Countermeasures

Now, you’re going to look at some technical countermeasures that can be used to mitigate the risks to IT systems.

As you read through, reflect on how these measures have been or could be used in both your personal or organisation’s cybersecurity set-up.

Cyber-attack countermeasures

Figure 1: countermeasures

Antivirus products

Every computer system in an organisation should have an antivirus product installed and this should be updated when patches or new signatures are released to ensure it can detect and prevent the spread of new malware. But remember, just because you’ve installed antivirus software it doesn’t guarantee safety from infection, particularly from zero-day attacks.

A zero day or a day zero attack is the term used to describe the threat of an unknown security vulnerability in a computer's software or application for which either the patch has not been released, the application developers were unaware of, or did not have sufficient time to address.

Firewalls

Many antivirus products come with embedded personal firewalls and Microsoft Windows comes with its own firewall. The firewall should be switched on to help prevent unwanted communication to and from client machines.

Boundary controls

Boundary controls are used to control traffic in and out of the network, particularly email and web traffic. They are able to monitor and identify any unauthorised communications to stop those that may cause harm.

Import/export controls

These are associated with boundary controls. They permit only designated, trusted users to import or export programs or data on removable media such as USB sticks. This may involve special training and clearance. Import/export controls use a combination of antivirus and content checking technologies to ensure data or programs can be imported and exported safely.

Intrusion detection systems and intrusion prevention

Intrusion detection systems detect possible attacks by signature matching or anomalous behaviour, while intrusion prevention systems can prevent as well as detect attacks. They require expert management and are typically only implemented in larger organisations due to their cost.

One possible risk with these countermeasures is misidentifying ‘normal’ behaviour. This can lead to false positives – the misidentification of legitimate behaviour as malicious. As a result, legitimate activity gets blocked, causing a denial of service.

Application control technologies

These are used to prohibit users from executing unauthorised code on a system. If a user downloads malware to their system, the application control technology would stop the code being executed. The Windows operating system comes with a feature called AppLocker that provides this level of protection.