Security Best Practices Pt. 2 | CompTIA IT Fundamentals+ (FC0-U61) | Part 33 of 38

Captions
Welcome to another great show right here on ITProTV. You're watching the CompTIA IT Fundamentals show. I'm your host, Ronnie Wong, and today we're banging into a part two on security best practices. We've just implemented the idea of using antivirus software, but there are plenty of best practices for us to take a look at. And here, of course, to help us on this journey is gonna be Mr. Don Pezet himself. Don, welcome to the show. Hey, thanks for having me back, Ronnie. In the first episode, we did talk about antivirus software, which for the most part is gonna be a software we add to a computer. In this episode, I wanna take a look at some features that are probably already on your computer that just need to be enabled or configured properly in order to function. So we're gonna look at a range of things, things like host-based firewalls and some other security features, and just kind of see how those should be configured or maintained or at least to be aware of what's being done on most machines that are out there. And I say most, cuz unfortunately, not everybody follows the best practices. So if you find any one of those and we talk about a technology in this episode that you're not using yourself, you should probably look into it. Especially in a corporate space, you should be using all of the tools that we talk about in the best practices series. All right, Don, as we get started here, we want to mention this idea of using what we call a computer firewall. So what is a computer firewall and why should we think about using it? All right, so in the olden days, the network, the Internet was a very trustworthy thing, right? We just trusted that the other machines around the network are legitimate and that we could talk. And the main reason for that was that computers were really expensive back then. And so, only people that made a significant investment were able to communicate on it, and that resulted in a fairly trustworthy network. 
It's not like that anymore, now it's dirt cheap to get on the Internet, anybody can get on there, regular people, criminals, doesn't matter. So the network is no longer trustworthy, even your own network is not trustworthy anymore because unauthorized people might be able to get onto your network. So now, we have a challenge, where our computer can't just trust anybody that talks to it. It's almost like we're gonna teach our computer the whole stranger danger thing, right, like we learned as a kid. If you run into a stranger on the street, you don't talk to them, right? You only talk to people that you know. That's how your computer should be. Your computer shouldn't talk to people that it doesn't know, unless we specifically instruct it to do so. Maintaining computer security is very much like raising a child. [LAUGH] It's very similar. A little less messy, I think. But basically, what a firewall does, is it acts as a gate. It's a gate in between your computer and the rest of the network. Now, most networks have a firewall in between the network and the Internet, and so that protects you from people out on the Internet, but it doesn't protect you from other people on the same network. And a great example of that would be like a hotel. If I go to a hotel, fire up my laptop, hey look, they got free wireless. I jump on the wireless and I'm out to the Internet, right? Everybody else in the hotel is on the same wireless. Do I trust them, do I even know them? Can I even see them? They're probably in their own rooms, right? So that's a very untrustworthy network. We can't rely on a hardware firewall to protect us, we'd have to carry it with us when we travel, that's not gonna happen. So now, we have what are called software firewalls, ones that are built right into your operating system, and the odds are it's already turned on. 
In fact, most of them are very, very simple and just have a very simple rule that says, your computer is allowed to talk to whoever it wants, but nobody is allowed to talk to you unless you ask them first, right? So it's like in terms of people, if Ronnie were to try and talk to me, I would just block it. Nope, I don't wanna hear it, talk to the hand. [LAUGH] Personal firewall, right, talk to the hand. But if I ask him a question and I say, Ronnie, how are you doing? Now, he can talk to me and I'll hear it, right, because I engaged in that comment. If I fire-up a web browser and I go to Facebook, Facebook should be allowed to talk to me. But if Facebook just randomly tries to reach out to my machine, no way. We wanna stop that. That's how the most basic firewalls function. And almost every operating system out there has a firewall implemented that does exactly that, if you're Windows, macOS, Linux, they all follow that same kind of routine. So let me show you an example here, I'm on a Windows machine and this is a pretty, fairly standard install of Windows. I've added Google Chrome to it and I turned off the annoying wallpaper. But otherwise, it's Windows 10 and Windows 10 has a built-in firewall. Now, if you didn't know that and you're a Windows 10 user, that's how Microsoft intends it. They don't want you to be bothered by this firewall. It's running in the background, it's on by default. And you can see it, if you bring up your Start Menu and just type firewall, you'll find this Windows Defender Firewall. And when you take a look at that, it gives you a simplified view of the firewall that really just gives you two things. Is the firewall on or is it off? If you see green lights here, it's on. I didn't turn it on, it just happens to be on, right? It was on by default. If they're red, then they're turned off. And that's pretty much all that you see. 
And if you drill down into it, you can see Windows Firewall state is on, it's blocking all connections to apps that are not in the allowed list. And then, if it blocks something, we do get a little notification, letting us know a block occurred. That's what it's doing, right? And it looks really simple. It's actually really complex, it's just hiding all the complexity. If we go into the Advanced Settings button over here, it launches a whole separate tool called the Windows Firewall Advanced- Window Advanced Security. There we go. This one, where you can actually go in and see all of the rules that it's using to figure out whether the traffic should be allowed in or not allowed in. You'll see some things have a green checkmarks, some don't. All of this stuff is being blocked right there that doesn't have a checkmark at all. The outbound rules, on the other hand, are a little more simple cuz we usually allow pretty much everything to go out. But these are all rules being maintained by that firewall, dictating who's allowed to communicate and who isn't, and when they're allowed to communicate. Maybe they're allowed to communicate when they're at home but not when they're on some stranger network, right? So it keeps track of all of that. These firewalls are really critical. The nice part is, we don't normally have to do anything, they're just turned on, but they aren't always. And let me give you an example. I've got a Mac over here. So here's a Mac, joining macOS, let's see, I think it's 10.13, let's see. This one is 10.13.4, macOS High Sierra. As of the filming of this episode, that is the latest edition with all the updates. And if I go into my system preferences, and I go into Security and Privacy, and Firewall, Firewall's off, right? Apple does not turn their firewall on by default. And that's because Apple doesn't actually plan for businesses, they plan for home users. And for home users, they wanna keep things as simple as possible. 
You're gonna be at home, you're gonna trust the people around that network, you don't need a firewall for that. But the moment you start travelling, that changes a good bit, right? All of a sudden, there's networks that you don't trust anymore. And so now, you might want to enable that and so you can come in and turn that on, and then you've got firewall options where you can start defining all sorts of rules, just like we saw on Windows. It's got the capabilities to do it, it's just not on by default. So the security best practice for this, is that every machine in your network should have a software-based firewall on it that is properly configured to protect the system on the network, that'll stop attackers from being able to see what computers are on your network, and definitely stop them from being able to get in and start to compromise those machines. So really, a critical process as far as maintaining security on most computers. Now, Don, the idea of firewalls are a great protection but that protects our individual machines, but we do tend to also use devices inside of our own networks as well. And I believe in a previous networking episode that we did, we already talked about some of that. But can you remind us of some of the other things that we might have to also think about? Yeah, yeah. I mean, in addition to computers, what do you have on your network? Internet of Things, right? You might have web cameras, you might have routers- Printers. Refrigerators, printers, right, network printers. These kind of devices a lot of times they don't have a firewall, or maybe they do but you don't see it. The main thing about them is that we expect the manufacturer to configure them securely, that, that webcam that's plugged into my network is configured securely. Maybe it is, maybe it isn't, right? But a main thing we need to worry about on them is that they almost always ship out of the factory with a default password assigned to them. 
Now, what do I mean by that, right? Well let's say, that I want to log into some kind of a router, right? So I wanna go and log into a router, here's a Linksys smart Wi-Fi router, a WRT1900AC, I think this is what this is. So it's a router on a network, right? Maybe I'm travelling and I go to somebody's network and I see a Wi-Fi network that's just called Linksys. That's usually a good indicator that they've left everything at the defaults, but even if it's something different. I'm at a hotel and I just happen to see in the background, this is the router they have, all right? I wanna get in and access this router, but I need a password to do it, okay? Well, if I know what type of router it is, I can look up what the default password for that is. It's just a Google search away. We can jump over to Google and we can do a search for something like Linksys, we have to spell it right, Linksys WRT1900AC password, right? We can just run a search like that and it's gonna go into a search. And if you look at the recommendations down here, you can see where plenty of other people are trying to search for whatever these default passwords are. And when you do that search, you'll find a number of results, but the very first result is coming right from Linksys themselves, right? Right from the manufacturer. And if I go and take a look at their site, it's gonna take me to their Q&A FAQ, right? Their FAQ or frequently asked questions. And if I, I'm just gonna search in here to save me some time, here we go. Frequently asked question number 14 is, what are the default IP Address, username, and password to the Linksys WRT1900AC? If I click on that, it takes me in here where we can find some basic information on getting logged in and getting this thing up and running, right? Now, I'll see it is, I think you have to scroll down there [LAUGH]. Now it was question number 14, right? You think it would jump right to 14, is that too much to ask? 
Here let me just search for the word password again and try that again. It jumped you back up to the top list, you probably have to scroll down [LAUGH]. Man, there it is. Okay [LAUGH]. If you can find it on the FAQ, the hardest part here is navigation apparently. Question 14, what are the default IP Address, username, and password? And then it tells me the default IP Address for this router is 192.168.1.1, and admin is the default for both the username and the password. So if I find a Linksys router that's out there, the odds are the username is admin and the password is admin. Or in the case of this router, it's not even asking for a username, it's just asking for a password, so I can type in, admin and sign in. And when I do that, now I'm in and I'm able to start taking advantage of that router. I can do things like redirect traffic, or spoof IP addresses or DNS to be able to compromise people's data. I can take over this network, and at the minimum, I can shut the network down, right? And cause a denial of service. So I can do whatever I want because I knew the password, because the password was freely available out there on the internet. There's websites that are dedicated to collecting default username and passwords for any device. I got it right from the manufacturer here, I didn't have to go to some shady dark web, cyber sleuth website, I just went to the manufacturer, pulled up the help documentation, it's all right there. So on any equipment that we deploy, we need to make sure we change the default password. If it's a router, a printer, a switch, a web cam, a DVR, right? A Roku or something like that, those little devices they all have interfaces that can be connected to via the network. And if they have a password that's known, if they have a default password set, the attackers already know that. And at that point firewalls don't really help you, antivirus doesn't really help you, they're logging in with legitimate credentials. 
They're saying, hey, I'm an administrator, and the system has to say, yeah, yeah you are, you know the password, you're obviously an administrator. We need to make sure we change that, and changing it's easy. Most systems will actually prompt you, this one is not. But a lot of times they'll prompt you and say, hey, you need to change your password, you get a big warning, right? And so you go into wherever your settings are to be able to come in, and this one's right here under Router Password. We saw it earlier in an episode where we configured a wireless router. But we can go in and change that password, get it set, and now we've got a system where an attacker might know what router we have, but they don't know the password to be able to log in and take control of that device. So changing a default password is pretty important in making sure that people just can't get into the system. We don't wanna be an easy target, we wanna be a little bit harder. Now Don when it comes down to these types of things and changing those default passwords, they sound good and okay. But what about passwords in general? Don, if I have to log in every time and type in a password, it seems very inconvenient. What about the use of passwords today? All right, so here's where you get a big divide between home users and business and enterprise, right? For a home user, a lot of times they don't wanna mess around with passwords. So for example, on a Mac, if I go into my user settings here, I can take my user account, and see how my user account is flagged as an admin, and if I were to turn on this computer, I'd have to provide my user name and password. Well actually here let me unlock this screen real quick. And, once I'm in here, there we go, I can come into Login Options. And under Login Options, it's got Automatic login, right? Now I have a password on my account, you saw, I just had to type it to unlock this screen. 
Automatic login though, if I turn that on for my account and I type in my password, what it's gonna do is, it's gonna save that password on the hard drive. It's gonna save it, it's encrypted so it's at least protected. But now, whenever I turn this computer on, it's not gonna ask for a username and a password, it's just gonna automatically log in as me. Now as a home user that's pretty convenient. Hey, I push a power button on my computer, it logs right in, I'm ready to go, nobody else is gonna mess with this, right? It's just me. But then if I take my laptop and I leave it at the airport, anybody could pick up the laptop, turn it on and it automatically logs in, and now they have access to all of my stuff. So with our accounts when we set these up, if it's enterprise account, if it's a business, if you travel with the device, you shouldn't have automatically login turned on. It is basically giving somebody the keys to your kingdom, it's letting them walk right in. It's like leaving the front door to your house, not just unlocked, but wide open and then somebody can just walk right in. So we need to make sure that we have things like automatic login turned off, and that we actually have a password on our account. Most systems, Mac OS, Windows, Linux, they all require passwords these days, right? They didn't always, used to be on Macs and on Windows, you could leave your password blank. On Linux, you've always had to have a password. But on these you could leave it blank, not anymore, right? Starting, probably about four years ago, they've all switched to where they do require a password. But that automatic login, that basically bypasses the password, even if you were to turn it on and then lock the screen. All the attacker has to do is unplug the computer and plug it back in. And then when it powers back on it'll auto login and they're in. So that's a big problem. We need to make sure those passwords are set and that they're set with strong passwords, right. 
When you choose a password, if I go in and I want to change my password. I need to pick a new password. And when I pick a new password, if I pick something super easy like one, two, three, four. Well, anybody can guess that, right? A lot of us will just try that as a matter of course just to see if we can get in. You need to pick a strong password. And what defines a strong password? Well, password length. The longer the password, the stronger it is. Capital letters and lowercase letters, those impact the strength of the password. Numbers, special characters, like exclamation points and at symbols. Those improve the quality of the password. In fact, on a Mac, they don't have this on Windows, but on a Mac, there's this Password Assistant and it helps you to measure how strong your password is. And so, I could come through here and I can tell it that I wanted to do 1234. And I get a nice rating right here that's telling me the quality of that password is garbage. I should not be using that password, right? But if I were to come in and do something a little more random, right. See how the more I type the stronger it gets? What if it was just a bunch of lowercase letters? See how, it's not getting stronger until I get a lot longer, it's not getting stronger very fast. And I'm already at a certain length that's just too much for me to remember. If I start mixing in capital and lowercase letters, well, it's still not that great, right? If I start throwing in some numbers though, it jumped up really fast, also the password length jumped up there. But those numbers, that made a big difference. And if I start throwing in numbers and special characters, now I end up with something really good, right? And we can start to create some really complex passwords, right? That's all about setting a strong password, a password that will be hard to guess. And there's a number of different ways to do it, it doesn't have to be too crazy. I usually use password phrases. 
So if I were to type something like, I like CompTIA!, right? See how strong that password is? It's easy to remember though. It's got capital letters, lower case letters, it's got an exclamation point and spaces and special characters. In fact, the only thing I'm missing here is a number, right? So we could pick something a little more fun. We don't wanna go easy to guess. If I did, Don Pezet 2018, well, that might be easy to guess, but it is strong. Capital letters, lower case letters, spaces, non-dictionary words, like my name. And the numbers like that, that does get you a little bit stronger. So it's better though to try and pick something that's a better mixture. And a lot of people will take words and mix in letters like that. So I've got the word cloud but written with lower case C, capital L, a zero instead of an O, that kind of thing, and it can start to get stronger based on that. So come up with some solution that works for you, but a strong password is important because if somebody guesses your password then they can get right in and your system is as good as not having a password. >> All right Don, now that I've got a strong password in mind. So I can go to Facebook and I can use that strong password. Then I can check my Instagram and use that same strong password, and be able to go and do my Amazon shopping and use that same password. Sounds like a good solution to me, Don. It does, and so let's say that I'm the attacker, and I steal your laptop, right? And I power it on and ask for a password. Like man, it's got a password. That stinks. I can't get in and steal all the stuff. Well, there actually is a way to do it. All I could do is I could say hey, I don't care about this laptop. I know Ronnie did, but I don't. I'm gonna tear the laptop open. I'm gonna rip the hard drive out of it. And I guess that sounds a little more violent. 
I'm gonna use a screw driver and I'll unscrew it and take the hard drive out because once I get his data, I can sell the parts on eBay and make some money, right? That's what an attacker will do. So I can take out the hard drive of his computer and I can go to one of my computers, one of my computers where I know the password. I can log in just fine on my computer. And I can add his hard drive as a second drive to my computer. And once we do that, I can browse his hard drive to my heart's content. I can go in there and get at all his files and any other information that he's got on that disk. I never had to use a password, because I never logged into his computer. I had physical access to his hard drive. When you're working with data, data actually has two forms in the security world. There's data at rest and data in motion. The data on your hard drive is called data at rest. It's just sitting there. It's sitting there and if somebody can physically get it, they can read it. Right, that's data at rest. Data in motion is if I go to a web page and start typing an email or I'm uploading a file that data is crossing the network. Somebody can intercept that there they wouldn't modify the password or not they can intercept it on the network while it's in the transit. And they can get the data there, that's data in motion. We need to be protecting not just our computer, passwords and firewalls and all that, but we need to be protecting our data. And we can do that a few different ways when it's in motion, or when it's at rest. But the best solution for both is to use encryption to ensure that our data is encrypted when it's stored on the drive. And that it's encrypted when it's crossing the network. And that way if somebody does intercept it either way, by ripping my hard drive out or by intercepting network communications, they just see encrypted cipher text. They see junk. It doesn't mean anything to them. They can't do anything with it. And the data is safe. 
Now encryption can be intimidating. If this is the first time that you're learning about encryption, a lot of people just know what they've seen in Mission Impossible movies and things like that. And believe it or not, not everything that's done in a Tom Cruise movie is exactly true. So what you'll find is that encryption is actually easy and you're probably already doing it, all right? Let me give you an example. Let me go over to my Windows machine, and I'm gonna fire up. I wanna use a browser that I haven't used. I'll use Microsoft Edge. So I'm gonna fire up Microsoft Edge. And I'm gonna go to a website. I'm gonna go to www.cnn.com, right, time to check the news. Now when I go to CNN's website, I just typed in cnn, hit the button, went over and now I'm on their website. Okay, a couple of things actually happened in the background that I might not have noticed, right? One for example. Well, I did notice the giant auto-play advertisement. That's nice. But the one thing that I did notice was that the address changed. I typed www.cnn.com, right? And instead it changed it to https://www.cnn.com. That HTTPS, that's hypertext transport protocol secure or with SSL. It's using secure socket layers, and more accurately it's using transport layer security or TLS, doesn't really matter. To encrypt the data that I sent to CNN and the data they sent back to me. Most websites do that. They do that even if you tell it not to. If I just type http://itpro.tv and I come to our website, right? I didn't type https, I'm just gonna saying give me a nonsecure connection to that website, right? When I do that, look what it did? It changed it to https. It said, no we're not doing non-encrypted, you're gonna get an encrypted connection whether you want it or not. And so it switched it over. Now, notice our little lock is actually different than CNN's. CNN just had a regular lock. That's because they're using weak encryption, right? 
It's not bad, it's just it hasn't been fully validated, and I don't know why a company their size would do that. Ours is what's called Extended Validation, or EV, so we've gone through additional checks to make sure it's as secure as possible, so we get a green lock on ours. The green lock is kind of the best case scenario, that's what you want to see. If you go to, we'll say we go to Google. I go to google.com, it switches me over to security, and there I'm seeing that kind of weaker level, right? Now you might ask yourself, why are they doing that weaker level? And the reason, is they're not really moving sensitive data here, are they? Right? When you're talking about just doing a quick Google search, that's not a big deal. But if I was moving financial data that is a big deal, they'd want to verify that, there would be more to it. So when you go to companies like Google or Amazon or whatever, a lot of times the first site they serve up won't be extended validation, it'll be a regular search. But then, once you actually go to buy something, and you go to a check out page, right? I guess I have to try and buy something, let's buy a Fire TV. That when you actually go to try and purchase something, that it'll switch. And all of the sudden you'll start seeing a higher level of security when it starts asking for your password and so on. So I have to log in with an account here I guess, so it's not gonna do it for me. But you'll see it was different levels. The important part, though, is it's encrypting your data in transit. As the data moves between you and their servers, that data is being encrypted and protected, right? But this still doesn't solve the problem of the data on your hard drive. And on your hard drive, there's a number of solutions that are available. Most of them are not turned on by default, all right? 
So in Windows there's a technology called BitLocker, and if you were to bring up your Start menu and just type BitLocker, you'll find the Manage BitLocker tool. And what that does, is it allows you to turn on encryption for your entire hard drive. Everything that's on your hard drive gets encrypted and protected. And now if somebody rips the hard drive out of your computer and plugs it in somewhere else, doesn't matter, the data is secure and protected. On Windows it's called BitLocker, on a Mac it's actually called FileVault. If I go into my system preferences, and I go into Security & Privacy, you'll find FileVault right here. And notice how, on the BitLocker one, it was turned off by default? FileVault's turned off by default also, so I can see here it's turned off. But you want it turned on. Now this is just a lab machine for the show, so I don't really care about it. But if we switch over to my actual laptop, this is my actual laptop, and I go into my system preferences, and my Security & Privacy, and FileVault, we'll see something a little bit different. I've turned on FileVault, right? My hard drive is encrypted. I travel a lot. I travel, I take my laptop, there's always a chance I could lose it. And I like the fact that, if I lose my laptop, I don't have to worry about somebody getting at my data. I know that it's safe, cuz it's fully encrypted and we're protected there. I also do this with my external drives. I don't have one here on the podium with me, but I backup to an external hard drive. And I have that drive encrypted as well, because that hard drive is sitting on my desk right now in my office. I can't see my office from here. Somebody who knew that, hey, I'm an IT guy, I do backups. So they said, I'm gonna go in the office, I'm gonna find this backup drive. They could steal the backup drive. And all my data's on there, multiple copies of it, right? And they could read it, and access that information. 
I don't have to worry about that, I know that disk is encrypted. If somebody steals it, I'll be frustrated cuz I have to buy a new disk, but I don't have to worry about losing my data. That's what encryption is all about. Data in motion is data crossing the network, and it can be encrypted with things like HTTPS, your secure HTTP traffic, it can be encrypted with VPNs and other technologies. Data at rest is data on your hard drives, and the best way to protect it is with encryption. And whole disk encryption is what I'm showing here, that's where your entire hard drive gets encrypted. You can also do encryption on individual files. There's programs like PGP, Pretty Good Privacy, that will encrypt a single file. Or in the Windows world, it's actually built into the operating system. You can come in and you can take a file, I don't know, I'll take, oops, one of my documents here, my resume. I can find my resume, and I can pull up the properties for that file, and I can actually turn on encryption just for that one file. I'm not gonna see it on the main screen here, you have to go to Advanced, and inside of Advanced you'll see where I can encrypt contents to secure data. And when I do that, that'll protect just that one file. And that's what it's telling me right there, it's gonna protect that file. And I'll say OK. It's gonna pause for a moment, cuz this is the first file I've encrypted, so it's gotta generate keys. But once it's done, that file is now encrypted. And it doesn't really look any different to me, except it's got a tiny microscopic miniature little yellow lock on it. But otherwise, it's now encrypted. If somebody steals my hard drive, they won't be able to read that one file. But encrypting the entire hard drive is the better option, because I might forget to turn on encryption for a file, or I might move it somewhere else and forget about it. If you do the whole drive, you know you are protected. 
All right Don, well, that's plenty of things for us to consider in terms of security best practices, but we are not completely done yet. So Don, I'm gonna give you the last word, and what are we gonna be taking a look at in our next episode here? All right, so we covered a lot of things in this episode. We talked about host-based firewalls, we talked about changing default passwords, setting passwords. We talked about encryption, data in motion, data at rest, a lot of good stuff, right? But there are a few more things that we do need to tackle. We haven't talked about safe browsing practices. Viruses, what we've talked about in part one, usually come from people browsing the web. So I wanna talk a little bit about that and the steps we can take to make sure that that doesn't affect us. So we're gonna tackle that, and the last thing we've got is just patching and updates, which are your number one defense against most of these attacks. So pretty important for us to be able to see and do that as well. So that's all coming up in part three. All right, so there you have it, and that means you wanna stay around for that part three. So signing off for ITProTV, I'm your host Ronnie Wong. And I'm Don Pezet. Stay tuned right here for more of your CompTIA IT Fundamentals show. [MUSIC] Thank you for watching ITProTV.
Info
Channel: ITProTV
Views: 4,408
Keywords: comptia itf+, comptia itf+ training, comptia itf+ study guide, comptia itf+ exam questions, comptia itf+ fc0-u61 practice test, comptia itf+ certification, comptia itf+ fc0-u61, comptia itf+ practice test, comptia itf+ fc0-u61 exam, comptia itf+ free training, security best practices
Id: iWQr3FuVQdw
Length: 30min 24sec (1824 seconds)
Published: Fri May 03 2019