Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts.

Q. As a Microsoft Certified Professional, I am concerned that I am not protecting my systems to the best of my ability. What do you suggest I do besides installing antivirus software on my systems?

A.  You need to make sure that you update your system with hotfixes and service packs. In addition, make sure that you are trying to block malware from entering your network in the first place. You can also educate your users so that they are aware of the implications of downloading malware onto their machines.

Q. I am bothered by the fact that there are so many freely available tools on the Internet that users in my company can get to. What can I do to protect myself and my organization?

A.  Quite simply, you can run the latest antivirus software on your systems. This will find most Trojans and quarantine them from your systems. You can also block access to a lot of Web sites that are inappropriate to the business climate. The latter step is easy for users to get around, though, so your best bet is to have updated antivirus software on your systems.

Q. I am confused about the whole hacker thing. Can you please explain the correct terminology?

A.  This is a very common issue with new security analysts. Hackers, also called crackers, are knowledgeable people who perform malicious cybercrimes on systems with the purpose of doing harm or causing havoc. The true definition of the term hacker is simply a person who really likes to tinker with computer systems; when this activity gets malicious, the term hacker acquires a bad meaning.

Q. What exactly is the difference among a virus, a worm, and a Trojan horse? I thought they were all the same thing. What are the main differences among them?

A.  When discussing a virus, you should remember that it is really just a simple program written to exploit something on your system. You generally have to invite the virus onto your system, and when you do, it usually is contained on the system unless you spread it yourself. A worm is much more devious. Remember that a worm does the same thing as a virus except it can self-replicate all over your network. A Trojan horse is the same as a virus or a worm, except the Trojan is usually a virus or worm hidden within something else so that you are deceived into running the program on your system.

Q. I am new to incident response and am fairly confused about what a chain of custody is. Can you shed some light on it so that I know what it is and why I need to consider it?

A.  A chain of custody must be established to show how evidence made it from a crime scene to the courtroom. The chain of custody proves where a piece of evidence was at any given time and who was responsible for it. You need to consider keeping a chain of custody because if you need to present evidence in a court of law, you will have the documentation to prove that nothing went wrong with the evidence you collected and that it wasn't tampered with.
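The answer above says a chain of custody must show where the evidence was, who was responsible for it, and that it was not tampered with. The following Python script, added here as an illustration and not taken from the book, shows one way to keep such a record: every handoff is logged with a timestamp, the custodian and the action, each entry carries a SHA-256 fingerprint of the evidence as received and of the previous entry, and a verify step reports any evidence that changed between handoffs or any log entry edited after the fact. The case and evidence identifiers, the custodian names and the sample evidence bytes are all constructed for the example; the hash-linked design is a common practice, not something the book prescribes.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used as the integrity fingerprint of evidence and log entries."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int               # 1-based position in the log
    timestamp: str         # when the handoff happened (ISO 8601, recorded by the handler)
    custodian: str         # who is responsible for the evidence after this entry
    action: str            # what was done: collected, transferred, imaged, stored, ...
    evidence_hash: str     # fingerprint of the evidence as verified at this handoff
    prev_entry_hash: str   # fingerprint of the previous entry; "" for the first entry
    entry_hash: str = ""   # fingerprint of this entry, filled in when it is recorded

    def compute_hash(self) -> str:
        # Hash every field except entry_hash itself, in a canonical JSON form.
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


class ChainOfCustody:
    """Append-only custody log for one evidence item in one case (illustrative design)."""

    def __init__(self, case_id: str, evidence_id: str, evidence: bytes) -> None:
        self.case_id = case_id
        self.evidence_id = evidence_id
        self.original_hash = sha256_hex(evidence)  # fingerprint taken at collection time
        self.entries: List[CustodyEntry] = []

    def record(self, timestamp: str, custodian: str, action: str, evidence: bytes) -> CustodyEntry:
        """Log a handoff; the receiving custodian re-hashes the evidence they were given."""
        prev_hash = self.entries[-1].entry_hash if self.entries else ""
        entry = CustodyEntry(len(self.entries) + 1, timestamp, custodian, action,
                             sha256_hex(evidence), prev_hash)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> List[str]:
        """Return a list of problems; an empty list means the chain is intact."""
        problems: List[str] = []
        expected_prev = ""
        for position, entry in enumerate(self.entries, start=1):
            if entry.seq != position:
                problems.append(f"entry {position}: sequence number is {entry.seq}")
            if entry.prev_entry_hash != expected_prev:
                problems.append(f"entry {position}: does not link to the previous entry")
            if entry.entry_hash != entry.compute_hash():
                problems.append(f"entry {position}: entry was altered after it was recorded")
            if entry.evidence_hash != self.original_hash:
                problems.append(f"entry {position}: evidence hash differs from the collection hash")
            expected_prev = entry.entry_hash
        return problems


# Constructed sample evidence: a made-up event log extract standing in for a disk image.
SAMPLE_EVIDENCE = b"2003-04-01 02:13:07 server01 Security 529 Logon failure: user=svc_backup\n"


def build_demo_chain() -> ChainOfCustody:
    """A clean chain: collection, transfer to the analyst, imaging, and storage."""
    chain = ChainOfCustody("CASE-0001", "EVID-01", SAMPLE_EVIDENCE)  # constructed identifiers
    chain.record("2003-04-01T03:00:00Z", "J. Doe (first responder)", "collected", SAMPLE_EVIDENCE)
    chain.record("2003-04-01T09:30:00Z", "A. Smith (forensic analyst)", "transferred", SAMPLE_EVIDENCE)
    chain.record("2003-04-01T10:15:00Z", "A. Smith (forensic analyst)", "imaged", SAMPLE_EVIDENCE)
    chain.record("2003-04-02T17:00:00Z", "Evidence locker #4", "stored", SAMPLE_EVIDENCE)
    return chain


def demo_tampering() -> List[str]:
    """Show the two failure modes the log is meant to expose."""
    chain = build_demo_chain()
    # 1. The evidence itself changed between handoffs (one extra byte in the content).
    altered = SAMPLE_EVIDENCE.replace(b"svc_backup", b"svc_backupX")
    chain.record("2003-04-03T08:00:00Z", "B. Lee (reviewer)", "transferred", altered)
    # 2. Someone edits an earlier log entry after it was recorded.
    chain.entries[1].custodian = "someone else"
    return chain.verify()


if __name__ == "__main__":
    print("intact chain problems:", build_demo_chain().verify())
    for problem in demo_tampering():
        print("found:", problem)
```

Running the script reports no problems for the clean chain and two findings for the tampered one: entry 2 no longer matches its own fingerprint, and entry 5 shows an evidence hash that differs from the one taken at collection. In practice the log would be signed or kept on write-once media so the fingerprints themselves cannot be quietly regenerated; the script only shows the structure of the record.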



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
