Introduction to Infrastructure Security

This sample chapter explains Infrastructure Security with an eye towards passing the Security+ exam. Included are sample exam questions to help you practice for the exam.
This chapter is from the book

Companies invest millions of dollars annually in their computing infrastructure on items such as networking equipment and its maintenance, workstation and server hardware and software, and security devices, among many others. Security professionals must be familiar with the latest products and understand the security implications of their use in a particular environment.

The following is a list of the exam objectives you will be covering in this chapter:

  • 3.1 Understand security concerns and concepts of the following types of devices:

    • Firewalls
    • Routers
    • Switches
    • Wireless
    • Modems
    • RAS (Remote Access Server)
    • Telecom/PBX (Private Branch Exchange)
    • VPN (Virtual Private Network)
    • IDS (Intrusion Detection System)
    • Network Monitoring/Diagnostics
    • Workstations
    • Servers
    • Mobile Devices
  • 3.2 Understand the security concerns for the following types of media:

    • Coaxial Cable
    • UTP/STP (Unshielded Twisted Pair/Shielded Twisted Pair)
    • Fiber Optic Cable
    • Removable Media
      • Tape
      • CD-R (Recordable Compact Disks)
      • Hard Drives
      • Diskettes
      • Flash Cards
      • Smart Cards
  • 3.3 Understand the concepts behind the following kinds of security topologies:

    • Security Zones
      • DMZ (Demilitarized Zone)
      • Intranet
      • Extranet
    • VLANs (Virtual Local Area Network)
    • NAT (Network Address Translation)
    • Tunneling
  • 3.4 Differentiate the following types of intrusion detection, be able to explain the concepts of each type, and understand the implementation and configuration of each kind of intrusion detection system:

    • Network Based
      • Active Detection
      • Passive Detection
    • Host Based
      • Active Detection
      • Passive Detection
    • Honey Pots
    • Incident Response
  • 3.5 Understand the following concepts of security baselines, be able to explain what a security baseline is, and understand the implementation and configuration of each kind of intrusion detection system:

    • OS/NOS (Operating System/Network Operating System) Hardening
      • File System
      • Updates (Hotfixes, Service Packs, Patches)
    • Network Hardening
      • Updates (Firmware)
      • Configuration
        • Enabling and Disabling Services and Protocols
        • Access Control Lists
    • Application Hardening
    • Updates (Hotfixes, Service Packs, Patches)
    • Web Servers
    • Email Servers
    • FTP (File Transfer Protocol) Servers
    • DNS (Domain Name Service) Servers
    • NNTP (Network News Transfer Protocol) Servers
    • File/Print Servers
    • DHCP (Dynamic Host Configuration Protocol) Servers
    • Data Repositories
      • Directory Services
      • Databases

3.1: Understanding Device Security

Many different types of components make up the present-day computer network infrastructure. Every hardware device you incorporate into the network has its own security concerns. These devices include firewalls, routers, switches, modems, various types of servers, workstations, mobile devices, and much more. You must adequately secure each of these components because a network is only as secure as its weakest link. The Security+ exam tests your knowledge of the security issues of all the common network devices.

Exercise 3.1.1: Configuring a Firewall in Windows 2000

A firewall is a device designed to shield internal network components from threats originating from the outside world. Firewalls work by capturing and analyzing data entering the network from external points and then rejecting undesirable types of data according to rules configured on the firewall. The major types of firewalls are as follows:

  • Packet-filtering—Operating at the Network layer (Layer 3) of the Open Systems Interconnection (OSI) model, this type of firewall filters packets based on IP addresses, ports, or protocols. This type of firewall is frequently configured on a router.

  • Proxy service firewall—A proxy server acts as an intermediary between internal networks and the Internet. One type of proxy service firewall is the circuit-level gateway, which operates at the Session layer (Layer 5) of the OSI model and ensures that sessions established with the internal network are legitimate. Another type is the application-level gateway, which operates at the Application layer (Layer 7) of the OSI model and checks for which application-layer protocols are allowed.

  • Stateful-inspection firewall—This type of firewall combines the best of the other firewall technologies by using algorithms to process data at the OSI Application layer while monitoring communication states. In this manner, it operates at all layers of the OSI model. The Windows Firewall included with Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP1 is an example of a stateful-inspection firewall.
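The difference between judging each packet alone and monitoring communication state is easiest to see side by side. The following is an added example, not code from the book or from any firewall product; the addresses, ports and function names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the example; not taken from the chapter.
INTERNAL_NET = ip_network("192.168.1.0/24")
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL_NET


def packet_filter_allows(pkt: Packet) -> bool:
    """Stateless filter: judges each packet alone on addresses, ports, protocol."""
    if pkt.proto != "tcp":
        return False
    # Rule 1: internal hosts may reach external web servers.
    if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport in WEB_PORTS:
        return True
    # Rule 2: let web replies back in. With no memory of earlier packets, the
    # filter can only infer "reply" from the source port and a high destination port.
    if (not is_internal(pkt.src) and is_internal(pkt.dst)
            and pkt.sport in WEB_PORTS and pkt.dport >= 1024):
        return True
    return False


class StatefulFirewall:
    """Same outbound policy, but inbound packets must match a tracked connection."""

    def __init__(self) -> None:
        # Each entry is (client, client_port, server, server_port).
        self.connections = set()

    def allows(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp":
            return False
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            if pkt.dport not in WEB_PORTS:
                return False
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if not is_internal(pkt.src) and is_internal(pkt.dst):
            # Inbound traffic is accepted only as the reverse of a known connection.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections
        return False


def compare(packets):
    """Return (packet, stateless verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFirewall()
    return [(p, packet_filter_allows(p), stateful.allows(p)) for p in packets]


# Constructed traffic: an outbound request, its reply, and an inbound packet
# that merely has source port 80 and belongs to no connection.
SAMPLE_TRAFFIC = [
    Packet("192.168.1.10", 50000, "203.0.113.5", 80),
    Packet("203.0.113.5", 80, "192.168.1.10", 50000),
    Packet("198.51.100.7", 80, "192.168.1.10", 50001),
]

if __name__ == "__main__":
    for pkt, stateless, stateful in compare(SAMPLE_TRAFFIC):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"packet filter={'allow' if stateless else 'drop'}  "
              f"stateful={'allow' if stateful else 'drop'}")
```

The third packet passes the packet filter but is dropped by the stateful firewall, because no internal host opened that connection. A production stateful firewall also tracks TCP flags and expires idle entries, which this example leaves out.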

Many businesses utilize some type of server or other hardware device as a firewall. Several companies produce software firewalls that can be used to protect single computers or small networks. In this exercise, you install and configure ZoneAlarm, which is a software firewall that is well suited to protecting home- or small-office computers or networks. Perform this exercise on a computer running Windows 2000 Professional:

  1. Log on to the Windows 2000 Professional computer as an administrator.

  2. Connect to the Internet and navigate to http://www.zonelabs.com/store/content/home2.jsp.

  3. Click the Free Downloads and Trials link.

  4. Click the ZoneAlarm Free Download link, and then click Download FREE ZoneAlarm.

  5. When the download completes, click Open and follow the instructions presented by the installation wizard.

  6. When requested, click Yes to start ZoneAlarm.

  7. In the Zone Labs Security Options window, click the Select ZoneAlarm option, click Next, and then click Finish.

    NOTE

    If you want to try out the ZoneAlarm Pro option for 14 days, choose the Select ZoneAlarm Pro option on this window. You can purchase this program later if you want.

  8. Follow the instructions in the configuration wizard that next appears.

  9. When requested, click OK to restart your computer.

  10. When the computer restarts, log back on as administrator. You see the tutorial shown in Figure 3.1.

  11. Click Next to display the Do I Need to Change the Default Firewall Settings to Be Secure page. Note the options and then click Next again.

  12. Note the actions performed by ZoneAlarm on each page of this wizard, including their definition of "zones," which is simpler than that used by Internet Explorer. When you reach the end of the wizard, click Done.

  13. You can modify all options provided by ZoneAlarm from its control panel. (See Figure 3.2.)

    Figure 3.1 The ZoneAlarm tutorial provides information on the available options and configuration settings that serve to protect your computer.

    Figure 3.2 You can display intrusion information and configure all available options from the various pages presented by the ZoneAlarm control panel.

  14. Select the various pages provided from the left side of the ZoneAlarm control panel. These pages are as follows:

    • Overview—As shown in Figure 3.2, provides an overview of the actions that ZoneAlarm has performed.

    • Firewall—Allows you to select the security levels for the two zones provided by ZoneAlarm.

    • Program Control—Determines whether applications are able to access the Internet.

    • Antivirus Monitoring—Displays the status of your antivirus software.

    • E-mail Protection—Allows you to turn on MailSafe, which is a supplement to antivirus software that helps to protect you from email-borne viruses.

    • Alerts & Logs—Allows you to decide whether to display messages on the screen when ZoneAlarm blocks an intrusion. Click Advanced to configure logging properties.

  15. Close the ZoneAlarm control panel when you finish exploring and configuring the available options.

CAUTION

You need to know the major well-known ports for the Security+ exam. Knowledge of these ports is vital for answering questions related to firewalls or network access. Be sure you know the following TCP ports as a minimum: 20, File Transfer Protocol (FTP) control; 21, FTP data; 22, Secure Shell (SSH); 23, Telnet; 25, Simple Mail Transfer Protocol (SMTP); 80, Hypertext Transfer Protocol (HTTP); 110, Post Office Protocol 3 (POP3); 119, Network News Transfer Protocol (NNTP); 143, Internet Message Access Protocol (IMAP4); 443, Secure Sockets Layer (SSL and HTTPS); 1812, Remote Authentication Dial-In User Service (RADIUS); and 3389, Microsoft Remote Desktop.

Exercise 3.1.2: Understanding Vulnerabilities in Routers, Switches, Modems, RAS, Telecom, and VPN

The most secure computer system is one not connected to a network. However, isolated systems have few uses in today's environments. The reality is that your computers will most likely be accessible from remote clients in some manner. Be aware that every access path to your system has inherent vulnerabilities.

This exercise directs you to uncover some of the general risks with each type of remote access. Although each of the remote access approaches we discuss is more secure than wide-open access, there are still vulnerabilities you must be aware of and address.

In this exercise, you take a look at a few network access devices and the security vulnerabilities associated with each one. Let's start with switches. Although a switch can make it harder for attackers to sniff networks for valuable information, it can also make it easier to launch some attacks. Next, we'll look at virtual private networks (VPNs). Although a VPN is a method to increase connection security, careless implementation can decrease your overall system's security. Then we'll look at modems. The modems you know about aren't the ones that will hurt you. It's the ones you don't know about that someone has connected to your network that will cause problems:

  1. Connect to the Internet and browse to http://networking.earthweb.com/netsysm/article.php/933801. This article by Joseph Sloan discusses security problems inherent with switches. Although switches provide some protection from sniffing of network traffic, this protection can be circumvented. What are three ways in which this can occur?

    NOTE

    If the URLs provided in this or other exercises no longer exist, simply use your favorite search engine to locate other sites that contain information pertinent to the topics at hand.

  2. Continue to Sloan's second article and summarize several methods by which you can overcome these problems in a Unix environment.

  3. Navigate to http://www.winnetmag.com/Articles/Index.cfm?ArticleID=8878. This article discusses a tool named Arpredirect, which is an Address Resolution Protocol (ARP) poisoning tool that can sniff traffic across switches. How does this tool work? What capabilities does it provide for an intruder who uses it to access data on your network? For more information, you might want to follow the link provided to Dug Song's Web site, which in turn links to additional articles related to security concerns of switched networks.

  4. For an account of programming code that enabled hackers to launch denial of service (DoS) attacks against Cisco routers and switches, go to http://www.computerworld.com/securitytopics/security/story/0%2C10801%2C83820%2C00.html. What can happen if this code is run against a router to send a series of IP packets with a special format? What do network administrators have to do if this happens? Describe two actions that the networking team must perform to mitigate this vulnerability.

    CAUTION

    The use of switches is a good method for limiting hostile sniffing across the LAN.

  5. In Chapter 2, "Communication Security," you learned how to configure RAS and VPN from a Microsoft perspective. Navigate to http://www.ticm.com/info/insider/old/dec1997.html for a discussion of RAS and VPN vulnerabilities. What are several vulnerabilities inherent in these technologies? Describe how you would mitigate each vulnerability.

  6. Matthew Mitchell presents another view of VPN vulnerabilities at http://www.giac.org/practical/matthew_mitchell_gsec.doc. How does encapsulation protect the data on the VPN? We will discuss the encryption algorithms mentioned in this article in Chapter 4, "Basics of Cryptography." What is the limitation of VPN data encryption? How can an unprotected network share become a vulnerability, and what are several consequences of such vulnerabilities? How can an attacker compromise a corporate network through computers used by telecommuters working from home and connected by DSL or cable modems, and what consequences can occur? Summarize the seven-step procedure outlined by Mitchell for protecting users accessing the network by means of a VPN.

  7. Mark Collier discusses telecom, Voice over IP (VoIP), and PBX security at http://nwc.networkingpipeline.com/22104067. What are several possible VoIP deployment scenarios, and how can they be attacked? Summarize the types of vulnerabilities inherent in these devices, and note how they include many of the types of attacks you studied in Chapter 1, "General Security Concepts."

  8. Another vulnerability associated with RAS and VPNs is that of war dialing. Navigate to http://searchsecurity.techtarget.com/sDefinition/0,290660,sid14_gci546705,00.html for a concise definition of this term and how a war dialer can be used to penetrate networks.

  9. For more information on war dialing and how to mitigate this threat, continue to http://www.sans.org/rr/papers/60/471.pdf. What are several dangers associated with dial-up connections? How does a war dialer work, and what data can it provide? How can an intruder using a war dialer cover up his actions? Describe some components of a policy that should be applied to a company's dial-up users. How can a security professional test her network's vulnerability to the threat of war dialing?

    NOTE

    The SANS Reading Room (http://www.sans.org/rr) is a good place to look for papers on many topics you need to know for the Security+ exam. The idea in the situation discussed here is to research problems associated with allowing a secure connection to terminate on an insecure client.

  10. Unauthorized hardware such as modems presents another threat to the security of the network infrastructure. Go to http://www.cert.org/security-improvement/practices/p097.html and summarize the reasons why unauthorized hardware can be of concern. What are several means that you can use on a daily or monthly basis to detect unauthorized modems and other peripherals?

Exercise 3.1.3: Windows Network Monitor

Microsoft provides several support tools that help administrators monitor network traffic. A network monitor is a tool that sniffs data packets being transmitted across the network and allows an individual to display and analyze the contents of packets. This individual could be a hacker or a network administrator who is searching for evidence of intrusion or other network problems. Specifically, Microsoft Network Monitor provides visibility into what types of traffic are traveling across network segments. The version of Network Monitor depends on the version of Windows you are using. For this exercise, we use the Network Monitor Capture Utility for Microsoft Windows 2000 Server:

NOTE

Network Monitor is available for Microsoft Systems Management Server, and the Network Monitor Capture Utility, a command-line implementation with similar basic capture capabilities, is available for Windows XP Professional. To make this exercise available to the largest number of installations, we use the Network Monitor Capture Utility for Windows 2000 Server.

In this exercise, you will install Network Monitor. You will also install Dynamic Host Configuration Protocol (DHCP) so that you can capture packets from the four-step DHCP process occurring at a client computer seeking TCP/IP configuration. You will use two computers, one running Windows 2000 Server and the other running Windows 2000 Professional or Windows XP Professional. Steps on a computer running Windows Server 2003 are similar:

  1. Click Start, Settings, Control Panel, Add/Remove Programs.

  2. Select Add/Remove Windows Components to start the Windows Components Wizard.

  3. Select Management and Monitoring tools and click Details.

  4. In the Management and Monitoring Tools dialog box, select Network Monitor Tools, click OK, and then click Next.

  5. When prompted, insert the Windows 2000 Server CD-ROM, and then click OK.

  6. Click Finish when the completion page appears.

  7. Click Add/Remove Windows Components again, select Networking Services, and then click Details.

  8. In the Networking Services dialog box, select Dynamic Host Configuration Protocol (DHCP), click OK, and then click Next.

  9. When the completion page appears, click Finish, and then close Add/Remove Programs and Control Panel.

  10. Click Start, Programs, Administrative Tools, Network Monitor. The Microsoft Network Monitor utility opens.

  11. If a dialog box opens that discusses selecting a network adapter, click OK to allow Network Monitor to select a network adapter for your system. The initial Network Monitor window is shown in Figure 3.3.

    Figure 3.3 Network Monitor provides details of packets captured at the local computer.

  12. Click Start, Programs, Administrative Tools, DHCP.

  13. In the DHCP console, right-click your server and choose New Scope.

  14. Click Next, provide a name for a test scope, and click Next again.

  15. Type 192.168.1.101 and 192.168.1.200 for a range of addresses that the DHCP server will assign to clients, and then click Next twice.

  16. On the Configure DHCP Options page, select No, I Will Configure These Options Later, and then click Next again until you reach the completion page.

  17. Click Finish and close the DHCP console.

  18. To capture some network traffic from the network adapter, click Capture, Start.

  19. To generate some network traffic, start a DHCP session with a computer running Windows 2000 Professional. Log on to the Windows 2000 Professional computer as an administrator.

  20. Right-click My Network Places and choose Properties.

  21. In the Network and Dial-Up connections dialog box, right-click Local Area Connection and choose Properties.

  22. In the Local Area Connection Properties dialog box, select Internet Protocol (TCP/IP) and then click Properties.

  23. In the Internet Protocol (TCP/IP) Properties dialog box, click Obtain an IP Address Automatically and then click OK.

  24. Close the Internet Protocol (TCP/IP) Properties and Local Area Connection Properties dialog boxes.

  25. Return to the server. Network Monitor should now indicate that some packets have been captured. Click Capture, Stop.

  26. Click Capture, Display Captured Data. This displays a summary capture window.

  27. Scroll this window, watching the columns labeled Protocol and Description. You should be able to locate packets for the DHCP protocol with descriptions labeled Discover, Offer, Request, and ACK (as shown in Figure 3.4). They represent the four steps of the DHCP process and show how you can use Network Monitor to capture and analyze data on the network.

NOTE

After you capture a file of network traffic, you need the complete Network Monitor tool to view its contents. This tool is available on Microsoft Systems Management Server.

Consult the Windows Support Tools help file for a complete description of the Network Monitor Capture Utility.

Figure 3.4 Network Monitor provides information on the contents of frames captured from the network adapter.
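Interpreting the capture means reading the DHCP message type out of each packet and checking that the exchange makes sense. The following is an added example, not part of the book or of Network Monitor: it parses the DHCP payload, reads option 53 (the message type), and checks a capture for the Discover, Offer, Request, ACK sequence and for addresses outside the 192.168.1.101 to 192.168.1.200 scope configured in the exercise. The sample packets, transaction IDs, MAC address and function names are constructed, and it assumes the four messages of one exchange share a transaction ID.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}
EXPECTED = ["Discover", "Offer", "Request", "ACK"]
# Scope configured on the DHCP server in this exercise.
SCOPE_START = IPv4Address("192.168.1.101")
SCOPE_END = IPv4Address("192.168.1.200")


def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a DHCP message (fixed header plus options)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        options[code] = value
        i += 2 + length
    if len(options.get(53, b"")) != 1:
        raise ValueError("missing DHCP message type option")
    return {
        "op": op,
        "xid": xid,
        "yiaddr": IPv4Address(payload[16:20]),   # address offered to the client
        "mac": payload[28:28 + min(hlen, 16)].hex(":"),
        "type": MESSAGE_TYPES.get(options[53][0], "Unknown"),
    }


def review_capture(payloads) -> list:
    """Return findings for exchanges that deviate from the expected four steps."""
    by_xid = {}
    for raw in payloads:
        msg = parse_dhcp(raw)
        by_xid.setdefault(msg["xid"], []).append(msg)
    findings = []
    for xid, msgs in by_xid.items():
        sequence = [m["type"] for m in msgs]
        if sequence != EXPECTED:
            findings.append(f"xid {xid:#010x}: unexpected sequence {sequence}")
        for m in msgs:
            if m["type"] in ("Offer", "ACK") and not SCOPE_START <= m["yiaddr"] <= SCOPE_END:
                findings.append(f"xid {xid:#010x}: {m['type']} assigns {m['yiaddr']} outside the scope")
    return findings


def build_dhcp(op, xid, msg_type, yiaddr="0.0.0.0",
               mac=bytes.fromhex("00105a112233")) -> bytes:
    """Build a constructed sample packet (hypothetical helper for this example)."""
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    header += bytes(4) + IPv4Address(yiaddr).packed + bytes(8)   # ciaddr, yiaddr, siaddr, giaddr
    header += mac.ljust(16, b"\x00") + bytes(192)                # chaddr, sname, file
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


# Constructed captures: a clean exchange, and one with an out-of-scope offer and no ACK.
GOOD_CAPTURE = [
    build_dhcp(1, 0x3903F326, 1),
    build_dhcp(2, 0x3903F326, 2, "192.168.1.101"),
    build_dhcp(1, 0x3903F326, 3),
    build_dhcp(2, 0x3903F326, 5, "192.168.1.101"),
]
BAD_CAPTURE = [
    build_dhcp(1, 0x0000BEEF, 1),
    build_dhcp(2, 0x0000BEEF, 2, "10.0.0.50"),
    build_dhcp(1, 0x0000BEEF, 3),
]

if __name__ == "__main__":
    print(review_capture(GOOD_CAPTURE))
    for finding in review_capture(BAD_CAPTURE):
        print(finding)
```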

Exercise 3.1.4: Diagnostics and Utilities Used for Monitoring Networks, Workstations, Servers, and Mobile Devices

Many utilities allow you to monitor various system events and activity. With respect to network activity, we'll look at a few common utilities in this exercise. This exercise focuses on Microsoft Windows, but these utilities are commonly found on other operating systems as well.

The basic purpose of monitoring utilities is to take a snapshot of activity so you can improve the performance or security of a system. The utilities generally provide raw data for you to analyze. The more you can request very specific data, the quicker you will be able to zero in on pertinent information. Take the time to learn how to use monitoring utilities and their common features. You will be rewarded with the information to adjust your systems to perform the way you intend:

  1. Launch a Windows command prompt by choosing Start, Programs, Accessories, Command Prompt. If you are using Unix or Linux, these commands are accessible from the command line in any shell.

  2. Use the ping command to test a remote computer to see whether it is reachable. Type ping IP address. (You can also use a fully qualified domain name [FQDN]; for example, we used ping www.foxnews.com.) The ping command shows the amount of time it takes to reach the target system and for the target system to respond (see Figure 3.5).

    Figure 3.5 The ping command verifies the existence of and connectivity to a remote machine on the Internet.

    The ping command sends special network packets—Internet Control Message Protocol (ICMP) echo packets—to remote computers. If the remote computer allows and responds to ICMP packets, you should get a response from the ping command. However, some firewalls block or drop ICMP packets so the ping command doesn't always report back correctly. When it doesn't provide a response from the target system, you have to use other, more sophisticated, diagnostic tools. All ping tells you is that the target machine responded to an ICMP echo packet.

  3. Use the tracert command to show how many machines, or hops, exist between your computer and the target (see Figure 3.6). This utility is useful to diagnose performance issues by showing the path between two machines. Type tracert IP address or tracert FQDN (for example, we used tracert www.foxnews.com).

    The tracert command is similar to the ping command in that it sends ICMP echo packets. The difference is in the use of the Time to Live (TTL) field in the ICMP packet. A router decrements the TTL value when it receives an ICMP packet and most routers return a "TTL expired in transit" message when the TTL value reaches 0. The tracert command sends out many ICMP packets, with TTL values ranging from 1 to some maximum value. At each hop along the way, routers decrement the TTL values. The first router in the path returns the TTL packet that started with a TTL value of 1. The second router returns the packet whose TTL value started with 2. The sender listens for returned ICMP packets and constructs the route all the way to the destination.

    Figure 3.6 The tracert command provides information on all routers through which the signal passes to reach a target machine.

  4. Use the netstat command to show the status of ports on your machine. Type netstat -a to show all ports that are listening for connections (see Figure 3.7). You can also use netstat to show which process is listening to a port. This option is nice when you are trying to find unknown or hostile programs installed on a machine. When you know that a port is open, you can use other utilities to determine what program opened the port. In Windows, you need to install third-party utilities, such as Inzider (http://ntsecurity.nu/toolbox/inzider/) or Foundstone's FPortNG tool (http://www.foundstone.com/knowledge/zips/FPortNG.zip).

Figure 3.7 The netstat -a command displays a list of all ports that are listening for connections on your machine.
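Reading netstat output by eye works for one machine; comparing it against a known-good list is how unknown listeners get noticed. The following is an added example, not from the book: it parses Windows-style netstat output and reports listening ports that are not in a baseline, and baseline ports that are no longer listening. The sample output and the baseline are constructed, and the sample assumes the `-n` switch was added (`netstat -an`) so that addresses and ports appear as numbers.

```python
# Constructed sample of Windows `netstat -an` output.
SAMPLE_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      203.0.113.5:80         ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:69             *:*
  UDP    192.168.1.10:137       *:*
"""

# Constructed baseline: the (protocol, port) pairs this machine is expected to expose.
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 3389), ("UDP", 137)}


def parse_listeners(netstat_output: str) -> set:
    """Return the set of (protocol, port) pairs that accept inbound traffic."""
    listeners = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip headers and blank lines; data rows start with the protocol name.
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""
        # TCP rows count only when LISTENING; UDP has no state column,
        # so every bound UDP socket is treated as a listener.
        if proto == "TCP" and state != "LISTENING":
            continue
        # rpartition keeps IPv6 addresses such as [::]:135 intact.
        _host, _sep, port = local.rpartition(":")
        if port.isdigit():
            listeners.add((proto, int(port)))
    return listeners


def compare_to_baseline(netstat_output: str, baseline: set) -> dict:
    """Report listeners missing from the baseline and baseline entries not listening."""
    current = parse_listeners(netstat_output)
    return {
        "unexpected": sorted(current - baseline),
        "missing": sorted(baseline - current),
    }


if __name__ == "__main__":
    report = compare_to_baseline(SAMPLE_OUTPUT, BASELINE)
    for proto, port in report["unexpected"]:
        print(f"unexpected listener: {proto} {port}")
    for proto, port in report["missing"]:
        print(f"expected but not listening: {proto} {port}")
```

Each unexpected entry is a port to trace back to its owning program with the utilities named in the step above.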

These are just a few of the many monitoring utilities that exist for capturing and analyzing the status and activity of your systems. Look at your system's administration documentation for additional utilities. In addition, check the following sites on the Internet for suitable monitoring utilities:

What Did I Just Learn?

Now that you have looked at device security, let's take a moment to review all the critical items you've experienced in this lab:

  • A firewall is a hardware or software device that stops unwanted network or Internet traffic from entering a computer or network. ZoneAlarm is a popular software firewall that is easily configured for home- or small-office computers.

  • Every network device has some kind of vulnerability associated with it. We looked at ARP poisoning as it affects switches, unauthorized modems, and VPN vulnerabilities.

  • The Microsoft Support Tools includes a simple Network Monitor Capture Utility that you can use to capture and analyze traffic from the network adapter of a Windows computer. Although Microsoft makes it easy to capture network data, it is more important to understand how to interpret network activity.

  • Several TCP/IP utilities allow you to monitor system activity and connectivity on Windows, Unix, or other computers.
