Security was not a major concern when computers were not networked and the Internet was not as widely used as it is today. Connecting to the Internet exposes your computer, or the entire network, to the outside world. If security measures are not implemented, the computers or the network may be exploited. Security threats come in various forms and can cause loss of connectivity or loss of valuable data. As a PC technician, you are expected to have a good knowledge of basic security concepts. In this section, we will discuss some fundamental security concepts.
In this section, we will study some basic elements of computer security. These topics include authentication technologies and protocols, malicious software, and elements of wireless security.
Authentication is the process of verifying the identity of a person, computer, or application. It is the first point of control over access to a system: before the system can decide what a requester may do (authorization), it must establish who the requester is. For example, if a user wants to access a computer, the identity of the user is usually verified by having the user enter a valid username and password. If the username and password match the ones stored in the security database of the computer, the user is allowed access. This is the authentication process. Depending on the requirements of an organization, one or more authentication mechanisms can be implemented to secure an individual computer or the entire network.
The following sections discuss a number of authentication technologies and protocols used in computer networks.
Almost all operating systems implement a local authentication mechanism in which users log on with a locally created username and password. When the user enters these credentials, the operating system checks them against the local security database. If a match is found, the user is granted access; otherwise, the logon is refused. This is the simplest form of authentication and is easy to implement, but it has limitations: the database holds a secret for every user, so it must store a salted one-way hash of each password rather than the password itself, and the strength of the scheme rests entirely on how well users choose and protect their passwords. Many organizations therefore document and enforce password policies that control how users create and manage their passwords in order to secure network resources.
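The local check described above, as an added example (this code is not from the original page or any operating system): a constructed in-memory "security database" that stores a salted, slow hash of each password rather than the password, and a verification routine that compares in constant time and does the same amount of work for unknown usernames. The usernames, passwords, and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed "local security database" for this example: username -> (salt, verifier).
# A real system keeps this in a protected store (e.g. /etc/shadow or the SAM) and holds a
# salted, slow hash of the password, never the password itself.
ITERATIONS = 200_000
SALT_LEN = 16

def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 verifier. The per-user random salt means two
    users with the same password get different verifiers, defeating precomputed tables."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, verifier

def create_user(db: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> None:
    db[username] = make_verifier(password)

def authenticate(db: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    """Return True only when the username exists and the password reproduces its verifier."""
    record = db.get(username)
    if record is None:
        # Do the same expensive derivation for unknown users so response time does not
        # reveal which usernames exist (user enumeration via timing).
        make_verifier(password, b"\x00" * SALT_LEN)
        return False
    salt, stored = record
    _, candidate = make_verifier(password, salt)
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(stored, candidate)

if __name__ == "__main__":
    db: Dict[str, Tuple[bytes, bytes]] = {}
    create_user(db, "alice", "correct horse battery staple")
    print(authenticate(db, "alice", "correct horse battery staple"))  # True
    print(authenticate(db, "alice", "Password1"))                     # False
    print(authenticate(db, "mallory", "anything"))                    # False
```

The slow derivation (200,000 iterations here) is what limits an attacker who steals the database to a few thousand guesses per second per core instead of billions.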
Biometrics refers to authentication technology that verifies the identity of a user by measuring and analyzing physical or behavioral characteristics. Biometric readers measure fingerprints, scan the iris or retina, or analyze facial geometry; handwriting and voice patterns are also used. A biometric is convenient and cannot be forgotten or lent to a colleague, but it is not a secret: fingerprints are left on everything a person touches, faces and voices can be recorded, and a compromised biometric cannot be changed the way a password can. Readers also make false accept and false reject errors, and some can be fooled by a copy of the trait. Biometrics are therefore most reliable when combined with another factor, such as a PIN or smart card, rather than used alone.
Smart cards contain a small microcontroller that stores data, typically a private key and certificate, used to authenticate the holder of the card. They come in the size of a standard credit or debit card. The chip is designed so that the private key is used inside the card and never leaves it: the card signs or decrypts a challenge on request, and it is normally unlocked with a PIN, so possession of the card alone is not enough. The chips are built to resist tampering and probing, but a stolen card combined with a guessed or observed PIN is still a risk, so lost cards must be revoked promptly.
A security token (also known as an authentication token or a hardware token) is a physical device that generates one-time codes, giving a "something you have" factor that complements a password. In its simplest form, a token system has two parts: a hardware device holding a secret seed that generates a new code at fixed intervals or each time a button is pressed, and a server-side component holding the same seed that computes the expected code and checks the one the user enters. Because each code is valid only briefly and only once, a code seen by an observer is of little use afterwards. The scheme is not unbreakable, however: a code can be relayed by an attacker who tricks the user into entering it on a fake site in real time, and a stolen seed database lets an attacker generate valid codes for every token.
Security tokens are often called key fobs because they are small enough to be carried on a key chain or in a wallet. Some tokens hold cryptographic keys, and some hold biometric data such as the user's fingerprints. Some tokens have a built-in keypad on which the user must enter a personal identification number (PIN) before the token produces a code.
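The two halves of a time-based token as an added example (this code is not from the original page or from any token vendor): the device side computes HOTP (RFC 4226) and TOTP (RFC 6238) codes from a shared seed, and the server side verifies a code with a small clock-drift window and refuses to accept the same period twice. The user name is an assumption; the seed is the published RFC test-vector secret, so the codes can be checked against the RFCs.

```python
import hashlib
import hmac
import struct
from typing import Dict

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second periods elapsed."""
    return hotp(secret, unix_time // step, digits)

class TokenVerifier:
    """The software side: holds each user's seed, tolerates a little clock drift, and remembers
    the last accepted period per user so that a captured code cannot be replayed."""
    def __init__(self, seeds: Dict[str, bytes], step: int = 30, window: int = 1) -> None:
        self.seeds, self.step, self.window = seeds, step, window
        self.last_counter: Dict[str, int] = {}

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        counter = unix_time // self.step
        for offset in range(-self.window, self.window + 1):
            candidate = counter + offset
            if candidate <= self.last_counter.get(user, -1):
                continue  # this period (or an older one) was already used: treat as replay
            if hmac.compare_digest(hotp(seed, candidate), code):
                self.last_counter[user] = candidate
                return True
        return False

# Constructed seed for the example; it is also the RFC 4226 / RFC 6238 test-vector secret.
TEST_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(TEST_SEED, 0), totp(TEST_SEED, 59))            # 755224 287082
    server = TokenVerifier({"alice": TEST_SEED})
    print(server.verify("alice", totp(TEST_SEED, 59), 59))   # True
    print(server.verify("alice", totp(TEST_SEED, 59), 59))   # False: same code replayed
```

The replay check is the part most home-grown verifiers forget: a 30-second code that can be submitted twice is exactly what a real-time phishing relay needs.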
Certificates, or digital certificates, are widely used for Internet-based authentication as well as for authenticating users and computers in network environments where directory services such as Microsoft's Active Directory are implemented. Certificates are part of a public key infrastructure (PKI). A certificate binds a public key to the identity of a user, computer, or service and is digitally signed by a trusted third party known as a Certification Authority or Certificate Authority (CA); in a PKI, CA servers create, store, distribute, validate, and revoke or expire certificates. Examples of commercial CAs are VeriSign and Thawte. It is also common practice to run a CA within an organization to manage certificates for users and systems inside the organization or for trusted business partners. In Windows 2000 and later server operating systems, certificates are used for authenticating users and granting access to Active Directory objects; an internal Windows CA is configured either as an enterprise CA (integrated with Active Directory) or as a standalone CA (not integrated).
Another common use of certificates is software signing. Software is digitally signed to assure the user that it was published by the holder of the signing certificate and has not been tampered with since it was signed. A valid signature does not prove the software is harmless, only that it is unmodified and comes from the named signer, so the signer's identity still has to be checked, and software signed with a revoked or stolen key must be treated as untrusted. Certificates are also used by Internet services to authenticate users and verify their identity.
In authentication, a factor is a piece of evidence presented to prove the identity of a user. In a multifactor authentication mechanism, any of the following types of factors may be combined:
A something you know factor, such as your password or PIN.
A something you have factor, such as your hardware token or a smart card.
A something you are factor, such as your fingerprints, your eye retina, or other biometrics that can be used for identity.
A something you do factor, such as your handwriting or your voice patterns.
Multifactor authentication is considered acceptably secure because an attacker must defeat two or more independent factors to impersonate the user: a stolen password alone is useless without the token, and a stolen token alone is useless without the PIN or password. The factors must come from different categories; two passwords are still a single factor.
The Challenge Handshake Authentication Protocol (CHAP) is widely used for local and remote access authentication, for example over PPP dial-up and VPN links. It was designed to replace the Password Authentication Protocol (PAP), which transmits user credentials in clear text; CHAP never sends the password itself, only a hash that depends on it. CHAP periodically re-verifies the authenticity of the remote user with a three-way handshake even after the communication channel has been established. CHAP authentication involves an authentication server and the client (the peer). The process is carried out as follows:
When the communication link has been established, the authentication server sends a "challenge" message, containing an identifier and a random value, to the peer.
The peer responds with a value calculated by running the identifier, its secret (password), and the challenge through a one-way hash function, Message Digest 5 (MD5).
The authentication server checks the response to ensure that the value is equal to its own calculation of the hash value. If the two values match, the authentication server acknowledges the authentication; otherwise, the connection is terminated.
The authentication server sends the challenge message to the peer at random intervals and repeats steps 1 to 3.
CHAP has drawbacks. Because the server must compute the same hash over the clear-text secret, it cannot work with password databases that store only one-way hashes; the secret has to be stored in clear or reversibly encrypted form. An eavesdropper who captures a challenge and response can also test candidate passwords offline against them, so CHAP is considered a weak authentication protocol that is only as strong as the password. Microsoft has implemented its own version, MS-CHAP, currently in version 2 (MS-CHAPv2); its handshake is built on DES and the NT password hash and can be cracked from a captured exchange, so it should only be used inside a protected tunnel (such as PEAP or an IPsec or TLS VPN), never on its own.
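The three-step exchange above, as an added example (not code from the original page or from any PPP implementation): the peer's MD5 response computed as RFC 1994 specifies, the server's verification, and what a passive eavesdropper can do with the captured challenge and response. The peer name, secret, and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side. The secrets must be kept in clear text (or reversibly encrypted):
    the server has to hash the real secret, so a one-way hashed password database is unusable."""
    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self.secrets = secrets
        self.identifier = 0

    def challenge(self) -> Tuple[int, bytes]:
        # A fresh identifier and random value every time; a repeated challenge would let an
        # eavesdropper replay an old response.
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, os.urandom(16)

    def verify(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self.secrets.get(name)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def offline_dictionary_attack(identifier: int, challenge: bytes, response: bytes,
                              wordlist: Iterable[str]) -> Optional[str]:
    """What an eavesdropper can do: the link is unencrypted, so the captured challenge and
    response let every candidate password be tested offline, at MD5 speed."""
    for word in wordlist:
        if chap_response(identifier, word.encode(), challenge) == response:
            return word
    return None

if __name__ == "__main__":
    server = ChapAuthenticator({"remote-office": b"letmein"})   # constructed peer and secret
    ident, chal = server.challenge()                           # step 1: challenge
    resp = chap_response(ident, b"letmein", chal)              # step 2: peer's response
    print(server.verify("remote-office", ident, chal, resp))   # step 3: True
    print(offline_dictionary_attack(ident, chal, resp, ["password", "letmein", "secret"]))
```

Nothing in the exchange slows the attacker down: one MD5 per guess is all it costs, which is why the protocol is only as strong as the weakest password in the server's clear-text table.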
Kerberos is a cross-platform authentication protocol that provides mutual authentication of users and services over an untrusted network. Kerberos version 5 is the current version and is the default authentication protocol in Active Directory domains on Windows 2000 and later servers. The protocol protects the integrity and confidentiality of authentication data as it crosses the network, and passwords are never transmitted. Kerberos is also widely used on Unix and Linux systems and is supported by network devices such as Cisco IOS routers.
Kerberos is built around a Key Distribution Center (KDC), a network server that holds the long-term keys of all users and services and issues encrypted credentials called tickets. Each ticket carries a timestamp and a lifetime (ten hours by default in Windows); a ticket expires when that lifetime ends, and the client's ticket cache is discarded when the user logs off. The following steps complete the authentication process:
The client proves its identity to the KDC using a key derived from its password (or from a smart card or other credential). The password itself is not sent; the client encrypts a current timestamp with the key, and the KDC checks that it decrypts correctly.
The KDC issues a Ticket Granting Ticket (TGT) to the client together with a session key. The TGT is encrypted with the KDC's own key, so the client cannot read or alter it; it remains valid for the logon session (in Windows it is tied to the user's access token) and is cached locally for reuse while the session is active.
When the client needs to access the resource server, it presents the cached TGT to the KDC. The KDC grants a session ticket to the client.
The client presents the session ticket to the resource server, and the client is granted access to the resources on the resource server.
The TGT remains valid for the whole session. Kerberos is heavily dependent on clock synchronization between clients and servers: the timestamps in tickets and authenticators must fall within the permitted skew (five minutes by default) or the request is rejected, which is why a client whose clock is wrong cannot log on to a domain.
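The four steps above as one added example (this is not code from the original page or from any Kerberos implementation): a toy KDC that performs the AS exchange (pre-authentication with an encrypted timestamp, then TGT plus session key), the TGS exchange (TGT plus authenticator yields a service ticket), and a resource server that performs the AP exchange. The "seal" routine is an assumed stand-in for a real Kerberos encryption type, the principal names and passwords are constructed, and the five-minute skew check shows why a wrong clock stops logon.

```python
import hashlib
import hmac
import json
import os

SKEW = 300  # seconds; the default maximum clock skew in Kerberos V5 and Windows domains

def derive_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key (real implementations use a salted PBKDF2)."""
    return hashlib.sha256(password.encode()).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption (SHA-256 keystream + HMAC-SHA256 tag) standing in for a
    real enctype such as aes256-cts-hmac-sha1-96. For illustration only."""
    nonce = os.urandom(16)
    plaintext = json.dumps(fields).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))

def _check_authenticator(auth: dict, ticket: dict, now: int) -> None:
    # The authenticator proves the presenter holds the session key inside the ticket and
    # must be fresh, which is why clocks have to agree within SKEW.
    if auth["client"] != ticket["client"] or abs(auth["ts"] - now) > SKEW:
        raise PermissionError("authenticator rejected (name mismatch or clock skew too great)")

class KDC:
    """Authentication Service (AS exchange) and Ticket-Granting Service (TGS exchange)."""
    def __init__(self, principals: dict, lifetime: int = 10 * 3600) -> None:
        self.keys = principals            # principal name -> long-term key
        self.krbtgt_key = os.urandom(32)  # only the KDC can read TGTs
        self.lifetime = lifetime

    def as_exchange(self, client: str, preauth: bytes, now: int):
        # Pre-authentication: a timestamp encrypted under the client's password-derived key
        # proves knowledge of the password without ever transmitting it.
        if abs(unseal(self.keys[client], preauth)["ts"] - now) > SKEW:
            raise PermissionError("pre-authentication failed: clock skew too great")
        session = os.urandom(32)
        tgt = seal(self.krbtgt_key, {"client": client, "key": session.hex(), "expires": now + self.lifetime})
        return tgt, seal(self.keys[client], {"key": session.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        ticket = unseal(self.krbtgt_key, tgt)
        if now > ticket["expires"]:
            raise PermissionError("TGT expired")
        session = bytes.fromhex(ticket["key"])
        _check_authenticator(unseal(session, authenticator), ticket, now)
        svc_session = os.urandom(32)
        service_ticket = seal(self.keys[service],
                              {"client": ticket["client"], "key": svc_session.hex(), "expires": now + self.lifetime})
        return service_ticket, seal(session, {"key": svc_session.hex()})

class Service:
    """Resource server (AP exchange): validates the service ticket with its own key."""
    def __init__(self, key: bytes) -> None:
        self.key = key

    def accept(self, service_ticket: bytes, authenticator: bytes, now: int) -> str:
        ticket = unseal(self.key, service_ticket)
        if now > ticket["expires"]:
            raise PermissionError("service ticket expired")
        _check_authenticator(unseal(bytes.fromhex(ticket["key"]), authenticator), ticket, now)
        return ticket["client"]

def logon_and_access(kdc: KDC, svc: Service, client: str, client_key: bytes,
                     service: str, client_now: int, server_now: int) -> str:
    """Client side of all three exchanges. Authenticators carry the client's clock
    (client_now); the KDC and the service check them against their own (server_now)."""
    tgt, enc_session = kdc.as_exchange(client, seal(client_key, {"ts": client_now}), server_now)
    session = bytes.fromhex(unseal(client_key, enc_session)["key"])  # the TGT itself stays opaque
    ticket, enc_svc = kdc.tgs_exchange(tgt, seal(session, {"client": client, "ts": client_now}), service, server_now)
    svc_session = bytes.fromhex(unseal(session, enc_svc)["key"])
    return svc.accept(ticket, seal(svc_session, {"client": client, "ts": client_now}), server_now)

def try_logon(*args) -> str:
    """Run logon_and_access and report the outcome as a string instead of raising."""
    try:
        return "ok:" + logon_and_access(*args)
    except (PermissionError, ValueError) as err:
        return "denied:" + str(err)

if __name__ == "__main__":
    alice_key, fs_key = derive_key("alice-password"), derive_key("fileserver-keytab")  # constructed
    kdc, fileserver = KDC({"alice": alice_key, "host/fileserver": fs_key}), Service(fs_key)
    now = 1_700_000_000
    print(try_logon(kdc, fileserver, "alice", alice_key, "host/fileserver", now, now))
    print(try_logon(kdc, fileserver, "alice", alice_key, "host/fileserver", now + 600, now))
```

Note that the file server never talks to the KDC and never sees Alice's password: the service ticket is readable only with the server's own key, and the authenticator proves the presenter obtained the session key sealed inside it.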
Malicious software or malware are software applications specifically written to launch attacks against individual computers or networks. The basic purpose of malicious software is to gain unauthorized access and cause damage to the system or steal confidential information. Examples of code attacks include viruses, Trojan horses, worms, logic bombs, spyware, and adware. These are discussed in the following paragraphs.
A virus is a self-replicating program that inserts itself into executable files on the computer and spreads using those files. Its payload varies: some viruses merely propagate, while others corrupt or destroy a user's data or critical system files. In order for the virus to work or infect a computer, it must first be loaded into system memory. When the infected executable file is run, the virus code is also executed and can replicate further or run its payload.
A virus must first infect an executable file to run successfully. The infected file is known as the virus host. The infected program must be executed before the virus can spread to infect other parts of the system or data.
The following are different types of viruses:
Boot sector virus: Infects the first sector on the hard disk, which is used for booting or starting up the computer. The boot sector virus becomes active as soon as the computer is started, before the operating system loads.
File (program) virus: Infects an executable file or an application on a computer. The infected file still works, but when the file is run, the virus runs first.
If the infected computer is connected to the network, the virus can travel from one computer to another and can infect every computer on its way. A virus can infect data stored on floppy disks, hard disks, and even on network storage devices.
A Trojan horse (or simply a Trojan) is malicious code hidden inside an apparently legitimate application. The application looks useful, interesting, and harmless to the user until it is executed. Unlike viruses and worms, Trojans do not replicate on their own; they spread because the victim is persuaded to install and run the "interesting software."
Most modern Trojans carry a payload that gathers information about the user; such Trojans fall into the category of spyware and are often delivered through pop-up windows or fake downloads on a user's computer screen. Their aim is to trick the user into executing the application so that the hidden code runs. Some Trojans are written to let the attacker control the user's computer remotely (remote access Trojans, or RATs).
A worm is self-replicating malware that, unlike a virus, does not infect a particular executable or application; it runs as its own process in the active memory of the computer. A worm scans the network for vulnerable hosts and copies itself onto them through those security holes, without any user action. The effects of worms are often not noticed until system or network resources have been consumed by the replication traffic. A common type is the mass-mailing worm, which uses email addresses from a user's address book to send copies of itself.
Spam, or email spam, refers to unsolicited junk mail that fills up your mailbox every day. These messages come from unknown senders and are rarely of any interest or use to the recipient. Spammers harvest email addresses from user forums, newsgroups, web pages, and so on. They also use specially created applications known as spamware to collect email addresses and send messages to them. The sending address is usually forged, so in most cases it cannot be traced by a normal computer user.
Spyware is software that collects information from a computer and sends it to a third party without the permission or knowledge of the user. It runs in the background, so the user does not even know that personal information is being taken. The information may include browsing history, the contents of cookies, keystrokes, and the usernames and passwords used on web sites. The third parties who receive this information use it to target unsolicited advertisements at you or, in the worst case, to take over your accounts.
The term adware is used for software that displays advertisements on your computer. Adware appears as unsolicited pop-up windows on the computer screen. These advertisements appear when the computer is connected to the Internet. Most of these advertisements offer free software, screen savers, or tickets.
A firewall is a hardware device or a software application that sits between the internal network of the organization and the external network and controls the traffic passing between them. A properly configured firewall blocks all unauthorized access to the internal network and can also prevent internal users from reaching potentially harmful external networks or services.
Firewalls can be implemented in the form of dedicated hardware devices or through the use of special software applications. When a computer or a network is protected using software applications, the firewall implementation is known as software firewall. Windows Firewall in Windows XP SP2 is a simple example of software firewall, which can be implemented on personal computers.
The three common firewall technologies are:
Packet-filtering firewalls inspect the header of each IP packet (source and destination addresses, protocol, and port numbers), not its payload, and allow or block the packet based on predefined rules. Each packet is judged on its own; these firewalls keep no memory of earlier packets. They work on one of two basic policies: Allow by Default and Deny by Default. Under Allow by Default, all traffic is allowed to enter the network except what is specifically denied. Under Deny by Default, all traffic entering the firewall is blocked except what is specifically allowed. Deny by Default is considered the best firewall policy, as only authorized traffic is allowed to enter the network on the specified port numbers or IP addresses.
Application layer firewalls are also known as application firewalls or application layer gateways. This technology is more advanced than packet filtering, as it examines the entire packet, including the application data, to allow or deny traffic. Proxy servers use this technology to provide application layer filtering to clients. Inspecting traffic at the application layer of the OSI model lets the firewall understand the protocol being carried (for example, HTTP or SMTP) and, based on configured rules, allow only intended traffic through. One major drawback of application layer firewalls is that they are much slower than packet filters, because every connection is terminated at the firewall, the data is reassembled and inspected against a complex set of rules, and a new connection is made on the client's behalf.
Stateful inspection firewalls actively track the state of the connections passing through them in a connection table. When a packet arrives, it is compared to that table: packets that belong to an established connection that was permitted when it was opened (for example, the replies to a web request from an internal client) are allowed, while packets that match no known connection must satisfy the static rules or are dropped. This removes the main weakness of simple packet filtering, which has to leave high-numbered ports open so that replies can get back in. Because it does not terminate or reconstruct connections, stateful inspection is faster than application layer filtering, although it does not inspect application data the way an application layer firewall does.
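The difference between the stateless and stateful designs above, as an added example (not code from the original page or from any firewall product): a small simulation with deny-by-default rule sets. The stateless filter has to allow all inbound high ports so replies reach internal clients, which also admits an unsolicited inbound RDP connection; the stateful filter admits only replies to connections an inside host opened. Addresses, ports, and rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

INTERNAL_PREFIX = "10.0.0."  # constructed internal network; outside hosts use RFC 5737 ranges

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

# Rule = (direction, protocol, destination-port range or None for any, verdict)
Rule = Tuple[str, str, Optional[Tuple[int, int]], str]

class PacketFilter:
    """Stateless packet filter: every packet is judged on its own header fields.
    Rules are checked in order and the first match wins; otherwise the default applies."""
    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules, self.default = rules, default

    def decide(self, pkt: Packet) -> str:
        direction = "out" if is_internal(pkt.src) else "in"
        for rule_dir, proto, ports, verdict in self.rules:
            if rule_dir != direction or proto != pkt.proto:
                continue
            if ports is None or ports[0] <= pkt.dport <= ports[1]:
                return verdict
        return self.default

class StatefulFilter(PacketFilter):
    """Adds a connection table: an inbound packet is accepted if it is the reply half of a
    connection an inside host opened; anything else must pass the static rules."""
    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        super().__init__(rules, default)
        self.connections = set()

    def decide(self, pkt: Packet) -> str:
        if not is_internal(pkt.src):
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.connections:
                return "allow"
        verdict = super().decide(pkt)
        if verdict == "allow" and is_internal(pkt.src):
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return verdict

# Deny by default. The stateless filter must open all high ports inbound so that replies to
# inside clients get back in, which also lets unsolicited traffic reach, say, RDP on 3389.
STATELESS_RULES: List[Rule] = [
    ("out", "tcp", None, "allow"),
    ("in", "tcp", (25, 25), "allow"),        # inbound mail to the internal mail server
    ("in", "tcp", (1024, 65535), "allow"),   # "replies" to client connections: the hole
]
# The stateful filter needs no such hole: replies are matched against its table.
STATEFUL_RULES: List[Rule] = [
    ("out", "tcp", None, "allow"),
    ("in", "tcp", (25, 25), "allow"),
]

CLIENT_REQUEST = Packet("10.0.0.7", 50000, "198.51.100.10", 443)
SERVER_REPLY = Packet("198.51.100.10", 443, "10.0.0.7", 50000)
ATTACKER_RDP = Packet("203.0.113.5", 40000, "10.0.0.7", 3389)

def compare() -> dict:
    """Verdicts for (client request, its reply, unsolicited RDP) under each design."""
    filters = (("stateless", PacketFilter(STATELESS_RULES)), ("stateful", StatefulFilter(STATEFUL_RULES)))
    return {name: [f.decide(p) for p in (CLIENT_REQUEST, SERVER_REPLY, ATTACKER_RDP)] for name, f in filters}

if __name__ == "__main__":
    print(compare())  # {'stateless': ['allow', 'allow', 'allow'], 'stateful': ['allow', 'allow', 'deny']}
```

Order matters in the stateful version: the reply is only recognized because the outbound request was seen first and recorded; a packet claiming to be a reply to a connection that was never opened is judged by the static rules and dropped.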
Windows operating systems provide file- and folder-level security through the NT File System (NTFS), and files can also be stored in encrypted form with the Encrypting File System (EFS). To keep tight control over access to shared resources, Windows lets you configure two types of permissions: share permissions and NTFS permissions. Share permissions apply only when a folder is accessed over the network and form an outer layer of control, while NTFS permissions apply both locally and over the network and provide more granular control of file and folder access. When both apply, the effective permission is the more restrictive of the two. The standard NTFS permissions are listed next.
Full Control: Grants the user all rights on the resource, including changing permissions and taking ownership.
Modify: Allows a user to read, write, execute, and delete the file or folder.
Read & Execute: Allows a user to read the file and execute (run) it.
List Folder Contents: Allows the user to list the files and subfolders inside a folder.
Read: Allows a user to read a file and view its attributes and permissions.
Write: Allows a user to create files in a folder and write data to files.
Wireless networks rely on radio frequencies to communicate instead of the network cabling used for normal computer networks. Radio frequencies create electromagnetic (EM) fields, which become the medium to transfer signals from one computer to another. Wireless networks are also prone to malicious attacks if they are not properly secured. This section covers a brief discussion of different mechanisms that can be used to protect computers using wireless networking.
Wireless networks defined in IEEE 802.11 standards use radio frequencies with spread spectrum technology. The two spread spectrum technologies are as follows:
Frequency Hopping Spread Spectrum (FHSS): This is the method of transmitting RF signals by rapidly switching frequencies according to a pseudorandom pattern known to both the sender and the receiver. FHSS hops across the whole 83.5 MHz width of the 2.4 GHz band and is highly resistant to noise and interference.
Direct Sequence Spread Spectrum (DSSS): This is a modulation technique that spreads the signal over a wide band of frequency. It divides the signal into smaller parts and transmits them simultaneously across the band. DSSS supports higher data rates than FHSS in 802.11 networks (up to 11 Mbps in 802.11b) and is robust against interference, but spreading the signal is not a security measure: any 802.11 receiver can demodulate it, so confidentiality must come from encryption. It utilizes the frequency range of 2.4 GHz to 2.4835 GHz and is used in 802.11b networks.
The most popular of the IEEE 802.11 wireless network standards are 802.11b, 802.11a, and 802.11g. Security enhancements for these protocols are defined in the 802.11i standard (implemented commercially as WPA2).
Wireless authentication is implemented in one of the following methods:
Open system authentication: This is actually not authentication at all. Every computer trying to connect to the wireless network is granted a connection.
Shared key authentication: This method requires every wireless client to know the shared secret (WEP) key. The access point and all wireless clients must use the same shared secret key. The access point sends a clear-text challenge and the client returns it encrypted with the key, which hands anyone listening a matching plaintext and ciphertext pair, so this method is actually weaker than open authentication combined with encryption.
IEEE 802.1X with EAP: This method uses an authentication server (typically RADIUS) and an Extensible Authentication Protocol method such as EAP-TLS or PEAP to provide strong, per-user authentication and per-session keys.
Preshared key (WPA-PSK): This method can be used for smaller home or office networks that cannot implement the IEEE 802.1X authentication mechanisms. The preshared key is derived from a passphrase of 8 to 63 characters; it should be long and contain upper- and lowercase letters and numbers, because a short passphrase can be recovered by an offline dictionary attack against a captured handshake.
WEP was the original security standard for 802.11 wireless networks and is designed to provide privacy in transmissions between the AP and the wireless client. It uses shared key authentication and encrypts wireless transmissions with a key shared by all stations. Up to four different keys can be defined on the AP and the client, and these keys can be rotated. WEP encryption uses either 40-bit or 104-bit secret keys (commonly marketed as 64-bit and 128-bit, counting the 24-bit initialization vector). When WEP is enabled on the AP and the wireless clients, the encryption keys and the SSID must match on both ends. WEP is easy to implement because the administrator or the user can define the keys; it is also easy to break, which is why 802.11i replaced it.
WEP uses the CRC-32 checksum for data integrity, and privacy relies on the RC4 encryption algorithm. RC4 is a stream cipher, and both the AP and the client encrypt and decrypt messages using the known preshared key. The sender runs the plain-text message through the integrity check algorithm (CRC-32) to produce the integrity check value (ICV), which is appended to the plain text. A 24-bit initialization vector (IV) is prepended to the secret key to form the per-packet RC4 key, and the IV is transmitted in the clear at the start of the frame. The IV is meant to change with every packet so that no two packets use the same keystream, but with only 2^24 possible values a busy network repeats IVs within hours, and two packets encrypted with the same keystream leak each other's plaintext. CRC-32 is a linear checksum rather than a keyed integrity check, so an attacker can flip bits in a frame and correct the ICV without knowing the key, and weaknesses in the way RC4 is keyed from IV plus secret allow the secret key itself to be recovered from enough captured packets.
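The frame format above and the two flaws that follow from it, as an added example (this is not code from the original page or from any wireless driver): a WEP frame is built exactly as described (IV, then RC4 over plaintext plus CRC-32), then one frame is altered without the key by exploiting the linearity of CRC-32, and a second frame sent under the same IV is read without the key by cancelling the shared keystream. The key, IV, and frame contents are constructed for the example.

```python
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, in clear) || RC4(IV || key) XOR (plaintext || CRC-32)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, ciphertext = frame[:3], frame[3:]
    body = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    plaintext, received_icv = body[:-4], body[-4:]
    if received_icv != icv(plaintext):
        raise ValueError("ICV check failed")
    return plaintext

def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attack 1, no key needed. CRC-32 is linear: crc(p ^ d) = crc(p) ^ crc(d) ^ crc(zeros).
    XOR `delta` into the ciphertext and the matching correction into the encrypted ICV, and
    the receiver's integrity check still passes."""
    iv, ciphertext = frame[:3], frame[3:]
    n = len(ciphertext) - 4
    delta = delta[:n].ljust(n, b"\x00")
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(ciphertext, delta + icv_delta)

def keystream_reuse(frame_a: bytes, known_plaintext_a: bytes, frame_b: bytes) -> bytes:
    """Attack 2, no key needed. Frames under the same IV share a keystream, so
    c_a ^ c_b = p_a ^ p_b, and knowing p_a reveals p_b for as many bytes as both frames share."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    body_a = known_plaintext_a + icv(known_plaintext_a)
    n = min(len(frame_a), len(frame_b)) - 3
    return xor(xor(frame_a[3:3 + n], frame_b[3:3 + n]), body_a[:n])

KEY = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
IV = b"\x00\x00\x01"                # constructed IV; a real AP will reuse it within hours
PT_A = b"GET /balance?acct=1111 HTTP/1.0"

if __name__ == "__main__":
    frame = wep_encrypt(KEY, IV, PT_A)
    print(wep_decrypt(KEY, frame) == PT_A)                      # True
    # Change "1111" (bytes 18..21) to "2222": '1' ^ '2' == 0x03, without knowing KEY.
    forged = flip_bits(frame, b"\x00" * 18 + b"\x03" * 4)
    print(wep_decrypt(KEY, forged))                             # b'GET /balance?acct=2222 HTTP/1.0'
    frame_b = wep_encrypt(KEY, IV, b"POST /pay?to=9999&amt=500")
    print(keystream_reuse(frame, PT_A, frame_b)[:25])           # b'POST /pay?to=9999&amt=500'
```

Both attacks work against any stream cipher combined with an unkeyed linear checksum; the fixes in 802.11i were a keyed integrity code (Michael in TKIP, CBC-MAC in CCMP) and per-packet keys that cannot repeat.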
WTLS is designed to provide transport security for WAP devices. WTLS is based on the Transport Layer Security (TLS) protocol, which is itself a derivative of Secure Sockets Layer (SSL). WTLS provides confidentiality, integrity, and authentication between the WAP client and the WAP gateway; it is not end-to-end, because the gateway decrypts WTLS traffic and re-encrypts it with TLS toward the web server, so the gateway must be trusted. WTLS works for applications that run on devices with limited processing power, low bandwidth, and limited memory. WTLS uses a compressed certificate format that follows the X.509v3 standard but defines a smaller data structure.
It is important that steps are taken to protect wireless networks from potential outside threats and attacks. Some of the protective measures are listed here:
Administrators should keep their software and hardware updated by regularly checking for updates on vendors' web sites.
When installing a wireless network, the default settings of the AP, such as the SSID, should be changed. Hackers usually know the default settings of devices.
Encryption should always be enabled, using the strongest method the equipment supports (WPA2 where available). If WEP is the only option, even 40-bit WEP is better than no encryption at all: WEP can be cracked in minutes with freely available tools, but it still stops casual eavesdropping by amateurs.
Wherever possible, wireless adapters and AP devices should support 128-bit WEP (or, better, WPA/WPA2), MAC filtering, and disabling of SSID broadcasts. MAC filtering and hidden SSIDs are obstacles, not protection: an attacker with a wireless sniffer can read permitted MAC addresses and the SSID from the air and spoof them.
If SSID broadcasts are not disabled on APs, do not rely on a DHCP server handing out addresses to wireless clients to keep the internal addressing scheme private. Wardriving software that finds the network can also observe the addresses in use, so the addressing scheme should not be treated as a secret in any case.
Static WEP keys should be frequently rotated so that they are not compromised.
Place the wireless networks in a separate network segment. If possible, create a separate perimeter network (also known as a Wireless Demilitarized Zone) for the wireless network that is separate from the main network of the organization.
Conduct regular site surveys to detect the presence of rogue APs near your wireless network.
Placement of the AP is critical for wireless security. Place APs in the center of the building and avoid placing them near windows and doors.
Data security refers to securing critical user and system data using authentication mechanisms, encryption, and access control. A number of methods can be implemented to ensure security of critical data stored on computers. Some of these methods are listed in the following sections.
Access to data must be granted only to authorized employees of the organization. The following are some of the important considerations when setting access control:
Files and folders should be secured using appropriate NTFS permissions.
Local security policies such as the right to Log On Locally and Access This Computer From Network should be defined on computers to restrict access.
Users who need not access or work on critical or confidential files should not be allowed to access them.
Access to critical data files should be audited.
Use of floppy disks or CD/DVD discs to copy data should be prohibited.
Data backup is one of the fundamental elements of ensuring data security in the event of a disaster. Backed-up data is copied to another media such as magnetic tapes or compact disks (CDs or DVDs), which are safely and securely stored at an offsite location. Commonly used backup methods include the following:
Full backup: This method backs up all the data in a single backup job. The backed-up data includes system files, applications, and all user data on a computer. A full backup clears the archive bit on each file to indicate that it has been backed up. It takes the longest to complete, but the data can be restored fastest, as only a single backup set is required.
Incremental backup: This method backs up all the data that has changed since the last full or incremental backup. It uses the archive bits and clears them after the backup process is complete. It takes the least amount of time to complete but is the slowest method when data needs to be restored: the last full backup tape and every incremental tape taken since the full backup are required, in order, to completely restore the data.
Differential backup: This method backs up all the data that has changed since the last full backup. It does not clear the archive bits and thus does not disturb any scheduled incremental backups. Because it leaves the bits set, if a differential backup is taken more than once after a full backup, the later differential tapes contain the earlier ones' data again. When restoring data, only the last full backup tape and the latest differential backup tape are required, so it is faster to restore than an incremental scheme.
Most organizations implement a mix of one or more backup types to create weekly, monthly, and yearly backup plans. Depending on the requirements of an organization and the amount of data to be backed up, different organizations may adopt different backup schemes. One of the commonly used backup methods is to use a combination of full backup on weekends and incremental backups on weekdays.
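The archive-bit behaviour that separates the three backup types, as an added example (this is not code from the original page or from any backup product): a simulated week with a Sunday full backup and one daily job of the chosen scheme after a file changes each day, showing what each job copies, which tapes a restore needs, and that the restore reproduces the live state. File names and the schedule are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class File:
    name: str
    version: int = 1
    archive: bool = True  # the file system sets this bit whenever the file is written

Snapshot = Dict[str, int]  # file name -> version captured on the backup media

def modify(files: Dict[str, File], name: str) -> None:
    files[name].version += 1
    files[name].archive = True

def full_backup(files: Dict[str, File]) -> Snapshot:
    snap = {f.name: f.version for f in files.values()}
    for f in files.values():
        f.archive = False        # full backup clears the bit on everything
    return snap

def incremental_backup(files: Dict[str, File]) -> Snapshot:
    snap = {f.name: f.version for f in files.values() if f.archive}
    for f in files.values():
        f.archive = False        # clears the bit: the next incremental starts from here
    return snap

def differential_backup(files: Dict[str, File]) -> Snapshot:
    # Leaves the bit set, so every differential since the full backup copies the same files again
    return {f.name: f.version for f in files.values() if f.archive}

def restore(*sets: Snapshot) -> Snapshot:
    """Apply backup sets oldest to newest; later versions overwrite earlier ones."""
    result: Snapshot = {}
    for s in sets:
        result.update(s)
    return result

def simulate_week(scheme: str) -> Tuple[List[Tuple[str, Snapshot]], Snapshot, Snapshot]:
    """Sunday full backup, then one daily job of `scheme` after a change each day.
    Returns (what each job copied, what a restore yields, the live state it must match)."""
    job = {"incremental": incremental_backup, "differential": differential_backup}[scheme]
    files = {n: File(n) for n in ("payroll.xls", "notes.txt", "config.ini")}  # constructed data
    history = [("Sun full", full_backup(files))]
    modify(files, "payroll.xls")
    history.append(("Mon " + scheme, job(files)))
    modify(files, "notes.txt")
    history.append(("Tue " + scheme, job(files)))
    if scheme == "incremental":
        needed = [snap for _, snap in history]       # full + every incremental, in order
    else:
        needed = [history[0][1], history[-1][1]]     # full + the latest differential only
    live = {n: f.version for n, f in files.items()}
    return history, restore(*needed), live

if __name__ == "__main__":
    for scheme in ("incremental", "differential"):
        history, restored, live = simulate_week(scheme)
        print(scheme, [(day, sorted(snap)) for day, snap in history], restored == live)
```

The scheme that mixes both (say, a differential on Monday and an incremental on Tuesday) is where mistakes happen: the Monday job left the bits set, so the Tuesday incremental copies Monday's change again and then clears them, and a restore that skips the Tuesday tape silently loses data.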
Encryption is the process of encoding a message with a cryptographic algorithm so that it cannot be read unless it is decrypted. Encryption converts readable plain text into ciphertext. It protects locally stored data as well as data transmitted over network media from one computer to another, keeping it secure from unauthorized users and professional hackers. Cryptographic algorithms lay the foundation for security mechanisms such as confidentiality, authentication, digital signatures, and public key cryptography. An encryption algorithm uses a key, a secret value generated at random, to transform messages; only those who possess the right key can decrypt them (and, with symmetric algorithms, encrypt them). Cryptographic algorithms fall into the following main categories:
Symmetric algorithms, or symmetric key algorithms, use one key for both encryption and decryption of messages. The sender and the receiver each keep a copy of the secret key. The process is also known as secret key encryption or shared secret encryption; CompTIA refers to this mechanism as Private Key Encryption. Some of the well-known symmetric algorithms are Data Encryption Standard (DES), 3DES, Advanced Encryption Standard (AES), and International Data Encryption Algorithm (IDEA). DES, with its 56-bit key, can be brute-forced with modern hardware and should not be used for new systems; AES is the current standard.
Asymmetric algorithms are used for public key cryptography. They use a pair of mathematically related keys: data encrypted with the public key can be decrypted only with the matching private key, and a signature made with the private key can be verified by anyone holding the public key. The public key can be freely distributed, but the private key must be held in strict confidence. RSA and ElGamal are examples of asymmetric encryption algorithms; Diffie-Hellman is an asymmetric key agreement algorithm that lets two parties establish a shared secret key over an insecure channel. Asymmetric operations are slow, so in practice they are used to exchange or protect a symmetric key that then encrypts the bulk of the data.
A hashing algorithm (also called a hash function) computes a small, fixed-length "fingerprint" from data of any size. This fingerprint is known as the hash value or message digest and is usually displayed as a string of hexadecimal digits. If the original data changes even by one bit, the hash function produces a completely different hash value, so the receiver will know that the data has changed. Hashing is a one-way process because it is computationally infeasible to recover the original text from its hash; this is why hash functions are also called one-way hash functions. Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1) are well-known examples, but both have practical collision attacks and should not be relied on for integrity checks or signatures; the SHA-2 family (for example, SHA-256) is the current recommendation.
Data migration is the process of transferring data from one operating system platform to another or from one database application to another, converting it from one format to another in the process. Data migration also refers to the transfer of data from one computer to another or from one partition of the hard disk to another partition. The process is typically performed after a full backup of the data so that, if the data becomes unavailable or is accidentally destroyed during migration, a working copy can be restored from the backup set. When the data has been successfully migrated, administrators may need to reconfigure access control permissions. Data migration is a common occurrence when organizations upgrade their operating systems or move from one OS platform to another.
Data remnant removal refers to the secure destruction of data on unused disks and other storage media such as magnetic tapes, floppy disks, and CD/DVD discs. It is required when old systems are replaced or old media is retired. Secure destruction ensures that data on old media does not fall into the wrong hands and cannot be misused by a third party. One common method for magnetic media is degaussing. Note that simply formatting a disk or deleting files does not remove the data; it only removes the file system's references to it, and the contents can be recovered with ordinary tools. Hard disks must be overwritten with a wiping utility, degaussed, or physically destroyed before they are discarded.
A password management policy describes how users should create, use, and change their passwords. A password is the user's key to gaining access to the organization's resources stored on computers. Without having a sound password policy, employees may make their passwords weak or disclose their passwords to unauthorized people. Professional hackers may exploit an organization's confidential resources by guessing insecure passwords. Password policies include the following essential elements:
Use of blank passwords should not be allowed for any employee.
Passwords should have at least eight characters.
A password should be made up of a combination of upper- and lowercase letters, special characters, and numbers.
Employees should be required to change their passwords at a reasonable interval, and immediately whenever a password may have been exposed. (Current guidance such as NIST SP 800-63B no longer recommends forced periodic changes for their own sake, because they push users toward predictable variations; changing a password on evidence of compromise matters more.)
Employees should not be allowed to reuse their old passwords for a certain amount of time.
Administrators should use normal user accounts when not performing any administrative tasks. Only designated IT employees should have administrative privileges.
Passwords should be longer and stronger to prevent brute force or dictionary attacks. Password policies can be enforced through operating systems.
Physical security refers to physically securing servers and desktops in a network. Some of the common methods used to ensure physical security are listed here:
Users should be educated to keep their workstations locked when not in use. For example, when a user has to go out for lunch, she should lock her workstation so that any unauthorized person may not get access to data stored on the computer. Additionally, users can configure screensaver passwords to protect their desktops.
Most organizations keep the critical servers and network equipment in a locked room, and unauthorized access is denied. Server rooms should be locked and equipped with alarm systems. Logbooks should be maintained for entries to the secure room. All equipment should be locked down with strong passwords. If some outsiders need to work inside secure rooms, an employee of the organization must remain with them all the time.
Security incidents can be disastrous for an organization. They can cause disruptions in network services, failure of one or more systems, or failure of the entire network, and an organization can lose confidential and valuable data through a security breach. If there is a security breach in the network or the network is under attack from an outsider, there should be a plan to handle the incident promptly. Incident reporting refers to the method of informing management or another responsible employee of the organization as soon as an incident is detected. If the incident is about to occur or is in progress, management can take immediate action to limit the damage. If the organization has an incident response policy, it should be followed. Any evidence should be secured and preserved, with a record of who handled it and when, so that it remains usable in a later investigation. Some organizations contract third-party organizations to investigate security-related incidents.
Social engineering is the process of obtaining personal or confidential information, or information about an organization, by gaining an individual's trust. The so-called "social engineer" typically tricks the victim over the telephone or on the Internet into revealing sensitive information about the organization, often by posing as a colleague, a help-desk technician, or a vendor. Unfortunately, no technical configuration of systems or networks can protect an organization from social engineering; there is no firewall that can stop an attack that results from it. The best protection against social engineering is to train users in the organization's security policies, including never disclosing passwords over the phone or by e-mail and verifying a caller's identity before acting on a request.
Security should be implemented in such a way that it secures system and network resources. It should not become a problem for users who need to perform their everyday jobs on computers. Users should be able to access system and network resources with convenience but should be restricted from accessing confidential data of the organization. The following sections outline some of the common security-related problems and methods of performing regular preventive maintenance tasks for ensuring a secure working environment.
The following sections provide a summary of some common security-related problems:
The BIOS in a computer can be protected with a password. A user who does not know the password cannot enter the BIOS setup program and change settings such as the boot order. Note that a BIOS password only stops casual tampering: anyone who can open the case can usually clear it by resetting the CMOS, which is one more reason to physically secure the machine.
Smart cards are used to authenticate users. Problems with smart cards appear when the card is damaged or worn out, or when a lost or stolen card is used by an unauthorized person. This is why a smart card is normally combined with a PIN, and why lost or stolen cards must be reported and revoked promptly.
Biometric devices use human characteristics, such as a fingerprint, to verify the identity of a person. A biometric device should reject an unauthorized person who tries to gain access to a secure system, but every biometric system has a false-acceptance rate and a false-rejection rate, so it is commonly combined with another factor such as a card or PIN.
Malicious software may destroy or corrupt data on a user's computer, steal personal information, or give an attacker control of the computer. If an antivirus application is installed, it should detect known malicious software, provided that its virus signatures are up to date; it cannot be expected to detect malware for which no signature exists yet.
Filesystem problems result from incorrectly set NTFS permissions. In some cases, unauthorized users gain access to data they are not supposed to see. In other cases, authorized users complain that they cannot access data they should normally be allowed to use. Remember that an explicit Deny entry takes precedence over Allow entries, so a Deny applied to a group the user belongs to is a common cause of the second problem, and overly broad permissions granted to a group such as Everyone or Users are a common cause of the first.
Backup problems result from a system's inability to access the backup media, from bad media, or from an incomplete backup process. The only reliable way to confirm that a backup is usable is to perform regular test restores and verify that the restored data is complete and intact.
Problems that appear after data migration usually stem from permissions that differ between the source and target computers, for example because the copy tool did not preserve NTFS permissions, or because the target belongs to a different domain in which the original security identifiers are unknown.
Some of the important preventive maintenance procedures for computer security include installation of antivirus software, keeping the applications and operating system updated, securing network devices, configuring auditing and logging, and educating users. The following is a summary of these procedures.
Every computer in a network should have antivirus software installed. This software continuously monitors the computer for viruses and other malicious software, which helps with early detection and removal of malicious code. Antivirus applications use virus signatures to detect the presence of malicious code. As new malware appears, the vendors of antivirus applications update the signatures for their products, and administrators should ensure that these signature updates are applied regularly, preferably automatically.
Manufacturers of operating systems such as Microsoft, Novell, and others keep updating their operating systems and applications. These updates are known as software updates and are available free of charge for download from the manufacturers' web sites. Not every update is required on every computer: some updates add a new feature to an application, and others fix a security vulnerability. Operating system updates fall into the following categories:
A hotfix is a small piece of software that addresses a specific problem with the operating system. Hotfixes are generally released as soon as the manufacturer discovers a serious issue. Test hotfixes on nonproduction desktops before installing them on production systems; in rare cases, hotfixes have introduced new problems, including security holes, on critical servers.
A patch is released to address a small problem in an application or an OS without waiting for the next larger release. Most patches are security-related, but they also address other problems, such as compatibility issues or the malfunctioning of a particular component of the OS.
A service pack is a collection of hotfixes and updates released by the manufacturer of the OS or NOS. Manufacturers usually test service packs on a variety of hardware platforms and check their compatibility with various applications. As with updates and hotfixes, service packs must be fully tested on nonproduction servers before they are installed on production servers.
Software applications should be kept updated with the latest patches or hotfixes. These updates are usually available free of cost from the vendors' web sites.
Auditing is the process of tracking or monitoring the activities of users and services. It allows administrators to keep an eye on malicious activity by internal users as well as by outside attackers. For example, the Object Access audit policy can reveal which users have tried and failed to open confidential data files, and which succeeded. Audit entries are written to log files (on Windows, the Security event log). Log files should be checked regularly, and preferably automatically, to detect potential problem areas with system, network, or data access; an audit log that nobody reads provides no protection.
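To show what regular log review can look like when it is automated, here is an added Python example (not from the original text) that parses a constructed, simplified sample of Object Access audit entries and reports accounts with repeated access denials on the same object, as well as activity outside working hours. The account names, file paths, working-hours window and line layout are assumptions for the example; the event ID 4656 ("a handle to an object was requested") is the one Windows logs under Object Access auditing, but a real Security log spreads the same information over many more fields than the six used here.

```python
import re
from collections import Counter

# Constructed sample of Object Access audit entries in a simplified layout
# (date, time, event ID, outcome, account, object). The accounts, paths and
# layout are assumptions for this example; a real Windows Security log carries
# the same information across many more fields. The last line is deliberately
# damaged to show that unparseable entries are skipped, not fatal.
SAMPLE_LOG = r"""
2008-03-11 08:02:13 4656 Success jsmith \\FS1\Finance\budget.xls
2008-03-11 08:02:40 4656 Failure jsmith \\FS1\HR\salaries.xls
2008-03-11 08:02:47 4656 Failure jsmith \\FS1\HR\salaries.xls
2008-03-11 08:03:05 4656 Failure jsmith \\FS1\HR\reviews.doc
2008-03-11 09:15:22 4656 Success mlee \\FS1\HR\salaries.xls
2008-03-11 09:20:01 4656 Failure mlee \\FS1\Finance\budget.xls
2008-03-11 23:41:09 4656 Failure tkim \\FS1\HR\salaries.xls
2008-03-11 23:41:12 4656 Failure tkim \\FS1\HR\salaries.xls
2008-03-11 23:41:15 4656 Failure tkim \\FS1\HR\salaries.xls
2008-03-11 23:41:20 4656 Failure tkim \\FS1\HR\salaries.xls
this line is damaged and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<event_id>\d+) (?P<outcome>Success|Failure) (?P<user>\S+) (?P<obj>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts, skipping lines that do not match the layout."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def failures_by_user(events):
    """How many access attempts each account had denied."""
    return Counter(e["user"] for e in events if e["outcome"] == "Failure")


def repeated_failures(events, threshold=3):
    """Accounts denied the same object at least `threshold` times.

    One denial is usually a mistake or a misconfigured permission; several
    denials of the same file in quick succession look like someone probing
    for data they are not supposed to reach."""
    per_pair = Counter((e["user"], e["obj"])
                       for e in events if e["outcome"] == "Failure")
    return sorted((user, obj, n)
                  for (user, obj), n in per_pair.items() if n >= threshold)


def after_hours(events, start=7, end=19):
    """Events outside the assumed working window (07:00 to 19:00), successful or not."""
    return [e for e in events if not start <= int(e["time"][:2]) < end]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("denied attempts per account:", dict(failures_by_user(events)))
    for user, obj, n in repeated_failures(events):
        print(f"ALERT {user} denied {n} times on {obj}")
    for e in after_hours(events):
        print("after hours:", e["time"], e["user"], e["outcome"], e["obj"])
```

On the sample, only tkim crosses the repeated-failure threshold, and all of that account's attempts fall after hours; jsmith's three denials are spread over two files and would normally be a permissions question for the help desk rather than a security incident. The thresholds are starting points; tune them to what is normal on the network being monitored.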
As with operating systems and applications, network devices also need the latest device drivers and firmware updates and a proper configuration. An improperly configured router can expose the entire network and its critical servers to outside attackers. The default configurations of many network devices, including their default usernames and passwords, are publicly documented and well known to attackers. Administrators should change all default passwords, disable or rename default accounts, and turn off management services that are not needed, so that attackers cannot use these defaults to launch attacks against the corporate network.
Security policies in an organization ensure that everyone follows the same set of rules for computer and data security. In large networks, security policies are usually implemented using Group Policies. Procedures ensure that the policies are followed as required, and administrators can use auditing to verify that the policies are being followed as expected.
Perhaps the most important aspect of effectively implementing security policies in a network is to train and educate users about the importance of computer security to the organization. For example, there is no use implementing a strong password policy if users write their username or password on a piece of paper and stick it to their monitors. Users should know how important the security of the organization's data is to conducting its business. They should be trained to secure their individual workstations, applications, and data.