Iss lecture 9
  • Speaker note: Windows is sometimes configured by default to hide filename extensions from the user, so a Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file.
  • Transcript

    • 1. Information Systems Security, Lecture 9: Malicious Software, Intrusion Detection, and Firewalls
    • 2. Outline
      1. Malicious code
      2. Trojan horses
      3. Viruses
      4. Worms
      5. Other malicious codes
      6. Countermeasures
      7. Intrusion Detection
      8. Firewalls
    • 3. What is Malicious Code?
      Any code which:
      – Modifies or destroys data
      – Steals data
      – Allows unauthorized access
      – Exploits or damages a system
      – Does something the user did not intend to do
      Malware is MALicious softWARE.
      Malware can be many things: viruses, worms, Trojan horses, etc.
    • 4. Trojan Horse
      A Trojan horse is a program that appears to be useful or harmless but that contains hidden code designed to exploit or damage the system on which it is run.
      Originally, Trojan horses were not designed to spread themselves.
      A Trojan horse tricks the user into executing malicious code.
      Examples:
      – A simple example of a Trojan horse would be a program named "Bush.EXE" that is posted on a website with a promise to be a fun animation.
      – On the Microsoft Windows platform, an attacker might attach a Trojan horse with an innocent-looking filename to an email message which entices the recipient into opening the file.
      – Phish-BuyPhone (1/7/2007).
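The speaker note above describes how a hidden-extension display turns 'Readme.txt.exe' into 'Readme.txt' on screen. The following is an added example (not from the lecture) of the check a mail gateway or endpoint agent can run on attachment names: it reproduces what Explorer would display with extensions hidden and flags names whose real extension is executable while the displayed name looks like a document. The extension lists and sample attachment names are constructed for the example.

```python
import os
from dataclasses import dataclass

# Constructed lists for this example; a deployment would take them from policy.
# Extensions Windows launches as code when double-clicked:
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
# Extensions users read as "just a document or picture":
DOCUMENT_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".jpg", ".png", ".mp3"}


@dataclass
class ExtensionVerdict:
    filename: str        # real name as stored on disk or in the attachment
    displayed_as: str    # what Explorer shows with "Hide extensions for known file types" on
    true_extension: str  # extension the OS actually uses to decide how to open the file
    suspicious: bool
    reason: str


def displayed_name(filename: str) -> str:
    """Mimic Explorer's hidden-extension display: drop only the final extension."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def inspect_filename(filename: str) -> ExtensionVerdict:
    """Flag names whose real extension is executable but whose displayed name
    ends in a document-like extension (e.g. 'Readme.txt.exe' shown as 'Readme.txt')."""
    base = os.path.basename(filename.strip())
    _, true_ext = os.path.splitext(base)
    true_ext = true_ext.lower()
    shown = displayed_name(base)
    _, shown_ext = os.path.splitext(shown)
    shown_ext = shown_ext.lower()

    if true_ext in EXECUTABLE_EXTENSIONS and shown_ext in DOCUMENT_EXTENSIONS:
        return ExtensionVerdict(base, shown, true_ext, True,
                                f"executable {true_ext} displayed as a {shown_ext} document")
    if true_ext in EXECUTABLE_EXTENSIONS and shown_ext:
        return ExtensionVerdict(base, shown, true_ext, True,
                                f"executable {true_ext} carries a second extension {shown_ext}")
    return ExtensionVerdict(base, shown, true_ext, False, "no extension masking detected")


def flag_attachments(names):
    """Return the subset of attachment names a gateway should quarantine for review."""
    return [v.filename for v in map(inspect_filename, names) if v.suspicious]


# Constructed sample attachment names for a demonstration run.
SAMPLE_ATTACHMENTS = ["Readme.txt.exe", "Readme.txt", "setup.exe", "photo.jpg.scr", "notes.backup.txt"]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        v = inspect_filename(name)
        print(f"{name:18} shown as {v.displayed_as:16} suspicious={v.suspicious}  {v.reason}")
```

A plain 'setup.exe' is not flagged: the user at least sees no document-like name, and blocking every executable is a separate policy decision. The check only covers the masking trick the note describes; it says nothing about what the file actually contains.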
    • 5.
    • 6.
    • 7. Virus
      A virus uses code written with the express intention of replicating itself.
      A virus attempts to spread from computer to computer by attaching itself to a host program.
      It may damage hardware, software, or data. When the host is executed, the virus code also runs, infecting new hosts and sometimes delivering additional malicious actions.
      Example:
      – Melissa: macro virus
    • 8. Virus structure
      A virus structure that is prepended to infected programs (type of this virus: file virus):

        Program V :=
        {goto main;
         1234567;
         subroutine infect-executable :=
           {loop: file := get-random-executable-file;
            if (first-line-of-file = 1234567)
              then goto loop
              else prepend V to file;}
         subroutine do-damage :=
           {whatever damage is to be done}
         subroutine trigger-pulled :=
           {return true if some condition holds}
         main: main-program :=
           {infect-executable;
            if trigger-pulled then do-damage;
            goto next;}
         next:
        }

      A virus can be prepended or postpended to an executable program.
      When an infected program (containing a virus) is invoked, it will first execute the virus code, then execute the original code of the program.
    • 9. Types of viruses
      1. File virus, also called parasitic virus.
      2. Boot sector infectors: infect a master boot record or boot record and spread when a system is booted from the disk containing the virus.
      3. Macro virus: infects a macro programming environment (e.g., a Microsoft Office application such as Word) rather than a specific operating system.
         – A macro is an executable program embedded in a word processing document or other types of files.
         – A macro is an executable file that can modify commands within the application menu.
         – Macro viruses infect data files rather than executable files.
      4. Stealth virus: a form of virus explicitly designed to hide itself from detection by antivirus software.
      5. Polymorphic virus: a virus that mutates with every infection, making its detection impossible.
      6. …
    • 10. Worms
      A worm uses self-propagating malicious code that can automatically distribute itself from one computer to another through network connections.
      – i.e., worms can execute and spread without user intervention.
      A worm can take harmful actions, such as:
      – consuming network or local system resources
      – causing a denial of service attack
      – deleting data, spying on users, …
    • 11. Worms
      By definition, a worm is supposed to hop from machine to machine on its own, so it needs to come equipped with considerable networking support.
      With regard to autonomous network hopping, the important question to raise is: what does it mean for a program to hop from machine to machine?
      A program may hop from one machine to another by a variety of means:
      – By using the remote shell facilities, as provided by rsh and rexec in Unix, to execute a command on the remote machine.
      – By cracking the passwords and logging in as a regular user on a remote machine.
      Example: the Slammer worm (online info)
    • 12. Other malwares
      Trap door: a secret entry point into a program that allows someone who is aware of the trap door to gain access without going through the usual security procedures.
      Logic bomb: code embedded in some legitimate program that is set to "explode" when certain conditions are met (time, or data).
      Zombie: a program that secretly takes over another Internet-attached computer and then uses this computer to launch attacks.
    • 13. Other malwares
      What is not malware?
      – Spyware (also called spybot or tracking software): programs that conduct certain activities (collecting personal information) on a computer without obtaining appropriate consent from the user.
      – Adware: pop-up advertisements.
      – Spam: unsolicited e-mail generated to advertise some service or product.
      – Scams: an e-mail message that attempts to trick the recipient into revealing personal information that can be used for unlawful purposes.
    • 14. Virus countermeasures
      The antivirus approach: the ideal solution to the threat of viruses is prevention:
      – Don't allow malware to get into the system.
      This is difficult (even impossible) to achieve, so follow this approach:
      – Detection: once the infection has occurred, locate the virus.
      – Identification: identify the specific virus that has infected a program.
      – Removal: remove all traces of the virus from the infected program and restore it to its original state.
      Follow virus alert websites (e.g., next slide).
      Example:
      – The Windows case (the Antivirus Defense-in-Depth Guide, Ch. 4)
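The three steps on this slide (detection, identification, removal) map directly onto the prepending virus V from slide 8: V marks each infected file with the line 1234567 and its own code sits in front of the host. The following is an added example written for these notes, not code from the lecture, of a toy scanner for that structure. The marker comes from slide 8; the virus body stand-in, the signature database, the host program and the variant name are all constructed for the example.

```python
import hashlib

# The marker line the lecture's virus V writes as its first line and checks for
# before infecting (slide 8). Everything else here is constructed for the example.
MARKER = b"1234567\n"

# Stand-in for V's code; a real body would be the virus's own instructions.
VIRUS_BODY_DEMO = MARKER + b"<<constructed virus body placeholder>>\n"

# Toy signature database: SHA-256 of the complete prepended body -> (name, body length).
SIGNATURE_DB = {
    hashlib.sha256(VIRUS_BODY_DEMO).hexdigest(): ("Demo.FileVirus.V", len(VIRUS_BODY_DEMO)),
}

# Constructed host program and the infected form V would produce by prepending itself.
ORIGINAL_PROGRAM = b"#!/bin/sh\necho 'payroll report'\n"
INFECTED_SAMPLE = VIRUS_BODY_DEMO + ORIGINAL_PROGRAM


def detect(contents: bytes) -> bool:
    """Detection: V marks every file it infects with the marker line, so the same
    check V uses to avoid re-infecting a file tells the scanner the file is infected."""
    return contents.startswith(MARKER)


def identify(contents: bytes):
    """Identification: hash the candidate prepended body at each known length and
    look it up. Returns (name, length) or None for an unknown variant."""
    for digest, (name, length) in SIGNATURE_DB.items():
        if len(contents) >= length and hashlib.sha256(contents[:length]).hexdigest() == digest:
            return name, length
    return None


def remove(contents: bytes) -> bytes:
    """Removal: strip the prepended body so the host is restored byte-for-byte.
    An unknown variant is not repaired blindly, since its length is unknown."""
    if not detect(contents):
        return contents
    match = identify(contents)
    if match is None:
        raise ValueError("marker present but variant unknown: quarantine, do not repair")
    _, length = match
    return contents[length:]


def scan(contents: bytes) -> dict:
    """Run the three steps and report what a scanner would log for one file."""
    if not detect(contents):
        return {"infected": False, "name": None, "restored": contents}
    match = identify(contents)
    if match is None:
        return {"infected": True, "name": "unknown", "restored": None}
    return {"infected": True, "name": match[0], "restored": remove(contents)}


if __name__ == "__main__":
    report = scan(INFECTED_SAMPLE)
    print(report["name"], "restored:", report["restored"] == ORIGINAL_PROGRAM)
```

Identification by an exact hash of the whole body is what a polymorphic virus (slide 9) defeats: each infection has a different body, so the marker still detects it but the lookup fails and the file can only be quarantined, not repaired.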
    • 15.
    • 16. Windows's Antivirus Defense-in-Depth Guide
      1. Active processes and services
         – Task Manager, PsTools, Process Explorer
      2. The local registry
         – Regedit (the registry editor)
      3. Files in the Microsoft Windows system folders
         – Use "Windows Search"
      4. New user or group accounts, especially with Administrator privileges
      5. Shared folders (including hidden folders)
      6. Newly created files with normal-looking file names but in unusual locations
      7. Opened network ports
         – Netstat, FPort
    • 17. Intrusion Detection
    • 18. Intrusion detection
      Viruses and intrusion are the most publicized threats to system security.
      Intrusion: illegally gaining access to systems.
      Intrusion techniques: acquiring protected information (often user passwords).
      – Passwords are associated with users in files.
      – Password files must be protected.
      Countermeasures: prevention and detection.
      – If intrusion prevention fails,
      – intrusion detection is the real defense line.
    • 19. Intrusion detection
      Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.
      Intrusion detection approaches:
      – Statistical anomaly detection
      – Rule-based detection
      Audit records are a fundamental tool for intrusion detection.
      – A detection record may contain subject (user, process), action (login, read, write), object (files, programs), resource usage, timestamp.
      Examples of IDS:
      – Cisco's Secure IDS
      – ISS RealSecure
      – Snort
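The slide names two approaches and the fields of an audit record without showing how either approach consumes such records. The following is an added example written for these notes, not code from the lecture or from any of the IDS products listed: audit records carry exactly the fields the slide lists (subject, action, object, resource usage, timestamp, plus an outcome), a rule-based detector applies a fixed rule to them, and a statistical anomaly detector compares each subject's resource usage against a baseline profile. All records, names and thresholds are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class AuditRecord:
    """One audit record with the fields the lecture lists, plus the action's outcome."""
    subject: str           # user or process
    action: str            # login, read, write, ...
    obj: str               # file, program or host acted on
    resource_usage: float  # here: kilobytes read (unit is a choice of this example)
    timestamp: datetime
    outcome: str = "success"


def rule_based_alerts(records, max_failures=3, window=timedelta(minutes=5)):
    """Rule-based detection: a fixed rule, here 'max_failures failed logins by the
    same subject within window'. Returns (subject, time of the triggering record)."""
    alerts, recent = [], {}
    for r in sorted(records, key=lambda r: r.timestamp):
        if r.action != "login" or r.outcome != "failure":
            continue
        q = recent.setdefault(r.subject, [])
        q.append(r.timestamp)
        while q and r.timestamp - q[0] > window:  # slide the window forward
            q.pop(0)
        if len(q) >= max_failures:
            alerts.append((r.subject, r.timestamp))
            q.clear()  # one alert per burst
    return alerts


def anomaly_alerts(baseline, records, threshold=3.0):
    """Statistical anomaly detection: build a per-subject profile of resource usage
    from the baseline records and flag usage more than `threshold` standard
    deviations above that subject's mean. Subjects with no profile are skipped."""
    profile = {}
    for r in baseline:
        profile.setdefault(r.subject, []).append(r.resource_usage)
    alerts = []
    for r in records:
        hist = profile.get(r.subject)
        if not hist or len(hist) < 2:
            continue  # nothing to compare against yet
        mu, sigma = mean(hist), pstdev(hist)
        if sigma == 0:
            z = float("inf") if r.resource_usage > mu else 0.0
        else:
            z = (r.resource_usage - mu) / sigma
        if z > threshold:
            alerts.append((r.subject, r.obj, r.resource_usage))
    return alerts


# Constructed audit trail. T0 is an arbitrary reference time.
T0 = datetime(2024, 1, 15, 9, 0, 0)
LOGIN_RECORDS = [
    AuditRecord("bob", "login", "host-a", 0, T0, "failure"),
    AuditRecord("bob", "login", "host-a", 0, T0 + timedelta(minutes=1), "failure"),
    AuditRecord("bob", "login", "host-a", 0, T0 + timedelta(minutes=2), "failure"),
    AuditRecord("carol", "login", "host-a", 0, T0 + timedelta(minutes=3), "failure"),
    AuditRecord("carol", "login", "host-a", 0, T0 + timedelta(minutes=4)),
    AuditRecord("mallory", "login", "host-b", 0, T0, "failure"),
    AuditRecord("mallory", "login", "host-b", 0, T0 + timedelta(minutes=1), "failure"),
    AuditRecord("mallory", "login", "host-b", 0, T0 + timedelta(minutes=20), "failure"),
]
# Ten days of alice reading payroll.db with modest day-to-day variation.
BASELINE = [
    AuditRecord("alice", "read", "payroll.db", usage, T0 - timedelta(days=10 - i))
    for i, usage in enumerate([100, 110, 95, 105, 100, 98, 102, 107, 99, 104])
]
NEW_RECORDS = [
    AuditRecord("alice", "read", "payroll.db", 108, T0),                         # ordinary
    AuditRecord("alice", "read", "payroll.db", 5000, T0 + timedelta(hours=1)),   # bulk read
    AuditRecord("dave", "read", "payroll.db", 5000, T0),                         # no profile yet
]

if __name__ == "__main__":
    print(rule_based_alerts(LOGIN_RECORDS))
    print(anomaly_alerts(BASELINE, NEW_RECORDS))
```

The two detectors fail differently, which is why the slide lists both: the rule never fires for mallory, whose three failures are spread beyond the window, and the anomaly detector stays silent for dave, who has no baseline at all. Lowering the threshold catches alice's ordinary read too, which shows the false-positive cost of a tighter statistical bound.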
    • 20. Firewall
    • 21. Firewall
      A firewall is any device used as a network-level access control mechanism for a particular network or a set of networks.
      – A firewall is used to prevent outsiders from accessing an internal network.
      Firewalls may be stand-alone computers, routers, or firewall appliances (sometimes with their own OS).
      They serve as control points to and from networks.
      They check whether or not network traffic should be allowed according to sets of rules or policies.
      Pitfalls: slowing data transmission, impairing networking.
    • 22. Types of firewalls
      Packet filtering routers
      Stateful-inspection firewalls
      Application-level gateway (also called proxy server)
      Circuit-level gateway
      Examples:
      – CheckPoint's Firewall-1: stateful-inspection-based
      – Cisco's PIX: stateful packet filter-based
      – Border's FireWall Server: proxy-based
      – Tiny Software's Tiny Personal Firewall: packet filter-based
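The slide lists packet filtering and stateful inspection side by side without saying what separates them. The following is an added example written for these notes, not code from the lecture or from any product named on the slide: a simulated packet filter that judges each packet by static rules, beside a stateful firewall that remembers outbound connections and admits inbound packets only when they answer one. The topology, rule set and traffic are constructed; external addresses come from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet view: endpoints and which way it crosses the firewall."""
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" = Internet to internal network, "out" = the reverse


# Constructed topology: internal network 10.0.0.0/24 with one published web server.
WEB_SERVER = "10.0.0.80"


def stateless_filter(pkt: Packet) -> str:
    """Packet-filtering router: each packet is judged alone by static rules.
    Constructed rules: all outbound allowed; inbound to the web server on 80 allowed;
    inbound to ports above 1023 allowed, because replies to internal clients land
    there and a stateless filter cannot tell a reply from an unsolicited packet."""
    if pkt.direction == "out":
        return "allow"
    if pkt.dst == WEB_SERVER and pkt.dport == 80:
        return "allow"
    if pkt.dport > 1023:
        return "allow"
    return "deny"


class StatefulFirewall:
    """Stateful inspection: record outbound connections and admit inbound
    packets only when they answer one of them (or hit the published service)."""

    def __init__(self):
        # (internal host, internal port, external host, external port)
        self.connections = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if pkt.dst == WEB_SERVER and pkt.dport == 80:
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"
        return "deny"


def compare(packets):
    """Run one packet sequence through both; returns (stateless, stateful) verdicts per packet."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.filter(p)) for p in packets]


# Constructed traffic, in order of arrival.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, "out"),   # client opens a web connection
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, "in"),    # the legitimate reply
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, "in"),   # unsolicited, shaped like a reply
    Packet("198.51.100.7", 4444, "10.0.0.5", 22, "in"),    # unsolicited probe of SSH
    Packet("198.51.100.7", 50000, WEB_SERVER, 80, "in"),   # visitor to the public web server
]

if __name__ == "__main__":
    for p, (a, b) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={a} stateful={b}")
```

The third packet is the one that separates the two types: the stateless filter has to let it through because a real reply would look identical, while the stateful firewall denies it because no internal host opened a connection to that address. The price of stateful inspection is the connection table, which is memory the filter must keep per flow and age out, which is one source of the "slowing data transmission" pitfall on slide 21.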
