Appendix B. Memory Tables Answer Key

Chapter 2

Table 2-1. Summary of Malware Threats

Table 2-2. Summary of Malware Prevention Techniques

Chapter 3

Patch Management

Planning—Before actually doing anything, a plan should be set into motion. The first thing that needs to be decided is whether the patch is necessary and if it will be compatible with other systems. Microsoft Baseline Security Analyzer (MBSA) is one example of a program that can identify security misconfigurations on the computers in your network, letting you know if patching is needed. If the patch is deemed necessary, the plan should consist of a way to test the patch in a “clean” network on clean systems, how and when the patch will be implemented, and how the patch will be checked after it is installed.

Testing—Before automating the deployment of a patch among a thousand computers, it makes sense to test it on a single system or small group of systems first. These systems should be reserved for testing purposes only and should not be used by “civilians” or regular users on the network. I know, this is asking a lot, especially given the amount of resources some companies have. But the more you can push for at least a single testing system that is not a part of the main network, the less you will have to cover your tracks if a failure occurs!

Implementing—If the test is successful, the patch should be deployed to all the necessary systems. In many cases this will be done in the evening or over the weekend for larger updates. Patches can be deployed automatically using software such as Microsoft’s Systems Management Server (SMS).

Auditing—When the implementation is complete, the systems (or at least a sample of systems) should be audited; first, to make sure the patch has taken hold properly, and second, to check for any changes or failures due to the patch. SMS and other third-party tools can be used for this.

Keeping a Well-Maintained Computer

Step 1. Use a surge protector or UPS—Make sure the computer and other equipment connect to a surge protector, or better yet a UPS if you are concerned about power loss.

Step 2. Update the BIOS—Flashing the BIOS isn’t always necessary; check the manufacturer’s website for your motherboard to see if an update is needed.

Step 3. Update Windows—This includes installing the latest service packs (SPs) and any Windows updates beyond that, and setting Windows to alert you when new updates are available.

Step 4. Update antimalware—This includes making sure that there is a current license for the antimalware (antivirus and antispyware) and verifying that updates are turned on and the software is regularly scanning the system.

Step 5. Update the firewall—Be sure to have some kind of firewall installed and enabled; then update it. If it is the Windows Firewall, updates should happen automatically through Windows Update. However, if you have a SOHO router with a built-in firewall, or other firewall device, you need to update the device’s ROM by downloading the latest image from the manufacturer’s website.

Step 6. Maintain the disks—This means running a disk cleanup program regularly and checking, anywhere from once a week to once a month depending on the amount of usage, whether the hard disk needs to be defragmented. It also means creating restore points, doing Complete PC Backups, or using third-party backup or drive imaging software.

Chapter 4

Table 4-1. Common Applications and Safeguards

Table 4-2. Summary of Programming Vulnerabilities

Chapter 5

Table 5-1. Private IP Ranges (as Assigned by the IANA)

Table 5-3. Port Ranges

Table 5-4. 23 Ports and Their Associated Protocols

Chapter 6

Table 6-1. Summary of NIDS Versus NIPS

Chapter 7

Table 7-1. Weak, Strong, and Stronger Passwords

Privilege Escalation

Vertical privilege escalation—When a lower privileged user accesses functions reserved for higher privilege users, for example, if a standard user can access functions of an administrator. This is also known as privilege elevation and is what the term “privilege escalation” most commonly refers to.

Horizontal privilege escalation—When a normal user accesses functions or content reserved for other normal users, for example, if one user reads another’s e-mail. This can be done through hacking or by a person walking over to other people’s computers and simply reading their e-mail! Always have your users lock their computer (or log off) when they are not physically at their desk!

Table 7-2. Wireless Encryption Methods

Chapter 8

Table 8-1. VPN Tunneling Protocols

Table 8-2. Summary of Authentication Technologies

Chapter 9

Mandatory Access Control

Rule-based access control—Also known as label-based access control, this defines whether access should be granted or denied to objects by comparing the object label and the subject label.

Lattice-based access control—Used for more complex determinations of object access by subjects. Somewhat advanced mathematics are used to create sets of objects and subjects and define how the two interact.

Table 9-1. Summary of Access Control Models

Here are a couple more tips when it comes to user accounts, passwords, and logons:

Rename and password protect the Administrator account—It’s nice that Windows has incorporated a separate administrator account: The problem is that by default the account has no password. To configure this account, navigate to Computer Management > System Tools > Local Users and Groups > Users and locate the Administrator account. In a domain, this would be in ADUC > Domain name > Users. By right-clicking the account, you see a drop-down menu in which you can rename it and/or give it a password. (Just remember the new username and password!) Now it’s great to have this additional administrator account on the shelf just in case the primary account fails; however, some OSs such as Vista disable the account by default. To enable it, right-click the account and select Properties. In the General tab, deselect the Account Is Disabled check box. Alternatively, open the command line and type net user administrator /active:yes. The way that the administrator account behaves by default will depend on the version of Windows. The Linux/UNIX counterpart is the root account. The same types of measures should be employed when dealing with this account.

Verify that the Guest account (and any other unnecessary accounts) is disabled—Right-click the account in question, select Properties, and then select the Account Is Disabled check box. It is also possible to delete accounts (aside from built-in accounts such as the Guest account); however, companies usually opt to disable them instead so that the company can retain information linked to the account.

Use Ctrl+Alt+Del—Pressing Ctrl+Alt+Del before the logon adds a layer of security to the logon process. This can be added as a policy on individual Windows computers. It is implemented by default with computers that are members of a domain.

Use policies—Policies governing user accounts, passwords, and so on can help you to enforce your rules, as discussed in the next section. Large organizations with a lot of users will usually implement a self-service password management system. This means that users reset their own passwords after a given amount of time (set in a group policy); the administrator does not create passwords for users.

Chapter 10

Table 10-2. Summary of Risk Assessment Types

Table 10-3. Summary of Chapter 10 Security Tools

Chapter 11

Table 11-1. Summary of Monitoring Methodologies

Network adapters can work in one of two different modes: promiscuous and non-promiscuous.

Promiscuous mode—When the network adapter captures all packets that it has access to regardless of the destination of those packets.

Non-promiscuous mode—When a network adapter captures only the packets that are addressed to it specifically.

Chapter 12

Table 12-3. Summary of Symmetric Algorithms

Chapter 14

Table 14-1. RAID Descriptions

Redundant Sites

Hot site—A near duplicate of the original site of the organization that can be up and running within minutes (maybe longer). Computers and phones are installed and ready to go, a simulated version of the server room stands ready, and the vast majority of the data is replicated to the site on a regular basis in the event that the original site is not accessible to users for whatever reason. Hot sites are used by companies that would face financial ruin if a disaster made their main site inaccessible for a few days or even a few hours. This is the only type of redundant site that can facilitate a full recovery.

Warm site—Will have computers, phones, and servers, but they might require some configuration before users can start working on them. The warm site will have backups of data that might need to be restored; they will probably be several days old. Organizations choose this option most often because it has a good amount of configuration, yet remains less expensive than a hot site.

Cold site—Has tables, chairs, bathrooms, and possibly some technical setup; for example, basic phone, data, and electrical lines. Otherwise, a lot of configuration of computers and data restoration is necessary before the site can be properly utilized. This type of site is used only if a company can handle the stress of being nonproductive for a week or more.

Data Backup

Full backup—When all the contents of a folder are backed up. It can be stored on one or more tapes. If more than one tape is used, the restore process would require starting with the oldest tape and moving through the tapes chronologically one by one. Full backups can use a lot of space, causing a backup operator to make use of a lot of backup tapes, which can be expensive. Full backups can also be time-consuming if there is a lot of data. So, quite often, incremental and differential backups are used with full backups as part of a backup plan.

Incremental backup—Backs up only the contents of a folder that have changed since the last full backup or the last incremental backup. An incremental backup must be preceded by a full backup. Restoring the contents of a folder or volume would require a person to start with the full backup tape and then move on to each of the incremental tapes chronologically, ending with the latest incremental backup tape. Incremental backups started in the time of floppy disks when storage space and backup speed were quite limited. Some operating systems and backup systems will associate an archive bit (or archive flag) with any file that has been modified; this indicates to the backup program that the file should be backed up during the next backup phase. If this is the case, the incremental backup will reset the bit after the backup is complete.

Differential backup—Backs up only the contents of a folder that has changed since the last full backup. A differential backup must be preceded by a full backup. To restore data, a person would start with the full backup tape and then move on to the differential tape. Differential backups do not reset the archive bit when backing up. This means that incremental backups will not see or know that a differential backup has occurred.
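
The three backup types and the archive-bit behavior described above, as an added example that is not from the book: a constructed three-file volume is backed up over a Monday-to-Wednesday cycle, once with incrementals and once with differentials, and the tape chain each restore needs is computed. Volume, run_backup, restore_chain and week are hypothetical helper names.

```python
from collections import namedtuple
Tape = namedtuple("Tape", "kind data")  # kind is full, incremental or differential

class Volume:
    """Constructed sample volume: files maps name -> (content, archive_bit)."""
    def __init__(self):
        self.files = {}
    def write(self, name, content):
        # Any modification sets the archive bit, flagging the file for backup.
        self.files[name] = (content, True)

def run_backup(vol, kind):
    if kind == "full":
        data = {n: c for n, (c, _) in vol.files.items()}
    else:
        # Incremental and differential both capture only flagged files.
        data = {n: c for n, (c, bit) in vol.files.items() if bit}
    if kind in ("full", "incremental"):
        # Full and incremental reset the bit; differential leaves it set, so a
        # later incremental never knows that a differential took place.
        for n in data:
            vol.files[n] = (vol.files[n][0], False)
    return Tape(kind, data)

def restore_chain(tapes):
    """Tapes needed, in order, to rebuild the latest state."""
    last_full = max(i for i, t in enumerate(tapes) if t.kind == "full")
    after = tapes[last_full + 1:]
    diffs = [t for t in after if t.kind == "differential"]
    if diffs:  # full tape, then only the newest differential
        return [tapes[last_full], diffs[-1]]
    return [tapes[last_full]] + [t for t in after if t.kind == "incremental"]

def restore(tapes):
    state = {}
    for t in restore_chain(tapes):  # oldest to newest, later tapes win
        state.update(t.data)
    return state

def week(kind):
    """Mon: full backup; Tue: a.txt edited, backup; Wed: b.txt edited, backup."""
    vol = Volume()
    for n in ("a.txt", "b.txt", "c.txt"):
        vol.write(n, n + " v1")
    tapes = [run_backup(vol, "full")]
    for n in ("a.txt", "b.txt"):
        vol.write(n, n + " v2")
        tapes.append(run_backup(vol, kind))
    return tapes
```

Running week("incremental") yields a Wednesday tape holding only b.txt and a three-tape restore chain, while week("differential") yields a Wednesday tape holding both a.txt and b.txt and a two-tape chain; both restore to the same final state.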

Other Backup Schemes

10 tape rotation—This method is simple and provides easy access to data that has been backed up. It is accomplished over a 2-week backup period: each tape is used once per day for 2 weeks, and then the entire set is recycled. Generally, this will be similar to the one-week schedule shown previously; however, the second Monday might be a differential backup instead of a full backup, and the second Friday might be a full backup, which is archived. There are several options; you would need to run some backups and see which is best for you given the number of tapes required and the time spent running the backups.

Grandfather-father-son—This backup rotation scheme is probably the most common backup method used. When attempting to use this scheme, three sets of backup tapes must be defined—usually they are daily, weekly, and monthly, which correspond to son, father, and grandfather. Backups are rotated on a daily basis; normally the last one of the week will be graduated to father status. Weekly (father) backups are rotated on a weekly basis with the last one of the month being graduated to grandfather status. Quite often, monthly (grandfather) backups, or a copy of them, are archived offsite.

Towers of Hanoi—This backup rotation scheme is based on the mathematics of the Towers of Hanoi puzzle. This also uses three backup sets, but they are rotated differently. Without getting into the mathematics behind it, the basic idea is that the first tape is used every 2nd day, the second tape is used every 4th day, and the third tape is used every 8th day. Table 14-3 shows an example of this. Keep in mind that this can go further; a fourth tape can be used every 16th day, a fifth tape every 32nd day, and so on, although it gets much more complex to remember which tapes to use to back up and in which order to restore them. The table shows an example with three tape sets represented as sets A, B, and C.
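
An added example, not part of the book, that generates the Towers of Hanoi rotation for any number of tape sets from the power-of-two rule stated above (set A every 2nd day, B every 4th, C every 8th). It goes beyond the three-set case in the text by letting the highest set also take the days a further set would have used, which is the usual convention for this scheme; tape_for_day, schedule and last_written are hypothetical names.

```python
from string import ascii_uppercase

def tape_for_day(day, n_sets):
    """Return the set letter (A, B, C, ...) used on 1-indexed `day`.
    Set A is used every 2nd day (odd days), B every 4th, C every 8th, and so on:
    set k is used when 2**k is the largest power of two dividing `day`.
    The highest set also absorbs the days a further set would have taken."""
    if day < 1 or n_sets < 1:
        raise ValueError("day and n_sets must be positive")
    k = (day & -day).bit_length() - 1  # count of trailing zero bits in day
    return ascii_uppercase[min(k, n_sets - 1)]

def schedule(n_sets, days):
    """Which set to write on each day of a `days`-long run."""
    return [tape_for_day(d, n_sets) for d in range(1, days + 1)]

def last_written(n_sets, as_of_day):
    """Most recent day each set was written, as of the end of `as_of_day`.
    This is the retention spread a restore can draw on: once every set has
    been used, A was written within the last 2 days, B within 4, C within 8."""
    latest = {}
    for d in range(1, as_of_day + 1):
        latest[tape_for_day(d, n_sets)] = d
    return latest

if __name__ == "__main__":
    for d, t in enumerate(schedule(3, 8), 1):
        print(f"day {d}: set {t}")
    print(last_written(3, 7))
```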

Chapter 15

Table 15-1. Summary of Social Engineering Types

Table 15-4. Acts Passed Concerning the Disclosure of Data and PII

Table 15-5. Summary of Policy Types
