CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [267]
Users should be trained to avoid malware and risky behavior. You should issue the following warnings to users:
■ Don’t download anything from the Internet.
■ Never install any unapproved software.
■ Don’t bring in storage media from outside.
■ Don’t leave removable media in drives.
■ Don’t boot with removable media connected to a computer.
■ Stay away from private or noncommercial sites.
■ Always type links into a browser; never click on them from e-mails or documents.
■ Don’t accept certificates from unknown CAs.
■ Never trust an entity just because you know the CA that issued their certificate.
Consider deploying a sheep-dip system for precleaning removable media before use on your LAN. A sheep-dip system is a stand-alone machine that is used solely to scan portable storage devices for malware before they are used on secured LANs. The sheep-dip system needs to be manually updated several times a day with signature database updates because it is air-gapped from the rest of the network. Every device that can store data must be checked by the sheep-dip system before it is connected to the LAN. This scrutiny needs to include cell phones, PDAs, audio/video players, digital cameras, USB drives, floppies, and CD/DVDs.
Upgrade when a vendor releases a new version of its product, but not in a knee-jerk fashion. Give the new version a few months of “public” testing before making the migration. This waiting period lets others discover and experience the growing pains of new solutions, and you can learn and benefit from those early adopters. Plus, always thoroughly test new software before deployment. This testing applies to any code, including new versions of software, engine patches, function upgrades, and even signature and pattern database updates. The newer the technology, the more likely it is to provide reliable protection against newer malware attacks.
Making Stronger Passwords
Passwords are the most common form of authentication; at the same time, they are the weakest form of authentication. Password attacks have become ubiquitous, and reliance solely on passwords is not true security. At least four attack methods are used to steal or crack passwords, and all of them involve reverse hash matching. This is the process of stealing the hash of a password, either directly from an authentication server’s account database or by plucking it out of network traffic, and then recovering the original password from it. Because a hash function cannot be run backward, the recovery is done by guessing: the attacker takes potential passwords, hashes each one the same way the authentication system does, and compares the result with the stolen hash. If a match is found, then the potential password is probably the actual password. (By the way, even if the potential password is not the actual password, if it happens to produce the same hash, it will be accepted by the authentication system as the valid password.)
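The reverse hash matching described above, as an added example that is not code from the study guide. It builds a constructed account database of unsalted SHA-256 hashes, then recovers the passwords by hashing candidates and comparing: first from a small word list, then from simple manipulations of those words (case changes, one leet substitution, a short suffix), and finally by exhaustively enumerating short strings. The account names, word list and hashes are all made up for the example; a real attacker would also need to match the target system's exact hashing scheme, including any salt.

```python
import hashlib
import itertools
import string
from typing import Iterable, Iterator, Optional, Tuple


def sha256_hex(candidate: str) -> str:
    """Hash a candidate exactly as the (hypothetical) server does: unsalted SHA-256."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


# Constructed account database: the hashes an attacker might pull from a
# server or sniff off the wire. Usernames and passwords are invented.
STOLEN_HASHES = {
    "alice": sha256_hex("sunshine"),   # plain dictionary word
    "bob":   sha256_hex("Sunsh1ne!"),  # dictionary word after hybrid manipulation
    "carol": sha256_hex("zq7"),        # short random string; only brute force finds it
}

# Constructed word list; real lists are tailored to the target's interests,
# hobbies, employer and so on.
WORDLIST = ["password", "letmein", "dragon", "sunshine", "qwerty"]

# Single-character substitutions and suffixes used by the hybrid attack.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ["", "!", "123"] + [str(d) for d in range(10)]


def dictionary_candidates(words: Iterable[str]) -> Iterator[str]:
    """Dictionary attack: each word from the prebuilt list, unchanged."""
    yield from words


def hybrid_candidates(words: Iterable[str]) -> Iterator[str]:
    """Hybrid attack: dictionary words with case changes, one leet
    substitution at a time, and a short numeric/symbol suffix."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            variants = [base]
            for i, ch in enumerate(base):
                if ch.lower() in LEET:
                    variants.append(base[:i] + LEET[ch.lower()] + base[i + 1:])
            for variant in variants:
                for suffix in SUFFIXES:
                    yield variant + suffix


def brute_force_candidates(alphabet: str, max_len: int) -> Iterator[str]:
    """Brute-force attack: every string over the alphabet, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def reverse_hash_match(target_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Hash each candidate and compare with the stolen hash; return the first match."""
    for candidate in candidates:
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


def crack(target_hash: str) -> Tuple[Optional[str], Optional[str]]:
    """Run the attacks cheapest-first; return (method, recovered password)."""
    attacks = [
        ("dictionary", lambda: dictionary_candidates(WORDLIST)),
        ("hybrid", lambda: hybrid_candidates(WORDLIST)),
        ("brute force", lambda: brute_force_candidates(string.ascii_lowercase + string.digits, 3)),
    ]
    for name, make_candidates in attacks:
        found = reverse_hash_match(target_hash, make_candidates())
        if found is not None:
            return name, found
    return None, None


if __name__ == "__main__":
    for user, stolen in STOLEN_HASHES.items():
        method, password = crack(stolen)
        print(f"{user}: {method} -> {password}")
```

The whole run takes a fraction of a second because an unsalted, fast hash lets the attacker test tens of thousands of guesses per second on ordinary hardware. The same guess-hash-compare loop works against any hash, but a per-user salt forces the attacker to redo the work for every account, and a deliberately slow password hash (bcrypt, scrypt or Argon2) raises the cost of each guess by orders of magnitude.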
There are four password-cracking or -guessing attacks:
Dictionary These attacks generate hashes to compare by using prebuilt lists of potential passwords. Often these lists are related to a person’s interests, hobbies, education, work environment, and so forth. Dictionary attacks are remarkably successful against non-security professionals.
Brute force Brute-force attacks generate hashes from systematically generated passwords. A brute-force attack tries every valid combination for a password, starting with single characters and adding characters as it churns through the process. Brute-force attacks are always successful, given enough time. Fortunately, the time grows exponentially with password length and character-set size; brute-force attacks against strong passwords eight characters long can take up to three years, although the actual figure depends on the hash algorithm and the attacker’s hardware and shrinks as hardware gets faster.
Hybrid These attacks take the base dictionary list attack and perform various single-character and then multiple-character manipulations on the base passwords. This includes adding numbers or replacing letters with numbers or symbols. Hybrid attacks are often successful against even security