CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [266]

if a packet or message is entering your private LAN from the Internet, then it cannot have a valid source address from the LAN. These types of filters are known as egress (exiting) and ingress (entering) filters. They need to be configured on every border system.

Using reverse lookups and white/black lists also allows you to limit spoofing attacks. Reverse lookups check whether a source MAC address, IP address, or e-mail address is real, currently in use, and from the expected location before traffic is allowed to enter or leave. White lists and black lists are filters built from lists of addresses known to be either legitimate and trustworthy or illegitimate and malicious. All addresses on a white list are trusted and allowed to pass with little interference, whereas all addresses on a black list are either blocked outright or subjected to greater levels of inspection before being allowed to pass. Black lists can cause a form of DoS if benign addresses are placed on the black list accidentally. Watch for this threat, and be prepared to verify and correct list entries when necessary.
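The ingress/egress anti-spoofing rules and the white/black list handling described above, as an added example that is not code from the study guide. The LAN ranges, the `BorderFilter` class and the three decisions (`drop`, `allow`, `inspect`) are assumptions made for the illustration; reverse lookups are left out because they need live DNS or directory access. The spoofing checks run before the lists so that a forged packet cannot ride through on a trusted address, and `list_conflicts` flags the accidental entries that turn a black list into a self-inflicted DoS.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example: the private address ranges used inside this LAN.
LAN_NETS = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Packet:
    direction: str  # "ingress" (Internet -> LAN) or "egress" (LAN -> Internet)
    src: str        # source IP address as text
    dst: str        # destination IP address as text


def is_lan_address(addr: str) -> bool:
    """True if addr falls inside one of the LAN's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


@dataclass
class BorderFilter:
    """Hypothetical border-device filter: anti-spoofing checks first, then lists."""
    allow_list: set = field(default_factory=set)  # trusted external addresses
    block_list: set = field(default_factory=set)  # known-malicious addresses

    def decide(self, pkt: Packet) -> str:
        """Return 'drop', 'allow' or 'inspect' for one packet crossing the border."""
        src_is_lan = is_lan_address(pkt.src)
        # Ingress filter: traffic arriving from the Internet cannot legitimately
        # carry one of our own LAN addresses as its source.
        if pkt.direction == "ingress" and src_is_lan:
            return "drop"
        # Egress filter: traffic leaving the LAN must carry a LAN source; anything
        # else is spoofed from inside (or comes from a misconfigured host).
        if pkt.direction == "egress" and not src_is_lan:
            return "drop"
        # Lists are consulted only after the spoofing checks, so a spoofed
        # packet cannot ride through on an allow-listed address.
        external = pkt.dst if pkt.direction == "egress" else pkt.src
        if external in self.block_list:
            return "drop"
        if external in self.allow_list:
            return "allow"
        return "inspect"  # unknown external party: pass only after deeper inspection

    def list_conflicts(self) -> set:
        """Addresses on both lists, or LAN addresses on the block list.
        Either is usually an entry error and a self-inflicted DoS waiting to happen."""
        both = self.allow_list & self.block_list
        lan_blocked = {a for a in self.block_list if is_lan_address(a)}
        return both | lan_blocked
```

Run `list_conflicts()` as part of every change to the lists; the ordering in `decide` is the important design choice, since a list lookup that ran before the spoofing checks would let a forged source address inherit the trust of the address it impersonates.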

Man-in-the-middle, replay, and session hijacking attacks are thwarted by several means: complex packet sequencing rules, time stamps in session packets, periodic mid-session reauthentication, mutual authentication, the use of encrypted communication protocols, and spoof-proof authentication mechanisms (such as certificates). Whenever possible, use only modern OSs that are fully updated. Also, attempt to limit your out-of-LAN communications to encrypted sessions verified with certificates.
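The receiver-side checks that defeat replay and session hijacking, as an added example rather than the book's own code: a keyed MAC over the session ID, sequence number, timestamp and payload, a freshness window, a strictly increasing sequence number, and a cap on messages between mid-session reauthentications. The `SessionGuard` class, the session key, the 30-second skew and the reauthentication interval are assumptions for the illustration; mutual authentication with certificates, which the text also lists, is out of scope here and would sit in the handshake that establishes the key.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass
class SessionMessage:
    session_id: str
    seq: int          # strictly increasing per session
    timestamp: float  # sender's clock, seconds since the epoch
    payload: bytes
    mac: bytes        # HMAC over every field above, keyed with the session key


def compute_mac(key: bytes, session_id: str, seq: int, timestamp: float, payload: bytes) -> bytes:
    """Keyed MAC binding the payload to its session, sequence number and time."""
    header = f"{session_id}|{seq}|{timestamp:.3f}|".encode()
    return hmac.new(key, header + payload, hashlib.sha256).digest()


def build_message(key: bytes, session_id: str, seq: int, payload: bytes, now: float) -> SessionMessage:
    """Sender side: stamp the message and attach its MAC."""
    return SessionMessage(session_id, seq, now, payload,
                          compute_mac(key, session_id, seq, now, payload))


class SessionGuard:
    """Receiver-side checks for one session key: MAC, freshness window,
    monotonic sequence, and a cap on messages between reauthentications."""

    def __init__(self, key: bytes, max_skew: float = 30.0, reauth_every: int = 100, clock=time.time):
        self.key = key
        self.max_skew = max_skew        # accepted clock difference in seconds
        self.reauth_every = reauth_every
        self.clock = clock              # injectable so tests can fix the time
        self.last_seq = {}              # session_id -> highest accepted seq
        self.since_reauth = {}          # session_id -> messages since last reauth

    def reauthenticate(self, session_id: str) -> None:
        """Called after the peer has re-proven its identity mid-session."""
        self.since_reauth[session_id] = 0

    def accept(self, msg: SessionMessage) -> tuple:
        """Return (accepted, reason). State is updated only for accepted messages."""
        expected = compute_mac(self.key, msg.session_id, msg.seq, msg.timestamp, msg.payload)
        if not hmac.compare_digest(expected, msg.mac):
            return False, "bad mac"                 # forged or tampered in transit
        if abs(self.clock() - msg.timestamp) > self.max_skew:
            return False, "stale timestamp"         # replay of an old capture
        if msg.seq <= self.last_seq.get(msg.session_id, -1):
            return False, "replayed sequence"       # duplicate or reordered
        if self.since_reauth.get(msg.session_id, 0) >= self.reauth_every:
            return False, "reauthentication required"
        self.last_seq[msg.session_id] = msg.seq
        self.since_reauth[msg.session_id] = self.since_reauth.get(msg.session_id, 0) + 1
        return True, "ok"
```

The MAC is verified first, with a constant-time comparison, so that no per-session state changes in response to a message an interceptor could have forged; the timestamp and sequence checks then reject captured packets even when they are cryptographically intact.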

Antivirus Protection

The appearance of malicious code is at an all-time high, and it will only get worse. As more and more countries, cities, and population groups move into the Internet age, many people are learning how to program. Inevitably, human nature leads some of these new programmers to the dark side, and they become the authors of malicious code. Your job is to erect sufficient barriers to the malware threat to prevent any and all breaches.

The best initial protection against malicious code is antivirus software. However, these packages are not perfect. Even properly managed and fully updated antivirus scanners can still overlook 4 percent of known viruses. This oversight means that you cannot rely on a single scan to provide realistic protection; you need to scan everywhere. It is highly recommended that you employ at least three different antivirus vendors’ scanning solutions in your environment. However, never install two antivirus products on the same computer! Install one product on all clients, a second product on all internal servers, and a third product on all border systems. In this manner, every bit of data entering or leaving your environment is scanned at least twice, if not three times, thus reducing the likelihood of missing a known virus from 4 percent to 0.16 percent (4 percent of 4 percent) or 0.0064 percent (4 percent of 4 percent of 4 percent).

Every antivirus product should scan data as it enters the computer, as it leaves the computer, as data is written to the hard drive, as data is read from the hard drive, and as data is used in memory. Plus, on a weekly or biweekly basis, scan every file on every drive. Yes, this will affect your system’s performance, but in most cases a small reduction in performance is worth the trade-off for greatly improved malware protection.

Automate the downloading of virus signature databases, but restrict and control the deployment of engine updates. Virus signature database updates have rarely been the cause of problems, but delaying the deployment of the signature database can result in undetected infections. Most modern antivirus solutions offer a staged deployment controller for updates. A single server should poll the public website for antivirus updates two to four times a day. Then, that server should be the host that provides the updates to all other internal systems. This deployment controller usually allows you to make signature database updates
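The staged deployment controller described above, as an added example that is not code from the book or from any antivirus vendor: one internal server is the only host that polls the vendor, signature database updates are pushed to every host as soon as they arrive, and engine updates are held until an administrator releases them to a pilot group and then to the general population. The `StagedDeploymentController` class, the host groups and the version strings are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Update:
    kind: str     # "signature" (virus signature database) or "engine" (scanner binary)
    version: str


@dataclass
class StagedDeploymentController:
    """Hypothetical internal update server. It is the only host that polls the
    vendor; every other system takes its updates from here."""
    hosts: dict                                      # hostname -> "pilot" | "general"
    deployed: dict = field(default_factory=dict)     # hostname -> {"signature": v, "engine": v}
    pending_engine: list = field(default_factory=list)
    rollout_log: list = field(default_factory=list)  # (host, kind, version) per install

    def _install(self, host: str, kind: str, version: str) -> None:
        self.deployed.setdefault(host, {})[kind] = version
        self.rollout_log.append((host, kind, version))

    def poll(self, available: list) -> list:
        """One poll of the vendor feed (the text suggests two to four per day).
        Signature updates go out immediately; engine updates are parked."""
        actions = []
        for upd in available:
            if upd.kind == "signature":
                for host in self.hosts:
                    if self.deployed.get(host, {}).get("signature") != upd.version:
                        self._install(host, "signature", upd.version)
                actions.append(f"signature {upd.version} pushed to all hosts")
            elif upd.kind == "engine" and upd.version not in self.pending_engine:
                self.pending_engine.append(upd.version)
                actions.append(f"engine {upd.version} held for approval")
        return actions

    def approve_engine(self, version: str, group: str) -> list:
        """Administrator decision: release a held engine to one host group
        ('pilot' first, 'general' once the pilot group has run it cleanly).
        Returns the hosts that received it."""
        if version not in self.pending_engine:
            raise ValueError(f"engine {version} was never offered or is unknown")
        targets = [h for h, g in self.hosts.items() if g == group]
        for host in targets:
            self._install(host, "engine", version)
        # Once every host runs this engine there is nothing left to approve.
        if all(self.deployed.get(h, {}).get("engine") == version for h in self.hosts):
            self.pending_engine.remove(version)
        return targets
```

The asymmetry is the point: a signature update that is late leaves infections undetected, so it is never held back, while an engine update changes the scanner's behaviour and is released only after a pilot group has run it without trouble.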

