Computer Viruses and Related Threats: A Management Guide
Structure of Presentation • Computer Viruses: What are they like? • Why are Virus Incidents on the Rise? • Major Malicious Software • Trojan Horses, Viruses, and Network Worms. • Weaknesses Viruses Exploit. • Virus Prevention Program.
Computer Viruses: What are they like? • It copies itself to other files (e.g., programs), infecting them. • It executes the instructions that the author has included in it. • Depending on the author’s motives, the infected program can: • immediately damage system software, data, and other files, or • wait until a certain event has occurred, or a particular date and time has been reached, before launching any damage.
Related Threats with Viruses • Apart from viruses, other destructive programs include: • Trojan horses and network worms. • These destructive programs are collectively called “malicious software” (malicious programs, or malware). • Many times, they are written to masquerade as useful programs.
Why are Virus Incidents on the Rise? • Computer users (who can be intruders too) have become increasingly proficient and sophisticated. • Software applications are increasingly complicated and larger and larger, making their bugs and security holes more difficult to detect. • Lack of effective security mechanisms, e.g., security testing. • Some authors want to gain a (bad) reputation.
Major Malicious Software • Malicious software: • Trojan horses • Computer viruses • Network worms
Trojan Horses • A program which appears to be a useful program. When invoked, it performs some unwanted functions. • A ‘Trojan horse’ author usually: • gains access to the source code of a useful program which is usually attractive to others and, • adds ‘wicked’ code so that the program performs some hidden actions.
Trojan Horse Calculator • When a user invokes the program, it appears to be performing calculations. • Then it may quietly perform something else, such as deleting the user’s files or performing other harmful actions.
Trojan Horses with File Permission Modification • A wicked user of a multi-user system wants to gain access to other users’ files. • They create a Trojan horse program to circumvent the normal file permission mechanism. • They name the program such that other users will think it is a useful utility. • The ‘Trojan horse’ author induces (social-engineers) users to download it and perhaps put it in a common directory. • When invoked, the Trojan program changes the invoking user’s file permissions to be readable by any user. • The author can then access the files, such as work or personal information.
Trojan Horse Compilers • The Trojan horse compiler inserts additional code into compiled programs as they are being compiled. • The source code owner cannot see or detect this problem by reading the source code, because it is the compiler that inserts the bad code, and only at compile time. • The compiled program then contains a ‘trap door/back door’ which allows the Trojan horse’s author to get into the system.
How Trojans are Introduced to Your System • They are planted by an unauthorised user in public software repositories that many people can access, e.g., on PC file servers, FTP servers, Web servers, etc. • Unsuspecting users then copy and run them. • Or they are planted by an authorised user, such as one who is assigned to maintain compilers and software tools.
Computer Viruses • A virus is a type of computer program designed to spread itself from one file to other files. • A virus generally cannot spread from one machine to another by itself; usually the user is the carrier that moves the virus from one machine to another, e.g., by: • sending e-mail with an attached document or file that contains a virus, • copying an infected file onto a file server, • exchanging files on diskettes. • When another user receives the file or disk and uses it, the virus spreads within that machine, and the cycle continues in this way.
3 Characteristics of Viruses • A virus exhibits 3 characteristics: • A replication mechanism (copy to another file) • An activation mechanism (perhaps use a time bomb or a logic bomb to activate a virus to do bad things) • A malicious objective (planned by the virus’s author)
Network Worms • Use network connections to spread from system to system. • Network worms attack other systems that are linked via communication lines. • When active, worms can behave like viruses; that is, they have the ability to infect other connected systems.
How Worms Spread • Worms use the following ways to spread: • An email program, by which a worm can mail a copy of itself to other users (systems). • A remote login capability, i.e., a worm can log into a remote system to copy itself from the current system to the remote system. • A remote execution capability, i.e., a worm can execute itself on another remote system.
Replication Mechanism • Search for other remote systems to infect: examine the current system’s host tables or similar repositories for remote system addresses. • Make connection: establish a connection to the remote system, probably by logging in as a user, using an email program or performing remote execution. • Spread and run: copy itself to the remote system and cause the copy on the remote system to run.
Other Ways to Get into the Remote System • Password cracking by which the worm would attempt to log into a remote system by using user names or words from an on-line dictionary as passwords to log in. • A trap door (planted by someone) which would allow the worm to send commands to the remote system’s command interpreter. The commands would then be executed on the remote system. • Bugs in network-related programs which would allow the worm to access the remote system’s command interpreter.
Activation Mechanism and Objective • Activation may use a time bomb or logic bomb to activate itself to do bad things. • Its objective depends on whatever the worm’s author has designed: • delete files, • cause disruption to the infected system, • or even plant Trojan horses/viruses.
A Trojan Horse Worm • This worm displayed a Christmas tree and a message of good cheer. • When executed, the Trojan worm would examine network address files for other connected PCs. • The worm then mailed itself to those systems. • Upon receiving this message, the user was invited (social-engineered) to run this Christmas tree worm. • There was no destructive action from this worm, apart from disrupting communication and causing a loss of network bandwidth.
Virus-Related Threats • Variants of Trojan horses, viruses and worms are endless, e.g.: • A rabbit, whose objective is to spread wildly within or among systems and disrupt network traffic. • A bacterium, whose objective is to replicate within a system and eat up processor time until computer throughput (data-processing performance) is extremely degraded.
Weaknesses Viruses Use • Lack of user awareness - e.g., users copy and share infected software, fail to detect signs of virus activity. • Social-engineering – users are fooled into trusting emails received. • Absence/inadequacy of technical controls - e.g., lack of anti-virus software. • Ineffective use of technical controls - e.g., • use easily guessed passwords, • fail to use appropriate access controls (shared files with no password), • grant users far more access to resources than necessary.
Weaknesses Viruses Use • Software bugs - allow viruses to spread and break into other systems. • Unauthorised use - allowing unauthorised users to use your system. • Unauthorised users can be a wicked person who wants to attack your system by spreading viruses, or • good/authorised users who do things unwittingly, e.g., copy infected files into your system. • Susceptibility to network misuse - a network that allows anonymous access (e.g. via FTP) lets intruders upload viruses to the system.
Effective Virus Prevention Program • Due to the weaknesses above, one needs an effective virus prevention program which must address: • restricting system access only to authorised users, • ensuring that software and hardware are regularly monitored and maintained, • backing up regularly, and • having a contingency plan when any virus incident occurs.
What Does the Program Do? • It deters attacks by viruses and related threats, • detects them when they occur, • contains (controls/halts) the attack, so as to limit damage, and • recovers in a reasonable amount of time without any loss of data, or with minimal data loss.
Program Focuses • In a virus prevention program, attention needs to be focused on the following areas: • security policies and procedures, • user education, • software management, • technical controls, • system monitoring, and • a contingency plan
What Should User Education Address? • How malicious software operates, • the methods by which it is planted and spread, and • the vulnerabilities exploited by malicious software and unauthorised users, • How to apply security policies and procedures, e.g., for backup, storage, and use of public-domain software and shareware, • How to use technical controls - e.g., anti-virus software, file access control, • How to monitor their systems and detect signs of abnormal activity, and • Contingency procedures to recover from virus incidents.
Software Management • To prevent users from potentially spreading malicious software, the program needs to: • ensure that users understand the nature of malicious software, how it is spread and what technical controls can be used to protect their systems, • have policies for downloading and using public-domain and shareware software, • have a mechanism for validating/checking such software before use, and • minimise the exchange of executable software within and between organisations.
Software Management • do not create software repositories on LAN servers, unless technical controls exist to prevent users from freely uploading or downloading software from them -- otherwise there is a very high risk of viruses spreading throughout the network, • purchase software only from reputable sources (vendors), • maintain software properly and update it as necessary, as well as apply any new security patches, • do not use pirated software, as it may have been modified to be a Trojan,
Software Management • ensure that software vendors can be quickly contacted if any software problem takes place, • store the original software distribution in a secure location for restoration -- in case the in-operation version has been infected by a virus, and • test any new/upgraded/company-developed software on an isolated system. The system should: • be configured so that there is no risk of a virus spreading to other parts of the organisation, • not be used by anyone except authorised users, • not be connected to the internal network, and • not contain any valuable data.
Technical Controls • Technical controls are used to protect the security and integrity of systems and associated data. • Technical controls can help deter occurrences of viruses, or make them more difficult to occur, e.g., • authentication mechanisms, e.g., the use of passwords on shared files and directories, • write-protection mechanisms on tapes and diskettes.
Technical Controls • Technical controls should be used to restrict system access to authorised users only, • Technical controls should be used to limit user privileges to the minimum practical level, • Users and managers must be educated as to what controls to use, as well as how and when to use them, • When not strong enough, they should be supplemented with alternative physical controls or other add-on controls.
Technical Controls with Data • Classify the categories of data, e.g., • highly sensitive, • sensitive, • medium, • low, and • public. • Use proper technical controls with the data categories. Sensitive data normally require more protection than the low-priority data.
System Monitoring • The reasons we need monitoring are: • Expensive damage: Viruses can cause expensive damage within a very small amount of time: minutes or seconds. • By proper monitoring on software/system/user activities, managers can detect early signs of viruses and other unauthorised activities. • Apply contingency procedures: Managers can then apply any proper contingency procedures to halt the malicious activity and recover from whatever damage has been caused. • Security improvement: Monitoring aids in being an indicator whether or not security policies, procedures, and controls currently in place are effective as planned.
System Monitoring: What to Do • user education - users must know what their computing environment is like, what constitutes normal and abnormal system activity, and whom to contact when malicious access occurs. • system access monitoring tools - tools to automate logging of any access to accounts, files, etc. • anti-virus tools - tools to alert users to malicious types of access.
System Monitoring: What to Do • system-integrity tools - tools to automatically check files for changes in size, date or content. • network monitoring tools - tools to record network access, or even attempts to access. • periodic review of monitoring statistics/logs - the statistics/logs will show where the current virus prevention program needs changes and will help fine-tune it to make it more effective.
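A minimal system-integrity tool of the kind the slide describes, written as an added example (not part of the original presentation): it fingerprints every file by the three attributes named above (size, date, content hash), stores that as a baseline, and later reports files that were modified, added or removed. The `demo()` function builds a constructed sample tree in a temporary directory; the read-only storage of the baseline is an assumption stated in a comment.

```python
"""System-integrity check: fingerprint a tree (size, date, content hash), then
report files that changed. Added example, not from the slides."""
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """The three attributes the slide names: size, modification date, content."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def build_baseline(root: str) -> dict:
    """Map every regular file under root (relative path) to its fingerprint."""
    root_path = Path(root)
    return {str(p.relative_to(root_path)): fingerprint(p)
            for p in sorted(root_path.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences against the stored baseline."""
    modified = sorted(n for n in baseline
                      if n in current and baseline[n] != current[n])
    return {"modified": modified,
            "added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current))}


def demo() -> dict:
    """Constructed sample: baseline two files, then tamper with the tree.
    'a.txt' keeps its size but changes content, which a size-only check misses."""
    root = tempfile.mkdtemp()
    Path(root, "a.txt").write_text("hello")
    Path(root, "b.txt").write_text("world")
    baseline = build_baseline(root)          # assumption: kept on read-only media
    Path(root, "a.txt").write_text("hellp")  # same size, different content
    Path(root, "c.txt").write_text("new")    # unexpected new file
    os.remove(Path(root, "b.txt"))
    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Because the hash is included, a change that preserves size and timestamp is still detected; a baseline kept on writable media could itself be altered, so it must be stored where the checked system cannot write.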
Contingency Plan: What to Do • The purpose is to halt and recover from any attack that has already occurred. • The most important planning involves the use of backups. The organisation should maintain regular, frequent backups of all important data, software, configuration files, command files, etc. • Software should be restored only from its original copies/distribution, so as to have no virus contamination.
Contingency Plan: What to Do • The restored configuration/command files should be inspected to ensure that they have not been damaged or modified, perhaps by unauthorised people or viruses. • Critical systems must be isolated from the entire network and from other potential sources of virus infection. • A group of skilled users must be formed to deal with virus incidents, and it must be ensured that they can be quickly contacted whenever any attack occurs. • Maintain and distribute the telephone numbers of security managers, staff involved, and management, to be contacted whenever any attack occurs.