Computer and network security helps to ensure that only authorized personnel have access. It also helps
to keep data and equipment functioning properly. Threats to security can be internal or external, coming
from inside or outside an organization, and the level of potential damage can vary greatly.
Internal threats - Users and employees who have access to data, equipment, and the
External threats - Users outside of an organization who do not have authorized access to
the network or resources
Theft, loss, network intrusion, and physical damage are some of the ways a network or computer
can be harmed. Damage or loss of equipment can mean a loss of productivity. Repairing and
replacing equipment can cost the company time and money. Unauthorized use of a network can
expose confidential information, violate the integrity of data, and reduce network resources.
To successfully protect computers and the network, a technician must understand both types of
threats to computer security:
Physical - Events or attacks that steal, damage, or destroy equipment, such as servers,
switches, and wiring
Data - Events or attacks that remove, corrupt, deny access to authorized users, allow
access to unauthorized users, or steal information
Malware is any software created to perform malicious acts. Malware includes adware, spyware,
grayware, phishing, viruses, worms, Trojan horses, and rootkits. Malware is usually installed on a
computer without the knowledge of the user. These programs open extra windows on the computer or
change the computer configuration. Malware can also collect information stored on the computer
without the user’s consent.
Types of Security Threats
(i) Adware is a software program that displays advertising on your computer. Adware is usually
distributed with downloaded software. Most often, adware is displayed in a pop-up window.
Adware pop-up windows are sometimes difficult to control and open new windows faster than
users can close them.
(ii) Spyware is similar to adware. It is distributed without user intervention or knowledge. After
spyware is installed and run, it monitors activity on the computer. The spyware then sends this
information to the individual or organization responsible for launching the spyware.
(iii) Grayware is similar to adware. Grayware may be malicious and is sometimes installed with the
user’s consent. For example, a free software program may require the installation of a toolbar
that displays advertising or tracks a user’s website history.
(iv) Phishing is where the attacker pretends to represent a legitimate outside organization, such as a
bank. A potential victim is contacted via email, telephone, or text message. The attacker might
ask for verification of information, such as a password or username, to possibly prevent some
terrible consequence from occurring.
A virus is a program written with malicious intent and sent by attackers. The virus is transferred to
another computer through email, file transfers, and instant messaging. The virus hides by
attaching itself to computer code, software, or documents on the computer. When the file is
accessed, the virus executes and infects the computer. A virus has the potential to corrupt or even
delete files on
your computer, use your email to spread itself to other computers, prevent the computer from
booting, cause applications to not load or operate correctly, or even erase your entire hard
A worm is a self-replicating program that is harmful to networks. A worm uses the network to
duplicate its code to the hosts on a network, often without user intervention. A worm is
different from a virus because it does not need to attach to a program to infect a host. Worms
typically spread by automatically exploiting known vulnerabilities in legitimate software.
A Trojan is malicious software that is disguised as a legitimate program. It is named for its
method of getting past computer defenses by pretending to be something useful.
A rootkit is a malicious program that gains full access to a computer system. Often, a direct
attack on a system using a known vulnerability or password is used to gain Administrator-
account level access. Because the rootkit has this privileged access, the program is able to hide
the files, registry edits, and folders that it uses from detection by typical virus or spyware
Virus protection software, also known as antivirus software, is designed to detect, disable, and remove
viruses, worms, and Trojans before they infect a computer.
Tools that are used to make web pages more powerful and versatile can also make computers more
vulnerable to attacks. These are some examples of web tools:
o ActiveX was created by Microsoft to control interactivity on web pages. If ActiveX is on a
page, an applet or small program has to be downloaded to gain access to the full
o Java is a programming language that allows applets to run within a web browser.
Examples of applets include a calculator or a counter.
allow interactive web sites. Examples include a rotating banner or a popup window.
o Adobe Flash - used to create interactive media (animation, video and games) for the
o Microsoft Silverlight - used to create rich, interactive media for the web, similar to
To protect against these attacks, most browsers have settings that force the computer user to authorize
the downloading or use of these tools.
SmartScreen Filter (Internet Explorer)
Spam, also known as junk mail, is unsolicited e-mail. In most cases, spam is used as a method of
advertising. However, spam can be used to send harmful links or deceptive content.
TCP/IP is the protocol suite used to control all communications on the Internet. The most common
TCP/IP attacks are:
• Denial of Service (DoS) is a form of attack that prevents users from accessing normal services,
such as e-mail or a web server, because the system is busy responding to abnormally large
amounts of requests. DoS works by sending enough requests for a system resource that the
requested service is overloaded and ceases to operate.
• Distributed DoS (DDoS) uses many infected computers, called zombies or botnets, to launch an
attack. With DDoS, the intent is to obstruct or overwhelm access to the targeted server. Zombie
computers located at different geographical locations make it difficult to trace the origin of the
• SYN Flood randomly opens TCP ports, tying up the network equipment or computer with a large
amount of false requests, causing sessions to be denied to others
• Spoofing - uses a forged IP or MAC address to impersonate a trusted computer.
• Man-in-the-Middle - intercepting communications between computers to steal information
transiting through the network.
• Replay - data transmissions are intercepted and recorded by an attacker, then replayed to gain
• DNS Poisoning - changing DNS records to point to imposter servers.
Social engineering occurs when an attacker tries to gain access to equipment or a network by
tricking people into providing the necessary access information. Often, the social engineer gains the
confidence of an employee and convinces the employee to divulge username and password
To protect against social engineering:
• Never give out your password.
• Always ask for the ID of unknown persons.
• Restrict access to visitors.
• Escort all visitors.
• Never post your password in your work area.
• Lock your computer when you leave your desk.
• Do not let anyone follow you through a door that requires an access card.
Hard Drive Disposal and Recycling
(i) Data wiping is often performed on hard drives containing sensitive data such as
financial information. It is not enough to delete files or even format the drive.
Software tools can still be used to recover folders, files, and even entire partitions if
they are not erased properly. Use software specifically designed to overwrite data
multiple times, rendering the data unusable. It is important to remember that data
wiping is irreversible, and the data can never be recovered.
(ii) Degaussing disrupts or eliminates the magnetic field on a hard drive that allows for
the storage of data.
(iii) Hard Drive Destruction: The only way to fully ensure that data cannot be recovered
from a hard drive is to carefully shatter the platters with a hammer and safely
dispose of the pieces.
(iv) Hard Drive Recycling - Hard drives that do not contain sensitive data can be
reformatted and used in other computers.
A security policy is a collection of rules, guidelines, and checklists.
A security policy includes the following elements:
• An acceptable computer usage statement for the organization.
• The people permitted to use the computer equipment.
• Devices that are permitted to be installed on a network, as well as the conditions of the
installation. Modems and wireless access points are examples of hardware that could expose
the network to attacks.
• Requirements necessary for data to remain confidential on a network.
• Process for employees to acquire access to equipment and data. This process may require the
employee to sign an agreement regarding company rules. It also lists the consequences for
failure to comply.
Security Policy Requirements
The security policy should also provide detailed information about the following issues in case of
• Steps to take after a breach in security
• Who to contact in an emergency
• Information to share with customers, vendors, and the media
• Secondary locations to use in an evacuation
• Steps to take after an emergency is over, including the priority of services to be restored
Password guidelines are an important component of a security policy. Passwords help prevent theft of
data and malicious acts. Passwords also help to ensure that logging of events is correct by ensuring that
the user is the correct person.
Three levels of password protection are recommended:
BIOS - Prevents the operating system from booting and the BIOS settings from being
changed without the appropriate password.
Login - Prevents unauthorized access to the local computer.
Network - Prevents access to network resources by unauthorized personnel.
Guidelines for creating strong passwords are:
Length - Use at least eight characters.
Complexity - Include letters, numbers, symbols, and punctuation. Use a variety of keys
on the keyboard, not just common letters and characters.
Variation - Change passwords often. Set a reminder to change the passwords you have
for email, banking, and credit card websites on the average of every three to four months.
Variety - Use a different password for each site or computer that you use.
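An added example, not part of these notes, that checks a candidate password against the four guidelines above (length, complexity, variation, variety); the per-site history of salted hashes, the 120-day age limit and the site names are assumptions made for the demo.

```python
# Added example (not from the original notes): password guideline checks.
# History is kept as salted PBKDF2 hashes so no password is stored in clear.
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8          # "Length - Use at least eight characters"
MAX_AGE_DAYS = 120      # "Variation" - assumed limit for "every three to four months"

def complexity_problems(password: str) -> list:
    """Guideline violations for length and character mix, empty if none."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols or punctuation")
    return problems

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash: comparing against history never needs
    # the old passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordHistory:
    """One salted hash per site, so reuse ('Variety') and age ('Variation')
    can be checked without keeping any password in clear text."""
    def __init__(self):
        self._records = {}          # site -> (salt, hash, time set)

    def record(self, site: str, password: str, now: float) -> None:
        salt = os.urandom(16)
        self._records[site] = (salt, _hash(password, salt), now)

    def reused_on(self, password: str, exclude: str) -> list:
        """Sites (other than `exclude`) already using this password."""
        return [site for site, (salt, h, _) in self._records.items()
                if site != exclude and hmac.compare_digest(_hash(password, salt), h)]

    def stale(self, now: float) -> list:
        """Sites whose password is older than MAX_AGE_DAYS (seconds since epoch)."""
        limit = MAX_AGE_DAYS * 86400
        return [site for site, (_, _, set_at) in self._records.items()
                if now - set_at > limit]

def evaluate(site: str, password: str, history: PasswordHistory) -> list:
    """All guideline violations for setting `password` on `site`."""
    problems = complexity_problems(password)
    for other in history.reused_on(password, exclude=site):
        problems.append("already used on " + other)
    return problems
```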
File and Folder Permissions
Permission levels are configured to limit individual or group user access to specific data.
Both FAT32 and NTFS allow folder sharing and folder-level permissions for users with
NTFS – File system that uses journals, which are special areas where file changes are recorded
before the changes are made.
• Can log access by user, date, and time.
• Has encryption capability.
FAT 32 - no encryption or journaling
Principle of Least Privilege - only allow users access to the resources they need.
Restricting User Permissions - If an individual or a group is denied permissions to a network
share, this denial overrides any other permission given.
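An added example (not from these notes) of how the deny-overrides rule and the principle of least privilege combine when working out a user's effective rights on a share; the ACL, user and group names are constructed.

```python
# Added example (not from the original notes): effective rights on a share.
# An explicit Deny matching the user or any of the user's groups overrides
# every Allow, and anything not explicitly allowed is denied (least privilege).
from collections import namedtuple

Ace = namedtuple("Ace", "principal kind rights")   # kind: "allow" or "deny"

def effective_rights(user: str, groups: set, acl: list) -> set:
    """Rights `user` (with memberships `groups`) actually has under `acl`."""
    principals = {user} | set(groups)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal not in principals:
            continue            # entry does not apply to this user
        (denied if ace.kind == "deny" else allowed).update(ace.rights)
    return allowed - denied     # any matching Deny wins over any Allow

def can(user: str, groups: set, acl: list, right: str) -> bool:
    return right in effective_rights(user, groups, acl)

# Constructed share ACL: all staff may read, accounting may also write,
# but contractors are explicitly denied writing even if also in Accounting.
FINANCE_SHARE = [
    Ace("Staff", "allow", {"read"}),
    Ace("Accounting", "allow", {"read", "write"}),
    Ace("Contractors", "deny", {"write"}),
]
```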
Lab 10.2.1.7, 10.2.1.8, 10.2.1.9
The value of physical equipment is often far less than the value of the data it contains. To protect data,
there are several methods of security protection that can be implemented.
• A firewall is a way of protecting a computer from intrusion through the ports. The user
can control the type of data sent to a computer by selecting which ports will be open
and which will be secured.
• Biometric Security compares physical characteristics against stored profiles to
authenticate people. A profile is a data file containing known characteristics of an
individual such as a fingerprint or a handprint. Common biometric devices available
include fingerprint readers, handprint readers, iris scanners, and face recognition
• Smart cards store private information such as bank account numbers, personal
identification, medical records, and digital signatures. Smart cards provide
authentication and encryption to keep data safe.
• Data backups are one of the most effective ways of protecting against data loss.
Establish data backup procedures which account for frequency of backups, storage for
data backups, and securing data backups using passwords.
• Data Encryption is where data is transformed using a complicated algorithm to make it
unreadable. A special key must be used to return the unreadable information back into
readable data. Software programs are used to encrypt files, folders, and even entire
Malware Software Protection Programs
It may take several different programs and multiple scans to completely remove all malicious software.
Run only one malware protection program at a time.
Virus protection - An antivirus program typically runs automatically in the background and monitors for
problems. When a virus is detected, the user is warned, and the program attempts to quarantine or
delete the virus.
Spyware protection - Antispyware programs scan for keyloggers, which capture your keystrokes, and
other malware so that it can be removed from the computer.
Adware protection - Anti-adware programs look for programs that display advertising on your
Phishing protection - Antiphishing programs block the IP addresses of known phishing websites and
warn the user about suspicious websites.
Common Communication Encryption Types
Hash Encoding: Hash encoding, or hashing, ensures that messages are not corrupted or
tampered with during transmission.
Symmetric encryption requires both sides of an encrypted conversation to use an
encryption key to encode and decode the data. The sender and receiver must use identical keys.
Asymmetric encryption requires two keys, a private key and a public key. The public key
can be widely distributed, including emailing in cleartext or posting on the web.
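As an added example (not from these notes), the block below shows hashing catching a corrupted message, why a bare hash on its own cannot stop deliberate tampering, and how a symmetric key shared by both sides (an HMAC) closes that gap; the messages and the key are constructed for the demo.

```python
# Added example (not from the original notes): hash encoding versus a keyed
# hash. The message, the altered copies and KEY are constructed sample values.
import hashlib
import hmac

# Constructed shared secret; a real deployment would generate it with
# os.urandom(32) and give it to both sides out of band.
KEY = b"demo-shared-secret-not-for-real-use"

def hash_tag(message: bytes) -> str:
    """Hash encoding: a fixed-size fingerprint sent along with the message."""
    return hashlib.sha256(message).hexdigest()

def hash_ok(message: bytes, tag: str) -> bool:
    """Receiver side: recompute the hash and compare in constant time."""
    return hmac.compare_digest(hash_tag(message), tag)

def keyed_tag(key: bytes, message: bytes) -> str:
    """Symmetric-key integrity (HMAC): sender and receiver hold the same key."""
    return hmac.new(key, message, "sha256").hexdigest()

def keyed_ok(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)

def demo() -> dict:
    original = b"pay 100 to account 42"
    tag = hash_tag(original)
    # 1. Transmission error: one byte changed, the hash no longer matches.
    corruption_caught = not hash_ok(b"pay 100 to account 43", tag)
    # 2. Active tampering: the attacker rewrites the message and recomputes the
    #    bare hash, so the receiver sees a consistent pair and accepts it.
    forged = b"pay 900 to account 99"
    forgery_caught = not hash_ok(forged, hash_tag(forged))
    # 3. Keyed hash: without KEY the attacker can only guess a tag, which fails,
    #    while a genuine message tagged with KEY still verifies.
    attacker_tag = keyed_tag(b"guessed-key", forged)
    keyed_forgery_caught = not keyed_ok(KEY, forged, attacker_tag)
    genuine_accepted = keyed_ok(KEY, original, keyed_tag(KEY, original))
    return {
        "corruption_caught": corruption_caught,
        "bare_hash_forgery_caught": forgery_caught,
        "keyed_forgery_caught": keyed_forgery_caught,
        "genuine_accepted": genuine_accepted,
    }
```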
The Service Set Identifier (SSID) is the name of the wireless network. A wireless router or access
point broadcasts the SSID by default so that wireless devices can detect the wireless network.
MAC address filtering is a technique used to deploy device-level security on a wireless LAN.
Wireless Security Modes
Most wireless access points support several different security modes. The most common ones are:
Wired Equivalent Privacy (WEP) – The first generation security standard for wireless. Attackers
quickly discovered that WEP encryption was easy to break.
Wi-Fi Protected Access (WPA) - An improved version of WEP that uses much stronger encryption.
Wi-Fi Protected Access 2 (WPA2) -WPA2 supports robust encryption, providing government-
A hardware firewall is a physical filtering component that inspects data packets from the network
before they reach computers and other devices on a network.
A hardware firewall passes two different types of traffic into your network:
• Responses to traffic that originates from inside your network
• Traffic destined for a port that you have intentionally left open
There are several types of hardware firewall configurations:
• Packet filter - Packets cannot pass through the firewall, unless they match the established rule
set configured in the firewall. Traffic can be filtered based on different attributes, such as source
IP address, source port or destination IP address or port. Traffic can also be filtered based on
destination services or protocols such as WWW or FTP.
• Stateful packet inspection - This is a firewall that keeps track of the state of network
connections traveling through the firewall. Packets that are not part of a known connection are
• Application layer - All packets traveling to or from an application are intercepted. All unwanted
outside traffic is prevented from reaching protected devices.
• Proxy - This is a firewall installed on a proxy server that inspects all traffic and allows or denies
packets based on configured rules. A proxy server is a server that is a relay between a client and
a destination server on the Internet.
Demilitarized Zone
• A Demilitarized Zone (DMZ) is a subnetwork that provides services to an untrusted network. An
email, web, or FTP server is often placed into the DMZ so that the traffic using the server does
not come inside the local network. This protects the internal network from attacks by this
traffic, but does not protect the servers in the DMZ in any way.
• Port forwarding is a rule-based method of directing traffic between devices on separate
• Used when specific ports must be opened so that certain programs and applications can
communicate with devices on different networks.
• Router determines if the traffic should be forwarded to a certain device based on the
port number found with the traffic. For example HTTP – Port 80.
• Port triggering allows the router to temporarily forward data through inbound ports to a
• For example, a video game might use ports 27000 to 27100 for connecting with other
players. These are the trigger ports.
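An added example, not from these notes, that models the three ways inbound traffic gets past a hardware firewall as described above: a port intentionally left open (port forwarding), a reply to a connection that started inside (stateful inspection), and a port opened temporarily by outbound traffic on a trigger port (port triggering), with everything else dropped; the addresses, the inside prefix, the timeout and the 25 -> 113 trigger mapping are constructed sample values.

```python
# Added example (not from the original notes): a tiny stateful firewall model.
# Packets, addresses and the trigger mapping are constructed for the demo.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Firewall:
    inside_prefix: str                                  # e.g. "192.168.1."
    forwarded: set = field(default_factory=set)         # ports left open on purpose
    triggers: dict = field(default_factory=dict)        # trigger port -> inbound port
    trigger_timeout: float = 60.0                       # seconds a triggered port stays open
    _conns: set = field(default_factory=set, init=False, repr=False)   # outbound 4-tuples
    _opened: dict = field(default_factory=dict, init=False, repr=False) # (host, port) -> expiry

    def inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def handle(self, p: Packet, now: float = 0.0) -> str:
        """Return 'allow' or 'drop' for one packet and update firewall state."""
        if self.inside(p.src_ip):
            # Outbound: remember the connection so its replies can come back.
            self._conns.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            if p.dst_port in self.triggers:
                # Port triggering: open the mapped inbound port, for this host only,
                # until the timeout passes.
                opened_port = self.triggers[p.dst_port]
                self._opened[(p.src_ip, opened_port)] = now + self.trigger_timeout
            return "allow"
        # Inbound: only the three permitted cases get through.
        if p.dst_port in self.forwarded:
            return "allow"                                  # port forwarding
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self._conns:
            return "allow"                                  # reply to inside-originated traffic
        if self._opened.get((p.dst_ip, p.dst_port), -1.0) > now:
            return "allow"                                  # triggered port, still open
        return "drop"                                       # default deny
```

With the review question's values (trigger port 25, open port 113), outbound traffic on 25 from an inside host opens inbound 113 to that host only, and only for the timeout.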
Lab: 10.3.1.4, 10.3.1.5, 10.3.1.6, 10.3.1.8, 10.3.1.9, 10.3.1.10
A user receives a phone call from a person who claims to represent IT services and then asks that user
for confirmation of username and password for auditing purposes. Which security threat does this
phone call represent?
Which two security precautions will help protect a workplace against social engineering? (Choose two.)
performing daily data backups
encrypting all sensitive data stored on the servers
registering and escorting all visitors to the premises
ensuring that all operating system and antivirus software is up to date
ensuring that each use of an access card allows access to only one user at a time
What are two typical physical security precautions that a business can take to protect its computers and
systems? (Choose two.)
Perform daily data backups.
Implement biometric authentication.
Disable the autorun feature in the operating system.
Replace any software firewalls with a hardware firewall.
Ensure that all operating system and antivirus software is up to date.
Which physical security technology can hold user authentication information, include software license
protection, provide encryption, and provide hardware and software authentication that is specific to the
card key access
Trusted Platform Module (TPM)
It has been noted that the computers of employees who use removable flash drives are being infected
with viruses and other malware. Which two actions can help prevent this problem in the future?
Set virus protection software to scan removable media when data is accessed.
Configure the Windows Firewall to block the ports that are used by viruses.
Disable the autorun feature in the operating system.
Repair, delete, or quarantine the infected files.
Enable the TPM in the CMOS settings.
In which situation would a computer technician use the fixmbr command at the command prompt of a
Windows XP computer to resolve a security issue?
when a virus has damaged the boot sector of the system disk
when a virus has damaged the master boot record of the system disk
when the folder permissions for user members of a group are incorrect
when unauthorized users have changed the CMOS settings and the CMOS password must be reset
All users working with a particular Windows 7 computer are able to install unauthorized software. In
addition to educating the users about correct security behavior, which action should also be performed
to solve this issue?
Disable the users' accounts.
Enable UAC on the computer.
Set the user folder permissions to Deny.
Change the user file permissions to Read Only.
You want to dispose of a 2.5 terabyte hard drive that contains confidential financial information. What is
the recommended procedure to achieve this?
Drill through the HDD.
Smash the platters with a hammer.
Immerse the HDD in a weak solution of bicarbonate of soda.
Use data wiping.
What is the most effective way of securing wireless traffic?
wireless MAC filtering
Which two items are used in asymmetric encryption? (Choose two.)
a DES key
a private key
a public key
Which two characteristics describe a worm? (Choose two.)
executes when software is run on a computer
hides in a dormant state until needed by an attacker
infects computers by attaching to software code
travels to new computers without any intervention or knowledge of the user
Which type of security threat uses email that appears to be from a legitimate sender and asks the email
recipient to visit a website to enter confidential information?
Which three questions should be addressed by organizations developing a security policy? (Choose
What assets require protection?
How should future expansion be done?
What is to be done in the case of a security breach?
When do the assets need protecting?
What insurance coverage is required?
What are the possible threats to the assets of the organization?
What does a malware detection program look for when running a scan?
a service pack
patterns in the programming code of the software on a computer
patches that prevent a newly discovered virus or worm from making a successful attack
Port triggering has been configured on a wireless router. Port 25 has been defined as the trigger port
and port 113 as an open port. What effect does this have on network traffic?
Any traffic that comes into port 25 allows outgoing port 113 to be used.
All traffic that is sent into port 25 to the internal network will also be allowed to use port 113.
Any traffic that is using port 25 going out of the internal network will also be allowed to transmit
out port 113.
All traffic that is sent out port 25 will open port 113 to allow inbound traffic into the internal
network through port 113.
Which two characteristics of network traffic are being monitored if a network technician configures the
company firewall to operate as a packet filter? (Choose two.)
What is the primary goal of a DoS attack?
to facilitate access to external networks
to prevent the target server from being able to handle additional requests
to obtain all addresses in the address book within the server
to scan the data on the target server
Which question would be an example of an open-ended question that a technician might ask when
troubleshooting a security issue?
Is your security software up to date?
Have you scanned your computer recently for viruses?
Did you open any attachments from a suspicious email message?
What symptoms are you experiencing?
Which action would help a technician to determine if a denial of service attack is being caused by
malware on a host?
Disconnect the host from the network.
Log on to the host as a different user.
Disable ActiveX and Silverlight on the host.
Install rogue antivirus software on the host.
A technician is troubleshooting a computer security issue. The computer was compromised by an
attacker as a result of the user having a weak password. Which action should the technician take as a
preventive measure against this type of attack happening in the future?
Check the computer for the latest OS patches and updates.
Verify the physical security of all offices.
Ensure the security policy is being enforced.
Scan the computer with protection software.
A user has reported that a computer web browser will not display the correct home page even if the
default page is reset. What is the likely cause of this problem?
UAC has been disabled on the computer.
The computer has been infected with spyware.
A virus has damaged the boot sector of the system disk.
Folder permissions have been changed from Deny to Allow.
What is the name given to the programming-code patterns of viruses?
virus definition tables