As you learned in the previous tutorial, a security policy should define how security is to be implemented within an organization and include physical security, document security, and network security. Let’s continue our introduction of common security policy considerations.
We will continue to explore these through the terms and concepts discussed in this lesson.
If you do not have automatic updates set up, you can download patches and hotfixes manually. A hotfix is just like a patch that updates software, but the term hotfix is reserved for a solution to potentially serious issues that could compromise your network and hosts.
While keeping operating system and application patches up to date gets most of the attention, there are devices on your network that may require firmware updates from time to time. Firmware is a form of program code and related data that is stored in persistent memory of some sort, such as non-volatile RAM (NVRAM).
Device drivers are files that allow a peripheral or component to talk to the hardware layer of the hosting device. In most cases, the drivers you need for a device will already be present in the driver cache that is installed with the operating system, but in some cases, especially with new devices, this will not be the case. In those instances, you may need to download the latest driver from the manufacturer’s website.
When the time comes to decommission an asset such as a server or a hard drive, the handling of any data that remains is a big security issue. Whenever data is erased or removed from a storage medium, residual data can be left behind. This can allow for the data to be reconstructed when the organization disposes of the medium, resulting in unauthorized individuals or groups gaining access to the data. Media that security professionals must consider include magnetic hard disk drives, solid-state drives, magnetic tapes, and optical media, such as CDs and DVDs.
A security procedure defines how to respond to any security event that happens on your network.
Of all the update types that need to be maintained, anti-malware updates are the most critical to the organization. You must maintain updates to the malware definitions as well as updates to the malware engine itself. When choosing an anti-malware solution, there are two approaches: host based and cloud based. In the following sections, we will examine both.
Host-based anti-malware is a solution that you install and run on each PC in your network. It has the advantage of giving you total control over the process but also requires you to stay on top of updates. It also requires the deployment of some hardware to hold the engine and the definition files.
Cloud antivirus products do not run on local computers but run in the cloud, creating a smaller footprint on the client and utilizing processing power in the cloud.
IN CONTEXT
Should you install host-based or cloud-/server-based anti-malware for your network?
Imagine that you manage a very large enterprise network and need to keep a close eye on the most common attacks today: malware. You should ideally install a next-generation intrusion prevention system (IPS) device, but you do not have the money for that type of equipment and the necessary training. You need something that will stop zero-day attacks if possible and do not want to add much processing or even more software on the hosts in the network than you already have. You do not want to install any new hardware, if possible, to get this done. With all this in mind, cloud/server-based anti-malware may be the best solution because it allows access to the latest malware data within minutes of the cloud antivirus service learning about it, and you do not need to install any new hardware at your location. You just need a good, solid internet connection.
Network professionals often create device configurations over time that can be quite complicated, and in some cases where multiple technicians have played a role, no single person has a complete understanding of the configuration. For this reason, configurations should be backed up.
A typical antivirus program consists of two components: the engine and the virus definition files.
The engine accesses the definition files, runs virus scans, cleans the files, and notifies the appropriate people and accounts. Eventually, viruses become so sophisticated that a new engine, or even a whole new technology, is required to combat them effectively.
Heuristic scanning is a technology that allows an antivirus program to search for a virus even if there’s no definition for it yet. The engine looks for suspicious activity of the kind that usually indicates the presence of a virus. But use such a tool with caution because if it is turned on, this scanning technique can mistake harmless or even necessary code for suspicious code.
EXAMPLE
For your antivirus program to work for you, you have to upgrade, update, and scan in a specific order:
We are going to cover only the steps in this list that map to objectives of the Network+ exam, but looking into the others on your own will not hurt and will give you some worthwhile knowledge.
An antivirus engine is the core program that runs the scanning process, and virus definitions are keyed to an engine version number. For example, a 3.x engine will not work with 4.x definition files. When the manufacturer releases a new engine, consider both the cost to upgrade and how much you will benefit before buying it.
We recommend that you update your list of known viruses, called the virus definition files, no less than weekly. You can do this manually or automatically through the vendor’s website, and you can use a staging server within your company to download and distribute the updates or set up each computer to download updates individually.
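The two rules above (definitions are keyed to the engine's major version, and definitions should be refreshed at least weekly) are easy to audit across a fleet. The following is an added example, not code from the study guide or any vendor: it assumes a hypothetical per-host status record with an engine version, a definition-file version and a definition publication date, and treats "compatible" as "same major version number".

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical per-host record, as a management console or inventory might report it.
@dataclass
class HostAvStatus:
    hostname: str
    engine_version: str        # e.g. "4.2.1"
    definitions_version: str   # e.g. "4.1187" (major number keyed to the engine)
    definitions_date: date     # date the definition file was published

# Page's recommendation: update definitions no less than weekly.
MAX_DEFINITION_AGE = timedelta(days=7)

def major(version: str) -> int:
    """Return the major number of a dotted version string ("4.2.1" -> 4)."""
    return int(version.split(".")[0])

def check_host(host: HostAvStatus, today: date) -> list[str]:
    """Return the problems found for one host; an empty list means the host is fine."""
    problems = []
    # Definitions are keyed to the engine's major version: a 3.x engine cannot use 4.x files.
    if major(host.engine_version) != major(host.definitions_version):
        problems.append(
            f"definition major {major(host.definitions_version)} does not match "
            f"engine major {major(host.engine_version)}")
    # Definitions older than the weekly update interval are stale.
    age = today - host.definitions_date
    if age > MAX_DEFINITION_AGE:
        problems.append(f"definitions are {age.days} days old (limit {MAX_DEFINITION_AGE.days})")
    return problems

def audit(hosts, today: date) -> dict[str, list[str]]:
    """Audit a fleet and return only the hosts that need attention, keyed by hostname."""
    return {h.hostname: p for h in hosts if (p := check_host(h, today))}

# Constructed sample fleet and audit date (not real data).
AUDIT_DATE = date(2024, 5, 3)
SAMPLE_HOSTS = [
    HostAvStatus("ws01", "4.2.1", "4.1187", date(2024, 5, 1)),   # compatible and current
    HostAvStatus("ws02", "3.9.0", "4.1187", date(2024, 5, 1)),   # engine too old for definitions
    HostAvStatus("ws03", "4.2.1", "4.1100", date(2024, 4, 10)),  # compatible but stale
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_HOSTS, AUDIT_DATE).items():
        print(name, "->", "; ".join(problems))
```

A staging server that distributes updates can run the same check against its own copy of the definition files before pushing them to hosts, so an engine upgrade and its matching definitions are rolled out together.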
An antivirus scan is the process that an antivirus program deploys to examine a computer, identify viruses, and then eliminate them. There are three types of antivirus scans, and to really make sure your system is clean, you should use a combination of the types we cover in this section.
An on-demand scan is a virus scan initiated by you or an administrator that searches a file, a directory, a drive, or an entire computer but only checks the files you’re currently accessing. We recommend doing this at least monthly, but you will also want to do an on-demand scan when the following occurs:
An on-access scan runs in the background when you open a file or use a program in situations like these:
During an emergency scan, only the operating system and the antivirus program are running. You initiate one of these scans when a virus has totally invaded your system and taken control of the machine. In this situation, insert your antivirus emergency boot disk and boot the infected computer from it. Then, scan and clean the entire computer. If you do not have your boot disk, go to another, uninfected machine and create one from it. Another possibility is to use an emergency scan website that allows you to scan your computer via high-speed internet access without using an emergency disk.
So what do you do if you know you have a virus? First, you want to make sure to scan all potentially affected hard disks and any external disks that could be infected. Establish a cleaning station, and quarantine the infected area. You will have a really hard time doing this if anyone continues to use the computer while it is infected, so make sure all users in the infected area stop using their computers.
Then, remove all external memory devices from all disk drives and perform a scan and clean at the cleaning station. Update the virus definitions of any computers that are still operational. For the ones that are not, or the ones that are still working but are infected, boot to an antivirus emergency boot disk. After you have done that, run a full scan and clean the entire system on all computers in the office space.
Source: This content and supplemental material have been adapted from Lammle, CompTIA Network+ Study Guide: Exam N10-007, 4th Edition, Instructor Companion Site (wiley.com).