
IDEAS FOR SAFEGUARDING IT ASSETS: For home and enterprise

Most people are under the false impression that installing an antivirus package, an antispyware package, OS updates/security patches, and a firewall is all you need to secure your network resources. Those measures are a good start, but they leave your network open to many additional vulnerabilities. This is why you might have heard of a multi-layered approach to IT security. I am about to discuss multi-layered security with you and give you some things to think about for network security.

Let’s take a quick moment to define the Open Systems Interconnection model (OSI model). Under the OSI model, there are seven layers that encompass all IT networking. They are, in order:
Physical Layer
Data Link Layer
Network Layer
Transport Layer
Session Layer
Presentation Layer
Application Layer (where most IT security products reside, including antivirus and antispyware, and password authentication, like Kerberos.)

You might take a moment to familiarize yourself with the OSI model. The OSI model can be used for anything IT related (especially troubleshooting and IT security). There are alternative models for different types of systems, but this is the most commonly referenced.

This is a pretty good article on the OSI model:
The OSI Layer Model

Before beginning, let's define a couple of terms:

Remediation – in this article, consider remediation to be the process of cleaning up malware after an infection.
Prevention – in this article, consider prevention to be the means of stopping the infection before it occurs.
PII – stands for “Personally Identifiable Information”, including finance data and social security numbers.
Complex or strong passwords – the term strong password implies that you use at least 12 characters. Within those characters, you should include numbers, special characters, capital letters, and small letters. This helps protect against a dictionary attack, where the malicious user tries to guess your password using simple text phrases and number combinations.
Example weak: johnspassword
Example strong: J0hn’sP@55word
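As an added example (not from the original article), here is a small Python checker that applies the article's strong-password rules to a candidate and reports which rules it fails; the COMMON_WORDS list is a constructed stand-in for a dictionary-attack word list, and the article's own weak and strong examples are the inputs (the strong one written with a plain apostrophe).

```python
"""Strong-password check following the article's rules."""

# Requirements as the article defines a strong password: at least 12
# characters, including numbers, special characters, capital letters and
# small letters.
MIN_LENGTH = 12

# Constructed stand-in for a dictionary-attack word list; a real attacker's
# list is far larger, so this only illustrates the idea.
COMMON_WORDS = {"password", "john", "letmein", "welcome", "qwerty"}


def contains_dictionary_word(password: str) -> bool:
    """True if a word from COMMON_WORDS appears verbatim in the password.

    Replacing letters with digits or symbols (J0hn, P@55word) breaks the
    match, which is exactly what the article's strong example relies on.
    """
    lowered = password.lower()
    return any(word in lowered for word in COMMON_WORDS)


def missing_requirements(password: str) -> list:
    """Return the article's strength rules that the password fails.

    An empty list means the password satisfies every rule.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c.isupper() for c in password):
        problems.append("no capital letters")
    if not any(c.islower() for c in password):
        problems.append("no small letters")
    # Anything that is neither a letter/digit nor whitespace counts as a
    # special character, so punctuation such as ' and @ qualifies.
    if not any((not c.isalnum()) and (not c.isspace()) for c in password):
        problems.append("no special characters")
    if contains_dictionary_word(password):
        problems.append("built from a common dictionary word")
    return problems


def is_strong(password: str) -> bool:
    """Convenience wrapper: True only when no rule is violated."""
    return not missing_requirements(password)


if __name__ == "__main__":
    # The article's own examples (strong one written with a plain apostrophe).
    for candidate in ("johnspassword", "J0hn'sP@55word"):
        problems = missing_requirements(candidate)
        verdict = "strong" if not problems else "weak: " + ", ".join(problems)
        print("%-16s %s" % (candidate, verdict))
```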

So, let’s begin discussing each layer in layman's terms, what potential vulnerabilities you have, and ideas to combat these vulnerabilities.

1) PHYSICAL LAYER:
a. TERM- The Physical Layer is the medium that your digital signal travels over. This includes, but is not limited to, fiber optic, WiFi, cellular, copper cabling, microwave, satellite, and infrared. The most common media types are, of course, fiber, copper and wireless (through radio waves).
 
b. VULNERABILITIES- Vulnerabilities include unauthorized access to the medium; in other words, a patch point to plug into. Unauthorized access to points within the network can allow an attacker to circumvent many of your other security features, for example by tapping into your network behind the firewall that shields it from the outside world.
c. IDEAS-

i. Prevention: (For home use and enterprise) Lock things up. This includes access to switches, routers, server rooms and phone closets. So, prevent access to the network and to the hardware interfaces that support the network. Also, disabling or disconnecting unused tap points is a great measure.
ii. Prevention/remediation: (For enterprise or rich folks) Closed-circuit TV and security guards, or limiting access to server rooms, is certainly a good step for a business. Physical controls mean that you monitor and safeguard your network assets. These observations can also be used for insurance claims.
iii. Prevention: (For home and enterprise use) Yet another means of physical control, which is not a part of the physical layer, is to lock up laptops, iPods and cell phones. If these get stolen, you risk losing personally identifiable information.
     
d. CONCLUSION: “Lock up your IT assets from direct access and thievery”. (Switch access, server access, server rooms, phone closets).

2) DATA LINK LAYER:
a. TERM- Each NIC (Network Interface Card) has a specific MAC (Media Access Control) address. That MAC address is assigned by the manufacturer in most cases, and is supposed to be unique for each NIC. The data link layer is all about the NIC’s MAC address. So, the MAC address identifies the networked node.
b. VULNERABILITIES- Data link layer vulnerabilities include the hacker's ability to become a parasite on your wireless network, or to present their computer as if it were your computer through MAC spoofing. In either case, the hacker is using your MAC address to make it appear that they have an identity on your network.
i. Unauthorized access to switches through wireless routers means Johnny Hacker may get into your network behind your firewall. It is rapidly becoming one of the most common security vulnerabilities of a wireless network. This particular vulnerability is known as war driving or war walking.
ii. MAC spoofing means the hacker's computer takes on the MAC address of another node's NIC. This means they could intercept packets meant for the legitimate computer. If they open these packets, they can modify or steal the content and use that data against you.
c. IDEAS-
i. Prevention: (For home use or small enterprise, especially wireless) MAC filtering tells your wireless router to only allow the specific MAC addresses that YOU configure. So, if you have only a few computers (let's say 5), and you tell the router that only those five computers' MAC addresses are allowed to access it, then you have just taken a big step toward preventing war driving or war walking. This is great for small wireless LANs, where administratively adding MAC addresses is not a lot of work. MAC filtering is best applied on a wireless access point for small LANs. It can also be used on wired LANs. In addition to MAC filtering, there are authentication methods to secure a wireless router, which we will discuss next. Combining MAC filtering with wireless authentication makes for a VERY secure wireless network.
ii. Prevention: (For home use and enterprise wireless) For wireless connections, use an encrypted password to connect to the wireless access point. There are a number of protocols. One is EAP.
Did you know that IT security college courses often teach how to decrypt EAP? It’s real easy to do. WPA1 has also been hacked. So, use WPA2 authentication with a strong password. As far as I know, WPA2 has never been deciphered or hacked. EAP has been on a regular basis, and WPA1 has been hacked. This is configured on a wireless router.
iii. Prevention: (For enterprise computers that don’t move around a lot) Sticky ports – the concept behind sticky ports is for the switch to register the MAC address when a computer is plugged in. Then, that MAC address is used to verify whether you get connected or not. You can hold a couple of MAC addresses for one port. But once these run out, the next computer that tries to register will not get connectivity to the switch. In other words, the MAC addresses stick with the switch port that the computer is physically plugged into. (Please NOTE: This is not an option with wireless, because wireless is like a network hub, where data is broadcast instead of switched.)
iv. Prevention: (For enterprise) You can divide different departments into Virtual LANs (VLANs, for short). In essence, you designate which switch ports have which Virtual LAN identifier. Ports on different VLAN IDs will not communicate. Now, with them completely separated, you can begin to grant access to certain services and applications. Allowing them to communicate will be discussed in the next OSI layer, under VLAN trunking. For now, at this layer of the OSI model, let's just say they are on separate LANs and can't communicate with one another.

v. Prevention: (For enterprise only) Frame relay is a point-to-point protocol that encapsulates the data. The headers that encapsulate the data include Data Link Connection Identifier (DLCI) bits that tell two switches, or a switch and a router, the local path between each other. That link between two nodes is routed with least-cost routing. But the link between the two nodes uses a DLCI, which is a Layer 2 protocol. Frame relay is used to virtually connect two sites together by sort of a patching method.
Point-to-point protocols like Frame Relay are called packet switching. Packet-switched links are used extensively in linking sites together, because leasing dedicated lines from the local exchange carrier can be quite expensive. With a point-to-point protocol, you can also include encrypting the data, which will be discussed in the application layer.
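To make the MAC filtering and sticky-port ideas above concrete, here is an added Python model (not the article's code, and not any vendor's implementation) of a wireless access point with an administrator allow list and a switch port that learns a limited number of sticky MAC addresses; the MAC addresses and port name are constructed.

```python
"""Models of MAC filtering (wireless) and sticky-port security (wired)."""
import re
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC written as aa:bb:cc:dd:ee:ff, aa-bb-..., or the
    Cisco-style aabb.ccdd.eeff to lowercase colon form, so the same address
    in a different notation is never mistaken for a new one."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class WirelessAccessPoint:
    """MAC filtering as the article describes it for a home router: only
    addresses the administrator entered may associate. As the article notes,
    a spoofed MAC passes this check, so it is paired with WPA2."""

    def __init__(self, allowed_macs):
        self.allowed = {normalize_mac(m) for m in allowed_macs}
        self.rejected = []          # kept for the router's log/audit view

    def association_request(self, mac: str) -> bool:
        mac = normalize_mac(mac)
        if mac in self.allowed:
            return True
        self.rejected.append(mac)
        return False


@dataclass
class StickyPort:
    """One managed switch port with sticky MAC learning: the first
    max_addresses source MACs seen are learned and stick to the port; any
    further address is a violation and gets no connectivity."""
    name: str
    max_addresses: int = 2
    sticky: list = field(default_factory=list)
    violations: list = field(default_factory=list)

    def frame_seen(self, src_mac: str) -> bool:
        mac = normalize_mac(src_mac)
        if mac in self.sticky:
            return True                     # already learned on this port
        if len(self.sticky) < self.max_addresses:
            self.sticky.append(mac)         # learn it and make it stick
            return True
        self.violations.append(mac)         # table full: deny and record
        return False


def demo():
    """Walk both controls with constructed addresses and return the objects
    so the learned, rejected and violating addresses can be inspected."""
    ap = WirelessAccessPoint(["00:11:22:33:44:55", "0011.2233.4466"])
    ap.association_request("00-11-22-33-44-55")      # allowed, other notation
    ap.association_request("de:ad:be:ef:00:01")      # unknown laptop: rejected

    port = StickyPort("Gi0/1", max_addresses=2)
    port.frame_seen("00:11:22:33:44:55")   # learned (1 of 2)
    port.frame_seen("00:11:22:33:44:66")   # learned (2 of 2)
    port.frame_seen("0011.2233.4455")      # same first host, still allowed
    port.frame_seen("de:ad:be:ef:00:01")   # third host: violation, denied
    return ap, port


if __name__ == "__main__":
    ap, port = demo()
    print("AP rejected:", ap.rejected)
    print(port.name, "sticky:", port.sticky, "violations:", port.violations)
```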

d. CONCLUSION: MAC filtering to prevent unauthorized access to patch points or wireless connections; sticky ports to limit the number of computers that can access those patch points if your LAN is pretty static; WPA2 with a strong password (authentication) for wireless routers at home or in the enterprise; VLANs for enterprise separation of departments. On managed switches, disable ports that are not used.

 
3) NETWORK LAYER:
a. TERM- The network layer of the OSI model is more or less the IP world in the TCP/IP protocol suite; in an IPX/SPX-based protocol it would be the IPX world. Layer 3 includes routers that can change an IP address to another IP address, called NAT (Network Address Translation). NAT is very helpful in hiding your LAN from outsiders. NAT translates an outside (or public) IP address to an inside (or private) IP address, or vice versa. (NOTE: To find out your outside IP address, you can go to whatismyip.com.)
b. VULNERABILITIES- The most common vulnerabilities on the network layer are:
i. IP scanners… IP scanners scan sets of IP addresses until someone answers. They use a ping to find IPs that respond. The reply to this ping can be prevented. If a ping is answered, you now have more vulnerabilities to worry about: brute force attacks and Direct Denial of Service attacks (DDoS). We will review these next.
ii. Packet interception means that someone intercepts packets that were addressed to someone else. Then, a return packet can be modified and used against you. As an example: if a DNS query packet is intercepted, the data can be modified to bombard your DNS server with requests and flood the server. In this case, you have become a victim of a DNS Direct Denial of Service (DNS DDoS) attack.
c. IDEAS-
i. Prevention: (For home users and enterprise) You will want to prevent your network from answering pings from anyone in the outside world. To prevent your network from answering an IP scanner’s ping, go to the router and block ICMP echo replies. ICMP is short for Internet Connections Messaging Protocol, and an echo reply is the answer to a ping, tracert, or nslookup. By disabling ICMP echo replies, you prevent your network from answering a ping scanner, and that ping scanner will move on to someone else. Note: If a hacker receives an answer to a ping scan, they will then use a port scanner to see what ports reply. This port scanner reply is also prevented by denying ICMP echo replies.
ii. Prevention: (For enterprise use only) VLAN trunking allows different VLANs to communicate with one another. We already set up VLANs in Layer 2. That prevents different departments from communicating with each other, as if they were on different networks. Now, you will want to configure them to communicate with each other, but limit the capabilities. This is called VLAN trunking. With VLAN trunking, you can manually configure what you want to communicate between your virtual LANs. So, let's say you want your financial department to get an IP address and domain controller authentication, but not speak to any other VLANs. You can do this through VLAN trunking and application port controls. VLANs are Layer 2 because they limit the switch from communicating. VLAN trunking is Layer 3 technology, because it uses IPs to route through a router as if it were an outside network. So, in order to orchestrate that interconnection, you will need the router or L3 switch to trunk those two separate VLANs together.
With VLAN trunking, you also limit or control broadcast data, and improve performance and security in doing so. Broadcast data includes file and print sharing as well as DHCP server services. Also, for any broadcast data to make it to other VLANs, you need either a relay agent, an IP helper, or SIP. NOTE: This is very complex to configure, and I recommend you use a consultant or networking professional to do so.
iii. Prevention: (For enterprise, and coming soon for home users) Many IT security companies are starting to set their sights on Network Access Control (NAC). What is NAC, you ask? NAC simply verifies that your computer passes all IT requirements prior to getting an IP address or network access. It can make certain you have an antivirus package that is updated. It can make sure your Windows version is updated with the latest security packs, and it can also make sure an antispyware package is installed. So, it makes sure your computer is compliant before granting access. If not, it can grant you limited access to perform the updates or fix the problems before you are granted full access to the rest of the LAN/WAN. Many schools are starting to use this, because of the number of personal laptops that are coming onto the school’s network.
iv. Prevention: (For enterprise) Before access to the internal LAN/WAN is granted, a RADIUS server authenticates using administrator-defined criteria before an IP address is given out. It can use a number of different verifications to make sure the user authenticating is that user’s PC or is that user. Without this verification, a RADIUS server will deny access to the network from a remote location. This is great for enterprise WAN/LAN access from the outside world. But make sure the authentication is strong and not easily figured out. This includes strong passwords (which we will discuss later).
v. Prevention: (For home routers and enterprise routers) Of course, you don’t want people finding access to your router. Most routers these days offer the ability to connect and program the router using a command line interface called telnet, a web-based interface (like a web page), or a console port for direct access. In order to safeguard against anyone taking control of your router, you want to make sure that it is protected with a strong password, and that the password is not seen in clear text. So, a strong password, with the password being encrypted (PAP or CHAP). PAP means Password Access Protected, while CHAP means Challenge and Handshake Protocol. PAP uses a password to encrypt the data under a public key. CHAP uses a challenge and handshake using a private key. CHAP is much more secure for authenticating access. So, to clarify, you have an authentication method called CHAP or PAP, and an encryption of that password to prevent it from being read in plain text.
vi. Prevention: (For home users and enterprise) NAT stands for Network Address Translation. This means it takes your public IP address and changes it to a private IP address. This is performed by the router. This hides you behind your NAT router so that no one sees you in the internet cloud. Most routers are NAT. Some are called PAT routers, which we will define in the next OSI layer, called the session layer. Most people refer to a NAT router as a hardware firewall, or enterprise firewall. We will define firewalls much better in the next OSI layer.
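Blocking echo replies is the prevention side; the detection side, as an added example that is not from the original article, is to notice an IP scanner's ping sweep, or the port scan that the article says follows a reply, in your router's firewall log. The Python below reads constructed log lines in the netfilter/iptables LOG key=value style and flags a source that pings many hosts or probes many ports on one host; the thresholds and addresses are assumptions.

```python
"""Spot an IP scanner's ping sweep and follow-on port scan in a firewall log."""
import re
from collections import defaultdict

# Constructed log lines in the netfilter/iptables LOG key=value style.
# 203.0.113.7 pings five internal hosts and then probes five ports on one of
# them; 198.51.100.4 is ordinary traffic; the last line is our own echo reply
# (ICMP TYPE=0) going out, which must not be counted as a probe.
SAMPLE_LOG = [
    "Mar 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0",
    "Mar 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.2 PROTO=ICMP TYPE=8 CODE=0",
    "Mar 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.3 PROTO=ICMP TYPE=8 CODE=0",
    "Mar 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.4 PROTO=ICMP TYPE=8 CODE=0",
    "Mar 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.5 PROTO=ICMP TYPE=8 CODE=0",
    "Mar 10 12:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.3 PROTO=TCP SPT=40001 DPT=22",
    "Mar 10 12:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.3 PROTO=TCP SPT=40002 DPT=23",
    "Mar 10 12:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.3 PROTO=TCP SPT=40003 DPT=25",
    "Mar 10 12:00:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.3 PROTO=TCP SPT=40004 DPT=80",
    "Mar 10 12:00:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.3 PROTO=TCP SPT=40005 DPT=443",
    "Mar 10 12:00:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.3 PROTO=ICMP TYPE=8 CODE=0",
    "Mar 10 12:00:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.3 PROTO=TCP SPT=51515 DPT=443",
    "Mar 10 12:00:11 gw kernel: IN= OUT=eth0 SRC=192.0.2.3 DST=198.51.100.4 PROTO=ICMP TYPE=0 CODE=0",
]

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line: str) -> dict:
    """Return the key=value fields of one LOG line as a dict (OUT= gives '')."""
    return dict(KV_RE.findall(line))


def detect_scans(lines, sweep_threshold=5, portscan_threshold=5):
    """Return findings for sources that ping >= sweep_threshold distinct hosts
    (ping sweep) or hit >= portscan_threshold distinct ports on one host
    (port scan). Only ICMP echo requests (TYPE=8) count toward a sweep."""
    ping_targets = defaultdict(set)   # src -> hosts it sent echo requests to
    port_targets = defaultdict(set)   # (src, dst) -> destination ports probed
    for line in lines:
        f = parse_log_line(line)
        if "SRC" not in f or "PROTO" not in f:
            continue                  # not a firewall LOG line
        if f["PROTO"] == "ICMP" and f.get("TYPE") == "8":
            ping_targets[f["SRC"]].add(f["DST"])
        elif f["PROTO"] in ("TCP", "UDP") and "DPT" in f:
            port_targets[(f["SRC"], f["DST"])].add(int(f["DPT"]))

    findings = []
    for src, hosts in ping_targets.items():
        if len(hosts) >= sweep_threshold:
            findings.append({"kind": "ping_sweep", "src": src, "count": len(hosts)})
    for (src, dst), ports in port_targets.items():
        if len(ports) >= portscan_threshold:
            findings.append({"kind": "port_scan", "src": src, "dst": dst,
                             "count": len(ports), "ports": sorted(ports)})
    return findings


if __name__ == "__main__":
    for finding in detect_scans(SAMPLE_LOG):
        print(finding)
```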
d. CONCLUSION: Prevent ICMP echo replies to the outside world on all routers, consider RADIUS servers for enterprise business, and also consider VPNs with IPsec encryption for remote access into the LAN. Also consider VLANs with VLAN trunking for virtually separating your internal enterprise LANs/WANs. Set up strong passwords with CHAP and encryption to prevent unauthorized access to router or switch configuration ports like the HTTP, console port, and telnet interfaces. All methods can be “Google searched”. Some may need a networking professional. WARNING: Do not block all ICMP traffic, because that messaging protocol is used for assisting with maximum packet sizes as well as other communication functions. NAT puts you behind a hardware firewall and in your own private IP space. Consider IPv6, but know how to configure it for home and enterprise use.

4) TRANSPORT LAYER
a. TERMS- In lay terms, this layer is used to control how data is transported across the network. The first protocol is TCP (Transmission Control Protocol). It is used to make sure packets have a sequence, a set size, and a number of other specifications for the data packets. Then, there is a second protocol called User Datagram Protocol (UDP). This is a connectionless protocol and is often used for broadcasting data to multiple end users. The third type of protocol is called Secure Sockets Layer and Transport Layer Security, or SSL/TLS. Not many IT security vulnerabilities were created for this layer, but the ones that exist can be devastating to the network.
b. VULNERABILITIES-
i. Vulnerabilities are pretty much centered around intercepting broadcast data and manipulating the data to be used against the users. One is called a DoS attack and the other a DDoS attack (for Denial of Service and Distributive Denial of Service).
A DoS attack can be a TCP SYN attack, where the TCP flag for synchronization is sent and holds up the synchronization queues. You see, when a connection-based connection is made, a queue is set up to make sure the data is synchronized between two end points. But there is a limited number of queues that can be set up on one machine. So, the attacker sends out multiple TCP SYN requests, and the unsuspecting user's machine has multiple queues set up that take up the connections between end users. Once the limit on the number of queues is reached, the next connection is denied.
A UDP flood is another type of attack, where the attacker sends User Datagrams to the distant machine to make connectionless requests to an application port that is not associated with a specific application. If many of these UDP packets are sent, the user's computer is flooded: it keeps receiving UDP packets and trying to send out an Internet Connection Messaging Protocol (ICMP) reply that says the destination is unreachable.
For more about Transport Layer Protocol Security Vulnerabilities, I found a great article that explains them in detail. Here it is: Transport Layer Security Vulnerabilities
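As an added example (not from the original article), here is Python that reads a constructed netstat-style TCP connection table and counts half-open (SYN_RECV) connections, which is how the queue exhaustion described above shows up on the victim machine; the backlog limit and per-source threshold are assumed values for the demo.

```python
"""Count half-open TCP connections to see a SYN flood from the victim's side."""
from collections import Counter

SYN_RECV = "SYN_RECV"   # Linux netstat name for a connection stuck mid-handshake


def build_sample_table():
    """Constructed `netstat -tan` style output: 12 half-open connections from
    one source against port 80, two normal sessions, and one stray SYN."""
    rows = ["Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    for i in range(12):
        rows.append("tcp        0      0 192.0.2.10:80           203.0.113.7:%d      SYN_RECV"
                    % (40000 + i))
    rows.append("tcp        0      0 192.0.2.10:80           198.51.100.4:51515     ESTABLISHED")
    rows.append("tcp        0      0 192.0.2.10:22           198.51.100.9:42001     ESTABLISHED")
    rows.append("tcp        0      0 192.0.2.10:443          198.51.100.4:51520     SYN_RECV")
    return rows


def parse_netstat_line(line: str):
    """Return {local_port, remote, state} for a tcp/tcp6 row, else None.
    rsplit on the last ':' keeps IPv6 addresses intact."""
    parts = line.split()
    if len(parts) < 6 or not parts[0].startswith("tcp"):
        return None                       # header line or non-TCP row
    local, remote, state = parts[3], parts[4], parts[5]
    _, local_port = local.rsplit(":", 1)
    remote_host, _ = remote.rsplit(":", 1)
    return {"local_port": int(local_port), "remote": remote_host, "state": state}


def half_open_report(lines, backlog_limit=128, per_source_threshold=10):
    """Summarize SYN_RECV entries: total, sources holding many half-open
    slots, and listening ports whose half-open count has reached the
    (assumed) backlog limit, i.e. the point at which new connections are
    refused as the article describes."""
    per_source = Counter()
    per_port = Counter()
    for line in lines:
        conn = parse_netstat_line(line)
        if conn and conn["state"] == SYN_RECV:
            per_source[conn["remote"]] += 1
            per_port[conn["local_port"]] += 1
    return {
        "half_open_total": sum(per_port.values()),
        "suspect_sources": {s: n for s, n in per_source.items()
                            if n >= per_source_threshold},
        "saturated_ports": {p: n for p, n in per_port.items()
                            if n >= backlog_limit},
    }


if __name__ == "__main__":
    # A tiny backlog makes the saturation visible with the small sample.
    report = half_open_report(build_sample_table(), backlog_limit=10,
                              per_source_threshold=10)
    print(report)
```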
c. IDEAS-
i. Prevention: (For home and enterprise) There are two types of transports in TCP/IP. One is a direct transport, like TCP. It requires handshaking and then making sure the complete data set arrives at the distant end. Because of the handshake (much like a modem-to-modem handshake), it's pretty much a point-to-point communication.
The other just sends out the data without all these confirmations. So, it is often used for broadcast data to many computers. This second protocol is UDP (which stands for User Datagram Protocol). You might consider disabling some of the broadcast protocols that rely upon UDP (like NetBIOS or NetBEUI). But be extra careful and know what you are disabling on YOUR network. By disabling these broadcasts, you prevent the wrong person from intercepting the packets, and you cause less traffic on the broadcast domain (hence improving performance). Some of these broadcasts are specifically targeted by attackers who want to read the data (especially NetBIOS broadcasts). But the broadcast may not be needed. Let's go over a couple of the protocols that are most commonly used against you.
ii. Prevention: (For home users and enterprise) NetBEUI is an outdated broadcast protocol that you can safely remove. There is no real need for NetBEUI any more. NetBEUI was replaced by NetBIOS. NetBIOS is allegedly being replaced by DNS, but Microsoft (for instance) still supports the WINS service, allowing devices to be found using this protocol. NetBEUI sends out your shared file names and computer name as easily readable information.
iii. Prevention: (For home users mostly, and maybe enterprise) NetBIOS is a broadcast protocol still used for file and print sharing to this day. NetBIOS and DNS are similar in structure and use, but serve different functions. An example is the use of NetBIOS names versus fully qualified domain names. A server called server1 is likely to be referenced using its NetBIOS name, whereas the same server contacted externally across the internet, such as server1.internal.local, would be accessed using its DNS name.
Think of NetBIOS as a means to reach out to many clients without a response (sort of like a speech to a group of people). The speech includes information on your computer name and which files and printers it is sharing out. If you are a home user and don’t share files on your network or map printers by printer name, you should consider disabling NetBIOS. But NetBIOS is also used by some software to communicate with groups of computers by computer name. As an example, some antivirus software will map to a list of computers to centrally manage the antivirus program by computer name. NetBIOS is used at the enterprise level to map printers, see computers in My Network Places, provide access to common internet file shares (CIFS shares), and work with some asset tracking and enterprise management software. NetBIOS shares are highly targeted because of the authentication protocol often associated with them. For home users, you can map your networked printers by IP address to avoid having to use NetBIOS for finding networked printers. NOTE: It is important that you know the overall ramifications of preventing NetBIOS before you go ahead with disabling NetBIOS broadcasts. BUT, disabling NetBIOS is a big network security improvement. We will discuss the different authentication protocols after introducing DNS UDP packets.
iv. Prevention: (For information, NOT to be disabled) Microsoft tried to migrate all Common Information and File Sharing (CIFS) data to use DNS instead of NetBIOS broadcasts. DNS and NetBIOS are basically the very same structure and are used for the same purpose. They are used to provide a GUI display of computers and file shares, and to identify the authentication server using these broadcasts. Every 2 minutes, a client computer sends out a UDP broadcast to tell the server "I am here". The server that uses these packets is the authoritative server. This is the slight difference between NetBIOS and DNS. With DNS, the authoritative server is an Active Directory server that provides Kerberos authentication. Kerberos authentication is much like the Public Key Infrastructure, where it uses a public and private key to authenticate. For NetBIOS sharing, the security identification is saved on the local machine, and the computer that orchestrates the connection between machines is called the Domain Master Browser. This is an elected machine and can be a client machine or a mass storage device, and by default is usually the domain Active Directory server. These locally saved credentials are called either LAN Manager hashes (LMhash) or a hash (both are easily hacked).
Yet another difference between DNS and NetBIOS is the GUI browser that each populates. The master browser service populates a browse list in "My Network Places"; that is handled by NetBIOS broadcasts. DNS populates a list of computers and shares in an Active Directory browser. The subtle differences, and the scalability of NetBIOS to accommodate non-domain CIFS sharing and work with older networking software, have kept NetBIOS from becoming obsolete.
v. Prevention: (Mostly for home use) DHCP is another form of broadcast protocol, not a transport layer broadcast. It is used to broadcast a request for an IP address, or to provide an IP address from the DHCP server. So, home users that have a stationary PC can disable DHCP and use static IP addressing. On small LANs, disabling DHCP could help prevent an unauthorized person from gaining an IP address within your LAN and therefore communicating on your LAN.
vi. Prevention: (Mostly for enterprise) To prevent others from reading this data, you can implement Transport Layer Security or Wireless Transport Layer Security (TLS or WTLS for short). That encrypts the packets and makes them unreadable if intercepted by the wrong person.
vii. Prevention: (For home and enterprise) The best prevention is a firewall that blocks unwanted traffic from the outside. A firewall can block protocols from Layer 3 to Layer 7 of the OSI model. By blocking unwanted TCP, UDP and SSL/TLS packets, you are securing your network considerably against DoS and DDoS attacks. Also, since a firewall is so versatile throughout the layers, you can block certain application ports and applications from running.
d. CONCLUSION: Prevent as much broadcast data as possible on your LAN (like NetBIOS, DHCP, and NetBEUI). Doing so will improve network performance and security. Also consider TLS and WTLS where applicable. Control transport layer protocols over virtual LANs or virtual private connections that are not needed in your environment. Use firewalls to block known attackers' IP addresses from sending UDP floods or TCP "SYN" requests.

5) SESSION LAYER
a. TERMS- The session layer primarily determines the application ports that are accessible to the outside or inside parts of your LAN. There are ports for every application, including ping and mail. You can monitor and/or block these ports in either direction (meaning incoming or outgoing). But, to be very successful, you need to know what ports to block for your environment. As an example: most home-based users ONLY need port 80 to the outside world. That is the HTTP port, for World Wide Web access.
b. VULNERABILITIES- The vulnerabilities include access to your application ports. If an attacker can find or utilize an open application port, they find a window of opportunity into that computer.
i. A good example is SMTP (Simple Mail Transfer Protocol). Most home users do not have need for this port. But they may have been infected with software that sends spam out to others from the home computer. Once infected, a computer running this software is called a SPAM BOT. So, a SPAM BOT is a computer that sends SPAM. A computer that is under the control of a SPAMMER is called a SPAM ZOMBIE. There are a lot of applications that allow your computer to be used as a zombie computer. To prevent unknowingly spamming others, LANs without mail servers can most likely disable SMTP port 25.

ii. Port scanners allow a hacker to see what application ports are an open target. Some port scanners are legitimate, and I am about to show you one of these so that you can see what data a hacker readily sees on your network. Like IP scanners, port scanners look for that one target that is an open window (in this case an application port) for a direct attack. Like any criminal, an open window is an invite.

c. IDEAS
i. Prevention: (For home use and enterprise) Hardware firewalls for multiple computers and software firewalls on single computers will allow you to manipulate these ports. There are two fronts to combat port access. One is internal, the other is the outside world. The internal ports can be controlled using a free software firewall (like Windows Firewall). The external ports can be hidden or prevented from being accessed by using an enterprise hardware firewall, also commonly referred to as a router with network address translation (NAT).
NOTE: Even in an enterprise setup, you might consider software firewalls on each machine. Your enterprise firewall is good, but it doesn't prevent internal LAN or WAN attacks if the attacker is behind the firewall. If you centrally manage a software firewall, it can be a huge step toward controlling your application ports and preventing internal attacks behind your enterprise firewall. Windows Firewall and ISA firewall are free and easy to centrally manage using group policies.
ii. Prevention: (For home and enterprise) Knowledge of what ports are what is key to your success. So, here is a list of ports from which you can decipher which application ports do what. Block ports you do not need. For most home users, all you need is the HTTP port (port 80) and the HTTPS port (port 443). Anyway, here is a great port list for you.
iii. Prevention: (For home and enterprise use without a mail server) I mentioned above how a SPAMMER can control your computer and make it send out SPAM to others. You may not even realize that your computer is a SPAM zombie. If you do not have a mail server on your network, you do not need the SMTP port, so block it. Gmail, Hotmail and MSN Mail all use a web-based interface to send email to and from their servers. To make it simple, if you log onto a web site for email, you are not using the SMTP port for mail. SMTP is used to communicate with your own LAN mail servers, so it's not usually needed unless you have your own mail server.
iv. Auditing and prevention: (For home and enterprise) I also mentioned above that I was going to give you a legitimate port scanner. Here you can audit what information a hacker sees from the outside world. This legitimate port scanner will scan the application ports of your enterprise or hardware firewall and tell you what ports are vulnerable to a direct outside attack. It's called "Shields Up." NOTE: GRC.com is a wonderful place for advice, free or for whoever wishes to donate.
v. Prevention: (For enterprise) Hardware proxies are actual servers that act as a middle man for blocking or limiting communications on application ports. There are all types of proxy servers. The one I want to discuss in this layer is a WEB proxy. This proxy server can be used to limit the ability to surf or access any web sites that you (as the administrator) don’t want them on. We will discuss limiting WEB surfing options for home use in the application layer.
vi. Prevention: (Mostly for enterprise) PAT stands for Port Address Translation. Some will say that most routers are PAT routers, not NAT routers. I don’t believe this to be true. PAT changes a known application port to a different port. So, instead of communicating on port 80 to the World Wide Web, you could be communicating on port 8080 to the router, and the router changes that to port 80 to the World Wide Web. PAT is the same concept as NAT, but one translates ports while the other translates IP addresses. Ports that you might consider for PAT are highly targeted ports, like WINS access for NetBIOS shares.
d. CONCLUSION: Enterprise firewall/NAT router for home and enterprise; knowledge of application ports; block all unnecessary ports (including ICMP echo replies and SMTP if not needed); hardware proxy servers for enterprise; PAT for enterprise (especially email, or Common Information file shares).

6) PRESENTATION LAYER
a. TERMS- The presentation layer is best described as a means to present your data. This includes compression and encryption. Things like ZIP are compression utilities that compress the data into smaller data sets. Public Key Infrastructure (PKI) is a really good encryption of the data.
b. VULNERABILITIES- There are some fictitious presentation-layer applications. Use presentation layer protocols that are known to be authentic, and you can encrypt your data or compress it. The purpose of encryption is to render the data useless (meaning unreadable) if the wrong people intercept that data set.
c. IDEAS
i. Prevention: (For enterprise) For enterprise, PKI (Public Key Infrastructure) is a means to encrypt data using a public and private key. Without these keys, the user at the other end will not be able to read the data; it's useless to them. This encryption type is the best for encrypting data. However, it requires a lot of administrative overhead. PKI will provide the key for you when the distant end authenticates to the authoritative server.
ii. Prevention: (For home use and enterprise) (Encrypted ZIP) Common compression utilities, or office products, offer the ability to encrypt the file. Without the password, the file can’t be read unless they have the cipher. For home users, you can still encrypt your attached documents. Almost all applications allow you to encrypt using password authentication. If the distant end has the password, they can read the file. For any data that has personally identifiable information in it (including passwords, SSNs, or finance data), you want to use some sort of encryption. Once encrypted, you can send the password in a separate email or over the phone. This way, you don't end up a victim of identity fraud (the number one growing crime worldwide).
iii. Prevention: (For home use and enterprise) Watch out for fictitious presentation applications. Most important is to research these applications, by seeing if they are fraudulent or legit. You can ask many IT forum experts, or even Google search whether an application is fraudulent. An application I use that encrypts and compresses files is called SecureZIP.
d. CONCLUSION: PKI for enterprise; encrypt individual documents containing PII and send passwords separately; use a compression utility that allows you to encrypt the file; watch out for fictitious presentation layer applications.

7) APPLICATION LAYER
a. TERMS- Applications basically encompass all software. It’s where most common network vulnerabilities reside. Malicious software comes in many forms, collectively called Malware. To combat Malware, you will want to prevent it from being downloaded or spread.
b. VULNERABILITIES: The list of vulnerabilities for this layer is astonishing. It includes, but is not limited to: Dictionary attacks, spyware, Trojans, Worms, popup generators, Spam Bots, Zombie software, web browser hijacks, web spiders, False Alerts, Infected emails (hidden/attached scripts or malware attached to emails), key loggers (meaning software that records and sends keystrokes), and Phishing (being pointed to a fraudulent and infected web site that may ask for PII).
c. IDEAS
i. Prevention: (For Home use and Enterprise) Least User Authorization (LUA) is a concept to grant the users of the computer the VERY LEAST amount of privileges they need to operate efficiently. Let’s say you have kids, and you grant them a user name and password that has administrator privileges. You just granted them rights to mess, tinker or download a virus that messes up the entire computer. A standard user account, on a Windows computer, is not allowed to install applications. So, if they open up an infected email, then it is likely that it will not be installed on that computer. If it is installed, then it is unlikely it will be spread to other computers. LUA is said to control the spread of about 99% of all Malware throughout networked computers. LUA can also be used to prevent your kids from changing settings and getting past you, (the administrator). For home users, assign your kids their own user account. That limits their ability to change settings on the computer administratively. For Home and Enterprise, LUA with strong passwords is probably the number two IT security feature available to home or enterprise users.
ii. Remediation: (For home and enterprise use) Antispyware cleans known Malware off the computers. There are a lot of good Antispyware applications about. In enterprise LANs/WANs, you will probably want a centrally managed Antispyware application. Otherwise you have to go to each machine and configure it. Warning: having more than one Antispyware package installed can conflict and cause negative effects on a computer or server.
iii. Remediation: (For home and enterprise use) Now, let's talk about Antivirus software. There are two types of scans that Antivirus software performs. One is called heuristic, and the other matches known viruses. A heuristic scan looks for a trend that malicious software writers use. It doesn't often work. So, you often have to wait until the virus has become a full-blown, known virus on your network before it can be eliminated.
This is why it is important to keep your Antivirus definitions up to date. You have all searched web sites using a search engine, like Google. Antivirus software is the search engine; definitions are the input to the search engine. So, Antivirus definitions are strings of data that come from a KNOWN virus. The point is, virus definitions can come out a couple months after a virus is discovered and reported. So, it is important to keep your Antivirus software and definitions up to date to prevent a virus that hasn't reached you yet, or remediate the virus if it is seen on the networked computers. Almost all AV software allows you to update automatically.

iv. Prevention: (For home and enterprise use) Educated users and administrators are very important. As a test, I neglected to install Antivirus software on my machine. I wanted to see how infected I could get by knowing what sites and emails to interface with. After six months of web surfing and pushing the envelope with low risk habits, I thoroughly scanned my computer, and my computer was still clean. For most viruses and Malware, the user or administrator has to interact with it in order to activate or install the infection. Probably, THE BEST PREVENTION technique involves implementing a plan to educate your users and administrators on what NOT to do. (Now, I am not an advocate that you go naked on your computer, like I did. That was just a test.) But, this site can be used to educate your computer users and administrators on various attacks, and how to avoid them. Then, you can test them for competency on this new knowledge. Educating your users and administrators is critical to good IT practices.
2. Here's another one that gets past parents. Children love to meet new people. It might be a great idea to tell your kids not to post Personally Identifiable Information, like your address or phone numbers, on social sites.
3. Also, you might let them know about the adult scum (sex predators) lurking about the internet. An eye opener could be footage from “To Catch a Predator” with Chris Hansen on Dateline NBC.
4. For administrators, IT forums are a great place to discover or discuss more IT security measures and integration. Experts Exchange is a great place to start. Microsoft’s TechNet will give you many ideas on IT security.
v. Prevention: (For home users and Enterprise): Operating system updates and security patches are designed to patch vulnerabilities in the system. What happens is the OS manufacturer hears of a vulnerability and then creates a security patch to prevent that vulnerability from being exploited. Like Antivirus applications, you will want to keep your systems patched with the latest security patches and hot fixes. Windows Update is very important to IT security for home users. Then, third party software, like Adobe Acrobat, also has its own patches. For enterprise patching, a WSUS server can help you patch your operating systems. But, you also should consider options to patch third-party software, like Adobe Acrobat. Most patching can be configured to happen automatically.
vi. Prevention: (For home users and enterprise) STRONG passwords work hand in hand with Least User Authorization. If they can’t guess your password, then they can’t install the virus or Malware if your network practices LUA. The Conficker/Downadup virus is a nasty virus. It downloads to a computer, (hopefully not the server), and then uses a dictionary attack to try and guess the domain administrator’s password. A dictionary attack repetitively tries known or generic administrator passwords in order to find the right one. If that password is guessed, then, using a service that domain computers use to communicate called Remote Procedure Call, it infects the entire domain without user interaction. This is why you will see many failed authentication attempts in the event logs, and if the password is guessed, your domain services start shutting down, with registry corruption on all infected computers. While locking down passwords, don’t forget to make strong passwords for your printers, servers, computers, routers, and switches. You can keep passwords in encrypted password databases, like Password Safe.
vii. Prevention: (For home users with kids and small enterprise) You can consider a form of software that limits the kids from going to specific web sites. Web site control prevents kids from exercising their curiosity, like porn surfing, risky social sites, or even sites that exercise peer-to-peer sharing. Blocking specific web sites allows you, as the parent, to control your kid’s internet habits. There are a lot of internet applications to block web sites for kids, or adults. But, remember, kids are computer savvy these days. So you must also limit their ability to change the settings you implement. That limitation is discussed in Least User Authorization (LUA). An example for a single computer to limit internet web sites is called Net Nanny. Like I said, there are hundreds of these applications, and this is just an example: Net Nanny. The concept behind this type of software is NOT much different than a web proxy for enterprise users. The difference being, web site controls are limited to one computer, while a proxy controls all computers that go through the proxy server (middle man).
viii. Prevention: (For home use and Enterprise): Group or local policies are used to control configuration settings on a group of computers, or a single computer (for home). This could include a strong password policy. It could also include a password expiration date. Policies can control just about EVERY aspect of a computer or user's settings. For home users that are not familiar with local policies, I recommend you seek assistance through an IT forum to understand what local policies you can enforce on each computer. For enterprise users, you can also seek assistance through an IT forum to find out what security policies you can enforce, but you should know that group policies are administered through an authentication server, (meaning a domain controller). Workgroups will not work with group policies; only local policies. Hence, this is one of the huge advantages of being on a domain instead of a Workgroup (centralized management).
ix. Prevention: (For home users or enterprise): There are applications that you can use to encrypt the data on the hard drive. One such application is called "Safeboot" from McAfee. Some IT professionals may recommend other products over Safeboot. By encrypting your hard drive, you render the data useless if the laptop or computer is ever stolen. Since cell phones also often run on Windows operating systems these days, you might even be able to encrypt the cell phone's data drive (but contact your telephony service provider to ask). If you use this, DON'T FORGET THE PASSWORD.
x. Prevention: (For home use and enterprise) Your internet web browsers also come with IT security settings built in. They filter certain content and can recommend what web pages not to navigate to. There are a lot of security settings on web browsers. Seeking advice on how to control the web browser is a great step to proper IT security.
d. CONCLUSION: Antispyware package (centrally managed for enterprise), Antivirus package (centrally managed and audited for enterprise), operating system and third party patches (centrally managed for enterprise), STRONG passwords is a big one (centrally managed with domain servers for enterprises), LUA is a big one (centrally managed by domain servers for enterprise), educating users and administrators is a big one, web surfing restrictions (software proxies for home or hardware proxies for enterprise), local policies for home users, encrypted hard drives, internet browser settings and internet content filtering, group policies for enterprise use, local policies for workgroups of computers.
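The many failed authentication attempts described above are what a defender should look for in the Security log. This is an added example, not part of the original article: it runs a sliding-window count of failed logons (Windows event ID 4625) over constructed sample events and reports account/source pairs that look like a dictionary attack, then checks whether a successful logon (event 4624) followed the burst. The simplified event format, the threshold and the window are assumptions.

```python
"""Flag dictionary-attack style logon failures in constructed event data.
A real deployment would read events 4625/4624 from the domain controllers'
Security logs; here the events are constructed inline in a simplified
"time|event_id|account|source" form (assumed, not the real log layout)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six rapid failures against Administrator from WS-17
# followed by a success (the password was guessed); jsmith only mistypes twice.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01|4625|Administrator|WS-17
2024-05-01T09:00:02|4625|Administrator|WS-17
2024-05-01T09:00:02|4625|Administrator|WS-17
2024-05-01T09:00:03|4625|Administrator|WS-17
2024-05-01T09:00:03|4625|Administrator|WS-17
2024-05-01T09:00:04|4625|Administrator|WS-17
2024-05-01T09:00:05|4624|Administrator|WS-17
2024-05-01T09:15:00|4625|jsmith|WS-03
2024-05-01T09:17:30|4625|jsmith|WS-03
2024-05-01T09:18:00|4624|jsmith|WS-03
"""

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624
THRESHOLD = 5                    # failures within WINDOW that trigger an alert (assumed)
WINDOW = timedelta(seconds=60)   # sliding window length (assumed)


def parse_events(text):
    """Parse the simplified lines into (timestamp, event_id, account, source)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event_id, account, source = line.split("|")
            events.append((datetime.fromisoformat(ts), int(event_id), account, source))
    return events


def find_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return {(account, source): (window_start, count)} for each pair that had
    `threshold` or more failed logons inside `window`. The sliding window keeps a
    slow trickle of ordinary typos from a real user from being flagged."""
    failures = defaultdict(list)
    for ts, event_id, account, source in sorted(events):
        if event_id == FAILED_LOGON:
            failures[(account, source)].append(ts)
    bursts = {}
    for key, times in failures.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:      # drop failures older than the window
                start += 1
            count = end - start + 1
            if count >= threshold and count > bursts.get(key, (None, 0))[1]:
                bursts[key] = (times[start], count)  # keep the densest window seen
    return bursts


def followed_by_success(events, account, source, after):
    """True if the same account/source logged on successfully after the burst:
    the sign that the dictionary attack found the password."""
    return any(eid == SUCCESS_LOGON and acct == account and src == source and ts >= after
               for ts, eid, acct, src in events)
```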


1) In addition: IT SECURITY PLANNING:
A couple things that were not discussed in this article are IT security plans and IT security auditing. We just covered actual ideas for IT security. So, now, it's time to set up a good IT security plan that suits your needs. It's easy to set up a Security plan using an OSI multi-layered approach. All you have to do is write down each layer and put in your ideas for that layer. I highly recommend EVERY Application layer security measure.

2) In addition: IT SECURITY AUDITING:
One thing, not yet discussed, is auditing. In order to make sure you are doing the right thing, you need to be able to audit. There are software applications that will audit for many IT security vulnerabilities. The key factor to a good IT security audit is realizing what your audit applications are limited to. Then, “test the rest”. As an example: audit software cannot determine whether you took your iPod with you when you went shopping. So, you will have to test yourself for that by patting your pockets or checking your purse. IT security auditing software usually includes checking for weak passwords, non-updated Antivirus, non-updated Antispyware, non-patched operating systems and third party software, router access, switch access, printer access, etc. One example of this is called McAfee Vulnerability Management:
McAfee Vulnerability Management

3) In Addition: PROFESSIONAL ADVICE AND WHERE TO LOOK
When in doubt, or not keen on these configuration settings, seek assistance. Many IT problems relate to incorrectly configured IT security settings. This includes, but is not limited to: Antivirus/Antispyware applications, firewalls, router filtering, and even policies or passwords. IT forums are a great start. Search engines, like Google, will locate a lot of freely published articles for your information. Also, there are IT consultants, or contractors, to help you with the big jobs.

CONCLUSION:
There is a common misconception that Antispyware, Antivirus, updates, and firewalls are the answer to all IT security vulnerabilities. But, Antivirus and Antispyware software are designed to remediate a virus or Malware after your computer is infected. You have to ask yourself, "What’s better, remediation or prevention of the attack?" Sometimes an attack can render your Antivirus, Firewall, and Antispyware applications useless.

This article was to help you understand the Multi-Layered approach to setting up a plan and implementing IT security. I like to look at a layered security approach as setting up road blocks to Malicious people. Whether home based or enterprise networks, you will be able to dramatically reduce attacks against you if you layer your security and educate your users/administrators. This could prevent massive troubles with identity fraud or even the safety of your children.

So, what does it mean to use a Multi-layered approach to securing your network? It means that you take into consideration all potential vulnerabilities and use planning, prevention, remediation and audit methods to secure the network. It also means you are making life miserable for those who intend on making your life miserable in the IT world.
Author: ChiefIT