Title: Computer Viruses and Related Threats : A Management Guide
1 Computer Viruses and Related Threats: A Management Guide

2 Structure of Presentation
- Computer viruses: what are they like?
- Why are virus incidents on the rise?
- Major malicious software
- Trojan horses, viruses, and network worms
- Weaknesses viruses exploit
- Virus prevention program

3 Computer Viruses: What Are They Like?
- A virus copies itself to other files (e.g., programs), infecting them.
- It executes the instructions that the author has included in it.
- Depending on the author's motives, the infected program can
  - immediately damage system software, data, and other resources, or
  - wait until a certain event has occurred, or a particular date and time has been reached, before launching any damage.

4 Related Threats
- Apart from viruses, other destructive programs include Trojan horses and network worms.
- These destructive programs are collectively called malicious software, malicious programs, or malware.
- Many times, they are written to masquerade as useful programs.

5 Why Are Virus Incidents on the Rise?
- Computer users (who can be intruders too) have become increasingly proficient and sophisticated.
- Software applications are increasingly complicated and ever larger, making their bugs and security holes more difficult to detect.
- Effective security mechanisms, e.g., security testing, are lacking.
- Some authors want to gain a (bad) reputation.

6 Major Malicious Software
- Malicious software
  - Trojan horses
  - Computer viruses
  - Network worms

7 Trojan Horses
- A program which appears to be a useful program but, when invoked, performs some unwanted functions.
- A Trojan horse author usually
  - gains access to the source code of a useful program which is attractive to others, and
  - adds wicked code so that the program performs some hidden actions.

8 Trojan Horse Calculator
- When a user invokes the program, it appears to be performing calculations.
- Meanwhile it may quietly perform something else, such as deleting the user's files or any other harmful action.

9 Trojan Horses with File Permission Modification
- A wicked user of a multi-user system wants to gain access to other users' files.
- The wicked user creates a Trojan horse program to circumvent the normal file permission mechanism.
- The program is named such that other users will think it is a useful utility.
- The Trojan horse author induces (social-engineers) other users to download it and perhaps put it in a common directory.
- When invoked, the Trojan program changes the user's file permissions to be readable by any user.
- The author can then access those files, such as work or personal information.

10 Trojan Horse Compilers
- The Trojan horse compiler inserts additional code into compiled programs as they are being compiled.
- The source code owner won't be able to see or detect this problem while reading the code, because it is the compiler that inserts the bad code, and only at compile time.
- The compiled program then contains a trap door/back door which allows the Trojan horse's author to get into the system.

11 How Trojans Are Introduced to Your System
- They are planted by an unauthorised user in public software repositories where many people have access, e.g., on PC file servers, FTP servers, Web servers, etc., and unsuspecting users copy and run them.
- Or they are planted by an authorised user, such as one who is assigned to maintain compilers and software tools.

12 Computer Viruses
13 Three Characteristics of Viruses
- A virus exhibits three characteristics:
  - a replication mechanism (copying itself to another file),
  - an activation mechanism (perhaps a time bomb or a logic bomb that activates the virus to do bad things), and
  - a malicious objective (planned by the virus's author).

14 Network Worms
- Worms use network connections to spread from system to system.
- Network worms attack other systems that are linked via communication lines.
- When active, worms can behave like viruses; that is, they have the ability to infect other connected systems.

15 How Worms Spread
- Worms use the following ways to spread:
  - an email program, from which a worm can mail a copy of itself to other users (systems);
  - a remote login capability, i.e., a worm can log into a remote system to copy itself from the current system to the remote system; and
  - a remote execution capability, i.e., a worm can execute itself on another remote system.

16 Replication Mechanism
- Search: find other remote systems to infect by examining host tables or similar repositories on the current system for remote system addresses.
- Make connection: establish a connection to the remote system, probably by logging in as a user, using an email program, or performing remote execution.
- Spread and run: copy itself to the remote system and cause the copy on the remote system to run.

17 Other Ways to Get into the Remote System
- Password cracking, by which the worm attempts to log into a remote system using user names or words from an on-line dictionary as passwords.
- A trap door (planted by someone) which allows the worm to send commands to the remote system's command interpreter; the commands are then executed on the remote system.
- Bugs in network-related programs which allow the worm to access the remote system's command interpreter.

18 Activation Mechanism and Objective
- Activation may use a time bomb or logic bomb to activate the worm to do bad things.
- Its objective depends on whatever the worm's author has designed:
  - delete files,
  - cause disruption to the infected system,
  - or even plant Trojan horses/viruses.

19 A Trojan Horse Worm
- This worm displayed a Christmas tree and a message of good cheer.
- When executed, the Trojan worm examined network address files for other connected PCs.
- The worm then mailed itself to those systems.
- Upon receiving this message, the user was invited (social-engineered) to run this Christmas tree worm.
- There was no destructive action from this worm, apart from disrupting communication and causing a loss of network bandwidth.

20 Virus-Related Threats
- Variants of Trojan horses, viruses, and worms continue to be endless, e.g.,
  - a rabbit, whose objective is to spread wildly within or among systems and disrupt network traffic;
  - a bacterium, whose objective is to replicate within a system and eat up processor time until computer throughput (performance in data processing) is extremely degraded.

21 Weaknesses Viruses Use
- Lack of user awareness, e.g., users copy and share infected software, or fail to detect signs of virus activity.
- Social engineering: users are fooled into trusting emails they receive.
- Absence/inadequacy of technical controls, e.g., lack of anti-virus software.
- Ineffective use of technical controls, e.g.,
  - use of easily guessed passwords,
  - failure to use appropriate access controls (shared files with no password),
  - granting users far more access to resources than necessary.
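Slide 17 describes worms that log in using user names or on-line dictionary words as passwords, and slide 21 lists easily guessed passwords as a weakness. The following password-acceptance check is an added example, not part of the guide; WORDLIST is a constructed stand-in for a real dictionary and the minimum length is an assumed policy value.

```python
"""Password-acceptance check (added example, not part of the guide). It rejects
the choices the guide warns about: the user name itself or a plain dictionary
word, including cosmetic variants. WORDLIST is a constructed stand-in."""
import re

WORDLIST = {"password", "welcome", "secret", "dragon", "letmein", "computer"}
MIN_LENGTH = 8                                  # assumed policy value
LEET = str.maketrans("0134@$", "oleaas")        # undo the usual digit/symbol swaps

def normalise(candidate):
    """Lower-case, drop non-letters at either end, then undo leet substitutions."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate.lower())
    return core.translate(LEET)

def is_acceptable(password, username):
    """Return (ok, reason); reason is empty when the password is accepted."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    core = normalise(password)
    if not core:
        return False, "contains no letters"
    user = username.lower()
    if core in (user, user[::-1]):              # name, or name spelled backwards
        return False, "derived from the user name"
    if core in WORDLIST:
        return False, "dictionary word"
    return True, ""
```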
22 Weaknesses Viruses Use
- Software bugs, which allow viruses to spread and break into other systems.
- Unauthorised use, which allows unauthorised users to use your system. Unauthorised users can be
  - a wicked person who wants to attack your system by spreading viruses, or
  - good/authorised users who do things unwittingly, e.g., copy infected files into your system.
- Susceptibility to network misuse: a network allows anonymous access (e.g., via FTP) for intruders to upload viruses to the system.

23 Effective Virus Prevention Program
- Because of the weaknesses above, one needs an effective virus prevention program, which must address
  - restricting system access to authorised users only,
  - ensuring that software and hardware are regularly monitored and maintained,
  - backing up regularly, and
  - having a contingency plan for when any virus incident occurs.

24 What Does the Program Do?
- Deter attacks by viruses and related threats,
- detect when they occur,
- contain (control/halt) the attack, so as to limit damage, and
- recover in a reasonable amount of time without loss of any data, or with minimum data loss.

25 Program Focuses
- In a virus prevention program, attention needs to be focused on the following areas:
  - security policies and procedures,
  - user education,
  - software management,
  - technical controls,
  - system monitoring, and
  - a contingency plan.

26 What Should User Education Address?
- How malicious software operates,
- the methods by which it is planted and spread, and
- the vulnerabilities exploited by malicious software and unauthorised users;
- how to apply security policies and procedures, e.g., for backup, storage, and use of public-domain software and shareware;
- how to use technical controls, e.g., anti-virus software and file access control;
- how to monitor their systems and detect signs of abnormal activity; and
- contingency procedures to recover from virus incidents.

27 Software Management
- To prevent users from potentially spreading malicious software, the program needs to
  - ensure that users understand the nature of malicious software, how it is spread, and which technical controls can be used to protect their systems,
  - have policies for downloading and use of public-domain and shareware software,
  - have a mechanism for validating/checking such software before use, and
  - minimise the exchange of executable software within and between organisations.

28 Software Management
- Do not create software repositories on LAN servers unless technical controls exist to prevent users from freely uploading or downloading software from them; otherwise there is a very high risk of viruses spreading throughout the network.
- Purchase software only from reputable sources (vendors).
- Maintain software properly and update it as necessary, as well as applying any new security patches.
- Do not use pirated software, as it may have been modified to be a Trojan.

29 Software Management
- Ensure that software vendors can be quickly contacted if any software problem takes place.
- Store the original software distribution in a secure location for restoration, in case the in-operation version has been infected by a virus.
- Test any new, upgraded, or company-developed software in an isolated system. The system should
  - be configured so that there is no risk of a virus spreading to other parts of the organisation,
  - not be used by users other than authorised users,
  - not be connected to the internal network, and
  - not contain any valuable data.

30 Technical Controls
- Technical controls are used to protect the security and integrity of systems and associated data.
- Technical controls can help deter occurrences of viruses, or make them more difficult to occur, e.g.,
  - authentication mechanisms, e.g., the use of passwords on shared files and directories;
  - write-protection mechanisms on tapes and diskettes.

31 Technical Controls
- Technical controls should be used to restrict system access to authorised users only.
- Technical controls should be used to limit user privileges to the minimum practical level.
- Users and managers must be educated as to what controls to use, as well as how and when to use them.
- When technical controls are not strong enough, they should be supplemented with alternative physical controls or other add-on controls.

32 Technical Controls with Data
- Classify the categories of data, e.g.,
  - highly sensitive,
  - sensitive,
  - medium,
  - low, and
  - public.
- Use proper technical controls for each data category. Sensitive data normally require more protection than low-priority data.

33 System Monitoring
- The reasons we need monitoring are:
  - Expensive damage: viruses can cause expensive damage within a very small amount of time, minutes or seconds.
  - By proper monitoring of software/system/user activities, managers can detect early signs of viruses and other unauthorised activities.
  - Applying contingency procedures: managers can then apply the proper contingency procedures to halt the malicious activity and recover from whatever damage has been caused.
  - Security improvement: monitoring is an indicator of whether or not the security policies, procedures, and controls currently in place are as effective as planned.

34 System Monitoring: What to Do
- User education: users must know what their computing environment is like, what constitutes normal and abnormal system activity, and whom to contact when malicious access occurs.
- System access monitoring tools: tools to automate logging of any access to accounts, files, etc.
- Anti-virus tools: tools to alert users to malicious types of access.

35 System Monitoring: What to Do
- System-integrity tools: tools to automatically check files for changes in size, date, or content.
- Network monitoring tools: tools to record network access, or even attempts to access.
- Periodic review of monitoring statistics/logs: the statistics/logs will determine the need for changes in the current virus prevention program and will help to fine-tune it to make it more effective.
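A minimal system-integrity tool of the kind slide 35 calls for, as an added example that is not part of the guide: it baselines each file's size, date, permission mode and SHA-256 and reports what changed. Permission changes get their own category because the permission-changing Trojan horse of slide 9 alters neither size nor content; the category names and the chunk size are this example's own choices.

```python
"""File-integrity checker (added example, not part of the guide): baseline
size, date, permission mode and SHA-256 per file, then report differences."""
import hashlib
import stat
from pathlib import Path

def sha256_of(path):
    """Hash contents in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root (relative path) to its attributes."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            st = path.stat()
            baseline[str(path.relative_to(root))] = {
                "size": st.st_size, "mtime": int(st.st_mtime),
                "mode": stat.S_IMODE(st.st_mode), "sha256": sha256_of(path)}
    return baseline

def compare(old, new):
    """Return change categories, each a sorted list of relative paths.
    Permission changes are reported on their own: a Trojan that makes a file
    readable by any user changes neither its size nor its content."""
    report = {"added": [], "removed": [], "modified": [], "touched": [], "permissions": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report["added"].append(name)
        elif name not in new:
            report["removed"].append(name)
        else:
            o, n = old[name], new[name]
            if o["sha256"] != n["sha256"] or o["size"] != n["size"]:
                report["modified"].append(name)     # content changed
            elif o["mtime"] != n["mtime"]:
                report["touched"].append(name)      # date changed, content the same
            if o["mode"] != n["mode"]:
                report["permissions"].append(name)  # e.g. now readable by any user
    return report

if __name__ == "__main__":
    import json, sys   # usage: python integrity.py DIR > baseline.json; compare later
    print(json.dumps(build_baseline(sys.argv[1] if len(sys.argv) > 1 else "."), indent=1))
```

Run it once to save a baseline on a clean system, keep that baseline on write-protected media, and diff a fresh baseline against it during periodic review.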
36 Contingency Plan: What to Do
- The purpose is to halt and recover from any attack that has already occurred.
- The most important planning involves the use of backups. The organisation should maintain regular, frequent backups of all important data, software, configuration files, command files, etc.
- Software should be restored only from its original copies/distribution so as to have no virus contamination.

37 Contingency Plan: What to Do
- The restored configuration/command files should be inspected to ensure that they have not been damaged or modified, perhaps by unauthorised people or viruses.
- Critical systems must be isolated from the entire network and other potential sources of virus infection.
- A group of skilled users must be formed to deal with virus incidents, and it must be ensured that they can be quickly contacted whenever any attack occurs.
- Maintain and distribute telephone numbers of security managers, staff involved, and management to contact whenever any attack occurs.