SLAC currently has two basic defenses that our users see and feel: patching and AntiVirus. There are other tools in use, but these are our primary means of protecting our environment. Today we are going to look at what we do about the virus alerts that Cyber receives.

NOTE: The PandaLabs (security research group) Q3 malware report shows Trojans at 60% of malware, and Adware rising from 22% in Q2 to 31% in Q3. This increase is mainly due to the number of fake antivirus programs detected over the quarter. Fake antivirus programs are applications that falsely report a computer infection and offer users the possibility of downloading software to eradicate the infection. Once the application is downloaded, users are asked to pay a fee to register it and eliminate the infection. Multiple variants of the same malware family make detection hard. Infecting via web pages is gaining in popularity (iframe attacks with multiple vectors depending on the system accessing the page). The estimate is that approximately 17% of machines were infected over the first 6 months, vs. 15% last year.
Here is an audio clip with a quick overview of what we are up against.

SQL Injection activity: This movie represents the activity of a SQL injection host. The host involved was responsible for the infection of thousands of websites in just a number of days. In the first part of the movie, the activity to and from the host is visible; in this particular case the activity is mainly from Japan, China and Taiwan prior to the attack. On the 12th of April 2008 the host started to infect websites around the world with malicious code. The time period between the 12th of April and the 23rd of April shows an accumulative view of the infected websites.

If you need definitions of what malicious software is, there are some here:

A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but cannot infect your computer unless you run or open the malicious program. (1)

A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands. (1)

Adware displays or downloads advertisements, but can include spyware that monitors where you are going on the net, or hacker tools: applications that attempt to subvert the security of a system, gain access, conduct reconnaissance on networks or users, or make copies of themselves, creating a huge devastating effect.

A Trojan Horse will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening it because they appear to be receiving legitimate software or files from a legitimate source. Some Trojans are designed to be more annoying than malicious (like changing your desktop or adding silly active desktop icons), or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate. (1)

Blended threat: A blended threat is a sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one threat. Blended threats use server and Internet vulnerabilities to initiate, transmit and spread an attack. This combination of methods and techniques means blended threats can spread quickly and cause widespread damage. Characteristics of blended threats include: causes harm, propagates by multiple methods, attacks from multiple points, and exploits vulnerabilities. Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats require no human intervention to propagate. (1)

SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or user input is not strongly typed and is thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. (1)

(1) http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp
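The escape-character failure named in the SQL injection definition above, shown as an added example (not part of the presentation) with Python's sqlite3 and a constructed users table: the query that splices user input into SQL text beside its parameterized form.

```python
"""Added example: why unfiltered string literal escape characters let user
input be executed as SQL. The users table and its rows are constructed."""
import sqlite3

def make_db():
    # In-memory database with a constructed users table for the demonstration.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "user"), ("o'brien", "user"), ("root", "admin")])
    return con

def lookup_unsafe(con, name):
    """Vulnerable: the value is spliced into the SQL text, so a quote in the
    input is parsed as SQL syntax rather than as part of the value."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_safe(con, name):
    """Hardened: a bound parameter keeps the value in the data channel; the
    database never parses it as SQL, whatever characters it contains."""
    return [row[0] for row in con.execute(
        "SELECT role FROM users WHERE name = ?", (name,))]

def demo():
    """Run both lookups on a legitimate apostrophe and on a quote-closing value."""
    con = make_db()
    results = {}
    # A legitimate name with an apostrophe breaks the spliced query outright.
    try:
        lookup_unsafe(con, "o'brien")
        results["unsafe_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "syntax error"
    results["safe_apostrophe"] = lookup_safe(con, "o'brien")
    # A value that closes the string literal changes the query's meaning: the
    # spliced version matches every row, the bound version matches none.
    crafted = "x' OR 'a'='a"
    results["unsafe_crafted"] = len(lookup_unsafe(con, crafted))
    results["safe_crafted"] = len(lookup_safe(con, crafted))
    return results
```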
So what’s going on? This is what a user sees if an infected file is found. What were you doing? Jot it down and let your support person know.
This is what is in the message that computer security receives. The first thing that catches our eye is that it is a Trojan horse and the AV software is leaving it alone: the file might be in use and cannot be deleted or quarantined.
So what are we, computer security, doing about it? Here are the general guidelines of action that Cyber follows, subject to the availability of resources. The threats are now blended, and it is difficult to take the same action for every alert. Research done on the infection can change the actions Cyber takes. Computers used to access personally identifiable information (PII) will receive more scrutiny.
If additional viruses or other issues are found, the computer can be router blocked (isolated on the network), and a re-scan and/or a rebuild of the computer can be requested. If several alerts are received for one computer, again depending on the types of infections, the computer can be isolated, or a request for a re-scan and/or rebuild may be made. The AV is also capable of finding most unauthorized (e.g. P2P) or prohibited software (key loggers or crackers). If those types of applications are found, they must be removed and generally require a rebuild.
We all have an affirmative duty to report abuse of SLAC resources. If an infection leads computer security to find bad stuff, someone from Cyber will take the computer hard drive and any USB devices involved in the infection. Bad stuff being: illegally licensed software; hacker tools like key generators, password sniffing or cracking tools, and vulnerability assessment tools; or illicit material like pornography, evidence of gambling, or running a personal business. In some cases, depending on the data found, Cyber reports the findings to HR and Legal for further review to see if additional SLAC/Stanford/DOE policies or procedures have been violated. HR determines the follow-up actions, including holding the drive and cloning the information from the USB device.
Cyber is collecting metrics to see how SLAC stands in the battle against infections. We have been modifying and improving our process as we go along. We have only been doing this for a few months, with the past three a more concentrated effort. The trend is now heading downward, but it usually takes more months of data to see how effective any of the things we are doing are.
What can Cyber do to help you to stay infection free?
AntiVirus Presentation to MFD - Oct. 14, 2008
AntiVirus Process
Marilyn Cariola, Heather Larrieu (audio), Chris Mayfield
October 14, 2008
AV Process & Actions

Notes:
- The results of malware research could change the actions to be taken.
- All scans must be full AV scans in safe mode with system restore turned off.
  - Results need to be shared with Cyber (screen captures or exported files).
  - Depending on the results of the scan, further actions could include format and rebuild, or Cyber taking the computer or hard drive for further investigation.
- Computer security may not request a rebuild if the virus is found in cache.
- Computers used to access personally identifiable information (PII) will receive more scrutiny when they generate virus alerts.

Actions by AV, Cyber, Admin and User, per malware type:

Type (1)              | AV                                    | Cyber         | Admin                            | User
----------------------|---------------------------------------|---------------|----------------------------------|----------------
Trojan horse, Spyware | Leave alone, access denied, undefined | Isolate/Email | Scan (2), format and rebuild (3) | Change password
Adware                | Leave alone, access denied, undefined | Email         | Scan (2)                         | Change password
Worm                  | Leave alone, access denied, undefined | Email         | Scan (2)                         | Change password
Virus                 | Leave alone, access denied, undefined | Email         | Scan (2)                         | Change password
Trojan horse, Spyware | Clean, quarantine, delete             | Email         | Scan (2)                         | Change password
Adware                | Clean, quarantine, delete             | None          | None                             | None
Worm                  | Clean, quarantine, delete             | None          | None                             | None
Virus                 | Clean, quarantine, delete             | None          | None                             | None
Other Actions
- Additional viruses or issues
  - Isolate / scan / rebuild
- Several (3 or more) alerts on same computer / same day
  - Isolate / scan / rebuild
- Unauthorized / prohibited software
  - Must be removed
  - Some cases sent to HR
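The triage rules on the two slides above (the type/AV-result action matrix, the "3 or more alerts on the same computer in one day" escalation, and extra scrutiny for PII hosts) applied to a batch of alert lines, as an added example that is not SLAC's own tooling; the alert lines, host names and PII host list are constructed.

```python
"""Added example: apply the AV Process action matrix and the same-day alert
threshold to a batch of AV alert lines. All sample data is constructed."""
from collections import Counter

# Constructed sample alerts, one per line: host, date, malware type, AV result.
ALERTS = """\
pc-017 2008-10-14 trojan leave_alone
pc-017 2008-10-14 adware cleaned
pc-017 2008-10-14 adware leave_alone
pc-022 2008-10-14 virus cleaned
pc-035 2008-10-14 worm leave_alone
"""
# Hosts used to access PII get extra scrutiny (constructed, hypothetical list).
PII_HOSTS = {"pc-035"}

# (malware type, AV result) -> (Cyber, Admin, User) actions from the slide table.
LEFT_ALONE = ("Email", "Scan", "Change password")
MATRIX = {
    ("trojan", "leave_alone"): ("Isolate/Email", "Scan, format and rebuild", "Change password"),
    ("spyware", "leave_alone"): ("Isolate/Email", "Scan, format and rebuild", "Change password"),
    ("adware", "leave_alone"): LEFT_ALONE,
    ("worm", "leave_alone"): LEFT_ALONE,
    ("virus", "leave_alone"): LEFT_ALONE,
    ("trojan", "cleaned"): LEFT_ALONE,
    ("spyware", "cleaned"): LEFT_ALONE,
}
ESCALATE_AT = 3  # several (3 or more) alerts on the same computer, same day

def parse_alerts(text):
    """Yield (host, day, malware type, AV result) tuples from alert lines."""
    for line in text.splitlines():
        if line.strip():
            yield tuple(line.split())

def triage(text, pii_hosts=PII_HOSTS):
    """Return per-host records: actions (set), escalate (bool), pii (bool)."""
    per_host_day = Counter()
    records = {}
    for host, day, mtype, result in parse_alerts(text):
        per_host_day[(host, day)] += 1
        rec = records.setdefault(host, {"actions": set(), "escalate": False,
                                         "pii": host in pii_hosts})
        # Adware/worm/virus that the AV already cleaned need no follow-up action.
        rec["actions"].update(MATRIX.get((mtype, result), ()))
    for (host, day), n in per_host_day.items():
        if n >= ESCALATE_AT:  # repeated alerts: isolate, re-scan, possibly rebuild
            records[host]["escalate"] = True
            records[host]["actions"].update({"Isolate", "Scan", "Rebuild"})
    return records
```

Calling `triage(ALERTS)` escalates pc-017 (three alerts in one day) while pc-022, whose cleaned virus needs no follow-up, gets an empty action set.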
Further Review
- Affirmative duty to report abuse of SLAC resources
- Device taken, including USB devices
  - Illegally licensed software
  - Hacker tools
    - Key generators, password sniffing, vulnerability assessment
  - Illicit material
    - Pornography, gambling, evidence of running a personal business
- Reported to HR
References
- Computer Security website
  - Restricted/Prohibited software
- Policies
  - Limited Personal Use of Government Office Equipment including Information Technology
  - Use of SLAC Information Resources
Questions / answers / discussion
- What would happen if we didn’t do this?
  - A computer gets compromised
    - Becomes a bot for additional attacks
    - Information is lost
  - During a Site Assessment
    - Non-job related data is found
      - Unlicensed / illegal software
      - Pornography
    - SLAC fined, lose contract?