Summary of Exam Objectives

In this chapter we covered a number of problems that might occur on a Microsoft-based network. To respond to and recover from security breaches, you need to understand the types of attack to which you are vulnerable and what you can do to protect yourself against them.

We discussed security incidents and how to deal with them. The most effective strategy is to minimize both the number and the severity of incidents: limit your exposure in advance and plan properly for the incidents that still occur. A common weakness in security infrastructure is that too little effort is spent on the possibility that something will go wrong. You have to plan for an attack and be prepared to deal with it after it has been attempted, or worse, after it has succeeded.

Remember your terminology. There are many labels for malicious and nonmalicious security practitioners; in particular, crackers are people who break into systems with the intent of doing harm or causing havoc. We also looked at malware-based attacks, since they are so common on Microsoft networks.

A computer virus is a self-replicating program that attaches itself to other programs or files and interferes with a computer's hardware, operating system, or application software. Viruses are designed to spread and to elude detection. Like any other program, a virus must be executed (loaded into memory) before it can function, at which point the computer follows the virus's instructions; the malicious action it carries out beyond replicating itself is referred to as its payload. A worm is a self-replicating program that does not alter files but resides in active memory and copies itself across a network without needing a host program. A Trojan horse (or Trojan, for short) superficially resembles a virus but is in a category of its own: it poses as a legitimate or desirable program to trick the user into running it, and it does not replicate on its own. The Trojan horse is often referred to as the most elementary form of malicious code. Make sure that you are very familiar with the distinctions between these types of malware for the exam.

We reviewed the fundamentals of DoS attacks and why they are so easy to perform yet hard to defend against. We also covered the difference between a DoS attack and a DDoS attack, and the components of a DDoS attack: the attacker's client, the master (or handler) that receives commands from it, and the daemons running on compromised zombie hosts that actually generate the flood. We looked at the damage a remote-access backdoor such as Back Orifice can do if it is not detected on your systems.

We tied up the chapter with a discussion of incident response: what to do when an incident occurs. We looked at the field of forensics, which combines investigative techniques and computer skills for the collection, examination, preservation, and presentation of evidence. Information acquired through forensic procedures can be used in the investigation of internal problems or in criminal or civil cases. Awareness should be promoted so that users know to contact the incident response team when incidents such as hacking occur, and so that management will support the investigations the team conducts. Because any evidence acquired in an investigation may be used in court, it is vital that strict procedures be followed in any forensic investigation.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
