The document discusses various topics related to cyber network security concepts including antipatterns of signature-based malware detection versus polymorphic threats, reputational, behavioral and entropy-based malware detection techniques, document-driven certification and accreditation antipatterns, policy-driven security certifications not addressing real threats, and recommended specialized skills for IT security.
Module 4 - Cyber Network Security Concepts - Part 1

What is an antipattern?
Antipatterns are a way of thinking clearly about habitual causes of serious problems and the
effective solutions to them.

Describe the Signature-Based Malware Detection versus Polymorphic Threats antipattern.

- Signature-based antivirus engines miss 30 to 70 percent of malicious code, and nearly 100 percent of zero-day infections.
- Malicious signature growth is exploding: from 5 new signatures per day in 2000 to 1,500 per day in 2007 and more than 15,000 per day in 2009, according to Symantec, an average cumulative growth of 200 to 300 percent per year.
- Malware variability has grown so rapidly that signature-based detection is rapidly becoming obsolete.
- The proliferation of malware signatures is driven primarily by polymorphic malware techniques.
- For example, the cryptographic hash functions used by signature-based detectors yield a completely different value for even a slight change to a malicious file. Changing a single string literal in the file is enough to break the hash match and produce a false negative.
- Other polymorphic techniques include varying character encodings, encryption, and random values embedded in the files.
- VirusTotal.com runs more than 30 antivirus engines on any file an Internet user submits; its results show how inconsistent antivirus verdicts on the same file are from one vendor to the next.

Discuss Reputational, Behavioral and Entropy-Based Malware Detection in antipatterns.

Vendors are developing innovative techniques that can detect zero-day and polymorphic malware.
- Reputation-Based Malware Detection
  - Symantec is harnessing a global customer base of more than 100 million systems to identify potential malware signatures.
  - The technique, called reputation-based signatures, identified 240 million new malware signatures by comparing binaries across millions of systems and flagging anomalous variations, such as a binary seen on only a handful of systems or a file whose copies differ from system to system.
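The prevalence and variant-churn logic behind reputation-based signatures, as an added example that is not part of the original notes or any vendor's code. The telemetry, the short hash labels and every threshold (20 hosts for "good", 5 hosts and an 80 percent variant ratio for "suspicious") are constructed assumptions standing in for the multi-million-host population the text describes.

```python
from collections import defaultdict

# Constructed endpoint telemetry (not vendor data): (host_id, file_name, sha256)
# sightings. Hashes are shortened labels for readability.
SIGHTINGS = (
    # One stable binary seen on 50 hosts: high prevalence.
    [(f"h{i:03d}", "notepad.exe", "a1") for i in range(50)]
    # Eight hosts, eight different binaries under one name: polymorphic churn.
    + [(f"h{i:03d}", "update.exe", f"f{i}") for i in range(8)]
    # A rare but stable binary (e.g. an in-house tool): low prevalence only.
    + [("h010", "tool.exe", "c1"), ("h011", "tool.exe", "c1")]
)


def hosts_per_hash(sightings):
    """Prevalence: how many distinct hosts reported each hash."""
    hosts = defaultdict(set)
    for host, _, digest in sightings:
        hosts[digest].add(host)
    return {d: len(h) for d, h in hosts.items()}


def variants_per_name(sightings):
    """Per file name: (distinct hashes, distinct hosts). A ratio near 1.0 across
    several hosts means almost every host saw a different binary under the same
    name, the anomalous variation a reputation system looks for."""
    hashes, hosts = defaultdict(set), defaultdict(set)
    for host, name, digest in sightings:
        hashes[name].add(digest)
        hosts[name].add(host)
    return {n: (len(hashes[n]), len(hosts[n])) for n in hashes}


def reputation(sightings, digest, min_good_prevalence=20,
               min_churn_hosts=5, churn_ratio=0.8):
    """Reputation verdict for one hash. Thresholds are illustrative assumptions."""
    prevalence = hosts_per_hash(sightings).get(digest, 0)
    if prevalence >= min_good_prevalence:
        return "good: widely seen, stable binary"
    names = {name for _, name, d in sightings if d == digest}
    churn = variants_per_name(sightings)
    for name in names:
        n_hashes, n_hosts = churn[name]
        if n_hosts >= min_churn_hosts and n_hashes / n_hosts >= churn_ratio:
            return f"suspicious: '{name}' has {n_hashes} variants across {n_hosts} hosts"
    return "unknown: low prevalence, no variant churn"


if __name__ == "__main__":
    for digest in ("a1", "f3", "c1"):
        print(digest, "->", reputation(SIGHTINGS, digest))
```

Two caveats a practitioner should keep in mind: low prevalence by itself is not a malware verdict (in-house tools and fresh vendor builds are rare too, hence the separate "unknown" outcome), and an attacker who can seed many hosts with one unchanged dropper can earn it a "good" reputation, so prevalence is a prior to combine with behavioral evidence rather than a final answer.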

- Behavioral-Based Malware Detection
  - FireEye has created a behavioral intrusion detection system (IDS) that uses elements of honeypots and forensics to automatically identify malicious content as it flows across corporate networks.
  - Behavioral IDS techniques execute the sniffed content in a virtual machine and observe the resulting configuration changes, such as changes to registry settings, services, and the file system.
  - There are other emerging behavioral antivirus products, for example from ThreatFire.com.
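What a behavioral IDS does with the changes it observes after detonating content in a VM, as an added example that is not part of the original notes or of any vendor's product. The sandbox trace format, the event names, the paths and the rule weights are constructed assumptions; the point is that the rules score behaviors (persistence, service installation, shadow-copy deletion) and correlate them with the file the sample itself dropped, rather than matching the sample's bytes.

```python
import re

# Constructed sandbox trace (not real telemetry): one event per line, as a
# behavioral IDS might record after running sniffed content in a VM.
SANDBOX_TRACE = """\
file.write      C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe
registry.set    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater = C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe
service.create  ShadowSync binpath=C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe
process.exec    vssadmin.exe delete shadows /all /quiet
network.connect 203.0.113.7:443
"""

# Constructed trace of an ordinary document editor, for contrast.
BENIGN_TRACE = """\
file.write      C:\\Users\\victim\\Documents\\report.docx
registry.set    HKCU\\Software\\Example Editor\\RecentFiles = report.docx
network.connect 198.51.100.20:443
"""

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def parse_trace(text):
    """Turn the one-event-per-line trace into (action, detail) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            action, _, detail = line.partition(" ")
            events.append((action, detail.strip()))
    return events


def _target(detail):
    """Path that a registry Run value or a service binpath points at."""
    if " = " in detail:
        return detail.split(" = ", 1)[1].strip()
    if "binpath=" in detail:
        return detail.split("binpath=", 1)[1].strip()
    return ""


def score_events(events):
    """Weighted behavioral rules (weights are illustrative assumptions). The
    persistence rules correlate registry/service changes with files the sample
    dropped into user-writable locations."""
    dropped = {d for a, d in events if a == "file.write" and USER_WRITABLE.search(d)}
    findings = []
    for action, detail in events:
        if action == "file.write" and detail in dropped and detail.lower().endswith(".exe"):
            findings.append(("executable dropped in user-writable directory", 20))
        elif action == "registry.set" and RUN_KEY.search(detail):
            if _target(detail) in dropped:
                findings.append(("Run-key persistence to dropped file", 40))
            else:
                findings.append(("Run-key modification", 15))
        elif action == "service.create":
            if _target(detail) in dropped:
                findings.append(("service installed for dropped file", 40))
            else:
                findings.append(("service installed", 20))
        elif action == "process.exec" and SHADOW_DELETE.search(detail):
            findings.append(("volume shadow copies deleted", 50))
    return findings


def verdict(trace_text, threshold=60):
    """Return (label, total score, findings) for one sandbox trace."""
    findings = score_events(parse_trace(trace_text))
    total = sum(weight for _, weight in findings)
    return ("malicious" if total >= threshold else "benign"), total, findings


if __name__ == "__main__":
    for name, trace in (("sample", SANDBOX_TRACE), ("editor", BENIGN_TRACE)):
        label, total, findings = verdict(trace)
        print(f"{name}: {label} (score {total})")
        for reason, weight in findings:
            print(f"  +{weight:<3} {reason}")
```

The limitation to remember is the mirror image of the signature problem: behavior is only observed if the sample exhibits it inside the VM, so sandbox-aware malware that sleeps, checks for virtualization artifacts, or waits for user interaction produces an empty trace and a "benign" verdict.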

- Entropy-Based Malware Detection
  - An emerging field of research called entropy-based malware detection looks for mathematical similarity to known malware rather than an exact signature match.
  - The cryptographic hash functions used by most antivirus programs are designed so that any difference between a file and the known sample, however small, produces a completely different hash.
  - Minor changes to a file, such as modified strings or encodings, therefore cause the hash match to fail.
  - Entropy-based matching instead uses mathematical functions that measure how similar two files are, rather than whether they differ at all.
  - If a suspicious file's entropy measure nearly matches that of known malware, the likelihood that the malware is present increases. A single entropy value is a weak discriminator on its own, since unrelated packed or encrypted files can share the same entropy, so in practice it is combined with other similarity measures.
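The contrast between exact-hash signatures and similarity-based matching, as one added example covering both the polymorphic-threat discussion above and this entropy section; it is not code from the original notes or from any antivirus product. The four byte strings are constructed stand-ins (a "known" file, the same file with one string literal changed, an unrelated file, and a byte-sorted copy of the known file), and the similarity thresholds are assumptions. Beyond the single entropy value the text mentions, the example also shows a byte-histogram cosine and a trigram Jaccard measure, because the sorted copy demonstrates why an order-blind measure cannot be a verdict by itself.

```python
import hashlib
import math
from collections import Counter

# Constructed samples (no real malware). KNOWN stands in for a file already in
# the signature database; VARIANT changes one string literal, the polymorphic
# edit described in the text; BENIGN is unrelated; SHUFFLED has exactly KNOWN's
# byte counts in a different order.
KNOWN = (b"MZ\x90\x00" + b"\x00" * 60
         + b"CreateRemoteThread\x00http://c2.example.invalid/gate.php\x00"
         + bytes(range(256)) * 4)  # stands in for a packed, high-entropy section
VARIANT = KNOWN.replace(b"gate.php", b"ping.php")
BENIGN = b"MZ\x90\x00" + b"\x00" * 60 + b"Hello, world!\x00" * 40 + b"\x00" * 200
SHUFFLED = bytes(sorted(KNOWN))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


SIGNATURE_DB = {sha256_hex(KNOWN)}


def signature_match(sample):
    """Classic signature check: exact cryptographic hash lookup."""
    return sha256_hex(sample) in SIGNATURE_DB


def shannon_entropy(data):
    """Bits per byte; identical for any two files with the same byte counts."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def byte_histogram(data):
    n = len(data)
    counts = Counter(data)
    return [counts.get(b, 0) / n for b in range(256)]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def ngrams(data, n=3):
    """Set of overlapping byte n-grams: order-aware, tolerant of local edits."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def similarity_report(sample, reference=KNOWN):
    """Similarity measures that survive small edits, unlike the exact hash."""
    return {
        "entropy_delta": abs(shannon_entropy(sample) - shannon_entropy(reference)),
        "histogram_cosine": cosine(byte_histogram(sample), byte_histogram(reference)),
        "trigram_jaccard": jaccard(ngrams(sample), ngrams(reference)),
    }


def classify(sample, reference=KNOWN, cosine_min=0.95, jaccard_min=0.8):
    """Exact hash first; then require BOTH the order-blind (histogram) and the
    order-aware (trigram) measure, since SHUFFLED satisfies the first perfectly."""
    if signature_match(sample):
        return "known malware (exact signature)"
    r = similarity_report(sample, reference)
    if r["histogram_cosine"] >= cosine_min and r["trigram_jaccard"] >= jaccard_min:
        return "likely variant (similarity match)"
    return "no match"


if __name__ == "__main__":
    for name, s in (("KNOWN", KNOWN), ("VARIANT", VARIANT),
                    ("BENIGN", BENIGN), ("SHUFFLED", SHUFFLED)):
        r = similarity_report(s)
        print(f"{name:8} {classify(s):36} entropy_delta={r['entropy_delta']:.3f} "
              f"cosine={r['histogram_cosine']:.3f} jaccard={r['trigram_jaccard']:.3f}")
```

Running it shows the two failure modes side by side: the hash misses VARIANT after a four-byte edit (the false negative from the text), while entropy and histogram alone would accept SHUFFLED, a file with no shared structure at all, which is why the trigram measure gates the similarity verdict.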

Explain the Document-Driven Certification and Accreditation antipattern.

- Certification and Accreditation (C&A) has attracted much public criticism because it has a reputation as a paper-driven process that does not secure systems against real threats.
- Assessment and Authorization (A&A), the newer name for C&A, is the process of assuring the information security of systems before they are deployed.
- Certification is an assessment and testing phase that identifies and confirms vulnerabilities. Accreditation is an executive approval process that formally accepts the risks discovered during certification.
- Pre-certification is often an arduous process of security documentation and reviews.
- In many organizations certification is problematic: testing is often waived, or done only superficially with policy scanners that check registry and configuration settings against a baseline without ever exercising the system.
- In the more rigorous practice of penetration testing (pen testing), vulnerabilities are thoroughly explored with state-of-the-art tools, followed by actual exploitation and malicious-user tests in which gaining unauthorized access is the goal.
- Although A&A is formalized in government organizations, it is also widely practiced in industry.

Describe the Policy-Driven Security Certifications Do Not Address the Threat antipattern.

- The gold standard of professional security certifications is the Certified Information Systems Security Professional (CISSP).
- It is an entirely paper-based qualification, requiring a great deal of memorization across 10 diverse security domains (the count at the time of the report cited below), such as physical security, communications security, and systems security.
- CISSP is required by the U.S. Department of Defense (DoD) for both management and technical security workers, and is demanded in the job market. Anecdotally, the presumed goal of the certification is to produce articulate security professionals who can communicate effectively with upper management, rather than practitioners who can find and counter real threats.
- This paradox was addressed by the Center for Strategic and International Studies (CSIS), which released a Presidential Commission report, A Human Capital Crisis in Cybersecurity (July 2010).
- The report states clearly that "the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security," because of its overemphasis on security compliance on paper versus combating threats.
- Many people in the cybersecurity community view this finding as controversial because their careers, reputations, and credentials are invested in security compliance policies and procedures.
- This is the industry that drives A&A, risk management, security controls compliance, and other labor-intensive security activities. Unfortunately, for most professionals it is much easier to turn a highly technical person into a policy person than to turn a policy person into a highly technical one, which is very difficult or impossible. It is a one-way street.

Discuss the recommended list of specialized skills that should be available on demand in IT security shops.

- Network Device Specialist: Vendor-certified specialist with deep knowledge for debugging and configuring the network devices in your shop, for example routers and firewalls. Applicable certifications are from Cisco, Novell, and other networking vendors.

- Operating System Security Specialist: Specialist in configuring and hardening the security of each operating system in your environment. Applicable certifications and training from Microsoft, Oracle (Sun), Tresys Technology (Linux), Red Hat (Red Hat Linux), Novell (SUSE Linux), eEye Digital Security, and other operating system (OS) developers and specialists.

- Database Security Specialist: Specialist in configuring the security of each specific database type in your environment. Applicable certifications and training from Oracle, Sybase, Application Security Inc., Well House (open source), and other database specialists.

- System Forensics Specialist: Specialist in in-depth analysis of systems, building chains of evidence that will hold up to scrutiny, and other forensic investigation techniques. Applicable training from the Defense Cyber Crime Center, SANS Institute, Guidance Software, AccessData, and other forensic specialists.

- Reverse Engineering Malware Specialist: Security researcher who captures malware and analyzes its characteristics with the goal of permanently eradicating it from your networks. Applicable education and training from the SANS Institute, Invisible Things Lab, Black Hat courses, and other security researchers.
