installation.

Limit the use of administrator accounts. If malware installs itself while you're logged on as an administrator, it will most likely be running under this account with more privileges and the ability to do more damage than if you had been logged on under a less powerful account. Use an account with lesser privileges for your everyday normal computer activities.

Set Internet Explorer for optimum security. Internet Explorer includes the pop-up blocker, the ability to manage add-ons, the ability to block scripts and disable scripts embedded in Web pages, and the ability to set the general security level. Figure 19-37 shows the Internet Options window where many of these options are configured. For most Web browsing, set the security level to Medium-high, as shown in the figure. Also consider updating IE to the latest version because later versions are likely to have enhanced security features.

Use alternate client software. Using alternate client software, including browsers and e-mail clients, can give you an added layer of protection from malicious software that targets Microsoft products. Firefox by Mozilla (www.mozilla.org) is an excellent browser, and Thunderbird, also by Mozilla, is a popular e-mail client. Some people even use a different OS than Windows because of security issues.

Keep good backups. One of the more important chores of securing a computer is to prepare in advance for disaster to strike. One of the most important things you can do to prepare for disaster is to make good backups of user data.

PERFORM ROUTINE SECURITY MAINTENANCE

When you are responsible for the security of a computer or small network, make it a habit to check every computer for which you are responsible each month.
You can use the following checklist.

However, know that routine maintenance tends to evolve over time based on an organizations past problems that might need special attention.
Start with this list and then add to it as the need arises:

1. Change the administrator password. (Use a strong password.)


2. Check that Windows Automatic Updates is turned on and working. For applications that users routinely rely on, you might also download and install any critical or optional updates.

3. Check that AV software is installed and current. If you are running anti-adware software, also verify that it is running and current.

4. Verify that Windows Firewall is turned on. Also, verify that port security is set so that the only exceptions made to open ports are those the users of this computer need to do their jobs.

5. If you are the only user with administrative privileges on this computer, verify that Windows settings are as you intend. For example, check that important folders are shared and encrypted as you set them and that only authorized software is installed.

6. Visually check the equipment to make sure the case has not been tampered with. Is the lock secure?

7. Check Event Viewer. Take a look at the Security list, looking for failed attempts to access the system.

8. Verify that user backups of data are being done and current backups of data exist. Also verify that System Protection is set to automatically create restore points.
9. If you find you must replace storage media, don't forget to destroy all data on the media before you throw it away. If a computer is changing users or you are moving a hard drive from one computer to another, be sure to wipe clean all data on the drive. Most hard drive manufacturers offer a zero-fill utility for this purpose. The utility overwrites every sector of the drive with zeros. However, if you need to destroy data so that expert criminals can't recover destroyed, deleted, or overwritten data.

10. Document your monthly maintenance and note anything unusual that you see or must change.
