Question
Part I: a) Distinguish between what firewalls look at and what antivirus programs look at.
b) Are AV programs used to detect more than viruses? Explain.
c) Distinguish between signature detection and behavioral pattern detection.
d) Why is signature detection not enough?
Part II: Suppose that an attack would do $100,000 in damage and has a 15% annual probability of success. Spending $9,000 per year on “Measure A” would cut the annual probability of success by 75%. Do a risk analysis comparing benefits and costs. Show your work clearly. b) Should the company spend the money? Explain. c) Do another risk analysis if Measure A costs $20,000 per year. Again, show your work. d) Should the company spend the money? Explain in detail.
Explanation / Answer
Part-1
Q a) Distinguish between what firewalls look at and what antivirus programs look at
A a) Let us first understand what a firewall and an antivirus program are.
Firewall:- A firewall is software used to manage the security of a private network. Firewalls block unauthorized access to or from private networks and are usually used to prevent unauthorized web users or unauthorized software from gaining access to private networks connected to the Internet. A firewall may be implemented in hardware, in software, or in a combination of both. A firewall is regarded as the first line of protection in securing sensitive information. For better safety, the data can additionally be encrypted.
Antivirus:- Antivirus software is basically intended to detect and remove viruses from computer systems, and it can also protect against a wide range of threats, including other types of malicious software such as browser hijackers, Trojan horses, worms, spyware, and adware. Antivirus software is also known as an anti-virus program or a vaccine.
Basis for comparison: Firewall vs. Antivirus

Implemented in
  Firewall: both hardware and software.
  Antivirus: software only.

Operations performed
  Firewall: monitoring and filtering of software and applications.
  Antivirus: scanning of infected files, software and applications.

Deals with
  Firewall: external threats only.
  Antivirus: internal as well as external threats to the system.

Inspection of attack is based on
  Firewall: incoming packets.
  Antivirus: malicious software residing on the computer.

Counter attack
  Firewall: IP spoofing and routing attacks.
  Antivirus: no further attacks are possible once the malware has been removed.

Inspection
  Firewall: its inspection capability is based on a pre-defined set of network protocols.
  Antivirus: its inspection capability is limited to the techniques implemented by the antivirus vendor.

Purpose
  Firewall: it analyses data packets crossing the network to decide which ones get a pass and which should be restricted.
  Antivirus: the main purpose of antivirus is to inspect, detect, prevent and remove all kinds of viruses that might badly affect the system.
Q b) Are AV programs used to detect more than viruses? Explain.
A b) Yes, antivirus (AV) programs are used to detect more than viruses. Antivirus software, or anti-virus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses.
There are several organizations that develop and offer anti-virus software, and what each offers can vary, but all perform some basic functions:
Identification methods
Q c) Distinguish between signature detection and behavioural pattern detection.
A c) An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any malicious activity or violation is generally reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.
There are two types of detection methods:
1. Signature detection
2. Behavioural pattern detection
Basis for comparison: Signature detection vs. Behavioural pattern detection

Definition
  Signature detection: signature-based detection techniques have been used since the early days of security monitoring. Virus scanners used signatures to recognize infected files, and the earliest intrusion detection systems (IDS) relied heavily upon signature definitions.
  Behavioural pattern detection: behaviour-based malware detection evaluates an object based on its intended actions before it actually executes that behaviour. An object's behaviour, or in some cases its possible behaviour, is analysed for unusual activity. Attempts to perform activities that are clearly unusual or unauthorized indicate that the object is malicious, or at least suspicious.

Compares
  Signature detection: signature-based AV compares hashes or signatures of files on a system to a list of known malicious files. It also looks within files to find signatures of malicious code.
  Behavioural pattern detection: behaviour-based AV watches processes for tell-tale signs of malware, which it compares to a list of known malicious behaviours.

Disadvantage
  Signature detection: because they only detect known attacks, a signature must be created for every attack, and novel attacks cannot be identified. Signature engines are also prone to false positives, since they are commonly based on regular expressions and string matching. Both of these mechanisms merely look for strings within packets travelling over the wire.
  Behavioural pattern detection: a disadvantage of anomaly-detection engines is the difficulty of defining rules. Each protocol being examined must be defined, implemented and tested for accuracy. Rule development is also complicated by differences in vendor implementations of the various protocols.
Q d) Why is signature detection not enough?
A d) Signature-based detection techniques have been used since the early days of security monitoring. Virus scanners used signatures to recognize infected files, and the earliest intrusion detection systems (IDS) relied heavily upon signature definitions.
The following drawbacks show why signature detection alone is not enough:-
Part-2
a)
Ans a) Given information:-
Measure A:-
b)
Ans b) Yes, spend the money, because the benefit would be positive and the measure effective.
c)
Ans c) Given information:-
Measure A:-
d)
Ans d) No, the company should not spend $20,000 per year on Measure A, because at that price it is too expensive.
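A worked version of the Part II risk analysis, added here as an example and not part of the original answer. It uses only the figures from the question (a $100,000 loss, a 15% annual probability of success, a 75% reduction from Measure A, and annual costs of $9,000 and $20,000); the function and key names are the example's own.

```python
# Added example: annualized risk analysis for Part II, using the question's figures.
# Function and variable names below are the example's own, not from the original answer.

def annual_loss_expectancy(single_loss, annual_probability):
    """ALE = single loss expectancy (SLE) x annualized rate of occurrence (ARO)."""
    return single_loss * annual_probability


def countermeasure_analysis(single_loss, annual_probability, reduction, annual_cost):
    """Compare a countermeasure's annual cost with the ALE reduction it buys.

    reduction is the fraction by which the countermeasure cuts the annual
    probability of success (0.75 means the probability drops by 75%).
    """
    ale_before = annual_loss_expectancy(single_loss, annual_probability)
    residual_probability = annual_probability * (1 - reduction)
    ale_after = annual_loss_expectancy(single_loss, residual_probability)
    benefit = ale_before - ale_after          # expected loss avoided per year
    net_value = benefit - annual_cost         # positive means the spend pays for itself
    return {
        "ale_before": round(ale_before, 2),
        "residual_probability": round(residual_probability, 4),
        "ale_after": round(ale_after, 2),
        "benefit": round(benefit, 2),
        "cost": annual_cost,
        "net_value": round(net_value, 2),
        "recommend": net_value > 0,
    }


def part_ii(single_loss=100_000, annual_probability=0.15, reduction=0.75):
    """Run both scenarios from the question: Measure A at $9,000 and at $20,000 per year."""
    return {
        cost: countermeasure_analysis(single_loss, annual_probability, reduction, cost)
        for cost in (9_000, 20_000)
    }


if __name__ == "__main__":
    for cost, result in part_ii().items():
        print(f"Measure A at ${cost:,}/year")
        for key, value in result.items():
            print(f"  {key:>21}: {value}")
```

Running it shows the ALE falling from $15,000 to $3,750 in both scenarios, a benefit of $11,250 per year; at $9,000 the net value is +$2,250 (spend), at $20,000 it is -$8,750 (do not spend), which is the reasoning behind the answers to b) and d).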
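For Part I c) and d), the following added example (not part of the original answer) contrasts the two detection methods in code: a signature scanner that compares a file's hash and byte patterns with a known-bad list, and a behavioural scanner that evaluates what a process does. The sample bytes, hashes, registry key, file paths and event trace are constructed for the example; the rule and function names are assumptions.

```python
import hashlib
import re

# Constructed "known bad" samples; their SHA-256 hashes stand in for a vendor's
# signature database. The byte strings are invented for this example only.
KNOWN_BAD_SAMPLES = [b"constructed-bad-sample-A", b"constructed-bad-sample-B"]
KNOWN_BAD_HASHES = {hashlib.sha256(s).hexdigest() for s in KNOWN_BAD_SAMPLES}

# Constructed byte-pattern signatures: the "look within files" part of signature AV.
BYTE_SIGNATURES = {
    "marker_string": re.compile(rb"CONSTRUCTED_MARKER_[0-9]{3}"),
}


def signature_scan(data):
    """Signature detection: compare the file's hash and contents with known-bad entries."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_HASHES:
        hits.append("hash:" + digest[:12])
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern.search(data):
            hits.append("pattern:" + name)
    return hits


# Behavioural rules look at what a process does, not at its bytes.
def _mass_rename(events):
    """Three or more files rewritten with a new extension: a ransomware-like pattern."""
    writes = [e for e in events if e["type"] == "file_write" and e["path"].endswith(".locked")]
    return len(writes) >= 3


def _persistence_then_beacon(events):
    """An autorun registry write followed later by an outbound connection."""
    saw_persistence = False
    for e in events:
        if e["type"] == "registry_write" and e["key"].endswith("\\Run"):
            saw_persistence = True
        elif saw_persistence and e["type"] == "network_connect":
            return True
    return False


BEHAVIOUR_RULES = {
    "mass_rename": _mass_rename,
    "persistence_then_beacon": _persistence_then_beacon,
}


def behaviour_scan(events):
    """Behavioural detection: return the names of the rules the event trace triggers."""
    return [name for name, rule in BEHAVIOUR_RULES.items() if rule(events)]


def classify(data, events):
    """Combine both methods: signatures settle known files, behaviour catches novel ones."""
    signature_hits = signature_scan(data)
    behaviour_hits = behaviour_scan(events)
    if signature_hits:
        return "known-malicious", signature_hits, behaviour_hits
    if behaviour_hits:
        return "suspicious-behaviour", signature_hits, behaviour_hits
    return "clean", signature_hits, behaviour_hits


# Constructed trace of a novel sample: no hash or pattern is on file, but its actions are.
NOVEL_SAMPLE = b"constructed-novel-sample-that-no-signature-list-has-seen"
NOVEL_EVENTS = [
    {"type": "registry_write", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "file_write", "path": r"C:\Users\alice\Documents\report.docx.locked"},
    {"type": "file_write", "path": r"C:\Users\alice\Documents\budget.xlsx.locked"},
    {"type": "file_write", "path": r"C:\Users\alice\Pictures\holiday.jpg.locked"},
    {"type": "network_connect", "dst": "203.0.113.10:443"},  # TEST-NET-3 address, constructed
]

if __name__ == "__main__":
    print(classify(KNOWN_BAD_SAMPLES[0], []))    # caught by the signature alone
    print(classify(NOVEL_SAMPLE, NOVEL_EVENTS))  # missed by signatures, caught by behaviour
    print(classify(b"ordinary document text", [{"type": "file_write", "path": r"C:\tmp\notes.txt"}]))
```

The novel sample is the point of d): its bytes match nothing, so a signature-only scanner reports it clean, while the behavioural rules flag the persistence-then-beacon sequence and the mass rename. The trade-off from the comparison table is also visible: the behavioural rules had to be designed and tuned by hand, and a benign backup tool that renames many files could trigger the same rule.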