Chapter 14
Network Threats and Mitigation

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 3.3 Explain common scanning, monitoring, and patching processes and summarize their expected outputs

  • Port scanning
  • Patch management—Rollback
  • Reviewing baselines

✓ 3.5 Identify policies and best practices

  • Licensing restrictions
  • International export controls
  • Incident response policies
  • System life cycle
    • Asset disposal

✓ 4.1 Summarize the purposes of physical security devices

  • Detection
    • Motion detection
    • Video surveillance
    • Asset tracking tags
    • Tamper detection

✓ 4.3 Given a scenario, secure a basic wireless network

  • WPA
  • WPA2

✓ 4.4 Summarize common networking attacks

  • DoS
    • Reflective
    • Amplified
    • Distributed
  • Social engineering
  • Insider threat
  • Logic bomb
  • Rogue access point
  • Evil twin
  • War-driving
  • Phishing
  • Ransomware
  • DNS poisoning
  • ARP poisoning
  • Spoofing
  • Deauthentication
  • Brute force
  • VLAN hopping
  • Man-in-the-middle
  • Exploits vs. vulnerabilities

✓ 4.5 Given a scenario, implement network device hardening

  • Changing default credentials
  • Avoiding common passwords
  • Upgrading firmware
  • Patching and updates
  • File hashing
  • Disabling unnecessary services
  • Using secure protocols
  • Generating new keys
  • Disabling unused ports
    • IP ports
    • Device ports (physical and virtual)

✓ 4.6 Explain common mitigation techniques and their purposes

  • Privileged user account
  • File integrity monitoring
  • Role separation
  • Restricting access via ACLs

It’s true…you’re not paranoid if they really are out to get you. Although “they” probably aren’t after you personally; your network—no matter the size—is seriously vulnerable, so it’s wise to be very concerned about keeping it secure. Unfortunately, it’s also true that no matter how secure you think your network is, it’s a good bet that there are still some very real threats out there that could breach its security and totally cripple your infrastructure!

I’m not trying to scare you; it’s just that networks, by their very nature, are not secure environments. Think about it—the whole point of having a network is to make resources available to people who aren’t at the same physical location as the network’s resources. Because of this, it follows that you’ve got to open access to those resources to users you may not be able to identify. One network administrator I know referred to a server running a much-maligned network operating system as “a perfectly secure server until you install the NIC.” You can see the dilemma here, right?

Okay, with all this doom and gloom, what’s a network administrator to do? Well, the first line of defense is to know about the types of threats out there because you can’t do anything to protect yourself from something you don’t know about. But once you understand the threats, you can begin to design defenses to combat bad guys lurking in the depths of cyberspace just waiting for an opportunity to strike.

I’m going to introduce you to some of the more common security threats and teach you about the ways to mitigate them. I’ll be honest—the information I’ll be giving you in this chapter is definitely not exhaustive. Securing computers and networks is a huge task and there are literally hundreds of books on this subject alone. If you want to learn more about security on a much deeper level (and get another powerful certification in the process), get your hands on the CompTIA Security+ Study Guide: Exam SY0-501 7th Edition by Emmett Dulaney and Chuck Easttom (Sybex 2018).

To find Todd Lammle CompTIA videos and practice questions, please see www.lammle.com/network+.

Recognizing Security Threats

I’m not trying to freak you out, but I’m not exaggerating the dangers to your network security either. Here’s an example: Recently, I hooked up a friend’s computer to a high-speed network connection from his phone company. He had antivirus software but no personal firewall in place yet, and before I could get that firewall set up (which usually takes about 10 minutes), 15 virus alerts popped up!

Although viruses are common threats that we hear about all the time, there are many other nasty things out there as well. Bad guys who create threats to a network generally have one of two purposes in mind: destruction or reconnaissance. They’re seeking to destroy data or deny access, and maybe even nick information that you definitely don’t want them to have. Some types of attacks can accomplish both, but they’re usually combinations of simpler forms. In the following sections, we’ll look at several common approaches that bad guys use to breach the security of our precious networks.

Denial of Service

A denial of service (DoS) attack does exactly what it sounds like it would do—it prevents users from accessing the network and/or its resources. Today, DoS attacks are commonly launched against a major company’s intranet and especially its websites. “Joe the Hacker” (formerly a plumber) thinks that if he can make a mess of, say, Microsoft’s or Amazon’s website, he’s done that company some serious damage. And you know what? He’s right!

Even though DoS attacks are nasty, strangely, hackers don’t respect other hackers who execute them because they’re really easy to deploy. It’s true—even a pesky little 10-year-old can execute one and bring you to your knees. (That’s just wrong!) This means that “real” bad guys have no respect for someone who uses DoS attacks, and they usually employ much more sophisticated methods of wreaking havoc on you instead. I guess it comes down to that “honor among thieves” thing. Still, know that even though a DoS-type attack won’t gain the guilty party any esteemed status among “real” hackers, it’s still not exactly a day at the beach to deal with.

Worse, DoS attacks come in a variety of flavors. Let’s talk about some of them now.

The Ping of Death

Ping is primarily used to see whether a computer is responding to IP requests. Usually, when you ping a remote host, what you’re really doing is sending four normal-sized Internet Control Message Protocol (ICMP) packets to the remote host to see if it’s available. But during a Ping of Death attack, a humongous ICMP packet is sent to the remote host victim, totally flooding the victim’s buffer and causing the system to reboot or helplessly hang there, drowning. It’s good to know that patches are available for most operating systems to prevent a Ping of Death attack from working.

Unreachable Gateway

An attacker can make a host’s default gateway unreachable; the end game is to get the host to change its gateway address to one controlled by the attacker in order to accomplish a man-in-the-middle attack.

  1. First, the attacker takes control of a secondary gateway available to the host, shown as G1 in Figure 14.1.
  2. The attacker, acting as the destination host, sends a TCP open packet to the acting source host.
  3. While a reply is in transit from the source host to the destination host through gateway G2, the attacker, spoofing as G2, sends an ICMP route redirect message to the source host.
  4. The source host will accept the route change control message as valid and thus change its routing table to route all traffic bound for the destination host through gateway G1.
  5. Now the attacker, acting as a man-in-the-middle host, will quietly read/modify and forward all traffic bound for the destination host to gateway G2.

Figure 14.1 Unreachable gateway

Image shows unreachable gateway that has source host sending TCP open packet to destination host through gateway G2. Source host will accept route change control message through G1.

Distributed DoS (DDoS)

Denial of service attacks can be made more effective if they can be amplified by recruiting helpers in the attack process. In the following sections, some terms and concepts that apply to a distributed denial of service attack are explained.

Botnet

A botnet is a group of programs connected on the Internet for the purpose of performing a task in a coordinated manner. Some botnets, such as those created to maintain control of Internet Relay Chat (IRC) channels, are legal, while others are illegally created to foist a DDoS. An attacker can recruit and build a botnet to help amplify a DoS attack, as illustrated in Figure 14.2.

Figure 14.2 Botnet

Image shows botnet in which attacker attacks PC through command and control server. Bots on infected PCs log into command and control server under attacker control which sends command to attack victim at same time.

The steps in the process of building a botnet are as follows:

  1. A botnet operator sends out viruses or worms whose payloads are malicious applications, the bots, infecting ordinary users’ computers.
  2. The bots on the infected PCs log into a server called a command and control (C&C) server under the control of the attacker.
  3. At the appropriate time, the attacker, through the C&C server, sends a command to all bots to attack the victim at the same time, thereby significantly amplifying the effect of the attack.

Traffic Spike

One of the hallmarks of a DDoS attack is a major spike in traffic in the network as bots that have been recruited mount the attack. For this reason, any major spike in traffic should be regarded with suspicion. A network intrusion detection system (IDS) can recognize these traffic spikes and may be able to prevent them from growing larger or in some cases prevent the traffic in the first place.

Some smaller organizations that cannot afford some of the more pricy intrusion prevention systems (IPSs) or IDSs make use of features present on their load balancers. Many of these products include DDoS mitigation features such as the TCP SYN cookie option. It allows the load balancer to react when the number of SYN requests reaches a certain point. At that point, the device will start dropping requests when the SYN queue is full.

Coordinated Attack

Another unmistakable feature of a DDoS attack is the presence of a coordinated attack. As shown in Figure 14.2 and as just described in the section “Botnet,” to properly amplify the attack the bots must attack the victim at the same time. The coordination of the bots is orchestrated by the command and control server depicted in Figure 14.2. If all the bots can be instructed to attack at precisely the same second, the attack becomes much more dangerous to the victim.

Friendly/Unintentional DoS

An unintentional DoS attack (also referred to as an attack from “friendly fire”) is not caused by malicious individuals; instead, it’s a spike in legitimate activity to a website or resource that overpowers its ability to respond. In many cases, it is the result of a relatively unknown URL suddenly being shared in a larger medium such as a popular TV or news show. For example, when Michael Jackson died, the amount of Twitter and Google traffic spiked so much that at first it was thought that an automated attack was under way.

Physical Attack

Physical attacks are those that cause hardware damage to a device. These attacks can be mitigated, but not eliminated, by preventing physical access to the device. Routers, switches, firewalls, servers, and other infrastructure devices should be locked away and protected by strong access controls. Otherwise, you may be confronted with a permanent DoS, covered in the next section.

Permanent DoS

A permanent DoS attack is one in which the device is damaged and must be replaced. It requires physical access to the device, or does it? Actually, it doesn’t! An attack called a phlashing denial of service (PDoS) attacks the firmware located in many systems. Using tools that fuzz (introduce errors) the firmware, attackers cause the device to be unusable. Another approach is to introduce a firmware image containing a Trojan or other types of malware.

Smurf

Smurfs are happy little blue creatures that like to sing and dance, but a Smurf attack is far more nefarious. It’s a version of a DoS attack that floods its victim with spoofed broadcast ping messages. I’ll talk about spoofing in more detail later; for now, understand that it basically involves stealing someone else’s IP address.

Here’s how it works: The bad guy spoofs the intended victim’s IP address and then sends a large number of pings (IP echo requests) to IP broadcast addresses. The receiving router responds by delivering the broadcast to all hosts in the subnet, and all the hosts respond with an IP echo reply—all of them at the same time. On a network with hundreds of hosts, this results in major network gridlock because all the machines are kept busy responding to each echo request. The situation is even worse if the routers have not been configured to keep these types of broadcasts confined to the local subnet (which thankfully they are by default!). Figure 14.3 shows a Smurf attack in progress.

Figure 14.3 Smurf attack in progress

Image shows Smurf attack in progress where attacker sends ICMP broadcast to network with false IP address and network overloads victim with ICMP response.

Fortunately, Smurf attacks aren’t very common anymore because most routers are configured in a way that prevents them from forwarding broadcast packets to other networks. Plus, it’s really easy to configure routers and hosts so they won’t respond to ping requests directed toward broadcast addresses.

SYN Flood

A SYN flood is also a DoS attack that inundates the receiving machine with lots of packets that cause the victim to waste resources by holding connections open. In normal communications, a workstation that wants to open a Transmission Control Protocol/Internet Protocol (TCP/IP) communication with a server sends a TCP/IP packet with the SYN flag set to 1. The server automatically responds to the request, indicating that it’s ready to start communicating with a SYN-ACK. In the SYN flood, the attacker sends a SYN, the victim sends back a SYN-ACK, and the attacker leaves the victim waiting for the final ACK. While the server is waiting for the response, a small part of memory is reserved for it. As the SYNs continue to arrive, memory is gradually consumed.

Figure 14.4 shows an example of a simple DoS/SYN flood attack.

Figure 14.4 A simple DoS/SYN flood attack

Image shows simple DoS/SYN flood attack where attacker sends multiple SYN requests to web server, web server sends SYN-ACK replies and waits to complete three-way handshake. Valid user sends SYN request and web server is unavailable.

You can see that the preyed-upon machine can’t respond to any other requests because its buffers are already overloaded, and it therefore rejects all packets requesting connections, even valid ones, which is the idea behind the attack. The good news is that patches to help guard against this type of attack are available for the various network operating systems today.
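The SYN cookie option mentioned in the “Traffic Spike” section is the standard fix for the resource problem just described: instead of reserving memory for every half-open connection, the server encodes the connection details into the initial sequence number of its SYN-ACK and only allocates state once the client proves it received that number by echoing it back in the final ACK. The following Python model is an added example, not code from the book or from any real TCP stack; the slot width, the 8-bit/24-bit split of the sequence number, the secret and the 256-byte queue entry size are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

# Constructed secret for the example; a real server would draw this from os.urandom at boot
# and rotate it periodically.
SERVER_SECRET = b"constructed-example-secret-not-for-production"

SLOT_SECONDS = 32  # time-slot width; a cookie is honoured for the current and previous slot


def _time_slot(now):
    return int(now) // SLOT_SECONDS


def _cookie_for_slot(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """32-bit server ISN: 8 bits of time slot + 24 bits of keyed MAC over the 4-tuple."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{slot}".encode()
    mac24 = int.from_bytes(hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((slot & 0xFF) << 24) | mac24


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now=None):
    """ISN the server places in its SYN-ACK. Nothing is stored: the 4-tuple and the time
    are bound into the number itself, so a flood of SYNs consumes no connection memory."""
    now = time.time() if now is None else now
    return _cookie_for_slot(src_ip, src_port, dst_ip, dst_port, client_isn, _time_slot(now))


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack_number, now=None):
    """Validate the third-handshake ACK (ack_number must equal our ISN + 1). Only a client
    that really received the SYN-ACK, i.e. one whose source address was not spoofed, can
    present the right value; a stale or foreign cookie is rejected."""
    now = time.time() if now is None else now
    presented = (ack_number - 1) & 0xFFFFFFFF
    slot = _time_slot(now)
    for candidate in (slot, slot - 1):  # allow one slot of latency or clock skew
        expected = _cookie_for_slot(src_ip, src_port, dst_ip, dst_port, client_isn, candidate)
        if hmac.compare_digest(expected.to_bytes(4, "big"), presented.to_bytes(4, "big")):
            return True
    return False


def half_open_memory(syn_count, cookies_enabled, bytes_per_entry=256):
    """Bytes the listen queue holds after syn_count unanswered SYNs. With cookies enabled the
    server stores nothing until the ACK validates (the 256-byte entry size is an assumption)."""
    return 0 if cookies_enabled else syn_count * bytes_per_entry


if __name__ == "__main__":
    t0 = 1_000_000
    isn = make_syn_cookie("203.0.113.5", 40000, "198.51.100.1", 443, 12345, now=t0)
    print("legit ACK accepted:", check_syn_cookie("203.0.113.5", 40000, "198.51.100.1", 443, 12345, isn + 1, now=t0 + 5))
    print("spoofed source rejected:", check_syn_cookie("203.0.113.77", 40000, "198.51.100.1", 443, 12345, isn + 1, now=t0 + 5))
    print("queue memory for 100k SYNs without cookies:", half_open_memory(100_000, False))
    print("queue memory for 100k SYNs with cookies:", half_open_memory(100_000, True))
```

The trade-off a practitioner should know is that a pure cookie carries no room for the TCP options negotiated in the SYN (window scaling, selective acknowledgement), which is why real stacks only switch to cookies once the SYN queue is under pressure, exactly the behaviour the load-balancer feature described earlier exposes as a threshold.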

Stacheldraht

This is actually a mélange of techniques whose name translates from the German word for barbed wire. It basically incorporates Tribal Flood Network (TFN) techniques (certain botnet attacks including ICMP floods, SYN floods, UDP floods, and Smurf attacks) and adds a dash of encryption to the mix. The nightmare begins with a huge invasion at the root level, followed by a DoS attack finale.

Reflective/Amplified Attacks

Reflected or amplified attacks increase the effectiveness of a DoS attack. Two of the more effective of these types of attacks involve leveraging two functions that almost all networks use, DNS and NTP. In the next two sections these attacks are described.

DNS

A DNS amplification attack is a form of reflection attack in that the attacker delivers traffic to the victim by reflecting it off a third party. Reflection conceals the source of the attack. It relies on the exploitation of publicly accessible open DNS servers to deluge victims with DNS response traffic.

The attacker sends a small DNS message using the victim’s IP address as the source to an open resolver. The type of request used returns all known information about the DNS zone, which allows for the maximum level of response amplification directed to the victim’s server. The attack is magnified by recruiting a botnet to send the small messages to a large list of open resolvers (DNS servers). The response from the DNS server overwhelms the victim, as shown in Figure 14.5.

Figure 14.5 DNS amplification attack

Image shows DNS amplification attack in which attacker-controlled botnet from attacker sends small spoofed DNS request from where victim’s server receives amplified DNS response from open resolver.

NTP

While NTP reflection attacks use the same process of recruiting bots to aid the attack, the attacks are not reflected off DNS servers; they are instead reflected off Network Time Protocol (NTP) servers. These servers are used to maintain time synchronization between devices in a network.

The attacker (and his bots) sends a small spoofed 8-byte UDP packet to vulnerable NTP servers that requests a large amount of data (megabytes worth of traffic) be sent to the DDoS’s target IP address. The attackers use the monlist command, a remote command in older versions of NTP, that sends the requester a list of the last 600 hosts who have connected to that server. This attack can be prevented by using at least NTP version 4.2.7 (which was released in 2010).
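Both the DNS and the NTP variants leave the same fingerprint at the victim’s edge: large UDP responses arriving from ports 53 or 123 on many different servers, none of which the victim ever queried. The following Python detector is an added example (not from the book or any product) that runs that check over a handful of constructed flow records; the record format, the 203.0.113.0/24 “internal” prefix, the three-reflector threshold and the request sizes used for the amplification ratio are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed flow records: "time proto src:port -> dst:port bytes" as a collector might export.
FLOWS = """
10:00:01 UDP 203.0.113.10:53111 -> 198.51.100.7:53 64
10:00:01 UDP 198.51.100.7:53 -> 203.0.113.10:53111 512
10:00:02 UDP 198.51.100.8:53 -> 203.0.113.20:80 3900
10:00:02 UDP 198.51.100.9:53 -> 203.0.113.20:80 3900
10:00:02 UDP 198.51.100.10:123 -> 203.0.113.20:80 4400
10:00:03 UDP 198.51.100.11:123 -> 203.0.113.20:80 4400
10:00:03 TCP 203.0.113.30:41000 -> 198.51.100.50:443 1500
""".strip().splitlines()

INTERNAL_PREFIX = "203.0.113."             # constructed: the network being defended
REFLECTOR_SERVICES = {53: "DNS", 123: "NTP"}  # well-known ports the text discusses

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) -> (\S+):(\d+) (\d+)$")


def parse_flow(line):
    """Turn one record into a dict, or None if the line does not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, proto, sip, sport, dip, dport, nbytes = m.groups()
    return {"ts": ts, "proto": proto, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "bytes": int(nbytes)}


def find_reflection_victims(lines, min_reflectors=3):
    """Report internal hosts receiving DNS/NTP responses they never requested.
    Pass 1 learns which (client, server, port) requests really left the network;
    pass 2 counts responses that have no matching request, grouped by victim."""
    flows = [f for f in map(parse_flow, lines) if f and f["proto"] == "UDP"]
    solicited = {(f["src"], f["dst"], f["dport"]) for f in flows
                 if f["src"].startswith(INTERNAL_PREFIX) and f["dport"] in REFLECTOR_SERVICES}
    report = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "services": set()})
    for f in flows:
        if not f["dst"].startswith(INTERNAL_PREFIX) or f["sport"] not in REFLECTOR_SERVICES:
            continue
        if (f["dst"], f["src"], f["sport"]) in solicited:
            continue  # a real answer to a real query
        rec = report[f["dst"]]
        rec["reflectors"].add(f["src"])
        rec["bytes"] += f["bytes"]
        rec["services"].add(REFLECTOR_SERVICES[f["sport"]])
    return {victim: rec for victim, rec in report.items() if len(rec["reflectors"]) >= min_reflectors}


def amplification_factor(response_bytes, request_bytes):
    """How many bytes the victim receives per byte the attacker had to send."""
    return response_bytes / request_bytes


if __name__ == "__main__":
    for victim, rec in find_reflection_victims(FLOWS).items():
        print(f"{victim}: {len(rec['reflectors'])} reflectors, {rec['bytes']} bytes, {sorted(rec['services'])}")
    # Assumed request sizes: the 8-byte monlist query from the text and a ~64-byte DNS query.
    print("NTP monlist amplification ~", amplification_factor(4400, 8))
    print("DNS amplification ~", amplification_factor(3900, 64))
```

Because the victim can do little about traffic that has already been reflected at it, the durable fixes live elsewhere: resolver operators closing open recursion and NTP operators disabling monlist, and ISPs dropping packets whose source address could not have originated on the ingress interface, which removes the spoofing the whole technique depends on.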

ARP Cache Poisoning

ARP cache poisoning is usually a part of a man-in-the-middle attack. The ARP cache contains IP address to MAC address mappings that a device has learned through the ARP process. One of the ways this cache can be poisoned is by pinging a device with a spoofed IP address. In this way, an attacker can force the victim to insert an incorrect IP address to MAC address mapping into its ARP cache. If the attacker can accomplish this with two computers having a conversation, they can effectively be placed in the middle of the transmission. After the ARP cache is poisoned on both machines, they will be sending data packets to the attacker, all the while thinking they are sending them to the other member of the conversation.
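Poisoning leaves two observable traces on the segment: an IP address whose MAC suddenly changes, and one MAC that starts answering for several IP addresses (typically the gateway and the victim at once). The following Python monitor is an added example, not from the book or from a real tool such as an ARP inspection feature; it replays constructed ARP replies through a small watcher that keeps its own IP-to-MAC table and pins the gateway’s mapping. The addresses and the one-IP-per-MAC limit are assumptions.

```python
from collections import defaultdict

# Constructed ARP replies as (time, sender_ip, sender_mac) seen on the local segment.
ARP_REPLIES = [
    ("09:00:00", "192.168.1.1",  "02:00:00:00:00:01"),  # real default gateway
    ("09:00:01", "192.168.1.50", "02:00:00:00:00:50"),  # ordinary host
    ("09:00:05", "192.168.1.1",  "02:00:00:00:00:01"),  # repeat, consistent: no alert
    ("09:00:09", "192.168.1.1",  "02:00:00:00:00:99"),  # gateway IP now mapped to a new MAC
    ("09:00:09", "192.168.1.50", "02:00:00:00:00:99"),  # the host IP mapped to that same MAC
]


class ArpWatcher:
    """Passive ARP monitor: tracks what each IP claims and what each MAC claims."""

    def __init__(self, pinned=None, max_ips_per_mac=1):
        self.table = {}                   # ip -> mac currently believed
        self.by_mac = defaultdict(set)    # mac -> set of ips it has answered for
        self.pinned = dict(pinned or {})  # ip -> mac that must never change (e.g. the gateway)
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts = []

    def observe(self, ts, ip, mac):
        """Record one reply and return the alerts it produced (also appended to self.alerts)."""
        found = []
        if ip in self.pinned and mac != self.pinned[ip]:
            found.append(("pinned-violation", ts, ip, self.pinned[ip], mac))
        old = self.table.get(ip)
        if old is not None and old != mac:
            found.append(("mac-change", ts, ip, old, mac))
        self.table[ip] = mac
        self.by_mac[mac].add(ip)
        if len(self.by_mac[mac]) > self.max_ips_per_mac:
            found.append(("many-ips", ts, mac, tuple(sorted(self.by_mac[mac]))))
        self.alerts.extend(found)
        return found


def analyze(replies, pinned=None):
    """Run all replies through a fresh watcher and return every alert in order."""
    watcher = ArpWatcher(pinned=pinned)
    for ts, ip, mac in replies:
        watcher.observe(ts, ip, mac)
    return watcher.alerts


def alert_kinds(alerts):
    return [a[0] for a in alerts]


if __name__ == "__main__":
    for alert in analyze(ARP_REPLIES, pinned={"192.168.1.1": "02:00:00:00:00:01"}):
        print(alert)
```

A changed mapping is not proof of an attack (a NIC swap or a DHCP lease moving to another machine looks the same), so treat “mac-change” as a lead and “pinned-violation” on the gateway as the page-worthy event. The watcher mirrors what a static ARP entry for the gateway buys on the endpoint itself: the spoofed mapping is refused rather than learned.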

Packet/Protocol Abuse

After an attacker has broken into the system, attained access, and escalated their privileges, it is important for them to maintain their authority on the system so they can access it at a later time. They could put an operating system backdoor on the target, but in some cases the firewall on the victim may not allow outgoing TCP connections.

One of the ways in which a hacker can get traffic through a firewall that would typically not be allowed is by concealing one protocol within another, which is a form of tunneling. TCP can be encapsulated into either DNS or ICMP, thereby bypassing the firewall restrictions.

An example of this is using a program called Iodine to encapsulate IP traffic in DNS packets. Once the DNS packets reach the local DNS server, they are forwarded to a second machine running Iodine that de-encapsulates the packets and sends them on to the hacker. The DNS traffic is allowed by the firewall and is able to reach the client. In this way, the attacker is able to communicate with the victim machine. This process is illustrated in Figure 14.6.
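Tunneled traffic of this kind is allowed by the firewall precisely because it looks like DNS, so the defender’s signal is in the names themselves: long, high-entropy subdomains that change on every query, often with record types that ordinary clients rarely ask for. The following Python scorer is an added example (not from the book and not a description of how Iodine encodes data); it runs over a constructed query log and flags client/domain pairs whose subdomains look like encoded payload. The log format, the TXT/NULL type list, the “registered domain is the last two labels” shortcut and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query log: "client qtype qname". The long labels are made-up encoded-looking data.
QUERY_LOG = """
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 AAAA www.example.com
10.0.0.9 TXT q7f3x9k2m5p8w1z4r6t0b3n7v2c5j8h1l4y9d6g0s2a5e8u1i4o7.t1.tunnel-example.net
10.0.0.9 TXT k2v8n3b7m1z5x9c4q6w0e3r7t1y5u9i2o6p4a8s1d5f9g3h7j2l6.t1.tunnel-example.net
10.0.0.9 NULL z9x8c7v6b5n4m3a2s1d0f9g8h7j6k5l4q3w2e1r0t9y8u7i6o5p4.t1.tunnel-example.net
10.0.0.9 A cdn-a1.static.example.org
""".strip().splitlines()

# Assumed: record types that carry arbitrary data and are unusual for a workstation to request.
TUNNEL_PRONE_QTYPES = {"TXT", "NULL"}


def shannon_entropy(text):
    """Bits per character; random-looking encoded data scores far above dictionary words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """(subdomain, registered_domain). Assumption: registered domain = last two labels;
    a production tool would consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_domains(lines):
    """Per (client, domain): average subdomain length, average entropy, share of odd
    record types, and how many distinct subdomains were seen."""
    acc = defaultdict(lambda: {"n": 0, "len": 0, "ent": 0.0, "odd": 0, "subs": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qtype, qname = parts
        sub, domain = split_name(qname)
        s = acc[(client, domain)]
        s["n"] += 1
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["odd"] += qtype.upper() in TUNNEL_PRONE_QTYPES
        s["subs"].add(sub)
    return {key: {"avg_sub_len": s["len"] / s["n"], "avg_entropy": s["ent"] / s["n"],
                  "odd_qtype_ratio": s["odd"] / s["n"], "unique_subs": len(s["subs"])}
            for key, s in acc.items()}


def flag_tunnels(lines, min_sub_len=30, min_entropy=3.5):
    """Client/domain pairs whose subdomains are both long and high-entropy on average."""
    return sorted(key for key, s in score_domains(lines).items()
                  if s["avg_sub_len"] >= min_sub_len and s["avg_entropy"] >= min_entropy)


if __name__ == "__main__":
    for key, s in score_domains(QUERY_LOG).items():
        print(key, {k: round(v, 2) if isinstance(v, float) else v for k, v in s.items()})
    print("flagged:", flag_tunnels(QUERY_LOG))
```

Length and entropy alone will also catch legitimate high-volume names such as anti-spam hash lookups or some CDN hostnames, so in practice the score is combined with query volume per domain and an allow-list; the structural fix the page points at is forcing all internal clients through the organization’s own resolver, where this logging is possible, and blocking direct outbound port 53 from everything else.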

Figure 14.6 IPv4 packets tunneled in DNS

Image shows IPv4 packets tunneled in DNS in which server running Iodine sends encapsulated DNS traffic to local DNS server that again sends to second Iodine server which de-encapsulates packets into IPv4 traffic to Internet.

Spoofing

IP spoofing is the process of changing a source IP address so that one computer appears to be a different computer. It’s usually done to get traffic through a firewall that would normally not be allowed. It may also be used to access a server to which the hacker would normally be disallowed access by their IP address.

While IP spoofing may be the most well-known type of spoofing, it is not the only type used by hackers. The following forms of this subterfuge also exist:

  • ARP spoofing (discussed earlier in the section “ARP Cache Poisoning”).
  • Referrer spoofing, in which the referrer header of an HTTP packet is changed to reflect an allowed referral page, which some sites require for access.
  • Email spoofing, in which the “from” field is changed to hide the true origin of an email. In most cases this is to conceal the identity of an email spammer.

Brute Force

A brute force attack is a form of password cracking. The attacker attempts every possible combination of numbers and letters that could be in a password. Theoretically, given enough time and processing power, any password can be cracked. When long, complex passwords are used, however, it can take years.

Setting an account lockout policy is the simplest mitigation technique to defeat brute force attacks. With such a policy applied, the account becomes locked after a set number of failed attempts.
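The two claims above, that long complex passwords push the search into years and that a lockout threshold stops the attempt well before that, can both be checked in code. The following Python example is added here and is not from the book: a sliding-window lockout policy wrapped around a constructed credential store (salted PBKDF2 hashes), plus a keyspace calculator for the time argument. The threshold, window and lockout durations, the iteration count and the guess rates are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict


class LockoutPolicy:
    """After `threshold` failures within `window` seconds the account is locked for
    `lockout` seconds; while locked, even the correct password is refused."""

    def __init__(self, threshold=5, window=300, lockout=900):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(list)  # user -> timestamps of recent failures
        self.locked_until = {}             # user -> time at which the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Return True if this failure tripped the lock."""
        recent = [t for t in self.failures[user] if now - t <= self.window] + [now]
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = []
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)


# Constructed credential store. A real store uses a random per-user salt; one constant
# salt is used here only to keep the example short.
SALT = b"constructed-static-salt"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {"alice": _hash("correct horse battery staple")}


def attempt_login(policy, user, password, now):
    """'locked', 'ok' or 'denied'. Unknown users get the same 'denied' as a bad password so the
    response does not reveal which accounts exist; their failures are counted too."""
    if policy.is_locked(user, now):
        return "locked"
    stored = USERS.get(user)
    if stored is not None and hmac.compare_digest(stored, _hash(password)):
        policy.record_success(user)
        return "ok"
    policy.record_failure(user, now)
    return "denied"


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every password of the given length and alphabet."""
    return charset_size ** length / guesses_per_second


SECONDS_PER_YEAR = 31_557_600


if __name__ == "__main__":
    policy = LockoutPolicy()
    for t in range(5):
        print(t, attempt_login(policy, "alice", f"guess{t}", now=t))
    print("correct password while locked:", attempt_login(policy, "alice", "correct horse battery staple", now=10))
    print("correct password after lock expires:", attempt_login(policy, "alice", "correct horse battery staple", now=1000))
    print("8 lowercase letters at 1e9/s: %.0f s" % seconds_to_exhaust(26, 8, 1e9))
    print("12 printable chars at 1e10/s: %.0f years" % (seconds_to_exhaust(95, 12, 1e10) / SECONDS_PER_YEAR))
```

Note the flip side that ties back to the DoS material earlier in this chapter: an attacker who can reach the login page can deliberately trip the lockout on known usernames and deny service to their owners, which is why many deployments pair a short automatic lockout with rate limiting rather than a permanent lock requiring help-desk intervention.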

Session Hijacking

Session hijacking attacks attempt to take over a user’s session with a secure server after the user has been authenticated. This can be done in the following ways:

Session Fixation The attacker sets the session ID ahead of time by sending a link to the victim with the ID preset. When the user connects, the attacker waits for the authentication to complete and takes over the session by disconnecting the user and using the ID to reconnect.

Session Sidejacking The attacker uses a sniffer to steal a session cookie from the user. Alternately, if the attacker has physical access to the user’s machine, they can steal the session key from memory.

Cross-Site Scripting The attacker uses the user’s computer to run code on the site that may allow him to obtain the cookie. The attacker does this by putting malware on the user’s computer; the malware runs the code on the site after the user authenticates to the site.
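The common defensive thread across these three variants is how the server handles the session identifier: never adopt an identifier the client invented, issue a fresh one the moment authentication succeeds (which defeats fixation, since the pre-planted ID never becomes privileged), and set cookie attributes so the identifier is not exposed on the wire or to page scripts. The following Python session store is an added example, not code from the book or from any web framework; the idle timeout and cookie attributes are assumptions.

```python
import secrets
import time


class SessionStore:
    """Server-side session table keyed by identifiers the server alone generates."""

    IDLE_TIMEOUT = 1800  # seconds of inactivity before a session is discarded (assumption)

    def __init__(self):
        self.sessions = {}  # sid -> {"user": str | None, "last_seen": float}

    def _issue(self, user, now):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
        self.sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def new_session(self, now=None):
        """Anonymous (pre-login) session, e.g. for a shopping cart."""
        return self._issue(None, time.time() if now is None else now)

    def get(self, sid, now=None):
        """Look up a presented identifier. Unknown or idle-expired identifiers yield None;
        the server never creates a session under a client-chosen value."""
        now = time.time() if now is None else now
        session = self.sessions.get(sid)
        if session is None:
            return None
        if now - session["last_seen"] > self.IDLE_TIMEOUT:
            del self.sessions[sid]
            return None
        session["last_seen"] = now
        return session

    def login(self, presented_sid, user, now=None):
        """Authentication succeeded: rotate the identifier. Whatever the browser carried before,
        including an ID an attacker planted via a crafted link, is destroyed."""
        now = time.time() if now is None else now
        self.sessions.pop(presented_sid, None)
        return self._issue(user, now)

    def logout(self, sid):
        self.sessions.pop(sid, None)


def set_cookie_header(sid):
    """Secure: only sent over HTTPS (a sidejacking sniffer on plain HTTP sees nothing);
    HttpOnly: not readable by scripts running in the page; SameSite: not attached to
    requests initiated from other sites."""
    return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def fixation_scenario(now=0):
    """Return (planted_usable_after_login, rotated_user) for a session-fixation attempt."""
    store = SessionStore()
    planted = store.new_session(now=now)        # ID the attacker obtained and sent to the victim
    rotated = store.login(planted, "alice", now=now + 1)
    return store.get(planted, now=now + 2) is not None, store.get(rotated, now=now + 2)["user"]


if __name__ == "__main__":
    print("planted ID still works after login:", fixation_scenario()[0])
    print(set_cookie_header(SessionStore().new_session()))
```

Rotation on login also limits the damage from a stolen pre-authentication cookie, and a short idle timeout shrinks the window in which a sidejacked identifier is useful; both are configuration knobs in every mainstream web framework.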

VLAN Hopping

VLANs, or virtual LANs, are Layer 2 subdivisions of the ports in a single switch. A VLAN may also span multiple switches. When devices are segregated into VLANs, access control lists (ACLs) can be used in a router to control access between VLANs in the same way it is done between real LANs. When VLANs span switches, the connection between the switches is called a trunk link, and it carries the traffic of multiple VLANs. Trunk links are also used for the connection from the switch to the router.

A VLAN hopping attack results in traffic from one VLAN being sent to the wrong VLAN. Normally, this is prevented by the trunking protocol placing a VLAN tag in the packet to identify the VLAN to which the traffic belongs. The attacker can circumvent this by a process called double tagging, which is placing a fake VLAN tag into the packet along with the real tag. When the frame goes through multiple switches, the real tag is taken off by the first switch, leaving the fake tag. When the frame reaches the second switch, the fake tag is read and the frame is sent to the VLAN to which the hacker intended the frame to go. This process is shown in Figure 14.7.

Figure 14.7 VLAN hopping

Image shows the VLAN hopping path: attacker on access VLAN 1, switch 1, 802.1Q trunk, switch 2, access VLAN 10, victim.
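Why the double tag works, and why the usual hardening defeats it, comes down to one rule of 802.1Q trunking: frames belonging to the trunk’s native VLAN travel untagged. If the attacker’s access VLAN is also the native VLAN, switch 1 strips the outer tag and sends the frame untagged, so switch 2 reads the inner tag as the frame’s VLAN. The following Python model is an added example, not code from the book or from any switch vendor; it builds the frame bytes, parses stacked tags, and applies the two switches’ forwarding rules so the effect of the native-VLAN setting can be checked. MAC addresses and the 999 “unused” VLAN are constructed.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, vlan_ids, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first); PCP/DEI bits zero."""
    frame = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    for vid in vlan_ids:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VLAN IDs outermost-first, inner EtherType) by walking the tag stack after the MACs."""
    vids, offset = [], 12
    while struct.unpack_from("!H", frame, offset)[0] == ETHERTYPE_8021Q:
        vids.append(struct.unpack_from("!H", frame, offset + 2)[0] & 0x0FFF)
        offset += 4
    return vids, struct.unpack_from("!H", frame, offset)[0]


def pop_outer_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Access port: accept an untagged frame, or one whose outer tag equals the port VLAN (tag stripped).
    Anything deeper in the frame is payload as far as this port is concerned. Returns (frame, vlan) or
    (None, None) if the frame is tagged for some other VLAN and is dropped."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] != access_vlan:
        return None, None
    if vids:
        frame = pop_outer_tag(frame)
    return frame, access_vlan


def trunk_egress(frame, vlan, native_vlan):
    """Sending side of an 802.1Q trunk: native-VLAN frames leave untagged, all others are tagged."""
    return frame if vlan == native_vlan else push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Receiving side: an outer tag selects the VLAN; an untagged frame is assigned to the native VLAN."""
    vids, _ = parse_tags(frame)
    if vids:
        return pop_outer_tag(frame), vids[0]
    return frame, native_vlan


def delivered_vlan(frame, sender_access_vlan, trunk_native_vlan):
    """VLAN in which switch 2 delivers a frame sent from an access port on switch 1."""
    f, vlan = access_ingress(frame, sender_access_vlan)
    if f is None:
        return None
    f = trunk_egress(f, vlan, trunk_native_vlan)
    _, vlan_at_switch2 = trunk_ingress(f, trunk_native_vlan)
    return vlan_at_switch2


# Constructed frames: one ordinary untagged frame and one carrying two stacked tags (1 outer, 10 inner).
NORMAL_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:aa", [], b"constructed payload")
DOUBLE_TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:aa", [1, 10], b"constructed payload")


if __name__ == "__main__":
    print("normal frame, native VLAN 1   ->", delivered_vlan(NORMAL_FRAME, 1, 1))
    print("double tag, native VLAN 1     ->", delivered_vlan(DOUBLE_TAGGED, 1, 1))
    print("double tag, native VLAN 999   ->", delivered_vlan(DOUBLE_TAGGED, 1, 999))
```

The model shows the standard mitigation directly: set the trunk’s native VLAN to an ID no access port uses (or configure the trunk to tag the native VLAN as well), and the frame arrives at switch 2 tagged with the attacker’s real VLAN, where the embedded second tag is just payload. Keeping user ports out of VLAN 1 and pruning unneeded VLANs from trunks follow from the same reasoning.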

Authentication Issues

Since the process of authenticating a user or a device forms the basis for securing most resources, authentication issues can lead to improper access, stolen data, and a whole host of other problems. In the following sections, we’ll look at some common authentication issues.

TACACS/RADIUS Misconfiguration

Terminal Access Controller Access-Control System Plus (TACACS+) and Remote Access Dial-In User Service (RADIUS) are both examples of authentication, authorization, and accounting (AAA) servers that verify the identity of, grant access to, and track the actions of users. Misconfiguration of these devices can result in an inability of users and devices to connect to the access devices that are clients of the AAA server (switches, WAPs, dial-up servers, VPN servers). Some of the most common mistakes that result in this situation prevent communication between the AAA server and the AAA client. When this happens, check the following:

  • Verify the port numbers. Even if standard port numbers for these services have been selected, that doesn’t mean the product you are using uses those port numbers. Make sure the client and server are using the correct port numbers.
  • Check to see if there is a mismatch in the pre-shared key between the client and the server.

When the problem is an issue between the supplicant (user or device requesting access) and the authenticating server (switch, WAP, dial-up server), check the following:

  • Verify that the AAA method configured on the supplicant lists the appropriate RADIUS or TACACS+ server group.
  • Verify that the authentication port number matches the configured port number.
  • Verify that the user is configured on the AAA server (user account).

Default Passwords/Settings

All network devices are configured with default administrator accounts and their default passwords. These accounts should be disabled and renamed if possible. At the very least, the passwords for these accounts should be changed from the default because they are well known, available in documentation that comes with the product, and also widely available on the Internet.

Viruses

Viruses with catchy names like Chernobyl, Michelangelo, Melissa, I Love You, and Love Bug are probably the best-known threats to your computer’s security because they get a lot of media coverage as they proliferate and cause tons of damage to legions of people. In their simplest form, viruses are basically little programs that cause a variety of very bad things to happen on your computer, ranging from merely annoying to totally devastating. They can display a message, delete files, or even send huge amounts of meaningless data over a network to block legitimate messages. A key trait of viruses is that they can’t replicate themselves to other computers or systems without a user doing something like opening an executable attachment in an email to propagate them. Figure 14.8 shows how fast a virus can spread through an email system.

Figure 14.8 An email virus spreading rapidly

Image shows email containing virus spreading to different system rapidly through network.

There are several different kinds of viruses, but the most popular ones are file viruses, macro (data file) viruses, and boot-sector viruses. Each type differs slightly in the way it works and how it infects your system. Predictably, many viruses attack popular applications like Microsoft Word, Excel, and PowerPoint because those programs are easy to use so it’s easy to create a virus for them. Unlike with DoS attacks, writing a unique virus is considered a programming challenge, so the scoundrel who’s able to come up with it not only gains respect from the hacking community but also gets to bask in the glow of the media frenzy that results from their creation and relish their 15 minutes of fame. This is also a big reason why viruses are becoming more and more complex and harder to eliminate.

Logic Bomb

A logic bomb is a type of malware that executes when a particular event takes place. For example, that event could be a time of day or a specific date or it could be the first time you open notepad.exe. Some logic bombs execute when forensics are being undertaken, and in that case the bomb might delete all digital evidence.

Ransomware

Ransomware is a class of malware that prevents or limits users from accessing their information or systems. In many cases the data is encrypted and the decryption key is only made available to the user when the ransom has been paid.

Effect of Malware on the Network

Malicious software (or malware) is a term that describes any software that harms a computer, deletes data, or takes actions the user did not authorize. There is a wide array of malware types, including ones you have probably heard of, like viruses. Some types of malware require the assistance of a user to spread, while others do not.

A worm is a type of malware that can spread without the assistance of the user. A worm is a small program that, like a virus, is used to deliver a payload. One way to help mitigate the effects of worms is to place limits on sharing, writing, and executing programs. However, the real solution is to deploy antivirus and anti-malware software to all devices in the network. This software is designed to identify viruses, Trojans, and worms and delete them, or at least quarantine them until they can be removed.

File Viruses

A file virus attacks executable application and system program files like those with filenames ending in .com, .exe, and .dll. These viruses do their damage by replacing some or all of the target program’s code with their own. Only when the compromised file is executed can the virus do its dirty work. First, it loads itself into memory and waits to infect other executables, propagating its destructive effects throughout a system or network. A couple of well-known file viruses are Jerusalem and Nimda, the latter of which is actually an Internet worm that infects common Windows files and other files with filename extensions like .html, .htm, and .asp.

Don’t fall into the trap of thinking that just because you have a Mac, you don’t need to worry about viruses. It’s a common misconception that Mac operating systems are immune to viruses, but they’re not. Today’s Macs are really BSD Unix machines with a couple of proprietary programs running on top that provide users with a slick interface. And although it’s true that more sophisticated programming skills are required to write viruses for Mac, BSD Unix, and Linux operating systems than for DOS-based operating systems like Windows, all operating systems are vulnerable to attacks. True, it’s a lot easier for a bad guy to write malicious code for Windows machines, but the real reason few programmers spend their time creating viruses for Sun workstations and Macs is that there aren’t nearly as many people using them. On the other hand, Windows machines are everywhere, so viruses written for them will clearly infect multitudes, giving bad guys who want to infect as many computers as possible a lot more bang for their evil programming buck!

Macro Viruses

A macro is basically a script of commonly enacted commands used to automatically carry out tasks without requiring a user to initiate them. Some popular programs even give you the option of creating your own, personal scripts to perform tasks you do repeatedly in a single step instead of having to enter the individual commands one by one.

Similar to this, a macro virus uses something known as the Visual Basic macro-scripting language to perform nasty things in data files created with programs like those in the Microsoft Office Suite. Because macros are so easy to write, they’re really common and usually fairly harmless, but they can be super annoying! People frequently find them infecting the files they’re working on in Microsoft Word and PowerPoint. Suddenly you can’t save the file even though the Save function is working, or you can’t open a new document, only a template. As I said, these viruses won’t crash your system, but they can ruin your day. Cap and Cap A are examples of macro viruses.

Boot-Sector Viruses

Boot-sector viruses work their way into the master boot record that’s essentially the ground-zero sector on your hard disk where applications aren’t supposed to live. When a computer boots up, it checks this area to find a pointer for its operating system. Boot-sector viruses overwrite your boot sector, making it appear as if there’s no pointer to your operating system. You know you’ve got this type of virus when you power up the computer and get a Missing Operating System or Hard Disk Not Found error message. Monkey B, Michelangelo, Stoned, and Stealth Boot are a few examples of boot-sector viruses.

Multipartite Viruses

A multipartite virus is one that affects both the boot sector and files on your computer, making such a virus particularly dangerous and exasperatingly difficult to remove. Figure 14.9 gives you an idea of how a multipartite virus works. You can see that it is attacking the boot sector, memory, and the disk at once.

Figure 14.9 Multipartite virus


Anthrax and Tequila are both multipartite viruses. These viruses are so nasty that you might end up reformatting your computer if you get one. The Anthrax virus, however, was more of a hoax than a real virus; what is really interesting about the Tequila virus is that it does nothing until the next reboot—it was no hoax!

Although many antivirus products can handle these, the best way to save your computer from a complete overhaul is to make sure you do not get a virus in the first place by using a good virus scan program as well as Windows Defender.

Some viruses infect your system through something known as a Trojan horse. Troy was successfully invaded by troops hidden inside a giant horse; a Trojan virus hides within other programs and is launched when the program it’s lurking in starts up.

Often viruses come as attachments to emails with double filename extensions to hide the true extension. Dmsetup.exe and love-letter-for-you.txt.vbs are examples of viruses. Displaying filename extensions for known file types can help spot naming tricks like these, but they make up only a short list of the viruses out there. For a more complete inventory, see your antivirus software manufacturer’s website.

Zero-Day Attacks

Antivirus software uses definition files that identify known malware. These files must be updated frequently, but the update process can usually be automated so that it requires no help from the user. If a new virus is created that has not yet been identified in the list, you will not be protected until the virus definition is added and the new definition file is downloaded. This condition is known as a zero-day attack because it is the first day the virus has been released and therefore no known fix exists. This term may also be applied to an operating system bug that has not been corrected.

Insider Threat/Malicious Employee

It is often said that an organization has the most to fear from its own employees. They have already completed two phases of the hacking process, that is, discovery and penetration. They are already inside your network and probably have learned quite a bit about the network just doing their job.

The first step to mitigating damage that may be caused by disgruntled or malicious employees is to adhere to the principle of least privilege. This concept prescribes that users should be given access only to resources required to do their job.

Another principle that should be followed is called separation of duties. It calls for breaking up sensitive operations into two parts and having different users perform each part. This means there would have to be collusion between the two to take advantage of the process, which is not likely to occur.

Finally, all network access should be revoked from a terminated user before they have a chance to access the network.

Vulnerabilities

While malware certainly presents an ongoing danger to your network, it is not the only concern of the security professional. In the following sections, I’ll cover some other issues.

Exploits vs. Vulnerabilities

A vulnerability is the absence of a countermeasure or a weakness in a countermeasure that is in place. Vulnerabilities can occur in software, hardware, or personnel. An example of a vulnerability is unrestricted access to a folder on a computer. Most organizations implement a vulnerability assessment to identify vulnerabilities.

An exploit occurs when a threat agent takes advantage of a vulnerability and uses it to advance an attack.

Unnecessary Running Services

Services that are not required to be running on a system should be disabled. Running services present an additional attack surface to the hacker. Once they identify the running services on a machine, they will research all the vulnerabilities presented by those services and attempt to use them to compromise the target.

Open Ports

In the same way that unnecessary services present attack options, so do open ports. Software port numbers are used to identify protocols and services and serve as a connection point to a service on a target machine. Port scanners can be used to identify the ports that are open on all machines in a network. An open port means the device is listening on that port number and is willing to make a connection using that port. Unused ports should be shut down.

Unpatched/Legacy Systems

Systems that use older or legacy operating systems and applications may lack the security required in today’s networks. These devices may require special protection, such as placing them in a secure VLAN or installing host-based IPSs.

Even modern operating systems and applications will not be secure if they are not maintained by applying updates and security patches as they are released. A formal, and preferably automated, process should be set up to ensure that this maintenance is ongoing.

Unencrypted Channels

If it isn’t clear to you by now: in any situation where sensitive data is being transmitted, attention should be given to the type of channel across which the data is traveling. When no other method is available, IPSec, a Network layer protocol suite, can be used to provide end-to-end protection of any data that resides above the Network layer.

Many protocols provide the ability to control access through authentication. However, while some protect the confidentiality of the process by hiding the credentials as they are exchanged, others do not. For example, Telnet (a protocol used for remote command-line management of devices) transmits credentials in clear text; Secure Shell (SSH) does not.

Another example is Password Authentication Protocol (PAP), one of two authentication options offered when a PPP connection is being set up. PAP transmits credentials in clear text, while Challenge-Handshake Authentication Protocol (CHAP), the other option, uses a process that never sends the credential across the network. You should never use a protocol that transmits credentials in clear text.

TEMPEST/RF Emanation

Spying on information systems can also be accomplished by capturing and analyzing leaking emanations of things like radio or electrical signals, sounds, and vibrations. TEMPEST is a National Security Agency specification and NATO certification that addresses methods of spying used and how to protect against them. Distance, shielding, filtering, and masking are used to protect equipment from spying. The TEMPEST standards are used to describe the level of protection a system is certified to provide.

Malicious Users

Damaging activity on your network can come from both inside and outside the network. In the following sections, we’ll look at the two types of malicious users you will encounter and an operation often performed in the execution of their mayhem.

Trusted Users

While we would like to think that all of our own people can be trusted, that’s often not the case. Even your “trusted” users can go to the dark side with the proper motivation. The following are among the motives that can turn a trusted user into a malicious user:

  • Perceived slight by the company
  • Jealousy of other employees
  • Monetary reward

The real danger presented by a trusted employee who turns malicious is that the employee is already inside your network and probably knows quite a bit about it. This is the reason for following the principle of least privilege, which prescribes that users be given access only to resources required to do their job.

Untrusted Users

While it may take untrusted users or users outside your network a bit longer to make their way into your network, once they get there they will probably have a significantly higher level of skill than a disgruntled employee has. Discovering and penetrating your network from outside takes some skill. The best mitigation for these attacks is a combination of perimeter defense (keep them out) and strong access control at the point of resource access (prevent access to devices holding information). A multilayer approach works best.

Packet Sniffing

One of the basic tools a hacker will possess is a protocol analyzer, or packet sniffer. These devices capture raw packets off the network for analysis. Normally, a device will only process packets that are destined for itself, but this software places the network interface of the hacker’s device in promiscuous mode, which means it captures all packets on the network.

This software can also be used legitimately to examine your network traffic for things that should not be there. Figure 14.10 shows an example of the output from the packet analyzer Wireshark. In the output, it can be seen that packet 4 failed a Frame Check Sequence, which would require it to be sent again. While the list of packets captured is displayed, you can click on any packet and examine it in detail. If the data is in clear text, you will be able to read it.

Figure 14.10 Wireshark


Buffer Overflow

When programs execute, they write data and commands into memory, in regions called buffers. Well-written programs set aside a specific location and amount of memory space for these commands to execute in. If a hacker is able to inject a command that overflows the amount of memory allocated and the command is able to execute with the proper security privileges, the hacker could execute commands that would not normally be allowed. They may be able to take control of the machine and create havoc.

A number of well-known exploits, such as the Code Red worm, employed buffer overflows to create their mayhem. The way to prevent buffer overflows is to build input validation into programs so that oversized input is rejected before it is ever copied into a fixed-size buffer.
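The bounds check the paragraph calls for, as an added example in C that is not code from the book: a 16-byte buffer with the unchecked copy that overflows, beside a version that validates the input length before copying. The buffer size, function names and sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed illustration, not code from any real program: a fixed-size
 * buffer meant to hold a username supplied by a remote client. */
#define NAME_BUF_SIZE 16

/* VULNERABLE form: strcpy copies until it finds the input's NUL terminator
 * and never looks at the size of the destination.  Input of 16 or more
 * characters runs past the end of 'name' and overwrites whatever the
 * compiler placed after it on the stack.  Kept here only for contrast with
 * the checked version below; the driver never calls it with long input. */
void store_name_unchecked(const char *input)
{
    char name[NAME_BUF_SIZE];
    strcpy(name, input);                  /* no bounds check: this is the bug */
    printf("stored (unchecked): %s\n", name);
}

/* HARDENED form: measures the input against the destination size before
 * copying and rejects anything that would not fit together with its NUL.
 * Returns true if the input was stored, false if it was rejected. */
bool store_name_checked(const char *input, char *out, size_t out_size)
{
    if (input == NULL || out == NULL || out_size == 0)
        return false;

    /* Bounded length scan: stop at out_size so an over-long (or even
     * unterminated) input is never read further than the buffer allows. */
    size_t len = 0;
    while (len < out_size && input[len] != '\0')
        len++;

    if (len >= out_size)
        return false;                     /* would overflow: reject, do not truncate silently */

    memcpy(out, input, len + 1);          /* the bytes plus the terminating NUL */
    return true;
}

/* Wrapper with the same fixed stack buffer as the vulnerable version, so the
 * two can be compared directly: returns whether the input was accepted. */
bool name_fits(const char *input)
{
    char name[NAME_BUF_SIZE];
    return store_name_checked(input, name, sizeof name);
}

/* Driver on constructed inputs: a normal name and an over-long one. */
int main(void)
{
    const char *normal   = "alice";
    const char *too_long = "this-username-is-far-too-long-for-a-16-byte-buffer";

    printf("'%s' accepted: %s\n", normal, name_fits(normal) ? "yes" : "no");
    printf("over-long input accepted: %s\n", name_fits(too_long) ? "yes" : "no");
    return 0;
}
```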

DNS Poisoning

DNS clients send requests for name to IP address resolution (called queries) to a DNS server. The search for the IP address that goes with a computer or domain name usually starts with a local DNS server that is not authoritative for the DNS domain in which the requested computer or website resides. When this occurs, the local DNS server makes a request of the DNS server that does hold the record in question. After the local DNS server receives the answer, it returns it to the local DNS client. After this, the local DNS server maintains that record in its DNS cache for a period called the Time to Live (TTL), which is usually an hour but can vary.

In a DNS cache poisoning attack, the attacker attempts to refresh or update that record when it expires with a different address than the correct address. If the attacker can convince the DNS server to accept this refresh, the local DNS server will then be responding to client requests for that computer with the address inserted by the attacker. Typically, the address they now receive is for a fake website that appears to look in every way like the site the client is requesting. The hacker can then harvest all the name and password combinations entered on his fake site.

To prevent this type of attack, the DNS servers should be limited in the updates they accept. In most DNS software, you can restrict the DNS servers from which a server will accept updates. This can help prevent the server from accepting these false updates.

Wireless Threats

The proliferation of wireless communication has introduced a number of security challenges that are unique to the wireless environment. Some of these threats even take advantage of the security measures that have been created to protect wireless networks and hosts. Wireless threats such as WEP and WPA cracking (discussed in the following sections) remind us that network attackers never stop evolving their methods and that constant review and adaptation of security measures are required to maintain security in the network.

War Driving

War driving is one of the oldest wireless threats and perhaps one of the easiest to discourage (although you can’t defeat it if the hacker is determined). The attacker simply drives around with a high-powered antenna connected to a wireless laptop scanning for networks. The networks will be listed by network name (SSID) in the wireless client software, and depending on the software, the channel and security measures in use will also be displayed.

If the network is not secured, the attacker can connect to it. This is not just a matter of stealing bandwidth for Internet access. Once connected, the attacker may be able to proceed on into your wired network as well. They can then attempt other attacks, such as port scanning and peer-to-peer attacks. The point is that they have completed the first step in the hacking process, which is penetration.

War driving cannot be entirely prevented, but you can make it harder for an attacker. One of the simplest things you can do is limit the transmission power on the access point (AP) such that the signal does not go any further than required! Additionally, if you set the access point to not broadcast the SSID, the name of the network will not appear in the display when they scan for networks. This means that to connect, they will have to know the SSID and create a wireless profile specifying it.

If an attacker is determined, however, they can learn the SSID by using a wireless protocol analyzer or sniffer to capture the raw packets. This is something you cannot prevent without turning off the AP. When you set the AP to not broadcast the SSID, it will remove the SSID from packets called beacons (these are the packets that populate the display when you scan for networks), but the SSID will still be present in many other packet types.

In most cases, hiding the SSID will be sufficient because if an attacker doesn’t see your network when scanning, they probably won’t be motivated to use the sniffer.

War Chalking

War chalking is really just an extension of war driving. The hacker simply writes the SSID and security employed on the sidewalk or wall somewhere near your facility, sort of like advertising “here’s a wireless network” to anyone who recognizes that code. Most of this type of activity has moved online where websites have sprung up that allow hackers to post and share these networks on maps indicating their location.

WEP Cracking

Wired Equivalent Privacy (WEP) is a security protocol created in the early years of 802.11 development that was designed to both authenticate users and encrypt the wireless data they transmitted. It uses the RC4 algorithm in the encryption process. Soon after its adoption as a security measure, it was discovered that due to a weakness in the way the algorithm was employed, programs that became widely available on the Internet could be used to crack the WEP key. Once the key was known, it could be used to decrypt the data. Because of this, WEP is no longer considered to be a sufficient security mechanism in any situation where the data is sensitive.

WPA/WPA2 Cracking

After WEP cracking became an issue, the manufacturers of wireless equipment were faced with a problem. The IEEE was working on creating a new security standard (which became known as 802.11i) but was moving at its usual deliberate pace. In the meantime, companies were not deploying wireless networks because of security concerns. The Wi-Fi Alliance created a temporary solution called Wi-Fi Protected Access (WPA) that was an improvement on WEP.

Soon after WPA was rolled out, it was discovered that it also could be cracked. Cracking WPA required more effort than cracking WEP, and it required what is called a dictionary file (a file of words that could possibly be used as a password). It also required that the passphrase or password be a word in the dictionary. Finally, it required capturing a large number of wireless frames, and the cracking process took a lot of time. Keep in mind that this type of attack is effective on any password-based system, including Wi-Fi Protected Access 2 (WPA2) when it uses passwords.

But the point is that if the hackers had good reason to believe they were capturing valuable data, it could be done. Therefore, WPA is not considered good security unless it is employed as WPA2, which is based on the secure 802.11i architecture.

Deauthentication

A wireless deauthentication attack is a form of a DoS attack in which the attacker sends a large number of management packets called deauthentication frames on the WLAN, causing stations to be disconnected from the access point.

WPS Attacks

Wi-Fi Protected Setup (WPS, originally Wi-Fi Simple Config) is a network security standard that attempts to allow users to easily secure a wireless home network. It works by enabling the user to add a device to the network without typing credentials; all the user needs to do is push the WPS button located on many home wireless access points.

When this function is enabled, which it is by default on many systems, it is possible for a hacker to perform a brute force attack on the password and then later on the network pre-shared key for WPA or WPA2. Users should disable this feature if the device allows this change.

Rogue Access Points

Rogue access points are access points that you do not control and manage. There are two types: those that are connected to your wired infrastructure and those that are not. The ones that are connected to your wired network present a danger to your wired and wireless network. They may be placed there by your own users without your knowledge, or they may purposefully be put there by a hacker. In either case, they allow access to your wired network. Wireless intrusion prevention system (IPS) devices are usually used to locate them and to alert administrators of their presence.

Rogue access points that are not connected to your wired infrastructure are usually used as part of a hijacking attack, which is discussed in the next section.

Evil Twin

An evil twin is an AP that is not under your control but is used to perform a hijacking attack. A hijacking attack is one in which the hacker connects one or more of your users’ computers to their network for the purpose of a peer-to-peer attack.

The attack begins with the introduction of an access point that is under the hacker’s control. This access point will be set to use the same network name or SSID your network uses, and it will be set to require no authentication (creating what is called an open network). Moreover, this access point will be set to use a different channel than the access point under your control.

To understand how the attack works, you must understand how wireless stations (laptops, PDAs, and so on) choose an access point with which to connect. It is done by SSID and not by channel. The hacker will “jam” the channel on which your access point is transmitting. When a station gets disconnected from an access point, it scans the area for another access point with the same SSID. The stations will find the hacker’s access point and will connect to it.

Once the station is connected to the hacker’s access point, it will receive an IP address from a DHCP server running on the access point and the user will now be located on the same network as the hacker. At this point, the hacker is free to commence a peer-to-peer attack.

Bluejacking

Bluejacking is an attack aimed at Bluetooth connections. It sends unsolicited messages to the devices. These messages are typically in the form of a vCard that contains the message in the name field. While these attacks are annoying, they are not serious when compared to the attack in the next section, which is also a Bluetooth attack.

Bluesnarfing

Bluesnarfing is unauthorized access of a Bluetooth-enabled device. These attacks allow access to the data on the device and make use of the pairing function used to connect two devices to transfer data between them. Users should be advised to disable the function that makes their device “discoverable” and enable it manually only when a connection needs to be made.

Attackers and Their Tools

The old adage “Never talk to strangers” applies here because you can’t spot a hacker by looking at one. That quiet 15-year-old kid next door or the head of the PTA could secretly be a criminal hacker (or cracker, in nerd-speak)—you just never know. But instead of living your life being suspicious of everyone you meet, it’s much better to understand the ways and strategies bad guys use to infiltrate your defenses.

The interaction between a hacker and a network administrator can be anything from a harmless game of cat and mouse to a terrorist attack on national security. Either way, there’s someone out there trying to break into or crash your system, and it’s up to you to track and prevent the attacks.

Network attacks executed by an actual hacker are called directed attacks. For instance, a bad guy can use the WinNuke utility, which I’ll describe soon, to generate a packet and send it to a specific machine. On the other hand, viruses aren’t usually directed attacks—instead they’re just blindly copied from user to user.

I’ll start by telling you about some common network attacks and then move on to cover the techniques used to prevent them from happening to you.

Real World Scenario

Do We Really Need Firewalls?

Believe it or not, the honor system used to apply to the Internet, and it pretty much worked, so firewalls just weren’t needed. Now, nothing could be further from the truth! Today, multitudes of companies have their entire corporate intranets connected to the Internet; plus, a legion of e-commerce sites like eBay and Amazon transfer seriously sensitive personal and financial data over the Internet. Corporate espionage and identity theft are currently the fastest-growing crimes worldwide—evil deeds pulled off by bad guys lurking on the Net. So, we all need to practice “Safe Net,” and one popular way to do that is by implementing firewalls on our networks.

Application-Layer Attacks

Application-layer attacks usually zero in on well-known holes in software that’s running on our servers. Favorite targets include FTP, sendmail, and HTTP because the permissions level granted to these accounts is often privileged. This means that bad guys who break in not only gain access to your network but also get the added bonus of having privileged status while they’re in there—yikes!

ActiveX Attacks

A fairly new form of attack makes its way to your computer through ActiveX and Java programs (applets). These are miniature programs that run on a web server or that you download to your local machine. Most ActiveX and Java applets are safe, but some contain viruses or snoop or spyware programs. Snoop or spyware programs allow a hacker to look at everything on your hard drive from a remote location without you knowing about it, which is really bad, so be sure you properly configure the on-access component of your antivirus software to check and clean for these types of attacks.

Autorooters

You can think of autorooters as a kind of hacker automaton. Hackers use something called a rootkit to probe, scan, and then capture data on a strategically positioned computer that’s poised to give them “eyes” into entire systems automatically. This is clearly very bad for you and your data. Note that this is typically how a cracker can attack a Mac or Unix box.

Backdoors

Backdoors are simply paths leading into a computer or network. From simple invasions to elaborate Trojan horses, villains can use their previously placed inroads into a specific host or a network whenever they want to—that is, unless you can detect them and stop them in their tracks.

Network Reconnaissance

Before breaking into a network, bad guys gather all the information they can about it because the more they know about the network, the better they can compromise it. This is called network reconnaissance. Hackers accomplish their objectives through methods like port scans, Domain Name Service (DNS) queries, and ping sweeps—even social engineering, or phishing, which I’ll cover in a bit.

Packet Sniffers

A packet sniffer is a software tool that can be incredibly effective in troubleshooting a problematic network, but it can also be a hacker’s friend. Here’s how it works: A network adapter card is set to promiscuous mode so it will send all packets snagged from the network’s Physical layer through to a special application to be viewed and sorted out. A packet sniffer can nick some highly valuable, sensitive data, including, but not limited to, passwords and usernames, making such a tool a prize among identity thieves.

Port Scanners

Port scanners are programs that ping every port on the target to identify which ports are open. They do this by pinging the IP address of the target with the port number appended after a colon. If an answer is received, the port is open. Open ports can lead to services the hacker can potentially exploit.

FTP Bounce

This attack is a variation of the port scan in that the attacker uses the FTP PORT command to request access to ports indirectly by using the victim machine as a middleman for the request. This cloaks the identity of the device performing the port scan.

Port-Redirection Attacks

A port-redirection attack requires a host machine the hacker has broken into and uses to redirect traffic that normally wouldn’t be allowed passage through a firewall. The attacker gains access to a trusted computer that is outside the firewall and installs software on the machine. They then redirect traffic bound for a particular port on the trusted yet now compromised host to their machine.

Trust-Exploitation Attacks

Trust-exploitation attacks happen when someone exploits a trust relationship in your network. The attacker gains control of a host that is outside the firewall yet is trusted by hosts that are inside the firewall. Once compromised, the host outside the firewall can be used as a platform to exploit the fact it is trusted by those inside the firewall.

Man-in-the-Middle Attacks

Interception! But it’s not a football, it’s a bunch of your network’s packets—your precious data. A man-in-the-middle attack happens when someone intercepts packets intended for one computer and reads the data. A common guilty party could be someone working for your very own ISP using a packet sniffer and augmenting it with routing and transport protocols. Rogue ATM machines and even credit-card swipers are tools that are also increasingly used for this type of attack. Figure 14.11 shows a man-in-the-middle attack.

Figure 14.11 Man-in-the-middle attack


Improper Access/Backdoor Access

A backdoor is a piece of software installed by a hacker that allows them to return later and connect to the computer without going through the normal authentication process. Some commercial applications inadvertently include backdoors because programmers forget to remove them before release to market. In many cases, the program is listening on a specific port, and when attempting to connect to that port, the attacker is allowed to connect without authentication. An example is Back Orifice 2000 (BO2K), an application-level Trojan horse used to give an attacker backdoor network access.

ARP Issues

ARP cache poisoning, usually a part of a man-in-the-middle attack, was discussed earlier in the section “ARP Cache Poisoning.”

Banner Grabbing/OUI

Banners are messages that are configured on some devices (routers, switches, servers) and appear under certain conditions, such as when someone is presented with a login screen, upon making a connection, or when an error is encountered. These messages can impart information that can be used during the discovery phase of the hacking process. They may reveal the operating system or the version of firmware.

Banner grabbing is the process of connecting to the device using protocols such as Telnet, SMTP, or HTTP and then generating an error displaying the banner. Once the hacker discovers information contained in the banner such as the operating system and its version, they can research weaknesses in the system. For this reason, any service not in use should be disabled to eliminate it as a source of connection.

Domain/Local Group Configurations

In cases where computers are part of a domain, the domain member computers will have both domain accounts and local accounts. Local accounts are thus only effective on the local machine and cannot be used to access the domain.

However, there are default local accounts that exist on these computers that can be used to log on locally to the computer, thereby circumventing the domain login process. It’s dangerous to leave some of these enabled, such as the local administrator account. While they cannot be deleted, it is possible to rename them and/or disable them.

Jamming

Jamming is the process of sending out radio waves on the frequency used by a wireless network. It will have the effect of disassociating (disconnecting) all of the stations from the AP, at least while the jam signal is still there. When used for that purpose, jamming could be considered a DoS attack.

However, it is usually part of an evil twin attack, when the hacker is attempting to get your wireless stations to connect to their access point. They will set their AP to the same SSID as your wireless network but in a different channel (frequency). When they jam the real frequency, it causes the stations to seek another frequency with the same SSID, and they will find the hacker’s AP all too willing to allow their association.

Misconfiguration Issues

In many cases, security issues arise due to our own mistakes rather than the efforts of hackers. In the following sections, we’ll take a look at (and in some cases review) some of the most common misconfiguration errors and omissions.

Misconfigured Firewall

If the access control lists are misconfigured on a firewall, the damage will fall into one of three categories:

  • Traffic is allowed that shouldn’t be allowed.
  • Traffic that should be allowed is blocked.
  • No traffic is allowed at all.

The first two problems are a matter of specifying the wrong traffic type in a permit or deny rule. Because in many cases the traffic type is specified in terms of a port number, it is critical to know the port numbers of the traffic you are dealing with.

The last problem can be either a simple omission or a complete misunderstanding of how ACLs work. At the end of every ACL is an implied rule that blocks all traffic that has not been allowed by earlier rules in the rule set. This means that all ACLs should have a rule at the end that allows all traffic that should be allowed. An ACL with no permit statements will block all traffic.
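To make the implicit deny concrete, here is an added example (not from the book, and not any vendor's ACL syntax) that evaluates a small rule list in C the way a firewall does: top to bottom, first match wins, and anything unmatched is dropped. The rule format, the names and the constructed ACLs, one for each failure category above plus a corrected list, are assumptions for this illustration.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed example of ACL evaluation; rule format and names are this
 * illustration's own, not any firewall vendor's syntax. */

enum action { DENY = 0, PERMIT = 1 };
enum proto  { ANY_PROTO = 0, TCP = 6, UDP = 17 };   /* IP protocol numbers */

#define ANY_PORT 0   /* wildcard: matches every destination port */

struct rule {
    enum action act;
    enum proto  proto;
    int         dst_port;     /* destination port, or ANY_PORT */
};

struct acl {
    const struct rule *rules;
    size_t             count;
};

/* Evaluates one packet (protocol + destination port) against the list:
 * rules are checked in order, the first match decides, and if nothing
 * matches the unwritten "deny all" at the end of every ACL applies. */
enum action acl_evaluate(const struct acl *acl, enum proto proto, int dst_port)
{
    for (size_t i = 0; i < acl->count; i++) {
        const struct rule *r = &acl->rules[i];
        bool proto_match = (r->proto == ANY_PROTO || r->proto == proto);
        bool port_match  = (r->dst_port == ANY_PORT || r->dst_port == dst_port);
        if (proto_match && port_match)
            return r->act;        /* first match wins; later rules are not consulted */
    }
    return DENY;                  /* implicit deny: no explicit rule permitted it */
}

/* Category 1, traffic allowed that should not be: the deny was meant for
 * Telnet (TCP/23) but was typed as 32, and the permit-any after it lets
 * Telnet through. */
static const struct rule wrong_deny_rules[] = {
    { DENY,   TCP,       32 },
    { PERMIT, ANY_PROTO, ANY_PORT },
};

/* Category 2, traffic that should be allowed is blocked: the administrator
 * meant to permit web traffic (TCP/80) but wrote 8080, so real web traffic
 * falls through to the implicit deny. */
static const struct rule wrong_port_rules[] = {
    { PERMIT, TCP, 8080 },
};

/* Category 3, no traffic allowed at all: the Telnet block is correct, but
 * with no permit statement anywhere every other packet hits the implicit
 * deny too. */
static const struct rule deny_only_rules[] = {
    { DENY, TCP, 23 },
};

/* Corrected list: explicit denies first, then permits for the traffic that
 * should pass; Telnet stays blocked because its deny is matched first. */
static const struct rule corrected_rules[] = {
    { DENY,   TCP, 23 },          /* Telnet: clear-text credentials */
    { PERMIT, TCP, 80 },          /* web */
    { PERMIT, UDP, 53 },          /* DNS */
};

const struct acl wrong_deny_acl = { wrong_deny_rules, 2 };
const struct acl wrong_port_acl = { wrong_port_rules, 1 };
const struct acl deny_only_acl  = { deny_only_rules,  1 };
const struct acl corrected_acl  = { corrected_rules,  3 };

const char *verdict(enum action a) { return a == PERMIT ? "permit" : "deny"; }

int main(void)
{
    printf("wrong-deny ACL, TCP/23 : %s\n", verdict(acl_evaluate(&wrong_deny_acl, TCP, 23)));
    printf("wrong-port ACL, TCP/80 : %s\n", verdict(acl_evaluate(&wrong_port_acl, TCP, 80)));
    printf("deny-only ACL,  UDP/53 : %s\n", verdict(acl_evaluate(&deny_only_acl,  UDP, 53)));
    printf("corrected ACL,  TCP/23 : %s\n", verdict(acl_evaluate(&corrected_acl,  TCP, 23)));
    printf("corrected ACL,  TCP/80 : %s\n", verdict(acl_evaluate(&corrected_acl,  TCP, 80)));
    printf("corrected ACL,  TCP/445: %s\n", verdict(acl_evaluate(&corrected_acl,  TCP, 445)));
    return 0;
}
```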

Misconfigured ACLs/Applications

Misconfigured applications can also cause issues. Web applications that do not perform proper input validation can allow for attacks such as buffer overflows. They can also in some cases allow for commands to be executed on the web server. For this reason, web-based applications should undergo strict code review and fuzz testing, and you should ensure that all input is validated before it is accepted by the application.

Open/Closed Ports

As discussed in the section on misconfiguration of firewalls, destination services and applications are specified in a packet in terms of a port number. When a device is open to receiving a connection to a service or application, it is said to be listening on the corresponding port. Therefore, closing or disabling a port eliminates the possibility of a malicious user connecting to that port and leveraging any weakness that may be known to be present with that service.

It is a standard device hardening practice to close any ports not required for the proper functioning of a device based on its role in the network. For example, a DNS server should have no other ports open but port 53, which is used to service DNS.
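
A practical way to enforce the role-based rule above is to compare what a device is actually listening on against a baseline for its role. The following added example (not from the book) parses the output of the Linux `ss -tuln` command and reports ports that a DNS server should not be exposing. The sample output and the role baselines are constructed for the illustration; in practice a management port such as SSH would be added to the baseline deliberately rather than discovered by surprise.

```python
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed `ss -tuln` output for a DNS server that also has SSH and HTTP listening.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0           0.0.0.0:53         0.0.0.0:*
udp   UNCONN 0      0              [::]:53            [::]:*
tcp   LISTEN 0      4096        0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      128         0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511            [::]:80            [::]:*
"""

# Assumed role baselines: the (protocol, port) pairs a device in that role is expected to expose.
ROLE_BASELINES: Dict[str, Set[Tuple[str, int]]] = {
    "dns": {("udp", 53), ("tcp", 53)},
    "web": {("tcp", 80), ("tcp", 443)},
}


def parse_listening(ss_output: str) -> Set[Tuple[str, int]]:
    """Extract (protocol, port) pairs from `ss -tuln` output, skipping the header line."""
    listening = set()
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        port = int(local.rsplit(":", 1)[1])   # works for "0.0.0.0:53", "[::]:53" and "*:53"
        listening.add((proto, port))
    return listening


def unexpected_ports(ss_output: str, role: str) -> List[Tuple[str, int]]:
    """Ports open on the device that its role does not call for: candidates for disabling."""
    return sorted(parse_listening(ss_output) - ROLE_BASELINES[role])


def missing_ports(ss_output: str, role: str) -> List[Tuple[str, int]]:
    """Ports the role needs that are not listening: a service is down or bound elsewhere."""
    return sorted(ROLE_BASELINES[role] - parse_listening(ss_output))


def live_check(role: str) -> List[Tuple[str, int]]:
    """Run the same comparison against the local Linux host (not exercised offline)."""
    out = subprocess.run(["ss", "-tuln"], capture_output=True, text=True, check=True).stdout
    return unexpected_ports(out, role)


if __name__ == "__main__":
    print("unexpected on DNS server:", unexpected_ports(SAMPLE_SS_OUTPUT, "dns"))
    print("missing on DNS server:", missing_ports(SAMPLE_SS_OUTPUT, "dns"))
```

Against the constructed sample the check flags TCP 22 and TCP 80 as not belonging to the DNS role; whether to close them or to add them to the baseline is a decision to record, not something to leave to chance.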

Unpatched Firmware/OSs

The best defense against the majority of malware types and attack modes is to keep current on all updates. This includes operating system patches, firmware updates, and application updates. Many devices that fall prey to malware and attacks do so needlessly because a patch existed that would have prevented the attack. A formal update system should be in place to ensure that no updates fall through the cracks.

Social Engineering (Phishing)

Hackers are more sophisticated today than they were 10 years ago, but then again, so are network administrators. Because most of today’s sys admins have secured their networks well enough to make it pretty tough for an outsider to gain access, hackers decided to try an easier route to gain information: they just asked the network’s users for it.

Social engineering, or phishing, refers to the act of attempting to illegally obtain sensitive information by pretending to be a credible source. Common phishing tactics include sending emails, making phone calls, or even starting up a conversation in person.

Some email phishing scams have made the news. In one case, bad guys sent out a mass email that was all dressed up to appear as though the message actually came from a real bank. The email said that the bank had an issue with one of its servers, so it now required you to confirm your user-account information to verify that none of your data was lost. All you needed to do was click the link provided in the email, enter your information, and snap—your identity went poof! If you possess a working brain and someone you didn’t know phoned and asked for your bank-account number, you certainly wouldn’t give it to them, right? No way—but the same request, coming in the form of a really legitimate-looking email, seems more believable for some reason. This has become a popular phishing tool, notoriously used to separate people from anything from a few bucks to their entire identity. Be careful!

Oh, and speaking of phone calls…let’s say you get a call to your desk at work from “Joe” in IT. He says he’s noticed some unusual activity on your network account and wants to check it out, but for security purposes, he needs your permission first. So he proceeds to confirm your login, and then he tells you he needs to enter your password into the network tracker. He asks, “What’s your password?” To protect yourself from this one, all you need to do is confirm his information and verify it with your IT department before you give him any of your data. You know by now that just because “Joe” knows your login doesn’t mean he’s on the up-and-up; even if “Joe” hangs up on you, you should still report the call to IT.

How did Joe get your login and telephone number? Remember network reconnaissance? First, because company phone directories are often on the Web, getting your phone number was easy. Even if it isn’t published, maybe Joe did some earlier phishing by calling one of your coworkers and, pretending to be a colleague at another site, asking for your phone number. But what about the username? On most networks, your username is the same as your email address because that makes things easier for your sys admin. This means that knowing that information is probably just a good guess on the attacker’s part. Maybe Joe the Hacker has gotten an email from someone at your company and knows what your email format is, and he may have some other information to help him figure out your network login. And even if the number on your caller ID when Joe called was an internal phone number, it doesn’t mean a thing—remember IP spoofing? Well, you can do that with phone numbers too.

The golden rule is don’t ever give any of your information or anyone else’s to anyone you’re not absolutely sure should have it. And if they are someone who should have it, they probably already do, and they shouldn’t be contacting you for it!

Understanding Mitigation Techniques

To be honest, I’m not going to go into detail about how to mitigate each and every one of the security threats I just talked about, not only because that would be outside the scope of this book, but also because the methods I am going to teach you will truly protect you from being attacked in general. You’ll learn enough tricks to make all but the most determined bad guys give up on you and search for easier prey. Basically, think of this as a section on how to practice “Safe Net.”

Safe networking techniques fall into three major categories: policies and procedures, training, and patches and upgrades. But before we go there, let’s cover some of those general defense techniques I just referred to.

Okay—first know that there are three main ways to detect an intruder and defend yourself against one:

  • Active detection, which involves constantly scanning the network for possible break-ins
  • Passive detection, which involves logging all network events to a file
  • Proactive defense methods, which involve using tools to shore up your network walls against attack

Active Detection

Active detection is analogous to a security guard walking the premises, rattling doors to make sure they’re locked, and checking for intruders and any unusual activity. Similarly, there’s special network software that searches for hackers attempting known attack methods and scans for the kind of suspicious activity and weird network traffic that hackers leave behind as they travel over the network. Some sophisticated active systems go a step further and take action by doing things like shutting down the communications sessions a bad guy is using as well as emailing or paging you. Some security packages will even go as far as trying to cripple the computer from which the hacker is attacking! Cisco’s NetRanger, Memco’s Session Wall, and Snort are all forms of active intrusion-detection software.

Passive Detection

Using video cameras is a good example of using a passive intrusion detection system. Their counterparts in networking are files that log events that occur on the network. Tripwire for Unix systems is one of the earliest programs of this variety. It identifies changes in files using checksums. Changes in files indicate that someone has accessed them. Passive detection systems work by examining files and data and then calculating the checksums for each. The checksums are stored in a log file so that if the sys admin notices that a security breach has occurred on the network, they can access the log files to find clues about it.

Proactive Defense

A proactive defense is something you do or implement to ensure that your network is impenetrable. You can accomplish a lot through solid research and vigilant maintenance—you absolutely must stay current regarding any known security holes relevant to your type of network and the devices that populate it. You can also use tools like the unfortunately dubbed Security Administrator Tool for Analyzing Networks (SATAN) to find the holes in your security walls and plug them with software patches.

Clearly, before you can patch a hole, you’ve got to know it’s there, right? This is why I said it’s so important to stay current. Even better, stay a step ahead of bad guys by knowing your enemy’s strategies because the war against attackers is ever evolving—as soon as one hole is patched, bad guys will search for and find another vulnerability to exploit. And because patches usually take some time to develop, you can lose your shirt to a hacker in the interim. This is a big reason I’m saying it’s a better idea for you to know thy enemy than to rely on patches and the like.

Incident Response

Often when an attack or security breach occurs in the network, valuable time and information are lost in the critical first minutes and hours after the incident occurs. In some cases, evidence is inadvertently destroyed, making prosecution of the offending party impossible. In other cases, attacks that could have been interrupted and prevented before damage occurs are allowed to continue.

An incident response policy is designed to prevent this by establishing in advance the procedures that should be followed when an attack occurs. It may categorize incidents in such a way that certain event types (such as an active port scan) may require a response (such as disabling certain services) within 10 minutes while other events (such as an attempt to access a file without proper credentials) may only require a notation and follow-up in the next few days. The point is to establish these rules ahead of time to ensure that events are handled in a way that minimizes damage and preserves evidence.

There is a host of great shareware and freeware available on the Internet today, including Windows Defender, Spybot Search & Destroy, and Ad-Aware as well as Windows Update.

Basic Forensic Concepts

When security incidents occur in a network, a proper response is key, especially in the early stages. Computer forensics principles must be applied. These principles are specific to the nature of digital devices and the environment in which security incidents occur. From a high level, the steps in incident response are as follows:

  1. Detect the incident.
  2. Respond to the incident.
  3. Report the incident to the appropriate personnel.
  4. Recover from the incident.
  5. Remediate all components affected by the incident to ensure that all traces of the incident have been removed.
  6. Review the incident, and document all findings.

In the following sections, we’ll take a look at some of the salient details of these six steps.

First Responder

The first responder is responsible for securing the crime scene and protecting the evidence from corruption. This requires addressing the evidence in the order of volatility. Some types of data may be fragile and therefore need to be collected before other types. For example, a Polaroid photo (not a digital photo) should be taken of anything showing on the computer screen since that could go away at any time if the system goes off.

Secure the Area

The area should be sealed off to prevent anyone from touching or tampering with anything. Access to the crime scene should be tightly controlled and limited only to individuals who are vital to the investigation. As part of the documentation process, make sure to note anyone who has access to the crime scene. Once a crime scene is contaminated, there is no way to restore it to the original condition.

Escalate When Necessary

In any case where the first responder is not trained in forensics, the issue should be escalated to other personnel. In some cases it may involve calling the police, but be aware that when you do that you may lose control of the crime scene because they will take over the investigation. All users should be trained in basic crime scene concepts, such as don’t turn the machine off and don’t touch anything.

Document the Scene

Everything about the crime scene should be recorded and documented. Polaroid pictures should be taken to show the position of everything in the scene. Diagrams can be drawn to indicate positioning as well. Interviews of witnesses and first responders should be conducted as soon as possible because memory of details fades quickly.

eDiscovery

In the United States, discovery is the exchange of evidence by both sides in a lawsuit. eDiscovery is simply the application of this principle to electronic documents, such as emails, chat records, and other electronic forms of data. When this data is identified as potentially relevant to a case, it is placed on legal hold. Then it is gathered using digital forensic procedures to prevent its contamination as evidence.

Evidence/Data Collection

When you’re collecting evidence, the order of volatility is critical. Collecting it in the following order ensures that investigators get evidence from the components that are most volatile first. The order of volatility is as follows:

  1. Memory contents
  2. Swap files
  3. Network processes
  4. System processes
  5. File system information
  6. Raw disk blocks

You should create a bit-level copy of the system image and isolate the system from the network when you do this. Keep two copies of this image, one to be stored as an accurate backup copy of the evidence and the other to use to examine the image. You should create message digests (hashes) of the images to ensure that you can later prove that the images have not been tampered with.

Chain of Custody

Chain of custody records document who controlled the evidence, who secured the evidence, and who obtained the evidence. To successfully prosecute a suspect, a proper chain of custody must be preserved and the evidence must be collected following predefined procedures in accordance with all laws and regulations. Proper chain of custody ensures that all evidence is admissible in court.

Data Transport

When the data or evidence is being transported in any way, the process must be recorded and documented in detail. All physical evidence must be tagged, and the evidence tags must document the mode and means of transportation, a complete description of the evidence (including quality), who received the evidence, and who had access to the evidence. Any transmission of evidence should include a hash so the integrity of the evidence can be maintained.

Forensics Report

A forensics report should be created based on the findings. While evidence is being examined, any characteristics, such as time stamps and identification properties, should be determined and documented. Once the evidence has been fully analyzed using scientific methods, the full incident should be reconstructed and documented.

Legal Hold

During the eDiscovery process, evidence that is deemed to be possibly relevant will be placed on legal hold. This process may be initiated by a notice or communication from legal counsel to an organization. It requires suspension of normal processing of the data, such as backup tape recycling, archiving media, and using other forms of document and information storage and management.

Policies and Procedures

Every company should have written policies to effectively enable security on their computer networks. The policies should have the approval of the highest-ranking security or IT officer within the company, and they should address all aspects of the company network. Procedures should also be in place to determine the appropriate course of action if there is a security breach. And all network administrators absolutely need to be thoroughly trained on all policies and procedures—no weak links.

All of this might sound a bit militaristic in nature, but it’s truly necessary. Speaking of the military, though, the U.S. Department of Defense (DoD) has some really good standards; it wouldn’t hurt to keep them in mind when you’re setting up the security policies for your own network.

You can find the evaluation criteria for the DoD computer standards at https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/dod85.pdf

In the past, this was known as the Rainbow Series because of the color of the books, but that’s been replaced by the much less colorful Common Criteria Evaluation and Validation Scheme (CCEVS).

Security Policies

So what, exactly, is a security policy? Ideally, it should precisely define how security is to be implemented within an organization and include physical security, document security, and network security. Plus, you have to make sure these forms of security are implemented completely and solidly because if they aren’t, your security policy will be a lot like a block of Swiss cheese—some areas are covered, but others are full of holes.

Before a network can be truly secure, the network support staff should post the part of the security policy that applies to employee conduct on bulletin boards. It should, for example, forbid posting any company and/or employee information that’s not absolutely necessary—like, believe it or not, sticking Post-its with usernames and passwords on computer screens. Really clean desks, audits, and recording email communications and, in some cases, phone calls should also be requirements. And don’t forget to also post the consequences of not complying with the security policy.

Security Audit

Let me take a minute to explain all this a little more, beginning with security audits. A security audit is a thorough examination of your network that includes testing all its components to make sure everything is secure. You can do this internally, but you can also contract an audit with a third party if you want the level of security to be certified. A valid and verified consultant’s audit is a good follow-up to an internal audit. One reason for having your network’s security certified like this is that government agencies usually require it before they’ll grant you contract work, especially if that work is considered Confidential, Secret, or Top Secret.

Clean-Desk Policy

That clean-desk policy doesn’t mean just “get rid of the crumbs from your last snack.” It means requiring that all potentially important documents like books, schematics, confidential letters, notes to self, and so on aren’t left out in the open when someone’s away from their desk. Instead, they’re locked away, securely out of sight. And make sure it’s clear that this rule applies to users’ PC desktops too. Policies like this apply to offices, laboratories, and workbenches as well as desks, and it’s really important for employees who share workspaces and/or workstations.

It’s super easy to nick something off someone’s desk or screen. Because most security problems involve people on the inside, implementing and enforcing a clean-desk policy is a simple way to guard against security breaches.

The International Computer Security Association (ICSA, www.icsa.net) reports that as many as 80 percent of all network break-ins occur from within the company and are carried out by employees, so protecting your data with a firewall is just the beginning of establishing network security.

It might sound really nitpicky, but for a clean-desk policy to be effective, users have to clean up their desks every time they walk away from them—without exception. The day someone doesn’t will be the very day some prospective tenant is being shown the building’s layout and a sensitive document suddenly disappears. You should make sure workstations are locked to desks and do random spot checks once in a while to help enforce the policy. For obvious reasons, before company picnics and parties and before “bring your child to work day” are good times to do this.

The ICSA is a vendor-neutral organization that certifies the functionality of security products as well as makes recommendations on security in general.

Recording Equipment

Recording equipment—such as tape recorders, cell phones, and small memory devices like USB flash memory keychains—can contain sensitive, confidential information, so a good security policy should prohibit their unauthorized presence and use.

Just walk into almost any large technology company and you’ll be immediately confronted with signs. A really common one is a camera with a circle surrounding it and a slash through the center of the circle. Read the text below the sign and you’ll be informed that you can’t bring any recording devices onto the premises.

Here’s a good example. The NSA has updated its policy to include prohibiting Furby dolls on government premises because they have reasonably sophisticated computers inside them, complete with a digital recording device. The doll repeats what it hears at a certain interval of time, which is either cute or creepy but pretty much harmless—maybe even protective—in a children’s daycare center. Not so much at the NSA, though—no recording conversations there. Maybe, at least in some locations, it’s not such a good idea for your company either.

Licensing Restrictions

Software piracy is the unauthorized reproduction or distribution of copyrighted software. Although software piracy is a worldwide issue, it is much more prevalent in Asia, Europe, Latin America, and Africa/Middle East.

Security professionals and the organizations they work with must ensure that the organizations take measures to ensure that employees understand the implications of installing pirated software. They also need to ensure that these issues are covered specifically in the security policy.

In addition, large organizations might need to utilize an enterprise software inventory application that will provide administrators with a report on the software that is installed.

International Export Controls

Many organizations today develop trade relationships with organizations that are in other countries. Organizations must be aware of the export and import laws of both the source and destination countries. Encryption technologies are some of the most restricted technologies when it comes to import and export laws. Although the United States does limit the export of encryption technologies for national security reasons, other countries, such as China and Russia, limit the import of these same technologies because they do not want their citizens to have access to them. Publicly available technology, including software, is exempt from most export laws, except for encryption technologies.

Any organization that engages in export and import activities with entities based in other countries should ensure that legal counsel is involved in the process so that all laws and regulations are followed. In addition, the organization should implement the appropriate controls to ensure that personnel do not inadvertently violate any import and export laws, regulations, or internal corporate policies.

Other Common Security Policies

So you get the idea—security policies can cover literally hundreds of items. Here are some common ones:

Notification Security policies aren’t much good if no one knows about them, right? So make sure you give users a copy of the security policy when you give them their usernames and passwords. It’s also a good idea to have computers display a summarized version of the policy when any user attempts to connect. Here’s an example: “Unauthorized access is prohibited and will be prosecuted to the fullest extent of the law.” Remember—your goal is to close loopholes. One hacker actually argued that because a computer didn’t tell him otherwise, anyone was free to connect to and use the system!

Equipment Access Disable all unused network ports so that any nonemployees who happen to be in the building can’t connect a laptop to an unused port and gain access to the network. And don’t forget to place all network equipment under lock and key.

Wiring Your network’s wires should never run along the floor where they can be easily accessed (or tripped over, getting you sued). Routers, switches, and concentrators should live in locked closets or rooms, with access to those rooms controlled by anything ranging from a good lock to a biometric access system, depending on the level of security your specific network and data require.

Door Locks/Swipe Mechanisms Be sure that only authorized people know the combination to the cipher lock on your data-center doors or that only the appropriate people have badges that allow access to the data center. Change lock combinations often, and never ever leave server room doors open or unlocked.

Badges Require everyone to wear an ID badge, including contractors and visitors, and assign appropriate access levels to everyone.

Tracking Require badge access to all entrances to buildings and internal computer rooms. Track and record all entry to and exits from these rooms.

Passwords Reset passwords at least every month. Train everyone on how to create strong passwords. Set BIOS passwords on every client and server computer to prevent BIOS changes.

Monitor Viewing Place computer monitors strategically so that visitors or people looking through windows can’t see them, and make sure unauthorized users/persons can’t see security-guard stations and server monitors. Use monitor privacy screens if necessary.

Accounts Each user should have their own, unique user account, and employees should never share user accounts. Even temporary employees should have their own account. Otherwise, you won’t be able to isolate a security breach.

Testing Review and audit your network security at least once a year.

Background Checks Do background checks on all network support staff. This may include calling their previous employers, verifying their college degrees, requiring a drug test, and checking for a criminal background.

Firewalls Use a firewall to protect all Internet connections, and use the appropriate proxies and dynamic-packet-filtering equipment to control access to the network. Your firewall should provide as much security as your company requires and your budget allows.

Intrusion Detection Use intrusion detection and logging software to discover security breaches, and be sure you’re logging the events you want to monitor.

Cameras Cameras should cover all entrances to the building and the entire parking lot. Be sure that cameras are in weather-proof and tamper-proof housings, and review the output at a security-monitoring office. Record everything on extended-length tape recorders.

Mail Servers Provide each person with their own email mailbox, and attach an individual network account to each mailbox. If several people need to access a mailbox, don’t give all of them the password to a single network account. Instead, assign individual privileges to each person’s network account so you can track activity down to a single person, even with a generic address.

DMZ Use a demilitarized zone (DMZ) for all publicly viewable servers, including web servers, FTP servers, and email relay servers. Figure 14.12 shows a common DMZ setup.

Figure 14.12 A common DMZ configuration


It is not advisable to put a DMZ outside the firewall because any servers outside your firewall defeat the whole purpose of having one. However, it is possible that you may see a DMZ outside the firewall in some networks.

Mail Relay Mail servers relay to other email servers by design. When the email server relays from any server that requests it, it is called open relay. Hackers use this feature to forward spam. Modern email systems allow you to control which servers your email server will relay for, which helps to prevent this.
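
The relay decision is a short rule, and seeing it as code makes the open-relay mistake obvious. The following is an added example, not from the book: a Python model of the check a mail server makes when a client asks it to deliver to an outside domain, with the open-relay misconfiguration as a switch, plus a scan over constructed log lines showing which messages the corrected policy would have refused. The domain, the trusted network, the log format, and the addresses are all constructed for the illustration.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed configuration: the domain this server delivers for and the trusted internal network.
LOCAL_DOMAINS = {"example.com"}
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]


def is_local_destination(rcpt: str) -> bool:
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def from_trusted_network(client_ip: str) -> bool:
    return any(ip_address(client_ip) in net for net in MYNETWORKS)


def relay_decision(client_ip: str, authenticated: bool, rcpt: str, open_relay: bool = False) -> str:
    """Decide whether to accept a message for the given recipient from the given client."""
    if is_local_destination(rcpt):
        return "accept"            # final delivery for our own domain is never relaying
    if open_relay:
        return "accept"            # the misconfiguration: relay for anyone, to anywhere
    if from_trusted_network(client_ip) or authenticated:
        return "accept"            # our own users may send outbound mail through us
    return "reject"                # unauthenticated outsider, outside destination: refuse


# Constructed log lines of the form "client=<ip> auth=<yes|no> to=<recipient>".
SAMPLE_LOG = [
    "client=192.0.2.10 auth=no to=bob@other.example",
    "client=203.0.113.9 auth=no to=alice@example.com",
    "client=203.0.113.9 auth=no to=victim1@other.example",
    "client=198.51.100.7 auth=yes to=partner@other.example",
    "client=203.0.113.9 auth=no to=victim2@another.example",
]


def parse_log_line(line: str) -> Dict[str, str]:
    return dict(field.split("=", 1) for field in line.split())


def would_be_rejected(log_lines: List[str]) -> List[str]:
    """Recipients of messages the corrected (non-open) policy would have refused to relay."""
    refused = []
    for line in log_lines:
        entry = parse_log_line(line)
        if relay_decision(entry["client"], entry["auth"] == "yes", entry["to"]) == "reject":
            refused.append(entry["to"])
    return refused


if __name__ == "__main__":
    print("open relay accepts outsider -> outsider:",
          relay_decision("203.0.113.9", False, "victim1@other.example", open_relay=True))
    print("fixed policy:", relay_decision("203.0.113.9", False, "victim1@other.example"))
    print("would have been refused:", would_be_rejected(SAMPLE_LOG))
```

In Postfix terms the corrected branch corresponds to listing your trusted networks in `mynetworks` and keeping `reject_unauth_destination` in `smtpd_relay_restrictions`; the point of the model is that the only messages refused are the ones from unauthenticated outsiders to outside domains, which is precisely the traffic a spammer needs an open relay for.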

Patches Make sure the latest security updates are installed after being properly tested on a nonproduction computer.

Backups Store backup tape cartridges securely, not on a shelf or table within reach of someone working at the server. Lock tapes in a waterproof, fireproof safe, and keep at least some of your backups off site.

Modems Do not ever allow desktop modems because they can be used to get to the Internet without your knowledge. Restrict modem access to approved server-based modem pools.

Guards If you need security guards, they shouldn’t patrol the same station all the time. As people become familiar with an environment and situation, they tend to become less observant about that environment, so rotating guards to keep their concentration at the highest possible level makes a lot of sense. Clearly, guards are people who need breaks to ensure alertness, but make sure that all patrol areas are covered during shift changes, rotations, and breaks. Guards should also receive periodic training and testing to make sure they can recognize a threat and take appropriate action.

Believe it or not, covering all these bases still won’t guarantee that your network or facility is secure. All of this is really just a starting point that’s meant to point you in the right direction.

Breaking Policy

You know that for your policy to be effective it’s got to be enforced consistently and completely. Nobody is so special that they don’t have to adhere to it. And people have to understand the consequences of breaking policy too. Your network users need to have a clearly written document, called a security policy, that fully identifies and explains what’s expected of them and what they can and can’t do. Plus, people must be made completely aware of the consequences of breaking the rules, and penalties have to match the severity of the offense and be carried out quickly, if not immediately, to be effective.

Let’s take a minute and talk about those penalties. As far back as the mid-1980s, employees were immediately terminated for major technology policy infractions. For example, one guy from a large computer company immediately got his pink slip when pornography was found on his computer’s hard drive. The situation was handled decisively—his manager informed him that he was being immediately terminated and that he had one hour to vacate the premises. A security guard stood watch while he cleaned out his desk to make sure the employee touched only personal items—no computer equipment, including storage media—and when he had finished gathering his personal things, the guard then escorted him from the building.

Downloading and installing software from the Internet to your PC at work is not as major (depending on where you work), but from the things we’ve been over so far, you know that doing that can compromise security. Beta products, new software, and patches need to be tested by the IT department before anyone can use them, period! Here’s an example: After an employee installed the untested beta release of a web browser and rebooted their PC, the production Windows NT server at a national telephone company crashed. The resulting action was to revoke that employee’s Internet FTP privileges for three months.

Real World Scenario

Implement the Appropriate Policies or Procedures

You operate a mid-sized network for Acme Inc. Recently a rogue access point was discovered in the network, which constituted a security breach. While the original fear was that it was installed as an evil twin, further investigation revealed it was placed there by an employee so his department could have wireless access. It has now been removed. What two actions do you need to take and what security policy document do you need to access?

Answer

Remind/inform the employee of the security policy prohibiting this activity and discipline the employee. This will require access to an acceptable use policy, specifically the one that the employee signed when hired.

To prevent this in the future, you should schedule a training session for employees that reinforces the rules contained in the acceptable use policy and explains the motivation behind each.

The Exit Interview

Sometimes, the importance of an employee’s position and the amount of knowledge they have about the company and its systems justifies requiring an exit interview when they’re terminated. It’s done to minimize the risk of that employee being disgruntled and to attempt to ensure that they’re leaving under the most favorable circumstances possible. The interview can include the IT manager, a human resources representative, a sys admin, and sometimes even security personnel.

When an employee leaves the company—whether they’re quitting to move on to another job or being terminated—all company property needs to be turned in and logged. This includes things like company cell phones, pagers, toolkits, keys, badges, security tokens, models, and, obviously, all company documents.

And clearly, IT needs to disable all accounts immediately, including those for network access and voicemail, and remaining employees should be informed that the employee is leaving at this time. This is especially important when that employee has access to sensitive documents because even if they’re leaving under favorable conditions, they could still log in and copy data to take with them for their own use. For instance, salespeople can easily hurt a company by taking client information with them, and it has happened, as in the case of a salesperson who accessed their former company’s voicemail system and stole sales leads. So it’s not just the obviously disgruntled ex–network administrator who could demolish your website after leaving that you need to be concerned about.

Security Procedures

A security procedure defines how to respond to any security event that happens on your network. Here’s a short list of items you might include:

  • What to do when someone has locked themselves out of their account
  • How to properly install or remove software on servers
  • What to do if files on the servers suddenly appear to be “missing” or altered
  • How to respond when a network computer has a virus
  • Actions to take if it appears that a hacker has broken into the network
  • Actions to take if there is a physical emergency such as a fire or flood

Privileged User Accounts

Privileged user accounts represent those that have been provided rights normally reserved for the administrator. For example, if Jeff is granted the right to manage a printer, he now possesses a privileged account. Privileged accounts represent a potential security vulnerability, and their use should be monitored continually to ensure that they are used responsibly. When implementing them, you should always follow the principle of least privilege, which specifies that users should only be granted privileges required to do their job.

File Integrity Monitoring

File integrity monitoring detects unauthorized alteration of files. File hashing can be used to verify that changes to files have not occurred: a hash value is recorded for each file while it is known to be good, and the file is rehashed later and compared against that baseline. See the section “File Hashing” later in this chapter for more details.

Role Separation

Separation of duties is a concept that specifies that any operation that is susceptible to fraud or abuse by employees should be broken into two (or more) tasks, and that these tasks should be assigned to different individuals. While there is no guarantee that these individuals won’t collude, the chance of that occurring is much less than the chance of a single individual committing fraud.

Restricting Access via ACLs

Access control lists identify who has access to resources and what type of access they have. ACLs are attached to the resource and are consulted whenever access is requested by an entity. These ACLs are your primary means of preventing access by unauthorized individuals. When implementing them you should always follow the principle of need to know, which specifies that users should only be granted access to information required to do their job.

Security Training

This brings us to the human element of network security. It’s true that most of your users want to do the right thing to protect the company—and their jobs—from the prying eyes of hackers, but the problem is that people don’t always know the right thing to do. That’s why training is so vital. It can include classroom sessions and/or web-based training, but experience has shown me that actual classroom-based instruction works the best. It’s also a good idea to have separate training classes for IT personnel and end users.

End-User Training

End-user training is pretty easy—it can take just an hour or so to bring employees up to speed. The “keep it short and simple” rule applies here or you’ll just end up with nap time. This is a great time to include detailed security protocol training. But if you see eyes beginning to glaze over or hear anyone snoring, you might want to make security protocol training a separate session because, as I said, it’s really important to the effectiveness of your security policy for everyone to know about and understand it. You can even use a year-end bonus or something else cool as a motivational reward for the employees who complete their training and test well on it.

And you have to back up your training by providing your end users with hard-copy, printed reference manuals in case they forget something (which they will). Include things like the following items:

  • Recommended policies for creating safe passwords
  • The number to call if they’ve locked themselves out of their accounts
  • What to do if they think someone is phishing for information
  • What to do if they think their computer has a virus

Clearly, new employees to the company or division should be required to go through training, but requiring that everybody attend refresher courses is also a good idea. And don’t hesitate to call a meeting if new threats arise or any sudden changes occur to keep everyone up-to-date.

Administrator Training

Obviously, training sessions for your IT personnel have to be a lot more in depth because they’ll be the ones who set up and configure policies, and they’ll also be the first responders to any security emergency.

It’s important to cover every aspect of your security policy with these people. And be sure they understand the correct ways to escalate issues in case of an emergency. Reacting to a security emergency is pretty stressful, and you don’t want your administrators to panic or feel isolated if one occurs. Making sure they know where their lifelines are and how to reach them quickly if they need backup will relieve a lot of pressure when something nasty happens.

Patches and Upgrades

The operating systems and applications we use today are really just gigantic collections of computer code. Windows Vista has about 50 million lines of code, and Windows XP has 35 to 40 million; Windows 7 was shaved down to about 40 million, and Windows 8 is rumored to be between 50 and 80 million. And if you look at the subsystems within Windows, you’ll find that there are more than 50 dependency layers, that is, processes that depend on other processes. Experts who work on developing Windows say that it typically takes someone about five years to fully learn two or three of these layers. So it’s pretty easy to imagine that with that much code being created by a couple of thousand different people, sometimes a few things get mixed up, and that’s the reason there always seem to be a few holes, glitches, and bugs to fix.

The good news is, as operating systems and applications are released, their developers have a chance to catch and repair the problems they uncover. In addition, as hackers find and take advantage of vulnerabilities, software developers work to plug those holes. The repairs are usually released to the public as patches or hotfixes. To address large-scale issues or add major features and components to a program, companies release complete upgrades instead.

Here’s where we get into the software side of security, which includes things like applying patches, hotfixes, and upgrades, plus how to choose and install the right third-party software to protect yourself against viruses.

Ensuring that your software is up-to-date is one of the best ways to protect against bad guys exploiting the security holes on your network.

Automatic Updates Through Windows Update

It’s really easy to get updates for Windows-based operating systems through Windows Update, a utility that’s automatically installed when you install Windows. If you need more information, go to www.microsoft.com.

To ensure that Windows Update is enabled, open your System Properties dialog (right-click My Computer and then choose Properties). You will see a screen similar to the one shown in Figure 14.13.

Figure 14.13 Automating Windows Update


If you have Windows Update installed, it will periodically scan your system for the version of Windows components you already have installed and compare them to the most current versions available from Microsoft. If your software is out-of-date, a Windows Update dialog box will appear, asking if you want to install the software updates. If you click Continue, the installation will proceed in the background; you’ll still be able to work in the foreground without skipping a beat.

Downloading Patches and Hotfixes

If you don’t have automatic updates set up, you can download patches and hotfixes manually. A hotfix is just like a patch that updates software, but this term is reserved for a solution to potentially serious issues that could compromise your network and hosts. When a company like Microsoft has created a whole bunch of patches, hotfixes, and upgrades, it will put them together in a larger bundle called a service pack. For instance, you can download Windows 7 Service Pack 1 (SP1) or Windows Server 2008 Service Pack 2 (SP2), which will update lots of components and address security, performance, and stability issues all at the same time. For the latest service pack for your Windows-based operating system or application, visit support.microsoft.com.

But let’s say you think you have a smaller, specific issue and you only want to download a patch for that particular problem. Maybe you’re dealing with an issue with IPSec and you want to know about creating IPSec security filters in Windows XP. After surfing Microsoft’s support site, you come across article KB914841 (https://www.microsoft.com/en-us/download/details.aspx?id=735). (KB stands for Knowledge Base, and it’s one way Microsoft organizes its support documents.) This article will give you background information as well as allow you to download hotfixes for the operating system you’re running.

Firmware Updates

While keeping operating system and application patches up-to-date gets most of the attention, there are devices on your network that may require firmware updates from time to time. Firmware is a form of program code and related data that is stored in persistent memory of some sort, such as non-volatile RAM (NVRAM) or flash memory.

In many cases firmware updates are designed to increase the functionality of a device. In other cases they correct a bug or flaw in the system, including security flaws. Firmware updates are much less frequent than other types of updates, so it’s easy to forget about them. You should always agree to be contacted by manufacturers regarding these updates because they are not as widely publicized as other types of updates.

Updating firmware is a process sometimes called flashing, in which the old firmware instructions are overwritten by the new ones. You should carefully follow the process described in the manufacturer’s documentation because failure to do so can lead to the device being made useless (sometimes called bricking the device).

Driver Updates

Drivers are files that allow the operating system of the hosting device to talk to a peripheral or component. In most cases, the drivers you need for a device will already be present in the driver store that is installed with the operating system, but in some cases, especially with new devices, this will not be the case. In those instances, you will have to allow the system to locate the driver file on the CD or other media that came with the device, or in extreme instances, you may have to search for it on the Internet. You should always start your search on the website of the manufacturer. Drivers found elsewhere may be problematic and in some cases may introduce malware.

Drivers also need to be updated from time to time. If you have computers set to receive updates automatically, updated drivers can be among the items you select to receive. Not all devices can benefit from automatic updating, and you may be required to check manually from time to time for driver updates for other devices, such as printers, scanners, and cameras.

File Hashing

Another security feature that can be used to detect the damage done when malware alters or deletes system files is file hashing. A hash function takes a message of variable length and produces a fixed-length hash value. Hash values, also referred to as message digests, are calculated from the original message. If the receiver calculates a hash value that is the same as the hash value of the original message, the original message is intact. If the receiver calculates a hash value that is different, then the original message has been altered.

For a given hash function H, this check relies on it being infeasible to find two different messages, M1 and M2, that produce the same hash value. In other words, for any M1 that differs from M2:

  • H(M1) <> H(M2)

A matching hash value therefore means the file is unchanged, and a mismatch proves it was altered or replaced. Cryptographic hash functions such as SHA-256 are designed to have this property; older functions such as MD5 and SHA-1 should not be relied on for integrity checking because collisions (two different inputs with the same hash) can be created deliberately.

By using software that computes hash values for all system files, and continually verifying these values, you can detect changes to system files.

Generating New Keys

Devices can use keys, which are long, randomly generated bit strings, as input to encryption algorithms when encrypting data either in transit or at rest. At specified intervals, these keys must be renewed. While it is possible to renew the use of the same key (or key pair), generating a new key or key pair is advised. The longer a key is in use, the more likely it is to be compromised, and the more data an attacker who recovers it can read. Generating new keys at renewal time limits that exposure and increases security.
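As an added illustration of why renewal should mean a fresh key rather than an extension of the old one (this is example code, not from the book or any vendor), the Python keyring below generates new random key material when the rotation interval elapses, tags protected data with the ID of the key that was used, keeps retired keys for a retention window so earlier data can still be verified, and then drops them. HMAC-SHA256 stands in for whatever keyed algorithm a device actually uses, and the one-day interval and seven-day retention in the demo are assumptions.

```python
"""Key rotation with a versioned keyring (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Key:
    key_id: int
    material: bytes
    created_at: int  # seconds since the epoch; an int keeps the demo deterministic


@dataclass
class Keyring:
    rotation_interval: int  # how long a key may be used to protect new data
    retention: int          # how long a retired key is kept for verification only
    keys: dict = field(default_factory=dict)
    next_id: int = 1

    def generate(self, now: int) -> Key:
        """Create brand-new random material; never reuse or derive from the old key."""
        key = Key(self.next_id, secrets.token_bytes(32), now)
        self.keys[key.key_id] = key
        self.next_id += 1
        return key

    def active(self, now: int) -> Key:
        """Key to use for new data, rotating first if the newest one has expired."""
        newest = max(self.keys.values(), key=lambda k: k.created_at, default=None)
        if newest is None or now - newest.created_at >= self.rotation_interval:
            newest = self.generate(now)
        return newest

    def expire(self, now: int) -> list[int]:
        """Remove keys that are past both their interval and their retention window."""
        gone = [kid for kid, k in self.keys.items()
                if now - k.created_at >= self.rotation_interval + self.retention]
        for kid in gone:
            del self.keys[kid]
        return gone

    def protect(self, data: bytes, now: int) -> tuple[int, bytes]:
        """Return (key_id, tag); the key_id must be stored alongside the tag."""
        key = self.active(now)
        return key.key_id, hmac.new(key.material, data, hashlib.sha256).digest()

    def verify(self, data: bytes, key_id: int, tag: bytes) -> bool:
        key = self.keys.get(key_id)
        if key is None:
            return False  # key retired: the data should have been re-protected
        expected = hmac.new(key.material, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Constructed timeline: one day interval, seven days retention."""
    day = 86_400
    ring = Keyring(rotation_interval=day, retention=7 * day)
    t0 = 1_700_000_000
    kid1, tag1 = ring.protect(b"config v1", t0)
    # A day later the interval has elapsed, so new data gets a new key ...
    kid2, tag2 = ring.protect(b"config v2", t0 + day)
    results = {
        "rotated": kid1 != kid2,
        # ... while data protected under the old key still verifies during retention.
        "old_still_verifies": ring.verify(b"config v1", kid1, tag1),
        "tamper_detected": not ring.verify(b"config v1 (edited)", kid1, tag1),
    }
    # Eight days on, the old key is gone; anything still under it must fail.
    ring.expire(t0 + 8 * day + 1)
    results["old_key_gone"] = not ring.verify(b"config v1", kid1, tag1)
    results["new_still_ok"] = ring.verify(b"config v2", kid2, tag2)
    return results


if __name__ == "__main__":
    print(demo())
```

The retention window is what makes rotation practical: without it, every file or message protected under the previous key would become unverifiable the moment a new key was generated, which is the usual reason administrators are tempted to keep renewing the same key instead.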

Upgrading vs. Downgrading

Whenever a new version of an operating system or application is released, it usually generates a debate over whether the upgrade should be implemented. This is because experience has taught many IT technicians that there are often problems with a new release that they would prefer to avoid until someone else locates and corrects them.

Waiting until “all the bugs are ironed out” in an upgraded release is probably not a bad idea unless the upgrade addresses a security issue. In those cases, the risk is probably worth taking to close the security hole.

In some cases it may be necessary to reverse or downgrade a system to the old version if the new version causes substantial issues in the production environment. You can save yourself a lot of grief and possible downtime in the production environment by testing all new versions of applications, operating systems, and firmware before deploying them.

Real World Scenario

Applying Your Knowledge

In your new position at ABB Tech Inc., one of your responsibilities is to maintain all software and firmware updates for the Sales department, which contains the following devices:

  • 38 Windows 8.1 desktop systems
  • 4 Red Hat Linux servers
  • 1 Cisco 3550 switch
  • 2 HP printers
  • 1 Windows Server 2012 R2

Your latest assignment is to develop a plan for maintaining the updates on all of these machines. Complete the following table to provide the data required to create the plan. Research your answers using the websites of the vendors listed. You can check your answers in the following chart.

Device                 | Update types (OS, firmware, driver) | Most efficient method  | Schedule
Windows 8.1            | OS, driver                          | WSUS                   | Weekly
Red Hat Linux          | OS, driver                          | Individual application | As notified by errata advisories through the Red Hat Customer Portal
Cisco 3550             | Firmware                            | Individual application | As notified by subscribing to field advisories and security emails from Cisco
HP printers            | Driver                              | Individual application | As notified by subscribing to HP
Windows Server 2012 R2 | OS, driver                          | WSUS                   | Weekly

Asset Disposal

When the time comes to decommission an asset such as a server or a hard drive, the handling of any data that remains is a big security issue. Whenever data is erased or removed from a storage medium, residual data can be left behind. This can allow data to be reconstructed when the organization disposes of the media, resulting in unauthorized individuals or groups gaining access to it. Media that security professionals must consider include magnetic hard disk drives, solid-state drives, magnetic tapes, and optical media, such as CDs and DVDs. When considering data remanence, security professionals must understand three levels of countermeasure: clearing, purging, and destruction.

  • Clearing removes data from the media so that the data cannot be reconstructed using normal file recovery techniques and tools. With this method, the data may still be recoverable using special laboratory forensic techniques.
    • Overwriting is a clearing technique that writes data patterns (for example, all zeros, all ones, or random data) over the entire medium, replacing the original data in every location the host is allowed to write to.
  • Purging (a stronger form of sanitization) makes the data unrecoverable even with advanced forensic techniques. With this technique, data should be unrecoverable.
    • Degaussing exposes magnetic media to a powerful, alternating magnetic field, removing any previously written data and leaving the media in a magnetically randomized (blank) state. Because it also erases the factory-written servo tracks, a degaussed hard drive is no longer usable.
    • Cryptographic erase relies on the data having been encrypted while on the media; destroying every copy of the encryption key renders the data unreadable without touching the data itself.
  • Destruction involves destroying the media on which the data resides by physically breaking it apart (shredding or pulverizing) or chemically altering it. For magnetic media, physical destruction can also involve exposure to high temperatures.

Most of the countermeasures given work well for magnetic media. Solid-state drives present unique challenges: the drive’s wear-leveling firmware decides which flash cells actually receive a write and keeps spare, over-provisioned blocks the host cannot address, so an overwrite from the host is not guaranteed to reach every cell that has ever held the data, and degaussing has no effect on flash. Most solid-state drive vendors provide sanitization commands (the ATA Secure Erase and SANITIZE commands, for example) that erase all blocks, including the spare ones. Security professionals should research these commands to ensure that they are effective on the specific drive model. Another option for self-encrypting drives is cryptographic erase, that is, destroying the drive’s encryption key. Often a combination of these methods must be used to fully ensure that the data is removed.
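The following added Python example (not from the book) implements the overwriting countermeasure against a disk image stored in an ordinary file and then verifies, by reading the image back, that a sensitive string is gone. The image and its contents are constructed inside a temporary directory. Pointed at a raw block device instead of a file, the same loop would overwrite the sectors the host can address; but as explained above, that is only clearing: wear leveling, remapped bad sectors, filesystem journals, and snapshots can all leave copies the host never reaches, so for solid-state drives or anything that needs purging, use the drive’s sanitize command or cryptographic erase.

```python
"""Clearing a file-backed disk image by overwriting, then verifying (added example)."""
import os
import secrets
import tempfile
from pathlib import Path

# One pass of zeros, one of ones, and a final pass of random data.
PATTERNS = (b"\x00", b"\xff", None)  # None means random bytes
SECRET = b"CUSTOMER_LIST: alice@example.com"  # constructed sample data


def overwrite(path: Path, passes=PATTERNS, block_size: int = 1 << 20) -> int:
    """Overwrite every byte of the file once per pattern, forcing each pass
    to storage before the next. Returns the bytes written in the last pass."""
    size = path.stat().st_size
    written = 0
    with path.open("r+b") as f:
        for pattern in passes:
            f.seek(0)
            written = 0
            while written < size:
                n = min(block_size, size - written)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                written += n
            f.flush()
            os.fsync(f.fileno())  # push the pass through the OS cache
    return written


def contains(path: Path, needle: bytes, block_size: int = 1 << 20) -> bool:
    """Read-back verification: does the needle still appear anywhere in the
    file? A carry buffer catches matches that straddle two blocks."""
    carry = b""
    with path.open("rb") as f:
        while chunk := f.read(block_size):
            window = carry + chunk
            if needle in window:
                return True
            carry = window[-(len(needle) - 1):] if len(needle) > 1 else b""
    return False


def demo() -> dict:
    """Build a small image with a secret buried in it, clear it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "old-disk.img"
        image.write_bytes(os.urandom(4096) + SECRET + os.urandom(4096))
        found_before = contains(image, SECRET)
        written = overwrite(image)
        return {
            "found_before": found_before,
            "found_after": contains(image, SECRET),
            "bytes_written": written,
            "size_unchanged": image.stat().st_size == written,
        }


if __name__ == "__main__":
    print(demo())
```

The read-back step is the part most overwrite scripts skip, yet it is the only evidence you have that the write actually landed; on a real device it also catches the case where the drive silently remapped a failing sector and left the original content in place.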

Data remanence is also a consideration when using any cloud-based solution for an organization. Security professionals should work with their organization when negotiating any contract with a cloud-based provider to ensure that the contract covers data remanence issues, although it is difficult to determine that the data is properly removed. Using data encryption is a great way to ensure that data remanence is not a concern when dealing with the cloud.

Detection

Certain devices and the features they offer can help us detect when something is awry. Technicians should make use of these tools and features to apprise themselves of issues that require their attention.

Motion detection

In areas that require constant attention to security, it may be advisable to install motion detectors of some sort. Server rooms, wiring closets, and other critical areas may need them. Let’s look at a few types.

Infrared Sensors

Passive infrared (PIR) systems operate by detecting changes in the infrared (heat) radiation reaching the sensor from the area it covers. A person is warmer than the walls and furniture behind them, so when an intruder moves across the sensor’s field of view the infrared pattern shifts, and the system alerts or sounds an alarm.

Electromechanical Systems

Electromechanical systems operate by detecting a break in an electrical circuit. For example, the circuit might cross a window or door and when the window or door is opened the circuit is broken, setting off an alarm of some sort. Another example might be a pressure pad placed under the carpet to detect the presence of individuals.

Photoelectric Systems

Photometric or photoelectric systems operate by detecting changes in the light and thus are used in windowless areas. They send a beam of light across the area and if the beam is interrupted (by a person, for example) the alarm is triggered.

Acoustical Detection Systems

Acoustical systems use strategically placed microphones to detect any sound made during a forced entry. These systems only work well in areas where there is not a lot of surrounding noise. They are typically very sensitive, which would cause many false alarms in a loud area, such as a door next to a busy street.

Wave Motion Detector

These devices generate a wave pattern (ultrasonic or microwave) in the area and detect any motion that disturbs the pattern. When the pattern is disturbed, an alarm sounds.

Capacitance Detector

These devices establish an electrostatic field around the protected object or area and monitor its capacitance. A person entering the field changes the measured capacitance, and the alarm sounds.

Asset tracking tags

Proper asset management is not rocket science. It boils down to knowing exactly what you have, when you got it, where it is, and where the license to use it is. The devil, as they say, is in the details. Most server administrators don’t set out to practice poor asset management; they simply don’t give it the importance it requires to be done correctly.

Labeling or tagging servers, workstations, printers, ports on infrastructure devices (routers and switches), and other items is another form of asset documentation that often doesn’t receive enough attention. Not only does this make your day-to-day duties easier, it makes the process of maintaining accurate records simpler and supports a proper asset management plan. When periodic inventories are taken (you are doing that, right?), having these items labeled makes the process so much quicker. This goes for cables in the server room as well.

Tamper detection

Tamper detection refers to any method that alerts you when a device or the enclosure in which it resides has been opened or an attempt has been made to open it. A good example is chassis intrusion detection.

You should use settings in the BIOS to alert you when the case has been opened. These settings are shown in Figure 14.14. In this case the open case warning has not been enabled yet.

Figure 14.14 Open case warning in the BIOS


Anti-malware Software

Of all the update types that need to be maintained, anti-malware updates are the most critical to the organization. You must maintain updates to the malware definitions as well as updates to the malware engine itself. When choosing an anti-malware solution, there are two approaches: host based (also called premises based) and cloud based. In the following sections, we will examine both.

Host Based

Host- or premises-based anti-malware is a solution that you install and run inside your network. It has the advantage of giving you total control over the process but also requires you to stay on top of updates. It also requires the deployment of some hardware to hold the engine and the definition files.

Cloud/Server Based

Cloud antivirus products run not on local computers but in the cloud, creating a smaller footprint on the client and utilizing processing power in the cloud. They have the following advantages:

  • They allow access to the latest malware data within minutes of the cloud antivirus service learning about it.
  • They eliminate the need to continually update your antivirus software.
  • The client is small, and it requires little processing power.

Cloud antivirus products have the following disadvantages:

  • There is a client-to-cloud relationship, which means they cannot run in the background.
  • They may scan only the core Windows files for viruses and not the whole computer.
  • They are highly dependent on an Internet connection.

Real World Scenario

Should I Install Host-Based or Cloud/Server-Based Anti-malware for My Network?

You manage a very large enterprise network and need to keep a close eye on the most common attacks today: malware. You should install a next-generation IPS device, but you don’t have the money for that type of equipment and the necessary training. You need something that will stop zero-day attacks if possible and don’t want to add much processing or even more software on the hosts in the network than you already have. You don’t want to install any new hardware, if possible, to get this done. With all this in mind, cloud/server-based anti-malware is your answer! It allows access to the latest malware data within minutes of the cloud antivirus service learning about it, and you don’t need to install any new hardware at your location. You just need a good, solid Internet connection.

Configuration Backups

We create device configurations over time that can be quite complicated, and in some cases where multiple technicians have played a role, no single person has a complete understanding of the configuration. For this reason, configurations should be backed up.

Configurations may sometimes exist as text files, such as in a router or switch. Other times, such as with a Microsoft server, you will back up what is called the system state. This backs up only the configuration of the server and not the data. In this case, a system state backup and a data backup should be performed. It is also possible to back up the entire computer, which would include both data sets.

Considering the time it takes to set up a new device, install the operating system, and reconfigure it to replace a defective device, it makes great sense to keep backups of configurations so that if a device fails, you can quickly reimage a new machine and simply apply the system state to it or apply the configuration file (in the case of routers and switches).

Updating Antivirus Components

A typical antivirus program consists of two components:

  • The definition files
  • The engine

The definition files list the various viruses, their types, and their footprints and tell you how to remove them. More than 100 new viruses are found in the wild each month, so it’s easy to see that an antivirus program would be totally useless if it didn’t keep up with all those emerging viruses.

The engine accesses the definition files (or database), runs virus scans, cleans the files, and notifies the appropriate people and accounts. Eventually, viruses become so sophisticated that a new engine, or even a whole new technology, is required to combat them effectively.

Heuristic scanning is a technology that allows an antivirus program to search for a virus even if there’s no definition for it yet. The engine looks for suspicious activity of the kind that usually indicates the presence of a virus. But use such a tool with caution—if it’s turned on, this scanning technique can mistake harmless or even necessary code for suspicious code, and that can give you some major grief.

For your antivirus program to work for you, you have to upgrade, update, and scan in a specific order:

  1. Upgrade the antivirus engine.
  2. Update the definition files.
  3. Create an antivirus emergency boot disk.
  4. Configure and run a full on-demand scan.
  5. Schedule monthly full on-demand scans.
  6. Configure and activate on-access scans.
  7. Make a new antivirus emergency boot disk monthly.
  8. Get the latest update when fighting a virus outbreak.
  9. Repeat all steps when you get a new engine.

I’m going to cover only the steps in this list that map to objectives of the Network+ exam, but looking into the others on your own won’t hurt and will give you some worthwhile knowledge.

Upgrading an Antivirus Engine

An antivirus engine is the core program that runs the scanning process, and virus definitions are keyed to an engine version number. For example, a 3.x engine won’t work with 4.x definition files. When the manufacturer releases a new engine, consider both the cost to upgrade and how much you’ll benefit before buying it.

Before installing new or upgraded software, back up your entire computer system, including all your data.

Updating Definition Files

I recommend that you update your list of known viruses—called the virus definition files—no less than weekly. You can do this manually or automatically through the manufacturer’s website, and you can use a staging server within your company to download and distribute the updates or set up each computer to download updates individually.

Scanning for Viruses

An antivirus scan is the process that an antivirus program deploys to examine a computer suspected of having a virus, identify the virus, and then get rid of it. There are three types of antivirus scans, and to really make sure your system is clean, you should use a combination of the types I’m covering in this section:

On-Demand Scan An on-demand scan is a virus scan initiated by you or an administrator that searches a file, a directory, a drive, or an entire computer, regardless of whether those files are currently in use. I recommend doing this at least monthly, but you’ll also want to do an on-demand scan when the following occurs:

  • You first install the antivirus software.
  • You upgrade the antivirus software engine.
  • You suspect a virus outbreak.

Before you initiate an on-demand scan, be sure you have the latest virus definitions.

On-Access Scan An on-access scan runs in the background when you open a file or use a program in situations like these:

  • Inserting a floppy disk or thumb drive
  • Downloading a file with FTP
  • Receiving email messages and attachments
  • Viewing a web page

This kind of scan slows down the processing speed of other programs, but it’s worth the inconvenience.

Emergency Scan During an emergency scan, only the operating system and the antivirus program are running. You initiate one of these scans when a virus has totally invaded your system and taken control of the machine. In this situation, insert your antivirus emergency boot disk and boot the infected computer from it. Then, scan and clean the entire computer. If you don’t have your boot disk, go to another, uninfected machine and create one from it. Another possibility is to use an emergency scan website like https://housecall.trendmicro.com, which allows you to scan your computer via high-speed Internet access without using an emergency disk.

Fixing an Infected Computer

So what do you do if you know you have a virus? First, you want to make sure to scan all potentially affected hard disks plus any external disks that could be infected. Establish a cleaning station, and quarantine the infected area. You’ll have a really hard time doing this if anyone continues to use the computer while it is infected, so make sure all users in the infected area stop using their computers.

Then, remove all external memory devices from all disk drives and perform a scan and clean at the cleaning station. Update the virus definitions of any computers that are still operational. For the ones that aren’t, or the ones that are still working but are infected, boot to an antivirus emergency boot disk. After you’ve done that, run a full scan and clean the entire system on all computers in the office space. With luck, you will be done before your users return from lunch.

It’s frustrating, but a lot of programs won’t install unless you disable the on-access portion of your antivirus software. Clearly, this is dangerous if the program has a virus. If you want to be really safe, do an on-demand scan of the software before installing it. If things are all good, go ahead and disable on-access scanning during installation, and then reactivate it when the installation is complete.

Summary

Whew—this was a long chapter with a lot of good information in it. We talked about the dark side of computer networking: bad guys and the threats and attacks they use to victimize our systems and networks. You learned a lot about tactics like denial of service attacks, viruses, worms, social engineering, and other devious methods that hackers use. After that, you learned about ways to mitigate these threats and protect yourself by establishing policies and procedures, providing training, and ensuring that all your software is up-to-date. You also learned what to do about the ubiquitous problem of viruses. It’s a lot to remember, I know, but believe me, you’ll be really glad you’re armed with this knowledge because unfortunately, you’ll probably deal with these threats sooner or later.

Exam Essentials

Recognize vulnerabilities that may exist in your network. These vulnerabilities include unnecessary running services, open ports, unpatched systems, unencrypted channels, and the transmission of clear-text authentication credentials.

Know what types of threats can adversely affect your network. Threats include denial of service attacks, viruses, worms, rogue access points, phishing, and various other attack methods employed by hackers.

Understand how attackers attempt to get information about your network. Attackers have various methods they can use to gather information. Some of the most common reconnaissance tools are packet sniffers and social engineering.

Know how to keep your systems automatically updated. Programs such as Windows Update can keep your operating systems current, which will reduce opportunities for attackers to exploit your computers and network.

Know where to go to find downloadable software updates. Check the manufacturer’s website for the most current security information, patches, and updates.

Understand and implement proper forensic concepts. This includes following the six steps in the incident response process.

Written Lab

Write the answers to the following questions. You can find the answers in Appendix A.

  1. A ___________ is a group of computers connected on the Internet for the purpose of performing a task in a coordinated manner.

  2. How often should you update your virus definitions in your antivirus software?

  3. What type of attack injects a command that overflows the amount of memory allocated and executes commands that would not normally be allowed?

  4. ___________ attacks are those that increase the effectiveness of a DoS attack.

  5. What kind of tool could a hacker use to intercept traffic on your network?

  6. What type of virus uses Microsoft’s Visual Basic scripting language?

  7. What is it called when someone intercepts traffic on your network that’s intended for a different destination computer?

  8. If someone installed a wireless router on your network without your knowledge, the WAP would be called ___________.

  9. What software application can automatically ensure that your Windows-based computers have the most current security patches?

  10. The two different types of virus scans are ___________.

Review Questions

You can find the answers to the review questions in Appendix B.

  1. Which of the following is a type of denial of service attack?

    1. Ping of Death
    2. Stacheldraht
    3. SYN flood
    4. All of the above
  2. In which attack does the attacker set the session ID ahead of time by sending a link to the victim with the ID preset?

    1. Session fixation
    2. Cross-site scripting
    3. Session sidejacking
    4. Session seeding
  3. Which type of virus impacts files with the filename extensions .com, .exe, and .dll?

    1. File viruses
    2. SYN flood
    3. Smurf
    4. Tribe Flood Network
  4. In which type of attack does the attacker scan for networks using a high-powered antenna connected to a wireless laptop?

    1. War driving
    2. Evil twin
    3. WEP cracking
    4. WPA cracking
  5. Monkey B, Michelangelo, Stoned, and Stealth Boot are examples of which type of virus?

    1. IP spoofing
    2. Multipartite
    3. Macro
    4. Boot sector
  6. Which type of virus affects both the boot sector and files on a computer?

    1. Multipartite
    2. Macro
    3. Tribe Flood Network 2000 (TFN2K)
    4. Smurf
  7. What is the main difference between a worm and a virus?

    1. Worms require user action for replication; viruses do not.
    2. Worms can be spread by email and viruses cannot.
    3. Worms can replicate without user intervention; viruses cannot.
    4. None of the above.
  8. What kind of attack involves the hacker attempting all combinations of characters for a password to gain access?

    1. Packet sniffers
    2. Brute force attack
    3. Worm
    4. Backdoor
  9. What type of security threat allows an attacker to learn your password through the use of an email or phone call?

    1. Phishing
    2. Trust-exploration attack
    3. Man-in-the-middle attack
    4. Rogue access point
  10. Which type of policy should be implemented to secure important company documents and materials when employees leave their workstations?

    1. Clean housekeeping
    2. Clean desk
    3. Security audit
    4. Proactive defense
  11. If you implement a set of policies and procedures that define corporate information as confidential and then train employees on these procedures, what type of attack can you prevent?

    1. DoS
    2. Man-in-the-middle attacks
    3. Smurf
    4. Social engineering
  12. What type of wireless frame populates the display when someone is scanning for wireless networks?

    1. Probe response
    2. Beacon
    3. SSID
    4. Discovery
  13. What defines the appropriate response to a security event on a network?

    1. Implementing security procedures
    2. Installing a new router
    3. Turning off the network
    4. Implementing an HR policy for dress code
  14. Which of the following security mechanisms has been compromised?

    1. WEP
    2. 802.11i
    3. WPA2 Enterprise
    4. RADIUS
  15. What process allows you to update your Windows-based operating system?

    1. Technet
    2. Windows Update
    3. Text message
    4. Hotfix
  16. Why is it important to keep your system patched and up-to-date?

    1. To completely stop your need for security
    2. To increase the functionality of your applications
    3. To fix system vulnerabilities
    4. To make Windows completely safe and worry free
  17. Who is responsible for securing a crime scene and protecting the evidence from corruption?

    1. First responder
    2. CIO
    3. Police
    4. User
  18. Which type of scanning allows an antivirus program to search for a virus even if there is no definition for it?

    1. Update scan
    2. Signature-file scan
    3. Database scan
    4. Heuristic scan
  19. What type of files need to be updated in order for your antivirus program to have the latest information about attacks and viruses?

    1. Definition files
    2. Email files
    3. DOC (.doc) files
    4. EXE (.exe) files
  20. What type of scan can be done by an antivirus program?

    1. Emergency
    2. On-demand
    3. On-access
    4. All of the above