0:10
Anti-malware defenses are a core part
of any company's security model in this day and age.
So it's important as an IT support specialist to know what's out there.
Today, the internet is full of bots,
viruses, worms, and other automated attacks.
Lots of unprotected systems would be compromised in a matter of minutes
if directly connected to the internet without any safeguards or protections in place.
And they need to have critical system updates.
While modern operating systems have reduced
this threat vector by having basic firewalls enabled by default,
there's still a huge amount of attack traffic on the Internet.
Anti-malware measures play a super important role in keeping
this type of attack off your systems and helping to protect your users.
Antivirus software has been around for
a really long time but some security experts question the value it
can provide to a company especially since
more sophisticated malware and attacks have been spun up in recent years.
Antivirus software is signature based.
This means that it has a database of signatures that identify known malware like
the unique file hash of a malicious binary or the file associated with an infection.
Or it could be the network traffic characteristics that
malware uses to communicate with a command and control server.
Antivirus software will monitor and analyze things like new files being created
or being modified on the system in order to watch for
any behavior that matches a known malware signature.
If it detects activity that matches the signature,
depending on the signature type,
it will attempt to block the malware from harming the system.
But some signatures might only be able to
detect the malware after the infection has occurred.
In that case, it may attempt to quarantine the infected files.
If that's not possible,
it will just log and alert the detection event.
At a high level, this is how all antivirus products work.
There are two issues with antivirus software though.
The first is that they depend on
antivirus signatures distributed by the antivirus software vendor.
The second is that they depend on the antivirus vendor
discovering new malware and writing new signatures for newly discovered threats.
Until the vendor is able to write new signatures and publish and disseminate them,
your antivirus software can't protect you from these emerging threats.
Boo. Antivirus, which is designed to protect systems,
actually represents an additional attack surface that attackers can exploit.
You might be thinking, wait,
our own antivirus tools can be another threat to our system?
What's the deal with that?
Well, this is because of the very nature of what an antivirus engine must do.
It takes arbitrary and potentially malicious binaries
as input and performs various operations on them.
Because of this, there is a lot of complex code where very serious bugs could exist.
Exactly this kind of vulnerability was found in the Sophos Antivirus engine back in 2012.
You can read more about this event in the supplementary readings.
So, it sounds like antivirus software isn't ideal and has some pretty large drawbacks.
Then why are we still recommending it as a core piece of security design?
The short answer is this.
It protects against the most common attacks out there on the internet.
The really obvious stuff that still poses a threat to
your systems still needs to be defended against.
Antivirus is an easy solution to provide that protection.
It doesn't matter how much user education you instill in your employees.
There will still be some folks who will click
on an e-mail that has an infected attachment.
A good way to think about antivirus in
today's very noisy external threat environment
is like a filter for the attack noise on the internet today.
It lets you remove the background noise and focus
on the more important targeted or specific threats.
Remember, our defense in depth concept involves multiple layers of protection.
Antivirus software is just one piece of our anti-malware defenses.
If antivirus can't protect us from the threats we don't know about,
how do we protect against the unknown threats out there?
While antivirus operates on a blacklist model,
checking against a list of known bad things and blocking what gets matched,
there's a class of anti malware software that does the opposite.
Binary whitelisting software operates off a white list.
It's a list of known good and trusted software
and only things that are on the list are permitted to run.
Everything else is blocked.
You can think of this as applying the implicit deny ACL rule to software execution.
By default, everything is blocked.
Only things explicitly allowed to execute are able to.
I should call out that this typically only applies to executable binaries,
not arbitrary files like PDF documents or text files.
This would naturally defend against any unknown threats but at the cost of convenience.
Think about how frequently you download and install new software on your machine.
Now imagine if you had to get approval
before you could download and install any new software.
That would be really annoying, don't you think?
Now, imagine that every system update had to be whitelisted before it could be applied.
Obviously, not trusting everything wouldn't be very sustainable.
It's for this reason
that binary whitelisting software can
trust software using a couple of different mechanisms.
The first is using the unique cryptographic hash of
binaries, which is used to identify unique binaries.
This is used to whitelist individual executables.
The other trust mechanism is a software-signing certificate.
Remember back when we discussed
public key cryptography and signatures using public and private key pairs?
Software signing or code signing is the same idea but applied to software.
A software vendor can cryptographically
sign binaries they distribute using a private key.
The signature can be verified at execution time by checking the signature using
the public key embedded in the certificate
and verifying the trust chain of the public key.
If the hash matches and the public key is trusted,
then the software can be verified as having come from someone with
the software vendor's code signing private key.
Binary whitelisting systems can be configured to
trust specific vendors' code signing certificates.
They permit all binaries signed with that certificate to run.
This is helpful for automatically trusting content like system
updates along with software in common use that comes from reputable and trusted vendors.
But can you guess the downside here?
Each new code signing certificate that's
trusted represents an increase in attack surface.
An attacker can compromise the code signing certificate of a software vendor that
your company trusts and use that to sign malware that targets your company.
That would bypass any binary whitelisting defenses in place. Not good.
This exact scenario happened back in 2013 to Bit9,
a binary whitelisting software company.
Hackers managed to breach their internal network and found an unsecured virtual machine.
It had a copy of the code signing certificate's private key.
They stole that key and used it to sign malware that would have
been trusted by all Bit9 software installations by default.
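The two models described in this video, the antivirus blocklist and binary whitelisting by file hash or vendor signature, worked through in Go as an added example. This is not part of the original transcript and is not the code of any product mentioned in it (Sophos, Bit9). It assumes an Ed25519 key pair generated on the spot in place of a real vendor code-signing certificate and its trust chain, SHA-256 as the file hash, and constructed byte strings in place of real executables; the vendor name "ExampleVendor", the type names and the sample bytes are all hypothetical. It also plays out the Bit9 scenario from the end of the video: a binary signed with the stolen vendor key is accepted by the whitelisting policy, while the same unknown binary unsigned is denied.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// fileHash returns the SHA-256 of a binary's bytes as hex; both models below key on it.
func fileHash(contents []byte) string {
	sum := sha256.Sum256(contents)
	return hex.EncodeToString(sum[:])
}

// Blocklist models an antivirus signature database of known-bad file hashes.
// Anything not listed passes, which is the gap the transcript describes.
type Blocklist map[string]bool

func (b Blocklist) Detect(contents []byte) bool { return b[fileHash(contents)] }

// Policy models binary whitelisting: binaries trusted by hash plus vendor signing keys; all else denied.
type Policy struct {
	AllowedHashes map[string]bool
	TrustedKeys   map[string]ed25519.PublicKey // vendor name -> signing key
}

// SignedBinary is a binary presented for execution: its bytes, claimed vendor, signature (nil if unsigned).
type SignedBinary struct {
	Vendor    string
	Contents  []byte
	Signature []byte
}

// Allow decides whether the binary may run and returns the reason.
func (p Policy) Allow(bin SignedBinary) (bool, string) {
	if p.AllowedHashes[fileHash(bin.Contents)] {
		return true, "hash allowlisted"
	}
	// The signature covers the exact bytes, so a binary modified after signing
	// fails verification even though the vendor key itself is trusted.
	if key, ok := p.TrustedKeys[bin.Vendor]; ok && ed25519.Verify(key, bin.Contents, bin.Signature) {
		return true, "valid signature from trusted vendor " + bin.Vendor
	}
	return false, "implicit deny"
}

type Outcome struct {
	AVCatchesKnown     bool // antivirus flags malware that is in its signature database
	AVMissesUnknown    bool // antivirus passes malware it has no signature for
	WLBlocksUnknown    bool // whitelisting denies that same unknown malware
	WLAllowsVendorSign bool // whitelisting runs a binary signed by a trusted vendor
	WLBlocksTampered   bool // but not one altered after it was signed
	WLAllowsStolenKey  bool // Bit9-style failure: malware signed with a stolen vendor key runs
}

// RunScenario builds a blocklist and a whitelisting policy over constructed sample
// "binaries" and returns every decision. A freshly generated Ed25519 key pair stands in
// for a vendor code-signing certificate (assumption; a real check also validates the chain).
func RunScenario() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed sample inputs standing in for real executables.
	knownMalware := []byte("MZ...known-malware-sample")
	unknownMalware := []byte("MZ...never-seen-before-malware")
	vendorUpdate := []byte("MZ...vendor-update-v2")
	approvedTool := []byte("MZ...in-house-tool")

	av := Blocklist{fileHash(knownMalware): true}
	policy := Policy{
		AllowedHashes: map[string]bool{fileHash(approvedTool): true},
		TrustedKeys:   map[string]ed25519.PublicKey{"ExampleVendor": vendorPub},
	}
	allowed := func(b SignedBinary) bool { ok, _ := policy.Allow(b); return ok }
	update := SignedBinary{Vendor: "ExampleVendor", Contents: vendorUpdate,
		Signature: ed25519.Sign(vendorPriv, vendorUpdate)}
	// Same vendor and signature, but the binary was altered after signing.
	tampered := SignedBinary{Vendor: "ExampleVendor", Signature: update.Signature,
		Contents: append(append([]byte{}, vendorUpdate...), "-patched"...)}
	// An attacker holding the vendor's stolen private key signs their own malware.
	stolen := SignedBinary{Vendor: "ExampleVendor", Contents: unknownMalware,
		Signature: ed25519.Sign(vendorPriv, unknownMalware)}
	return Outcome{
		AVCatchesKnown:     av.Detect(knownMalware),
		AVMissesUnknown:    !av.Detect(unknownMalware),
		WLBlocksUnknown:    !allowed(SignedBinary{Contents: unknownMalware}),
		WLAllowsVendorSign: allowed(update),
		WLBlocksTampered:   !allowed(tampered),
		WLAllowsStolenKey:  allowed(stolen),
	}, nil
}

func main() {
	o, err := RunScenario()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

Run it with `go run` and every field of the printed Outcome is true: the blocklist catches only what it has a signature for, the whitelist denies the unknown binary and the tampered update, and the stolen key bypasses the whitelist exactly as the Bit9 breach would have. In a real deployment the vendor-key check is a full certificate chain validation with revocation, so a known-stolen certificate can be distrusted without rebuilding the hash list.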