html5-img
1 / 23

Security Threats Worms and Viruses

The Networking and Communications Group. Security Threats Worms and Viruses. Cyril Onwubiko Networking and Communications Group http://ncg.kingston.ac.uk. Overview. Networking and Communications Group. Background Theory Detection Mechanisms Countermeasures Q/A.

marci
Download Presentation

Security Threats Worms and Viruses

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Networking and Communications Group Security Threats Worms and Viruses • Cyril Onwubiko • Networking and Communications Group • http://ncg.kingston.ac.uk

  2. Overview Networking and Communications Group • Background • Theory • Detection Mechanisms • Countermeasures • Q/A

  3. Networking and Communications Group Background

  4. Security Threats Networking and Communications Group Exploit Vulnerabilities in:: • Computer Systems • Network Systems • Information & Content Asset Causes:: • Disruption of Service • Degradation of Service • Denial of Service • Manipulation/Theft of Information Effect

  5. Worms/Viruses Networking and Communications Group • Worms • Malicious software with the capability of self-replication • May not require another software to be activated • Propagates through networks • Viruses • Malicious software that attaches itself to other software • Requires another software to be activated • Replicates within Computer systems, not necessarily networks

  6. 1 Type of Worms/Viruses Networking and Communications Group • Time Bomb: A type of worm that remains dormant in the host until a certain time is reached. Example: <if time Eq 22/03/2006 then start> • Logic Bomb: A type of worm that remains dormant in a host until a certain condition, or an event occurs (logic), and then deletes files, slows down or crashes the host system etc. Example: < if license_expires then start> • Trojan Horse: A type of worm (malicious logic) performing, or able to perform, an illegitimate action while giving the impression of being legitimate; the illegitimate action can be disclosure or modification of information. Example: Internet pop-ups: <Your system is running very slow, Do you want to Speed Up?> [Click]

  7. 2 Type of Worms/Viruses Networking and Communications Group • Rabbit: A type of worm when activated replicates itself until a point of system exhaustion: Example: Consumes CPU and network resources • Bacterium: A type of virus that attaches itself on the OS (rather than application). It causes and consumes system’s resources to the point of exhaustion. Similar to ‘Rabbit’ • Aggressive Worms: A type of worm that spreads across the network faster than normal worms. They are continuously activated!

  8. Networking and Communications Group Theory

  9. Worm/Virus Security Threats Countermeasures General Concept Networking and Communications Group Worms and Viruses are subsets of security threats. To appropriately mitigate against them, we need effective countermeasures!

  10. Susceptible Infected Susceptible Infected Recovered Susceptible Infected Removed quarantine Recovered Worm Models Networking and Communications Group SI Model SIR Model No countermeasures applied A single set of countermeasure SIRQR Model A couple of countermeasures Recovered: infected systems that have been treated Removed: susceptible systems that are disconnected and patched

  11. Classification of Worms Networking and Communications Group Worms Viruses • Innocuous, Humorous, Deceptive, Data Altering, & Catastrophic • Innocuous, Humorous, Data Altering & Catastrophic Behaviour • Operational, external, human-made, software, malicious, deliberate and permanent • Operational, external, human-made, software, malicious, deliberate and permanent Design • Emphasis on Computer • Up to date DAT patches required • Emphasis on Network • Early warning/detection possible Medium

  12. Phases of Worm Propagation Networking and Communications Group Early stage Penetration Stage • Worm activated • Hits the ‘hitlist’ – a list of systems with target vulnerability: E.g.: Win32.Blaster exploits flaw in MS RPC • Propagation rate is gradual and linear • Dormant and inactive • Waits for a condition, or time to start: E.g.: Code Red II, Slammer Worms Perpetuation Stage Exhaustion Stage • External systems targeted (outside the ‘hitlist’) • Propagation rate is quadratic or near exponential • Combined efforts from compromised systems • Hard to stop at this stage • Near termination/completion • Countermeasures known and patches released • Program termination time very close

  13. Symptomatic Effect (Behaviour) Networking and Communications Group • High CPU • System may crash intermittently • Increased/Abnormal traffic on egress routers/interfaces • Abnormal system behaviour (slows down, performance issues, freezes and hangs often) • Increased/Abnormal protocol usage  high peer_contact sent/received traffic • System halt and may not start • Missing or corrupt/destroy files/ System register may be affected/altered

  14. Networking and Communications Group Detection

  15. Proactive Monitoring Networking and Communications Group • Early Detection Mechanisms • Ingress ACL • Rate Limiting at gateway devices • Security Information Management Systems • Automated Filtering • Filtering of known security ports and protocols. Example: Ingress traffic using port UDP 137, TCP 135,139 445 etc

  16. Early Warning Systems Networking and Communications Group Proactive-Based Systems Early warning System • Traffic analysis and • Probabilistic analysis • Pattern analysis and speculative evidences

  17. Networking and Communications Group Countermeasures

  18. 1 Remediation Services Networking and Communications Group Basic Techniques: • Stay up to date with latest software patches • Harden your operating systems (SP/personal FW etc) • Disable unused services • Consider filtering on ingress gateway devices • Consider disconnecting infected systems …

  19. 2 Enterprise Initiatives Networking and Communications Group Admission Control Mechanisms: • Microsoft NAP (Network Access Protection) • Cisco NAC (Network Admission Control) • Access Control Mechanisms.

  20. 3 Open Source Initiatives Networking and Communications Group Proactive Monitoring Technique: • OS-SIM (Open Source Security Information Management) • PADS (Passive Asset Detection Systems) • SNORT – Open Source IDS • BASE (Basic Analysis Security Engine (Alert Management)

  21. Conclusion Networking and Communications Group • Worms and Viruses are major security threats to information and network asset. • Worms (unlike viruses) can be detected early if adequate security mechanisms are in place. • Effects of worm/virus infection ranges from service disruption to system crash • Proactive monitoring and early warning systems are recommended detection mechanisms. • Remediation services, OS hardening, patching, ingress filtering and disconnecting of infected systems are recommended countermeasures!

  22. Resources/References Networking and Communications Group • Microsoft NAP:http://www.microsoft.com/windowsserver2003/technologies/networking/nap/beta.mspx • Cisco NAC:http://www.cisco.com/warp/public/cc/so/neso/sqso/csdni_wp.htm • Cisco CiscoWorks SIMS:http://www.cisco.com/en/US/products/sw/cscowork/ps5209/index.html • Additional Resource:http://www.research-series.com/cyril/resources.html • IETF: EAP (Extensible Authentication Protocol): https://datatracker.ietf.org/public/idindex.cgi?command=id_detail&id=8369 • Desktop FW/IDS. E.g. Blackice defender (ISS); ZoneAlarm etc • NCG: NCG Publications: http://ncg.kingston.ac.uk/research/publications/publications.htm

  23. Contact Details Networking and Communications Group Networking & Communications Group Kingston University http://ncg.kingston.ac.uk Email: k0327645@kingston.ac.uk or cyril@colt.net Tel: Not Applicable 

More Related