Average User Security (Tutorial)
Many of the same questions keep surfacing in different form over and over again and I figured it would be useful for users to have a singular reference to answer (mostly) all the security needs of your average computer security neophyte.
1.1q. Do I need a firewall?
1.1a. If you find yourself in the position of needing to ask this question, odds are the answer is “Yes, you do need a firewall.” The reason being that your knowledge of computer security isn’t sufficient to determine your needs, much less establish alternate means of security. Everybody has to start somewhere, and while a firewall may or may not be the best solution for you, it is better to err on the side of what would be considered an industry best practice.
1.2q. Does every system need a firewall?
1.2a. No. While it is true that nearly every system will find its security enhanced by using a very high assurance, bi-directional proxying firewall appliance, frequently the added cost is simply not justified. Other firewall types are more often than not of little use.
1.3q. What is the best firewall?
1.3a. For the type of user asking this question, I would recommend the filtering functionality that is included with Windows 2000/XP, since that is probably what you are using. Other third party firewalls do not, in my opinion, add anything significant in the way of functionality and are invariably of a lower assurance.
1.4q. What are the different types of firewalls?
1.4a. There are generations of firewalls and firewall architectures; do not confuse these very real and correct terms with the casual, useless, and downright incorrect “software” vs. “hardware” firewall types. (The proper term for a “hardware” firewall is either a “dedicated firewall” or “firewall appliance”.)
There are five generations of firewall:
1. Packet Filtering: A basic ACL firewall operating at the Network or Transport level.
2. Application Level: These are typically proxying firewalls and run in level seven of the OSI model. Circuit Level firewalls are a variation on the application level that maintains a virtual circuit between the client and the firewall server.
3. Stateful Inspection: These operate at the network level and analyze traffic at all OSI levels. By using a state table and operating at a lower level than the application firewalls, this firewall is able to offer better performance, a more complete scan of the packets, and tracking of "connectionless" protocols like UDP and RPC based applications.
4. Dynamic Packet Filtering: a dynamic firewall that enables real time rule changes, mostly used to provide UDP support. It remembers all UDP traffic for a short time and makes judgments (based on rules of course) on what to and not to allow.
5. Kernel Proxy: a modular, kernel based, multi-layer firewall that runs in the NT executive and utilizes dynamic and custom TCP/IP based stacks to inspect traffic and enforce applicable security policies.
ACL Based Routers (ABR) are considered 1st generation firewalls
Bastion Hosts (BH) can provide any firewall from generation two to five
All firewalls exist between the Untrusted Network (UN) and the Trusted Network (TN)
There are four different firewall architectures:
1. Packet Filtering Router: UN > ABR > TN This structure provides simple packet filtering for the trusted network.
2. Screened-Host: UN > ABR > BH > TN This structure provides both network-layer and application-layer filtering.
3. Dual-Homed Host: UN > ABR > BH > ABR > TN This structure provides network-layer filtering at both sides of the application-layer filter. This is ideal for translating between multiple network access layer protocols.
4. Screened-Subnet (w/DMZ): UN > ABR > BH > DMZ || ABR > TN This works like the dual-homed architecture, with an added network segment for public servers. This ensures that the external ABR and the BH protect the public servers, while the TN is protected from the DMZ with the BH and internal ABR. This can greatly reduce the risk to the TN in the event of a public server (on the DMZ) compromise.
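The generation list above describes stateful inspection and dynamic packet filtering in terms of a state table that remembers outbound UDP traffic for a short time. The following is an added example (not code from the original tutorial) that contrasts a first-generation static ACL with a stateful filter on a constructed DNS exchange: the static filter must either drop the legitimate reply or open inbound UDP entirely, while the stateful filter admits only the matching reply and expires the entry after a timeout. All addresses, ports and the 30-second UDP timeout are assumptions made for the demonstration.

```python
"""Toy packet filter: static ACL (generation 1) vs stateful/dynamic filter
(generations 3-4).  Added example with constructed sample traffic; it is
not part of the original tutorial and models no real product."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = trusted -> untrusted, "in" = untrusted -> trusted
    t: float         # arrival time in seconds (constructed clock)


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and (self.dport is None or self.dport == p.dport))


class StaticFilter:
    """Generation 1: every packet is judged on its own against an ordered ACL."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


FlowKey = Tuple[str, str, int, str, int]  # proto, inside ip/port, outside ip/port


class StatefulFilter(StaticFilter):
    """Generations 3-4: allowed outbound flows go into a state table; an inbound
    packet matching a live entry is admitted as a reply.  UDP has no handshake,
    so entries are kept only for a short idle window (the 'dynamic' behaviour)."""

    def __init__(self, rules: List[Rule], udp_timeout: float = 30.0):
        super().__init__(rules, default="deny")
        self.udp_timeout = udp_timeout       # assumed value for the example
        self.table: Dict[FlowKey, float] = {}  # flow -> last time seen

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            action = super().decide(p)
            if action == "allow":
                self.table[(p.proto, p.src, p.sport, p.dst, p.dport)] = p.t
            return action
        # Inbound: is this the reverse of a flow we let out?
        key: FlowKey = (p.proto, p.dst, p.dport, p.src, p.sport)
        last = self.table.get(key)
        if last is not None:
            if p.proto == "udp" and p.t - last > self.udp_timeout:
                del self.table[key]          # stale entry: fall back to the ACL
            else:
                self.table[key] = p.t        # refresh and admit the reply
                return "allow"
        return super().decide(p)


def run(fw: StaticFilter, packets: List[Packet]) -> List[str]:
    return [fw.decide(p) for p in packets]


# Constructed traffic: client 192.0.2.10 asks resolver 198.51.100.53 a DNS question.
SAMPLE = [
    Packet("udp", "192.0.2.10", 40000, "198.51.100.53", 53, "out", t=0.0),   # query
    Packet("udp", "198.51.100.53", 53, "192.0.2.10", 40000, "in", t=0.1),    # real reply
    Packet("udp", "203.0.113.7", 53, "192.0.2.10", 40000, "in", t=0.2),      # unsolicited, other source
    Packet("udp", "198.51.100.53", 53, "192.0.2.10", 40000, "in", t=120.0),  # reply long after timeout
]


def compare() -> Dict[str, List[str]]:
    """Decisions of three filters over SAMPLE, one list per filter."""
    allow_out_dns = Rule("out", "udp", 53, "allow")
    strict = StaticFilter([allow_out_dns])                                  # replies never get in
    leaky = StaticFilter([allow_out_dns, Rule("in", "udp", None, "allow")])  # everything gets in
    stateful = StatefulFilter([allow_out_dns])
    return {
        "static_strict": run(strict, SAMPLE),
        "static_leaky": run(leaky, SAMPLE),
        "stateful": run(stateful, SAMPLE),
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name:14s} {decisions}")
```

The static filter has no middle ground: without an inbound rule the reply is dropped, and with a wildcard inbound UDP rule the unsolicited packet from 203.0.113.7 is admitted too. The stateful filter accepts exactly the packet that reverses a recorded flow and, because the entry has aged out, refuses the same reply when it arrives two minutes later.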
2. Anti-Virus Systems
2.1q. Do I need an anti-virus system?
2.1a. If you find yourself in the position of needing to ask this question, odds are the answer is “Yes, you do need an anti-virus system.” The reason being that your knowledge of computer security isn’t sufficient to determine your needs, much less establish alternate means of security. Everybody has to start somewhere, and while an anti-virus system may or may not be the best solution for you, it is better to err on the side of what would be considered an industry best practice.
2.2q. Does everyone need an anti-virus system?
2.2a. No. As a system’s assurance level goes up, it is better able to mitigate the effects of malicious software.
2.3q. What is the best anti-virus system?
2.3a. It is my understanding that at the consumer level most anti-virus systems function largely in the same manner. I suggest you try some of the links below to get a feel for each system’s support and functionality at removing viruses or offering online scans, and make your decision based on these impressions. If you stick to a major name brand, you will not find a huge difference from vendor to vendor in their capacity to protect you.
2.4q. My system has a virus, how do I fix it?
2.4a. If you have an anti-virus system, refer to it to correct the problem. If you lack an anti-virus system but you know which virus you have, several sites offer specific virus removal tools to the general public:
If you suspect that you have a virus, but are not sure which, and you have no anti-virus system, try an online anti-virus system like:
3.1q. A pop-up window said I am broadcasting my IP address, is this bad?
3.1a. No. This is most likely an advertisement attempting to sell you bad software that you don’t need. While using the Internet it is imperative that the systems you attempt to connect to have your IP address (or that of a proxy), without this they cannot send you any information.
3.2q. How do I hide my IP address?
3.2a. The simple answer is to use an anonymous proxy server (APS). The APS accepts your request and forwards it on to the intended destination as its own. When the destination server receives the request, the APS IP address is attached. The destination server then sends its response to the APS, which then forwards this response back to you. Only the APS can see your real address.
View http://www.tech-faq.com/anonymous-surfing.shtml for more information.
3.3q. How do I find my IP address?
3.3a. http://www.whatismyip.com/ will show your IP address as others see it, which may be useful if your system is behind an APS or on a non-routable network. To find your actual system’s IP address: http://support.dlink.com/faq/view.asp?prod_id=1372
4. Operating Systems
4.1q. What is the best operating system?
4.1a. This question is entirely based on the use of the system. Windows is great for office workstations, gaming systems, and servers. Linux is great for computer science students, gaming systems, and servers. UNIX is great for engineering workstations and servers. Mac OS is great for media workstations.
In my opinion Mac OS 9 and AIX are the best standard operating systems. Why? They really feel like finished systems to me. Windows, OS X, Linux, and other Unices all feel like works in progress… I suppose this is rather intangible. I also like a number of high assurance operating systems, but few of them are what I’d call the best general-purpose systems.
4.2q. What is the most secure operating system?
4.2a. Over the years there have been many exceptionally secure operating systems developed by or through the US Department of Defense. The very most secure examples include:
- Kernelized Secure Operating System (KSOS) developed by Ford Aerospace
- Secure Communications Processor (SCOMP) developed by Honeywell Federal Systems
- Secure Trusted Operating Program (STOP) a descendent of SCOMP
- Logical Coprocessing Kernel (LOCK) developed by the Secure Computing Corporation
All of these systems utilize advanced security models, enforce least privilege over the entire operating system via a security kernel, and utilize a reference monitor.
4.3q. What operating system should I use?
4.3a. If you’re a total novice to computers with gobs of money, I’d suggest a Mac.
If you are a total novice with little money I’d suggest Windows.
If you are a total novice with next to no money I’d suggest a beginner Linux distribution like Mandrake.
If you’re an intermediate user with lots of media requirement, I’d suggest a Mac.
If you’re an intermediate user with lots of standard office/student type requirements, I’d suggest Windows.
If you’re an intermediate user with lots of computer science requirements, I’d suggest Linux (Linux is a big world… http://distrowatch.com/ might help you navigate it).
4.4q. How do I secure my operating system?
4.4a. I would start with:
http://www.nsa.gov/snac/ for Windows NT/2000/XP/2003, OS X, and Solaris 8/9.
http://www.cert.org/tech_tips/usc20_full.html for UNIX
http://www.tldp.org/HOWTO/Security-HOWTO/index.html for Linux security
Other documents exist, but these are simple and will get you by.
5.1q. What is DRM and TCPA?
5.1a. DRM stands for Digital Rights Management (Not Digital Restrictions Management as many claim) and TCPA stands for Trusted Computer Platform Architecture.
DRM is a technology that allows intellectual property owners to license their property in a very finely grained manner.
TCPA is a new type of system that uses a hardware based DRM key management system to enforce DRM at all levels of the system, including the operating system kernel.
5.2q. Is DRM or TCPA a good or bad thing?
5.2a. This is a very complicated question, to make matters worse it seems that very few people really have much of an idea as to exactly how TCPA/DRM work.
Opponents say that TCPA will take control of the system out of the system owner’s hands and place it into software and media corporations’ hands. This is partially true, software and media corporations will be able to exert significantly more control over how users are able to use their DRM protected products. The fear is that malicious software would be afforded the same level of control and that the operating system vendors and hardware vendors would be able to pick and choose what they will allow to run on their systems.
Proponents cite the power that DRM/TCPA gives them, for example allowing users to rent songs or movies, or even doing things like creating technical drawings that can only be viewed on a particular vendor’s system for no more than the duration of the project. This relieves the vendor of much of the responsibility to protect the drawing. Another example is internal memos that can only be viewed within the given organization’s systems for a limited amount of time. They also cite that TCPA systems will give users greater control over what is installed.
5.3q. Will DRM or TCPA kill open source software?
5.3a. No. TCPA provides systems with an untrusted ring specifically for DRM-free software (including, if they wish, the entire operating system and all applications). Additionally, TPM extensions already exist for the Linux kernel.
6.1q. How many characters is enough for the password policy at my work?
6.1a. Eight, with basic complexity requirements and a reasonable life-cycle (30-90 days). Any less than this and you are failing to meet industry best practices. Any more than this and you are putting unfair pressure on your employees consequently increasing the likelihood of them writing the passwords down or calling tech support all the time.
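As an added illustration (not part of the original tutorial) of the policy just stated, here is a small checker that applies the three numbers the answer gives: a minimum of eight characters, basic complexity, and a maximum age of 90 days. "Basic complexity" is interpreted here as at least three of the four usual character classes; that threshold, the helper names, and the sample passwords and dates are assumptions made for the example.

```python
"""Password policy checker for the eight-character / basic-complexity / 90-day
policy.  Added example; the 3-of-4 class rule is an assumption, not a quote
from the tutorial."""
import string
from datetime import date
from typing import List

MIN_LENGTH = 8        # from the tutorial's answer
MAX_AGE_DAYS = 90     # upper end of the 30-90 day life-cycle in the answer
MIN_CLASSES = 3       # assumption: "basic complexity" = 3 of the 4 classes below


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit and punctuation appear."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def check_password(password: str, set_on: date, today: date) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    age_days = (today - set_on).days
    if age_days > MAX_AGE_DAYS:
        problems.append(f"older than {MAX_AGE_DAYS} days ({age_days})")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a quick look at the output.
    today = date(2024, 4, 10)
    for pw, set_on in [("Tr0ub4d!", date(2024, 2, 10)),
                       ("password", date(2024, 4, 1)),
                       ("Ab1", date(2024, 1, 1))]:
        print(pw, check_password(pw, set_on, today) or "ok")
```

The checker reports every violation rather than stopping at the first, so a help-desk script or login hook can tell the user exactly what to change; exactly eight characters and exactly 90 days both pass, matching the answer's limits.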
6.2q. What kind of resource monitoring policy should I adopt at my work?
As far as enforcing the policies, users must be notified that their activities can be monitored at any time and for any reason, and that any information gathered may be used against them in accordance with the policy and strictly at the manager’s discretion. Mandatory policies such as blocking some sites show a lack of trust by treating the employees like children. This will damage morale and lead to bored, listless, and overall unproductive and resentful workers.
6.3q. What is the best way to develop and maintain a secure work environment?
6.3a. Review the links in 8.1 for ISO 17799, as well as ISO 21827 (SSE-CMM) and x-CMM (including the IDEAL model). These should set you on the right path to accomplish the often very nebulous task of consistently improving complicated process environments.
6.4q. How do I keep morale high while keeping the environment restrictive?
6.4a. Remember that employees are people and what’s more adult people. Don’t apply senseless filters to their web access, don’t require them to remember overly lengthy or complicated passwords. In fact don’t require them to do much more than what common sense dictates. Draconian policies tend to do little more than harm morale and lower employee willingness and eventually reduce compliance.
6.5q. What is the best way to get users to report policy violations?
6.5a. An anonymous whistle blower website is the best method. Provide the users with a list of free/free trial anonymous surfing websites and provide the users instructions on using this account to report infractions. Users provided with external assurance of anonymity are likely to be far more honest about problems that might make them politically unpopular otherwise.
6.6q. Who should Information Security report to in my organization?
6.6a. Ideally your organization will have a Chief Information Security Officer (CISO) or Chief Security Officer (CSO). Most importantly, the InfoSec department must not report to a department that should fall under its jurisdiction, like the IT department, yet this is the most common arrangement. In these instances IT will avoid spending money on security recommendations and instead focus on fulfilling its project schedules, and when a breach occurs InfoSec will take the blame since they failed to enforce the security requirements (even though they just plain lacked the power to do so). Politics get very messy at this point.
7.1q. What is hacking/cracking?
7.1a. Hacking (as referred to by the world at large and “cracking” by people who take themselves way too seriously) is the malicious act of exploiting or attempting to exploit a flaw in an automatic data processing system (computer/ATM/etc). Basically forcing a system to do something it shouldn’t either for personal gain or to harm the system owner.
7.2q. How do I become a hacker in six easy steps?
7.2a. Since hacking is illegal (see 10.1) this question is not likely to be received with warm fuzzies from pretty much anyone you ask.
Your best bet to quickly become a hacker is to join the ranks of the script kiddies. Script kiddies are noted for having the lowest level of knowledge and the highest level of effectiveness. Why? Because script kiddies don’t tend to target specific systems, they target specific vulnerabilities.
1. Monitor your favorite computer security news website or mailing list for new exploits.
2. Once you find one that you like, search for systems that utilize the affected software.
3. Attack the vulnerable system with your packaged exploit (“script”).
4. Find an IRC network (irc.fbi.gov is a popular one).
5. Brag about your hack to everyone you can find.
6. If the system from step 2 was important enough or you repeated steps 2 & 3 enough times the government and then the media will declare you a “hacker” to the world.
7.3q. I’ve been/am being hacked, what should I do?
7.3a. Read http://www.cert.org/tech_tips/win-UN...ompromise.html and come back with specific questions at any point.
7.4q. What is the difference between “White hat” and “Black hat” hacking?
7.4a. Ideally “White hat” hacking would be non-malicious hacking (which seems to fly in the face of the original definition of hack I listed above), in that the white hat hacker will attempt to compromise a system without damaging it and report the vulnerability to the system owner (see 10.1). This of course has great legal risks and is an infrequent use. Normally a “white hat” is someone who lacks the resources to actually compromise systems and, as a method of saving ego, claims this is for moral reasons and not lack of ability. White hat hacking may also, but not typically, include penetration testing, where an organization pays the hacker to try to compromise their system and report back the findings.
8. General Information Security
8.1q. Where can I learn about security standards and regulations?
8.1a. Non-Official Sites (NOS) are sites that I have found to be the most useful on a subject though not strictly a 100% trustworthy source, e.g. they may be selling a related product or service.
http://www.radium.ncsc.mil/tpep/libr...bow/index.html Rainbow Series
http://niap.nist.gov/cc-scheme/index.html Common Criteria
http://www.17799.com/ (NOS) ISO 17799
http://www.sse-cmm.org/index.html SSE-CMM/ISO 21827
http://csrc.nist.gov/publications/nistpubs/ NIST 800 Series
http://www.aicpa.org/info/sarbanes_oxley_summary.htm (NOS) Sarbanes-Oxley
8.2q. Between programming language X and Y, which is more secure?
8.2a. The question of secure programming languages must be one of assurance. Since all programming languages eventually get turned into the same machine code, all a high level language can offer is tools that ensure bounds checking, garbage collection, type constraints, synchronization/serialization checks, object reuse checks, etc. However, such a language isn’t really any more secure; it just allows for the simpler development of secure code. (This of course assumes no significant flaws in the compiler/interpreter.)
8.3q. Between application X and Y, which is more secure?
8.3a. Since applications are not capable of enforcing the level and type of system resources they can access, the idea of relying on applications for security is a foolish one.
That said, you want to seek applications that require minimal access to system resources. This ensures that they can be locked up in the smallest compartment by the operating system, which is ultimately responsible for all system security functionality.
9. Industry Certifications
9.1q. What certification should I get?
9.1a. For my money I would have to say that the CISSP is the most universally useful security certification. It is known by everyone, it is respected, it includes experience and education requirements giving your resume more overall assurance.
9.2q. Will X certification get me more money or a better job?
9.2a. Your best bet here is to search sites like dice or careerbuilder (they more frequently list the rate of pay) for the certification you are pondering. Keep in mind that geography typically plays a part in the value of a given cert. As a rule, most of the big name certs will give you better potential for higher paying jobs, but depending on the rest of your resume, your mileage will vary.
9.3q. Where can I learn about the different certifications?
9.3a. https://www.isc2.org/ for CISSP, SSCP, and CAP
http://www.isaca.org/ for CISA and CISM
http://www.comptia.org/ for Security+
http://www.giac.org/ for a whole slew of G* certs
http://www.iatrp.com/ NSA’s IAM certification
I am NOT, I repeat NOT a lawyer. I do, however work with many lawyers and have seen the following questions addressed many times in many different situations. My advice is based on these observations and should be used for nothing more than potential topics of conversation to have with your own lawyer should you find yourself in any of these situations.
10.1q. Is X illegal?
10.1a. A major component of illegality is “does the action incur undue cost on the victim?” and sadly this is nearly impossible to predict. The important part is the “undue” part. If you click the “buy it now” button on the victim’s website and this kills their webserver, clearly the cost is not “undue” as their faulty system has incurred the costs upon them. However, if you use Nmap to fingerprint the webserver with malformed packets and it dies, you may well find yourself in court.
The difference is “normal use” and as a rule of thumb ANYTHING outside of normal use could, in theory land you in court. Cyber-law is a new and still developing field, but if you don’t wish to be an example I would say your best bet is to use common sense about what “normal use” might be.
10.2q. How do I report a cyber-crime?
10.2a. http://www.cybercrime.gov/reporting.htm Should have all the information you need.
10.3q. How do I fight a file sharing violation?
10.3a. The simplest way to fight the RIAA is to make one or both of two claims:
1. “My system was compromised and I had no idea it was being used for such things, thank you for reporting this, I have contacted my local law enforcement agency.”
2. “I was using that file sharing application to download music, which I am legally allowed to do. As to the sharing, I have been told the application does that by default and I really don’t know enough about computers to change this. Ignorance of the law is no excuse, but unless you are willing to train me how to not only use this file share application, but also to secure my computer in a usable manner that prevents my files from being shared, I am not legally responsible for not being a computer security expert.”
I have personally used the latter with good success.