Security+ Guide to Network Security Fundamentals, 2e

13-1

Chapter 13 Advanced Security and Beyond At a Glance Instructors Notes

Chapter Overview Chapter Objectives Technical Notes Lecture Notes Quick Quizzes Discussion Questions Additional Activities

Security+ Guide to Network Security Fundamentals, 2e

13-2

Instructors Notes Chapter Overview

In this chapter, students will learn about the new and advanced areas of computer security. They will first study computer forensics and how it can be used. Students will then examine some of the new types of defense mechanisms that are available or will be ready shortly. Finally, students will survey the types of security careers and the skills necessary to become a security professional.

Chapter Objectives
After reading this chapter, students will be able to: Define computer forensics Respond to a computer forensics incident Harden security through new solutions List information security jobs and skills

Technical Notes
HANDS-ON PROJECTS Project 13-1 Project 13-2 Project 13-3 Project 13-4 Project 13-5 HARDWARE DEVICES REQUIRED Computer PC Computer PC Computer PC Computer PC Computer PC OPERATING SYSTEM REQUIRED Windows XP Windows XP Windows XP Windows XP Windows XP OTHER RESOURCES Microsoft Office Suite Internet connectivity Internet connectivity Internet connectivity Internet connectivity

This chapter should not be completed in one class session. It is recommended that you split the chapter into at least two class sessions, if possible. The amount of subject matter to be covered can be covered in anywhere between a 3- to 6-hour period, plus any at-home exercises you wish to assign.

Lecture Notes Understanding Computer Forensics

Computer forensics can attempt to retrieve informationeven if it has been altered or erasedthat can be used in the pursuit of the criminal.

Quick Reference

Discuss the reasons why interest in computer forensics is heightened as described on page 447 of the text.

Forensics Opportunities and Challenges

Computer forensics creates opportunities to uncover evidence that would be impossible to find using a manual process. One reason that computer forensics specialists have this opportunity is due to the persistence of evidence. Electronic documents are more difficult to dispose of than paper documents.

Security+ Guide to Network Security Fundamentals, 2e

13-3

Quick Reference

Discuss the ways that computer forensics is different from standard investigations as shown on pages 447 through 449 of the text.

Responding to a Computer Forensics Incident

Generally, responding to a computer forensics incident involves four basic steps similar to those of standard forensicssecure the crime scene, collect the evidence, establish a chain of custody, and examine and preserve the evidence.

Securing the Crime Scene

The physical surroundings of the computer should be clearly documented. Photographs of the area should be taken before anything is touched. Cables connected to the computer should be labeled to document the computers hardware components and how they are connected. The team takes custody of the entire computer along with the keyboard and any peripherals.

Preserving the Data

The computer forensics team first captures any volatile data that would be lost when the computer is turned off and moves the data to a secure location. This includes any data that is not recorded in a file on the hard drive or an image backup, such as: Contents of RAM Current network connections Logon sessions Network configurations Open files

After retrieving the volatile data, the team focuses on the hard drive. A mirror image backup, also called a bitstream backup, is an evidence-grade backup because its accuracy meets evidence standards. Mirror image backups are considered a primary key to uncovering evidence because they create exact replicas of the computer contents at the crime scene.

Quick Reference

Discuss the criteria for mirror image backups as listed on pages 452 and 453 of the text.

Establishing the Chain of Custody

As soon as the team begins its work, it must start and maintain a strict chain of custody. The chain of custody documents that the evidence was under strict control at all times and no unauthorized person was given the opportunity to corrupt the evidence.

Security+ Guide to Network Security Fundamentals, 2e

13-4

Quick Quiz
1. 2. 3. 4. 5. ___________, or the application of science to questions that are of interest to the legal profession, is not limited to analyzing evidence from a murder scene, but can also be applied to technology. ANSWER: Forensic science One reason that computer forensics specialists have certain opportunities is due to the persistence of ___________. ANSWER: evidence ___________ the crime scene helps to document that the computer was working prior to the attack. ANSWER: Securing ___________ backups replicate all sectors of a computer hard drive, including all files and any hidden data storage areas. ANSWER: Mirror image The ___________ documents that the evidence was under strict control at all times and no unauthorized person was given the opportunity to corrupt the evidence. ANSWER: chain of custody

Examining Data for Evidence

After a computer forensics expert creates a mirror image of a system, the original system should be secured and the mirror image examined to reveal evidence. In short, all of the exposed data should be examined for clues. Hidden clues can be mined and exposed as well. Microsoft Windows operating systems use a special file as a scratch pad to write data when sufficient RAM is not available. This file is the Windows page file. The steps taken by a computer forensics team are summarized in Table 13-1 on page 456 of the text. Another source of hidden data is called slack. Windows computers use two types of slack. The first is RAM slack. RAM slack pertains only to the last sector of a file. If additional sectors are needed to round out the block size for the last cluster assigned to the file, then a different type of slack is created. This is known as file slack (sometimes called drive slack) because the padded data that Windows uses comes from data stored on the hard drive. File slack is illustrated in Figure 13-4 on page 455 of the text.

Hardening Security Through New Solutions

The number of attacks reported, the sophistication of the attacks, and the speed at which they spread continues to grow. Defenders are responding to the increase in the level and number of attacks. New techniques and security devices are helping to defend networks and systems.

Quick Reference

Describe the characteristics of recent attacks as shown on pages 457 and 458 of the text. Also, describe some of the most recent developments and announcements as listed on pages 458 and 459 of the text.

Exploring Information Security Jobs and Skills

You explore security jobs and the skills that are needed to perform in that role.

Security+ Guide to Network Security Fundamentals, 2e

13-5

Employment
The need for information security workers will continue to grow for the foreseeable future. Information security personnel are in short supply, and those that are in the field are being rewarded well. Security budgets have been spared the drastic cost-cutting that has plagued IT since 2001. One reason is that companies have recognized the high costs associated with weak security and have decided that prevention outweighs cleanup. Computer forensics specialists are critically needed.

Certification
Most industry experts agree that security certifications continue to be important. Preparing for the Security+ certification will help you solidify your knowledge and skills in cryptography, firewalls, and other important security defenses.

Job Skills
This section examines some of the most important skills that are demanded of information security workers.

TCP/IP Protocol Suite

One of the most important skills is a strong knowledge of the foundation upon which network communications rests, namely Transmission Control Protocol/Internet Protocol (TCP/IP). Understanding TCP/IP concepts helps effectively troubleshoot computer network problems and diagnose possible anomalous behavior on a network.

Packets
Another important area of study regards packets. No matter how clever the attacker is, they still must send their attack to your computer with a packet. To recognize the abnormal, you must first understand what is normal.

Firewalls
Firewalls are essential tools on all networks and often provide a first layer of defense. Network security personnel should have a strong knowledge of how firewalls work, how to create access control lists (ACLs) to mirror the organizations security policy, and how to tweak ACLs to balance security with employee access.

Routers
Routers form the heart of a TCP/IP network. Configuring routers for both packet transfer and packet filtering can become very involved.

Intrusion-Detection Systems (IDS)

Security professionals should know how to administer and maintain an intrusion-detection system (IDS). The capabilities of these systems have increased dramatically since they first were introduced, making them mandatory for todays networks. One problem with IDS is that it can produce an enormous amount of data that requires checking.

Other Skills
A programming background is another helpful tool for security workers. Security workers should also be familiar with penetration testing. Once known as ethical hacking, penetration testing probes the vulnerabilities in systems, networks, and applications.

Security+ Guide to Network Security Fundamentals, 2e

13-6

Computer Forensic Skills

In addition to basic computer and security skills, computer forensic specialists require an additional level of training and skills.

Quick Reference

Discuss the additional level of training and skills as listed on page 462 of the text.

Quick Quiz
1. ___________ can range from 100 million bytes to over a gigabyte and can be temporary or permanent, depending on the version of Windows and settings selected by the computer user. ANSWER: Windows page files ___________ slack pertains only to the last sector of a file. ANSWER: RAM ___________ protects computers by recognizing when they are not acting normally. ANSWER: Behavior blocking ___________ are essential tools on all networks and often provide a first layer of defense. ANSWER: Firewalls ___________ probes the vulnerabilities in systems, networks, and applications. ANSWER: Penetration testing

2. 3. 4. 5.

Discussion Questions
1. 2. Why is programming such a valuable tool for security workers? Discuss several different strategies used for examining evidence.

Additional Activities
1. 2. Have students observe normal traffic flow along a network and then activate a sniffer. Once the sniffer is in place, have student chart the differences in network traffic. Have students take a sample Security+ exam and discuss the results.