

Viruses have become one of the biggest curses of the internet world, affecting millions of internet users and businesses. Hackers, spammers, whatever name you choose to call them, and the programs they spread, collectively termed malware, have sown the seeds of fear and doubt in the minds of ordinary internet users. Privacy and security are the most affected areas, and to escape the hassle of viruses, up-to-date anti-virus software is essential for all PCs, particularly those that connect to the internet. It helps to prevent viruses, worms and other malicious software from infecting your computer. It scans new files and emails, and regularly checks existing files and folders for abnormal behaviour. Computer viruses are a sickness that every computer user encounters sooner or later. In fact, viruses are just one example of a whole group of nuisance programs known as malware. Types of malware include:

o Viruses, which, like their biological counterparts, are programs that infect a computer (by various methods) and then spread to other computers when infected files or disks are exchanged.
o Worms, which are similar to viruses but are carried on the Internet and can spread from one computer to another by themselves, with no need for a user to assist the process by giving someone an infected file or disk.
o Trojans, named after the Trojan Horse of mythology, which are programs that pretend to be harmless and useful but in fact do something sinister, like planting a virus in a computer.
o Spyware, which is software that tracks your online activity or monitors your keystrokes and sends this information to a remote server.
o Dialers, which are programs downloaded to your computer from a web page that then steal money from you by dialling premium-rate phone numbers.
o Hijackers, which are small programs usually infiltrated onto your system via email or your web browser, which then hijack your browser settings by (for example) changing your default home page.

Viruses, worms and trojans cause a nuisance just by spreading their infections, but most of them also do something else, known as the payload. The payload may be something innocuous, like displaying a message or changing the system colours, or it may be something destructive like deleting files or formatting the hard disk. This payload often isn't activated until the virus has infected your computer for a while (giving it a chance to spread), so the fact that you haven't noticed anything unusual doesn't mean your computer is necessarily in good health. If your computer gets infected, whether the payload is harmful or not, you want to get rid of the virus as quickly as possible, so as to remove the risk of it spreading to the computers of your friends and colleagues.

The only sure way to get rid of a virus is to use anti-virus software. Some viruses can be removed manually, but different viruses need different removal methods, and by the time you've found out the correct procedure a software virus scanner could already have done the job. In a few cases the virus scanner may not be able to cleanly remove a virus from a file, and the file may be left corrupt and unusable. In this case your only option is to restore an uninfected copy of the file from software installation disks or a backup. A good backup system is by far the best safeguard against losing data due to the action of a virus (as well as other disasters). But it must work hand-in-glove with the regular use of a virus scanner, otherwise your clean backup files could be replaced by infected ones before you realise your system has a virus.

It's better to prevent a virus from infecting your computer in the first place than to have to remove one after it has. Therefore, it's worth paying close attention to virus prevention measures. The best all-round system of protection is to install anti-virus software and enable on-access scanning (this is usually enabled by default). This will work silently in the background, checking files for the presence of viruses. You need not worry about it until it detects a virus and raises the alert. However, you must remain conscious of the need for virus protection to the extent of remembering to update your virus scanner regularly. These days, daily updates are not too often! New viruses are constantly appearing on the scene, and despite the claims of software vendors, virus scanners are not very good at detecting viruses they don't know about. Updating is the only way to maintain your virus scanner at top effectiveness, by ensuring it knows about, and can detect, all the latest threats. Trusted and reliable anti-virus programs include McAfee, Norton Anti-virus, AVG, PCCillin, Trend-Micro and many others. Anti-virus programs work on continuous updates of anti-virus definitions and thwart new viruses by managing to keep a few steps ahead of them.

Trojan horses, worms and DoS (denial of service) attacks are often maliciously used to consume and destroy the resources of a network. Sometimes, misconfigured servers and hosts can serve as network security threats as they unnecessarily consume resources. In order to properly identify and deal with probable threats, one must be equipped with the right tools and security mechanisms. In this article we will discuss some of the best practices for identifying and dealing with such threats.

Types of Network Threats

Most experts classify network security threats in two major categories: logic attacks and resource attacks. Logic attacks exploit existing software bugs and vulnerabilities with the intent of crashing a system. Some use this attack to purposely degrade network performance or grant an intruder access to a system. One such exploit is the Microsoft PnP MS05-039 overflow vulnerability. This attack involves an intruder exploiting a stack overflow in the Windows PnP (plug and play) service and can be executed on a Windows 2000 system without a valid user account. Another example of this network security threat is the infamous ping of death, where an attacker sends ICMP packets to a system that exceed the maximum capacity. Most of these attacks can be prevented by upgrading vulnerable software or filtering specific packet sequences.

Resource attacks are the second category of network security threats. These types of attacks are intended to overwhelm critical system resources such as CPU and RAM. This is usually done by sending multiple IP packets or forged requests. An attacker can launch a more powerful attack by compromising numerous hosts and installing malicious software. The result of this kind of exploit is often referred to as zombies or a botnet. The malicious software normally contains code for sourcing numerous attacks and a standard communications infrastructure to enable remote control. The attacker can then launch subsequent attacks from thousands of zombie machines to compromise a single victim.

Seek and Destroy

The first step in training your staff to identify network security threats is achieving network visibility. This concept is rather simple: you cannot defend against or eradicate what you can't see. This level of network visibility can be achieved with existing features found in devices you already have. Additionally, you can create strategic diagrams to fully illustrate packet flows and where exactly within the network you may be able to implement security mechanisms to properly identify and mitigate potential threats. Mechanisms like NetFlow can be integrated within your infrastructure to help effectively identify and classify problems. Prior to implementing such a system, you should perform some sort of traffic analysis to fully comprehend the rates and patterns of general traffic. You must establish a baseline of normal network activity and patterns in order to detect abnormal activity and potential network security threats. In a successful detection system, learning is achieved over a long interval which includes the peaks and valleys of network activity. The best defense against common network security threats involves devising a system that is adhered to by everyone in the network. Furthermore, you can strengthen your level of security with reliable software that makes this process much easier.

Top Vulnerabilities That Affect All Systems (G)

G1 - Default installs of operating systems and applications

G1.1 Description: Most software, including operating systems and applications, comes with installation scripts or installation programs. The goal of these installation programs is to get the systems installed as quickly as possible, with the most useful functions enabled and the least amount of work being performed by the administrator. To accomplish this goal, the scripts typically install more components than most users need. The vendor philosophy is that it is better to enable functions that are not needed than to make the user install additional functions when they are needed. This approach, although convenient for the user, creates many of the most dangerous security vulnerabilities, because users do not actively maintain and patch software components they don't use. Furthermore, many users fail to realize what is actually installed, leaving dangerous samples on a system simply because users do not know they are there. Those unpatched services provide paths for attackers to take over computers.

For operating systems, default installations nearly always include extraneous services and corresponding open ports. Attackers break into systems via these ports. In most cases, the fewer ports you have open, the fewer avenues an attacker can use to compromise your network. For applications, default installations usually include unneeded sample programs or scripts. One of the most serious vulnerabilities with web servers is sample scripts; attackers use these scripts to compromise the system or gain information about it. In most cases, the system administrator whose system is compromised did not realize that the sample scripts were installed. Sample scripts are a problem because they usually do not go through the same quality control process as other software. In fact they are shockingly poorly written in many cases. Error checking is often forgotten, and the sample scripts offer a fertile ground for buffer overflow attacks.

G1.2 Systems impacted: Most operating systems and applications. Keep in mind that almost all third-party web server extensions come with sample files, many of which are extremely dangerous.

G1.3 How to determine if you are vulnerable: If you have ever used an installation program to install system or service software (as nearly every company has), and you have not removed unnecessary services and installed all security patches, then your computer system is vulnerable to hacker attack. Even if you did perform additional configuration steps, you could still be vulnerable. You should run a port scanner and a vulnerability scanner against any system that is to be connected to the Internet. When analyzing the results, keep in mind the principle that your systems should run the smallest number of services and software packages needed to perform the tasks required of your system.

G1.4 How to protect against it: Remove unnecessary software, turn off unneeded services, and close extraneous ports. This can be a tedious and time-consuming task. For this reason, many large organizations have developed standard installation guidelines for all operating systems and applications used by the organization. These guidelines include installation of only the minimal features needed for the system to function effectively. The Center for Internet Security (CIS) has developed a consensus benchmark for minimum security configuration of Solaris and Windows 2000, based on the combined experience and knowledge of more than 170 organizations from a dozen countries. The CIS guidelines can be used to improve the security of most operating systems. The CIS tools can be used to test the level of security and compare the security status of systems across divisions. Benchmarks and testing tools for other operating systems are in process.

G2 - Accounts with No Passwords or Weak Passwords

G2.1 Description: Most systems are configured to use passwords as the first, and only, line of defense. User IDs are fairly easy to acquire, and most companies have dial-up access that bypasses the firewall. Therefore, if an attacker can determine an account name and password, he or she can log on to the network. Easy-to-guess passwords and default passwords are a big problem, but an even bigger one is accounts with no passwords at all. In practice, all accounts with weak passwords, default passwords, and no passwords should be removed from your system. In addition, many systems have built-in or default accounts. These accounts usually have the same password across installations of the software. Attackers commonly look for these accounts, because they are well known to the attacker community. Therefore, any default or built-in accounts also need to be identified and removed from the system.

G2.2 Systems impacted: Any operating system or application where users authenticate via a user ID and password.

G2.3 How to determine if you are vulnerable: In order to know if you are vulnerable, you need to know what accounts are on your system. The following are the steps that should be performed:

1. Audit the accounts on your systems and create a master list. Do not forget to check passwords on systems like routers and Internet-connected digital printers, copiers and printer controllers.
2. Develop procedures for adding authorized accounts to the list, and for removing accounts when they are no longer in use.
3. Validate the list on a regular basis to make sure no new accounts have been added and that unused accounts have been removed.
4. Run a password cracking tool against the accounts, looking for weak or no passwords. (Make sure you have official written permission before employing a password cracking tool.) The most popular are described below:
   a. LC3 - Microsoft Windows NT and Microsoft Windows 2000
   b. Microsoft Baseline Security Analyzer (MBSA) - Microsoft Windows NT and Microsoft Windows 2000
   c. John the Ripper - Unix
   d. Pandora - Novell
5. Have rigid procedures for removing accounts when employees or contractors leave, or when the accounts are no longer required.

G2.4 How to protect against it: To eliminate these password problems, two steps need to be performed. In the first step, all accounts with no password are given a password or are removed, and weak passwords are strengthened. Sadly, when users are asked to change and strengthen their passwords, they often pick another one that is easy to guess. This brings us to the second step: user passwords should also be validated when they change their password. Computer programs are available to reject any password change that does not meet your security policy:

   For Unix: Npasswd (SunOS 4/5, Digital Unix, HP/UX)
   For Unix: Cracklib and associated PAM modules (Linux)
   For Windows NT: Passfilt

These programs ensure that when passwords are modified, they will be of the length and composition required to make guessing and cracking difficult. Note that many vendor Unix systems include internal support for password hardening, and that there are other packages available as well. Microsoft Windows 2000 includes password constraint options in Group Policy. An administrator can configure the network such that user passwords must have a minimum length, a minimum and maximum age, and other constraints. It is important to require a minimum age on a password. Without it, users tend to change their password when required and then immediately change it back. Requiring a minimum age on passwords makes users remember the passwords and makes them less likely to change them back. If password aging is used, make sure that users are given warning and chances to change their password before it expires. When faced with the message "your password has expired and must be changed," users will tend to pick a bad password.

Many organizations supplement password control programs with controls that ensure that passwords are changed regularly and that old passwords are not reused. Another important supplement is user awareness training that helps users understand why and how to pick strong passwords. The most common advice given for picking better passwords is to pick a phrase or line from a song that includes a number, and construct the password from the first or second letter of each non-numeric word in the phrase and the numeral for any numbers. Adding punctuation makes the password even more difficult to crack. Another way to protect against no passwords or weak passwords is to use an alternative form of authentication such as password-generating tokens or biometrics. If you are having trouble with weak passwords, use an alternative means of authenticating users.
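The password controls described in G2.4, as an added example (not code from the original page or from any of the tools it names): the phrase-to-password advice, a policy check that rejects short, single-class, well-known or reused passwords, and the minimum/maximum age rule with a warning period. The numeric limits and the easy-to-guess list are assumed values.

```python
"""Password-policy checks for section G2.4 (added example, not the page's own
code). The length, age and history limits below are assumed policy values."""
import re
import string
from datetime import date, timedelta

MIN_LENGTH = 8                    # assumed policy values
MIN_AGE = timedelta(days=1)       # stops "change it, then change it straight back"
MAX_AGE = timedelta(days=90)
WARN_BEFORE = timedelta(days=7)   # warn before expiry so users do not panic-pick
HISTORY_DEPTH = 5                 # old passwords that may not be reused
COMMON = {"", "password", "123456", "letmein"}   # constructed easy-to-guess list


def password_from_phrase(phrase):
    """The page's advice: first letter of each non-numeric word of a phrase or
    song line, the numeral for any number, and punctuation kept as it stands."""
    out = []
    for word in phrase.split():
        core = word.strip(string.punctuation)
        trailing = word[len(word.rstrip(string.punctuation)):]
        if core.isdigit():
            out.append(core)
        elif core:
            out.append(core[0])
        out.append(trailing)
    return "".join(out)


def check_password(candidate, history=()):
    """Return the policy rules the candidate breaks (an empty list means accepted).
    An empty string models an account with no password at all."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    if sum(1 for c in classes if re.search(c, candidate)) < 3:
        problems.append("needs 3 of: lower, upper, digit, punctuation")
    if candidate.lower() in COMMON:
        problems.append("in the easy-to-guess list")
    if candidate in list(history)[-HISTORY_DEPTH:]:
        problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
    return problems


def age_status(last_changed, today):
    """Both dates as ISO strings. Returns 'too_young' (change refused because the
    minimum age is not reached), 'ok', 'expiring' (warn the user) or 'expired'."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    if age < MIN_AGE:
        return "too_young"
    if age >= MAX_AGE:
        return "expired"
    if age >= MAX_AGE - WARN_BEFORE:
        return "expiring"
    return "ok"
```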

G3 - Not filtering packets for correct incoming and outgoing addresses

G3.1 Description: Spoofing IP addresses is a common method used by attackers to hide their tracks when they attack a victim. For example, the very popular smurf attack uses a feature of routers to send a stream of packets to thousands of machines. Each packet contains a spoofed source address of a victim. The computers to which the spoofed packets are sent flood the victim's computer, often shutting down the computer or the network. Performing filtering on traffic coming into your network (ingress filtering) and going out (egress filtering) can help provide a high level of protection. The filtering rules are as follows:

1. Any packet coming into your network must not have a source address of your internal network.
2. Any packet coming into your network must have a destination address of your internal network.
3. Any packet leaving your network must have a source address of your internal network.
4. Any packet leaving your network must not have a destination address of your internal network.
5. Any packet coming into your network or leaving your network must not have a source or destination address of a private address or an address listed in RFC1918 reserved space. These include 10.x.x.x/8, 172.16.x.x/12 or 192.168.x.x/16 and the loopback network 127.0.0.0/8.
6. Block any source-routed packets or any packets with the IP options field set.
7. Reserved, DHCP auto-configuration and multicast addresses should also be blocked:
   o 0.0.0.0/8
   o 169.254.0.0/16
   o 192.0.2.0/24
   o 224.0.0.0/4
   o 240.0.0.0/4

G3.2 Systems impacted: Most operating systems and network devices.

G3.3 How to determine if you are vulnerable: Try to send a spoofed packet and see if your external firewall or router blocks it. Programs like nmap can be used to send decoy packets or spoofed packets to test this type of filtering. Once filtering is set up, don't assume that it is working effectively. Test it often.

G3.4 How to protect against it: To defend against this type of attack, filtering rules should be set up on your external router or firewall. Not only should your device block the traffic, but it should also produce a record in the log showing that the spoofed packets have been dropped. Note, however, that this opens the door to a new attack: flooding the logfile. Make sure your logging system can handle a heavy load, otherwise it could be vulnerable to a DoS attack. The following are sample rules for a Cisco router:

   inbound or ingress filtering
      interface Serial 0
         ip address 10.80.71.1 255.255.255.0
         ip access-group 11 in
      access-list 11 deny 192.168.0.0 0.0.255.255
      access-list 11 deny 172.16.0.0 0.15.255.255
      access-list 11 deny 10.0.0.0 0.255.255.255
      access-list 11 deny <your internal network>
      access-list 11 permit any

   outbound or egress filtering
      interface Ethernet 0
         ip address 10.80.71.1 255.255.255.0
         ip access-group 11 in
      access-list 11 permit <your internal network>

(On a real IOS router the two lists need different numbers, since entries with the same access-list number are appended to one list.)
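The seven G3.1 rules as a packet-filtering function, with the G3.4 requirement that every drop produce a log record. This is an added example, not the page's or any vendor's code; the internal prefix 10.80.71.0/24 is assumed from the page's sample router address, and the packets are constructed. Rules 5 and 7 are applied to the external-side address only, as the page's own ACL does for inbound traffic, because an internal network numbered from RFC1918 space would otherwise reject all of its own traffic.

```python
"""Address-filtering checks implementing the seven rules of section G3.1
(added example, not the page's own code). The internal prefix is assumed and
taken from the page's sample router address."""
import ipaddress

INTERNAL = ipaddress.ip_network("10.80.71.0/24")    # assumed internal network
PRIVATE = [ipaddress.ip_network(n) for n in            # rule 5: RFC1918 + loopback
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RESERVED = [ipaddress.ip_network(n) for n in           # rule 7: reserved, auto-config, multicast
            ("0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4")]


def filter_packet(direction, src, dst, ip_options=False):
    """Return None when the packet passes, else the number (1-7) of the rule it breaks.
    Rules 5 and 7 are checked against the external-side address (source on
    ingress, destination on egress), as the page's router ACL does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if s in INTERNAL:
            return 1            # inbound packet claiming an internal source
        if d not in INTERNAL:
            return 2            # inbound packet not addressed to our network
        outside = s
    elif direction == "out":
        if s not in INTERNAL:
            return 3            # outbound packet with a foreign (spoofed) source
        if d in INTERNAL:
            return 4            # outbound packet addressed back inside
        outside = d
    else:
        raise ValueError("direction must be 'in' or 'out'")
    if any(outside in n for n in PRIVATE):
        return 5
    if ip_options:
        return 6                # source routing / IP options field set
    if any(outside in n for n in RESERVED):
        return 7
    return None


def apply_filter(packets):
    """Run (direction, src, dst, ip_options) tuples; return the packets that
    passed and one log line per drop, as G3.4 asks the device to record."""
    passed, log = [], []
    for direction, src, dst, opts in packets:
        rule = filter_packet(direction, src, dst, opts)
        if rule is None:
            passed.append((direction, src, dst))
        else:
            log.append("DROP %s %s->%s rule=%d" % (direction, src, dst, rule))
    return passed, log


SAMPLE = [  # constructed packets for the example
    ("in", "203.0.113.5", "10.80.71.20", False),    # normal inbound
    ("in", "10.80.71.9", "10.80.71.20", False),     # spoofed internal source: rule 1
    ("in", "203.0.113.5", "198.51.100.7", False),   # not for our network: rule 2
    ("in", "192.168.1.1", "10.80.71.20", False),    # private source from outside: rule 5
    ("in", "203.0.113.5", "10.80.71.20", True),     # IP options set: rule 6
    ("out", "10.80.71.20", "198.51.100.7", False),  # normal outbound
    ("out", "203.0.113.5", "198.51.100.7", False),  # spoofed source leaving: rule 3
    ("out", "10.80.71.20", "224.0.0.1", False),     # multicast destination: rule 7
]
```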

G4 - Non-existent or incomplete logging

G4.1 Description: One of the maxims of security is, "Prevention is ideal, but detection is a must." As long as you allow traffic to flow between your network and the Internet, the opportunity for an attacker to sneak in and penetrate the network is there. New vulnerabilities are discovered every week, and there are very few ways to defend yourself against an attacker using a new vulnerability. Once you are attacked, without logs you have little chance of discovering what the attackers did. Without that knowledge, your organization must choose between completely reloading the operating system from original media and then hoping the data backups were OK, or taking the risk that you are running a system that a hacker still controls. You cannot detect an attack if you do not know what is occurring on your network. Logs provide the details of what is occurring, what systems are being attacked, and what systems have been compromised. Logging must be done on a regular basis on all key systems, and logs should be archived and backed up because you never know when you might need them. Most experts recommend sending all of your logs to a central log server that writes the data to write-once media, so that the attacker cannot overwrite the logs and avoid detection.

G4.2 Systems impacted: All operating systems and network devices.

G4.3 How to determine if you are vulnerable: Review the system logs for each major system. If you do not have logs, or if they are not centrally stored and backed up, you are vulnerable.

G4.4 How to protect against it: Set up all systems to log information locally and to send the log files to a remote system. This provides redundancy and an extra layer of security. Now the two logs can be compared against one another; any differences could indicate suspicious activity on the system. In addition, this allows cross-checking of log files across systems. One line in a log file on a single server may not be suspicious, but the same entry on 50 servers across an organization within a minute of each other may be a sign of a major problem. Wherever possible, send logging information to a device that uses write-once media.

These are the most critical internet security threats.

MADHUR KHURANA (CO5) (076)
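The two cross-checks section G4.4 describes, as an added example that is not part of the original page: comparing a host's local log with the copy held on the central log server (anything present centrally but gone locally is suspicious), and correlating one entry across many hosts within a one-minute window. The line format '<ISO timestamp> <host> <message>' is assumed and all log lines are constructed.

```python
"""Log cross-checks for section G4.4 (added example, not the page's own code).
Line format is assumed to be '<ISO timestamp> <host> <message>'; all log
lines below are constructed for the example."""
from collections import defaultdict
from datetime import datetime


def parse(line):
    """Split one log line into (timestamp, host, message)."""
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, msg


def missing_locally(local_lines, remote_lines):
    """Entries the central (write-once) copy has but the host's own log lacks.
    Any difference is suspicious: an intruder can edit the local log only."""
    local = set(local_lines)
    return [line for line in remote_lines if line not in local]


def widespread_entries(lines, min_hosts=3, window_seconds=60):
    """Messages seen on at least min_hosts distinct hosts within window_seconds.
    Returns (message, sorted hosts) pairs: one line on one server is noise,
    the same line on many servers within a minute may be a major problem."""
    events = defaultdict(list)                    # message -> [(time, host)]
    for line in lines:
        ts, host, msg = parse(line)
        events[msg].append((ts, host))
    hits = []
    for msg, seen in events.items():
        seen.sort()                               # sliding window over time
        for i, (t0, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:]
                     if (t - t0).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                hits.append((msg, sorted(hosts)))
                break
    return hits


CENTRAL = [  # constructed copy held on the central log server
    "2024-03-01T10:00:05 web01 sshd: Failed password for root",
    "2024-03-01T10:00:09 web02 sshd: Failed password for root",
    "2024-03-01T10:00:40 web03 sshd: Failed password for root",
    "2024-03-01T10:02:00 web01 cron: nightly backup started",
    "2024-03-01T10:05:00 web02 useradd: new user added",
]
# constructed local log of web01, from which the failed-login line has been removed
LOCAL_WEB01 = ["2024-03-01T10:02:00 web01 cron: nightly backup started"]


def check_web01():
    """Entries for web01 that exist centrally but not in its local log."""
    return missing_locally(LOCAL_WEB01, [l for l in CENTRAL if " web01 " in l])
```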