
CS 126: INTRODUCTION TO IT SECURITY

Lecture: 09 (a)

Access Controls (c)


(Authorization)
1 6/28/2016
Access Control Methods
Access controls can be implemented at various
layers of an organization, network, and
individual systems
Three broad categories:
Administrative
Physical
Technical (aka Logical)

Access Control Methods
 Administrative Controls
 Senior management must decide what role security will play in an organization.
 Policy and Procedure
 It is management’s responsibility to construct a security policy.
 A security policy works at the top layer of a hierarchical access control model.
 A security policy is a high level plan that states management’s intent pertaining to how
security should be practiced within an organization, what actions are acceptable, and
what level of risk the company is willing to accept.
 Personnel Controls: Personnel controls indicate how employees are expected to interact
with security mechanisms, and address noncompliance issues pertaining to these
expectations.
 Separation of Duties
 Rotation of Duties
 Mandatory Vacation
 Supervisory Structure
 Security Awareness Training
 Testing
 All security controls, mechanisms, and procedures need to be tested on a periodic basis to
ensure that they properly support the security policy, goals, and objectives set for them.
 It is management’s responsibility to make sure that these tests take place.
Access Control Methods
 Physical Controls: Physical controls must support and work with administrative and
technical controls to supply the right degree of access control.
 Network Segregation: Can be carried out through physical and logical means.
 Physical: Each area for equipment has the necessary physical controls to ensure that
only the permitted individuals have access into and out of those sections.
 Perimeter Security: Perimeter security mechanisms provide physical access control
by providing protection for individuals, facilities, and the components within facilities.
 Computer Controls: Each computer can have physical controls installed and
configured (e.g., locks on the cover, removal of floppy drives, implementation of a
protection device to eliminate electrical emissions to thwart attempts to gather
information through airwaves).
 Work Area Separation: Some environments might dictate that only particular
individuals can access certain areas of the facility.
 Data Backups: Backing up data is a physical control to ensure that information can
still be accessed after an emergency or disruption of the network or system.
 Cabling: Protection for the various types of cabling that carry information throughout
a network.
 Control Zone: A physical control; a specific area that surrounds and protects
network devices that emit electrical signals. It ensures that confidential information is
contained and hinders intruders from accessing information through the airwaves.
Access Control Methods
 Technical (Logical) Controls: The software tools used to restrict subjects’ access to objects. They
are components of operating systems, add-on security packages, applications, network hardware
devices, protocols, encryption mechanisms, and access control matrices.
 System access: There are many types of technical controls that enable a user to access a system and
the resources within that system.
 Network architecture: The architecture of a network can be constructed and enforced through several
logical controls to provide segregation and protection of the environment. Logical separation is through
IP address ranges and subnets and by controlling the communication flow between the segments.
 Network Access
 Networks can have logical controls that dictate who can and cannot access them and what those
individuals can do once they are authenticated.
 Switches, routers, firewalls, and bridges all work as technical controls to enforce access restriction
into and out of the network, and access to the different segments within the network.
 Access to different network segments should be granular in nature.
 Encryption and protocols: work as technical controls to protect information as it passes throughout a
network and resides on computers.
 They ensure that the information is received by the correct entity and that it is not modified during
transmission.
 These controls can preserve the confidentiality and integrity of data and enforce specific paths for
communication to take place.
 Auditing: Auditing tools are technical controls that track activity within a network, on a network
device, or on a specific computer.
Access Control Types
 Each control works at a different level of granularity, but can also
perform several functions
 Access Control: Prevent, Detect, Correct, Deter, Recover, Compensate
 Security controls should be built on the concept of preventative security
 Preventative Administrative Controls: soft mechanisms that are put
into place to enforce access control and protection for the company as a
whole
 Includes policies, hiring practices, security awareness, Data
classification and labeling
 Preventative Physical Controls: physically restrict access to a facility,
specific work areas, or computer systems:
 Includes badges, swipe cards, guards, fences, locks
 Locks are usually considered delay mechanisms because they only
delay a determined intruder. The goal is to delay access long enough
to allow law enforcement or the security guard to respond to the
situation.
 Preventative Technical Controls: logical controls that are part of
operating systems, third party application add-ons, or hardware units:
 Includes passwords, encryption, antivirus software, firewalls
Access Control Types
 Protection = Prevention (Previous model)
 Previously, the focus of security was prevention. It was reasoned that if
unauthorized access to computer systems and networks was prevented,
security had been achieved.
 As security attacks evolved and unauthorized users found multiple ways to
bypass these safeguards, the basic security model, Protection = Prevention,
was modified.
 Protection = Prevention + (Detection + Response)
 The updated model is known as The Operational Model of Computer
Security and is as follows: Protection = Prevention + (Detection +
Response).
 The modification means that two new elements of security come into
play with any security system: detection and response.
 Detection gives security professionals the ability to be alerted to a threat,
and response allows for ways to solve the problem before it becomes
unmanageable. Every security technique and technology falls into at
least one of the elements of this model.
Access Control Types

Previous model: Protection = Prevention


Protection = Prevention + (Detection + Response)

Accountability
 Accountability is tracked by recording user, system, and application activities.
 Audit information must be reviewed: It does no good to collect it if you do not
look at it.
 Event Oriented Audit Review: Review of audit logs after a security breach,
unexplained system action, or system disruption. Audit trails can be viewed
periodically to watch for unusual behavior of users or systems and help
understand the baseline and health of a system.
 Real Time and Near Real Time Review: Audit analysis that can use an
automated tool to review audit information as it is created.
 Audit Reduction Tools: A tool that reduces the amount of information
within an audit log. The tool discards mundane task information and records
system performance, security, and other functionality information.
 Variance Detection Tools: Can monitor computer and resource usage trends
and detect variations.
 Attack Signature Tools: An application that will have a database of
information that has been known to indicate specific attacks. This type of
tool parses audit logs in search of certain patterns. If a pattern matches a
pattern or signature held within its database, the tool indicates that an attack
has taken place or is in progress.
Accountability
 Other accountability concepts…
 Keystroke Monitoring: A type of auditing that can review and
record keystrokes entered by a user during an active session.
A hacker can also use this type of monitoring.
There are privacy issues with this type of monitoring and
administrators could be subject to criminal and civil liabilities
if it is done without proper notification to the employees and
authorization from management.
 Protecting Audit Data and Log Information: Scrubbing;
Removing specific incriminating data within audit logs
 Only certain individuals (administrator and security
personnel) should be able to view, modify, and delete audit
trail information.
 The integrity and confidentiality of audit logs is important
because they could be used as evidence in a trial.
Access Control Practices
 Know the access control tasks that need to be accomplished regularly
to ensure satisfactory security. Best practices include:
 Deny access to anonymous accounts: Limit and monitor the
usage of administrator and other powerful accounts. Suspend or
delay access capability after a specific number of unsuccessful
logon attempts
 Enforce strict access criteria: Enforce the need to know and least
privilege practices.
 Suspend inactive accounts
 Replace default passwords: Limit and monitor global access rules
 Enforce password rotation: Enforce password requirements
(length, contents, lifetime, distribution, storage, and transmission)
 Audit and review: Audit system and user events and actions and
review reports periodically
 Protect audit logs
 Control Zone: Creates a security perimeter and is constructed to
protect against unauthorized access to data or compromise of
sensitive information.
INTRUDER
An intruder is an unexpected, unwanted or
unauthorized person or program
on a computer network.
 Entrance by force or without permission or welcome.
 Objective
 To gain access to a system or to increase the range of
privileges accessible on a system.
 System must maintain a file that associates a password with each
authorized user.

INTRUDER
 Three Classes of Intruders (crackers)
Masquerader
 Unauthorized user who penetrates a system exploiting a
legitimate user’s account. (Outside)
Misfeasor
 Legitimate user who makes unauthorized accesses or
misuses his privileges (inside)
Clandestine user
 Privileged user who seizes supervisory control of the
system and uses this control to evade auditing and access
controls or to suppress audit collection. (Inside/outside)
INTRUDERS
 Range of Intruders: Two ranges
 Benign intruders
 At the benign end of the scale, there are many people who simply wish
to explore internets and see what is out there (misuse of resources).
 Serious intruders.
 At the serious end are individuals who are attempting to read privileged
data, perform unauthorized modifications to data, or disrupt the system.
 Intruder levels: Two Levels
 The high level.
 These were sophisticated users with a thorough knowledge of the
technology.
 The low level (foot soldiers).
 Who merely used the supplied cracking programs with little
understanding of how they worked.
Intrusion Techniques
1. Intruders enter the system by using cracked passwords of
legitimate users.
2. Intruders can also attempt to modify login software to enable
them to capture passwords of users logging on to systems.

 Intrusion Detection
 Detection is concerned with learning of an attack, either before, during
or after the intrusion.
 Intrusion detection systems (IDSs) are different from traditional firewall
products because they are designed to detect a security breach.
 Intrusion detection is a system's second line of defense, while
the firewall is the first line of defense.
 Without doubt, an intrusion prevention system will always fail.
 Systems have to depend on detection of intrusion.
Benefits of intrusion detection system
1. If an intrusion is detected quickly enough, the intruder
can be identified and ejected from the system before any
damage is done or any data are compromised.
 Even if the detection is not sufficiently timely to preempt the
intruder, the sooner that the intrusion is detected, the less the
amount of damage and the more quickly that recovery can be
achieved.
2. An effective intrusion detection system can serve as a
deterrent, so acting to prevent intrusions.
3. Intrusion detection enables the collection of information
about intrusion techniques that can be used to strengthen
the intrusion prevention facility.
FINDING THE BAD GUY
 Need to distinguish between a masquerader and a legitimate user.
 System user behavior is the centre of intrusion detection.
 It is expected that intruder behavior will differ from that of an
authorized user in ways that can be quantified.
 At some points the behaviors overlap.
 Patterns of legal user behavior and illegal user behavior can
be established by observing past history, and significant deviation
from such patterns can be detected.

1. Observe past history
2. Establish patterns of behaviour
3. Look for significant deviations
INTRUDER & AUTHORIZED USER BEHAVIOR
False Positive – authorized users identified as intruders
False Negative – real intruders not identified as intruders
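
The three steps (observe past history, establish a pattern, look for significant deviations) and the two error types can be put together in a few lines. This is an added example, not part of the original slides; the measured behaviour (failed logons per hour), the standard-deviation threshold and all sample values are assumptions constructed for illustration.

```python
import statistics

# Constructed learning data: failed-logon counts per hour for one account
# (the "past history" of step 1).
HISTORY = [2, 3, 1, 4, 2, 3, 2, 5, 3, 2, 4, 3]

# Constructed evaluation data: (observed count, really an intruder?).
OBSERVED = [
    (3, False),
    (6, False),   # legitimate user mistyping a new password
    (5, True),    # slow guessing that stays close to normal behaviour
    (40, True),   # noisy dictionary attack
    (2, False),
    (9, True),
]


def build_profile(history):
    """Steps 1 and 2: turn past history into a pattern (mean, std dev)."""
    return statistics.mean(history), statistics.pstdev(history)


def is_anomalous(value, profile, threshold):
    """Step 3: a value is a significant deviation when it lies more than
    `threshold` standard deviations away from the mean."""
    mean, stdev = profile
    if stdev == 0:
        return value != mean
    return abs(value - mean) / stdev > threshold


def evaluate(observed, profile, threshold):
    """Count both error types at one threshold setting."""
    false_pos = false_neg = 0
    for value, intruder in observed:
        flagged = is_anomalous(value, profile, threshold)
        if flagged and not intruder:
            false_pos += 1      # authorized user identified as intruder
        elif intruder and not flagged:
            false_neg += 1      # real intruder not identified
    return {"false_positives": false_pos, "false_negatives": false_neg}


def sweep(observed, profile, thresholds):
    """Show the trade-off: (threshold, false positives, false negatives)."""
    rows = []
    for t in thresholds:
        result = evaluate(observed, profile, t)
        rows.append((t, result["false_positives"], result["false_negatives"]))
    return rows


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for row in sweep(OBSERVED, profile, [0.5, 2.0, 3.0, 6.0]):
        print("threshold=%.1f  false positives=%d  false negatives=%d" % row)
```

Because the two behaviours overlap, no threshold removes both error types on this data: lowering it flags more legitimate users, raising it lets the quieter intruders through.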

Intrusion Detection
 Three Common Components: Sensors, Analyzers, and
Administrator Interfaces
Most types of IDSs are capable of several types of responses to
a triggered event:
 Send a special signal to drop or kill the packet connections (at
both source and destination).
 Block a user from accessing a resource.
 Send an alert of an event trigger to other hosts
 Some IDS can reconfigure themselves to perform some
predefined action.
Common Types of Intrusion Detections:
1. Intrusion Detection Systems,
2. Intrusion Prevention Systems,
3. Honeypots
4. Network Sniffers
Intrusion Detection Systems
 The IDS can be centralized, as firewall products that have IDS
functionality integrated within them, or distributed, with multiple
sensors throughout the network.
 The sensor’s role is to filter received data, discard irrelevant
information, and detect suspicious activity.
 Two Main Types of Intrusion Detection Systems
 Network Based IDS, aka NIDS (monitor network communications)
 Host Based IDS, aka HIDS (analyze the activity within a
particular computer system)
 HIDS and NIDS can be:
 Signature Based
 Statistical Anomaly Based: Protocol Anomaly Based, and Traffic
Anomaly Based
 Rule Based: Stateful matching, and Model Based

Intrusion Detection Systems (Types)
 Network Based IDS, aka NIDS (monitor network
communications)
Uses sensors, which are either host computers with the
necessary software installed or dedicated appliances, each
with its network interface card (NIC) in promiscuous mode.
Monitors network traffic and cannot see the activity going on
inside a computer itself.
 Host Based IDS, aka HIDS (analyze the activity within a
particular computer system)
Can be installed on individual workstations and/or servers and
watch for inappropriate or anomalous activity.
Usually used to make sure users do not delete system files,
reconfigure important things, or put the system at risk in any
other way.
Intrusion Detection Systems
HIDS and NIDS can be one of the following types:
1. Signature Based: Also known as misuse-detection systems
Signatures: Models of specific attacks and how they are
carried out.
Each identified attack has a signature, which is used to
detect an attack in progress or determine if one has
occurred within the network.
Any action that is not recognized as an attack is considered
acceptable.

Intrusion Detection Systems
 HIDS and NIDS can be one of the following types:
2. Statistical Anomaly Based: Also known as profile-based systems.
 A profile is built by continually sampling the environment’s activities.
 The longer the IDS is in learning mode, the more accurate a profile it will build and the
better protection it will provide.
 Can detect new attacks.
 Anything that does not match the profile is seen as an attack, in response to which the
IDS sends an alert.
 Two types:
 Protocol Anomaly Based: Unusual format or behavior of protocols
 These types of IDS have specific knowledge of each protocol that they will be
monitoring. When the IDS is activated, it looks for anomalies that do not match the
profiles built for the individual protocols.
 Traffic Anomaly Based: Unusual format of traffic patterns.
 Detects changes in traffic patterns, as in DoS attacks or a new service that appears on the
network.
 The thresholds are tunable to adjust the sensitivity, to reduce the number of false
positives and false negatives
 It can detect unknown attacks.
Intrusion Detection Systems
 HIDS and NIDS can be one of the following types:
3. Rule Based
 Commonly associated with the use of an expert system. An expert
system is made up of a knowledge base, inference engine, and rule-
based programming.
 Knowledge is represented as rules, and the data that is to be
analyzed is referred to as facts.
 The rules are applied to the facts, the data that comes in from a
sensor, or a system that is being monitored.
 The more complex the rules, the more demands on software and
hardware processing requirements. Cannot detect new attacks.
 Two types:
 Stateful matching
 Model Based

Intrusion Detection Systems
 HIDS and NIDS can be one of the following types:
3. Rule Based can be one of the following types:
 Stateful matching: Tracking system state changes that indicate an
attack is underway.
 Every change that an operating system experiences is considered a
state transition. A state transition is when a variable’s value
changes, which usually happens continuously within every system.
 The IDS has rules that outline what state transition sequences
should sound an alarm. The activity that takes place between the
initial and compromised state is what the state-based IDS looks for,
and it sends an alarm if any of the state transition sequences match
its pre-defined rules.
 Model Based: Models of attack scenarios are built, and then captured
data is compared to the models to uncover malicious activities.
 The IDS takes in the audit log data and compares it to the different
models that have been developed, to see if the data meets any of
the models’ specifications.
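
Stateful matching, as described above, can be sketched as a matcher that remembers how far each session has progressed through each rule's transition sequence. This is an added example, not part of the original slides; the rule names, transition names and the audit trail are constructed assumptions.

```python
from collections import defaultdict

# Hypothetical rule base: each rule is the sequence of state transitions
# that should sound an alarm (names are assumptions for this example).
RULES = {
    "guessing-then-logon": ["logon_failed"] * 3 + ["logon_ok"],
    "audit-suppression": ["logon_ok", "privilege_raised", "audit_disabled"],
}

# Constructed audit trail: (session id, state transition), in time order.
EVENTS = [
    ("s1", "logon_ok"),
    ("s2", "logon_failed"),
    ("s1", "file_read"),
    ("s2", "logon_failed"),
    ("s3", "logon_ok"),
    ("s2", "logon_failed"),
    ("s3", "privilege_raised"),
    ("s2", "logon_ok"),
    ("s1", "logoff"),
    ("s3", "file_read"),
    ("s3", "audit_disabled"),
]


def stateful_match(events, rules):
    """Return (event index, session, rule name) for every completed rule.

    For each session and rule the matcher keeps the position of the next
    expected transition. A transition that is not the expected one leaves
    the position unchanged, so unrelated activity between the initial and
    the compromised state does not hide the sequence. Progress never
    expires in this sketch.
    """
    progress = defaultdict(int)    # (session, rule name) -> next position
    alarms = []
    for index, (session, transition) in enumerate(events):
        for name, sequence in rules.items():
            key = (session, name)
            if transition == sequence[progress[key]]:
                progress[key] += 1
                if progress[key] == len(sequence):
                    alarms.append((index, session, name))
                    progress[key] = 0     # start watching for a repeat
    return alarms


if __name__ == "__main__":
    for index, session, rule in stateful_match(EVENTS, RULES):
        print(f"ALARM at event {index}: session {session} matched {rule}")
```

Session s1 performs only ordinary transitions and raises no alarm, while s2 and s3 each complete one rule even though their events are interleaved with other sessions.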
Access Control Monitoring
 Intrusion Prevention Systems
 An IPS is a preventative and proactive technology; an IDS is a detective
technology.
 Two types: Network Based (NIPS) and Host Based (HIPS)
 Honeypots
 Attractive trap systems that are designed to direct potential
attackers away from critical systems
 Honeypot systems are filled with false information designed to
appear valuable but that a legitimate user of the system wouldn't
access.
 SNORT: Lightweight IDS, Real-time packet capture and rule analysis
Functions of honeypots:
1. Divert an attacker from accessing critical systems.
2. Collect information about the attacker's activity.
3. Encourage the attacker to stay on the system long enough for
administrators to respond.
Access Control Monitoring
Network sniffers
A general term for programs or devices that are able to
examine traffic on a LAN segment.
The sniffer has to have a protocol-analysis capability to
recognize the different protocol values to properly
interpret their meaning.
The sniffer has to have access to a network adapter that
works in promiscuous mode and a driver that captures
the data.
In the realm of computer networking, promiscuous
mode refers to the special mode of Ethernet hardware, in
particular network interface cards (NICs), that allows a
NIC to receive all traffic on the network, even if it is not
addressed to this NIC.
Threats to Access Control
 A few threats to access control
 Insiders: They have already been given a wide range of access that a
hacker would have to work to obtain, they probably have intimate knowledge
of the environment, and generally they are trusted.
 Countermeasures include good policies and procedures, separation of duties,
job rotation
 Dictionary Attacks: A type of program is fed lists (dictionaries) of commonly
used words or combinations of characters and then compares these values to
capture passwords.
 Countermeasures include strong password policies, strong authentication,
intrusion detection and prevention
 Brute Force Attacks: Generally speaking these are attacks that continually try
different inputs to achieve a predefined goal. (i.e., trying every possible
combination until the correct one is identified.)
 Countermeasures include penetration testing, minimum necessary
information provided, monitoring, intrusion detection, clipping levels
 Spoofing at Logon: An attacker can use a program that presents to the user a
fake logon screen, which often tricks the user into attempting to logon.
 Countermeasures include a guaranteed trusted path, security awareness to be
aware of phishing scams, SSL connection
Security Models
 Confidentiality Security Models: security models with the main
goal of ensuring confidentiality.
 Bell-LaPadula security model
 Integrity Security Models: security models with the main goal of
ensuring integrity.
 Biba model
 Clark-Wilson model
 Each security model, whether integrity-based or confidentiality-
based, focuses on the chosen security policy of the organization
implementing the model.
 Each security model also utilizes a system of checks and balances to
ensure there are no weak points in the security of the computer
systems and networks they are protecting.

Bell-LaPadula security model
A system state is defined to be "secure" if the only
permitted access modes of subjects to objects are in
accordance with a security policy.
To determine whether a specific access mode is allowed,
the clearance of a subject is compared to the classification
of the object (more precisely, to the combination of
classification and set of compartments, making up the
security level) to determine if the subject is authorized for
the specific access mode.
Bell-LaPadula Model: also called the multi-level model
Objective – Protect confidentiality; Based on Military
Policy
The model defines two mandatory access control
(MAC) rules and a discretionary access control (DAC) rule.
Bell-LaPadula security model
 Two principles
1. Simple security rule (“no read up”)
 The Simple Security Rule states that no subject (such as a user or
program) can read information from an object (file or document)
with a security classification higher than that possessed by the
subject itself.
 This means that the system must prevent a user with only a Secret
clearance from reading a document labeled Top Secret.
 This rule is also referred to as the "no-read-up" rule.
2. The *-property (pronounced "star property") principle (“no write
down”) also known as the Confinement property.
 The *-property principle does not allow users to create or change
information in files classified beneath their clearance, to avoid
either accidental or deliberate security disclosures.
Bell-LaPadula security model

Example…

Biba Model security model
 In general, preservation of data integrity (based on Commercial
Policy) has three goals:
 Prevent data modification by unauthorized parties
 Prevent unauthorized data modification by authorized parties
 Maintain internal and external consistency (i.e. data reflects the real
world)
 In the Biba security model, instead of security classifications, integrity
levels are used.
 Biba security model is directed toward data integrity (rather than
confidentiality) and is characterized by the phrase: "no read down, no
write up". This is in contrast to the Bell-LaPadula model which is
characterized by the phrase "no write down, no read up".
 The integrity levels principle is that data with a higher integrity level is
believed to be more accurate or reliable than data with a lower integrity
level.
Biba Model security model
The Biba model defines a set of security rules similar to the
Bell-LaPadula model. These rules are the reverse of the
Bell-LaPadula rules:
The Simple Integrity Axiom states that a subject at a given
level of integrity must not read an object at a lower integrity
level (no read down). Also known as Ring policy.
The * (star) Integrity Axiom states that a subject at a given
level of integrity must not write to any object at a higher level
of integrity (no write up). Also known as Low-water policy.
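
The Bell-LaPadula and Biba rules can be compared side by side as a small reference monitor. This is an added example, not part of the original slides; the class and function names, the two lower classifications, the compartments and all subjects and objects are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Ordered low to high. The slides name only Secret and Top Secret; the two
# lower classifications are assumptions added for the example.
CLASSIFICATIONS = ("Unclassified", "Confidential", "Secret", "Top Secret")


@dataclass(frozen=True)
class Label:
    """Security level = classification + set of compartments."""
    classification: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True if this level is at least as high as `other` and includes
        every one of its compartments."""
        rank = CLASSIFICATIONS.index
        return (rank(self.classification) >= rank(other.classification)
                and self.compartments >= other.compartments)


def blp_allows(subject, obj, mode):
    """Bell-LaPadula mandatory rules (confidentiality)."""
    if mode == "read":        # simple security rule: no read up
        return subject.dominates(obj)
    if mode == "write":       # *-property: no write down
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode: {mode}")


def biba_allows(subject_integrity, object_integrity, mode):
    """Biba rules (integrity); levels are integers, higher = more trusted."""
    if mode == "read":        # simple integrity axiom: no read down
        return object_integrity >= subject_integrity
    if mode == "write":       # * integrity axiom: no write up
        return subject_integrity >= object_integrity
    raise ValueError(f"unknown access mode: {mode}")


class ReferenceMonitor:
    """Mediates every request: the discretionary matrix entry and the
    mandatory Bell-LaPadula rules must both allow it. Every decision is
    recorded in an audit trail."""

    def __init__(self, clearances, classifications, matrix):
        self.clearances = clearances            # subject -> Label
        self.classifications = classifications  # object -> Label
        self.matrix = matrix                    # (subject, object) -> modes
        self.audit = []

    def request(self, subject, obj, mode):
        dac = mode in self.matrix.get((subject, obj), set())
        mac = blp_allows(self.clearances[subject],
                         self.classifications[obj], mode)
        allowed = dac and mac
        self.audit.append((subject, obj, mode, "ALLOW" if allowed else "DENY"))
        return allowed


def build_monitor():
    """Constructed sample subjects, objects and access matrix."""
    clearances = {
        "alice": Label("Secret", frozenset({"crypto"})),
        "bob": Label("Top Secret", frozenset({"crypto", "nuclear"})),
    }
    classifications = {
        "memo.txt": Label("Confidential"),
        "keys.db": Label("Top Secret", frozenset({"crypto"})),
        "reactor.doc": Label("Secret", frozenset({"nuclear"})),
    }
    matrix = {
        ("alice", "memo.txt"): {"read", "write"},
        ("alice", "keys.db"): {"read", "write"},
        ("alice", "reactor.doc"): {"read", "write"},
        ("bob", "reactor.doc"): {"read"},
    }
    return ReferenceMonitor(clearances, classifications, matrix)
```

With compartments, two levels can be incomparable: alice (Secret, crypto) can neither read nor write reactor.doc (Secret, nuclear), because neither label dominates the other.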

Clark-Wilson security model
 The Clark-Wilson integrity model provides a foundation for specifying and
analyzing an integrity policy for a computing system.
 The model is primarily concerned with formalizing the notion of information
integrity.
 Information integrity is maintained by preventing corruption of data items in a
system due to either error or malicious intent.
 An integrity policy describes how the data items in the system should be kept valid
from one state of the system to the next and specifies the capabilities of various
principals in the system.
 The model defines enforcement rules and certification rules.
 The model’s enforcement and certification rules define data items and processes
that provide the basis for an integrity policy. The core of the model is based on the
notion of a transaction.
 In this model the integrity policy addresses the integrity of the transactions.
 The principle of separation of duty requires that the certifier of a transaction and the
implementer be different entities.
Clark-Wilson security model
 The Clark-Wilson security model takes an entirely different approach than the
Bell-LaPadula security model and the Biba security model. This is because the
Clark-Wilson security model uses transactions as the basis of its rules.
 Two levels of integrity
 Constrained Data Items (CDI); Subject to integrity controls
 Unconstrained Data Items (UDI); Not subject to integrity controls
 Two types of processes
 Integrity Verification Processes (IVPs)
 Integrity verification processes ensure that CDI data meets integrity constraints
in order to ensure the system is in a valid state.
 Transformation Processes (TPs)
 Transformation processes change the state of data from one valid state to
another.
 Data in this model cannot be modified directly by a user because it can only be
changed by trusted TPs to which access can be restricted. This restricts the
ability of users to perform certain activities.
Clark-Wilson security model
Example
 A prime example of an organization using an integrity-based security
model would be a financial institution.
 In the Clark-Wilson security model, the account balance of the
banking account would be a CDI because its integrity is a critical
function of the bank.
 A client's color preference of debit card is not a critical function to the
bank and would be considered a UDI.
 Since the integrity of account balances is of extreme importance,
changes to a person's balance must be done through the use of a TP.
 Ensuring the balance is correct would be done by an IVP.
 Only certain employees of the bank would have the ability to modify
a bank account, which would be controlled by limiting the number of
individuals who have the authority to execute TPs that result in
account modification.
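
The bank example maps directly onto code: balances are CDIs changed only through a TP, an IVP checks the state, and only authorized users other than the certifier may run the TP. This is an added example, not part of the original slides; the class, account names, users and the chosen invariant (no negative balance, constant total) are assumptions constructed for illustration.

```python
class IntegrityViolation(Exception):
    """Raised when a request would break the integrity policy."""


class Bank:
    def __init__(self, balances):
        self._cdi = dict(balances)             # CDIs: account balances
        self.udi = {}                          # UDIs: e.g. card colour
        self._total = sum(balances.values())   # invariant checked by the IVP
        self._certifier = {}                   # TP name -> who certified it
        self._triples = set()                  # allowed (user, TP, account)
        self.journal = []                      # record of every TP run

    def ivp(self):
        """IVP: no balance is negative and the total is unchanged."""
        values = self._cdi.values()
        return all(v >= 0 for v in values) and sum(values) == self._total

    def certify(self, tp, certifier):
        self._certifier[tp] = certifier

    def authorize(self, user, tp, account):
        self._triples.add((user, tp, account))

    def balance(self, account):
        return self._cdi[account]

    def transfer(self, user, src, dst, amount):
        """TP: move `amount` from src to dst, taking the CDIs from one
        valid state to another, or refuse and change nothing."""
        tp = "transfer"
        if tp not in self._certifier:
            raise IntegrityViolation("TP has not been certified")
        if self._certifier[tp] == user:
            raise IntegrityViolation(
                "separation of duty: certifier may not execute")
        for account in (src, dst):
            if (user, tp, account) not in self._triples:
                raise IntegrityViolation(
                    f"{user} may not run {tp} on {account}")
        if amount <= 0 or amount > self._cdi[src]:
            raise IntegrityViolation("transfer would leave an invalid state")
        self._cdi[src] -= amount
        self._cdi[dst] += amount
        self.journal.append((user, tp, src, dst, amount))
        if not self.ivp():
            raise IntegrityViolation("IVP failed after TP")


def attempt(bank, user, src, dst, amount):
    """Run the TP and report the outcome as a string."""
    try:
        bank.transfer(user, src, dst, amount)
        return "ok"
    except IntegrityViolation as exc:
        return f"refused: {exc}"


def demo():
    bank = Bank({"acct-1": 100, "acct-2": 50})
    bank.udi["acct-1-card-colour"] = "blue"    # UDI: no integrity controls
    bank.certify("transfer", certifier="auditor")
    for user in ("teller", "auditor"):
        for account in ("acct-1", "acct-2"):
            bank.authorize(user, "transfer", account)
    results = [
        attempt(bank, "teller", "acct-1", "acct-2", 30),    # allowed
        attempt(bank, "auditor", "acct-1", "acct-2", 10),   # certifier
        attempt(bank, "clerk", "acct-1", "acct-2", 10),     # not authorized
        attempt(bank, "teller", "acct-2", "acct-1", 500),   # invalid state
    ]
    return bank, results
```

Python does not enforce the privacy of `_cdi`; in a real system the restriction that CDIs change only through TPs has to be enforced by the platform, not by naming convention.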
Security Models

Model          Objective        Policies
Bell-LaPadula  Confidentiality  No read up; No write down
Biba           Integrity        No read down; No write up
Clark-Wilson   Integrity        Two levels of integrity – UDI and CDI; IVP monitor TP (Transformation Processes)

Computer System Security and Management
Reference Monitors
 Three fundamental concepts in computer security:
 Reference Monitors: An access control concept that refers to an
abstract machine that mediates all accesses to objects by subjects.
 Security Kernel: The hardware, firmware, and software elements
of a trusted computing base that implement the Reference Monitor
concept.
 Trusted Computing Base (TCB): The totality of protection
mechanisms within a computer system – including hardware,
firmware – the combination of which is responsible for enforcing a
security policy.
Different layers in a computer system: Applications, Services, Operating system, OS kernel, Hardware
Computer System Security and Management
Reference Monitors
 In operating systems architecture, a reference monitor is a
tamperproof, always-invoked, and small-enough-to-be-fully-tested-
and-analyzed module that controls all software access to data
objects or devices (verifiable).
 The reference monitor verifies that the request is allowed by the
access control policy.
 The subject issues requests to access the object, and protection is
enforced by a reference monitor that knows which subjects are
allowed to issue which requests.
Computer System Security and Management
Reference Monitors
 Placing the Reference Monitor: The reference monitor can be placed:
 In hardware: Access control mechanisms in microprocessors.
 In the operating system: Access control in Linux.
 In the services layer: Access control in databases.
 In the application: In the application code.
 Operating system integrity
 The goal of an attacker is to disable the security control by
modifying the operating system. When securing an operating
system two requirements have to be addressed:
Users should be able to use the operating system.
Users should not be able to misuse the operating system.

CS 126:
INTRODUCTION TO IT SECURITY

LECTURE 09 (b)
Malicious Software

What is Malware?
 Software intended to intercept or take partial control of a
computer's operation without the user's informed consent.
 Piece of software designed with intent of compromising the
security of another software
 Also called spyware.
 Spyware: The term “spyware” taken literally suggests software
that surreptitiously monitors the user. But it has come to refer more
broadly to any kind of malware.
 Malware covers all kinds of intruder software
Including viruses, worms, backdoors, rootkits, Trojan horses,
stealware etc. These terms have more specific meanings.
 The Purpose of Malware: To partially control the user’s
computer, for reasons such as: to subject the user to advertising,
to launch DDoS on another service, to track the user’s activity
(“spyware”), to spread spam, to commit fraud, such as identity
theft and affiliate fraud, . . . and perhaps other reasons
Malicious Programs
Two categories:
 Those that need a host program: Fragments of programs that
cannot exist independently of some application program, utility, or
system program
 Those that are independent: Self-contained programs that can be
scheduled and run by the operating system (self contained)

TAXONOMY OF
MALICIOUS PROGRAMS

Malicious Programs
 Logic Bombs (also called slag code): Logic embedded in a
program that checks for a set of conditions to arise (such as the
lapse of a certain amount of time or the failure of a program user to
respond to a program command) and executes some function
resulting in unauthorized actions.
 Trapdoors: Secret undocumented entry point into a program, used
to grant access without normal methods of access authentication.
 Trojan Horse: Secret undocumented routine embedded within a
useful program, execution of the program results in execution of
the routine. Common motivation is data destruction.
 Zombie: A program that secretly takes over an Internet-attached
computer and then uses it to launch an untraceable attack. Very
common in Distributed Denial-Of-Service attacks
Malicious Programs
 Virus: A virus is a self-replicating program that produces its own code by
attaching copies of itself into other executable codes
 Some viruses affect computers as their code is executed; other viruses lie
dormant until a pre-determined logical circumstance is met.
 Characteristics of Virus: Infects other programs, transforms itself, encrypts
itself, alters data, corrupts files and programs, and self-propagates.
 Four stages of virus lifetime
1. Dormant phase: Here, the virus remains idle and gets activated based on a
certain action or event(for example, a user pressing a key or on a certain
date and time etc)
2. Propagation phase: The virus starts propagating, that is multiplying itself
(cloning of virus). A piece of code copies itself and each copy starts
copying more copies of self, thus propagating.
3. Triggering phase: A Dormant virus moves into this phase when it gets
activated, that is, the event it was waiting for gets initialized.
4. Execution phase: This is the actual work of the virus. It can be
47 destructive(deleting files on disk) or harmless(popping messages on screen).
Others: Stages of virus life (6 Stages)
1. Design stage: developing virus code using programming
languages or construction kits.
2. Replication stage: the virus replicates for a period of time
within the target system and then spreads itself.
3. Launch stage: it gets activated when the user performs
certain actions such as running an infected program.
4. Detection stage: a virus is identified as a threat infecting
target systems.
5. Incorporation stage: anti-virus software developers
assimilate defenses against the virus.
6. Elimination stage: users install anti-virus updates and
eliminate the virus threats.
Computer Virus
 Avoiding Detection: Infected version of program is longer
than the corresponding uninfected one
Solution: compress the executable file so infected and
uninfected versions are identical in length
 Encryption in the operation of a virus: A portion of the
virus, generally called a mutation engine, creates a random
encryption key to encrypt the remainder of the virus.
The key is stored with the virus, and the mutation engine
itself is altered. When an infected program is invoked, the
virus uses the stored random key to decrypt the virus.
When the virus replicates, a different random key is
selected.

Computer Virus
 Why do people create computer viruses?
Inflict damage to competitors
Vandalism
Financial benefits
Cyber terrorism
Research projects
Distribute political messages
 How does a computer get infected by a virus?
Not running the latest anti-virus application
Not updating and not installing new versions of plug-ins
Installing pirated software
Opening infected e-mail attachments
Accepting files and downloads without properly checking
the source.
Indications of virus attack
 Abnormal activities: If the system acts in an unprecedented
manner, you can suspect a virus attack.
 Processes take more resources and time
 Computer beeps with no display
 Drive label changes
 Unable to load Operating System
 Anti-virus alerts
 Browser window “freezes”
 Hard drive is accessed often
 Files and folders are missing
 Computer freezes frequently or encounters errors
 Computer slows down when programs start.
 Note: false positive
 However, not all glitches can be attributed to virus attacks
Types of viruses
What do they infect?
 System or boot sector viruses
 File virus
 Cluster viruses
 Macro virus
How do they infect?
 Stealth virus/tunneling virus
 Encryption virus
 Polymorphic virus
 Overwriting file or cavity virus
 Sparse virus
 Companion virus/camouflage virus
 Multipartite virus
 Shell virus
 File extension virus
 Add-on virus
 Intrusive virus
 Direct action or transient virus
 Terminate and stay resident virus (TSR)
System or boot sector viruses
 Boot sector virus moves master boot record (MBR) to another
location on the hard disk and copies itself to the original
location of MBR
 When system boots, virus code is executed first and then
control is passed to original MBR

MBR: Master Boot Record


Types of viruses
 Files and multipartite viruses
 File virus: File viruses infect files which are executed or
interpreted in the system, such as COM, EXE, SYS, OVL, OBJ,
PRG, MNU and BAT files
 Multipartite virus: A multipartite virus attempts to attack
both the boot sector and the executable or program files at the
same time
 Macro virus
 Macro viruses infect files created by Microsoft Word or Excel
 Most macro viruses are written using the macro language Visual
Basic for Applications (VBA)
 Macro viruses infect templates or convert infected documents
into template files, while maintaining their appearance of
ordinary document files.
Types of viruses
 Cluster viruses
 Cluster viruses modify directory table entries so that directory
entries point to the virus code instead of the actual program
 There is only one copy of the virus on the disk infecting all the programs
in the computer system
 It will launch itself first when any program on the computer system
is started and then the control is passed to the actual program
 Stealth/tunneling viruses
 These viruses evade the anti-virus software by intercepting its
requests to the operating system
 A virus can hide itself by intercepting the anti-virus software’s
request to read the file and passing the request to the virus, instead
of the OS.
 The virus can then return an uninfected version of the file to the
anti-virus software, so that it appears as if the file is “clean”
Types of viruses
 Encryption viruses
 This type of virus uses simple encryption to
encipher the code
 The virus is encrypted with a different key for each
infected file
 An antivirus (AV) scanner cannot directly detect these
types of viruses using the signature detection method.
 Polymorphic code
 Polymorphic code is code that mutates (constantly changes)
while keeping the original algorithm intact
 To enable polymorphic code, the virus has to have a polymorphic
engine (also called a mutation engine)
 A well-written polymorphic virus therefore has no parts that stay
the same on each infection, making it difficult to detect with
anti-malware programs.
Types of viruses
 Metamorphic viruses
 Metamorphic viruses rewrite themselves completely each time
they are to infect a new executable.
 Metamorphic code can reprogram itself by translating its own
code into a temporary representation and then back to the normal
code again.
 For example, W32/Simile consisted of over 1400 lines of
assembly code, 90% of which is the
metamorphic engine.
 File overwriting or cavity viruses: A cavity virus overwrites a part
of the host file with a constant (usually nulls), without increasing
the length of the file and preserving its functionality.
Types of viruses
 Sparse Infector viruses
 A sparse infector virus infects only occasionally (e.g. every 10th program
executed), or only files whose lengths fall within a narrow range.
 By infecting less often, such viruses try to minimize the probability of
being discovered.

 Companion/camouflage viruses
 A companion virus creates a companion file for each executable
file the virus infects
 Therefore, a companion virus may save itself as notepad.com and
every time a user executes notepad.exe (good program), the
computer will load notepad.com (virus) and infect the system.
Types of viruses
 Shell viruses
 Virus code forms a shell around the target host program’s code, making
itself the original program and the host code its sub-routine
 Almost all boot program viruses are shell viruses

 Add-on and intrusive viruses: Add-on viruses append their code
to the host code without making any changes to the latter, or
relocate the host code to insert their own code at the beginning.
File extension viruses
File extension viruses change the extensions of files
.TXT is safe as it indicates a pure text file
With extensions turned off, if someone sends you a file
named BAD.TXT.VBS, you will only see BAD.TXT
If you have forgotten that extensions are turned off, you
might think it is a text file and open it.
This is an executable Visual Basic script virus file and
could do serious damage.
Countermeasure: turn off “Hide file extensions” in
Windows.
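The BAD.TXT.VBS case above, as an added example (not part of the lecture): a filter that reports what a user sees when extensions are hidden and flags a runnable last extension sitting behind a document-like one. The extension sets, function names and sample attachment names are assumptions constructed for this sketch, and the rule is narrower than "block every file with more than one extension".

```python
import ntpath  # Windows path rules, usable on any platform

# Illustrative subsets chosen for this example, not an exhaustive policy.
RUNNABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat",
                 ".cmd", ".com", ".exe", ".scr", ".pif", ".ps1", ".lnk"}
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def normalize(filename):
    """Drop any directory part and the trailing dots/spaces Windows ignores."""
    return ntpath.basename(filename).rstrip(" .")


def displayed_name(filename):
    """Name shown when 'Hide file extensions' is on: the last extension is dropped."""
    stem, _last = ntpath.splitext(normalize(filename))
    return stem


def classify(filename):
    """Return 'block', 'review' or 'allow' for an incoming file name.

    block  : runnable last extension hidden behind a document-like one
    review : runnable extension with no disguise (policy decision)
    allow  : last extension is not in the runnable set
    """
    stem, last = ntpath.splitext(normalize(filename))
    # Padding spaces before the real extension are part of the same trick.
    _rest, inner = ntpath.splitext(stem.rstrip())
    if last.lower() in RUNNABLE_EXTS:
        return "block" if inner.lower() in DECOY_EXTS else "review"
    return "allow"


def scan(filenames):
    """List (original, displayed, verdict) for every name that is not allowed."""
    return [(name, displayed_name(name), classify(name))
            for name in filenames if classify(name) != "allow"]


# Constructed attachment names for the demonstration.
SAMPLE_ATTACHMENTS = [
    "BAD.TXT.VBS",
    "notes.txt",
    "report.v2.final.txt",
    r"C:\Users\student\Downloads\holiday.jpg.scr",
    "setup.exe",
    "invoice.pdf      .exe",
]

if __name__ == "__main__":
    for original, shown, verdict in scan(SAMPLE_ATTACHMENTS):
        print(f"{verdict:6}  shown as {shown!r}  actual {original!r}")
```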
Transient and terminate and stay resident viruses
Basic infection techniques
 Direct action or transient virus
Transfers all the controls of the host code to where it
resides
Selects the target program to be modified and corrupts it
 Terminate and stay resident virus (TSR)
Remains permanently in the memory during the entire
work session even after the target host’s program is
executed and terminated; can be removed only by
rebooting the system.
Computer worms
 Computer worms are malicious programs that replicate, execute, and
spread across network connections independently, without human
interaction.
 Most worms are created only to replicate and spread across a
network, consuming available computing resources; however, some
worms carry a payload to damage the host system.
 Attackers use a worm payload to install backdoors in infected
computers, which turns them into zombies and creates a botnet; these
botnets can be used to carry out further cyber attacks.
 Unlike a computer virus, a worm does not need to attach
itself to an existing program.
 Worms almost always cause at least some harm to
the network, even if only by consuming
bandwidth, whereas viruses almost always corrupt
or modify files on a targeted computer.
How is a worm different from a virus?

A worm is a special type of virus that can replicate
itself and use memory, but cannot attach itself to
other programs.
A worm takes advantage of file or information
transport features on computer systems and spreads
through the infected network automatically, but a
virus does not.
Virus detection methods
Scanning
Once a virus has been detected, it is possible to write
scanning programs that look for signature string
characteristics of the virus.
Integrity checking
Integrity checking products work by reading the entire
disk and recording integrity data that acts as a
signature for the files and system sectors.
Interception
The interceptor monitors the operating system
requests that are written to the disk.
Viruses Countermeasures
1. Antivirus approaches
2. Advanced antivirus techniques
Generic Decryption
Digital Immune System
3. Behavior-blocking software

Viruses Countermeasures
1. Antivirus Approaches
 Detection: Determine that it has occurred and locate the virus
 Identification: Identify the specific virus
 Removal: Remove all traces and restore the program to its
original state

 Generations of Antivirus Software
 First: Simple scanners (record of program lengths)
 Second: Heuristic scanners (integrity checking with checksums)
 Third: Activity traps (memory resident, detect infected actions)
 Fourth: Full-featured protection (suite of antivirus techniques,
access control capability)
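The difference between a record of program lengths and integrity checking with checksums, as an added example (not part of the lecture): a baseline of both values is taken, one file is then overwritten without changing its length, and each record is compared against the new state. File names, contents and function names are constructed for this sketch; SHA-256 is the checksum chosen here.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Record (length, sha256) for every regular file under root."""
    record = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            name = path.relative_to(root).as_posix()
            record[name] = (len(data), hashlib.sha256(data).hexdigest())
    return record


def compare(baseline, current, use_checksum):
    """Report files that are missing, new, or differ in the chosen field.

    use_checksum=False compares lengths only (the simple length record);
    use_checksum=True compares SHA-256 digests (checksum-based integrity check).
    """
    field = 1 if use_checksum else 0
    findings = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings[name] = "missing"
        elif name not in baseline:
            findings[name] = "new"
        elif baseline[name][field] != current[name][field]:
            findings[name] = "modified"
    return findings


def demo():
    """Build a constructed directory, change it, and run both comparisons."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "editor.bin").write_bytes(b"HDR" + b"\x00" * 64 + b"editor code")
        (root / "viewer.bin").write_bytes(b"HDR" + b"viewer code")
        (root / "notes.txt").write_bytes(b"meeting at 10\n")
        baseline = snapshot(root)

        # Constructed change 1: overwrite padding bytes, length unchanged.
        original = (root / "editor.bin").read_bytes()
        changed = original[:3] + b"A" * 16 + original[19:]
        (root / "editor.bin").write_bytes(changed)

        # Constructed change 2: append bytes, so the length grows.
        with open(root / "viewer.bin", "ab") as handle:
            handle.write(b"extra bytes")

        # Constructed change 3: a file disappears.
        (root / "notes.txt").unlink()

        current = snapshot(root)
        return (compare(baseline, current, use_checksum=False),
                compare(baseline, current, use_checksum=True))


if __name__ == "__main__":
    by_length, by_checksum = demo()
    print("length record  :", by_length)
    print("checksum record:", by_checksum)
```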
WHAT ARE THE CURRENT AVAILABLE ANTIVIRUS
PROGRAMS?

Viruses Countermeasures
2. Advanced Antivirus Techniques
 Generic Decryption
 Digital Immune System
Generic Decryption
 Generic decryption (GD) technology enables the antivirus program
to easily detect even the most complex polymorphic viruses and
other malware, while maintaining fast scanning speeds.
 Contains following elements:
 CPU emulator: software based virtual computer. Instructions in
an executable file are interpreted by the emulator rather than
executed on the underlying processor so that the underlying
processor is unaffected by programs interpreted on the emulator.
 Virus signature scanner: scans target code looking for known
signatures
 Emulation control module: controls execution of the target code.
Thus, if the code includes a decryption routine that decrypts and
hence exposes the malware, that code is interpreted. In effect, the
malware does the work for the anti-virus program by exposing
itself. Periodically, the control module interrupts interpretation to
scan the target code for malware signatures.
Digital Immune System
 DIS (Digital Immune System): A closed-loop, suspect-code
submission system designed to detect unknown but
potentially malicious code, quarantine the code, submit it for
analysis, and finally push out new virus definitions to
affected systems.
 Developed by IBM (refined by Symantec) as a general-purpose
emulation and virus detection system
 Motivation: rising threat of internet-based virus propagation
Integrated mail systems (e.g. MS Outlook)
Mobile-program systems (e.g. Java and ActiveX)
 Expands the use of program emulation
 Depends on a central Virus Analysis Machine (VAM)
Digital Immune System
This system provides a general-purpose emulation
and virus-detection system. The objective is to
provide rapid response time so that viruses can be
stamped out almost as soon as they are introduced.
When a new virus enters an organization, the
immune system automatically captures it, analyzes
it, adds detection and shielding for it, removes it, and
passes information about that virus to systems
running a general antivirus program so that it can be
detected before it is allowed to run elsewhere.
Digital Immune System
1. Each PC runs a monitoring program to detect unusual behavior
2. Encrypt the sample and forward it to the VAM
3. Analyze the sample in a safe environment via emulation
4. The prescription is sent back to the administrative machine
5-6. Forwarded to the infected client as well as the other PCs on the same network
7. All subscribers receive regular antivirus updates
Viruses Countermeasures
3. Behavior-blocking Software
 Behavior-blocking software integrates with the operating system of a
host computer and monitors program behavior in real time for
malicious actions.
 The behavior-blocking software then blocks potentially malicious
actions before they have a chance to affect the system.
 IPS – Intrusion Prevention Systems
 Monitored behaviors can include
 Attempts to open, view, delete, and/or modify files;
 Attempts to format disk drives and other unrecoverable disk operations;
 Modifications to the logic of executable files or macros;
 Modification of critical system settings, such as start-up settings;
 Scripting of e-mail and instant messaging clients to send executable
content;
 Initiation of network communications.
Malicious Code Protection
Types of Products
 Scanners - identify known malicious code - search
for signature strings
 Integrity Checkers – determine if code has been
altered or changed – checksum based
 Vulnerability Monitors - prevent modification or
access to particularly sensitive parts of the system –
user defined
 Behavior Blockers - list of rules that a legitimate
program must follow – sandbox concept

Virus and worms countermeasures
(others)
 Ensure the executable code sent to the organization is approved
 Do not boot the machine with an infected bootable system disk
 Know about the latest virus threats
 Check the DVDs and CDs for virus infection
 Ensure the pop-up blocker is turned on and use an internet firewall
 Run disk clean up, registry scanner and defragmentation once a
week
 Block the files with more than one file type extension
 Be cautious with the files being sent through the internet
messenger.
Virus and worms countermeasures
(Others)
 Install anti-virus software that detects and removes
infections as they appear
 Generate an anti-virus policy for safe computing and
distribute it to the staff
 Pay attention to instructions while downloading files
or any programs from the Internet
 Update the anti-virus software on a monthly basis, so
that it can identify and clean out new bugs
Virus and worms countermeasures
(others)
 Avoid opening attachments received from an
unknown sender, as viruses spread via e-mail
 A virus infection may corrupt data,
so regularly maintain data backups
 Schedule regular scans for all drives after the
installation of anti-virus software
 Do not accept disks or programs without
checking them first using a current version of an
anti-virus program.
PRACTICE:
USE CARE WHEN READING EMAIL WITH ATTACHMENTS

 Executable content
 Interesting to you (social engineering)
 Violates trust
 KRESV tests
 Know test: Know the sender?
 Received test: Received email before?
 Expect test: Did you expect this email?
 Sense test: Does this email make sense?
 Virus test: Contain a virus?
 Doesn’t pass all tests? Don’t open!
 Level of effort: High

INSTALL AND USE ANTIVIRUS SOFTWARE
 Easy way to gain control of your
computer or account
 Violates “trust”
 DURCH tests
 Demand: Check files on demand?
 Update: Get new virus signatures
automatically?
 Respond: What can be done to
infected files?
 Check: Test every file for viruses.
 Heuristics: Does it look like a virus?
 Level of effort: low
PRACTICE:
MAKE BACKUPS OF IMPORTANT FILES AND FOLDERS

 Can you recover a file or folder if lost?
 Does your computer have a “spare tire”?
 FOMS tests
 Files: What files should be backed up?
 Often: How often should a backup be made?
 Media: What kind of media should be used?
 Store: Where should that media be stored?
 Level of effort:
 setup: medium to high
 maintaining: medium
INSTALL AND USE A FIREWALL PROGRAM
 Limit connections to computer
 Limit connections from computer based on
application
 Portable – follows the computer (laptop)
 PLAT tests
 Program – What program wants to connect?
 Location – Where does it want to connect?
 Allowed – Yes or no?
 Temporary – Permanent or temporary?
 Level of effort:
 install: low
 maintain: high
USE CARE WHEN DOWNLOADING AND
INSTALLING PROGRAMS
Program may satisfy needs but may harm computer
 What does it really do?
 LUB tests
 Learn – What does the
program do to your computer?
 Understand – Can you return
it and completely remove it?
 Buy – Purchase/download
from reputable source?
 Level of effort: high

END

CS 126 LECTURE 09 (b)


CS 126:
INTRODUCTION TO IT SECURITY

Data Backup (c)
Malicious Software
Backup
Meaning
A data backup is an action of copying or archiving files
and folders for the purpose of being able to restore them in
case of data loss.
 A backup simply means making one or more copies of your data.
 Backups are copies of your information that are stored somewhere else.
 Backing up files can protect against accidental loss of user data, database
corruption, hardware failures, and even natural disasters.
 Note:
 If you move the photos from the hard-drive to a CD-R, you do not have a back-up. You
still only have one copy of the photos, but now they are on a CD instead of the hard-drive.
 You only have a backup if you have a second copy of your data.
Cont …
Backup media
 This is the thing you back up on to
 There is a variety of backup media such as:
 floppy disks,
 tapes,
 removable hard disks,
 rewritable CD−ROMs
 Local or cloud servers
 It's a good idea to choose a medium that you find easy to use and
that has enough capacity to hold a single copy of all your
information.
Cont …
Factors for choosing Backup Media
The backup solution that's right for your organization depends on many
factors, including:
 Capacity
 The amount of data that you need to back up on a routine basis.
 Can the backup hardware support the required load given your time and resource constraints?
 Reliability
 The reliability of the backup hardware and media.
 Can you afford to sacrifice reliability to meet budget or time needs?
 Extensibility
 The extensibility of the backup solution.
 Will this solution meet your needs as the organization grows?
 Speed
 The speed with which data can be backed up and recovered.
 Can you afford to sacrifice speed to reduce costs?
 Cost
 The cost of the backup solution.
 Does it fit into your budget?
Cont …
Backup Options
There are two major options for doing backup
 Remote backup
 Local backup
Cont …
Remote Backup
 It is also called Cloud Storage
 It involves storing the copy of your files in the servers owned by a
cloud service provider.
 Some pros of cloud storage are
 It helps to protect your data against some of the worst-case scenarios, such as
natural disasters or critical failures of local devices due to malware.
 It gives you anytime access to data and applications anywhere you have an internet
connection.
 Cloud service providers can often encrypt user data, making it harder for
attackers to access critical information.
 Some cons of cloud storage are:
 It is dependent on the internet connection, which can delay communications
between you and the cloud.
 Cloud users have little or no direct control over their data or knowledge of their
cloud service provider’s security practices.
Cont …
Local Backup
 It involves storing the copy of your files on internal hard disk drives
or removable storage media.
 It provides no delay when you want to access your files.
 Each of these two options has its pros and cons.
 Pros of hard disk drive
 It allows you to quickly update backup files and maintain a simple file structure.
 There is no need to purchase any other storage device.
 Cons of hard disk drive
 Rolling backups can silently propagate any corruption or malware in the primary files to the
backup files.
 If your internal hard drive is damaged, stolen, or corrupted, you could lose both your
primary and backup files.
 Pros of removable storage media
 They are flexible, portable and reusable data storage.
 They are also available in a wide variety of storage capacities and prices.
 Cons of removable storage media
 They are prone to loss or theft.
 Rolling backups may spread corruption and malware from the primary files to the backups.
Cont …
Basic types of Backup
 The techniques you use to backup your files will mainly depend on
the type of data you're backing up, and how convenient you want
the recovery process to be.
 The basic types of backups you can perform include:
 Normal/full backups
 Copy backups
 Differential backups
 Incremental backups
 Daily backups.
Cont …
Normal/full backups
Normal backup involves backing up all files that have been
selected, regardless of the setting of the archive attribute.
 When a file is backed up, the archive attribute is cleared.
 If the file is later modified, this attribute is set, which indicates
that the file needs to be backed up.
Cont …
Copy backups
Copy backup involves all files that have been selected,
regardless of the setting of the archive attribute.
 Unlike a normal backup, the archive attribute on files isn't
modified.
 This allows you to perform other types of backups on the files at a
later date.
Cont …
Differential backups
Differential backup is designed to create backup copies of
files that have changed since the last normal backup.
 The presence of the archive attribute indicates that the file has
been modified and only files with this attribute are backed up.
 However, the archive attribute on files isn't modified.
 This allows you to perform other types of backups on the files at a
later date.
Cont …
Incremental backups
Incremental backup is designed to create backups of files
that have changed since the most recent normal or incremental
backup.
 The presence of the archive attribute indicates that the file has
been modified and only files with this attribute are backed up.
 When a file is backed up, the archive attribute is cleared.
 If the file is later modified, this attribute is set, which indicates
that the file needs to be backed up.
Cont …
Daily backup
Daily backup is designed to back up files using the
modification date on the file itself.
 If a file has been modified on the same day as the backup, the file
will be backed up.
 This technique doesn't change the archive attributes of files.
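The five backup types above, modelled as an added example (not part of the lecture): each type is reduced to which files it selects and whether it clears the archive attribute, then a three-day run compares a differential schedule with an incremental one. File names, dates and function names are constructed for this sketch.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class FileEntry:
    name: str
    modified: date
    archive: bool = True  # a new or changed file has the archive attribute set


# backup type -> (what it selects, whether it clears the archive attribute)
RULES = {
    "normal": ("all", True),
    "copy": ("all", False),
    "differential": ("archive", False),
    "incremental": ("archive", True),
    "daily": ("today", False),
}


def run_backup(kind, files, today):
    """Return the names backed up by `kind` and update archive attributes."""
    selector, clears = RULES[kind]
    if selector == "all":
        chosen = list(files)
    elif selector == "archive":
        chosen = [f for f in files if f.archive]
    else:  # "today": selection uses the modification date, not the attribute
        chosen = [f for f in files if f.modified == today]
    if clears:
        for entry in chosen:
            entry.archive = False
    return [entry.name for entry in chosen]


def modify(files, name, day):
    """Simulate an edit: the modification date changes and the attribute is set."""
    for entry in files:
        if entry.name == name:
            entry.modified = day
            entry.archive = True
            return
    raise KeyError(name)


def simulate(midweek_kind):
    """Normal backup on day 1, then `midweek_kind` on days 2 and 3."""
    day1, day2, day3 = date(2016, 6, 27), date(2016, 6, 28), date(2016, 6, 29)
    files = [FileEntry("a.doc", day1), FileEntry("b.xls", day1), FileEntry("c.db", day1)]
    log = [run_backup("normal", files, day1)]
    modify(files, "a.doc", day2)
    log.append(run_backup(midweek_kind, files, day2))
    modify(files, "b.xls", day3)
    log.append(run_backup(midweek_kind, files, day3))
    return log


if __name__ == "__main__":
    for kind in ("differential", "incremental", "daily", "copy"):
        print(f"{kind:12}", simulate(kind))
```

The differential run grows each day because the attribute is never cleared after the normal backup, while each incremental run holds only that day's change.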
Cont …
Importance of Backup
The main purpose of data backup is to prevent data loss.
 Organization or personal data can be lost through one of the
following ways:
 Human error
 Hard disk failure
 Computer crash
 Malicious software
 Natural hazards
 Theft
 When this happens, the lost data is restored from the backups.
Cont …
Ways of doing Backup
There are several methods of doing backup of your files.
 Some of them are:
 Manual Backup
 Using Backup Program
 Using File History (Windows 8)
 Using Time Machine (Mac OS X)
 Backing up to the Cloud
Cont …
Manual Backup
It is easily done by copying files to the backup media
 The following are steps of doing manual backup
 Insert a storage device or media.
 Decide what you would like to back up.
 Prioritize your data.
 Copy your data.
 Remember to update your backups
 The data are prioritized to make sure all important data are usually
backed up.
Cont …
Using Backup Program
It is done through a software program
 The following are the steps to follow:
 Download a backup program.
 Choose what you want backed up.
 Plug in your backup media
 Set your schedule.
 The span of time between backups depends a lot on how often you
access and edit your files.
 If you are constantly making changes that need to be saved, you’re
better off backing up frequently, as often as every hour.
Cont …
Using File History (Windows 8)
This capability is built into Windows 8
 The backup is done through the following steps:
 Open the File History program.
 Turn on File History
 Configure your File History settings
 Add important files and folders to your libraries.
 Enabling File History requires having an external hard drive or access to
a network folder
 Windows 8 File History will not allow you to choose what is to be
backed up.
 It will automatically back up everything in your user libraries
(Documents, Pictures, etc.).
Cont …
Using Time Machine (Mac OS X)
This capability is built into the Mac OS X operating system
 Backup follows these steps:
 Connect an external drive to your Mac.
 Time Machine should open automatically
 Allow Time Machine to work automatically
 Once you have designated a drive as your Time Machine backup,
your data will be saved automatically every hour.
Cont …
Backing up to the Cloud
There are several free cloud services available that you can use as an
always-online backup location for your files.
 Some of these include
 Google Drive,
 Microsoft SkyDrive,
 Apple iCloud, and
 DropBox
 These can be upgraded with more space for a fee.
There are also cloud-based backup services that charge an annual fee
which are more directly focused towards backing up, and include
scheduling options.
 Some of these include:
 CrashPlan+,
 Carbonite,
 Mozy,
 Backblaze, and
 Acronis
Cont …
 The following are the steps of doing cloud backup:
 Find a cloud service.
 Copy your files to your cloud service.
 Monitor your storage space.
 For management of the amount of space you have got, be careful
to backup only your most necessary files.
 Frequently go through your files on the cloud and cull the old
versions.
Archive

Meaning:
An archive is a collection of computer files that have been
packed together and kept in another location away from the particular
computer.
 Archiving frees up the computer hard disk and leaves the disk space for other
purposes.
 It includes a simple list of files or files organized under a directory or catalog
structure.
 It consists of data that is no longer actively used but still important to the
organization and may be needed for future reference.
Data archiving is the process of moving data that is no longer
actively used to a separate storage device for long term retention.
Cont …
Importance of Archive
Archived data and data archiving are important for several reasons, some of
them are:
 Free up hard disk space to be used for other purposes
 Archived data can be used for backup
 Archived data can be stored in a secure manner.
 Data archiving removes the data from the active system, thus speeding up response
times and enabling swifter processing time.
 It improves data storage efficiency
 The formal archiving processes and technologies improve IT cost control by reclaiming expensive
primary storage by frequently moving infrequently accessed information to lower-cost tiers.
 Promote information transformation
 Data archiving can help organizations use growing volumes of information in potentially new and
unanticipated ways.
 For engineers, accessing archived project materials such as designs, test results, and requirement
documents helps to foster new product innovation.
Cont …
Differences between archive and backup
The two processes differ in the following aspects:

   | Archive | Backup
 1 | A primary information | A copy of information
 2 | Is held for long term: months, years, decades | Is held for short term: days, weeks, month
 3 | Used for compliance and efficiency: data retained in original form; enables response to legal or regulatory action; offloads information from production systems and storage | Used for recovery: improves availability, allowing applications to be restored to a point in time
END

CS 126 LECTURE 09 (c)

