Computer Viruses and Related Threats : A Management Guide - PowerPoint PPT Presentation

Slides: 38
Provided by: suneepongp

Transcript and Presenter's Notes

1
  • Computer Viruses and Related Threats: A
    Management Guide

2
Structure of Presentation
  • Computer Viruses: What are they like?
  • Why are Virus Incidents on the Rise?
  • Major Malicious Software
  • Trojan Horses, Viruses, and Network Worms.
  • Weaknesses Viruses Exploit.
  • Virus Prevention Program.

3
Computer Viruses: What are they like?
  • It copies itself to other files (e.g., programs)
    - infecting them.
  • It executes the instructions that the author has
    included in it.
  • Depending on the author's motives, the infected
    program can
  • immediately damage system software, data, and
    other resources, or
  • wait until a certain event has occurred, or a
    particular date and time has arrived, before
    launching any damage.

4
Related Threats with Viruses
  • Apart from viruses, other destructive programs
    include
  • Trojan horses and network worms.
  • These destructive programs are collectively
    called malicious software (malicious programs,
    or malware).
  • Many times, they are written to masquerade as
    useful programs.

5
Why are Virus Incidents on the Rise?
  • Computer users (who can be intruders too) have
    become increasingly proficient and sophisticated.
  • Software applications are increasingly
    complicated and ever larger, making their bugs
    and security holes more difficult to detect.
  • Lack of effective security mechanisms, e.g.,
    security testing.
  • Intruders want to gain a (bad) reputation.

6
Major Malicious Software
  • Malicious software
  • Trojan horses
  • Computer viruses
  • Network worms

7
Trojan Horses
  • A program which appears to be a useful program.
    When invoked, it performs some unwanted
    functions.
  • A Trojan horse author usually
  • gains access to the source code of a useful
    program which is usually attractive to others
    and,
  • adds wicked code so that the program performs
    some hidden actions.

8
Trojan Horse Calculator
  • When a user invokes the program, it appears to be
    performing calculations.
  • Then it may quietly perform something else, such
    as deleting the user's files or performing other
    harmful actions.

9
Trojan Horses with File Permission Modification
  • A wicked user of a multi-user system who wants to
    gain access to other users' files can:
  • Create a Trojan horse program to circumvent the
    normal file permission mechanism.
  • Name the program such that other users will think
    the program is a useful utility.
  • The Trojan horse author induces
    (social-engineers) users to download it and
    perhaps put it in a common directory.
  • When invoked, the Trojan program changes the
    user's file permissions to be readable by any
    user.
  • The author can then read those files, which may
    contain work or personal information.
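The permission change described on this slide leaves a visible trace: files in a home directory whose mode grants read or write access to every user on the system. The following script, added here as an example and not part of the original presentation, audits a directory tree for such files so that an administrator or a user can spot the change before the files are read. The sample home directory it builds is constructed for the example, and the function and path names are my own.

```python
import os
import stat
import tempfile
from pathlib import Path


def world_access_bits(path):
    """Return the set of 'other' (any user) access bits set on path: 'r', 'w'."""
    mode = path.stat().st_mode
    found = set()
    if mode & stat.S_IROTH:
        found.add("r")
    if mode & stat.S_IWOTH:
        found.add("w")
    return found


def audit_tree(root):
    """Walk root and return {relative_path: bits} for every regular file that
    any user on the system could read or write. Symlinks are skipped so a
    link planted inside the tree cannot make the audit report a file elsewhere."""
    root = Path(root)
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            bits = world_access_bits(p)
            if bits:
                findings[p.relative_to(root).as_posix()] = "".join(sorted(bits))
    return findings


def build_sample_home():
    """Constructed sample: a home directory in which one file has silently
    been made readable by every user, as the slide's Trojan would do."""
    home = Path(tempfile.mkdtemp(prefix="audit_"))
    (home / "notes.txt").write_text("private notes\n")
    (home / "report.doc").write_text("quarterly report\n")
    (home / "notes.txt").chmod(0o600)   # owner only: expected state
    (home / "report.doc").chmod(0o644)  # world-readable: the finding
    return home


def demo():
    """Build the sample home and audit it; returns {'report.doc': 'r'}."""
    return audit_tree(build_sample_home())


if __name__ == "__main__":
    for rel, bits in demo().items():
        print(f"{rel}: accessible to any user (world-{bits})")
```

Run against a real home directory (`audit_tree("/home/alice")`, a hypothetical path), the output is the list of files whose permissions no longer match what the owner intended; pairing it with a restrictive default umask stops new files from being created world-readable in the first place.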

10
Trojan Horse Compilers
  • The Trojan horse compiler inserts additional code
    into compiled programs as they are being
    compiled.
  • The source code owner won't be able to see or
    detect this problem while reading the code,
    because it is the compiler that inserts the bad
    code, and only at compile time.
  • The compiled program then contains a trap door
    (back door) which allows the Trojan horse's
    author to get into the system.

11
How Trojans are Introduced to Your System
  • They are planted by an unauthorised user in
    public software repositories where many people
    can access, e.g., on PC file servers, FTP
    servers, Web servers, etc.
  • And unsuspecting users copy and run them.
  • Or they are planted by an authorised user, such
    as, one who is assigned to maintain compilers and
    software tools.

12
Computer Viruses

13
3 Characteristics of Viruses
  • A virus exhibits 3 characteristics
  • A replication mechanism (copy to another file)
  • An activation mechanism (perhaps use a time bomb
    or a logic bomb to activate a virus to do bad
    things)
  • A malicious objective (planned by the virus's
    author)

14
Network Worms
  • Use network connection to spread from system to
    system.
  • Network worms attack other systems that are
    linked via communication lines.
  • When active, worms can behave like viruses; that
    is, they have the ability to infect other
    connected systems.

15
How Worms Spread
  • Worms use the following ways to spread:
  • An email program from which a worm can mail a
    copy of itself to other users (systems).
  • A remote login capability, i.e., a worm can log
    into a remote system to copy itself from the
    current system to the remote system.
  • A remote execution capability, i.e., a worm can
    execute itself on another remote system.

16
Replication Mechanism
  • Search: looks for other remote systems to infect
    by examining, from the current system, host
    tables or similar repositories for remote system
    addresses.
  • Make connection: establishes a connection to the
    remote system, probably by logging in as a user,
    using an email program or performing remote
    execution.
  • Spread and run: copies itself to the remote
    system and causes the copy on the remote system
    to run.

17
Other Ways to Get into the Remote System
  • Password cracking by which the worm would attempt
    to log into a remote system by using user names
    or words from an on-line dictionary as passwords
    to log in.
  • A trap door (planted by someone) which would
    allow the worm to send commands to the remote
    system's command interpreter. The commands would
    then be executed on the remote system.
  • Bugs in network-related programs which would
    allow the worm to access the remote system's
    command interpreter.

18
Activation Mechanism and Objective
  • Activation may use a time bomb or logic bomb to
    activate itself to do bad things.
  • Its objective depends on whatever the worm's
    author has designed:
  • delete files,
  • cause disruption to the infected system,
  • or even plant Trojan horses/viruses.

19
A Trojan Horse Worm
  • This worm displayed a Christmas tree and a
    message of good cheer.
  • When executed, the Trojan worm would examine
    network address files for other connected PCs.
  • The worm then mails itself to those systems.
  • Upon receiving this message, the user is invited
    (social-engineered) to run this Christmas tree
    worm.
  • There is no destructive action from this worm,
    except disrupting communication and causing a
    loss in network bandwidth.

20
Virus-Related Threats
  • Variants of Trojan horses, viruses and worms
    continue to be endless, e.g.,
  • A rabbit whose objective is to spread wildly
    within or among other systems and disrupt network
    traffic.
  • A bacterium whose objective is to replicate
    within a system and eat up processor time until
    computer throughput (performance in data
    processing) is extremely degraded.

21
Weaknesses Viruses Use
  • Lack of user awareness - e.g., users copy and
    share infected software, fail to detect signs of
    virus activity.
  • Social engineering - users are fooled into
    trusting emails received.
  • Absence/inadequacy of technical controls - e.g.,
    lack of anti-virus software.
  • Ineffective use of technical controls - e.g.,
  • use easily guessed passwords,
  • fail to use appropriate access controls (shared
    files with no password),
  • grant users far more access to resources than
    necessary.

22
Weaknesses Viruses Use
  • Software bugs - allow viruses to spread and
    break into other systems.
  • Unauthorised use - allows unauthorised users to
    use your system.
  • Unauthorised users can be a wicked person who
    wants to attack your system by spreading viruses,
    or
  • good/authorised users who do things unwittingly,
    e.g., copy infected files into your system.
  • Susceptibility to network misuse - a network
    allows anonymous access (e.g., via FTP), letting
    intruders upload viruses to the system.

23
Effective Virus Prevention Program
  • Due to the weaknesses above, one needs an
    effective virus prevention program which must
    address
  • restricting system access only to authorised
    users,
  • ensuring that software and hardware are regularly
    monitored and maintained,
  • backing up regularly, and
  • having a contingency plan when any virus incident
    occurs.

24
What Does the Program Do?
  • to deter attacks by viruses and related threats,
  • to detect when they occur,
  • to contain (control/halt) the attack, so as to
    limit damage, and
  • to recover in a reasonable amount of time without
    loss of any data or with a minimum data loss.

25
Program Focuses
  • In a virus prevention program, attention needs to
    be focused on the following areas
  • security policies and procedures,
  • user education,
  • software management,
  • technical controls,
  • system monitoring, and
  • a contingency plan

26
What Should User Education Address?
  • How malicious software operates,
  • methods by which it is planted and spread, and
  • the vulnerabilities exploited by malicious
    software and unauthorised users,
  • How to apply security policies and procedures,
    e.g., for backup, storage, and use of
    public-domain software and shareware,
  • How to use technical controls - e.g., anti-virus
    software and file access control,
  • How to monitor their systems and detect signs of
    abnormal activity, and
  • Contingency procedures to recover from virus
    incidents.

27
Software Management
  • To prevent users from potentially spreading
    malicious software, the program needs to
  • ensure that users understand the nature of
    malicious software, how it is spread and what
    technical controls can be used to protect their
    system,
  • have policies for downloading and use of
    public-domain and shareware software,
  • have a mechanism for validating/checking such
    software before use, and
  • minimise the exchange of executable software
    within and between organisations.

28
Software Management
  • do not create software repositories on LAN
    servers, unless technical controls exist to
    prevent users from freely uploading or
    downloading software from them -- Very high
    risk for viruses to spread throughout the
    network,
  • purchase software only from reputable sources
    (vendors),
  • maintain software properly and update it as
    necessary, as well as apply any new security
    patches,
  • do not use pirated software as it may have been
    modified to be a Trojan,

29
Software Management
  • ensure that software vendors can be quickly
    contacted if any software problem takes place,
  • store the original software distribution in a
    secure location for restoration -- in case the
    in-operation version has been infected by a
    virus, and
  • test any new/upgraded/company-developed software
    in an isolated system. The system should
  • be configured so that there is no risk of virus
    spreading to other places of the organisation,
  • not be used by other users, except authorised
    users,
  • not connect to the internal network, and
  • not contain any valuable data.

30
Technical Controls
  • Technical controls are used to protect the
    security and integrity of systems and associated
    data.
  • Technical controls can help deter occurrences of
    viruses, or make them more difficult to occur,
    e.g.,
  • authentication mechanisms, e.g., the use of
    passwords on shared files and directories,
  • write-protection mechanisms on tapes and
    diskettes.

31
Technical Controls
  • Technical controls should be used to restrict
    system access to authorised users only,
  • Technical controls should be used to limit user
    privileges to the minimum practical level,
  • Users and managers must be educated as to what
    controls to use, as well as how and when to use
    them,
  • When not strong enough, they should be
    supplemented with alternative physical controls
    or other add-on controls.

32
Technical Controls with Data
  • Classify the categories of data, e.g.,
  • highly sensitive,
  • sensitive,
  • medium,
  • low, and
  • public.
  • Use proper technical controls for each data
    category. Sensitive data normally requires more
    protection than low-priority data.

33
System Monitoring
  • The reasons we need monitoring are:
  • Expensive damage - Viruses can cause expensive
    damage within a very small amount of time,
    minutes or seconds.
  • By proper monitoring of software/system/user
    activities, managers can detect early signs of
    viruses and other unauthorised activities.
  • Apply contingency procedures - Managers can then
    apply any proper contingency procedures to halt
    the malicious activity and recover from whatever
    damage has been caused.
  • Security improvement - Monitoring indicates
    whether or not security policies, procedures,
    and controls currently in place are as effective
    as planned.

34
System Monitoring: What to Do
  • user education - users must know what their
    computing environment is like, what constitutes
    normal and abnormal system activities, and whom
    to contact when malicious access occurs.
  • system access monitoring tools - tools to
    automate logging of any access to accounts,
    files, etc.
  • anti-virus tools - tools to alert users of
    malicious types of access.
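Logging access to accounts and files is only useful if someone, or something, reads the log for the early signs the previous slide mentions. As an added example (not from the presentation), the following review implements two such signs over an access log: a burst of failed logins on one account, which is what the dictionary password-guessing described on the worm slides looks like from the defender's side, and interactive file access outside working hours. The log format and every log line are constructed for the example; the thresholds, the working hours and the exempt service account name are assumptions to be tuned for a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not a real system's format): one record per
# line, "timestamp user host action detail". One line is deliberately garbled.
SAMPLE_LOG = """\
2024-03-04T08:55:12 alice ws-07 login ok
2024-03-04T09:02:40 bob ws-12 login ok
2024-03-04T09:10:03 bob ws-12 read /proj/specs.doc
garbled line here
2024-03-04T22:31:05 mallory ws-40 login fail
2024-03-04T22:31:09 mallory ws-40 login fail
2024-03-04T22:31:14 mallory ws-40 login fail
2024-03-04T22:31:20 mallory ws-40 login fail
2024-03-04T22:31:27 mallory ws-40 login fail
2024-03-04T22:32:01 mallory ws-40 login ok
2024-03-04T22:33:15 mallory ws-40 read /home/alice/notes.txt
2024-03-05T03:12:44 svc-backup srv-01 read /proj/specs.doc
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (login|read|write) (.+)$")


def parse_log(text):
    """Parse the constructed format into dicts. Malformed lines are skipped
    but counted: a damaged log is itself a sign worth reporting."""
    records, malformed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed += 1
            continue
        ts, user, host, action, detail = m.groups()
        records.append({"time": datetime.fromisoformat(ts), "user": user,
                        "host": host, "action": action, "detail": detail})
    return records, malformed


def failed_login_bursts(records, threshold=3, window_seconds=60):
    """Accounts with at least `threshold` failed logins inside one window of
    `window_seconds`. Returns {user: total failed logins for that user}."""
    per_user = defaultdict(list)
    for r in records:
        if r["action"] == "login" and r["detail"] == "fail":
            per_user[r["user"]].append(r["time"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            span = (times[i + threshold - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                flagged[user] = len(times)
                break
    return flagged


def off_hours_access(records, start_hour=7, end_hour=19, exempt=("svc-backup",)):
    """File reads/writes outside [start_hour, end_hour) by accounts that are
    not on the exempt list (scheduled jobs legitimately run at night)."""
    hits = []
    for r in records:
        if r["action"] not in ("read", "write") or r["user"] in exempt:
            continue
        hour = r["time"].hour
        if hour < start_hour or hour >= end_hour:
            hits.append((r["user"], r["detail"]))
    return hits


def review(text=SAMPLE_LOG):
    """Run both checks and return a report suitable for a periodic review."""
    records, malformed = parse_log(text)
    return {"malformed": malformed,
            "bursts": failed_login_bursts(records),
            "off_hours": off_hours_access(records)}


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

On the sample, the review flags the one account that failed five logins within seconds and then read another user's file at night, while the backup service's scheduled read is not reported. The burst check deliberately keys on time windows rather than raw counts, so a user who mistypes a password a few times over a day does not trip it.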

35
System Monitoring: What to Do
  • system-integrity tools - tools to automatically
    check files for changes in size, date or content.
  • network monitoring tools - tools to record
    network access, or even attempts to access.
  • periodic review of monitoring statistics/logs -
    the statistics/logs will reveal the need for
    changes in the current virus prevention program
    and will help fine-tune it to make it more
    effective.
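Slide 27 asks for a mechanism to validate software before use, slide 29 for restoring only from original copies and inspecting restored files, and this slide for tools that check files for changes in size, date or content. One tool serves all three: a baseline that records size, modification time and a SHA-256 digest per file, compared against a fresh scan. The script below is an added example, not the presentation's own; the sample file tree, the tampering it simulates and the vendor's "published" hash are all constructed here.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large distributions fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record size, mtime and SHA-256 of every regular file under root."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "size": st.st_size, "mtime": int(st.st_mtime), "sha256": file_digest(p)}
    return baseline


def compare(baseline, current):
    """Classify differences. Content is the authority: a file whose size and
    timestamp were put back to the old values but whose bytes changed is
    still 'modified'; a timestamp-only change is reported as 'touched'."""
    report = {"modified": [], "touched": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif new["sha256"] != old["sha256"] or new["size"] != old["size"]:
            report["modified"].append(rel)
        elif new["mtime"] != old["mtime"]:
            report["touched"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    for key in ("modified", "touched", "removed"):
        report[key].sort()
    return report


def verify_distribution(path, published_sha256):
    """Validate a package against the hash its vendor published (slide 27)."""
    return file_digest(path) == published_sha256


def demo():
    """Constructed tree, then the kinds of change the slides warn about."""
    root = Path(tempfile.mkdtemp(prefix="fim_"))
    (root / "bin").mkdir()
    (root / "bin" / "calc").write_bytes(b"#!/bin/sh\necho 2+2\n")
    (root / "config.ini").write_text("debug=0\n")
    (root / "readme.txt").write_text("unchanged\n")
    baseline = build_baseline(root)

    calc = root / "bin" / "calc"
    st = calc.stat()
    calc.write_bytes(b"#!/bin/sh\necho 2+2\n# extra code\n")
    os.utime(calc, (st.st_atime, st.st_mtime))   # timestamp put back: still caught
    (root / "config.ini").write_text("debug=1\n")  # same size, different content
    readme = root / "readme.txt"
    os.utime(readme, (st.st_atime + 100, st.st_mtime + 100))  # touched only
    (root / "dropped.exe").write_bytes(b"MZ")     # new, unexpected file
    return compare(baseline, build_baseline(root))


def demo_verify():
    """Package checked against its published hash before and after alteration."""
    pkg = Path(tempfile.mkdtemp(prefix="dist_")) / "tool-1.0.tar"
    pkg.write_bytes(b"constructed package bytes")
    published = file_digest(pkg)  # stands in for the hash the vendor publishes
    ok_before = verify_distribution(pkg, published)
    pkg.write_bytes(b"constructed package bytes, altered")
    return ok_before, verify_distribution(pkg, published)


if __name__ == "__main__":
    print(demo())
    print(demo_verify())
```

The baseline must be stored where the systems being checked cannot write to it (the same secure location slide 29 reserves for original distributions), otherwise whatever modified the files can update the baseline to match. Mapping the published hash to a signed release file from the vendor, rather than a hash fetched from the same download site, is the next step up from the check shown here.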

36
Contingency Plan: What to Do
  • The purpose is to halt and recover from any
    attack that has already occurred.
  • The most important planning involves the use of
    backups. The organisation should maintain
    regular, frequent backups of all important data,
    software, configuration files, command files,
    etc.
  • Software should be restored only from its
    original copies/distribution so as to have no
    virus contamination.

37
Contingency Plan: What to Do
  • The restored configuration/command files should
    be inspected to ensure that they have not been
    damaged or modified perhaps by unauthorised
    people/viruses.
  • Critical systems must be isolated from the entire
    network and other potential sources of virus
    infection.
  • A group of skilled users must be formed to deal
    with virus incidents, and also to ensure that
    they can be quickly contacted whenever any attack
    occurs.
  • Maintain and distribute telephone numbers of
    security managers, staff involved, and management
    to contact whenever any attack occurs.