Wednesday, November 11, 2009

Defensive Measures at Data Layer Basic to In-depth Home Computer Security Guide Page 22

Defensive Measures at Data Layer

This is the fourth and core layer of the defense in depth model. The defensive measures that have to be taken at this layer are:

§User must backup his important files

§Use encryption to ensure confidentiality of sensitive data

§File Checksum

§Password Policy

§Login Settings

§Audit Policy Settings

§Event Viewer

User must backup his Important Files

Taking backups of important files is one of the important safety measures to be taken. It’s like keeping a spare tyre in the car while driving. Imagine the situation when one of the car’s tyre punctures and when driver is about to change that, he come to know that he does not have a spare tyre with him? Or what happens if the computer system malfunctions or is destroyed by a successful attacker?

Backing up data is a task user should perform regardless of whether his system is secured or not. As far as security is concerned, this is the last line of defense. If someone gains access to the system and delete files, then user will need to restore them from backup.

Confused!!!- Which file to save and which not. Here is a help to discriminate between the two. Generally files are divided in two broad categories:

• Files which can be replaced: like basic operating system or application files.

• Files which can’t be replaced: like family pictures, letters, invoices and account records etc.

Although it is the best practice to backup the whole system, but the constraint is of space available on the backup media. User can backup data to an external or removable hard drive, a personal tape drive, Zip or Jazz drive, CDburner or a DVD-burner or bare minimum on to floppy. If user has a CD-writer (which may take more than one CD to take full backup) or DVD-writer he can conveniently take the full backup of his system. But if user does not have these two then he has to decide formerly about the files he wants to take backup and according to the space requirement he can select his backup media.

Every Operating System provides the feature to take backups on different media. Apart from that different applications are also available which can take the backups like the application which come with CD- writer or DVD-writer.

There is an in-built program that comes with Windows Operating System which is called as “Backup”. It is located at Start>Programs>Accessories>System Tools, and is quite easy to operate. User just has to select the files for backup and the destination where he want to store.

How and where should user store his backup media after he backup data to them? Well, user needs to store them in a safe place—remember that they contain files that are virtually irreplaceable if lost or damaged. If user does not have a secure storage area, it must not let this to prevent him from doing regular backups: any backup is better that no backup!

The definition of regularity depends on the comfort level of the user, i.e. how much work is one prepared to lose? A daily backup would be ideal but a weekly backup might be more viable.

Use encryption to ensure confidentiality of sensitive data

With the newer versions of Windows, i.e. Windows 2000 and XP, the user can use the Encrypting File System (EFS) to encrypt important data files. By using such encryption, an intruder who gets through the entire defense in depth layers and tries to access encrypted files or folders will be prevented from doing so. The intruder will receive an access denied message if he tries to open, copy, move, or rename an encrypted file or folder, unless the intruder has determined the UID and password of either the system administrator or the user who created the encrypted file.

Once a file or folder is encrypted, the user can work with the encrypted file or folder just as he would with any other file and folder since encryption is transparent to the user that encrypted the file. This means that the user does not have to decrypt the encrypted file before using it.

A file or a folder can be encrypted, subject to the following constraints, by using Explorer selecting the file/folder and clicking on the “Encrypt contents to secure data” attribute on the advanced features of the properties page:

• Can only encrypt files and folders on NTFS file system volumes.

• Compressed files or folders cannot be encrypted.

• System files cannot be encrypted.

If the user should ever lose their file encryption certificate and associated private key (through disk failure or any other reason), then data recovery is available through the person who is the designated recovery agent.

Of course if the use of EFS is not an option, then a knowledgeable user could use PGP for this sort of encryption. However, using PGP would not be transparent like using EFS. PGP Freeware is available for non-commercial use.

Apart form these; if the user is not using EFS or PGP, then he should use at least NTFS (NT File System), which gives file level user security. Windows 9x does not support NTFS file system, a user should have at least Windows NT or above to use NTFS.

File checksum

File Checksum is a utility that computes MD5 or SHA1 cryptographic hashes for files. The File Checksum utility can generate MD5 or SHA-1 hash values for files to compare the values against a known good value. It can compare hash values to make sure that the files have not been changed. It can also compute hashes of all critical files and save the values in an XML file database. It could be used to check the changes or compromise of the computer against the XML database to determine which files have been modified.

Users are advised to calculate checksum of all the system files and compare them regularly against the threat of Trojans or backdoors.

Password Policies

Importance of a password

·Password represents the identity of an individual for a system.

·This helps individuals protect personal information from being viewed by unauthorized users. Hence it is important to secure passwords.

·Passwords acts like a barrier between the user and his personal information.


·Use at least 8 characters or more to create a password. More number of characters we use, more secure is our password.

·Use various combinations of characters while creating a password. For example, create a password consisting of a combination of lower case, uppercase, numbers and special characters etc.

·Avoid using the words from dictionary. They can be cracked easily.

·Create a password such that it can be remembered. This avoids the need to write passwords somewhere, which is not advisable.

·A password must be difficult to guess.

Countermeasures for Choosing a Good Password and Safeguarding Passwords

·Do not use a password that represents you personal information like nicknames, phone numbers, date of birth etc.

· Change the password once in a month or when you suspect someone knows the password.

·Do not use a password that was used earlier.

·Be careful while entering password when someone is sitting beside you.

·Never write a password on paper to store it. The brain is the best place to store it.

· Do not reveal your password to anyone, not even to the system administrator.

· Store the passwords on computer with the help of an encryption utility.

·Do not use the name of things located around you as passwords for your account.


No comments:

Post a Comment

You Have Successfully Posted the Message.