MODULE 22 - CERTIFICATION CYBER OPS ASSOCIATE Flashcards
Antimalware Protection Endpoint Threats
The term “endpoint” is defined in various ways.
For the purpose of this course, we can define endpoints as hosts on the network that can access or be accessed by other hosts on the network.
This obviously includes computers and servers, however many other devices can also access the network.
With the rapid growth of the Internet of Things (IoT), other types of devices are now endpoints on the network.
This includes networked security cameras, controllers, and even light bulbs and appliances.
Each endpoint is potentially a way for malicious software to gain access to a network.
In addition, new technologies, such as cloud, expand the boundaries of enterprise networks to include locations on the internet for which enterprises are not responsible.
Devices that remotely access networks through VPNs are also endpoints that need to be considered.
These endpoints could inject malware into the VPN network from the public network.
The following points summarize some of the reasons why malware remains a major challenge:
According to research from Cybersecurity Ventures, by 2021 a new organization will fall victim to a ransomware attack every 11 seconds.
Ransomware attacks will cost the global economy $6 trillion annually by 2021.
In 2018, 8 million attempts to steal system resources using cryptojacking malware were observed.
From 2016 to early 2017, global spam volume increased dramatically. 8 to 10 percent of this spam can be considered to be malicious, as shown in the figure.
The average number of cyber attacks per macOS device is projected to rise from 4.8 in 2018 to 14.2 in 2020.
Several common types of malware have been found to significantly change features in less than 24 hours in order to evade detection.
Malicious Spam Percentage:
https://snipboard.io/RxUtOe.jpg
Endpoint Security
News media commonly cover external network attacks on enterprise networks.
These are some examples of such attacks:
DoS attacks on an organization’s network to degrade or even halt public access to it
Breach of an organization’s web server to deface their web presence
Breach of an organization’s data servers and hosts to steal confidential information
Various network security devices are required to protect the network perimeter from outside access.
As shown in the figure, these devices could include a hardened router that is providing VPN services, a next generation firewall (ASA, in the figure), an IPS appliance, and an authentication, authorization, and accounting (AAA) services server (AAA Server, in the figure).
https://snipboard.io/6UsnRH.jpg
However, many attacks originate from inside the network. Therefore, securing an internal LAN is nearly as important as securing the outside network perimeter.
Without a secure LAN, users within an organization are still susceptible to network threats and outages that can directly affect an organization’s productivity and profit margin.
After an internal host is infiltrated, it can become a starting point for an attacker to gain access to critical system devices, such as servers and sensitive information.
Specifically, there are two internal LAN elements to secure:
Endpoints - Hosts commonly consist of laptops, desktops, printers, servers, and IP phones, all of which are susceptible to malware-related attacks.
Network infrastructure - LAN infrastructure devices interconnect endpoints and typically include switches, wireless devices, and IP telephony devices.
Most of these devices are susceptible to LAN-related attacks including MAC address table overflow attacks, spoofing attacks, DHCP related attacks, LAN storm attacks, STP manipulation attacks, and VLAN attacks.
Host-Based Malware Protection
The network perimeter is always expanding.
People access corporate network resources with mobile devices that use remote access technologies such as VPN.
These same devices are also used on unsecured, or minimally secured, public and home networks.
Host-based antimalware/antivirus software and host-based firewalls are used to protect these devices.
Antivirus/Antimalware Software
This is software that is installed on a host to detect and mitigate viruses and malware.
Examples are Windows Defender Virus & Threat Protection, Cisco AMP for Endpoints, Norton Security, McAfee, Trend Micro, and others.
Antimalware programs may detect viruses using three different approaches:
Signature-based – This approach recognizes various characteristics of known malware files.
Heuristics-based – This approach recognizes general features shared by various types of malware.
Behavior-based – This approach employs analysis of suspicious behavior.
Many antivirus programs are able to provide real-time protection by analyzing data as it is used by the endpoint.
These programs also scan for existing malware that may have entered the system prior to it being recognizable in real time.
Host-based antivirus protection is also known as agent-based.
Agent-based antivirus runs on every protected machine.
Agentless antivirus protection performs scans on hosts from a centralized system.
Agentless systems have become popular for virtualized environments in which multiple OS instances are running on a host simultaneously.
Agent-based antivirus running in each virtualized system can be a serious drain on system resources.
Agentless antivirus for virtual hosts involves the use of a special security virtual appliance that performs optimized scanning tasks on the virtual hosts.
An example of this is VMware’s vShield.
Host-based Firewall
This software is installed on a host. It restricts incoming and outgoing connections to connections initiated by that host only.
Some firewall software can also prevent a host from becoming infected and stop infected hosts from spreading malware to other hosts.
This function is included in some operating systems.
For example, Windows includes Windows Defender Firewall with Advanced Security as shown in the figure.
https://snipboard.io/prJfdX.jpg
Other solutions are produced by other companies or organizations.
The Linux iptables and TCP Wrappers tools are examples. Host-based firewalls are discussed in more detail later in the module.
Host-based Security Suites
It is recommended to install a host-based suite of security products on home networks as well as business networks.
These host-based security suites include antivirus, anti-phishing, safe browsing, host-based intrusion prevention system, and firewall capabilities.
These various security measures provide a layered defense that will protect against most common threats.
In addition to their protection functionality, host-based security products provide a telemetry function.
Most host-based security software includes robust logging functionality that is essential to cybersecurity operations.
Some host-based security programs will submit logs to a central location for analysis.
There are many host-based security programs and suites available to users and enterprises.
The independent testing laboratory AV-TEST provides high-quality reviews of host-based protections, as well as information about many other security products.
Network-Based Malware Protection
https://snipboard.io/oPnNeI.jpg
New security architectures for the borderless network address security challenges by having endpoints use network scanning elements.
These devices provide many more layers of scanning than a single endpoint possibly could.
Network-based malware prevention devices are also capable of sharing information among themselves to make better informed decisions.
Protecting endpoints in a borderless network can be accomplished using network-based, as well as host-based techniques, as shown in the figure above.
The following are examples of devices and techniques that implement host protections at the network level.
Advanced Malware Protection (AMP) – Endpoint protection from viruses and malware.
Email Security Appliance (ESA) – This provides filtering of spam and potentially malicious emails before they reach the endpoint. An example is the Cisco ESA.
Web Security Appliance (WSA) – This provides filtering of websites and blacklisting to prevent hosts from reaching dangerous locations on the web.
The Cisco WSA provides control over how users access the internet and can enforce acceptable use policies, control access to specific sites and services, and scan for malware.
Network Admission Control (NAC) – This permits only authorized and compliant systems to connect to the network.