Security+ Guide to Network Security Fundamentals, 2e
Chapter 13
Advanced Security and Beyond
At a Glance
Instructor’s Notes

Chapter Overview

Chapter Objectives

Technical Notes

Lecture Notes

Quick Quizzes

Discussion Questions

Additional Activities
Instructor’s Notes
Chapter Overview
In this chapter, students will learn about the new and advanced areas of computer security. They will first study
computer forensics and how it can be used. Students will then examine some of the new types of defense
mechanisms that are available or will be ready shortly. Finally, students will survey the types of security careers and
the skills necessary to become a security professional.
Chapter Objectives
After reading this chapter, students will be able to:
- Define computer forensics
- Respond to a computer forensics incident
- Harden security through new solutions
- List information security jobs and skills
Technical Notes
HANDS-ON PROJECTS   HARDWARE DEVICES REQUIRED   OPERATING SYSTEM REQUIRED   OTHER RESOURCES
Project 13-1        Computer PC                 Windows XP                  Microsoft Office Suite
Project 13-2        Computer PC                 Windows XP                  Internet connectivity
Project 13-3        Computer PC                 Windows XP                  Internet connectivity
Project 13-4        Computer PC                 Windows XP                  Internet connectivity
Project 13-5        Computer PC                 Windows XP                  Internet connectivity
This chapter should not be completed in one class session. It is recommended that you split the chapter into at least
two class sessions, if possible. The subject matter can be covered in anywhere from 3 to 6 hours of class time, plus
any at-home exercises you wish to assign.
Lecture Notes
Understanding Computer Forensics
Computer forensics can attempt to retrieve information—even if it has been altered or erased—that can be used in
the pursuit of the criminal.
Quick Reference
Discuss the reasons why interest in computer forensics is heightened as
described on page 447 of the text.
Forensics Opportunities and Challenges
Computer forensics creates opportunities to uncover evidence that would be impossible to find using a manual
process. One reason that computer forensics specialists have this opportunity is due to the persistence of evidence.
Electronic documents are more difficult to dispose of than paper documents.
Quick Reference
Discuss the ways that computer forensics is different from standard
investigations as shown on pages 447 through 449 of the text.
Responding to a Computer Forensics Incident
Generally, responding to a computer forensics incident involves four basic steps similar to those of standard
forensics—secure the crime scene, collect the evidence, establish a chain of custody, and examine and preserve the
evidence.
Securing the Crime Scene
The physical surroundings of the computer should be clearly documented. Photographs of the area should be taken
before anything is touched. Cables connected to the computer should be labeled to document the computer’s
hardware components and how they are connected. The team takes custody of the entire computer along with the
keyboard and any peripherals.
Preserving the Data
The computer forensics team first captures any volatile data that would be lost when the computer is turned off and
moves the data to a secure location. This includes any data that is not recorded in a file on the hard drive or an image
backup, such as:
- Contents of RAM
- Current network connections
- Logon sessions
- Network configurations
- Open files
After retrieving the volatile data, the team focuses on the hard drive. A mirror image backup, also called a bitstream backup, is an evidence-grade backup because its accuracy meets evidence standards. Mirror image backups
are considered a primary key to uncovering evidence because they create exact replicas of the computer contents at
the crime scene.
Quick Reference
Discuss the criteria for mirror image backups as listed on pages 452 and 453 of
the text.
Establishing the Chain of Custody
As soon as the team begins its work, it must start and maintain a strict chain of custody. The chain of custody
documents that the evidence was under strict control at all times and no unauthorized person was given the
opportunity to corrupt the evidence.
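As an added illustration of the two steps above (this code is not part of the instructor's manual or the textbook), the following Python models a sector-by-sector bitstream copy of a constructed sample drive, verifies the copy against the original by hash as an evidence-grade accuracy check, and keeps a hash-linked chain-of-custody log that detects any entry altered after the fact. The sector size, the sample drive contents and the examiner names are all assumed values.

```python
import hashlib
import json

SECTOR = 512

# Constructed sample "drive": four sectors; sector 2 holds a deleted-file remnant that belongs
# to no file any more, so a file-by-file copy would miss it but a bitstream copy keeps it.
DISK = (b"BOOT".ljust(SECTOR, b"\x00")
        + b"report.doc: quarterly numbers".ljust(SECTOR, b"\x00")
        + b"[deleted] old-draft fragment".ljust(SECTOR, b"\x00")
        + b"\x00" * SECTOR)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def bitstream_copy(source: bytes) -> bytes:
    """Copy every sector in order, used or not; nothing is interpreted or skipped."""
    return b"".join(source[off:off + SECTOR] for off in range(0, len(source), SECTOR))

def verify_image(original: bytes, image: bytes) -> bool:
    """Evidence-grade check: the image must have the same length and hash as the original."""
    return len(image) == len(original) and sha256(image) == sha256(original)

class ChainOfCustody:
    def __init__(self):
        self.entries = []   # append-only; each entry commits to the previous entry's hash

    def record(self, who: str, action: str, evidence_hash: str, when: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"who": who, "action": action, "evidence": evidence_hash,
                 "when": when, "prev": prev}
        entry["entry_hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def intact(self) -> bool:
        """False if any entry was edited, dropped or reordered after being recorded."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev or sha256(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

if __name__ == "__main__":
    image = bitstream_copy(DISK)
    log = ChainOfCustody()
    log.record("examiner-1", "acquired bitstream image", sha256(image), "2024-01-01T09:00Z")
    print("image verified:", verify_image(DISK, image), "| custody intact:", log.intact())
```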
Quick Quiz
1. ___________, or the application of science to questions that are of interest to the legal profession, is not limited
to analyzing evidence from a murder scene, but can also be applied to technology. ANSWER: Forensic science
2. One reason that computer forensics specialists have certain opportunities is due to the persistence of
___________. ANSWER: evidence
3. ___________ the crime scene helps to document that the computer was working prior to the attack.
ANSWER: Securing
4. ___________ backups replicate all sectors of a computer hard drive, including all files and any hidden data
storage areas. ANSWER: Mirror image
5. The ___________ documents that the evidence was under strict control at all times and no unauthorized person
was given the opportunity to corrupt the evidence. ANSWER: chain of custody
Examining Data for Evidence
After a computer forensics expert creates a mirror image of a system, the original system should be secured and the
mirror image examined to reveal evidence. In short, all of the exposed data should be examined for clues. Hidden
clues can be mined and exposed as well. Microsoft Windows operating systems use a special file as a “scratch pad”
to write data when sufficient RAM is not available. This file is the Windows page file.
The steps taken by a computer forensics team are summarized in Table 13-1 on page 456 of the text. Another source
of hidden data is called slack. Windows computers use two types of slack. The first is RAM slack, which pertains
only to the last sector of a file: the unused remainder of that sector is padded with whatever happens to be in
memory. If additional whole sectors are needed to fill out the last cluster assigned to the file, a different type of
slack is created. This is known as file slack (sometimes called drive slack) because those sectors keep whatever data
was previously stored on the hard drive. File slack is illustrated in Figure 13-4 on page 455 of the text.
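To make the slack arithmetic concrete, here is an added example (not from the textbook or the instructor's manual) that computes the RAM slack and file slack of a file's last cluster, assuming 512-byte sectors and 4096-byte clusters, and models how file slack keeps whatever the cluster's previous occupant left behind. The leftover "PAYROLL" content and the 0xEE RAM padding are constructed sample values.

```python
SECTOR = 512
CLUSTER = 4096   # 8 sectors per cluster; assumed values matching common NTFS defaults

def slack_layout(file_size: int, sector: int = SECTOR, cluster: int = CLUSTER) -> dict:
    """Byte counts for the last cluster of a file: real data, RAM slack, file slack."""
    if file_size == 0:
        return {"clusters": 0, "data": 0, "ram_slack": 0, "file_slack": 0}
    clusters = -(-file_size // cluster)                 # ceiling division
    last_used = file_size - (clusters - 1) * cluster    # bytes of data in the last cluster
    ram_slack = (-last_used) % sector                   # pad to the end of the last data sector
    file_slack = cluster - last_used - ram_slack        # whole sectors that are never rewritten
    return {"clusters": clusters, "data": last_used,
            "ram_slack": ram_slack, "file_slack": file_slack}

def write_into_cluster(old_cluster: bytes, new_data: bytes, ram_pad: bytes) -> bytes:
    """Model writing a file smaller than one cluster over a cluster that held other data.

    The last data sector is padded with ram_pad (standing in for memory contents);
    the sectors after it are left exactly as they were on disk.
    """
    lay = slack_layout(len(new_data))
    if lay["clusters"] != 1:
        raise ValueError("this model handles a single-cluster file")
    pad = (ram_pad * (lay["ram_slack"] // len(ram_pad) + 1))[:lay["ram_slack"]]
    return new_data + pad + old_cluster[len(new_data) + lay["ram_slack"]:]

def carve_file_slack(cluster_bytes: bytes, file_size: int) -> bytes:
    """Bytes an examiner would recover from file slack behind a file of file_size bytes."""
    lay = slack_layout(file_size)
    return cluster_bytes[lay["data"] + lay["ram_slack"]:]

if __name__ == "__main__":
    old = (b"PAYROLL-2003 deleted record " * 200)[:CLUSTER]   # constructed leftover content
    cluster = write_into_cluster(old, b"A" * 1000, b"\xee")   # 1000-byte file, RAM pad 0xEE
    print(slack_layout(1000))   # {'clusters': 1, 'data': 1000, 'ram_slack': 24, 'file_slack': 3072}
    print(carve_file_slack(cluster, 1000)[:40])
```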
Hardening Security Through New Solutions
The number of attacks reported, the sophistication of the attacks, and the speed at which they spread continue to
grow. Defenders are responding to the increase in the level and number of attacks with new techniques and security
devices that help to defend networks and systems.
Quick Reference
Describe the characteristics of recent attacks as shown on pages 457 and 458 of
the text. Also, describe some of the most recent developments and
announcements as listed on pages 458 and 459 of the text.
Exploring Information Security Jobs and Skills
This section explores security jobs and the skills needed to perform in those roles.
Employment
The need for information security workers will continue to grow for the foreseeable future. Information security
personnel are in short supply, and those that are in the field are being rewarded well. Security budgets have been
spared the drastic cost-cutting that has plagued IT since 2001. One reason is that companies have recognized the
high costs associated with weak security and have decided that prevention outweighs cleanup. Computer forensics
specialists are critically needed.
Certification
Most industry experts agree that security certifications continue to be important. Preparing for the Security+
certification will help you solidify your knowledge and skills in cryptography, firewalls, and other important
security defenses.
Job Skills
This section examines some of the most important skills that are demanded of information security workers.
TCP/IP Protocol Suite
One of the most important skills is a strong knowledge of the foundation upon which network communications rests,
namely Transmission Control Protocol/Internet Protocol (TCP/IP). Understanding TCP/IP concepts helps effectively
troubleshoot computer network problems and diagnose possible anomalous behavior on a network.
Packets
Another important area of study concerns packets. No matter how clever the attacker is, they still must send their
attack to your computer in a packet. To recognize the abnormal, you must first understand what is normal.
Firewalls
Firewalls are essential tools on all networks and often provide a first layer of defense. Network security personnel
should have a strong knowledge of how firewalls work, how to create access control lists (ACLs) to mirror the
organization’s security policy, and how to tweak ACLs to balance security with employee access.
Routers
Routers form the heart of a TCP/IP network. Configuring routers for both packet transfer and packet filtering can
become very involved.
Intrusion-Detection Systems (IDS)
Security professionals should know how to administer and maintain an intrusion-detection system (IDS). The
capabilities of these systems have increased dramatically since they first were introduced, making them mandatory
for today’s networks. One problem with IDS is that it can produce an enormous amount of data that requires
checking.
Other Skills
A programming background is another helpful tool for security workers. Security workers should also be familiar
with penetration testing. Once known as “ethical hacking,” penetration testing probes the vulnerabilities in
systems, networks, and applications.
Computer Forensic Skills
In addition to basic computer and security skills, computer forensic specialists require an additional level of training
and skills.
Quick Reference
Discuss the additional level of training and skills as listed on page 462 of the
text.
Quick Quiz
1. ___________ can range from 100 million bytes to over a gigabyte and can be temporary or permanent,
depending on the version of Windows and settings selected by the computer user. ANSWER: Windows page files
2. ___________ slack pertains only to the last sector of a file. ANSWER: RAM
3. ___________ protects computers by recognizing when they are not acting normally. ANSWER: Behavior blocking
4. ___________ are essential tools on all networks and often provide a first layer of defense. ANSWER: Firewalls
5. ___________ probes the vulnerabilities in systems, networks, and applications. ANSWER: Penetration testing
Discussion Questions
1. Why is programming such a valuable tool for security workers?
2. Discuss several different strategies used for examining evidence.
Additional Activities
1. Have students observe normal traffic flow along a network and then activate a sniffer. Once the sniffer is in
place, have students chart the differences in network traffic.
2. Have students take a sample Security+ exam and discuss the results.