Technology & Computing (Teknologi & Perkomputeran)
FOR SECURITY BASIC BEGINNER
Authors (Penulis): Ku Siti Aishah bt Ku Ab Hamid, Hazila binti Hasan, Noormadinah binti Alias
Table of Contents
CHAPTER 1 Information Security: Goals of Security; Attacker vs Hacker; Threats; Types of Security Attacks; Tools in Information Security; Access to Data and Equipment; Exercise
CHAPTER 2 Security Policy: Security Policy Requirements; Security Policy Scope; File and Folder Permissions; Security Procedures; Exercise; Practical Task
Preface
This e-book is a reference book for polytechnic students who want to gain a better understanding of information security. Its objective is to make the concepts of information security easy for students to understand. The e-book offers tutorials and a simple view of security practices while still contributing technical knowledge relating to security. As we move towards a world without borders, security becomes a growing concern that everyone must deal with, whether they are highly competent computer users or not. These risks vary in severity and should always be dealt with accordingly. This e-book therefore aims to educate students on security practices and the standards that exist, and its tutorials and practical tasks are intended to enhance students' understanding.
YOU WILL NEVER BE SAFE UNTIL EVERYONE IS SAFE, BECAUSE IT'S ALL ABOUT TEAMMATES
Chapter 1: Information Security
INFORMATION SECURITY
WHAT IS INFORMATION SECURITY?
Definition 1: The term information security is frequently used to describe the tasks of securing information that is in a digital format. It refers to the protection of information and information resources from unauthorized access, attacks, theft, or damage. The goal of information security is to ensure that protective measures are properly implemented to defend against attacks and to prevent the total collapse of the system when a successful attack does occur. Every bit of data that is used, shared, or transmitted must be protected to minimize the risks and other consequences of losing important data.
Definition 2: Information security may be defined as that which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information, through products, people, and procedures.
GOALS OF SECURITY
Information security is intended to protect information that provides value to people and organizations. The term "information security" can also be defined as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
Confidentiality
Integrity
Availability
CONFIDENTIALITY
Confidentiality ensures that only authorized parties can view the information. Data confidentiality implies keeping data private. This privacy could entail physically or logically restricting access to sensitive data or encrypting traffic traversing a network. Providing confidentiality can involve several different security tools, ranging from software to "scramble" (encrypt) the credit card numbers stored on a web server to door locks that prevent physical access to those servers. A network that provides confidentiality would do the following, as a few examples:
1. Use network security mechanisms (for example, firewalls and access control lists [ACLs]) to prevent unauthorized access to network resources.
2. Require appropriate credentials (for example, usernames and passwords) to access specific network resources.
3. Encrypt traffic so that an attacker cannot decipher any traffic captured from the network.
INTEGRITY
Integrity ensures that the information is correct and that no unauthorized person or malicious software has altered the data. It means guarding against improper information modification or destruction, and it includes ensuring information authenticity. Data integrity ensures that data has not been modified in transit (or while stored). A data integrity solution might also perform origin authentication to verify that traffic is originating from the source that should be sending it. In the example of an online purchase, an attacker who could change the amount of a purchase from RM10,000.00 to RM1.00 would violate the integrity of the information. Other examples of integrity violations include:
1. Modifying the appearance of a corporate website
2. Intercepting and altering an e-commerce transaction
3. Modifying financial records that are stored electronically
AVAILABILITY
Availability ensures timely and reliable access to and use of information, and that data is accessible to authorized users when they need it. This means that information cannot be "locked up" so tightly that no one can access it. The availability of data is a measure of the data's accessibility. For example, if a server were down only five minutes per year, it would have an availability of about 99.999 percent (that is, "five nines" of availability). Availability is typically maintained through redundancy, fault tolerance and patching. Here are a couple of examples of how an attacker could attempt to compromise the availability of a network:
1. Send improperly formatted data to a networked device, resulting in an unhandled exception that crashes the service.
2. Flood a network system with an excessive amount of traffic or requests. This consumes the system's processing resources and prevents it from responding to legitimate requests. This type of attack is called a denial-of-service (DoS) attack.
ATTACKER VS HACKER
ATTACKER
An attacker is someone who gains unauthorized access to someone else's network and computers for malicious purposes. An attacker probes for vulnerabilities but, unlike a hacker, exploits them without permission and without warning the organization. Attackers are people or other entities, such as computer programs, that attempt to cause harm (destroy, expose, alter, disable, steal, or gain unauthorized access) to an information system. This can be for monetary gain, as in ransomware attacks or cryptojacking.
HACKER
Hackers can be divided into three groups: white hats, black hats, and grey hats. Ethical hackers usually fall into the white-hat category, but sometimes they are former grey hats who have become security professionals and now use their skills in an ethical manner.
WHITE HAT HACKERS
White hats are the good guys: the ethical hackers who use their hacking skills for defensive purposes. White-hat hackers are usually security professionals with knowledge of hacking and the hacker toolset, who use this knowledge, with the system owner's permission, to locate weaknesses and implement countermeasures.
BLACK HAT HACKERS
Black hats are the bad guys: the malicious hackers or crackers who use their skills for illegal or malicious purposes. They break into or otherwise violate the integrity of remote machines with malicious intent. Having gained unauthorized access, black-hat hackers destroy vital data, deny legitimate users service, and generally cause problems for their targets. Black-hat hackers and crackers can easily be differentiated from white-hat hackers because their actions are malicious.
GREY HAT HACKERS
Grey hats are hackers who may work offensively or defensively, depending on the situation. They sit on the dividing line between hacker and cracker. Both hackers and crackers are powerful forces on the Internet, and both will remain so; some individuals qualify for both categories, which further blurs the division between the two groups.
SECURITY THREATS
A threat, in the context of computer security, is anything that has the potential to cause serious harm to a computer system. A threat is something that may or may not happen but has the potential to cause serious damage. Threats can lead to attacks on computer systems, networks and more. A threat is an event that can take advantage of a vulnerability and cause a negative impact on the network. Potential threats to the network need to be identified, and the related vulnerabilities need to be addressed, to minimize the risk of the threat. The types of security threats are: malicious code, hacking, natural disaster, and theft.
MALICIOUS CODE
Malware is an abbreviation of malicious software. It is usually installed on a computer without the knowledge of the user. These programs open extra windows on the computer or change the computer's configuration. Malware is capable of modifying web browsers to open specific web pages that are not the desired web page; this is known as browser redirection. It is also capable of collecting information stored on the computer without the user's consent. The primary malware threats to end-user workstations are worm, virus, and Trojan horse attacks:
A worm executes arbitrary code and installs copies of itself in the infected computer's memory, from which it infects other hosts; it spreads on its own, without attaching to another program.
A virus is malicious software that is attached to another program to execute a particular unwanted function on a user's workstation.
A Trojan horse differs only in that the entire application was written to look like something else, when in fact it is an attack tool.
To detect, disable, and remove malware before it infects a computer, always use antivirus software, antispyware, and adware removal tools, and keep the operating system and applications patched, since signature-based tools do not catch every new sample. Be aware and stay safe!
HACKING
Hacking is an attempt to exploit a computer system or a private network inside a computer. Simply put, it is unauthorized access to or control over computer network security systems for some illicit purpose. In fact, it is accurate to characterize hacking as an overarching umbrella term for the activity behind most, if not all, of the malware and malicious cyberattacks on the computing public, businesses, and governments. Besides social engineering and malvertising, common hacking techniques include botnets, browser hijacks, denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, ransomware, rootkits, Trojans, viruses, worms and more. Hacking is typically technical in nature (like creating malvertising that deposits malware in a drive-by attack requiring no user interaction). But hackers can also use psychology to trick the user into clicking on a malicious attachment or providing personal data. These tactics are referred to as "social engineering."
NATURAL DISASTER
Natural disasters are extreme, sudden events caused by environmental factors that injure people and damage property: hurricanes, tornados, floods, fires, and earthquakes. For information security they threaten availability above all, which is why off-site backups and secondary locations matter.
THEFT
Theft is the taking of another person's property or services without that person's permission or consent, with the intent to deprive the rightful owner of it. Data theft is the act of stealing computer-based information from an unknowing victim with the intent of compromising privacy or obtaining confidential information. Information theft can also come from inside: one disgruntled (dissatisfied) employee who either wants to harm his or her employer or is motivated by financial gain presents an insider threat to the organization. Identity theft occurs when someone steals your name and other personal information for fraudulent purposes.
SOURCES OF SECURITY THREATS
There are four primary classes of threats to network security: external, internal, unstructured and structured.
1. EXTERNAL THREATS
External threats can arise from individuals or organizations working outside of a company. They do not have authorized access to the computer systems or network. They work their way into a network mainly from the Internet or dial-up access servers.
2. INTERNAL THREATS
Internal threats occur when someone has authorized access to the network, with either an account on a server or physical access to the network. According to the FBI, internal access and misuse account for 60 to 80 percent of reported incidents.
3. UNSTRUCTURED THREATS
Unstructured threats consist mostly of inexperienced individuals using easily available hacking tools such as shell scripts and password crackers. Even unstructured threats that are only executed with the intent of testing and challenging a hacker's skills can still do serious damage to a company. For example, if an external company website is hacked, the integrity of the company is damaged. Even if the external website is separate from the internal information that sits behind a protective firewall, the public does not know that. All the public knows is that the site is not a safe environment to conduct business.
4. STRUCTURED THREATS
Structured threats come from hackers who are more highly motivated and technically competent. These people know system vulnerabilities and can understand and develop exploit code and scripts. They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses. These groups are often involved with the major fraud and theft cases reported to law enforcement agencies.
VARIOUS TYPES OF SECURITY ATTACKS
01 Reconnaissance attack
02 Access attack
03 Denial of Service attack
04 Distributed Denial of Service attack
05 Malicious code attack
TYPES OF SECURITY ATTACKS
RECONNAISSANCE ATTACK
Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. It is also known as information gathering and, in most cases, it precedes an actual access or Denial of Service (DoS) attack. Reconnaissance is somewhat analogous to a thief casing a neighborhood for vulnerable homes to break into, such as an unoccupied residence, easy-to-open doors, or open windows. Examples of reconnaissance techniques are sniffing and spoofing.
SNIFFING
Sniffing is a data interception technique. It uses a program or device that captures information from network traffic. The objective of sniffing is to steal passwords (from email, the web, SMB, FTP, SQL or Telnet), email text and files in transfer (email attachments, FTP files or SMB files). Sniffing works because these protocols, in their plain unencrypted forms, carry credentials and data in cleartext; their encrypted replacements (for example SSH instead of Telnet, HTTPS instead of HTTP) leave a sniffer with only ciphertext.
SPOOFING
Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. Spoofing can apply to emails, phone calls, and websites, or can be more technical, such as a computer spoofing an IP address, Address Resolution Protocol (ARP) replies, or a Domain Name System (DNS) server. Spoofing can be used to gain access to a target's personal information, spread malware through infected links or attachments, bypass network access controls, or redirect traffic to conduct a denial-of-service attack. Spoofing is often the way a bad actor gains the foothold needed for a larger cyber-attack such as an advanced persistent threat or a man-in-the-middle attack. On a switched network, ARP spoofing is also what lets an attacker sniff traffic that would not otherwise reach their port, which is why it is grouped with reconnaissance here even though spoofing is often classified as an access attack.
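The two techniques above, shown from the defender's side in an added example (this is illustration code, not code from the e-book): the first function shows what a sniffer on the same segment harvests from an unencrypted FTP login; the second flags ARP spoofing by noticing that one IP address suddenly answers from a different MAC address. The captured session, the ARP replies, the addresses and the `trusted` bindings are all constructed sample data.

```python
"""Added example (not from the original page): what a sniffer sees on a
cleartext protocol, and how to spot ARP spoofing. All traffic below is
constructed sample data."""
import re

# Constructed sample: an FTP control channel captured on the wire. FTP,
# Telnet and plain HTTP send credentials in cleartext, which is why
# sniffing works against them.
CAPTURED_FTP_SESSION = [
    "220 ftp.example.test FTP server ready",
    "USER alice",
    "331 Password required for alice",
    "PASS Summer2023!",
    "230 User alice logged in",
    "USER bob",
    "331 Password required for bob",
    "PASS hunter2",
    "230 User bob logged in",
]

def extract_ftp_logins(lines):
    """Return [(username, password), ...] found in captured FTP control traffic."""
    logins, user = [], None
    for line in lines:
        m = re.match(r"^(USER|PASS)\s+(.*)$", line.strip())
        if not m:
            continue
        cmd, arg = m.groups()
        if cmd == "USER":
            user = arg
        elif cmd == "PASS" and user is not None:
            logins.append((user, arg))
            user = None
    return logins

# Constructed sample: ARP replies seen by a monitoring host, as
# (timestamp, ip, mac). The fourth reply claims the gateway's IP from a
# different MAC: the signature of ARP spoofing.
CAPTURED_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1",  "aa:bb:cc:00:00:01"),
    ("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),
    ("10:00:05", "192.168.1.1",  "aa:bb:cc:00:00:01"),
    ("10:00:09", "192.168.1.1",  "DE:AD:BE:EF:00:99"),
    ("10:00:10", "192.168.1.20", "aa:bb:cc:00:00:20"),
]

def detect_arp_spoofing(replies, trusted=None):
    """Flag replies whose IP-to-MAC binding conflicts with an earlier one.

    `trusted` is an optional dict of static bindings (e.g. the gateway)
    that take precedence over whatever is learned from traffic.
    Returns a list of (timestamp, ip, expected_mac, observed_mac).
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        expected = bindings.get(ip)
        if expected is None:
            bindings[ip] = mac          # first time this IP is seen: learn it
        elif expected != mac:
            alerts.append((ts, ip, expected, mac))
    return alerts

if __name__ == "__main__":
    print("cleartext logins:", extract_ftp_logins(CAPTURED_FTP_SESSION))
    print("ARP conflicts:", detect_arp_spoofing(CAPTURED_ARP_REPLIES))
```

The learned-binding approach has a blind spot: if the attacker's reply is the first one the monitor sees for an IP, it becomes the "expected" MAC. Seeding `trusted` with the gateway's real MAC closes that gap, which is what tools such as arpwatch and switch-side dynamic ARP inspection do in practice.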
TYPES OF SECURITY ATTACKS
ACCESS ATTACK
Access attacks exploit known vulnerabilities in authentication services, FTP services, and Web services to gain entry to Web accounts, confidential databases, and other sensitive information. Access attacks can consist of password attacks (dictionary cracking, brute-force computation), trust exploitation, port redirection, man-in-the-middle attacks, social engineering and phishing.
HACKING
Hacking is an attempt to exploit a computer system or a private network inside a computer. Simply put, it is unauthorized access to or control over computer network security systems for some illicit purpose.
BRUTE FORCE
A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and to organizations' systems and networks. The attacker tries multiple usernames and passwords, usually using a computer to test a wide range of combinations, until the correct login information is found. A dictionary attack is the common variant: instead of every possible combination, the attacker tries a list of likely passwords first. The name "brute force" comes from attackers using excessively forceful attempts to gain access to user accounts. Despite being an old cyberattack method, brute force attacks are tried and tested and remain a popular tactic with hackers. Often a brute-force attack is performed using a program that runs across the network and attempts to log in to a shared resource, such as a server. When an attacker gains access to a resource, he has the same access rights as the user whose account has been compromised. If this account has sufficient privileges, the attacker can create a back door for future access, so that later status or password changes to the compromised account no longer lock him out. In fact, not only would the attacker have the same rights as the exploited user, but he could also attempt privilege escalation. The usual defences are slow, salted password hashing (so that each guess costs the attacker real work), account lockout or rate limiting after repeated failures, and multi-factor authentication.
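An added example (not the e-book's code) of the dictionary attack described above running against a small login service, first with no lockout and then with a five-attempt lockout. The account store, the user names, the passwords and the wordlist are constructed for the demonstration; PBKDF2 with a per-user salt stands in for whatever slow hash a real service uses.

```python
"""Added example (not from the original page): a dictionary attack against
a password store, and the account-lockout control that limits it."""
import hashlib
import hmac
import os

def hash_password(password, salt, iterations=50_000):
    """Slow, salted hash: every guess costs the attacker this much work too."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

class AccountStore:
    """Minimal login service: salted PBKDF2 hashes plus a lockout counter."""

    def __init__(self, max_attempts=5):
        self.max_attempts = max_attempts
        self.accounts = {}

    def add_user(self, username, password):
        salt = os.urandom(16)                  # unique per user: defeats rainbow tables
        self.accounts[username] = {
            "salt": salt, "hash": hash_password(password, salt),
            "failures": 0, "locked": False,
        }

    def is_locked(self, username):
        return self.accounts[username]["locked"]

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None or acct["locked"]:
            return False                       # unknown or locked: always deny
        if hmac.compare_digest(hash_password(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return True
        acct["failures"] += 1
        if acct["failures"] >= self.max_attempts:
            acct["locked"] = True              # a real system would lock temporarily
        return False

# Constructed wordlist: the kind of "top passwords" file a brute-forcer feeds in.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1",
            "Summer2023", "P@ssw0rd"]

def dictionary_attack(store, username, wordlist):
    """Try each guess in order. Returns (cracked_password_or_None, attempts_made)."""
    for attempts, guess in enumerate(wordlist, start=1):
        if store.login(username, guess):
            return guess, attempts
    return None, len(wordlist)

if __name__ == "__main__":
    no_lockout = AccountStore(max_attempts=10**9)
    no_lockout.add_user("dave", "P@ssw0rd")
    print(dictionary_attack(no_lockout, "dave", WORDLIST))     # cracked on guess 7

    with_lockout = AccountStore(max_attempts=5)
    with_lockout.add_user("dave", "P@ssw0rd")
    print(dictionary_attack(with_lockout, "dave", WORDLIST))   # (None, 7): locked first
    print("locked:", with_lockout.is_locked("dave"))
```

Note the trade-off the lockout introduces: an attacker who only wants to cause harm can deliberately lock every account by sending wrong passwords, which is a denial of service. Production systems therefore prefer temporary lockouts, per-source rate limiting or escalating delays over permanent locks.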
TYPES OF SECURITY ATTACKS
DENIAL OF SERVICE ATTACK
A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic or by sending it information that triggers a crash. In both cases, the DoS attack deprives legitimate users (for example employees, members, or account holders) of the service or resource they expected. DoS attacks often target the web servers of high-profile organizations such as banking, commerce, and media companies, or government and trade organizations. Though DoS attacks do not typically result in the theft or loss of significant information or other assets, they can cost the victim a great deal of time and money to handle. There are two general methods of DoS attack: flooding services or crashing services. Flood attacks occur when the system receives more traffic than the server can buffer, causing it to slow down and eventually stop. Popular flood attacks include ICMP floods and SYN floods (a SYN flood opens many TCP connections that are never completed, exhausting the server's connection table). Other DoS attacks simply exploit vulnerabilities that cause the target system or service to crash. In these attacks, input is sent that takes advantage of bugs in the target, such as a buffer overflow triggered by oversized input, that subsequently crash or severely destabilize the system so that it cannot be accessed or used.
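An added example (not from the e-book) of what a SYN flood looks like in a packet capture and how to pick it out: the detector counts bare SYN packets per source address in a sliding one-second window and reports sources that exceed a threshold. The capture lines are constructed in tcpdump's text format with documentation addresses (10.0.0.5 as a normal client, 203.0.113.7 as the attacker); the threshold and window are assumed values a real deployment would tune.

```python
"""Added example (not from the original page): spotting a SYN flood in
tcpdump-style output by counting SYNs per source in a sliding window."""
import re
from collections import defaultdict, deque

# Matches lines such as:
# 12:00:05.010000 IP 203.0.113.7.50001 > 192.0.2.10.80: Flags [S], seq 1, ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return (seconds_since_midnight, src_ip, flags), or None if the line
    is not a TCP packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mnt, s = m["ts"].split(":")
    t = int(h) * 3600 + int(mnt) * 60 + float(s)
    return t, m["src"], m["flags"]

def detect_syn_flood(lines, threshold=20, window=1.0):
    """Return {src_ip: peak_syn_count} for every source that sent more than
    `threshold` pure SYNs inside some `window`-second interval."""
    recent = defaultdict(deque)     # src -> timestamps of SYNs still in the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        t, src, flags = parsed
        if flags != "S":            # only the opening SYN, not SYN-ACK or data
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()             # drop SYNs that fell out of the window
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}

def make_sample():
    """Constructed capture: one normal client, one attacker."""
    lines = []
    # Normal client: three connections, each SYN followed by its ACK.
    for i in range(3):
        lines.append(f"12:00:0{i}.000000 IP 10.0.0.5.4000{i} > 192.0.2.10.80: "
                     f"Flags [S], seq 1, win 64240, length 0")
        lines.append(f"12:00:0{i}.050000 IP 10.0.0.5.4000{i} > 192.0.2.10.80: "
                     f"Flags [.], ack 1, win 502, length 0")
    # Attacker: 50 SYNs in half a second, never completing a handshake.
    for i in range(50):
        lines.append(f"12:00:05.{i:02d}0000 IP 203.0.113.7.{50000 + i} > 192.0.2.10.80: "
                     f"Flags [S], seq 1, win 1024, length 0")
    return lines

if __name__ == "__main__":
    print(detect_syn_flood(make_sample()))   # {'203.0.113.7': 50}
```

A per-source count like this catches a single-source flood; a distributed flood from thousands of addresses each sending a few SYNs would slip under the per-source threshold, and the right metric then becomes the total rate of half-open connections on the target, which is what SYN cookies and upstream scrubbing services respond to.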
TYPES OF SECURITY ATTACKS
DISTRIBUTED DENIAL OF SERVICE ATTACK
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by using multiple compromised computer systems as sources of attack traffic, which makes the flood both larger and harder to filter by source address than a single-source DoS. Exploited machines can include computers and other networked resources such as IoT devices. At a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination.
TYPES OF SECURITY ATTACKS
MALICIOUS CODE ATTACK
WORM: An application that executes arbitrary code and installs copies of itself in the memory of the infected computer, which then infects other hosts.
VIRUS: Malicious software that is attached to another program to execute a particular unwanted function on the user's workstation.
TROJAN HORSE: An application written to look like something else that in fact is an attack tool.
TYPES OF SOCIAL ENGINEERING ATTACK
Social engineering is the art of manipulating people so that they give up confidential information. The types of information these criminals seek can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or into granting access to your computer so that they can secretly install malicious software that will give them access to your passwords and bank information as well as control over your computer.
PRETEXTING
Pretexting is a form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they use to try to steal their victims' personal information. In these attacks, the scammer usually says they need certain bits of information from their target to confirm the target's identity. They steal that data and use it to commit identity theft or to stage secondary attacks. More advanced attacks sometimes try to trick their targets into doing something that abuses an organization's digital and/or physical weaknesses. For example, an attacker might impersonate an external IT services auditor so that they can talk a target company's physical security team into letting them into the building.
PHISHING
Phishing is an Internet scam where the user is convinced to give up valuable information. Phishing redirects the user to a different website through emails, instant messages, spyware and more. The phisher presents illegitimate websites for the user to fill in personal information. The main purpose of phishing is to get access to the customer's bank account, password and other security information. Phishing attacks can target their audience by mass-mailing millions of email addresses around the world.
VISHING
Vishing, or voice phishing, takes place over the phone.
In this form of social engineering attack, fraudsters represent themselves as legitimate representatives of a bank or other organization to trick users into handing over confidential information. These are not technical attacks. Social engineers rely on elaborate and very clever scripts to gain people's confidence and trust, so that they willingly disclose confidential information. Vishing in particular exploits human fears and the basic desire to help in order to steal information.
VARIOUS TOOLS IN INFORMATION SECURITY
NETWORK STATISTICS (NETSTAT)
Netstat (network statistics) is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and a number of network interface and network protocol statistics. It is available on Unix-like operating systems including macOS, Linux and Solaris, and on Microsoft Windows (Windows XP and later, including Vista, 8 and 10). On a suspect machine, `netstat -an` is a quick way to list listening ports and established connections to unexpected remote addresses.
NETSCAN
Netscan discovers machines on the network, including routers and switches on an Ethernet network; in the product that ships it, it is bundled and installed only with the gateway data center edition.
NETWORK MAPPER (NMAP)
Nmap, short for Network Mapper, is a free, open-source tool for network discovery and, through its scripting engine, vulnerability scanning. Network administrators use Nmap to identify what devices are running on their systems, discover hosts that are available and the services they offer, find open ports and detect security risks. Nmap can be used to monitor single hosts as well as vast networks that encompass hundreds of thousands of devices and multitudes of subnets. Only scan networks you are authorized to scan: to the owner of a target, an unsolicited Nmap scan is indistinguishable from the reconnaissance described earlier.
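An added example (not from the e-book) of the triage step netstat is used for: turning `netstat -an` output into a list of listening services and established connections, which is what a responder compares against the services a machine is supposed to run. The two outputs below are constructed samples in the Linux and Windows formats; a real run would feed `subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout` into `parse_netstat`.

```python
"""Added example (not from the original page): parsing `netstat -an` output
(Linux and Windows formats) into listening ports and established peers."""
import re

# Constructed sample output in the Linux netstat format.
LINUX_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             203.0.113.7:51514       ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Constructed sample output in the Windows netstat format.
WINDOWS_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.9:49712         198.51.100.20:443      ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

ROW_RE = re.compile(
    r"^\s*(?P<proto>tcp6?|udp6?)\s+(?:\d+\s+\d+\s+)?"   # Linux adds Recv-Q/Send-Q
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>[A-Z_]+))?\s*$",
    re.IGNORECASE,
)

def parse_netstat(text):
    """Return one dict per socket row: proto, local, remote, state ('' for UDP)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "proto": m["proto"].lower(),
                "local": m["local"],
                "remote": m["remote"],
                "state": (m["state"] or "").upper(),
            })
    return rows

def port_of(addr):
    """'0.0.0.0:22' -> 22, ':::80' -> 80, '*:*' -> None."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def listening_ports(rows):
    """Sorted (proto, port) pairs: TCP sockets in LISTEN/LISTENING plus every
    bound UDP socket (UDP has no state, so a bound socket is a listener)."""
    found = set()
    for r in rows:
        is_tcp = r["proto"].startswith("tcp")
        if (is_tcp and r["state"] in ("LISTEN", "LISTENING")) or (not is_tcp and r["state"] == ""):
            found.add((r["proto"].rstrip("6"), port_of(r["local"])))
    return sorted(found)

def established(rows):
    """(local, remote) for every ESTABLISHED TCP connection: the peers to review."""
    return [(r["local"], r["remote"]) for r in rows if r["state"] == "ESTABLISHED"]

if __name__ == "__main__":
    for name, text in (("linux", LINUX_NETSTAT), ("windows", WINDOWS_NETSTAT)):
        rows = parse_netstat(text)
        print(name, "listening:", listening_ports(rows))
        print(name, "established:", established(rows))
```

Two things to read from the result: a listener on 0.0.0.0 is reachable from every interface while 127.0.0.1:3306 is local-only, and an established SSH session from 203.0.113.7 is worth a second look if that address is not one your administrators use.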
ACCESS TO DATA AND EQUIPMENT
DATA WIPING
Protecting data also includes removing files from storage devices when they are no longer needed. Simply deleting files or reformatting the drive may not be enough to ensure your privacy. For instance, deleting files from a hard disk drive does not remove them completely: the operating system only removes the reference to the file in the file allocation table, and the file's contents stay on the platters until something else happens to overwrite them, where recovery tools can read them back. Data wiping software overwrites the data itself, one or more times, before the file or the drive is released.
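An added example (not the e-book's code) of the overwrite-before-delete approach described above: the file's contents are overwritten in place, synced to the device, the name is replaced with a random one so the directory entry no longer reveals it, and only then is the file unlinked. The secret text, the pass count and the temporary file are constructed for the demonstration. Caveat a practitioner should know: this only works as described on a magnetic disk writing in place. On SSDs and flash media, wear levelling means the overwrite may land on different physical cells, and copy-on-write or journaling filesystems may keep old copies; there the answer is the drive's built-in secure-erase command or full-disk encryption with key destruction.

```python
"""Added example (not from the original page): overwrite a file's contents
before deleting it, so the data is not left recoverable on a magnetic disk."""
import os
import tempfile

def overwrite_contents(path, passes=3, chunk=1024 * 1024):
    """Overwrite the file in place: random bytes on every pass but the last,
    zeros on the last. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if p < passes - 1 else b"\x00" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # push this pass to the device, not just the cache
    return size

def wipe_file(path, passes=3):
    """Overwrite, rename to a random name (so the directory entry no longer
    leaks the file name), then unlink. Returns True when the file is gone."""
    overwrite_contents(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, os.urandom(8).hex())
    os.replace(path, anonymous)
    os.remove(anonymous)
    return not os.path.exists(path)

def demo():
    """Write a constructed secret to a temp file, overwrite it, check that the
    secret is gone and the final pass left zeros, then wipe the file.
    Returns (secret_still_present, all_zero_after_overwrite, removed)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"SECRET account number 1234-5678\n" * 100)
    overwrite_contents(path, passes=2)
    with open(path, "rb") as f:
        leftover = f.read()
    secret_still_present = b"SECRET" in leftover
    all_zero = leftover == b"\x00" * len(leftover)
    removed = wipe_file(path, passes=1)
    return secret_still_present, all_zero, removed

if __name__ == "__main__":
    print(demo())   # (False, True, True)
```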
ACCESS TO DATA AND EQUIPMENT
HARD DRIVE DESTRUCTION
Crushing technique: punching an irreparable hole through each hard drive with about 3,400 kg of force, completely destroying the drive platters, rippling and fracturing the magnetic surfaces, and rendering the drive's data unrecoverable.
ACCESS TO DATA AND EQUIPMENT
HARD DRIVE RECYCLING
Hard drives that have been wiped can be reused in other computers. The drive can be reformatted and a new operating system installed. Two types of formatting can be performed, as described in the table below.
EXERCISE
1. Information security is also called _____. A. InfoSec B. InfoWar C. Firewall D. Secure System
2. What does the A stand for in the CIA triad? A. Attack B. Asset C. Availability D. Augmentation
3. _____ is the practice and precautions taken to protect valuable information from unauthorised access, recording, disclosure or destruction. A. Information Security B. Database Security C. Network Security D. Physical Security
4. Compromising confidential information comes under _________. A. Vulnerability B. Bug C. Threat D. Attack
5. Self-replicating, and do not require a host program to attach themselves to. A. Worms B. Virus C. Spyware D. Ransomware
6. Phishing is a form of ______. A. login credentials and credit card numbers B. fraudulent attempt C. online scam D. All of the above
7. What is the goal of social engineering? A. Sabotage a person's social media B. To gain vital personal information C. To catfish someone D. To build trust
8. _____ hackers are the bad guys who operate on the opposite side of the law. A. black hat B. white hat C. green hat D. red hat
9. The first phase of hacking is _____. A. Availability B. Authentication C. Output D. Information gathering
10. _________ is a popular tool used for network discovery as well as security auditing. A. Ettercap B. Metasploit C. Nmap D. Burp Suite
Chapter 2: Security Policy and Procedures
SECURITY POLICY
WHAT IS A SECURITY POLICY?
Definition 1: A security policy is a set of security objectives that ensure the security of a network, the data, and the computer systems in an organization. The security policy is a constantly evolving document based on changes in technology, business, and employee requirements.
Definition 2: A security policy is a written document that states how an organization plans to protect the company's information technology assets.
MORE ABOUT SECURITY POLICY
The policy outlines the protections that should be enacted to ensure that the organization's assets face minimal risk. A security policy, along with the accompanying procedures, standards, and guidelines, is key to implementing information security in an organization. Having a written security policy empowers an organization to take appropriate action to safeguard its data.
SECURITY POLICY REQUIREMENTS
What are the requirements in a security policy?
1. Identify organizational issues that impact information security policy
2. Identify the various classes of policy users
3. Organize information security policies and standards into meaningful categories
4. Train all personnel in the organization's information security policies and standards
SECURITY POLICY REQUIREMENTS: MORE ON ....
1. Identify organizational issues that impact information security policy
Information security policies and standards need to accurately reflect the organization. Things to consider:
1. The nature and type of information used in the organization.
2. The different classes of information users and the types of information each uses.
3. The needs for information sharing and protection between different parts of the organization.
4. The needs for information sharing and protection between the organization and its suppliers.
2. Identify the various classes of policy users
Different classes of users have different information security roles and responsibilities. The organization may very well need different information security policies and standards for each of its classes of users. These different kinds of users may include:
1. Management, including boards, executive management, and other management.
2. End users, including employees, contractors, and consultants.
3. Information system personnel, including employees, contractors, and consultants.
4. Customers.
5. Vendors, suppliers and other business partners.
3. Organize information security policies and standards into meaningful categories
While information security policies and standards can be organized in many different ways, they are most useful when organized as follows:
1. Introductory policies and standards, including information security management structure and responsibilities.
2. Information classification and control.
3. Physical security.
4. Personnel security.
5. Policies and standards for employees and other information users.
6. IT infrastructure policies and standards.
7. System and application development policies and standards.
4. Train all personnel in the organization's information security policies and standards
All staff need to be provided with regular awareness training and education. Without such training and education, personnel will not know what they are to do or why they are to do it.
When developing a security policy for the first time, one useful approach is to focus on the why, who, where, and what during the policy development process. An organization should strive to achieve the best and most affordable security protection against data loss or damage to software and equipment. When creating a security policy, ask the following questions to determine the security factors:
When creating a security policy, these are some key areas to address:
1. Process for handling network security incidents
2. Process to audit existing network security
3. General security framework for implementing network security
4. Behaviors that are allowed
5. Behaviors that are prohibited
6. What to log and how to store the logs: Event Viewer, system log files, or security log files
7. Network access to resources through account permissions
8. Authentication technologies to access data: usernames, passwords, biometrics, and smart cards
The security policy should also provide detailed information about the following issues in case of an emergency:
1. Steps to take after a breach in security
2. Who to contact in an emergency
3. Information to share with customers, vendors, and the media
4. Secondary locations to use in an evacuation
5. Steps to take after an emergency is over, including the priority of services to be restored
You should also define employee access to data in a security policy. The policy should protect highly sensitive data from public access, while ensuring that employees can still perform their job tasks. Data can be classified from public to top secret, with several different levels between them. Public information can be seen by anyone and has no security requirements. Top secret information needs the most security, because its exposure can be extremely detrimental to a government, a company, or an individual.
Security policies should be reviewed regularly and updated as necessary. Keep a revision history to track all policy changes. Security is the responsibility of every person within the company. All employees, including non-computer users, must be trained to understand the security policy and notified of any security policy updates.
SECURITY POLICY SCOPE
A security policy should address all data, programs, systems, facilities, other technology infrastructure, users of technology and third parties in a given organization, without exception.
USERNAME AND PASSWORDS
Password guidelines are an important component of a security policy. Any user who must log on to a computer or connect to a network resource should be required to have a password. Passwords help prevent theft of data: attackers can gain access to unprotected computer data, password protection can prevent unauthorized access to content, and so all computers should be password protected. A username and password are the two pieces of information a user needs to log on to a computer. When an attacker knows one of them, the attacker only needs to crack or discover the other to gain access to the system. It is therefore important to change the default username for accounts such as administrator or guest, because these default usernames are widely known. Some home-networking equipment has a default username that cannot be changed; whenever possible, change the default usernames of all users on computers and network equipment. Using secure, encrypted login exchanges for computers with network access should be a minimum requirement in any organization: malicious software could monitor the network and record plaintext passwords, whereas if the login traffic is encrypted an attacker must first break the encryption to learn the passwords. Stored passwords should likewise never be kept in plaintext but as salted password hashes, so that a stolen password file does not hand the attacker every account at once.
Three levels of password protection are recommended:
1. BIOS - Prevents the operating system from booting and the BIOS settings from being changed without the appropriate password.
2. Login - Prevents unauthorized access to the local computer.
3. Network - Prevents access to network resources by unauthorized personnel.
Password Requirements

Passwords should be required to have a minimum length and include uppercase and lowercase letters combined with numbers and symbols. This is known as a strong password. It is common for a security policy to require users to change their passwords on a regular basis and to monitor the number of password attempts before an account is temporarily locked out.

These are some guidelines to creating strong passwords:
1. Length - Use at least eight characters.
2. Complexity - Include letters, numbers, symbols, and punctuation. Use a variety of keys on the keyboard, not just common letters and characters.
3. Variation - Change passwords often. Set a reminder to change the passwords you have for email, banking, and credit card websites on the average of every three to four months.
4. Variety - Use a different password for each site or computer that you use.
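The lockout rule mentioned above, counting failed password attempts and temporarily locking the account, as an added example in Python that is not code from this e-book. The thresholds (five attempts, a fifteen-minute lockout and counting window) and the logon records are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                 # failed logons allowed before lockout (assumed value)
LOCKOUT = timedelta(minutes=15)  # how long the account stays locked (assumed value)
WINDOW = timedelta(minutes=15)   # failures older than this no longer count (assumed)

@dataclass
class Account:
    failures: list[datetime] = field(default_factory=list)   # recent failed attempts
    locked_until: datetime | None = None

class LockoutTracker:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def record(self, user: str, success: bool, now: datetime) -> str:
        """Apply one logon attempt; returns ok, denied, lockout or locked."""
        acct = self.accounts.setdefault(user, Account())
        if acct.locked_until is not None and now < acct.locked_until:
            return "locked"      # rejected even if the password is right
        if success:
            acct.failures.clear()
            acct.locked_until = None
            return "ok"
        acct.failures = [t for t in acct.failures if now - t <= WINDOW] + [now]
        if len(acct.failures) >= MAX_ATTEMPTS:
            acct.locked_until = now + LOCKOUT
            acct.failures.clear()
            return "lockout"     # the event worth alerting on
        return "denied"

# Constructed logon records: "<date> <time> <user> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-03-01 09:00:01 alice FAIL
2024-03-01 09:00:05 alice FAIL
2024-03-01 09:00:09 alice FAIL
2024-03-01 09:00:12 alice FAIL
2024-03-01 09:00:15 alice FAIL
2024-03-01 09:00:20 alice SUCCESS
2024-03-01 09:20:00 alice SUCCESS
"""
def replay(log_text: str = SAMPLE_LOG) -> list[tuple[str, str]]:
    # Run the tracker over the log and return (user, outcome) for each line
    tracker, out = LockoutTracker(), []
    for line in log_text.splitlines():
        day, clock, user, result = line.split()
        now = datetime.fromisoformat(f"{day} {clock}")
        out.append((user, tracker.record(user, result == "SUCCESS", now)))
    return out
```

Note that the correct password at 09:00:20 is still refused while the lockout is in force, and the failure counter only resets on a successful logon or after the counting window passes.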
To create, remove, or modify a password in Windows 7 or Windows Vista, use the following path:
Start > Control Panel > User Accounts

Screen saver required password

It is important to make sure that computers are secure when users are away from the computer. A security policy should contain a rule about requiring a computer to lock when the screen saver starts. This will ensure that after a short time away from the computer, the screen saver will start and then the computer cannot be used until the user logs in.

Tips for strong passwords:
• Must be 6-24 characters
• May not be all letters
• May not be all numbers
• May not be the same as your User ID
• May contain uppercase and lowercase letters, numbers, underscores (_), or hyphens (-)
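An added example, not the e-book's own code, that checks a candidate password against the four guidelines (Length, Complexity, Variation, Variety) and the tips list above. The 8 to 24 character range combines the two length figures the page gives; the four-month rotation limit and the age_days and used_elsewhere inputs are assumptions made for the example.

```python
import string

# Thresholds taken from the page's guidelines (assumed encoding, not the book's code):
# 8-24 characters, all four character classes, rotate within four months,
# never reuse across sites, plus the tips on all-letters / all-numbers / user ID.
MIN_LENGTH, MAX_LENGTH = 8, 24
MAX_AGE_DAYS = 120               # roughly the four-month upper bound the page gives

def check_password(password, user_id, age_days=None, used_elsewhere=()):
    """Return the rules the password breaks; an empty list means it passes.

    age_days is how many days ago the password was set; used_elsewhere holds
    the user's passwords on other sites or computers (both hypothetical inputs)."""
    problems = []
    # Length
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        problems.append(f"length: must be {MIN_LENGTH}-{MAX_LENGTH} characters")
    # Complexity: letters in both cases, numbers, symbols and punctuation
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("complexity: missing " + ", ".join(missing))
    # Tips list
    if password.isalpha():
        problems.append("tips: may not be all letters")
    if password.isdigit():
        problems.append("tips: may not be all numbers")
    if password.lower() == user_id.lower():
        problems.append("tips: may not be the same as your user ID")
    # Variation: change passwords every three to four months
    if age_days is not None and age_days > MAX_AGE_DAYS:
        problems.append("variation: older than four months, change it")
    # Variety: a different password for each site or computer
    if password in used_elsewhere:
        problems.append("variety: already used on another site or computer")
    return problems
```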
To set the screen saver lock in Windows 7 and Windows Vista, use the following path:
Start > Control Panel > Personalization > Screen Saver
Choose a screen saver and a wait time, and then select the "On resume, display logon screen" option.
FILE AND FOLDER PERMISSIONS

TYPES OF PERMISSIONS

Permissions are rules you configure to limit folder or file access for an individual or for a group of users. The figure lists the permissions that are available for files and folders.
FOLDER PERMISSIONS

Permission levels are configured to limit individual or group user access to specific data. Both FAT32 and NTFS allow folder sharing and folder-level permissions for users with network access.
FAT32 AND NTFS COMPARISON

All file systems keep track of resources, but only file systems with journals, which are special areas where file changes are recorded before changes are made, can log access by user, date, and time. The FAT32 file system lacks journaling and encryption capabilities. As a result, situations that require good security are usually deployed using NTFS. If increased security is needed, it is possible to run certain utilities, such as CONVERT, to upgrade a FAT32 file system to NTFS.