Cybersecurity Processes and Technologies

Project #1: Incident Response Procedures Manual (Part 1)

March 31, 2019

Title: Procedure 1: Windows 10 Windows Defender

Tool Identification: Windows Defender

Description of the Tool:

Windows Defender is owned by Microsoft and is a trusted, built-in security program that comes with Windows 8.1 and above. It includes antivirus protection, a firewall, malware and spyware protection and removal, real-time protection, cloud-based protection, account protection, device security and performance, free automatic updates, app and browser control, and parental controls, and it runs until a third-party program is installed. It doesn’t include many features; however, it is good enough (Nadel, 2018). Windows Defender has improved tremendously over the years and it is only going to get better. Any operating system below Windows 8.1 requires Windows Defender to be installed manually; there it is called Microsoft Security Essentials. Windows Defender doesn’t ask you to upgrade to a paid package because it is free. Unlike other security programs, Windows Defender works quietly behind the scenes. Windows Defender scans your computer for known signatures and monitors its behavior for signs of infection (Nadel, 2018). You are able to upload any file that you think is embedded with a virus to Microsoft and it will analyze it for you. Suspicious files that Windows Defender acquires are uploaded to the cloud for analysis unless you disable Automatic Sample Submission. It has the ability to scan a drive, such as a USB drive, or a single file or directory. It includes SmartScreen for apps and browsers, with a selectable level of protection. The firewall runs separately in the system. Emails are scanned as soon as the user receives them, before they can do harm. There are three scan options: full scan, custom scan, and Windows Defender Offline scan. The full scan scans all the files in your system, running or not. With a custom scan you choose which files to scan. The purpose of the Windows Defender Offline scan is to remove difficult malicious software from your device using up-to-date threat definitions.
Windows Defender requires Microsoft Update to stay up to date. To configure real-time protection, click Virus & threat protection in Windows Defender and turn Real-time protection on. Windows Defender itself differs from one operating system to another. Windows 7 Microsoft Security Essentials has a quick scan and a full scan. On Windows 10, you need to go to Task Scheduler Library, Microsoft, Windows, Windows Defender; you can configure a scheduled full scan from there. Any suspicious file found during a scan is placed in the Quarantined tab, where you have the choice to delete it. It shows the file type, and when the file was created and installed on your computer.

Typical Uses for Incident Response:

Windows Defender detects malware at the point of entry to the system; this is called Block at First Sight. It detects and blocks malware within seconds. The settings are preset by default when the software starts; however, you can also turn on all the features manually with Group Policy. When Windows Defender finds a suspicious file that its signatures do not detect, it sends the file to the cloud to determine whether it is clean or malicious. Any executable file downloaded from the internet or received by email will be blocked. A hash value is checked by the cloud to determine whether the file has been altered. Windows Defender locks the file when no verdict is available (Nadel, 2018). Immediately report to the manager or IT department when malicious files are found. Real-time protection is very important in business because it monitors behavior, gives real-time protection, and identifies suspicious and malicious activity such as changing or modifying files, creating a startup registry key, or any other change to the file system. It also monitors program activity on your computer and scans all attachments, and the AV monitors processes, registry changes, and any known malicious activity. You can submit files for analysis to determine whether they are a threat or safe. Files of any threat level that are found are moved to quarantine (Paul, 2017). These files must then be deleted from the quarantine in Windows Defender. It also has the capability to scan removable media. Every file has an integrity code, and when these codes differ we can determine that the file has been altered. The Windows event log has detailed information about applications, the system, and security. This information can be reviewed to diagnose a problem and potentially predict future issues. It keeps a record of the time, date, user, computer, and event ID (Rouse, 2018).
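The checks described above (real-time protection, cloud submission, scheduled full scan, quarantine contents, and the Defender event log) can be run together from an elevated PowerShell prompt. This is an added example for this manual, not Microsoft's own documentation; it assumes Windows 10 with the built-in Defender PowerShell module, and the 02:00 daily scan time is an assumption.

```powershell
# Added example (not from the manual): triage a Windows 10 host's Defender state.
# Assumes Windows 10 with the built-in Defender module; run from an elevated PowerShell.

# 1. Confirm the protections the manual describes are actually on.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
[pscustomobject]@{
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    BehaviorMonitoring   = $status.BehaviorMonitorEnabled
    CloudProtection      = $pref.MAPSReporting          # 0 = off, 2 = advanced
    AutoSampleSubmission = $pref.SubmitSamplesConsent   # 0 = prompt, 1 = safe samples, 2 = never, 3 = all
    SignatureAgeDays     = $status.AntivirusSignatureAge
    LastQuickScan        = $status.QuickScanEndTime
    LastFullScan         = $status.FullScanEndTime
} | Format-List

# 2. Turn real-time protection back on if it was disabled, and refresh definitions
#    (the manual notes both must be current for Defender to be effective).
if (-not $status.RealTimeProtectionEnabled) {
    Set-MpPreference -DisableRealtimeMonitoring $false
}
Update-MpSignature

# 3. Schedule a daily full scan at 02:00 (assumed time).
#    ScanParameters 2 = full scan, ScanScheduleDay 0 = every day.
Set-MpPreference -ScanParameters 2 -ScanScheduleDay 0 -ScanScheduleTime 02:00:00

# 4. List what Defender has already detected (the quarantine view the manual refers to).
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, ActionSuccess, Resources |
    Format-Table -AutoSize

# 5. Pull the Defender operational log: 1116 = malware detected, 1117 = action taken,
#    5001 = real-time protection disabled (a common sign of tampering worth reporting).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117, 5001
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

The event-log step is the scripted equivalent of reviewing the Event Viewer entries the manual describes; the IDs listed are the standard Defender operational event IDs.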

Resources (Further Reading):

1. Ghosh, D. (2019, February 13). The evolution of Microsoft threat protection, February update. Retrieved from https://www.microsoft.com/security/blog/2019/02/13/the-evolution-of-microsoft-threat-protection-february-update/

2. Nadel, B. (2018, September 05). Microsoft windows defender: Finally good enough. Retrieved from https://www.tomsguide.com/us/windows-defender,review-2209.html

3. Paul, I. (2017, July). Meet windows defender security center, your PC’s safety belt in the Creators Update. PCWorld, 35(6), 29. Retrieved from http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com.ezproxy.umuc.edu/login.aspx?direct=true&db=f5h&AN=123537951&site=eds-live&scope=site

4. Rouse, M. (2018, May). Windows event log. Retrieved from https://searchwindowsserver.techtarget.com/definition/Windows-event-log

How to Use This Tool:

If Sifers-Grayson is using an operating system below Windows 8.1, IT needs to install Microsoft Security Essentials manually. IT needs to go to https://support.microsoft.com/en-us/help/14210/security-essentials-download and choose the language preference and bit version to download Microsoft Security Essentials. However, if the computers are on Windows 8.1 or above, Windows Defender is already integrated into the operating system and no installation is required.

The Windows Defender shown here is from my computer, to show you what Windows Defender looks like, and there are no threats or warnings that I need to be aware of. Once you have downloaded or run the program, click on every category to enable protection. Navigate to Virus & threat protection to enable real-time protection. Account protection is for Microsoft accounts only. Make sure the firewall is turned on for the domain, private, and public networks. You can also allow specific apps through the firewall. Choose the security level for App & browser control to protect the device by checking unrecognized applications and files from the internet. You also need to turn on SmartScreen for Microsoft Edge to protect against malicious sites and downloads. Your hardware must meet the standard hardware security requirements for Device security. Device performance & health gives you a health report for your computer, including a report of any issues impacting your device.

Notes / Warnings / Restrictions:

Windows Defender may produce false positives: it can assume a file is a threat to the computer although it isn’t. It doesn’t have a lot of features available to the user. Starting a full or quick scan on Windows 10 is a little complicated, whereas Windows 7 Microsoft Security Essentials required just two to three clicks for a quick scan. Windows 10 requires at least about seven clicks for a quick scan and eight clicks for a full scan. The user interface is not friendly; however, it isn’t complicated either. Some third-party antivirus software will not be affected by Windows Defender; in that case Windows Defender will run in passive mode. There are some third-party programs that are not compatible with Windows Defender. They will require you to uninstall Windows Defender from your system in order to install a third-party antivirus such as Trend Micro.

Title: Procedure 2: Windows 10 Windows SmartScreen

Tool Identification: Windows Defender SmartScreen

Description of the Tool:

SmartScreen helps you identify phishing and malware websites and informs you about downloads. SmartScreen was added in Windows 8 and above. When you download a file from the internet, it checks the file against Microsoft’s database and lets you know whether it is safe to proceed (Hoffman, 2017). If it is safe to proceed, SmartScreen allows you to download it. When a file isn’t recognized by Microsoft or is known to be dangerous, it displays a warning on your screen, but you can bypass the warning. SmartScreen is also available in Microsoft Edge and the Microsoft Store. No matter what application you choose to download, SmartScreen helps protect your system. SmartScreen is another layer of protection for your system (Hoffman, 2017). Having multiple security layers is safer than having just one security control on your computer.

Typical Uses for Incident Response:

As discussed for App & browser control in Windows Defender, you can choose the security level you want for the company. SmartScreen helps protect your computer in three ways. It analyzes web pages as you browse and determines whether a page is suspicious; SmartScreen displays a warning if it finds a suspicious page (Leonhard, n.d.). SmartScreen checks the site you visit against a list of reported phishing and malicious sites and shows a warning if it finds a match. SmartScreen checks the files you have downloaded against the list of malicious sites and, if it finds a match, warns you that the intended download has been blocked. SmartScreen runs in the background using a small amount of CPU and memory. It uses CPU and memory because it computes a hash of a downloaded file when you launch it and sends the hash to the Microsoft server (Hoffman, 2017). If the file isn’t known to be safe, SmartScreen will not allow you to run the application, because SmartScreen prevents any unrecognized application from starting. If a file’s integrity doesn’t match the original, SmartScreen warns you on your screen. In Event Viewer, application events are dated and stamped with an event ID and task category. The event log records any errors or events that happen in the system, with their own format and interface. When there are errors in the system, IT must recover the data and should also prevent future errors from occurring. IT can use the event log to determine what caused the errors and the context in which they occurred. Properly reviewing the event log may identify problems before they can cause damage.

SmartScreen supports anti-phishing and anti-malware protection. It helps protect employees from sites that have been reported for phishing attacks, deceptive advertisements, and scams. It analyzes the Uniform Resource Locator (URL) to determine whether the site is hosting unsafe content. It also checks applications and downloaded files. If the application or downloaded file has an established reputation, employees will not see any warning. Since SmartScreen runs in the background, it always stays up to date.

Resources (Further Reading):

1. Hall, J., Schonning, N., & Poggemeyer, L. (2017, July 07). Windows defender smartscreen overview (Windows 10). Retrieved from https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview

2. Hoffman, C. (2017, August 21). What is “SmartScreen” and why is it running on my PC? Retrieved from https://www.howtogeek.com/320711/what-is-smartscreen-and-why-is-it-running-on-my-pc/

3. Leonhard, W. (n.d.). What is SmartScreen? Retrieved from https://www.dummies.com/computers/operating-systems/windows-10/what-is-smartscreen/

How to Use This Tool:

To enable this tool, open the Windows Defender Security Center on your device or computer, then click App & browser control. The settings it takes you to are shown at the bottom of the image.
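IT can verify and enforce the same setting from an elevated PowerShell prompt instead of clicking through the Security Center, and can list the downloaded files SmartScreen will check on launch (those carrying the Internet-zone mark). This is an added example, not part of the manual or of Microsoft's documentation; the registry locations are the standard SmartScreen policy keys, and the Downloads folder path is an assumption.

```powershell
# Added example (not from the manual): audit and enforce SmartScreen, and list downloads
# that carry the Mark of the Web (Zone.Identifier stream) SmartScreen relies on.
# Assumes Windows 10; run from an elevated PowerShell.

function Get-SmartScreenState {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $user   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    $edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
    [pscustomobject]@{
        PolicyEnabled   = (Get-ItemProperty $policy -Name EnableSmartScreen     -ErrorAction SilentlyContinue).EnableSmartScreen
        PolicyLevel     = (Get-ItemProperty $policy -Name ShellSmartScreenLevel -ErrorAction SilentlyContinue).ShellSmartScreenLevel
        ExplorerSetting = (Get-ItemProperty $user   -Name SmartScreenEnabled    -ErrorAction SilentlyContinue).SmartScreenEnabled
        EdgePhishFilter = (Get-ItemProperty $edge   -Name EnabledV9             -ErrorAction SilentlyContinue).EnabledV9
    }
}

# Enforce what the manual tells IT to turn on: SmartScreen on, level "Block",
# so employees cannot simply click past the warning (the restriction noted below).
function Set-SmartScreenBlock {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    New-Item -Path $policy -Force | Out-Null
    Set-ItemProperty -Path $policy -Name EnableSmartScreen     -Value 1       -Type DWord
    Set-ItemProperty -Path $policy -Name ShellSmartScreenLevel -Value 'Block' -Type String
}

# Files downloaded from the Internet zone (ZoneId=3) are the ones SmartScreen
# checks when launched; list them with the URL they came from.
function Get-MarkedDownloads {
    param([string]$Folder = "$env:USERPROFILE\Downloads")   # assumed location
    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $ads = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($ads -and ($ads -match '^ZoneId=3')) {
            [pscustomobject]@{
                File    = $_.FullName
                Created = $_.CreationTime
                HostUrl = ($ads | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
            }
        }
    }
}

Get-SmartScreenState | Format-List
Get-MarkedDownloads   | Format-Table -AutoSize
```

Run Set-SmartScreenBlock only after the state check confirms the policy is not already set, since the policy key overrides the per-user Explorer setting shown in the Security Center.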

Notes / Warnings / Restrictions:

Employees could accidentally bypass the security warning for a threat. Employees should also pay careful attention to activity on the computer. If a warning is displayed for an application that you need to run, inform the manager and they will take care of the situation. Although there could be false positives, always pay attention to your applications. When a warning is displayed on your screen, do not continue on to the site. Any program that didn’t run will be placed among the quarantined programs, and IT won’t find it unless they look through the History tab (Leonhard, n.d.).

Title: Procedure 3: Windows 10 Control Panel & Windows Settings Tools

Tool Identification: Control Panel & Windows Settings Tools

Description of the Tool:

Control Panel is an integrated application in Windows that is used to manage or change Windows settings such as computer hardware and software features (Rouse, 2014). By using this tool, we can turn Windows features on or off, uninstall or repair applications, or update applications.

Typical Uses for Incident Response:

When a hacker installs an application on the system, the installed application will appear in Programs and Features. Programs and Features shows the installation date, the size, and the version of the application, as well as a link to where the application was downloaded from. Apps & Features is where you can add additional features to your computer. Update & Security is used to update Windows and applications to stay up to date. From Windows Features, a hacker could add a Telnet client to your computer and gain access to your whole computer. Turning off features that are vulnerable to attack will mitigate data loss. When your computers have been targeted by a hacker, all the activity will be logged in the event log, and IT can analyze it to prevent future threats. Vulnerable programs should be removed from your computer. Install updates only from Windows Update and from the manufacturer’s website; updates from any other source could introduce vulnerabilities into your system. Applying updates manually can prevent a hacker’s fake update or patch from auto-installing on your system.
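The Programs and Features review and the Windows Features check described above can be done from an elevated PowerShell prompt, which is useful when IT has to repeat them across many machines. This is an added example, not part of the manual; it assumes Windows 10 with the built-in DISM module, and the 7-day lookback window is an assumption.

```powershell
# Added example (not from the manual): list recently installed programs and disable
# the Telnet client optional feature if it is enabled. Run from an elevated PowerShell.

# 1. Programs and Features reads the Uninstall registry keys; list what was installed recently.
function Get-RecentlyInstalledPrograms {
    param([int]$Days = 7)   # assumed lookback window
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.InstallDate } |
        ForEach-Object {
            # InstallDate is stored as yyyyMMdd text; skip entries that are malformed
            try { $d = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) } catch { return }
            if ($d -ge $cutoff) {
                [pscustomobject]@{
                    Name      = $_.DisplayName
                    Version   = $_.DisplayVersion
                    Installed = $d
                    Publisher = $_.Publisher
                    Source    = $_.InstallSource    # where it was installed from, when recorded
                }
            }
        } | Sort-Object Installed -Descending
}

# 2. The Telnet client the manual warns about: report its state and turn it off if enabled.
function Disable-TelnetClientIfEnabled {
    $f = Get-WindowsOptionalFeature -Online -FeatureName TelnetClient
    if ($f.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName TelnetClient -NoRestart | Out-Null
        return 'TelnetClient was enabled; now disabled'
    }
    return "TelnetClient already $($f.State)"
}

Get-RecentlyInstalledPrograms | Format-Table -AutoSize
Disable-TelnetClientIfEnabled
```

Anything in the list that IT did not install, or whose Publisher is blank, is a candidate for the event-log review the manual describes before it is removed.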

Resources (Further Reading):

1. Christensson, P. (2007, October 18). Control panel definition. Retrieved March 31, 2019, from https://techterms.com

2. Hope, C. (2017, September 09). Control panel. Retrieved from https://www.computerhope.com/jargon/c/controlp.htm

3. Huculak, M. (2017, February 01). How to manage windows 10’s many ‘optional features’. Retrieved from https://www.windowscentral.com/how-manage-optional-features-windows-10

4. Rouse, M. (2014, July). Microsoft windows control panel. Retrieved from https://searchwindowsserver.techtarget.com/definition/Microsoft-Windows-Control-Panel

How to Use This Tool:

Control Panel is an important tool on a Windows computer because everything is in Control Panel. To turn Windows 10 features on or off, you go through Control Panel. Depending on the version of Windows, the way you access Control Panel may vary. Right-click the Windows symbol on your screen and choose Control Panel. Click Uninstall a program and you will be able to see what programs or applications are installed on your system. If you click Programs, you will be provided with more links to navigate through the system. You will see the Turn Windows features on or off link, where you can select or deselect the Windows features you need or don’t need. For Windows 10, changing the update time isn’t possible in Control Panel. When you search for Windows Update from the search bar, you will see Windows Update in System Settings, not in Control Panel. This is the case for Windows 8.1 and above. You can change the active hours during which you want it to update automatically. You can also click Install updates to choose the updates that you want to install.

Notes / Warnings / Restrictions:

Any unnecessary features and programs should be turned off and uninstalled from Windows. The Windows Update option is no longer in Control Panel; it is in Windows Settings.