
Fundamentals of Security
This is a guide on the fundamentals of security.
Traditional Physical Security Measures
In this section, we want to address the traditional physical security requirements. And the reality is that those have not changed, right? And they should be in place for most of us just right out of the box. Now that's not to say that they can't always be better, but I would think most of us have locks on our doors today.
When we think about physical security, that's exactly the kind of thing that we're thinking about, right? We want to limit physical access to protected information and facilities with physical access controls. When I think about my servers, we've all been in that situation, where the server sits under the receptionist's desk, and that's just the way it is. But you know as well as I do, that's not the way that you want to live. And it's a real concern when things are like that, because it's easy for that server to go out the door. And depending on what's on that server, that can be particularly painful, right?
So we think about locks, doors, fences, and perimeter defenses, which today should include solar powered lights, so in the event of a power outage I've got lights. It should include cameras and a place to store that data for at least a few days before you turn it over and run them again. Motion detectors, so that if somebody enters a corner of the property, and they're going to try to cut through the fence, suddenly they're bathed in light, right? That's what I want.
Physical controls are mechanical and used to protect the physical infrastructure, and can include things like fire suppression systems and positive airflow systems. And we all know fire suppression systems, right? The sprinkler system went off, right, and you've had that happen to you, or you know people that's happened to at the very least. But not everybody is familiar with positive airflow systems. All you're doing with that system is you're just bringing up the air pressure. Say, in a clean room, right, I don't even want dust particles coming in here. Because we're manufacturing components for the new quantum computers that they're testing up at IBM. And I can't even have dust coming in here. So we raise the air pressure of the room just a little bit. And then air always flows out of the room, never in.
Physically secure the computers, lock the servers in a secure server room. I don't want to find authentication servers or mail servers sitting out under the receptionist desk, right? Put it someplace safe. Secure the laptops, this is the biggest thing, right? It's the laptops that go missing. And when they're out of the office, there's not much you can do about that. But it's not a hard thing to rig cable locks at all the cubicles. And then whoever comes into that cubicle loops that lock into their laptop. And then that way if they step away for a minute, there's no danger of that machine going missing.
Physically secure the data backups. Not only must you keep a copy of your data back ups local so that if you need them right away you can get them, but it is a best practice today to store copies of those data backups off-site. And ideally, I would want them on a separate segment of the Internet backbone, or say in the United States, you could think about the power grid. So if I were in Manhattan, I wouldn't want my backups going to upstate New York, Southern Ontario. I'd want them going to Pennsylvania or to Connecticut, where they're on a separate power grid. And if there's a large-scale blackout, if the whole grid is down, well, they're going to be up over there. And then if we have other disaster recovery, if that's also a DR site, we know that that's going to be up. And at least folks outside of the affected area of the blackout will have access to our business. Business can keep happening.
Physical security includes things like, right, a lot of locks here in this list, and most of us are familiar with most of these, I would think. Maybe privacy screens. They're those filters that you can stick right on the screen so that unless you're looking at the screen directly on, you can't see anything. They're awfully handy.
And mantraps, that's where the foyer will actually trap a person in there. If someone were to say forcibly enter through the front door. Well, they would then immediately be in a vestibule where they're confronted with another security door. And what happens is the door that they thought they just broke behind them suddenly is sealed through one of any number of mechanisms. Something as simple as a steel shutter that drops down. That door is sealed and they're trapped in there. That's a mantrap, that's what those are referred to as.
And then door locks, security guards, cable locks, server locks, and entry control rosters, I think would be familiar to everybody.
So guys when we think about security, we don't think about just the software and the hardware, we think about the potential of other people to do us harm. What do they say? They say hope for the best, plan for the worst, and that's about the best any of us can do. So lock it up and keep it safe.
This is a look at physical security.
Authentication Devices
In this section, we'd like to introduce the concept of authentication devices. And this is part of multi-factor authentication. There is no doubt in the marketplace today there is a movement away from simple usernames and passwords, and traditional ACLs. We're moving into an age where things are more complex, and so they require more complex solutions. I need more than just your username and password to know that it's you.
And what I get with this particular authentication device is a smart card. And the badge reader is what reads the smart card. And what there is to read is the firmware. Firmware is just software that lives on a chip, right? And so there's software embedded in the chip that's on this card. And I put that chip into a badge reader and it can tell who I am, or at the very least, whose card this is. I should be in possession of that card. That should be something that I have that I can show who I am. And commonly, these cards will feature my photograph, and what group I'm with within the company, and what office I'm out of.
And then the reader, and this is true whether we're talking about walking through a door, door reader, or badge reader that I plug into my laptop, that device will use the certificate, so there's x.509 version 3 or better certificate on that chip, for the purposes of user identification. And that's an extremely secure solution because the only place that that thing is, is right there on that chip. And then of course in whatever your redundancy or backup solution is for those.
The smart card can include my permission settings. Those door locks that I badge in and out of, the card tells which doors will open for me. They don't all open for me, but this set will open for me, at least during these hours, right? That can be refined with hours, days of the week, building access, general access, office access only, etc. Or server room access, and so nobody gets into the server room maybe without a smart card.
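The reader-side check described above (an x.509 v3 certificate on the card, used to identify the user) can be inspected from the Windows side. This is an added example, not code from the course or from any vendor: it lists the certificates in the user's personal store, reports which ones carry the Smart Card Logon extended key usage, and validates the chain the way a domain controller would. It assumes the card's middleware has propagated the certificate into Cert:\CurrentUser\My and that the EarthFarm.com account MJMurphy from the course is the one to be enforced.

```powershell
# Added example (not from the course): find certificates usable for smart
# card logon and check the properties a reader or domain controller relies on.
# Assumption: the card middleware has copied the card's certificate into the
# user's personal store (Cert:\CurrentUser\My).

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft "Smart Card Logon" EKU
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # "Client Authentication" EKU

function Get-SmartCardLogonCertificate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            Version        = $cert.Version          # the course asks for x.509 v3 or better
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey    # the private key should live only on the chip
            SmartCardLogon = $ekus -contains $SmartCardLogonOid
            ClientAuth     = $ekus -contains $ClientAuthOid
            # Verify() builds the chain to a trusted root and checks revocation,
            # the same work a reader or DC does before accepting the card.
            ChainValid     = $cert.Verify()
            Expired        = $cert.NotAfter -lt (Get-Date)
        }
    }
}

# A usable logon certificate needs the EKU, a private key, a valid chain
# and an expiry date in the future; anything else is reported separately.
$all    = Get-SmartCardLogonCertificate
$usable = $all | Where-Object {
    $_.SmartCardLogon -and $_.HasPrivateKey -and $_.ChainValid -and -not $_.Expired -and $_.Version -ge 3
}
$usable | Format-Table Subject, Thumbprint, NotAfter -AutoSize

$all | Where-Object { $_.SmartCardLogon -and -not $_.ChainValid } |
    ForEach-Object { Write-Warning "Smart card certificate $($_.Thumbprint) does not chain to a trusted root" }

# Once the card is known to work, require it for the account so a password
# alone no longer authenticates that user (needs the ActiveDirectory module).
# Set-ADUser -Identity MJMurphy -SmartcardLogonRequired $true
```

Run this as the card holder with the card inserted; a certificate that shows SmartCardLogon but not ChainValid usually means the issuing CA is not in the machine's trusted roots, which is the first thing to check when a door reader or logon prompt rejects a card.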
Now in addition, there are devices called hardware tokens or people call them key fobs, people call them security tokens. They have a lot of different names and they're implemented in a variety of different ways. [Video description begins] Hardware tokens may be implemented as software. [Video description ends]
The simplest of them is a device, and RSA is the principal manufacturer of those. And at any given time of the day or night, I can turn the device on, bring up the screen. And it will display a randomly generated number for me. And that number comes from a central authentication service that's hooked into my Active Directory authentication services. And when I provide my username and password to log in, I'm challenged to give this ID, or this PIN number, or this token ID. One time use, right? I'll never see that code again. It changes constantly, changes every time I go to log in.
There was a big problem with RSA a few years ago. You may have heard, right? The root certificate for a series of certificates they had issued was compromised. And when that happens, the bad guys are able to forge certificates as if they are you. And that was a real problem for RSA, from which they have not yet recovered.
Biometric locks, biometric devices are increasingly reliable and increasingly ubiquitous. You just see them on everything, everywhere. Fingerprint scanners are the most common of these kinds of devices. And if you have an iPhone, you probably have Touch enabled so that you can open it with your fingerprint.
You should be aware, the machine doesn't actually store your fingerprint, right? It runs a set of algorithms against the data points of your fingerprint, the graphical representation of it, to generate a complex number that represents your fingerprint. And they do that math every time it scans your fingerprint again. So if a bad guy gets your device, they don't have your fingerprint unless they dust it.
And then finally, USB locks, you plug these things into the USB, then nobody can use the USB without unlocking the lock. And these are a security measure, in high-security environments, right? You may have heard the story. The very first time that the Pentagon ordered some Windows machines, it was an emergency because they realized that there were all of these USB ports. And suddenly data was very portable out of the Pentagon.
Not a good thing, right? Not what they wanted, and the best solution to that problem that I ever saw, this was in the days before we had USB locks, was a couple tubes of epoxy. They just epoxied them all up and nobody could put anything in those drives again. So that's certainly one way to secure your USBs. Today, with the USB lock, you can have it secure and only those with authorized access can use a USB device.
This is a discussion of authentication devices for multi-factor authentication today.
Active Directory
In this demonstration we want to take a look at domain structures and the importance of group policy and some of the basic group policy settings.
And so I've opened on the screen here for you the Active Directory Users and Computers console. [Video description begins] The presenter opens the Active Directory Users and Computers window. There is a navigation pane, which lists a folder – Saved Queries and an EarthFarm.com domain under the Active Directory Users and Computers node. There is a content pane that currently lists the contents of EarthFarm.com. [Video description ends]
And in the console, if I look in the left-hand navigation pane, I can see a Saved Queries choice up top if I've run searches in here before and I've saved those searches. And those are searches of the Active Directory database. And when we think about the Active Directory database, that's the common security context that we provide for our users and our computers. It's the basis of our authentication. And this in fact is an authentication server, this is a domain controller.
The domain name is EarthFarm.com, and I see that over on the left in the navigation bar there, right? That's the top of our tree, EarthFarm.com. And next to that there's a little drop-down arrow. I can pop that open [Video description begins] He expands the EarthFarm.com node. Several organizational units are listed. [Video description ends] and I can see the list of what we call organizational units.
Now, this is a side note, for any of you guys that grew up in a Novell world, organizational units in Active Directory are completely different. They have no security context of their own. They are used only to group objects, okay? That's just an aside for the Novell guys, to warn them about a pitfall. If you're not a Novell guy, you don't have to worry about it.
Now here, for the rest of us, when we look in here, what we want to understand is that inherent to Active Directory is my ability to organize the objects that I manage. And so my user accounts, my computer account objects, based on the common needs of management. I have a design here that looks something like this. There's the IT organizational unit, and within that are the assets. [Video description begins] He expands the IT organizational unit. There are two assets – IT Computers and IT USERS. [Video description ends]
So the computers that everybody's issued in IT look the same, right? We all have the same things on them. And nobody else in this company has what's on our laptops. And so we manage them as a unit. The same goes for the IT USERS. And I can drill down into what we would call a sub-OU. [Video description begins] He selects IT USERS. Two users named Jon Wheezer and MJMurphy are listed in the content pane. Both have the type User. [Video description ends]
And you can nest these, today the Microsoft recommendations are you can go as many as ten deep. Though, honestly, I would never go more than four generally. I want to keep that shallow because it affects group policy processing as we will see in a moment. Now, here I can see there's the MJMurphy user account. It's in the IT USERS sub-OU of IT of EarthFarm.com. Now all of that together, guys, you think about that, that's a unique path in a unique directory, to a unique object in that directory, my account. [Video description begins] He points to the EarthFarm.com domain, then the IT organizational unit, then IT USERS, and finally MJMurphy. [Video description ends]
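The nesting depth the presenter warns about can be measured from an object's distinguished name, since each OU= component in the path is one level. This is an added example, not part of the course: it counts OU levels for a set of accounts and flags anything deeper than four, the presenter's rule of thumb (Microsoft's supported limit is ten). The distinguished names below are constructed sample input in the EarthFarm.com layout so the functions can be tried offline; the commented live query assumes the ActiveDirectory module and read rights on the domain.

```powershell
# Added example (not from the course): report OU nesting depth per object and
# flag anything deeper than the chosen maximum. The sample DNs are constructed.

function Get-OuDepth {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on commas that are not escaped with a backslash (RDN values may
    # contain "\," ), then count the OU= components. For example
    # CN=MJMurphy,OU=IT USERS,OU=IT,DC=EarthFarm,DC=com has depth 2.
    $parts = $DistinguishedName -split '(?<!\\),'
    @($parts | Where-Object { $_ -like 'OU=*' }).Count
}

function Get-DeeplyNestedObject {
    param(
        [string[]]$DistinguishedNames,
        [int]$MaxDepth = 4          # presenter's guideline; Microsoft supports up to 10
    )
    foreach ($dn in $DistinguishedNames) {
        $depth = Get-OuDepth -DistinguishedName $dn
        [pscustomobject]@{
            DistinguishedName = $dn
            Depth             = $depth
            TooDeep           = $depth -gt $MaxDepth
        }
    }
}

# Constructed sample DNs: two from the demo, one deliberately over-nested.
$sample = @(
    'CN=MJMurphy,OU=IT USERS,OU=IT,DC=EarthFarm,DC=com',
    'CN=Jon Wheezer,OU=IT USERS,OU=IT,DC=EarthFarm,DC=com',
    'CN=Contractor01,OU=Temps,OU=Desk 12,OU=Floor 3,OU=Sales,OU=Americas,DC=EarthFarm,DC=com'
)
Get-DeeplyNestedObject -DistinguishedNames $sample | Format-Table -AutoSize
# The third entry reports Depth 5 and TooDeep True; the first two report Depth 2.

# Against the live directory, feed in every user's DN instead:
# $live = (Get-ADUser -Filter * -SearchBase 'DC=EarthFarm,DC=com').DistinguishedName
# Get-DeeplyNestedObject -DistinguishedNames $live | Where-Object TooDeep
```

Every extra OU level is another place a group policy object can be linked, so the deeper an account sits, the more GPOs are evaluated at logon; the depth report is a quick way to find the parts of the tree where that processing cost is being paid.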
Now, one of the great benefits of Active Directory, of course, is group policy. Group policy lets me configure settings for computers and for users in group policy objects. So I'm going to minimize the Active Directory Users and Computers console here using the Minimize button in the upper right-hand corner. And I have opened for us the Group Policy Management console which you will note looks very much like Active Directory. [Video description begins] He switches to the Group Policy Management window. There is a navigation pane on the left. There are other panes, named Default Domain Policy, Security Filtering, and WMI Filtering. [Video description ends]
If I look over here on the left, I see those same organizational units that I saw in AD. And I look down the list and there's IT USERS. [Video description begins] He points to the IT USERS asset in the navigation pane. [Video description ends] And I have created a group policy object called IT LOGON scripts and home directories. [Video description begins] He clicks a group policy object named IT LOGON scripts and home directories, which is a subitem of IT USERS. A message displays indicating that he has selected a link to a Group Policy Object (GPO), and any changes made here will impact anywhere that the GPO is linked. [Video description ends] This is where we've configured the login scripts for the IT users and the path to their home directories.
Now, the login script runs every time a user logs in. So I'm going to right-click on this Group Policy Object and the Group Policy Object Editor will open. [Video description begins] He right-clicks IT LOGON scripts and home directories and selects Edit from the shortcut menu. The Group Policy Management Editor opens. [Video description ends] And if I look in the left-hand navigation pane, I see that I have two components here, two principal nodes, the Computer Configuration settings and the User Configuration settings. [Video description begins] Each of these has two subnodes – Policies and Preferences. [Video description ends]
These are user settings that we're configuring today. So I'll open up Policies, [Video description begins] He expands the User Configuration - Policies node. There are three subnodes – Software Settings, Windows Settings, and Administrative Templates. [Video description ends] and under Windows Settings there's the Scripts choice. [Video description begins] He expands Windows Settings and clicks Scripts (Logon/Logoff). In the right pane two scripts are listed – Logon and Logoff. [Video description ends]
And if I look, there's a logon script choice. If I right-click that and say Properties, it opens. [Video description begins] He right-clicks Logon and selects Properties. The Logon Properties dialog box opens. It has two tabs – Scripts and PowerShell Scripts. Scripts is selected. [Video description ends] And here we can see I've already configured this logon policy, right, run this script at logon for this Group Policy Object setting. [Video description begins] He points to a table with two columns – Name and Parameters. In the Name column there is a single value – C:\Share\Logon.bat. [Video description ends] And so this is the script that will run.
Now, it's worth noting, I think, if I just jump over to Windows Explorer for a second [Video description begins] He switches to Windows Explorer. [Video description ends] and open the batch file. What you'll notice here is... well, that ran it, of course, which is no help to me, so I'll Edit instead. [Video description begins] He double-clicks Logon.bat. It executes very quickly. He right-clicks Logon.bat and selects Edit. The file opens in Notepad. [Video description ends] And what you see is a couple of NET USE commands that map drives.
So when the user logs in, this drive mapping processes. [Video description begins] He points to the first section: NET USE H: \\ScaleOutFileServer\IT /PERSISTENT:No IF ERRORLEVEL 1 ( ECHO error mapping drive G:). [Video description ends] If they're in the IT GROUP, they get this one. [Video description begins] He points to the third section: NET GROUP IT /DOMAIN | FINDSTR /R /I /B /C:"%UserName%$" > NULL IF NOT ERRORLEVEL 1 ( NET USE I: \\ScaleOutFileServer\ KB /PERSISTENT:No. [Video description ends]
Everybody gets this one. [Video description begins] He points to the first section again. [Video description ends] Everybody gets one with their name. That's the environmental variable that we call for substitute the username. [Video description begins] He points to the second section: NET USE U: \\ScaleOutFileServer\%
I would point out to everybody the NET commands are getting deprecated in the Windows world. NET TIME is gone already, NET USE is still available. Most of the NET commands have been deprecated in the Microsoft world. And if you're not learning PowerShell, you're not making yourself competitive in the marketplace. Everybody should be learning PowerShell. Everybody is doing all of this kind of stuff in PowerShell today.
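Since the presenter recommends moving this kind of work to PowerShell, here is the Logon.bat logic rewritten for the PowerShell Scripts tab of the same GPO. This is an added example, not the course's script: it maps H: for everyone, a U: drive named after the account, and I: only for members of the IT group, deciding membership from the logon token rather than a second NET GROUP query. It assumes the share names shown in the demo (\\ScaleOutFileServer\IT and \\ScaleOutFileServer\KB), a domain group named IT, and a per-user share under \\ScaleOutFileServer named after the account (an assumption; the demo's U: path is cut off).

```powershell
# Added example (not from the course): PowerShell logon script that mirrors
# the batch file's drive mappings. Share layout for U: is an assumption.

$FileServer = '\\ScaleOutFileServer'

function Get-CurrentUserGroups {
    # Resolve the group SIDs in the logon token to DOMAIN\Name strings, so the
    # decision is based on the token itself rather than on NET GROUP /DOMAIN.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { <# unresolvable SID, e.g. a deleted group: skip it #> }
    }
}

function Connect-NetworkDrive {
    param(
        [Parameter(Mandatory)][string]$Letter,
        [Parameter(Mandatory)][string]$Path
    )
    if (Test-Path -LiteralPath "${Letter}:") {
        Write-Warning "Drive ${Letter}: is already in use, not mapping $Path"
        return $false
    }
    try {
        # -Persist creates a real mapped drive visible in Explorer. Like the
        # batch file's /PERSISTENT:No, we rely on re-running at every logon
        # instead of on a saved mapping, so a renamed share never goes stale.
        New-PSDrive -Name $Letter -PSProvider FileSystem -Root $Path -Persist -Scope Global -ErrorAction Stop | Out-Null
        return $true
    } catch {
        # Same intent as the batch file's "ECHO error mapping drive" branch.
        Write-Warning "Error mapping drive ${Letter}: to $Path - $($_.Exception.Message)"
        return $false
    }
}

# Everybody gets H:, and a U: drive named after their account.
$null = Connect-NetworkDrive -Letter 'H' -Path "$FileServer\IT"
$null = Connect-NetworkDrive -Letter 'U' -Path "$FileServer\$env:USERNAME"   # assumed layout

# Only members of the IT group get the KB share on I:.
$groups = @(Get-CurrentUserGroups)
if ($groups -contains "$env:USERDOMAIN\IT") {
    $null = Connect-NetworkDrive -Letter 'I' -Path "$FileServer\KB"
}
```

Reading membership from the token also means the script behaves correctly for nested groups and does not depend on a domain controller answering a NET GROUP query at logon time; the warnings go to the script's output so a failed mapping is visible in the logon script log rather than silently skipped.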
So with that said, let me come back over to our Group Policy Object. [Video description begins] He closes Notepad and File Explorer and returns to the Logon Properties dialog box. [Video description ends] Here's where I can configure logon scripts, and then just below it is Folder Redirection. [Video description begins] He closes the Logon Properties dialog box and in the Group Policy Management Editor, he clicks Folder Redirection under Windows Settings. [Video description ends]
And Folder Redirection, I use this because I'm concerned that I have users who will never save anything except in the Documents folder. It's all they know, and their Pictures folder, that's all they know. And they're never going to know anything else. And I have concerns about that because those machines don't get backed up. It's local only there. And we could lose company data, corporate data, proprietary data, IP even. And so I redirect the Documents folder, maybe other folders too, Pictures folder, Music folder, these are the ones I can redirect out to a share on the network. [Video description begins] He points to several folders listed in the right context pane. [Video description ends]
Now it looks to the user like they're saving in Documents, and they are. The only thing is, Documents is in a share out on the network that's getting backed up, and it gets maintained, so that we know that we're not going to lose that data, right? That's the idea with Folder Redirection. And there are a number of settings with this that we don't have time to delve into.
But I would point out to everybody that in this example I used Basic - Redirect everyone's folder to the same location. [Video description begins] In the right context pane, he right-clicks Documents and selects Properties. The Document Properties dialog box opens. [Video description ends] And there I created a folder for each user under the root path. [Video description begins] There are two tabs – Target and Settings. Target is selected. A message indicates that the location of the Documents folder can be specified. And the folder will be redirected to the specified location. There is a Setting drop-down list that's set to Basic - Redirect everyone's folder to the same location. He points to the Target folder location. It's set to create a folder for each user under the root path. There is a Root Path field. [Video description ends]
So when the user logs in, their My Documents are there. And what I did over here on Settings was I said Move the contents of the Documents to the new location. [Video description begins] He clicks the Settings tab and points to the checkbox option, which is selected. [Video description ends] And so those files get copied off of the client's machine and copied up to the new location. And then there's a synchronization feature that can be employed so that the files are also on the local machine for offline use.
This is a look at domain structures, organizational units, Group Policy Objects, and group policy settings in Windows Server 2016.
Software-Based Security
In this section, we want to talk about software-based security. And one of the problems that we've had with mobile devices is that you don't have the kind of management over many of them that you'd like to have, right? That you have over your laptops and desktops internally. And so, the market bloomed.
There's a double dozen providers of mobile device management services. You can buy these packages right off the shelf. They do different things, right? Some of them have special features that you pay for. [Video description begins] A diagram displays an MDM Server connected via APIs to MDM agents – a phone and a tablet. [Video description ends] But what they all do is at least this. They provide data encryption enforcement. So I know that the company data that's on that device that was just lost at the tie rack is secure. Nobody's getting at that data. And they provide inventory and tracking of these devices, as well as remote wipe. So if the device is left at the tie place, we can remotely wipe it, and nobody's getting at that data. That's a thing of beauty, right?
If the device supports it, I can do password enforcement. But I've got to know that the device supports it, or have a shim to make the device support it. And then everybody knows what a whitelist and a blacklist is, right? The whitelist says, this is the list of applications that can run here and no others, very secure. And then a blacklist is, don't let these applications run, a subset of applications. [Video description begins] Whitelisting or blacklisting relates to app distribution from app stores. [Video description ends] Less secure but still the place to start.
[Video description begins] A network diagram displays. Starting from the left is the Internet, connected to a router then connected to a firewall, that's linked to another firewall that allows access to internal servers and the Intranet. A DMZ with remote access VPN servers is between the two firewalls. The first firewall indicates four types of controls: service, direction, user, and behavior. The second firewall applies rules based on IP: Source/destination, Port: Source/destination, and Protocol/service. [Video description ends]
Now firewalls, we all know what a firewall is, right? It stands between me and thee, and it brokers the traffic. It says what can get through. And so here, we have a network diagram. Over on the far left there's the external router to the public Internet, and then I see the firewall.
And it says that there are three types of firewalls. There's a packet filter, which looks at particular packets, and headers and port numbers. So I can say the only traffic that gets through here is over port 443. They'll check the packets, and every one that's not to port 443 gets dropped, right? But through stateful inspection, I actually watch all the packets through the course of the conversation to validate that they are integral to the established TCP session, which is more secure. And then a proxy server lets me get off the network out to the public Internet, right?
MAC address filtering, this is handy on a wired network. What you can do with MAC address filtering is you can provide your firewall or router device with the list of approved MAC addresses. And those are the only ones that can come in, right? [Video description begins] The same diagram as before displays, except the DMZ is replaced by a Wireless network, which is marked as ineffective. A note on the first firewall indicates that MAC addresses are whitelist or blacklisted per port. [Video description ends] And very obscure for somebody outside the network. Unfortunately, it's ineffective on wireless networks because wireless traffic is so easily snooped for legitimate MAC addresses. And then MAC address spoofing is an easy thing to do. So it can be effective on the wired network. It is ineffective on the wireless network.
Software-based security, port security. [Video description begins] A network diagram displays. The Internet is connected to a router that connects to a firewall. The firewall connects to a WAN, a Trusted DHCP server, and Internal servers. An Access and Distribution network connects to the Internal servers and the DHCP server. [Video description ends]
Now, this is a feature of the Cisco corporation. It's a layer two traffic control feature on the catalyst switches. And what it lets you do is you can specify a port on the switch that allows only a specified number of source MAC addresses to connect to that port. Or to use the proper term, to ingress, right, to ingress the port. There's a number of areas where this particular solution is very valuable and secure, and I would refer you to the Cisco documentation on it.
[Video description begins] The notes on the router indicate DHCP Snooping (v4/v6), DHCP relay agent, Remote ID. On the WAN is IP Source Guard (v4/v6). Internal servers use Circuit ID, Vendor ID, and DAI. The Access and Distribution network uses MAC Limiting, Sticky MAC, and Restricted Proxy ARP. [Video description ends]
Finally here, everybody knows this. You got to have antivirus and you got to have antimalware. I would argue that you also have to have antispyware, that that's a different thing. But not everybody thinks that way, and certainly the folks over at CompTIA don't. They talk about antivirus and antimalware, and lump the antispyware category right in with the malware. Which many would say it is.
The features of antivirus. I can schedule scans, I can run manual scans. And I've got real-time scanning, looking for those emergent threats of the 21st century Internet. We hope that it removes the malicious software, and that it runs in the background without taking up too many system resources. And generally these have configurable notifications.
There are principally two methods that antivirus products use. They use the signature method. So they look for the signature file and they validate the signature of a known virus. These are worthless, these solutions. They're absolutely pointless. Polymorphic viruses made signature scanning obsolete three, four years ago now. Heuristic analysis is behavior-based analysis, right? We take a look at what's out there and we can sandbox something that we think is bad.
Antimalware can be installed on individual machines, at the gateway network appliances, out in your cloud service, or embedded in the firmware. But you gotta have it. And we hope that it protects against rootkits, ransomware, and spyware, right? That's what the CompTIA folks say. And then detection methods, signature-based, behavior-based, and using a sandbox just like most antivirus products do.
Now just to put a bug in your ear, just a thought, and this is my own thought. When we look at the range and the delivery vectors of the new generation of ransomware, my concern is that I see some very specific people in the antispyware camp designing algorithmic sets to detect that behavior. But I don't necessarily see that happening with the malware providers. And so I kind of think of spyware as a separate thing. But the industry does not, folks.
So that's just something that I'm thinking about that I thought some of you would like to think about, too. If you have any comments on that, feel free to email me.
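The antivirus features listed above (scheduled scans, manual scans, real-time scanning, signature versus behavior-based detection) map onto settings you can read and set on the engine built into Windows Server 2016. This is an added example, not from the course or from any vendor documentation: it reports the current posture with the Windows Defender cmdlets, applies a baseline that keeps real-time and behavior monitoring on, and re-checks. It assumes the Defender PowerShell module is present and the shell is elevated; the 4-hour update interval and 02:00 scan time are choices made for this example.

```powershell
# Added example (not from the course): check and configure the antivirus
# features the section lists using the Windows Defender cmdlets.
# Assumes an elevated shell on a host with the Defender module installed.

function Get-AntivirusPosture {
    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection  = $status.RealTimeProtectionEnabled   # real-time scanning
        BehaviorMonitoring  = $status.BehaviorMonitorEnabled      # behavior-based detection
        SignatureAgeDays    = $status.AntivirusSignatureAge       # signature-based detection freshness
        LastQuickScan       = $status.QuickScanEndTime
        LastFullScan        = $status.FullScanEndTime
        ScheduledScanDay    = $prefs.ScanScheduleDay
        QuickScanTime       = $prefs.ScanScheduleQuickScanTime
        SignatureCheckHours = $prefs.SignatureUpdateInterval
    }
}

function Set-AntivirusBaseline {
    # Keep real-time and behavior monitoring on, check for signatures every
    # 4 hours, and run a scheduled quick scan every day at 02:00.
    Set-MpPreference -DisableRealtimeMonitoring $false `
                     -DisableBehaviorMonitoring $false `
                     -SignatureUpdateInterval 4 `
                     -ScanScheduleDay Everyday `
                     -ScanScheduleQuickScanTime '02:00:00'
    Update-MpSignature
}

function Test-AntivirusPosture {
    param([Parameter(Mandatory)]$Posture, [int]$MaxSignatureAgeDays = 1)
    $problems = @()
    if (-not $Posture.RealTimeProtection) { $problems += 'real-time protection is off' }
    if (-not $Posture.BehaviorMonitoring) { $problems += 'behavior monitoring is off' }
    if ($Posture.SignatureAgeDays -gt $MaxSignatureAgeDays) {
        $problems += "signatures are $($Posture.SignatureAgeDays) days old"
    }
    if ($Posture.ScheduledScanDay -eq 'Never') { $problems += 'no scheduled scan' }
    $problems
}

$before = Get-AntivirusPosture
Set-AntivirusBaseline
$after  = Get-AntivirusPosture
$after | Format-List
Test-AntivirusPosture -Posture $after | ForEach-Object { Write-Warning $_ }

# A manual (on-demand) scan when something looks suspicious:
# Start-MpScan -ScanType QuickScan
```

Running the posture check on its own, without the baseline step, is a useful scheduled job in its own right: the warnings it emits are exactly the conditions (protection disabled, stale signatures, no schedule) that show up on the machine that ends up being the ransomware foothold.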
Authentication Security
In this section, we want to talk about authentication security and how we extend security to the authentication process.
And you may be thinking to yourself, well, wait a minute, I thought that the authentication process was the security process. And of course, it is. And that makes it one of the principal targets because that's where the credentials are, right? If I can get those credentials, then I can do a credential escalation, or elevation of privilege, and get out on the network as you. And that's what we want to avoid.
So a couple of things here, the very first thing that you do is you create password policies and account lockout policies. And that way, passwords are harder to guess, right. A ten-character password is exponentially harder to guess than an eight-character password. Exponentially, and that's the critical bit. [Video description begins] Password Policies include: maximum and minimum password ages, a minimum password length, and enforcing password history. [Video description ends] And the account lockout policies right off the bat defend me from those dictionary attacks. [Video description begins] Account lockout policy covers account lockout duration and threshold, and resetting the lockout counter after. [Video description ends]
Credential management, we want to extend modern authentication protection to legacy systems. You've gone with a multifactor certificate-based authentication protocol and single sign on. Except there's this one thing that doesn't do it, make it do it, or get rid of it, right? These holes in the cheese are where the mice get in.
Extended protection for authentication, what that really means is the extensible authentication protocol. The extensible authentication protocol provides extended protection for authentication by saying that legacy system only does basic authentication. Well, gosh, basic authentication sends passwords in clear text over the network, I don't want that.
So I leverage the extensible authentication protocol to layer in a certificate based smart card as my multi factor authentication mechanism. And that smart card provides the wire data encryption, so it encrypts my password for me. Does that make sense? The actual password hash or password in a clear text environment is actually encapsulated in another encrypted packet. And you want to disable NTLM authentication on any Windows network today.
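The password policy, account lockout policy and NTLM settings discussed above can all be applied and verified from PowerShell. This is an added example, not from the course: it sets the domain password and lockout policy on EarthFarm.com with the ActiveDirectory cmdlets, reads it back as a pass/fail check, and reports the registry values that control whether a Windows host will still send or accept NTLM. It assumes the ActiveDirectory module and Domain Admin rights; the specific numbers (10 characters, 24 remembered passwords, 5 attempts, 30 minutes) are choices made for this example, not values from the course.

```powershell
# Added example (not from the course): apply and verify a password/lockout
# baseline for the domain, and check NTLM restriction settings on this host.
# Assumes the ActiveDirectory module and rights to change domain policy.

Import-Module ActiveDirectory

function Set-DomainPasswordBaseline {
    param([string]$Domain = 'EarthFarm.com')
    $policy = @{
        Identity                 = $Domain
        MinPasswordLength        = 10                           # exponentially harder than 8
        ComplexityEnabled        = $true
        PasswordHistoryCount     = 24                           # enforce password history
        MinPasswordAge           = (New-TimeSpan -Days 1)       # no cycling straight back
        MaxPasswordAge           = (New-TimeSpan -Days 90)
        LockoutThreshold         = 5                            # failed attempts before lockout
        LockoutDuration          = (New-TimeSpan -Minutes 30)   # account lockout duration
        LockoutObservationWindow = (New-TimeSpan -Minutes 30)   # reset lockout counter after
    }
    Set-ADDefaultDomainPasswordPolicy @policy
}

function Test-DomainPasswordBaseline {
    param([string]$Domain = 'EarthFarm.com')
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    [pscustomobject]@{
        MinLengthOk     = $p.MinPasswordLength -ge 10
        ComplexityOn    = $p.ComplexityEnabled
        HistoryEnforced = $p.PasswordHistoryCount -ge 24
        LockoutEnabled  = $p.LockoutThreshold -gt 0       # 0 means dictionary attacks never lock out
        MaxAgeSet       = $p.MaxPasswordAge -gt [timespan]::Zero
    }
}

function Get-NtlmRestriction {
    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM responses.
    # RestrictSendingNTLMTraffic / RestrictReceivingNTLMTraffic: 0 allow, 1 audit, 2 deny.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LmCompatibilityLevel         = $lsa.LmCompatibilityLevel
        RestrictSendingNTLMTraffic   = $msv.RestrictSendingNTLMTraffic
        RestrictReceivingNTLMTraffic = $msv.RestrictReceivingNTLMTraffic
        NtlmDenied = ($msv.RestrictSendingNTLMTraffic -eq 2) -and ($msv.RestrictReceivingNTLMTraffic -eq 2)
    }
}

Set-DomainPasswordBaseline
Test-DomainPasswordBaseline | Format-List
Get-NtlmRestriction | Format-List
```

Before moving the NTLM values to deny (2), run with audit (1) for a while and review the NTLM audit events: the legacy system the presenter describes, the one hole in the cheese, shows up there as the host still negotiating NTLM, and that is the one to fix or retire before the deny setting would lock it out.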
When we think about the trifecta of multifactor authentication, it's not two-factor authentication, it's three factors where we depend on something that the user knows, [Video description begins] These are knowledge factors and include challenge answers. [Video description ends] like their password, their username. Something that they have, like a MAC address on the machine, security token, their phone, PIN. One of those hardware key fobs, right, the RSA devices. [Video description begins] These are also known as possession factors. [Video description ends] And then finally, something that they are, fingerprint, retinal scan. [Video description begins] These are inherence factors and include biometrics, fingerprints, and cookies left on computers. [Video description ends]
Now, I had a really energetic conversation with some friends of mine about whether or not the cookie left on the computer should be something you are or something you have. Or even, someone argued, something you know. And I put it where I did because that is the one example here that is exclusively used for computer authentication. For extending and for secondary authentication of the machine. And so, the authentication service generates this cookie, the authentication's HTTPS service, generates this cookie to the client. And this encrypted cookie sits on the client and it identifies the client.
And the analogy that I make is, and it depends on the vendor because it can be a randomly generated number, or it can be based on unique characteristics of the machine. And it generates a hash value based on those unique characteristics of the machine. And then that hash becomes the secondary authentication mechanism for the machine. Which is very much the way that your fingerprint device calculates, right, a hash value based on a set of algorithms that applies to the dataset that represents your fingerprint.
Your fingerprint scanner doesn't store your fingerprint, right, guys? It just stores, generally, the hash value that's generated from the algorithmic set. You don't want your fingerprint stored on your phones, that's for sure, they're all over them anyway. That solution is a great solution, but it requires a public key infrastructure and not all of us have a public key infrastructure. [Video description begins] The acronym for Public Key Infrastructure is PKI. [Video description ends]
However, I'm going to encourage everybody to spend some time if you've got a virtual lab set up and you've got an MSDN license, you have all the software you need to do this. Set up a certificate server and work with certificates, this is a very in-demand skill. Very in demand, you got to know this. And this is how we're going to secure everything. Well, until they put the quantum computer online, right?
Digital certificates. For certificate-based authentication we present a digital certificate. Now, as a two-factor authentication mechanism, you might also still need the username though you may not. Certificate revocation list, I have to know if the certificates are any good or not in this certification authority. So I have to be able to find that out from an authoritative source. [Video description begins] The acronym is CRL. [Video description ends]
And finally, what you want to know is that today in the Microsoft world, we use an X.509 version 3 with Subject Alternative Name support. Now, in the Unix world, you just drop the version 3, or better. Version 3 equates to the Windows Server 2008 operating system. Version 4, today, would be 2016. But they want you at least on version 3 from Microsoft.
What are the fields in there? What's really important here is the validity period. And the subject name, and whether or not this thing supports subject alternative names. Because that's going to let me map this single certificate to lots and lots of services on that machine. [Video description begins] The fields are Version number, Serial number, Signature Algorithm ID, Issuer name, Validity period, Subject name, and Public Key Algorithm. The Thwarts list is Phishing, Keystroke logging, Man-in-the-middle (MITM) attacks, and other common problems. [Video description ends]
And directory permissions, I'm going to look at later in a separate section in the A+ course. So if you follow along with this, we'll come back to this [Video description begins] Windows securable permissions with an ACL include files, folders, regkeys, printers, users, computers, groups, and other windows objects. Permissions are cumulative. Exception – Explicit Deny overrides Allow permissions. The Security tab is the Properties page. Command line tools and PowerShell cmdlets include Get-ACL. [Video description ends] and how that's represented on an access control list, which is changing.
New objects do still inherit permissions from their parent containers. Administrators and object owners get full control. And permissions can be either inherited from the parent container or explicitly assigned. Advanced permissions are very granular, I can be very, very specific with them. And finally, there is a new set of technologies for data loss prevention.
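An added example (not Windows' own access-check algorithm) that models exactly the rules listed above: permissions are cumulative across a user's groups, an explicit Deny overrides Allow, new objects inherit the parent container's entries, and administrators and owners get full control. Object, user and group names are constructed.

```python
"""Effective-permission evaluation for the ACL rules the transcript lists.
Added example; models the stated rules, not the full Windows ACE ordering."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

FULL = {"read", "write", "delete", "change_permissions"}


@dataclass
class ACE:
    principal: str           # user or group name
    rights: Set[str]         # e.g. {"read", "write"}, or {"full"}
    allow: bool = True       # False = Deny entry
    inherited: bool = False  # came from the parent container


@dataclass
class SecurableObject:
    name: str
    acl: List[ACE] = field(default_factory=list)
    owner: str = "Administrators"


def create_child(parent: SecurableObject, name: str, owner: str) -> SecurableObject:
    """A new object in a container starts with the parent's entries, marked inherited."""
    inherited = [ACE(a.principal, set(a.rights), a.allow, inherited=True) for a in parent.acl]
    return SecurableObject(name, inherited, owner)


def effective_rights(obj: SecurableObject, user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Rights the user ends up with: the union of every Allow entry that names the
    user or one of the user's groups, minus anything a Deny entry takes away."""
    principals = {user} | groups.get(user, set())
    if obj.owner in principals or "Administrators" in principals:
        return set(FULL)   # transcript: administrators and object owners get full control
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in obj.acl:
        if ace.principal not in principals:
            continue
        rights = FULL if "full" in ace.rights else ace.rights
        (allowed if ace.allow else denied).update(rights)
    return allowed - denied      # explicit Deny overrides Allow


def explain(obj: SecurableObject, user: str, groups: Dict[str, Set[str]]) -> List[str]:
    """Which entries applied, the way the Security tab's 'Effective Access' would list them."""
    principals = {user} | groups.get(user, set())
    return ["%s %s %s%s" % ("Allow" if a.allow else "Deny", a.principal,
                            sorted(a.rights), " (inherited)" if a.inherited else "")
            for a in obj.acl if a.principal in principals]
```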
And what this is about is if I manage the email servers and we're currently in negotiations, very hush, hush. And there's only a few people that should send an email that has this particular company name in it. If I see an email go out that has the merging companies name in it that's not on that list of approved people, right? The legal team, the board of directors, etc. I'm going to ask why that email's... I'm going to grab that email out of the system, I'm not going to let it exit the network, and we do this through rules. And then I'm going to read the email, or I'm going to send it to the compliance officer and we're going to read it together. Because if it's an insider trading account of the merger, that's going to be a problem for everybody.
[Video description begins] Data loss prevention detects possible data breaches, remote commands to delete data from the network, and monitors or blocks deletion. Data may be in use, in transit, or at rest. It's designed to prevent sensitive company information from leaving the network. And it prevents data being accessed by a third party outside of our control. [Video description ends]
So this is a look at securing the authentication process in Windows today.
General Security Mechanisms
The virtual private network lets me traverse the public Internet to reach my office, my internal network, in a secure fashion. And it does this in a number of ways. When I think about any remote connection, I don't think about just one thing. When I think about remote connections, I think about a stack of protocols that have to be negotiated. And where do those protocols start? Well, they start with the authentication protocols. How does the device I'm connecting to authenticate me? What information does it need from me? What information do I not want to give it? What information do I not want to transmit across the public Internet? How do I secure that with encryption protocols?
If I'm going to transit to the public Internet, I want to know that the payload, the data in my packets, is always encrypted. Anybody snooping the wire, they get garbage, that's what we want. And so what's the encryption algorithmic set that the client supports and the device supports? And then I got to bring the two together. And so the first thing when you are doing any hardware buying like this, say for VPN servers or VPN access gateways, do the clients we have in the field support the protocol set?
Now that's less of a problem today, right, because we've got these standard Internet protocols. I want to know that the data arrives integrally. That it gets there exactly as I sent it. If anybody flips even one bit in transit, or a bit degrades, I want that entire packet flagged, dumped, and resent, retransmitted, right? And that's the function of the hash algorithm, right?
I think of this like a protocol parfait. If I want to have secure remote access, I'm going to not just have a single piece to this puzzle. There's going to be a collection of things that make it secure. And principally, that will be the authentication protocols, the encryption protocols, and the hash algorithms.
Now, where does the client get them? From the certificate that you provision them with. And then network protocols including secure DNS and IPSEC. IPSEC also provides wire data encryption. And where do they get it all from? The certificates, of course.
For my email servers, I want to do email filtering, and I can do that on incoming or outgoing mail. I might use it to organize incoming email, remove spam, scan for viruses, and inspect outgoing email as part of a data loss prevention solution. Because today Microsoft Office, for example, is all an XML based file. And if you're using Microsoft Exchange, everything is XML based. It means that the metadata can be readily parsed. If I want to look for particular tags as a rule that automatically searches every email before it leaves the network, I can do that.
So let's say, we've made some fantastic discovery, project XYZ. And project XYZ should not be discussed by anybody except the legal team and the board of directors. I can set up a rule that looks for the language: project XYZ. And any email that goes out with that in it, I can flag it and forward it to the compliance officer. That's the kind of thing we can do today. Users use these kinds of things for their inbox rules to prioritize messages and to sort them into folders.
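The outbound rule described here and in the merger example earlier, as an added example using only the Python standard library (not an Exchange transport rule): a message that mentions the confidential project and comes from a sender who is not on the approved list is held and redirected to the compliance officer. The watch terms, addresses and the sample message are constructed.

```python
"""Outbound data loss prevention rule for the 'project XYZ' scenario.
Added example; addresses, watch list and sample message are constructed."""
import re
from email import message_from_string
from email.message import Message

CONFIDENTIAL_TERMS = [r"project\s+xyz", r"acme\s+merger"]        # constructed watch list
APPROVED_SENDERS = {"counsel@example.com", "chair@example.com"}   # legal team, board
COMPLIANCE_OFFICER = "compliance@example.com"
_PATTERN = re.compile("|".join(CONFIDENTIAL_TERMS), re.IGNORECASE)


def message_text(msg: Message) -> str:
    """Subject plus every text part, attachments included, as one string."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def sender_address(msg: Message) -> str:
    header = (msg.get("From") or "").strip().lower()
    found = re.search(r"[\w.+-]+@[\w.-]+", header)
    return found.group(0) if found else header


def evaluate(raw: str) -> dict:
    """Apply the rule to one outbound message; returns the action and why."""
    msg = message_from_string(raw)
    sender = sender_address(msg)
    hit = _PATTERN.search(message_text(msg))
    if hit is None:
        return {"action": "deliver", "reason": "no confidential terms"}
    if sender in APPROVED_SENDERS:
        return {"action": "deliver", "reason": "approved sender " + sender}
    return {"action": "hold", "redirect_to": COMPLIANCE_OFFICER,
            "reason": "'%s' sent by unapproved %s" % (hit.group(0), sender)}


# Constructed outbound message that should trip the rule
SAMPLE = """From: Sam Analyst <sam@example.com>
To: friend@partner.test
Subject: quick heads up
Content-Type: text/plain; charset="utf-8"

Heard the board signs off on Project XYZ Friday, might be worth a look.
"""
```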
Some of the common filters that we can specify are integration points for our antivirus and anti-spam solutions. I can do URL filtering, so if it comes from a particular address space, we don't take it, that can also be based on the IP address ranges. So if I subscribe to a real time block list that gives me all the IP addresses of the dark net that we know of as it moves around the world, right, cropping up here and there, we just don't accept anything from those. And then finally, authentication-based rejections, if you can't authenticate, we're not accepting it.
Now that's a problem, because traditionally SMTP had no authentication mechanism. So I would layer in certificate infrastructure between myself and anybody I wanted to email me. See, that's the problem with it, right, if you demand the authentication. But for particular, you know that XYZ project that's so important to us? Well, we have a critical vendor, our success is dependent on theirs and theirs is dependent on ours. They're going to be critical to getting XYZ out there. So those guys we set that kind of encrypted and mutually authenticated transport, it's actually mutual transport layer security, MTLS, that you configure between you and the vendor and then maybe dedicate an email server to that. And then that email is encrypted, nobody sees it except the recipient.
Finally, two notions here, the idea of clean source principles, and management by least privilege. A problem that we've had for a long time is malicious software writers adding their executable payloads to things like device drivers. So you go up to a Torrent site, you grab a device driver, you think it's okay, you install it and bang, you're hosed now, right, to use the technical term.
So today, we talk about the clean source principle, which is that I only install software from right off the manufacturer CD/DVD, that I've downloaded from the manufacturer, and that is digitally signed by the manufacturer. And that download from the manufacturer, I don't just download it, I go to two separate download locations of theirs from two separate machines, and compare the files that come down, ideally.
Finally, the principle of least privilege, [Video description begins] The least privilege needed for a role should be assigned. [Video description ends] backups and restores, this is a great example to me. There's something in Windows called the backup operators group. If I hired you to do backups, and I put you in the backup operators group, I've just also given you the rights to do restores. Which means you can override local file system security and encryption to do backups and restores. You can walk out of this place with everything any day you want.
So for me, I always separate those two roles. They're separate groups with separate rights. The restore people don't talk to the backup people. The backup people don't talk to the restore people. It's less of a chance of a conspiracy, right. If just one can do it, you know they may, but if you need two, that's a conspiracy. Conspiracies don't work.
And the benefits of this: it improves security. It foils elevation of privilege attacks. It gives me better stability, right? No "oops, my bad" moments. And finally, when applied to applications, it will ease your deployment and reduce the risk of exploits.
And these are some of the general security principles and concerns that we have here in the early part of the 21st century Internet.
Wireless Protocols and Encryption
In this section, I want to introduce wireless protocols and encryption.
And the key takeaway here is, right, if you look on the left, there is this chart. And the three protocols in question are WEP, the Wired Equivalent Privacy protocol, WPA, and WPA2. And then, is it secure, what encryption does it use, what authentication, and how does it perform on the WAN?
And if you take a look at secure, the first two are no. Well, if they're not secure you can't use them. You just can't. And so nobody should be using WEP, nobody should be using WPA. If you are at home because you think to yourself, well, I'm home, right, I know WEP is no good, but it's easy, I'll just put it in a router. And that's what I'm using. You should know that anybody in your neighborhood that wants to read your traffic is reading the traffic, right? Well, I mean, except for anything else that's also encrypted with a higher level encryption protocol, like SSL traffic, which today, thank goodness, is most of our Internet traffic. You see that all the time these days. You go to a website and it's not HTTP. It's HTTPS. That's a far more secure world to be living in.
And now, WPA2 says that it's secure, but with AES only, not with TKIP. Now what they are, the encryption options that are available when I use the wireless protocol. And so I have these two encryption protocols. Do I care about TKIP, if it's not secure? I don't.
AES, the Advanced Encryption Standard. AES today has replaced Triple DES, if you remember Triple DES, which used to be the federal government's standard for data encryption. But today if you have any hope of becoming a federal government contractor, and you're going to connect your laptop to a federal network, you're going to have to be running AES. That's the standard today. And on any 802.1x network, you should have everything you need to support such a connection. [Video description begins] WEP uses WEP encryption, has no authentication and isn't suitable for a WAN. WPA encryption is TKIP/AES, authentication is PSK, and is better for a WAN. WPA2 encryption is TKIP/AES, authentication is 802.1x and is best for a WAN. [Video description ends]
Now when we think about those networks, those wireless networks, what is beyond the scope of this course but what everybody here wants to know is that the gold standard for security in connecting to those wireless networks is a configuration we call PEAP with passwords, P-E-A-P. That's, now first of all, EAP. That's the Extensible Authentication Protocol, right, and so the P is Password Protected Extensible Authentication Protocol, or PEAP with passwords, and that has been the gold standard for wireless connectivity for some time. It takes a little bit to get it provisioned because it's a certificate based authentication mechanism. But you know when you live in that world, you know at the very least that the communication is encrypted on the wire. It's encrypted in the air. It's encrypted in such a way that anybody snooping in the air is not going to be able to interpret that data.
And you may be saying to yourself, well, nobody snoops like that anymore. That doesn't happen, because everything's encrypted so nobody bothers trying. Well, I would encourage you to go to wigle.net, with just one g, W-I-G-L-E, .net. Now, some of you might remember wigle.net from when wireless networks first became prevalent and the hobby or pastime perhaps would be better of what they used to call war driving. You'd load yourself up and you'd go out with some equipment and you would map networks and fingerprint networks all over town. And those maps are still available at wigle.net and are still being updated. They're current.
When I used to teach this class in front of people when I would say that, I've had more than one person bring up Wigle, look at the map for where their business is, and just get up and leave the room pale faced knowing what is published about their business out there. So I'd encourage you to take a look. If you haven't been there, go to wigle.net, take a look, see if you're on there, and see if it says that you've got an open network. If you do, right, or what it says about you and your business there, and then close those doors.
This is a look at wireless protocols and encryption.
Wireless Authentication
In this section, we'd like to talk about the wireless authentication process and how we manage that. What are the technologies we use to manage that? Because something simple like this, single-factor authentication, user-based authentication. The user provides their credentials and they get access to the network, and that's all there is to it.
Well, okay, but what are they connecting to? They're connecting to a wireless router, right? A WAP, a wireless access point. Now, does that WAP know anything about authenticating an Active Directory domain credential, which is commonly the credential... or at least a Kerberos v5 credential, right? It's commonly the credential you're going to be validating.
The device doesn't know anything about that. So I need an infrastructure in the background to manage that authentication. And I don't want to just manage the authentication, who came in or who tried to get in, but additionally, I want to record all of that. I want to do accounting, right? How many people came in, when do they come in, what are the peak hours? How do we scale the solution as we need to? And I also need a solution for authorization. What can you access? And so, I need somebody in the middle to broker that for me. And we'll talk about those solutions in this section. [Video description begins] Single factor authentication is user-based. The user provides credentials for network access. [Video description ends]
Now of course, you could do multifactor authentication for the user. It means that the user gets issued a smart card, or a key fob device, or some biometric device, or a combination thereof. For the machines, most commonly we provision them with a certificate. And we enable certificate-based authentication for the machine.
Now, you may be saying to yourself, what do you mean by machine? Well certainly, in an Active Directory world, in a Windows network world, when the machine starts up, it looks for a domain controller. And it authenticates to that domain controller, and it gets its group policy processed against it. It shares a common security context. It has a user account with a SID and a GUID just like you do. And so, when we look in, say, Microsoft's Active Directory at the authenticated users group, it's important that you recognize that that includes all users and computer accounts. The authenticated users group, the computers are seen as users.
So with your machine, what might its multi factor wireless authentication look like? Well, it's got a certificate, it can authenticate itself. Then it can go through the process of what it calls the secure session establishment. Now, all communication between me and thee is encrypted as it traverses the air. What that lets the machine then do is connect to a captive portal that's inaccessible to any device that doesn't have that certificate. At that secure portal that only you and other authenticated users can get to, you can provide your credentials and you get network access. And when I'm using the machine as the multifactor authentication mechanism, much as I would my smart card for my user account, that process looks something like that.
Now, this is the infrastructure that provides authentication, accounting, and authorization services, the triple-A services. Today, in the Microsoft world, we say quad-A because it also does auditing. [Video description begins] A network diagram displays for a wireless network. A user is connected to a wireless network and sends an authentication request. The wireless network is connected to RADIUS servers and a firewall. The RADIUS servers connect to Authentication servers. The firewall connects to the Authentication servers and the Intranet. [Video description ends] But it's RADIUS.
Now, RADIUS stands for, are you ready for this? The remote authentication dial-in user service. Now dial-in service, right, it's a remote connectivity protocol, RADIUS. And dig it, the machines coming into the network, that wireless access point, it doesn't know anything about Active Directory. But the RADIUS server is configured to talk to Active Directory. And so, it can accept your authentication request, pass it on the backend to an authentication and authorization server, and deliver the appropriate authentication response to you. So that you are, in fact, authenticated and able to access the network. And not just authenticated, but authorized to access the resources that you've been assigned permissions to. And so, both the authentication and authorization is in there.
Now, Cisco has its own proprietary answer to RADIUS. [Video description begins] It is called TACACS+. [Video description ends] And this uses a TCP protocol rather than the connectionless UDP protocol. So they're going to say it's more reliable, TACACS+. Authentication, accounting, and authorization. In RADIUS they're all combined. But Cisco separates the authentication piece, securing it further. And that's something to look at. What's the implication of that on my network? And especially if you've got the Cisco devices already. If not, in a Windows world, you'd designate a Windows server out in the DMZ as your RADIUS server.
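The exchange described above between the access point (the RADIUS client) and the RADIUS server, as an added example after RFC 2865 and not any product's code: the User-Password attribute is hidden with MD5(shared secret || Request Authenticator) rather than sent in the clear, the server checks the user against a directory (a plain dict standing in for Active Directory), and the Access-Accept or Access-Reject carries a Response Authenticator the client verifies. The shared secret, user list and NAS address are constructed.

```python
"""RADIUS Access-Request / Access-Accept round trip per RFC 2865.
Added example; secret, directory and addresses are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with a rolling MD5 stream."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def pack_attrs(attrs) -> bytes:
    # Each attribute: Type(1) Length(1, includes these two bytes) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = pack_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request(user: str, password: str, secret: bytes, nas_ip: bytes, ident: int = 1):
    """Access point side: returns (packet, request_authenticator); the authenticator
    is fresh random bytes for every request so the password stream never repeats."""
    ra = os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, ra)),
             (NAS_IP_ADDRESS, nas_ip)]
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra


def serve(packet: bytes, secret: bytes, directory: dict) -> bytes:
    """RADIUS server side: recover the password, check the directory, and answer with
    Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    ra = packet[4:20]
    attrs = dict(parse_attrs(packet[20:]))
    user = attrs.get(USER_NAME, b"").decode()
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    reply = ACCESS_ACCEPT if directory.get(user) == pw else ACCESS_REJECT
    header = struct.pack("!BBH", reply, ident, 20)
    return header + hashlib.md5(header + ra + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Access point side: a reply whose authenticator does not match was not
    produced by a holder of the shared secret for this request."""
    header, got, body = response[:4], response[4:20], response[20:]
    return hashlib.md5(header + request_auth + body + secret).digest() == got
```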
This is a look at wireless authentication.
Malware
In this section, we want to talk about malware, and malware is evolving. There are just no two ways about it, and a particularly awful version of it is called ransomware where the data on your hard drive gets encrypted and you don't get the decryption keys until you pay a ransom for it. I mean it's just straight up gangsterism. And it cost American companies, it's anticipated to cost in the billions of dollars in the next few years. If it's not there already, it may well be. So it's really an awful kind of thing and something to be aware of and to be educating your users about, right? You don't enter your network credentials to open a file attachment for example, generally.
So antimalware prevents, detects, and removes malware, we hope, right? As far as we know it does. Some of the malware that's out there today and of these, I would say that the big one to be aware of is ransomware. That's the one where money is the root of all evil, my friends. Some of these others we're probably familiar with, like keyloggers that track every keystroke and give an output to the bad guys. So if they're trying to figure out your password or your login credentials, or other data, if you're typing it, they're seeing it.
Rootkits, particularly kernel level, in the Windows world, what we would call a kernel level rootkit, is installed down at the low level of the operating system features and functions. And it gets full control over the system at the lowest possible level or virtually the lowest level. And we'll talk about some more of these. Spyware spies on you. I mean, it literally spies on you. So all very disconcerting. [Video description begins] Other types of malware include trojans and botnets. [Video description ends]
Worms, what makes a worm a worm is that it's self-propagating, right? It doesn't just infect your machine, it infects everybody else on your network. It gets itself off the local machine and onto other machines. And that's what makes them so particularly hard to get rid of. [Video description begins] A worm is self propagating malicious code. [Video description ends]
Trojan horses, these are seemingly harmless programs but they've got a malicious payload. That you may think you may know where they come from but you don't. Like viruses, worms and trojans can harm your data, impact the performance, impact the network, have noticeable effects on the machine, and are designed to hide themselves. All of these today are polymorphic. That is to say that they re-encrypt themselves, generating new hashes for the file headers. Signature-based antivirus against that kind of thing is worthless today.
These are some of the symptoms of malware infection. I think that we're all too familiar with these. [Video description begins] Malware symptoms include decreased system performance, disappearance of data, data modification, failure to launch OS or software, high network activity, increase in file size, and reports of suspicious behavior by friends and coworkers. [Video description ends]
Entire systems can be quarantined in the same way that the antivirus software on your machine. Look, there's a bug in the code. See that's what that is. In the same way that your machine will quarantine an infected file, if there's a machine that's on the network, you want to quarantine that machine from the rest of the network, right? Put it on a remediation network, where it can get its updates, it can get its new signature files, or whatever it is that you're using. And you can scan that machine or take appropriate action to eliminate the threat before you let it back on the network.
How do we remediate infected systems? Well CompTIA recommends this six-step approach for remediating infections of malware. Update your malware prevention software, run a scan, follow the software directions to quarantine or remove the infection, restore the system to a restore point. Now hang on, I've a question about that. Research the malware online and very often what we end up doing in the end is just format and reinstall the OS. I found half the time that saves me more time than everything else does.
Two things, restore the system to a restore point. It’s no good if the infection has been there and it's in the restore points too. And so, what I might want to do instead is disable system restore, validate when the infection happened. Can we fail back to a restore point or do I need to abandon them completely because they're already infected?
Outdated malware and virus prevention software are as risky to a system as no prevention software at all. Most software can be scheduled to update automatically, you should do that. When the software is updated, it's the antivirus signature definition file, or data file, that gets modified. And so when that software is updated, then run your scan again.
Now you can get what they call a boot sector virus and that's a problem. That's going to require some additional software to get in there and deal with that. Because this is a virus that injects its instruction set before the computer starts up, right? Before the operating system comes online, this instruction set gets injected, that's a problem.
Windows Defender integrates with a lot of third-party solutions today and of course is included with Windows 10.
[Video description begins] During the boot process, read only memory or ROM, tells the computer to read the first block of data on the boot sector and load whatever program is there. If system files are found, they direct the computer to load the operating system. If malware is found, it is loaded. Special virus removal software is necessary to remove boot sector viruses. [Video description ends]
This is a look at malware.
Tools and Methods
In this section, I'd like to talk about the security tools and methods, or some of them. And some of these we've talked about already, for example, antivirus. If you've been following along with the A+ curriculum, we know what antivirus is, we know what antimalware is, and why we want them.
The recovery console is a recovery tool set from the Microsoft Corporation for Windows. And it can be loaded into your system partition or a separate recovery partition at the time that you image your machines. If you don't load the tools, then they're not going to be there when the machine has a problem later on. So I want to make sure that they're baked into my images, or I want to have the installation media handy. I can boot the machine with the installation media, and then I can launch the recovery console in that fashion.
Backups and restores, now this section is not really about backups and restores, but just to point out to you it's a critical part of securing your data. Now one of the things that is a pet peeve of mine is that there's this backup operators group in Microsoft. And if I put you in the backup operators group, you have all the rights to override local file system, security and encryption for the purposes of running the backup. And you get those rights for the restores as well. And in my world that's too much responsibility for any one person to have. That responsibility should be split between two people, right?
For the same reason that when we lock our servers in a cage, those cages always have two locks. And they use different keys and there's somebody else during your shift that has the other key. And no one opens that door without two people knowing that the door was opened. So backups and restores, I want to first secure the positions, and the job roles and responsibilities, under least privilege rules by creating separate groups for those two and separating their rights.
And then the other thing is the group that does the restore that's tasked with that, part of their job has to be every month to do a test restore, make sure that this is working, that the backups are good. If nobody is doing test restores in your place, I can almost guarantee you that the day you go to take the backup down off the shelf, it's going to be no good.
Software firewalls, every Windows machine has a software implemented firewall that's on by default. You have to go out of your way to turn it off. It's not good, in my opinion, unless it's giving you a real conflict that's preventing users from doing their jobs, leave it on. And then secure DNS, we want to talk about that. But these are some of the security tools and methods. And I want to wrap this section up about two things that you might not think of as tools and methods at all.
Now DNS has been famous for its lack of security. It's got no authentication mechanism, it doesn't care who you are, it answers your queries. And in fact, that function of it has been exploited, as we saw in October of 2016 against the DYN Corporation, who manages a lot of the DNS servers in the world. And they were targeted by variations of Mirai, the exploit for distributed denial-of-service attack. So, out there in the world is a botnet, which is a network of zombie machines that can be activated to do the bidding of this malicious author who, on that morning, October 26th, I think, 2016, basically shut the Internet down on the western coast of Europe and the east coast of the United States early in that morning for a few hours.
Now one of the things that the Internet is doing about that is securing DNS. With DNS security, we validate where the DNS replies come from. We know that they come from a trusted source. And then there's some other things that we can do with that as well. You want to know what this is, but I wouldn't sweat trying to worry about implementing it too much. Get familiar with the lingo, and know these definitions of trust points and name resolution policy tables, etc., and what keys get created, get added.
[Video description begins] DNSSEC is a group of extensions that secure the DNS infrastructure, which identifies DNS response origin. Enable DNSSEC to create additional records. Managing keys requires a Resource Record Signature, or RRSIG, and a DNSKEY, a public cryptographic key that verifies the signature. Trust points provide a way to share the public key. A Name Resolution Policy Table, or NRPT, list zones or namespaces that perform DNSSEC queries and those that do not. [Video description ends]
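How the RRSIG and DNSKEY records named above fit together, as an added example with the standard library only (not the course's material): the RRSIG's signer name, algorithm and key tag must point at a DNSKEY in the zone, and the RRSIG must be inside its inception/expiration window, before the public-key operation that verifies the signature itself is even attempted. The key tag calculation follows RFC 4034 Appendix B; the records are constructed.

```python
"""Link a DNSSEC RRSIG to the DNSKEY that should verify it (RFC 4034).
Added example; records are constructed and the signature is not verified here."""
import base64
from datetime import datetime, timezone


def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Presentation format: name TTL IN DNSKEY flags protocol algorithm base64-key"""
    f = line.split()
    flags, protocol, algorithm = int(f[4]), int(f[5]), int(f[6])
    key = base64.b64decode("".join(f[7:]))
    return {"name": f[0].lower(), "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "key": key,
            "tag": key_tag(flags, protocol, algorithm, key)}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> dict:
    """Presentation format: name TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig"""
    f = line.split()
    return {"name": f[0].lower(), "type_covered": f[4], "algorithm": int(f[5]),
            "expiration": _ts(f[8]), "inception": _ts(f[9]), "key_tag": int(f[10]),
            "signer": f[11].lower(), "signature": "".join(f[12:])}


def select_key(rrsig: dict, dnskeys: list, now: datetime):
    """Return the DNSKEY that should verify this RRSIG, or a string saying why none does.
    A resolver that cannot find such a key treats the answer as unverifiable."""
    if not rrsig["inception"] <= now <= rrsig["expiration"]:
        return "RRSIG outside its validity window"
    matches = [k for k in dnskeys
               if k["name"] == rrsig["signer"] and k["protocol"] == 3
               and k["algorithm"] == rrsig["algorithm"] and k["tag"] == rrsig["key_tag"]]
    if not matches:
        return "no DNSKEY with matching signer, algorithm and key tag"
    return matches[0]
```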
The two things that I want to mention that you may not have thought of as tools or methods: because I'm not a cynic, and I do think that end user training works, education and training, security training for the end users, is critical. Awareness training for groups with sensitive positions, technical security training for the IT staff, advanced information security training for your compliance officer and your security practitioners. And finally, specialized training for senior management because they have no idea what's going on, commonly. There are a few exceptions.
And then often overlooked, but you can also overdo this, is getting in people's faces and making them aware of what the problem is. And of course in these situations, the eighth layer of the OSI model comes into play, which is politics. So moderation is desirable. But you want to talk to people, and you want to make available for their consumption, lectures, videos, and computer-based training. Put up some posters, post some newsletter articles, or email them around. Maybe make up a security bulletin that comes out quarterly where you present awards for good security practices, politics, right? Reminders like login banners, mouse pads, coffee cups, and notepads. [Video description begins] These are all strategies for increasing awareness. [Video description ends]
Guys, nobody should be entering their network credentials to open a file attachment just because that's what the email says to do and it looks like it came from somebody you know. It's a bad scene.
So these are some of the things that we think about, when we think about readiness and response, the tools and methods of securing our networks today.
Physical Destruction
In this section, we want to talk about the physical destruction of storage media when that media is no longer of value, right?
The most common hardware failure is traditional platter disks. And so these disks go bad, they die, often before the equipment that houses them does. And what do I do with that disk? Do I just throw it in the trash? Maybe that machine was a domain controller. My whole ntds.dit database is on there with the username and password hash of every user and computer in the place. Not something I'd want out there in the wild.
So we think about actually physically destroying those kinds of storage media when we're done with them, and it's a recommended practice to go ahead and incinerate them. Where appropriate, right? Where law and concern for the environment don't preclude that. Or you can ensure that the electronic data that was once on the disk is destroyed. A strong electromagnetic field, the process of degaussing, will purge that data from the disk. A drill or hammer works very well in my experience. Right, it's easy, simple. Get yourself a five-pound hammer, it will take out any ATA or SATA drive that you've got.
Or, I don't want to say the right thing to do, but where it's appropriate, where the data that's on the drives is problematic should it be divulged publicly, you may want to contact a shredding company. They shred these things into a recyclable format commonly. And what they'll do is they'll actually issue you a certificate of destruction, so if that data does pop up out there in the wild, it shouldn't be on you that it's out there. Because you destroyed your copies of it when you purged those disk drives.
So these are the things that we think about when we think about the physical destruction of storage media once it's reached the end of its life.
Recycling or Repurposing Best Practices
So let's say you have a drive, and that drive has hosted your e-mail messaging database for the last five years. And it's a good drive, you could repurpose it to something else, but you're going to upgrade the exchange servers, the e-mail servers, so you're getting all new hardware for them. Once you've transitioned over and you've got this drive, what do you do with it before you repurpose it?
Well, at the very least, you want to erase the data from there. So you could do a quick erase or drive wipe. Better would be to overwrite that data that's on there. And so, you purge the actual data on the disk and overwrite it with a bunch of ones and zeros, meaningless garbage, right, but just to hide and obfuscate what's underneath. And the difference between these two approaches is represented in the formatting choices, too. There's the low-level format versus the standard format.
Now, a low-level format overwrites the hard drive with random 1s and 0s across the drive platters. So it skips the file system, right, whereas a normal erasure, all it does is it purges the pointers to the files. So there's a file system, there's pointers to where the files are on the disk. If I get rid of the pointers, as far as the operating system is concerned, that's free space out there. But if I were to go in with recovery tools, I could peel that data off. And so, instead I'm going to overwrite it. I'm going to go right to the platters and overwrite that data to make sure that there's nothing there.
Personally, I mean, the opinions vary about this. But people will tell you you're paranoid if you think you have to overwrite the data three times. That's just unrealistic. Nobody's ever going to go to the trouble of trying to figure out what was there three passes ago. Well, I don't know that that's true. Depends on the data and who wants it, in my opinion.
So at any rate, at the very least, get rid of what's actually on the disk, don't just get rid of the pointers to it. So do a low-level format to re-format that drive and overwrite all that data. If you want to ensure that the data on the drive is not recoverable, a low-level format is the better choice. And so, if you're going to recycle these drives, make sure you thoroughly purge the data that's on them.
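To make the pointer-deletion versus overwrite distinction concrete, here is an added example (not part of the course material) that models a disk as raw sectors plus a file table of pointers; the toy geometry, the `ToyDisk` class and the sample `ntds.dit` contents are all constructed for illustration.

```python
import os

SECTOR = 16  # constructed toy geometry: 16-byte sectors


class ToyDisk:
    """Constructed model of a platter disk: raw sectors plus a table of pointers."""

    def __init__(self, sectors=32):
        self.raw = bytearray(sectors * SECTOR)  # the "platters"
        self.table = {}  # filename -> list of sector indexes (the file system's pointers)

    def write_file(self, name, data):
        """Allocate free sectors (lowest first, so contiguous on an empty disk) and store data."""
        chunks = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
        used = {s for idx in self.table.values() for s in idx}
        free = [s for s in range(len(self.raw) // SECTOR) if s not in used]
        if len(chunks) > len(free):
            raise IOError("disk full")
        sectors = free[:len(chunks)]
        for s, chunk in zip(sectors, chunks):
            self.raw[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.table[name] = sectors

    def quick_erase(self):
        """'Standard' erase: drop the pointers only; the platters are untouched."""
        self.table.clear()

    def low_level_format(self, passes=1):
        """Overwrite every sector with random bytes, once per pass, then drop the pointers."""
        for _ in range(passes):
            self.raw[:] = os.urandom(len(self.raw))
        self.table.clear()


def carve(disk, needle):
    """What a recovery tool does: ignore the file table and scan the raw platters."""
    return disk.raw.find(needle) != -1


if __name__ == "__main__":
    d = ToyDisk()
    d.write_file("ntds.dit", b"user:alice hash:deadbeef" * 3)  # constructed sample content
    d.quick_erase()
    print("after quick erase, OS sees files:", list(d.table), "carvable:", carve(d, b"hash:deadbeef"))
    d.low_level_format(passes=3)
    print("after low-level format, carvable:", carve(d, b"hash:deadbeef"))
```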
This is a look at recycling.
Securing Mobile Devices
In this section, we want to have a discussion about securing mobile devices. And the very first thing that we want to talk about is that this is a very different job if you own all the devices.
So if we're provisioning users with corporate-owned devices, we can say what the devices are, how they work, what policies go on them, etc. But if the user is required to bring their own device, and it can be anything, it can be a laptop, it can be a tablet, it can be a Mac, it can be a Windows, it can be a Linux distro. Whatever they have at home, they can use for this job, they bring it. Well, that's a different world to live in. And this, again, is where politics comes into play. Because you need to decide what kind of relationship you're going to have with your employees, and how demanding you can be about what they have to spend their money on.
So, we want to document, regardless of whether we are going BYOD or corporate-owned. When you've figured out how you're going to secure these devices and to what level risk is acceptable, then you want to document those policies and procedures. Write them down and hand them out. And maybe nobody ever reads them. But at least when they break the rules, you can say to them, it's in the handbook, and then maybe they will look at it. It's hard to say.
Some of the things that we think about with this are communication across firewalls. How do we manage that, or is that even a concern for us? Remote wipes, does the device support a remote wipe? And can we enforce those remote wipes if the device is lost? Can we impose a lockout policy on the device? So the device gets locked if the kid picks it up and starts trying to guess his mom or dad's password. Does it lock up then, so you know somebody was trying your password? Locator app, so we can find the device if you leave it on a bus.
And then remote backup applications that provide cloud storage, ideally. And we want to know, in my opinion, I want to know that that cloud storage facility is on a separate segment of the Internet backbone from the one that I'm on. So that if I'm suffering a catastrophic loss of the power grid, that the power grid in the neighboring state is online and I know that that's where my data center is.
There are the locks. There's the screen lock, right? And generally, you put in a PIN for that, and the passcode lock. There's a swipe lock where you have to swipe a pattern that you design. You know those matrices are usually 12 dots on the screen, 4 by 3. And generally, you have to connect at least four, right, you have to have four connections between the dots. Well then, that's 4 to the power of 9 possible combinations. And so that's a big number, hard to guess. Biometric authentication, fingerprint lock, and face locks, so that it's got to be you. If that's not your face, you're not getting in.
Securing mobile devices, antivirus, anti-malware, full device encryption, you want devices that can be encrypted. Enforce multifactor authentication, invest in some hardware, some badges, some badge readers, or another solution. RSA key fobs, but something, some other multifactor authentication mechanism, even an authenticator application. You can even get free ones. I don't know, I haven't done a comparative analysis on them. But I know that there's some freeware out there that acts like a software implemented key fob. So, it'll generate a number for me, text the number to my phone, say, the text pops up, I see it, there's the code. I can use that to then authenticate as something I have, the PIN, for that challenge response.
Only permit authorized applications from trusted sources to be installed. That's why for iOS devices, right, your iPhones, you can only install something if it comes from the App Store. For some, the Android devices, you've got the Play Store. And then Windows has the Microsoft Store, right, the Windows Store.
Now dig it, patching and updating these things is important to note as well. Microsoft has announced the end of Windows Mobile 10, and I assume the end of Windows Mobile. And so it looks like Microsoft is getting out of the phone business, looks like it. Now they've changed their mind about things before. But they have announced that December 2019 is the end of life. No more updates to Windows Mobile 10. And in the future, and I swear this is true, Microsoft has recommended iOS or Android for your phone solution, there you have it.
So guys, when we think about securing our mobile devices, we think about full device encryption, remote wipe particularly, multifactor authentication, and how do we do the patches?
This is a look at securing mobile devices.