# Module 9: System and Endpoint Protection

:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, with definitions and examples. At the end of (almost) each part, you will find a link to related online flashcards.
:::

### **9.1 Defending Systems and Devices**

#### **9.1.1 Avatar**

Operating systems are a critical line of defense in network security. Cybersecurity professionals must secure the operating system to prevent vulnerabilities and protect networks from attacks.

---

#### **9.1.2 Operating System Security**

To maintain operating system security, organizations should follow these steps:

1. **A Good Administrator**:
   - Configure systems to protect against external threats.
   - Remove unnecessary programs and services.
   - Apply updates and security patches promptly.
2. **A Systematic Approach**:
   - Monitor security-related information.
   - Evaluate update applicability.
   - Plan updates and patch installation.
   - Execute updates using a documented plan.
3. **Establishing a Baseline**:
   - Identify system vulnerabilities by comparing performance metrics against a baseline.

---

#### **9.1.3 Do You Know Your Stuff?**

**Antimalware Software Functions**:
- **Antivirus protection** monitors for viruses. When it detects a virus, the program warns the user and quarantines or deletes the virus.
- **Adware protection** looks for programs that display unwanted advertising in pop-up boxes and blocks suspicious adware.
- **Phishing protection** blocks the IP addresses of known phishing websites and warns the user about suspicious sites.
- **Spyware protection** scans for keyloggers (programs that record keystrokes to capture passwords and other confidential information) and other spyware.
- **Trusted/untrusted sources verification** warns the user about unsafe programs or websites.

---

#### **9.1.4 Points to Remember**

1. **Watch Out for Rogue Antivirus Products**:
   - Avoid pop-ups claiming to detect malware and prompting unnecessary downloads.
2. **Fileless Attacks**:
   - This malware operates directly in memory, leaving no footprint on disk. It often relies on scripting tools such as PowerShell.
3. **Malware Scripting**:
   - Languages such as Python, Bash, or VBA can be used to write malicious scripts.
4. **Remove Unapproved Software**:
   - Unauthorized applications may violate security policies and should be removed immediately.

---

#### **9.1.5 Patch Management**

**Understanding Patches**:
- **Definition**: Updates that fix vulnerabilities in systems or applications.
- **Examples**: Security updates, critical updates, and service packs.

**Best Practices**:
- **Testing**: Evaluate patches before widespread deployment.
- **Patch Management Tools**:
  - Approve or decline updates.
  - Enforce update schedules.
  - Generate system-specific update reports.
  - Use local servers for secure updates.

**Proactive Approach**:
- Keep third-party applications updated (e.g., Adobe Acrobat, Java, Chrome).
- Prevent ransomware and other threats through regular patching.

---

#### **9.1.6 Endpoint Security**

**Host-Based Solutions**:
- **Host-Based Firewall**: Inspects and filters network activity, blocking or allowing traffic based on defined rules.
- **HIDS (Host Intrusion Detection System)**: Monitors system activities (e.g., file system access, system calls) to detect malicious behavior.
- **HIPS (Host Intrusion Prevention System)**: Detects known attacks and anomalies, logging or blocking malicious activities.
- **EDR (Endpoint Detection and Response)**: Collects endpoint data, monitors for threats, and actively responds.
- **DLP (Data Loss Prevention)**: Prevents sensitive data from being accessed or shared without authorization.
- **NGFW (Next-Generation Firewall)**: Combines a traditional firewall with intrusion prevention and deep packet inspection.
---

#### **9.1.7 Avatar**

**Encryption**:
- Protects data by transforming it into an unreadable form using an algorithm.
- A secret **key** is needed to decrypt the information.

---

#### **9.1.8 Host Encryption**

**Encryption Methods**:
1. **EFS (Encrypting File System)**: Encrypts specific files or folders.
2. **Full Disk Encryption (FDE)**: Encrypts the entire drive, including temporary files.
   - **BitLocker**: A Windows tool for FDE. Requires enabling the TPM (Trusted Platform Module) in the BIOS.
   - **BitLocker To Go**: Encrypts removable drives without using the TPM.

---

#### **9.1.9 Boot Integrity**

**Boot Integrity Mechanisms**:
1. **Secure Boot**: Verifies the digital signatures of all boot-related software to ensure it is trustworthy.
2. **Measured Boot**: Records measurements of the boot components in the TPM chip so that they can be validated remotely.

---

#### **9.1.10 Apple System Security Features**

**Key Security Features**:
- **Security-Focused Hardware**: Includes encryption engines and the Secure Enclave.
- **Encrypted Storage**: Uses hardware-based AES encryption.
- **Secure Boot**: Ensures only genuine Apple software runs.
- **Biometric Data Security**: Keeps biometric data isolated from the operating system.
- **Find My Mac**: Enables location tracking and remote locking/erasing.
- **XProtect**: Provides signature-based malware detection.
- **Malware Removal Tool (MRT)**: Removes detected malware.
- **Gatekeeper**: Only allows installation of notarized, digitally signed software.

---

#### **9.1.11 Managing Device Threats**

**Threat Management Countermeasures**:
- **Unpatched Software**: Ensure all operating systems and software applications are updated and patched regularly to address vulnerabilities.
- **User Downloads**: Implement strict access control policies, standards, and procedures to regulate and monitor user downloads, minimizing the risk from unauthorized or harmful content.
- **Malware**: Deploy automated antimalware solutions that continuously scan systems for threats, and keep the antimalware software regularly updated.
- **Unattended Devices**: Enforce password policies with lockout thresholds to secure unattended devices and prevent unauthorized access.
- **Acceptable Use Policy Violations**: Use content filtering tools to block inappropriate or non-compliant content, ensuring adherence to organizational policies.
- **Unauthorized Media**: Disable internal CD drives and USB ports to prevent the use of unauthorized external media and protect sensitive data.

---

#### **9.1.12 Physical Protection of Devices**

**Physical Security Measures**:
1. **Computer Equipment**:
   - Use cable locks to secure devices.
   - Lock telecommunication rooms.
   - Use Faraday cages to block electromagnetic fields.
2. **Door Locks**:
   - Use deadbolt locks for enhanced security.
   - Consider cipher locks for controlled access.
3. **RFID Systems**:
   - Track and manage assets via RFID tags.
   - Automate asset tracking and secure device configurations.

> [!Warning] Recap
> To secure an operating system, administrators should remove any unnecessary programs and services, and ensure that security patches and updates are installed. An organization should establish procedures for monitoring security-related information, evaluating updates, and installing updates using a documented plan. Additionally, they should identify potential vulnerabilities by establishing a baseline against which to compare how a system is performing.
>
> Malware includes viruses, worms, Trojan horses, keyloggers, spyware and adware. They invade privacy, steal information, damage the system, or delete and corrupt data. Use reputable antimalware software. Fileless viruses use scripting languages such as Windows PowerShell and are hard to detect. Scripting languages such as Python, Bash, or VBA can be used to create malware. Remove non-compliant software immediately.
>
> Patches are code updates that prevent a new virus, worm, or other malware from making a successful attack. Patches and upgrades are often combined into a service pack. A patch management tool can be used to manage patches locally. It is also important to update third-party applications such as Adobe Acrobat, Java and Chrome to address vulnerabilities. A host-based firewall runs on a device to restrict incoming and outgoing network activity for that device. HIDS software monitors system calls and file system access to detect malicious requests. HIPS monitors a device for known attacks and anomalies. EDR continuously monitors and collects data from an endpoint device, and then analyzes the data and responds to any threats. DLP tools ensure that sensitive data is not lost or accessed by unauthorized users. NGFW combines a traditional firewall with other network-device-filtering functions. Encryption is a tool used to protect data by using an algorithm to transform data and make it unreadable.
>
> The Windows Encrypting File System (EFS) feature allows users to encrypt files, folders, or an entire hard drive. Boot integrity ensures that the system can be trusted and has not been altered while the operating system loads. Secure Boot is a security standard to ensure that a device boots using trusted software. Measured Boot can identify untrusted applications trying to load, and it also allows antimalware to load earlier.
>
> Administrators should have policies and countermeasures in place for unpatched software, unauthorized user downloads, malware, unattended devices, acceptable use policy violations, and unauthorized media. Protect physical equipment with cable locks, ciphered door locks, Faraday cages to block electromagnetic fields, and RFID tags to identify and track items.
>
> **Antimalware Protection**
>
> Endpoints are hosts on the network that can access (or be accessed by) other hosts on the network. With the IoT, other types of devices are now endpoints. Each endpoint is a potential opening for malware to access the network. Not all endpoints are within the network. Many endpoints connect to networks remotely over VPN. The network perimeter is always expanding. Various network security devices are required to protect the network perimeter from outside access. Many attacks originate from inside the network; therefore, securing the internal LAN is also important. After an internal host is infiltrated, it can become a starting point for an attacker to gain access to critical system devices. There are two internal LAN elements to secure: endpoints and network infrastructure.
>
> Antivirus/antimalware software is installed on a host to detect and mitigate viruses and malware. It does this using signature-based (using various characteristics of known malware files), heuristics-based (using general features shared by various types of malware), and behavior-based (using an analysis of suspicious behavior) detection. Many antivirus programs are able to provide real-time protection by analyzing data as it is used by the endpoint. A host-based firewall restricts incoming and outgoing connections to connections initiated by that host only. Some firewall software can also prevent a host from becoming infected and stop infected hosts from spreading malware to other hosts. Most host-based security software includes logging functionality that is essential to cybersecurity operations. To protect endpoints in a borderless network, use network-based as well as host-based techniques.

### 9.2 Antimalware Protection

---

#### **9.2.1 Endpoint Threats**

- **Definition**: Endpoints are networked devices that can access or be accessed by other devices on the network, including computers, servers, IoT devices (e.g., security cameras, controllers, light bulbs), and devices connecting via VPNs.
- **Key Challenges**:
  - Ransomware attacks occur every 11 seconds (as of 2021), costing $6 trillion annually.
  - Cryptojacking malware attempts reached 8 million in 2018.
  - Malicious spam increased to 8–10% of total spam between 2016 and 2017.
  - Cyberattacks on macOS devices were projected to rise from 4.8 (2018) to 14.2 (2020) per device.
  - Malware evolves rapidly, altering its features in less than 24 hours to evade detection.

---

#### **9.2.2 Endpoint Security**

- **External Threats**:
  - DoS attacks degrade or halt public access.
  - Breaches steal sensitive data or deface web content.
- **Internal Threats**:
  - Internal hosts can be infiltrated, allowing attackers to target critical systems.
- **Critical Areas to Secure**:
  - **Endpoints**: Devices such as laptops, desktops, printers, servers, and IP phones are prone to malware attacks.
  - **Network Infrastructure**: Devices such as switches and telephony devices are vulnerable to MAC table overflows, spoofing, DHCP exploits, and VLAN attacks.

---

#### **9.2.3 Host-Based Malware Protection**

1. **Antivirus/Antimalware Software**:
   - **Detection Methods**:
     - **Signature-based**: Recognizes known malware characteristics.
     - **Heuristics-based**: Identifies features shared by families of malware.
     - **Behavior-based**: Analyzes suspicious behavior.
   - **Agent-Based**: Runs on each protected machine; resource-intensive.
   - **Agentless**: Centralized scans, ideal for virtualized environments (e.g., VMware vShield).
2. **Host-Based Firewall**:
   - Restricts connections to/from a host.
   - Examples: Windows Defender Firewall, Linux iptables, TCP Wrappers.
   - Can prevent malware from spreading.
3. **Host-Based Security Suites**:
   - Include antivirus, anti-phishing, HIPS, firewalls, and safe browsing tools.
   - Provide layered defense and telemetry (centralized logging and analysis).
   - Example: AV-TEST reviews and evaluates host-based security products.

---

#### **9.2.4 Network-Based Malware Protection**

- **Enhanced Protection**: Network devices complement host-based solutions, providing additional layers of security and centralized intelligence sharing.
- **Key Technologies**:
  1. **Advanced Malware Protection (AMP)**: Protects endpoints from viruses and malware.
  2. **Email Security Appliance (ESA)**: Filters spam and malicious emails (e.g., Cisco ESA).
  3. **Web Security Appliance (WSA)**: Blocks dangerous websites, enforces acceptable use policies, and scans for malware (e.g., Cisco WSA).
  4. **Network Admission Control (NAC)**: Ensures only authorized and compliant systems connect to the network.
- **Benefits**: These technologies work together to provide stronger protection than standalone host-based solutions.

:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/22-1-5-check-your-understanding-identify-antimalware-terms-and-concepts-answers.html).
:::

### 9.3 Host-Based Intrusion Prevention

---

#### **9.3.1 Host-Based Firewalls**

- **Definition**: Standalone software that controls traffic entering or leaving a computer. Available for desktops, servers, and mobile devices (e.g., Android).
- **Key Features**:
  - Predefined policies or custom rules for traffic control (e.g., based on IP addresses, protocols, ports).
  - Can issue alerts for suspicious behavior and offer options to allow or block applications.
  - Logging includes timestamps, source and destination IP addresses and ports, and whether the connection was allowed or denied.
- **Distributed Firewalls**: Combine host-based firewall features with centralized management, pushing rules to hosts and collecting logs.
- **Examples**:
  1. **Windows Defender Firewall**:
     - Profile-based approach: Public, Private, and Domain profiles.
     - Centralized management with tools such as System Center.
  2. **iptables (Linux)**: Configures network access rules via Netfilter kernel modules.
  3. **nftables (Linux)**: Successor to iptables; uses a simple virtual machine in the Linux kernel to execute packet-inspection and decision rules.
  4. **TCP Wrappers (Linux)**: Rule-based access control and logging based on IP addresses and services.
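As an added example (not from the course), the logging fields listed above can be parsed and summarized from a Windows Defender Firewall `pfirewall.log`, whose W3C-style `#Fields:` header names the columns. The log lines, addresses and the five-port alert threshold below are constructed for this illustration.

```python
"""Summarize a host-based firewall log in Windows Defender Firewall (pfirewall.log) format.

The '#Fields:' header names the columns; every other non-comment line is one allowed or
dropped packet.  SAMPLE_LOG is constructed for this example (RFC 5737 test addresses)."""
from collections import defaultdict

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 09:00:01 ALLOW TCP 192.168.1.20 198.51.100.10 49152 443 52 S 3021 0 65535 - - - SEND
2024-03-01 09:00:02 DROP TCP 203.0.113.5 192.168.1.20 51234 22 52 S 1000 0 8192 - - - RECEIVE
2024-03-01 09:00:02 DROP TCP 203.0.113.5 192.168.1.20 51235 23 52 S 1001 0 8192 - - - RECEIVE
2024-03-01 09:00:03 DROP TCP 203.0.113.5 192.168.1.20 51236 445 52 S 1002 0 8192 - - - RECEIVE
2024-03-01 09:00:03 DROP TCP 203.0.113.5 192.168.1.20 51237 3389 52 S 1003 0 8192 - - - RECEIVE
2024-03-01 09:00:04 DROP TCP 203.0.113.5 192.168.1.20 51238 8080 52 S 1004 0 8192 - - - RECEIVE
2024-03-01 09:00:05 DROP UDP 198.51.100.77 192.168.1.20 5353 5353 120 - - - - - - - RECEIVE
2024-03-01 09:00:06 ALLOW TCP 192.168.1.20 198.51.100.10 49153 443 52 S 3022 0 65535 - - - SEND
"""


def parse_firewall_log(text):
    """Return one dict per logged packet, keyed by the names in the '#Fields:' header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # drop the '#Fields:' token itself
            continue
        if not line or line.startswith("#") or fields is None:
            continue                           # other header lines, or no header seen yet
        values = line.split()
        if len(values) != len(fields):
            continue                           # malformed line: skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def summarize_drops(records):
    """Per remote source IP: number of inbound DROP entries and the destination ports it hit."""
    counts = defaultdict(int)
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE":
            counts[r["src-ip"]] += 1
            ports[r["src-ip"]].add(int(r["dst-port"]))
    return {ip: {"drops": counts[ip], "dst_ports": sorted(ports[ip])} for ip in counts}


def suspicious_sources(summary, min_ports=5):
    """Sources denied on many distinct ports: the kind of behavior a host firewall should
    alert on.  min_ports is an arbitrary threshold chosen for this example."""
    return sorted(ip for ip, s in summary.items() if len(s["dst_ports"]) >= min_ports)


if __name__ == "__main__":
    summary = summarize_drops(parse_firewall_log(SAMPLE_LOG))
    for ip, s in summary.items():
        print(f"{ip}: {s['drops']} dropped, ports {s['dst_ports']}")
    print("alert:", suspicious_sources(summary))
```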
---

#### **9.3.2 Host-Based Intrusion Detection Systems (HIDS)**

- **Definition**: Security software installed on a host to detect and prevent malware by analyzing system configurations, logs, and activity.
- **Functions**:
  - Log analysis, event correlation, policy enforcement, integrity checking, and rootkit detection.
  - Alerts security personnel about suspicious behavior.
  - Combines features of antimalware and firewall tools.
  - Operates as **agent-based** software directly on the host.
- **Architecture**:
  - Typically includes a central management endpoint for integration with broader network security systems.

---

#### **9.3.3 HIDS Operation**

- **Dual Functionality**: Prevents known attacks and detects potential unknown ones.
- **Detection Methods**:
  1. **Signature-Based**:
     - Matches malware against a database of known signatures.
     - Ineffective against polymorphic or zero-day threats.
  2. **Anomaly-Based**:
     - Compares host behavior to a baseline model of normal behavior.
     - Deviations trigger alerts and potential countermeasures.
     - **Challenge**: A high rate of false positives increases workload and reduces the system's credibility.
  3. **Policy-Based**:
     - Monitors compliance with predefined rules.
     - Violations result in logging, alerts, or shutting down the offending processes.
     - Custom rules can be distributed from central management systems.

---

#### **9.3.4 HIDS Products**

- **Common Features**:
  - Software on individual hosts.
  - Centralized management for integration with threat intelligence and network monitoring.
- **Examples**:
  1. **Cisco AMP**: Advanced Malware Protection for hosts and endpoints.
  2. **AlienVault USM**: Unified Security Management platform integrating HIDS functionality.
  3. **Tripwire**: File integrity monitoring and configuration assessment.
  4. **OSSEC**:
     - Open-source HIDS.
     - Features include log monitoring, file integrity checking, rootkit detection, and response scripting.
     - Compatible with Mac, Windows, Linux, and Solaris platforms.
     - Centralized manager collects and analyzes alerts, integrates with firewalls, and supports syslog.

> [!Warning] Recap
> Host-based firewalls may use a set of predefined policies, or profiles, to control packets entering and leaving a computer. They may also have rules that can be directly modified or created to control access based on addresses, protocols, and ports. They can also be configured to issue alerts if suspicious behavior is detected. Logging varies depending on the firewall application. It typically includes the date and time of the event, whether the connection was allowed or denied, information about the source or destination IP addresses of packets, and the source and destination ports of the encapsulated segments. (Distributed firewalls combine features of host-based firewalls with centralized management.)
>
> Some examples of host-based firewalls include Windows Defender Firewall, iptables, nftables, and TCP Wrappers. A HIDS protects hosts against known and unknown malware. It can perform detailed monitoring and reporting on the system configuration and application activity, log analysis, event correlation, integrity checking, policy enforcement, rootkit detection, and alerting. A HIDS will frequently include a management server endpoint. Because the HIDS software must run directly on the host, it is considered an agent-based system. A HIDS uses both proactive and reactive strategies. A HIDS can prevent intrusion because it uses signatures to detect known malware and prevent it from infecting a system.
>
> Signatures are not effective against new, or zero-day, threats. In addition, some malware families exhibit polymorphism. Additional strategies to detect the possibility of successful attacks include anomaly-based detection and policy-based detection.
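The integrity checking and signature matching that 9.3.3 and 9.3.4 describe (the baseline comparison performed by products such as Tripwire and OSSEC), as an added Python example that is not part of the course: a baseline of SHA-256 file hashes is taken, later drift is reported, and a hash list of known-bad content stands in for a signature database. The directory contents, file names and hashes are constructed for the example; the second "variant" file shows why an exact-hash signature misses polymorphic content.

```python
"""Minimal host-based file integrity check with a hash-signature lookup.

Build a baseline of file hashes, compare the live file system against it on each run and
report added, removed and modified files.  Everything written to disk here is constructed
sample data inside a throwaway temporary directory."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative path, '/' separators) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_to_baseline(baseline, current):
    """Integrity check: any difference from the recorded baseline is reported."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def signature_hits(current, known_bad_hashes):
    """Signature-based check: flags only exact hash matches against known-bad content."""
    return sorted(p for p, digest in current.items() if digest in known_bad_hashes)


def demo():
    """Run both checks against a constructed directory and return the findings."""
    bad_v1 = b"constructed malicious content v1"
    bad_v2 = b"constructed malicious content v2"   # 'polymorphic' variant: one byte differs
    known_bad = {hashlib.sha256(bad_v1).hexdigest()}  # stand-in signature database
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "wb") as f:
            f.write(b"127.0.0.1 localhost\n")
        with open(os.path.join(root, "etc", "passwd"), "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(root)
        # Simulated tampering after the baseline was recorded:
        with open(os.path.join(root, "etc", "hosts"), "ab") as f:
            f.write(b"203.0.113.9 update.example.test\n")   # modified
        os.remove(os.path.join(root, "etc", "passwd"))       # removed
        with open(os.path.join(root, "dropped_v1.bin"), "wb") as f:
            f.write(bad_v1)                                   # added; matches the signature
        with open(os.path.join(root, "dropped_v2.bin"), "wb") as f:
            f.write(bad_v2)                                   # added; evades the signature
        current = build_baseline(root)
        return compare_to_baseline(baseline, current), signature_hits(current, known_bad)


if __name__ == "__main__":
    changes, hits = demo()
    print("integrity:", changes)
    print("signature hits:", hits)
```

The integrity check catches all four changes, while the signature check reports only the first dropped file, which is the gap the recap above attributes to signatures against polymorphic malware.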
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/22-2-5-check-your-understanding-identify-the-host-based-intrusion-protection-terminology-answers.html).
:::

### 9.4 Application Security

---

#### **9.4.1 Attack Surface**

- **Definition**: The total sum of the vulnerabilities in a system that are accessible to attackers, encompassing networks, software, and human behavior.
- **Key Components** (SANS Institute):
  1. **Network Attack Surface**:
     - Vulnerabilities in wired/wireless protocols (e.g., IoT, smartphones).
     - Exploits at the network and transport layers.
  2. **Software Attack Surface**:
     - Vulnerabilities in web, cloud, or host-based software.
  3. **Human Attack Surface**:
     - Exploitation of user behavior via social engineering, insider threats, or errors.
- **Trends**:
  - Increased connectivity from IoT and BYOD.
  - Shift to cloud-based traffic.
  - Prediction: Global IP traffic to triple in five years.

---

#### **9.4.2 Application Blocklist and Allowlist**

- **Blocklisting**:
  - Specifies which applications are not allowed to run.
  - Used to prevent known vulnerable apps from creating risks.
- **Allowlisting**:
  - Specifies which programs can run, based on a security baseline.
  - Ensures only trusted applications are executed, minimizing risk.
- **Web Blacklists/Whitelists**:
  - Blacklists can be manually created or updated via security services.
  - Examples:
    - Cisco Firepower integrates with Talos for blacklist updates.
    - The Spamhaus Project provides a free blacklist service.
- **Use Cases**:
  - Applied in firewalls, security systems, and browsers for threat mitigation.

---

#### **9.4.3 System-Based Sandboxing**

- **Definition**: A secure, isolated environment where suspicious files are executed and their behavior analyzed.
- **Purpose**:
  - Identify malware behavior to create signatures, detection rules, and automated defense strategies.
  - Mitigate risks from polymorphic and new malware.
- **Examples**:
  - **Cisco AMP**:
    - Tracks file trajectories.
    - Rolls back events to obtain and analyze malware in sandboxes such as Cisco Threat Grid.
  - **Cuckoo Sandbox**:
    - Open-source, locally run sandbox for malware sample analysis.
  - **ANY.RUN**:
    - Interactive online sandbox with detailed reports, including:
      - Network and internet activity (HTTP requests, DNS queries).
      - Malware execution processes and file ratings.
      - Indicators of compromise (e.g., hashes, DNS requests, IP connections).
      - MITRE ATT&CK matrix mapping observed tactics to documented threats.
  - **Other Tools**:
    - **VirusTotal**: File scanning and threat detection.
    - **Joe Sandbox**: Automated malware analysis.
    - **CrowdStrike Falcon**: Sandbox with advanced threat intelligence.

> [!Warning] Recap
> An attack surface is the total sum of the vulnerabilities in a given system that are accessible to an attacker. It may consist of open ports on servers or hosts, software that is running on internet-facing servers, wireless network protocols, remote devices, and even users. The attack surface is continuing to expand. More devices are connecting to networks through the IoT and BYOD.
>
> The SANS Institute describes three components of the attack surface: Network Attack Surface, Software Attack Surface, and Human Attack Surface. One way of decreasing the attack surface is to limit exposure to potential threats by creating lists of prohibited applications. Similarly, an organization can create lists of allowed programs in accordance with a security baseline that the organization has established. Sandboxing is a technique that allows suspicious files to be executed and analyzed in a safe environment. Automated malware analysis sandboxes offer tools that analyze malware behavior. These tools observe the effects of running unknown malware so that features of malware behavior can be determined and then used to create defenses against it. Polymorphic malware changes frequently and new malware appears regularly. Malware will enter the network despite the most robust perimeter and host-based security systems. HIDS and other detection systems can create alerts on suspected malware that may have entered the network and executed on a host.