Patch

The first rule of computer security is to check patches. This is true for networks, home computers, laptops, tablets, smart phones,...literally any computer. The operating system, database management systems, development tools, Internet browsers, and so forth all need to be checked for patches. In a Microsoft environment, this should be easy, as the Microsoft website has a utility that will scan your system for any required patches to the browser, operating system, or Office products. It is a very basic tenet of security to ensure that all patches are up to date. This should be one of the first tasks when assessing a system.

It is also important to consider the types of patches. The most important patches are labeled important or critical. (Microsoft labels them critical, but other vendors may use another designation.) These patches must be applied; without them, your system simply is not secure. Recommended patches should be applied unless you have some compelling reason not to. Finally, optional patches usually enhance or correct some minor functionality in the system but are not necessary for security. Your system will not be vulnerable without these. These optional patches usually enhance or correct some minor functionality in the system but are not necessary for security.

While home users might benefit from automatic patching, automatic patching is not appropriate for network administrators. It is always possible that a patch might interfere with some custom software or some system configuration. Therefore, patches need to be deployed first to a test system to ensure that they do not disrupt any other software or configurations. Once the testing is complete, you can push a patch out to the production network. Even then, patches should be rolled out in stages, in case something goes wrong. This does not mean that patches are not applied in a timely manner. If there is a critical patch, it must be tested promptly so that it can be rolled out to the production network.

Once you have ensured that all patches are up to date, the next step is to set up a system to ensure that they are kept up to date. One simple method is to initiate a periodic patch review during which, at a scheduled time, all machines are checked for patches. There are also automated solutions that can patch all systems in an organization. It is imperative that all machines be patched, not just the servers.

An important issue is when to patch. For home users, it is usually recommended that automatic patching be turned on so that their systems get patched as soon as patches are available. However, this is not recommended for network administrators. It is entirely possible that a particular patch might not be compatible with some software on the network. A good example occurred in 2010 with McAfee Antivirus Business Edition. In April 2010, an update to McAfee caused computers running Windows XP Service Pack 3 to shut down. This caused a great many problems for networks with Windows XP workstations. It is recommended that you install patches on a test machine that has an identical configuration to your network’s workstations. Then after the patch has been tested, it can be pushed out to the network.

Ports

As you learned in Chapter 2, “Networks and the Internet,” all communication takes place via some port. Any port you do not explicitly need should be shut down. Any unused services on servers and individual workstations should be shut down. Both Windows (XP, Vista, 7, 8, and 10) and Linux have built-in port-filtering capability. Windows 2000 Professional was the first Windows operating system to include port-filtering capability. Windows XP expanded this to a fully functional firewall. Windows 7 added a firewall that could block outgoing as well as incoming traffic. Shutting down a service in Windows and port filtering are both discussed in more detail in Chapter 9, “Computer Security Technology.”

You should also shut down any unused router ports in your network. If your network is part of a larger WAN, then it is likely that you have a router connecting you to that WAN. Every open port is a possible avenue of entry for malware or an intruder. Therefore, every port you can close eliminates an opportunity for such attacks to affect your system.

In Practice

Shutting Down a Service in Windows

For an individual machine that is not running firewall software, you do not directly close ports; instead, you shut down the service using that port. For example, if you do not use an FTP service but you see that the FTP port is on, chances are that you have an FTP service running on that machine. In Windows (7 or later) or in Windows Server 2008 (or later), if you have administrative privileges, you can take the following two steps to shut down an unneeded service:

1. Go to the Control Panel and double-click Administrative Tools. (Note that in Windows 7 and 8 you go to Control Panel, click on System and Security, and double-click Administrative Tools.)

2. Double-click Services. You should see a window similar to the one shown in Figure 11.1.

The window in Figure 11.1 shows all services installed on the machine, whether they are running or not. Notice that the window also displays information about whether a service is running, whether it starts up automatically, and so forth. In Windows XP, more information can be seen by selecting an individual service. When you double-click on an individual service in any version of Windows (Windows XP through Windows 10, Server 2003 through Server 2016), you see a dialog box similar to Figure 11.2 that provides details about that service.

In the example shown in Figure 11.1, you saw a service on a machine that does not require it. Then in figure 11.2 you see how to disable that service. To illustrate the procedure, this service is going to be disabled. (Before you turn off any service, however, you need to check whether other services depend on the one you are about to shut off. If other services depend on the one you want to turn off and you proceed to turn it off, you will cause the other services to fail.) Follow these steps to turn off a service:

1. Click on the Dependencies tab. In this case, the service has no dependencies.

2. Click the General tab.

3. Change the Startup type to Disabled.

4. Click the Stop button in the Service status section, if necessary. Your dialog box should look similar to Figure 11.2. The fax service is now shut down.

5. Click OK to accept the edits made and close the Properties dialog box. Close the Services dialog box and the Administrative Tools dialog box.

Shutting down unneeded ports and services is an essential and very basic part of computer security. As mentioned, every port that is open (and every service that is running) is a possible avenue for a hacker or virus to get to your machine. Therefore, keep in mind this important rule: If you don’t need it, shut it down and block it.

It is a best practice to make a list of all software that you are running. Then look up the ports and protocols that you need for that software and allow only those. It is important to keep in mind that these are ports for incoming traffic. If your machine is not used as a database server, web server, or other type of server and if your machine is a stand-alone one, you can (and should) close all ports. Workstations on networks may need some ports open for network utilities. We will examine some interesting utilities later in this chapter.

Protect

The next phase of assessing a system’s security is to ensure that all reasonable protective software and devices are employed. This means, at a minimum, having a firewall between your network and the outside world (refer to Chapter 2). You should also consider using an intrusion detection system (IDS) on that firewall and any web servers. (We discussed Snort IDS in Chapter 9). Some security experts consider IDSs to be nonessential; you can certainly have a secure network without one. However, using an IDS is the only way to know of impending attacks, and there are free, open-source IDSs available, and I highly recommend using them. A firewall and an IDS will provide basic security to your network’s perimeter, but you also need virus scanning. Each and every machine, including servers, must have a virus scanner that is updated regularly. The point has already been made that a virus infection is the greatest threat to most networks. As also previously discussed, it is probably prudent to consider installing antispyware software on all of your systems to prevent users of your network from inadvertently running spyware on the network.

Policies

While policies are discussed in detail in Chapter 10, “Security Policies,” we briefly review some aspects of policies here. It is absolutely essential that any organization have clearly written policies on computer security—and that those policies be strongly enforced by management. Those policies should cover acceptable use of organizational computers, the Internet, email, and any other aspect of the system. Policies should prohibit the installation of any software on the systems. Only IT personnel should install software—and only after they have verified its safety.

Policies should also advise users against opening unknown/unexpected attachments. I recommend that people within an organization or department use a code word. If that code word does not appear in the body of an email (or in the subject line), then they do not open the attachment. Most virus attacks spread via email attachments. The subject line and body of such email messages are generated automatically by the virus itself. All of your legitimate attachments can have a code word in the subject line; it is highly unlikely that this word would be in the subject line of an email sent by a virus. This alone could prevent your users from inadvertently opening a virus.

Policies should also clearly delineate who has access to what data, how backups are performed, and what to do to recover data in the case of a disaster (commonly called a disaster recovery plan). Data access must be limited to only those personnel with an actual need to access the data. For example, not everyone in the human resources department needs access to disciplinary files on all employees. Does your organization have a plan for what to do if a fire destroys your servers and all their data? Where do you get new machines? Who gets them? Is there an offsite copy of the data backup? Such questions must be addressed in a disaster recovery plan.

There should be a policy regarding passwords: acceptable minimum length, lifetime of a password, password history, and passwords to be avoided, such as any word that has a direct connection to the user. For example, a user who is a big fan of the Dallas Cowboys should not use a password that has any relationship to that sports team. Also, passwords that relate to personal data, such as spouse’s birthday, children’s names, or pet names, are poor choices. A password policy could also include recommendations or restrictions on a password.

Additionally, a password should not be kept for long periods of time. A 90- or 180-day password replacement schedule is good for most situations. More secure environments might require 30 or even fewer days. Microsoft recommends 42 days (6 weeks). This is referred to as password age. (This, of course, must be weighed against the user’s access to sensitive information or data. A company financial officer might change her password weekly; a nuclear arms engineer might change his password daily; and a mail clerk might need to change her password on a much less frequent basis.) You can set many systems (including Windows) to force the user to get a new password after a certain period of time. You should also make sure the person does not merely reuse old passwords, referred to as password history and also referred to in some operating systems as uniqueness. A good rule of thumb is a history depth of five—meaning that the person cannot reuse any of her previous five passwords. Additionally, you may need to implement a minimum password age to prevent users from immediately changing their password five times to return to her current password. Generally, a minimum of 1 day is recommended.

Finally, policies should include specific instructions on what to do in case of an employee termination. It is imperative that all of that person’s login accounts be immediately disabled and any physical access to any part of the system be immediately discontinued. Unfortunately, many organizations fail to address this properly and end up providing opportunities for disgruntled former employees to inflict retribution on the former employer.

Probe

An important step in assessing any network is to probe the network. We will look at several probes later in this chapter. The key is to periodically probe your own network for security flaws. This should be a regularly scheduled event—perhaps once a quarter. At a minimum, a complete audit of your security should be completed once per year. That would, of course, include probing your ports. However, a true security audit would also include a review of your security policies, your patching system, any security logs you maintain, personnel files of those in secure positions, and so forth.

Physical

Lastly, you cannot ignore physical security. The most robustly secure computer that is left sitting unattended in an unlocked room is not at all secure. You must have some policy or procedure governing the locking of rooms with computers as well as the handling of laptops, PDAs, and other mobile computer devices. Servers must be in a locked and secure room with as few people as is reasonably possible having access to them. Backup tapes should be stored in a fireproof safe. Documents and old backup tapes should be destroyed before disposal (for example, by melting tapes, magnetizing hard disks, breaking CDs).

Physical access to routers and hubs should also be tightly controlled. Having the most high-tech, professional information security on the planet but leaving your server in an unlocked room to which everyone has access is a recipe for disaster. One of the most common mistakes in the arena of physical security is co-locating a router or switch in a janitorial closet. This means that, in addition to your own security personnel and network administrators, the entire cleaning staff has access to your router or switch, and any one of them could leave the door unlocked for an extended period of time.

There are some basic rules you should follow regarding physical security:

• Server rooms: The room where servers are kept should be the most fire-resistant room in the building. It should have a strong door with a strong lock, such as a deadbolt. Only those personnel who actually have a need to go in the room should have a key. You might also consider a server room log wherein each person logs in when she enters or exits the room. There are actually electronic locks that record who enters a room, when she enters, and when she leaves. You may also wish to consider using biometric locks on critical areas such as server rooms. Consult local security vendors in your area for more details on price and availability.

• Workstations: Every workstation should have an engraved identifying mark. You should also routinely inventory them. It is usually physically impossible to secure them as well as you secure servers, but you can take a few steps to improve their security. Some companies choose to attach the workstations to the desks with cables. This can be effective and affordable.

• Miscellaneous equipment: Projectors, CD burners, laptops, and so forth should be kept under lock and key. Any employee who wishes to use one should be required to sign it out, and it should be checked to see that it is in proper working condition and that all parts are present when it is returned.

Securing an Individual Workstation

There are a number of steps that any prudent individual can take to make his own computer secure. These steps should be taken for both home computers and workstations on a network. In the former case, securing the individual computer is the only security option available. In the latter case, securing the individual computers as well as the perimeter allows for a layered approach to security. While some network administrators simply secure the perimeter via a firewall and/or proxy server, it is generally believed that you should also secure each machine in your organization. This is particularly vital in protecting against virus attacks and some of the distributed denial of service attacks that you learned about in Chapter 4, “Denial of Service Attacks.”

The first step with an individual computer is to ensure that all patches are appropriately applied. Microsoft’s website has utilities that will scan your machine for needed patches for both Windows and Microsoft Office. It is critical that you do this on a regular basis—once per quarter as a minimum. You should also check your other software vendors to see whether they have some similar mechanism to update patches for their products. It is amazing how many virus outbreaks have been widespread despite patches being available to secure the flaws they exploited. Too many people simply do not ensure that patches are applied regularly. For a home computer, this is the most critical step in your security strategy and will protect you from a number of attacks designed to exploit security flaws. For a networked workstation, this is still a vital piece of the overall security strategy and cannot be ignored.

The second step in securing an individual computer is restricting the ability to install programs or alter the machine configuration. In a network environment, this would mean that most users do not have permissions to install software or change system settings. Only network administrators and designated support staff should have that ability. In a home environment, this would mean that only a responsible party or parties (such as the parents) have access rights to install software.

One of the reasons for this particular precaution is to prevent users from accidentally installing a Trojan horse or other malware on their machine. If a person is prevented from installing any software, then there is no chance of inadvertently installing improper software such as a Trojan horse, adware, or other malware. Blocking users from altering the machine’s configuration also prevents them from changing system security settings. Novice users may hear of some way to change some setting and will do so, not realizing the security risks they are exposing their system to.

A perfect example in which a novice might adversely alter security settings involves the Windows Messenger service. This is not used for chat rooms or instant messaging, as many novices incorrectly assume. It is instead used for network administrators to send a broadcast message to all people on a network. Unfortunately, some adware programs also use that service to circumvent pop-up blockers and inundate you with ads. Thus, a security-conscious person might disable that service. You would not want an inexperienced person to turn it back on by thinking it is needed for instant messaging.

It is absolutely critical in any network environment that limits be placed on what the average user can do to a machine’s configuration. Without such limits, even well-meaning employees could eventually compromise security. This particular step is often met with some resistance from the organization. If you are in charge of a system’s security, it is your job to educate the decision makers as to why this step is so critical.

The next step has been discussed previously in this book. Each and every computer must have antivirus and antispyware software. You must also set it to routinely automatically update its virus definitions. Updated, running antivirus software is an integral part of any security solution. The two-pronged approach of antispyware and antivirus software should be a major component in your individual computer security strategy. Some analysts feel that antispyware is a nice extra but not a critical component. Others contend that spyware is a rapidly growing problem and will probably eventually equal or surpass the dangers of virus attacks.

Of course, if your operating system has a built-in firewall, it is a good idea to configure it and have it turned on. Windows (7, 8, and 10) and Linux both come with built-in firewall features. Turn them on and configure them properly. The only significant problem you may encounter in implementing this step is that most networks require a certain amount of traffic between key servers (such as the DNS server) and individual computers. When you configure your firewall, make certain you are allowing appropriate traffic through. If you are at home, you can simply block all incoming traffic. If you are on a network, you must identify what traffic you need to allow.

Passwords and physical security, as discussed earlier in this chapter, are a critical part of computer security. You must ensure that all users utilize passwords that are at least eight characters long and consist of a combination of letters, numbers, and characters. In general, make sure that your password policy is complete and that all employees follow it. This will ensure that your physical security system is sound.

Following these guidelines will not make your computer totally impervious to danger, but these guidelines will make your workstation as secure as it reasonably can be. Remember that, even in a network environment, it is critical to also secure each computer as well as the perimeter.

Securing a Server

The core of any network lies in its servers. This includes database servers, web servers, DNS servers, file and print servers, and so on. These computers provide the resources for the rest of the network. Generally, your most critical data will be stored on these machines. This means that these computers are an especially attractive target for intruders, and securing them is of paramount importance.

Essentially, to secure a server, you should apply the same steps that you would apply to any workstation and then add additional steps. There will not be a user on that machine routinely typing documents or using spreadsheets, so extra-tight restrictions are unlikely to cause the same difficulties for end users that they might on a workstation.

To begin with, you must follow the same steps you would for a workstation. Each and every server should have its software routinely patched. It should also have virus-scanning software and perhaps antispyware as well. It is critical that access to these machines, both via logging on and physical access, be limited to only those people with a clear need. There are, however, additional steps you should take with a server that you might not take with a standard workstation.

Most operating systems for servers (for example, Windows 2008 Server, Linux) have the ability to log a variety of activities. These activities would include failed logon attempts, software installation, and other activities. You should make sure that logging is turned on and that all actions that might pose a security risk are logged. You then must make certain that those logs are checked on a periodic basis.

Remember that the data on a server is more valuable than the actual machine. For this reason, data must be backed up on a regular basis. A daily backup is usually preferred but, in some cases, a weekly backup might be adequate. The backup tapes should be kept in a secure offsite location (such as a bank safety deposit box) or in a fireproof safe. It is critical that you limit access to those backup tapes just as you would limit access to the servers themselves.

With any computer, you should shut down any service you do not need. However, with a server, you may wish to take the extra step of uninstalling any software or operating system components you do not need, meaning that anything not required for the server to function should be removed. But think carefully about this before proceeding. Clearly, games and office suites are not needed for a server. However, a browser might be necessary to update patches.

There is another step that should be taken with servers that is not necessary with workstations. Most server operating systems have built-in accounts. For example, Windows has built-in administrator, guest, and power user accounts. Any hacker who wants to try to guess passwords will begin by trying to guess the passwords that go with these standard users. In fact, there are utilities on the Web that will do this automatically for the would-be intruder. First, you should create your own accounts with names that do not reflect their level of permission. For example, disable the administrator account and create an account called basic_user. Set up basic_user as the administrator account, with appropriate permissions. (Of course, only give that username and password to those people you want to have administrator privileges.) If you do this, a hacker would not immediately guess that this account is the one that he wants to crack. Remember, hackers ultimately want administrative privileges on a target system; concealing which accounts have those privileges is a vital step in preventing the hacker from breaching your security.

There are a variety of Registry settings in any version of Windows that can be altered to increase your security. If you use a scanning tool, such as Cerberus, it returns a report stating the weaknesses in your Registry settings. What items in the Registry settings might cause security problems? A few items that are commonly examined include the following:

• Logon: If your Registry is set so that the logon screen shows the last user’s name, you have done half of the hacker’s work for her. Since she now has a username, she only needs to guess the password.

• Default Shares: Certain drives/folders are shared by default. Leaving them shared like this presents a security hazard.

These are just a few of the potential problems in the Windows Registry. A tool such as Cerberus will not only tell you what the problems are but will make recommendations for corrections. To start the Registry editor, go to Start, select Run, and then enter regedit. You can then edit the Registry.

Securing a Network

Obviously, the first step in securing a network is to secure all computers that take part in that network, including all workstations and servers. However, this is just one part of network security. By now it should be clear that using a firewall and proxy server are also critical elements in network security. Chapter 12, “Cyber Terrorism and Information Warfare,” will provide more details on these devices. For now, it is important to realize that you need to have them. Most experts also recommend using an IDS. There are a number of such systems available—some are even free. These systems can detect things, such as port scanning, which might indicate that a person is preparing to attempt a breach of your security perimeter.

If your network is at all large, then you might consider partitioning it into smaller segments with a firewall-enabled router between segments. Of course, “large” is a vague term, and you will have to decide if your network is large enough to require partitioning. In this way, if one segment is compromised, the entire network will not be compromised. In this system, you might consider putting your most important servers (database, file) on a secure segment.

Since web servers must be exposed to the outside world and are the most common point of attack, it then makes sense to separate them from the rest of the network. Many network administrators will put a second firewall between the web server and the rest of the network. This means that if a hacker exploits a flaw in your web server and gains access to it, then he will not have access to your entire network. This brings up the issue of what should be on your web server. The answer is: only what you need to post web pages. No data, documents, or other information should be stored on that server, and certainly no extraneous software. The operating system and web server software are all that are required. You may add a few other items (such as an IDS) if your situation requires it. Any other software running on that server is a potential security risk.

Another concept you should consider is the DMZ. A DMZ is a demilitarized zone. It essentially involves setting up two firewalls: one outer and one inner. Resources that must be accessible to the outside world are between the two firewalls. The outer firewall is more permissive, and the inner firewall is highly restrictive. There are even routers that include this functionality in a single box. By plugging into certain ports, you are adding a device either behind the inner firewall or in the DMZ. This is shown in Figure 11.3.

You must also have policies that guide users in how to use the system, as we discussed earlier in this chapter. The most robust security in the world will not be of much use if a careless user inadvertently compromises your security. Keep in mind that you must have policies in place that guide users in what is considered appropriate use of the system and what is not.

Just as you take steps to harden your servers (such as patching the operating system and shutting down unneeded services), you should also harden your router. The specifics of what needs to be done will be contingent on your particular router manufacturer and model, but a few general rules should be followed:

• Use good passwords: All routers are configurable. They can be programmed. Therefore, you must obey the same password policies on a router that you would use on any server, including minimum password length and complexity, age of password, and password history. If your router allows you to encrypt the password (as Cisco and other vendors do), then do it.

• Use logging: Most routers allow for logging. You should turn this on and monitor it just as you would monitor server logs.

• Security rules: Some basic router security rules should also be followed:

  • Do not answer to Address Resolution Protocol (ARP) requests for hosts that are not on the user local area network (LAN).

  • If no applications on your network use a given port, that port should be also shut down on the router.

  • Packets not originating from inside your LAN should not be forwarded.

These rules are simply a beginning. You will need to consult your vendor’s documentation for additional recommendations. You must absolutely pay as much attention to securing your router as you do to securing your servers. The following links might be helpful:

• Router security: www.mavetju.org/networking/security.php

• Cisco router hardening: www.sans.org/rr/whitepapers/firewalls/794.php

MBSA

Microsoft Baseline Security Analyzer is a free tool from Microsoft. (Just do a web search on the name to get the latest version.) It is also very simple to use. Critics point out that it is not as robust as other tools, and that is an accurate assessment. I am not claiming this is the best vulnerability assessment tool; it certainly is not. However, it is easy to use, free, and ideal for a Windows administrator who may not be well versed in security.

MBSA (version 2.3 as of this writing) will check one or more Windows machines to see if they have the latest patches, have good password policies, and generally have basic security in place. Now Microsoft is discontinuing this, but you can still get it on the internet, and it still works.

Once you run the program, you choose whether you want to scan a single computer or multiple computers, as shown in Figure 11.4.

For demonstration purposes, we will scan a single computer. When you choose that option, you will see a screen that allows you to designate the computer to scan (it defaults to the computer you are on) and what scans to perform. This is shown in Figure 11.5.

Then you simply start the scan. For a single computer, it won’t take long, but for multiple computers it could take quite some time. When it is done, you will receive a report that details everything checked and if it was okay or not; it has links for deeper explanations if you need them. This is shown in Figure 11.6.

While I agree with critics that there are more robust scanning tools, I feel this particular tool is an excellent choice for someone who is a security novice. It is easy to use and will give you actionable information quickly.

NESSUS

Nessus (www.Nessus.org) is the premiere network vulnerability scanner. There was formerly a free version for personal use and a commercial version. It is now only available for a fee. This is perhaps the most widely used vulnerability scanner available today. It is not nearly as simple to use as MBSA but has many more capabilities. We will explore the basic functionality. If you have an interest in learning more about Nessus, then it is recommended that you consult the documentation available at the Nessus website.

Nessus is a well-known vulnerability scanner. It has been used for many years. Unfortunately, it is not free. The license is over $2100 per year and can be obtained from https://www.tenable.com. Its price has been a barrier for many penetration testers. The primary advantage of Nessus is that the vendor is constantly updating the vulnerabilities it can scan for. Nessus also has a very easy-to-use web interface, as shown in Figure 11.7.

If you select New Scan, you are given a number of options, as shown in Figure 11.8.

You can select Basic Network Scan to see a number of intuitive basic settings. You have to name your scan and select a range of IP addresses, as shown in Figure 11.9.

Then you can either schedule the scan to run later or launch it right away. Nessus scans can take some time to run because they are quite thorough. The results are presented in a very organized screen, as illustrated in Figure 11.10.

You can then drill down on any item of interest. If you double-click on a specific IP address, you can see details for that IP, as illustrated in Figure 11.11.

You can then double-click on any individual item for more details about the issues and how to remediate them.

OWASP Zap

The Open Web Application Security Project (OWASP) is the standard for web application vulnerability. OWASP offers a free vulnerability scanner called the Zed Attack Proxy, commonly known as OWASP ZAP. You can download it from https://github.com/zaproxy/zaproxy/wiki/Downloads. The interface, shown in Figure 11.12, is very easy to use.

Just type in the URL of the site you wish to scan and click Attack. After a few moments, the results will be displayed at the bottom of the screen. You can then expand any item. If you click on a specific item, details will be loaded as shown in Figure 11.13.

OWASP ZAP is a very easy-to-use tool. The basics can be mastered in a few minutes. And given that OWASP is the organization that tracks web application vulnerabilities, it is a very good source for testing the vulnerabilities of a website.

Shodan

This tool is widely used by black hat hackers and security professionals alike. The website https://www.shodan.io is essentially a search engine for vulnerabilities. You need to sign up for a free account to use it, but then it can be invaluable to a pen tester trying to identify vulnerabilities. Of course, the site can also be invaluable to attackers. You can see the website in Figure 11.14.

Shodan allows you to search using a number of options, including the following:

• Search for default passwords, using search terms such as the following:

  • default password country:US

  • default password hostname:chuckeasttom.com

  • default password city:Chicago

• Find Apache servers, using search terms such as the following:

  • apache city: “San Francisco”

• Find webcams, using search terms such as the following:

  • webcamxp city:Chicago

• OLD IIS, using search terms such as the following:

  • “iis/5.0”

With Shodan you can use a number of filters, including these:

• city: Find devices in a specific city.

• country: Find devices in a specific country.

• geo: Specify coordinates (such as latitude and longitude).

• hostname: Find values that match a specific hostname.

• net: Search based on an IP address or an /x CIDR address.

• os: Search based on operating system.

• port: Find particular ports that are open.

• before/after: Find results within a specified time frame.

For example, Figure 11.15 shows the results of a search for default password city:Miami.

When you are performing a penetration test, it is a good idea to search Shodan for your company domain to find information that can guide your penetration testing efforts. Of course, would-be attackers can also use Shodan to find the same information. You can restrict your search to the hostname or domain name of a client who has hired you to conduct a penetration test. You can use Shodan to seek out default passwords, old web servers, unsecured web cameras, and other vulnerabilities in the target network.

The search shown in Figure 11.15 was conducted using the free version of Shodan. Recently, Shodan began offering a paid version that costs $49 and provides additional tools. There are also corporate memberships available at a higher price.

Multiple Choice Questions

1. What are the six Ps of security?

A. Patch, ports, personnel, privacy, protect, policies

B. Ports, patch, protect, probe, policies, physical

C. Physical, privacy, patch, ports, probe, protect

D. Ports, patch, probe, physical, privacy, policies

2. John is now responsible for system security at a small bookkeeping firm. He wants to ensure that he implements good fundamental security. What is the most basic rule of computer security?

A. Keep systems patched.

B. Always use an IDS.

C. Install a firewall.

D. Always use antispyware.

3. You work in the network security department of a large bank. One of your jobs is to keep all systems patched. How might you ensure that system patches are kept up to date?

A. Use an automated patching system.

B. Patch any time you receive a vendor notification of a new patch.

C. Patch whenever a new threat is announced.

D. Use periodic scheduled patching.

4. Teresa is explaining basic security to a new technician. She is teaching him how to secure ports on any server or workstation. What is the rule about ports?

A. Block all incoming ports.

B. Block ICMP packets.

C. Block all unused ports.

D. Block all nonstandard ports.

5. Miguel is trying to secure a web server. He has decided to shut down any services that are not needed. His supervisor has told him to check dependencies first. Which of the following is a good reason to check dependencies before shutting down a service?

A. To determine whether you will need to shut down other services as well

B. To determine whether shutting down this service will affect other services

C. To find out what this service does

D. To find out whether this service is critical to system operations

6. If your machine is not used as a server and is not on a local network, what packet-filtering strategy should you use?

A. Block all ports except 80.

B. Do not block any ports.

C. Block all ports that you don’t need.

D. Do not block well-known ports.

7. You are trying to implement good fundamental security for a small company. Which of the following is the least essential device for protecting your network?

A. Firewall

B. Virus scanners on all machines

C. IDS system

D. Proxy server

8. Mohammed is responsible for security policies at a university. He is trying to ensure proper access policies. What is the rule of thumb on data access?

A. Data must be available to the widest range of people possible.

B. Only administrators and supervisors should access sensitive data.

C. Only those with a need for the specific data should have access.

D. All employees should have access to any data used in their department.

9. What is password age?

A. How long a user has had a password

B. The length of the password history

C. A reference to the sophistication (maturity) of the password

D. A reference to a password’s length

10. What is the minimum frequency for system probing and audits?

A. Once per month

B. Once per year

C. Every other year

D. Every other month

11. An audit should check what areas?

A. Perform system patching, review policies, check personnel records of all managers, and probe for flaws

B. Only probe for flaws

C. Perform system patches, probe for flaws, check logs, and review policies

D. Check all machines for illicit software, perform complete system virus scan, and review firewall policies

12. Jerod is setting up security for a server room for a university. Which of the following is true of the room in which the server is located?

A. It should be in the most fire-resistant room in the building.

B. It should have a strong lock with a strong door.

C. It should be accessible only to those who have a need for access.

D. All of the above.

13. Elizabeth is responsible for security policies at her policies. She is trying to implement sound end user security policies. What would be most important to block end users from doing on their own machine?

A. Running programs other than those installed by the IT staff

B. Surfing the Web and using chat rooms

C. Changing their screensaver and using chat rooms

D. Installing software or changing system settings

14. What is the preferred method for storing backups?

A. Near the server for quick restore if needed

B. Offsite in a secure location

C. In the IT manager’s office for security

D. At the home of one of the IT staff

15. Which of the following is a step you would definitely take with any server but might not be required for a workstation?

A. Uninstall all unneeded programs/software.

B. Shut down unneeded services.

C. Turn off the screensaver.

D. Block all Internet access.

16. Which of the following is a step you might take for large networks but not for smaller networks?

A. Use an IDS.

B. Segment the network with firewalls between the segments.

C. Use antivirus software on all machines on the network.

D. Do criminal background checks for network administrators.

17. Which of the following is a common way to establish security between a web server and a network?

A. Block all traffic between the web server and the network.

B. Place virus scanning between the network and the web server.

C. Put a firewall between the web server and the network.

D. Do not connect your network to the web server.

18. What is the rule on downloading from the Internet?

A. Never download anything.

B. Only download if the download is free of charge.

C. Only download from well-known, reputable sites.

D. Never download executables. Only download graphics.

19. Which of the following certifications is the most prestigious?

A. CISSP

B. PE

C. MCSA

D. Security+

20. Which of the following set of credentials would be best for a security consultant?

A. Ten years of IT experience, 1 year in security, CIW Security analyst, M.B.A.

B. Eight years of IT experience, 3 years in security, CISSP, B.S. in computer science

C. Eleven years of IT experience, 3 years in security, MCSE and CISSP, M.S. in information systems

D. Ten years of experience as a hacker and cracker, MCSE/CIW and Security +, Ph.D. in computer science

Exercises

Exercise 11.1: Patching Systems

1. Using a lab system, find and apply all operating system patches.

2. Check with all vendors of software installed on that machine and apply patches for those applications as well (if available).

3. Note the time taken to fully patch a machine. Consider how long it would take to patch a 100-machine network.

4. Write an essay that answers the following questions: Are there ways you could speed the process of patching a 100-machine network? How might you approach such a task?

Exercise 11.2: Learning About Policies

1. Using the resources given or other resources, find at least one sample security policy document.

2. Analyze that document.

3. Write a brief essay giving your opinion of that policy. Did it miss items? Did it include items you had not thought of?

Exercise 11.3: Learning About Disaster Recovery

1. Using the resources given or other resources, find at least one sample disaster recovery plan.

2. Analyze that document.

3. Write a brief essay giving your opinion of that disaster recovery plan. Also note any changes you would recommend to that policy.

Exercise 11.4: Learning About Audits

1. Using the resources given or other resources, find at least one sample security audit plan.

2. Analyze that document.

3. Write a brief essay giving your opinion of that plan. Do you feel the audit plan is adequate? What changes might you recommend?

Exercise 11.5: Securing Your Computer

Using either your home computer or a lab computer, follow the guidelines given in this chapter to secure that computer. Those steps should include the following:

1. Scan for all patches and install them.

2. Shut down all unneeded services.

3. Install antivirus software. (A demo version can be used for this exercise.)

4. Install antispyware software. (A demo version can be used for this exercise.)

5. Set appropriate password permissions.

Exercise 11.6: Secure Passwords

1. Using the Web or other resources, find out why longer passwords are harder to break.

2. Also find out what other things you should do to make a password harder to crack.

3. Write a brief essay describing what makes a perfect password.

Exercise 11.7: Securing a Server

This exercise is for those students with access to a lab server. Using the guidelines discussed in this chapter, secure a lab server. The steps taken should include the following:

1. Scan for all patches and install them.

2. Shut down all unneeded services.

3. Remove unneeded software.

4. Install antivirus software. (A demo version can be used for this exercise.)

5. Install antispyware software. (A demo version can be used for this exercise.)

6. Set appropriate password permissions.

7. Enable logging of any security violations. (Consult your operating system documentation for instructions.)

Exercise 11.8: Backups

Using the Web and other resources as a guide, develop a backup plan for a web server. The plan should cover how frequently to back up and where to store the backup media.

Exercise 11.9: User Accounts

This exercise is best done with a lab computer, not a machine actually in use.

1. Locate user accounts. (In Windows 8 or Windows 10, this is done by going to Start > Control Panel > Administrative Tools > Computer Management and looking for Groups and Users.)

2. Disable all default accounts (Guest, Administrator).

Projects

Project 11.1: Writing and Executing an Audit Plan

With the knowledge you have gained while studying six chapters of this text and in examining security policies in the preceding exercises, it is now time to devise your own audit plan. This plan should detail all the steps in an audit.

Note: The second part of this project is contingent upon getting permission from some organization to allow you to audit its security. It is also ideal for a group project.

Taking the audit plan you wrote, audit a network. This audit can be conducted for any sort of organization, but you should make your first audit one with a small network (fewer than 100 users).

Project 11.2: Forming a Disaster Recovery Plan

Using the knowledge you have gained thus far, create an IT disaster recovery plan for an organization. You may use a fictitious organization, but a real organization would be better.

Project 11.3: Writing a Security Policy Document

Note: This project is designed as a group project.

It is now time to bring all you have learned thus far together. Write a complete set of security policies for an organization. Again, you may use a fictitious company, but real organizations are better. This set of policies must cover user access, password policies, frequency of audits (both internal and external), minimum security requirements, guidelines for web surfing, and so on.

Project 11.4: Secure Web Servers

Using the information in this chapter as well as other resources, come up with a strategy specifically for securing a web server. This strategy should include the security of the server itself as well as securing the network from the server.

Project 11.5: Adding Your Own Guidelines

Note: This project is ideal for a group project.

This chapter has outlined some general procedures for security. Write an essay detailing your own additional guidelines. These can be guidelines for individual computers, servers, networks, or any combination thereof.