3.3 Defending Systems and Devices Flashcards
3.3.1 Operating System Security
A good administrator
A good administrator will configure the operating system to protect against outside threats. That means removing any unnecessary programs and services, and making sure that security patches and updates are installed in a timely manner to correct faults and mitigate risks.
A systematic approach
It’s important to have a systematic approach in place for addressing system updates. An organization should:
establish procedures for monitoring security-related information.
evaluate updates for applicability.
plan the installation of application updates and patches.
install updates using a documented plan.
A baseline
Another critical way to secure an operating system is to identify potential vulnerabilities. To do this, establish a baseline to compare how a system is performing against baseline expectations.
3.3.3 Types of Antimalware
Be cautious of malicious rogue antivirus products that appear while browsing the internet. Most of these display an ad or popup that looks like an actual Windows warning. They warn that malware is infecting the computer and prompt the user to clean it. But they do not come from legitimate sources, and clicking anywhere inside the window may download and install malware instead.
Fileless malware uses legitimate programs to infect a computer. Going straight into memory, this type of malware doesn’t rely on files, so it leaves no footprint. A fileless attack ends when the system is rebooted. Fileless viruses use scripting languages such as Windows PowerShell and are hard to detect.
Scripting languages such as Python, Bash (the command-line language for Apple’s macOS and most Linux distributions), or Visual Basic for Applications (or VBA, used in Microsoft macros) can be used to create scripts that are malware.
Unapproved or non-compliant software may be unintentionally installed on a computer. Users may also intentionally install unauthorized programs. Although unapproved software may not be malicious, it can still violate the security policy and interfere with the organization’s software or network services. Non-compliant software should be removed immediately.
3.3.4 Patch Management
What are patches?
Patches are code updates that prevent a new virus, worm, or other malware from making a successful attack. Patches and upgrades are often combined into a service pack. Many malware attacks could have been avoided if users had installed the latest service pack.
Operating systems such as Windows routinely check for updates that can protect a computer from the latest security threats. These include security updates, critical updates, and service packs. Windows can be configured to automatically download and install high-priority updates or to notify the user as these become available.
What do you need to do?
As a cybersecurity professional, it’s good practice to test a patch before deploying it throughout the organization. A patch management tool can be used to manage patches locally instead of using the vendor’s online update service.
An automated patch service gives administrators more control than simply waiting for patches to download. Let’s look at the benefits:
Administrators can approve or decline updates.
Administrators can force the update of systems on a specific date.
Administrators can obtain reports on the update(s) needed by each system.
There is no need for each computer to connect to the vendor’s service to download patches; instead, it gets the verified update from a local server.
Users cannot disable or circumvent updates.
A proactive approach
In addition to securing the operating system, it’s important to update third-party applications such as Adobe Acrobat, Java, and Google Chrome to address vulnerabilities that could be exploited. A proactive approach to patch management provides network security while helping to prevent ransomware and other threats.
3.3.5 Endpoint Security
A host-based security solution is a software application that runs on a local device (or endpoint) to protect it. The software works with the operating system to help prevent attacks.
HOST BASED FIREWALL
A host-based firewall runs on a device to restrict incoming and outgoing network activity for that device. It can allow or deny traffic between the device and the network. The software firewall inspects and filters data packets to protect the device from becoming infected. Windows Firewall, installed by default during Windows installation, is an example of a software firewall.
You can control the type of data sent to and from the device by opening or blocking ports. Firewalls block incoming and outgoing network connections unless exceptions are defined to permit or deny traffic to or from those ports. You can select ‘inbound rules’ to configure the types of traffic that are allowed to pass through to the system — this will protect the system from unwanted traffic.
HIDS Host Intrusion Detection System
HIDS software is installed on a device or server to monitor suspicious activity. It monitors system calls and file system access to detect malicious requests. It can also monitor configuration information about the device that is held in the system registry.
HIDS stores all log data locally. It is resource-intensive, so it can affect system performance. A HIDS cannot monitor network traffic that does not reach the host system, but it can monitor operating system and critical system processes specific to that host.
HIPS Host Intrusion Prevention System
HIPS is software that monitors a device for known attacks and anomalies (deviations in bandwidth, protocols and ports), or finds red flags by assessing the actual protocols in packets. If it detects malicious activity, the HIPS tool can send you an alarm, log the malicious activity, reset the connection, and/or drop the packets.
EDR Endpoint Detection and Response
EDR is an integrated security solution that continuously monitors and collects data from an endpoint device. It then analyzes the data and responds to any threats it detects. An antivirus can only block threats, while EDR can do that and also find threats already present on the device.
DLP Data Loss Prevention
DLP tools provide a centralized way to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.
NGFW Next Generation Firewall
NGFW is a network security device that combines a traditional firewall with other network-device-filtering functions. An example is an application firewall using in-line deep packet inspection (DPI) on an intrusion protection system (IPS).
3.3.6 Host Encryption
The Windows Encrypting File System (EFS) feature allows users to encrypt files, folders or an entire hard drive. Full-disk encryption (FDE) encrypts the entire contents of a drive (including temporary files and memory). Microsoft Windows uses BitLocker for FDE.
To use BitLocker, the user needs to enable a Trusted Platform Module (TPM) in the BIOS. A TPM is a specialized chip on the motherboard that stores information about the host system, such as encryption keys, digital certificates, and system integrity measurements. When enabled, BitLocker can use the TPM chip.
Similarly, BitLocker To Go is a tool that encrypts removable drives. It does not use a TPM chip, but still encrypts the data, requiring a password to decrypt it. Self-encrypting drives (SEDs) automatically encrypt all data in the drive to prevent attackers from accessing the data through their operating system. SED encryption is implemented in the drive hardware by the manufacturer.