
Computer Viruses and Related Threats : A Management Guide


Sophia


Presentation Transcript


  1. Computer Viruses and Related Threats : A Management Guide

  2. Structure of Presentation • Computer Viruses: What are they like? • Why are Virus Incidents on the Rise? • Major Malicious Software • Trojan Horses, Viruses, and Network Worms. • Weaknesses Viruses Exploit. • Virus Prevention Program.

  3. Computer Viruses: What are they like? • A virus copies itself into other files (e.g., programs), infecting them. • When an infected file runs, the virus executes the instructions its author included in it. • Depending on the author's motives, the infected program can: • immediately damage system software, data and other files, or • wait until a particular event, date or time has occurred before doing any damage.

  4. Related Threats with Viruses • Apart from viruses, other destructive programs include: • Trojan horses and network worms. • These destructive programs are collectively called "malicious software" or "malware". • Many of them are written to masquerade as useful programs.

  5. Why are Virus Incidents on the Rise? • Computer users (who can be intruders too) have become increasingly proficient and sophisticated. • Software applications are increasingly complicated and larger, making their bugs and security holes harder to detect. • Lack of effective security mechanisms, e.g., security testing. • Authors want notoriety (a "bad" reputation).

  6. Major Malicious Software • Malicious software: • Trojan horses • Computer viruses • Network worms

  7. Trojan Horses • A program which appears to be a useful program. When invoked, it performs some unwanted function in addition to (or instead of) its advertised one. • A 'Trojan horse' author usually: • gains access to the source code of a useful program that is attractive to others, and • adds 'wicked' code so that the program performs some hidden actions.

  8. Trojan Horse Calculator • When a user invokes the program, it appears to be performing calculations. • then it may quietly perform something else, such as, delete the user’s files or perform any harmful actions.

  9. Trojan Horses with File Permission Modification • A wicked user of a multi-user system wants to gain access to other users' files. • He creates a Trojan horse program to circumvent the normal file permission mechanism. • He names the program such that other users will think it is a useful utility. • The 'Trojan horse' author induces (social-engineers) users to download it and perhaps put it in a common directory. • When invoked, the Trojan program changes the permissions of the victim's files so that they are readable by any user. • The author can then read those files, such as work or personal information.
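The defence a system administrator wants against the slide-9 Trojan is a routine check for files in users' home directories that have quietly become readable or writable by everyone. The following is an added example, not code from the guide: it builds a constructed sample home directory (the file names and modes are assumptions) in which one file has been made world-readable and one world-writable, then walks the tree and reports every regular file whose mode grants read or write to "other". It assumes a POSIX file system.

```python
import os
import stat
import tempfile


def build_sample_home():
    """Constructed sample tree (assumption, not real data): a user's home
    directory after a Trojan has loosened the permissions on two files."""
    home = tempfile.mkdtemp(prefix="home-")
    samples = {
        "private.txt": 0o600,       # owner only: as it should be
        "work/report.txt": 0o644,   # readable by any user on the system
        "tools/helper.sh": 0o666,   # readable and writable by any user
    }
    for rel, mode in samples.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample content\n")
        os.chmod(path, mode)        # set the mode explicitly, ignoring umask
    return home


def audit_permissions(root):
    """Return {relative_path: [problems]} for every regular file under root
    that grants read or write access to users outside the owner and group."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode   # lstat: do not follow symlinks
            if not stat.S_ISREG(mode):
                continue
            problems = []
            if mode & stat.S_IROTH:
                problems.append("world-readable")
            if mode & stat.S_IWOTH:
                problems.append("world-writable")
            if problems:
                findings[os.path.relpath(path, root)] = problems
    return findings


if __name__ == "__main__":
    home = build_sample_home()
    for rel, problems in sorted(audit_permissions(home).items()):
        print(f"{rel}: {', '.join(problems)}")
```

Run against a real home directory the report is the list of files the Trojan (or a careless user) has exposed; world-writable files are the more urgent finding because any user can then turn them into a further Trojan.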

  10. Trojan Horse Compilers • A Trojan horse compiler inserts additional code into programs as it compiles them. • The source code owner cannot see or detect the problem by reading his source, because the bad code is only inserted during compilation. • The compiled program then contains a 'trap door/back door' which allows the Trojan horse's author to get into the system, even though the source code is clean. • Caveat: if the inserted code also reproduces itself whenever the compiler is rebuilt, the compiler's own source can be clean too; only a compiler binary from a trusted source, or a comparison of outputs from independent compilers, will reveal it.

  11. How Trojans are Introduced to Your System • They are planted by an unauthorised user in public software repositories that many people can access, e.g., on PC file servers, FTP servers, Web servers, etc. • Unsuspecting users then copy and run them. • Or they are planted by an authorised user, such as one who is assigned to maintain compilers and software tools.

  12. Computer Viruses • A virus is a type of computer program designed to spread itself from one file to other files. • A virus generally cannot spread from one machine to another by itself; usually a user acts as the carrier that moves it from one machine to another, for example by: • sending e-mail with an infected document or file attached, • copying an infected file onto a file server, • exchanging files on diskettes. • When another user receives and uses the file or disk, the virus spreads within that machine, and the cycle continues.

  13. 3 Characteristics of Viruses • A virus exhibits 3 characteristics: • A replication mechanism (copy to another file) • An activation mechanism (perhaps use a time bomb or a logic bomb to activate a virus to do bad things) • A malicious objective (planned by the virus’s author)

  14. Network Worms • Use network connections to spread from system to system. • Network worms attack other systems that are linked via communication lines. • When active, worms can behave like viruses; that is, they have the ability to infect other connected systems.

  15. How Worms Spread • Use the following ways to spread: • An email program from which a worm can mail a copy of itself to other users (systems). • A remote login capability, i.e., a worm can log into a remote system to copy itself from the current system to the remote system. • A remote execution capability, i.e., a worm can execute itself on another remote system.

  16. Replication Mechanism • Search for other remote systems: to infect by examining from the current system, host tables or similar repositories for remote system addresses. • Make connection: establishes a connection to the remote system, probably by logging in as a user, using an email program or performing remote execution. • Spread and run: copies itself to the remote system and causes the copy in the remote system to run.

  17. Other Ways to Get into the Remote System • Password guessing, by which the worm attempts to log into a remote system using user names, or words from an on-line dictionary, as passwords. • A trap door (planted by someone) which allows the worm to send commands to the remote system's command interpreter; the commands are then executed on the remote system. • Bugs in network-related programs which allow the worm to reach the remote system's command interpreter.
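The first method on this slide, trying user names and dictionary words as passwords, leaves a recognisable trace: a burst of failed logins from one source against several accounts, possibly followed by a success. The following is an added example, not part of the guide: it parses a few constructed sshd-style log lines (the hosts, addresses and format are assumptions; a real system's log format may differ) and reports every source address whose failures reach a threshold, together with any account that later logged in successfully from the same source.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumption, not captured from a real system).
# 198.51.100.7 tries several accounts in quick succession and then gets in as
# "bob"; 203.0.113.9 is a user who mistyped a password once.
SAMPLE_LOG = """\
Mar  3 10:01:02 host1 sshd[101]: Failed password for root from 198.51.100.7 port 4001 ssh2
Mar  3 10:01:03 host1 sshd[102]: Failed password for invalid user admin from 198.51.100.7 port 4002 ssh2
Mar  3 10:01:04 host1 sshd[103]: Failed password for invalid user guest from 198.51.100.7 port 4003 ssh2
Mar  3 10:01:05 host1 sshd[104]: Failed password for alice from 198.51.100.7 port 4004 ssh2
Mar  3 10:01:06 host1 sshd[105]: Failed password for bob from 198.51.100.7 port 4005 ssh2
Mar  3 10:01:07 host1 sshd[106]: Accepted password for bob from 198.51.100.7 port 4006 ssh2
Mar  3 10:05:00 host1 sshd[107]: Failed password for carol from 203.0.113.9 port 5001 ssh2
Mar  3 10:05:10 host1 sshd[108]: Accepted password for carol from 203.0.113.9 port 5002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(lines):
    """Yield one dict per login event; lines that do not match are ignored."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_guessing(lines, threshold=4):
    """Return {source_ip: summary} for sources with at least `threshold`
    failed logins. A success from the same source after the failures is
    recorded separately, since it marks a probably compromised account."""
    failures = defaultdict(list)        # src -> user names tried, in order
    success_after = defaultdict(list)   # src -> accounts that later succeeded
    for ev in parse(lines):
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src].append(ev["user"])
        elif failures[src]:             # success only counts after failures
            success_after[src].append(ev["user"])
    report = {}
    for src, users in failures.items():
        if len(users) >= threshold:
            report[src] = {
                "failures": len(users),
                "distinct_users": sorted(set(users)),
                "later_success": success_after.get(src, []),
            }
    return report


if __name__ == "__main__":
    for src, info in find_guessing(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

The threshold is deliberately low for the sample; on a real system it should be tuned against the normal rate of mistyped passwords, and the "later_success" list is the item to act on first.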

  18. Activation Mechanism and Objective • Activation may use a time bomb or logic bomb to activate itself to do bad things. • Its objective depends on whatever the worm’s author has designed: • delete files, • cause disruption to the infected system, • or even plant Trojan horses/viruses.

  19. A Trojan Horse Worm • This worm displayed a Christmas tree and a message of good cheer. • When executed, the Trojan worm examined network address files for other connected systems. • The worm then mailed itself to those systems. • Upon receiving the message, the user was invited (social-engineered) to run the Christmas tree program. • The worm took no destructive action, apart from disrupting communication and consuming network bandwidth.

  20. Virus-Related Threats • Variants from Trojan horses, viruses, worms continue to be endless, e.g.,: • A rabbit whose objective is to spread wildly within or among other systems and disrupt network traffic. • A bacterium whose objective is to replicate within a system and eat up processor time until computer throughput (performance in data processing) is extremely degraded.

  21. Weaknesses Viruses Use • Lack of user awareness - e.g., users copy and share infected software, fail to detect signs of virus activity. • Social-engineering – users are fooled into trusting emails received. • Absence/inadequacy of technical controls - e.g., lack of anti-virus software. • Ineffective use of technical controls - e.g., • use easily guessed passwords, • fail to use appropriate access controls (shared files with no password), • grant users far more access to resources than necessary.

  22. Weaknesses Viruses Use • Software bugs - allow viruses to spread and break into other systems. • Unauthorised use - allows unauthorised users to use your system. • Unauthorised users can be a wicked person who wants to attack your system by spreading viruses, or • good/authorised users who do things unwittingly, e.g., copy infected files onto your system. • Susceptibility to network misuse - a network allows anonymous access (e.g. via FTP), so intruders can upload viruses to the system.

  23. Effective Virus Prevention Program • Due to the weaknesses above, one needs an effective virus prevention program which must address: • restricting system access only to authorised users, • ensuring that software and hardware are regularly monitored and maintained, • backing up regularly, and • having a contingency plan when any virus incident occurs.

  24. What Does the Program Do? • to deter attacks by viruses and related threats, • to detect when they occur, • to contain (control/halt) the attack. This is to limit damage, and • to recover in a reasonable amount of time without loss of any data or with a minimum data loss.

  25. Program Focuses • In a virus prevention program, attention needs to be focused on the following areas: • security policies and procedures, • user education, • software management, • technical controls, • system monitoring, and • a contingency plan

  26. What Should User Education Address? • How malicious software operates, • methods by which it is planted and spread, and • the vulnerabilities exploited by malicious software and unauthorised users, • How to apply security policies and procedures, e.g., for backup, storage, and use of public-domain software and shareware, • How to use technical controls - e.g., anti-virus software, file access control, • How to monitor their systems and detect signs of abnormal activity, and • Contingency procedures to recover from virus incidents.

  27. Software Management • To prevent users from potentially spreading malicious software, the program needs to: • ensure that users understand the nature of malicious software, how it is spread and what are the technical controls that can be used to protect their system, • have policies for downloading and use of public-domain and shareware software, • have a mechanism for validating/checking such software before use, and • minimise the exchange of executable software within/between the organisation.

  28. Software Management • do not create software repositories on LAN servers, unless technical controls exist to prevent users from freely uploading or downloading software from them -- a repository without such controls is a very high risk for viruses to spread throughout the network, • purchase software only from reputable sources (vendors), • maintain software properly and update it as necessary, as well as apply any new security patches, • do not use pirated software, as it may have been modified to be a Trojan,

  29. Software Management • ensure that software vendors can be quickly contacted if any software problem takes place, • store the original software distribution in a secure location for restoration -- in case the operational copy has been infected by a virus, and • test any new/upgraded/company-developed software on an isolated system. The system should: • be configured so that there is no risk of a virus spreading to other parts of the organisation, • not be used by anyone except authorised users, • not be connected to the internal network, and • not contain any valuable data.

  30. Technical Controls • Technical controls are used to protect the security and integrity of systems and associated data. • Technical controls can help deter occurrences of viruses, or make them more difficult to occur, e.g., • authentication mechanisms, e.g., the use of passwords on shared files and directories, • write-protection mechanisms on tapes and diskettes.

  31. Technical Controls • Technical controls should be used to restrict system access to authorised users only, • Technical controls should be used to limit user privileges to the minimum practical level, • Users and managers must be educated as to what controls to use, as well as how and when to use them, • When not strong enough, they should be supplemented with alternative physical controls or other add-on controls.

  32. Technical Controls with Data • Classify the categories of data, e.g., • highly sensitive, • sensitive, • medium, • low, and • public. • Use proper technical controls with the data categories. Sensitive data normally require more protection than the low-priority data.

  33. System Monitoring • The reasons we need monitoring are: • Expensive damage: Viruses can cause expensive damage within a very small amount of time: minutes or seconds. • By proper monitoring on software/system/user activities, managers can detect early signs of viruses and other unauthorised activities. • Apply contingency procedures: Managers can then apply any proper contingency procedures to halt the malicious activity and recover from whatever damage has been caused. • Security improvement: Monitoring aids in being an indicator whether or not security policies, procedures, and controls currently in place are effective as planned.

  34. System Monitoring: What to Do • user education - users must know what their computing environment is like, what constitutes normal and abnormal system activities, and whom to contact when malicious access occurs. • system access monitoring tools - tools to automate logging of any access to accounts, files and etc. • anti-virus tools - tools to alert users of malicious types of access.

  35. System Monitoring: What to Do • system-integrity tools - tools that automatically check files for changes in size, date or content. • network monitoring tools - tools that record network access, and even attempted access. • periodic review of monitoring statistics/logs - the statistics/logs show where the current virus prevention program needs changing and help to fine-tune it to make it more effective.
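A system-integrity tool of the kind the slide describes records a baseline of size, date and a content hash for every file, and later reports which files were added, removed or changed, and in which of those three respects. The following is an added example, not code from the guide: it takes a baseline of a constructed sample directory (the file names and contents are assumptions), simulates an infection that appends code to a program, replaces a configuration file with one of the same length and restored timestamp, drops a new file and deletes another, and then compares. The configuration file shows why a content hash is needed: its size and date are unchanged, so only the hash reveals the modification.

```python
import hashlib
import json
import os
import tempfile


def fingerprint(path):
    """Size, modification time (whole seconds) and SHA-256 of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def snapshot(root):
    """Map relative path -> fingerprint for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                out[os.path.relpath(path, root)] = fingerprint(path)
    return out


def compare(baseline, current):
    """Report files added, removed, and changed (with the fields that differ)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        before, after = baseline[rel], current[rel]
        fields = [k for k in ("size", "mtime", "sha256") if before[k] != after[k]]
        if fields:
            changed[rel] = fields
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Build the constructed sample tree, take a baseline, simulate an
    infection and return the comparison report."""
    root = tempfile.mkdtemp(prefix="monitored-")
    files = {
        "bin/calc": b"\x7fELF original calculator program\n",
        "etc/login.cfg": b"timeout=30\n",
        "doc/readme": b"hello\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    # Baseline is stored outside the monitored tree, as a real tool would
    # (ideally on read-only media), and read back before comparing.
    store = os.path.join(tempfile.mkdtemp(prefix="baseline-"), "baseline.json")
    with open(store, "w") as fh:
        json.dump(snapshot(root), fh)

    # Simulated infection (assumption for the example, not real malware):
    calc = os.path.join(root, "bin/calc")
    with open(calc, "ab") as fh:                 # virus appends itself
        fh.write(b"<appended viral code>\n")
    cfg = os.path.join(root, "etc/login.cfg")
    st = os.stat(cfg)
    with open(cfg, "wb") as fh:                  # same length, content altered
        fh.write(b"timeout=99\n")
    os.utime(cfg, (st.st_atime, st.st_mtime))    # timestamp restored to hide it
    os.makedirs(os.path.join(root, "tmp"))
    with open(os.path.join(root, "tmp/dropper"), "wb") as fh:  # new file
        fh.write(b"payload\n")
    os.remove(os.path.join(root, "doc/readme"))  # file deleted

    with open(store) as fh:
        baseline = json.load(fh)
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline must be taken on a known-clean system and kept where the malware cannot rewrite it; a baseline that lives on the monitored disk can be regenerated by the same code that modified the files.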

  36. Contingency Plan: What to Do • The purpose is to halt, and recover from, any attack that has already occurred. • The most important planning involves the use of backups. The organisation should maintain regular, frequent backups of all important data, software, configuration files, command files, etc. • Software should be restored only from its original copies/distribution so that there is no virus contamination.

  37. Contingency Plan: What to Do • The restored configuration/command files should be inspected to ensure that they have not been damaged or modified, perhaps by unauthorised people or viruses. • Critical systems must be isolated from the rest of the network and other potential sources of virus infection. • A group of skilled users must be formed to deal with virus incidents, and it must be ensured that they can be quickly contacted whenever any attack occurs. • Maintain and distribute the telephone numbers of security managers, staff involved, and management to contact whenever any attack occurs.
