Introduction to Security

A note about this guide

As you read through this guide you will see important terms in bold. These terms are important to remember and are discussed throughout this chapter. Please refer to the Key Terms at the end of this document for a complete list of where to find important definitions.

The majority of this document focuses on the Microsoft Windows® operating system. The concepts covered within also apply to other operating systems, but are not directly covered in this guide.

Each time you see this computer graphic it represents an exercise that you can complete with this text. If you are reading this text in conjunction with a class, be sure to complete any exercises required by your instructor.

Table of contents

A note about this guide
Table of contents
Things are still bad in security
What is information security?
Who are the attackers?
Why such an increase in Attacks?
Identity Theft
The Security Paradigm
Password Paradox
Choosing a Password
Phishing
Social Networking
Backups
Firewalls
Patch Management
Antivirus
User Account Control
Wireless Security
Bluetooth
Final Thoughts
Key Terms
Additional Labs:
    Test My Firewall
    Patch Management
    Test My Antivirus

Things are still bad in security

It is easy to think that computer security “isn’t my problem” or that “bad things won’t happen to me.” Why do I need to know anything about information security? Here are a few statistics:

• Web pages that infect by simply looking at them (6,000 new infected pages daily, or 1 every 14 seconds)
• More attacks originate in U.S. than any other country (33%)
• Home users were the most highly targeted sector (93% all targeted attacks)
• An infected U.S. computer has an average of 8 instances of malware
• U.S. has highest number of infected computers
• 431 million adults experienced cybercrime in last year
• 1+ million daily victims (14 each second)
• 79% Internet users online 49+ hours per week have been victims
• 1 in 2.27 = odds consumer become cybercrime victim
• $388 billion total cost cybercrime

If you knew that your computer would be attacked today what would you do? On the next few pages we will discuss what you can do to protect yourself, and your computer.

What is information security?

Information security is a term that is frequently used to describe the task of guarding information that is in digital format. The goal in information security is to protect information that has value to people and organizations, and avoid legal consequences. Three key characteristics of information that must be protected are:

1. Confidentiality – Ensures that only authorized parties can view the information
2. Integrity – Ensures that the information is correct and no unauthorized person or malicious software has altered the data.
3. Availability – Ensures data is accessible to authorized users.

These three characteristics of information security are better known as CIA.

Typically, we are extra cautious when we find ourselves in unfamiliar places. The same caution should be used when on the internet. The internet is a network of interconnected computers that share information. It is like a digital interstate system.
Your automobile can easily transport you from where you are to another location in order to accomplish some kind of task (grocery shopping, entertainment, etc.). The same is true with the internet – the internet allows you to gain information about something you do not know without having to physically go there.

When dealing with information security, it is important to be able to understand the language used – just as the medical profession has its own language. To make this terminology easier to understand, let’s consider the following scenario.

There is inherent risk (the likelihood that something will happen) with many daily activities we perform. If you were to drive an automobile there is a risk of an accident caused by another driver. The automobile is an asset – something that has value. Other drivers are a threat – an event or object that may defeat the security measures in place and result in a loss. Just because there is a threat of an accident does not mean that one will happen. Therefore, a threat does not mean that security has been compromised, but that there is a potential for a loss. Other drivers are considered a threat agent – a person or thing that has the power to carry out a threat. In order to drive safely, each driver must stay in his or her own lane. If a driver is not alert, due to being tired or intoxicated, the driver may not stay in his or her own lane, creating a vulnerability (a weakness that allows a threat agent to bypass security). Intentionally taking advantage of a vulnerability is known as exploiting the weakness.

Just as there are risks associated with driving an automobile on the interstate, there are risks with using the internet. One such risk is that an attacker could select you as a target.

Who are the attackers?

Attackers come in several different categories. Here are just a few:

1. Hackers – a general term used to identify anyone who illegally breaks into, or attempts to break into, a computer system.
Hackers typically have an advanced knowledge of computers and networks. There are several subgroups, but the two primary groups of hackers are Black Hat and White Hat. A “black hat” hacker is an attacker who gains access to computer systems with malicious intent. On the other hand, “white hat” hackers (also known as ethical hackers) break in for non-malicious reasons, usually to expose security flaws in an effort to protect a computer system or network from attacks.
2. Script kiddies – Unskilled users that do their work by downloading automated hacking software (scripts) and using them to break into computers. Script kiddies lack the advanced skills of hackers, but are sometimes considered more dangerous. Their ability to use these tools without fully understanding what they do or the impact of their actions makes them a threat.
3. Spies – A person who is hired to break into a computer to steal information. These people target specific computers or networks to steal sensitive information.
4. Employees – Considered the largest information security threat to business, employees typically have legitimate access to data, which can easily be compromised through bribes, blackmail, and money.
5. Cybercriminals – Cybercriminals are a loose-knit group of attackers who are highly motivated, better funded, and more eager than hackers. This group focuses its attacks on making money. They typically target credit card data and online financial account information (cybercrime).
6. Cyberterrorists – This group of attackers should be the most feared. It is almost impossible to predict when or where an attack may occur because this group is motivated by ideology, not money. This group typically targets computers or networks that affect the largest number of people, such as power grids.

Security Awareness Assessment

If you are reading this document in association with a class at CFCC, please log into SAM to complete the Security Awareness Assessment BEFORE reading further.
This Assessment has no point value, so please answer the questions honestly.

Why such an increase in Attacks?

The question is often asked, “What do I have that an attacker wants?” A better question might be, “What do I have that I don’t want attackers to have?” While considering this question, here are a few difficulties faced when protecting your data:

Speed of attacks – Attackers can quickly scan systems to find weaknesses and launch attacks very quickly. One such example was the Slammer Worm [1], the fastest computer worm in history. As it spread throughout the Internet, it doubled in size every 8.5 seconds. At its peak, the worm was scanning 55 million computers per second to find other computers to infect.

[Figure: Slammer Worm spread. Before Infection (5:30 UTC); After Infection (6:00 UTC), 30 minutes later]

More sophisticated attacks – Attackers today are sending malicious data or commands to attack computers, masking the attacks as legitimate data and commands. This makes it very difficult to distinguish an attack from legitimate traffic.

Simplicity of attack tools – Many of the attack tools that attackers need are freely available on the Internet and do not require any technical knowledge to use.

Faster detection of weaknesses – Attackers are able to quickly respond to newly found vulnerabilities and take advantage of the corresponding “window of exposure” (the time between when the vulnerability is found, and a fix is developed). These attacks are typically called zero day attacks, since there is no early warning that an attack is imminent.

Delays in user patching – Software makers are constantly updating their software to eliminate vulnerabilities. However, if a software maker were to keep its software 100% secure at all times, it is estimated that it would have to update the software every 10 minutes in order to keep users protected.

Distributed attacks – Attackers can use thousands of computers in an attack against one computer, or a network.
By using multiple computers, it is much harder to locate a single source point to determine where the attack started.

Exploit user ignorance & confusion – Users are often misinformed about the correct way to protect their computer from attackers. This leads users to make decisions without understanding the implications.

[1] http://www.caida.org/publications/papers/2003/sapphire/sapphire.html

Identity Theft

How do you compare to other computer users?

• 88% use their home computer for online banking, stock trading, reviewing personal medical information, and storing financial information, health records, and resumes
• 98% agree it is important to be able to know the risk level of a web site before visiting it (but 64% admit they don’t know how to)
• 92% think that their anti-virus software is up to date (but only 51% have current antivirus software that has been updated within the last 7 days)
• 44% don’t understand firewalls
• 25% have not even heard of the term “phishing” and only 13% can accurately define it
• 22% have anti-spyware software installed, an enabled firewall, and anti-virus protection that has been updated within the last 7 days

The 2003 survey from the Identity Theft Resource Center found that:

• Only 15% of victims find out about the theft through proactive action taken by a business
• The average time spent by victims resolving the problem is about 330 hours
• 73% of respondents indicated the crime involved the thief acquiring a credit card

One often overlooked segment of Information Security is securing one’s personal identity. The internet often gives a false sense of security, since most people access the internet on personal devices, in places where they feel secure. Identity Theft occurs when someone’s personal information, such as a social security number, is used to establish bank or credit card accounts that are then left unpaid, leaving the victim with debts and ruining their credit rating.
Here are a few of the ways thieves can steal your identity:

• Unshredded personal documents (dumpster diving) – to prevent this, be sure to completely destroy any documents that contain personally identifiable information.
• Lost USB Drives/External storage devices – if personal information must be stored on these devices, use a password or some encryption technique to ensure personal information isn’t readily available. When disposing of these devices be sure to completely erase all personal information.
• Unsecure PDAs/Cell Phones – to prevent this, be sure to enable a security code on these devices so thieves don’t have easy access to your information. When upgrading or repairing, be sure to properly wipe (sanitize) the device to ensure no personal information is available to others.
• Stealing Bank/Credit Cards, ID Cards, Passports (Pickpocketing, Mail Theft) – to prevent this, be sure to periodically take a personal inventory of these to ensure none are missing.
• Skimming of Bank/Credit Cards – Skimming is a technique where a thief makes a “copy” of your card with a compromised card reader, or hand-held card reader. To prevent this, be sure you know where you use your card, and monitor your statement for unauthorized charges.

It is important to periodically monitor your personal credit report to ensure the information is accurate. You can request a free credit report from http://annualcreditreport.com. (Beware of “Imposter” sites offering your report for a fee!)

Remember that no amount of prevention is 100% fail safe. For more information about Identity Theft, please visit http://www.FTC.gov/IDTheft

The Security Paradigm

The biggest challenge in a security system is the balance between Security and Convenience. As Security increases, convenience decreases. The difficulty is having a system that will keep the “bad guys” out while also allowing the “good guys” to do their job.
If you were to have the best security system in the world installed at your home but then used a brick to prop a door open, how useful would that system be? The same is true in information security – there is a tradeoff for ensuring your information is secure, and that means we need to accept that some convenience is lost.

Password Paradox

A password is a series of letters or numbers used to authenticate a user (verify you are who you say you are). For a password to remain secure it should never be written down but must be committed to memory. Passwords should also be of a sufficient length and complexity that an attacker cannot easily determine them.

Here’s the “Paradox”: although lengthy and complex passwords should be used and never written down, it is very difficult to memorize these types of passwords. Most of us have multiple accounts for computers at work, school, and home, e-mail accounts, banks, and online Internet stores, and each account should have its own unique password.

What makes a Weak Password?

1. Common words – like ones found in a dictionary (e.g.: Eagles).
2. Short passwords – passwords that contain the minimum number of characters, or are sequential and easy to guess (ABCDEF).
3. Personal information passwords – passwords containing the name of a child, pet, or family member.
4. Writing a password down – anyone who has access to the note can see your password.
5. Not changing a password – passwords are not designed to “last a lifetime”; change them, and change them often!
6. Reuse of the same password – it’s not enough to change a password, make it unique each and every time. Attackers know that eventually everyone will reuse a password, so it’s just a matter of time before they find yours.

Password Principles

1. Any password that can be memorized is a weak password.
2. NEVER share your password with anyone.
3. Any password that is repeated on multiple accounts is a weak password – once an attacker has your password, they can access everything that uses that same password!

Choosing a Password

Which of the following passwords is more secure?

1. thisisaverylongpassword
2. Xp4!e%

Answer: Length always trumps complexity!!!

Number-of-Keyboard-Keys ^ Password-Length = Total-Number-of-Possible-Passwords
(the number of keys raised to the power of the password length)

Keyboard Keys    Password Length    Possible Passwords
95               2                  9,025
95               3                  857,375
95               4                  81,450,625
95               6                  735,091,890,625
189              6                  4.5579633e+13

If You Rely On Memory Only

1. Length is more important than complexity: longisthislongerpassword is better than u$%#16
2. Do not use passwords that consist of dictionary words or phonetic words
3. Do not use birthdays, family member names, pet names, addresses, or any personal information
4. Do not repeat characters (xxx) or use sequences (abc, 123, qwerty)
5. A minimum of 12 characters in length should be used (if allowed). For accounts that require higher security a minimum of 18 characters is recommended
6. Consider using a longer passphrase: theraininspainfallsmainlyontheplain
7. Use nonkeyboard characters

What are nonkeyboard characters?

Make passwords stronger with special characters not on the keyboard. The characters are created by holding down the ALT key on the keyboard while simultaneously typing a number on the numeric keypad (but not the numbers across the top of the keyboard). For example, ALT + 0163 produces £. To see a list of all the available nonkeyboard characters click Start and Run and enter charmap.exe; click on a character and the code ALT + 0xxx will appear in the lower-right corner if the character can be reproduced in Windows.

[Figure: Microsoft Character Map]

Verifying your Password

The following exercises will test how strong your passwords are. Enter one of your passwords (past or current) to check it.

Visit Microsoft’s Safety and Security Center to see how strong your passwords are.

1. For this lab please visit https://www.microsoft.com/security/pc-security/password-checker.aspx
2. Enter one of your currently used passwords to check the strength. Your password strength is rated as Weak, Medium, Strong, or Best.
3. If you do not have a rating of “Best”, what can you do to increase the strength?

Visit “How Secure is my Password?” to test your password to see how long it would take before an attacker could crack your password.

1. For this lab please visit http://howsecureismypassword.net
2. Enter one of your currently used passwords.
3. What could you do to increase the time before your password is cracked?

Other interesting password sites:

• http://www.passwordmeter.com
• http://www.testyourpassword.com
• Ultra High Security Passwords: www.grc.com/passwords.htm

Phishing

The key to a successful phishing attack is the use of social engineering – the practice of deceiving someone to obtain secure information.

Phishing is a common form of social engineering where an attacker sends an email or displays a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information.

The user is asked to respond to an e-mail or is directed to a Web site where he or she is instructed to update personal information, such as passwords, credit card numbers, Social Security numbers, bank account numbers, or other information for which the legitimate organization already has a record. However, the Web site is actually a fake and is set up to steal the user’s information. This fake site is called a spoofed site. It looks exactly like another, but does not belong to the organization represented.

In September 2010 a massive data breach from computers belonging to South Carolina's Department of Revenue (DOR) exposed Social Security numbers of 3.8 million taxpayers plus credit card & bank account data for a total of 74.7 GB.
This breach started with an employee's computer being infected with malware after the user opened a phishing e-mail. The attacker captured the person's username and password, and then installed tools that captured user account passwords on 6 servers. Eventually the attacker gained access to 36 other systems. As of January 2013, this attack has cost the state of South Carolina $20 million and counting. Read more here: http://www.thestate.com/2013/01/06/2578924/the-latest-on-sc-hacking-costs.html

Phishing Tests

How quickly can you recognize a phishing scam?

1. For this lab please visit http://www.sonicwall.com/furl/phishing/
2. You will complete a series of 10 questions that will be based on screenshots of actual emails. You will have to decide if the email is phishing or legitimate. Answer all ten questions to see your score.
3. To better prepare you to recognize Phishing attempts, a score of 80 or higher is suggested. When you are ready to begin, click “Start The Test”.
4. What is an example of a phishing attempt that looked legitimate and why?

How bad is phishing? To get a better understanding of the impact Phishing is having worldwide visit http://www.antiphishing.org/resources/apwg-reports/ and select a Phishing Attack Trends Report.

Social Networking

Typically, a social network is made up of individuals and organizations grouped together based on some type of affiliation. Web sites that facilitate linking individuals with common interests like hobbies, religion, politics, or school contacts are called social networking sites and function as an online community of users. Some of the more popular social network sites (also known as online communities) are Facebook, Twitter, Google+, LinkedIn and others.

These various sites require a user to create an account containing a certain amount of personal information. A user who is granted access to a social networking site can read the profile pages of other members and interact with them.
With the various types of easily accessible personal information, these sites have increasingly become prime targets of attacks.

Consider carefully who is accepted as a friend. Once a person has been accepted as a friend that person will be able to access any personal information or photographs you have posted.

Show "limited friends" a reduced version of your profile. Individuals designated as “limited friends” only have access to a smaller version of the user’s profile.

Disable options and then reopen them only as necessary. Re-enable options as needed instead of making everything accessible and restricting access later after it is too late.

When using social networking sites it is important to understand that information posted on these sites creates a digital footprint, a data trail left behind by interactions in a digital environment. What seems like something funny posted today may not be so funny 8-10 years from now, and could even affect a potential job opportunity. Just deleting something from one of these sites does not mean it is gone. Since the Internet is a network of many computers, there is no way to guarantee that something deleted is deleted on all the various computers that your data may be on. A better perspective is to view anything posted on a social networking site as something that “lives forever”.

Backups

It has long been said that the only people who back up their data are those who have lost something. It cannot be stressed enough that your data must be backed up. Creating a backup involves making a copy of your data and placing it in another location. This creates what is called data redundancy. In addition to ensuring no data is lost, a backup provides a copy of files that can be used as a replacement in the event that one becomes damaged, deleted, or changed accidentally.

Deleting a file does not mean that it is permanently gone (even if the drive is reformatted) but that you no longer have access to it.
Data recovery centers and forensic recovery specialists have tools that oftentimes allow the recovery of deleted data. However, having a backup is much less costly than paying to recover data that could have easily been backed up.

Here is a good rule of thumb. If you have a file (whether it be a Word document, picture, or anything else) that would be missed if you could never access it again, this file should be backed up.

Firewalls

A firewall restricts what can come in and go out of your computer across the network. It is like a locked door on your computer. It stops harmful data from coming in and stops a compromised computer from infecting other computers on your network. A two-way personal software firewall inspects network traffic passing through it and denies/permits passage based on rules. An application-aware firewall allows a user to specify which desktop applications can connect to the network.

Just as you close the door to your house to stop unwanted visitors, a firewall does the same on your computer.

Firewall Test

In this exercise you can test your personal firewall. You may have a hardware firewall or be using the built-in firewall features of your specific operating system. This lab will test to see if there are any flaws in your firewall. Please refer to the Test My Firewall Lab at the end of this text.

Patch Management

It is essential that your computer is kept up to date. Many of the vulnerabilities your computer is exposed to can be closed quickly and effectively by applying system patches. A patch is a piece of software designed to fix a problem. As you may recall, one of the reasons for the increase in attacks is the lack of software patches. A patch will only help if it is installed. Microsoft Windows includes the Windows Update utility to install system updates. The MacOS includes the Apple Software Update tool to keep the system up to date.

[Figure: Microsoft Windows Update]
Users don’t often patch their systems because they don’t want to take the time to wait for their computers to reboot. However, during this rebooting process, system files (files that are in use) are updated and can then be placed back into service.

Patching should not be limited to only the operating system. Many vendors regularly provide updates to their products. Acrobat Reader, Adobe Flash Player, and Java are just a few of the key software packages that should be updated regularly.

A 2012 survey of American, British and German computer users yielded the following:

• 40% do not always update software on computers when initially prompted
• 25% do not clearly understand what software updates do
• 25% do not understand the benefits of updating regularly
• 75% saw update notifications, but over half said they needed to see the notification between 2-5 times before deciding
• 25% do not know how to check if their software needs updating

Don’t leave your computer vulnerable. Take a few moments to see if your computer needs to be updated!

Patch Management

In this exercise you can check to see if your computer is up to date. Please refer to the Patch Management Lab at the end of this text.

Antivirus

Antivirus software monitors files in “real time” to help prevent, detect, and remove malware from a computer. Malware is a broad term that describes any program that is intended to cause harm. Malware comes in many different forms – viruses, worms, trojans, rootkits, spyware, and adware.

[Figure: Malware types – Trojans, Rootkits, Worms, Viruses, Spyware, Adware]

A virus instructs your computer to perform annoying or destructive activities. A virus is heavily dependent upon the user for its survival; the user must launch the program or open a file for the virus to activate.

Worms are malicious programs designed to take advantage of vulnerabilities in an application or operating system in order to enter a computer. Unlike viruses, a worm does not require any user interaction to spread.
Trojans are executable programs advertised as doing one activity, but doing something else. Trojans contain hidden code that launches an attack. Unlike viruses, a trojan is installed on a computer system with the user’s consent and knowledge. One of the most common trojan attacks comes in the form of fake antivirus programs. These programs typically present themselves as a “popup” stating that your computer is infected, and that their program will fix the problem. Don’t be fooled!

[Figure: Fake Antivirus Screenshot]

Rootkits are a set of software used by an attacker to hide the presence of other types of malware. This is accomplished through changing the operating system to force it to ignore any malicious activity. Rootkits are the hardest to remove since they become an integrated part of the operating system. Oftentimes the reinstallation of the operating system is the only practical way to remove them.

Antivirus software searches files for known infections based on a dictionary of malware signatures (how they typically behave). Since the majority of antivirus solutions use a dictionary, it is essential that they be maintained and kept up to date to provide current protection. An antivirus solution with an outdated dictionary is not as effective in removing newly discovered malware. The key is to update, and do it often.

[Figure: Microsoft Security Essentials Antivirus]

It is essential that the chosen antivirus solution includes an anti-spyware component. Spyware is software that tracks a computer user’s internet usage and sends that information to a company or person, usually without the user’s permission or knowledge. Unlike spyware, adware is software installed with another program, usually with the user’s permission, that generates advertising revenue by showing targeted ads to the user.

To ensure maximum protection, you must periodically test and verify that your antivirus solution is operating properly.

Test Antivirus

In this exercise you will test the effectiveness of your antivirus program. Please refer to the Test My Antivirus Lab at the end of this text.

User Account Control

User Account Control (UAC) notifies a user when software attempts to perform a task that requires administrative access, and then prompts for approval. If the current user is a standard user, then an administrative password would need to be provided to continue.

[Figure: User Account Control Dialog Box]

This tool was created to PROTECT your computer! Too often users turn off or disable UAC, just because the notifications are “annoying.” Instead of being disabled, UAC should be leveraged as a tool to protect your computer from malware. By accessing the Control Panel, then selecting User Accounts, then “Change User Account Control settings” you can increase the level of protection to “Always notify.” By doing so, UAC will display the authentication dialog box, and it must be answered before continuing. If you are not installing any software, you should never see UAC interact with you. This is one way to prevent malware from infecting your computer without your knowledge.

[Figure: User Account Control Settings]

Wireless Security

Does wireless security matter? First, any unsecured wireless device will allow an attacker to get into any folder set with file sharing enabled. Second, an attacker can easily monitor and capture wireless transmissions (find out what you are doing online). An attacker can gain access to the network behind the firewall and can inject malware, allowing additional access to the entire network. An attacker could download harmful content that is then linked to the unsuspecting owner, all without his or her knowledge.

Here’s a true story of one family’s experience of an attack performed by a neighbor:

After being accused of improper conduct with a family’s son, Barry A. wanted to get even with the neighbors by using his computer hacking skills. He started by breaking the family’s WiFi WEP encryption.
He then created a fictitious MySpace page with the husband's name on it and posted a picture of child pornography. He included a note that the husband was a lawyer and could get away with “doing anything.” Barry e-mailed the same pornography to the husband's co-workers, and sent flirtatious e-mails to women in the husband's office. He also sent threatening e-mails to the Vice President of the U.S. from the husband's Yahoo account saying he was a terrorist and would kill the VP.

The husband’s law office hired a forensics investigator who installed a protocol analyzer. This led to evidence that Barry was involved. Surrounding the threatening e-mail sent to the Vice President was data that included Barry's name and account information. The FBI searched Barry's house and found evidence that Barry had done the same attack against a previous neighbor. Barry was offered a 2-year sentence but turned it down, so prosecutors piled on more charges. Finally, Barry pled guilty and was sentenced to 18 years in prison and had to forfeit his house and all his computer gear.

http://www.wired.com/threatlevel/2011/07/hacking-neighbor-from-hell/

To secure a wireless network:

1. Lock Down the Device
   • Create a strong password (over 15 characters)
   • Disable remote management (this eliminates the ability to access the wireless device and change its settings via the Internet)

2. Turn on WPA2
   • Locate the wireless security options
   • The WPA2 Personal security option, which may be labeled as WPA2-PSK [AES], is turned on by clicking the appropriate option button
   • A key value, sometimes called a pre-shared key (PSK), WPA2 shared key, or passphrase, must be entered. This key value can be from 8 to 63 characters in length

   [Figure: Wireless security settings]

   After turning on WPA2 Personal on a wireless router, and entering a key value, the same key value must also be entered on each mobile device that has permission to access the Wi-Fi network.
   A mobile device that attempts to access a wireless network with WPA2 Personal will automatically ask for the key value. Once the key value is entered, the mobile device can retain the value and does not need to ask for it again.

3. Beware of Imposters
   • When presented with a list of wireless networks, be sure to NOT select the ad-hoc (computer-to-computer) network icon (see red arrow in wireless network list to the right). This indicates a connection directly to another computer, and NOT to a network. Attackers frequently use this technique to make a direct connection to another user’s computer to steal information or install malware. The icons with the bars represent a network connection.

   [Figure: Wireless network list]

Bluetooth

Bluetooth is a wireless technology that utilizes a radio frequency (RF) for transmitting data over a short distance. When using a smartphone or tablet that supports Bluetooth, it is advisable to disable Bluetooth and turn on this service only as necessary. Bluetooth devices should be turned off when not being used or when in a room with unknown people. Another option is to set Bluetooth on the device as undiscoverable, which keeps Bluetooth turned on in a state where it cannot be detected by another device. Attackers can use an open Bluetooth connection to gain access to your device, copy e-mails, calendars, contact lists, or media stored on the phone without the owner’s knowledge or permission.

Final Thoughts

Take a moment to compare your initial thoughts as reflected in the Initial Security Awareness Assessment you took in SAM. Now that you have read through this guide, see if there are any answers you would change.
Key Terms

A: adware, 14; antivirus, 14; asset, 3; authenticate, 7; availability, 3
B: backup, 11; Bluetooth, 17
C: CIA, 3; confidentiality, 3; cybercrime, 4; cybercriminals, 4; cyberterrorists, 4
D: data redundancy, 11; digital footprint, 11
E: employees, 4; ethical hacker, 4; exploiting, 3
F: firewall, 12
H: hackers, 4
I: identity theft, 6; information security, 3; integrity, 3; internet, 3
M: malware, 13
N: nonkeyboard characters, 9
P: password, 7; password management app, 8; patch, 12; phishing, 10
R: risk, 3; rootkits, 14
S: script kiddies, 4; security paradigm, 7; slammer worm, 5; social engineering, 10; social networking sites, 10; spies, 4; spoofed, 10; spyware, 14
T: threat, 3; threat agent, 3; trojans, 14
U: user account control, 15
V: virus, 13; vulnerability, 3
W: weak password, 7; window of exposure, 5; worms, 13
Z: zero day attacks, 5

Test My Firewall

This lab will test your firewall for possible weaknesses.

1. For this lab please visit http://www.grc.com
2. In the menu, select Services, then select “Shields UP!”
3. The Shields UP page will load, giving you some initial feedback about your connection. Select the “Proceed” button to begin.
4. Next the ShieldsUP!! Services application will load. To test your firewall, select “All Service Ports” to begin. Be patient as this test will take some time.
5. Once the test is complete, you will receive the results of the “grid scan.” A “perfect scan” would be completely green, with red representing an open port and blue representing a closed port. Scroll down below the results to see a full explanation of the results, and the meanings of the colors.

Patch Management

This lab will test your computer to see if you have any insecure versions of common/popular programs installed on your PC. This lab runs through your browser, so no installation or download is required.

1. For this lab please visit http://secunia.com/vulnerability_scanning/online/
2. If a Java prompt opens asking “Do you want to run this application?” and the publisher is listed as Secunia, click Run.
3. On the right side of the screen select “Start Scanner”
4. A security warning may open asking whether to “Block potentially unsafe components from being run?” Select “Don’t Block”
5. Now click Start to begin the system scan.
6. When the scan is complete, scroll down to the bottom of the screen to see the results of the scan. Links to download updates should be provided for most recommended updates.

Test My Antivirus

If you do not have a current antivirus software program, or what you have is out of date, you can download Microsoft Security Essentials for FREE by visiting: http://www.microsoft.com/Security_Essentials/

If your computer is infected, and you know what infection you have, you can download a removal tool provided by Norton Antivirus at: http://us.norton.com/security_response/removaltools.jsp

This lab will test your antivirus software to see if it is functioning properly.

1. For this lab visit http://www.eicar.org/anti_virus_test_file.htm
2. The website will initially open to an “Intended Use” page.
3. On the left menu, select Download
4. The download page will open, and each test file is described.

NOTICE: This test does NOT contain actual viruses. The test file being used was created to allow an anti-virus software package to react as if it were a virus. YOU DOWNLOAD THESE FILES AT YOUR OWN RISK.