Chapter 13
Advanced Security and Beyond

At a Glance

Instructor’s Notes
♦ Chapter Overview
♦ Chapter Objectives
♦ Technical Notes
♦ Lecture Notes
♦ Quick Quizzes
♦ Discussion Questions
♦ Additional Activities
Security+ Guide to Network Security Fundamentals, 2e  13-2

Chapter Overview
In this chapter, students will learn about the new and advanced areas of computer security. They will first study computer forensics and how it can be used. Students will then examine some of the new types of defense mechanisms that are available or will be ready shortly. Finally, students will survey the types of security careers and the skills necessary to become a security professional.

Chapter Objectives
After reading this chapter, students will be able to:
♦ Define computer forensics
♦ Respond to a computer forensics incident
♦ Harden security through new solutions
♦ List information security jobs and skills

Technical Notes
HANDS-ON PROJECTS
Project   Hardware Devices Required   Operating System Required   Other Resources
13-1      Computer PC                 Windows XP                  Microsoft Office Suite
13-2      Computer PC                 Windows XP                  Internet connectivity
13-3      Computer PC                 Windows XP                  Internet connectivity
13-4      Computer PC                 Windows XP                  Internet connectivity
13-5      Computer PC                 Windows XP                  Internet connectivity

This chapter should not be completed in one class session, if possible. The subject matter can be covered in anywhere between a 3- to 6-hour period, plus any at-home exercises you wish to assign. It is recommended that you split the chapter into at least two class sessions.

Lecture Notes

Understanding Computer Forensics
Computer forensics can attempt to retrieve information—even if it has been altered or erased—that can be used in the pursuit of the criminal.

Quick Reference
Discuss the reasons why interest in computer forensics is heightened as described on page 447 of the text.

Forensics Opportunities and Challenges
Computer forensics creates opportunities to uncover evidence that would be impossible to find using a manual process. One reason that computer forensics specialists have this opportunity is due to the persistence of evidence. Electronic documents are more difficult to dispose of than paper documents.
Quick Reference
Discuss the ways that computer forensics is different from standard investigations as shown on pages 447 through 449 of the text.

Responding to a Computer Forensics Incident
Generally, responding to a computer forensics incident involves four basic steps similar to those of standard forensics—secure the crime scene, establish a chain of custody, collect the evidence, and examine and preserve the evidence.

Securing the Crime Scene
The physical surroundings of the computer should be clearly documented. Photographs of the area should be taken before anything is touched. Cables connected to the computer should be labeled to document the computer’s hardware components and how they are connected. The team takes custody of the entire computer along with the keyboard and any peripherals.

Establishing the Chain of Custody
As soon as the team begins its work, it must start and maintain a strict chain of custody. The chain of custody documents that the evidence was under strict control at all times and no unauthorized person was given the opportunity to corrupt the evidence.

Preserving the Data
The computer forensics team first captures any volatile data that would be lost when the computer is turned off and moves the data to a secure location. This includes any data that is not recorded in a file on the hard drive or an image backup, such as:
♦ Contents of RAM
♦ Current network connections
♦ Logon sessions
♦ Network configurations
♦ Open files

After retrieving the volatile data, the team focuses on the hard drive. Mirror image backups are considered a primary key to uncovering evidence because they create exact replicas of the computer contents at the crime scene. A mirror image backup, also called a bitstream backup, is an evidence-grade backup because its accuracy meets evidence standards.

Quick Reference
Discuss the criteria for mirror image backups as listed on pages 452 and 453 of the text.
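The imaging and custody steps above (bitstream copy of every sector, proof that the copy is exact, a written custody record), as an added Python example that is not from the textbook or these notes. The "drive" is a constructed temporary file and the examiner name is a placeholder.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # a bitstream image copies every sector, allocated or not

def sha256_of(path):
    """Hash a file in chunks so a large image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(SECTOR * 1024), b""):
            h.update(chunk)
    return h.hexdigest()

def bitstream_image(source, image):
    """Copy source to image one sector at a time; returns sectors copied."""
    sectors = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for sector in iter(lambda: src.read(SECTOR), b""):
            dst.write(sector)
            sectors += 1
    return sectors

def acquire(source, image, custody_log, examiner):
    """Image the source, prove the copy is exact, and append a custody entry.
    Raises instead of logging if the image is not a bit-for-bit replica."""
    before = sha256_of(source)
    sectors = bitstream_image(source, image)
    after = sha256_of(source)          # acquisition must not alter the original
    image_hash = sha256_of(image)
    if not (before == after == image_hash):
        raise RuntimeError("image does not match source; not evidence grade")
    record = {"time_utc": datetime.now(timezone.utc).isoformat(),
              "examiner": examiner, "source": os.path.basename(source),
              "image": os.path.basename(image), "sectors": sectors,
              "sha256": image_hash}
    with open(custody_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")   # one append-only line per action
    return record

def demo():
    """Constructed sample 'drive': 3200 bytes = 6 full sectors plus a partial one."""
    d = tempfile.mkdtemp()
    src, img, log = (os.path.join(d, n) for n in ("drive.bin", "drive.dd", "custody.jsonl"))
    with open(src, "wb") as f:
        f.write(b"EVIDENCE" * 400)
    return acquire(src, img, log, "examiner-01 (placeholder name)")
```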
Examining Data for Evidence
After a computer forensics expert creates a mirror image of a system, the original system should be secured and the mirror image examined to reveal evidence. In short, all of the exposed data should be examined for clues, including all files and any hidden data storage areas. Hidden clues can be mined and exposed as well.

Microsoft Windows operating systems use a special file as a “scratch pad” to write data when sufficient RAM is not available. This file is the Windows page file.

Another source of hidden data is called slack. Windows computers use two types of slack. The first is RAM slack. RAM slack pertains only to the last sector of a file. If additional sectors are needed to round out the block size for the last cluster assigned to the file, then a different type of slack is created. This is known as file slack (sometimes called drive slack) because the padded data that Windows uses comes from data stored on the hard drive. File slack is illustrated in Figure 13-4 on page 455 of the text.

The steps taken by a computer forensics team are summarized in Table 13-1 on page 456 of the text.

Quick Quiz
1. ___________, or the application of science to questions that are of interest to the legal profession, is not limited to analyzing evidence from a murder scene, but can also be applied to technology.
ANSWER: Forensic science
2. One reason that computer forensics specialists have certain opportunities is due to the persistence of ___________.
ANSWER: evidence
3. ___________ the crime scene helps to document that the computer was working prior to the attack.
ANSWER: Securing
4. The ___________ documents that the evidence was under strict control at all times and no unauthorized person was given the opportunity to corrupt the evidence.
ANSWER: chain of custody
5. ___________ backups replicate all sectors of a computer hard drive.
ANSWER: Mirror image

Hardening Security Through New Solutions
The number of attacks reported, the sophistication of the attacks, and the speed at which they spread continue to grow. Defenders are responding to the increase in the level and number of attacks. New techniques and security devices are helping to defend networks and systems.

Quick Reference
Describe the characteristics of recent attacks as shown on pages 457 and 458 of the text. Also, describe some of the most recent developments and announcements as listed on pages 458 and 459 of the text.

Exploring Information Security Jobs and Skills
You explore security jobs and the skills that are needed to perform in that role.
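Returning to the RAM slack and file slack described under Examining Data for Evidence above: an added Python example, not from the textbook or these notes, that locates both slack regions of a file and carves them out of a constructed raw image. The 512-byte sector, the four-sector cluster and the image contents are assumptions made for the sample.

```python
SECTOR = 512
CLUSTER = 4 * SECTOR   # 2 KB clusters; an assumption for this constructed image

def slack_regions(file_size, sector=SECTOR, cluster=CLUSTER):
    """Locate the two slack types described above as (offset, length) pairs,
    measured from the start of the file's first cluster."""
    last_sector_end = -(-file_size // sector) * sector    # round up to a sector
    ram_slack = (file_size, last_sector_end - file_size)  # tail of the last sector
    cluster_end = -(-file_size // cluster) * cluster      # round up to a cluster
    file_slack = (last_sector_end, cluster_end - last_sector_end)  # unused whole sectors
    return ram_slack, file_slack

def carve_slack(image, file_start, file_size):
    """Pull the RAM-slack and file-slack bytes of one file out of a raw image."""
    (ro, rl), (fo, fl) = slack_regions(file_size)
    base = file_start
    return image[base + ro:base + ro + rl], image[base + fo:base + fo + fl]

def build_sample_image():
    """Constructed evidence: one cluster that held a now-deleted memo, later
    reused by a 700-byte file whose last sector Windows padded from RAM."""
    deleted = (b"OLD SECRET MEMO, DELETED LAST WEEK. " * 60)[:CLUSTER]
    image = bytearray(deleted)
    image[0:700] = b"N" * 700                  # the new file's real contents
    (ro, rl), _ = slack_regions(700)
    image[ro:ro + rl] = (b"ram-contents-" * 40)[:rl]   # stand-in for RAM padding
    return bytes(image)

def find_clues(image, file_start, file_size, needle):
    """Report which slack area of a file contains a search string, if any."""
    ram_slack, file_slack = carve_slack(image, file_start, file_size)
    return {"ram_slack": needle in ram_slack, "file_slack": needle in file_slack}
```

A 700-byte file in this layout leaves 324 bytes of RAM slack in its second sector and two whole sectors (1024 bytes) of file slack, which is where the deleted memo survives.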
Employment
The need for information security workers will continue to grow for the foreseeable future. One reason is that companies have recognized the high costs associated with weak security and have decided that prevention outweighs cleanup. Security budgets have been spared the drastic cost-cutting that has plagued IT since 2001. Information security personnel are in short supply, and those that are in the field are being rewarded well. Computer forensics specialists are critically needed.

Certification
Most industry experts agree that security certifications continue to be important. Preparing for the Security+ certification will help you solidify your knowledge and skills in cryptography, firewalls, and other important security defenses.

Job Skills
This section examines some of the most important skills that are demanded of information security workers.

TCP/IP Protocol Suite
One of the most important skills is a strong knowledge of the foundation upon which network communications rests, namely Transmission Control Protocol/Internet Protocol (TCP/IP). Understanding TCP/IP concepts helps effectively troubleshoot computer network problems and diagnose possible anomalous behavior on a network.

Packets
Another important area of study regards packets. No matter how clever the attacker is, they still must send their attack to your computer with a packet. To recognize the abnormal, you must first understand what is normal.

Routers
Routers form the heart of a TCP/IP network. Configuring routers for both packet transfer and packet filtering can become very involved.

Firewalls
Firewalls are essential tools on all networks and often provide a first layer of defense. Network security personnel should have a strong knowledge of how firewalls work, how to create access control lists (ACLs) to mirror the organization’s security policy, and how to tweak ACLs to balance security with employee access.

Intrusion-Detection Systems (IDS)
Security professionals should know how to administer and maintain an intrusion-detection system (IDS). The capabilities of these systems have increased dramatically since they first were introduced, making them mandatory for today’s networks. One problem with IDS is that it can produce an enormous amount of data that requires checking.

Security workers should also be familiar with penetration testing. Once known as “ethical hacking,” penetration testing probes the vulnerabilities in systems, networks, and applications.

Other Skills
A programming background is another helpful tool for security workers.
Computer Forensic Skills
In addition to basic computer and security skills, computer forensic specialists require an additional level of training and skills.

Quick Reference
Discuss the additional level of training and skills as listed on page 462 of the text.

Quick Quiz
1. ___________ can range from 100 million bytes to over a gigabyte and can be temporary or permanent, depending on the version of Windows and settings selected by the computer user.
ANSWER: Windows page files
2. ___________ slack pertains only to the last sector of a file.
ANSWER: RAM
3. ___________ protects computers by recognizing when they are not acting normally.
ANSWER: Behavior blocking
4. ___________ are essential tools on all networks and often provide a first layer of defense.
ANSWER: Firewalls
5. ___________ probes the vulnerabilities in systems, networks, and applications.
ANSWER: Penetration testing

Discussion Questions
1. Why is programming such a valuable tool for security workers?
2. Discuss several different strategies used for examining evidence.

Additional Activities
1. Have students observe normal traffic flow along a network and then activate a sniffer. Once the sniffer is in place, have students chart the differences in network traffic.
2. Have students take a sample Security+ exam and discuss the results.