WEBVTT

1
00:00:00.060 --> 00:00:01.230
In this lesson,

2
00:00:01.230 --> 00:00:03.960
we will learn about threat protection.

3
00:00:03.960 --> 00:00:06.420
Threat protection is the implementation

4
00:00:06.420 --> 00:00:09.810
of security measures to detect, prevent

5
00:00:09.810 --> 00:00:12.630
and respond to threats and attacks.

6
00:00:12.630 --> 00:00:16.380
Threat protection concepts include anti-malware,

7
00:00:16.380 --> 00:00:18.090
host-based firewalls,

8
00:00:18.090 --> 00:00:20.820
host-based intrusion detection systems

9
00:00:20.820 --> 00:00:24.060
and host-based intrusion prevention systems.

10
00:00:24.060 --> 00:00:27.180
Anti-malware is designed to detect,

11
00:00:27.180 --> 00:00:30.210
prevent and remove malicious software,

12
00:00:30.210 --> 00:00:34.260
including viruses, worms and ransomware.

13
00:00:34.260 --> 00:00:37.650
Next, a host-based firewall is installed

14
00:00:37.650 --> 00:00:41.130
on an individual endpoint to control incoming

15
00:00:41.130 --> 00:00:43.080
and outgoing network traffic

16
00:00:43.080 --> 00:00:46.290
based on a preset access control list.

17
00:00:46.290 --> 00:00:48.972
Finally, host-based intrusion detection

18
00:00:48.972 --> 00:00:51.420
and intrusion prevention systems

19
00:00:51.420 --> 00:00:54.570
monitor and analyze system activities

20
00:00:54.570 --> 00:00:59.130
for signs of malicious behavior or policy violations.

21
00:00:59.130 --> 00:01:02.100
Let's learn more about anti-malware,

22
00:01:02.100 --> 00:01:06.360
host-based firewalls, host-based intrusion detection systems

23
00:01:06.360 --> 00:01:09.720
and host-based intrusion prevention systems.

24
00:01:09.720 --> 00:01:12.600
First, we have anti-malware.

25
00:01:12.600 --> 00:01:15.120
It is essential to have antivirus

26
00:01:15.120 --> 00:01:19.230
and anti-malware protection installed on all hosts,

27
00:01:19.230 --> 00:01:21.780
not only as a security measure,

28
00:01:21.780 --> 00:01:24.810
but also because it provides valuable logging

29
00:01:24.810 --> 00:01:26.880
of potential infection attempts

30
00:01:26.880 --> 00:01:29.250
across your system and network.

31
00:01:29.250 --> 00:01:33.060
Antivirus works by scanning files, programs

32
00:01:33.060 --> 00:01:36.840
and system activities for known malware signatures,

33
00:01:36.840 --> 00:01:40.830
blocking or removing threats to prevent infection.

34
00:01:40.830 --> 00:01:45.360
Anti-malware works by scanning for threats like adware,

35
00:01:45.360 --> 00:01:50.360
spyware, viruses, worms and other harmful programs

36
00:01:50.370 --> 00:01:53.700
using a combination of signature detection,

37
00:01:53.700 --> 00:01:56.700
behavior analysis and heuristics

38
00:01:56.700 --> 00:02:00.000
to block or remove those malicious threats.

39
00:02:00.000 --> 00:02:04.830
In the past, separate tools, like antivirus for viruses

40
00:02:04.830 --> 00:02:09.270
and anti-spyware for spyware, were used individually.

41
00:02:09.270 --> 00:02:12.240
But today, these features are often integrated

42
00:02:12.240 --> 00:02:15.420
into a single anti-malware solution.

43
00:02:15.420 --> 00:02:19.770
For example, Windows Defender combines antivirus

44
00:02:19.770 --> 00:02:23.550
and anti-spyware protections into one platform,

45
00:02:23.550 --> 00:02:26.880
called Microsoft Defender Antivirus.

46
00:02:26.880 --> 00:02:31.500
Just as with pure signature-based antivirus platforms,

47
00:02:31.500 --> 00:02:35.730
it is important to keep anti-malware software up to date

48
00:02:35.730 --> 00:02:39.630
and to regularly scan systems looking for malware.

49
00:02:39.630 --> 00:02:43.830
Given the significant role of email in spreading malware,

50
00:02:43.830 --> 00:02:48.240
it's also important to configure email settings carefully.

51
00:02:48.240 --> 00:02:51.810
For example, disabling automatic previews

52
00:02:51.810 --> 00:02:54.870
can help prevent harmful images from loading

53
00:02:54.870 --> 00:02:57.330
and reduce the risk of infection.

54
00:02:57.330 --> 00:03:01.050
Next, spam filters, which are often built in

55
00:03:01.050 --> 00:03:02.940
to anti-malware solutions,

56
00:03:02.940 --> 00:03:05.670
can be used to block malicious emails

57
00:03:05.670 --> 00:03:10.140
before they ever reach users, enhancing overall security.

58
00:03:10.140 --> 00:03:13.620
And finally, since emails are a common attack vector

59
00:03:13.620 --> 00:03:17.310
for phishing attacks, training users to avoid clicking

60
00:03:17.310 --> 00:03:19.680
on suspicious links in their email

61
00:03:19.680 --> 00:03:23.550
will help reduce the chance of a successful phishing attack.

62
00:03:23.550 --> 00:03:26.640
Furthermore, many anti-malware solutions

63
00:03:26.640 --> 00:03:29.552
offer browser extensions that warn users

64
00:03:29.552 --> 00:03:32.700
about suspicious or malicious websites,

65
00:03:32.700 --> 00:03:35.490
providing an extra layer of protection

66
00:03:35.490 --> 00:03:37.920
for a user while browsing.

67
00:03:37.920 --> 00:03:41.850
Configuring browsers based on the network security zone

68
00:03:41.850 --> 00:03:46.020
they will operate in, such as an intranet or the internet,

69
00:03:46.020 --> 00:03:49.470
can further help manage and reduce risk levels.

70
00:03:49.470 --> 00:03:53.940
Anti-malware software can also detect and block spyware,

71
00:03:53.940 --> 00:03:56.490
including keyloggers, which are designed

72
00:03:56.490 --> 00:04:00.060
to capture sensitive keystrokes and information.

73
00:04:00.060 --> 00:04:03.300
Second, we have host-based firewalls.

74
00:04:03.300 --> 00:04:05.372
Unlike network-based firewalls,

75
00:04:05.372 --> 00:04:09.180
host-based firewalls are software installed directly

76
00:04:09.180 --> 00:04:11.250
on individual machines.

77
00:04:11.250 --> 00:04:13.060
Most operating systems come

78
00:04:13.060 --> 00:04:16.260
with a host-based firewall built in,

79
00:04:16.260 --> 00:04:18.600
but it usually needs to be enabled

80
00:04:18.600 --> 00:04:20.850
to provide any protection.

81
00:04:20.850 --> 00:04:24.570
These firewalls, often called personal firewalls,

82
00:04:24.570 --> 00:04:27.450
are designed to accept or drop packets

83
00:04:27.450 --> 00:04:30.690
based on the application or port being used,

84
00:04:30.690 --> 00:04:34.020
specifically targeting inbound traffic.

85
00:04:34.020 --> 00:04:37.920
For example, Microsoft provides Windows Firewall,

86
00:04:37.920 --> 00:04:41.580
which can block inbound traffic based on IP address

87
00:04:41.580 --> 00:04:43.080
or port numbers.

88
00:04:43.080 --> 00:04:46.980
Hackers often attempt to spoof their IP addresses

89
00:04:46.980 --> 00:04:51.980
using private IP address ranges like 10.0.0.0,

90
00:04:52.197 --> 00:04:57.197
172.16.0.0 and 192.168.0.0.

91
00:04:59.910 --> 00:05:03.780
However, a properly configured personal firewall

92
00:05:03.780 --> 00:05:06.780
can quickly block all three of these ranges,

93
00:05:06.780 --> 00:05:08.790
preventing many attacks.

94
00:05:08.790 --> 00:05:11.592
Some attacks also originate from addresses

95
00:05:11.592 --> 00:05:16.560
in the loopback, multicast or experimental ranges.

96
00:05:16.560 --> 00:05:19.050
To defend against these, you should block

97
00:05:19.050 --> 00:05:24.050
the ranges 127.0.0.0, 224.0.0.0 and 240.0.0.0.

98
00:05:29.790 --> 00:05:34.080
If you are using Linux or OS X operating systems,

99
00:05:34.080 --> 00:05:37.200
host-based firewalls are also available.

100
00:05:37.200 --> 00:05:41.280
Linux commonly uses ipchains and iptables,

101
00:05:41.280 --> 00:05:43.800
with iptables being the more current

102
00:05:43.800 --> 00:05:46.170
and more powerful option accessible

103
00:05:46.170 --> 00:05:48.720
through the command line in a Linux shell.

104
00:05:48.720 --> 00:05:52.530
For OS X systems, you can use the firewall located

105
00:05:52.530 --> 00:05:54.570
within the system preferences

106
00:05:54.570 --> 00:05:57.090
through the graphical user interface.

107
00:05:57.090 --> 00:06:00.840
Third, we have host-based intrusion detection systems,

108
00:06:00.840 --> 00:06:01.860
or HIDS.

109
00:06:01.860 --> 00:06:04.410
Unlike their network-based counterparts,

110
00:06:04.410 --> 00:06:08.070
HIDS are installed directly on individual endpoints

111
00:06:08.070 --> 00:06:10.950
like servers, desktops or laptops

112
00:06:10.950 --> 00:06:13.830
where they serve as the system's eyes and ears

113
00:06:13.830 --> 00:06:16.530
for detecting suspicious activities.

114
00:06:16.530 --> 00:06:19.755
Host-based intrusion detection systems monitor

115
00:06:19.755 --> 00:06:23.040
the system closely by analyzing log files,

116
00:06:23.040 --> 00:06:26.910
system configurations and application behavior

117
00:06:26.910 --> 00:06:30.420
to spot unauthorized changes or attacks.

118
00:06:30.420 --> 00:06:34.290
For example, host-based intrusion detection systems

119
00:06:34.290 --> 00:06:37.770
can detect unusual file modifications,

120
00:06:37.770 --> 00:06:42.360
unexpected processes or unauthorized access attempts

121
00:06:42.360 --> 00:06:46.740
that might indicate malware or an intruder is at work.

122
00:06:46.740 --> 00:06:48.990
When these threats are identified,

123
00:06:48.990 --> 00:06:52.260
host-based intrusion detection systems, or HIDS,

124
00:06:52.260 --> 00:06:56.130
can generate alerts and log the details of the threat,

125
00:06:56.130 --> 00:06:59.790
giving administrators critical insights to investigate

126
00:06:59.790 --> 00:07:03.660
and respond quickly to potential security breaches.

127
00:07:03.660 --> 00:07:05.850
By running directly on the host,

128
00:07:05.850 --> 00:07:08.880
host-based intrusion detection systems provide

129
00:07:08.880 --> 00:07:10.860
a deep level of visibility

130
00:07:10.860 --> 00:07:13.290
into what's happening on the machine,

131
00:07:13.290 --> 00:07:16.320
allowing for real-time detection of threats

132
00:07:16.320 --> 00:07:19.770
that might slip past other security measures.

133
00:07:19.770 --> 00:07:21.480
Fourth and finally,

134
00:07:21.480 --> 00:07:25.680
we have host-based intrusion prevention systems, or HIPS.

135
00:07:25.680 --> 00:07:29.550
While similar to host-based intrusion detection systems,

136
00:07:29.550 --> 00:07:33.570
host-based intrusion prevention systems go a step further

137
00:07:33.570 --> 00:07:36.960
by not only detecting and logging potential threats,

138
00:07:36.960 --> 00:07:39.900
but by also actively blocking attacks

139
00:07:39.900 --> 00:07:42.330
before they can continue to do harm.

140
00:07:42.330 --> 00:07:44.820
Host-based intrusion prevention systems

141
00:07:44.820 --> 00:07:48.030
monitor system activities in real time

142
00:07:48.030 --> 00:07:50.370
and use signature-based detection,

143
00:07:50.370 --> 00:07:52.530
looking for known attack patterns,

144
00:07:52.530 --> 00:07:54.990
as well as anomaly-based detection,

145
00:07:54.990 --> 00:07:57.360
which identifies unusual behaviors

146
00:07:57.360 --> 00:08:00.630
that deviate from a system's normal activity.

147
00:08:00.630 --> 00:08:04.380
For instance, if host-based intrusion prevention systems

148
00:08:04.380 --> 00:08:08.820
detect a suspicious file trying to modify system settings

149
00:08:08.820 --> 00:08:11.850
or a malicious process attempting to run,

150
00:08:11.850 --> 00:08:13.920
they will immediately block the action

151
00:08:13.920 --> 00:08:16.590
and alert the user of the machine.

152
00:08:16.590 --> 00:08:20.520
Host-based intrusion prevention systems are often integrated

153
00:08:20.520 --> 00:08:24.450
with a centralized management server or orchestrator

154
00:08:24.450 --> 00:08:26.730
that collects log files and alerts

155
00:08:26.730 --> 00:08:28.950
from all endpoints in the network,

156
00:08:28.950 --> 00:08:32.340
providing a unified view of security events

157
00:08:32.340 --> 00:08:34.530
all across the organization.

158
00:08:34.530 --> 00:08:38.610
This setup allows security teams to quickly analyze

159
00:08:38.610 --> 00:08:42.060
and respond to attacks, coordinate defenses

160
00:08:42.060 --> 00:08:45.300
and continuously update protection measures

161
00:08:45.300 --> 00:08:47.640
based on emerging threats.

162
00:08:47.640 --> 00:08:51.930
So remember, threat protection involves implementing

163
00:08:51.930 --> 00:08:55.770
various security measures to detect, prevent

164
00:08:55.770 --> 00:08:59.700
and respond to attacks and malicious activities.

165
00:08:59.700 --> 00:09:01.740
Key components of threat protection

166
00:09:01.740 --> 00:09:05.400
include anti-malware, host-based firewalls,

167
00:09:05.400 --> 00:09:07.980
host-based intrusion detection systems

168
00:09:07.980 --> 00:09:11.250
and host-based intrusion prevention systems.

169
00:09:11.250 --> 00:09:15.420
Anti-malware helps detect and block harmful software,

170
00:09:15.420 --> 00:09:17.700
such as viruses and spyware.

171
00:09:17.700 --> 00:09:21.660
Next, host-based firewalls control network traffic

172
00:09:21.660 --> 00:09:24.900
to and from individual devices.

173
00:09:24.900 --> 00:09:28.290
Next, host-based intrusion detection systems

174
00:09:28.290 --> 00:09:31.920
monitor system activities for suspicious behavior,

175
00:09:31.920 --> 00:09:36.000
providing alerts and logs for further investigation.

176
00:09:36.000 --> 00:09:39.900
In contrast, host-based intrusion prevention systems

177
00:09:39.900 --> 00:09:43.860
take a more proactive approach by not only detecting

178
00:09:43.860 --> 00:09:48.243
but also blocking threats before they can cause damage.

