© 2007 Cisco Systems, Inc. All rights reserved.

Module 16 Advanced Security

16.0 Introduction

This chapter reviews the types of attacks that threaten the security of computers and the data contained on them. A technician is responsible for the security of data and computer equipment in an organization. The chapter describes how you can work with customers to ensure that the best possible protection is in place.

Risks to computers and network equipment come from both internal and external sources. Risks include physical threats, such as theft or damage to equipment, and data threats, such as the loss or corruption of data.

After completing this chapter, you will meet these objectives:
• Outline security requirements based on customer needs.
• Select security components based on customer needs.
• Implement customer's security plan.
• Perform preventive maintenance on security.
• Troubleshoot security.

Figure: Computer Security (chapter outline)
• Outline Customer's Security Requirements
• Select Security Components
• Implement Security Plan
• Perform Preventive Maintenance
• Troubleshoot Security

16.1 Outline security requirements based on customer needs

An organization should strive to achieve the best and most affordable security protection against data loss or damage to software and equipment. Network technicians and the organization's management should work together to develop a security policy to ensure that data and equipment have been protected against all security threats. A security policy includes a comprehensive statement about the level of security required and how this security will be achieved.

You may be involved in developing a security policy for a customer or organization. When creating a security policy, you should ask the following questions to determine security factors:
• Is the computer located at a home or a business? Home computers generally are more vulnerable to wireless intrusion than business computers. Business computers have a higher threat of network intrusion, due to users abusing their access privileges.
• Is there full-time Internet access? The more a computer is exposed to the Internet, the greater the chance of attacks from other infected computers. A computer accessing the Internet should include firewall and anti-virus solutions.
• Is the computer a laptop? Physical security is an issue with laptop computers. There are measures to secure laptops, such as cable locks.

After completing this section, you will meet these objectives:
• Outline a local security policy.
• Explain when and how to use security hardware.
• Explain when and how to use security application software.

16.1.1 Outline a local security policy

A security policy is a collection of rules, guidelines, and checklists. Network technicians and managers of an organization work together to develop the rules and guidelines for the security needs of computer equipment. A security policy includes the following elements:
• Defines an acceptable computer usage statement for an organization.
• Identifies the people permitted to use the computer equipment in an organization.
• Identifies devices that are permitted to be installed on a network, as well as the conditions of the installation. Modems and wireless access points are examples of hardware that could expose the network to attacks.
• Defines the requirements necessary for data to remain confidential on a network.
• Determines a process for employees to acquire access to equipment and data. This process may require the employee to sign an agreement regarding the company rules. It also lists the consequences for failure to comply.
The security policy should also provide detailed information about the following issues in case of an emergency:
• Steps to take after a breach in security
• Who to contact in an emergency
• Information to share with customers, vendors, and the media
• Secondary locations to use in an evacuation
• Steps to take after an emergency is over, including the priority of services to be restored

CAUTION: A security policy must be enforced and followed by all employees to be effective.

Worksheet: Security Policy – Contribute to a security policy

Emergency Checklist in the Security Policy – Emergency Checklist Table of Contents (Example)
Data Loss
  - Due to equipment theft
  - Due to wiretapping
  - Due to internal personnel
  - Due to external personnel
  - Due to temporary personnel/contractors/vendors
Power related emergencies
  - Building or floor power outage
  - Local power outage
  - Large or regional power outage
Terrorist Action
  - Terrorist attack leads to evacuation
  - Terrorist attack leads to lockdown
Theft
  - Physical theft of network device
  - Physical theft of desktop computer
  - Physical theft of laptop

16.1.2 Explain when and how to use security hardware

The security policy should identify hardware and equipment that can be used to prevent theft, vandalism, and data loss. There are four interrelated aspects to physical security, which are access, data, infrastructure, and the computer, as illustrated in Figure 1.
Restrict access to premises with the following:
• Fences
• Security hardware

Protect the network infrastructure, such as cabling, telecommunication equipment, and network devices:
• Secured telecommunications rooms
• Wireless detection for unauthorized access points
• Hardware firewalls
• Network management system that detects changes in wiring and patch panels

Protect individual computers:
• Cable locks
• Laptop docking station locks
• Lockable cases
• Secured cages surrounding desktop cases

Protect data with hardware that prevents unauthorized access or theft of media:
• Lockable HD carriers
• Secure storage and transport of backup media
• USB security dongles

The Right Security Mix

Factors that determine the most effective security equipment to use to secure equipment and data include the following:
• How will the equipment be used?
• Where is the computer equipment located?
• What user access to data is required?

For instance, a computer in a busy public place, such as a library, requires additional protection from theft and vandalism. In a busy call center, a server may need to be secured in a locked equipment room. Where it is necessary to use a laptop computer in a public place, a security dongle, shown in Figure 2, ensures that the system locks if the user and laptop are separated.

Figure 1: Physical Security – Access, Data, Infrastructure, Computers

16.1.3 Explain when and how to use security application software

Security applications protect the operating system and software application data.
The following products and software applications can be used to protect network devices:
• Software firewall – Filters incoming data and is built into Windows XP
• Intrusion Detection Systems (IDS) – Monitor and report on changes in program code and unusual network activity
• Application and OS patches – Update applications and the operating system to repair security weaknesses that are discovered

There are several software applications available to protect computers from unauthorized access by malicious computer code:
• Virus protection
• Spyware protection
• Adware protection
• Grayware protection

In small offices and homes, computers generally connect directly to the Internet rather than through the protected LAN that organizations use. This puts computers outside of a LAN at high risk for viruses and other attacks. At a minimum, these computers should use anti-virus and anti-malware protection programs. Application software and the operating system should be updated with the latest patches. A software firewall may also be part of the solution.

The security policy should determine the level of security applications put in place. Each step that increases protection costs money. In developing a policy, management should calculate the cost of data loss versus the expense of security protection and determine what tradeoffs are acceptable.

Figure: Security Applications – Software Firewall, Intrusion Detection Systems (IDS), Application and OS Patches

16.2 Select security components based on customer needs

The security policy helps customers to select the security components necessary to keep equipment and data safe. If there is no security policy, you should discuss security issues with the customer. Use your past experience as a technician and research the current security products on the market when selecting security components for the customer.
The goal is to provide the security system that best matches the customer's needs.

After completing this section, you will meet these objectives:
• Describe and compare security techniques.
• Describe and compare access control devices.
• Describe and compare firewall types.

16.2.1 Describe and compare security techniques

A technician should determine the appropriate techniques to secure equipment and data for the customer. Depending on the situation, more than one technique may be required.

Passwords

Using secure, encrypted login information for computers with network access should be a minimum requirement in any organization. Malicious software monitors the network and may record plain-text passwords. If passwords are encrypted, attackers would have to decode the encryption to learn the passwords.

Logging and Auditing

Event logging and auditing should be enabled to monitor activity on the network. The network administrator audits the log file of events to investigate network access by unauthorized users.

Wireless Configurations

Wireless connections are especially vulnerable to access by attackers. Wireless clients should be configured to encrypt data.

Encryption

Encryption technologies are used to encode data being transmitted on a network. Each technology is used for a specific purpose:
• Hash encoding – Hash encoding, or hashing, ensures that messages are not corrupted or tampered with during transmission. Hashing uses a mathematical function to create a numeric value that is unique to the data. If even one character is changed, the function output, called the message digest, will not be the same. However, the function is one way: knowing the message digest does not allow an attacker to re-create the message. This makes it difficult for someone to intercept and change messages. Hash encoding is illustrated in Figure 1. The names of the most popular hashing algorithms are SHA and MD5.
• Symmetric encryption – Symmetric encryption requires both sides of an encrypted conversation to use an encryption key to be able to encode and decode the data. The sender and receiver must use identical keys. Symmetric encryption is illustrated in Figure 2.
• Asymmetric encryption – Asymmetric encryption requires two keys, a private key and a public key. A private key is required for writing a message, and a public key is needed to decode the message. The advantage of asymmetric encryption is that only the private key needs to be kept secret. Public keys can be distributed openly by e-mail or by posting them on the web. Asymmetric encryption is illustrated in Figure 3.
• Virtual private network (VPN) – A virtual private network uses encryption to secure data as if it was traveling in a private, corporate LAN, even though the data actually travels over any network, for example, the Internet. The secured data pipelines between points in the VPN are called "secure tunnels". The process is illustrated in Figure 4.

Figure 1: Hash Encoding. The sender enters the message to be hash encoded ("Here is the quote you requested..."); the hash algorithm (SHA or MD5) produces a message digest (A7DE89DCA00ACB...); the sender sends the message digest along with the message, which is transmitted over the network (secure or unsecure). The receiver recovers the sent message and runs the same hash algorithm to produce a message digest. If the digest is not identical, the message has been changed or tampered with.

16.2.2 Describe and compare access control devices

Computer equipment and data can be secured using overlapping protection techniques to prevent unauthorized access to sensitive data. An example of overlapping protection is using two different techniques to protect an asset. This is known as two-factor security, as shown in Figure 1.
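The hash-encoding exchange from Figure 1 of 16.2.1, carried through in Python as an added example (it is not part of the Cisco course material): the sender computes a digest, sends it with the message, and the receiver recomputes and compares. It also shows the limit the figure leaves out, namely that a bare digest can be recomputed by whoever alters the message in transit, and how a keyed hash (HMAC with a shared key; the key value here is constructed) closes that gap.

```python
import hashlib
import hmac

# Constructed sample message, taken from the Figure 1 caption.
MESSAGE = "Here is the quote you requested..."


def make_digest(message: str, algorithm: str = "sha256") -> str:
    """Sender side of Figure 1: run the hash algorithm over the message bytes
    and return the hex message digest. "md5" and "sha1" (the SHA/MD5 named in
    the course) are accepted too; sha256 is the default here because MD5 and
    SHA-1 are no longer collision resistant."""
    h = hashlib.new(algorithm)
    h.update(message.encode("utf-8"))
    return h.hexdigest()


def verify_digest(message: str, received_digest: str, algorithm: str = "sha256") -> bool:
    """Receiver side: recompute the digest over the recovered message and compare
    it with the digest that arrived alongside. compare_digest runs in constant
    time, so the comparison itself leaks nothing about where the digests differ."""
    return hmac.compare_digest(make_digest(message, algorithm), received_digest)


def transmit_and_check(sent: str, delivered: str = None, algorithm: str = "sha256") -> dict:
    """Simulate the whole exchange. `delivered` is what the receiver actually gets;
    None means the network delivered the message unchanged."""
    digest_sent = make_digest(sent, algorithm)
    recovered = sent if delivered is None else delivered
    return {
        "digest_sent": digest_sent,
        "digest_recomputed": make_digest(recovered, algorithm),
        "intact": verify_digest(recovered, digest_sent, algorithm),
    }


# Caveat the figure does not show: a bare digest proves only that message and
# digest still match each other. Whoever can rewrite the message in transit can
# recompute the digest as well, so the receiver still sees "intact". Keying the
# hash with a secret shared by sender and receiver (HMAC, RFC 2104) means a
# matching tag cannot be produced without that key.

def make_hmac(message: str, key: bytes, algorithm: str = "sha256") -> str:
    return hmac.new(key, message.encode("utf-8"), algorithm).hexdigest()


def verify_hmac(message: str, key: bytes, tag: str, algorithm: str = "sha256") -> bool:
    return hmac.compare_digest(make_hmac(message, key, algorithm), tag)


def integrity_vs_authentication(key: bytes = b"constructed-demo-key") -> dict:
    """Receiver verdicts when the message is rewritten in transit and the plain
    digest is recomputed to match, versus an HMAC tag made with the shared key."""
    altered = MESSAGE.replace("quote", "invoice")
    plain_ok = verify_digest(altered, make_digest(altered))   # recomputed digest matches
    original_tag = make_hmac(MESSAGE, key)                   # tag made by the real sender
    hmac_ok = verify_hmac(altered, key, original_tag)        # altered text no longer matches
    return {"plain_digest_accepts_altered": plain_ok, "hmac_accepts_altered": hmac_ok}
```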
When considering a security program, the cost of the implementation has to be balanced against the value of the data or equipment to be protected.

Physical Security

Use security hardware to help prevent security breaches and loss of data or equipment. Physical security access control measures include the following:
• Lock – The most common device for securing physical areas. If a key is lost, all identically keyed locks must be changed.
• Conduit – A casing that protects the infrastructure media from damage and unauthorized access.
• Card key – A tool used to secure physical areas. If a card key is lost or stolen, only the missing card must be deactivated. The card key system is more expensive than security locks.
• Video equipment – Records images and sound for monitoring activity. The recorded data must be monitored for problems.
• Security guard – Controls access to the entrance of a facility and monitors the activity inside the facility.

Network equipment should be mounted in secured areas. All cabling should be enclosed in conduits or routed inside walls to prevent unauthorized access or tampering. Network outlets that are not in use should be disabled. If network equipment is damaged or stolen, some network users may be denied service.

The security policy should specify the level of security required for the organization. Biometric devices, which measure physical information about a user, are ideal for use in highly secure areas. However, for most small organizations, this type of solution would be too expensive.

Data Security

You can protect data by using data security devices to authenticate employee access. Two-factor identification is a method to increase security. Employees must use both a password and a data security device similar to those listed here to access data:
• Smart card – A device that has the ability to store data safely. The internal memory is an embedded integrated circuit chip (ICC) that connects to a reader either directly or through a wireless connection. Smart cards are used in many applications worldwide, like secure ID badges, online authentication devices, and secure credit card payments.
• Security key fob – A small device that resembles the ornament on a key ring. It has a small radio system that communicates with the computer over a short range. The fob is small enough that many people attach it to their key rings. The computer must sense the signal from the key fob before it will accept a username and password.
• Biometric device – Measures a physical characteristic of the user, such as their fingerprints or the patterns of the iris in the eye. The user is granted access if these characteristics match the device's database and the correct login information is supplied.

The level of security that the customer needs determines which devices to select to keep data and equipment secure.

Activity: Security Devices – Complete the security device matching activity in Figure 2

Figure 1: Two-Factor Security Technique – Password (good protection) + Biometrics or Smart Card (good protection) = Two-Factor Security (much better protection)

16.2.3 Describe and compare firewall types

Hardware and software firewalls protect data and equipment on a network from unauthorized access. A firewall should be used in addition to security software. Hardware and software firewalls have several modes for filtering network data traffic:
• Packet filter – A set of rules that allow or deny traffic based on criteria such as IP addresses, protocols, or ports used.
• Proxy firewall – A firewall that inspects all traffic and allows or denies packets based on configured rules. A proxy acts as a gateway that protects computers inside the network.
• Stateful packet inspection – A firewall that keeps track of the state of network connections traveling through the firewall. Packets that are not part of a known connection are not allowed back through the firewall.

Hardware Firewall

A hardware firewall is a physical filtering component that inspects data packets from the network before they reach computers and other devices on a network. Hardware firewalls are often installed on routers. A hardware firewall is a free-standing unit that does not use the resources of the computers it is protecting, so there is no impact on processing performance.

Software Firewall

A software firewall is an application on a computer that inspects and filters data packets. Windows Firewall is an example of a software firewall that is included in the Windows operating system. A software firewall uses the resources of the computer, resulting in reduced performance for the user.

Consider the items listed in Figure 1 when selecting a firewall.

NOTE: On a secure network, if computer performance is not an issue, you should enable the internal operating system firewall for additional security. Some applications may not operate properly unless the firewall is configured correctly for them.
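An added Python model, not from the course, of two of the firewall modes listed above: a packet filter that judges each packet on its own header fields, and stateful packet inspection that admits an inbound packet only when it belongs to a known connection. The packets, rules and addresses are constructed (documentation address ranges); the proxy mode is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "out": leaving the protected LAN; "in": arriving from outside
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Rule fields: (direction, proto, src_port, dst_port, action); None matches any value.
Rule = Tuple[str, str, Optional[int], Optional[int], str]


class PacketFilter:
    """Packet filter mode: each packet is judged on its own header fields against
    an ordered rule list. The first matching rule wins; no match means deny,
    i.e. the restrictive policy 16.3.2 recommends."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for direction, proto, src_port, dst_port, action in self.rules:
            if (direction == pkt.direction and proto == pkt.proto
                    and src_port in (None, pkt.src_port)
                    and dst_port in (None, pkt.dst_port)):
                return action
        return "deny"


class StatefulFirewall:
    """Stateful packet inspection mode: an outbound packet permitted by the rules
    records its connection; an inbound packet is allowed only if it is the reply
    half of a recorded connection. Inbound traffic with no matching state is
    dropped, whatever its ports say."""

    def __init__(self, outbound_rules: List[Rule]):
        self.outbound = PacketFilter(outbound_rules)
        self.connections: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            action = self.outbound.decide(pkt)
            if action == "allow":
                self.connections.add((pkt.proto, pkt.src_ip, pkt.src_port,
                                      pkt.dst_ip, pkt.dst_port))
            return action
        # Inbound: a reply's addresses are the mirror image of the stored tuple.
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if reverse in self.connections else "deny"


def run_traffic(firewall, packets: List[Packet]) -> List[str]:
    """Feed packets through in order; order matters for the stateful firewall."""
    return [firewall.decide(p) for p in packets]


# Constructed sample traffic. 192.168.1.10 is the protected PC; 203.0.113.5 and
# 198.51.100.7 are outside hosts.
SAMPLE_TRAFFIC = [
    Packet("out", "tcp", "192.168.1.10", 40000, "203.0.113.5", 80),   # 1. PC opens a web connection
    Packet("in", "tcp", "203.0.113.5", 80, "192.168.1.10", 40000),    # 2. the server's reply
    Packet("in", "tcp", "198.51.100.7", 80, "192.168.1.10", 40001),   # 3. unsolicited, source port 80
    Packet("in", "tcp", "198.51.100.7", 55555, "192.168.1.10", 445),  # 4. unsolicited, to file sharing
]

# To let web replies back in, a stateless filter needs an inbound rule keyed on
# the server's source port 80 alone, which packet 3 also satisfies.
STATELESS_RULES: List[Rule] = [
    ("out", "tcp", None, 80, "allow"),
    ("in", "tcp", 80, None, "allow"),
]

# The stateful firewall needs only the outbound rule; replies are matched
# against the connection table instead of a port-based inbound rule.
STATEFUL_RULES: List[Rule] = [("out", "tcp", None, 80, "allow")]


def compare_modes() -> dict:
    """Decisions for the same four packets under each mode."""
    return {
        "packet_filter": run_traffic(PacketFilter(STATELESS_RULES), SAMPLE_TRAFFIC),
        "stateful": run_traffic(StatefulFirewall(STATEFUL_RULES), SAMPLE_TRAFFIC),
    }
```

Packet 3 is the one that separates the modes: the packet filter has to let it through to keep web browsing working, while the stateful firewall denies it because no outbound connection to 198.51.100.7 was ever recorded.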
Worksheet: Firewalls – Research hardware and software firewalls

Figure 1: Hardware and Software Firewalls
Hardware Firewall
• Free standing and uses dedicated hardware
• Initial cost for hardware and software updates can be costly
• Multiple computers can be protected
• Little impact on computer performance
Software Firewall
• Available as third-party software and cost varies
• Windows XP operating system provides software firewall
• Typically protects only the computer it is installed on
• Uses the CPU, potentially slowing the computer

16.3 Implement customer's security policy

Adding layers of security on a network can make the network more secure, but additional layers of security protection can be expensive. You must weigh the value of the data and equipment to be protected against the cost of protection when implementing the customer's security policy.

After completing this section, you will meet these objectives:
• Configure security settings.
• Describe configuring firewall types.
• Describe protection against malicious software.

Figure: Security Costs – Keycards, Biometrics, Firewalls

16.3.1 Configure security settings

Two common security errors are incorrect permissions on folders and files and incorrect configuration of wireless security.

Levels of Permission for Folders and Files

Permission levels are configured to limit individual or group user access to specific data. Both FAT and NTFS allow folder sharing and folder-level permissions for users with network access. Folder permissions are shown in Figure 1. The additional security of file-level permissions is provided with NTFS. File-level permissions are shown in Figure 2.
Wireless Security Configuration

The following tools, which are shown in Figure 3, are used to configure wireless security:
• Wired Equivalent Privacy (WEP) – Encrypts the broadcast data between the wireless access point and the client using a 64-bit or 128-bit encryption key. Figure 4 shows WEP configuration.
• Wi-Fi Protected Access (WPA) – Provides better encryption and authentication than WEP.
• MAC address filtering – Restricts computer access to a wireless access point to prevent the casual user from accessing the network. MAC address filtering, as shown in Figure 5, is vulnerable when used alone and should be combined with other security filtering.
• Service Set Identifier (SSID) broadcasting – The wireless SSID broadcasts the identity of the network. Turning off the SSID broadcast makes the network seem to disappear, but this is an unreliable form of wireless network security.
• Wireless antennae – The gain and signal pattern of the antenna connected to a wireless access point can influence where the signal can be received. Avoid transmitting signals outside of the network area by installing an antenna with a pattern that serves your network users.

16.3.2 Describe configuring firewall types

A firewall selectively denies outside users from establishing connections to a computer or network segment. Firewalls generally work by opening and closing the ports that various applications use. By opening only the required ports on a firewall, you are implementing a restrictive security policy: any packet not explicitly permitted is denied. In contrast, a permissive security policy permits access through all ports except those explicitly denied.

At one time, software and hardware were shipped with all settings permissive. As many users neglected to configure their equipment, the default permissive settings left many devices exposed to attackers. Most devices now ship with settings as restrictive as possible, while still allowing easy setup.

Software Firewall

Software firewalls usually exist as a software application running on the computer being protected, or as part of the operating system. There are several third-party software firewalls. There is also a software firewall built into Windows XP, as shown in Figure 1. The configuration of the Windows XP firewall can be completed in two ways:
• Automatically – The user is prompted to "Keep Blocking", "Unblock", or "Ask Me Later" for any unsolicited requests. These requests may be from legitimate applications that have not been configured previously or may be from a virus or worm that has infected the system.
• Manage Security Settings – The user manually adds the programs or ports that are required for the applications in use on the network.

To add a program, select: Start > Control Panel > Security Center > Windows Firewall > Exceptions > Add Program.

To disable the firewall, select: Start > Control Panel > Security Center > Windows Firewall.

Lab: Windows XP Firewall – Configure a Windows XP firewall

16.3.3 Describe protection against malicious software

Malware is malicious software that is installed on a computer without the knowledge or permission of the user. Certain types of malware, such as spyware and phishing attacks, collect data about the user that can be used by an attacker to gain confidential information. You should run virus and spyware scanning programs to detect and clean unwanted software. Many browsers now come equipped with special tools and settings that prevent the operation of several forms of malicious software. It may take several different programs and multiple scans to completely remove all malicious software:
• Virus protection – Anti-virus programs typically run automatically in the background and monitor for problems. When a virus is detected, the user is warned and the program attempts to quarantine or delete the virus.
• Spyware protection – Anti-spyware programs scan for keyloggers and other malware so that it can be removed from the computer.
• Adware protection – Anti-adware programs look for programs that display advertising on your computer.
• Phishing protection – Anti-phishing programs block the IP addresses of known phishing websites and warn the user about suspicious websites.

A dangerous form of malicious software that incorporates elements of social engineering is the phishing attack.

NOTE: Malicious software may become embedded in the operating system. Special removal tools are available from the operating system manufacturer to clean the operating system.

16.4 Perform preventive maintenance on security

Several maintenance tasks are necessary to ensure that security is effective. This section covers how to maximize protection by performing updates, backups, and reconfiguration of the operating systems, user accounts, and data.

After completing this section, you will meet these objectives:
• Describe the configuration of operating system updates.
• Maintain accounts.
• Explain data backup procedures, access to backups, and secure physical backup media.

16.4.1 Describe the configuration of operating system updates

An operating system is a likely target of attack because obtaining control of it can provide control of the computer. The compromised computer can then be seized and put to work by criminals. One popular use is to turn targeted computers into spam generators that launch attacking e-mails without the user being able to stop them. A computer compromised in this way is called a "zombie".

Windows XP automatically downloads and installs updates to the operating system by default. However, this may not be the best way to update systems.
The updates may conflict with the security policy of an organization or may conflict with other settings on a computer. Furthermore, a network administrator may wish to test the updates before the updates are distributed to all of the network computers. The following options available in Windows XP give users the ability to control when software is updated:
• Automatic – Downloads and installs updates automatically without user intervention
• Only download updates – Downloads the updates automatically, but the user is required to install them
• Notify me – Notifies the user that updates are available and gives the option to download and install
• Turn off automatic updates – Prevents any checking for updates

If the user is on a dial-up network, the Windows Update setting should be configured to notify the user of available updates, or it should be turned off. The dial-up user may want to control the update by selecting a time when the update does not interrupt other network activity or use the limited resources available.

16.4.2 Maintain accounts

Employees in an organization may require different levels of access to data. For example, a manager and an accountant may be the only employees in an organization with access to the payroll files. Employees can be grouped by job requirements and given access to files according to group permissions. This process helps manage employee access to the network. Temporary accounts can be set up for employees that need short-term access. Close management of network access can help to limit areas of vulnerability that allow a virus or malicious software to enter the network.

Terminating Employee Access

When an employee leaves an organization, access to data and hardware on the network should be terminated immediately.
If the former employee has stored files in a personal space on a server, eliminate access by disabling the account. If at a later time the employee's replacement requires access to the applications and storage space, re-enable the account and change the name to the name of the new employee.

Guest Accounts

Temporary employees and guests may need access to the network. For example, many visitors may require access to e-mail, the Internet, and a printer on the network. These resources can all be made available to a special account called Guest. When guests are present, they can be assigned to the Guest account. When no guests are present, the account can be suspended until the next guest arrives.

Some guest accounts may require extensive access to resources, as in the case of a consultant or a financial auditor. This type of access should be granted only for the period of time required to complete the work.

16.4.3 Explain data backup procedures, access to backups, and secure physical backup media

A data backup stores a copy of the information on a computer to removable backup media that can be kept in a safe place. If the computer hardware fails, the data backup can be restored so that processing can continue. Data backups should be performed on a regular basis. The most current data backup is usually stored offsite to protect the backup media if anything happens to the main facility. Backup media is often reused to save on media costs. Always follow your organization's media rotation guidelines.

Backup operations can be performed at the command line or from a batch file using the NTBACKUP command. The default parameters for NTBACKUP will be the ones set in the Windows backup utility. Any options you want to override must be included in the command line. The NTBACKUP command cannot be used to restore files.
A combination of backup types, as shown in Figure 1, allows the data to be backed up efficiently. A full backup is a copy of all files on the drive. An incremental backup backs up only those files created or changed since the last normal or incremental backup. It marks files as having been backed up. A differential backup copies files created or changed since the last normal or incremental backup, but it does not mark files as having been backed up. Backing up data can take time, so it is preferable to do backups when the network traffic is low. Other types of backups include daily backup and copy backup, which do not mark the files as having been backed up.

The data backup media is just as important as the data on the computer. You should store the backup media in a climate-controlled offsite storage facility with adequate physical security. The backups should be readily available for access in case of an emergency.

Figure 1: Backup Types
• Full or Normal Backup – Archives all selected files
• Incremental Backup – Archives all selected files that have changed since last full or incremental backup
• Differential Backup – Archives all selected files that have changed since last full or incremental backup
• Daily Backup – Archives all selected files that have changed on the day of the backup
• Copy Backup – Archives all selected files

16.5 Troubleshoot security

The troubleshooting process is used to help resolve security issues. These problems range from simple, such as creating a backup, to more complex, such as firewall configuration. Use the troubleshooting steps as a guideline to help you diagnose and repair problems.

After completing this section, you will meet these objectives:
• Review the troubleshooting process.
• Identify common problems and solutions.
• Apply troubleshooting skills.
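An added Python simulation, not part of the course, of the backup types described in 16.4.3 above. It models the archive attribute that Windows sets when a file is created or changed: full and incremental backups clear it (this is what "marks files as having been backed up" means), while differential, daily and copy backups leave it set, which is why a differential backup picks up everything changed since the last full or incremental backup. The file names and the week's schedule are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass
class BackupFile:
    name: str
    modified: date
    archive: bool = True   # archive attribute: set whenever the file is created or changed


class Volume:
    """A drive's files plus the archive attribute that the backup types consult."""

    def __init__(self, files: List[BackupFile]):
        self.files: Dict[str, BackupFile] = {f.name: f for f in files}

    def change(self, name: str, on: date) -> None:
        """Editing a file updates its timestamp and sets the archive attribute."""
        f = self.files[name]
        f.modified = on
        f.archive = True

    def backup(self, kind: str, today: date) -> List[str]:
        """Run one backup of the given type and return the names it archived.
        Full and incremental clear the archive attribute afterwards ("mark files
        as having been backed up"); differential, daily and copy leave it set."""
        if kind in ("full", "copy"):
            selected = list(self.files.values())
        elif kind in ("incremental", "differential"):
            selected = [f for f in self.files.values() if f.archive]
        elif kind == "daily":
            selected = [f for f in self.files.values() if f.modified == today]
        else:
            raise ValueError(f"unknown backup type: {kind}")
        if kind in ("full", "incremental"):
            for f in selected:
                f.archive = False
        return sorted(f.name for f in selected)


# Constructed schedule: (day label, files changed that day, backup type run that night).
WEEK: List[Tuple[str, List[str], str]] = [
    ("Mon", [], "full"),
    ("Tue", ["payroll.xls"], "incremental"),   # archives payroll and clears its attribute
    ("Wed", ["orders.mdb"], "differential"),   # archives orders, attribute stays set
    ("Thu", ["memo.doc"], "differential"),     # archives memo AND orders again
    ("Fri", ["payroll.xls"], "daily"),         # only what changed today
    ("Sat", [], "copy"),                       # everything, nothing marked
    ("Sun", [], "incremental"),                # everything still carrying the attribute
]


def one_week(schedule: List[Tuple[str, List[str], str]]) -> Dict[str, List[str]]:
    """Replay the schedule on a volume of three constructed files and return
    {day: files archived that night} so the marking behaviour can be compared."""
    start = date(2007, 1, 1)
    vol = Volume([BackupFile(n, start) for n in ("payroll.xls", "orders.mdb", "memo.doc")])
    archived: Dict[str, List[str]] = {}
    for offset, (day, changed, kind) in enumerate(schedule):
        today = start + timedelta(days=offset)
        for name in changed:
            vol.change(name, today)
        archived[day] = vol.backup(kind, today)
    return archived
```

The Thursday differential archives orders.mdb a second time because Wednesday's differential did not mark it, and Sunday's incremental still finds all three files, since none of the differential, daily or copy runs cleared anything.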
16.5.1 Review the troubleshooting process

Computer technicians must be able to analyze a security threat and determine the appropriate method to protect assets and repair damage. This process is called troubleshooting.

The first step in the troubleshooting process is to gather data from the customer. Figures 1 and 2 list open-ended and closed-ended questions to ask the customer.

Once you have talked to the customer, you should verify the obvious issues. Figure 3 lists issues that apply to laptops.

After the obvious issues have been verified, try some quick solutions. Figure 4 lists some quick solutions to laptop problems.

If the quick solutions did not correct the problem, it is time to gather data from the computer. Figure 5 shows different ways to gather information about the problem from the laptop.

At this point, you will have enough information to evaluate the problem, research, and implement possible solutions. Figure 6 shows resources for possible solutions.

After you have solved the problem, you will close with the customer. Figure 7 is a list of the tasks required to complete this step.

16.5.2 Identify common problems and solutions

Security problems can be attributed to hardware, software, networks, or some combination of the three. You will resolve some types of security problems more often than others. Figure 1 is a chart of common problems and solutions.

Figure 1: Common Problems and Solutions (problem symptom – possible solution)
• A customer reports that a backup that was started the night before is still going. – Advise the customer to implement a different type of backup that saves time.
• A visiting consultant using a guest account cannot access needed files. – Grant access to the files for the duration of the visit. When the consultant leaves, disable the account.
• A user refuses your request to e-mail you their student ID number and password. – Inform the user that there was no such request. Gather information and warn others against this phishing attack.
• A user can locate a file on the server but cannot download it. – Change the user permissions on this file from read to read and execute.
• A user cannot connect to the network using a wireless router even after the proper security key has been installed. – Verify that the user's MAC address is listed in the MAC address filter table.

16.5.3 Apply troubleshooting skills

Now that you understand the troubleshooting process, it is time to apply your listening and diagnostic skills. The first lab is designed to reinforce your skills with security issues. You will instruct the customer on how to correct a security problem that is preventing connection to the wireless network. The second lab is designed to reinforce your communication and troubleshooting skills. In this lab, you will perform the following steps:
• Receive the work order
• Take the customer through various steps to try and resolve the problem
• Document the problem and the resolution

Lab: Security Problem – Correct a security problem
Lab: Remote Technician Security Problem – Instruct the customer on how to correct a security problem

16.6 Summary

This chapter discussed computer security and why it is important to protect computer equipment, networks, and data. Threats, procedures, and preventive maintenance relating to data and physical security were described to help you keep computer equipment and data safe. Security protects computers, network equipment, and data from loss and physical danger. The following are some of the important concepts to remember from this chapter:
• Security threats can come from inside or outside of an organization.
• Viruses and worms are common threats that attack data.
• Develop and maintain a security plan to protect both data and physical equipment from loss.
• Keep operating systems and applications up to date and secure with patches and service packs.