Sunday, July 27, 2014

Chapter 7: Secure Internet Access



This chapter focused on allowing Internet access in a secure manner.

This is done by putting in place controls that block access to restricted sites.  If browsers are allowed to connect to sites without any content control, they can be used as a vector for attacking the host system.  The consequences range from displaying unwanted or inappropriate content and pop-up ads, to using the web browser to compromise the host system, for example by subjecting it to a denial of service (DoS) attack that crashes or freezes the browser or the user's computer.

Common methods are to restrict access to selected websites by using the Restricted Zone in Internet Explorer and to use the Content Advisor software that is built into Windows XP.  It's important to refuse access to untrusted sites by changing Internet Explorer's default security level, which on its own is not sufficient to provide adequate security.  The Content Advisor uses published ratings to check and limit access to individual sites.

Another important security consideration for web browsing is the storage of cookies on the local system.  These text files are saved on the hard drive and can be used by the websites that set them to record information about the user.

When transferring sensitive or confidential information, it's important to use the Secure Sockets Layer (SSL) protocol.  This protocol, indicated by HTTPS at the start of the site address, lets the user verify the owner of a site through a digital certificate issued by a recognized certificate authority.  This assures the user that the website is secure, and provides authentication as well as message privacy and integrity.

When using a wireless access point, a user who fails to connect in a secure manner is open to interception and theft of data.  While the text talks about using the Wired Equivalent Privacy (WEP) protocol to ensure that Wi-Fi connections are secure, this is actually risky, as WEP passphrases are easily discovered.  More modern security protocols such as Wi-Fi Protected Access (WPA2) use longer and more complex passphrases, giving better security.

Sunday, July 20, 2014

Chapter 6: Incident Response

This chapter covers basic incident triage.  It first defines an incident as it relates to computer and network security, and then goes into detail on the proper and effective response to a security incident.

The course text defines an incident as "the occurrence of an event or series of events that threatens the security of a computer or computers.  It can occur when one user tries to connect to another user for the purpose of data and resource sharing, or when a hacker tries to gain undue advantage of resources of a computer over the Internet illegally.  It also includes system crashes, which may have been caused by virus attacks, or unauthorized use of another user's account."  The text goes on to mention that these events can also include external incidents such as fire, flood, electrical outages or excessive heat.

When responding to an incident, it's important to follow a minimal set of steps, which together are known as the incident response:

1 - Keep track of the events or activities that have occurred;
2 - Analyze what occurred in order to determine the extent of any possible damage;
3 - Determine the provenance of the issue (find out how it happened);
4 - Determine what steps should be taken in future to prevent similar attacks.

There are many common vectors for attack, including the Trojan attack and the Boot Sector virus attack.

Trojan attacks are often transmitted by opening an infected email attachment.  In the case of a Trojan attack, the text shows how to respond to the infection by editing the system registry so as to prevent the Trojan from running.  This is accomplished by removing the entry for the executable file that contains the malware, and then removing the registry entry that starts that file automatically.

In the boot sector attack, the virus, which is obtained by downloading files from a compromised access point, is named in the text as FORMS.  This infection is dealt with by booting from a floppy disk containing a minimal system image, and then rebuilding the boot sector using the DOS FDISK command.  It's vital to remember that you must use the /mbr switch so that only the master boot record is rebuilt and the hard drive is not reformatted!

The text does contain a procedural error: the reader is told to set the initial boot device to the hard drive in the system BIOS.  This will in fact cause the system to boot from the infected media, even if a floppy disk (or, in the modern day, an optical or flash drive) containing an uninfected operating system is inserted.  The system BIOS needs to be set to try the floppy, optical or flash device before trying to boot from the infected hard drive.

While there are software programs that can automatically repair the damage done by these attacks, a professional needs to be aware of these manual methods of effecting a repair.

The text goes on to describe an attack in which the home page setting in the user's web browser has been changed, and shows how to edit the registry to restore the correct setting for Internet Explorer.  This is done by deleting the Default_Page_URL value located in the Internet Explorer key in the registry editor.  The point is made that the page opened when Internet Explorer starts can also be changed from inside the browser.

Although modern and arguably more popular browsers such as Google Chrome and Mozilla Firefox are not discussed, their home pages can likewise be changed from inside the browser software.

The text continues by discussing how to back up, export and restore a corrupted system registry.  The ability to restore a previously made backup can easily fix the types of virus attacks that target the registry.  The text, using the procedure from Windows XP, states that the registry is backed up via an applet available from the Accessories/System Tools menu.  While this may have been true for XP (my memory does not support this, and I no longer have a copy of XP to check), it will not work in Windows 7.  The only way to back up and export the registry in Windows 7 is through REGEDIT.

In my opinion, the text wrongly conflates the exporting and importing of the system registry with the action of creating and restoring a system restore point.  In Windows 7, this is done by clicking on the Start button, right-clicking on Computer and selecting Properties.  You then click on the System Protection applet to create a restore point.  Existing restore points can be reapplied by using the applet on the Accessories/System Tools menu as stated in the text.

The chapter concludes with the example of an incident in which a compact disc is inserted into a machine and the disc runs automatically, installing an autorun.inf virus.  While the text describes how to change the system registry so that the AUTORUN feature in Windows XP no longer runs automatically, it does not address recovering from the damage that such a virus might cause.

In Windows 7, things get a little more confusing with the introduction of the AutoPlay feature alongside AutoRun.

Microsoft's website says that:  "AutoPlay is a Windows feature that lets you choose which program to use to start different kinds of media, such as music CDs, or CDs or DVDs containing photos. For example, the first time you try to play a music CD, AutoPlay asks which media player you want to use, if you have more than one installed on your computer. You can change AutoPlay settings for each media type.

"Autorun is a technology used to start some programs or enhanced content (such as video content on a music CD) automatically when you insert a CD or another media type into your computer. This is different from AutoPlay, but the result is often the same: when inserted, the CD starts automatically, using a particular program. Autorun is incorporated into the media types that use it, and you can't modify it.

"Autoplay and Autorun are two different features of Windows. Disabling Autoplay from Control Panel and making changes in the system registry to set NoDriveTypeAutoRun key to FF does not change the Autorun behavior.

"When you try to play a CD or another media type that uses autorun, AutoPlay asks you to choose an action to perform (for example, to play the autorun content or to skip it)."

If Windows performs any task automatically when you connect an external device, then AutoPlay is enabled.

AutoPlay in Windows 7 can be disabled by clicking the Start button, typing "gpedit.msc" into the search box, and clicking the result to open the Group Policy Editor snap-in.

Expand Administrative Templates/Windows Components/AutoPlay Policies in that order, then double-click "Turn off Autoplay".  Click Enabled, then select All drives so that the setting applies to every drive, and finally click OK.

After restarting your computer, AutoPlay is disabled in Windows 7.
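The registry locations this chapter walks through (the Run entry a Trojan uses to start automatically, the Internet Explorer start page value, a registry backup taken before editing, and the NoDriveTypeAutoRun value the AutoPlay policy sets) can all be checked from PowerShell on Windows 7 or later. The script below is an added example, not code from the course text or this post; it uses reg.exe export (the command-line counterpart of REGEDIT's File > Export) and assumes C:\RegBackup as the backup folder.

```powershell
# Added example, not from the course text or this post: audit the registry
# locations discussed in the chapter and back them up first. Run from an
# elevated PowerShell prompt on Windows 7 or later. $BackupDir is an assumed path.
$BackupDir = 'C:\RegBackup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Export the keys before editing them. reg.exe export is the command-line
#    counterpart of REGEDIT's File > Export; restore later with: reg.exe import <file>
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
reg.exe export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' "$BackupDir\HKLM-Run-$stamp.reg" /y | Out-Null
reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' "$BackupDir\HKCU-Run-$stamp.reg" /y | Out-Null

# 2. List the autostart (Run) entries a Trojan relies on to start again after a reboot.
#    Review each one; remove an entry only once the file it points to is confirmed malicious.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |        # skip the provider's PS* metadata
            ForEach-Object { '{0,-5} {1,-30} {2}' -f $key.Split(':')[0], $_.Name, $_.Value }
    }
}
# Removal of a confirmed-bad entry (the name is a placeholder):
# Remove-ItemProperty -Path $runKeys[1] -Name 'SUSPECT_ENTRY_NAME'

# 3. Show the Internet Explorer start page values a home page hijacker changes.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
Get-ItemProperty -Path $ieMain | Select-Object 'Start Page', 'Default_Page_URL'

# 4. Verify the AutoPlay policy. NoDriveTypeAutoRun = 0xFF is the value the gpedit
#    "Turn off Autoplay" setting writes for All drives; enforce it if it is not set.
$policyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$current = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($current -ne 0xFF) {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey | Out-Null }
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    "NoDriveTypeAutoRun was '$current'; now 0xFF (takes effect after logoff or restart)"
} else {
    'NoDriveTypeAutoRun is already 0xFF'
}
```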

This chapter was another well-explained lesson, but it was hampered by procedural errors and by illustrations based on an out-of-date operating system.

Sunday, July 13, 2014

Chapter 5: Security Threats and Attacks

This chapter dealt with the common threats and attacks that computer users are likely to encounter.  These include social engineering and phishing threats; viruses, worms and Trojan horses; and denial of service attacks.

Social engineering is defined as a process whereby con artists try to get users to inadvertently reveal data that can then be used against networks or systems.  This might be done by getting the user to respond to a spammy advertisement promising what it could never deliver, or by inducing the user to click on an email attachment that then sends spam to everyone in their email address book.  Other attacks along this line include "shoulder surfing", which involves peering over the user's shoulder in an attempt to discover useful data such as login IDs and passwords, or bank account credentials.

Phishing is along the same lines, but here the attackers try to trick the user into handing over sensitive personal or financial data such as website login credentials or other confidential information.

A common ploy is an email supposedly from an online shopping or payment service such as eBay, PayPal or Amazon that attempts to get the user to go to a "lookalike" page and enter their credentials.  This opens the possibility of fraudulent purchases or financial transfers.

Viruses, worms and Trojan horses are spread by many different vectors, including email, web pages and peer to peer file sharing.

A Trojan horse looks innocent but contains malicious code, which can often create an entry point into the infected machine.  The infected machine might then be used to spread viruses, which are pieces of malicious code written to damage the host machine in some way.  This could be an action as simple as displaying the contents of a file such as "All your base are belong to us", corrupting or deleting system files or user data, or turning the machine into a "zombie" that can then infect other machines or be used as a mail relay point to send out massive amounts of spam.  Worms are similar in intent to viruses, but while viruses require the user to activate them, worms are self-replicating and require no user action once placed on the host system.  Worms can also be used to exhaust system resources.

A denial of service (DoS) attack is one that makes a system unavailable to its intended users.  This usually involves a loss of connectivity caused by consuming all available bandwidth or all the resources of a web server.  A distributed denial of service (DDoS) attack is carried out by "zombie" home computers that were compromised by a computer worm exploiting a weakness in those machines.  These legions of harnessed zombie machines can then be used to deny service on even the largest websites across the Internet.


Sunday, July 6, 2014

Chapter 4: Administering Windows Securely

This chapter discusses how to use common Windows commands to help secure the operating system.  Even though the text uses Windows XP examples and command structures, most of it still works with Windows 7.

Although I have been working with these concepts and commands for years, it was still nice to get a refresher and reminder.  It is important to be able to understand open ports on a computer and what they are used for.  Open ports can be used by an attacker to gain control of a vulnerable machine.

Another good tip was how to back up and restore the Windows registry in case of any problems.  This can help safeguard the machine in case of attack or subversion.

Reading and understanding the system event logs is also important.  It's nice to be able to figure out what is happening "under the hood" of a possibly infected computer.
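The open-port and event-log checks this chapter calls for can be done from a PowerShell prompt on Windows 7 using netstat -ano and Get-WinEvent, both of which exist on that version. The script below is an added example, not code from the course text or this post; it assumes an elevated prompt (so the Security log is readable) and that failed-logon auditing is enabled.

```powershell
# Added example, not from the course text or this post: map each listening TCP
# port to the process that owns it, then pull recent failed logons from the
# Security event log. Run from an elevated PowerShell prompt on Windows 7 or later.

# netstat -ano prints: Proto  Local Address  Foreign Address  State  PID
$listeners = netstat -ano |
    Where-Object { $_ -match '^\s*TCP\s' -and $_ -match 'LISTENING' } |
    ForEach-Object {
        $f = $_.Trim() -split '\s+'          # [0]=TCP [1]=local [2]=foreign [3]=state [4]=PID
        $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
        $path = if ($proc -and $proc.Path) { $proc.Path } else { '' }
        [pscustomobject]@{
            LocalAddress = $f[1]
            Port         = [int]($f[1] -replace '^.*:', '')   # handles 0.0.0.0:135 and [::]:135
            PID          = [int]$f[4]
            Process      = $name
            Path         = $path
        }
    }
# Anything bound to 0.0.0.0 or [::] is reachable from the network; review those first.
$listeners | Sort-Object Port | Format-Table -AutoSize

# Event ID 4625 = "An account failed to log on". Properties[5] is the target user name
# and Properties[19] the source address; a burst of these is worth investigating.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{ n = 'Account'; e = { $_.Properties[5].Value } },
                  @{ n = 'Source';  e = { $_.Properties[19].Value } } |
    Format-Table -AutoSize
```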