Application Policies

Loading...

來自 Google 的課程

IT Security: Defense against the digital dark arts

1266 個評分

Google

IT Security: Defense against the digital dark arts

1266 個評分

課程 5（共 5 門，Specialization Google IT Support Professional Certificate）

This course covers a wide variety of IT security concepts, tools, and best practices. It introduces threats and attacks and the many ways they can show up. We’ll give you some background of encryption algorithms and how they’re used to safeguard data. Then, we’ll dive into the three As of information security: Authentication, authorization, and accounting. We’ll also cover network security solutions, ranging from firewalls to Wifi encryption options. The course is rounded out by putting all these elements together into a multi-layered, in-depth security architecture, followed by recommendations on how to integrate a culture of security into your organization or team. At the end of this course, you’ll understand: - how various encryption algorithms and techniques work and their benefits and limitations. - various authentication systems and types. - the difference between authentication and authorization. At the end of this course, you’ll be able to: - evaluate potential risks and recommend ways to reduce risk. - make recommendations on how best to secure a network. - help others to understand security concepts and protect themselves.

從本節課中

Defense in Depth

In the fifth week of this course, we're going to go more in-depth into security defense. We'll cover ways to implement methods for system hardening, application hardening, and determine the policies for OS security. By the end of this module, you'll know why it's important to disable unnecessary components of a system, learn about host-based firewalls, setup anti-malware protection, implement disk encryption, and configure software patch management and application policies.

Software Patch Management6:32

Application Policies4:24

與講師見面

Google

As you can see, application software can represent a pretty large attack surface.

This is especially true when it comes to

a large fleet of systems used throughout an organization.

So, it's important to have some kind of application policies in place.

These policies serve two purposes.

Not only do they defined boundaries of what applications are permitted or not,

but they also help educate folks on how to use software more securely.

We've seen the risks that software can pose because of security vulnerabilities.

It makes sense to have a policy around applying software updates in a timely way.

A common recommendation or even a requirement is to only support or

require the latest version of a piece of software. From the I.T.

support perspective, this is important because

software updates will often fix issues that someone may be encountering.

But from the security side of things,

making sure the latest version of the software will ensure that

all security patches have been applied and the most secure version is in use.

This should be clearly called out in a policy.

People tend to be pretty lazy about applying updates to software that they use a lot.

Lots of times, applying an update requires restarting the application,

which can feel inconvenient and disruptive to users.

It's generally a good idea to disallow risky classes of software by policy.

Things like file sharing software and

piracy-related software tend to be closely associated with malware infections.

They usually don't have a business use either.

Let's not even talk about the legal implications of this type of software.

Understanding what your users need to do their jobs

will help shape your approach to software policies and guidelines.

If there's a common use case for a certain type of software,

it would be helpful to select

a specific software implementation and require the use of that solution.

This lets to reevaluate the most secure solution

and benefit from a more uniform software installation.

Remember, the name of the game is to minimize attack surfaces.

Each piece of software that accomplishes the same thing represents

a different set of

potential attack surfaces that could have a vulnerability lurking inside.

Helping your users accomplish tasks by recommending or

supporting specific software makes for a more secure environment.

It also helps users by giving them clear solutions to accomplish tasks.

If you want to employ a binary white listing solution,

it's also important to define a policy around what type of software can be waitlisted.

So it's probably unnecessary to have video games waitlisted,

unless your company is a video game studio, of course.

These policies usually require some kind of business use case or

justification to avoid a lot of one off personal software requests.

Another class of software that you might want to have policies

defined for are browser extensions or add ons.

Since a lot of workflows live exclusively within the web browser now,

they represent a potential vector for malware that often gets overlooked.

Extensions that require full access to web sites visited can be

risky since the extension developer has the power to modify pages visited.

Some extensions may even send user input to a remote server.

This could potentially leak confidential information.

Clearly defining classifications of risky extensions and add

ons will help protect your systems and provide guidance to your users.

But, policies are usually not enough to arm users

with the information they need to make informed choices.

Their decisions can impact the security of your organization.

That's where education and training comes into play which,

we'll discuss in the next module.

We went over a lot of really dense information on security in these lessons.

Take time to review some of the videos so that it really sinks in.

Okay, awesome work.

Now, it's time for a project that will test what you learned about the system hardening,

then if you can believe it,

you'll move on to the last lesson of the last course of this program. Woohoo.

探索我們的目錄

免費加入並獲得個性化推薦、更新和優惠。

Coursera 致力於普及全世界最好的教育，它與全球一流大學和機構合作提供在線課程。

© 2018 Coursera Inc. 保留所有權利。

通過 App Store 下載

通過 Google Play 獲取