CS406 Study Guide

Unit 7: Operating System (OS) Security

7a. Describe the methods used to harden an OS and minimize threats

  • What does it mean to harden a system?
  • Why is patching often neglected?
  • How is system auditing performed?

System hardening is the application of best-practice techniques that secure a system by reducing its vulnerabilities. The specific techniques vary by system type, but the basic methods are to remove or disable unnecessary applications, protect system access through measures such as least privilege, set up and review log files, and patch regularly.

Although patching is important to system security, it is often neglected for lack of funds or technical expertise. The cost of patching is often viewed as adding no value to a system, and patching requires a qualified technician to install the patches, who is sometimes not available within the organization. This is a serious issue for any organization and should be resolved.

System auditing is done to ensure that policies are being followed and enforced. Auditing is carried out by reviewing system logs and system performance. Logs contain information about login attempts, device use and device failure, and application-level events. Audits can be manual or automated.
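As an added illustration of automated auditing (this is example code written for this guide, not part of the study guide or its linked readings), the script below reviews a handful of constructed Linux-style authentication log lines, counts failed and accepted logins per source address, and flags any source that exceeds a failure threshold for manual follow-up. The log lines, addresses and threshold are all assumed values.

```python
"""Added example: a small automated audit of constructed auth-log lines.
Counts failed/accepted logins per source and flags sources over a threshold."""
import re
from collections import defaultdict

# Constructed sample lines in the style of /var/log/auth.log (not real data).
SAMPLE_LOG = """\
Mar  3 10:01:12 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51522 ssh2
Mar  3 10:01:15 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51523 ssh2
Mar  3 10:01:19 host1 sshd[2101]: Failed password for root from 203.0.113.5 port 51524 ssh2
Mar  3 10:02:40 host1 sshd[2109]: Accepted publickey for alice from 192.0.2.10 port 40212 ssh2
Mar  3 10:03:02 host1 sshd[2115]: Failed password for bob from 192.0.2.10 port 40220 ssh2
Mar  3 10:03:07 host1 sshd[2115]: Accepted password for bob from 192.0.2.10 port 40220 ssh2
"""

# Matches both "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user] <user> from <ip>".
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_events(text):
    """Return a list of (result, user, src) tuples, one per login line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append((m.group("result"), m.group("user"), m.group("src")))
    return events


def summarize(events):
    """Count failed and accepted logins per source address."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0})
    for result, _user, src in events:
        key = "failed" if result == "Failed" else "accepted"
        summary[src][key] += 1
    return dict(summary)


def flag_sources(summary, threshold=3):
    """Sources with at least `threshold` failures deserve a closer manual look."""
    return sorted(src for src, c in summary.items() if c["failed"] >= threshold)


if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_LOG))
    for src, counts in sorted(s.items()):
        print(f"{src}: {counts['failed']} failed, {counts['accepted']} accepted")
    print("flagged for review:", flag_sources(s))
```

The automated pass narrows the manual review to the sources that matter; the threshold value is a policy decision and should be tuned per environment.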

To review, see section 7.1: OS Hardening.


7b. Discuss how antivirus and antimalware tools provide OS protection

  • Why is it important to update antivirus software as updates become available?
  • What is the difference between antivirus and antimalware software?
  • Are both antivirus and antimalware software needed on a system?

Antivirus software detects viruses on a system and is specific to each type of operating system. The software keeps a database of known viruses that is compared against the files on the system. As new viruses become known, the database is updated, so for a system to recognize newly identified viruses the software must be updated regularly. Once a virus is detected, the infected file is quarantined and the user is prompted to choose whether to repair or delete the file.
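To make the database-comparison idea concrete, here is an added example (written for this guide, not taken from the study guide or any antivirus product) of a toy signature scanner: a database maps hashes of known-bad content to detection names, each file is hashed and looked up, matches are quarantined, and a database update lets the scanner catch a sample the older database missed. The "files", their contents and the detection names are all constructed stand-ins.

```python
"""Added example: toy hash-signature scanner with quarantine and database update.
The files below are harmless constructed byte strings, not real malware."""
import hashlib

# Constructed "files": name -> contents.
FILES = {
    "report.docx": b"quarterly numbers, nothing to see here",
    "invoice.exe": b"SAMPLE-BAD-1: constructed stand-in for a known virus body",
    "setup.exe":   b"SAMPLE-BAD-2: constructed stand-in for a newer sample",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database: SHA-256 of known-bad content -> detection name.
# This "old" database version only knows about the first sample.
SIGNATURES_V1 = {sha256(FILES["invoice.exe"]): "Constructed.Sample.A"}


def scan(files, signatures):
    """Return {filename: detection_name} for every file whose hash is in the database."""
    hits = {}
    for name, data in files.items():
        digest = sha256(data)
        if digest in signatures:
            hits[name] = signatures[digest]
    return hits


def quarantine(files, hits):
    """Split the file set into (still live, held in quarantine)."""
    live = {n: d for n, d in files.items() if n not in hits}
    held = {n: files[n] for n in hits}
    return live, held


def update_signatures(old, new_entries):
    """Produce a new database version; the old one is left untouched."""
    merged = dict(old)
    merged.update(new_entries)
    return merged


if __name__ == "__main__":
    print("before update:", scan(FILES, SIGNATURES_V1))
    signatures_v2 = update_signatures(
        SIGNATURES_V1, {sha256(FILES["setup.exe"]): "Constructed.Sample.B"})
    hits = scan(FILES, signatures_v2)
    print("after update: ", hits)
    live, held = quarantine(FILES, hits)
    print("live:", sorted(live), "quarantined:", sorted(held))
```

Whole-file hashes are the simplest kind of signature and also the easiest to evade, since changing a single byte changes the hash; real products combine them with pattern and behavioural detection, which is why signature updates alone are not enough against code that rewrites itself.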

A virus is code that copies itself in order to damage a system. Malware refers to many types of malicious software, such as Trojans, ransomware, viruses, and spyware. Viruses are one type of malware, but malware includes many other kinds of malicious code as well.

Antivirus software detects viruses, and antimalware software detects all types of malware. Both antivirus and antimalware software are needed on a system because antivirus software protects against traditional versions of viruses and antimalware protects against new threats. New threats may be polymorphic, or code that changes each time it is run.

To review, see Antivirus Versus Anti-Malware and What is Antivirus Software?.


7c. Explain the method of protection provided by an OS firewall

  • By what method does a firewall protect a system?
  • How are IPtables implemented in a system?
  • Why is the order of the rules in IPtables important?

The first line of defense against malicious traffic is a firewall. Firewalls filter incoming and outgoing traffic to protect against attackers who may be attempting to enter the system. The network administrator can change the rules as needed when the system or the method of attack changes.

On a Linux system the firewall rules are defined in IPtables. A packet's protocol, origin, and target are examined as it enters the system. When a packet meets the requirements of a specific rule in IPtables, it is handled by the method designated in that rule, which can be to accept, allow, deny, or drop the packet.

When IPtables examines traffic, the rules are checked in the order listed. At the first match, the packet receives the treatment of that rule and is not examined against any further rules in the table. This matters when, for example, the last rule in IPtables is the one for port 22, secure socket shell (SSH): that rule allows SSH, or remote access to a system, and if the rules are not configured properly (for instance, an earlier rule already matches and drops the traffic) remote users will be locked out.
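The following added example (written for this guide; it is a simulation, not IPtables itself or code from the linked reading) models the first-match walk through a chain and shows the SSH case: the same three rules in two orders, where placing the port-22 ACCEPT after a catch-all DROP means it is never reached. The rule and packet fields, addresses and the default policy are assumed values.

```python
"""Added example: first-match rule evaluation as an IPtables chain performs it.
Demonstrates why an SSH ACCEPT rule placed after a catch-all DROP has no effect."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp", "icmp"
    src: str               # source address
    dport: Optional[int]   # destination port (None for icmp)


@dataclass(frozen=True)
class Rule:
    target: str                    # "ACCEPT" or "DROP"
    proto: Optional[str] = None    # None means "any"
    src: Optional[str] = None      # None means "any"
    dport: Optional[int] = None    # None means "any"

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.src is None or self.src == pkt.src)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """Walk the chain top to bottom; the first matching rule decides and
    later rules are not consulted. With no match, the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed chains: the same rules, different order.
SSH_LAST = [
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("DROP"),                           # catch-all: matches every packet
    Rule("ACCEPT", proto="tcp", dport=22),  # never reached
]
SSH_BEFORE_DROP = [
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("DROP"),
]


if __name__ == "__main__":
    ssh = Packet("tcp", "192.0.2.10", 22)
    print("SSH rule after DROP: ", evaluate(SSH_LAST, ssh))
    print("SSH rule before DROP:", evaluate(SSH_BEFORE_DROP, ssh))
```

On a real system the order is set by how rules are added: `iptables -A` appends to the end of a chain while `iptables -I` inserts at the top, so appending an SSH rule after a catch-all DROP reproduces the broken ordering above. A common safeguard when editing rules remotely is to add the SSH ACCEPT rule before any DROP rule and verify with `iptables -L` before disconnecting.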

To review, see Linux IPtables.


7d. Describe security tools used to assess the vulnerabilities of an OS

  • What is a vulnerability assessment?
  • What are the steps scanners perform before running a vulnerability assessment?
  • How does a scanner examine the vulnerabilities in a system?

A vulnerability assessment is a process that identifies security weaknesses on a system. The weaknesses of all system components are examined, including the network, the software, and the hardware. The identified weaknesses are prioritized as items that need attention or remediation to ensure the security of the system.

The first step a scanner performs before running a vulnerability assessment is to probe the ports to determine if the host is alive. This avoids wasting time trying to scan a host that is offline. The second step is to determine if the host is behind a firewall or filtering device. The third step is to detect all open ports on the host to determine the type of services running on the system. The fourth step is determining the operating system (OS) running on the host. The fifth step is to identify the services running on each open port.

Once the scanner knows which OS is running on the system, it identifies the OS version and then reviews the vulnerabilities applicable to that version. A security content automation protocol (SCAP) tool can be installed and run on a system to evaluate it against known vulnerabilities.
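Here is an added example (written for this guide, not code from any scanner or from the linked readings) of the matching step that follows the five discovery steps above: each service version the scanner found on an open port is compared against a list of advisories with affected-version ranges. The host inventory, the advisory entries and their identifiers are constructed placeholders, not real products' data or real CVE numbers; the same comparison applies to the OS version.

```python
"""Added example: match discovered service versions against constructed
advisory ranges, the way a scanner matches an OS/service version against
its vulnerability database. Advisory ids are placeholders, not real CVEs."""


def parse_version(s):
    """'2.4.49' -> (2, 4, 49); tuples compare numerically, so 2.4.9 < 2.4.49."""
    return tuple(int(p) for p in s.split("."))


# Constructed advisory database: (product, first affected, first fixed, id).
# A version v is affected when first_affected <= v < first_fixed.
ADVISORIES = [
    ("openssh", "8.0",    "8.5",    "PLACEHOLDER-ADV-001"),
    ("httpd",   "2.4.0",  "2.4.51", "PLACEHOLDER-ADV-002"),
    ("nginx",   "1.18.0", "1.20.1", "PLACEHOLDER-ADV-003"),
]


def affected(product, version, advisories=ADVISORIES):
    """Return the advisory ids whose affected range covers this version."""
    v = parse_version(version)
    return [adv_id for p, lo, hi, adv_id in advisories
            if p == product and parse_version(lo) <= v < parse_version(hi)]


# Constructed inventory: what the discovery steps found on one host,
# keyed by open port -> (service, version).
HOST_SERVICES = {
    22:   ("openssh", "8.2"),
    80:   ("httpd",   "2.4.52"),
    8080: ("nginx",   "1.19.6"),
}


def assess(services):
    """Map each open port to the advisories its service version is affected by."""
    return {port: affected(prod, ver) for port, (prod, ver) in services.items()}


if __name__ == "__main__":
    for port, ids in sorted(assess(HOST_SERVICES).items()):
        prod, ver = HOST_SERVICES[port]
        print(f"port {port} {prod} {ver}: {ids or 'no known issues'}")
```

A SCAP-based tool does the same comparison using standardized content rather than a hand-written list: product names are expressed as CPE identifiers and the version checks as OVAL definitions, which is what allows the results to be reproduced and prioritized consistently across hosts.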

To review, see How Scanners Work, What is a Vulnerability Assessment?, and Vulnerability Assessment Using SCAP.


Unit 7 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

  • antimalware
  • antivirus
  • auditing
  • automated
  • firewall
  • host
  • IPtables
  • least privilege
  • Linux
  • malicious software
  • malware
  • manual
  • network administrator
  • operating system (OS)
  • patching
  • polymorphic
  • protocol
  • ransomware
  • remediation
  • scanner
  • secure socket shell (SSH)
  • security content automation protocol (SCAP)
  • spyware
  • system hardening
  • trojan
  • virus