
1.6 - System Security

In this section:
  • Forms of attack
  • Threats posed to networks
    • Malware
    • Viruses
    • Keyloggers
    • Trojans
    • Ransomware
    • Root Kits
    • Spyware
    • Phishing
    • Social Engineering
    • Brute Force Attack
    • Denial of Service Attack
    • Interception and Theft
    • SQL Injection
    • Poor Network Policy
  • Identifying and preventing vulnerabilities
    • Penetration Testing
    • Forensics
    • Network Policies
    • Anti Malware
    • Firewalls
    • User Accounts and Passwords
    • User Access Rights and Levels
    • Encryption


Forms of Attack

[Image: Boris is hacking. The faster he types, the harder he hacks.]
You have to ask yourself why hacking is such a big deal. Why do people do it and why do people worry about it?

The answer to these questions is simple - data. Data is worth a fortune. In fact it's worth so much that practically any big business today is only worth as much as the data it stores. Sound mad? Well think about it... Facebook floated on the US stock market at an initial offering price of $38 per share, and its value peaked at $108 billion on the first day.

Today, as of 09/01/2018, Facebook is currently worth $547.11 Billion. Half a trillion dollars!!! And it's free to use?!

Stop and think for a minute - what is Facebook? On the surface, nothing more than a collection of what people had for dinner, people having very public breakdowns in their relationships, people selling tat to each other and posts from click bait farmers of "motivational" pictures or "you won't believe what she did next!!!!!" links. *sigh*.

That's worthless, right? Wrong. 

Sadly, for the users of any social network, you are giving away some of the most valuable data ever collected in human history. I'm not exaggerating. Never before the rise of social media have organisations been able to know so much about you and trust me, they tried. Companies 15 years ago would've ripped your hands clean off if you'd told them you could target exactly the people who are interested in your business - and now, because you give your information away for free, they can!

That's the absurdity here - your data, even data you didn't know you had, is worth so much and you give it away!!

What am I talking about?

If you have a smartphone, in one way or another you have agreed that the following data can be collected, analysed and used in any way a company cares to use it:
  • Usage data (this is massive) such as:
    • How often you use your phone
    • Which apps do you use?
    • When do you use them - what time of day?
    • How long for?
    • Where do you use them?
    • What do you click on?
    • What do you share?
    • How long do you look at a page/post for?
    • What comments do you make?
  • Location and movement data:
    • Where do you live
    • Where do you work (you don't need to tell it, the phone can work this out easily for itself)
    • Where you frequently visit
    • How long you spend in certain places
    • If you pay for things - how much and where?
    • How you travel
    • How active you are - even to the point where it could work out what kind of lifestyle you have.
  • Your personal habits, preferences, likes and dislikes
    • Everything you do on social media (and many websites) is tracked. What do you look at, how long for, what do you click on, what do you like? The list is endless and it builds a very accurate picture of you as a person which can be used in many ways by advertisers and businesses.

This list could go on and on, but I'd hope it gives you just the slightest insight into the wealth of data technology enables companies to collect, store and investigate. Some of this data collection is good - Google for example have done projects where they've tracked the evolution of the English language over time. Other data collection is solely for making profit at your expense. It's getting to the stage where we're verging on creepy behaviour by social networks, for example, Facebook in 2017 said they know enough about their users to be able to tell what mood they're in and what state of mind they are likely to be in! *shudder*
[Image: I Googled "creepy person." I think this fits the bill...]
So, we've established that your personal information is worth an absolute fortune and sadly, we all give it away for free in return for the ability to share and view mindless pictures with text on, videos with large text above and below telling us what the video is about (because clearly we can't work it out for ourselves) and endless crying laughing face emojis next to things that are not funny in the slightest.

It's an odd world we live in.

We've also changed the way we communicate making it harder and more frustrating for law and security agencies to invade our privacy and listen in to what we say. However, please don't ever think your communications are secure, they're not. The NSA has a really interesting toolkit for intercepting anything you do and controlling your smartphone in any way they like. 

This means that now, more than ever, more and more people want access to our data and they're prepared to steal it from you to make a profit.

Attacks take three main forms:
  • Physical - Either taking data on a physical device such as memory stick or laptop, or physically accessing a system and taking data.
  • Remote - Accessing a system through a network or the internet in order to compromise security and take data.
  • Socially Engineered - Tricking an individual or organisation into simply giving away their data.

All of these attacks are explained in the next section.
 

Threats Posed to Networks

[Image: Threats. Bless you, stock photos.]
 

Malware

Malware is:
Any malicious software designed to damage data, spy on user actions, cause a system to malfunction or behave in an unwanted way.


Users usually fall victim to malware by:
  • Clicking on links in emails which then download the software onto a device
  • Opening attachments which contain malicious code
  • Visiting websites which have been compromised so they automatically install or run malicious code on user devices. This is sometimes called a "drive by" attack. (The ransomware that hit NHS systems in 2017, WannaCry, did not arrive this way: it spread itself from machine to machine like a worm by exploiting a flaw in unpatched Windows computers.)

Examples of malware include:
  • Viruses
  • Key Loggers
  • Root Kits
  • Trojans
  • Ransomware
  • Spyware

Let's look at each in turn.
[Image: He's not a virus, he's a very naughty boy.]
 
Viruses - A virus is software that is designed to replicate itself - this means it will try to automatically copy itself to as many devices as it possibly can (just like, er... a virus?)

How does it work?
  • Viruses are spread usually via email as attachments, but can also be spread via USB memory sticks, memory cards or any other removable storage
  • Once activated the virus will immediately try to spread itself. This may be by sending itself to all contacts in an email program or copying itself immediately when a computer is connected to a memory stick or drive.

What does it do?
  • Viruses are usually designed to take advantage of weaknesses in the security of a program or system
  • As a result they may:
    • Deliberately damage or delete data on a system
    • Stop programs from working or delete certain programs
    • Slow down a computer
    • Make the computer vulnerable to further attacks.

How can you protect yourself?
  • Don't open email attachments or emails from people you don't know!
  • Don't visit "suspect" websites
  • Don't plug in USB Storage or devices without some form of anti virus software on your system
  • Have up to date anti virus software
[Image: Key loggers really ruin your day.]
 
Keyloggers - A keylogger can be either hardware or software. It is designed to record every key that is pressed on a keyboard, therefore giving access to all the data that is entered into a computer such as usernames, passwords or websites visited.

How does it work?
  • A hardware key logger would be plugged in between your keyboard and computer. They should be obvious, right? But let's face it, when was the last time you looked at the back of your machine? Ah, many an hour has been whiled away looking at the various sockets on the back of a PC...
  • A software keylogger will be silently installed on your machine and will simply save all key presses to a file. 

What does it do?
  • At regular intervals the key logger will try to send the data file to another computer or a server on a network where the data can quickly be analysed to extract passwords, websites and user names.
  • Remember that a keylogger will also record the content of any messages or emails sent or any work carried out, meaning this is incredibly bad if you are working on sensitive or important information for a company.

How can you protect yourself?
  • Don't use public computers!! This is the most common target for hardware key loggers. If you have to use a public PC, check the cables and what they're plugged into!
  • Never use public wifi
  • Check the back of your own PC if you're paranoid
  • Use up to date anti virus or anti malware software (although these don't guarantee to catch key loggers)
  • Follow all the rules for not getting a virus
  • ​If in doubt, format your PC and start again.
 
Trojans - A trojan is a program which is designed to deliberately trick a user into downloading and installing malicious software. Trojans often look like innocent programs such as system utilities or even forms that need filling in. Trojans "hide" things like viruses or ransomware, which are wrapped up inside a legitimate looking program.

How does it work?
  • Users are tricked into downloading a file or program which looks innocent. A trojan can be disguised as any type of program, which makes them difficult to spot, however signs to look out for are:
    • ​Programs or files sent via emails
    • Programs that are "free"
    • Programs from websites that you've never heard of, or just "feel" wrong.
    • Sometimes, if a website is compromised, program downloads that are genuine and legitimate may be altered to hide malicious software.
  • Upon opening or running the program, malicious software is silently installed on the users computer without them knowing.

What does it do?
  • The effect of a trojan horse depends on its payload. Trojan horses usually hide code which is:
    • A virus
    • A "backdoor" which leaves your computer open to remote control, use in "bot nets" or data theft
    • Ransomware

How can you protect yourself?
  • In exactly the same way as you'd try to prevent viruses.
  • Never, ever download software from an unknown source - if it looks too good to be true then it probably is. Also avoid "flashy" websites that try too hard.
  • Sometimes trojans mimic Windows themes, so some older ones will look like part of Windows XP or 7 - this is usually a sign something smells of rodent.
[Image: If this happens to you, whatever you do - DO NOT PAY. There's no guarantee you'll get your files back. Take a backup!]
 
Ransomware - Ransomware is one of the more modern types of malicious software and often very effective. It encrypts files and then demands a payment from the user to "unlock" them.

How does it work?
  • A user visits a website which has been compromised. They become the victim of a "drive by" attack where code on the website automatically downloads and installs the software or...
  • As with many forms of malware or virus, a user clicks on a link in an email which downloads the ransomware, or the ransomware is delivered as an attachment.
  • When the ransomware is opened, it almost instantly begins to encrypt files, spread itself to other machines like a virus and demands payment from the user.

What does it do?
  • Ransomware uses very strong encryption to scramble files on the target computer. Ransomware usually targets documents, images and sound files.
  • A message is then displayed to the user which demands payment to unlock the files. Payment is usually demanded in BitCoin or other crypto-currency to make it difficult to trace.
  • There is no guarantee that paying will get your files back: the criminals may never send the decryption key, it may not work, and paying marks you out as someone worth attacking again.

How can you protect yourself?
  • It can be very difficult to protect yourself against ransomware if you are the victim of a drive by attack on an infected website, or if it is delivered by a trojan.
  • As always, up to date security software is essential
  • Keep your operating system and software patched - WannaCry, which hit the NHS in 2017, spread through a Windows flaw that had already been fixed, on machines which hadn't installed the update
  • Don't open those attachments!
  • Finally - take a back up of your files regularly, and keep a copy somewhere the ransomware can't reach (offline or disconnected)!! This is the only way you can sensibly recover from ransomware.
 
Root Kits - Rootkits are a particularly nasty form of malware as once installed even anti virus software will have a hard time finding it. 

How does it work?
  • A rootkit installs itself as deep in the system as it can: inside the operating system kernel, in the boot loader so that it runs before the operating system, or in rare cases in firmware such as the BIOS/UEFI.
  • Because it runs with the same (or higher) privilege as the operating system's own security software, it can hide its files, processes and network connections from anything that asks the operating system what is running.
  • Consequently a rootkit can bypass or blind the security measures on a computer without being detected

What does it do?
  • Rootkits are often used to gain complete, admin/super user access to a computer, enabling someone to do literally anything they want with the target machine.
  • This might include covert surveillance of a user and the collection of their data
  • Adding the machine to a "bot net"

How can you protect yourself?
  • Root kits are really, really hard to protect yourself against because of how they work. You can have the latest, up to date security software and still not know your machine is infected
  • Sony once installed root kits on peoples machines! That's nice of them...
  • As usual - good security practise goes a long way. Do I even need to repeat the list of things you should and shouldn't do?
[Image: Looks legit!!]
 
Spyware - Spyware comes in many forms, sometimes as a stand alone program and sometimes is a feature of other programs. It has one purpose and that is to collect data about the user/machine it is installed on.
​

How does it work?
  • Spyware is usually installed in an almost trojan like manner. Software may be presented as a system utility, a free tool or similar which might "improve your pc performance!"
  • Sometimes spyware is simply part of another piece of software. It has been argued that Windows 10 is spyware because even on "reduced" settings, Microsoft collect data about how you use your machine and send it to their servers so they can analyse how people use Windows.

What does it do?
  • Once installed, spyware will start collecting information about the machine and users. Usually this data is web browsing habits and "program metrics" which is a posh way of saying "how do people use the software and what do they do with it?"
  • More malicious spyware may well try to collect email addresses and other personal data which can be used to either send unwanted advertisements or as part of wider ID theft.

How can you protect yourself?
  • Do not download and install software unless you know what it is/does and where it is coming from.
  • Use reputable programs from reputable sources
  • Be very wary of "anti-spyware" or "PC clean up" tools advertised in pop-ups and adverts as, ironically, many of these are spyware themselves!
 

Phishing

[Image: Yes! I will almost certainly click on the link and give you all my details!]
​
How does it work?
  • Phishing is the use of emails which pretend to be from legitimate sources to trick users into giving away personal information, log in details, bank details or any other data a criminal may require.
  • The victim is sent an email which looks like it has come from a bank, government source or other well known company
  • The email contains information designed to scare, shock or hook a user with an offer (usually "you are owed money")
  • The email then has a link for users to click on to "take action"
  • Upon clicking the link, users are taken to a fake website which will collect any data entered

What does it do?
  • Phishing scams are a form of social engineering and they are used to gather really valuable data such as bank details
  • Phishing is incredibly easy and profitable for criminals because there is very little cost or effort in sending millions of emails, and only a tiny proportion of recipients need to fall for it
  • There is also no "hacking" involved as users are, sadly, just giving their details away to criminals
  • Once collected, the data is either used for fraud, theft or offered for sale for others to use on the "dark web"

How can you protect yourself?
  • Does it sound too good to be true?! Then it is!
  • Don't. Ever. Click. Links. In. Emails.
  • If you're still in any doubt - call the company concerned. Tell them about the email and ask their advice. Make sure you get the number from their website and not from any dodgy emails you've been sent!
[Image: If you haven't seen the film "Catch Me If You Can" then you need to - one of the greatest true stories about social engineering ever.]
 

Social Engineering

​How does it work?
  • Criminals usually pose as employees from known organisations and gain the trust of the victim by:
    • ​Using shock tactics - "We're the police doing an investigation and your bank account has been compromised" or "Hi, I'm from Microsoft and during a routine scan we've realised your laptop is infected with a virus, we'd like to help."
    • Using language you'd expect of an employee or someone who "knows what they're doing."
    • If in person, simply looking the part - wearing official looking ID, dressing in company attire and mixing with real employees
  • Once the criminal has gained trust or access they simply abuse the good will/trust of the victim and either trick them into giving details or simply asking for the information they want.

What does it do?
  • Sadly, social engineering is one of the most effective methods of "hacking" that there is, and humans are nearly always the weakest link in any security system.
  • Think about it - if someone posed as a manager, high up in a company that you worked for; or even as IT support for your company and started asking you to do things or give them your log in details so they could "diagnose a fault" then... you'd give them the information, wouldn't you? After all, not many people are prepared to argue with their manager!
  • Social engineering relies on gaining trust and looking the part. Unfortunately we are all built to be nice, trusting, honest people and sadly that's easy to take advantage of.

How can you protect yourself?
  • If you receive a call from anyone asking you for any personal information, security details or "just some information to pass through security" or anything that even seems slightly out of the ordinary - end the call.
  • Any company that has your details and needs you for anything serious will be able to write you a letter - tell them to write to you or, in the case of a bank, send it to your local branch
  • Call the organisation yourself and ask them if they have been trying to contact you.
  • Do not believe anyone who tells you your computer needs attention, to download software so they can fix it for you
  • In a work place, if you are unsure of a request, simply respond "I'll be happy to help you out, I just need to check the details with my supervisor/manager first." or "I'll call you back when I've had time to process that." Then do just that - check with someone that it is normal for another department to call up and ask for information.​
 

Brute Force Attack

[Image: Want to spend potentially millions of years trying to guess a password? Then Brute Force is the tool for you!]
Brute Force is the most crude method of trying to gain access to a system. It is quite simply trying every single combination of possible username/password until a system lets you in.

Definition: The constant/systematic use of trial and error (or a dictionary) in an effort to discover login information and gain access to a system.

To put that in context, it's like if you came up against a code lock with 4 digits, you know there are only 10,000 possible combinations and it has to be one of them, so just keep clicking up by one until it unlocks!

Clearly the problem here is complexity. The more complex the password, the more guesses it takes to break. Complexity is increased by:
  • Length - how many characters is the password? Every extra character multiplies the number of possible passwords by the size of the character set
  • Using a mixture of upper and lower case letters, numbers and symbols

Passwords these days should be at least 10 characters in length to be robust enough against brute force attacks. Systems also defend themselves by locking an account or slowing down their responses after a few wrong guesses, so that trying millions of combinations against a live login page is not practical.

One way to speed up a brute force attack is to use what's called a "dictionary attack".

A dictionary attack is where:
  • A huge list (potentially hundreds of thousands or even millions) of known passwords is stored in a file
  • These are usually gathered from hacks and compromised websites - so they're real passwords people have used
  • The program then tries each password from the dictionary to see if it works
  • This is much quicker and usually successful due to people using easy/memorable/common passwords
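As an added example (not part of the original page), the Python below shows the two approaches side by side. It works on a small constructed set of "stolen" password hashes using SHA-256 (a real site should store passwords with a slow, salted hash such as bcrypt or Argon2; plain SHA-256 just keeps the demonstration short), counts how many guesses a pure brute force attack would need for a given length and character set, brute forces a 4-digit PIN exactly like the code lock above, and then runs a tiny dictionary attack against all three accounts. The usernames, passwords and wordlist are made up for the example.

```python
import hashlib
import itertools
import string
from typing import Dict, List, Optional

# Character sets for estimating how many guesses a brute force attack needs.
DIGITS = string.digits                                                     # 10 symbols
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def sha256_hex(password: str) -> str:
    """Hash a password. (Example only: real systems should use a slow, salted
    password hash such as bcrypt or Argon2, not plain SHA-256.)"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed stand-in for password hashes stolen from a compromised website.
# The usernames and passwords are made up for this example.
STOLEN_HASHES: Dict[str, str] = {
    "alice": sha256_hex("1234"),         # a 4-digit PIN
    "bob":   sha256_hex("password1"),    # a very common password
    "carol": sha256_hex("Tr0ub4dor&3"),  # not in our small dictionary
}

# Tiny stand-in for the multi-million-entry wordlists built from real breaches.
DICTIONARY: List[str] = ["123456", "password", "qwerty", "password1", "letmein", "1234"]


def keyspace_size(length: int, alphabet: str) -> int:
    """Number of candidates a pure brute force attack must be prepared to try."""
    return len(alphabet) ** length


def brute_force(target_hash: str, alphabet: str, max_length: int) -> Optional[str]:
    """Try every combination up to max_length - the 4-digit code lock approach."""
    for length in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def dictionary_attack(target_hash: str, words: List[str]) -> Optional[str]:
    """Try only passwords that people are known to have used."""
    for word in words:
        if sha256_hex(word) == target_hash:
            return word
    return None


def crack_all(hashes: Dict[str, str], words: List[str]) -> Dict[str, Optional[str]]:
    """Run the dictionary attack against every stolen hash; None means not cracked."""
    return {user: dictionary_attack(h, words) for user, h in hashes.items()}


if __name__ == "__main__":
    print("4-digit PIN guesses needed at most:", keyspace_size(4, DIGITS))
    print("10-char mixed password guesses:", keyspace_size(10, FULL_ALPHABET))
    print("Brute forced alice's PIN:", brute_force(STOLEN_HASHES["alice"], DIGITS, 4))
    print("Dictionary attack results:", crack_all(STOLEN_HASHES, DICTIONARY))
```

Notice the numbers: a 4-digit PIN has 10,000 possibilities and falls in a fraction of a second, while a 10-character password drawn from all 94 printable characters has 94^10 (about 5 x 10^19) possibilities. The dictionary attack skips that whole search and still recovers two of the three accounts, because those two users picked passwords that appear in breach lists. carol's password survives only because it is not on the list, which is the whole point of not reusing common passwords.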
[Image: Monty Python's Cheese Shop - The ultimate denial of service.]
 

Denial of Service

Denial of Service (DoS) is not necessarily a method of breaching security or "hacking" a system. It is the act of sending a constant stream of requests to a server so that a website appears to be offline. When the flood comes from many computers at once it is called a Distributed Denial of Service, or "DDoS", attack.

How does it work?
  • Usually a denial of service attack is carried out using a "bot net." A bot net is a large collection of computers that have been compromised by trojans, back door software or another security breach. Computers in a bot net can be remotely controlled and their internet connections used to send data anywhere a criminal decides.
  • Hackers/criminals will often sell access to a bot net, often selling access to blocks of hundreds/thousands of machines
  • The bot net is then used to send a flood of requests for data to a single web server

What does it do?
  • Once the flood of data requests is sent, the server receiving these requests begins trying to address these requests
  • Eventually, however, the volume of requests becomes higher than the server is able to handle and so it begins to time out/not respond to requests
  • Any legitimate requests made during this time are effectively "lost" as they too time out and the website appears  to be offline.

How can you protect yourself?
  • Hope that the men/women with beards in your organisation know what they're doing and can mitigate the effects of a DoS attack. In practice that means things like filtering or rate limiting suspicious traffic, spreading the load across many servers, and using a specialist DDoS protection service to absorb the flood before it reaches you.
[Image: "You don't understand, I'm a geezer! I'll nick anything me!"]
 

Interception and Theft

Sometimes, the best way to get what you want (if you're a criminal) is to simply steal it. In a networking/computing sense this could mean:
  • Tapping a connection
  • Plugging into a network and monitoring traffic
  • Intercepting wireless traffic
  • Physically stealing storage devices such as USB Memory Sticks
  • Physically stealing a machine such as a laptop or tablet
  • Old fashioned printing out of sensitive data!

There is little that can be done to stop most interception or theft, so the only real way of protecting your data is to make sure it is useless to whoever gets hold of it: strong encryption of the data stored on devices, encrypted connections (such as HTTPS or a VPN) for data travelling over a network, and strong passwords on every device and account.
[Image: "We're cockneys!"]
 

SQL Injection

Virtually all websites are connected to some form of database. The language we use to communicate with databases is called "SQL" or Structured Query Language. Some clever people realised that when a website builds its SQL query by gluing the data you typed into a web form straight into the query text, you can bolt on some SQL of your own to do damage or gain access to the system.

How does it work?
  • A malicious query is created which will usually carry out one of the following:
    • Read data the attacker shouldn't be able to see, such as every username and password in a table
    • Delete a table or some data from a table
    • Create a new user, usually an administrator, in a table
    • Change or amend data
  • This is typed into a web form field (or put in a URL) with the intention of modifying the SQL statement that the server will execute. A classic example is entering ' OR '1'='1 as a password so that the WHERE clause of the login query is always true.

What does it do?
  • Once submitted, the modified SQL statement is executed by the server, which has no way of telling which part was written by the developer and which part was typed in by the attacker.
  • Once executed, it is likely a hacker would have unauthorised access to a system, have read or deleted data, or inserted new data to gain access to or modify a system

How can you protect yourself?
  • Validate user input - in other words all input must adhere to a set of rules (for example, a username may contain only letters and digits). Anything that does not is rejected.
  • Use parameterised queries (prepared statements) or stored procedures so that user input is always passed to the database as data and is never treated as part of the SQL command. This is the main defence; validation on its own is not enough.
  • Use penetration testing (see the next section) to deliberately test the security of your website/server.
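As an added example (not from the original page), here is a website login check written two ways in Python against a constructed in-memory SQLite database. The first version builds the SQL text by gluing the username and password straight in, so typing ' OR '1'='1 as the password, or alice'-- as the username, logs you in without knowing anything. The second version uses a parameterised query and the very same input is simply treated as a (wrong) username or password. A small validation rule shows the first line of defence too. The users table, names and passwords are made up for the example.

```python
import re
import sqlite3
from typing import Dict

# Validation rule: only letters, digits and underscores, 1 to 32 characters.
# Quotes, spaces and comment markers are rejected before they reach the database.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.match(username) is not None


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table (made-up example data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", 1), ("bob", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The SQL text is built by gluing user input straight into the query, so
    whatever the user types becomes part of the command the server runs."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the ? placeholders are filled in by the database
    driver, so the input is always treated as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo() -> Dict[str, bool]:
    conn = make_db()
    # Two classic injection strings typed into the login form.
    or_true = "' OR '1'='1"  # makes the WHERE clause ... OR '1'='1', which is always true
    comment = "alice'--"     # closes the quote, then -- comments out the password check
    return {
        "vulnerable_real_login": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_or_true": login_vulnerable(conn, "alice", or_true),
        "vulnerable_comment": login_vulnerable(conn, comment, "wrong"),
        "safe_real_login": login_safe(conn, "alice", "correct horse"),
        "safe_or_true": login_safe(conn, "alice", or_true),
        "safe_comment": login_safe(conn, comment, "wrong"),
        "validation_rejects_comment": not is_valid_username(comment),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Run it and the vulnerable function returns True for both injection strings while the parameterised one returns True only for the real password. The fix is not clever filtering of quotes; it is never letting the database see user input as part of the command in the first place.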
 

Poor Network Policy

A policy is simply a set of rules and expectations. You've come across all sorts of policies in your life, such as the "terms and conditions" that you don't read every time you sign up to a website or app. You will almost certainly have read and paid close attention to the school "Acceptable Use Policy" which we make your parents sign each year to indicate that you understand how we collect and use your data as well as how we expect you to behave when using our computer systems.

How does it work?
  • A company will normally have policies for all aspects of their business, including policies that cover how any form of technology is to be used.
  • A Network Policy will include rules, regulations and expectations that employees or individuals must follow when they are using any device connected to a network
  • These rules and regulations will be designed to ensure the company complies with laws such as the Data Protection Act and the Computer Misuse Act...
  • ...they will also be designed to protect data, keep users safe and prevent misuse of ICT systems

What might it contain?
  • A network policy will typically cover:
    • ​What users can and cannot do on a computer system
    • What users are entitled to view/use on shared areas
    • What users can/cannot do on the internet
    • Password strength requirements
    • Data protection rules - such as preventing the use of USB storage devices for taking copies of company data
    • Encryption procedures

What about poor policy?
  • The problems with policies are:
    • ​People don't read them
    • They are forgotten about
    • They are not easy to enforce - apart from access rights (such as stopping users accessing shares)
    • ​They are often outdated and do not cover changes in technology/new technologies
 

Identifying and Preventing Attacks

Now we know all about what kinds of attacks can be made on computer systems and networks, it'd be a good idea to work out how to either stop them in the first place or how to recover from an attack when it happens.

OCR would like you to know about the following:
  • Penetration Testing
  • Network Forensics
  • Network Policies
  • Anti-Malware Software
  • Firewalls
  • User Access Levels/Rights
  • User accounts and Passwords
  • Encryption
[Image: I know, I know... it's a book. But you really should read it.]
 

Penetration Testing

Penetration testing must surely be one of the best jobs in the world. A penetration tester is someone who is paid or contracted to deliberately try to break through security - whether that's physical security (security guards, members of staff in a business) or IT system security. At the end of an agreed period of time, they produce a report highlighting any weaknesses that need to be addressed.

What is it?
  • A person or team of people are hired by a company. Very few people will know that the test is about to take place, this is to ensure the results are realistic as employees will not be expecting an attack.
  • The penetration tester will then spend a period of time observing the company, its employees and its systems to gather information
  • Once enough is known about the company, attempts will be made to gain access to the buildings and computer systems. This may involve:​
    • ​Impersonating employees
    • Social engineering of staff
    • Creating fake credentials
    • Exploiting known security vulnerabilities in various systems
    • Exploiting poor staff security - e.g. holding doors open into a building for people you don't know, carrying data on removable devices, leaving computers logged in, leaving data out on desks etc.
  • The penetration tester will attempt to steal as much as they possibly can during the agreed time
  • Once the test is over, they produce a report highlighting all the security weaknesses they found.

How does it prevent attacks or help us recover from an attack?
  • This is the best way to truly test the security of your systems and how effective security policies are
  • It is one of the only ways to provide a "real world" test and see how employees of a company truly behave and how they are implementing security policy
  • It will provide an in depth analysis of your current level of security
  • It may highlight issues that had not been considered
  • It will almost certainly improve security in an organisation
 

Forensics

Sometimes attacks happen. We cannot possibly prevent every single attack from being successful and it simply isn't possible to mitigate attacks that use new and previously unknown techniques to gain access. We also can never be sure that people will not be socially engineered or simply lose data, especially data on removable storage.

What is it?
  • Forensics is the use of all available data to work out, after an attack:
    • ​What happened
    • How access was gained
    • When
    • What was taken
    • How much damage has occurred
  • Forensics will mainly make use of log files to piece together actions that have taken place.
  • Log files are:
    • ​A record of what has taken place, at what time, by whom and any other relevant information
    • They are automatically generated by systems and are hard to alter without leaving traces, but an attacker who gets control of a machine will often try to delete or edit its logs. This is why organisations copy log files to a separate, protected server as they are written, so the record survives even if the attacked machine is wiped
    • Numerous! There are log files for literally everything:
      • ​Log in attempts
      • Programs used
      • System events, bugs and crashes
      • Files accessed/changed/deleted
  • Organisations such as the police also have access to many forensic and data recovery tools which can be used to find out what a user has done with a system and even bring back files that have long since been deleted.
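As an added example (not part of the original page), the Python below does the "piece together what happened from the logs" step on a constructed authentication log. The log format, IP addresses, users and file path are made up for the example. It parses each line, counts failed log ins per source address, flags any address that failed many times and then succeeded (the footprint of a brute force or dictionary attack that worked), and prints everything that address did afterwards so you can see what was taken.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log (made up for this example, not taken from any real
# system): an authentication/file log in time order with a timestamp, an event
# type and key=value fields.
SAMPLE_LOG = """\
2018-01-09 08:01:02 LOGIN FAILED user=admin ip=203.0.113.5
2018-01-09 08:01:03 LOGIN FAILED user=admin ip=203.0.113.5
2018-01-09 08:01:04 LOGIN FAILED user=admin ip=203.0.113.5
2018-01-09 08:01:05 LOGIN FAILED user=admin ip=203.0.113.5
2018-01-09 08:01:06 LOGIN FAILED user=admin ip=203.0.113.5
2018-01-09 08:01:07 LOGIN OK user=admin ip=203.0.113.5
2018-01-09 08:02:10 LOGIN OK user=alice ip=192.0.2.20
2018-01-09 08:03:15 LOGIN FAILED user=alice ip=192.0.2.20
2018-01-09 08:03:20 LOGIN OK user=alice ip=192.0.2.20
2018-01-09 08:05:00 FILE DELETED path=/shares/finance/payroll.xlsx user=admin ip=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGIN FAILED|LOGIN OK|FILE DELETED) (?P<fields>.*)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Turn one log line into a dict: ts, event, plus each key=value field."""
    match = LINE_RE.match(line)
    if match is None:
        raise ValueError("unrecognised log line: " + line)
    event = {"ts": match.group("ts"), "event": match.group("event")}
    for field in match.group("fields").split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_logins_by_ip(events: List[Dict[str, str]]) -> Counter:
    """How many failed log ins came from each source address."""
    return Counter(e["ip"] for e in events if e["event"] == "LOGIN FAILED")


def suspicious_ips(events: List[Dict[str, str]], threshold: int = 5) -> List[str]:
    """Addresses that racked up `threshold` or more failures and then logged in
    successfully: the signature of a brute force or dictionary attack that worked.
    Relies on the log being in time order, which is how it was written."""
    failures: Counter = Counter()
    flagged: List[str] = []
    for e in events:
        ip = e.get("ip", "")
        if e["event"] == "LOGIN FAILED":
            failures[ip] += 1
        elif e["event"] == "LOGIN OK" and failures[ip] >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged


def timeline_for_ip(events: List[Dict[str, str]], ip: str) -> List[str]:
    """Everything one source did, in order: what happened, when, and what was
    touched - the 'what was taken / how much damage' part of the investigation."""
    return [
        " ".join(part for part in (e["ts"], e["event"], e.get("user", ""), e.get("path", "")) if part)
        for e in events
        if e.get("ip") == ip
    ]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("Failed log ins per IP:", dict(failed_logins_by_ip(events)))
    for ip in suspicious_ips(events):
        print("Suspicious source:", ip)
        for entry in timeline_for_ip(events, ip):
            print("   ", entry)
```

On this sample only 203.0.113.5 is flagged: five failures against admin in five seconds, a success, then a payroll file deleted from that same address. alice's single typo from 192.0.2.20 stays below the threshold. The threshold is a judgement call, which is why the function takes it as a parameter; the point of keeping the raw log is that the investigator can change their mind and re-run the analysis.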

How does it prevent attacks or help us recover from an attack?
  • Forensics will help to identify the method an attacker used to gain access to your systems. You should then be able to make changes to ensure the same type of attack cannot happen again.
  • Forensics will also be used in any kind of investigation (criminal, data protection reports etc)
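The log-file work described above, as an added example (not code from the original page): a small Python script that parses a constructed login/file log, rebuilds one account's timeline and picks out the trail a brute-force login attempt leaves behind (several failures, then a success). The log format, user names, addresses and paths are all made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): the kind of login and
# file log that forensics pieces together - who, when, from where, what result.
SAMPLE_LOG = """\
2024-03-04 08:12:01 LOGIN FAIL user=alice src=10.0.0.5 host=PC-17
2024-03-04 08:12:03 LOGIN FAIL user=alice src=10.0.0.5 host=PC-17
2024-03-04 08:12:04 LOGIN FAIL user=alice src=10.0.0.5 host=PC-17
2024-03-04 08:12:06 LOGIN OK user=alice src=10.0.0.5 host=PC-17
2024-03-04 08:30:44 FILE DELETE user=alice path=/shares/finance/q1.xlsx
2024-03-04 09:01:12 LOGIN OK user=bob src=10.0.0.9 host=PC-03
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<event>LOGIN|FILE) (?P<result>\S+) (?P<fields>.*)$")

def parse_log(text):
    """One dict per line: timestamp, event type, result, plus the key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real tool would keep unparsable lines too; skipped here
        fields = dict(kv.split("=", 1) for kv in m["fields"].split())
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       "event": m["event"], "result": m["result"], **fields})
    return events

def brute_force_suspects(events, threshold=3, window=timedelta(minutes=1)):
    """Accounts with `threshold` failed logins inside `window` and then a success:
    the trail a successful brute-force attack leaves in a login log."""
    fails = defaultdict(list)
    suspects = {}
    for ev in events:
        if ev["event"] != "LOGIN":
            continue
        user = ev["user"]
        if ev["result"] == "FAIL":
            fails[user].append(ev["ts"])
        elif len(fails[user]) >= threshold and ev["ts"] - fails[user][-threshold] <= window:
            suspects[user] = (ev["ts"], ev["src"], len(fails[user]))
    return suspects

def timeline(events, user):
    """Everything one account did, in order: the 'what happened and when' of forensics."""
    return [(ev["ts"].strftime("%H:%M:%S"), ev["event"], ev["result"],
             ev.get("path") or ev.get("host")) for ev in events if ev.get("user") == user]
```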
[Picture] "...install it? Nah... that's a different form!"
 

Policies

A policy is simply a document which describes a set of rules or expectations that people should follow when using a system or working in an organisation. Users have to agree to policies and if they break the rules in those policies then action could be taken. However, in computing, there are two types of policy we need to be aware of!

What is it?
Type 1 - Written rules and regulations:
  • Policies will cover the use of a whole range of systems. Some examples are:
    • Use of computer systems
    • Use of the internet
    • Data protection
    • The use of equipment for personal affairs
    • Data security procedures
  • These policies will explicitly, and in great detail, set out what users can and cannot, should and should not do.
  • Policies are used to ensure that people obey laws such as the Computer Misuse Act and Data Protection Act. They are also designed to ensure everyone maintains the security and integrity of data
Type 2 - Network/System Policies
  • Most networks are client-server type networks. This enables the server to set policies on client machines each time they log in.
  • Network and system policies can change virtually any setting on a client machine; they can restrict access to data and be used to effectively "lock down" a system.
  • When a user logs in, the server checks which policies should be applied to that user and sends them to the client machine, which implements the changes.
  • Policies will affect things like:
    • User access rights - what users can and cannot do
    • The software available on a machine
    • What data users can share, access or modify
    • What settings a user is allowed to change on a system
    • How persistent data and changes are - in other words, if you log out will your changes be saved?
  • Good use of these policies should ensure that:
    • Different levels of users have different access
    • Users can only do/see/use what they are supposed to
    • Data is kept secure
    • Users cannot install or modify software, potentially causing damage.

How does it prevent attacks or help us recover from an attack?
  • Written policies should ensure everyone knows what they should and shouldn't do - they are more of a deterrent to put people off doing anything bad. They should also mean you're less likely to get malware and viruses on your system.
  • Network policies enforce these rules. Good policy should mean that users cannot do damage, even if they wanted to. If someone gains access to a system then the restrictions in place should at least minimise the damage that they can cause.
 

Anti-Malware

The very opposite of Malware - software that is designed to detect, remove and prevent the installation of malicious software.

What is it?
  • Anti-Malware comes in many flavours - but you'll usually know it as "anti-virus" software.
  • These packages may have varied functionality but usually include:
    • A file system scanner to find potentially malicious software
    • Real time scanning of running programs to monitor for virus-like activity
    • Download/network connection scanners
    • Some kind of utility that will attempt to clean a system / rid it of malware
  • Because there are so many viruses and malicious programs, software like this will often use "heuristics"
  • Heuristics is simply a "rule of thumb" approach to detection - if a program looks or behaves like malware then it will be flagged up/detected

How does it prevent attacks or help us recover from an attack?
  • This is the most common form of protection a system may have. Malware detection is even standard in some operating systems now, for example "Windows Defender" in Windows 10.
  • This type of software should protect systems from most, but not all, attacks
  • Anti-malware also helps to prevent the accidental installation of malware and should provide protection against "drive by" attacks when a user visits a compromised website
 

Firewalls

A firewall is a kind of gate keeper for your network connection. It examines all the packets that travel both in and out of a network connection and will allow packets to come in and out only if they conform to a set of rules that have been set. This is an absolute basic requirement of any kind of network security and often a first line of defence to filter out unwanted traffic. They can also be used to effectively "hide" sections of a network from the internet.

What is it?
  • A firewall can either be software running on a machine or a physical piece of hardware connected to a network
  • Firewalls will be configured with rules which are applied to both incoming and outgoing traffic
  • Every packet that is sent through the firewall will be allowed or disallowed based on these rules

How does it prevent attacks or help us recover from an attack?
  • Firewalls are one of the most effective methods of preventing malicious traffic from reaching a machine or network
  • When properly configured, firewalls can prevent many vulnerabilities being exploited
  • Firewalls do not stop people physically accessing a computer on the network, however!
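The rule-checking a firewall does, as an added example (not code from the original page): a tiny Python packet filter that checks each packet against an ordered rule list and drops anything no rule allows. The addresses and the rule set are constructed for a made-up small office.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    direction: str  # "in" = arriving from the internet, "out" = leaving the LAN
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination port
    proto: str      # "tcp" or "udp"

@dataclass
class Rule:
    direction: str
    src: str                 # network in CIDR form; "0.0.0.0/0" means any address
    dst: str
    dport: Optional[int]     # None means any port
    proto: Optional[str]     # None means any protocol
    action: str              # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport)
                and self.proto in (None, p.proto))

# Constructed rule set for a small office (hypothetical addresses): the LAN is
# 192.168.1.0/24 and 192.168.1.10 is the only machine meant to be reachable
# from the internet, and only as a web server.
RULES = [
    Rule("in",  "0.0.0.0/0",      "192.168.1.10/32", 443,  "tcp", "allow"),  # HTTPS
    Rule("in",  "0.0.0.0/0",      "192.168.1.10/32", 80,   "tcp", "allow"),  # HTTP
    Rule("in",  "0.0.0.0/0",      "192.168.1.0/24",  None, None,  "deny"),   # everything else inbound
    Rule("out", "192.168.1.0/24", "0.0.0.0/0",       None, None,  "allow"),  # anything leaving the LAN
]

def decide(packet: Packet, rules=RULES) -> str:
    """Check the packet against the rules in order; the first match decides.
    A packet no rule mentions is dropped (default deny), which is what keeps
    the rest of the LAN "hidden" from the internet."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"
```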
 

User Accounts / Passwords

You're all familiar with this! Every website, every phone you've ever had and every time you use the school computers you've created or used a user name and password.

What is it?
  • A unique user name is generated for each user on the system. Users should only ever use their own user name!
  • Each user must create and use a secure password to gain access to a system or their account
  • User names and passwords are used to:
    • Identify which user is using a system
    • Log and record what users do, when and where
    • Apply policies and restrictions to users based on their level of access
    • Prevent users from causing damage to a system as their access to sensitive data should be restricted and users are usually aware that what they do is "in their name" and therefore easy to trace.

How does it prevent attacks or help us recover from an attack?
  • User names and passwords provide a huge amount of information that can be used in a forensic examination when a system is compromised or abused. 
  • All actions a user makes can be logged - you can record where a user logs in, which machine they use, how long for and which programs they use
  • If a username or password is stolen/abused then there is still a trail to that user - that information can be used to work out how the details were stolen/abused in the first place
  • Restrictions applied to users provide a very effective way of preventing abuse by simply not allowing access to sensitive systems or data shares
 

User Access Levels / User Access Rights

Depending on your job or role in an organisation, you will require different access to computer systems. For example, an office worker will need to be able to use office programs, access the internet and have a personal area to store files and data. They would never need to be able to configure settings or install new software. An administrator, on the other hand, would require complete access to all aspects of the system in order to do their job.

What is it?
  • Access RIGHTS:​
    • Set by administrators and usually implemented by policies when a user logs in
    • Defines what a user can or cannot open or access
    • Usually this relates to file shares
      • Can the user read/write/modify/execute a file or program?
    • Can also apply to programs
  • Access LEVELS:
    • Set by administrators and usually implemented by policies when a user logs in
    • Defines what type of user an individual is:
      • Admin
      • Power user
      • Standard user
      • Restricted user/guest
    • Used to apply different rules/types of access depending on what administrators have decided users should and should not be able to do.
      • E.G. Administrators - all access to all systems
      • Power User - ability to modify systems in a controlled way, perhaps install software or change passwords.
      • Standard user - has access to the system, can perform tasks necessary to complete work but cannot modify system settings, install software or change data shares
      • Restricted - has access to only a very small set of programs and data on the system. Think about your controlled accounts as an example: there is no internet access when logged in as a restricted user.

How does it prevent attacks or help us recover from an attack?
  • Access rights and levels, if configured correctly, provide a robust way to secure access to computer systems - users should only be able to do what they need to and nothing more
  • Access rights should stop users accessing data they do not have the right/need to
  • Access levels and rights are only effective if correct security procedures are followed - for example keeping passwords secure and never sharing log in information. If an attacker gains access to an administrator account then all security can be bypassed
 

Encryption

Encryption is the process of scrambling data so that if it is stolen or intercepted then it will mean nothing without the key to decrypt it. This should keep data safe even if someone manages to gain access to physical hardware or your network.

What is it?
  • Encryption scrambles data using a complex, one way algorithm.
  • This encryption algorithm uses a "key" to encrypt the data
  • Once scrambled, the data cannot be accessed without another, different key to "unlock" (decrypt) it.

How does it work?
  • The recipient of a file makes available a "public key"
  • The sender encrypts the data to be sent using this public key. This key can be used by anyone to encrypt data - it's public!
  • However, this key cannot be used to decrypt the data! It is a one way process
  • The scrambled data is sent to the recipient
  • The recipient uses their "private key" to decrypt the data so they can view it
  • The recipient keeps their private key secret - if it were to be revealed then anyone could unlock/decrypt data sent to them.
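The public/private key steps above, as an added example (not code from the original page): a toy version of textbook RSA in Python with tiny primes so the numbers can be checked by hand. The primes (61 and 53), the exponent 17 and the messages are illustration values; real keys are thousands of bits long and real systems do not scramble a message byte by byte like this.

```python
def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def make_keys(p, q, e=17):
    """Recipient's first step: from two primes p and q build the public key
    (e, n), which is handed out to anyone, and the private key (d, n), kept secret.
    p, q and e here are textbook-sized illustration values, not real key sizes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    g, d, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must share no factor with (p-1)(q-1)")
    return (e, n), (d % phi, n)

def apply_key(blocks, key):
    """The core RSA operation: raise each block to the key's exponent, mod n."""
    exponent, n = key
    return [pow(block, exponent, n) for block in blocks]

def encrypt(message, public_key):
    """Sender's step: scramble each byte of the message with the public key.
    (Scrambling byte by byte like this is fine for a demo but not for real use.)"""
    return apply_key(message.encode(), public_key)

def decrypt(blocks, private_key):
    """Recipient's step: the private key, and only the private key, undoes it."""
    return bytes(apply_key(blocks, private_key)).decode()

if __name__ == "__main__":
    public, private = make_keys(61, 53)       # n = 3233, phi = 3120, d = 2753
    scrambled = encrypt("hello", public)
    print(scrambled)                          # numbers between 0 and 3232, not letters
    print(decrypt(scrambled, private))        # hello
    print(apply_key(scrambled, public))       # applying the public key again does NOT give the message back
```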

How does it prevent attacks or help us recover from an attack?
  • Encryption makes sending data over a network more secure, as even if a connection is compromised the data should remain unreadable.
  • Encryption buys us time to make changes, change passwords or take other steps to secure data before the encryption is broken