Instructor: Prof. Michael P. Harris, CCNA CCAI
ITSY 2400 – Operating Systems Security
Chapter 1
Keeping Computers and Networks Secure
Operating Systems Security - Chapter 1
Keeping Computers and Networks Secure
Chapter Overview
In this chapter, you will be introduced to Operating System and Network Security, from the
viewpoint that such security is vital, and to careers in information security. You will learn about the
cost of security and the cost of not having it. Also, you will learn about common types of attacks
from viruses to denial-of-service attacks, and spoofing. Finally, you will discover the basics of
important techniques used to guard against attacks on operating systems and on networks.
Learning Objectives
After reading this chapter and completing the exercises you will be able to:
1) Explain what Operating System and Network Security means
2) Discuss why security is necessary
3) Explain the cost factors related to security
4) Describe the types of attacks on operating systems and networks
5) Discuss system hardening, including features in operating systems and networks that enable hardening
Lecture Notes
What is Operating System and Network Security?
Operating system and network security is the ability to reliably store, modify, protect, and grant
access to information, so that the information is available only to its owners and to users who are
authorized to access it, based on their roles in an organization. The designated users may be the
general public, or they may be users determined by a company policy or specified by the owner of
the information.
Operating Systems and Security
An operating system (OS) provides basic programming instructions to the computer hardware. An
operating system is ideal for providing security because it takes care of the computer’s most basic
input/output (I/O) functions, which enable other programs to easily talk to the computer hardware,
and permit the computer user to access a network. By serving as an interface between applications
software and hardware, an operating system performs the following tasks:
 Handles input from a keyboard, pointing device, and network.
 Handles output to the display monitor, printer, and network
 Enables communications through a modem or other communications adapter
Michael Palmer, GUIDE TO Operating Systems Security
Thompson/Course Technology ©2004
Page 1
ISBN: 0-619-16040-3
 Controls input/output for all of its devices, including the network interface card
 Manages information storage and retrieval, through devices such as hard disks and CD-ROMs
 Enables multimedia functions, such as accessing video clips and playing music
At every level of operation, the operating system has the potential to provide security functions. For
example, the operating system can provide security to determine how the hard disk drive is accessed
or how software can control hardware functions. Figure 1-1 on page 4 of the text shows how an
operating system functions as an interface between the user, application software, and hardware. It
also shows the most basic operating system components:
 The application programming interface (API) translates requests from the application into
code that the kernel can understand and pass on to the hardware device drivers.
 The basic input/output system (BIOS) verifies hardware and establishes basic
communications with components such as the monitor and disk drives.
 The operating system kernel coordinates operating system functions, such as control of
memory and storage.
 Resource managers manage computer memory and central processor use.
 Device drivers take requests from the API via the kernel and translate them into commands
to manipulate specific hardware devices, such as keyboards, monitors, disk drives, and
printers.
One of the most basic forms of security is to configure the BIOS password security.
Some common password options offered in the BIOS are as follows:
 Setting a password that governs access to the hard disk drive
 Setting a password for access to the BIOS setup or to view the setup
 Establishing a special password that must be used to change the BIOS setup
 Specifying a password that must be entered in order for the computer to boot
 Specifying that the computer can only be booted from the floppy drive,
and only when a password is entered for that drive
Computer Networks and Security
A computer network is a system of computers, print devices, network devices, and computer
software linked by communications cabling or wireless technology. A local area network (LAN)
consists of interconnected computers, printers, and other computer equipment that share hardware
and software resources in close physical proximity. One example of a LAN is a library building in
which there are computers in each office, servers in a secured computer room, and reference
computers in the book stacks and study areas, all connected by communications cable and network
devices.
A metropolitan area network (MAN) spans a greater distance than a LAN and usually has more
complicated networking equipment for midrange communications. A wide area network (WAN) is at
the far end of the distance spectrum because it is a far-reaching system of networks that form a
complex whole. One WAN is composed of two or more LANs or MANs that are connected across a
distance of more than approximately 30 miles. Another way to classify a network is as an enterprise
network. This type of network connects many different kinds of users in one organization or
throughout several organizations, providing a variety of resources to those users, as shown in Figure
1-2 on page 6 of the text.
Careers in Information Security
Many organizations, for example investment firms, accounting firms, and telecommunications
companies, rely on information security professionals to keep their systems and data resources safe.
Information security professionals are also used by computer consulting and financial auditing
companies to evaluate the security needs of their clients. One advantage of a career as an
information security professional is the potential for healthy salaries and organizational
advancement.
Why Security Is Necessary
Security is necessary because computer systems and networks house a wide range of information and
resources. Some of the reasons can be grouped under the following headings:
 Protecting information and resources
 Ensuring privacy
 Facilitating workflow
 Addressing security holes and software bugs
 Compensating for human error or neglect
Protecting Information and Resources
Computer systems are often loaded with information and resources to protect. In a business these
may include accounting, human resources, management, sales, research, inventory, distribution,
factory, and research system information.
The computers at educational institutions house all kinds of resources, sometimes divided into
academic computing and administrative resources. Academic computing resources include research
databases, computers and software in student laboratories, class information and assignments, and
computers used for highly technical projects. Administrative computing involves student information
and registration resources, accounting and human resources systems, budget systems, grant
management software, and alumni and development systems. Governments are a huge source of
computer and electronic information resources, including military, legislative, judicial, executive,
and personal information.
Ensuring Privacy
Computer systems contain many kinds of information about us that should be kept private. Some
examples are:
 Social Security numbers
 Credit card numbers
 Health information
 Student information
 Retirement account information
 Bank account numbers
 Family information
 Employment information
 Investment account information
Facilitating Workflow
Workflow consists of a chain of activities that are necessary to complete a task, such as filling out
and transmitting forms, entering data, updating databases, and creating new files. In a larger
company, a chain of activities might be performed by several people, each responsible for a
different task, such as a computer operator, a data entry person, and others. Security is important
at every step in the workflow. If a step is compromised because of a security problem, then an
organization may lose money, data, or both.
Addressing Security Holes or Software Bugs
Often new products that are rushed to market contain security holes or are unstable because they
have not been fully tested. Some new operating systems have come out with Internet access
security holes, bugs that have caused unexpected system crashes, new commands that do not work
properly, undocumented commands, and other problems.
When you purchase a new operating system, new software, or new hardware, plan to rigorously
test it for security and reliability. Also, check the security defaults, such as the guest account, to
make sure you know how they are configured out of the box. Another source of problems is system
patches that are rushed out before they are fully tested.
Compensating for Human Error or Neglect
The security features of an operating system or a network are only as effective as the people who
configure and use them. An operating system or network-based directory service may include many
security features, but the features do no good if users fail to implement them, or fail to use them to
the best advantage.
A directory service is a large repository of data and information about resources such as computers,
printers, user accounts, and user groups that
1) provides a central listing of resources and ways to quickly find resources, and
2) provides a way to access and manage network resources.
Active Directory (AD) is a directory service provided through Windows Server 2000, 2003, & 2008.
Novell Directory Services (NDS) is offered through NetWare 6.x.
There are many reasons for the failure to fully use security features, including:
 Inadequate training or knowledge of the features
 Choosing convenience and ease of use over security
 Lack of time
 Organizational politics
 Improper testing
 A history of doing things only in a specific way
There are several ways to overcome the human factors that diminish security in an organization.
One way is to use operating systems that enable the organizations to set up security policies within
the system. Developing written security policies is another way to ensure that people in the
organization know the policies and why they are important. Training is another approach that can
help limit human failure and neglect.
Cost Factors
There are two costs associated with security: the cost of deploying security, and the cost of not
deploying security. If you take no security measures, you will eventually lose money and data
because of a failed system or because of an attack on a system. The cost of deploying security
includes:
 Training computer professionals
 Training users
 Paying a little more for systems that have comprehensive security features
 Purchasing third-party security tools
 Paying for time used by computer professionals and users to configure security
 Testing system security
 Regularly implementing security patches in systems
Deploying security is one element in the total cost of ownership (TCO) of a computer system. The
TCO of a computer network is the total cost of owning the network and computers, including
hardware, software, training, maintenance, security, and user support costs.
Types of Attacks
There are many kinds of attacks on computers, some targeted at operating systems, some at
networks, and some at both. Some typical attacks include:
 Standalone workstation or server attacks
 Viruses, worms, and Trojan horses
 Source routing attacks
 E-mail attacks
 Wireless attacks
 Attacks enabled by access to passwords
 Buffer attacks
 Spoofing
 Port scanning
Standalone Workstation or Server Attacks
One of the simplest ways to attack an operating system is to take advantage of someone’s logged-on
computer when that person is not present. Many operating systems enable you to configure a screen
saver that starts after a specified time of inactivity. Sometimes even servers are targets, because a
server administrator or operator may step away, leaving an account with administrator permissions
logged on for anyone to use.
Attacks Enabled by Access to Passwords
Access to operating systems can be guarded by a user account name and a password. Sometimes
account users defeat the purpose of this protection by sharing their passwords with others. Another
way that users defeat password protection is by writing down passwords and displaying them, or
leaving them where they can be found in the work area.
Telnet is a TCP/IP application protocol that provides terminal emulation services over a network or
the Internet, as shown in Figure 1-4 on page 15 of the text. If an attacker is generally searching for
an account to access, they might use the Domain Name System on a network connected to the
Internet, to find possible user account names. The Domain Name System (DNS) is a TCP/IP service
that converts a computer or domain name to an IP address, or an IP address to a computer or
domain name, in a process called resolution.
Viruses, Worms, and Trojan Horses
A Virus is a program that is relayed by a disk or a file and has the ability to replicate throughout a
system. A virus hoax is not a virus, but an e-mail falsely warning of a virus. A Worm is a program
that endlessly replicates on the same computer, or that sends itself to many other computers on a
network. The difference between a worm and a virus is that a worm continues to create new files,
while a virus infects a disk or file and then that disk or file infects other disks or files with the virus.
A Trojan horse is a program that appears useful and harmless, but instead does harm to the user’s
computer. Often a Trojan horse is designed to provide an attacker with access to the computer on
which it is running, or it may enable the attacker to control the computer. Backdoor.IRC.Yoink,
Trojan.Idly, B02K, and NetBus are examples of Trojan horses designed to provide malicious access
and control of an operating system.
Buffer Attacks
Many systems use buffers to store data until it is ready to be used. A buffer attack is one in which
the attacker tricks the buffer software into storing more information in a buffer than the buffer is
sized to hold (a situation called buffer overflow). That extra information can be malicious software
that then has access to the host computer.
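The overflow pattern described above, beside a hardened version of the same copy, as an added example that is not part of the text or of the Palmer book. The struct layout, the NAME_LEN size and the sample inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* room for 15 characters plus the terminating NUL */

/* A request record: the flag sits immediately after the buffer, so an
 * overflow of name[] spills into is_admin (constructed layout for the demo). */
struct login_request {
    char name[NAME_LEN];
    int  is_admin;
};

/* Vulnerable pattern: strcpy() trusts the caller and keeps writing past the
 * end of name[] when the input is longer than NAME_LEN - 1 characters. This
 * is the "buffer attack" the chapter describes; it is shown only for
 * contrast and is never called with oversize input here. */
void copy_unchecked(struct login_request *req, const char *input)
{
    strcpy(req->name, input);
}

/* Hardened pattern: bound the length scan to the buffer size, refuse input
 * that would not fit, and terminate the copy explicitly. Returns 0 on
 * success and -1 when the input is rejected. */
int copy_checked(struct login_request *req, const char *input)
{
    /* memchr() looks at most NAME_LEN bytes, so an unterminated or oversize
     * input cannot make this scan run past what the buffer could hold. */
    const char *nul = memchr(input, '\0', NAME_LEN);
    if (nul == NULL)
        return -1;                 /* no terminator within NAME_LEN: too long */
    size_t len = (size_t)(nul - input);
    memcpy(req->name, input, len + 1);   /* copies the NUL as well */
    return 0;
}

/* Process one request with the hardened copy. Returns the is_admin flag the
 * record ends up with (always 0 for a well-formed request) or -1 when the
 * input was rejected, so the caller can log a malformed request. */
int process_request(const char *input)
{
    struct login_request req;
    memset(&req, 0, sizeof req);
    if (copy_checked(&req, input) != 0)
        return -1;
    return req.is_admin;
}

int main(void)
{
    const char *inputs[] = { "alice", "exactly15chars!", "sixteen-char-str" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int r = process_request(inputs[i]);
        printf("%-18s -> %s\n", inputs[i], r < 0 ? "rejected (too long)" : "accepted");
    }
    return 0;
}
```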
Denial of Service
A denial of service (DoS) attack is used to interfere with normal access to a network host, Web
site, or service, by flooding a network with useless information or with frames or packets containing
errors that are not identified by a particular network service. A remote attack might take the form
of simply flooding a system with more packets than it can handle. Ping is a utility that network
users and administrators frequently use to test a network connection. A different type of remote
attack is the use of improperly formed packets or packets with errors.
In some attacks, the computer originating the attack causes several other computers to send attack
packets. The attack packets may target one site or host, or multiple computers may attack multiple
hosts. This type of attack is called a distributed denial of service (DDoS) attack.
Source Routing Attacks
In source routing, the sender of a packet specifies the precise path that the packet will take to
reach its destination. Source routing is not typically used in network communications, except on
token ring networks and for network troubleshooting.
In a source routing attack, the attacker modifies the source address and routing information to
make a packet appear to come from a different source, such as one that is already trusted for
communications on a network. Network Address Translation (NAT) can translate an IP address
from a private network to a different address used on a public network or the Internet, a technique
used to protect the identity of a computer on a private network from attackers, as well as to bypass
the requirement to employ universally unique IP addresses on the private network. Attackers may
get through a specific NAT device by using a form of source routing called loose source record
route (LSRR), which does not specify the complete route for the packet, but only a portion of the
route, which is through the NAT device.
Spoofing
In spoofing, the address of the source computer is changed to make a packet appear to come from a
different computer. Using spoofing, an attacker can initiate access to a computer or can appear as
just another transmission to a computer from a legitimate source that is already connected.
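The source-routing and spoofing checks a border device could apply to incoming packets, covering both the source routing attack and the spoofing sections above, as an added example that is not part of the text. It assumes the private network behind NAT is 192.168.10.0/24 (a constructed value), inspects only the IPv4 header, and uses the standard option type codes from RFC 791; the sample packets are constructed.

```c
#include <stdint.h>
#include <string.h>
/* IPv4 option type codes from RFC 791. */
#define IPOPT_EOL   0     /* end of option list */
#define IPOPT_NOP   1     /* no operation (single byte) */
#define IPOPT_LSRR  131   /* loose source and record route */
#define IPOPT_SSRR  137   /* strict source and record route */

enum verdict { ACCEPT = 0, DROP_SOURCE_ROUTE, DROP_SPOOFED_SOURCE, DROP_MALFORMED };

/* Walk the options area that follows the fixed 20-byte header. Any source
 * route option is a hit; so is a malformed option, because a border filter
 * should fail closed rather than guess. */
static int has_source_route_option(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= len)
            return 1;                       /* length byte missing */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len)
            return 1;                       /* option runs past the header */
        if (type == IPOPT_LSRR || type == IPOPT_SSRR)
            return 1;
        i += olen;
    }
    return 0;
}

/* The private network behind the NAT device, 192.168.10.0/24 (constructed for
 * this example). A packet from the public side must never claim a source inside it. */
static int is_internal_address(uint32_t addr)
{
    return (addr & 0xFFFFFF00u) == 0xC0A80A00u;
}

/* Inspect a raw IPv4 packet received on the public-facing interface. */
enum verdict inspect_external_packet(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;    /* header length in bytes */
    if (ihl < 20 || ihl > len)
        return DROP_MALFORMED;
    uint32_t src = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16) |
                   ((uint32_t)pkt[14] << 8)  |  (uint32_t)pkt[15];
    if (is_internal_address(src))
        return DROP_SPOOFED_SOURCE;
    if (ihl > 20 && has_source_route_option(pkt + 20, ihl - 20))
        return DROP_SOURCE_ROUTE;
    return ACCEPT;
}

/* Build a minimal header carrying only the fields the filter reads: version,
 * IHL, source address and options. optlen must be a multiple of 4. */
static size_t build_packet(uint8_t *out, uint32_t src, const uint8_t *opts, size_t optlen)
{
    size_t ihl = 20 + optlen;
    memset(out, 0, ihl);
    out[0]  = (uint8_t)(0x40 | (ihl / 4));
    out[12] = (uint8_t)(src >> 24); out[13] = (uint8_t)(src >> 16);
    out[14] = (uint8_t)(src >> 8);  out[15] = (uint8_t)src;
    if (optlen)
        memcpy(out + 20, opts, optlen);
    return ihl;
}

/* Constructed sample packets so the filter can be exercised offline:
 * 0 = ordinary packet from 203.0.113.5; 1 = same source with an LSRR option
 * (type 131, length 7, pointer 4, one hop, EOL padding); 2 = packet from the
 * public side claiming source 192.168.10.7; 3 = 10-byte fragment, too short. */
enum verdict verdict_for_sample(int which)
{
    static const uint8_t lsrr[8] = { IPOPT_LSRR, 7, 4, 192, 168, 10, 1, IPOPT_EOL };
    uint8_t pkt[60];
    size_t n;
    switch (which) {
    case 0:  n = build_packet(pkt, 0xCB007105u, NULL, 0); break;
    case 1:  n = build_packet(pkt, 0xCB007105u, lsrr, 8); break;
    case 2:  n = build_packet(pkt, 0xC0A80A07u, NULL, 0); break;
    default: n = 10; memset(pkt, 0x45, n);                break;
    }
    return inspect_external_packet(pkt, n);
}
```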
E-mail Attack
An e-mail attack may appear to come from a friendly or even trusted source: a familiar company, a
family member, or a coworker. Sometimes an e-mail is sent with an appealing subject head, such as
“Congratulations you’ve just won free software.” The e-mail that is received may have an attached
file containing a virus, worm, or Trojan horse. A word-processing or spreadsheet attachment may
house a macro that contains malicious code.
Port Scanning
Communications through TCP/IP use TCP ports, or UDP ports when User Datagram Protocol (UDP) is
used with IP. A TCP port or UDP port is an access way, sometimes called a socket, in the protocol
that is typically associated with a specific service, process, or function. A port is like a virtual
circuit between two services or processes communicating between two different computers or
network devices. The services might be FTP, e-mail services, or many others. There are 65,535
ports in TCP and UDP.
NOTE: Communications on a TCP/IP network may involve UDP instead of TCP. TCP is a
connection-oriented protocol used by systems that need more thorough error checking during
communications. UDP is a connectionless protocol, which means it does not provide error
checking to ensure the success of a communication. UDP may be used to remotely boot
diskless workstations, or it may be used in conjunction with protocols that help troubleshoot a
network.
Examine Table 1-1 on page 19 of the text, which lists some sample TCP ports and their purposes.
One way to block access through an open port is to stop operating system services or processes that
are not in use, or to configure a service only to start manually with your knowledge. Figure 1-5 on
page 20 of the text illustrates the use of the kill command in Red Hat Linux 9.x to stop the gain
process, which is identified with the process ID of 1533.
NetWare uses NetWare Loadable Modules (NLMs), which extend the capabilities and services of the
operating system. For good security management, it is important to know what NLMs are loaded and
how to unload NLMs that are not necessary.
There are three NLMs that enable a workstation to remotely access the NetWare system console.
REMOTE.NLM enables remote access, which requires a password. RS232.NLM gives the REMOTE.NLM
module the ability to work over a modem connection, and RSPX.NLM enables remote access over a
local network connection.
Wireless Attacks
Wireless networks are particularly vulnerable to attacks, because it can be hard to determine when
someone has compromised a wireless network. Attacks on wireless networks are sometimes called
war-drives, because the attacker may drive around an area in a car, using a portable computer to
attempt to pick up a wireless signal. Two key elements used in wireless attacks are a wireless
network interface card (WIC) and an omnidirectional antenna, which is one that receives signals
from all directions.
Organizations That Help Prevent Attacks
There are several public organizations that provide information, assistance, and training in the types
of attacks and how to prevent them.
Quick Reference
Discuss the list of organizations that can help prevent attacks on
pages 21 and 22 of the text.
Hardening Your System
Hardening involves taking specific actions to block or prevent attacks by means of operating system
and network security methods.
Quick Reference
Discuss the general steps that should be kept in mind as you work to
harden a system shown on page 23 of the text.
Overview of Operating System Security Features
Operating systems provide many features for hardening a system. This section provides a basic
introduction to some of these features:
 Logon security
 File and folder security
 Security policies
 Wireless security
 Digital certificate security
 Shared resource security
 Remote access security
 Disaster recovery
Logon Security
Logon security involves requiring a user account and password to access a particular operating
system or to be validated to access a network through a directory service. A domain is a
fundamental component or container that holds information about all network resources that are
grouped within it: servers, printers, and other physical resources, users, and user groups. Every
resource is called an object and is associated with a domain, as illustrated in Figure 1-7 on page 24
of the text.
Digital Certificate Security
In some operating systems, digital certificate services can be set up so that certificates are
exchanged between communicating stations on a network. The certificates are used to verify the
authenticity of the communication, to ensure that the communicating parties are who they say they
are.
Folder and File Security
Operating systems provide a way to protect directories, folders, and files through lists of users and
user groups that have permissions to access these resources. Attributes can also be associated with
directories, folders, and files to manage access and support the creation of backups. An attribute is
a characteristic or marker associated with a directory, folder, or file, and used to help manage
access and backups.
Shared Resources Security
Operating systems and network directory services offer the ability to share resources across a
network. Directories or folders and network printers are two important examples of resources that
can be shared. Shared resources typically employ lists of users and groups that can and should be
configured. Figure 1-8 on page 26 of the text illustrates an access list for a shared printer in
Windows Server 2003.
Security Policies
A security policy is one or more security default settings that apply to a resource offered through
an operating system or a directory service. Depending on the operating system, the security policy
may apply only to the local computer or to other computers beyond the local computer. You can set
many security policies on servers, such as which users are allowed to log on to the server over a
network, and whether sharing specific resources is allowed.
Remote Access Security
The Remote Assistance feature of Windows XP Professional and Windows Server 2003 allows users to
access operating system resources remotely. Also, Windows Server 2003 can be administered using
the Remote Desktop Protocol (RDP) also known as the Remote Desktop Client, and NetWare 6.x
can be remotely accessed when the REMOTE.NLM is loaded.
Some operating systems can be configured for remote access services or virtual private network
(VPN) services, which enable users to access those systems and use them to further access a local
network. The remote client’s access may be from a local network, through a dial-up or
telecommunications line, via a cable modem, or over the Internet. A sampling of the types of
available security includes the list on page 27 of the text.
Wireless Security
There are several features available to help make communications more secure. First, plan to
implement Wired Equivalent Privacy (WEP), which is a wireless communications authentication
method. Another security feature offered by some wireless manufacturers is the ability to create a
list of authorized wireless users based on the permanent address assigned to the wireless interface in
a computer, the Media Access Control (MAC) address.
Disaster Recovery
Disaster recovery involves using hardware and software techniques to prevent the loss of data.
Some examples of disaster recovery include performing backups, storing backups in a second
location, and using redundant hard disks. Employing disaster recovery is vital when a hard disk is
damaged or crashes and must be replaced.
Quick Reference
Have students attempt Hands-on Project 1-9 to find out more about
the security features in Mac OS X.
Overview of Network Security Features
A sampling of network-hardening techniques includes:
 Authentication and encryption
 Topology
 Firewalls
 Monitoring
Authentication and Encryption
Authentication is the process of using some method to validate users who attempt to access a
network and its resources, in order to ensure that they are authorized. User accounts with
passwords are one method for performing authentication. Smart cards, which are small circuit
boards with built-in identification, are another method. Biometrics, such as fingerprint scans, are
yet another method of authentication.
Firewalls
A firewall is software or hardware placed between two or more networks, between a public
network and a private network, for example, that selectively allows or denies access.
Topology
Different network topologies and designs yield different results in terms of security planning and
hardening. For example, some networks have redundancy built in so that if one network path is
down because of a problem or network attack, another path is available to the same destination.
Monitoring
Monitoring involves determining the performance and use of an operating system or of a network.
Monitoring tools enable you to determine the weak points of a system or network and to address
them before there is a problem with too much traffic or too few resources, or before an attacker
strikes.
Class Discussion Topics
 Discuss the importance of ensuring privacy and what it takes to achieve it.
 Discuss the configuration options used in implementing network firewalls.
Additional Activities
 Utilize the Internet to search for different types of monitoring software and compare them.
 Utilize the Internet to search for different types of firewall software and compare them.