
Training, Teaching and Learning Materials Development Lo1

Under
Ethiopian TVET-System
Maychew Poly Technical College
HARDWARE AND NETWORK SERVICING
Level-III

LEARNING GUIDE # 15
Unit of Competence: Monitor and Administer System and Network Security
Module Title: Monitoring and Administering System and Network Security
LG Code: ICT HNS3 M05 LO1
TTLM Code: ICT HNS3 TTLM 0817

LO 1: ENSURE USER ACCOUNTS ARE CONTROLLED

Learning guide 15 Date 02-05-2018 Page 1 of 47


Author: IT Experts
Information sheet one: User Access
You’ve probably heard someone say that the most secure system is the one that has no users! It is probably
also one of the most useless systems. We do want our users to access the system; it’s just that we want them
to have the appropriate access.
The control of user access can take many forms and apply at several levels. Once a computer is physically
accessed, the user usually logs on to gain access to applications. These applications will access data in files
and folders.
We can simplify the process down to three things:
 Physical access: who can physically reach the computer or the network equipment.
 Authentication: verification of a claimed identity.
 Authorization: what an authenticated user is permitted to see or do.
Physical access
The first layer of management and security is the physical access to the computer. To prevent unauthorized
access, a company may make use of:
 locks on the front doors
 locks on each floor
 locks on offices, etc
 Security guards
 Cameras
 key locks on the computers themselves.
Only those who have permission and keys will be able to access a computer on the company's premises. Systems
reachable over the Internet, however, cannot be protected this way because physical restrictions cannot be
imposed on remote users, so authentication and authorization have to carry the whole load.
Authentication
Authentication is the process of verifying the identity of people who are attempting to access the network or
system. Typically, users identify themselves to the system (by supplying a username) and are then required to
provide a second piece of information to prove that identity. This information must be something that only the
user knows, holds or can produce.
The most common method used to authenticate users is the username and password method. Using this
method a user identifies themselves with a username. They are then prompted for a password. The system
compares the combination of name and password with its records of configured users and, if they match, the
user is granted access. The system should store only a salted hash of each password, never the password
itself, so that a copy of the user database does not hand an attacker every password at once.
Other authentication methods include:
 Usernames with static passwords: the password stays the same until the user or the administrator changes it
(this is the common method described above).


 Usernames with dynamic (one-time) passwords: the password changes constantly, produced by a password
generator (a hardware token or an app) that is synchronized with the system through a shared secret and a
counter or clock.
 Other challenge-response systems: the system sends a challenge and the user must return the correct answer.
PINs, questions requiring particular answers, and tokens that sign the challenge all fall in this class.
 Certificate based: the user holds an electronic certificate, usually on a token, that has been digitally signed by
a trusted certificate authority, and proves possession of the matching private key. (Kerberos, often listed here,
is a ticket-based system built on shared secrets rather than on certificates, although it can use certificates for
the initial logon.)
 Physical devices: these include smartcards and biometrics. The check of the card or the biometric itself takes
place at the local workstation; in a domain the workstation still reports the result to the authentication server,
so this does not remove the need for one.
Whichever method is used is determined by organizational policy and security requirements.
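The two password schemes just described, as an added example (this code is not part of the original learning guide): a static password checked against a stored salted hash, and a dynamic one-time password produced by an RFC 4226/6238 HOTP/TOTP generator that the user's token and the server compute independently from a shared secret. The user store, the 20-byte secret (the RFC 4226 test secret) and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed user store for this example: username -> (salt, PBKDF2 hash).
# A real system stores exactly this kind of record and never the password.
USERS = {}
PBKDF2_ROUNDS = 200_000


def enrol_user(username, password):
    """Store a salted PBKDF2-HMAC-SHA256 hash of a static password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)


def verify_static_password(username, password):
    """Username + password check: recompute the hash with the stored salt and
    compare in constant time so timing does not leak how much of it matched."""
    record = USERS.get(username)
    if record is None:
        # Unknown user: still do the expensive hash so the response time does
        # not reveal whether the username exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: the 'password generator' behind dynamic passwords."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30):
    """RFC 6238 TOTP: HOTP driven by a 30-second clock shared by user and system."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step))


def verify_dynamic_password(secret, code, at_time=None, step=30, window=1):
    """Accept the current code or one step either side to tolerate clock drift."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // step)
    return any(hmac.compare_digest(hotp(secret, counter + d).encode(), code.encode())
               for d in range(-window, window + 1))


if __name__ == "__main__":
    enrol_user("alice", "correct horse battery")
    print(verify_static_password("alice", "correct horse battery"))  # True
    secret = b"12345678901234567890"  # RFC 4226 test secret, constructed input
    print(hotp(secret, 0), verify_dynamic_password(secret, totp(secret)))
```

Two points to notice: the server keeps only the salt and the hash, and the comparison uses hmac.compare_digest so a wrong password is rejected in the same time whatever its first characters are. For the dynamic password the window of one step either side is what lets the scheme tolerate small clock drift; a wider window weakens it.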
Identity Management
In large organizations there may be thousands of users for a network. These users could be employees,
contractors, partners, vendors and customers. Being able to identify and manage each of these users is most
important because each user has different requirements and levels of access.
This information is managed using either the Network Operating System, Directory Services or specialized
Identity Management Software. Essentially, all of these use a central repository or database that contains all
the user information and credentials. This presents a single location for all applications and services to use
when authenticating users as required.
Authorization
Once a user has been authenticated (that is, their identity validated) they are granted access to the network or
system. For the user then to access data or an application, or to execute some task or command, they need to
be authorized to do so. The authorization process determines what the user can do on the network. In other
words, it enforces the organization's policy as it applies to that user.
The Network and System administrators are responsible for the technical configuration of network operating
systems, directory services and applications. Part of the configuration includes security settings that
authorize user access. The administrators use an organizational policy to determine these settings.
User Account Configuration
Network and System Administrators are responsible for configuring user accounts. Network operating
systems and applications have many security options and settings relating to user access. How does an
administrator determine the configuration and settings for user accounts?

Organization policies and procedures provide the guidelines for administrators.


User Account Settings
The organization’s policies should make statements as to the degree of user control that is required. Network
procedures should contain details as to how these policies may be implemented. For example, the policy
may state that user passwords should not be less than six characters. The procedures will then describe how
the administrator should configure the operating system to ensure that all passwords are at least six
characters.
The administrator should review the policies to ensure that the procedures produce the desired outcomes.
The procedures should describe in detail how to make use of the operating system facilities to configure user
accounts in accordance with the security requirements.
The actual way you set these parameters will vary with each operating environment, however, here are some
basic parameters covered by most operating systems to consider when setting up user account options:
 Password requirements—whether a password is required, minimum length, complexity, needs to be
changed at intervals, etc


 Account lock out settings—disabling accounts that have made a number of bad logon attempts
 Access hours—the standard days and time that users will be permitted to access the network
 Account expiry dates—date when account will be disabled
 Logon restrictions—accounts can only be used at specified locations or workstations.
 Home directory information—a home directory is a folder, usually named after the user, over which that
user has full permissions and to which other users normally have no access.
 Logon scripts—these perform specific tasks or run specific programs when the user logs on
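As an added example (not code from the learning guide) of how the parameters above turn into logon-time checks, the following Python models an account record and evaluates the lockout, expiry, access-hours and workstation rules before a logon is allowed. The threshold of five bad attempts, the 07:00 to 19:00 weekday window and the six-character minimum are constructed policy values.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time as dtime
from typing import Optional

# Constructed policy values, mirroring the parameters listed in the text.
MIN_PASSWORD_LENGTH = 6
LOCKOUT_THRESHOLD = 5          # bad logon attempts before the account is disabled
ACCESS_DAYS = {0, 1, 2, 3, 4}  # Monday .. Friday
ACCESS_START = dtime(7, 0)
ACCESS_END = dtime(19, 0)


@dataclass
class Account:
    username: str
    expires: Optional[date] = None                   # account expiry date
    allowed_workstations: set = field(default_factory=set)  # empty set = any workstation
    home_directory: str = ""
    logon_script: str = ""
    failed_attempts: int = 0
    locked: bool = False


def check_password_policy(password):
    """Return the list of rules a new password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    return problems


def record_logon_attempt(account, success):
    """Account lockout: count consecutive failures, disable at the threshold."""
    if success:
        account.failed_attempts = 0
        return
    account.failed_attempts += 1
    if account.failed_attempts >= LOCKOUT_THRESHOLD:
        account.locked = True


def logon_allowed(account, now, workstation):
    """Evaluate lockout, expiry, access hours and workstation restriction.
    Returns (allowed, reason) so the reason can be logged and audited."""
    if account.locked:
        return False, "account locked after repeated bad logons"
    if account.expires is not None and now.date() > account.expires:
        return False, "account expired"
    if now.weekday() not in ACCESS_DAYS or not (ACCESS_START <= now.time() < ACCESS_END):
        return False, "outside permitted access hours"
    if account.allowed_workstations and workstation not in account.allowed_workstations:
        return False, f"logon not permitted from {workstation}"
    return True, "ok"


if __name__ == "__main__":
    acct = Account("bob", expires=date(2018, 12, 31), allowed_workstations={"WS-PAYROLL-01"})
    print(check_password_policy("abc"))
    print(logon_allowed(acct, datetime(2018, 5, 2, 9, 30), "WS-PAYROLL-01"))
```

The order of the checks matters: a locked or expired account is refused before hours or workstation are even considered, and the reason string goes to the audit log, not to the user, who should only ever see a generic failure.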
Configuring User Access
Once user account settings have been determined how do we know who should have accounts and what
access should be set?
Reflect: Configure user access
Before you read through the next section, think about who needs to be consulted in setting up user access.
User Authorizations
Once again, organizational policy and procedures provide the necessary information for the administrators.
There should be procedures in place that inform the appropriate people that a person requires a new user
account or changes to an existing account or a deletion of accounts. The notification procedure should cover
circumstances such as new employees joining the organization, employees changing positions in the
organization and employees leaving the organization. These notifications must come from authorized people
in the organization (managers, etc) as stated in the policy and procedures.
Notifications also need to specify what information, data, resources etc the account is permitted to access.
The request for access must be authorized by an appropriate person in the organization (usually department
managers). The access permissions for users should be carefully planned and determined in writing by
appropriate people who have the authority to allocate the access. Procedures should address:
o which managers can authorize a new user
o Standards for user id and passwords
o Groups that users can belong to and authority required for each group
o Basic accesses that all users are allowed
o Authorization requirements to access sensitive data
o Application accesses


o ability to install additional software


o email and Internet accesses
o Special accesses that may be required.

Reflect: User authorization


Take a look on the net for examples or tutorials about configuring user authorization. You may want to try
Microsoft (www.microsoft.com) or Linux (www.linux.org). You could also search for tutorials using Google
(www.google.com) with the phrase 'account creation procedure'.
Use of Groups
The most common way of administering access permissions is to create groups and put user accounts into
appropriate groups. The group is then permitted or denied access as required. Using groups is an efficient
way of managing authorization because you only need to set access permission to a group and not individual
accounts.
For example, a company may have thousands of users, but analysis of what those users want to do may show
that there are twenty or more different combinations of access permissions required. By assigning users to
groups and then allocating permissions to the group, the security administration is greatly simplified.
Once we have users allocated to groups we can explore other levels of controlling access. Allocating
permissions to folders and files is a major security provision of network operating systems and one that is
important to set up correctly. Can we go lower and look at the content of a specific file and restrict access
there?
The restriction of file access is most applicable in controlling access to database files.
For example, imagine a Payroll system using a database in which the data is stored in tables. These tables
have columns and rows of data. Let us think about two groups of user, the payroll department staff and the
manager of a department. The payroll groups are likely to be allowed full access to all the data although in a
very large organization there may be segregation of access.
But what about a department manager? This person may be allowed to see salary details for the staff that
work in the department only.
In the table containing salary details there may be a row for every employee in the organization. This means
that we only want to show this manager the rows that relate to the one department. This would be secured
with a filter that only displays staff in the department being examined.
Furthermore there may be information about an employee that even their manager may not be able to see,
such as medical or financial information. This information may be restricted by controlling the columns
returned in a report or query.
This type of security is really part of the application control rather than the network but it is still an important
part of the overall security of the system and needs to be addressed by the organizational procedures.
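The payroll example above, worked through in Python with the standard sqlite3 module as an added example (not code from the learning guide). The table, departments and figures are constructed. It shows the row filter and the column restriction applied through a database view and through a parameterised query, and, as the failure mode to watch for, the same filter built by string concatenation, which a crafted department value removes entirely.

```python
import sqlite3

# Constructed sample payroll data for this example.
EMPLOYEES = [
    # id, name, department, salary, medical_notes
    (1, "Abebe", "Finance", 9500, "asthma"),
    (2, "Hanna", "Finance", 8700, ""),
    (3, "Kebede", "IT", 8200, ""),
    (4, "Sara", "IT", 8800, "back injury"),
]


def build_payroll_db():
    """In-memory payroll database: one base table plus a view that applies both
    the row filter (department) and the column restriction (no medical_notes)
    for the Finance department's manager."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT, "
        "department TEXT, salary INTEGER, medical_notes TEXT)"
    )
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    # The administrator creates this view once. On a server DBMS the manager's
    # role is granted SELECT on the view and nothing at all on the base table.
    conn.execute(
        "CREATE VIEW finance_staff AS "
        "SELECT id, name, salary FROM employee WHERE department = 'Finance'"
    )
    conn.commit()
    return conn


def payroll_view(conn):
    """Payroll staff: every row and every column."""
    return conn.execute(
        "SELECT id, name, department, salary, medical_notes FROM employee ORDER BY id"
    ).fetchall()


def finance_manager_view(conn):
    """Finance manager: only the rows and columns the view exposes."""
    return conn.execute("SELECT id, name, salary FROM finance_staff ORDER BY id").fetchall()


def manager_view(conn, department):
    """The same restriction applied in application code for any department.
    The department must come from the manager's own account record, not from
    the request, and is bound as a parameter so it can only ever be data."""
    return conn.execute(
        "SELECT id, name, salary FROM employee WHERE department = ? ORDER BY id",
        (department,),
    ).fetchall()


def unsafe_manager_view(conn, department):
    """Deliberately broken: the filter is built by string concatenation, so a
    department value containing SQL removes the row restriction entirely."""
    return conn.execute(
        "SELECT id, name, salary FROM employee WHERE department = '"
        + department + "' ORDER BY id"
    ).fetchall()


if __name__ == "__main__":
    db = build_payroll_db()
    print(finance_manager_view(db))
    print(manager_view(db, "Finance' OR '1'='1"))         # []  filter intact
    print(unsafe_manager_view(db, "Finance' OR '1'='1"))  # all four rows
```

The view is the stronger control because the restriction lives in the database and applies to every client; the application-level filter only holds if every query path uses it, and only if the department value is bound as a parameter rather than pasted into the statement.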


Permissions and Rights


Permissions generally refer to file and directory access. A user account or group can be set with the
following types of permission:
o No access at all to files and directories
o Read only: contents may be viewed but not changed.
o Modify: the contents of files and directories may be viewed, changed or added to, but not deleted.
o Full Control (or Supervisory): files and directories can be viewed, modified and deleted, and on most
systems their permissions changed.
Rights (or privileges) generally refer to what a user account or group is allowed to do with the system itself
rather than with particular files. For example, a user account or group may be assigned administrator or
supervisor rights, meaning that the user can perform administration tasks such as creating, modifying or
deleting user accounts. Care must be taken with rights to ensure security is not compromised: a right to change
permissions or to act as administrator overrides any file permission, so such rights should be given to as few
accounts as possible.
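The group-based permissions described under 'Use of Groups' and the permission levels and rights described just above, as an added Python example (not code from the learning guide). Group names, folders and ACL entries are constructed. The resolution rules it uses (a folder inherits from the nearest ancestor that has an ACL, an explicit no-access entry wins over any grant, otherwise the highest grant applies) are the common ones, but the exact semantics differ between products and should be checked for the system in use.

```python
# Permission levels in ascending order, as described in the text: no access,
# read only, modify (view and change but not delete), full control.
NO_ACCESS, READ, MODIFY, FULL_CONTROL = 0, 1, 2, 3

# Constructed example data: group membership, folder ACLs and rights.
GROUP_MEMBERS = {
    "AllStaff": {"hanna", "abebe", "sara", "kebede"},
    "Payroll": {"hanna", "abebe"},
    "Managers": {"sara"},
    "Contractors": {"kebede"},
    "Administrators": {"abebe"},
}

# Each folder with an ACL maps group -> level. A folder without an ACL inherits
# from its nearest ancestor. An explicit NO_ACCESS entry is a deny and beats any
# grant the user receives through another group.
ACLS = {
    "/": {"AllStaff": READ},
    "/payroll": {"Payroll": MODIFY, "Managers": READ},
    "/payroll/archive": {"Payroll": FULL_CONTROL},
    "/public": {"AllStaff": MODIFY, "Contractors": NO_ACCESS},
}

# Rights (privileges) concern the system, not particular files.
GROUP_RIGHTS = {
    "Administrators": {"create_user", "delete_user", "change_permissions"},
    "Managers": {"approve_access_request"},
}


def groups_of(user):
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def governing_acl(path):
    """ACL of the folder itself, or of the nearest ancestor that has one."""
    parts = [p for p in path.split("/") if p]
    for depth in range(len(parts), -1, -1):
        candidate = "/" + "/".join(parts[:depth])
        if candidate in ACLS:
            return ACLS[candidate]
    return {}


def effective_access(user, path):
    """Combine the entries for every group the user belongs to: a deny wins,
    otherwise the highest grant applies, and no entry at all means no access."""
    groups = groups_of(user)
    levels = [lvl for g, lvl in governing_acl(path).items() if g in groups]
    if not levels or NO_ACCESS in levels:
        return NO_ACCESS
    return max(levels)


def can(user, path, operation):
    """Map an operation to the minimum level it needs and compare."""
    needed = {"read": READ, "write": MODIFY, "delete": FULL_CONTROL}[operation]
    return effective_access(user, path) >= needed


def has_right(user, right):
    """Rights are checked against group membership only, never against a path."""
    return any(right in GROUP_RIGHTS.get(g, set()) for g in groups_of(user))


if __name__ == "__main__":
    for user in ("hanna", "sara", "kebede"):
        print(user, [effective_access(user, p) for p in ("/", "/payroll", "/payroll/archive", "/public")])
```

Note how kebede, who gets Modify on /public through AllStaff, still ends up with no access there because the Contractors entry denies it: that is the behaviour that makes a deny entry the right tool for carving an exception out of a broad grant, and also the reason a stray deny can lock out people who should have access.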
Managing User Accounts
Once user accounts are configured we still need to manage the accounts as required by organizational policy.
For example, user accounts for contractors should be active only for as long as the contractors are actually on
site. This means that accounts need to be enabled and disabled, and this activity should be addressed by procedures.
Note also that many network operating systems allow 'guest' and 'temporary' accounts. These are usually set
up for either read-only or short-term access for people who would not normally have access to the system. Great
care must be taken in configuring or using these accounts, firstly because they can allow anonymous and
uncontrolled use of a system, and secondly because guest passwords are often well known or easily guessed and
provide a doorway for attackers. Unless a guest account is specifically required it should be disabled.
Administrators need to review procedures to ensure that they remain current and address any changes to the
organization and the network.
Administrators need to be aware of user activities and practices when accessing the network. Organizational policy
and procedures should address how users should access the network. Over time users may develop shortcuts and
practices that knowingly or unknowingly are in breach of policy and may compromise network security. For
example, a user may log on to the network at one workstation. Then, to help a colleague who has forgotten their
password, the user logs in at another workstation for the colleague. The result is two concurrent network
connections for one user account but for two different people who have different user access requirements, and
the audit trail now attributes the colleague's actions to the wrong person.
To manage user accounts appropriately administrators should:

o Regularly review organizational policies and procedures to be aware of requirements and address any
organizational or network changes
o Conduct regular checks to ensure the change management procedures are working for new, changed and
deleted users
o Review and investigate current work practices regarding user network access
o Conduct information and training sessions for network users to reinforce appropriate practices and
organizational policy
o Conduct regular audits of network access—verifying current users and deleting expired accounts
Managing user accounts can be a complex and tedious task, but we can make it easier by ensuring appropriate
policy and procedures are in place.
Reflect: Policies and procedures
Many larger organizations post the policies that govern their user authorization processes on their intranets. Try
searching intranet sites for larger companies, particularly IT based organizations. You may need to look under
'Publications' or 'Policies'. Also try a Google search for the term 'user authorisation policy' (use
'authorization' for US companies).
Summary
How user accounts are managed is principally determined by organizational policy. Administrators need to
use policies and procedures to determine how to configure accounts and how to set appropriate access
permissions to applications and data.
Once accounts are established, policies and procedures again define how the accounts will be managed with
regard to changes, disabling and deletion.

Self check
1. What is Authentication?
2. What is Authorization?
3. Is the following statement True or False?
Identity Management Systems store user information and credentials to many separate network locations in
many separate databases making user management difficult.
4. Before giving individual or group users access to a network, access privileges and restrictions need to
be set up. List at least 5 settings usually associated with configuring user accounts
5. Is the following statement True or False?
The network administrator decides which documents users will access on the network.
6. What should user authorization policy and procedures address? List at least 6 items.
7. How does the use of groups facilitate user management and administration?
8. Is the following statement True or False?
Network operating systems and Application software have the means to control user access to data.


Under
Ethiopian TVET-System
Maychew Poly Technical College
HARDWARE AND NETWORK SERVICING
Level-III

LEARNING GUIDE # 16
Unit of Competence: Monitor and Administer System and Network Security
Module Title: Monitoring and Administering System and Network Security
LG Code: ICT HNS3 M05 LO2
TTLM Code: ICT HNS3 TTLM 0917

LO 2: SECURE FILE AND RESOURCE ACCESS


Information sheet one: Monitoring threats


Where do threats come from?
The network administrator will need to consider the main sources of security threats so as to determine
what to monitor or look for. These sources are:
 Internal Security Threats
 External Security Threats

Internal threats
Internal threats mean danger from within an organization or inside the network. The majority of
security breaches are a result of employees accessing data that they should not have access to, making
errors such as deleting files or introducing viruses.
Access to data, and the ability to delete files should be controlled by permissions and access rights
depending upon employee roles in the organization. Employees may deliberately seek access to
sensitive or confidential data for personal gain or to ’get back at management’ for various reasons. In
some cases employees are oblivious to the need to keep their username and passwords a secret so their
credentials may be used by others to gain unauthorized access. Lack of employee training or
awareness of computer security and lack of user account management processes also constitute
internal threats.

External threats
An external threat means danger from outside the organisation’s network. The security events that
get the biggest press coverage are the external attacks on sites. These can include hackers
attempting to break into a network to obtain confidential data or to overload the system and so deny
normal service.
The important tools that are used by a network administrator to monitor the network may also be
used to eavesdrop or attack the network.

Network monitors
In a very large network the administrator may need to make use of a network monitor. These
devices can read and display every packet on the network. They can also report on the physical state
and operation of network devices. They have high-speed processors and can receive and store
packets for later review. It is this feature that could lead to a security breach. Normally the
administrator will use these to obtain statistics on such things as:
 the operation of the network
 the numbers of lost and/or corrupted packets
 the number of packets ignored


 The number of packets re-sent.

Network monitors can also be used to gather event logs, system logs and audit logs from various
network devices. If such devices are used on a wide area network then it is conceivable that someone
could capture packets of data that contain sensitive information. It is very difficult to know if such a
device is in use, since the telecommunications company may have several of these devices on the
network as a normal monitoring process. This becomes a real security threat if confidential data or
passwords are sent in plain text on the network, which is why cleartext protocols such as Telnet, FTP
and unencrypted HTTP should be replaced by their encrypted equivalents (SSH, SFTP, HTTPS) for
anything that carries credentials.

What to monitor
In understanding threats and where they originate, we can now determine what to monitor in
conjunction with organizational policy. In most cases we need to monitor events like:
o network user logon/logoff
o failed logon/logoff attempts
o specific file or data accesses
o internal and external connections
o administrator or privileged system access and changes
o Business processes relating to IT data access.
o email content (if organizational policy specifies this)
o Web site access and downloads.
What you decide to monitor will depend upon organizational policy, network design and threats specific
to the business.

Reflect: Current threats


Just as news quickly spreads around the world, so too do threats to network security. Hackers are
among the most sophisticated of computer users and have mastered the art of spreading viruses and
knowledge of security weaknesses to a global community. As a result an industry has developed to
monitor security threats and provide up to the minute information on how to deal with new threats.
Search online for the latest updates on worms, Trojans, viruses and hoaxes. Start by looking at
www.symantec.com; there are many other vendor sites and dedicated user groups as well.

Using log files

Most network operating systems and network devices will record events and activities in a log or audit
file. If you are trying to track down a security problem then these may be able to provide useful
information. There are three main issues concerning log files:


o Log files can become very large and so take up disk space.
o Logging events can slow system performance.
o Log files may be difficult to read because of the amount of detail recorded.
In addition to the log files created by the operating system there may be applications that create
similar files that can give you more information about user access and activities. In addition, audit
logs may be generated by operating systems, applications and network devices. Usually, auditing
features need to be turned on in the operating system, application or device and options enabled as
to what information will be recorded in the audit logs.

It must be noted that log files are historical records – they contain information about events that have
occurred. Administrators need to decide how to use this historical information. Generally, log files
are reviewed on a regular basis for example once a week to look for any unusual activity or events.
Should a breach of security be suspected, the dates, times and events can be correlated using
information contained in the various log files.

As human beings we are not very well suited to sifting through complex log files to find possible
events. Fortunately we can use the log viewers that come with the operating system, application or device
that generated the log. Here we can view and search the log file in a more productive fashion. Log
analyzers are third party products that search log files for specific information and initiate some
sort of alert or message to the administrator. These may also be developed 'in house' using scripting
languages like Perl or Python to scan the text in log files and produce some result when specific strings
or patterns of text are encountered.
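An in-house log analyser of the kind just described, as an added example written in Python (not code from the learning guide or from any product named on this page). The log format and the sample lines are constructed for the example. The rules cover three of the events listed under 'What to monitor': bursts of failed logons, an account logged on from two workstations at once (the scenario from the user-practices discussion in Learning Guide 15), and a successful logon to a sensitive host outside permitted hours. The thresholds and the list of sensitive hosts are assumed policy values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, in a single-line format invented for this example.
SAMPLE_LOG = """
2018-05-02 09:12:03 fileserver LOGON OK user=abebe from=WS-101
2018-05-02 09:12:40 fileserver LOGON OK user=abebe from=WS-107
2018-05-02 09:13:05 payrolldb LOGON FAIL user=admin from=203.0.113.9
2018-05-02 09:13:07 payrolldb LOGON FAIL user=admin from=203.0.113.9
2018-05-02 09:13:09 payrolldb LOGON FAIL user=admin from=203.0.113.9
2018-05-02 09:13:12 payrolldb LOGON FAIL user=admin from=203.0.113.9
2018-05-02 17:30:00 fileserver LOGOFF OK user=abebe from=WS-101
2018-05-02 17:31:10 fileserver LOGOFF OK user=abebe from=WS-107
2018-05-03 00:07:41 payrolldb LOGON OK user=hanna from=WS-210
2018-05-03 00:09:02 payrolldb LOGOFF OK user=hanna from=WS-210
""".strip().splitlines()

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (LOGON|LOGOFF) (OK|FAIL) user=(\S+) from=(\S+)$")

# Assumed policy values: hosts holding confidential data, the failure burst
# that counts as suspicious, and the permitted access hours (07:00 to 19:00).
SENSITIVE_HOSTS = {"payrolldb"}
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(seconds=60)
HOURS_START, HOURS_END = 7, 19


def parse(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, event, result, user, src = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host,
            "event": event, "result": result, "user": user, "src": src}


def analyse(lines):
    """Scan log lines in order and return (rule, user, detail) findings."""
    findings = []
    unparsed = 0
    recent_fails = defaultdict(deque)   # (user, source) -> times of recent failures
    open_sessions = defaultdict(set)    # user -> sources with a session still open
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1               # count, do not silently drop, odd lines
            continue
        user, src, when = rec["user"], rec["src"], rec["time"]
        if rec["event"] == "LOGON" and rec["result"] == "FAIL":
            window = recent_fails[(user, src)]
            window.append(when)
            while when - window[0] > FAIL_WINDOW:   # slide the window forward
                window.popleft()
            if len(window) == FAIL_THRESHOLD:       # fire once per burst
                findings.append(("repeated-failed-logon", user,
                                 f"{FAIL_THRESHOLD} failures from {src} within {FAIL_WINDOW.seconds}s"))
        elif rec["event"] == "LOGON":
            elsewhere = open_sessions[user] - {src}
            if elsewhere:
                findings.append(("concurrent-session", user,
                                 f"logged on at {src} while still logged on at {sorted(elsewhere)}"))
            open_sessions[user].add(src)
            if rec["host"] in SENSITIVE_HOSTS and not (HOURS_START <= when.hour < HOURS_END):
                findings.append(("after-hours-access", user, f"{rec['host']} at {when:%H:%M}"))
        else:  # LOGOFF
            open_sessions[user].discard(src)
    if unparsed:
        findings.append(("unparsed-lines", "-", f"{unparsed} lines did not match the expected format"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

The concurrent-session rule depends on seeing logoff events; if the log source does not record them the open-session set grows forever and the rule must instead expire sessions after a fixed idle time. Lines that fail to parse are reported rather than dropped, because a change in log format is itself something the administrator needs to know about.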

Reflect: Commercial log analyzers

Commercial products are available from companies like CA, Sawmill and Net Tracker. Go online
to search for more information about each of these.

Real time monitoring


Network monitoring is looking at the events that occur on a network. Log files present a historical
view of what occurs on a network. It’s a record after the fact. That is, an event has occurred and details
of the occurrence are recorded in the log file after the event. However, we can view some events as
they occur. The administrator could be notified of potential security breaches and take appropriate
action as the events occur. Intrusion Detection Systems (IDS) and some firewall products provide real
time monitoring.

Intrusion Detection Systems (IDS)


Intrusion Detection Systems are either software or hardware devices that are designed to monitor
network traffic or events. Their main uses are:
o Real-time monitoring of events
o Recording network events for review or reference
o Detecting threats or attacks
o Preventing attacks from being successful (only when the device sits inline and can drop traffic, in
which case it is usually called an intrusion prevention system)
o Detecting policy breaches for network use or access
o Policy enforcement for network use or access.
Should a predefined event occur, the IDS initiates whatever action the network administrator has
configured. The configured actions could be to send an email message or pager alert, block or
disconnect the offending connection, or reconfigure network addresses. All activity is generally logged
to a file for historical record.
There are two types of IDS:
o Host Intrusion Detection System (HIDS)
o Network Intrusion Detection System (NIDS)

Host Intrusion Detection System (HIDS)


This system monitors individual host computers or servers. The following types of events and activities
can be monitored and trigger specific response actions:
o File integrity
o Application or program behaviour
o System calls between the application and operating system
o Log file activities
o Users and connections of the host computer
These systems can have a significant impact on system performance because they use the resources of the
host computer (CPU, memory, etc).

Network Intrusion Detection System (NIDS)


This type of system is usually a dedicated software or hardware device designed to monitor network
traffic. It analyses the traffic using a set of predefined rules and definitions of threats or attacks. The
NIDS can initiate responses to events as configured by the administrator. Where a NIDS is
positioned in a network is very important because this determines what traffic it sees and therefore
which events it can look for: a sensor inside the firewall sees only what the firewall let through, while
one outside sees every attempt. A NIDS also sees only the segment it is attached to, and cannot inspect
the contents of encrypted traffic.

Reflect: IDS products

Examples of IDS systems include Snort and RealSecure. Go online to search for more information
about each of these. What other products are available?

Content filters and scanners

Content filters and scanners can produce both log files and real time monitoring of email and web site
access to and from a network. These systems are mainly used to monitor and enforce email and
internet use policies.
With access to web sites, specific types of sites can be allowed, restricted or just monitored in
accordance with organizational policy. Specific types of downloads can also be restricted. This
type of monitoring can give useful bandwidth usage statistics along with web site access trends
for the organization.
The content of emails can be scanned for compliance with organizational policy, for example
racial discrimination, inappropriate email use, etc can be detected. The suspected incoming and
outgoing emails in breach of policy can be quarantined and usually need to be reviewed by an
appropriate person who can manage the messages.
Content filters and scanners usually incorporate some form of scanning for viruses and other
'malware' (malware is a contraction of the words 'malicious software': software developed to
cause harm to a computer). These scanners can usually give real time monitoring of breaches and
useful statistics for volume and throughput, which may indicate an attack in progress that is using up
internet bandwidth.
Other tools
Many real time monitoring tools are available from various third party vendors. In some cases IDS has
been combined with firewall products making them convenient solutions for monitoring and protection
particularly for small office or home environments. Other products can analyse log files as they are
written and provide alerts in almost real time. These third party products are usually expensive and
considerable planning is needed to come up with the correct configurations for an organisation.
Implementations have caused grief by alerting and responding to events which are, in fact, legitimate
non threatening activity.

Spot checks and audits


The police force uses two types of speed camera, fixed and mobile. The fixed cameras are (allegedly)
at accident black spots and are designed to slow motorists down. After a while drivers know where
they are and may decide to speed at places other than where the cameras are. With mobile cameras,
drivers do not know where the police will be and so they have a greater risk of being caught speeding.
Similarly, the network administrator should also consider the opportunities for spot checks or
security audits of the network. This gives an opportunity to catch out activity designed to avoid
IDS systems.

What is a spot check?


The spot check may be nothing more than coming in at a weekend and analysing all users that are
logged on at that time or walking around the office to see which users have left their workstations
logged on but unattended.

What is a security audit?


In a larger organization a security audit may be required. This could be undertaken by external
auditors that are security specialists, or the organization may have an internal audit team.
Alternatively the administrator may also conduct an audit. The advantage of using another group of
people is that the administrator should also be subject to security review.
How to carry out a security audit is a topic in its own right but basically the auditors will:
o Start by looking to ensure that adequate security policies and procedures have been developed.
o Then they will want to see evidence that the procedures have been applied.
o They may also carry out their own checks to ensure that what they have been told is
operating is actually working.

Establishing network monitoring operational procedures

This is probably the most important part of network monitoring. How do we know if we have
everything covered and that we are looking at all the necessary information? How do we actually
do the monitoring and what do we do if we detect a threat or breach of security?

Operational procedures
Organizational policy will usually provide a high level starting point for developing procedures. The
policy should make statements about security and perhaps indicate some important guidelines.
However the policy usually does not say how to do things. Operational procedures outline details on
how something will be done to comply with the policy.
For network monitoring, operational procedures should document specific details:
o What makes up the network, that is, devices, computers, etc
o What log files will be reviewed
o Where the log files will be found
o What specifically to look for in the log files and how to do this
o How often logs will be reviewed: daily, weekly, monthly, etc
o What to do with the log files after they have been reviewed
o What real time monitoring systems exist (if any)
o How these systems are configured, that is, what rules and responses are set up
o How to use the real time monitoring system
o How to perform any other tasks relating to network monitoring
o What to do if something is detected
o Who is responsible for each activity.
In small simple networks, the operational procedures document will contain detailed and specific
tasks and activities to successfully monitor the network.
In large organizations with complex systems the operational procedures document can become
overwhelming because of the amount of detail it needs to contain. To make this manageable the
specific details of individual activities or tasks can be contained in separate sub documents called
’work instructions’.
Operational procedures ensure that, regardless of who is employed by an organization, everyone with
responsibility for monitoring the network does it the same way, by following the instructions.
Incident Response Procedure
Incident Response Procedures are included in Network Monitoring Operational Procedures. As the
name implies, these are detailed instructions outlining what action to take if a breach of network
security is detected. The procedures should specifically address:
 Who will be informed of the event or incident
 What steps or actions to take for specific incidents, that is, network intrusion, email policy
breach, etc.
 Responsibilities of the people involved.
Once again, the procedures ensure that everyone knows what to do in the event of a security incident
occurring.

Updating Procedures
All operational procedures need to be reviewed from time to time. This ensures that the procedures
remain relevant and cover any changes that occur in the network. Updating procedures and work
instructions should be part of the change control processes in an organization.

Summary
Someone should be responsible for monitoring network security, and this may involve regular
reviews of audit and log files to check for suspicious activity. For example, users attempting to
access a confidential database at midnight might be cause for concern. Various tools are available to
make the monitoring task easier. It is worthwhile to monitor other events in the security world such
as hoaxes, attacks and other developments. There are several websites that can help you do this.
Most importantly, procedures and work instructions need to be in place to ensure that network
security monitoring is performed correctly and completely. These will save you time and effort in
the long run when dealing with security issues.
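The "confidential database at midnight" case above, written as a small log review rule in Python. This is an added example and not part of the learning guide; the log line format, the list of confidential resources and the business hours are assumptions, and the log lines are constructed.

```python
"""Flag access to confidential resources outside business hours in an audit log."""
from datetime import datetime, time

# Constructed sample log (not from a real system): timestamp, user, action, resource.
# 2017-09-04 is a Monday; the last line is deliberately malformed.
SAMPLE_LOG = """\
2017-09-04 09:12:05 alice LOGIN workstation-12
2017-09-04 00:03:41 bob QUERY hr_salaries_db
2017-09-04 13:45:00 carol QUERY hr_salaries_db
2017-09-05 02:17:22 bob QUERY customer_db
2017-09-05 23:58:10 dave LOGIN vpn-gateway
2017-09-05 malformed line that should be skipped
"""

# Assumed list of resources whose off-hours use warrants review.
CONFIDENTIAL_RESOURCES = {"hr_salaries_db", "customer_db"}
BUSINESS_START = time(8, 0)    # assumed business hours, 08:00 to 18:00
BUSINESS_END = time(18, 0)


def parse_line(line):
    """Return (timestamp, user, action, resource), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return ts, parts[2], parts[3], parts[4]


def is_off_hours(ts):
    """True on weekends or outside BUSINESS_START..BUSINESS_END."""
    if ts.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_suspicious_access(log_text):
    """Return (findings, skipped): findings is a list of (user, resource, timestamp)
    for confidential-resource access outside business hours; skipped counts the
    malformed lines so that a parsing problem is visible rather than silent."""
    findings = []
    skipped = 0
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            skipped += 1
            continue
        ts, user, _action, resource = record
        if resource in CONFIDENTIAL_RESOURCES and is_off_hours(ts):
            findings.append((user, resource, ts.isoformat(sep=" ")))
    return findings, skipped


if __name__ == "__main__":
    found, bad = find_suspicious_access(SAMPLE_LOG)
    for user, resource, when in found:
        print(f"REVIEW: {user} accessed {resource} at {when}")
    print(f"{bad} malformed line(s) skipped")
```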


Information sheet 2: Network Security


As administrators one of our main tasks is to maintain network security. To achieve this we may carry
out activities such as network security evaluations to determine threats and vulnerabilities, addressing
these as required. We conduct network monitoring to ensure that network security is not breached by
user activities and connections. In these activities we are looking for known issues or threats. But what
happens six months after our security evaluation? New vulnerabilities may have been discovered in
the software and hardware used in our network.
Sources of Information
Not everyone is interested in IT. However, from time to time computer problems can make the six
o'clock news and IT issues get to the masses. Usually these are virus alerts and are wake-up calls to
organizations to ensure that they have kept their virus-checking software up to date and have
downloaded the latest virus-checking files.
Every week there are also other announcements of security problems with popular software products
or common standards. Some of these would only cause a problem with a very small number of users
but others may impact millions of users. It is important that system administrators regularly check to
ensure that the applications and protocols that they are using have not been compromised.
How do you do that?
The most popular and up-to-date source of information is the Internet. A recent Google search of
the term 'computer security' returned over 5 million hits!
The main sources of security update information are vendors and security advisory organizations.
Vendors are interested in keeping their products secure because there is a possibility they will lose
market share if people adopt alternative products. Security advisory services are like security
watchdogs. They let you know of security alerts and issues as they arise. (AusCERT is an example of
a reputable Australian security advisory service: www.auscert.org.au.)
To effectively find security update information you need to know what makes up your network. You
should have a list or inventory of devices and software. Devices can include:
 computer hardware (eg. IBM X232, HP DL360, etc)
 switches
 routers (eg. Cisco 2500, D-Link, etc)
 firewalls
 any other physical devices.
Software can include:
 operating systems (eg. Microsoft Windows 2003 Server, SUSE 10 enterprise, MAC OS X, etc)
 application software (eg. Microsoft Office XP, Open Office, etc).
You also need to know what firmware is installed. Firmware is software stored in read-only memory
(ROM) or programmable ROM (PROM) in hardware devices. Firmware is often responsible for the
behaviour of a system when it is first switched on or how the hardware communicates with the
operating system or software.
This inventory needs to be specific - model numbers, versions etc. Once you have an inventory, you
can access specific vendors and security advisory services to check for latest security update
information.
For example, if we operated HP DL360 servers, we would access the Hewlett-Packard site: www.hp.com
and search for available updates and patches (both software and firmware) for this model of server. These
would then be downloaded and applied as required.
Resolving Security Gaps
We do our research and find that there are new security threats or vulnerabilities in our network.
These threats and vulnerabilities can potentially compromise the integrity, confidentiality and or
availability of services and data on the network. These threats and vulnerabilities may be a result of
flaws or bugs being detected in operating systems or firmware or be the result of new exploitation
tools or methods.
AusCERT is the national Computer Emergency Response Team for Australia. The following is an
example of a software flaw as provided by an AusCERT Alert (www.auscert.org.au):
Vulnerability in Microsoft Windows Messenger Service
Synopsis:
Microsoft has released a security bulletin (MS03-043) describing a buffer overflow flaw in the
Windows 'Messenger Service'. The 'Messenger Service' is enabled by default on all Windows NT,
Windows 2000, and Windows XP desktops and servers. It is important to note that the Microsoft
Messenger Service is unrelated to Microsoft MSN Messenger.
Impact:
The vulnerability may allow remote attackers to execute arbitrary code on vulnerable systems with
administrator privileges. X-Force believes that the vulnerability is extremely widespread in nature.
Vulnerabilities of this nature have led to Internet worms such as 'MS Blast/Blaster', 'Nachi', and
'SQL Slammer'. History has shown that vulnerabilities of this magnitude lead almost immediately to
exploit tool development by the underground community and extensive and widespread attacks. The
vulnerability can be triggered via UDP, leaving open the possibility of extremely rapid worm
propagation.
So what do we do?
There are a number of steps to follow to ensure that we appropriately resolve any potential security gaps.


Is the security alert or issue applicable to my network?


We need to determine if a security update or security issue is valid for the network we maintain. We
need to check specific conditions and prerequisites for the security concern. These could include
specific hardware models and versions, specific software versions, combinations of hardware or
software, combinations of actions or network activity. If these conditions don't exist then the security
update or security issue does not apply to your network.

What is the implication of the security alert or issue?


If the security updates or issues are applicable, what do they really address? An organization may
consider the threat unlikely to occur. Even if the threat occurred or the vulnerability were exploited, the
impact on the organization may not be significant or damaging.
For example, a security issue may be identified concerning web server software that could allow
someone to change the color on a small part of a screen page. This may not concern organizations that
have minor reliance on their web services; however, other organizations may consider this a major issue
because all their business is derived from the integrity of their web servers. The impact and
implications differ for the two organizations.

What is required to resolve the security issue?

We need to know how to fix the security gap. In most cases vendors provide software patches or
firmware upgrades with specific instructions on how to apply them. In some cases the fix may require
network rearrangements to change the way network traffic is generated or moves across the network.
In all cases we need to consider:
 What hardware, firmware or software is needed for the fix
 What technical process is needed to apply the fix
 What resources (people, time, equipment, etc) are required to apply the fix
 What it will cost financially to apply the fix (software purchase, etc)
 What impact there will be on business operations to apply the fix (downtime, training etc)
 What changes will occur to processes and procedures after the fix is applied.

Testing the required security fix

Solutions provided for fixing new security issues need to be tested to confirm that they address and fix
the security issue. Every network environment is different, so testing will ensure that the security fix
will not have any adverse effects on existing network services.
Testing should always be done using test environments that are configured like the live production
environment. Testing on working production environments should be avoided because you may
disrupt services with untried software and compatibility issues.

Who makes the decision?

As administrators we are responsible for the technical management of a network. It is the job of
organizational management to make decisions regarding acceptable levels of risk and what security
measures need to be applied for the business, and this applies to network security as well.
Once we know that a security update or issue is applicable to the network we need to present to
organization management all the information they need to make an appropriate decision on whether to
apply a fix or not. This information must be in plain English and meaningful to non-technical people.
The information should include:
 Description of the issue, threat or vulnerability
 Impact and consequence of the issue, threat or vulnerability
 Requirements to implement a fix (resources, costs, training etc.).
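The first step above, deciding whether an alert applies to our network, worked in Python against an inventory that records exact models and versions. This is an added example and not part of the learning guide; the inventory, the advisory format with its placeholder identifier, and all version numbers are constructed assumptions.

```python
"""Match a security advisory's affected product/version ranges against an inventory."""

# Constructed inventory: vendor, product and the exact installed version or firmware.
INVENTORY = [
    {"host": "srv-01", "vendor": "ExampleOS", "product": "Server", "version": "2.3.1"},
    {"host": "srv-02", "vendor": "ExampleOS", "product": "Server", "version": "2.4.0"},
    {"host": "rtr-01", "vendor": "ExampleNet", "product": "Router 2500", "version": "12.1"},
    {"host": "fw-01", "vendor": "ExampleNet", "product": "Firewall", "version": "7.0.2"},
]

# Constructed advisory: affected versions are inclusive [low, high] ranges.
ADVISORY = {
    "id": "EXAMPLE-ADV-001",          # placeholder identifier, not a real advisory
    "vendor": "ExampleOS",
    "product": "Server",
    "affected": [("2.0.0", "2.3.9")],
    "fixed_in": "2.4.0",
}


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1). A non-numeric part raises rather than guessing."""
    return tuple(int(part) for part in text.strip().split("."))


def version_in_range(version, low, high):
    """Inclusive comparison; shorter tuples are padded with zeros so '2.3' == '2.3.0'."""
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    width = max(len(v), len(lo), len(hi))

    def pad(t):
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) <= pad(hi)


def affected_assets(inventory, advisory):
    """Return the hosts whose vendor, product and version match the advisory.
    An empty list means the advisory does not apply to this network."""
    hits = []
    for asset in inventory:
        if (asset["vendor"], asset["product"]) != (advisory["vendor"], advisory["product"]):
            continue
        if any(version_in_range(asset["version"], lo, hi) for lo, hi in advisory["affected"]):
            hits.append(asset["host"])
    return hits


def advisory_applies(inventory, advisory):
    """The yes/no answer management needs before the impact and cost questions."""
    return bool(affected_assets(inventory, advisory))


if __name__ == "__main__":
    hosts = affected_assets(INVENTORY, ADVISORY)
    print(f"{ADVISORY['id']} applies: {bool(hosts)}; affected hosts: {hosts}")
    print(f"fixed in version {ADVISORY['fixed_in']}")
```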

Ongoing update and optimization of network security

The IT environment is not a static one. If it were, we could set and forget network security. However,
we know that with changes in technology, existing network devices and software need to be checked
regularly to ensure they remain secure. As flaws and vulnerabilities are detected we need to apply
fixes as determined by organization requirements.
To ensure that network security remains at an optimal level, we need to ensure processes and
procedures exist to perform regular checks and that we are informed of any potential security gaps.
These processes and procedures may be manual, for example performing weekly searches of vendor
web sites for security updates.
Alternatively, some hardware devices and software provide an automated update service that uses the
Internet to check for security updates. The hardware device or software may even apply these updates
without any human intervention. Many anti-virus products do this because new virus threats can
appear daily and the best defence is to ensure the products are constantly up to date.

Reflect: Security alerts

Go online and use your preferred search engine (such as Google - www.google.com.au) and search
for the term 'security alert services'. (Tip: put the phrase within "quote marks" to search only for the
complete phrase - not individual words). Look at the kinds of services on offer. How many are free?
How many do you think you could rely on to provide up to date and independent advice?

Network tools and utilities

Network tools and utilities can also be used. These can scan network devices and software for known
vulnerabilities. They also need to be kept up to date to detect the latest threats and vulnerabilities.
Network security tools and utilities are available for download via the internet. These may be open
source, shareware or commercial products. Web references in the 'Resources' section of this learning
pack provide links to various sources.
Manual procedures
If manual procedures are used we must ensure that our inventory of network devices and software is
kept up to date and that schedules and responsibilities are well defined. Organizations should treat the
application of security fixes as part of their essential maintenance procedures.

Subscription services
Subscription to security alert services may also be of value. They usually notify you via email of any
issues as they arise and provide advice and solutions to address the issues. Information about
subscriptions is available online from providers like AusCERT (www.auscert.org.au).

Summary
With the rapidly changing IT environment, especially the Internet and e-commerce systems, it is
essential that security be taken seriously. Hackers love to find flaws in popular products and protocols
that most organizations use to run their business.
We know how to use the Internet and other resources to find information on security updates and new
issues. We also know how to evaluate security issues and their fixes and present these to the appropriate
decision makers for their consideration. The importance of good processes and procedures for
updating and optimizing network security cannot be overstated.


Self Check
Part I. Answer the following questions
1. List five events that should be monitored with respect to network security.
2. List ten kinds of information that should be contained in Network Security Monitoring Operational
Procedures.
3. List five main reasons for implementing an Intrusion Detection System.
4. Log files are:
   a. an historical record of events
   b. used for real time events
   c. usually small
   d. read easily by human beings
   e. none of the above

Part II. Say True or False
_______ 1. A system administrator is better suited to conduct network security audits than external
auditors.
_______ 2. The greatest threat to an organization's computer network security is its own
employees.


Under

Ethiopian TVET-System

HARDWARE AND NETWORK SERVICING
Level-III

LEARNING GUIDE # 17
Unit of Competence: Monitor and Administer System and Network Security
Module Title: Monitoring and Administering System and Network Security

LG Code: ICT HNS3 M05 LO3
TTLM Code: ICT HNS3 TTLM 0917

LO3: DETERMINE AUTHENTICATION REQUIREMENTS


Information sheet one: What is Encryption?


Encryption is the process of taking some information or data, manipulating or changing its format in a
way that stops it from being used or read by unauthorized people or systems. Encryption involves
scrambling data so that it needs to be unscrambled or decrypted, to be read. Encryption can be applied
to data in storage (file systems, media, etc) or in transit via network or Internet connections.
Encryption can be useful to achieve appropriate levels of network security required by organizations.
For example, an organization using the Internet to perform financial transactions will want to ensure
that details like bank account numbers, passwords, etc are kept secure and only accessed by intended
recipients. Encryption can achieve this level of security by ensuring data confidentiality and
integrity.
Encryption Methods
Information encrypted needs to be decrypted by authorized systems or people for it to be of any
use. To decrypt, the receiver may need some additional information.
For example you are given a coded message on a piece of paper. To read it you need to know how it
was coded. It may use a simple method of substituting numbers for letters but to decipher the message
you need to know what letter equates to what number. This is the 'key' that will unlock the code.
Computer systems encrypt information the same way but use more sophisticated and complicated
codes. Consider the following diagram:

Figure 1: Encryption process

The encryption process requires the following:


 Original information – This is the data or information prior to being encrypted (may be
referred to as plain or clear text)
 An algorithm – a mathematical formula or process that accepts the input of
original information and key data to produce an output or coded information (called
cipher text)
 Key data – data used by an encryption algorithm to encrypt or decrypt information
 Cipher text – this is the encrypted original information produced by the encryption
algorithm and key data.


The algorithm may work in both directions meaning that information can be encrypted and
decrypted with the correct keys. Knowing any three items will allow you to derive the fourth.
However encryption methods are designed to make discovering keys and algorithms extremely
difficult.
Ciphering
Ciphering is the process of how data or the original information is converted into cipher text.
The process uses algorithms and encryption processes, but more specifically this refers to how
the raw data is managed. There are generally two cipher methods.
 Stream cipher is a relatively simple method where each bit of data in the original information
is sequentially encrypted using one bit of the key. If the key is of a fixed length it may be
possible to mathematically deduce the key by analyzing the cipher text. Using a variable length
key or continually changing the key in the stream cipher process can theoretically produce an
unbreakable encryption system. One-Time pad is the process of continually varying the
encryption key with random numbers. This method is not commonly used because of
overheads and encrypting efficiency.
 Block cipher encrypts the original information into chunks. Depending upon the encryption
system, the size of these chunks or blocks will be fixed. Each block is processed by an
algorithm and key to produce blocks of cipher text. These cipher text blocks can be further used
with encryption keys to strengthen the encryption. Block cipher processes more data than stream
cipher on each pass and is more commonly used today.
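The one-time pad described above, and why a fixed or reused key defeats it, as an added Python example that is not part of the learning guide. The two messages are constructed, and only the standard library is used.

```python
"""One-time pad as a stream cipher: correct use, and what key reuse gives away."""
import secrets


def xor_bytes(a, b):
    """XOR two equal-length byte strings (the stream cipher's core operation)."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_key(length):
    """A fresh random key at least as long as the message; it must never be reused."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext, key):
    """Each plaintext byte is combined with one key byte, in sequence."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return xor_bytes(plaintext, key[: len(plaintext)])


# XOR is its own inverse, so decryption is the same operation with the same key.
otp_decrypt = otp_encrypt


def combined_ciphertexts(ct1, ct2):
    """What anyone holding two ciphertexts made with the SAME key can compute:
    (p1 XOR k) XOR (p2 XOR k) = p1 XOR p2. The key cancels out, so the relationship
    between the two plaintexts is exposed without knowing the key at all."""
    n = min(len(ct1), len(ct2))
    return xor_bytes(ct1[:n], ct2[:n])


def demonstrate_key_reuse():
    """Return (roundtrip_ok, key_cancels): correct decryption with the key, and
    confirmation that reusing the key leaks plaintext1 XOR plaintext2."""
    p1 = b"TRANSFER 1000 TO ACCT 42"      # constructed messages
    p2 = b"TRANSFER 2500 TO ACCT 17"
    key = generate_key(len(p1))
    c1 = otp_encrypt(p1, key)
    c2 = otp_encrypt(p2, key)             # the mistake: second message, same key
    roundtrip_ok = otp_decrypt(c1, key) == p1
    key_cancels = combined_ciphertexts(c1, c2) == xor_bytes(p1, p2)
    return roundtrip_ok, key_cancels


if __name__ == "__main__":
    ok, leaks = demonstrate_key_reuse()
    print("decrypts correctly with the key:", ok)
    print("reused key cancels out of the ciphertext pair:", leaks)
```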
Private Key Encryption
Private Key encryption is also known as symmetric encryption or single key encryption. This
encryption method requires the use of one key to both encrypt and decrypt information. All people
and systems accessing the cipher text must use the same key to decipher that was used to encrypt
the data.

Figure 2: Private Key encryption

The security of data using this method depends upon the security of the key. Only authorized people
and systems should have the key. It should be kept private and secret. If anyone else knows the key,
the security of the data is compromised and all data should be encrypted using a new key. The new
key needs to be distributed to all authorized people and systems. This may present operational
difficulties if the locations are geographically diverse, distant and many.
Examples of private key encryption include:
 Advanced Encryption Standard (AES)
 International Data Encryption Algorithm (IDEA)
 Data Encryption Standard (DES)
 Triple Data Encryption Standard (3DES)
 HmacSHA1
 Blowfish
 HmacMD5
 TripleDES.
For more information on each of these systems, go online and search for each term through your
preferred search engine (such as Google: www.google.com).

Public Key Encryption


Public key encryption, also known as asymmetrical encryption, uses two keys known as a key
pair. One key is a private key and it is kept secret, only known to one person or system. A second
key, known as the public key, is generated (mathematically derived) from the private key. The
public key is not kept secret and is freely distributed to people or systems that wish to use
encryption.

Figure 3: Public key encryption

Information encrypted with the public key can only be decrypted using the private key of the key pair.
Therefore only the owner of the private key can decipher the information. The public key used to
encrypt will not decrypt the cipher text it produces. It is a one-way process. Public keys are used to
encrypt and private keys are used to decrypt. Information encrypted with the private key can be
decrypted using the public key for authentication purposes (using 'digital signatures' - this is discussed
later).
This encryption method addresses the problem of distributing keys to the people that require them. Public
keys do not need to be kept private, so there is no need for special secure delivery methods and they
can be made freely available using the internet.
Examples of public key encryption systems include:
 Diffie-Hellman
 RSA
 ElGamal
 Elliptic Curve Encryption.
For more information on each of these systems, go online and search for each term through your
preferred search engine (such as Google: www.google.com).
Authentication
If encrypted information is transmitted or stored, how can we be sure that it was sent or stored by
a specific person? How can we be certain that the information hasn't been altered, modified or
originated from some other source?
We can use a number of methods to authenticate data and information.
Digital Signatures
Using public key or asymmetrical encryption, information such as messages, documents, files, etc. is
encrypted using a public key and decrypted using the private key of a key pair. The public key is not
secret and is freely available, so anyone could have encrypted the original data or information.
The originator can authenticate their data by using their private key. This is done by using the
originator's private key to encrypt information about the original data (usually checksum
information). This encrypted information is kept with or appended to the original data. This is
known as a digital signature.
This digital signature can only be decrypted using the user's public key. If decryption of the
information (the digital signature) is successful and compares correctly with that data being accessed
(checksum, etc) we can be reasonably confident of the originator's identity and that the data has not
been modified since the digital signature was added. This is most useful when downloading data from
the internet.
The purpose of digital signatures is to certify information, not conceal it.

Digital Certificates
Public key encryption works using pairs of keys. Anyone wishing to send an encrypted message must
use the recipient's public key to encrypt the message. If the recipient of the message wishes to verify
the digital signature they must use the sender's public key. Where do we find these keys and how can
we be sure that we are using the correct key of a pair?
Digital Certificates provide a means of identifying and managing public keys. A digital
certificate is a password protected and encrypted file that contains information about an
individual's identity and their public key.
A certificate server stores digital certificates and is used as a central location for users requiring public
keys. This is known as a Certificate Authority (CA) and is a trusted authority providing certified public
key information. CAs can be set up within an organizational network or used as a service available on the
internet. CAs can work in a hierarchy or mesh fashion to provide certificates from other CAs.
Reflect: Australian CAs
What Australian organizations act as Certificate Authorities (CAs)? To find out more, go online and
search for the phrase 'Australian Digital Certificate Authority' through your preferred search engine
(such as Google: www.google.com). You will find large organizations such as Australia Post and
VeriSign Australia act as CAs. What other organizations also act as CAs?

Public Key Infrastructure (PKI)


Public Key Infrastructure provides a means for users of an insecure network to exchange data
securely and privately. It is a complete infrastructure using public key encryption to provide the end
to end security, confidentiality and accountability required for information exchange. Various
vendors provide PKI products and solutions.
A public key infrastructure consists of:
 A certificate authority (CA) that issues and verifies digital certificates. A certificate
includes the public key or information about the public key
 A registration authority (RA), a network authority that verifies user requests for a digital
certificate and tells the certificate authority (CA) to issue it
 Locations where the certificates (with their public keys) are held
 A certificate management system.

For an overview of PKI try the Section 6 networks website (www.section6.net). Go to the Tutorials
section and search for 'Digital certificates'.

Reflect: PKI users in Australia


Who is using PKI in Australia? To find out more, go online and search for the phrase 'Users of PKI
Australia' through your preferred search engine (such as Google: www.google.com).
Kerberos
Kerberos is an authentication protocol that uses secret-key encryption to verify client identity and
exchange information securely.
When a user attempts to log on to a server or system, a local agent sends an authentication request to
the Kerberos server. The server responds by sending encrypted credentials for the user back to the
requesting server or system. These credentials are then decrypted using the user-supplied password.
If this is successful, the user is issued Kerberos authentication tickets and a set of cipher keys to
encrypt data sessions.
Kerberos is a cross platform system developed by Massachusetts Institute of Technology
(MIT) and has been incorporated into numerous products by vendors. See the website:
web.mit.edu/Kerberos/

Reflect: Kerberos
Find out more about who uses Kerberos. Use your preferred search engine (for example Google:
www.google.com.au) to search for information about which products use Kerberos. Does Windows use it?
What about Eudora or SAP?
Secure Data Transmission
There are a number of methods that use encryption to ensure that data transmission on a network is
secure.
Internet Protocol Security (IPSec)
This protocol defines encryption, authentication and key management for TCP/IP transmissions.
It secures data in transmission by various means at the IP packet level.

The key components of IPSec are:
 Authentication Header (AH): this component authenticates and validates data packets. Each
packet basically contains a digital signature.
 Encapsulating Security Payload (ESP): this component encrypts the data payload of the packet.
 Internet Key Exchange (IKE): the above components AH and ESP use asymmetric
encryption. IKE manages the public/private key exchanges for encryption and decryption.
IPSec can operate in two modes:
 'Transport' mode encrypts communications between two hosts.
 'Tunnel' mode places an encrypted IP packet into a traditional IP packet to 'tunnel through' to a
destination. This is used to support VPN transmissions.
For more information, go online and search for the term 'IPSec' through your preferred search engine
(such as Google: www.google.com). You could also try the NetBSD project website (www.netbsd.org
- enter 'IPSec' in the search tool and find the 'IPSec FAQ' document).

Point-to-Point Tunneling Protocol (PPTP)


The original Point-to-Point Protocol (PPP) is an encapsulation protocol for transporting IP traffic
over point-to-point connections.
The Point-to-Point Tunneling Protocol (PPTP) is an expansion of the existing Point-to-Point Protocol
(PPP). PPTP uses the same principle of encapsulating other protocol packets so that they can be
transported via a switched network (the Internet) to a specific destination. The destination receives the
PPTP packet and extracts the encapsulated data. PPTP also supports encryption and authentication.
This protocol is a proprietary Microsoft development and is widely used in conjunction with VPNs (see
below). There are open source alternatives that will also work with PPTP (for example 'PPTP Client' -
see the SourceForge website: pptpclient.sourceforge.net).

Layer 2 Tunneling Protocol (L2TP)


This protocol is similar to PPTP but was developed by a number of industry consortia. It has
become the method of choice for Microsoft Windows VPNs.
L2TP is just a tunneling protocol. It is generally used with IPSec to provide encryption.
Virtual Private Network (VPN)
Virtual Private Networks are basically a secure connection through a network (Internet, WAN, etc)
that connects either computers or networks together. These connections make remote users appear
that they are on one single network.
The main functions provided by VPNs are tunneling, data security, data integrity and
authentication. This is usually provided by a number of protocols, IPSec, PPTP and L2TP.

Secure Sockets Layer (SSL)


This is a method of encrypting TCP/IP transmissions between hosts. It is used to encrypt web
pages and data entered on web forms while in transit. The encryption method uses public key
encryption and requires digital certificates.
URLs prefixed with 'HTTPS' initiate an SSL session between the web browser and web server.
Most online banking facilities will direct you to a secure site with 'HTTPS' at the beginning of the
address.
Secure Shell (SSH)
This provides a secure means of establishing remote connections to a host. It provides authentication
via the exchange of digital certificates and uses public key encryption. It is mainly used in Unix/Linux
environments and is a means of carrying out the functions of insecure protocols (telnet, ftp, etc) in a
secure fashion.

Pretty Good Privacy (PGP)

This is one of the most popular encryption programs. It is a public key encryption system that
provides authentication and encryption. It is commonly used for email transmissions and supports a
wide range of operating systems. Both commercial and open source versions are available.
See the website: www.pgp.com for PGP information.

Secure Data Storage


Encryption may be used to protect the confidentiality, integrity and authenticity of data in storage,
such as that on a hard disk drive or tape. Encryption methods as discussed previously may be used,
but careful consideration must be given to the consequences of this.
Encrypting and decrypting data creates a significant overhead in terms of time and effort and will
affect the accessibility and management of the data. There may be key management issues –
numerous key pairs required, digital signatures and a CA (certificate authority) required.
Implementation will be determined by the business or organization needs and requirements.
Most operating systems and storage systems have inbuilt encryption facilities. Implementing these
may be more efficient but does place a reliance on the operating system.
Threats to Encryption Systems
The security that an encryption system provides may be vulnerable because of the following deficiencies
or circumstances.
Deficiencies in human and business processes or procedures

No matter how good an encryption system is, it still requires some sort of management. Security relies
on keeping private keys secret. If keys are stored or delivered ad hoc there is a good chance that the
private keys will be compromised. Management and maintenance processes need to be checked to
ensure security.
Users need to be aware of security issues. For example, an encryption system may be doing its job
well, but if a user leaves a logged-on computer unattended the confidentiality of information may
be compromised by someone else accessing the logged-on computer.

Deficiency in the cipher algorithm or process


Original data may be deciphered from cipher text by exploiting some weakness in the cipher
algorithm. Algorithms that are publicly known, have been available for some period of time and have
had public scrutiny have generally proved their security. Systems that are new or rely on secrecy are
possibly vulnerable.
Brute force attacks against the key
This is where attempts are made to recover the original text from the cipher text by trying every possible
combination of the key or password. The longer a key is (i.e. the more bits used in encryption) the
more possible combinations there are, and the larger the key space used to create the cipher text, the
more keys need to be tried.


Brute force attacks will eventually succeed if enough time and resources are used. For example, it took
312 hours using 3,500 computers to find an RC5 key (RC5 is a block cipher method that uses 64-bit
symmetric keys). A key is considered strong if the cost of finding the key outweighs the value of the data
being protected.
Implementing Encryption Solutions
Encryption systems can be provided by network operating systems and devices or by third party
products and services. Inbuilt encryption systems provided by operating systems and devices may be
cost effective. However, if these are proprietary systems, using them may lock the organization into a
significant dependence on the operating system or device.
Third party encryption solutions are usually built on industry standards and generally operate
independently of any operating system or device. These solutions can be expensive.
In all cases, any implementation of encryption solutions will be governed by the security
requirements for an organization or process. The benefits of encryption need to be weighed
against the real threats to data security, implementation requirements and costs.
Summary
Investigating and implementing encryption facilities and the appropriateness of this for organizational
network security requires a sound understanding of encryption methods, practices and standards. We
have covered the main components – symmetrical and asymmetrical encryption, digital signatures, and
digital certificates. Secure transmission methods such as SSL, VPN, and IPSec have also been
discussed.
Progress
Have a look at the next section online - Practice. If you have trouble, review these Readings or
perhaps take a look at some of the listed Resources.
When you feel ready, try the Self check section at the end of this topic. This will help you decide if
you are now able to complete the task and attempt assessment.

Learning guide 18 Date 09-2017 Page 32 of 47


Author: IT Experts
Training, Teaching and Learning Materials Development Lo4

Self Check
Question 1: What is 'Single key encryption' and by what other name(s) is it known?

Question 2: What problems does Single Key encryption present?


Question 3: Is the following statement True or False?

Public key encryption is also known as symmetrical cryptography.


Question 4: Look at the following diagram of an encryption process - some of the labels have been replaced
with the letters A to F.

Encryption diagram - fill in the missing terms


What term does each letter represent? (For example: 'A' = 'Sender') Also what kind of encryption method
does this diagram show?
Question 5: Is the following statement True or False?
Digital signatures are used to conceal information.
Question 6: How do digital signatures work and how are they used?
Question 7: What are digital certificates?
Question 8: What is a VPN and what protocols are generally used to establish a VPN?
Question 9: What governs the implementation of an encryption solution?


Under

Ethiopian TVET-System
HARDWARE & NETWORK SERVICING
Level III

LEARNING GUIDE # 18

Unit of Competence: Monitor and Administer System and Network Security

Module Title: Monitoring and Administering System and Network Security

LG Code: ICT HNS3 M05 LO4

TTLM Code: ICT HNS3 TTLM 0917

LO 4: DETERMINE NETWORK SECURITY


Network Security
What is network security? Before we can evaluate the status of network security we need to
understand what network security is.
Security refers to the measures taken to protect certain things or elements of information. There are three
main elements.

Confidentiality (Privacy)
This means keeping information secret and safe. It means controlling access to information so that
only the people with authorization will access the information. No one else should have access to the
information.
With Network Security this means keeping all information stored in a network environment
confidential and safe. This means keeping unauthorized people off the network and preventing them
from browsing around and accessing things they have no authority to access.

Integrity (Honesty)
This refers to the correctness of information. It means making sure that the information is kept as it
should be and not altered or changed by unauthorized people. It also means protecting the
information from changes or corruption by other things like system or program failures or external
events.
With Network Security this means keeping all information stored in a network environment as it
should be. Information includes user generated data, programs, computer services and processes
(email, DNS, etc). This means protecting information from unauthorized changes and deletion by
people, network devices or external influences.

Availability (Accessibility)
This refers to the ability to access and use information. It means making sure that the information can be
accessed whenever it’s required. If information is not available it is useless.
With Network Security this means keeping all information stored in a network environment ready and
accessible to those who need it when they need it. Information includes user-generated data, programs,
computer services and processes (email, word processing application, etc).

Evaluating Network Security Status


Knowing what network security refers to means we now know what to look for when assessing a network.
We need to look at what measures are in place to ensure that the confidentiality, integrity and availability of
network data, applications, services and processes are maintained to the organization’s requirements.
Threats (fear)
Threats are actions or events that could occur to compromise an organization's network security.


The threat will compromise confidentiality, integrity and/or availability of network information.
People or organizations that have possible access to the network may present threats. Threats may be
presented by people or organizations that have some reason for compromising network security and
have the knowledge and resources to pose a threat. Some examples of threats could be hackers gaining
access to confidential files, or a disgruntled employee deleting corporate data, or virus infections
corrupting data. Joy riders also pose a threat. They have no particular reason for gaining access except
for the challenge and a bit of fun or perhaps prestige within their peer group.
Threats may also arise through circumstance. For example using second hand or old hardware
may pose a threat to network security.

Vulnerability (Weakness)
This refers to potential ways or avenues that could be used to compromise network security. For a
network to be vulnerable it must be accessed in some way. For example, an Internet connection, user
workstations and wireless access via user laptops are all means of accessing the network. All these access
points use various systems such as firewalls, computer operating systems and transmission protocols to
authenticate and authorize network access. Various methods can be used to gain unauthorized access if
vulnerabilities exist in these systems.
Operating system bugs, shortcomings in the authentication mechanism, and no security checks for
people entering the workplace are examples of vulnerabilities.

Countermeasures
Countermeasures are used to reduce the level of vulnerability in the organization. They can be physical
devices, software, policies and procedures. Examples of countermeasures include firewalls, antivirus
software and security guards checking employee IDs as they enter the building. In most cases,
countermeasures are implemented at network access points or where the vulnerability exists.
Impact
Impact means what will happen to the organization if a threat actually occurs. The consequence of a
threat occurring is usually measured in financial terms because the result may be loss of business
productivity, stolen equipment replacements and repairs, and costs for investigation and expert contractors.
Other consequences may be damage to reputation, loss of business, or time and resource related.

Assessing impact can be an involved process and a topic in itself. However, in brief terms, assessment is
usually done by identifying systems or resources in the organization. Then, by analyzing usage patterns,
business processes and work flow, the importance of a system can be determined. Finally, with user and
management questionnaires, and analysis of usage, business processes and workflow, the consequence of the
system or resource being unavailable or compromised can be determined in financial and other terms.
Likelihood (Possibility)

Likelihood refers to the probability of an event occurring. Whether an event is likely to occur depends upon a
number of factors such as degree of technical difficulty and knowledge required to cause the event, potential
gain to the perpetrators and opportunity. Countermeasures reduce the likelihood of occurrence. For example
procedures ensuring that operating systems have the latest security patches installed will reduce the
likelihood of hackers compromising the system.
Risk (danger)
Risk refers to the potential or possibility for some form of loss. With network security this means loss of
confidentiality, integrity and/or availability of information or services. Risk is determined directly by
threats and vulnerabilities. For there to be a risk, a threat AND some vulnerability must exist.
For example, virus infection may compromise the integrity of information on a network. The vulnerability,
or ways virus infection can occur, may include the use of CDs or disks from outside the organization on
local network computers. In this case a risk exists. If a countermeasure or mitigation strategy such as using
diskless workstations was employed, users could not use external media. This means that there is no
vulnerability and therefore no risk.
However, another vulnerability associated with virus threats may be the network’s Internet connection. So the
risk of virus infection via the Internet may exist depending upon the firewall and antivirus countermeasures
employed.

Looking for Threats and Vulnerabilities


Evaluating the status of network security can be a daunting task if we don’t take a methodical
approach. We need to understand what makes up the network – the hardware and software. Knowing
this helps us break things down into smaller manageable parts. Once we identify the individual systems
and components (for example email service, web services, internet access, applications, etc) we can
then start to look at the security status of these one by one.
To work out threats and vulnerabilities, we need to examine:
 Access to the system – including physical access, electronic access via authentication processes, via local
workstations, the Internet, or a remote access server
 Authorization mechanisms – including operating system or application permission or access
control methods, and organizational processes and procedures to manage user access
 Who has access and what they can do - this includes file access permissions for users and access
to services, and can be examined using auditing features built in to operating systems and
applications
 Known vulnerabilities, for example operating system or application defects/bugs, or hardware
firmware
 Potential vulnerabilities, confirmed by testing
 Any countermeasures in place.


For any breach of security, there must be some form of access so it is important to consider all
possible means of access (physical and electronic). While hackers are usually associated with
external 'criminals', network security is more often jeopardized from within an organization.
Look for vulnerabilities in the following areas of the individual network components.

Network design and components


Vulnerabilities associated with hardware and network design include exploitation of topologies,
switches, routers, firewalls, servers, computers and operating systems to breach network security.
Threats associated with hardware and network design vulnerabilities include:
 Interception of wireless transmissions by hackers
 networks that use public or external transmission systems; for example leased lines are
vulnerable to eavesdropping
 Network segments being exposed to sniffing
 Physical access to hardware
 Private network addresses accessed and read when routers and other devices are not properly
configured
 dial-in servers or remote access used by off-site staff not being secure or monitored regularly.
 Improper use of default security options – after operating systems or applications are installed,
default security options are offered automatically; these default prompts are well known by
crackers and, if they are not changed by the network administrator, will allow easy access to
the system
 Network operating system software having holes in its security, allowing hackers to gain
unauthorized access
Network operation and usage
We need to examine how the network or system is used and also any policies and procedures that
relate to this. Threats from people exploiting vulnerabilities in the way networks or systems are used
may include:
 Intruders or hackers gaining user passwords through manipulation or monitoring. Surprisingly,
many people write their passwords down on sticky notes and leave them stuck on the side of their
monitor or under their keyboard. It is easy for an observant person to find these notes, or even to
unobtrusively watch passwords being typed in
 Social engineering—this practice involves manipulating social relationships in order to gain
information, specifically, passwords. For example, the intruder may pose as a network
administrator who asks for your password in order to investigate some problems with the network
 Incorrect configuration of user IDs and groups and their associated file or login access
 Network administrators not noticing security gaps in the operating system or application configuration


 Lack of a security policy, leading to users not knowing or understanding security requirements
 Dishonest or disgruntled employees abusing their access rights
 an ’unused’ computer being left logged on to the network, thereby providing access to an unauthorised
user
 Users or administrators choosing easy-to-guess passwords
 Computer rooms being left unlocked, allowing unauthorized physical access
 Backup tapes or floppy disks containing confidential information being discarded in public waste bins
 Administrators failing to delete system accounts of employees who have left the organization.

Communications and connections


The security of network operating systems and application software is dependent on their
configuration. Some of the vulnerabilities in this area regarding communications and
connections include:
 IP addresses easily falsified and requiring little authentication
 Flaws or gaps in network software allowing IP spoofing to occur.
 Viruses – which can be contracted from the Internet or external email, or transferred from one
computer to another through the internal network and emails.
 Incorrectly configured firewalls not preventing unauthorized access
 Authorized users transferring files using Telnet or FTP over the Internet, with user ID and password
transmitted in plain text, which can easily be accessed and used inappropriately
 Hackers obtaining personal or user ID information entered into online forms or newsgroup
registrations
 Access inadvertently allowed into chat session or email software while users remain logged in
to Internet chat sessions or Internet-based email.
 Denial-of-service attacks. These are usually deluges of messages sent to a third party using PCs on your
network as ‘drones’, resulting in the targeted system becoming disabled
 Clear text sniffing—some protocols do not use encrypted passwords as they travel between the client
and the server. A cracker with a sniffer can detect these types of passwords, thus gaining easy access to the
information
 Encrypted sniffing—protocols may use encrypted passwords; hackers may carry out a Dictionary
attack. These are programs that will attempt to decrypt the password by trying every word
contained in English and foreign language dictionaries, as well as other famous names, fictional
characters and other common passwords.


 Brute-force attacks are similar to Dictionary attacks. The difference is that Brute-force attack
intruders will use encrypted sniffing to try to crack passwords that use all possible
combinations of characters. These characters include not only letters, but other characters as
well.
 Replay attacks—By reprogramming their client software, a cracker may not need to decrypt the
password; the encrypted password can be used ’as is’ to log into systems

Third Party Tools


How long do you think it would take an administrator to manually check the configuration of every
network device for possible security vulnerabilities?
Administrators are human and humans are not well suited to looking at long detailed log files and
configuration listings. There is a good chance something will be missed. Fortunately, there are a
number of tools available that can accurately do this work for the administrator.
Network security tools evaluate the security of a network by:
 Performing scans of security configuration for specific devices and operating systems – for
example account policies and security policy settings for Windows operating systems. These
tools generally need administrative access to the devices and compare results to expected
best practice settings, reporting the differences. These types of tools can also audit file
systems by listing security settings and permissions as applied to the file system and services.
 Network traffic scans and probes that test for available network connections. This tests for
network addresses and protocols, and gathers transmission and connection information about the
network. It may draw topology diagrams with device and host information.
 Penetration testing. These tools will attempt to gain access to the network by performing a
series of attacks on the network using methods that exploit known vulnerabilities. These
types of tests can be performed from outside the network (for example via the Internet) or
from inside the network to test internal security.
In all cases these tools use known vulnerabilities and methods to test network security and as such need
regular updating as new vulnerabilities are discovered. These tools should be used outside normal business
operation hours as they can impact on network performance. Links to these types of tools and their sources
are available at the end of this reading.
Evaluate Findings
Once we have completed the task of looking for risks and checking configurations, we need to
compile our findings and determine if any improvements or changes are needed.
We need to record the findings for each of the systems or network components we reviewed. In
summary, these were the things listed in the 'Looking for Threats and Vulnerabilities' section above.
Using a table can help you evaluate your findings. Once you have listed your findings you need to
consider what issues or concerns result from your findings. These concerns may become threats and
risks. From the concerns and issues, consider what you can do to remove the issue or concern.
Take a look at the sample Risk Evaluation table that follows.


Evaluate risks and recommended actions


Use this sample risk evaluation table to itemize possible risks to the security of a system or network. Recommend actions to
correct and mitigate any risks you identify. The table has four columns: System or Network Component, Results and findings,
Concerns or Issues, and Recommended Action. Each row below is laid out one cell per line.

System or Network Component: Identify the network system or component (Example: Finance database server, Windows 2000)

Results and findings: Physical environment (List here your findings about the physical security of the system) (Example: insecure computer room)
Concerns or Issues: (Example: Anyone can walk in and access the computer and console. They could copy or delete information and damage the hardware)
Recommended Action: (Example: Lock the computer room and only authorized people have keys)

Results and findings: Access configurations (This includes authentication systems, electronic access to the system, operating system configurations for access) (Example: Password length is set to 4 characters)
Concerns or Issues: (Example: Password complexity is low. Passwords could be easily cracked)
Recommended Action: (Example: Change system requirements for longer and complex passwords)

Results and findings: Authorized users and access levels (List of authorized users and what they can do and access on the system) (Example: Default permission set on all files for everyone accessing the server)
Concerns or Issues: (Example: Default permission is to read all files. Secure information cannot be changed or deleted by unauthorized people but anyone logged in can see it)
Recommended Action: (Example: Do not use default permissions. Develop required permissions for each group of users and implement)

Results and findings: Process or procedural assessment (List any failings in procedures or work practices. This includes the way the system or network is used.) (Example: Users are leaving logged in computers unattended)
Concerns or Issues: (Example: Anyone can gain access when the authorized user is away from their desk)
Recommended Action: (Example: Set password protected screensavers to activate after 5 minutes and educate users about the need for security)

Results and findings: Vulnerability test results (List test results from specific tests or test utilities like penetration tests, network scans, etc) (For example, an operating system buffer overflow may cause arbitrary code to execute)
Concerns or Issues: (Example: results of code may leave server open to remote control by unauthorized people)
Recommended Action: (Example: Apply vendor supplied security patch to server)

Results and findings: Existing countermeasures (List existing specific countermeasures for the system and any failings of these) (Example: Antivirus software)
Concerns or Issues: (Example: Antivirus software is 3 months out of date. The server is vulnerable to the latest virus)
Recommended Action: (Example: Update the antivirus software and develop procedures to ensure regular updates)


Using tables like the one above will give us a picture of the security status of the components and the
network as a whole. As network or system administrators we make technical recommendations on these
findings to improve or correct any network security deficiencies. However, it is up to organization
management to approve any recommendation.
Information on threats, vulnerabilities, impact or consequence, along with recommendations
(including implementation costs) addressing the risks, must be provided in a meaningful way for
organizational management to make sound decisions regarding network security.
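As an added example (not part of the learning guide), the following Python script does the kind of configuration scan described under 'Third Party Tools' and turns each difference from a best-practice baseline into a row of the risk evaluation table above. The baseline values, the observed settings and the finance database server they are taken from are all constructed for the example.

```python
"""Compare observed security settings with a best-practice baseline and report
each difference as a row of the risk evaluation table (System or Network
Component, Results and findings, Concerns or Issues, Recommended Action).
Added example: the baseline and the observed settings are constructed and the
server they describe is hypothetical."""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rule:
    component: str                 # "System or Network Component" column
    setting: str                   # key in the observed settings
    passes: Callable[[Any], bool]  # True when the observed value is acceptable
    expected: str                  # plain-English expectation for the report
    concern: str                   # "Concerns or Issues" column
    action: str                    # "Recommended Action" column


@dataclass(frozen=True)
class Finding:
    component: str
    finding: str
    concern: str
    action: str


# Constructed best-practice baseline, modelled on the sample table's rows.
BASELINE = [
    Rule("Access configurations", "min_password_length",
         lambda v: isinstance(v, int) and v >= 8, "at least 8 characters",
         "Passwords could be easily cracked",
         "Change system requirements for longer and complex passwords"),
    Rule("Access configurations", "password_complexity",
         lambda v: v is True, "enabled",
         "Password complexity is low",
         "Enable password complexity requirements"),
    Rule("Process or procedural assessment", "screensaver_lock_minutes",
         lambda v: isinstance(v, int) and 0 < v <= 5, "5 minutes or less",
         "Anyone can gain access when the authorized user is away from the desk",
         "Set password protected screensavers to activate after 5 minutes"),
    Rule("Authorized users and access levels", "everyone_default_permission",
         lambda v: v == "none", "no default permission for Everyone",
         "Anyone logged in can see all files",
         "Do not use default permissions; develop permissions for each group"),
    Rule("Existing countermeasures", "antivirus_signature_age_days",
         lambda v: isinstance(v, int) and v <= 7, "updated within 7 days",
         "The server is vulnerable to the latest virus",
         "Update the antivirus software and develop procedures for regular updates"),
]


def audit(observed: dict, rules=BASELINE) -> list:
    """Return one Finding per rule that fails or cannot be checked.
    A setting the scan could not read is reported, never silently passed."""
    findings = []
    for rule in rules:
        if rule.setting not in observed:
            findings.append(Finding(
                rule.component,
                f"{rule.setting} could not be read (expected {rule.expected})",
                "Setting not verified",
                "Obtain administrative access to the device and scan again"))
        elif not rule.passes(observed[rule.setting]):
            findings.append(Finding(
                rule.component,
                f"{rule.setting} is {observed[rule.setting]!r}, "
                f"expected {rule.expected}",
                rule.concern, rule.action))
    return findings


def format_table(findings) -> str:
    """Render findings as plain-text rows with the sample table's columns."""
    header = ("System or Network Component | Results and findings | "
              "Concerns or Issues | Recommended Action")
    lines = [header, "-" * len(header)]
    for f in findings:
        lines.append(" | ".join((f.component, f.finding, f.concern, f.action)))
    return "\n".join(lines)


# Constructed scan result from a hypothetical finance database server.
OBSERVED = {
    "min_password_length": 4,            # the sample table's 4-character finding
    "password_complexity": False,
    "screensaver_lock_minutes": None,    # screensaver never locks the console
    "everyone_default_permission": "read",
    "antivirus_signature_age_days": 90,  # about 3 months out of date
}

if __name__ == "__main__":
    print(format_table(audit(OBSERVED)))
```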

Quantifying Risk

We know that risk is the result of threats and vulnerabilities, but how do we measure the risk?
One useful way is to scale risks based on impact and likelihood. Using this method organisational
management can identify the most likely and most damaging risks.
Consider the table that follows. Risk is calculated by multiplying impact and likelihood.
Risk is then scaled between 0 = no risk and 25 = extreme risk.

Quantifying risks
Use this sample risk evaluation table to measure levels of risk posed to the security of a network or system. To find the Risk
Factor, multiply the Impact value by the Likelihood value. Add a new row to the table for each new threat. Recommend
countermeasures to correct and mitigate any risks you identify.

Columns: Threat | Vulnerability | Impact (0=none, 5=extreme) | Likelihood (0=none, 5=extreme) | Risk Factor (0-25) | Comments | Possible Countermeasures and Mitigation Strategy

Threat: Confidentiality of client records (Example: credit card numbers may be gained by unauthorized people)

Vulnerability: Access to information from outside the organization via the internet
Impact: 5   Likelihood: 0   Risk Factor: 0
Comments: Records kept on database server on a separate network segment not accessible via the internet. This risk does not exist because there is no vulnerability.
Possible Countermeasures and Mitigation Strategy: None required as long as the server remains isolated

Vulnerability: Access via internal workstations
Impact: 5   Likelihood: 2   Risk Factor: 10
Comments: Unauthorized person may gain access to the building and computers in the closed segment. Covert employee activity may occur.
Possible Countermeasures and Mitigation Strategy: Increase building access security by introducing security guards and key card access. Employee education on security issues. Implement auditing on sensitive resource accesses.

Vulnerability: Access via failed process and procedures
Impact: 5   Likelihood: 1   Risk Factor: 5
Comments: Procedure checks in place. Copies of shredded printouts may be accessed.
Possible Countermeasures and Mitigation Strategy: Audit procedures and perform spot checks. Locked document destruction bins.


In the above example both impact and likelihood are equally weighted. If an organization
is only concerned with impact, then likelihood may use a smaller scale or not be used at
all to calculate the risk factor.
It is a management decision to accept the risk with consequences and potential cost to the
organization. The alternative is to implement countermeasures or mitigation strategies to
reduce the impact or likelihood. These measures usually come at a cost and management
needs to decide if they wish to spend potentially lots of money to prevent something that
is unlikely to occur.
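The Risk Factor calculation from the 'Quantifying risks' table and the weighting remark above, worked through in Python as an added example that is not the learning guide's own material. The register entries are constructed from the sample table, and the likelihood_weight parameter is this example's own assumed way of expressing 'a smaller scale or not used at all'.

```python
"""Risk Factor = Impact x Likelihood, both on a 0 (none) to 5 (extreme) scale,
giving 0 (no risk) to 25 (extreme risk). A threat with no vulnerability, or a
vulnerability whose likelihood is 0, carries no risk at all.
Added example; the register entries are constructed from the sample table."""
from dataclasses import dataclass, field

MAX_LEVEL = 5                      # top of the Impact and Likelihood scales
MAX_RISK = MAX_LEVEL * MAX_LEVEL   # 25 = extreme risk


@dataclass
class Vulnerability:
    description: str
    likelihood: int          # 0..5
    countermeasure: str = ""


@dataclass
class Threat:
    description: str
    impact: int              # 0..5
    vulnerabilities: list = field(default_factory=list)


def _level(name, value):
    """Reject values outside 0..5 so a typo cannot inflate or hide a risk."""
    if (isinstance(value, bool) or not isinstance(value, int)
            or not 0 <= value <= MAX_LEVEL):
        raise ValueError(f"{name} must be an integer 0..{MAX_LEVEL}, got {value!r}")
    return value


def risk_factor(impact, likelihood, likelihood_weight=1.0):
    """Impact x Likelihood on the 0..25 scale.

    likelihood_weight is this example's (assumed) way of expressing the guide's
    remark that likelihood 'may use a smaller scale or not be used at all':
    1.0 is the equally weighted product used in the table, 0.0 ignores
    likelihood so the factor is driven by impact alone (impact x 5), and values
    in between blend the two. Likelihood 0 means there is no vulnerability, so
    the result is 0 whatever the weight.
    """
    _level("impact", impact)
    _level("likelihood", likelihood)
    if not 0.0 <= likelihood_weight <= 1.0:
        raise ValueError("likelihood_weight must be between 0 and 1")
    if likelihood == 0:
        return 0
    effective = likelihood_weight * likelihood + (1 - likelihood_weight) * MAX_LEVEL
    return round(impact * effective, 1)


def register_rows(threats, likelihood_weight=1.0):
    """One row per (threat, vulnerability), highest Risk Factor first.
    A threat with no listed vulnerability still appears, with risk 0."""
    rows = []
    for t in threats:
        if not t.vulnerabilities:
            rows.append((t.description, "(no vulnerability)", t.impact, 0, 0))
        for v in t.vulnerabilities:
            rf = risk_factor(t.impact, v.likelihood, likelihood_weight)
            rows.append((t.description, v.description, t.impact, v.likelihood, rf))
    return sorted(rows, key=lambda r: r[4], reverse=True)


def apply_countermeasure(threat, vuln_description, new_likelihood, note):
    """Countermeasures reduce likelihood: lower the named vulnerability's
    likelihood (never raise it) and record the measure taken."""
    for v in threat.vulnerabilities:
        if v.description == vuln_description:
            if _level("new_likelihood", new_likelihood) > v.likelihood:
                raise ValueError("a countermeasure cannot increase likelihood")
            v.likelihood = new_likelihood
            v.countermeasure = note
            return v
    raise KeyError(vuln_description)


def sample_register():
    """Constructed from the 'Confidentiality of client records' rows above."""
    return [Threat(
        "Confidentiality of client records (credit card numbers)", impact=5,
        vulnerabilities=[
            Vulnerability("Access from outside the organization via internet", 0,
                          "None required as long as server remains isolated"),
            Vulnerability("Access via internal workstations", 2),
            Vulnerability("Access via failed process and procedures", 1),
        ])]


if __name__ == "__main__":
    for row in register_rows(sample_register()):
        print(f"{row[4]:>5}  I={row[2]} L={row[3]}  {row[1]}")
```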
Prepare Report
As mentioned, your risk assessment findings must be presented using clear
documentation. The report presented to management regarding the status of network
security should include:
 Your summary of concerns and recommendations in plain English
 Summary of findings should include your main concerns, possible consequences
and current network security compliance with existing organization policy and
standards
 Recommendations need to include implementation costs, resources required, time
required, and potential impact on continuing business or systems access.
 A risk summary table including impact and likelihood (weighted if required)
 your methods of evaluation and investigation of network security status.
 any other relevant supporting documentation.
As an IT professional, management will be relying on your skills and judgment in
presenting a clear picture of the current network security status. The key point to remember
here is that management wants to know if the organization is exposed to potential risk,
what is really at risk and how much it will cost in financial terms, time and material to
mitigate the risk.
As IT professionals, we sometimes think in technical terms and do not look at the big
picture. What you present must be understood by non-technical people so that they can
make valid and justifiable business decisions using your information.
Summary
There is a lot of hype about network security and with it comes the potential to spend big
dollars in securing a network. We now know how to assess and evaluate the status of
network security by identifying real and valid threats. Without vulnerabilities to the threat
there is no risk to network security.
We have learnt that there must be some form of access to the network for security breaches to
occur. Evaluating network security means looking at the individual components that make up
the network, investigating how they are accessed, specifically looking for vulnerabilities in
confidentiality, integrity and availability. Third party security evaluation tools are a most
useful resource when used in conjunction with our other findings to formulate
recommendations.
Most importantly, our findings need to be interpreted and presented in a meaningful way with
recommendations that are easily understood. Management makes decisions on acceptable risk
not administrators.

Self check
Part I. Answer the following questions
1. What is network security?
2. What are threats?
3. What are vulnerabilities?

4. Make a list of five things that should be investigated when evaluating the security
status of a network or system.

5. Choose the correct answer from the list below. Security analysis tools can be used to:
a. Test security setting of operating system
b. Determine the network topology
c. Initiate penetration tests
d. Monitor network traffic and protocols
e. All of the above

Part II. Say True or False?


_______ 1. Policies, procedures and work practices have little impact on network
security.
_______ 2. The network administrator decides upon an organization’s acceptable
network security risk levels.
