Lecture: 09 (a)
2 6/28/2016
Access Control Methods
Administrative Controls
Senior management must decide what role security will play in an organization.
Policy and Procedure
It is management’s responsibility to construct a security policy.
A security policy works at the top layer of a hierarchical access control model.
A security policy is a high level plan that states management’s intent pertaining to how
security should be practiced within an organization, what actions are acceptable, and
what level of risk the company is willing to accept.
Personnel Controls: Personnel controls indicate how employees are expected to interact with security mechanisms, and address noncompliance issues pertaining to these expectations.
Separation of Duties
Rotation of Duties
Mandatory Vacation
Supervisory Structure
Security Awareness Training
Testing
All security controls, mechanisms, and procedures need to be tested on a periodic basis to
ensure that they properly support the security policy, goals, and objectives set for them.
It is management’s responsibility to make sure that these tests take place.
Access Control Methods
Physical Controls: Physical controls must support and work with administrative and
technical controls to supply the right degree of access control.
Network Segregation: Can be carried out through physical and logical means.
Physical: Each area for equipment has the necessary physical controls to ensure that
only the permitted individuals have access into and out of those sections.
Perimeter Security: Perimeter security mechanisms provide physical access control
by providing protection for individuals, facilities, and the components within facilities.
Computer Controls: Each computer can have physical controls installed and configured (e.g., locks on the cover, removal of floppy drives, or a protection device that eliminates electrical emissions to thwart attempts to gather information through the airwaves).
Work Area Separation: Some environments might dictate that only particular
individuals can access certain areas of the facility.
Data Backups: Backing up data is a physical control to ensure that information can
still be accessed after an emergency or disruption of the network or system.
Cabling: Protection for the various types of cabling that carry information throughout
a network.
Control Zone: A physical control; a specific area that surrounds and protects network devices that emit electrical signals. It ensures that confidential information is contained and hinders intruders from accessing information through the airwaves.
Access Control Methods
Technical (Logical) Controls: The software tools used to restrict subjects' access to objects. They are components of operating systems, add-on security packages, applications, network hardware devices, protocols, encryption mechanisms, and access control matrices.
System access: There are many types of technical controls that enable a user to access a system and
the resources within that system.
Network architecture: The architecture of a network can be constructed and enforced through several
logical controls to provide segregation and protection of the environment. Logical separation is through
IP address ranges and subnets and by controlling the communication flow between the segments.
Network Access
Networks can have logical controls that dictate who can and cannot access them and what those
individuals can do once they are authenticated.
Switches, routers, firewalls, and bridges all work as technical controls to enforce access restrictions into and out of the network, and access to the different segments within the network.
Access to different network segments should be granular in nature.
Encryption and protocols: work as technical controls to protect information as it passes throughout a
network and resides on computers.
They ensure that the information is received by the correct entity and that it is not modified during
transmission.
These controls can preserve the confidentiality and integrity of data and enforce specific paths for
communication to take place.
Auditing: Auditing tools are technical controls that track activity within a network, on a network device, or on a specific computer.
Access Control Types
Each control works at a different level of granularity, but can also
perform several functions
Access Control: Prevent, Detect, Correct, Deter, Recover, Compensate
Security controls should be built on the concept of preventative security
Preventative Administrative Controls: soft mechanisms that are put
into place to enforce access control and protection for the company as a
whole
Includes policies, hiring practices, security awareness, Data
classification and labeling
Preventative Physical Controls: physically restrict access to a facility,
specific work areas, or computer systems:
Includes badges, swipe cards, guards, fences, locks
Locks are usually considered delay mechanisms because they only
delay a determined intruder. The goal is to delay access long enough
to allow law enforcement or the security guard to respond to the
situation.
Preventative Technical Controls: logical controls that are part of
operating systems, third party application add-ons, or hardware units:
Includes passwords, encryption, antivirus software, firewalls
Access Control Types
Protection = Prevention (Previous model)
Previously, the focus of security was prevention. It was reasoned that if
unauthorized access to computer systems and networks was prevented,
security had been achieved.
As security attacks have evolved and unauthorized users have found multiple ways to bypass these safeguards, the basic security model Protection = Prevention has had to be modified.
Protection = Prevention + (Detection + Response)
The updated model is known as The Operational Model of Computer
Security and is as follows: Protection = Prevention + (Detection +
Response).
The modification means that two new elements of security come into
play with any security system: detection and response.
Detection gives security professionals the ability to be alerted to a threat, and response allows for ways to solve the problem before it becomes unmanageable. Every security technique and technology falls into at least one of the elements of this model.
Accountability
Accountability is tracked by recording user, system, and application activities.
Audit information must be reviewed: It does no good to collect it if you do not
look at it.
Event Oriented Audit Review: Review of audit logs after a security breach,
unexplained system action, or system disruption. Audit trails can be viewed
periodically to watch for unusual behavior of users or systems and help
understand the baseline and health of a system.
Real Time and Near Real Time Review: Audit analysis that can use an
automated tool to review audit information as it is created.
Audit Reduction Tools: A tool that reduces the amount of information
within an audit log. The tool discards mundane task information and records
system performance, security, and other functionality information.
Variance Detection Tools: Can monitor computer and resource usage trends
and detect variations.
Attack Signature Tools: An application that will have a database of
information that has been known to indicate specific attacks. This type of
tool parses audit logs in search of certain patterns. If a pattern matches a
pattern or signature held within its database, the tool indicates that an attack
has taken place or is in progress.
Accountability
Other accountability concepts…
Keystroke Monitoring: A type of auditing that can review and
record keystrokes entered by a user during an active session.
A hacker can also use this type of monitoring.
There are privacy issues with this type of monitoring and
administrators could be subject to criminal and civil liabilities
if it is done without proper notification to the employees and
authorization from management.
Protecting Audit Data and Log Information: Scrubbing is the removal of specific incriminating data from audit logs.
Only certain individuals (administrators and security personnel) should be able to view, modify, and delete audit trail information.
The integrity and confidentiality of audit logs is important because they could be used as evidence in a trial.
Access Control Practices
Know the access control tasks that need to be accomplished regularly
to ensure satisfactory security. Best practices include:
Deny access to anonymous accounts.
Limit and monitor the usage of administrator and other powerful accounts.
Suspend or delay access capability after a specific number of unsuccessful logon attempts.
Enforce strict access criteria: enforce the need-to-know and least-privilege practices.
Suspend inactive accounts.
Replace default passwords.
Limit and monitor global access rules.
Enforce password rotation and password requirements (length, contents, lifetime, distribution, storage, and transmission).
Audit system and user events and actions, and review reports periodically.
Protect audit logs.
Control Zone: Creates a security perimeter and is constructed to
protect against unauthorized access to data or compromise of
sensitive information.
INTRUDER
An intruder is an unexpected, unwanted, or unauthorized person or program on a computer network; an intrusion is entrance by force or without permission or welcome.
Objective
To gain access to a system or to increase the range of
privileges accessible on a system.
The system must maintain a file that associates a password with each authorized user.
INTRUDER
Three Classes of Intruders (crackers)
Masquerader
Unauthorized user who penetrates a system exploiting a
legitimate user’s account. (Outside)
Misfeasor
Legitimate user who makes unauthorized accesses or
misuses his privileges (inside)
Clandestine user
Privileged user who seizes supervisory control of the
system and uses this control to evade auditing and access
controls or to suppress audit collection. (Inside/outside)
INTRUDERS
Range of Intruders: Two ranges
Benign intruders
At the benign end of the scale, there are many people who simply wish to explore internets and see what is out there (misuse of resources).
Serious intruders
At the serious end are individuals who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system.
Intruder levels: Two levels
The high level
Sophisticated users with a thorough knowledge of the technology.
The low level (foot soldiers)
Those who merely use the supplied cracking programs with little understanding of how they work.
Intrusion Techniques
1. Intruders enter the system by using the cracked passwords of legitimate users.
2. Intruders can also attempt to modify login software to enable them to capture the passwords of users logging on to systems.
Intrusion Detection
Detection is concerned with learning of an attack, either before, during, or after the intrusion.
Intrusion detection systems (IDSs) are different from traditional firewall products because they are designed to detect a security breach.
Intrusion detection is a system's second line of defense, while the firewall is the first line of defense.
Without doubt, an intrusion prevention system will always fail at some point, so systems have to depend on the detection of intrusions.
Benefits of intrusion detection system
1. If an intrusion is detected quickly enough, the intruder
can be identified and ejected from the system before any
damage is done or any data are compromised.
Even if the detection is not sufficiently timely to preempt the
intruder, the sooner that the intrusion is detected, the less the
amount of damage and the more quickly that recovery can be
achieved.
2. An effective intrusion detection system can serve as a
deterrent, so acting to prevent intrusions.
3. Intrusion detection enables the collection of information
about intrusion techniques that can be used to strengthen
the intrusion prevention facility.
FINDING THE BAD GUY
We need to distinguish between a masquerader and a legitimate user.
User behavior is the centre of intrusion detection.
It is expected that intruder behavior will differ from that of an authorized user in ways that can be quantified.
At some points the two behaviors overlap.
Patterns of legitimate user behavior and illegitimate user behavior can be established by observing past history, and significant deviation from such patterns can be detected.
Intrusion Detection
Three Common Components: Sensors, Analyzers, and
Administrator Interfaces
Most types of IDSs are capable of several types of responses to
a triggered event:
Send a special signal to drop or kill the packet connections (at
both source and destination).
Block a user from accessing a resource.
Send an alert of an event trigger to other hosts
Some IDS can reconfigure themselves to perform some
predefined action.
Common Types of Intrusion Detections:
1. Intrusion Detection Systems,
2. Intrusion Prevention Systems,
3. Honeypots
4. Network Sniffers
Intrusion Detection Systems
The IDS can be centralized, as firewall products that have IDS
functionality integrated within them, or distributed, with multiple
sensors throughout the network.
The sensor’s role is to filter received data, discard irrelevant
information, and detect suspicious activity.
Two Main Types of Intrusion Detection Systems
Network Based IDS, aka NIDS (monitor network communications)
Host Based IDS, aka HIDS (analyze the activity within a
particular computer system)
HIDS and NIDS can be:
Signature Based
Statistical Anomaly Based: Protocol Anomaly Based, and Traffic
Anomaly Based
Rule Based: Stateful matching, and Model Based
Intrusion Detection Systems (Types)
Network Based IDS, aka NIDS (monitor network
communications)
Uses sensors, which are either host computers with the
necessary software installed or dedicated appliances, each
with its network interface card (NIC) in promiscuous mode.
Monitors network traffic and cannot see the activity going on
inside a computer itself.
Host Based IDS, aka HIDS (analyze the activity within a
particular computer system)
Can be installed on individual workstations and/or servers and
watch for inappropriate or anomalous activity.
Usually used to make sure users do not delete system files,
reconfigure important things, or put the system at risk in any
other way.
Intrusion Detection Systems
HIDS and NIDS can be one of the following types:
1. Signature Based: Also known as misuse-detection systems
Signatures: Models of specific attacks and how they are
carried out.
Each identified attack has a signature, which is used to
detect an attack in progress or determine if one has
occurred within the network.
Any action that is not recognized as an attack is considered
acceptable.
Intrusion Detection Systems
HIDS and NIDS can be one of the following types:
2. Statistical Anomaly Based: Also known as profile-based systems.
A profile is built by continually sampling the environment’s activities.
The longer the IDS is in learning mode, the more accurate a profile it will build and the
better protection it will provide.
Can detect new attacks.
Anything that does not match the profile is seen as an attack, in response to which the
IDS sends an alert.
Two types:
Protocol Anomaly Based: Unusual format or behavior of protocols.
These types of IDS have specific knowledge of each protocol that they will be monitoring; when the IDS is activated, it looks for anomalies that do not match the profiles built for the individual protocols.
Traffic Anomaly Based: Unusual traffic patterns.
Detects changes in traffic patterns, as in DoS attacks or a new service that appears on the network.
The thresholds are tunable to adjust the sensitivity and reduce the number of false positives and false negatives.
It can detect unknown attacks.
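The following is an added example, not code from the lecture: a small Python audit-log analyzer that implements three of the approaches described here and under Accountability above, namely a signature (misuse) detector, a clipping level for failed logons, and a statistical anomaly detector that builds a per-user events-per-hour profile from a learning window. The log format, user names, paths and the two signatures are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Assumed (constructed) audit-record format:
#   "<timestamp> user=<name> event=<type> detail=<text>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) detail=(?P<detail>.*)$"
)

def parse(lines):
    """Parse audit lines into dicts; lines not in the assumed format are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

# Signature (misuse) detection: a known-bad pattern over a single record.
# Only what the signature database knows about is found; anything else is
# treated as acceptable, which is the weakness the slides point out.
SIGNATURES = [
    ("login program modified",
     lambda r: r["event"] == "file_write" and r["detail"].startswith("/bin/login")),
    ("audit trail tampering",
     lambda r: r["event"] in ("file_write", "file_delete")
     and r["detail"].startswith("/var/log/audit")),
]

def signature_alerts(records):
    """(timestamp, user, signature name) for every record that matches a signature."""
    return [(r["ts"], r["user"], name)
            for r in records for name, match in SIGNATURES if match(r)]

def clipping_level_alerts(records, threshold=3):
    """Clipping level: users whose failed logons in the window reach the threshold."""
    failures = Counter(r["user"] for r in records
                       if r["event"] == "logon" and r["detail"] == "failure")
    return sorted(user for user, n in failures.items() if n >= threshold)

def _events_per_hour(records):
    per_hour = defaultdict(Counter)             # user -> hour bucket -> event count
    for r in records:
        per_hour[r["user"]][r["ts"][:13]] += 1  # bucket key "YYYY-MM-DDTHH"
    return per_hour

def build_profile(learning_records):
    """Statistical profile: (mean, std dev) of events per hour for each user seen."""
    return {user: (mean(list(hours.values())), pstdev(list(hours.values())))
            for user, hours in _events_per_hour(learning_records).items()}

def anomaly_alerts(records, profile, k=3.0):
    """(user, hour, count) when count exceeds mean + k*sigma, or the user has no profile.
    sigma is floored at 1 so a perfectly regular learning window does not flag
    every one-event change; k is the tunable sensitivity the slides mention."""
    alerts = []
    for user, hours in _events_per_hour(records).items():
        for hour, n in sorted(hours.items()):
            if user not in profile:
                alerts.append((user, hour, n))    # never seen while learning
            else:
                mu, sigma = profile[user]
                if n > mu + k * max(sigma, 1.0):
                    alerts.append((user, hour, n))
    return alerts

def _routine_reads(user, hour, n):
    """Constructed routine records: n file_read events for user within one hour."""
    return [f"2016-06-28T{hour:02d}:{m:02d}:00 user={user} event=file_read "
            f"detail=/srv/reports/r{m}.txt" for m in range(n)]

# Learning window: normal activity only (constructed).
LEARNING = (_routine_reads("alice", 8, 3) + _routine_reads("alice", 9, 2)
            + _routine_reads("alice", 10, 3) + _routine_reads("bob", 8, 2)
            + _routine_reads("bob", 9, 2))

# Observed window: alice's rate jumps, bob fails three logons and then writes
# to the login program, and an unknown user carol appears (all constructed).
OBSERVED = _routine_reads("alice", 8, 8) + [
    "2016-06-28T08:01:00 user=bob event=logon detail=failure",
    "2016-06-28T08:01:10 user=bob event=logon detail=failure",
    "2016-06-28T08:01:20 user=bob event=logon detail=failure",
    "2016-06-28T08:05:00 user=bob event=file_write detail=/bin/login",
    "2016-06-28T08:07:00 user=carol event=file_read detail=/srv/reports/r0.txt",
    "this line is not an audit record and is skipped by the parser",
]

def analyze(observed=OBSERVED, learning=LEARNING):
    """Run all three analyses over the observed window and return the alerts."""
    records = parse(observed)
    return {
        "signature": signature_alerts(records),
        "clipping": clipping_level_alerts(records),
        "anomaly": anomaly_alerts(records, build_profile(parse(learning))),
    }
```

Note that bob's four events in the hour stay under his anomaly threshold, so only the signature and the clipping level catch him, while alice's burst and the unknown user carol are caught only by the profile.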
Intrusion Detection Systems
HIDS and NIDS can be one of the following types:
3. Rule Based
Commonly associated with the use of an expert system. An expert system is made up of a knowledge base, an inference engine, and rule-based programming.
Knowledge is represented as rules, and the data that is to be analyzed is referred to as facts.
The rules are applied to the facts, i.e. the data that comes in from a sensor or from a system that is being monitored.
The more complex the rules, the greater the demands on software and hardware processing. Cannot detect new attacks.
Two types:
Stateful matching
Model Based
Intrusion Detection Systems
HIDS and NIDS can be one of the following types:
3. Rule Based can be one of the following types:
Stateful matching: Tracking system state changes that indicate an
attack is underway.
Every change that an operating system experiences is considered a
state transition. A state transition is when a variable’s value
changes, which usually happens continuously within every system.
The IDS has rules that outline which state transition sequences should sound an alarm. The activity that takes place between the initial and compromised state is what the state-based IDS looks for, and it sends an alarm if any of the state transition sequences match its pre-defined rules.
Model Based: Models of attack scenarios are built, and then captured data is compared to the models to uncover malicious activities.
The IDS takes in the audit log data and compares it to the different models that have been developed, to see if the data meets any of the models' specifications.
Access Control Monitoring
Intrusion Prevention Systems
An IPS is a preventative and proactive technology, whereas an IDS is a detective technology.
Two types: Network Based (NIPS) and Host Based (HIPS)
Honeypots
Attractive trap systems that are designed to direct potential attackers away from critical systems.
Honeypot systems are filled with false information designed to appear valuable but that a legitimate user of the system would not access.
SNORT: Lightweight IDS; real-time packet capture and rule analysis.
Functions of honeypots:
1. Divert an attacker from accessing critical systems.
2. Collect information about the attacker's activity.
3. Encourage the attacker to stay on the system long enough for administrators to respond.
Access Control Monitoring
Network sniffers
A general term for programs or devices that are able to
examine traffic on a LAN segment.
The sniffer has to have a protocol-analysis capability to
recognize the different protocol values to properly
interpret their meaning.
The sniffer has to have access to a network adapter that
works in promiscuous mode and a driver that captures
the data.
In the realm of computer networking, promiscuous mode refers to the special mode of Ethernet hardware, in particular network interface cards (NICs), that allows a NIC to receive all traffic on the network, even if it is not addressed to this NIC.
Threats to Access Control
A few threats to access control
Insiders: The threat is that they have already been given a wide range of access that a hacker would have to work to obtain, they probably have intimate knowledge of the environment, and generally they are trusted.
Countermeasures include good policies and procedures, separation of duties, job rotation
Dictionary Attacks: A program is fed lists (dictionaries) of commonly used words or combinations of characters and then compares these values to captured passwords.
Countermeasures include strong password policies, strong authentication,
intrusion detection and prevention
Brute Force Attacks: Generally speaking these are attacks that continually try
different inputs to achieve a predefined goal. (i.e., trying every possible
combination until the correct one is identified.)
Countermeasures include penetration testing, minimum necessary
information provided, monitoring, intrusion detection, clipping levels
Spoofing at Logon: An attacker can use a program that presents the user with a fake logon screen, which often tricks the user into attempting to log on.
Countermeasures include a guaranteed trusted path, security awareness to be
aware of phishing scams, SSL connection
Security Models
Confidentiality Security Models: security models with the main
goal of ensuring confidentiality.
Bell-LaPadula security model
Integrity Security Models: security models with the main goal of
ensuring integrity.
Biba model
Clark-Wilson model
Each security model, whether integrity-based or confidentiality-based, focuses on the chosen security policy of the organization implementing the model.
Each security model also utilizes a system of checks and balances to
ensure there are no weak points in the security of the computer
systems and networks they are protecting.
Bell-LaPadula security model
A system state is defined to be "secure" if the only
permitted access modes of subjects to objects are in
accordance with a security policy.
To determine whether a specific access mode is allowed,
the clearance of a subject is compared to the classification
of the object (more precisely, to the combination of
classification and set of compartments, making up the
security level) to determine if the subject is authorized for
the specific access mode.
Bell-LaPadula Model: also called the multi-level model
Objective – Protect confidentiality; Based on Military
Policy
The model defines two mandatory access control (MAC) rules and one discretionary access control (DAC) rule.
Bell-LaPadula security model
Two principles
1. Simple security rule (“no read up”)
The Simple Security Rule states that no subject (such as a user or
program) can read information from an object (file or document)
with a security classification higher than that possessed by the
subject itself.
This means that the system must prevent a user with only a Secret
clearance from reading a document labeled Top Secret.
This rule is also referred to as the "no-read-up" rule.
2. The *-property (pronounced "star property") principle (“no write
down”) also known as the Confinement property.
The *-property principle does not allow users to create or change information in files classified beneath their clearance, to avoid either accidental or deliberate security disclosures.
Bell-LaPadula security model
Example (the example figure on this slide is not reproduced in the text)
Biba security model
In general, preservation of data integrity (based on Commercial Policy) has three goals:
Prevent data modification by unauthorized parties
Prevent unauthorized data modification by authorized parties
Maintain internal and external consistency (i.e. data reflects the real
world)
In the Biba security model, instead of security classifications, integrity
levels are used.
Biba security model is directed toward data integrity (rather than
confidentiality) and is characterized by the phrase: "no read down, no
write up". This is in contrast to the Bell-LaPadula model which is
characterized by the phrase "no write down, no read up".
The integrity levels principle is that data with a higher integrity level is believed to be more accurate or reliable than data with a lower integrity level.
Biba security model
The Biba model defines a set of security rules similar to the
Bell-LaPadula model. These rules are the reverse of the
Bell-LaPadula rules:
The Simple Integrity Axiom states that a subject at a given
level of integrity must not read an object at a lower integrity
level (no read down). Also known as Ring policy.
The * (star) Integrity Axiom states that a subject at a given
level of integrity must not write to any object at a higher level
of integrity (no write up). Also known as Low-water policy.
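Added example, not part of the lecture: a Python reference monitor that enforces the Bell-LaPadula rules from the previous slides and, with the policy function swapped, the reversed Biba rules, both over the same security-level lattice (rank plus compartments), with a discretionary access matrix checked after the mandatory rule and every decision written to an audit trail. The label orderings and the subject and object names are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed label orderings; any totally ordered set of labels works.
CLASSIFICATION = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

@dataclass(frozen=True)
class Level:
    """A security level: a classification (or integrity) rank plus a set of compartments."""
    rank: int
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: rank at least as high AND a superset of the compartments."""
        return self.rank >= other.rank and self.compartments >= other.compartments

def level(label, ordering, *compartments):
    """Build a Level from a label in one of the orderings above."""
    return Level(ordering[label], frozenset(compartments))

def bell_lapadula(subject, obj, mode):
    """Confidentiality: no read up (simple security rule), no write down (*-property)."""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode {mode!r}")

def biba(subject, obj, mode):
    """Integrity: the mirror image, no read down (simple integrity axiom),
    no write up (* integrity axiom)."""
    if mode == "read":
        return obj.dominates(subject)
    if mode == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown access mode {mode!r}")

class ReferenceMonitor:
    """Mediates every access: the mandatory rule (policy) is applied first, then the
    discretionary access matrix (ds-property); each decision goes to an audit trail."""

    def __init__(self, policy):
        self.policy = policy
        self.subjects = {}     # name -> Level (clearance or integrity level)
        self.objects = {}      # name -> Level (classification or integrity level)
        self.matrix = set()    # discretionary grants: (subject, object, mode)
        self.audit = []

    def add_subject(self, name, lvl):
        self.subjects[name] = lvl

    def add_object(self, name, lvl):
        self.objects[name] = lvl

    def grant(self, subject, obj, mode):
        self.matrix.add((subject, obj, mode))

    def access(self, subject, obj, mode):
        """Return True only if both the mandatory rule and the access matrix allow it."""
        mac_ok = self.policy(self.subjects[subject], self.objects[obj], mode)
        dac_ok = (subject, obj, mode) in self.matrix
        decision = mac_ok and dac_ok
        self.audit.append((subject, obj, mode, "ALLOW" if decision else "DENY"))
        return decision

def blp_demo():
    """Constructed BLP scenario: a Secret-cleared analyst with no compartments."""
    rm = ReferenceMonitor(bell_lapadula)
    rm.add_subject("analyst", level("SECRET", CLASSIFICATION))
    rm.add_object("conf_memo", level("CONFIDENTIAL", CLASSIFICATION))
    rm.add_object("ts_plan", level("TOP SECRET", CLASSIFICATION))
    rm.add_object("secret_crypto", level("SECRET", CLASSIFICATION, "CRYPTO"))
    for obj in list(rm.objects):
        for mode in ("read", "write"):
            rm.grant("analyst", obj, mode)   # DAC says yes everywhere; MAC decides
    return rm

def biba_demo():
    """Constructed Biba scenario: a high-integrity payroll service and a low-integrity browser."""
    rm = ReferenceMonitor(biba)
    rm.add_subject("payroll", level("HIGH", INTEGRITY))
    rm.add_subject("browser", level("LOW", INTEGRITY))
    rm.add_object("ledger", level("HIGH", INTEGRITY))
    rm.add_object("download", level("LOW", INTEGRITY))
    for s in rm.subjects:
        for o in rm.objects:
            for mode in ("read", "write"):
                rm.grant(s, o, mode)
    return rm
```

The compartment case shows why "level" means more than the classification word: a Secret subject without the CRYPTO compartment cannot read a Secret/CRYPTO object, but may still write to it (write up).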
Clark-Wilson security model
The Clark-Wilson integrity model provides a foundation for specifying and
analyzing an integrity policy for a computing system.
The model is primarily concerned with formalizing the notion of information
integrity.
Information integrity is maintained by preventing corruption of data items in a
system due to either error or malicious intent.
An integrity policy describes how the data items in the system should be kept valid
from one state of the system to the next and specifies the capabilities of various
principals in the system.
The model defines enforcement rules and certification rules.
The model’s enforcement and certification rules define data items and processes
that provide the basis for an integrity policy. The core of the model is based on the
notion of a transaction.
In this model the integrity policy addresses the integrity of the transactions.
The principle of separation of duty requires that the certifier of a transaction and the
implementer be different entities.
Clark-Wilson security model
The Clark-Wilson security model takes an entirely different approach than the Bell-LaPadula security model and the Biba security model. This is because the Clark-Wilson security model uses transactions as the basis of its rules.
Two levels of integrity
Constrained Data Items (CDI); Subject to integrity controls
Unconstrained Data Items (UDI); Not subject to integrity controls
Two types of processes
Integrity Verification Processes (IVPs)
Integrity verification processes ensure that CDI data meets integrity constraints
in order to ensure the system is in a valid state.
Transformation Processes (TPs)
Transformation processes change the state of data from one valid state to
another.
Data in this model cannot be modified directly by a user because it can only be
changed by trusted TPs to which access can be restricted. This restricts the
ability of users to perform certain activities.
Clark-Wilson security model
Example
A prime example of an organization using an integrity-based security
model would be a financial institution.
In the Clark-Wilson security model, the account balance of the
banking account would be a CDI because its integrity is a critical
function of the bank.
A client's color preference for a debit card is not a critical function of the bank and would be considered a UDI.
Since the integrity of account balances is of extreme importance,
changes to a person's balance must be done through the use of a TP.
Ensuring the balance is correct would be done by an IVP.
Only certain employees of the bank would have the ability to modify
a bank account, which would be controlled by limiting the number of
individuals who have the authority to execute TPs that result in
account modification.
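The bank scenario above, as an added example (not the lecture's own code): a Python model in which account balances are CDIs, the card colour is a UDI, `transfer` is a certified TP, a non-negative-balance check is the IVP, and the certifier of the TP is barred from executing it (separation of duty). Names, balances and the single TP are constructed for the example.

```python
import copy

class IntegrityViolation(Exception):
    """Raised when a request would break one of the model's enforcement rules."""

class ClarkWilsonSystem:
    """CDIs change only through certified TPs run by authorized users, and every
    result is checked by the IVP before it is committed."""

    def __init__(self, ivp):
        self.cdis = {}          # constrained data items: name -> value
        self.udis = {}          # unconstrained data items: not integrity-controlled
        self.tps = {}           # certified TPs: name -> (function, certifier)
        self.triples = set()    # certified (user, tp, cdi) access relations
        self.ivp = ivp          # integrity verification procedure on a whole state
        self.log = []           # append-only transaction record

    def add_cdi(self, name, value):
        self.cdis[name] = value

    def set_udi(self, name, value):
        self.udis[name] = value   # UDIs may be changed directly by anyone

    def certify_tp(self, name, fn, certifier):
        self.tps[name] = (fn, certifier)

    def authorize(self, user, tp_name, cdi):
        self.triples.add((user, tp_name, cdi))

    def run_tp(self, user, tp_name, cdi_names, **params):
        """The only way a CDI changes. Checks, in order: the TP is certified, the
        executing user is not its certifier (separation of duty), each (user, TP, CDI)
        triple is authorized, and the IVP accepts the resulting state."""
        if tp_name not in self.tps:
            raise IntegrityViolation(f"{tp_name!r} is not a certified TP")
        fn, certifier = self.tps[tp_name]
        if user == certifier:
            raise IntegrityViolation(f"{user!r} certified {tp_name!r} and may not execute it")
        for cdi in cdi_names:
            if (user, tp_name, cdi) not in self.triples:
                raise IntegrityViolation(f"{user!r} may not run {tp_name!r} on {cdi!r}")
        working = {c: copy.deepcopy(self.cdis[c]) for c in cdi_names}
        new_values = fn(working, **params)          # the TP works on a copy, not the CDIs
        candidate = {**self.cdis, **new_values}
        if not self.ivp(candidate):
            self.log.append((user, tp_name, tuple(cdi_names), params, "REJECTED"))
            raise IntegrityViolation("IVP rejected the result; transaction rolled back")
        self.cdis = candidate                        # commit as one transaction
        self.log.append((user, tp_name, tuple(cdi_names), params, "COMMITTED"))
        return new_values

def transfer(working, amount):
    """TP: debit the first CDI passed and credit the second by amount."""
    src, dst = working           # the dict keeps the order the CDIs were named in
    working[src] -= amount
    working[dst] += amount
    return working

def non_negative_balances(state):
    """IVP for the bank: every balance must be a whole, non-negative amount."""
    return all(isinstance(v, int) and v >= 0 for v in state.values())

def build_bank():
    """Constructed bank: two account balances (CDIs), a card colour (UDI), one TP."""
    bank = ClarkWilsonSystem(ivp=non_negative_balances)
    bank.add_cdi("acct_alice", 100)
    bank.add_cdi("acct_bob", 50)
    bank.set_udi("card_colour_alice", "blue")
    bank.certify_tp("transfer", transfer, certifier="auditor")
    for acct in ("acct_alice", "acct_bob"):
        bank.authorize("teller", "transfer", acct)   # only the teller may run it
    return bank

def attempt(bank, user, tp_name, cdi_names, **params):
    """Run a TP; return None on success or the violation message on failure."""
    try:
        bank.run_tp(user, tp_name, cdi_names, **params)
        return None
    except IntegrityViolation as exc:
        return str(exc)
```

An overdrawing transfer is computed on the copy, fails the IVP and is logged as rejected, so the balances never leave a valid state.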
Computer System Security and Management
Reference Monitors
Three fundamental concepts in computer security:
Reference Monitors: An access control concept that refers to an
abstract machine that mediates all accesses to objects by subjects.
Security Kernel: The hardware, firmware, and software elements
of a trusted computing base that implement the Reference Monitor
concept.
Trusted Computing Base (TCB): The totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy.
[Figure: Different layers in a computer system, top to bottom: Applications, Services, Operating system, OS kernel, Hardware]
Computer System Security and Management
Reference Monitors
In operating systems architecture, a reference monitor is a tamperproof, always-invoked, and small-enough-to-be-fully-tested-and-analyzed (verifiable) module that controls all software access to data objects or devices.
The reference monitor verifies that the request is allowed by the
access control policy.
END OF CS 126: LECTURE 09 (a)
CS 126: INTRODUCTION TO IT SECURITY
LECTURE 09 (b)
Malicious Software
What is Malware?
Software intended to intercept or take partial control of a computer's operation without the user's informed consent.
A piece of software designed with the intent of compromising the security of other software.
Also called spyware.
Spyware: The term "spyware" taken literally suggests software that surreptitiously monitors the user, but it has come to refer more broadly to any kind of malware.
Malware covers all kinds of intruder software
Including viruses, worms, backdoors, rootkits, Trojan horses,
stealware etc. These terms have more specific meanings.
The Purpose of Malware: To partially control the user's computer, for reasons such as: to subject the user to advertising, to launch a DDoS on another service, to track the user's activity ("spyware"), to spread spam, to commit fraud such as identity theft and affiliate fraud, and perhaps other reasons.
Two categories
Malicious Programs
Those that need a host program: Fragments of programs that cannot exist independently of some application program, utility, or system program.
Those that are independent: Self-contained programs that can be scheduled and run by the operating system.
[Figure: Taxonomy of malicious programs]
Malicious Programs
Logic Bombs (also called slag code): Logic embedded in a program that checks for a set of conditions to arise (such as the lapse of a certain amount of time or the failure of a program user to respond to a program command) and executes some function resulting in unauthorized actions.
Trapdoors: Secret undocumented entry point into a program, used to grant access without the normal methods of access authentication.
Trojan Horse: Secret undocumented routine embedded within a useful program; execution of the program results in execution of the routine. A common motivation is data destruction.
Zombie: A program that secretly takes over an Internet-attached computer and then uses it to launch an untraceable attack. Very common in Distributed Denial-of-Service attacks.
Malicious Programs
Virus: A virus is a self-replicating program that propagates its own code by attaching copies of itself to other executable code.
Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met.
Characteristics of a virus: infects other programs, transforms itself, encrypts itself, alters data, corrupts files and programs, and self-propagates.
Four stages of a virus's lifetime
1. Dormant phase: Here, the virus remains idle and gets activated based on a certain action or event (for example, a user pressing a key, or a certain date and time).
2. Propagation phase: The virus starts propagating, that is, multiplying itself (cloning of the virus). A piece of code copies itself and each copy starts making more copies of itself, thus propagating.
3. Triggering phase: A dormant virus moves into this phase when it gets activated, that is, the event it was waiting for occurs.
4. Execution phase: This is the actual work of the virus. It can be destructive (deleting files on disk) or harmless (popping up messages on screen).
Another view: stages of a virus's life (6 stages)
1. Design stage: developing the virus code using programming languages or construction kits.
2. Replication stage: the virus replicates for a period of time within the target system and then spreads itself.
3. Launch stage: it gets activated when the user performs certain actions, such as running an infected program.
4. Detection stage: the virus is identified as a threat infecting target systems.
5. Incorporation stage: anti-virus software developers assimilate defenses against the virus.
6. Elimination stage: users install anti-virus updates and eliminate the virus threat.
Computer Virus
Avoiding Detection: An infected version of a program is longer than the corresponding uninfected one.
The virus writer's solution: compress the executable file so that infected and uninfected versions are identical in length.
Encryption in the operation of a virus: A portion of the
virus, generally called a mutation engine, creates a random
encryption key to encrypt the remainder of the virus.
The key is stored with the virus, and the mutation engine
itself is altered. When an infected program is invoked, the
virus uses the stored random key to decrypt the virus.
When the virus replicates, a different random key is
selected.
Computer Virus
Why do people create computer viruses?
Inflict damage on competitors
Vandalism
Financial benefits
Cyber terrorism
Research projects
Distribute political messages
How does a computer get infected by virus?
Not running the latest anti-virus application
Not updating and not installing new versions of plug-ins
Installing pirated software
Opening infected e-mail attachments
Accepting files and downloads without properly checking
their source.
Indications of virus attack
Abnormal activities: if the system acts in an unprecedented
manner, you can suspect a virus attack.
Processes take more resources and time
Computer beeps with no display
Drive label changes
Unable to load the operating system
Anti-virus alerts
Browser window “freezes”
Hard drive is accessed often
Files and folders are missing
Computer freezes frequently or encounters errors
Computer slows down when programs start.
Note: false positives
However, not all glitches can be attributed to virus attacks.
Types of viruses
Viruses are classified by what they infect and by how they infect:
System or boot sector viruses
File viruses
Cluster viruses
Macro viruses
Stealth/tunneling viruses
Encryption viruses
Polymorphic viruses
Overwriting file or cavity viruses
Sparse infector viruses
Companion/camouflage viruses
Multipartite viruses
Shell viruses
File extension viruses
Add-on viruses
Intrusive viruses
Direct action or transient viruses
Terminate and stay resident (TSR) viruses
System or boot sector viruses
Boot sector virus moves master boot record (MBR) to another
location on the hard disk and copies itself to the original
location of MBR
When system boots, virus code is executed first and then
control is passed to original MBR
Types of viruses
Sparse infector viruses
A sparse infector virus infects only occasionally (e.g. every 10th program
executed), or only files whose lengths fall within a narrow range.
By infecting less often, such viruses try to minimize the probability of
being discovered.
Companion/camouflage viruses
A companion virus creates a companion file for each executable
file the virus infects
Therefore, a companion virus may save itself as notepad.com and
every time a user executes a notepad.exe (good program), the
computer will load notepad.com (virus) and infect the system.
Types of viruses
Shell viruses
The virus code forms a shell around the target host program’s code, making
itself the original program and the host code its sub-routine.
Almost all boot program viruses are shell viruses
File extension viruses
File extension viruses exploit the hiding of file extensions.
.TXT is safe, as it indicates a pure text file.
With extension display turned off, if someone sends you a file
named BAD.TXT.VBS, you will only see BAD.TXT.
If you have forgotten that extensions are hidden, you
might think it is a text file and open it.
This is an executable Visual Basic script virus file and
could do serious damage.
Countermeasure: turn off “Hide file extensions” in
Windows.
Transient and terminate and stay
resident viruses
Basic infection techniques
Direct action or transient virus
Transfers all control from the host code to where it
resides
Selects the target program to be modified and corrupts it
Terminate and stay resident virus (TSR)
Remains permanently in memory during the entire
work session, even after the target host program has
executed and terminated; it can be removed only by
rebooting the system.
Computer worms
Computer worms are malicious programs that replicate, execute, and
spread across network connections independently, without human
interaction.
Most worms are created only to replicate and spread across a
network, consuming available computing resources; however, some
worms carry a payload to damage the host system.
Attackers use worm payloads to install backdoors in infected
computers, which turns them into zombies and creates a botnet; these
botnets can be used to carry out further cyber attacks.
Unlike a computer virus, a worm does not need to attach
itself to an existing program.
Worms almost always cause at least some harm to
the network, even if only by consuming
bandwidth, whereas viruses almost always corrupt
or modify files on a targeted computer.
How is worm different from a virus?
Virus detection methods
Scanning
Once a virus has been detected, it is possible to write
scanning programs that look for signature strings
characteristic of the virus.
Integrity checking
Integrity checking products work by reading the entire
disk and recording integrity data that acts as a
signature for the files and system sectors; a later run compares the
current state against that record.
Interception
The interceptor monitors the operating system
requests that write to the disk.
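As an added example (not part of the lecture slides), the first two detection methods above applied to an in-memory set of constructed files: a scanner that looks for known signature strings, and an integrity checker that records SHA-256 hashes as a baseline and later reports what was modified, added or removed. The file contents and the signature strings are constructed placeholders, not real malware signatures.

```python
"""Signature scanning and integrity checking over a constructed file set."""
import hashlib

# Constructed sample "files" (name -> content); kept in memory so this runs offline.
FILES = {
    "calc.exe": b"MZ\x90\x00 legitimate program bytes, nothing suspicious here",
    "notes.txt": b"meeting at 10am, bring the backup tapes",
    "game.exe": b"MZ\x90\x00 program bytes ... PAYLOAD_MARKER_XYZ ... more bytes",
}

# Constructed signature database: virus name -> byte string characteristic of it.
# These are placeholders for the example, not real malware signatures.
SIGNATURES = {
    "Demo.Virus.A": b"PAYLOAD_MARKER_XYZ",
    "Demo.Virus.B": b"ANOTHER_MARKER",
}


def scan_for_signatures(files, signatures):
    """Scanning: report which known signature strings occur in each file.

    Only viruses already in the database can be found this way."""
    hits = {}
    for name, data in files.items():
        matched = [sig for sig, pattern in signatures.items() if pattern in data]
        if matched:
            hits[name] = matched
    return hits


def build_baseline(files):
    """Integrity checking, step 1: record a hash of every file as its signature."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def check_integrity(files, baseline):
    """Integrity checking, step 2: compare the current state with the baseline.

    Catches any change to a recorded file, including infection by a virus the
    signature database has never seen, but cannot say what the change was."""
    current = build_baseline(files)
    return {
        "modified": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo_unknown_virus():
    """Append unknown code to calc.exe: the scanner stays silent, the integrity
    check flags the file. Returns both verdicts for the modified file."""
    baseline = build_baseline(FILES)
    later = dict(FILES)
    later["calc.exe"] = FILES["calc.exe"] + b"UNKNOWN_VIRUS_CODE"  # constructed
    scanner_hit = "calc.exe" in scan_for_signatures(later, SIGNATURES)
    integrity_hit = "calc.exe" in check_integrity(later, baseline)["modified"]
    return scanner_hit, integrity_hit
```

The baseline must itself be stored where the virus cannot rewrite it (for example, read-only or off-line media), otherwise the integrity check can be defeated along with the files it protects.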
Viruses Countermeasures
1. Antivirus approaches
2. Advanced antivirus techniques
Generic Decryption
Digital Immune System
3. Behavior-blocking software
Viruses Countermeasures
1. Antivirus Approaches
Detection: determine that an infection has occurred and locate the virus
Identification: identify the specific virus
Removal: remove all traces of the virus and restore the program to its
original state
Generic Decryption
Generic decryption (GD) technology enables the antivirus program
to detect even the most complex polymorphic viruses and
other malware while maintaining fast scanning speeds.
It contains the following elements:
CPU emulator: a software-based virtual computer. Instructions in
an executable file are interpreted by the emulator rather than
executed on the underlying processor, so the underlying
processor is unaffected by programs interpreted on the emulator.
Virus signature scanner: scans the target code looking for known
signatures.
Emulation control module: controls execution of the target code.
Thus, if the code includes a decryption routine that decrypts and
hence exposes the malware, that code is interpreted. In effect, the
malware does the work for the anti-virus program by exposing
itself. Periodically, the control module interrupts interpretation to
scan the target code for malware signatures.
Digital Immune System
DIS (Digital Immune System): A closed-loop, suspect-code
submission system designed to detect unknown but
potentially malicious code, quarantine the code, submit it for
analysis, and finally push out new virus definitions to
affected systems.
Developed by IBM (refined by Symantec) as a general-purpose
emulation and virus detection system
Motivation: the rising threat of internet-based virus propagation
Integrates with mail systems (e.g. MS Outlook)
Mobile-program systems (e.g. Java and ActiveX)
Expands the use of program emulation
Depends on a central Virus Analysis Machine (VAM)
Digital Immune System
This system provides a general-purpose emulation
and virus-detection system. The objective is to
provide rapid response time so that viruses can be
stamped out almost as soon as they are introduced.
When a new virus enters an organization, the
immune system automatically captures it, analyzes
it, adds detection and shielding for it, removes it, and
passes information about that virus to systems
running a general antivirus program so that it can be
detected before it is allowed to run elsewhere.
Virus and worms countermeasures
(others)
Ensure that executable code sent to the organization is approved
Do not boot the machine from an infected bootable system disk
Know about the latest virus threats
Check DVDs and CDs for virus infection
Ensure the pop-up blocker is turned on and use an internet firewall
Run disk clean-up, a registry scanner and defragmentation once a
week
Block files with more than one file type extension
Be cautious with files sent through internet
messengers.
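An added example (not from the lecture) that implements the "block files with more than one file type extension" countermeasure above and shows why the BAD.TXT.VBS case from the file extension virus slide is dangerous: `displayed_name` reproduces what the user sees when Windows' "Hide extensions for known file types" option is on. The extension sets are assumptions for the example and should be aligned with local policy.

```python
"""Classify attachment names by their file type extensions (added example)."""
from pathlib import PurePosixPath

# Assumed sets for this example; extend to match the organisation's policy.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1"}
DOCUMENT_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS


def type_extensions(filename):
    """Return the trailing run of recognised file type extensions, lower-cased.

    'my.report.docx' -> ['.docx'] (a dot inside the name is not an extension);
    'BAD.TXT.VBS'    -> ['.txt', '.vbs']."""
    exts = []
    for suffix in reversed(PurePosixPath(filename).suffixes):
        s = suffix.lower()
        if s not in KNOWN_EXTS:
            break
        exts.insert(0, s)
    return exts


def displayed_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' enabled:
    the final known extension is dropped, so BAD.TXT.VBS appears as BAD.TXT."""
    suffixes = PurePosixPath(filename).suffixes
    if suffixes and suffixes[-1].lower() in KNOWN_EXTS:
        return filename[: -len(suffixes[-1])]
    return filename


def classify_attachment(filename):
    """Return (decision, reason): block executables outright and any name
    carrying more than one file type extension; allow everything else."""
    exts = type_extensions(filename)
    if not exts:
        return ("allow", "")
    if exts[-1] in EXECUTABLE_EXTS:
        return ("block", f"executable extension {exts[-1]}")
    if len(exts) > 1:
        return ("block", "multiple file type extensions")
    return ("allow", "")
```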
Virus and worms countermeasures
(Others)
Install anti-virus software that detects and removes
infections as they appear
Generate an anti-virus policy for safe computing and
distribute it to the staff
Pay attention to instructions while downloading files
or any programs from the Internet
Update the anti-virus software on a monthly basis, so
that it can identify and clean out new bugs
Virus and worms countermeasures
(others)
Avoid opening attachments received from an
unknown sender, as viruses spread via e-mail
Since a virus infection may corrupt data,
regularly maintain data backups
Schedule regular scans of all drives after the
installation of anti-virus software
Do not accept disks or programs without
checking them first using a current version of an
anti-virus program.
PRACTICE:
USE CARE WHEN READING EMAIL WITH ATTACHMENTS
Executable content
Interesting to you (social engineering)
Violates trust
KRESV tests
Know test: Know the sender?
Received test: Received email before?
Expect test: Did you expect this email?
Sense test: Does this email make sense?
Virus test: Contain a virus?
Doesn’t pass all tests? Don’t open!
Level of effort: High
INSTALL AND USE ANTIVIRUS SOFTWARE
Easy way to gain control of your
computer or account
Violates “trust”
DURCH tests
Demand: Check files on demand?
Update: Get new virus signatures
automatically?
Respond: What can be done to
infected files?
Check: Test every file for viruses?
Heuristics: Does it look like a virus?
Level of effort: low
PRACTICE:
MAKE BACKUPS OF IMPORTANT FILES AND FOLDERS
INSTALL AND USE A FIREWALL PROGRAM
Limit connections to computer
Limit connections from computer based on
application
Portable – follows the computer (laptop)
PLAT tests
Program – What program wants to connect?
Location – Where does it want to connect?
Allowed – Yes or no?
Temporary – Permanent or temporary?
Level of effort:
install: low
maintain: high
USE CARE WHEN DOWNLOADING AND
INSTALLING PROGRAMS
Program may satisfy needs but may harm computer
What does it really do?
LUB tests
Learn – What does the
program do to your computer?
Understand – Can you return
it and completely remove it?
Buy – Purchase/download
from reputable source?
Level of effort: high
END
Data Backup (c)
Backup
Meaning
A data backup is an action of copying or archiving files
and folders for the purpose of being able to restore them in
case of data loss.
A backup simply means making one or more copies of your data.
Backups are copies of your information that are stored somewhere else.
Backing up files can protect against accidental loss of user data, database
corruption, hardware failures, and even natural disasters.
Note:
If you move the photos from the hard-drive to a CD-R, you do not have a back-up. You
still only have one copy of the photos, but now they are on a CD instead of the hard-drive.
You only have a backup if you have a second copy of your data.
Backup media
This is the medium you back up onto.
There is a variety of backup media, such as:
floppy disks,
tapes,
removable hard disks,
rewritable CD-ROMs,
local or cloud servers.
It's a good idea to choose a medium which you find easy to use and
which has enough capacity to hold a single copy of all your
information.
Factors for choosing Backup Media
The backup solution that's right for your organization depends on many
factors, including:
Capacity
The amount of data that you need to back up on a routine basis.
Can the backup hardware support the required load given your time and resource constraints?
Reliability
The reliability of the backup hardware and media.
Can you afford to sacrifice reliability to meet budget or time needs?
Extensibility
The extensibility of the backup solution.
Will this solution meet your needs as the organization grows?
Speed
The speed with which data can be backed up and recovered.
Can you afford to sacrifice speed to reduce costs?
Cost
The cost of the backup solution.
Does it fit into your budget?
Backup Options
There are two major options for doing backups:
Remote backup
Local backup
Remote Backup
It is also called cloud storage.
It involves storing a copy of your files on servers owned by a
cloud service provider.
Some pros of cloud storage are:
It helps to protect your data against some of the worst-case scenarios, such as
natural disasters or critical failures of local devices due to malware.
It gives you anytime access to data and applications anywhere you have an internet
connection.
Cloud service providers can often encrypt user data, making it harder for
attackers to access critical information.
Some cons of cloud storage are:
It is dependent on the internet connection, which can delay communication
between you and the cloud.
Cloud users have little or no direct control over their data, or knowledge of their
cloud service provider’s security practices.
Local Backup
It involves storing a copy of your files on internal hard disk drives
or removable storage media.
It provides no delay when you want to access your files.
Each of these two options has its pros and cons.
Pros of hard disk drives
They allow you to quickly update backup files and maintain a simple file structure.
There is no need to purchase any other storage device.
Cons of hard disk drives
Rolling backups can silently propagate any corruption or malware in the primary files to the
backup files.
If your internal hard drive is damaged, stolen, or corrupted, you could lose both your
primary and backup files.
Pros of removable storage media
They are flexible, portable and reusable data storage.
They are also available in a wide variety of storage capacities and prices.
Cons of removable storage media
They are prone to loss or theft.
Rolling backups may spread corruption and malware from the primary files to the backups.
Basic types of Backup
The techniques you use to backup your files will mainly depend on
the type of data you're backing up, and how convenient you want
the recovery process to be.
The basic types of backups you can perform include:
Normal/full backups
Copy backups
Differential backups
Incremental backups
Daily backups.
Normal/full backups
Normal backup involves backing up all files that have been
selected, regardless of the setting of the archive attribute.
When a file is backed up, the archive attribute is cleared.
If the file is later modified, this attribute is set, which indicates
that the file needs to be backed up.
Copy backups
A copy backup involves backing up all files that have been selected,
regardless of the setting of the archive attribute.
Unlike a normal backup, the archive attribute on files isn't
modified.
This allows you to perform other types of backups on the files at a
later date.
Differential backups
Differential backup is designed to create backup copies of
files that have changed since the last normal backup.
The presence of the archive attribute indicates that the file has
been modified and only files with this attribute are backed up.
However, the archive attribute on files isn't modified.
This allows you to perform other types of backups on the files at a
later date.
Incremental backups
Incremental backup is designed to create backups of files
that have changed since the most recent normal or incremental
backup.
The presence of the archive attribute indicates that the file has
been modified and only files with this attribute are backed up.
When a file is backed up, the archive attribute is cleared.
If the file is later modified, this attribute is set, which indicates
that the file needs to be backed up.
Daily backup
Daily backup is designed to back up files using the
modification date on the file itself.
If a file has been modified on the same day as the backup, the file
will be backed up.
This technique doesn't change the archive attributes of files.
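As an added example (not from the lecture), a small model of the archive attribute rules described for the five backup types above: a toy volume tracks the attribute and modification day per file, and each backup method returns the files it would select and clears the attribute only where the text says it is cleared. The `demo` run shows why a differential backup grows until the next full or incremental backup, while an incremental one only captures changes since the previous one.

```python
"""Model the archive attribute behaviour of the five backup types (added example)."""
from dataclasses import dataclass


@dataclass
class File:
    name: str
    modified_day: int
    archive: bool = True  # set whenever the file is created or modified


class Volume:
    """A toy disk: name -> File, with the archive attribute tracked per file."""

    def __init__(self):
        self.files = {}

    def write(self, name, day):
        """Creating or modifying a file sets its archive attribute."""
        f = self.files.setdefault(name, File(name, day))
        f.modified_day = day
        f.archive = True

    def _select(self, predicate, clear_archive):
        chosen = sorted(f.name for f in self.files.values() if predicate(f))
        if clear_archive:
            for name in chosen:
                self.files[name].archive = False
        return chosen

    def full_backup(self):          # all selected files; attribute cleared
        return self._select(lambda f: True, clear_archive=True)

    def copy_backup(self):          # all selected files; attribute untouched
        return self._select(lambda f: True, clear_archive=False)

    def differential_backup(self):  # changed since the last full; attribute untouched
        return self._select(lambda f: f.archive, clear_archive=False)

    def incremental_backup(self):   # changed since the last full/incremental; cleared
        return self._select(lambda f: f.archive, clear_archive=True)

    def daily_backup(self, today):  # by modification date; attribute untouched
        return self._select(lambda f: f.modified_day == today, clear_archive=False)


def demo():
    """Constructed four-day scenario; returns (backup label, files selected) pairs."""
    v = Volume()
    for name in ("a", "b", "c"):
        v.write(name, day=1)
    log = [("full", v.full_backup())]
    v.write("a", day=2)
    log.append(("diff day2", v.differential_backup()))
    v.write("b", day=3)
    log.append(("diff day3", v.differential_backup()))   # still includes a
    log.append(("incr day3", v.incremental_backup()))    # clears a and b
    v.write("c", day=4)
    log.append(("daily day4", v.daily_backup(4)))
    log.append(("copy day4", v.copy_backup()))           # does not disturb the chain
    log.append(("incr day4", v.incremental_backup()))
    log.append(("incr day4 again", v.incremental_backup()))  # nothing left to back up
    return log
```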
Importance of Backup
The main purpose of data backup is to prevent data loss.
Organization or personal data can be lost through one of the
following ways:
Human error
Hard disk failure
Computer crash
Malicious software
Natural hazards
Theft
When this happens, the lost data are restored from the backups.
Ways of doing Backup
There are several methods of doing backup of your files.
Some of them are:
Manual Backup
Using Backup Program
Using File History (Windows 8)
Using Time Machine (Mac OS X)
Backing up to the Cloud
Manual Backup
It is easily done by copying files to the backup media.
The following are the steps of doing a manual backup:
Insert a storage device or media.
Decide what you would like to back up.
Prioritize your data.
Copy your data.
Remember to update your backups.
The data are prioritized to make sure all important data are always
backed up.
Using Backup Program
It is done through a software program.
The following are the steps to follow:
Download a backup program.
Choose what you want backed up.
Plug in your backup media
Set your schedule.
The span of time between backups depends a lot on how often you
access and edit your files.
If you are constantly making changes that need to be saved, you’re
better off backing up frequently, as often as every hour.
Using File History (Windows 8)
This capability is built into Windows 8.
The backup is done through the following steps:
Open the File History program.
Turn on File History.
Configure your File History settings.
Add important files and folders to your libraries.
Enabling File History requires having an external hard drive or access to
a network folder.
Windows 8 File History will not allow you to choose what is to be
backed up.
It will automatically back up everything in your user libraries
(Documents, Pictures, etc.).
Using Time Machine (Mac OS X)
This is a capability built into the Mac OS X operating system.
Backup follows these steps:
Connect an external drive to your Mac.
Time Machine should open automatically.
Allow Time Machine to work automatically.
Once you have designated a drive as your Time Machine backup,
your data will be saved automatically every hour.
Backing up to the Cloud
There are several free cloud services available that you can use as an
always-online backup location for your files.
Some of these include
Google Drive,
Microsoft SkyDrive,
Apple iCloud, and
DropBox;
they can be upgraded with more space for a fee.
There are also cloud-based backup services that charge an annual fee,
which are more directly focused on backing up and include
scheduling options.
Some of these include:
CrashPlan+,
Carbonite,
Mozy,
Backblaze, and
Acronis
The following are the steps of doing cloud backup:
Find a cloud service.
Copy your files to your cloud service.
Monitor your storage space.
To manage the amount of space you have, be careful
to back up only your most necessary files.
Frequently go through your files on the cloud and cull the old
versions.
Archive
Meaning:
An archive is a collection of computer files that have been
packed together and kept in another location, away from the particular
computer.
Archiving frees up the computer hard disk and leaves the disk space for other
purposes.
It includes a simple list of files, or files organized under a directory or catalog
structure.
It consists of data that are no longer actively used but still important to the
organization and may be needed for future reference.
Data archiving is the process of moving data that is no longer
actively used to a separate storage device for long-term retention.
Importance of Archive
Archived data and the archiving process have several benefits, some of
which are:
Free up hard disk space to be used for other purposes
Archived data can be used for backup
Archived data can be stored in a secure manner
Data archiving removes the data from the active system, thus speeding up response
times and enabling swifter processing
It improves data storage efficiency
Formal archiving processes and technologies improve IT cost control by reclaiming expensive
primary storage, moving infrequently accessed information to lower-cost tiers
Promote information transformation
Data archiving can help organizations use growing volumes of information in potentially new and
unanticipated ways
For engineers, accessing archived project materials such as designs, test results, and requirement
documents helps to foster new product innovation
Differences between archive and backup
The two processes differ in the following aspects:
Archive vs. Backup
1. Archive: the primary information. Backup: a copy of the information.