1 / 22

Malicious code Incidents

Malicious code Incidents. Definition : Malicious code refers to a program that is covertly inserted into another program with the intent to Malicious activities. Malicious code Incidents. Malicious Activities Include : Destroy data . Run destructive or intrusive programs.

talib
Télécharger la présentation

Malicious code Incidents

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Malicious code Incidents

  2. Definition : Malicious code refers to a program that is covertly inserted into another program with the intent to Malicious activities. Malicious code Incidents

  3. Malicious Activities Include : • Destroy data . • Run destructive or intrusive programs. • Compromise the security or the confidentiality, integrity, and availability of the victim’s data, applications, or operating system. Malicious code Incidents

  4. Types Of Threats : 1)Viruses • Compiled Viruses • Interpreted viruses 2)Worms • Network Service Worms • Mass mailing Worms 3)Trojan Horses Malicious code Incidents

  5. Types Of Threats : 4)Malicious Mobile Codes • Mostly Java, ActiveX, JavaScript, and VBScript codes. 5)Blended Attacks • Combination of 1 to 4 6) Attack Tools • Backdoors • Rootkits • Key Loggers • … Malicious code Incidents

  6. Types Of Threats : 7) Tracking Cookies 8) Non-malware threats • Hoax • Phishing Malicious code Incidents

  7. Step 1 :Preparation • Preparation • Awareness • Deployment • Resources Malicious code Incidents • Prevention • Education • Configuration • Control

  8. Step2: Detection and Analysis • Fast spread of incident so: Rapid Detection is Necessary • Precursors often appear immediately before an incident So: Group must not wait for indications • Most of indications could have causes other than malware Malicious code Incidents

  9. Step2: Detection and Analysis Precursors and Reactions: • An alert warns of new malicious code. • Research and Block Ways of Entrance • Antivirus software detects and successfully disinfects or quarantines a newly received infected file • Find Reason And Mitigate Vulnerability Malicious code Incidents

  10. Step2: Detection and Analysis Special Indications of Each Malicious Code • Virus • Changes to templates for word processing documents, spreadsheets, etc. • Deleted, corrupted, or inaccessible files • Unusual items on the screen, such as odd messages and graphics Malicious code Incidents

  11. Step2: Detection and Analysis Special Indications For Each malicious Code • Worm: • Port scans and failed connection attempts targeted at the vulnerable service • Increased network usage • Trojan: • Network connections between the host and unknown remote systems • Unusual and unexpected ports open Malicious code Incidents

  12. Step2: Detection and Analysis Special Indications For Each malicious Code • Malicious Mobile Code • To spread Virus, worm,… • Unexpected dialog boxes, requesting permission to do s.th • Unusual graphics, such as overlapping message boxes • To exploit vulnerabilities • Network connections between the host and unknown remote systems • Receiving Hoax Reports • No links to outside sources Malicious code Incidents

  13. Step3: 1)Containment Strategies • All incident Prevention Activities must be done in order to stop spread of virus • Other Activities : • Notification • Isolation • Change Access rules • Identification of infected hosts is not easy Malicious code Incidents

  14. Step3: 2)Eradication And Recovery • Some Infected files can not be cleaned • System Restore may be needed • Securing system is the last step Malicious code Incidents

  15. Multiple Component Incidents

  16. Definition : A Multiple Componentincident is a single incident that encompasses two or more incidents. Multiple Component Incidents

  17. Multiple Component Incidents Example:

  18. Step 1&2 : Preparation, Detection, Analysis • Conduct exercises reviews scenarios involving multiple component incidents. • Efficient incident analysis: • centralized logging • correlation software. Multiple Component Incidents

  19. Step3: Containment, Eradication, Recovery Approach : • Contain the initial incident and then search for signs of other components • Gauss if incident have other components • Unauthorized access incidents are more likely to have multiple components Multiple Component Incidents

  20. Step3: Containment, Eradication, Recovery Prioritization: • Components must be separately prioritize • Response the most urgent one • Another factor: How current each component is • It may be possible to contain the whole incident by containing just one component Multiple Component Incidents

  21. Computer Security Incident Handling Guide National Institute of Standard and Technology (NIST) U.S • A Step-By-Step Approach on How To Set Up a CSIRT European Network and Information Security Agency (ENISA) • Expectations for Computer Security Incident Response RFC3250 • Handbook for Computer Security Incident Response Teams Carnegie Mellon University , 2nd Edition: April 2003 • Defining Incident Management Processes for CSIRTs: A Work in Progress Chris Alberts, Audrey Dorofee, Georgia Killcrece, Robin Ruefle, Mark Zajicek, October 2004 References

  22. Thanks For Your Attention

More Related