3.9: Protection Against Threats
Eduqas / WJEC
Network Forensics & Penetration Testing
What is network forensics?
Network forensics is the monitoring of a network to identify unauthorised intrusions. It is also used to record and analyse attacks on a network and to gather other information about how the network is performing.
It is important for organisations to identify weaknesses in their networks so that they can fix them and be prepared for any type of attack or malware.
Footprinting is one method of evaluating a network’s security. This is when a security team puts itself in the attacker’s shoes by obtaining all publicly available information about the organisation and its network.
Footprinting allows the company to discover how much detail a potential attacker could find out about a system. The company can then limit the technical information about its systems that is publicly available.
Penetration tests are carried out as part of ethical hacking. Ethical hacking is when an organisation gives permission to specific 'good' hackers to try and attack a system so that the weak points can be highlighted and then fixed.
The purpose of a penetration test is to review the system's security to find any risks or weaknesses and to fix them.
There are four main types of penetration tests:
Internal tests are to see how much damage could be done by somebody within the company with a registered account.
External tests are for white hat hackers to try and infiltrate a system from outside the company.
Blind tests are done with no inside information, to simulate what a real attacker would have to do to infiltrate the system.
Targeted tests are conducted by the company's IT department and the penetration team cooperating together to find faults in the system.
Anti-Malware & Firewalls
Anti-malware software is used to locate and delete malware, like viruses, on a computer system. The software scans each file on the computer and compares it against a database of known malware. Files with similar features to malware in the database are identified and deleted.
There are thousands of known malware programs, but new forms are created each day by attackers, so anti-malware software must be regularly updated to keep systems secure.
Other roles of anti-malware software:
Checking all incoming and outgoing emails and their attachments.
Checking files as they are downloaded.
Scanning the hard drive for viruses and deleting them.
A firewall manages incoming and outgoing network traffic.
Each data packet is processed to check whether it should be given access to the network by examining the source and destination address.
Unexpected data packets will be filtered out and not accepted to the network.
Other roles of a firewall include:
Blocking access to insecure / malicious web sites.
Blocking certain programs from accessing the internet.
Blocking unexpected / unauthorised downloads.
Preventing specific users on a network accessing certain files.
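The packet checking described above, as an added illustration that is not part of the original page: a small default-deny filter that matches each packet's source address, destination address and destination port against an ordered rule list (all networks, addresses and rules are constructed examples).

```python
import ipaddress
from typing import List, Optional

class Rule:
    """One firewall rule: which source/destination networks and port it matches, and what to do."""
    def __init__(self, src: str, dst: str, port: Optional[int], action: str):
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.port = port          # None means "any destination port"
        self.action = action      # "allow" or "deny"

# Constructed rule set for an imaginary office LAN 192.168.1.0/24 (hypothetical addresses).
# Rules are checked from top to bottom; the first matching rule decides.
RULES: List[Rule] = [
    # Staff machines may open HTTPS connections to anywhere on the internet.
    Rule("192.168.1.0/24", "0.0.0.0/0", 443, "allow"),
    # The mail server 192.168.1.10 accepts SMTP from any outside address.
    Rule("0.0.0.0/0", "192.168.1.10/32", 25, "allow"),
    # Nothing from the private 10.0.0.0/8 range may reach the LAN at all.
    Rule("10.0.0.0/8", "192.168.1.0/24", None, "deny"),
]

def filter_packet(src_ip: str, dst_ip: str, dst_port: int, rules: List[Rule] = RULES) -> str:
    """Return "allow" or "deny" for one packet; unexpected packets fall through to deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst and (rule.port is None or rule.port == dst_port):
            return rule.action
    return "deny"   # default deny: anything no rule expected is filtered out

if __name__ == "__main__":
    # Constructed sample packets: (source, destination, destination port)
    for pkt in [("192.168.1.25", "93.184.216.34", 443),
                ("203.0.113.7", "192.168.1.10", 25),
                ("203.0.113.7", "192.168.1.10", 22),
                ("10.4.4.4", "192.168.1.30", 443)]:
        print(pkt, "->", filter_packet(*pkt))
```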
Other Methods of Protection
Double authentication, also known as two-factor authentication (2FA), is a method of confirming someone's identity by requiring two forms of authorisation, such as a password and a PIN code sent to a mobile phone.
Usernames must be matched with a secure password to minimise the chances of unauthorised users accessing a system.
Passwords should contain a mix of uppercase and lowercase letters, punctuation and numbers. Passwords should be of a substantial length (at least 8 characters) and should be regularly changed.
User Access Levels
Access levels are used to only allow certain users to access and edit particular files.
'Read-Only' access is when a user can only view a file and is not allowed to change any data.
For example, a teacher might set homework instructions as read-only for students to view.
'Read and Write' access allows a user to read and edit the data in a file.
For example, a teacher might set an online workbook as read and write access for students to fill in.
It is important to set access levels so that only authorised users can view and change data. The more users who have access to a file, the more likely it is to be compromised. Certain users may also have no access to a file, meaning they can neither view nor edit it.
Encryption is the process of scrambling data into an unreadable format so that attackers cannot understand it if intercepted during transmission.
The original data (known as plaintext) is converted to scrambled ciphertext using an encryption key. Only at the correct destination will the encryption key be used to convert the ciphertext back into plaintext to be understood by the receiving computer.
A very simple method of encryption is to use the XOR logical operator. XOR is used on the plaintext and key together to create the ciphertext. Using XOR again on the ciphertext and key will reverse the encryption to reveal the plaintext.
Encryption using XOR:
Plaintext  = 00110100
Key        = 10100110 (XOR)
Ciphertext = 10010010
Decryption using XOR:
Ciphertext = 10010010
Key        = 10100110 (XOR)
Plaintext  = 00110100
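The XOR encryption and decryption above, as an added worked example that is not part of the original page: the first function reproduces the 8-bit calculation exactly, and the second generalises it to a whole message by repeating the key across every byte (the message and key values are constructed).

```python
def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length binary strings bit by bit, e.g. plaintext with key."""
    if len(a) != len(b) or set(a + b) - {"0", "1"}:
        raise ValueError("inputs must be binary strings of equal length")
    # A bit of the result is 1 exactly when the two input bits differ.
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply the same idea to a whole message: each byte is XORed with the key byte
    at the matching position, repeating the key when the message is longer."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))

def round_trip_bytes(message: bytes, key: bytes) -> bool:
    """True if decrypting the ciphertext with the same key gives the message back."""
    ciphertext = xor_bytes(message, key)
    return xor_bytes(ciphertext, key) == message

if __name__ == "__main__":
    # The page's own values: encrypting, then decrypting with the same key
    plaintext, key = "00110100", "10100110"
    ciphertext = xor_bits(plaintext, key)
    print("Ciphertext =", ciphertext)                 # 10010010
    print("Plaintext  =", xor_bits(ciphertext, key))  # 00110100
    # Constructed message: a repeating one-byte key is only a teaching example,
    # not a secure cipher, but it shows the same symmetric property.
    print(round_trip_bytes(b"meet at noon", b"\xa6"))
```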
3.9 - Protection Against Threats:
1a. What is network forensics? Why is it important? 
1b. Explain what is meant by footprinting and why companies do it. 
2. What is an ethical hacker? 
3a. Describe the purpose of penetration tests. 
3b. Describe each type of penetration test. 
4. Describe the purpose of anti-malware software and its different roles. 
5. Describe the purpose of a firewall and its different roles. 
6a. Describe double authentication. 
6b. State three rules for choosing a strong password. 
7. Describe the three types of access level. 
8a. Describe the purpose of encryption. 
8b. Explain how encryption works, using the terms plaintext, key and ciphertext.