Securing Resources

Lesson 2: Securing resources and services
Objective: Coordinate permissions, services and settings to protect services.

Securing Resources and Services

Securing each resource and service is key to implementing an effective security system. This step involves some or all of the following actions:
  1. Changing server and system defaults
  2. Removing extraneous services
  3. Constantly monitoring public connections (VPNs, modem banks, and Web and FTP servers)
  4. Ensuring physical security
  5. Locking down registry keys and password files

Coordinating Methods and Techniques

One of the more important concepts in securing resources is the ability to coordinate methods and techniques so that if a hacker defeats one method, your system can counter with another. As you coordinate services, address each one separately and change the default settings. Network security systems should not depend upon only one type of security such as authentication, encryption, or auditing.
  • Hard disk configuration: Configure your hard disk for optimum security. Typically, a hard disk is configured so that
    1. One partition is used for the operating system only
    2. Another partition or disk is used for the services or daemons running on the server
    3. A third partition or disk is used only for data storage
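The separate-partition layout above is what makes it possible to mount the services and data filesystems with restrictive options. The following is an added example, not part of the lesson: it compares a single-partition fstab with the three-partition layout and checks that the non-OS filesystems exist and carry the options a practitioner would typically require (the nodev/nosuid/noexec options are an assumption that goes beyond the lesson text; the fstab contents are constructed).

```python
# Added example (not from the lesson): verify that /srv (services) and /data
# (data storage) are separate filesystems with restrictive mount options.
# The options required by POLICY are an assumption, not lesson text.

# Constructed fstab: everything on one partition (the weak layout).
WEAK_FSTAB = """\
/dev/sda1  /      ext4  defaults  0 1
"""

# Constructed fstab: OS, services and data on separate filesystems.
HARDENED_FSTAB = """\
/dev/sda1  /      ext4  defaults                      0 1
/dev/sda2  /srv   ext4  defaults,nodev,nosuid         0 2
/dev/sdb1  /data  ext4  defaults,nodev,nosuid,noexec  0 2
"""

# Mount point that must be its own filesystem -> options it must carry.
POLICY = {
    "/srv":  {"nodev", "nosuid"},            # services or daemons
    "/data": {"nodev", "nosuid", "noexec"},  # data storage only
}

def parse_fstab(text):
    """Return {mountpoint: set(options)} for every non-comment fstab line."""
    mounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts

def check_layout(text, policy=POLICY):
    """Return a list of findings; an empty list means the layout meets the policy."""
    mounts = parse_fstab(text)
    findings = []
    for mountpoint, required in policy.items():
        if mountpoint not in mounts:
            findings.append(f"{mountpoint}: not a separate filesystem (shares the OS partition)")
            continue
        missing = required - mounts[mountpoint]
        if missing:
            findings.append(f"{mountpoint}: missing mount options {sorted(missing)}")
    return findings

if __name__ == "__main__":
    for name, fstab in (("weak", WEAK_FSTAB), ("hardened", HARDENED_FSTAB)):
        print(name, check_layout(fstab) or "OK")
```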

The following section discusses combining security techniques.


Securing Resources and Services by Combining Techniques

A successful security system is a matrix, or a combination of individual methods, techniques, and subsystems. Whenever possible, you want to use as many security principles and techniques as possible to protect each resource. For instance, a network that relies solely upon authentication is not nearly as secure as one that combines authentication, access control, and encryption. Similarly, your site is better protected by packet filtering at the router combined with a firewall backed up by user authentication and intrusion detection.
  • Intrusion Detection: An intrusion detection system (IDS) comprises several key elements that work together to identify and alert on potential security threats. The main components of an IDS include:
    1. Sensors: Collect network traffic or log data from various sources, such as network devices, servers, or endpoints.
    2. Analysis Engine: Examines the collected data using rules, signatures, and anomaly detection techniques to identify potential threats.
    3. Signature Database: Contains known attack patterns and signatures, which are used to match against collected data.
    4. Anomaly Detection: Uses machine learning or statistical methods to identify unusual behavior that may indicate a threat.
    5. Event Management: Handles and processes alerts, including filtering, prioritization, and notification.
    6. Reporting and Visualization: Provides graphical interfaces and reports to help analysts understand and respond to detected threats.
    7. Response Mechanisms: Triggers actions, such as blocking traffic or alerting security teams, in response to detected threats.
    8. Integration: Combines with other security tools, like firewalls and security information and event management (SIEM) systems, to enhance overall security posture.

    These elements work together to detect and alert on potential security threats, enabling organizations to respond quickly and effectively to potential intrusions. Detecting and responding to network attacks and malicious code is one of the principal responsibilities of information security professionals. Formal techniques and procedures have been developed by expert practitioners in the field to provide a structured approach to this difficult problem.
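To show how the components listed above fit together, here is an added example (not from the lesson or any IDS product): a minimal pipeline that takes sensor input (constructed Web-server log lines), runs a signature database and a simple anomaly baseline in the analysis engine, passes the events through event management, and maps them to a response. The signature, the failed-login baseline and the response table are illustrative assumptions.

```python
# Added example (not from the lesson): the IDS components wired together
# over constructed access-log lines of the form "client method path status".
from collections import Counter

# Sensor input: constructed log lines, not real traffic.
LOG_LINES = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.9 GET /cgi-bin/../../etc/passwd 404",
    "10.0.0.7 POST /login 401",
    "10.0.0.7 POST /login 401",
    "10.0.0.7 POST /login 401",
    "10.0.0.7 POST /login 401",
]

# Signature database (assumed): substring -> (event name, priority).
SIGNATURES = {"../": ("path-traversal", "high")}

# Anomaly baseline (assumed): failed logins per client above this are unusual.
FAILED_LOGIN_BASELINE = 3

# Response mechanism (assumed): priority -> action.
RESPONSES = {"high": "block-client", "medium": "notify-analyst", "low": "log-only"}

def analyze(lines):
    """Analysis engine: return (client, event name, priority) tuples."""
    events, failures = [], Counter()
    for line in lines:
        client, method, path, status = line.split()
        for signature, (name, priority) in SIGNATURES.items():
            if signature in path:
                events.append((client, name, priority))
        if path == "/login" and status == "401":
            failures[client] += 1
    for client, count in failures.items():
        if count > FAILED_LOGIN_BASELINE:
            events.append((client, "excessive-failed-logins", "medium"))
    return events

def manage_events(events):
    """Event management: keep only the highest-priority event per client."""
    rank = {"high": 3, "medium": 2, "low": 1}
    best = {}
    for client, name, priority in events:
        if client not in best or rank[priority] > rank[best[client][1]]:
            best[client] = (name, priority)
    return best

def respond(managed):
    """Response mechanism: map each client's top event to an action."""
    return {client: RESPONSES[priority] for client, (_, priority) in managed.items()}

if __name__ == "__main__":
    print(respond(manage_events(analyze(LOG_LINES))))
```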

Different Types of Attacks and Response Mechanisms

Malicious code is intended to harm, disrupt, or circumvent computer and network functions. This code can be mobile, such as Java applets or code in the ActiveX environment. It can also attach itself to legitimate code and propagate. In addition, it can lurk in useful applications or replicate itself across the Internet. The following sections describe these different types of malware.
  • Viruses: A virus is code that attaches to a host program and propagates when the infected program is executed. Thus, a virus is self-replicating and self-executing. Viruses are transmitted in a variety of ways, including as part of files downloaded from the Internet or as e-mail attachments.

Increase Security

Increase security by restricting access to only the resources needed by each service, dividing them by resource and then restricting them to the minimum access needed to do the job. For example, if a server acts as both a Web server and an FTP server, create two special accounts, one to be used by the FTP service to access resources through the operating system and the other to be used by the Web server.
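Once the two dedicated accounts exist, the question is whether the file permissions actually keep each service inside its own resources. The following is an added example (not from the lesson): it audits a constructed `ls -l`-style listing and reports any case where a service account can reach files outside its own tree, or where a file is world-writable. The account names ftpsvc and websvc and the /srv paths are assumptions.

```python
# Added example (not from the lesson): least-privilege audit for two service
# accounts. Listing entries are constructed as "mode owner group path".
LISTING = [
    "drwxr-x---  websvc  websvc  /srv/www",
    "-rw-r-----  websvc  websvc  /srv/www/index.html",
    "drwxr-x---  ftpsvc  ftpsvc  /srv/ftp",
    "-rw-r--r--  ftpsvc  ftpsvc  /srv/ftp/readme.txt",   # world-readable
    "-rw-rw-rw-  root    root    /srv/www/upload.log",   # world-writable
]

# Assumed policy: each service account may touch only its own tree.
ALLOWED = {"ftpsvc": "/srv/ftp/", "websvc": "/srv/www/"}

# Assumed group memberships: account -> groups it belongs to.
GROUPS = {"ftpsvc": {"ftpsvc"}, "websvc": {"websvc"}}

def access_for(mode, owner, group, account):
    """Return the permission letters ('r', 'w', 'x') account has on one entry."""
    if account == owner:
        bits = mode[1:4]            # owner triplet
    elif group in GROUPS.get(account, set()):
        bits = mode[4:7]            # group triplet
    else:
        bits = mode[7:10]           # other triplet
    return {c for c in bits if c != "-"}

def audit(listing, allowed=ALLOWED):
    """Return findings: world-writable files and access outside an account's tree."""
    findings = []
    for entry in listing:
        mode, owner, group, path = entry.split()
        if mode[8] == "w":
            findings.append(f"{path}: world-writable")
        for account, tree in allowed.items():
            inside = path == tree.rstrip("/") or path.startswith(tree)
            perms = access_for(mode, owner, group, account)
            if perms and not inside:
                findings.append(f"{path}: {account} has {''.join(sorted(perms))} outside {tree}")
    return findings

if __name__ == "__main__":
    for finding in audit(LISTING) or ["OK: each service account stays in its own tree"]:
        print(finding)
```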
  • Thinking Outside the Box About Security: In far too many supposedly security-conscious organizations, computers are locked away from employees and visitors all day, only to be left open at night to the janitorial staff, which has keys to all offices. It is not at all uncommon for computer espionage experts to pose as members of the cleaning crew to gain physical access to machines that hold sensitive data. This is a favorite ploy for several reasons:
    1. Cleaning services are often contracted out, and workers in the industry are often transient, so that company employees may not be easily aware of who is or isn’t a legitimate employee of the cleaning company.
    2. Cleaning is usually done late at night, when all or most company employees are gone, making it easier to surreptitiously steal data.
    3. Cleaning crew members are often paid little or no attention by company employees, who take their presence for granted and think nothing of their being in areas where the presence of others might be questioned.
