2.6 – Security Best Practices - Security Best Practices

Questions and Answers

What is the primary benefit of using Full Disk Encryption (FDE)?

• It automatically backs up your data to a remote server.
• It speeds up data access times.
• It allows multiple users to access the same files simultaneously.
• It prevents unauthorized viewing of data on a storage drive. (correct)

If the decryption key to encrypted data is lost, what is the most likely outcome?

• The data automatically reverts to its original, unencrypted state.
• A new key can be generated from the encrypted data itself.
• The data can be recovered using a universal decryption tool.
• Access to the encrypted data is permanently lost. (correct)

What is 'entropy' in the context of password security?

• The length of the password.
• The frequency with which a password is changed.
• The predictability of a password.
• The measurement of how unpredictable a password is. (correct)

Why is it important to change the default username and password on a new router or switch?

Default credentials are widely known and easily exploited by attackers. (D)

Why might an organization choose to disable network access for certain users between midnight and 4:00 AM?

To prevent unauthorized access during times when legitimate users are unlikely to be working. (D)

What is the purpose of disabling unnecessary or default accounts on an operating system?

To minimize potential attack vectors by removing accounts that could be exploited. (D)

What security measure does the 'Interactive logon: Machine account lockout threshold' policy in Windows address?

It specifies the number of failed login attempts allowed before an account is locked. (B)

What is the primary security risk associated with the AutoRun feature (present in older Windows versions)?

It could expose the system to malware by automatically running files from removable media. (C)

How does marking an account as 'never needing interactive login' improve security?

It stops anyone from logging in via a username prompt, reducing the attack surface. (B)

What is the main purpose of a privacy filter on a computer screen?

To prevent unauthorized viewing of sensitive information by people nearby. (C)

Why is it important to implement a password policy that includes password expiration?

To mitigate the risk of compromised passwords being used indefinitely. (D)

What is the significance of storing encryption keys in an Active Directory database?

It centralizes key management and provides a backup in case of system failure. (B)

How does enabling the screen lock feature on an operating system enhance security?

It prevents unauthorized physical access to the computer when the user is away. (C)

What is Personally Identifiable Information (PII)?

Information that can be used to identify an individual. (C)

Instead of assigning administrator access to everyone in the organization, what is a more secure practice?

Assigning rights and permissions based on job function. (C)

What is the purpose of the 'Interactive logon: Machine inactivity limit' security policy in Windows?

To automatically lock the computer screen after a period of user inactivity. (D)

Why was the AutoRun feature removed from later versions of Windows?

It was a significant security concern due to the risk of automatically running malicious files. (B)

In Windows, what options does the AutoPlay feature offer when a removable drive is connected?

Open File Explorer, take no action, configure storage settings, or ask each time. (C)

Other than password complexity, what is another factor that contributes to strong password entropy.

Using a variety of character types, including uppercase, lowercase, numbers, and symbols. (A)

What action should an administrator take to limit the risk associated with service accounts on a system?

Mark service accounts as 'never needing interactive login'. (B)

What is a primary reason for using a locking cable in conjunction with a laptop or tablet?

To prevent theft of the device. (D)

Which of the following actions is not a best practice for securing a system's BIOS?

Allowing a blank password on the system for ease of use. (A)

From a security perspective, what should an organization do about commonly known default usernames and passwords for operating systems and applications?

Change all default usernames and passwords immediately after installation. (D)

What is the primary security consideration when working with Personally Identifiable Information (PII) in a public area?

Preventing unauthorized individuals from viewing the PII on your screen. (B)

What is the best way to handle password resets to ensure the security of an account?

Provide a clear password reset process with multiple verifications. (C)

For critical systems, how often should passwords be changed compared to less sensitive systems?

More often, to reduce the window of opportunity for exploitation. (A)

What should an administrator do with accounts that are created by default during operating system installation?

Review and disable the unnecessary ones. (A)

What is the benefit of restricting the hours during which specific users can log into a network?

It prevents access from third parties during off-hours. (D)

Flashcards

Full Disk Encryption (FDE)

Encrypting all data on a drive.

Password Entropy

A measure of how unpredictable a password is; aims for strong, unguessable passwords.

Default Credentials

A username and password preset by the manufacturer on a new device.

UEFI/BIOS Administrator Password

A password required to make changes to the BIOS configuration.

UEFI/BIOS User Password

A password that stops the boot process until correctly entered.

Automatic Screen Lock

Automatically locking the computer screen when a user is away.

Personally Identifiable Information (PII)

Data that can identify an individual, like name, address, or Social Security number.

Principle of Least Privilege

Granting specific access rights and permissions based on job function.

Disable Unnecessary Accounts

Disabling accounts that don't require interactive logins.

Disable Interactive Login

Marking accounts as not needing interactive login.

Account Lockout Threshold

Limiting the number of incorrect password attempts before an account is locked.

Inactivity Lock

Automatically locking the system after a period of inactivity.

AutoRun (deprecated)

A feature that automatically executes a file on removable media. (disabled in Windows 7 and later).

AutoPlay

A Windows feature that allows users to choose what happens when removable media is inserted.

Study Notes

• To prevent unauthorized data viewing, data encryption can be used
• Full Disk Encryption (FDE) encrypts everything on a drive
• FDE is also known as encrypting data at rest
• Individual files/folders can be encrypted instead of the whole drive
• NTFS on Windows allows choosing specific items for encryption
• Encrypting USB drives is useful due to their small size and ease of loss
• Managing decryption keys is vital along with encrypting data
• Losing the decryption key results in permanent data access loss
• Active Directory environments can store keys for Microsoft NTFS and BitLocker
• Storing keys in Active Directory allows restoration from backup if the system has an issue
• Use strong passwords that are difficult to guess or brute force
• Password complexity is also known as entropy, which measures unpredictability
• Avoid single words or obvious passwords
• Mix uppercase, lowercase, and special characters
• A strong password is considered 8 characters or longer
• Use a phrase or series of words
• Passwords expire after a set time, usually 30-90 days
• Systems remember previous passwords to prevent reuse
• Critical systems may require more frequent password changes
• Password reset processes need clear verification steps
• Default usernames and passwords exist for switches, routers, and other devices
• Change default passwords during setup for security
• Attackers often try default credentials first
• UEFI BIOS has administrator and user passwords
• Administrator passwords are required to make changes to the BIOS
• User passwords stop the boot process until entered
• Require passwords, never allow blank passwords, and disable auto-login
• Operating systems should automatically lock the screen when a user is away
• Windows 10 and 11 have lock screen settings under personalization
• Configure screen lock for automatic activation after inactivity
• Use locking hardware for laptops, tablets, etc., to secure them to a fixed point
• Sensitive information is categorized as Personally Identifiable Information (PII)
• PII includes names, addresses, phone numbers, Social Security numbers, etc.
• Be aware of surroundings when working with PII in public
• Use a privacy filter in public areas to prevent screen viewing

User Rights

• Once authenticated, users get rights and permissions to access resources
• Assign specific rights and permissions based on job function, not administrator access
• Assign users to groups with associated permissions
• Limit network access during specific hours (e.g., midnight to 4:00 AM)
• Disable accounts not needing interactive login
• Disable unnecessary or guest accounts

Account Restrictions

• Some accounts are created by default or with application installations
• Mark service accounts as never needing interactive login to prevent login at a username prompt
• Ensure operating systems do not have default settings in authentication options
• Limit password attempts to prevent brute force attacks
• The security policy in Windows is called Interactive logon: Machine account lockout threshold
• Use automatic screen locking after inactivity
• There is a security policy for this called Interactive logon: Machine inactivity limit
• AutoRun (Windows Vista and earlier) automatically ran files from removable media
• AutoRun was removed in Windows 7 and later due to security concerns
• AutoPlay in Windows allows choosing actions for removable drive insertion
• AutoPlay options include configuring storage settings, taking no action, opening File Explorer, or asking each time
• Disable AutoPlay and AutoRun to prevent accidental execution of unexpected files from removable drives