Cisco® CCNA Security Exam Notes : Mitigation Technology For Endpoint Threats



7. Content and Endpoint Security

7.3 Describe mitigation technology for endpoint threats


Ransomware is malware for data kidnapping, an exploit in which the attacker encrypts the victim's data and demands payment for the decryption key.

Ransomware spreads through e-mail attachments, infected programs and compromised websites. A ransomware malware program may also be called a cryptovirus, cryptotrojan or cryptoworm.

Logic bombs: Logic bombs are small programs or sections of a program triggered by some event such as a certain date or time, a certain percentage of disk space filled, the removal of a file, and so on. For example, a programmer could establish a logic bomb to delete critical sections of code if she is terminated from the company. Logic bombs are most commonly installed by insiders with access to the system.

Trojan horses (often just called Trojans): Trojan horses are programs that must be installed or executed by a user to be effective. Often, these are disguised as helpful or entertaining programs which can include operating system patches, Linux packages, or games. Once executed, however, Trojans perform actions the user did not intend such as opening certain ports for later intruder access, replacing certain files with other malicious files, and so on.

Spear phishing: Spear phishing is a pinpoint attack against some subset of people (users of a website or product, employees of a company, members of an organization) to attempt to undermine that company or organization. It isolates a specific group of people, as opposed to spamming the world, and attempts to get them to do something to gain access to proprietary data or company systems. It will often look real and appear to come from a legitimate member of the organization. For instance, a spear phish may appear to come from an executive of the company asking for login IDs and passwords.

Back doors: Back doors, also referred to as trapdoors, are bits of code embedded in programs by the programmer(s) to quickly gain access at a later time, often during the testing or debugging phase. If an unscrupulous programmer purposely leaves this code in or simply forgets to remove it, a potential security hole is introduced. Hackers often plant a backdoor on previously compromised systems to gain later access. Trap doors can be almost impossible to remove in a reliable manner. Often, reformatting the system is the only sure way.

Immunet is free, community-based antivirus software maintained by Cisco SourceFire. Website:

Note that ClamAV is free, open-source antivirus software maintained by Cisco engineers and other non-Cisco engineers.

The following are the most notable features of Cisco AMP (Advanced Malware Protection):

1. AMP is a cloud-based "software-as-a-service" endpoint security solution. You deploy AMP's lightweight connector on your endpoints, and then set up your account.

2. AMP protects endpoints running Windows or Mac OS, Android mobile devices, and Linux systems.

3. AMP performs all analysis in the cloud, not on the endpoint itself. This results in no significant delays being felt by the endpoints.

4. Once a file lands on the endpoint, AMP continues to watch, analyze, and record file activity, regardless of the file's disposition. When malicious behavior is detected, AMP shows you a recorded history of the malware's behavior over time.

5. AMP automatically detects and blocks known and emerging threats in real time using one-to-one signature matching, fuzzy fingerprinting, machine learning, and other detection methods.

6. The Cisco Talos group analyzes millions of malware samples and terabytes of data per day, and pushes that intelligence to AMP.

7. Advanced sandboxing capabilities perform automated static and dynamic analysis of files against 700+ behavioral indicators to uncover stealthy threats.

The Cisco FirePOWER Next-Generation IPS (NGIPS) solution offers advanced threat protection by integrating:

1. Real-time contextual awareness

2. Advanced threat protection

3. Intelligent security automation

4. Superior performance and scalability

Cisco FirePOWER NGIPS allows you to address the full attack continuum - before, during, and after an attack.

AMP: Advanced Malware Protection is subscription-based, managed through a web-based management console, and deployed on a variety of platforms.

NetFlow: Cisco IOS NetFlow provides services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides information about network users and applications, peak usage times, and traffic routing.

IPS events: You can configure the IPS to trigger on certain events so that those events can be investigated for malicious activity.

Snort: Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Personal firewall/HIPS

HIPS: By definition, HIPS is an installed software package that monitors a single host for suspicious activity by analyzing events occurring within that host. In other words, a Host Intrusion Prevention System (HIPS) aims to stop malware by monitoring the behavior of code. This makes it possible to help keep your system secure.

HIPS protect the computer against known and unknown malicious attacks. In case of attempted major changes by a hacker or malware, HIPS blocks the action and alerts the administrator (or the user) so an appropriate decision about what to do can be made.

NIPS: A network-based intrusion prevention system (NIPS) is a system used to monitor a network as well as protect the confidentiality, integrity, and availability of a network. Its main functions include protecting the network from threats, such as denial of service (DoS) and unauthorized usage. Usually, the NIPS is installed on the perimeter of the network and protects all the devices within the perimeter.

The majority of NIPSs utilize one of the three detection methods as follows:

1. Signature-based detection: Signatures are preconfigured attack patterns. The device monitors the network traffic and compares it with the preconfigured signatures; on a successful match, the NIPS takes the next appropriate action. This type of detection fails to identify zero-day threats, for which no signature yet exists.

2. Anomaly-based detection: This method of detection creates a baseline of average network conditions. Once a baseline has been created, the system intermittently samples network traffic, analyzes it statistically, and compares the sample to the baseline. If the activity is found to be outside the baseline parameters, the NIPS proceeds to the next rule (for example, alerting or blocking).

3. Protocol state analysis detection: This type of detection method identifies deviations of protocol states by comparing observed events with predefined profiles.

4. A NIPS device may combine more than one detection method for greater detection accuracy.
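As an added illustration of the first two NIPS detection methods above (not code from the exam notes or from any Cisco product), the following toy engine runs a signature match and an anomaly check over constructed flow records; the signature patterns, IP addresses and the 3-sigma threshold are assumptions chosen for the demonstration.

```python
"""Toy NIPS engine: signature-based plus anomaly-based detection over flow records."""
from collections import Counter
from statistics import mean, pstdev

# Signature-based: preconfigured byte patterns (constructed examples, not real Snort rules).
SIGNATURES = {
    "cgi-traversal": b"../../",
    "sql-union-probe": b"UNION SELECT",
}

# Constructed baseline: connections per source sampled during a quiet period.
QUIET_SAMPLES = [4, 5, 6, 5, 4, 5, 6, 5]

# Constructed flow records: (source address, first bytes of payload).
FLOWS = [
    ("10.0.0.5", b"GET /index.html"),
    ("10.0.0.5", b"GET /about.html"),
    ("10.0.0.9", b"GET /cgi-bin/../../secret"),
] + [("10.0.0.7", b"SYN")] * 8          # one source opening many connections


def signature_hits(payload: bytes) -> list[str]:
    """Return the name of every signature whose pattern appears in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat in payload]


def build_baseline(samples: list[int]) -> tuple[float, float]:
    """Baseline = mean and population standard deviation of the quiet-period samples."""
    return mean(samples), pstdev(samples)


def is_anomalous(value: int, baseline: tuple[float, float], k: float = 3.0) -> bool:
    """Flag a value more than k standard deviations above the baseline mean."""
    avg, sd = baseline
    return value > avg + k * sd


def inspect(flows, baseline):
    """Run both methods; return {source: [reasons]} for sources that need action."""
    verdicts: dict[str, list[str]] = {}
    for src, payload in flows:                       # method 1: signature match
        for name in signature_hits(payload):
            verdicts.setdefault(src, []).append(f"signature:{name}")
    per_src = Counter(src for src, _ in flows)       # method 2: compare to baseline
    for src, count in per_src.items():
        if is_anomalous(count, baseline):
            verdicts.setdefault(src, []).append(f"anomaly:{count} connections")
    return verdicts


if __name__ == "__main__":
    for src, reasons in inspect(FLOWS, build_baseline(QUIET_SAMPLES)).items():
        print(src, reasons)
```

Note that the traversal probe is caught only because its pattern is preconfigured, while the burst from 10.0.0.7 is caught without any signature, which is exactly the trade-off the two methods make.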

The following precautions may be taken to harden network infrastructure:

1. Use physical barriers such as room locks so that unauthorized persons do not have access to the network devices.

2. Use a firewall so that outsiders cannot access network devices from outside the network.

3. Enable SSH so that passwords are transmitted in encrypted form.
