CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [251]
If you want to be able to experiment and implement anything, you should create your own personal lab environment at home. Your lab could consist of a small network of physical machines or a single high-end machine running a virtual operating system (OS) emulator system, such as VMware or Microsoft’s Virtual Server. Then, when you can’t implement something at work, you can do it at home. Unless you are the security administrator for your employer, it is doubtful you’ll be able to implement many of the security recommendations covered in this appendix. Although you should submit requests and suggestions to the appropriate personnel, if you want to gain hands-on experience, you’ll need to find another avenue to explore and develop your new security skills. A home lab is the best place to start. Even if your home lab is just one underpowered system with a dial-up modem to an ISP, it is enough to start the learning process.
VMware Player allows you to work in multiple environments on one system (http://www.vmware.com/products/player/).
In some cases, the actions you take, although motivated by good intentions and dictated by sound security concepts, can be perceived as unethical, abnormal, suspicious, antisocial, a breach of security, and even criminal. Think before you act. Consider the effects your actions will produce. Ponder how others will perceive you if they notice your actions. If you are seen peeking around a corner, you might be perceived as spying or trying to hide something. If you are caught looking at network traffic, you can be perceived as a hacker. If you are caught in an area where you are not assigned to work, you can be perceived as a thief or trespasser. Remember, even when doing good, without proper permission and authority your actions can be perceived as unethical and criminal.
If your job is important, then keep communication open with your superiors and the security administration. Often they will be supportive of your desire to learn and improve yourself, which is especially the case when your new skills will benefit the organization directly. However, pushing too far, overstepping your limits, or encroaching on another person’s boundaries or areas of responsibility can have negative consequences. These can range from minor verbal warnings to job termination or even criminal prosecution. When in doubt, don’t. Instead, be proactive and ask for help and guidance from those in your organization with the authority and the know-how.
Not only should you always seek permission, it is highly recommended that you get permission in writing.
There is at least one dark secret that everyone in the IT industry has been keeping from you: No operating system—not Windows, not Unix, not Novell, not Sun, not Linux, not Macintosh—can be fully and completely secured. Therefore, given enough time and resources, every network, every system, and every file can be compromised. While it is true that some solutions and systems offer more security than others, each product, hardware, or software has its own share of problems and issues. Every technological security mechanism has a fault, flaw, oversight, weakness, workaround, or maximum strength that can be overcome. Therefore, picking the “right” OS is not the whole solution—especially because anyone can be an attacker. Modern-day attack tools are powerful, and they don’t necessarily require a high level of sophistication from the attacker (hence the terms script kiddie and ankle biter).
Security breaches can arise from a myriad of vectors, including external intruders, internal attackers, misguided insiders, contractors, malicious code, accidents, and oversights. A complete security solution does not stop all attacks,