The world of cybersecurity is full of buzzwords and technical terms that can seem impenetrable to a newcomer. In our last blog post, we talked about how small businesses are vulnerable to cyber attacks partly because their owners do not know what kinds of products are available.
In this blog post, we give an overview of the product categories that make up most commercial cybersecurity packages. By the end of this post, the reader should be able to recognize each type of software, know what it does and does not protect against, and compare packages by which of these capabilities they include.
Ready? Let’s begin.
Firewalls
A firewall is a barrier that filters traffic entering or leaving your system according to a list of rules. A rule can match on the source and destination IP address, the protocol (TCP, UDP, ICMP) and the port number, and a packet that matches no rule is dropped. That last point matters: a good ruleset is "default deny", so anything you forgot to allow is blocked rather than let through.
In our last blog post, we touched on the Principle of Least Privilege, which states that users should only be given the bare minimum access needed to perform their duties. Firewalls are integral in enforcing the PoLP at the network level. If you have a server with sensitive data on it, a firewall is absolutely necessary: it should allow connections only from trusted source networks, over the protocols and ports the server actually needs, and deny everything else. Note that a firewall sees addresses and ports, not people, so "trusted users" really means "trusted networks"; identifying the person is the job of authentication, covered further down.
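To make the default-deny idea concrete, here is an added example (not code from the original post) of how a simple stateless packet filter evaluates its rules: top to bottom, first match wins, and anything unmatched is denied. The ruleset models a hypothetical database server that only admins on a management subnet may SSH into and only the application tier may query; all addresses, subnets and ports are assumptions for illustration.

```python
# Added example: minimal first-match, default-deny packet filter.
# Rules and sample connections are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation ("0.0.0.0/0" = any)
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port


# Least-privilege policy for a hypothetical database server:
# admins on the management subnet may SSH in, the app tier may reach
# Postgres, and nothing else gets through.
RULES = [
    Rule("allow", "10.0.100.0/24", "tcp", 22),
    Rule("allow", "10.0.20.0/24",  "tcp", 5432),
    Rule("deny",  "0.0.0.0/0",     "any", None),   # explicit default deny
]


def matches(rule: Rule, src_ip: str, proto: str, dport: int) -> bool:
    """True if the connection falls inside the rule's network/proto/port."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    return rule.dport is None or rule.dport == dport


def decide(src_ip: str, proto: str, dport: int, rules=RULES) -> str:
    """Return the action of the first matching rule; deny if none match."""
    for rule in rules:
        if matches(rule, src_ip, proto, dport):
            return rule.action
    return "deny"   # even an empty or incomplete ruleset fails closed


if __name__ == "__main__":
    # Constructed sample connections
    samples = [
        ("10.0.100.7", "tcp", 22),      # admin SSH: allow
        ("10.0.20.15", "tcp", 5432),    # app tier to Postgres: allow
        ("10.0.20.15", "tcp", 22),      # app tier trying SSH: deny
        ("198.51.100.9", "tcp", 5432),  # internet host to Postgres: deny
        ("10.0.100.7", "udp", 22),      # right host, wrong protocol: deny
    ]
    for src, proto, port in samples:
        print(f"{src:>14} {proto} -> :{port:<5} {decide(src, proto, port)}")
```

Rule order matters: if the deny-all line were placed first, nothing would ever be allowed, which is exactly the kind of mistake a quick test like the one above catches before the rules reach a production firewall.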
Antivirus
An antivirus is a program that detects and removes malware. With the proliferation of malware techniques, antiviruses do much more than scan for traditional computer viruses. They are expected to catch trojans, which masquerade as benign software; ransomware, which encrypts a victim's files and demands payment for the key; spyware, which gathers information about the victim and sends it back to the attacker; and much more.
There are two main approaches: signature-based and behavioral (sometimes called heuristic or "non-signature") detection. A signature-based antivirus compares files against a database of known malware signatures, such as file hashes or characteristic byte sequences, and so needs frequent updates to recognize the latest samples. The market has been moving away from relying on signatures alone because attackers routinely repack or mutate their malware so that every new sample has a fresh hash and no longer matches the database.
Newer antiviruses therefore also look at what a program does, often with machine-learning models trained on known-good and known-bad behavior. They may isolate (sandbox) an unknown executable from the rest of the system until they have judged it safe, and they pull signature and reputation updates from the vendor's cloud as new threats are seen across the customer base.
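The following added example (not code from the original post) shows the difference between the two approaches on constructed data: a hash signature catches the exact known sample but misses a trivially "repacked" copy, while a behavioral rule that watches for a process mass-renaming user files to a ransom extension flags the activity regardless of the file's hash. The sample bytes, signature database, process IDs and event trace are all made up for illustration.

```python
# Added example: signature matching versus a behavioral rule.
# Sample, signature DB and event trace are constructed for illustration.
import hashlib

# A known malicious sample and a hypothetical signature DB keyed by SHA-256.
KNOWN_BAD = b"MZ\x90\x00...dropper payload v1..."
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Trojan.Dropper.Example"}


def signature_scan(sample: bytes):
    """Exact-match lookup: returns the family name or None."""
    return SIGNATURE_DB.get(hashlib.sha256(sample).hexdigest())


def repack(sample: bytes) -> bytes:
    """Stand-in for a packer or mutation engine: any byte change defeats a hash."""
    return sample + b"\x90" * 8


# Behavioral rule: a process that renames many files to a ransom-style
# extension within a short window looks like ransomware, whatever its hash.
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")


def behavioral_scan(events, threshold=20, window=60.0):
    """events: (timestamp_seconds, pid, action, path).
    Flags pids that rename >= threshold files to ransom extensions
    within any `window`-second span."""
    by_pid = {}
    for ts, pid, action, path in events:
        if action == "rename" and path.endswith(RANSOM_EXTENSIONS):
            by_pid.setdefault(pid, []).append(ts)
    flagged = set()
    for pid, times in by_pid.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(pid)
                break
    return flagged


# Constructed trace: pid 4242 encrypts 25 documents in 25 seconds;
# pid 1000 renames three files over fifteen minutes (benign archival tool).
SAMPLE_EVENTS = (
    [(t, 4242, "read", f"/home/alice/docs/report{t}.docx") for t in range(25)]
    + [(t + 0.5, 4242, "rename", f"/home/alice/docs/report{t}.docx.locked")
       for t in range(25)]
    + [(t * 300.0, 1000, "rename", f"/var/backups/db{t}.sql.crypt") for t in range(3)]
)

if __name__ == "__main__":
    print("known sample:", signature_scan(KNOWN_BAD))
    print("repacked sample:", signature_scan(repack(KNOWN_BAD)))
    print("behavioral flags:", behavioral_scan(SAMPLE_EVENTS))
```

The trade-off a practitioner should keep in mind: the signature check has essentially no false positives but is blind to anything new, while the behavioral rule needs a threshold and a time window tuned so that backup and archiving tools are not flagged.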
Intrusion Detection Systems
Intrusion Detection Systems (IDS) monitor a network or host for malicious activity and raise alerts.
They come in two types. A Network IDS (NIDS) inspects traffic crossing a network segment for suspicious connections and payloads, while a Host IDS (HIDS) watches the machine itself: files being created, changed or deleted, processes and system calls, and local logs. Like antiviruses, IDSs can be signature-based (matching traffic or events against known attack patterns) or anomaly-based.
Anomaly-based IDSs work by building a baseline of normal network or host activity and flagging behavior that deviates from it. Many products layer User Behavior Analytics (UBA, or UEBA when devices are included) on top, to spot legitimate accounts being misused by an insider or by an attacker who has stolen credentials. The key feature of UBA is its emphasis on the activity of users rather than of hosts or IP addresses: a login at 3 a.m. from a country the user has never been in is suspicious even though nothing about the packets themselves looks wrong.
Intrusion Prevention Systems
An Intrusion Prevention System (IPS) is an IDS placed inline, so that it can act on an attack instead of only reporting it. For example, an IPS will drop suspicious connections, quarantine a machine it believes is compromised, stop an executable from running, and notify IT personnel that an intrusion has been blocked. The price of that power is that a false positive in an IPS blocks legitimate traffic rather than just generating a noisy alert, so IPS rules need more careful tuning than IDS rules.
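The toy below is an added example (not code from the original post or any product) that ties the two previous sections together: it learns a per-user baseline of login hours and source networks, the UBA idea from the IDS section, and then shows the difference between IDS mode (alert only) and IPS mode (alert and block) when a login deviates from that baseline. The login history, user names and addresses are constructed; a real product learns from weeks of logs and many more features than these two.

```python
# Added example: per-user behavior baseline (IDS/UBA) with an IPS response.
# Login records are constructed for illustration.
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed benign history: (user, ISO timestamp, source IP)
HISTORY = [
    ("alice", "2024-03-04T09:02:11", "10.0.100.7"),
    ("alice", "2024-03-04T13:45:03", "10.0.100.7"),
    ("alice", "2024-03-05T10:11:40", "10.0.100.12"),
    ("alice", "2024-03-05T16:58:27", "10.0.100.7"),
    ("alice", "2024-03-06T09:30:00", "10.0.100.9"),
    ("alice", "2024-03-06T14:20:15", "10.0.100.9"),
    ("alice", "2024-03-07T17:01:49", "10.0.100.7"),
    ("bob",   "2024-03-04T08:15:00", "10.0.20.31"),
    ("bob",   "2024-03-05T08:42:12", "10.0.20.31"),
    ("bob",   "2024-03-06T09:05:55", "10.0.20.40"),
]


def _net(ip: str) -> ipaddress.IPv4Network:
    """Generalize an address to its /24 so a DHCP change is not an anomaly."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


class UserBaseline:
    """Remembers, per user, the hours and source networks seen in history."""

    def __init__(self):
        self.hours = defaultdict(set)   # user -> set of login hours (0-23)
        self.nets = defaultdict(set)    # user -> set of source /24 networks

    def learn(self, records):
        for user, ts, ip in records:
            self.hours[user].add(datetime.fromisoformat(ts).hour)
            self.nets[user].add(_net(ip))

    def anomalies(self, user, ts, ip):
        """List the ways this login deviates from the user's own baseline."""
        if user not in self.hours:
            return ["unknown_user"]
        found = []
        if datetime.fromisoformat(ts).hour not in self.hours[user]:
            found.append("unusual_hour")
        if _net(ip) not in self.nets[user]:
            found.append("new_source_network")
        return found


def respond(baseline, record, mode="ips", blocklist=None):
    """IDS mode only alerts. IPS mode also blocks the source when two
    independent deviations coincide (one alone is too false-positive-prone)."""
    user, ts, ip = record
    found = baseline.anomalies(user, ts, ip)
    if not found:
        return []
    actions = [f"alert:{user}:{'+'.join(found)}"]
    if mode == "ips" and len(found) >= 2:
        actions.append(f"block:{ip}")
        if blocklist is not None:
            blocklist.add(ip)
    return actions


if __name__ == "__main__":
    base = UserBaseline()
    base.learn(HISTORY)
    suspicious = ("alice", "2024-03-11T03:17:45", "203.0.113.5")
    print("IDS:", respond(base, suspicious, mode="ids"))
    print("IPS:", respond(base, suspicious, mode="ips"))
```

Note that the baseline is keyed on the user, not the IP address: alice logging in from an unseen network during working hours produces only an alert, while the same network at 3 a.m. crosses the threshold and gets blocked.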
SIEM
SIEM stands for Security Information and Event Management. SIEM software collects logs and events from all parts of your infrastructure (firewalls, servers, endpoints, IDS/IPS, identity systems), normalizes them into a common format and displays them in a legible way. Its real value is correlation: a single failed login or a single dropped packet means little, but the same source address probing several ports and then logging in successfully a few minutes later is a story that only becomes visible when the firewall's logs and the server's logs are viewed together. When a SIEM's rules detect such a pattern it raises an alert or triggers an automated response. SIEMs and IPSs are closely related and work in tandem: the IPS acts in the moment on a single connection, the SIEM sees the whole picture over time.
Beyond detecting threats in real time, SIEM software is also used to investigate incidents after the fact from retained logs and to demonstrate compliance, since auditors typically want proof that security events are being recorded and reviewed.
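Here is an added example (not code from the original post or any SIEM product) of the two core SIEM steps on two constructed log excerpts: normalizing a firewall log and a web server login log into one event schema, then correlating across them to catch a port scan followed by a successful login from the same address. The log formats, host names and the rule's thresholds are assumptions; the addresses come from the RFC 5737 documentation ranges.

```python
# Added example: log normalization and cross-source correlation, SIEM-style.
# Both log excerpts are constructed for illustration.
import re
from datetime import datetime, timedelta

FIREWALL_LOG = """\
2024-03-05T02:14:01 fw01 DROP src=203.0.113.50 dst=10.0.20.15 proto=tcp dport=21
2024-03-05T02:14:01 fw01 DROP src=203.0.113.50 dst=10.0.20.15 proto=tcp dport=23
2024-03-05T02:14:02 fw01 DROP src=203.0.113.50 dst=10.0.20.15 proto=tcp dport=3389
2024-03-05T02:14:02 fw01 DROP src=203.0.113.50 dst=10.0.20.15 proto=tcp dport=5900
2024-03-05T02:14:03 fw01 DROP src=203.0.113.50 dst=10.0.20.15 proto=tcp dport=8080
2024-03-05T02:15:40 fw01 DROP src=198.51.100.9 dst=10.0.20.15 proto=tcp dport=23
"""

WEB_LOG = """\
2024-03-05T02:19:27 web01 login user=svc_backup result=success src=203.0.113.50
2024-03-05T02:20:10 web01 login user=bob result=success src=10.0.100.7
2024-03-05T02:21:03 web01 login user=admin result=failure src=198.51.100.9
"""

FW_RE = re.compile(r"^(\S+) \S+ DROP src=(\S+) .* dport=(\d+)$")
WEB_RE = re.compile(r"^(\S+) \S+ login user=(\S+) result=(\S+) src=(\S+)$")


def normalize(fw_text, web_text):
    """Parse both sources into one event schema, sorted by time."""
    events = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m[1]), "type": "fw_drop",
                           "src": m[2], "dport": int(m[3])})
    for line in web_text.splitlines():
        m = WEB_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m[1]), "type": "login",
                           "user": m[2], "result": m[3], "src": m[4]})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, min_ports=5, window=timedelta(minutes=10)):
    """Alert when one source is dropped on >= min_ports distinct ports and
    then logs in successfully within `window`: a scan followed by access."""
    probed = {}   # src -> list of (timestamp, dport)
    alerts = []
    for e in events:
        if e["type"] == "fw_drop":
            probed.setdefault(e["src"], []).append((e["ts"], e["dport"]))
        elif e["type"] == "login" and e["result"] == "success":
            recent = {p for ts, p in probed.get(e["src"], []) if e["ts"] - ts <= window}
            if len(recent) >= min_ports:
                alerts.append({"rule": "scan_then_login", "src": e["src"],
                               "user": e["user"], "ports": sorted(recent), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalize(FIREWALL_LOG, WEB_LOG)):
        print(alert)
```

Neither log on its own would have triggered anything: the firewall did its job and dropped the probes, and the web server saw a valid login. The correlation rule turns those two non-events into an alert that the service account svc_backup may be compromised.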
Remediation
Remediation software works to undo the damage of a cyber attack and get systems back into service. The most common form of remediation is backups. Many cybersecurity packages let the user take snapshots of a host that can be rolled back to in the event of an attack, and Windows has this feature built into the operating system (System Restore and Volume Shadow Copies). One caveat every small business should know: ransomware routinely deletes the shadow copies and any backup it can reach over the network before it starts encrypting, so at least one copy of your backups must be kept offline or on storage the compromised machine cannot write to, and you should test that a restore actually works before you need it.
Privileged Access Management
Again with the Principle of Least Privilege! Privileged Access Management (PAM) software controls who may use privileged (administrator) accounts, for what, and when. It lets the administrator define security groups so that certain users can reach certain files and services while others are restricted, vaults the credentials of shared admin accounts instead of letting people pass them around, and records privileged sessions so that user activity can be audited to identify insider threats or misused accounts.
PAM products often provide Multi-Factor Authentication (MFA) to validate users' identities. With MFA, a user must present evidence from more than one category: something they know (a password), something they have (a phone or hardware token) and sometimes something they are (a fingerprint). Common second factors are a one-time code from an authenticator app, a one-time code sent by text message (widely used, but weaker, since phone numbers can be hijacked) or a push approval on a registered device. Note that an answer to a security question is also "something you know", so adding one to a password does not give you a real second factor.
This is the last entry in our list!
Honeypots
Honeypots are decoy hosts or services that are made to look like attractive, poorly protected targets. Attackers scanning your network are drawn to them instead of the real systems, and everything they do on the decoy is recorded. Honeypots are therefore both a research tool and an early-warning system.
On the one hand, a honeypot collects information about attackers: the credentials they try, the tools they upload, the vulnerabilities they go after, which can reveal new attack vectors. On the other hand, it lets the company respond (block the source, start incident response) while the intruder is still busy with the decoy and before they have reached anything real. One of the great things about honeypots is that no legitimate user has any reason to connect to one, so every connection can be treated as suspicious and false positives are rare.
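To show how little is needed, here is an added example (not code from the original post, and not SafeHouse's product) of the smallest useful honeypot: a fake login prompt that treats every connection as a high-severity alert and keeps whatever the attacker types, which is usually a username and password. The banner, port and the sample attacker address are assumptions for illustration; the `simulate` helper lets you exercise the handler offline over a socket pair without opening a port.

```python
# Added example: a minimal fake-login honeypot. Banner, port and sample
# attacker address are constructed for illustration.
import json
import socket
from datetime import datetime, timezone

BANNER = b"Ubuntu 20.04 LTS\r\nlogin: "      # hypothetical decoy banner


def handle_connection(conn: socket.socket, peer) -> dict:
    """Record one connection. Nobody legitimate should be here, so every
    connection is an alert; the payload is kept for attacker research."""
    conn.settimeout(3.0)
    try:
        conn.sendall(BANNER)
        payload = conn.recv(1024)
    except (socket.timeout, OSError):
        payload = b""
    finally:
        conn.close()
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src": peer[0],
        "sport": peer[1],
        "payload": payload.decode("utf-8", "replace").strip(),
        "severity": "high",
    }


def serve(bind="0.0.0.0", port=2323, max_conns=None, sink=print):
    """Listen (forever, or for max_conns connections) and emit JSON alerts.
    Runs as an unprivileged user on a high port; a real deployment would
    redirect port 23 here and ship the alerts to the SIEM."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen()
        seen = 0
        while max_conns is None or seen < max_conns:
            conn, peer = srv.accept()
            sink(json.dumps(handle_connection(conn, peer)))
            seen += 1


def simulate(payload: bytes, peer=("203.0.113.7", 51515)) -> dict:
    """Offline self-test: drive handle_connection over a socket pair,
    standing in for an attacker at the constructed address `peer`."""
    a, b = socket.socketpair()
    try:
        b.sendall(payload)
        return handle_connection(a, peer)
    finally:
        b.close()


if __name__ == "__main__":
    print(json.dumps(simulate(b"root\r\n"), indent=2))
```

Even this toy answers the question the IDS sections left open: on a decoy there is no baseline to learn and no threshold to tune, because the first packet is already the signal.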
We will cover honeypots in more detail in a later blog post, as we at SafeHouse are creating the most advanced honeypots on the market. If you liked what you read, consider giving our site a visit at www.safehouse.dev.