CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [272]
While rubber hose attacks are sensationalized on television and in the movies, attacks that target people are most often more benign in nature and less noticeable. In fact, most victims of successful attacks are unaware that they were ever considered a target. This form of attack is called social engineering. Social engineering involves a con artist running a scam on unsuspecting people to gain access or privilege the attacker would otherwise be unable to obtain. Social engineering attacks exploit human nature, and thus everyone is vulnerable.
Unfortunately, there are no technical security controls that will directly affect, prevent, block, or deter social engineering attacks. Understanding that you are a potential target for social engineering attacks is the best defense against such attacks. Watching out for abnormal, strange, or slightly confusing events, communications, or interactions will often reveal elements of social engineering. Social engineering can take place face-to-face, over the phone, via e-mail, or via a website. Never take anything for granted—verify, verify, verify.
A sure sign of a social engineering attack is when someone asks you to perform an action that is a violation of security policy or that seems unethical or questionable. Never reveal private, confidential, proprietary, or valuable data to anyone via phone, e-mail, the Web, or even face-to-face without absolutely verifying their identity. In most cases, asking for proof of identity will scare away the social engineering attacker. When anything that is slightly odd occurs, report it to your security administrator immediately.
System Hardening Basics
No computer is ever without vulnerabilities. It is not possible to make a fully secured, impenetrable system. However, it is possible to make a system so secure that most attacks will fail and those that don’t will be noticed before significant damage is done. Fully hardening a system is beyond the scope of this appendix, but the foundations of system hardening are well within your grasp.
System hardening has many facets, but one core and overriding principle to follow is this: If you don’t need it, get rid of it. By eliminating all but the bare essentials needed to accomplish your work tasks, you remove numerous vulnerabilities and avenues of attack. Any active process that is not actually being used is simply increasing the complexity of the environment and expanding your attack surface.
The attack surface is a conceptual measure of how much of a system is exposed to potential attackers. A nonhardened system is said to have a larger attack surface than a hardened one because more exposed vulnerabilities exist for the attacker to target. Your job is to understand your systems thoroughly enough to know what is essential and what is extraneous.
One obvious place to start removing the chaff from a computer system is to examine its services. After you think you know which services are extraneous, you need to test them one by one. Here is the basic process:
1. Perform a systemwide backup (an image-level backup is preferred for complete recovery ability).
2. Disable a single service.
3. Reboot the system.
4. Verify that the service is not functioning.
5. Test all required features, functions, and capabilities, both locally and on the network.
6. If all is working as needed, leave this service disabled and repeat the process, starting with step 2, for another service.
7. If all is not working as needed, reenable this service, reboot, and start again with step 2 for another service.
Obviously, this process will take considerable time because there are often dozens of services on basic systems to consider. However, as you learn more about the services themselves and the system you are managing, this process can be truncated greatly. You’ll soon recognize which services can be disabled without negative consequences and thus you won’t need to test every service change.
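The following is an added example, not from the study guide, showing how steps 2 through 7 of the process above can be checked mechanically on a Linux host: it parses `ss -tulnp` listings taken before and after a service is disabled, flags listeners that are not on a required-services allow-list, and reports whether the disabled service is really gone and whether any required service disappeared (the signal to take the step 7 path and re-enable). The `ss` output, the service names, and the REQUIRED allow-list are constructed samples.

```python
import re

# Constructed sample of `ss -tulnp` output for the "before" snapshot (not from a real host).
BEFORE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:111       0.0.0.0:*  users:(("rpcbind",pid=410,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*  users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*  users:(("cupsd",pid=701,fd=7))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*  users:(("nginx",pid=820,fd=6))
"""
# Same host after the print spooler (cupsd) was disabled and the box rebooted (step 3).
AFTER = "\n".join(l for l in BEFORE.splitlines() if "cupsd" not in l) + "\n"
# Services this host exists to provide; everything else is a candidate for removal.
REQUIRED = {"sshd", "nginx"}

def listeners(ss_output: str) -> dict[str, set[str]]:
    """Map each listening process name to the set of proto:port it exposes."""
    found: dict[str, set[str]] = {}
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] not in ("tcp", "udp"):
            continue  # header or unparseable line
        proto, local, procs = parts[0], parts[4], parts[6]
        port = local.rsplit(":", 1)[1]
        m = re.search(r'\("([^"]+)"', procs)  # users:(("name",pid=..,fd=..))
        if m:
            found.setdefault(m.group(1), set()).add(f"{proto}:{port}")
    return found

def extraneous(ss_output: str, required: set[str]) -> list[str]:
    """Listening services not on the allow-list: the candidates for step 2."""
    return sorted(name for name in listeners(ss_output) if name not in required)

def check_disable(before: str, after: str, disabled: str, required: set[str]) -> dict:
    """Steps 4-5: target gone, required services survived, nothing new appeared; ok=False means step 7."""
    b, a = listeners(before), listeners(after)
    report = {
        "service_gone": disabled not in a,
        "required_missing": sorted(required - set(a)),
        "unexpected_new": sorted(set(a) - set(b)),
        "surface_before": sum(len(p) for p in b.values()),  # exposed proto:port pairs
        "surface_after": sum(len(p) for p in a.values()),
    }
    report["ok"] = report["service_gone"] and not report["required_missing"] and not report["unexpected_new"]
    return report
```

Run `extraneous(BEFORE, REQUIRED)` to get the candidate list, then feed real before/after snapshots to `check_disable` after each reboot.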
This “keep it only if you need it” mentality should be applied to every aspect of your computer,