SecurePuter

Exploring Computer Security

CISSP Study Sheet - Information Security and Risk Management

Series: CISSP Study Sheet
Entry: Information Security and Risk Management

The CISSP Study Sheet Series will identify the most important details regarding each individual domain within the Common Body of Knowledge. You will want to expand your preparation beyond these study sheets, such as my top 3 favorite CISSP study resources. The intent of this study sheet is to act as a last minute cram of the most significant principles, theories, formulas, and terms for each domain. I recommend reading the CISSP study sheets just before the test, and then doing a “brain dump” of notes for the first 15 minutes onto the paper issued with the CISSP exam. Hopefully, you will have remembered enough to have created an authorized cheat sheet. Let’s begin with the Information Security and Risk Management Domain.

Information Security and Risk Management Study Sheet

Confidentiality – the security objective to protect from improper disclosure of sensitive information.
Availability – the requirement of business to have access to systems and data.
Integrity – the reliability of systems to properly function in order to prohibit improper modification of data.

Known as the CIA or AIC Triad, Confidentiality, Availability, and Integrity have to work in concert to keep data not only protected and accurate, but accessible to authorized users.

Policy – management stating the role security plays in an organization.
Procedure – a mandated series of steps to accomplish a task, such as software installation.
Standard – usually the implementation of a common hardware or software solution to a security risk, such as a Firewall.
Baseline – a consistent minimum benchmark for security configurations across a multitude of implementations, such as password rules.
Guideline – recommendations that are considered best practices until adopted as standards, such as the Common Criteria.

The Organization’s Security Policy is an abstract statement from management which is implemented through the IT staff. For example, following a procedure to install a standard, in accordance with a guideline and set up referencing the baseline, is an instance of adhering to policy.

Safeguards – uniform and proactive controls applied before an incident, which incorporates the idea of least privilege.
Vulnerability – a flaw in a procedure, implementation, or control that if exercised will result in a security breach.
Threat – a potential accidental or intentional danger to an information system.
Exposure – an opportunity for a threat to cause damage.
Risk – probability of a threat agent exploiting a vulnerability resulting in losses.
Risk Transference – the passing on of risk to a third party, such as insurance.
Countermeasure – reactive controls applied after an incident.

Safeguards are installed to protect against threats, but if a vulnerability exists in a safeguard an exposure to a threat surfaces resulting in a risk which either has to be countered or transferred.

Strategic Planning – a long term plan focusing on high level requirements, such as the overarching security plan.
Operational Planning – a mid term plan focusing on an organization’s functional plans.
Tactical Planning – a short term “fire fighting” strategy usually at the keyboard level.

The Planning Horizon is the compilation of strategic, operational, and tactical planning.

Job Rotation – movement of employees to expose collusion and policy violations.
Mandatory Vacations – forced leave to detect elements of fraud.
Separation of Duties – split knowledge and dual control of job tasks, which helps prevent errors and fraud.
Need to Know – only those persons absolutely requiring information should have access to such information.
Least Privilege – allowing processes and users only enough permission to accomplish their job.
Roles and Responsibilities – used to ensure everyone knows what an individual will be doing.
Due Care – responsible acts reducing the probability of being held liable or negligent.

Data Owners – responsible for data classification, user access, related business continuity plans and disaster recovery.
Data Custodian – is the security enforcer for the data owner, such as an email server admin.
Auditor – independent assurance that the security controls are being implemented correctly and are operational.
Application Owners – addresses user permissions and security controls on data specific to a particular application.

Information Risk Management – implementing the right mechanisms to mitigate and sustain an acceptable level of risk.
ISO 17799 & 27001 – guidelines, controls, and best practices for comprehensive security programs.
Asset Identification – assets are tangible, such as the facility, and intangible, such as data.
Assurance – a level of confidence that a particular security level is being upheld.
CobiT – four goals to ensure IT maps seamlessly with business needs; Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.

Governance – a set of management directives to ensure strategic direction, objective accomplishments, risk management, and appropriate use of enterprise resources.
Organization for Economic Co-operation and Development (OECD) – an international group assisting governments with economic, social, and governance challenges worldwide.

Project Sizing – a pre risk analysis documentation of the scope of the project.
Failure Modes and Effect Analysis (FMEA) – an assessment of manufacturing defects.
Fault Tree Analysis (FTA) – analytical approach to detect failures and system safety within a complex environment.
Quantitative Risk Analysis – a monetary determination of risk.
Qualitative Risk Analysis – a scaled intrinsic value assigned to a level of risk, such as 1-5 or high, medium, and low.
Delphi Technique – an anonymously communicated group decision.
Single Loss Expectancy (SLE) – amount that could be lost if a threat is executed upon, such as the value of data, cost to replace data, and potential opportunities missed.

Risk Analysis is performed to balance the economic impact of risk and the cost of the safeguards.

Risk Analysis Formulas

Total Risk = Threats X Vulnerability X Asset Value
Residual Risk = (Threats X Vulnerability X Asset Value) X Controls Gap
Annual Loss Expectancy (ALE) = Single Loss Expectancy X frequency per year

More CISSP Study Sheets and other CISSP resources.

Fake Security Software Websites Exposed

Fake Websites Exposed

Dancho Danchev’s Computer Security blog has been releasing consistent posts revealing fake websites on a number of topics. This information is invaluable to identify fake sites claiming to offer a legitimate service or product. In reality, a fake website is either mimicking the template of a genuine company’s webpages, or creating professional looking sites that run malicious code in the background infecting a visitor’s system.

A Diverse Portfolio of Fake Security Software

In this series, Dancho exposes domains, such as antivirus-scanonline.com, xpantivirus.com and other URLs all parked on a few suspect IP addresses. He followed up this post with two more entries found here and here.

Barack Obama Denied National Security Clearance

Barack Obama cannot be Trusted with Classified Information

How can the President of the United States be denied a basic security clearance? How can the Commander in Chief of the most powerful military be denied access to classified information? Barack Obama would be denied the necessary security clearance for President if he were held to the same standard as everyone else. If you can’t pass a Secret level background investigation, which is required for many soldiers, you should not be eligible for the Presidency.

What is a Security Clearance?

Having served in the U.S. military, law enforcement, and as a civilian government contractor, I’ve had my fair share of background investigations. The United States government employs a multitier security clearance paradigm.

Confidential – Unauthorized disclosure could cause “damage to national security.”
Secret – Unauthorized disclosure could cause “serious damage to national security.”
Top Secret – Unauthorized disclosure could cause “exceptionally grave damage to national security.”

Each level of access requires a progressively more in-depth background investigation before the clearance is obtained. The President of the United States should be able to flawlessly pass the most extensive investigation and a polygraph test. Both are required for workers in some Special Access Programs classified Top Secret.

The purpose of the clearance is to determine an individual’s honesty, trustworthiness, reliability, financial responsibility, criminal activity, emotional stability, foreign influences, family associations, drug use, mental health, judicial proceedings, employment history, traits of character, and loyalty to the United States. This collective data is used to evaluate your ability and willingness to safeguard national secrets. Based on the facts about Barack Obama, he fails to satisfy the minimum requirements for even a basic secret clearance. His background investigation would have “Red Flags” shooting up in so many places; the issuing panel would deny him a clearance outright.

Obama’s Answers on the Security Clearance Application

Instead of going through all the Security Clearance Application questions, I’ll examine the questions that would deny Barack Obama a Secret Clearance.

List foreign national relatives whom you or your spouse are bound by affection, obligation, or close and continuing contact.

Barack Hussein Obama, Sr. of Kenya, and Lolo Soetoro, the Indonesian oil manager his mother married. These two foreign relatives would probably initiate a Defensive Security Services or Department of Defense investigation that would take roughly a year to explore. I’m not sure how many degrees of separation are involved, but Obama Sr. and Soetoro’s associations are not friendly to the United States. However, they are not the primary concern.

Barack Obama’s brother, his kin Abongo Obama, is a militant Muslim who has been quoted saying, “A black man must liberate himself from the poisons of European cultures and western values.” Obama’s paternal cousin, Raila Odinga is also a Muslim extremist who recently lost the Kenyan Presidential election to a Christian. How can such relations exist between the President of the United States and radical Muslims?

Have you ever been an officer or a member or made a contribution to an organization dedicated to the violent overthrow of the United States Government and which engages in illegal activities to that end, knowing that the organization engages in such activities with the specific intent to further such activities?

Have you ever knowingly engaged in any acts or activities designed to overthrow the United States Government by force?

These two questions go hand in hand. Having gone through the interview phase of the clearance process a number of times, I can’t imagine the look on the face of the investigator nor the sheer amount of time it would take to explain Barack Obama’s anti American ties.

Sen. Barack Obama served as a paid director alongside a confessed domestic terrorist and granted funding to a controversial Arab group that dubbed the creation of Israel as a “catastrophe.” The founder of the Arab group in question, Columbia University professor Rashid Khalidi, also has held a fundraiser for Obama. Khalidi is a harsh critic of Israel, has made statements supportive of Palestinian terror and reportedly has worked on behalf of the Palestine Liberation Organization while it was involved in anti western terrorism.

Barack Obama also served on the Wood’s Fund board with William Ayers, a member of the Weathermen terrorist group which sought the overthrow of the U.S. government and took responsibility for the bombings of New York City Police Headquarters in 1970, of the Capitol building in 1971, and the Pentagon in 1972. Bill Ayers has killed hundreds of civilians, police officers, and was recently quoted saying, “I don’t regret setting bombs, I feel we didn’t do enough.”

I would deny a security clearance for anybody that even shook these men’s hands, never mind launching a campaign from Ayers’s living room.

Have you illegally used any controlled substance, for example, marijuana, cocaine, crack cocaine, hashish, narcotics (opium, morphine, codeine, heroin, etc.), amphetamines, depressants (barbiturates, methaqualone, tranquilizers, etc.), hallucinogenics (LSD, PCP, etc.), or prescription drugs?

Barack Obama has specifically admitted to using marijuana and cocaine in his book “Dreams From My Father.” He even confesses pursuing heroin, but was scared of the drug dealer. A clearance question such as this is used to test someone’s ethical fortitude to stand up for what is right, legally forbidden, and ultimately make correct decisions. Obama fails this test with his weakness to deny temptation.

Would anyone question your honesty?

Obama’s lies regarding his recollection of policies supported and the reality of what he actually did endorse are too numerous to count. However, these lies are unfortunately common in today’s politics. An article written in a conservative blog has outlined 26 more personal deceptions Obama has made to the American people. How can anyone trust this guy with confidence?

Barack Obama’s Patriotism and National Security

Obama during National Anthem

Although not a question on the Security Clearance application, “Are you a Patriotic American” should be.

The National Anthem is playing and Barack Obama is the only person on the stage not inclined to put their hand over their heart. The hand over the heart is symbolic of your respect and love for your country. Of all people, the President of the United States must be the most devout patriot in the nation. If you are not a patriot, how are you to provide unconditional national security? Three other instances come to mind that have me question how loyal he is to the U.S. and if he even loves this country.

Reverend Jeremiah Wright
I bet most of us have heard about Reverend Jeremiah Wright’s radical anti American preaching and Barack Obama’s consistent attendance of this man’s sermons, but did you know Reverend Wright officiated Barack and Michelle’s wedding and even baptized their kids? It appears to me that Wright is a significantly influential person in the Obama family’s life. Do we want a President who has been barraged and apparently supports their religious leader’s lectures containing anti American propaganda, such as…

“We bombed Hiroshima, we bombed Nagasaki, and we nuked far more than the thousands in New York and the Pentagon, and we never batted an eye.”

“We have supported state terrorism against the Palestinians and black South Africans, and now we are indignant because the stuff we have done overseas is now brought right back to our own front yards. America’s chickens are coming home to roost.”

“The government gives them the drugs, builds bigger prisons, passes a three strike law and then wants us to sing ‘God Bless America.’ No, no, no, God damn America, that’s in the Bible for killing innocent people. God damn America for treating our citizens as less than human. God damn America for as long as she acts like she is God and she is supreme.”

“In the 21st century, white America got a wake-up call after 911. White America and the western world came to realize that people of color had not gone away, faded into the woodwork or just ‘disappeared’ as the Great White West kept on its merry way of ignoring black concerns.”

“Racism is how this country was founded and how this country is still run!…We [in the U.S.] believe in white supremacy and black inferiority and believe it more than we believe in God.”

“Barack knows what it means living in a country and a culture that is controlled by rich white people. Hillary would never know that. Hillary ain’t never been called a nigger. Hillary has never had a people defined as a non-person.”

“Hillary is married to Bill, and Bill has been good to us. No he ain’t! Bill did us, just like he did Monica Lewinsky. He was riding dirty.”

“The Israelis have illegally occupied Palestinian territories for over 40 years now. Divestment has now hit the table again as a strategy to wake the business community and wake up Americans concerning the injustice and the racism under which the Palestinians have lived because of Zionism.”

“God Damn America”

- Reverend Jeremiah Wright

I don’t care that Obama now condemns Wright’s remarks. He never denounced the man before, and continued to attend Wright’s church for over 20 years.

Michelle Obama
The person you marry is your closest confidant and Barack Obama has recently said that Michelle is one of the people he listens to and respects the most. Michelle has been quoted saying, “Our souls are broken in this nation”; “For the first time in my adult life, I am proud of my country”; and “…as a member of the black community, I am obligated to this community and will utilize all of my present and future resources to benefit the black community first and foremost” to name a few. As a President’s closest adviser and the country’s first lady, take pride in how far this nation has come, and work toward the benefit of all not just your ethnicity. Can this woman, with such animosity toward ancestral shortcomings, come into the present and forget about skin color? Isn’t that what Martin Luther King Jr. meant by, “…all men are created equal” and “…not be judged by the color of their skin but by the content of their character?” Michelle’s narrow vision, obvious unwillingness to conform to unity and equality, and her desire to benefit the black community instead of the community at large is not first lady material.

Not visiting the troops
As a former enlisted soldier having been deployed twice and a current government contractor, Obama’s recent neglect to visit our country’s courageous troops is insulting. He had time to woo German citizens and play basketball, but opted out of supporting wounded soldiers. Retired Lt. Col. Joe Reypya had me nodding in approval when commenting on Obama’s decision, “The most solemn duty of a commander in chief is to fulfill his responsibility to the men and women who serve this country in uniform. Barack Obama … broke that commitment, instead flitting from one European capital to the next…For a young man so apt at playing President, Barack Obama badly misjudged the important demands of the office he seeks. Visits with world leaders and speeches to cheering Europeans shouldn’t be a substitute for comforting injured American heroes.”

I could go on and on about how this man is not fit for office, but my point in this post is to express my opinion that the potential Commander in Chief of the United States could not receive a National Security Clearance to even hold a low level intelligence position within the government. How can he be President? Better yet, how is he even a Senator?

I’d like to get others’ opinions on this so please Digg.


Selling Used Computers Identity Theft Concerns

Selling a Used Computer and Identity Theft

Identity Theft is the fastest growing crime over the last few years. The amount of data stored on computer systems is an ideal repository for criminals to attempt identity theft. When someone either discards or sells a used computer system, hard drive, or external storage device most people do not appropriately sanitize the media, but rather delete or format a disk falsely believing all the data is gone.

A friend of mine recently bought a new fancy rig costing $2,000 or so. When I asked him what he did with his old system, he said he sold it on craigslist for $550 to help fund the new purchase. “Did you put in a new hard drive?” “No, but I reformatted it.”

There is a misconception among those unfamiliar with the inner workings of computers that deleting files and formatting hard drives removes data completely. Think back and try to remember all the files you deleted over the past 10 years. Did you ever delete financial data, such as accounting spreadsheets, bank numbers, credit card data, or personal information? How about scanned documents, such as mortgage paperwork, driver’s licenses, birth certificates, or pay stubs? What happened to those computers or hard drives from which you think you deleted those files? Did you sell the PC like my friend, donate it to an organization, or just throw it away? Who has used that computer since, and what may they have found? These are all important and scary questions.

I recall a thesis paper written by some graduate students from the Massachusetts Institute of Technology that outlined this very threat. They had purchased 150 or so used hard drives from eBay to study how much personal data was left on old systems. They reportedly found medical records, email correspondence, corporate financial data, illicit personal photographs, thousands of credit card numbers, and even an ATM drive with numerous bank accounts. This is a very real concern for every computer owner, especially my friend now that the system is out of his possession.

What Deleting and Formatting Really Does

I proceeded to give my friend a little education on how computers store information and what deleting and formatting actually does. Basically, the hard drive is broken down into sectors in which the data is stored. In the figure below, suppose File A is a Tax return for 2007. 2008 comes around and you delete 2007’s record and the file appears gone. All that has happened is the Operating System (OS) has marked those sectors as available and removed the file from the user’s view. It is still easily recoverable through a variety of software. The file still exists and is in just as good shape as before you deleted it.

[Figure: sectors]

When space is needed the Operating System will then overwrite the sector with a new file. Perhaps, 2008’s Tax return isn’t as large as 2007’s, and the OS decides to use Sector 1 and 2 to store the data. 2007 (File A) has now been overwritten, but part of Sector 2 was not needed. This extra space is called “Slack Space,” and still retains part of the deleted file. Again, this information is recoverable.

Because my friend decided to format the drive, he figured all the information on the drive was inaccessible regardless. In reality, formatting only redefines the hard drive’s characteristics to store information. The data is still physically embedded on the media and recoverable with simple tools, such as MediaRECOVER. This software even allows for the overwrite sanitization technique I explain below.

How to Really Erase Hard Drives

What needs to happen to totally remove the data yet keep the drive functioning is repetitive overwriting. This should be done multiple times. As an analogy, say your child writes his name with permanent marker on the living room wall. You take some leftover paint and coat the area, but after it dries the writing is still visible. This is called residual data. The same applies with overwriting as a technique to sanitize your computer drives. You’ll need multiple coats or overwrites to sufficiently mask what was originally written. Tools such as WipeDrive will overwrite all addressable sectors with random characters, eliminating the slack space and the residual data. WipeDrive is a U.S. Department of Defense approved software solution to sanitizing hard disks. It is relatively inexpensive in comparison to its features and protections.
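The delete, slack space, format and overwrite behaviour described in the two sections above can be reproduced on a toy disk. This is an added example, not code from the original post: `ToyDisk`, the 32-byte sector size and the tax-return strings are constructed for illustration, and the model is far simpler than a real file system.

```python
import os

SECTOR_SIZE = 32  # toy value (assumption); real disks use 512 or 4096 bytes

# Constructed sample data: File A (2007 return) and a shorter 2008 return.
TAX_2007 = (b"2007 TAX RETURN|wages=52000|refund=1200|"
            b"SSN=123-45-6789|bank=000111222333|end")
TAX_2008 = b"2008 TAX RETURN|wages=54000|refund=900|"
SECRET = b"123-45-6789"


class ToyDisk:
    """Raw sectors (the media) plus the OS bookkeeping that sits on top."""

    def __init__(self, sectors=8):
        self.raw = bytearray(sectors * SECTOR_SIZE)  # what is physically stored
        self.directory = {}                          # name -> (sectors, length)
        self.free = list(range(sectors))             # sectors the OS may reuse

    def write_file(self, name, data):
        needed = -(-len(data) // SECTOR_SIZE)        # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        self.free.sort()
        used, self.free = self.free[:needed], self.free[needed:]
        for i, sector in enumerate(used):
            chunk = data[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
            start = sector * SECTOR_SIZE
            # Only len(chunk) bytes are written; the rest of the sector
            # keeps whatever was there before (the slack space).
            self.raw[start:start + len(chunk)] = chunk
        self.directory[name] = (used, len(data))

    def read_file(self, name):
        sectors, length = self.directory[name]
        data = b"".join(bytes(self.raw[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE])
                        for s in sectors)
        return data[:length]

    def delete_file(self, name):
        # Deleting only drops the directory entry and frees the sectors.
        sectors, _ = self.directory.pop(name)
        self.free.extend(sectors)

    def quick_format(self):
        # Formatting resets the bookkeeping; the media is not touched.
        self.directory.clear()
        self.free = list(range(len(self.raw) // SECTOR_SIZE))

    def slack(self, name):
        """Bytes in the file's last sector that lie beyond the file's end."""
        sectors, length = self.directory[name]
        used_in_last = length % SECTOR_SIZE
        if used_in_last == 0:
            return b""
        start = sectors[-1] * SECTOR_SIZE
        return bytes(self.raw[start + used_in_last:start + SECTOR_SIZE])

    def overwrite_all(self, passes=3):
        # Sanitization: every addressable sector gets random bytes, repeatedly.
        for _ in range(passes):
            self.raw[:] = os.urandom(len(self.raw))
        self.quick_format()


def on_media(disk, needle):
    """True if the byte string can still be found by scanning the raw media."""
    return needle in bytes(disk.raw)


def run_scenario():
    disk = ToyDisk()
    result = {}
    disk.write_file("tax2007", TAX_2007)
    disk.delete_file("tax2007")
    result["listed_after_delete"] = "tax2007" in disk.directory
    result["recoverable_after_delete"] = on_media(disk, TAX_2007)

    disk.write_file("tax2008", TAX_2008)     # reuses the first two sectors
    result["slack"] = disk.slack("tax2008")  # leftover bytes of the 2007 file

    disk.quick_format()
    result["recoverable_after_format"] = on_media(disk, SECRET)

    disk.overwrite_all(passes=3)
    result["recoverable_after_wipe"] = on_media(disk, SECRET)
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```
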

If you are going to donate, sell, or dispose of your computer be sure to appropriately safeguard your private information by using some sort of sanitization method. You don’t want to be a victim to evil folks who actually purchase used computers for just this purpose.


Best CISSP Study Resources

CISSP Study Materials

I was recently required by the United States Department of Defense (DoD) to cram for the ISC2 Certified Information Systems Security Professional certification or CISSP. The company I work for graciously sent me to a Common Body of Knowledge (CBK) Seminar and paid the testing fee. As far as certifications go, the CISSP is by far the most sought after and reputable credential in the Information Security field. I had planned on taking the exam in the next couple of years, but a DoD directive has put a time constraint on me.

There is plenty I could write about the CISSP, but for this post I’ll share with you the study materials that have best prepared me for passing the exam. You could be in this field for 30 years and still not pass the exam. There are 10 domains of knowledge relating to all aspects of security that you must know in depth before you are ready.

My Top 3 Study Recommendations for the CISSP

CISSP Certification All-in-One Exam Guide, 4th Ed. (All-in-One) – Considered by many as the premier book geared toward teaching you what is required to pass the exam. The All in One Exam Guide is the highest rated book on Amazon and my instructor at my CBK seminar even recommended it. Included is an excellent disc of practice tests for question drilling, which helped me the most.

Official (ISC)2 Guide to the CISSP CBK ((Isc)2 Press Series) – The only officially sanctioned resource offering a compendium of the Common Bodies of Knowledge by the governing body of the CISSP certification. Remember, the answers on the test are what they are looking for and not another’s interpretation or practice. Going with an official source is always recommended.

www.CCCure.org – a massive collection of CISSP practice questions. You can choose from which domain(s) you wish the questions generated, the relevancy of the questions, and the difficulty. The site allows you to choose the number of questions you wish to try and a timer to judge your speed. Upon completion of a question you can check your answer and see a detailed description of why the answer is correct. Again, question drilling is my favored way of learning.

If anyone else knows of valid, recent, and accurate CISSP study resources, please comment.

Continuing On

It has been almost 2 months since my last post and for that I apologize. Anyone in the field will know that there are periods of straight out high priority projects, and times when days are mostly responsive. There are just not enough hours in the day. Anyhow, I had an article about 75% complete before the onslaught of work. You can expect this soon.

Night out with the Boys Permission Slip

A coworker of mine just sent me a hysterical application form that asks your significant other (in this case female) permission for a night out with the boys. I just had to share this with everyone as it brightened my day in an altogether busy week.

Permission Slip

Series: Do Not Fall Victim to Internet Auction Fraud

Series: Do Not Fall Victim to Internet Scams
Entry 1: Auction Fraud Prevention

In 2007, the Internet Crime Complaint Center (IC3) received 219,553 complaints that totaled $239,090,000 in financial losses. The average loss per complaint is around a thousand dollars. That is a mortgage payment, two months of groceries, or even a week of gas (soon enough anyhow). Now take into consideration the reports of other agencies and all instances that go unreported and you have an enormous amount of e-commerce dollars being stolen yearly. According to the 2007 IC3 Report, Auction Fraud and Non-Delivery Fraud make up over 60% of all e-commerce crimes.

[Figure: From the IC3 2007 Report]

If I could have educated just one percent of the victims reporting auction or non-delivery schemes to IC3, I would have prevented almost a million and a half dollars from being unlawfully taken. This is one of the reasons I have created this blog. The best contribution I can make is educating the public. If that makes the smallest difference in preventing computer crimes, I have done my job. This will be my first entry in a series titled “Do Not Fall Victim to Internet Scams” that will explore each of IC3’s top 10 internet crimes.

What is Auction Fraud?

Internet auctions are big business within the e-commerce marketplace, and as such make up the largest amount of reported complaints. Websites, such as eBay and Yahoo Auctions, complete millions of transactions a day by allowing anyone to post an auction. Although convenient, the anonymity of these sales requires buyers to be ever vigilant of auction scams.

Auction Fraud Example
I read an article a while back by Bob Sullivan for MSNBC which details how a man in South Salt Lake, Utah, masterminded one of the largest eBay fraud schemes in the history of the website. He victimized close to one thousand people, and received roughly $1 million in a matter of weeks. He owned a company called Liquidation Universe and sold laptops exclusively on eBay. After masquerading as a legitimate business for nearly 6 months, the company stopped shipping merchandise to buyers. Many of the victims were lured into a false sense of security due to a SquareTrade $1,000 protection logo. The assumption was that the buyer was guaranteed, up to $1,000, not to get scammed by this seller. However, on SquareTrade’s website the terms of service state that the $1,000 is allocated per seller, not buyer. Therefore, the victims are entitled to approximately a “buck” a piece. The example shows how even legitimate businesses, with promises of security, still need to be thoroughly researched before sending payment.

Protect yourself from Auction Fraud

There are a few symptoms to watch out for when attempting to discover a fraudulent internet auction.

  • An extremely new account, with no feedback history, should be treated with extreme caution.
  • A negative user rating indicates that other buyers and sellers dislike the business practices of an individual or company.
  • Auctions that require payment by any other means than credit card or Paypal should be avoided, especially if the seller requests payment be sent to a P.O. Box.

Some preventative measures are taken by the auction sites themselves, but the authenticity of an auction still requires some work on the part of the buyer.

  • Ensure the auction site is legitimate and has a secure payment process. On any website that you are entering sensitive information, ensure that the site has an SSL Certificate. Double click the icon in the bottom right of your browser window to see the Certification Authority.
  • Attain a clear understanding of the obligations of the buyer and the seller, as set forth in the auction details, to alleviate any confusion.
  • Read the policy of the hosting website, and only participate in an auction if they are in full compliance.
  • Research the seller’s feedback history, and check with the Better Business Bureau if they are a legitimate company.
  • Scrutinize the shipping procedure, the return policy, and how the payment transaction is supposed to occur.
  • If you are purchasing something fragile or highly valuable, it may be worth purchasing insurance on the item.
  • International sales aren’t governed fully by United States laws, and should be thoroughly researched before doing business.
  • Offer only information pertinent to completing the deal, i.e., a social security number is never needed.
  • I can’t stress this enough, use common sense. If something looks suspicious, smells suspicious, and tastes suspicious, avoid it completely. It is not worth the risk.
  • And one more cliché for you, “If a deal looks too good to be true, it probably is.”

Free Auction Fraud Prevention Tool
If you can’t be bothered to spend your time researching each and every auction, there is a FREE software tool for Windows and Mac users that screens for over 200 signs of auction fraud called Auction Inquisitor. It will examine user feedback, auction history, and a number of other factors. The system operates on best guess assumptions by flagging suspicious activity. However, it cannot identify definitively if the seller is a scammer. The tool basically does the legwork for you and presents the information in a simple report.

Reporting Auction Fraud

Victims of internet auction fraud and scams should immediately contact their local and state police departments. Complaints ought to be filed with the auction company, the Internet Crime Complaint Center, the National Fraud Information Center, the Better Business Bureau, and if possible, the law enforcement agencies at the perpetrator’s location. Internet auction frauds are tough to identify, but utilizing the preventative methods described herein is a step toward eliminating the chances of being victimized. As technology develops and consumers achieve a better understanding of the online marketplace, auction fraud will become less costly in the future.

Check back soon for Entry 2 of the Series, “Do Not Fall Victim to Internet Non Delivery Scams”

Computer Security Discounts and Coupons

Since the start of this blog, I have received affiliate offers for a number of security related products. However, I will not recommend a product or service lightly. You may find a couple links within a few articles that will send you to a product relevant to the topic, but I may not have personal experience with it. Keep in mind, these links are not recommendations per se, but rather a portal for you to explore your options and gather more information.

If I seriously recommend or despise a piece of hardware, a software package, or a service of some sort, it will be clearly stated in an article. I have also created a reviews category to facilitate expressing my opinion, either negative or positive, of anything pertinent to this blog.

With that said, a few of these affiliate companies are allowing me to offer certain products at a discounted price. Others are giving me affiliate coupons to share with you. I don’t want to pass up the opportunity for my readers to save on computer security related purchases. Therefore, I have created a “Discounts & Coupons” menu item to display (what I consider) the best deals I’m permitted to offer.

These deals will change quite frequently as the sales and coupons expire. You’re more than welcome to bookmark this page and check back when your current security product is outdated. If you would like me to search for a specific discounted product for you, don’t hesitate to comment below and ask.

Setup a Secure Wireless Network at Home

Setup a Secure Wireless Network

Creating a secure wireless network at home is more significant than many realize. Safeguarding the various amounts of personal data stored on home PCs should be of utmost concern. I’ve driven around my neighborhood and found numerous unsecure wireless access points. If I wanted to, I could have waltzed into their network and acquired any unsecured data and transmissions. Instead, I notified the owner of the vulnerability. It is amazing how oblivious the masses are to wireless security. Hence, this article.

What needs to happen in a nutshell: purchasing the right hardware, appropriately configuring the wireless access point, installing beneficial software, setting up operating system security, and smart computer usage.

What is a Wireless Network?

A Wireless Local Area Network, or WLAN, is the linking of two or more computers without the use of a wired connection. The popularity of “going wireless” and the use of laptops is growing in both business and home networks. Avoiding the aggravation and mess that Ethernet cables and massive desktops create is an obvious benefit of installing a wireless network over a traditional LAN. Setting up a wireless infrastructure is also less physically and logistically demanding. However, with wireless flexibility comes a price.

The problem with wireless
Wired networks have a few characteristics that are advantageous over the WLAN. Wired technology, such as cables, hubs, and switches, has been in development for much longer than its wireless counterparts. Therefore, traditional Ethernet connected networks are more reliable, faster, and more secure. Unfortunately, Wireless LANs also suffer from interference from various home appliances. Technology in the wireless family is ever improving, and will at some point rival the performance, dependability, and security of wired devices. Regardless of wireless’ shortcomings, mobility and the absence of cables may be more important to some.

Wireless network technology
Before I get into how to properly secure a wireless network, I would like to explain the technology just a bit. The three popular standards for wireless communications are IEEE 802.11a, 802.11b, and 802.11g, commonly referred to as Wi-Fi. 802.11a transfers data up to 54 Mbps at a frequency of 5 GHz, is the most expensive, and is utilized by businesses more so than home users. 802.11b can only reach a data transfer of 11 Mbps at a frequency of 2.4 GHz, is more affordable, and used to be seen in home networks quite frequently. The newer wireless standard is 802.11g, which is an extension of 802.11b but allows for a 54 Mbps data transfer rate.

An important security concern for wireless networks is that 802.11b and 802.11g both transmit over the unlicensed radio spectrum of 2.4 GHz. The signal can be intercepted hundreds of feet away, giving neighbors and anyone with enough desire a direct gateway into your network. To protect the gateway and secure your machines, multilevel security measures have to be implemented. However, there are currently a variety of standards in development that are attempting to improve upon the security of wireless technology.

Wireless Needs
Assessing the needs of your wireless network is an important part of choosing the right equipment. Any wireless infrastructure requires a wireless Network Interface Card and a Wireless Access Point with the same standard, such as 802.11g. I do not suggest connecting systems Ad-Hoc; they are void of the protections offered by routing devices. Security concerns can be addressed with correct configuration of access points, firewalls, authentication requirements, access permissions, and encryption techniques.

Many router manufacturers offer step by step installation instructions via documentation or software. The basic setup is the connection of the wireless access point (router) to your service provider’s modem. Follow the wizard’s directions and connect the computers to the network. Immediately update drivers for all devices, hardware, and the operating system. Below is an example of a router and price range.


How to Configure a Wireless Router

The wireless router requires configuring before any sense of security is available. The first thing you should do is place the wireless hub as close to the center of your house as possible. This will reduce the area of service outside the home. You want to keep your Wi-Fi broadcast radius to a minimum.

The next step should be to enable the wireless encryption, such as WEP or WPA. Wired Equivalent Privacy (WEP) encrypts traffic regardless of network protocol at the physical and data link layers. Unfortunately, the WEP encryption key is vulnerable to sniffing attacks. WPA is the newest encryption system implemented with the latest wireless standard 802.11i. WPA can utilize a pre-shared key mode where encryption keys are automatically changed and authenticated between devices after a specified period of time, or after a specified number of packets has been transmitted. Encryption is a key element of a multilayered defense.

Many wireless access points broadcast their Service Set Identifier (SSID) to allow for roaming connections. A home network has little use for this feature, and it should be disabled. It is also advised to change the default network name and password. Turning off broadcasting will hide the SSID from unauthorized users without powerful scanning software.

Disabling the Dynamic Host Configuration Protocol (DHCP) would add another layer of protection. By manually assigning IP addresses you eliminate the router’s ability to indiscriminately distribute IP addresses. Unfortunately, all the systems on the network now need their TCP/IP settings entered manually. See your operating system’s and wireless router’s manuals for how to perform these steps.

Additional Wireless Security Measures

Firewalls
Another component of the wireless access point should be a firewall. A Firewall is software built into a device that runs on at least one network interface. The firewall’s rule base determines what data is to be transmitted. Various rules can be configured, with appropriate syntax, to suit the user’s needs. To allow access to private machines the user will need to enable port forwarding on the network address translation (NAT) and define in the firewall’s rule set what IP addresses are allowed access. Devices containing firewalls built for homes are customarily user friendly with step by step manuals. Each is different, so please refer to the manufacturer’s instructions for specifics.

Microsoft has released a Windows Firewall with XP’s service pack 2 for persons without routers containing firewall protection. Microsoft’s firewall is fairly simple to set up. Configuring access exceptions to programs, user defined inbound traffic, and identifying local systems are easy. Microsoft even incorporated a wizard for file sharing and other settings making security for the “non-techie” achievable. However, I recommend a more robust solution, such as the firewalls included in complete security packages or even a cheap third party stand alone firewall.

Access Control List
Home networks are small enough to create a MAC access control list. A MAC address is the unique identifier attached to each network card. Enabling MAC ID filtering will create a list of approved systems which have access to the network. To locate the MAC address type ipconfig /all in the command prompt. Add the resulting displayed physical address into the MAC ID access list. This will help prevent users with unauthorized MAC addresses from entering the network.

AntiVirus
After the wireless access point is properly configured, a few basic measures should be taken on the attached systems. Security has many facets, two of which are the need to prevent unauthorized access and the need to support authorized access. The installation of antivirus software is an integral part of protecting users from the multitude of malicious software that is constantly traversing the internet. The software should be from a reputable company, automatically updated, and able to clean or quarantine infections. It should also scan stored files, random access memory, removable media, e-mail, and web transmissions. You could go with the popular but expensive brand name Symantec Norton AntiVirus, try discount versions MacroVirus or Custodia, or attempt to manage a free solution, such as AVG.

User Accounts
Administrative and user account security needs to be considered. Many home networks are connected to the internet through a constant broadband connection. Users should define strong passwords to protect their accounts. Unneeded protocols, applications, and services should be disabled or uninstalled to limit unnecessary exposure to threats. The automatic launching of programming languages, such as Java, JavaScript, and Active X, should be turned off in the web browser and email client’s settings. Due to the storing of logon and email information, the disabling of cookies is also recommended. Customized security restrictions are configured in Internet Explorer through the use of the internet options menu, where websites can be categorized and prohibited at the user’s discretion. I have written up a tutorial on the proper way to configure user accounts for Windows XP Home. Regardless of which version of Windows you are operating, the steps are fairly similar. See the secure user accounts walkthrough for specifics.

Additional considerations should be taken if security is a high priority. Email encryption may be important to some, especially individuals working at home. You may consider using Pretty Good Privacy (PGP) which uses both symmetric and asymmetric encryption. SC Magazine recently rated PGP’s Whole Disk Encryption the "Easiest to Install" and a "Best Buy." Also, implementing a system auditing or intrusion detection system is important, otherwise intrusions may go unnoticed.

I also recommend disabling file and print sharing if you don’t need it. If you are only using the wireless technology for a roaming internet connection and don’t intend to share files with other systems on the network, follow Microsoft’s instructions below.

To configure a network to safely share files and printers on a network adapter exposed to the Internet, unbind File and Printer sharing to TCP/IP binding to the exposed adapter:

  1. Click Start, point to Settings, click Control Panel, and then double-click Network.
  2. Click TCP/IP->Network adapter, click Properties, and then click the Bindings tab.
  3. Click to clear the File and Printer Sharing check box, click OK, and then click OK. Restart your computer.
  4. Install NetBEUI. Click Start, point to Settings, click Control Panel, and then double-click Network.
  5. Click Add, click Protocol, under Manufacturers, click Microsoft and then double-click NetBEUI.
  6. Click OK to restart your computer.

These procedures should be repeated on computers that need to share files or obtain access to shared files but whose adapter is exposed to the Internet.

Regardless of how many security tactics are employed, no network is flawlessly safe from intrusion. Therefore, intelligent browsing of the internet and smart email management are of utmost importance.

- Do not linger on shady websites
- Download content from reputable sources only
- Do not open mail from an unfamiliar address
- Be wary of all attachments
- Basically, use common sense

I’ve previously written an article about phishing scams if you wish to expand your awareness of the internet’s fraudulent activity. If you have any questions, feel free to comment.