The rising intensity and sophistication of cyber-attacks have created a hostile and precarious environment for businesses across all industries.
Malware has evolved from indiscriminate, large-scale outbreaks to include targeted attacks and Advanced Persistent Threats (APTs) that signature-based antivirus alone cannot stop. To be effective, an enterprise endpoint security stack must layer several techniques, including:
- Threat signatures
- Sandboxing
- Host intrusion detection/prevention (HIDS/HIPS)
- Host firewall
- Whitelisting and blacklisting
- Rootkit protection
- Execution protection (DEP)
Condo Protego security specialists will help you choose the right security strategy and the right technologies for your organization, because one size does not fit all.
Once an attack has been identified and analyzed, it usually has distinctive characteristics (file hashes, byte patterns, network indicators) that can be encoded as a signature and used to detect and block the threat before it takes any action on the targeted endpoint. Signatures are precise and cheap to match, but they only catch what has already been seen, which is why they are combined with the behavioral techniques described below.
Sandboxing takes an untrusted application and runs it in a deliberately restricted environment. The application is allowed to execute and perform its function, but without access to the rest of the system or to other locally running services, so anything it writes, modifies or tries to contact stays contained and can be observed and discarded if it proves malicious.
Host Intrusion Detection Systems (HIDS) and Host Intrusion Prevention Systems (HIPS) work hand in hand with signatures. Such a system first scans a resource (a file, a process, a registry key) for a recognizable threat signature and then passes it through a heuristic engine that looks for behaviors the resource is not expected to exhibit, such as a document reader spawning a shell. The distinction between detection and prevention is what happens next: a HIDS detects the potential threat and alerts the user or administrator but takes no further automatic action, while a HIPS has a mechanism to mitigate the detected threat automatically (kill the process, quarantine the file, block the connection). That automation is the value of a HIPS, but it is also why its heuristics must be tuned carefully: a false positive in prevention mode breaks a legitimate application instead of merely raising an alert.
The concept of a host firewall is simple: do not allow traffic into a device that the device is not expecting. Most endpoints rarely offer a service or expect unsolicited inbound traffic above layer 2; they initiate connections to servers and expect only the replies. A host firewall therefore blocks all inbound connections by default and permits an inbound packet only when it belongs to a session the device itself initiated, or is destined for a service the device has explicitly chosen to expose. To do this it keeps track of ongoing sessions (stateful inspection), so that legitimate replies pass without disrupting the user experience while unsolicited traffic is dropped.
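The session-tracking policy described above, as an added example that is not part of the original page or of any Condo Protego product: a small stateful host-firewall model that allows outbound traffic, records the session, admits inbound packets only if they are replies to a recorded session or target an explicitly exposed service, and drops everything else. The idle timeouts, the exposed SSH service and the packet trace are all constructed for the demonstration.

```python
"""Stateful host-firewall simulation (added example, not Condo Protego code).

Policy: drop every inbound packet unless it belongs to a session this host
opened, or targets a service the host has explicitly exposed. Idle timeouts,
addresses and the packet trace are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True if arriving at the host, False if the host sent it
    ts: float       # seconds; drives idle-session expiry


class StatefulHostFirewall:
    """Tracks host-initiated sessions and admits only their replies inbound."""

    IDLE_TIMEOUT = {"tcp": 300.0, "udp": 30.0}  # hypothetical idle limits (seconds)

    def __init__(self, host_ip, exposed_services=()):
        self.host_ip = host_ip
        # Explicit inbound exceptions, e.g. {("tcp", 22)} for an administrative SSH service.
        self.exposed = set(exposed_services)
        # Session table from the host's perspective:
        # (proto, host_port, peer_ip, peer_port) -> last time the session was seen.
        self.sessions = {}

    def _expire(self, now):
        stale = [k for k, seen in self.sessions.items()
                 if now - seen > self.IDLE_TIMEOUT[k[0]]]
        for k in stale:
            del self.sessions[k]

    def filter(self, pkt):
        self._expire(pkt.ts)
        if not pkt.inbound:
            # Host-initiated traffic is allowed and recorded so its replies can return.
            self.sessions[(pkt.proto, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts
            return "ALLOW"
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            self.sessions[key] = pkt.ts   # refresh the idle timer
            return "ALLOW"                # reply to a session the host opened
        if (pkt.proto, pkt.dport) in self.exposed:
            return "ALLOW"                # explicitly published service
        return "DROP"                     # unsolicited inbound traffic


def run_trace():
    """Constructed packet trace; returns the firewall decision for each packet in order."""
    host = "10.0.0.5"
    fw = StatefulHostFirewall(host, exposed_services={("tcp", 22)})
    trace = [
        Packet("udp", host, 51000, "10.0.0.1", 53, False, 0.0),       # DNS query out
        Packet("udp", "10.0.0.1", 53, host, 51000, True, 0.1),        # DNS reply: matches session
        Packet("tcp", host, 52000, "203.0.113.10", 443, False, 1.0),  # HTTPS out
        Packet("tcp", "203.0.113.10", 443, host, 52000, True, 1.2),   # HTTPS response: matches session
        Packet("tcp", "192.168.1.77", 4444, host, 445, True, 2.0),    # unsolicited SMB probe
        Packet("tcp", "192.168.1.77", 4444, host, 22, True, 2.1),     # inbound to exposed SSH service
        Packet("udp", "10.0.0.1", 53, host, 51000, True, 45.0),       # late DNS "reply": UDP session expired
        Packet("tcp", "203.0.113.10", 443, host, 52000, True, 200.0), # HTTPS still inside TCP idle window
    ]
    return [fw.filter(p) for p in trace]
```

The two late packets show why the session table has to expire entries: a UDP "reply" arriving long after the query is treated as unsolicited, while a TCP session stays open for as long as it is actively used.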
There are times when a specific site or file is flagged as a threat but still needs to be accessed. In this situation a whitelist is an explicit exception that permits traffic to that site or allows that file to run despite the detection. Conversely, a site or file may not be flagged by any signature but is considered a threat by the organization; a blacklist then explicitly disallows traffic to that location or prevents that file from running. Both lists are policy overrides, so they should be as specific as possible (a file hash rather than a file name, a host rather than a broad pattern), reviewed periodically, and a whitelist entry should only be created once the detection has been confirmed to be a false positive.
A rootkit is a tool an attacker uses to take control of part or all of a device while hiding that control from the user, the administrator and the security software. There are several types (user-mode, kernel-mode and boot- or firmware-level), and as with viruses their severity ranges from almost no real threat to the complete loss of control over the device, with the attacker holding the equivalent of root/administrative access. Because a kernel-level rootkit can falsify the operating system's own view of processes, files and network connections, rootkit protection relies on checks the rootkit cannot easily tamper with, such as secure/measured boot, driver signature enforcement and scanning from outside the running system.
Data Execution Prevention (DEP) marks each region of memory as either executable (code) or non-executable (data, such as the stack and heap) using hardware support (the NX/XD bit), and the processor refuses to run instructions fetched from a non-executable page. An exploit that injects shellcode into a data region and redirects execution to it therefore faults instead of running. DEP alone does not stop every memory-corruption exploit: attackers respond by reusing code that is already executable (return-oriented programming), which is why it is deployed together with ASLR and other mitigations.
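A check a practitioner actually runs when auditing Windows endpoints is whether a given executable opts into DEP. On Windows, 64-bit processes always run with DEP; for 32-bit images the default "OptIn" policy applies DEP only when the image's PE optional header carries the IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag (0x0100, set by the linker's /NXCOMPAT option). The following is an added example, not code from the original page or from Condo Protego: it parses that flag (and the neighbouring ASLR flag, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, 0x0040) from a PE header. The field offsets and flag values are standard PE format facts; the sample headers built by `build_sample_pe()` are constructed for the demonstration and are not loadable programs.

```python
"""Check whether a Windows PE image opts into DEP (added example, not Condo Protego code).

The parser follows the PE header chain (MZ -> e_lfanew -> "PE\0\0" -> COFF header ->
optional header) and reads DllCharacteristics. The sample headers are constructed.
"""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR-compatible, usually checked with DEP
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible (/NXCOMPAT)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_HEADER_SIZE = 20
SIZE_OF_OPTIONAL_HEADER_OFFSET = 16  # within the COFF header
DLLCHARACTERISTICS_OFFSET = 70       # same offset in PE32 and PE32+ optional headers


def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics field, validating each header on the way."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (size_of_opt,) = struct.unpack_from("<H", pe, coff + SIZE_OF_OPTIONAL_HEADER_OFFSET)
    if size_of_opt < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to hold DllCharacteristics")
    opt = coff + COFF_HEADER_SIZE
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (chars,) = struct.unpack_from("<H", pe, opt + DLLCHARACTERISTICS_OFFSET)
    return chars


def dep_compatible(pe: bytes) -> bool:
    return bool(dll_characteristics(pe) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def aslr_compatible(pe: bytes) -> bool:
    return bool(dll_characteristics(pe) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def build_sample_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal headers: enough for the parser above, not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header directly after DOS header
    opt_size = 0xF0 if pe32plus else 0xE0       # standard optional header sizes
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,   # Machine: AMD64 or I386
                       1, 0, 0, 0,                      # sections, timestamp, symbol table, symbols
                       opt_size, 0x0002)                # SizeOfOptionalHeader, IMAGE_FILE_EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

To use it on a real file, pass the file's bytes to `dep_compatible()`; an image without the flag will run with DEP on 64-bit Windows or under an AlwaysOn policy, but not under the default OptIn policy for 32-bit processes.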