Download Instructor`s Manual to Accompany

yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Document related concepts

Piggybacking (Internet access) wikipedia, lookup

Wireless security wikipedia, lookup

Wake-on-LAN wikipedia, lookup

Distributed firewall wikipedia, lookup

Cracking of wireless networks wikipedia, lookup

Computer security wikipedia, lookup

Security+ Guide to Network Security Fundamentals, 2e
Chapter 13
Advanced Security and Beyond
At a Glance
Instructor’s Notes
Chapter Overview
Chapter Objectives
Technical Notes
Lecture Notes
Quick Quizzes
Discussion Questions
Additional Activities
Security+ Guide to Network Security Fundamentals, 2e
Instructor’s Notes
Chapter Overview
In this chapter, students will learn about the new and advanced areas of computer security. They will first study
computer forensics and how it can be used. Students will then examine some of the new types of defense
mechanisms that are available or will be ready shortly. Finally, students will survey the types of security careers and
the skills necessary to become a security professional.
Chapter Objectives
After reading this chapter, students will be able to:
Define computer forensics
Respond to a computer forensics incident
Harden security through new solutions
List information security jobs and skills
Technical Notes
Project 13-1
Project 13-2
Project 13-3
Project 13-4
Project 13-5
Computer PC
Computer PC
Computer PC
Computer PC
Computer PC
Windows XP
Windows XP
Windows XP
Windows XP
Windows XP
Microsoft Office Suite
Internet connectivity
Internet connectivity
Internet connectivity
Internet connectivity
This chapter should not be completed in one class session. It is recommended that you split the chapter into at least
two class sessions, if possible. The amount of subject matter to be covered can be covered in anywhere between a
3- to 6-hour period, plus any at-home exercises you wish to assign.
Lecture Notes
Understanding Computer Forensics
Computer forensics can attempt to retrieve information—even if it has been altered or erased—that can be used in
the pursuit of the criminal.
Quick Reference
Discuss the reasons why interest in computer forensics is heightened as
described on page 447 of the text.
Forensics Opportunities and Challenges
Computer forensics creates opportunities to uncover evidence that would be impossible to find using a manual
process. One reason that computer forensics specialists have this opportunity is due to the persistence of evidence.
Electronic documents are more difficult to dispose of than paper documents.
Security+ Guide to Network Security Fundamentals, 2e
Quick Reference
Discuss the ways that computer forensics is different from standard
investigations as shown on pages 447 through 449 of the text.
Responding to a Computer Forensics Incident
Generally, responding to a computer forensics incident involves four basic steps similar to those of standard
forensics—secure the crime scene, collect the evidence, establish a chain of custody, and examine and preserve the
Securing the Crime Scene
The physical surroundings of the computer should be clearly documented. Photographs of the area should be taken
before anything is touched. Cables connected to the computer should be labeled to document the computer’s
hardware components and how they are connected. The team takes custody of the entire computer along with the
keyboard and any peripherals.
Preserving the Data
The computer forensics team first captures any volatile data that would be lost when the computer is turned off and
moves the data to a secure location. This includes any data that is not recorded in a file on the hard drive or an image
backup, such as:
Contents of RAM
Current network connections
Logon sessions
Network configurations
Open files
After retrieving the volatile data, the team focuses on the hard drive. A mirror image backup, also called a bitstream backup, is an evidence-grade backup because its accuracy meets evidence standards. Mirror image backups
are considered a primary key to uncovering evidence because they create exact replicas of the computer contents at
the crime scene.
Quick Reference
Discuss the criteria for mirror image backups as listed on pages 452 and 453 of
the text.
Establishing the Chain of Custody
As soon as the team begins its work, it must start and maintain a strict chain of custody. The chain of custody
documents that the evidence was under strict control at all times and no unauthorized person was given the
opportunity to corrupt the evidence.
Security+ Guide to Network Security Fundamentals, 2e
Quick Quiz
___________, or the application of science to questions that are of interest to the legal profession, is not limited
to analyzing evidence from a murder scene, but can also be applied to technology. ANSWER: Forensic science
One reason that computer forensics specialists have certain opportunities is due to the persistence of
___________. ANSWER: evidence
___________ the crime scene helps to document that the computer was working prior to the attack.
ANSWER: Securing
___________ backups replicate all sectors of a computer hard drive, including all files and any hidden data
storage areas. ANSWER: Mirror image
The ___________ documents that the evidence was under strict control at all times and no unauthorized person
was given the opportunity to corrupt the evidence. ANSWER: chain of custody
Examining Data for Evidence
After a computer forensics expert creates a mirror image of a system, the original system should be secured and the
mirror image examined to reveal evidence. In short, all of the exposed data should be examined for clues. Hidden
clues can be mined and exposed as well. Microsoft Windows operating systems use a special file as a “scratch pad”
to write data when sufficient RAM is not available. This file is the Windows page file.
The steps taken by a computer forensics team are summarized in Table 13-1 on page 456 of the text. Another source
of hidden data is called slack. Windows computers use two types of slack. The first is RAM slack. RAM slack
pertains only to the last sector of a file. If additional sectors are needed to round out the block size for the last cluster
assigned to the file, then a different type of slack is created. This is known as file slack (sometimes called drive
slack) because the padded data that Windows uses comes from data stored on the hard drive. File slack is illustrated
in Figure 13-4 on page 455 of the text.
Hardening Security Through New Solutions
The number of attacks reported, the sophistication of the attacks, and the speed at which they spread continues to
grow. Defenders are responding to the increase in the level and number of attacks. New techniques and security
devices are helping to defend networks and systems.
Quick Reference
Describe the characteristics of recent attacks as shown on pages 457 and 458 of
the text. Also, describe some of the most recent developments and
announcements as listed on pages 458 and 459 of the text.
Exploring Information Security Jobs and Skills
You explore security jobs and the skills that are needed to perform in that role.
Security+ Guide to Network Security Fundamentals, 2e
The need for information security workers will continue to grow for the foreseeable future. Information security
personnel are in short supply, and those that are in the field are being rewarded well. Security budgets have been
spared the drastic cost-cutting that has plagued IT since 2001. One reason is that companies have recognized the
high costs associated with weak security and have decided that prevention outweighs cleanup. Computer forensics
specialists are critically needed.
Most industry experts agree that security certifications continue to be important. Preparing for the Security+
certification will help you solidify your knowledge and skills in cryptography, firewalls, and other important
security defenses.
Job Skills
This section examines some of the most important skills that are demanded of information security workers.
TCP/IP Protocol Suite
One of the most important skills is a strong knowledge of the foundation upon which network communications rests,
namely Transmission Control Protocol/Internet Protocol (TCP/IP). Understanding TCP/IP concepts helps effectively
troubleshoot computer network problems and diagnose possible anomalous behavior on a network.
Another important area of study regards packets. No matter how clever the attacker is, they still must send their
attack to your computer with a packet. To recognize the abnormal, you must first understand what is normal.
Firewalls are essential tools on all networks and often provide a first layer of defense. Network security personnel
should have a strong knowledge of how firewalls work, how to create access control lists (ACLs) to mirror the
organization’s security policy, and how to tweak ACLs to balance security with employee access.
Routers form the heart of a TCP/IP network. Configuring routers for both packet transfer and packet filtering can
become very involved.
Intrusion-Detection Systems (IDS)
Security professionals should know how to administer and maintain an intrusion-detection system (IDS). The
capabilities of these systems have increased dramatically since they first were introduced, making them mandatory
for today’s networks. One problem with IDS is that it can produce an enormous amount of data that requires
Other Skills
A programming background is another helpful tool for security workers. Security workers should also be familiar
with penetration testing. Once known as “ethical hacking,” penetration testing probes the vulnerabilities in
systems, networks, and applications.
Security+ Guide to Network Security Fundamentals, 2e
Computer Forensic Skills
In addition to basic computer and security skills, computer forensic specialists require an additional level of training
and skills.
Quick Reference
Discuss the additional level of training and skills as listed on page 462 of the
Quick Quiz
___________ can range from 100 million bytes to over a gigabyte and can be temporary or permanent,
depending on the version of Windows and settings selected by the computer user. ANSWER: Windows page
___________ slack pertains only to the last sector of a file. ANSWER: RAM
___________ protects computers by recognizing when they are not acting normally. ANSWER: Behavior
___________ are essential tools on all networks and often provide a first layer of defense. ANSWER: Firewalls
___________ probes the vulnerabilities in systems, networks, and applications. ANSWER: Penetration testing
Discussion Questions
Why is programming such a valuable tool for security workers?
Discuss several different strategies used for examining evidence.
Additional Activities
Have students observe normal traffic flow along a network and then activate a sniffer. Once the sniffer is in
place, have student chart the differences in network traffic.
Have students take a sample Security+ exam and discuss the results.