AS VIII

qbe89

see attached.

  • 3 years ago
files (2)

AS8.docx

Your assignment for this journal is to use what you learned throughout this course to prepare a vulnerability assessment related to information systems security. You can use the company where you work (do not use names) or a place where you worked in the past. If you work at a large corporation, simply prepare an assessment for your department. Cover the following topics in your vulnerability assessment:

  • Discuss the potential harm that can result from authorized individuals accessing company information.
  • Explain the impact if an unauthorized person gains access to the electronic company information.
  • Identify any regulations or guidelines the company must follow to help protect information.
  • Identify two areas where you think the company needs to improve information security.

Your journal entry must be at least 400 words in length. No references or citations are necessary.

Textbook

Boyle, R. J., & Panko, R. R. (2020). Corporate Computer Security (5th ed.). Pearson Education (US). https://online.vitalsource.com/books/9780135823354

UnitVIII.pdf

SEC 3302, Advanced IS Security

UNIT VIII STUDY GUIDE
Vulnerability Assessment and Incident Response

Course Learning Outcomes for Unit VIII

Upon completion of this unit, students should be able to:

3. Prepare vulnerability assessments related to information systems (IS) security.
   3.1 Prepare a vulnerability assessment for a health care facility.
   3.2 Determine potential impacts resulting from unauthorized access to a health care system.
   3.3 Identify the regulations associated with the health care market.

Required Unit Resources

Chapter 7: Host Hardening
Chapter 10: Incident and Disaster Response

In order to access the following resources, click the links below. You can access transcripts for the videos by clicking on the three dots below the video on the right, then clicking “Open transcript.”

Professor Messer. (2021, January 26). Vulnerability scans - SY0-601 CompTIA Security+ : 1.7 [Video]. YouTube. https://www.youtube.com/watch?v=j9BdMP8Buq8

Professor Messer. (2021, April 29). Incident response planning - SY0-601 CompTIA Security+ : 4.2 [Video]. YouTube. https://www.youtube.com/watch?v=G6W_JkImDdg

Professor Messer. (2021, April 29). Incident response process - SY0-601 CompTIA Security+ : 4.2 [Video]. YouTube. https://www.youtube.com/watch?v=fU_w8Ou9RVg

Unit Lesson

Introduction

In this unit, we will conclude our discussion of security hardening and then look at more advanced topics. We have learned quite a bit this term about exploits, vulnerabilities, access controls, auditing, and logs. Now that we are here, what is the next logical step in the security management process?

Host Hardening

First, let’s return to already well-trodden ground: hardening our systems. As the textbook notes, attackers are now so sophisticated, and their scanning so automated, that a server installed from its installation media and left at the vendor’s default settings can be under an attacker’s control within seconds of being connected to the network. That is an alarming prospect for an information technology (IT) professional. This unit also shows that it is not just servers that are at risk. Any device with an IP address is a host: it is reachable over the network and can therefore be probed, exploited, or infected with malware. Our vulnerable hosts include not only servers but also workstations, clients, routers, and firewalls, and all of them need to be protected. We have discussed host hardening in other units; it means protecting hosts by making them harder to break into and therefore less attractive targets. How you protect each host differs with the specifics of the host, but despite that variability, some basic rules apply to almost any device or software.

Security Baselines

We can also use security baselines to harden the network. A baseline is a documented, approved configuration that gives us a measurement to compare future findings against; it can be turned into a checklist of hardening steps, in the same way that performance baselines are the norm when diagnosing performance issues. Having both the checklist of actions to take and a known-good point of comparison makes diagnosis easier: a host that has drifted from the baseline is a host to look at. Disk images are sometimes used to replicate an exact installation and set of settings so that every installation is consistent and starts from a known-safe state. The textbook also addresses virtualization, which lets one physical device run multiple operating systems simultaneously while sharing its local resources; a hardened base image can then be cloned for each virtual machine.
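As an added example (not from the textbook or the course), the script below turns a baseline into a checklist and measures one host against it. The baseline items, their severities, and the observed host snapshot are all constructed for illustration; a real collector would gather the observed values from the host.

```python
"""Security baseline drift check.

Added example, not from the textbook or the course: the baseline items and
the observed host configuration are constructed to illustrate how a baseline
becomes a checklist that a host can be measured against.
"""
from dataclasses import dataclass
from typing import Any

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class BaselineItem:
    setting: str
    expected: Any
    check: str     # "eq": must equal, "min": at least, "max": at most, "subset": nothing beyond expected
    severity: str  # "high", "medium" or "low": how bad a deviation is


# Constructed baseline for a hardened server in this example.
SERVER_BASELINE = [
    BaselineItem("ssh_root_login", "no", "eq", "high"),
    BaselineItem("listening_services", {"ssh", "https"}, "subset", "high"),
    BaselineItem("password_min_length", 12, "min", "medium"),
    BaselineItem("lockout_after_failures", 5, "max", "medium"),
    BaselineItem("auto_updates", "enabled", "eq", "medium"),
]


def _conforms(item: BaselineItem, observed: Any) -> bool:
    """Apply the item's comparison rule to the observed value."""
    if item.check == "eq":
        return observed == item.expected
    if item.check == "min":
        return observed >= item.expected
    if item.check == "max":
        return observed <= item.expected
    if item.check == "subset":
        return set(observed) <= set(item.expected)
    raise ValueError(f"unknown check type {item.check!r}")


def check_host(observed: dict, baseline=SERVER_BASELINE) -> list:
    """Return one finding per baseline item the host fails, worst severity first.

    A setting the host did not report is also a finding: silence is not compliance.
    """
    findings = []
    for item in baseline:
        if item.setting not in observed:
            findings.append({"setting": item.setting, "severity": item.severity,
                             "expected": item.expected, "observed": None,
                             "reason": "not reported"})
        elif not _conforms(item, observed[item.setting]):
            findings.append({"setting": item.setting, "severity": item.severity,
                             "expected": item.expected, "observed": observed[item.setting],
                             "reason": "deviates from baseline"})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


# Constructed snapshot of one host, as a collection script might report it.
SAMPLE_HOST = {
    "ssh_root_login": "yes",
    "listening_services": {"ssh", "https", "telnet"},
    "password_min_length": 8,
    "lockout_after_failures": 5,
    # "auto_updates" is missing: the collector did not report it
}

if __name__ == "__main__":
    for f in check_host(SAMPLE_HOST):
        print(f"[{f['severity']}] {f['setting']}: expected {f['expected']!r}, "
              f"observed {f['observed']!r} ({f['reason']})")
```

Run against the constructed host, the report lists four findings: root SSH login enabled and an extra listening service (both high), a password minimum below the baseline, and the unreported auto-update setting. Treating a missing value as a finding rather than a pass is the design choice worth copying into any real baseline tool.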

Vulnerabilities and Patches

A vulnerability is most often thought of as a weakness in an application or other software, but the term covers any security weakness in a system or host on the network. Attackers are constantly trying to identify weaknesses to exploit, so we need to continually identify and apply the updates or patches that address them. Patches are usually fast to apply and prevent the worst kinds of damage, but they can also be problematic: vendors may release so many that keeping up is hard, and a patch can have unintended consequences such as reduced functionality or a system that freezes. That is why patches should be tested on representative systems before they are deployed broadly, and why their application needs to be tracked. Other fixes include workarounds (a configuration change that blocks the exploit without changing the code) and version upgrades. Service packs are large, cumulative updates deployed all at once; vendors of database servers, for example, have used them to distribute fixes.
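Tracking which hosts still need a patch is mostly a version-comparison problem, and the comparison is easy to get wrong. The script below is an added example, not from the textbook: the package names, advisories, and host inventory are constructed, and the point is that version strings must be compared component by component as numbers, since a plain string comparison says "13.10" is older than "13.4". It also keeps hosts with an interim workaround on the report, because a workaround does not change the version.

```python
"""Patch-gap report: which hosts run software below an advisory's fixed version.

Added example; the advisories and the host inventory are constructed. The
point is the version comparison: '13.10' is newer than '13.4', which a plain
string comparison gets wrong.
"""
import re

_COMPONENT = re.compile(r"(\d+)([A-Za-z]*)")


def parse_version(version: str) -> tuple:
    """Turn '2.4.51' or '1.1.1k' into a tuple that compares numerically per component.

    Each component becomes (number, letter_suffix), so 2.4.7 < 2.4.51 and
    1.1.1j < 1.1.1k. Anything else (e.g. '2.4.x') is rejected rather than guessed.
    """
    parts = []
    for piece in version.split("."):
        m = _COMPONENT.fullmatch(piece)
        if not m:
            raise ValueError(f"cannot parse version component {piece!r} in {version!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


# Constructed advisories: package -> first version that contains the fix.
ADVISORIES = {
    "webserver": "2.4.51",
    "tlslib": "1.1.1k",
    "dbserver": "13.4",
}

# Constructed inventory. "workaround" marks hosts where the vendor's interim
# mitigation was applied; that does not change the version, so they still show up.
INVENTORY = [
    {"host": "web01", "package": "webserver", "version": "2.4.7"},
    {"host": "web02", "package": "webserver", "version": "2.4.51"},
    {"host": "web02", "package": "tlslib", "version": "1.1.1j"},
    {"host": "app01", "package": "tlslib", "version": "1.1.1j", "workaround": True},
    {"host": "db01", "package": "dbserver", "version": "13.10"},
    {"host": "db02", "package": "dbserver", "version": "13.4"},
]


def patch_gaps(inventory=INVENTORY, advisories=ADVISORIES) -> list:
    """List every host/package pair still below its advisory's fixed version."""
    gaps = []
    for entry in inventory:
        fixed_in = advisories.get(entry["package"])
        if fixed_in is None or not is_vulnerable(entry["version"], fixed_in):
            continue
        gaps.append({
            "host": entry["host"],
            "package": entry["package"],
            "installed": entry["version"],
            "fixed_in": fixed_in,
            "workaround_applied": entry.get("workaround", False),
        })
    return gaps


if __name__ == "__main__":
    for gap in patch_gaps():
        status = "workaround in place, patch still due" if gap["workaround_applied"] else "unpatched"
        print(f"{gap['host']}: {gap['package']} {gap['installed']} < {gap['fixed_in']} ({status})")
```

On the constructed inventory the report names web01 (old web server), web02 and app01 (old TLS library), while db01 on 13.10 is correctly left off. Malformed version strings raise rather than silently sorting somewhere, which is the behaviour you want from a tool that decides what counts as patched.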

Managing Users, Groups, and Permissions

Organizations can also create user groups to help manage permissions. Every user should have their own account, and accounts can be collected into groups. Applying a security standard to a group is much easier and more efficient than applying it to each account, and mistakes are less likely because one rule covers the whole group instead of each individual having a unique set of settings. Administrators are “super users” who can completely control the system, so the administrator group should contain the fewest people possible. Limiting the administrator group is one example of the principle that users should be given only the access they need, which is accomplished by assigning appropriate permissions. Permissions dictate what a user, or a user group, is allowed to do to files or directories. There are database permissions as well as Windows permissions.
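To make the group model concrete, here is an added example (not from the textbook) that resolves a user's effective rights on a resource from group membership and then audits the administrator group. The directory, the group names, the share path and the ACL entries are constructed; the rule that an explicit deny overrides an allow is how Windows evaluates NTFS permissions, and the "svc_" prefix for service accounts is a naming convention assumed only for this example.

```python
"""Group-based permissions and administrator-group audit.

Added example; the user directory, group memberships and ACL entries below are
constructed. Rights are resolved from the user's groups, and an explicit deny
wins over any allow, as in Windows NTFS ACL evaluation.
"""

# Constructed directory: account -> groups it belongs to.
GROUPS = {
    "alice": {"finance", "staff"},
    "bob": {"staff"},
    "carol": {"staff", "Administrators"},
    "dave": {"Administrators"},
    "svc_backup": {"backup", "Administrators"},
}

FINANCE_SHARE = r"\\fileserver\finance"

# Constructed ACLs: resource -> list of (principal, action, rights).
# Principals are groups except where a per-user exception is needed.
ACLS = {
    FINANCE_SHARE: [
        ("finance", "allow", {"read", "write"}),
        ("staff", "allow", {"read"}),
        ("bob", "deny", {"read"}),                       # per-user exception
        ("Administrators", "allow", {"read", "write", "full"}),
    ],
}


def effective_rights(user: str, resource: str, groups=GROUPS, acls=ACLS) -> set:
    """Rights a user actually has on a resource after group allows and denies."""
    principals = {user} | groups.get(user, set())
    allowed, denied = set(), set()
    for principal, action, rights in acls.get(resource, []):
        if principal not in principals:
            continue
        (allowed if action == "allow" else denied).update(rights)
    return allowed - denied


def audit_admin_group(groups=GROUPS, admin_group="Administrators", max_members=2) -> dict:
    """Who holds super-user rights, and what a least-privilege review should question.

    The 'svc_' prefix marking service accounts is a naming convention assumed
    for this constructed directory.
    """
    members = sorted(user for user, g in groups.items() if admin_group in g)
    findings = []
    if len(members) > max_members:
        findings.append(f"{len(members)} members in {admin_group}, limit is {max_members}")
    for user in members:
        if user.startswith("svc_"):
            findings.append(f"service account {user} holds {admin_group} membership")
    return {"members": members, "findings": findings}


if __name__ == "__main__":
    for user in GROUPS:
        print(f"{user:11s} {sorted(effective_rights(user, FINANCE_SHARE))}")
    print(audit_admin_group())
```

Alice gets read and write through the finance group, Bob ends up with nothing because his per-user deny beats the staff allow, and the audit flags both the oversized administrator group and the backup service account sitting in it. Per-user deny entries are exactly the kind of "unique security measure" the text warns about: they work, but every one of them is a rule nobody will remember to review.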

The Importance of Strong Passwords

As mentioned previously, organizations should also have a firm password policy. The textbook discusses basic rules for creating passwords: overall length, changes of case, use of digits, and the mix of character types used. But a policy only governs how passwords are chosen; they also have to be protected where they are stored, so passwords should never be stored in plaintext. They should be hashed when created (run through a one-way function so that the stored value cannot be turned back into the password) and shadowed when stored, that is, kept in a file that only privileged accounts can read, separate from the account information ordinary users can see.
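The following added example (not from the textbook) shows both halves of that: a policy check that reports which rules a candidate password breaks, and salted hashing with a verify step. The policy thresholds and the sample password are assumed for illustration; the hashing uses PBKDF2-HMAC-SHA256 from the Python standard library with a random salt per password and a constant-time comparison, which is how a stored record should be checked.

```python
"""Password policy check and salted password hashing.

Added example, not from the textbook. The policy thresholds are assumed for
illustration; the hashing uses PBKDF2-HMAC-SHA256 from the standard library
with a per-password random salt and a constant-time comparison on verify.
"""
import hashlib
import hmac
import os
import string
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000       # cost factor; raise as hardware gets faster
SALT_BYTES = 16


def policy_violations(password: str, min_length: int = 12) -> list:
    """Return the rules a candidate password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a self-describing record: algorithm$iterations$salt$digest (hex).

    A fresh random salt per password means two users with the same password
    get different records, and precomputed tables are useless.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    candidate = "Tr0ub4dor&3xyz"   # constructed sample password
    print("policy problems:", policy_violations(candidate) or "none")
    record = hash_password(candidate)
    print("stored record:", record)
    print("correct password verifies:", verify_password(candidate, record))
    print("wrong password verifies:", verify_password("password", record))
```

The record embeds the algorithm and iteration count, so the cost can be raised later and old records still verify. Shadowing is the part code cannot do for you: the file holding these records must be readable only by the privileged account that performs logins.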

Testing Vulnerabilities

There are times when we need to review known vulnerabilities. One way is to create test cases that determine whether previous fixes actually closed the exposure. Luckily, there are software packages that help with this: vulnerability scanning software. The IT department can run the scanner against the production environment, or against a test environment, provided the test environment has the same configuration and patch level as production (otherwise the scan describes a system you do not actually run). Scanning production gives the most realistic picture, but scans can disrupt fragile services, so they should be scheduled and approved like any other change.


Intrusion Response Process

Despite routine and extensive vulnerability testing, IT professionals may find that one day an attack succeeds despite their best efforts. In such a case, there must be an intrusion response process in place to ensure that the attacked company responds to the incident properly. According to Boyle and Panko (2021), an intrusion detection system, or IDS, is “software and hardware that capture suspicious network and host activity data in event logs” (p. 493). Detection is only the start of a largely manual process: a dedicated person must review the logs and alerts, decide which are significant, and know how to report the incident quickly and accurately. Is the intruder still poking around, so that containment is still possible, or are they long gone with valuable, sensitive data? The remedy depends on many factors, but a proper intrusion response moves from containment to recovery: repairing server operation, restoring any lost data, and reinstalling software.

The textbook offers an extensive discussion of punishment after a successful intrusion, including criminal and civil prosecution options. Where legal redress is sought, jurisdictional questions arise, such as the proper court in which to pursue the wrongdoer and which law applies. Are there relevant state laws addressing the offense? Do any federal laws apply? If the incident originated in another country, does international law apply, and if so, in which court should action be pursued? Which agencies are responsible for arrests, punishments, or seizure of assets to satisfy a judgment?
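The log review described above can be partly automated so the dedicated reviewer starts from alerts rather than raw lines. The script below is an added example, not from the textbook: the log lines are constructed in the style of OpenSSH's "Failed password" and "Accepted password" messages, using documentation IP ranges, and the threshold and window are assumed. It answers two of the text's questions mechanically: is a source hammering the host, and did it eventually get in (in which case the intruder may still be inside and containment is urgent).

```python
"""Review an authentication log for repeated failures and suspicious successes.

Added example; the log lines are constructed in OpenSSH's message style with
documentation IP ranges, and the thresholds are assumed. Two questions from
the text are answered mechanically: is someone hammering a host, and did they
eventually get in (which means containment is still possible and urgent)?
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5
WINDOW = timedelta(seconds=60)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log: a burst of failures followed by a success from the
# same source, then an unrelated user mistyping a password an hour apart.
SAMPLE_LOG = """\
2024-03-04T09:15:01 srv01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
2024-03-04T09:15:03 srv01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51114 ssh2
2024-03-04T09:15:05 srv01 sshd[2103]: Failed password for root from 203.0.113.7 port 51116 ssh2
2024-03-04T09:15:08 srv01 sshd[2105]: Failed password for deploy from 203.0.113.7 port 51118 ssh2
2024-03-04T09:15:12 srv01 sshd[2107]: Failed password for deploy from 203.0.113.7 port 51120 ssh2
2024-03-04T09:15:20 srv01 sshd[2109]: Failed password for deploy from 203.0.113.7 port 51122 ssh2
2024-03-04T09:15:40 srv01 sshd[2140]: Accepted password for deploy from 203.0.113.7 port 51130 ssh2
2024-03-04T09:20:00 srv01 sshd[2201]: Failed password for alice from 198.51.100.5 port 40001 ssh2
2024-03-04T10:20:00 srv01 sshd[2202]: Failed password for alice from 198.51.100.5 port 40002 ssh2
2024-03-04T10:21:00 srv01 sshd[2203]: Accepted password for alice from 198.51.100.5 port 40003 ssh2
2024-03-04T10:21:05 srv01 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()


def parse_line(line: str):
    """Extract timestamp, outcome, user and source IP; None for lines we don't model."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def review_auth_log(lines, threshold=FAILURE_THRESHOLD, window=WINDOW) -> list:
    """Return alerts in log order: a medium one per source that crosses the failure
    threshold inside the window, and a high one for any success that follows."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    already_flagged = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        window_q = recent_failures[event["ip"]]
        while window_q and event["ts"] - window_q[0] > window:
            window_q.popleft()
        if event["result"] == "Failed":
            window_q.append(event["ts"])
            if len(window_q) >= threshold and event["ip"] not in already_flagged:
                already_flagged.add(event["ip"])
                alerts.append({"severity": "medium", "ip": event["ip"], "at": event["ts"],
                               "reason": f"{len(window_q)} failed logins within "
                                         f"{int(window.total_seconds())}s"})
        elif len(window_q) >= threshold:
            alerts.append({"severity": "high", "ip": event["ip"], "at": event["ts"],
                           "reason": f"successful login as {event['user']} after "
                                     f"{len(window_q)} recent failures; possible compromise, contain now"})
    return alerts


if __name__ == "__main__":
    for alert in review_auth_log(SAMPLE_LOG):
        print(f"{alert['at']} [{alert['severity']}] {alert['ip']}: {alert['reason']}")
```

On the sample log this produces one medium alert when 203.0.113.7 reaches five failures in a minute and one high alert when the same source then logs in as deploy; Alice's two typos an hour apart produce nothing. The high alert is the one that changes the response: a success after a burst of failures means the account is probably compromised and the intruder may still be active, so containment (disabling the account, blocking the source, preserving the logs) comes before any thought of recovery.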

Business Continuity

We also have to consider business continuity activities, which prepare us for future disruptions in operations. For example, what would happen if operations went offline for a power company, a water supplier, an oil refinery, or a nuclear plant? In such cases there are literally lives on the line. Have no doubt: as an IT specialist, your expertise may be the difference between life and death for the many people who depend on your industry, or in a national emergency resulting from an attack. There have been many such attacks in the news, including the Colonial Pipeline ransomware attack in May 2021. Some security experts warn that killware, malware intended to cause death, could be the next threat on the IT front.

A component of business continuity is disaster recovery (DR), the process of restoring systems and data after a loss, which is a stressful time and situation. Victims lose not only system access but also data, and must execute their DR steps to restore it from backups. Next, they need to communicate the incident and notify the affected departments. Most of the time, key executives will want to know what happened and how to ensure that it does not happen again.

Conclusion

This course started with concepts at a granular level and built on them unit by unit to address protection of the organization, its systems, network, physical access, and data. As we found, it is best practice to continually review every security section and component in order to maintain a stable and protected environment.

Reference

Boyle, R. J., & Panko, R. R. (2021). Corporate computer security (5th ed.). Pearson. https://online.vitalsource.com/#/books/9780135823354

  • Course Learning Outcomes for Unit VIII
  • Required Unit Resources
  • Unit Lesson
    • Introduction
    • Host Hardening
    • Security Baselines
    • Vulnerabilities and Patches
    • Managing Users, Groups, and Permissions
    • The Importance of Strong Passwords
    • Testing Vulnerabilities
    • Intrusion Response Process
    • Business Continuity
    • Conclusion
    • Reference