Week 12 Module

This document provides an overview of basic computer security concepts. It discusses security principles like confidentiality, integrity, and availability. It also describes common security threats such as snooping, eavesdropping, denial of service attacks, and social engineering. Social engineering involves manipulating people into revealing confidential information, such as through impersonation, intimidation, or building trust. The document emphasizes that security requires balancing accessibility with protection from these various threats.

Uploaded by

Wawi Dela Rosa

Computer Security Basics

Security is the practice of controlling access to something (a resource). Computer security has become a vital competency
as the risks from threats such as malware, hacking, and identity fraud become better recognized and increasingly serious.
Security must be balanced against accessibility, however. If a system is completely secure, then no one has access to it,
and it is unusable.

Confidentiality, Integrity, and Availability (CIA)

Secure information has three properties, often referred to by the "CIA Triad."

■ Confidentiality—this means that the information should only be known to authorized users.

■ Integrity—this means that the information is stored and transferred as intended and that any modification is authorized.

■ Availability—this means that the information is accessible to those authorized to view or modify it.

Security Threats

Most organizations would like to think their networks were secure. They have set up user accounts, they have a stringent
accounts policy, and they even audit security related events. But is that all there is to it? To understand security, you must
understand the types of threats that your network faces.

There can be attempts to circumvent your security that come from within and without your network. These attacks could
be malicious or simply implemented by the curious. They could be very technically sophisticated, or laughably simple,
exploiting an oversight on your part for instance.

Let’s look at some of the more common forms of attack, and examples of such attacks.

Confidentiality Concerns

Confidentiality means that information is only revealed to authorized people. This can be compromised in a number of
ways:

■ Snooping—this is any attempt to get access to information on a host or storage device (data at rest) that you are not
authorized to view. An attacker might steal a password or find an unlocked workstation with a logged-on user account, or
they might install some sort of spyware on the host.

■ Eavesdropping/wiretapping—this is snooping on data or telephone conversations as they pass over the network.
Snooping on traffic passing over a network is also often called sniffing. It can be relatively easy for an attacker to "tap" a
wired network or intercept unencrypted wireless transmissions. Networks can use segmentation and encryption to
protect data in-transit.

■ Social engineering/dumpster diving—this means getting users to reveal information or finding printed information. We'll
discuss this topic in more detail later in this unit.

As well as "active" attacks and threats, you should also consider "passive" threats, such as configuration errors or user
error. Copying data to an insecure storage location or attaching the wrong file to an email is just as likely to threaten
data confidentiality as hackers.

Integrity Concerns

Integrity means that the data being stored and transferred has not been altered without authorization. Some threats to
integrity include the following attacks:

■ Man-in-the-Middle (MitM)—where a host sits between two communicating nodes, and transparently monitors,
captures, and relays all communications between them. A MitM may be able to change the messages exchanged between
a sender and receiver without them realizing. To protect against this, senders and receivers must authenticate themselves
and use encryption to validate messages.

One of the most serious frauds to hit consumers is for criminals to hijack money transfers between a client and solicitor.
If the criminal learns about an upcoming major transaction, such as a house purchase, they can try to send or modify the
details of the client account used to fund the purchase so that the unwitting client pays money into a fraudulent account.
You should always try to confirm account details with your representative in person when making this kind of transaction.

■ Replay—where a host captures another host's response to some server and replays that response in an effort to gain
unauthorized access. Replay attacks often involve exploiting an access token generated by an application. The application
needs to use encryption and time-stamping to ensure that the tokens cannot be misused.

■ Impersonation—a common attack is where a person will attempt to figure out a password or other credentials to gain
access to a host. The attacker can then hijack the authorizations allocated to the account and generally masquerade as
that user. There are numerous ways to perform impersonation attacks, but an obvious one is to capture password packets
in transit and work out which part of the packet is the password. Many vendors have addressed this issue, to some extent,
by encrypting the password packets. But the encryption systems used are often not strong enough, and various utilities
are available that allow users to break even encrypted password packets through brute force, given enough time.
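The Replay bullet above says an application must combine encryption (here a keyed MAC) with time-stamping so a captured token cannot be reused. The following is an added example, not code from the module: a constructed token format with a signed issue time and a one-time nonce, and a verifier that rejects tampered, expired and replayed tokens. The key, TTL and field names are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed demo key: a real service loads this from a secrets store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL_SECONDS = 60


def _sign(payload: str) -> str:
    """Keyed MAC over the payload; a forged or edited payload will not verify."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, now: Optional[float] = None) -> str:
    """Issue a token bound to a user, an issue time (iat) and a one-time nonce."""
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    payload = json.dumps({"user": user, "iat": issued_at, "nonce": nonce}, sort_keys=True)
    return payload + "." + _sign(payload)


class TokenVerifier:
    """Server-side check that rejects tampered, stale and replayed tokens."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS) -> None:
        self.ttl = ttl
        self._seen: Dict[str, int] = {}  # nonce -> iat of tokens already accepted

    def _purge(self, now: int) -> None:
        # A nonce older than the TTL can never validate again, so it can be dropped.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self.ttl}

    def verify(self, token: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = int(time.time() if now is None else now)
        if "." not in token:
            return False, "malformed"
        payload, mac = token.rsplit(".", 1)
        # Constant-time comparison so the MAC check does not leak timing.
        if not hmac.compare_digest(mac, _sign(payload)):
            return False, "bad signature"
        fields = json.loads(payload)
        if now - fields["iat"] > self.ttl:
            return False, "expired"
        self._purge(now)
        if fields["nonce"] in self._seen:
            return False, "replayed"  # the same captured token presented twice
        self._seen[fields["nonce"]] = fields["iat"]
        return True, fields["user"]
```

The nonce cache only needs to hold entries for one TTL window, which is what keeps the replay check cheap on a busy server.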

Availability Concerns

Availability means keeping a service running so that authorized users can access and process data whenever necessary.
Availability is often threatened by accidents and oversights as well as active attacks.

■ Denial of Service (DoS)—this is any situation where an attacker targets the availability of a service. A DoS attack might
tamper with a system or try to overload it in some way. On the web, a Distributed Denial of Service (DDoS) uses hosts
compromised with bot malware to launch a coordinated attack against a web service. The size of the botnet determines
how easily the attacker can overwhelm the service.

■ Power outage—if you lose power, then clearly your computers cannot run. Using standby power can help mitigate this
issue. It’s also common for data corruption to occur when a computer is turned off rather than being shut down. Using an
Uninterruptible Power Supply (UPS) can provide a means to safely close down a server if building power is interrupted.

■ Hardware failure—if a component in a server fails, then the server often fails. A hard disk contains moving parts and will
eventually fail. If a disk fails, you will likely lose access to the data on the failed disk and quite possibly lose the data. You
can compensate against hardware failure by provisioning redundant components and servers. The service is then
configured to failover to a working component or server without interruption.

■ Destruction—the loss of a service or data through destruction can occur for a number of reasons. At one extreme, you
might lose a data center through a fire or even an act of terrorism. At the other end of the spectrum, you might lose access
to a server when a person accidentally spills coffee on a server or a malicious person deliberately smashes a computer.
Either way, putting your servers in a physically secure room and controlling access to that room can help protect against
these issues.

■ Service outage—any of the situations above can lead to service unavailability. Many organizations use online,
cloud-based apps and services these days. You need to consider how third-party service failures may affect your data
processing systems. When you decide which cloud provider to use, consider the options they provide for service
availability and fault tolerance.

Authorization, Authentication, and Auditing

To guard against these threats to confidentiality and integrity, data and data processing systems are protected by access
controls. An access control system normally consists of one or more of the following types of controls:

■ Authentication means one or more methods of proving that a user is who they say they are and associates that person
with a unique computer or network user account.

■ Authorization means creating one or more barriers around the resource such that only authenticated users can gain
access. Each resource has a permissions list specifying what users can do. Resources often have different access levels, for
example, being able to read a file or being able to read and edit it.

■ Accounting means recording when and by whom a resource was accessed.

One of the key points to note from the above is "one or more." A security system that depends on one mechanism only is
often not very effective. Providing multiple controls of different types offers much better security.

Social Engineering

Attackers can use a diverse range of techniques to compromise a security system. A prerequisite of many types of attack
is to obtain information about the security system. Social engineering refers to means of getting users to reveal
confidential information or obtaining unauthorized physical access to a resource.

Often, malicious people can start to gain access to your network resources through the use of seemingly innocuous data.
For example, accessing an address list, or contact directory can provide a starting point for attempting to sign in to your
network.

It is also important to note that gaining access to a network is often based on a series of small steps rather than a single
large step. For example, knowing the SSID of a wireless access point enables a person to attempt to connect to a network.
If the connection is ultimately successful, accessing a discarded email message might help a malicious person to determine
the user ID of a standard user. At this stage, the malicious person is well on their way to gaining access to your network.

Impersonation

Impersonation (pretending to be someone else) is one of the basic social engineering techniques.

The classic impersonation attack is for an attacker to phone into a department, claim they have to adjust something on
the user's system remotely, and get the user to reveal their password.

Attackers will generally try one of the following methods:

■ Intimidate the target by pretending to be someone senior in rank.

■ Intimidate the target by using spurious technical arguments and jargon.

■ Coax the target by engaging them in friendly conversation.

Trust and Dumpster Diving

Being convincing or establishing trust usually depends on the attacker obtaining privileged information about the
organization. For example, an impersonation attack is much more effective if the attacker knows the user's name. As most
companies are set up toward customer service rather than security, this information is typically easy to come by.
Information that might seem innocuous, such as department employee lists, job titles, phone numbers, diaries, invoices, or
purchase orders, can help an attacker penetrate an organization through impersonation.

Another way to obtain information that will help to make a social engineering attack credible is by obtaining documents
that the company has thrown away. Dumpster diving refers to combing through an organization's (or individual's) refuse
to try to find useful documents (or even files stored on discarded removable media).

Initial attacks may only aim at compromising low-level information and user accounts, but this low-level information can
be used to attack more sensitive and confidential data and better protected management and administrative accounts.

Identity Fraud

Identity fraud can either mean compromising someone's computer account or masquerading as that person.

To perform the first type of attack, the attacker must discover and subvert the person's authentication credentials. Strong
authentication makes this type of attack much more difficult to perform. Most specific identity frauds are aimed at getting
someone to reveal their logon, or other secure information, through a phishing or other social engineering attack.

Masquerading effectively means subverting the account creation process. It can be mitigated by performing rigorous
identity checks when setting up a new account.

Identity theft is also facilitated by the careless transmission, storage, and disposal of Personally Identifiable Information
(PII).

PII includes things such as full name, birth date, address, Social Security number, and so on. PII may also be defined as
responses to challenge questions, such as "What is your favorite color/pet/movie?" Some bits of information, such as a
Social Security number, are unique to an individual and once lost cannot easily be changed. Others uniquely identify an
individual in combination, such as full name with birth date and street address.

PII is often used for password reset mechanisms and to confirm identity over the telephone.

Shoulder Surfing

Shoulder surfing refers to stealing a password or PIN, or other secure information, by watching the user type it. Despite
the name, the attacker may not have to be in close proximity to the target. They could use high-power binoculars or CCTV
to directly observe the target remotely.

Defeating Social Engineering Attacks

Social engineering is best defeated by training users to recognize and respond to these kinds of situations. Users should
understand what constitutes secure information and know in what circumstances, if any, it should be revealed to other
people.

Users should also have a good understanding of the technical support process, so that it cannot be compromised.

Users should learn always to lock their workstations and mobile devices when leaving them unattended. This helps prevent
so-called "lunchtime attacks," where an attacker gets access to an account via an open desktop. This could allow someone
to masquerade as the user—sending email or starting IM conversations under their user name. Windows can be locked
by pressing START+L or by selecting the option from Start. You can also set the display properties to use a
password-protected screen saver to time out the desktop after so many minutes of inactivity. Users should also take care
when entering a password or PIN in the presence of others.

In terms of physical security, employees need to be trained to be confident enough to challenge unrecognized people or
those without an appropriate security badge. Care should be taken when moving between areas not to leave security
doors open or unlocked.

Business Continuity

Most organizations are reliant to a greater or lesser extent on the availability of their apps and data to continue trading.
Many are also reliant on the continued availability of services, such as cloud storage or apps, that are used within their
organization. Without continuous access to these data and apps, whether held on-premises or in the cloud, organizations
cannot function properly. There can be a significant cost implication for an organization during an outage. Consequently,
it is important that you understand possible risks and common mitigations.

Fault Tolerance and Contingency Planning

To help protect against losing access to a computer system when a component fails, you must implement fault tolerance.
Fault tolerant systems are those that contain additional components to help avoid single points of failure. Business
continuity plans will start with analysis of business processes and assets to identify critical workflows and resources plus
vulnerabilities in those systems. These vulnerabilities can be mitigated by creating contingency plans and resources that
allow the system to be resilient to failures and unexpected outages. Most contingency plans depend on providing
redundancy at both the component and system level. If a component or system is not available, redundancy means that
the service can failover to the backup either seamlessly or with minimum interruption.

Contingency planning does not just involve hardware systems. You might put in place plans for staff to adopt different
working procedures, by temporarily using pen-and-paper records rather than a computer system for instance.

Data Redundancy

Combining hard disks into an array of disks can help to avoid service unavailability due to one or more disks failing. The
Redundant Array of Independent Disks (RAID) standard has evolved to offer a variety of fault tolerant solutions. Different
RAID solutions are defined in numbered levels. Two of the most common levels use redundancy solutions called mirroring
and striping:

■ RAID 1—known also as disk mirroring. RAID 1 uses two disks. Each write operation is performed on both disks so that
one is a mirror of the other. Read operations can use either disk. If one of the disks fails, the array will continue to work.

■ RAID 5—known as striping with parity. At least three disks are combined into a single logical drive. Data is written in
stripes across all disks in the set. A calculation is performed to determine what is known as parity information. The parity
data is written to a different disk with each write operation. In the event of a single disk failure, the parity information in
each stripe of data is used to determine the missing data. If a second disk fails however, then the whole array will fail.
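The RAID 5 bullet above describes parity that rotates across the disks and is used to recompute the contents of a single failed disk. The following is an added example, not code from the module: it lays constructed data out across an array with XOR parity, rebuilds one failed disk from the survivors, and refuses to rebuild when two disks are missing. The parity rotation order and chunk size are assumptions (real controllers vary in layout).

```python
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks; this is the RAID 5 parity calculation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, ndisks: int, chunk: int) -> List[List[bytes]]:
    """Lay data out in stripes across ndisks with one parity chunk per stripe.

    Returns disks[d][s]: the chunk stored on disk d in stripe s.
    """
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_per_stripe = chunk * (ndisks - 1)
    # Pad to whole stripes (constructed simplification of a real controller).
    if len(data) % data_per_stripe:
        data += b"\0" * (data_per_stripe - len(data) % data_per_stripe)
    nstripes = len(data) // data_per_stripe
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(nstripes):
        parity_disk = (ndisks - 1 - s) % ndisks  # parity moves to a different disk each stripe
        stripe = data[s * data_per_stripe:(s + 1) * data_per_stripe]
        chunks = [stripe[i * chunk:(i + 1) * chunk] for i in range(ndisks - 1)]
        parity = xor_blocks(chunks)
        remaining = iter(chunks)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk else next(remaining))
    return disks


def raid5_rebuild(disks: List[Optional[List[bytes]]]) -> List[List[bytes]]:
    """Rebuild exactly one failed disk (marked None) from the surviving disks.

    XOR of every other disk's chunk in a stripe yields the missing chunk,
    whether that chunk held data or parity.
    """
    failed = [d for d, disk in enumerate(disks) if disk is None]
    if len(failed) != 1:
        raise ValueError("RAID 5 can rebuild at most one failed disk, got %d" % len(failed))
    f = failed[0]
    survivors = [disk for disk in disks if disk is not None]
    nstripes = len(survivors[0])
    rebuilt = [xor_blocks([disk[s] for disk in survivors]) for s in range(nstripes)]
    out = list(disks)
    out[f] = rebuilt
    return out  # type: ignore[return-value]


def raid5_read(disks: List[List[bytes]], length: int) -> bytes:
    """Read the original data back, skipping the parity chunk in each stripe."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = (ndisks - 1 - s) % ndisks
        for d in range(ndisks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])
```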

Network Redundancy

Without a network connection, a server is not of much use. As network cards are cheap, it is commonplace for a server to
have multiple cards (adapter fault tolerance). Multiple adapters can be configured to work together (adapter teaming).
This provides fault tolerance—if one adapter fails, the network connection will not be lost—and can also provide load
balancing (connections can be spread between the cards).

Network cabling should be designed to allow for multiple paths between the various servers, so that during a failure of
one part of the network, the rest remains operational (redundant connections). Routers are great fault tolerant devices,
because they can communicate system failures and IP packets can be routed via an alternate device.

Power Redundancy

Network appliances and servers require a stable power supply to operate. Electrical events such as voltage spikes or surges
can crash computers and network appliances, while loss of power from brownouts or blackouts will cause equipment to
fail. Power redundancy means deploying systems to ensure that equipment is protected against these events and that
network operations can either continue uninterrupted or be recovered quickly.

■ Dual power supplies—enterprise servers and networking equipment are often provisioned with two power supply units
so that if one fails, it does not cause power loss.

■ Redundant circuits—critical infrastructure might provision multiple power circuits so that if one fails, there will not be
total power loss across all systems.

■ Uninterruptible Power Supply (UPS)—a UPS is a large battery that can continue to provide power to connected devices
for a few or possibly tens of minutes in the event of building power loss.

■ Backup power generator—as UPS batteries cannot provide power indefinitely, they will not be able to maintain service
during an extended period of building power loss. A local power generator provides redundancy for this sort of eventuality.

Site Redundancy and Replication

To guard against these risks, you must consider implementing service and data replication between multiple data centers.
Replication is the process of synchronizing data between servers and potentially between sites. This replication might be
real-time or bundled into batches for periodic synchronization.

Disaster Recovery

Business continuity and contingency plans put systems and working methods in place to be resilient to failure. Disaster
recovery has a different emphasis; it creates workflows and resources to use when a specific disaster scenario affects the
organization. A disaster could be anything from a loss of power or failure of a minor component to man-made or natural
disasters, such as fires, earthquakes, or acts of terrorism. For each high-risk scenario, the organization should develop a
plan identifying tasks, resources, and responsibilities for responding to the disaster.

Prioritization

In a large-scale disaster, numerous systems that the company depends upon could fail. After a disaster, resources are
likely to be scarce and time pressures severe. Consequently, disaster recovery plans should identify priorities for restoring
particular systems first. This process has to be conditioned by dependencies between different systems. The servers
running the website front-end might not be able to operate effectively if the servers running the database are not
available.

Data Restoration

If a system goes down, there may be data loss. Data can either be restored from backup or by switching over to another
system to which data has been replicated. It is vital that the integrity of the data be checked before user access is
re-enabled. If the data is corrupt or the database system is not working properly, trying to add more data to it could result
in even more severe problems.

Restoring Access

Once the integrity of the failover or restored system has been verified, you can re-enable user access and start processing
transactions again. You might try to restrict user numbers initially, so that the system can be monitored and verified as
working normally.

Securing Devices

Device hardening refers to a set of policies that make mobile and workstation computers and network appliances more
secure. Some options for hardening mobile devices, configuring a screen lock out and encrypting data for instance, were
discussed earlier. Some other typical hardening policies are as follows:

■ Anti-virus/anti-malware—malware is software that aims to damage a computer or steal information from it.
Anti-malware software can detect the presence of malware and prevent it from running. This is discussed in more detail
later in this unit.

■ Patching/updates—OS files, driver software, and firmware may be exploitable by malware in the same way as
applications software. It is important to keep computers and other devices configured with up-to-date patches and
firmware.

■ Enabling passwords—most operating systems allow the use of an account without a password, PIN, or screen lock, but
this does not mean it is a good idea to do so. It makes the device highly exploitable in the event of theft. It could also allow
other users to impersonate the user. All computing devices should be protected by requiring the user to input credentials
to gain access.

■ Default/weak passwords—network devices such as wireless access points, switches, and routers ship with a default
management password, such as "password," "admin," or the device vendor's name. These should be changed on
installation. Also, the password used should be a strong one—most devices do not enforce complexity rules so the onus
is on the user to choose something secure.

It is now standard practice for devices to be shipped with individually configured default credentials, usually placed on a
label on the device or in the instruction manual, or for devices to require a change of password as part of their initial setup.

■ Disabling unused features—any features, services, or network protocols that are not used should be disabled. This
reduces the attack surface of a network device or OS. Attack surface means the range of things that an attacker could
possibly exploit in order to compromise the device. It is particularly important to disable unused administration interfaces
(and to secure those that are used).

■ Removing unwanted/unnecessary software—new computers ship with a large amount of pre-installed software, often
referred to as bloatware. These applications should be removed if they are not going to be used. Similarly, if an application
has been installed in the past but is no longer necessary, it should be removed too. Most device exploits depend on the
attacker having physical access to the unit, though some vulnerabilities can be exploited over a network link.

Malware

Malware is a catch-all term to describe malicious software threats and tools designed to vandalize or compromise
computer systems.

Computer Viruses

Computer viruses are programs designed to replicate and spread amongst computers. Viruses are classified by the
different ways they can infect the computer. For example:

■ Program viruses—these are sequences of code that insert themselves into another executable program or script. When
the application is executed, the virus code becomes active.

■ Macro viruses—these viruses affect Microsoft Office documents exploiting the macro programming language Visual
Basic for Applications (VBA) used to automate tasks.

■ Worms—memory-resident viruses that replicate over network resources, such as email, by exploiting faults in software
programs.

A virus's payload can be programmed to perform many different actions, especially in the case of program and macro
viruses. A virus payload may be programmed to display silly messages, corrupt or delete documents, damage system files,
or to install some sort of spyware to snoop on the user.

Most viruses must be activated by the user and thus need some means to trick the user into opening the infected file.
Email attachment viruses, usually program or macro viruses in an attached file, often use the infected host's electronic
address book to spoof the sender's address when replicating. For example, Jim's computer is infected with a virus and has
Alan's email address in his address book. When Sue gets an infected email apparently sent by Alan, it is the virus on Jim's
computer that has sent the message.

Malware can also be distributed on removable media, such as CD/DVD or USB flash drives. Such media may give a virus
an opportunity to infect the PC if the user chooses to allow the infected application to run via its AutoPlay default action.
Windows' User Account Control (UAC) and AutoPlay configuration settings help mitigate the chances of malware infection
as the user has to explicitly confirm any attempt to install or modify software.

Viruses can also use application exploits to replicate without user intervention, in some circumstances. The most common
scenario is for the malware to be uploaded to a compromised website and to try to trigger exploits in the clients visiting
the site via vulnerabilities in the OS, the web browser, or web browser plug-in. This is referred to as a drive-by download.

Trojans

Other types of malware are not classed as viruses as they do not necessarily try to make copies of themselves. They
represent an even greater security threat than viruses however. A Trojan Horse, often simply called a Trojan, is a program
that pretends to be something else. For example, you might download what you think is a new game, but when you run
it, it deletes files on your hard drive; or when you install what you think is a screensaver, the program includes a hidden
process that sends your saved passwords to another person. There is also the case of rogueware or scareware (fake
anti-virus), where a web pop-up claims to have detected viruses on the computer and prompts the user to initiate a full
scan, which installs the attacker's Trojan.

Many Trojans function as backdoor applications. Once the Trojan backdoor is installed, it allows the attacker to access the
PC, upload files, and install software on it. This could allow the attacker to use the computer in a botnet, to launch
Distributed Denial of Service (DDoS) attacks or mass-mail spam. Trojans are also used by attackers to conceal their actions
as attacks appear to come from the corrupted computer system.

Spyware

Spyware is a program that monitors user activity and sends the information to someone else. It may be installed with or
without the user's knowledge. Aggressive spyware or Trojans known as "keyloggers" actively attempt to steal confidential
information, for example capturing a credit card number by recording key strokes entered into a web form. Another
spyware technique is to spawn browser pop-up windows to try to direct the user to other websites, often of dubious
provenance.

Ransomware

Ransomware is a type of malware that tries to extort money from the victim. One class of ransomware will display
threatening messages, such as suggesting that Windows must be reactivated or suggesting that the computer has been
locked by the police because it was used to view child pornography or for terrorism. This may block access to the computer
by installing a different shell program, but this sort of attack is usually relatively simple to fix. Another class of ransomware
attempts to encrypt data files on any fixed, removable, and network drives. If the attack is successful, the user will be
unable to access the files without obtaining the private encryption key, which is held by the attacker. If successful, this
sort of attack is extremely difficult to mitigate unless the user has up-to-date backups of the encrypted files.

Ransomware uses payment methods such as wire transfer, bitcoin, or premium rate phone lines to allow the attacker to
extort money without revealing his or her identity or being traced by local law enforcement.

Operating System Vulnerabilities

Many attacks and types of malware exploit vulnerabilities in OS or application software. Typically, applications such as
web servers, web browsers and browser plug-ins, email clients, and databases are targeted.

A vulnerability is a design flaw that can cause the application security system to be circumvented or that will cause the
application to crash. Vulnerabilities can usually only be exploited in quite specific circumstances, but because of the
complexity of modern software and the speed with which new versions are released to market, almost no software is free
from vulnerabilities.

Software vendors release security updates (or patches) when such vulnerabilities and exploits are identified.

Preventing Malware Infections

There are numerous sources of malware infection. The route by which malware infects a computer is called the vector.
Some of the main ones are:

■ Visiting "unsavory" websites with an unpatched browser, low security settings, and no anti-virus software.

■ Opening links in unsolicited email.

■ Infection from another compromised machine on the same network.

■ Executing a file of unknown provenance—email attachments are still the most popular vector, but others include file
sharing sites, websites generally, attachments sent via chat/Instant Messaging, autorun USB sticks and CDs, and so on.

■ Becoming victim to a "zero day" exploit. A zero day is some infection mechanism that was unknown to software and
anti-virus vendors. This means that there may be a substantial delay before the vendors can develop a software patch or
anti-virus detection signatures that can mitigate the exploit mechanism.

A number of steps can be taken to reduce the risk and impact of malware infection.

■ Carry out regular backups that allow data to be recovered, in case of loss due to a virus infection.

■ Apply operating system and application security patches.

■ Install and use security (anti-virus) software. This must be kept up to date with updated signatures (or definitions), since
viruses and other malware are continually being developed and the latest signatures offer the most protection.

■ Select security software that scans automatically (on-access). This provides much more reliable protection against web
and email attachment threats.

■ Do not log on with administrative privileges except where necessary. Limit administrative privileges to a few, selected
accounts. Choose strong passwords for these accounts and keep them secure.

■ Exercise care before installing new software, downloading files from the web, opening file attachments, or clicking links
in email messages.

Anti-virus Software

Anti-virus is software that can detect malware and prevent it from executing. The primary means of detection is to use a
database of known virus patterns, called definitions, signatures, or patterns. Another technique is to use heuristic
identification. "Heuristic" means that the software uses knowledge of the sort of things that viruses do to try to spot (and
block) virus-like behavior.

Security software tends to come as either personal security suites, designed to protect a single host, or network security
suites, designed to be centrally managed from a server console. Most anti-virus software is designed for Windows PCs and
networks, as these are the systems targeted by most virus writers, but software is available for Linux and Apple macOS as
well.

Some of the major vendors are Symantec (including the Norton brand), McAfee, Avast/AVG, Trend Micro, Sophos,
Kaspersky, ESET, and BitDefender.

On-access Scanning

Almost all security software is now configured to scan on-access. This reduces performance somewhat but is essential to
maintaining effective protection against malware. When a user or system process accesses a file, the anti-virus software
scans the file and blocks access if it detects anything suspicious.

Most types of software can also scan system memory to detect worms and scan email file attachments, removable drives,
and network drives. Many scanners can also detect websites with malicious scripts or coding.

When configuring anti-virus software, it is vital to configure the proper exceptions. Real-time scanning of some system
files and folders can cause serious performance problems.

Scheduled Scans

As well as on-access scanning, you can initiate a whole computer scan. This might be configured to inspect more file types
than on-access scanning. As this can impact performance, such scans are best run when the computer is not being used
intensively.

Quarantining and Remediating Infected Systems

Malware such as worms propagate over networks. This means that one of the first actions should be to disconnect the
network link.

If a file is infected with a virus, most of the time the anti-virus software will detect the virus and take the appropriate
action. You can configure the default action that software should attempt when it discovers malware as part of a scan.
You can use anti-virus software to try to remove the infection (cleaning), quarantine the file (the anti-virus software blocks
any attempt to open it), or erase the file.

If you cannot clean a file or if the anti-virus software does not detect it and allows the virus to infect the computer, you
should get help by escalating the problem to a support professional, who will research the virus and identify ways of
removing it manually and (possibly) recovering data files.
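The two detection methods (signature database and heuristic rule) and the default actions applied when a scan finds something, as an added example that is not part of the course text. The definitions database, the heuristic rule and the sample files are all constructed; the only signature is the EICAR test string, a harmless file that anti-virus products are built to detect. Cleaning is not modelled, only quarantine and erase.

```python
import os
import shutil
import tempfile

# Constructed definitions database. The one entry is the EICAR anti-virus test string,
# a harmless file that real products are built to detect; no real malware is involved.
SIGNATURES = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}
# Heuristic rule (an assumption of this example): these document/image extensions should
# never start with the "MZ" header of a Windows executable; a file that does is disguised.
DOCUMENT_EXTENSIONS = (".txt", ".pdf", ".jpg", ".png", ".docx")


def scan_file(path):
    """Return a detection name, or None. Signature matches are checked before heuristics."""
    with open(path, "rb") as f:
        data = f.read()
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    if path.lower().endswith(DOCUMENT_EXTENSIONS) and data.startswith(b"MZ"):
        return "Heuristic.DisguisedExecutable"
    return None


def on_access(path, quarantine_dir, action="quarantine"):
    """Emulate the on-access check: scan, then apply the configured default action."""
    detection = scan_file(path)
    if detection is None:
        return ("allow", None)
    if action == "erase":
        os.remove(path)
    else:  # quarantine: move the file aside and strip permissions so opens fail (POSIX semantics)
        os.makedirs(quarantine_dir, exist_ok=True)
        dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
        shutil.move(path, dest)
        os.chmod(dest, 0)
    return (action, detection)


def demo():
    """Create three constructed files in a temporary directory and run the check on each."""
    root = tempfile.mkdtemp()
    quarantine = os.path.join(root, "quarantine")
    files = {
        "eicar.com": SIGNATURES["EICAR-Test-File"],   # matches the signature database
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # executable wearing a document name
        "notes.txt": b"just a note",                   # clean file, access is allowed
    }
    results = {}
    for name, content in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(content)
        results[name] = on_access(path, quarantine)
    results["still_present"] = sorted(os.listdir(root))
    return results
```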

Windows Defender

Windows 10 is tightly integrated with Windows Defender. This anti-virus and anti-malware software combines with
Windows Firewall to help protect your computer from the threats outlined earlier. Microsoft has integrated the two
elements in a single, unified app called Windows Defender Security Center.

You can use the tiles in Windows Defender Security Center to access configuration options for the various security
features.

Spam

Sometimes a malware writer can exploit a serious vulnerability in an OS or application to execute their malware without
the user doing anything. While these exploits are extremely serious, they also tend to be fairly rare, and patches against
them are made available quickly. Consequently, a lot of malware depends on using techniques to trick the user into
running it.

Spam is unsolicited email messages, the content of which is usually advertising pornography, miracle cures for various
unpleasant medical conditions, or bogus stock market tips and investments. Spam is also used to launch phishing attacks
and spread viruses, Trojans, and worms, either through a file attachment or using a link to a malicious website.

Spam needs to be filtered before it reaches the user's inbox. Most email applications now ship with junk mail filters, or
you can install a filter at the organization's mail gateway. The main problem with spam filters is that they can block genuine
messages too, leading to missed communications. Spammers also develop ways to circumvent filters, such as using images
or file attachments.

Consequently, you should learn how to recognize suspicious emails and identify potentially hazardous content.

■ Attachments—any type of executable code is potentially hazardous. Legitimate applications should be digitally signed
with a trustworthy certificate. Other types of files, including office documents and even images, can be used to try to
infect a computer with malware. Often these attacks use some kind of vulnerability discovered in the software application
or operating system. While performing regular system updates and using anti-malware software will protect against many
malicious file attachment threats, you should only open attachments that you were expecting to receive. Unsolicited file
attachments should be confirmed with the sender first.

■ Hyperlinks—malicious code can also be put on a website to try to infect any visiting computers (a drive-by download).
Again, these attacks often depend on exploiting a vulnerability in the browser software or OS. Hyperlinks may also be
disguised and try to divert you from a real website to a fake one with the intention of stealing your credentials. You should
inspect the web address used in a link carefully. It is always safer to retype the address in the browser address bar, rather
than clicking the link.
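The two checks described in the bullets above, executable attachments and disguised hyperlinks, turned into inspection logic, as an added example that is not part of the course text. The list of executable extensions, the URL-shaped-text rule and the sample message are assumptions of this example; every domain in the sample is reserved or fictional.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Extensions that carry executable code (an illustrative list, an assumption of this example)
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi", ".jar")
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def host_of(url):
    """Lowercased host of a URL; assume http:// when the visible text has no scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def disguised_links(html):
    """Links whose visible text reads as a web address on a different host than the real target."""
    found = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()  # drop tags nested inside the anchor
        if LOOKS_LIKE_URL.fullmatch(text) and host_of(text) != host_of(href):
            found.append((text, href))
    return found

def executable_attachments(msg):
    """Attachment names whose extension means 'run me' rather than 'open me'."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(EXECUTABLE_EXTENSIONS)]

def inspect_message(raw):
    """Parse a raw message and report both hazard types."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"attachments": executable_attachments(msg), "links": disguised_links(html)}

def build_sample():
    """Constructed phishing-style message; every domain is reserved or fictional."""
    msg = EmailMessage()
    msg["From"] = "alerts@example-bank.invalid"
    msg["Subject"] = "Verify your account"
    msg.set_content("Please verify your account.")
    msg.add_alternative(
        '<p>Sign in at <a href="http://signin.example-bank.invalid.attacker.example/">'
        "https://www.example-bank.invalid/login</a> or read our "
        '<a href="https://www.example-bank.invalid/help">help page</a>.</p>',
        subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="statement.pdf.exe")
    return msg.as_string()
```

The "help page" link is not reported because its visible text is not URL-shaped; only text that imitates an address for another host is flagged.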

Phishing

Phishing is a technique for tricking a user into revealing confidential information by requesting it in an official-looking
email, perhaps pretending to come from a bank or online store. The email will contain a link to a counterfeit site or to a
valid site that the attacker has been able to compromise. The user is prompted to input confidential data, such as online
bank account numbers and passwords, which are then stolen.

Another technique is to spawn a pop-up window when a user visits a genuine banking site to try to trick them into entering
their credentials through the popup. This sort of attack often employs a technique called "cross-site scripting," where the
attacker uses a flaw in one website to attack or snoop upon another.

A related attack, called pharming, attempts to redirect web traffic to a counterfeit page, usually by corrupting the way the
computer resolves the website name used in the web address to the IP address of a particular server.

Anti-spam

Most email software comes with a built-in filter for junk email. You can typically set how aggressive the filter is in terms
of blocking messages, configure sender "whitelists" and "blacklists," and determine whether spam is quarantined (moved
automatically to a junk mail folder) or deleted.

Using high protection settings will probably increase the number of false positives (genuine messages marked as junk);
decreasing the protection level will increase the number of false negatives (junk messages not marked as spam).

Another important option is disabling links, scripting, and attachments in email marked as suspicious. This helps to defeat
phishing attacks and attempts to infect the computer with viruses.

The same sort of functionality is now starting to be incorporated in Instant Messaging and Voice over IP (VoIP) applications.
Junk IM messages are sometimes referred to as SPIM.

Authentication presents another challenge for secure communications. It is possible to spoof an email address so that it
appears to come from someone else. IM and VoIP applications generally have better protection against this, but it can still
be difficult to verify the actual identity of a contact.

Email and IM/VoIP can be used with digital certificates to prove identity and encrypt communications, but both people
have to be using the same system of digital certificates. Consequently, they are not in widespread use.

Also, if a virus or Trojan has infected a user's computer, it can easily send messages while masquerading as that user.
Even if you think you know the sender—do not open links or attachments in messages if you were not expecting to receive
them.

Software Sources and Patch Management

When installing new software applications or drivers, it is important to obtain the setup files from a legitimate source.
Reputable sources include:

■ Vendor app stores (for example, Windows Store, Google Play Store, Apple App Store).

■ Merchant app stores, such as Amazon Appstore.

■ Authorized resellers, Original Equipment Manufacturer (OEM) vendors, and managed service providers. If in any doubt,
check the reseller or OEM's accreditation.

There are third-party sites claiming to host up-to-date drivers plus drivers for systems that have been "abandoned" by the
original manufacturer. If you need to use a driver from a site such as this, try to research it as much as you can. Search for
references to the site on the web to find out if anyone has posted warnings about it. If you trust the site overall, check for
a forum where other users might have tried a specific driver package and indicated whether it is legitimate or not.

When using a website to install software, always ensure the site is protected and identified by a valid digital certificate
and that the software is being downloaded over a secure HTTPS connection. Ideally, driver software should also be digitally
signed by the vendor, and the vendor's certificate should be trusted by your computer.

Patch Management

Patch management is an important maintenance task to ensure that PCs operate reliably and securely. A patch or update
is a file containing replacement system or application files. The replacement files fix some sort of coding problem in the
original file. The fix could be made to improve reliability, security, or performance.

A Service Pack (SP) is a collection of previous updates but may also contain new features and functionality. While SPs are
not paid for, they do require you to follow the upgrade process to ensure that software and, to a lesser extent, hardware
will be compatible. You should also make a backup before applying a service pack. Service packs can be installed via
Windows Update, downloaded from Microsoft's website, or shipped on disc. The later manufacturing releases of the setup
media tend to include the latest service pack.

Microsoft products are subject to their support lifecycle policy. Windows versions are given five years of mainstream
support and five years of extended support, during which only security updates are shipped. Support is contingent on the
latest Service Pack being applied. Non-updated versions of Windows are supported for 24 months following the release
of the SP.

Windows Update

Windows Update is the website (update.microsoft.com) that Windows uses to manage updates. Windows Update hosts
security patches to fix vulnerabilities in Windows and its associated software plus optional software and hardware updates
to add or change features or drivers.

Only use updates from Microsoft's website. Similarly, only use updates for third-party software applications and device
drivers from the vendor's website. Software and drivers hosted on other sites could be infected with malware.

You can view and configure the Windows Update settings by using the Settings app. Select the Update & Security category,
and then click the Windows Update tab.

You can see that some settings are managed by the organization. This is typical in large organizational networks where it
is important to exert more control over the update process.

You can configure Windows Update to always install updates or to check for approval first and set a schedule for
downloading and installing them. You can also view the update history, which is useful if you need to confirm whether a
specific update has been installed.

Windows Update Scheduling and Frequency

Security and critical updates, known as quality updates, should normally be installed automatically without deferring
them. If updates are not installed promptly, there is a greater risk of the computer being infected by malware. For example,
Windows Defender updates are released daily.

Feature updates introduce new functionality, and therefore pose a small risk to compatibility with other apps or drivers.
For enterprise networks, it is best practice to test feature updates before deploying them, but for small networks and
home users this is impractical.

Microsoft recognizes this issue and has responded by making updates available in a number of different servicing
channels. These are:

■ Windows Insider Program—enables users to get early access to feature updates. Not recommended for most production
machines.

■ Semi-annual channel (targeted)—updates are ready for most people. The only configurable option (aside from Insider
Program) for Windows 10 Home editions. Users receive feature updates as soon as they’re released.

■ Semi-annual channel—updates are ready for widespread use and have been in use for a period of time by those on the
semi-annual channel (targeted). There is less risk posed by updating this way. This option is available for Windows 10 Pro
and Enterprise editions.

■ Long term servicing channel—only available for Windows 10 Enterprise editions on the LTSB channel. This defers feature
updates for a significant period of time and is ideal for specialist devices, such as ATMs, running embedded versions of
Windows.

Application Updates

Software applications, especially those with browser plug-ins, may also need updating with the latest patches. Applications
can contain security vulnerabilities in the same way as the OS. In fact, applications are targeted more aggressively than
Windows itself as attackers recognize that they are less likely to be patched than the OS. Microsoft applications, such as
Microsoft Office, can be updated as part of Windows Update. Applications from other vendors either use their own tools
to detect and install new versions or rely on the user to check manually.

Updating Anti-virus Software

It is particularly important that anti-virus software (or any other type of malware-blocking software) be updated regularly.
Two types of updates are generally necessary:

■ Virus definitions/patterns/signatures—this is information about new viruses. These updates may be made available
daily or even hourly.

■ Scan engine/components—this fixes problems or makes improvements to the scan software itself.

There is usually an option within the software program to download and install these updates automatically.

Driver Updates

Windows ships with a number of core and third-party hardware drivers. Updates for these devices can be obtained via
Windows Update, though they will be listed as optional updates and might not install automatically. Most of the time,
third-party drivers should be obtained from the vendor's website. To update, you download the driver files and install
them using the supplied setup program or extract them manually and save them to the hard disk. You can then use the
device's property dialog in Device Manager to update the driver. You can either scan for the update automatically or point
the tool to the updated version you saved to the hard disk.
