Endpoint Protection & Detection Flashcards
What are the 4 types of rules that can be configured on a Windows firewall?
Program rules: Rules that control connections for an application or program.
Port rules: Rules that control connections for specific ports and protocols.
Predefined rules: Rules that apply to specific Windows services and features.
Custom rules: Rules that combine several different parameters, including programs, protocols, ports, and services.
True or False: iptables is a type of firewall that is implemented in the Linux kernel and typically works at the network layer.
True
Which Linux security control should be used with a personal firewall to provide an additional layer of protection at the application layer and to permit or deny access to a specific service?
TCP Wrappers is implemented in Linux user space, works at the application layer, and is used to permit or deny access to a specific service. It can only be used with network services that are xinetd-based. The TCP Wrappers firewall enables you to specify which hosts can access which services.
What is a weakness of this host-based antivirus methodology? Most antivirus software uses signature-based detection. Antivirus software vendors analyze known malware and catalog the characteristics that are used to recognize it in a signature database. Scanning files and memory for these signatures reveals the malware.
The obvious shortcoming of this methodology is that it cannot protect against attacks that have not yet been recognized by the security industry—often called zero-day attacks.
How do heuristics detect malware?
Heuristics allow for recognition based on imprecise signature matches. Malware will often mutate over time into different variants. Sometimes the intent of the mutation is simply to evade detection; other times the mutation is the result of the malware author adding new capabilities to the malware. The use of heuristics can help antivirus software recognize entire classes or families of malware.
Which detection technique can help protect against zero-day threats?
Behavior-based detection
True or False: HIPS can analyze encrypted traffic after it has been decrypted.
True
Which 3 technologies does HIPS use to detect suspicious activity?
Signature-based IPS: Intrusive activity is detected by comparing traffic to a set of rules called signatures. When traffic matches a signature, the IPS takes an action, such as dropping packets, logging the event, or sending an alert. Signatures are developed by engineers who research known attacks and vulnerabilities and then develop signatures to detect those attacks and vulnerabilities. An IPS cannot detect a yet-unknown attack for which there is no signature in the database.
Anomaly-based IPS: Intrusive activity is detected by comparing real-time traffic to traffic that is considered "normal." For this type of detection to work, a baseline must be established to define what is considered normal traffic.
Policy-based IPS: Intrusive activity is detected by comparing real-time traffic to preconfigured policies.
Any combination of the above.
How is malware that is not on the allowed list able to execute?
By executing it in memory and injecting malicious code into a legitimate process that is currently running.
What features does Cisco Collective Security Intelligence Cloud offer for endpoints?
Rapid detection of known malware by examining the file's SHA hash.
Use of cloud resources to test files with unknown dispositions.
Use of machine learning techniques to constantly keep itself up to date.
What does the historical perspective in Cisco Collective Security Intelligence provide?
File trajectory: Shows you the hosts where files were seen.
Device trajectory: Shows you the actions that files performed on a given host.
How does Cisco AMP for Endpoints block malicious network connections?
Security intelligence feeds (IP reputation).
Custom IP blacklists.
Cisco AMP for Endpoints consists of what elements?
Cisco Collective Security Intelligence (CSI) Cloud: Where the various malware detection and analytics engines reside
Client Connectors: Components that run on the endpoints. Client Connectors communicate with the cloud to send information about files and to receive file disposition information.
AMP for Networks: Gives Firepower Next-Generation Firewall (NGFW), Cisco Email Security Appliance (ESA), and Cisco Web Security Appliance (WSA) devices the ability to query the cloud to obtain file disposition information on files.
The most critical component of the overall Cisco AMP for Endpoints architecture is the cloud. In general, the cloud is responsible for the following:
Detection Publishing
Large-scale data processing (big data)
Real-time decision making
Reporting
What are the specific attributes that sandboxes typically examine?
Antidebugging techniques
Keylogging
It also searches for other suspicious activity, such as accessing specific registry keys, specific system files, or dynamically linked libraries.