INVITATION TO CYBERSECURITY 246

signature detection. Anomaly detection monitors the behavior of software, looking for unusual or suspicious activity. For example, if a program attempts to modify certain operating system settings or tries to create a network connection to a server, the IDPS program can detect and prevent the behavior and trigger an alert. It can also “learn” over time what normal behavior looks like by monitoring the activity on a computer system. Once a baseline is established, it can more accurately identify unusual events. Anomaly detection is more likely than signature detection to suffer from false positives. Too many false alarms result in alert fatigue, so anomaly detection needs to be tuned down to an acceptable level. One of the big advantages of anomaly detection is that it could potentially identify and prevent never-before-seen malware—this is not possible for signature detection.

These protection techniques are illustrative of the general arms race between cyber defenders and cyber attackers. As cyber defenders get better at identifying malicious software, hackers adapt and find new creative ways to evade detection. AI promises to improve both signature and anomaly detection, but it will also be used by hackers to improve evasion. AI could also be used to find vulnerabilities in software. This type of functionality could be used both by hackers to attack systems and by defenders to patch systems. There is an ongoing debate whether AI will fundamentally change the balance of power in cybersecurity or whether it will favor both sides such that the status quo will be maintained.

9.2.3.4 Use a System Firewall

System firewalls are similar to antivirus programs, but they focus solely on inbound and outbound network connections and traffic. Windows comes with Microsoft Defender Firewall preconfigured. It can help protect systems and alert users to suspicious behavior, and it should not be turned off unless a user understands the risk. When alerts pop up, users should try to understand what is being communicated and should consider searching online for more context before allowing exceptions. Alerts that pop up not in response to a specific user action are indicators of system compromise. Linux and macOS operating systems come with a system firewall, but it is not configured and activated by default.

Smartphones do not need antivirus software or a firewall because they are much more constrained than personal computers. Smartphone owners do not have true administrative or root access on their phones—this helps to make them more secure by default. The security of smartphones mostly boils down to the apps that users deliberately install. It is a risk to install apps acquired from outside of the approved stores because they have not been vetted, so they are more likely to be malicious. Even apps from the approved stores could be problematic—users should scrutinize the permissions that apps require during the installation process. The default should be to deny apps permissions unless they are absolutely necessary.
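The anomaly-detection idea described earlier on this page (learn a baseline of normal behavior, flag rare events, and tune the threshold to control false positives) can be shown in miniature. The following is an added example, not code from the book; the program names, event counts and the rarity-in-bits scoring are constructed for illustration.

```python
"""Baseline-and-threshold anomaly detection over host events (added example)."""
from collections import Counter
from math import log

# Constructed baseline telemetry: (program, action) pairs observed while
# "learning" on a healthy machine. Repetition counts stand in for a week of use.
BASELINE_EVENTS = (
    [("browser.exe", "net_connect")] * 400
    + [("browser.exe", "file_write")] * 120
    + [("updater.exe", "net_connect")] * 30
    + [("updater.exe", "registry_write")] * 4   # rare but legitimate
    + [("editor.exe", "file_write")] * 200
)

# Constructed events from a later day, including the two behaviors the page
# calls out as suspicious: changing OS settings and connecting out to a server.
TODAY_EVENTS = [
    ("browser.exe", "net_connect"),
    ("editor.exe", "file_write"),
    ("updater.exe", "registry_write"),   # rare + legitimate: false-positive candidate
    ("unknown.exe", "registry_write"),   # never seen during the baseline
    ("unknown.exe", "net_connect"),      # never seen during the baseline
]


def build_baseline(events):
    """The 'normal' model: how often each (program, action) pair was observed."""
    return Counter(events), len(events)


def rarity(event, model):
    """Surprise in bits, -log2(p). An unseen event gets p = 1/(total+1), which
    is smaller than any observed frequency, so it always scores highest."""
    counts, total = model
    n = counts.get(event, 0)
    p = n / total if n else 1.0 / (total + 1)
    return -log(p, 2)


def detect(events, model, threshold_bits):
    """Alert on every event whose rarity exceeds the tuning threshold."""
    return [e for e in events if rarity(e, model, ) > threshold_bits] if False else \
        [e for e in events if rarity(e, model) > threshold_bits]


if __name__ == "__main__":
    model = build_baseline(BASELINE_EVENTS)
    for threshold in (7.0, 9.0):
        print(f"threshold {threshold} bits ->", detect(TODAY_EVENTS, model, threshold))
```

At 7 bits the rare-but-legitimate updater event is flagged alongside the unknown program (a false positive); raising the threshold to 9 bits keeps only the never-before-seen events, which is the tuning trade-off the text describes.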