IT Fundamentals/2014/Security

Security is the degree of resistance to, or protection from, harm applied to any vulnerable and valuable asset.[1] This lesson covers IT security threats and best practices.

Preparation

Learners should already be familiar with IC3 - Computer Use and Safety.

Objectives and Skills

Objectives and skills for the security portion of IT Fundamentals certification include:[2]

  • Define basic security threats
    • Malware
      • Virus
      • Trojan
      • Spyware
      • Ransomware
    • Phishing
    • Social engineering
    • Spam
    • Password cracking
    • Physical security
      • Hardware theft
      • Software/license theft
      • Shoulder surfing
      • Dumpster diving
  • Given a scenario, use security best practices
    • Password management
      • Password complexity
      • Change default passwords
      • Password confidentiality
      • Password expiration
      • Password reuse
      • Awareness of Single Sign On
    • Device hardening
      • Disable unused features
        • Disable Bluetooth
        • Disable NFC
      • Timeout / lock options
      • Enable security software/features
        • Software firewall
        • Anti-malware
      • Encryption options
    • Open WiFi vs. secure WiFi
    • Multifactor authentication
    • Suspicious emails
      • Attachments
      • Hyperlinks
    • Act on security software alerts
    • Admin vs. user vs. guest account

Readings

  1. Wikipedia: Internet security
  2. Wikipedia: Password manager
  3. Wikipedia: Hardening (computing)
  4. Wikipedia: Multi-factor authentication

Multimedia

  1. YouTube: IT Fundamentals - Risk Analysis and Security Policy
  2. YouTube: IT Fundamentals - Threats
  3. YouTube: IT Fundamentals - Wireless and Mobile Network Security
  4. YouTube: Protecting Your Computer from Malware
  5. YouTube: Using Safe Practices
  6. YouTube: Antivirus Software

Activities

  1. Use anti-malware software to scan your system and test malware detection.
  2. Configure password management.
  3. Research multi-factor authentication. Consider setting up multi-factor authentication on your Apple, Facebook, Google, and/or Microsoft accounts, as well as your password manager and your financial institutions.
  4. Test your firewall using a testing service such as Gibson Research: ShieldsUP!
  5. Consider encrypting your system storage:

Lesson Summary

  • Security threats include malware, phishing, social engineering, spam, password cracking, and physical security risks.[3]
  • Malware is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. This includes viruses, Trojans, spyware, and ransomware.[4]
  • Physical security threats include hardware theft, software/license theft, shoulder surfing, and dumpster diving.[5]
  • Effective password management includes password complexity, password confidentiality, password expiration, limited password reuse, changing default passwords, understanding single sign-on, and using multi-factor authentication.[6]
  • Device hardening includes disabling unused features such as Bluetooth and Near Field Communication, using screen timeout and lock options, enabling security software features, using a software firewall, using anti-malware software, and encrypting data storage.[7]
  • Security best practices include being alert for suspicious emails, attachments, and hyperlinks, responding to security software alerts, renaming administrator accounts, and disabling guest accounts.[8][9]

Key Terms

authentication
The process of confirming identity.[10]
authorization
The function of specifying access rights to resources.[11]
BitLocker
A full disk encryption feature included with the Ultimate and Enterprise editions of Windows Vista and later Windows operating systems.[12]
brute-force attack
A cryptanalytic attack that consists of systematically checking all possible keys or passwords until the correct one is found.[13]
device hardening
The process of securing a system by reducing its surface of vulnerability through the removal of unnecessary software, unnecessary usernames or logins and the disabling or removal of unnecessary services.[14]
dictionary attack
A technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities from a list.[15]
dumpster diving
The practice of sifting through commercial or residential waste to find items that have been discarded by their owners, but that may prove useful to the collector.[16]
ethical hacker
A computer security expert who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems.[17]
impersonation
The act of assuming the identity of another, in order to commit fraud, such as accessing confidential information, or to gain property not belonging to them.[18]
malware
Any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.[19]
multi-factor authentication
A method of computer access control which a user can pass by successfully presenting authentication factors from at least two of the three categories of knowledge, possession, and inherence.[20]
packet sniffer
A computer program that can intercept and log traffic passing over a digital network.[21]
password complexity
The length and character set combinations used to create a password, such as upper case and lower case letters, numbers, and punctuation.[22]
password confidentiality
A set of rules or a promise that limits access or places restrictions on password sharing.[23]
password cracking
The process of recovering passwords from data that have been stored in or transmitted by a computer system, most often through brute-force or dictionary attacks.[24]
password expiration
A policy that requires users to change passwords periodically.[25]
password reuse
A policy that prevents users from repeating recently used passwords.[26]
permissions
Access rights assigned to specific users and groups of users to control the ability of the users to view or make changes to system objects.[27]
phishing
The attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.[28]
physical security
Measures designed to deny unauthorized access to facilities, equipment and resources, and to protect personnel and property from damage or harm.[29]
ransomware
A type of malware which restricts access to the computer system that it infects, and demands a fee be paid to the operators of the malware in order for the restriction to be removed.[30]
shoulder surfing
Using direct observation techniques to obtain information such as passwords, PINs, security codes, and similar data.[31]
single sign-on
A property of access control systems that allows a user to log in once and gain access to all interrelated systems without being prompted to log in again.[32]
social engineering
Psychological manipulation of people to cause them to perform actions or divulge confidential information.[33]
spam
Unsolicited electronic messages, especially advertising.[34]
spim
Unsolicited electronic messages targeting users of instant messaging (IM) services.[35]
spoofing
Concealing the identity of the sender by impersonating another computing system.[36]
spyware
Software that aims to gather information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge.[37]
trojan
A non-self-replicating type of malware program containing malicious code that, when executed, typically causes loss or theft of data, and possible system harm.[38]
virus
A malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or firmware.[39]

Review Questions

  1. Security threats include _____, _____, _____, _____, _____, and _____.
    Security threats include malware, phishing, social engineering, spam, password cracking, and physical security risks.
  2. Malware is _____. This includes _____, _____, _____, and _____.
    Malware is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. This includes viruses, Trojans, spyware, and ransomware.
  3. Physical security threats include _____, _____, _____, and _____.
    Physical security threats include hardware theft, software/license theft, shoulder surfing, and dumpster diving.
  4. Effective password management includes _____, _____, _____, _____, _____, _____, and _____.
    Effective password management includes password complexity, password confidentiality, password expiration, limited password reuse, changing default passwords, understanding single sign-on, and using multi-factor authentication.
  5. Device hardening includes disabling _____, using _____, enabling _____, using _____, using _____, and encrypting _____.
    Device hardening includes disabling unused features such as Bluetooth and Near Field Communication, using screen timeout and lock options, enabling security software features, using a software firewall, using anti-malware software, and encrypting data storage.
  6. Security best practices include being alert for _____, responding to _____, renaming _____, and disabling _____.
    Security best practices include being alert for suspicious emails, attachments, and hyperlinks, responding to security software alerts, renaming administrator accounts, and disabling guest accounts.

References

  Type classification: this is a lesson resource.
  Completion status: this resource is considered to be complete.
  1. Wikipedia: Security
  2. CompTIA IT Fundamentals Certification Exam Objectives (FC0-U51)
  3. CompTIA IT Fundamentals Certification Exam Objectives (FC0-U51)
  4. Wikipedia: Malware
  5. CompTIA IT Fundamentals Certification Exam Objectives (FC0-U51)
  6. CompTIA IT Fundamentals Certification Exam Objectives (FC0-U51)
  7. CompTIA IT Fundamentals Certification Exam Objectives (FC0-U51)
  8. CompTIA IT Fundamentals Certification Exam Objectives (FC0-U51)
  9. Microsoft: User and Computer Accounts
  10. Wikipedia: Authentication
  11. Wikipedia: Authorization (computer access control)
  12. Wikipedia: BitLocker
  13. Wikipedia: Brute-force attack
  14. Wikipedia: Hardening (computing)
  15. Wikipedia: Dictionary attack
  16. Wikipedia: Garbage picking
  17. Wikipedia: White hat (computer security)
  18. Wikipedia: Impersonator
  19. Wikipedia: Malware
  20. Wikipedia: Multi-factor authentication
  21. Wikipedia: Packet analyzer
  22. Wikipedia: Password strength
  23. Wikipedia: Confidentiality
  24. Wikipedia: Password cracking
  25. Wikipedia: Password policy
  26. Wikipedia: Password policy
  27. Wikipedia: File system permissions
  28. Wikipedia: Phishing
  29. Wikipedia: Physical security
  30. Wikipedia: Ransomware
  31. Wikipedia: Shoulder surfing (computer security)
  32. Wikipedia: Single sign-on
  33. Wikipedia: Social engineering (security)
  34. Wikipedia: Spamming
  35. Wikipedia: Messaging spam
  36. Wikipedia: IP address spoofing
  37. Wikipedia: Spyware
  38. Wikipedia: Trojan horse (computing)
  39. Wikipedia: Computer virus