RMC+MO+Data+&+Network+Security+10 1+-+User+Device+Security

Uploaded by

anikethg2009
Unit 10 - Data & Network Security
Section 10.1: User Device Security
Log in to the Cyber Range & open the Windows machine (target.example.com) in the LCPS Cyber exercise environment
Open the Windows Server 2019 virtual machine (target.example.com)
Unit Learning Objectives

BUS6302.48 Describe the cyberattack surface of various organizations.
BUS6302.64 Identify the prevention of and protections against cyber threats.
BUS6302.74 Identify ways to control and protect personal data.
BUS6302.83 Explain how businesses and individuals can protect themselves against threats to their data (e.g. firewalls, encryption, disabling, backups, permissions).
BUS6302.88 Identify best practices for protecting operating systems.
This Lesson’s Essential Questions

1. What is a cyberattack surface?
2. What can be done to “harden” an individual user device to reduce its vulnerability to attack?
Cyberattack Surface

• Cyberattack surface refers to all the digital & physical vulnerabilities in an organization’s hardware & software environment.
– It is all of the vulnerabilities an unauthorized user can potentially use to access & steal data.
– The goal is to minimize the threat attack surface as much as possible.
Primary Categories of
Cyberattack Surfaces
• Devices
– These are all the different devices that access
an organization’s network & its data
• User devices (workstations, laptops, mobile
devices)
• Network devices (network printers, servers,
switches, routers, etc.)
• Internet of Things (IoT) devices
Primary Categories of
Cyberattack Surfaces (cont.)
• People
– People are the most vulnerable cyberattack surface
because they can be tricked by social engineering
attacks that enable malicious actors to gain access to
a network & its data.
• 95% of malicious data breaches are attributed to social
engineering of some type.
– Personnel training is the best method to reduce this
vulnerability.
Section 10.1.1
Protecting Data at Rest:
Encrypting Drives
Protecting Data at Rest
• Drive encryption
– Renders data unreadable without the encryption key to
unlock it
– Encryption is the best defense in protecting the
confidentiality of data
• BitLocker
– Software that encrypts data to protect against attacks and
theft
– Included with Windows operating system; for Windows PCs
only
• FileVault
– Encryption software in the Apple operating system
Protecting Data at Rest
(continued)
• Trusted Platform Module (TPM)
– The TPM is a special chip located in the Windows
computer’s hardware that runs authentication checks on
hardware, software, and firmware
• If there is no TPM on the machine, BitLocker will require
either a password or a start-up key loaded on a USB flash
drive in order to work.
• BitLocker To Go is used for encrypting portable drives like
flash drives.
Section 10.1.2
Antivirus Software
Defense Against Malware:
Antivirus Software
• Sometimes known as anti-malware software
• Designed to detect, prevent, and take action to disarm or remove
malicious software such as viruses, worms, & Trojan horses
– May also prevent and remove unwanted spyware and adware
• What it does
– Check your computer programs and compare them to known types of
malware
• Scans files, comparing specific bits of code against information in its database
• If it finds a pattern duplicating a known virus, it will quarantine or delete that
particular file.
– Scan computer for behaviors that may signal the presence of new,
unknown malware
Antivirus Software Scans

• Signature-Based Detection – checks all the executable programs and files & validates them against a known list of viruses & other types of malware
– Specific Detection – looks for known malware by a specific set of characteristics
– Generic Detection – looks for malware that are variants of known “families” of malware related by a common codebase
• Heuristic Detection – scans for previously unknown viruses by looking for known suspicious behavior or file structures
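The three detection types above, side by side, as an added example that is not part of the original slides. The sample byte strings, the definition database and the names in it are all constructed for illustration; the heuristic shown (content that does not match the file extension) is one simple instance of a suspicious file structure.

```python
import hashlib

# Constructed stand-ins for files on disk; none of these bytes is real malware.
KNOWN_BAD = b"constructed sample A: demo-family loader v1"
VARIANT = b"constructed sample B: demo-family loader v2, recompiled"
DISGUISED = b"MZ\x90\x00 constructed executable header saved as a .pdf"
CLEAN = b"%PDF-1.7 constructed clean document"

# Hypothetical definition database, in the three tiers the slide names.
EXACT_HASHES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Demo.A"}
FAMILY_PATTERNS = {b"demo-family loader": "Demo (family)"}
EXPECTED_MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG"}


def scan(filename: str, data: bytes) -> tuple[str, str]:
    """Return (detection type, detail) for one file."""
    # Specific detection: the whole file matches one known sample.
    digest = hashlib.sha256(data).hexdigest()
    if digest in EXACT_HASHES:
        return ("specific", EXACT_HASHES[digest])
    # Generic detection: a byte pattern shared by a malware family.
    for pattern, family in FAMILY_PATTERNS.items():
        if pattern in data:
            return ("generic", family)
    # Heuristic detection: suspicious structure, here a file whose
    # content does not start with the bytes its extension promises.
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    if ext in EXPECTED_MAGIC and not data.startswith(EXPECTED_MAGIC[ext]):
        return ("heuristic", f"content does not match {ext}")
    return ("clean", "")


if __name__ == "__main__":
    for name, data in [("a.exe", KNOWN_BAD), ("b.exe", VARIANT),
                       ("invoice.pdf", DISGUISED), ("report.pdf", CLEAN)]:
        print(name, scan(name, data))
```

A one-byte change to the known sample no longer matches the exact hash, which is why the generic and heuristic tiers exist alongside it.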
Antivirus Software Features

• Background Scanning
– Also known as on-access scanning
– Scans all the files that you open (programs, files being opened by
programs)
– Gives real-time protection, safeguarding the computer from
threats & other malicious attacks
• Full System Scans
– Scans your entire system, starting with the boot record, then
every file
– Normally done when antivirus software is initially installed and
when antivirus software is updated (ensures your system hasn’t
been infected with malware unknown prior to update)
Antivirus Software Features
(continued)

• Virus Definitions
– Malware definitions contain signatures for new
viruses and malware considered “wild”
– If malware is detected, the antivirus software
stops the file from executing & moves it
to quarantine
– Malware definitions must be kept up-to-date
Methods for Employing
Antivirus Software
• Application built into operating system
– Windows Defender®
– Built-in malware protection in Apple’s
Mac® Operating System (Gatekeeper,
XProtect, malware removal tool)
• Separate application installed on an
operating system (normally must be
purchased)
– Norton Antivirus®
– McAfee Antivirus®
– Kaspersky Antivirus®
– Others
Where is Antivirus
Software Installed?
• Host-Based
– Installed on the actual device (computer, mobile
device, etc.)
• Network-Based
– Installed on servers or perimeter firewall
– Designed to stop viruses, worms, etc., at the
perimeter of the network before they can even get
to the individual machines on the network
Section 10.1.3
Hardening the
Device
You should already be in the
Windows Server 2019
(target.example.com)
virtual machine.
Access the Windows Administrative Tools
• Click on the Windows icon in the lower left of the terminal window.
• Click on the Windows Administrative Tools button.
1. Click the Windows Icon first.
2. Select Windows Administrative Tools
Access the Local
Security Policy Options
• Double-click on
the Local
Security Policy
option.
Access the Password
Policy Settings
• Click on the
drop-down arrow
for Account
Policies.
• Click on Password
Policy to display the
password policies in
the pane on the
right.
Each property has two tabs: the Setting tab &
the Explain tab. You can click the Explain tab to
get an explanation of the specific setting.
Enforce Password History

• This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused.
• The value must be between 0 and 24 passwords.
• Set this policy to 5 passwords remembered.
Maximum Password
Age
• This security setting determines the
period of time (in days) that a password
can be used before the system requires
the user to change it.
• You can set passwords to expire after a
set number of days between 1 and 999.
• You can specify that passwords never
expire by setting the number of days to
0.
• Set the password to expire in 90 days
and click Ok.
Minimum Password
Age
• This security setting determines the period of time (in
days) that a password must be used before the user can
change it.
• You can set a value between 1 and 998 days, or you can
allow changes immediately by setting the number of days
to 0.
• The minimum password age must be less than the
Maximum password age, unless the maximum password
age is set to 0, indicating that passwords will never expire.
If the maximum password age is set to 0, the minimum
password age can be set to any value between 0 and 998.
• This setting is used in conjunction with the Enforce
Password History. You want to set this to at least 1 to
prevent a user from immediately changing their password
over and over until they can recycle their old one.
• Change this setting to 5 days and click Ok.
Minimum Password
Length
• This security setting determines the least
number of characters that a password
for a user account may contain.
• You can set a value of between 1 and 14
characters, or you can establish that no
password is required by setting the
number of characters to 0.
• Set the password length to 10 characters
and click Ok.
Minimum Password Length Audit

• This security setting determines the minimum password length for which
password length audit warning events are issued. This setting may be
configured from 1 to 128.
• You should only enable and configure this setting when trying to
determine the potential impact of increasing the minimum password
length setting in your environment.
• If this setting is not defined, audit events will not be issued.
• If this setting is defined and is less than or equal to the minimum
password length setting, audit events will not be issued.
• If this setting is defined and is greater than the minimum password
length setting, and the length of a new account password is less than this
setting, an audit event will be issued.
• Leave as undefined and click Cancel.
Password Must Meet
Complexity Requirements
• This security setting determines whether passwords
must meet complexity requirements.
• If this policy is enabled, passwords must meet the
following minimum requirements:
– Not contain the user's account name or parts of the
user's full name that exceed two consecutive characters
– Be at least six characters in length
– Contain characters from three of the following four
categories:
• English uppercase characters (A through Z)
• English lowercase characters (a through z)
• Base 10 digits (0 through 9)
• Non-alphabetic characters (for example, !, $, #, %)
• Complexity requirements are enforced when
passwords are changed or created.
• Keep the setting as Enabled and click Ok.
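The three complexity rules listed above, written as a check, as an added example that is not part of the original slides or Windows' own code. The function name, the way the full name is split into parts, and the sample user are assumptions made for illustration.

```python
import re
import string


def complexity_problems(password: str, account_name: str, full_name: str) -> list[str]:
    """Return the complexity rules a new password breaks (empty list = accepted)."""
    problems = []
    lowered = password.lower()

    # Rule 1: no account name and no part of the full name longer than two
    # characters. Assumption: the full name is split on whitespace, commas,
    # periods, hyphens and underscores, and the match ignores case.
    for part in [account_name] + re.split(r"[\s,.\-_]+", full_name):
        if len(part) > 2 and part.lower() in lowered:
            problems.append(f"contains name part '{part}'")

    # Rule 2: at least six characters.
    if len(password) < 6:
        problems.append("shorter than six characters")

    # Rule 3: characters from three of the four categories.
    categories = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(categories) < 3:
        problems.append(f"uses {sum(categories)} of 4 character categories")
    return problems


if __name__ == "__main__":
    # Constructed user and candidate passwords.
    for candidate in ["Summer2024", "jane!1", "abcdefghij", "Ab1!"]:
        print(candidate, complexity_problems(candidate, "jdoe", "Jane Doe"))
```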
Store Passwords Using
Reversible Encryption
• This security setting determines whether the
operating system stores passwords using
reversible encryption.
• Storing passwords using reversible encryption is
essentially the same as storing plaintext
versions of the passwords since the encryption
can be cracked.
• By disabling this option, the hashes of the
passwords are stored, making them more
secure.
– Note: Disabling does not mean passwords are
stored as plaintext.
• Keep this setting as Disabled and click Ok.
Account Lockout Policy

• You can set policies that will lock the user out of the account based on failed login attempts.
• Click the Account Lockout Policy option in the left frame. The different lockout policy options appear in the center frame.
Account Lockout
Threshold
• Click on Account lockout threshold (the middle
option).
• This security setting determines the number of
failed logon attempts that causes a user
account to be locked out.
• A locked-out account cannot be used until it is
reset by an administrator or until the lockout
duration for the account has expired. You can
set a value between 0 and 999 failed logon
attempts. If you set the value to 0, the account
will never be locked out.
• This setting must be set first before any of the
other options can be set.
• Set the threshold for 5 invalid logon attempts.
Account Lockout
Threshold (continued)
• Once you set an account lockout
threshold policy, Windows will
recommend suggested settings
for the other two account
lockout policies.
• Accept the suggested settings
and click Ok.
• You will now be able to edit the
other two policies if desired.
Account Lockout
Duration
• This security setting determines the number
of minutes a locked-out account remains
locked out before automatically becoming
unlocked. The available range is from 0
minutes through 99,999 minutes.
– If you set the account lockout duration to 0,
the account will be locked out until an
administrator explicitly unlocks it.
• If an account lockout threshold is defined,
the account lockout duration must be
greater than or equal to the reset time.
• Leave as the default setting and click Ok.
Allow Administrator
Account Lockout
• This security setting
determines whether the
built-in Administrator account
is subject to account lockout
policy.
• Leave the setting as Enabled
and click Ok.
Reset Lockout Counter
After
• This security setting determines the
number of minutes that must elapse
after a failed logon attempt before the
failed logon attempt counter is reset to 0
bad logon attempts. The available range
is 1 minute to 99,999 minutes.
• If an account lockout threshold is
defined, this reset time must be less
than or equal to the Account lockout
duration.
• Leave as the default setting and click
Ok.
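To confirm the password and lockout settings after clicking through the dialogs, the policy can be exported with `secedit /export /cfg policy.inf` and checked by script. The following is an added example, not part of the original slides: the sample export text is constructed, and treating a value of 0 or below as "never" is an assumption about the export.

```python
import configparser

# Constructed sample of the [System Access] section written by
# `secedit /export /cfg policy.inf` (a real export file is UTF-16 text).
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 5
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 10
ClearTextPassword = 0
"""

# Values this lesson sets, keyed by the export's setting names.
LESSON = {"PasswordHistorySize": 5, "MaximumPasswordAge": 90,
          "MinimumPasswordAge": 5, "MinimumPasswordLength": 10,
          "PasswordComplexity": 1, "ClearTextPassword": 0, "LockoutBadCount": 5}


def audit(inf_text: str) -> list[str]:
    """Compare exported settings with the lesson values and the range rules."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the export's key capitalisation
    parser.read_string(inf_text)
    s = {k: int(v) for k, v in parser["System Access"].items()
         if v.lstrip("-").isdigit()}
    findings = [f"{k} is {s.get(k)}, lesson value is {want}"
                for k, want in LESSON.items() if s.get(k) != want]
    # Assumption: a value of 0 or below in the export means "never".
    min_age, max_age = s.get("MinimumPasswordAge", 0), s.get("MaximumPasswordAge", 0)
    if max_age > 0 and min_age >= max_age:
        findings.append("minimum password age is not less than maximum password age")
    if s.get("PasswordHistorySize", 0) > 0 and min_age == 0:
        findings.append("password history can be cycled because minimum age is 0")
    duration, reset = s.get("LockoutDuration", 0), s.get("ResetLockoutCount", 0)
    if s.get("LockoutBadCount", 0) > 0 and 0 < duration < reset:
        findings.append("lockout duration is shorter than the reset time")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INF):
        print("FINDING:", finding)
```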
Restrict the Ability for
Administrator Account to Log On
Remotely
• You want to ensure that the administrator is on
the actual computer and not logging in
remotely through the network.
– This minimizes the ability of an attacker to gain
administrator access to the computer.
• These restrictions can be set in the User Rights
Assignment policies in Windows®.
Access the User Rights
Assignment Policies
• Expand the tree (click
on the arrows to show
the options):
– Local Policies
– User Rights
Assignment
• Scroll to the Deny log
on section
Deny Access to the
Computer from the
Network
• Deny access to the computer from
the network for the Administrator
account
• Won’t allow anyone to log in to
those accounts without actually
being on the computer itself
• To add users or groups to this policy,
click Add User or Group…
Deny Access to the
Computer from the Network
(continued)
• Type in the word Administrator
and click the Check Names button.
• If that user or group exists, it will
appear with the Location (from the
box above it) in front of the name.
• Click Ok to accept the user.
• Click Ok on the next screen to set
the policy.
• This process can be done for any
user or group.
Deny Log On as a Batch
Job
• Deny ability to log on as a batch
job for Administrator & Guest
accounts
– Batch job – sequence of
commands to be executed by
the operating system that are
listed in a file and submitted for
execution as a single unit
• Prevents attacker from hiding
login attempt in a batch job
Deny Log On as a Batch
Job (continued)
• Note that this dialog box is similar to
the one for the previous policy.
• Click Add User or Group…
• Add the following accounts, using
Check Names to confirm it selects
the profiles for these accounts:
– Administrator
– Guest
Deny Log On as a Service
• Log on as a service – allows accounts
to start network services or services
that run continuously on a computer,
even when no one is logged on to
that console
• Setting restricts remote access to
those services by someone logged in
as the administrator
• Add the Administrator profile the
same way you did for previous
policies.
Deny Log On Through
Remote Desktop Services
• Remote Desktop Services – feature
on Microsoft Windows Server that
allows remote access to the
computer desktop (can access and
work on computer from remote
location)
• Denying this feature for administrator
prevents someone from remotely
accessing and controlling the
computer
• Add the Administrator profile the
same way you did for previous policies.
Completed User Rights
Assignment Policies
• Once all policies are
set, you will be able
to see that you have
set those policies on
the Administrator or
Guest accounts.
• These same policies
can be set for any
user account
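
The four "Deny ..." policies set above can be verified from the [Privilege Rights] section of a `secedit /export` file. This is an added example, not part of the original slides: the sample export text and the SID in it are constructed, and the function names are hypothetical.

```python
import configparser
import re

# Constructed sample of the [Privilege Rights] section of a
# `secedit /export` file; the SID below is made up for the example.
SAMPLE_INF = """\
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-500
SeDenyBatchLogonRight = Administrator,Guest
SeDenyRemoteInteractiveLogonRight = Guest
"""

# Accounts the lesson adds to each "Deny ..." policy (network, batch job,
# service, Remote Desktop Services), keyed by the export's right names.
REQUIRED = {
    "SeDenyNetworkLogonRight": {"administrator"},
    "SeDenyBatchLogonRight": {"administrator", "guest"},
    "SeDenyServiceLogonRight": {"administrator"},
    "SeDenyRemoteInteractiveLogonRight": {"administrator"},
}
# Built-in accounts keep these relative IDs even when they are renamed.
BUILTIN_RIDS = {"500": "administrator", "501": "guest"}


def account_of(entry: str) -> str:
    """Map an export entry (a name or *SID) to a lower-case account name."""
    match = re.fullmatch(r"\*S-1-5-21(?:-\d+)+-(\d+)", entry.strip())
    if match:
        return BUILTIN_RIDS.get(match.group(1), entry.strip().lower())
    return entry.strip().lower()


def missing_denies(inf_text: str) -> dict[str, list[str]]:
    """Return, per deny right, the lesson accounts that are not listed."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the export's key capitalisation
    parser.read_string(inf_text)
    rights = dict(parser["Privilege Rights"])
    gaps = {}
    for right, wanted in REQUIRED.items():
        listed = {account_of(e) for e in rights.get(right, "").split(",") if e.strip()}
        if wanted - listed:
            gaps[right] = sorted(wanted - listed)
    return gaps


if __name__ == "__main__":
    print(missing_denies(SAMPLE_INF))
```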
