Accounting traces an action back to a person or process. Accounting then collects this information and reports the usage data. The organization can use this data for such purposes as auditing or billing.
• Defending Systems and Devices—An organization needs a good administrator to configure operating systems to protect against outside threats. A systematic approach is required to establish security monitoring procedures, evaluate software updates, and install updates using a documented plan. Baselines help to indicate system compromise when performance deviates significantly from the baseline.
Fileless malware attacks are difficult to detect and leave no footprint. They can exploit scriptable command shells. Python, Bash, and Visual Basic for Applications (VBA) scripts can be malicious.
To stay ahead of cybercriminals, software should be proactively patched to eliminate vulnerabilities. Operating systems regularly check for patches, but administrators should evaluate patches before they are installed. Automated patch management systems provide administrators with control over date and time of updates and reporting about the status of systems and patches.
Host-based endpoint security includes host-based firewalls that can block incoming and outgoing traffic. Host intrusion detection systems (HIDSs) monitor hosts and log security and system events. Host intrusion prevention systems (HIPSs) detect malicious activity and can raise an alarm, log the activity, reset the connection, and/or drop the packets. Endpoint detection and response (EDR) is an integrated security solution that continuously monitors and collects data from endpoint devices. Data loss prevention (DLP) tools provide a centralized way to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. Next-generation firewalls (NGFWs) combine traditional firewalls with other network-device-filtering functions.
Data can be protected through host encryption: the Windows Encrypting File System (EFS) encrypts individual files and folders, and BitLocker provides full-disk encryption (FDE) of entire drives. BitLocker requires a Trusted Platform Module (TPM) that is enabled in the BIOS. BitLocker To Go is a tool that encrypts removable drives.
Boot integrity ensures that the system can be trusted and has not been altered while the operating system loads. Secure Boot is a security standard to ensure that a device boots using trusted software.
Apple provides system hardware and macOS security features that offer robust endpoint protection. The Mac hardware platform has enhanced security features such as a special security processor, boot integrity, and a dedicated AES encryption engine. Apple Data Protection and FileVault data storage encryption are supported by the hardware-based AES encryption engine. Biometric data is processed in security hardware, isolating it from the operating system. Apple also includes a Find My Device feature, XProtect antimalware technology, a Malware Removal Tool (MRT), and Gatekeeper, which ensures that only authentic, digitally signed Apple software can be installed.
Physical protection of devices includes controlling access to equipment and facilities, using cable locks, keyed or cipher door locks, and device inventory and tracking with radio frequency identification (RFID) systems.
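One way to turn the baseline idea from this section into a concrete check, as an added example (not code from the course): the script learns a mean and standard deviation from a constructed series of per-minute outbound connection counts for one host, then flags later samples that fall more than three standard deviations from that baseline. The metric, the sample values and the three-sigma threshold are assumptions chosen for the illustration.

```python
"""Baseline-deviation check for host monitoring (added example, not course code).

A baseline is learned from samples taken during a known-normal period; later
samples are flagged when they deviate from that baseline by more than a chosen
number of standard deviations. All data below are constructed for the example.
"""
from statistics import mean, pstdev
from typing import Iterable, List, Tuple

# Constructed: outbound connections per minute during a quiet learning period.
BASELINE_SAMPLES = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13, 12, 14]

# Constructed: later observations, including two bursts that should be flagged.
NEW_SAMPLES = [13, 14, 90, 12, 15, 140]


def build_baseline(samples: Iterable[int]) -> Tuple[float, float]:
    """Return (mean, population standard deviation) of a normal-period series."""
    values = list(samples)
    if len(values) < 2:
        raise ValueError("need at least two samples to establish a baseline")
    return mean(values), pstdev(values)


def deviates(value: float, baseline: Tuple[float, float], z_threshold: float = 3.0) -> bool:
    """True when value lies more than z_threshold standard deviations from the mean.

    A zero standard deviation (a perfectly flat baseline) means any change at
    all is a deviation, so that edge case is handled explicitly.
    """
    avg, sd = baseline
    if sd == 0:
        return value != avg
    return abs(value - avg) / sd > z_threshold


def flag_deviations(samples: Iterable[int], baseline: Tuple[float, float],
                    z_threshold: float = 3.0) -> List[Tuple[int, float]]:
    """Return (index, value) pairs for samples that exceed the deviation threshold."""
    return [(i, v) for i, v in enumerate(samples) if deviates(v, baseline, z_threshold)]


if __name__ == "__main__":
    base = build_baseline(BASELINE_SAMPLES)
    for idx, val in flag_deviations(NEW_SAMPLES, base):
        print(f"sample {idx}: {val} connections/min deviates from baseline mean {base[0]:.1f}")
```

A flagged sample is a cue for investigation, not proof of compromise; the same shape of check applies to any metric captured in the host baseline (CPU, disk writes, failed logins).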
• Antimalware Protection—Various network security devices are required to protect the network perimeter from outside access. These devices could include a hardened router that is providing VPN services, a next-generation firewall, an IPS appliance, and a AAA services server. However, securing an internal LAN is nearly as important as securing the outside network perimeter. Endpoints and the network infrastructure require protection.
There are three types of antimalware programs: signature-based, heuristics-based, and behavior-based. Host-based antivirus protection is also known as agent-based. Agent-based antivirus runs on every protected machine. Agentless antivirus protection performs scans on hosts from a centralized system. Host-based firewalls restrict incoming and outgoing connections to connections initiated by that host only. Examples include Windows Defender Firewall with Advanced Security on Windows, and iptables and TCP Wrappers on Linux.
Protecting endpoints in a borderless network can be accomplished using network-based as well as host-based techniques. Devices and techniques that implement host protections at the network level include Cisco Secure Endpoint, Cisco Secure Email, Cisco Umbrella, and Network Admission Control (NAC) systems. These technologies work together with host-based systems to secure the enterprise.