Category Archives: Guide

Layered Security For Home User – Part 1

Most who work in information security are familiar with the term layered security (also known as layered defense) which in a nutshell mean that you employ multiple solutions/components to protect your assets. This idea has been pushed at the enterprise level for years and has been significantly effective at deterring attacks. And with the latest advancements in the end-point-monitoring (EPM) solutions, enterprises now have the capability to both monitor and control what happens on all of the workstations in the environment.

But if you move away from enterprise security to securing the average home user, most users tend to rely solely on the anti-virus solutions. Now, I am not going to get into the debate over how effective or ineffective anti-virus solutions are – but if you are interested in reading rants over this topic feel free to do so. However, what I will say is that just having anti-virus software (especially now) definitely does not meet the layered security concept.

So, how do we get layered security for home computers? Well, the market is not shy from a variety of different solutions that will promise to compliment your existing anti-virus while providing you the benefit of added security. And in my opinion, some of these products can actually be beneficial such as malware, spyware, and email protection but most of these features are already built-in to latest anti-virus solutions – you may just not know it. So, the question still stands, how do we get layered security for home computers? Well, let me answer this by explaining a recent event where I had the opportunity to test a theory first hand…

Continue with part 2

Tagged , ,

Traditional Threats

Below is my take on the common threats against our systems:

In today’s technological environment, risks to computer information are everywhere. These risks start when you power-on your system and save any information on it. However, the risks exponentially grow when you connect your system to a network and access the internet.

Information security is known as the process of implementing the necessary measurements to not only protect the physical environment but also prevent modification, deletion and unauthorized access to information.

The need for information security is vital more than ever. The numbers of the incident that involve information breaches have dramatically increased in last few years. Most of these computer attacks exploit confidential information from companies’ networks (Tarte). Experts believe that the reason behind this increase is due to open vulnerabilities in corporate networks.  Attackers are able to easily abuse these weaknesses and gain access to confidential information. However, attacks have also grown to be more sophisticated than ever. In most cases, victims do not realize that they are under attack until it is too late. It’s hard to believe but attackers are able to remain “inside a compromised organization for months, gathering information with which they design and build even more sophisticated attacks” (Neal).

 In addition, these cyber attacks are not only aimed at governments and major corporation networks but also to average consumers. A study conducted by Symantec shows that “65% of people globally have experienced some type of cybercrime” (Schwartz). Almost half of these incidents were caused by viruses and malware; while others were caused by phishing and social networking attacks (Schwartz). Moreover, the most common threat to today’s systems is from malicious codes. This category of software threat includes viruses, Trojan horses, logical bombs, and worms.

Malicious code is a threat which is defined to perform unlawfully, the desired function which allows unauthorized access to confidential information.  These codes are capable of bypassing security software and destroy the system. It is very important that the necessary steps are taken to protect systems against these malicious codes. However, it is vital that we first differentiate among varies malicious codes (Computer virus: the types of viruses out there).

Viruses are the most common type of malicious code. This software enters the system using one the following ways: through email, peer-to-peer sites or by using infected removal media, such as flash drive. In some cases viruses simply reside on the victim’s system, however, usually, viruses are designed to destroy the data and operating system as well as spread to other systems. Upon getting infected, viruses usually take complete control of the system; by flashing annoying pop-ups and denying users full access. However, in rare cases, viruses hide their presence from the user. In both cases, the system significantly slows down and free disk space rapidly decreases. In severe instances, the system could mysteriously shut itself down and/or doesn’t reboot with, BSOD (Blue Screen of Death) error (Dulaney).

Moreover, viruses are programmed to conduct two terrible tasks: bring your system to a halt, where it is no longer usable or to use your system as means to spread to other systems. Upon infecting a system, the virus attaches itself to all the data and system files on that particular computer. This makes it easy for the virus to spread to other systems. The most common method of spreading is through Flash drives; however, the more sophisticated viruses could attach themselves to emails without user’s awareness.

Unlike before, the security administrators of today are faced with the difficulty of identifying the exact type and characterizes of the certain virus before taking the necessary removal actions. Following are the most common and challenging virus types. An armored virus is programmed to hide from any anti-virus software. It does that by having a second set of code or a decoy code which protects the actual code from detection.  Companion virus works similar to an armored virus in a sense that it hides from detection; however, it accomplishes such task by associating itself as an extension to a legitimate application. When a user opens that application, companion virus executes instead of the actual application. This type of virus is often used to corrupt Windows systems by manipulating the Registry (Computer virus: the types of viruses out there).

Moreover, the goal of a computer is to make lives of its users easier, and macro offers exactly that. It allows the user to code series of commands which are saved and can be executed automatically and repeatedly. These macros are usually used for Microsoft applications such as Word and Excel. Macro virus exploits the actual function of the macros and spread itself to other systems. “Macro viruses are the fastest growing exploitation today” (Dulaney).  In addition, there is another type of virus which attacks the system in several different ways. Multipartite virus embeds itself in the boot sector of the operating system as well as it attaches to all the executable files in the system. The idea behind this virus is that the user won’t be able to control this virus and meanwhile virus will continue infestation process (Dulaney). Likewise, stealth virus also attaches itself to the boot sector of the hard drive. When a user runs anti-virus software, stealth virus redirects the commands around itself which makes it hard to detect this infection. This virus holds the capabilities of relocating itself from one location to another while the anti-virus software is in process.

Moreover, phage virus attaches itself to programs and databases but it also modifies applications. The only way to successfully remove this infection is by reinstalling the application. The reason for that is because if any file is missed, the infection processes will initiate again and spread throughout the system.  Another powerful infection is polymorphic virus. Unlike all the other infections, this virus encrypts part of itself to avoid detection. This makes it difficult for anti-virus software to detect this infection (Dulaney). Polymorphic viruses’ characteristics are referred to as mutation because it changes itself often to hide from antivirus software. Similarly, retrovirus bypasses itself and gets access to the system. Unlike all other infections that hide from anti-virus software, retrovirus directly attacks the anti-virus software installed on the system. Due to the power of this virus, it destroys the systems anti-virus software where it’s no longer functional. However, the user continues to believe that the installed anti-virus software is fully functional and that the system is protected (Dulaney).

It is important to differentiate additional threats that are often misinterpreted as viruses.

The two most common troublesome non-virus threats are spam and worms.

Spam is defined as “copies of the same message, in an attempt to force the message to people who would not otherwise choose to receive it” (Mueller). Most often spam consists private advertising and “get-rich-quick” schemes (Mueller). The attacker gathers information by stealing mailing lists and retrieving email addresses from the web. Even though most users ignore spam and mark it as junk to prevent receiving it in the future. However, users that open spam ultimately get overwhelmed by the amount of spam they begin to receive. Besides being annoying, spam does cost the Internet Service Provider to transmit which in result costs the end user (Mueller).

On the other hand, a worm is different from a typical virus in a sense that I can reproduce itself without the need of any host. “Many of the so-called viruses that have made the papers and media were, in actuality, worms and not viruses” (Dulaney). The most devastating example of a worm is Melissa, which spread to more than 100,000 systems and one location was attacked with 32,000 copies in 45-minutes (Dulaney). Worms are designed to propagate using TCP/IP, emails, internet services and other means.

Protection:   

Even though it is impossible to completely protect your system, however, if proper procedure is followed the likelihood of becoming a victim decreases. “The best defense against a virus attack is up-to-date antivirus software installed and running” (Dulaney). Usually, the systems that become the victim of attacks don’t have updated anti-virus installed or there wasn’t automatic scan setup. In addition, if you have multiple systems it is recommended that you install anti-virus software from a different vendor on each system. However, the most common mistake that users make is that they install two different anti-virus software on the same system. Doing so makes both software work against each other and ultimately provides no protection to the system. Lastly, it is vital that the user is educated on preventing methods. Regardless of how superior your anti-virus software it; eventually the responsibility comes down to the end user. The user needs to be made aware of the potential threats and how to protect the system from them. “They need to scan every disk, e-mail, and documents they receive before they open them” (Dulaney). Education is the key to protecting information security. In the corporate environment, all the staff members need to be trained on the importance of information security. This training should be followed by consequences for individuals who consistently fail to take information security seriously.

________________________________________________________________________________

References

Computer virus: the types of viruses out there. (n.d.). Retrieved September12, 2010, from http://www.spamlaws.com/virus-types.html
Dulaney, E. (2009). Comptia security+ deluxe. Indianapolis, Indiana: Wiley Publishing, Inc.
McGraw, G, & Morrisett, Greg. (2000). Attacking malicious code: a report to the infosec research council. IEEE Software.
Mueller, S. (n.d.). What is spam?. Retrieved September 27, 2010, from, http://spam.abuse.net/overview/whatisspam.shtml
Neal, D. (2010, September 17). Cyber attacks growing in number and sophistication. Retrieved September 19, 2010, from http://www.v3.co.uk/v3/news/2269980/firms-open-range-security?page=1
Online threats. (n.d.). Retrieved September 18, 2010, from http://www.staysafeonline.org/content/online-threats
Parks, D. (2009, August 28). The common threats to it security. Retrieved September 15, 2010, from, http://www.articlesbase.com/software-articles/the-common-threats-to-it-security-1171518.html
Scwartz, Mathew. (2010, September 08). Symantec finds 65% have been hit by cybercrime. Retrieved September 15, 2010 from, http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=227300362&subSection=Attacks/breaches
Tagged , , , ,

Finding Known Evil With Nessus – Part 2

This post is a continuation of my earlier post about finding a known-bad process with Nessus vulnerability scans. In this post, I will share my experience after I finished running my first scan using this new scan policy.

Unlike the regular vulnerability scans, the duration of this scan was much less. The reason for this was because the scan policy consisted of only selected plugins. However, even with only selected plugins, the scan results were very comprehensive.

First, the scan result shows the MD5 hash of the suspicious process. Now you can take this MD5 hash and search sites like VirusTotal but on the scan results page, you will find a direct link to a Tenable website that will provide additional information about the suspicious process. This information is similar to what you would find on VirusTotal but with little less information. In my case, I still searched VirusTotal for more detailed information.

Second, the scan result shows the path of where the suspicious process is located on the target system. Obviously, this is great because now you don’t have to search the system and locate the executable in question. But what’s even better is that the scan results even show all the instances of that suspicious process that the scan found. For example, in my test scan, the same suspicious process was located under numerous user profiles.

With the above information in hand, you can quickly develop you indicators of compromise (IOCs) and begin your investigation. My initial step was to review all the processes on my target machine and identify the process ID (PID) of the executable that the scanner identified. From here you can look at all the network connections related to this process, the system handles, any additional sub-processes, etc.

Overall, I am satisfied with what I have seen so far. I think that it is great that Tenable has incorporated these checks because in my option it makes perfect sense to check for known bad stuff during the time that you have already allocated for vulnerability scans. However, I would recommend that you separate your suspicious process and vulnerability data because do you not want to alarm the system owners without properly doing your own investigation. The easiest way to do this is by creating two different repositories and then drafting different reports/dashboards from each of those repositories.

My final comment is that if you have Nessus (I used SecurityCenter); please try to run this scan with the new scan policy. You can find the link to download this scan policy in my first post. Let me know what you guys think!

Tagged , ,

Finding Known Evil With Nessus

When it comes to performing vulnerability assessments, Nessus is by far the industry leader.  Nessus is known as “world’s best vulnerability management tool” and I think the reason for this is because of the continuous research the Nessus team does around new vulnerabilities and push them out to their customers in a timely manner. If you are not families with Nessus here is a very high-level overview – Nessus uses “plugins” which simply put are scripts that run on the target hosts to see if it meets the criteria for a certain vulnerability. And as new plugins get pushed to customers the old plugins also get updated daily.

I have been using Nessus for some time now and I have been very pleased with their level of commitment and excellent support. And recently as I was going through their blogs, I came across an interesting post regarding finding malware through Nessus scans. I found this interesting for two reasons: first, because I had not tried this before and second because as a security professional its better if you find evil in your environment before it gets reported to you.

The process for running malware scan is same as running the normal vulnerability scan. You just need to make sure that you select the appropriate plugins in your scan policy and use credentials that have administrative privileges on the target system. The following blog post lists the default plugin you can use to get started with malware scans – a sample scan policy is available for you to download which you can simply upload in your scanner and run the scan. This blog post also contains links to other related posts that talk about additional plugins that you can enable in your scan policy.

I have not had the chance to run this scan however, I plan to give this a try this coming week using the sample scan policy. I will write a follow-up post to share my experience.

Tagged , ,
Advertisements