© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Fundamentals of Information Systems Security Lesson 11 Malicious Code and Activity

Fundamentals of Information Systems Security Chapter 11

Jan 21, 2018

Transcript
Page 1: Fundamentals of Information Systems Security Chapter 11


Fundamentals of Information Systems Security

Lesson 11: Malicious Code and Activity

Page 2: Fundamentals of Information Systems Security Chapter 11


Learning Objective(s)

Describe how malicious attacks, threats, and vulnerabilities impact an IT infrastructure.

Page 3: Fundamentals of Information Systems Security Chapter 11


Key Concepts

The impact of malicious code and malware on systems and organizations

Attackers, hackers, and social engineers

The phases of a computer attack

Tools and techniques to detect and prevent attacks

Page 4: Fundamentals of Information Systems Security Chapter 11


Malicious Code and Activity

Malicious software (malware)

• Any program that carries out actions that you do not intend

Malicious code attacks all three information security properties:

• Confidentiality: Malware can disclose your organization's private information

• Integrity: Malware can modify database records, either immediately or over a period of time

• Availability: Malware can erase or overwrite files or inflict considerable damage to storage media

Page 5: Fundamentals of Information Systems Security Chapter 11


Characteristics, Architecture, and Operations of Malicious Software

An attacker gains administrative control of a system and uses commands to inflict harm

An attacker sends commands directly to a system; the system interprets and executes them

An attacker uses software programs that harm a system or that make the data unusable

An attacker uses legitimate remote administration tools and security probes to identify and exploit security vulnerabilities on a network

Page 6: Fundamentals of Information Systems Security Chapter 11


The Main Types of Malware

(The chapter uses "malware" broadly: the list below also includes malicious activity such as spam, phishing, hoaxes and denial of service attacks, which are not programs in themselves but are delivered by or depend on malicious code.)

Viruses

Spam

Worms

Trojan horses

Logic bombs

Active content vulnerabilities

Malicious add-ons

Injection

Botnets

Denial of service attacks

Spyware

Adware

Phishing

Keystroke loggers

Hoaxes and myths

Homepage hijacking

Webpage defacements

Page 7: Fundamentals of Information Systems Security Chapter 11


Viruses

System infectors: target computer hardware and software startup functions (the boot sector or master boot record), so the virus is loaded before the operating system and any antivirus software

File infectors: attack and modify executable programs (COM, EXE, SYS, and DLL files in Microsoft Windows), so the virus runs whenever the infected program runs

Data infectors (also called macro infectors): attack document files that contain embedded macro programming capabilities, such as Office documents, so the virus runs when the document is opened and macros are enabled

Page 8: Fundamentals of Information Systems Security Chapter 11


Typical Life Cycle of a Computer Virus

Page 9: Fundamentals of Information Systems Security Chapter 11


How a System Infector Virus Works

Page 10: Fundamentals of Information Systems Security Chapter 11


How a File Infector Virus Works

Page 11: Fundamentals of Information Systems Security Chapter 11


How a Macro Virus Works

Page 12: Fundamentals of Information Systems Security Chapter 11


Other Virus Classifications

Polymorphic viruses: change their own code on each infection (typically by re-encrypting the virus body with a different key and mutating the small decryptor), so no fixed byte signature matches every copy

Stealth viruses: intercept the operating system calls that read infected files or disk sectors and return the original, clean contents, hiding the infection from scanners and integrity checkers that run on the infected system

Slow viruses: infect only files the user is already modifying or copying, so that a change-detection tool sees changes that appear to be the user's own work

Retro viruses: attack the antivirus software itself, disabling it or corrupting its signature files

Cross-platform viruses: can infect more than one operating system or application platform

Multipartite viruses: combine techniques, infecting both boot sectors (as a system infector) and executable files (as a file infector)

Page 13: Fundamentals of Information Systems Security Chapter 11


How a Stealth Virus Works

Page 14: Fundamentals of Information Systems Security Chapter 11


How a Slow Virus Works

How a Retro Virus Works

Page 15: Fundamentals of Information Systems Security Chapter 11


How a Multipartite Virus Works

Page 16: Fundamentals of Information Systems Security Chapter 11


Rootkits

Type of malware that modifies or replaces one or more existing programs to hide the fact that a computer has been compromised

Modify parts of the operating system to conceal traces of their presence

Provide attackers with persistent access to compromised computers and a base from which to launch additional attacks

Difficult to detect and remove, because the tools an administrator would use to look for them (file listings, process lists, log viewers) may themselves be subverted; the reliable check is to examine the disk from trusted media that the rootkit did not boot from

Page 17: Fundamentals of Information Systems Security Chapter 11


Ransomware

Attempts to generate funds directly from a computer user

Attacks a computer and limits the user's ability to access the computer's data

Encrypts important files or even the entire disk and makes them inaccessible until a ransom is paid

Ransomware is not new (the AIDS Trojan of 1989 already demanded payment to restore access), but CryptoLocker (2013) popularized the modern model: the victim's files are encrypted with strong public-key cryptography and the decryption key is held only by the attacker, so there is no way to recover the files except from backups or by paying. Tested, offline backups are the practical defense

Page 18: Fundamentals of Information Systems Security Chapter 11


Spam

Consumes computing resources (bandwidth and CPU time)

Diverts IT personnel from activities more critical to network security

Is a potential carrier of malicious code

Compromises intermediate systems to facilitate remailing services

Opt-out (unsubscribe) features in spam messages can represent a new form of reconnaissance attack to acquire legitimate target addresses: a click confirms that the address is read by a real person

Page 19: Fundamentals of Information Systems Security Chapter 11


Worms

Designed to propagate from one host machine to another using the host's own network communications protocols

Unlike viruses, do not require a host program to survive and replicate

The term "worm" stems from the fact that worms are programs with segments, working on different computers, all communicating over a network

Page 20: Fundamentals of Information Systems Security Chapter 11


Worms (cont.)

Page 21: Fundamentals of Information Systems Security Chapter 11


Trojan Horses

Largest class of malware

Any program that masquerades as a useful program while hiding its malicious intent

Relies on social engineering to spread and operate

Spreads through email messages, website downloads, social networking sites, and automated distribution agents (bots)

Page 22: Fundamentals of Information Systems Security Chapter 11


Logic Bombs

Programs that execute a malicious function of some kind when they detect certain conditions (a date, the removal of a particular user account, a counter reaching a value)

Typically originate with organization insiders, because people inside an organization generally have more detailed knowledge of the IT infrastructure than outsiders and already have the access needed to plant the code

Page 23: Fundamentals of Information Systems Security Chapter 11


Active Content Vulnerabilities

Active content

• Refers to dynamic objects that do something when the user opens a webpage or document (ActiveX, Java, JavaScript, VBScript, macros, browser plugins, PDF files, and other scripting languages)

• Has potential weaknesses that malware can exploit

Active content threats are considered mobile code because these programs travel with the content and run on a wide variety of computer platforms

Users download bits of mobile code that run locally and may gain access to local files and other resources, doing things the user never intended

Current browsers no longer run ActiveX or Java applets; JavaScript, browser extensions and document macros (Office, PDF) remain the main active-content vectors

Page 24: Fundamentals of Information Systems Security Chapter 11


Malicious Add-Ons

Add-ons are companion programs that extend the web browser; they can decrease security

Malicious add-ons are browser add-ons that contain some type of malware that, once installed, performs malicious actions

Only install browser add-ons from sources you trust, and review the permissions an add-on requests before installing it: an add-on that can read and change data on every site you visit can also capture credentials from every site you visit

Page 25: Fundamentals of Information Systems Security Chapter 11


Injection

Cross-site scripting (XSS)

SQL injection

LDAP injection

XML injection

Command injection

All of these share one root cause: untrusted input is concatenated into a string that an interpreter (the browser, the SQL engine, the LDAP server, the XML parser, the shell) then parses, so the input can change the structure of the command rather than only its data. The fix is likewise shared: keep data and code apart (parameterized queries, output encoding, argument arrays instead of shell strings) and validate input against an allow-list

Page 26: Fundamentals of Information Systems Security Chapter 11


Botnets

Robotically controlled networks

Attackers infect vulnerable machines with agents (bots) that perform various functions at the command of the bot-herder or controller

Early botnets took their orders over Internet Relay Chat (IRC) channels; current ones more commonly use HTTP(S) requests that blend in with web traffic, peer-to-peer protocols with no single controller to take down, or DNS. What they share is a periodic check-in with the controller, which is also what a defender can look for

Attackers can use botnets to distribute malware and spam and to launch DoS attacks against organizations or even countries
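As an added example (not part of the original slides), the following Python shows the defender's side of the check-in described above: it reads a constructed web-proxy log and flags client/destination pairs whose requests arrive at an almost constant interval, which is how an automated bot beacon looks next to a person browsing. The log lines, hosts and thresholds are all assumptions made for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt (not from the original page). Each line is
# "ISO timestamp, client IP, destination host". Client 10.0.0.7 contacts
# cdn-update.example every 60 s with almost no jitter, which is what an
# automated check-in to a controller looks like; 10.0.0.9 is ordinary,
# irregular browsing.
SAMPLE_LOG = """\
2018-01-21T09:00:00 10.0.0.7 cdn-update.example
2018-01-21T09:00:03 10.0.0.9 news.example
2018-01-21T09:01:00 10.0.0.7 cdn-update.example
2018-01-21T09:01:41 10.0.0.9 news.example
2018-01-21T09:02:01 10.0.0.7 cdn-update.example
2018-01-21T09:02:15 10.0.0.9 mail.example
2018-01-21T09:03:00 10.0.0.7 cdn-update.example
2018-01-21T09:03:59 10.0.0.9 news.example
2018-01-21T09:04:00 10.0.0.7 cdn-update.example
2018-01-21T09:05:00 10.0.0.7 cdn-update.example
2018-01-21T09:07:30 10.0.0.9 news.example
2018-01-21T09:09:10 10.0.0.9 news.example
"""


def parse_log(text: str):
    """Yield (timestamp, client, destination) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text: str, min_hits: int = 5, max_jitter: float = 0.1):
    """Return (client, destination, mean interval in seconds) for every pair
    with at least min_hits requests whose gaps are nearly constant, i.e. whose
    coefficient of variation (std dev / mean) is below max_jitter."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)

    beacons = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_hits:
            continue                      # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        if statistics.pstdev(gaps) / mean < max_jitter:
            beacons.append((src, dst, round(mean, 1)))
    return beacons


if __name__ == "__main__":
    for src, dst, period in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every {period}s")
```

Real bots add random jitter precisely to defeat this test, so in practice the threshold is tuned per environment and combined with other signals (destination reputation, request size that never changes, activity outside working hours). The sample's legitimate client makes five requests too, but its gaps (98, 138, 211 and 100 s) vary by about a third of their mean and it is not flagged.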

Page 27: Fundamentals of Information Systems Security Chapter 11


Denial of Service Attacks

Overwhelm a server or network segment to the point that the server or network becomes unusable

Crash a server or network device, or create so much network congestion that authorized users cannot access network resources

A distributed denial of service (DDoS) attack uses many intermediary hosts (typically a botnet) to conduct the attack, so the traffic cannot be stopped by blocking a single source

Page 28: Fundamentals of Information Systems Security Chapter 11


SYN Flood

Attacker uses IP spoofing to send a large number of packets requesting connections (TCP SYN segments) to the victim computer. The victim answers each with a SYN-ACK and keeps a half-open connection while it waits for the final ACK of the handshake, which never arrives because the source addresses are forged. Once the backlog of half-open connections is full, legitimate connection requests are dropped. SYN cookies, which let the server avoid keeping any state until the handshake completes, are the standard mitigation

Page 29: Fundamentals of Information Systems Security Chapter 11


Smurf Attack

Attackers direct forged Internet Control Message Protocol (ICMP) echo request packets to IP broadcast addresses from remote locations to generate DoS attacks. The forged source address is the victim's, so every host on the broadcast network replies to the victim at once, amplifying the attacker's traffic by the number of responding hosts. The attack depends on routers forwarding directed broadcasts and on hosts answering broadcast pings; disabling both, which has long been the default, closes it
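The two attacks above leave distinct footprints in a packet capture. As an added example (not from the original slides), the Python below builds a constructed set of packet summaries containing a SYN flood against a victim, two honest clients, and a smurf reflection, then detects each: the SYN flood as client SYNs that never get their ACK, the smurf as echo requests aimed at the LAN broadcast address from an outside source, with the number of replies the LAN sent back. The addresses, the network and the threshold are assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # the network whose broadcast address is abused
VICTIM = "203.0.113.10"              # address the attacker forges as the source


def build_sample():
    """Constructed packet summaries (not from the original page), one tuple per
    packet: (src, dst, proto, info). For TCP, info is the flag set; for ICMP it
    is the message type."""
    pkts = []
    # SYN flood: 30 SYNs from spoofed sources; none will ever send the final ACK
    for i in range(10, 40):
        pkts.append((f"198.51.100.{i}", VICTIM, "tcp", "SYN"))
    # two legitimate clients that complete the three-way handshake
    for src in ("198.51.100.5", "198.51.100.6"):
        pkts.append((src, VICTIM, "tcp", "SYN"))
        pkts.append((VICTIM, src, "tcp", "SYN-ACK"))
        pkts.append((src, VICTIM, "tcp", "ACK"))
    # smurf: echo requests forged with the victim's address and sent to the LAN
    # broadcast address; every live LAN host answers the victim
    for _ in range(3):
        pkts.append((VICTIM, str(LAN.broadcast_address), "icmp", "echo-request"))
        for h in range(20, 25):
            pkts.append((f"192.168.1.{h}", VICTIM, "icmp", "echo-reply"))
    return pkts


def half_open_counts(packets):
    """Per destination, count client SYNs that were never followed by that
    client's ACK. Each such entry occupies a slot in the server's backlog."""
    syns, acked = set(), set()
    for src, dst, proto, info in packets:
        if proto != "tcp":
            continue
        if info == "SYN":
            syns.add((src, dst))
        elif info == "ACK" and (src, dst) in syns:
            acked.add((src, dst))
    return Counter(dst for _, dst in syns - acked)


def syn_flood_targets(packets, threshold=20):
    """Destinations with more half-open connections than a healthy server
    accumulates in a short capture window."""
    return [dst for dst, n in half_open_counts(packets).items() if n >= threshold]


def smurf_events(packets, lan):
    """Map each outside address that 'sent' echo requests to the LAN broadcast
    address to (requests, echo replies the LAN returned to it). A ratio well
    above 1 is the amplification that makes the attack worthwhile."""
    bcast = str(lan.broadcast_address)
    requests, replies = Counter(), Counter()
    for src, dst, proto, info in packets:
        if proto != "icmp":
            continue
        if info == "echo-request" and dst == bcast and ip_address(src) not in lan:
            requests[src] += 1
        elif info == "echo-reply" and ip_address(src) in lan:
            replies[dst] += 1
    return {src: (n, replies[src]) for src, n in requests.items()}


if __name__ == "__main__":
    sample = build_sample()
    print("SYN flood targets:", syn_flood_targets(sample))
    print("Smurf amplification (requests, replies):", smurf_events(sample, LAN))
```

On the victim side the corresponding Linux settings are `net.ipv4.tcp_syncookies = 1` (SYN cookies) and `net.ipv4.icmp_echo_ignore_broadcasts = 1`; on the amplifier network's router, directed broadcasts must not be forwarded (on Cisco IOS, `no ip directed-broadcast` on each interface).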

Page 30: Fundamentals of Information Systems Security Chapter 11


Spyware

Any unsolicited background process that installs itself on a user's computer and collects information about the user's browsing habits and website activities

Affects privacy and confidentiality

Spyware cookies (third-party tracking cookies) are cookies set by a domain other than the site being visited; because every site that embeds that domain's content sends the same cookie back, the third party can correlate the user's visits across sites

Some cookies are persistent and are stored on the hard drive until their expiry date, which the setting site chooses and can put years in the future, without the user being asked

Page 31: Fundamentals of Information Systems Security Chapter 11


Adware

Triggers nuisances such as popup ads and banners when the user visits certain websites

Affects productivity and may combine with active background activities

Collects and tracks information about application, website, and Internet activity

Page 32: Fundamentals of Information Systems Security Chapter 11


Phishing

Tricks users into providing logon information on what appears to be a legitimate website but is actually a website set up by an attacker to obtain this information

Spear-phishing

• Phishing aimed at a specific person or organization: the attacker uses details about the victim (name, employer, colleagues, recent transactions) so that the message appears to come from a company or contact the victim already deals with

Pharming

• Redirects users to the attacker's copy of a site without any lure, by poisoning DNS responses or editing the victim's hosts file, so that even a correctly typed address resolves to the fraudulent server; unlike phishing it needs no social engineering
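A phishing page has to live on a hostname the attacker controls, so the hostnames in a message are the most reliable thing to check. As an added example (not part of the original slides), the Python below extracts the URLs from a constructed message and flags two common tricks: a trusted name used as a subdomain of an unrelated domain (the real owner is whoever registered the last labels), and a one-character lookalike of a trusted domain. The allow-list, the message and the distance threshold are assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Domains whose login pages this organisation's users legitimately visit
# (constructed allow-list, not from the original page).
TRUSTED = ("paypal.com", "example-bank.com")

# Constructed message body (not from the original page).
SAMPLE_EMAIL = """\
Your account has been limited. Verify now: http://paypal.com.account-verify.example/login
Or use the secure portal at https://examp1e-bank.com/signin
Your statement is available at https://www.example-bank.com/statements
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Crude (ignores co.uk-style suffixes) but
    enough to show where the real owner of a hostname is decided."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, trusted=TRUSTED, max_distance: int = 1):
    """Return a reason string if the host imitates a trusted domain, else None."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return None                       # genuinely the trusted site
    for t in trusted:
        # The trusted name appears, but only as a subdomain of something else.
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return f"trusted name used as subdomain of {reg}"
        if edit_distance(reg, t) <= max_distance:
            return f"lookalike of {t}"
    return None


def suspicious_urls(text: str):
    """Extract URLs from a message and return [(url, reason)] for the ones
    whose host imitates a trusted domain."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        reason = classify_host(host)
        if reason:
            findings.append((url, reason))
    return findings


if __name__ == "__main__":
    for url, reason in suspicious_urls(SAMPLE_EMAIL):
        print(f"{url}: {reason}")
```

This catches the lures; it does nothing against pharming, where the hostname is correct and the DNS answer is not. For that, the check moves to the resolver (DNSSEC validation) and to the browser (a certificate for the genuine name, which the fraudulent server cannot present).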

Page 33: Fundamentals of Information Systems Security Chapter 11


Keystroke Loggers

Capture keystrokes or user entries and forward the information to the attacker

Enable the attacker to capture logon information, banking information, and other sensitive data; because the capture happens before the data reaches the application, encryption on the wire does not help

Page 34: Fundamentals of Information Systems Security Chapter 11


Guidelines for Recognizing Hoaxes

Did a legitimate entity (computer security expert, vendor, etc.) send the alert?

Is there a request to forward the alert to others?

Are there detailed explanations or technical terminology in the alert?

Does the alert follow the generic format of a chain letter?

Page 35: Fundamentals of Information Systems Security Chapter 11


Homepage Hijacking

Exploiting a browser vulnerability to reset the homepage

Covertly installing a browser helper object (BHO) Trojan program; BHOs are an Internet Explorer mechanism, and in current browsers the equivalent vector is a malicious extension

Page 36: Fundamentals of Information Systems Security Chapter 11


Webpage Defacements

Someone gaining unauthorized access to a web server and altering the index page of a site on the server

The attacker replaces the original pages on the site with altered versions

Page 37: Fundamentals of Information Systems Security Chapter 11


A Brief History of Malicious Code Threats

1970s and early 1980s: Academic research and UNIX

1980s: Early PC viruses

1990s: Early LAN viruses

Mid-1990s: Smart applications and the Internet

2000 to present

Page 38: Fundamentals of Information Systems Security Chapter 11


Threats to Business Organizations

Attacks against confidentiality and privacy

Attacks against data integrity

Attacks against availability of services and resources

Attacks against productivity and performance

Attacks that create legal liability

Attacks that damage reputation

Page 39: Fundamentals of Information Systems Security Chapter 11


Internal Threats from Employees: Unsafe Computing Practices

Exchange of untrusted disks or other media among systems

Installation of unauthorized, unregistered software

Unmonitored download of files from the Internet

Uncontrolled dissemination of email or other messaging application attachments

Page 40: Fundamentals of Information Systems Security Chapter 11


Anatomy of an Attack

Phases of an attack

Types of attacks

The purpose of an attack

What motivates attackers

Page 41: Fundamentals of Information Systems Security Chapter 11


What Motivates Attackers?

Money

Fame

Political beliefs or systems

Revenge

Page 42: Fundamentals of Information Systems Security Chapter 11


The Purpose of an Attack

Denial of availability

Data modification

Data export

Launch point

Page 43: Fundamentals of Information Systems Security Chapter 11


Types of Attacks

Unstructured attacks: opportunistic attacks by individuals with limited skill, using readily available tools against whatever they find

Structured attacks: planned, skilled attacks against a chosen target, usually by organized groups

Direct attacks: the attacker's own systems communicate with the target

Indirect attacks: the attack reaches the target through intermediaries (relays, compromised hosts, a botnet), which hides the attacker's origin

Page 44: Fundamentals of Information Systems Security Chapter 11


How a Direct Attack Works

Page 45: Fundamentals of Information Systems Security Chapter 11


Phases of an Attack

Page 46: Fundamentals of Information Systems Security Chapter 11


Reconnaissance and Probing

Attacker collects all the information needed to conduct the attack

Tools include:

• DNS and ICMP tools within the TCP/IP protocol suite

• Standard and customized SNMP tools

• Port scanners and port mappers

• Security probes
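Of the tools listed, the port scanner is the simplest to show end to end. The Python below is an added example, not from the original slides: it starts two throw-away listeners on the loopback address (standing in for services on a target, so the example runs offline) and performs a TCP connect scan of the ports around them. The host, the port window and the timeout are assumptions.

```python
import socket


def open_listener(host: str = "127.0.0.1"):
    """Start a TCP listener on an OS-chosen port. It stands in for a real
    service on the target and exists only so the example runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def tcp_connect_scan(host: str, ports, timeout: float = 0.5):
    """TCP connect scan: complete a full three-way handshake with each port.
    An open port accepts, a closed one answers with RST (connect fails), and a
    filtered one drops the SYN so the attempt times out. Returns open ports."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 means the connect succeeded
                open_ports.append(port)
    return sorted(open_ports)


def demo(host: str = "127.0.0.1", window: int = 3):
    """Stand up two listeners, scan a small window of ports around each, and
    return (ports we know are open, ports the scan reported open)."""
    listeners = [open_listener(host) for _ in range(2)]
    expected = {port for _, port in listeners}
    candidates = sorted({p + d for p in expected for d in range(-window, window + 1)
                         if 1 <= p + d <= 65535})
    try:
        found = tcp_connect_scan(host, candidates)
    finally:
        for srv, _ in listeners:
            srv.close()
    return expected, found


if __name__ == "__main__":
    known, found = demo()
    print("listening:", sorted(known))
    print("scan found:", found)
```

A connect scan is the noisiest kind: every probe completes a handshake, so the target's service logs and any host IDS record it (this is what `nmap -sT` does). A SYN scan sends only the first packet and resets after the SYN-ACK, which is why it needs raw-socket privilege and why defenders watch for many SYNs to many ports from one source rather than for completed connections.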

Page 47: Fundamentals of Information Systems Security Chapter 11


Access and Privilege Escalation

Establish the initial connection to a target host (typically a server platform), using a vulnerability or credentials found during reconnaissance

Gain administrative rights to the system (privilege escalation), which is what lets the attacker install rootkits, read other users' data, and tamper with logs

Page 48: Fundamentals of Information Systems Security Chapter 11


Covering Traces of the Attack

The attacker removes any traces of the attack:

Removes files the attack created and restores as many files to their pre-attack condition as possible

Removes log file entries that may provide evidence of the attack

This is why defenders ship logs off the host as they are written: an entry that has already reached a remote collector cannot be deleted by whoever controls the host, and a gap in the sequence is itself evidence
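Logs can also be made to show that they were edited. As an added example (not from the original slides), the Python below keeps an audit log as a hash chain: each entry's SHA-256 covers the previous entry's hash, so deleting, rewriting or reordering an entry breaks every hash after it. It then applies the three edits an attacker covering tracks would make and shows where verification first fails. The events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64   # value chained into the very first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of the previous entry's hash plus this record, so every entry
    commits to everything written before it."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append(chain: list, record: dict) -> list:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "hash": entry_hash(prev, record)})
    return chain


def verify(chain: list):
    """Walk the chain recomputing each hash. Return the index of the first
    entry that does not check out, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None


def build_sample() -> list:
    """Constructed audit events (not from the original page): a service account
    logs in at 02:10, creates a hidden user, logs out."""
    chain = []
    for record in (
        {"t": "2018-01-21T02:10:05", "user": "svc_backup", "event": "login", "src": "10.0.0.50"},
        {"t": "2018-01-21T02:11:40", "user": "svc_backup", "event": "sudo", "cmd": "useradd hidden"},
        {"t": "2018-01-21T02:12:02", "user": "svc_backup", "event": "logout"},
    ):
        append(chain, dict(record))
    return chain


def tampered_chains() -> dict:
    """Three things an attacker covering tracks might do to the log."""
    deleted = build_sample()
    del deleted[1]                                   # drop the incriminating entry

    edited = build_sample()
    edited[1]["record"]["cmd"] = "ls"                # rewrite it, hash left alone

    rehashed = build_sample()
    rehashed[1]["record"]["cmd"] = "ls"              # rewrite it and fix its own hash
    rehashed[1]["hash"] = entry_hash(rehashed[0]["hash"], rehashed[1]["record"])
    return {"deleted": deleted, "edited": edited, "rehashed": rehashed}


if __name__ == "__main__":
    print("intact chain:", verify(build_sample()))
    for name, chain in tampered_chains().items():
        print(f"{name}: first bad entry at index {verify(chain)}")
```

An attacker with full control of the host can rewrite the entry and recompute every hash after it, so the scheme only helps if the latest hash leaves the host regularly (sent to the collector, printed, or included in the next remote heartbeat), or if each hash is an HMAC under a key the host does not hold. Either way, the defender compares against a value the attacker could not reach.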

Page 49: Fundamentals of Information Systems Security Chapter 11


Attack Prevention Tools and Techniques

Defense in depth

• The practice of layering defenses into zones to increase the overall protection level and provide more reaction time to respond to incidents

- Application defenses

- Operating system defenses

- Network infrastructure defenses

Page 50: Fundamentals of Information Systems Security Chapter 11


Application Defenses

Implementing regular antivirus screening on all host systems

Ensuring that virus definition files are up to date

Requiring scanning of all removable media

Installing personal firewall and IDS software on hosts

Deploying change detection software and integrity checking software

Maintaining logs

Implementing email usage controls and ensuring that email attachments are scanned

Page 51: Fundamentals of Information Systems Security Chapter 11


Operating System Defenses

Deploying or enabling change detection and integrity checking software on all servers, and maintaining logs

Ensuring that operating systems are consistent and have been patched with the latest updates from vendors

Ensuring that only trusted sources are used when installing and upgrading OS code

Disabling unnecessary OS services and processes that may pose a security vulnerability
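Both the application defenses and the operating system defenses above call for change detection and integrity checking software. As an added example (not from the original slides), the Python below is a minimal file integrity monitor: it records a SHA-256 baseline of a directory tree, then reports files added, removed or modified. The scenario it runs, a fake system tree in a temporary directory where an intruder replaces a binary with one of the same size, drops a cron job and deletes a log, is constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its
    SHA-256 and size. This is the baseline; store it where the host cannot
    rewrite it."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p), "size": p.stat().st_size}
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or whose content hash changed."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common
                           if baseline[k]["sha256"] != current[k]["sha256"]),
    }


def demo() -> dict:
    """Constructed scenario (not from the original page): baseline a fake
    system tree, then do what an intruder would: replace a binary with one of
    the same size, drop a cron job, and delete a log."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "cron.d").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "auth.log").write_text("Jan 21 02:10:05 login svc_backup\n")
        baseline_json = json.dumps(snapshot(root), sort_keys=True)  # keep off-host

        (root / "bin" / "ls").write_bytes(b"trojaned ls binary")   # same length as before
        (root / "cron.d" / "update").write_text("* * * * * root /tmp/.x\n")
        (root / "auth.log").unlink()

        return compare(json.loads(baseline_json), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Size and timestamp are not enough, which is why the comparison uses the content hash: the replaced binary has the same length as the original and would pass a size check. The caveat from the stealth virus and rootkit slides applies here too: a rootkit that hooks file reads can hand the checker the original bytes, so for a suspected compromise the snapshot should be taken after booting from trusted media, and the baseline itself must live somewhere the monitored host cannot write.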

Page 52: Fundamentals of Information Systems Security Chapter 11


Network Infrastructure Defenses

Creating chokepoints in the network, so that all traffic between zones passes through a small number of inspected paths

Using proxy services and bastion hosts to protect critical services

Using content filtering at chokepoints to screen traffic

Ensuring that only trusted sources are used when installing and upgrading network device firmware and OS code

Disabling any unnecessary network services and processes that may pose a security vulnerability

Maintaining up-to-date IDS signature databases

Applying security patches to network devices to ensure protection against new threats and reduce vulnerabilities

Page 53: Fundamentals of Information Systems Security Chapter 11


Safe Recovery Techniques and Practices

Store OS and data file backup images on external media to ease recovering from potential malware infection

Scan new and replacement media for malware before reinstalling software

Disable network access to systems during restore procedures or upgrades until you have re-enabled or installed protection software or services

Page 54: Fundamentals of Information Systems Security Chapter 11


Implementing Effective Software Best Practices

Adopt an acceptable use policy (AUP) for network services and resources

Adopt standardized software to better control patches and upgrades and to ensure that you address vulnerabilities

Consider implementing an ISO/IEC 27002-compliant security policy

Page 55: Fundamentals of Information Systems Security Chapter 11


Incident Detection Tools and Techniques

Antivirus scanning software

Network monitors and analyzers

Content/context filtering and logging software

Honeypots and honeynets

Page 56: Fundamentals of Information Systems Security Chapter 11


Summary

The impact of malicious code and malware on systems and organizations

Attackers, hackers, and social engineers

The phases of a computer attack

Tools and techniques to detect and prevent attacks