
Windows Security Situation

This document outlines the security landscape and current threats facing Windows operating systems, emphasizing the importance of understanding vulnerabilities in hardware, operating systems, and applications. It discusses various types of cyber threats, including automated attacks, targeted attacks, and social engineering, while also highlighting the significance of implementing security measures like defense in depth and the principle of least privilege. The module aims to educate users on protecting their systems and data through interactive learning methods and individual assignments.

Uploaded by

Mark Hyde
Copyright
© © All Rights Reserved

Windows Security Situation and Current Threats

Modes of Learning
For this module, the following modes of learning will be used:

• Interactive Module
• Online Reading
• Individual Assignments
• Self-Quizzes

Introduction
Welcome to Operating Systems Security - Windows. In this module we will look at the threat landscape
for the Windows operating system and some of the technology available to protect the system from
these threats.

As you begin this module, please refer to the timeline and make note of any assessments or important
dates. If you have any questions, ask your instructor.

Learning Outcomes
Upon completion of this interactive module, you will be able to:

1. Explain the Microsoft Windows threat landscape and security threats
2. Analyze basic components of security in Windows Operating Systems

Key Terms and Concepts


Listed below are some important key terms and concepts within this module.

• The Attack Surface
• Hardware Vulnerabilities
• Operating System Vulnerabilities
• Application Vulnerabilities
• User Error
• Keylogger
• Virus/Worm/Trojan
• Adware/Spyware
• Phishing
• Remote Administration Software
• Cyber Fraud
• Social Engineering
• Defense in Depth
• Principles of Least Privilege
• Firewall
• Security Policies
• Authorization and Authentication
• Privacy and Integrity
• Non-Repudiation
• Hashing

Windows Security Situation and Current Threats


Windows is an operating system for computers, tablets, and smart phones. It should be invisible to the
user who wants to get work done. It should be free of worry and let the user concentrate on the
applications they need and like to use. Sadly, this is not the case. If you choose to ignore the operating
system of your device, the weaknesses of the system will eventually lead to heartache.

If you are taking this course then you are clearly interested in security. Either you are interested in
securing your own devices or your job entails managing a number of devices in your organization. This
course is focused on the managing of many devices in an organization. Your organization may have a
small number of computers organized into a workgroup, which is defined as having typically 10
computers or less.

Alternatively, you may have a large number of computers organized into domains which are managed by
Microsoft’s Active Directory infrastructure. Again, this last viewpoint is used for this course. Basically this
means that we will be covering some advanced topics that are important for large networks of
computers but will be less useful for small systems.

The Attack Surface


The attack surface is the sum total of all the areas of your system that can be attacked. On a modern IT
system this can include many components such as the physical devices, operating systems, applications,
the network infrastructure, and the users of the system.

The administrator of a modern system is at a distinct disadvantage. They are responsible for the
complete system and if even one component is weak and lets an attack through, they are responsible.
The attacker on the other hand has the leisure to probe every aspect of a system and need only find the
one weakness that will let her through.

Vulnerabilities in Our Devices


The security threats that we need to deal with can be divided according to the component that has the
weakness:

• Hardware Vulnerabilities- These tend to be of minor concern since hackers typically do not have
access to our physical devices. Having said that, however, if a USB keylogger is installed between
the keyboard and the computer, all of the keystrokes, including passwords, will be recorded.
• Operating System Vulnerabilities- The operating system is incredibly complicated and hard to
design without any vulnerability. The developer has to work constantly to fix any vulnerabilities
that are discovered.
• Application Vulnerabilities- Applications also contain vulnerabilities that must be constantly
fixed. Patches and fixes are constantly being released by Microsoft and independent developers
for their applications.
• User Error- With systems as complicated as computers, it is no wonder that users can make
mistakes which lead to security breaches. Constant training and reminders to adhere to security
policies are required.

Vulnerabilities in Our Devices


One method used to minimize the attack surface is to harden the operating system. This technique
requires the administrator to shut down any service, process, and application that is not needed for the
functionality of the machine. On the network interface, only ports that are required for communication
are left open, any others must be closed.
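
An added example (not part of the original module): a short Python check that compares a constructed `netstat -ano` capture against an allowlist of the ports a machine's role requires. The sample output, the allowlist and the function names are assumptions made for illustration.

```python
"""Compare listening TCP ports from `netstat -ano` output with a hardening allowlist."""

# Constructed sample of `netstat -ano` output from a hypothetical file server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1200
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       3120
  TCP    10.0.0.15:49712        10.0.0.2:445           ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:8080              [::]:0                 LISTENING       5516
  UDP    0.0.0.0:5353           *:*                                    2044
"""

# Assumed policy for this role: only the RPC endpoint mapper (135) and SMB (445).
ALLOWED_TCP_PORTS = {135, 445}
LOOPBACK = {"127.0.0.1", "[::1]"}


def listening_sockets(netstat_text):
    """Yield (address, port, pid) for every TCP socket in the LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five columns: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        address, _, port = fields[1].rpartition(":")
        yield address, int(port), int(fields[4])


def unexpected_listeners(netstat_text, allowed_ports):
    """Return sorted (port, pid) pairs reachable from the network but not allowed."""
    findings = set()
    for address, port, pid in listening_sockets(netstat_text):
        if address in LOOPBACK:
            continue  # bound to loopback only, not reachable from the network
        if port not in allowed_ports:
            findings.add((port, pid))
    return sorted(findings)


if __name__ == "__main__":
    for port, pid in unexpected_listeners(SAMPLE_NETSTAT, ALLOWED_TCP_PORTS):
        print(f"TCP port {port} is open but not required (owning PID {pid})")
```

The PID column can be matched to a service name with `tasklist /svc` before deciding whether the service should be disabled.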

Exercise: Keylogger
Search the Internet and see how easy it is to purchase a USB keylogger. Please take a moment to record
your answer.

Compare your answers with the following: Keyllama, Keykatcher, KeyGrabber, RioRand, KeyGhost

Automated Attacks
The following techniques rely on a shotgun approach to infecting computing devices. The malicious code
is placed in a file and released onto the Internet or an internal organization network. Its transmission
will then proceed depending on the attractiveness of the file or the ingenious coding built into the
software. The hacker is trying to cast as wide a net as possible, not sure whom he will ensnare.

• Viruses and Worms- Viruses and worms are small software programs or code that enter your
computer without your knowledge and perform some unwanted action. Typically the intent is
malicious and the action is damaging to your machine. However, there can be a whole range of
actions possible including hiding themselves from you and working in the background to retrieve
as much of your personal information as possible. As part of their design viruses and worms try
to replicate themselves to other machines. There is a small difference between a virus and a
worm but because their effects can be the same they are usually treated as one. A computer
virus must be part of something else such as an executable file, disk boot file, macro or a web
page with code in it. This is akin to a biological virus which must infect a cell before it can
replicate. In contrast a worm is independent. It can be an executable file and can replicate under
its own control.
• Trojan- A Trojan is also a malicious file but its characteristic is that it is disguised as something
else, usually a useful utility. It can do the same range of damage as a virus or a worm. However,
one additional action that a Trojan might do is install a backdoor (RAT) into the computer. This
allows the hacker to gather information from the device, for example all the keystrokes being
entered, or remotely control the computer, for example to launch a denial of service attack.
Trojans do not replicate themselves since they use another method to infect a machine.
• Remote Administration Software (RAT) - Remote administration software (RAT) can be
legitimate software such as Windows Remote Desktop that is commonly used by systems
administrators to manage and troubleshoot remote computers. In the context we are examining
here however it is software installed by a Trojan and used to capture keystrokes, mirror the
computer screen to the attacker’s display, download/upload files, open a command prompt or
install software without the user’s knowledge.
• Spyware- Spyware scans your computer for information which it can then transmit back to the
hacker. It can be a virus, worm or a Trojan. Passwords, bank information or credit card numbers
might all be useful information to a hacker.
• Adware- Adware is software that promotes products or services. It may offer these through an
advertisement on web pages or a pop-up may appear on your screen. It may also scan the
cookies stored on your computer to examine your browsing and shopping habits.

Bring Your Own Device (BYOD)


With devices such as smart phones, tablets, and computers proliferating and each of us having a
preference for a specific brand, corporations often allow employees to use their personal device for
work purposes.

This is particularly hazardous if their device needs to connect to the organization’s internal network
since a malware-infected computer will quickly infect the rest of the network. Quarantining such a
device and checking its security health before allowing it access is required in this scenario.

Cloud Insecurity
Advantages of the Cloud: Using third-party data storage and processing, known as “the cloud”, is a trend
that continues to gather momentum. The advantages are significant. Saving money is an important
driver of this approach but so is automated backup, less investment in hardware, fewer people
employed in the IT department and so on.

Disadvantages of the Cloud: There is concern over accessibility over the Internet but outages are
infrequent. The security infrastructure of these services is normally robust. One issue is that the data
may be accessible to law enforcement without proper vetting. If the data is stored on servers in the
United States, even if the organization is in a different country, it becomes subject to US rules.

Targeted Attacks
Unlike an automated attack, which doesn’t distinguish between victims, a targeted attack seeks
access to a specific target, be it an individual or an organization.

Cyber Fraud
Cyber fraud includes credit card fraud, identity theft, theft of industrial secrets and account hijacking.
These activities provide a financial gain to the fraudster. There are many variations of cyber fraud. A
small sampling includes:

• Ransomware- In this scam malware limits access to your files until you pay a “ransom” to
disable the malware. Ransomware can also lock a smartphone until money has been paid.
• Phony Sale- Common on auction and other for sale sites, an object is placed for sale at well
below its market price. After the item has been paid for, the seller disappears without shipping
the item.
• Real Estate Fraud- Fraudster places an ad for sale or rent of an apartment, house or vacation
property to which they have no right. After paying a deposit, the victim discovers that the
property was never available from the legitimate owner.
• Romance Scam- The fraudster strikes up a relationship with a person through a dating or social
media site. After gaining their confidence they ask for money and then disappear.
• Overpayment- There are many variations on this scam but the gist of it is that the fraudster
sends the victim an “overpayment” of some sort, say a larger deposit on a rental than was asked
for. The fraudster asks for the “overpayment” to be returned. The original payment was
phony in the first place.

Some more terminology that you need to know:

• Phishing- Tricking a user into disclosing personal information such as passwords, financial
information or social security numbers by asking them to type the information into a trusted
web site.
• Pharming- In this exploit DNS information is corrupted such that a user going to a legitimate
web site will be directed to a copy of the web site under the hacker’s control.
• Denial of Service- In this attack the hacker doesn’t penetrate the target web site but instead
bombards the target with so much traffic that the target cannot service anyone else.
• Web/Social Media Scraping- The practice of retrieving information from web or social media
sites and storing it locally, usually to analyze it, for example, to determine shopping preferences.
This can also be used to obtain personal information (family, pet names) that might be useful for
breaking passwords.
• Cyber Warfare- Politically motivated attacks are driven by ideology and aim to disturb or
destroy the network infrastructure of the other party.
• Government Espionage- The aim here is to steal information from or about a government
organization.
• Corporate Espionage- The aim here is to steal valuable corporate secrets including
trade/proprietary information that could be valuable to a competitor. In the case of the Sony
Pictures hack, the motive of the (purported) North Korean hackers was simply revenge for the
movie The Interview.
• Stolen Credit Card & Financial Information- Typically when credit card information is stolen in
bulk the aim is to sell it forward to criminals who can make use of it for fraud.

Exercise: Cyber Fraud


Look up the FBI’s most wanted cyber criminals: FBI’s Most Wanted Cyber Criminals

Exercise: Corporate Espionage


Read about the Sony Pictures Hack

Social Engineering
The attacker might approach an employee, claim to be from the help desk or IT department and, on the
pretext of testing the system, ask for a password. You might get a telephone call from
your “bank” asking for your credit card number, and so on. Although the attacker can only expect a low
success rate with this approach, there are enough gullible people to make it worthwhile.

Finding passwords written on a post-it-note and stuck on the underside of a keyboard is easy if you are
on the night-time cleaning staff.

Even attacking a network with a great firewall is possible if you place the malicious software on a USB
memory stick and leave it lying around loose on someone’s desk. Who can resist the urge to find out
what is on the USB key by plugging it into their computer?

The correct response to social engineering is education. The organization must have policies covering
these situations. They must be communicated forcefully and regularly to the employees through
newsletters, seminars, meetings and posting on the organization’s internal website. Employees must be
drilled in the following concepts:

1. Be Suspicious
• Any telephone call, text, email or even a personal encounter with someone you do not
know should always be met with caution.
• Any suspicious requests should be deflected and reported to security personnel.
2. Verify Identity
• If someone approaches you for a request ask for identification such as photo ID.
• If the request comes over the telephone ask for a telephone number that you can call
back.
• If a legitimate business calls you, notice that they verify your identity. Of course this
could also be a ruse; by asking to verify your identity they are building up their
credibility.
3. Be Prudent
• It is not enough to verify the identity of the person asking for the information.
• Do they also have the right or authorization to have that information?
4. Avoid Email
• Email is a particular problem because it can be spoofed so easily.
• In addition it can hide malicious software. Originally email was plain text (ASCII) and this
format cannot hide malicious code.

Now email is usually formatted with HTML, the same format as used by web pages. Now you cannot
trust the message to be free from hacker attacks. Email can be trusted only if it has been digitally signed, a
process that is too complex for most people.

Basic Concepts of Security in Windows Operating Systems
Before looking at the security concepts of the Microsoft operating system, ask yourself what are you
trying to protect?

The integrity of your computer is one goal. You must be able to login to your computer, it must function
properly, and you must be able to access your data. Another goal is to keep your data accessible,
private, and safe. Furthermore you want to be able to communicate securely with your organization’s
resources over your internal network as well as accessing resources on the Internet.

Defense in Depth
A crucial concept in security management is defense in depth. This means that there is a succession of
barriers that have to be overcome to reach the ultimate goal, each one more difficult or specific than
the last. You can see this in physical access when you secure the computer room. The building may have
a chain link fence around it with a guard station at the gate. Then you have to get through the front door
by scanning your identity card. Finally, you can access the computer room only if you can punch in the
proper number on the key pad.

The same approach is used with the Windows operating system. First you have to have an account on
the computer in order to log in.

Next you have to know the password. If you want to access a network server, your account has to have
network privileges. The server will be protected by a firewall and your actions will need to pass the
firewall’s security policies. Logging in is not sufficient however. You also have to have the appropriate
rights to access the data you want.

Principle of Least Privilege


Your workstation may be shared with other people, or maybe not. But servers on your company network
are absolutely shared. Private data of one person co-exists with private data of others on the same hard
drive. It is essential that this data remains private.

The principle of least privilege states that a user must have enough rights to do her job but no more. A
standard user can access the data she needs to do her job as well as any other functions required such
as printing. An administrator may have all rights needed to manage the system. There may also be
individuals who need to do more than a standard user but not as much as an administrator.

For example, an account operator may need to be able to change passwords and a print operator may
need to be able to manage a print queue. The system administrator is responsible for giving each user
the rights they need to do their job but no more.

Firewall
The firewall in Windows protects the OS from remote attacks. It acts as a filter on traffic from the
network by examining the packets as they arrive and denying access to them if they don’t meet pre-
defined criteria. The Windows firewall can also prevent packets from leaving the OS and entering the
network based on a different set of criteria. Although we normally think of attacks originating on the
network, our workstation may be the source of network attacks if it was infected by, for example, a
worm or virus.

A firewall is automatically installed with all modern Windows versions since Windows XP, both server
and desktop operating systems. Although the default settings may work for the majority of situations,
the administrator must know how to make changes.

Security Policies
Security policies are security settings that are configured on the workstation and domain. These are
commonly found in large organizations that have grouped their workstations into domains for
management and security reasons. A security policy is created by configuring a Group Policy Object with
certain settings.

For example, we will insist that passwords are used to login and that the password must be 6 characters
long. This policy is stored centrally in Active Directory and when a user logs in, the policy is copied to the
workstation and enforced. The benefit of security policies is that they are centrally managed, easily
enforced and standardize the security profile of the organization. Local security policies can also be
created on the workstation if it is not a member of the domain.

Authentication, Authorization, Confidentiality, Integrity, and Non-repudiation are the basic components
of any security platform. This applies to any operating system including Windows but also any
communications over a network.

Authentication
Authentication basically means prove who you are. You need to provide credentials. When you present
yourself to the system by trying to login, you claim to have an account on the system with certain
privileges. The system will ask for proof in the form of a password, a PIN, an identity card or biometric
data such as a fingerprint, retina scan or face recognition.

To increase security multi-factor authentication uses two methods of authentication instead of one. A
password plus a PIN is a good example.

Authentication is also required over networks. If the two parties are computers only some of the above
techniques would apply. Another form of credential is a digital certificate which is particularly useful to
machines. You receive a digital certificate from a web site whenever you access a secure site. You
recognize a secure web site since its URL will start with HTTPS.

When a digital certificate is used the credentials are not stored on your computer. Instead the identity of
the web site is vouched for by a third-party, a certificate authority (CA) whose credentials are included in
the digital certificate.

Authorization
Having been authenticated and logged in does not mean that you can access all parts of the system. The
concept of least privilege demands that a user is restricted to files, programs, and functions that they
require and no more. Authorization defines what a user is allowed to do and access. This is implemented
through permissions and rights.
Windows has this capability and permissions and rights are assigned to individual accounts and group
accounts. Note that the authorization concept does not apply to communications systems; it applies to
the devices that do the communications.

Confidentiality
Keeping data private and only accessible to those who have been authenticated is the job of the
operating system after the administrator has set up the permissions correctly. A further mechanism for
confidentiality is the encryption of files and folders. Windows has this capability with the Encrypting File
System (EFS). Individual files or folders can be marked for encryption as long as the NTFS file system is
used. A further capability is the encryption of a complete volume of the hard drive with BitLocker or a
USB memory stick with BitLocker To Go. It should be noted that only certain versions of Windows have
this capability.

When transmitting data across a network, privacy is also desirable. Encryption is also the method in use
here. The original data, called clear text, is transformed/garbled into unintelligible data, called cypher
text, using an encryption key.

The recipient must then turn the cypher text back into clear text with either the same encryption key
(synchronous encryption) or a different encryption key (asynchronous encryption).

Integrity
Integrity means that the information is reliable. Generally this is the responsibility of the OS for
information stored on the system. Modern file systems, particularly the NTFS file system, do a good job
of detecting corruption in files.

Moving data across a network, particularly the public Internet, presents its own series of challenges.
Error detection built into the TCP protocol is robust and error correction which is also built in to TCP
provides a high level of reliability even in the transfer of very large files.

A more troubling concern is the purposeful changing of data during transmission which can be a goal of
malicious actors on the Internet. The detection of changed data is achieved through calculating a hash.

Hashing does not serve the same purpose as encryption and, because it is just as important for security,
its function must be understood by the security professional.

Hashing is a mathematical transform. This means that input data has a hash algorithm applied to it and
the output is the hash. The crucial feature of a hash is that output is unique as long as the input is
unique. A hash cannot be calculated backwards to retrieve the original data so it is not a substitute for
encryption. If even one character in the original data is changed then the hash will be different.

Therefore, a hash is the method we use to detect a change in the data. The data and the hash can be
transmitted, often by two different routes, and the recipient can calculate the hash from the data she
receives. If the two hashes are identical, the data has not been tampered with.

Non-Repudiation
Non-repudiation is a concept used to prevent denial of something. Without non-repudiation
eCommerce on the Internet would grind to a halt. Non-repudiation provides a high level of assurance
that the authentication of a contract or message is valid. The idea is that you cannot change your mind
by claiming you did not perform the action initially.

A typical scenario might involve the placing of an order over the Internet. The order is shipped to the
recipient but when it shows up the recipient claims he never ordered it in the first place. For consumers,
inputting credit card information may be sufficient to prove identity and confirm an order. For business
to business dealings the exchange of a digital certificate may be required to prove identity and confirm
an order.

Hashing Technical Details


Because hashing is so important to many aspects of computer security we need to delve further into its
technical details.

Example:

Message to  hash algorithm to  hash

"The quick brown fox jumps over the lazy do


<https://en.wikipedia.org/wiki/The_quick_brown_fox_jumps_over_the_lazy_dog>g." -> MD5 algorithm
-> e4d909c290d0fb1ca068ffaddf22cbd0

The hash has the following properties that are important:

• A unique input produces a unique output
• If two unique inputs produce the same hash, this is known as a hash collision
• A change in the input message produces a change in the hash
• The hash is always the same length no matter how long or short the message is
• A hash cannot be reversed to find the original input
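
An added example (not from the original module) for the properties listed above and for the integrity check described under Integrity: it reproduces the module's MD5 value, then verifies a received message against a digest delivered by a separate route. SHA-256 is used for the check because the module advises against MD5; the messages and function names are constructed for illustration.

```python
import hashlib
import hmac

FOX = b"The quick brown fox jumps over the lazy dog."

# Constructed messages: what the sender wrote and what an altered copy looks like.
ORIGINAL = b"Transfer 250.00 to account 12345678"
TAMPERED = b"Transfer 950.00 to account 12345678"


def md5_hex(data):
    """MD5 digest as hex; used here only to reproduce the module's example."""
    return hashlib.md5(data).hexdigest()


def sha256_hex(data):
    """SHA-256 digest of a byte string as 64 hex characters."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_chunks(chunks):
    """Hash data that arrives in pieces (a large file or a network stream)."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def differing_bits(hex_a, hex_b):
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify(received, expected_hex):
    """True when the received bytes hash to the digest obtained by another route."""
    actual = sha256_hex(received)
    # compare_digest takes the same time wherever the first mismatch occurs.
    return hmac.compare_digest(actual, expected_hex.strip().lower())


# The digest the sender would publish separately from the message itself.
PUBLISHED_DIGEST = sha256_hex(ORIGINAL)

if __name__ == "__main__":
    print("MD5 of the module's sentence:", md5_hex(FOX))
    print("MD5 without the final period:", md5_hex(FOX[:-1]))
    print("digest length, empty input:  ", len(sha256_hex(b"")))
    print("digest length, 1 MB input:   ", len(sha256_hex(b"x" * 1_000_000)))
    changed = differing_bits(sha256_hex(ORIGINAL), sha256_hex(TAMPERED))
    print("bits changed by one character:", changed, "of 256")
    print("original verifies:", verify(ORIGINAL, PUBLISHED_DIGEST))
    print("tampered verifies:", verify(TAMPERED, PUBLISHED_DIGEST))
```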

Attacking a Hash
Attacking a hash can be accomplished theoretically by using a hash collision. You may question the
usefulness of a hash if there is a chance of a collision at all; however, the probability that two messages
produce the same hash is usually 1 in several billion or trillion.

This probability depends on the hash algorithm and is the reason that older algorithms should not be
used. So an attack on a hash is an unlikely scenario. Nevertheless Microsoft reported in 2012 that the
authors of the Flame malware used an MD5 collision to issue a forged Windows code signing certificate.

Hash Algorithms
The equation used to process the hash is the algorithm. Many algorithms exist but the 3 that you will
see most often in this course are MD5 (Message Digest 5), SHA-1 (Secure Hash Algorithm 1) and
Windows NT.

• MD5: Was created by Ronald Rivest of RSA Security in 1991. It is a 128 bit/16 byte hash. MD5 is
subject to hash collision weakness and should not be used.
• SHA-1: Created by the US National Security Agency in 1995. It is a 160 bit/20 byte hash. SHA-1
has also been attacked and it is recommended that SHA-2 or SHA-3 be used.
• Windows NT: Passwords are stored in all versions of Windows as a hash computed using the
MD4 algorithm.

Hash algorithms are published so that anyone, including hackers, can see how they work. Otherwise
how could programmers include the code in their applications? The algorithms do not depend on
secrecy to be effective; instead they depend on the sophistication of their mathematics.

Cracking a Hash
Since you cannot calculate a hash in reverse to reveal the original clear text, how can you crack a hash?
The answer is that you have to calculate the hash of your best guess and see if the result matches the
hash of your target.

The obvious problem is that it could take too much time to calculate all of the possibilities. This is the
reason that passwords are not stored in the Windows OS as clear text. Instead the hash of the password
is stored.
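
An added example (not from the original module) of guess-and-compare seen from the defender's side: an audit that hashes a short list of common passwords and reports which stored hashes match, together with the size of the search space for a given password length. The accounts, the word list and the guessing rate are constructed, and unsalted SHA-256 stands in for the MD4 hash the module mentions.

```python
import hashlib


def digest(password):
    """Unsalted SHA-256 of a password (assumed storage format for this demo)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed password store: account name -> stored hash.
STORED = {
    "alice": digest("summer"),
    "bob": digest("T7#pq!vL2x"),
    "carol": digest("123456"),
}

# Constructed deny-list of common passwords an auditor would test.
COMMON = ["password", "123456", "qwerty", "summer", "letmein"]


def audit(stored, candidates):
    """Return {account: matched password} for stored hashes equal to a candidate's hash."""
    # Hash every candidate once, then each account costs a single lookup.
    lookup = {digest(word): word for word in candidates}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def keyspace(alphabet_size, length):
    """Number of possible passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size, length, guesses_per_second):
    """Time needed to try every password of that length at the given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    for user, password in sorted(audit(STORED, COMMON).items()):
        print(f"{user}: stored hash matches the common password {password!r}")
    rate = 1e9  # assumed guessing rate, hashes per second
    for label, alphabet in (("lowercase letters", 26), ("printable ASCII", 95)):
        secs = worst_case_seconds(alphabet, 6, rate)
        print(f"6 characters, {label}: {keyspace(alphabet, 6):,} candidates, "
              f"{secs:.1f} s at {rate:.0e} guesses/s")
```

Storing a hash instead of clear text only slows an attacker down when the password itself is hard to guess, which is why an audit like this belongs next to a minimum-length policy.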

Exercise: Calculate a Hash


There are many hash calculators available for download on the Internet. In addition there are web sites
that will calculate the hash for you as well. This last is sufficient for this exercise.

Click here to learn more: Online Hash Generator

Enter any word or phrase you want. Examine the hashes generated. Notice that over a dozen different
hashes were generated including MD4, MD5, and various versions of SHA.

Module Summary
In this module we have explored:

1. The attack surface as the sum total of all the areas of the operating system that can be attacked
including hardware, the operating system, and applications.
2. How automated attacks take a shotgun approach and the hacker never knows on which targets
he will be successful. These attacks include viruses, worms, Trojans, adware and spyware.
3. That a Trojan will often install remote administration software (RAT) which allows the hacker to
access the computer and retrieve information such as keystrokes, passwords, and files.
4. Other issues that an administrator has to deal with include user devices which are not secure
and cloud computing.
5. Targeted attacks include cyber fraud, cyber warfare, government and corporate espionage, and
stolen credit card and financial information.
6. How social engineering tricks the computer user into revealing useful information and must be
combated by policies and training.
7. Defense in Depth is having multiple barriers to accessing the system.
8. The principle of least privilege where a user must have enough rights to do their job but no
more.
9. Firewalls and security policies are additional defenses that protect a network from intruders.
10. The planks of the security platform include authentication, authorization, confidentiality,
integrity and non-repudiation.
11. Hashing is a one way mathematical function that provides a unique output for a unique input. It
allows the integrity of a block of data to be verified.

Knowledge Check
The following questions provide an opportunity for you to see what you remember and understand so
far. Answer the questions to the best of your ability. Select the best option and click submit.

1. The total of all areas of a computer system that could be attacked is called:
a. The attack subsystem.
b. The back door.
c. The security perimeter.
d. The attack surface.

2. Which one of the following attacks the DNS system?
a. Denial of service.
b. Pharming.
c. Social engineering.
d. Phishing.

3. What is the difference between a virus and a worm?
a. A virus must infect another component of the computer, a worm can be self-contained.
b. A worm can be embedded in a macro, a virus cannot.
c. A worm must infect another component, a virus can be self-contained.
d. A virus can replicate by itself, a worm must use another component to replicate.

4. You need to be able to store and transmit data securely. Which one of the following techniques
does not allow you to keep your information private and accessible?
a. NTFS file system.
b. Encryption.
c. Hashing.
d. BitLocker to Go.

5. What do you call reducing the attack surface by disabling unneeded services, ports, and
applications?
a. Hardening the system.
b. Defense in depth.
c. Principle of least access.
d. Locking down the system.

6. Which one of the following is an example of social engineering?
a. The administrator looks up the user’s password so that she can log on as the user.
b. A hacker in a janitor’s outfit, carrying a mop and pail asks a user to let him into the
locked computer room.
c. A hacker breaks into the website of a retail store and steals the credit card numbers of
the customers.
d. A hacker intercepts network traffic to discover user passwords.

7. When you give a user the permission to open up and read a file, this is an example of:
a. Authorization.
b. Delegation.
c. Authentication.
d. Decryption.

8. Which of the following is an example of non-repudiation?
a. A person other than the recipient signs for a package.
b. A person receives a delivery of merchandise from the web store but claims she never
ordered it.
c. The digital signature on a purchase order received over the Internet contradicts the
buyer who claims she never ordered the product.
d. The email placing an order for a product was altered in transit.

9. A hash:
a. Can be reversed to show the original message.
b. That is the same for two unique messages is said to have a collision.
c. Has a different length depending on the original message.
d. Is used to provide privacy in data transmission.

10. Which one of the following is used to hash Windows passwords?
a. SHA-1.
b. MD5.
c. DES.
d. MD4.

Answers:

1. D) The attack subsystem.
2. B) Pharming.
3. B) A worm can be embedded in a macro, a virus cannot.
4. C) Hashing.
5. A) Hardening the system.
6. B) A hacker in a janitor’s outfit, carrying a mop and pail asks a user to let him into the locked
computer room.
7. A) Authorization.
8. C) The digital signature on a purchase order received over the Internet contradicts the buyer
who claims she never ordered the product.
9. B) That is the same for two unique messages is said to have a collision.
10. D) MD4.

You have now completed Windows Security Situation and Current Threats

Remember to check the timeline before you proceed to the next module to ensure you have completed
any assignments as required. Check with your instructor if you have any questions.
