Funsec3e ppt ch11

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Fundamentals of Information
Systems Security
Lesson 11
Malicious Code and Activity

Fundamentals of Information Systems Security
www.jblearning.com
Page 2
www.jblearning.com
Learning Objective(s)
 Describe how malicious attacks, threats,
and vulnerabilities impact an IT
infrastructure.

www.jblearning.com
Page 3
www.jblearning.com
Key Concepts
 The impact of malicious code and malware on
systems and organizations
 Attackers, hackers, and social engineers
 The phases of a computer attack
 Tools and techniques to detect and prevent
attacks

www.jblearning.com
Page 4
www.jblearning.com
Malicious Code and Activity
 Malicious software (malware)
• Any program that carries out actions that you do
not intend
 Malicious code attacks all three information
security properties:
• Confidentiality: Malware can disclose your
organization’s private information
• Integrity: Malware can modify database records,
either immediately or over a period of time
• Availability: Malware can erase or overwrite files or
inflict considerable damage to storage media

www.jblearning.com
Page 5
www.jblearning.com
Characteristics, Architecture, and
Operations of Malicious Software
 An attacker gains administrative control of a
system and uses commands to inflict harm
 An attacker sends commands directly to a
system; the system interprets and executes them
 An attacker uses software programs that harm a
system or that make the data unusable
 An attacker uses legitimate remote administration
tools and security probes to identify and exploit
security vulnerabilities on a network

www.jblearning.com
Page 6
www.jblearning.com
The Main Types of Malware
 Viruses
 Spam
 Worms
 Trojan horses
 Logic bombs
 Active content
vulnerabilities
 Malicious add-
ons
 Injection
 Botnets
 Denial of
service attacks
 Spyware
 Adware
 Phishing
 Keystroke
loggers
 Hoaxes and
myths
 Homepage
hijacking
 Webpage
defacements

www.jblearning.com
Page 7
www.jblearning.com
Viruses
• Target computer hardware and
software startup functions
System
infectors
• Attack and modify executable
programs (COM, EXE, SYS, and DLL
files in Microsoft Windows)
File infectors
• (Also called macro infectors) Attack
document files containing embedded
macro programming capabilities
Data infectors

www.jblearning.com
Page 8
www.jblearning.com
Typical Life Cycle of a Computer
Virus

www.jblearning.com
Page 9
www.jblearning.com
How a System Infector Virus Works

www.jblearning.com
Page 10
www.jblearning.com
How a File Infector Virus Works

www.jblearning.com
Page 11
www.jblearning.com
How a Macro Virus Works

www.jblearning.com
Page 12
www.jblearning.com
Other Virus Classifications
Polymorphic viruses
Stealth viruses
Slow viruses
Retro viruses
Cross-platform viruses
Multipartite viruses

www.jblearning.com
Page 13
www.jblearning.com
How a Stealth Virus Works

www.jblearning.com
Page 14
www.jblearning.com
How a Slow Virus Works
How a Retro Virus Works

www.jblearning.com
Page 15
www.jblearning.com
How a Multipartite Virus Works

www.jblearning.com
Page 16
www.jblearning.com
Rootkits
Type of malware that modifies or replaces one or more
existing programs to hide the fact that a computer has
been compromised
Modify parts of the operating system to conceal traces of
their presence
Provide attackers with access to compromised computers
and easy access to launching additional attacks
Difficult to detect and remove

www.jblearning.com
Page 17
www.jblearning.com
Ransomware
Attempts to generate funds directly from a
computer user
Attacks a computer and limits the user’s ability to
access the computer’s data
Encrypts important files or even the entire disk
and makes them inaccessible
One of the first ransomware programs was
Crypt0L0cker

www.jblearning.com
Page 18
www.jblearning.com
Spam
 Consumes computing resources bandwidth and CPU
time
 Diverts IT personnel from activities more critical to
network security
 Is a potential carrier of malicious code
 Compromises intermediate systems to facilitate
remailing services
 Opt-out (unsubscribe) features in spam messages
can represent a new form of reconnaissance attack to
acquire legitimate target addresses

www.jblearning.com
Page 19
www.jblearning.com
Worms
Designed to propagate from one host
machine to another using the host’s own
network communications protocols
Unlike viruses, do not require a host
program to survive and replicate
The term “worm” stems from the fact that
worms are programs with segments,
working on different computers, all
communicating over a network

www.jblearning.com
Page 20
www.jblearning.com
Worms (cont.)

www.jblearning.com
Page 21
www.jblearning.com
Trojan Horses
Largest class of malware
Any program that masquerades as a useful
program while hiding its malicious intent
Relies on social engineering to spread and operate
Spreads through email messages, website
downloads, social networking sites, and automated
distribution agents (bots)

www.jblearning.com
Page 22
www.jblearning.com
Logic Bombs
Programs that
execute a malicious
function of some kind
when they detect
certain conditions
Typically originate
with organization
insiders because
people inside an
organization
generally have more
detailed knowledge
of the IT
infrastructure than
outsiders

www.jblearning.com
Page 23
www.jblearning.com
Active Content Vulnerabilities
 Active content
• Refers to dynamic objects that do something when the user
opens a webpage (ActiveX, Java, JavaScript, VBScript,
macros, browser plugins, PDF files, and other scripting
languages)
• Has potential weaknesses that malware can exploit
 Active content threats are considered mobile code
because these programs run on a wide variety of
computer platforms
 Users download bits of mobile code, which gain access to
the hard disk and do things like fill up desktop with
infected file icons

www.jblearning.com
Page 24
www.jblearning.com
Malicious Add-Ons
Add-ons are companion programs that extend the web
browser; can decrease security
Malicious add-ons are browser add-ons that contain some
type of malware that, once installed, perform malicious
actions
Only install browser add-ons from sources you trust

www.jblearning.com
Page 25
www.jblearning.com
Injection
Cross-site scripting (XSS)
SQL injection
LDAP injection
XML injection
Command injection

www.jblearning.com
Page 26
www.jblearning.com
Botnets
 Robotically controlled networks
 Attackers infect vulnerable machines with agents
that perform various functions at the command of
the bot-herder or controller
 Controllers communicate with other members of the
botnet using Internet Relay Chat (IRC) channels
 Attackers can use botnets to distribute malware and
spam and to launch DoS attacks against
organizations or even countries

www.jblearning.com
Page 27
www.jblearning.com
Denial of Service Attacks
Overwhelm a server or network segment to the point
that the server or network becomes unusable
Crash a server or network device or create so much
network congestion that authorized users cannot
access network resources
Distributed denial of service (DDoS) attack uses
intermediary hosts to conduct the attack

www.jblearning.com
Page 28
www.jblearning.com
SYN Flood
 Attacker uses IP
spoofing to send
a large number
of packets
requesting
connections to
the victim
computer

www.jblearning.com
Page 29
www.jblearning.com
Smurf Attack
 Attackers direct forged Internet Control Message Protocol
(ICMP) echo request packets to IP broadcast addresses
from remote locations to generate DoS attacks

www.jblearning.com
Page 30
www.jblearning.com
Spyware
Any unsolicited
background process that
installs itself on a user’s
computer and collects
information about the
user’s browsing habits and
website activities
Affects privacy and
confidentiality
Spyware cookies are
cookies that share
information across sites
Some cookies are
persistent and are stored
on a hard drive indefinitely
without user permission

www.jblearning.com
Page 31
www.jblearning.com
Adware
Triggers nuisances
such as popup ads
and banners when
user visits certain
websites
Affects productivity
and may combine
with active
background
activities
Collects and tracks
information about
application, website,
and Internet activity

www.jblearning.com
Page 32
www.jblearning.com
Phishing
Tricks users into providing logon information on what appears to
be a legitimate website but is actually a website set up by an
attacker to obtain this information
Spear-phishing
• Attacker supplies information about victim that appears
to come from a legitimate company
Pharming
• The use of social engineering to obtain access
credentials such as usernames and passwords

www.jblearning.com
Page 33
www.jblearning.com
Keystroke Loggers
Capture keystrokes
or user entries and
forwards information
to attacker
Enable the attacker to
capture logon
information, banking
information, and other
sensitive data

www.jblearning.com
Page 34
www.jblearning.com
Guidelines for Recognizing Hoaxes
Did a legitimate entity (computer security expert,
vendor, etc.) send the alert?
Is there a request to forward the alert to others?
Are there detailed explanations or technical
terminology in the alert?
Does the alert follow the generic format of a chain
letter?

www.jblearning.com
Page 35
www.jblearning.com
Homepage Hijacking
Exploiting a browser vulnerability to reset
the homepage
Covertly installing a browser helper object
(BHO) Trojan program

www.jblearning.com
Page 36
www.jblearning.com
Webpage Defacements
Someone gaining unauthorized access to a
web server and altering the index page of a
site on the server
The attacker replaces the original pages on
the site with altered versions

www.jblearning.com
Page 37
www.jblearning.com
A Brief History of Malicious Code
Threats
1970s and early 1980s academic research
and UNIX
1980s: Early PC viruses
1990s: Early LAN viruses
Mid-1990s: Smart applications and the
Internet
2000 to present

www.jblearning.com
Page 38
www.jblearning.com
Threats to Business Organizations
Attacks against confidentiality and privacy
Attacks against data integrity
Attacks against availability of services and resources
Attacks against productivity and performance
Attacks that create legal liability
Attacks that damage reputation

www.jblearning.com
Page 39
www.jblearning.com
Internal Threats from Employees:
Unsafe Computing Practices
Exchange of untrusted disks or other
media among systems
Installation of unauthorized, unregistered
software
Unmonitored download of files from the
Internet
Uncontrolled dissemination of email or
other messaging application attachments

www.jblearning.com
Page 40
www.jblearning.com
Anatomy of an Attack
Phases
of an
attack
Types of
attacks
The
purpose
of an
attack
What
motivates
attackers

www.jblearning.com
Page 41
www.jblearning.com
What Motivates Attackers?
Money Fame
Political
beliefs or
systems
Revenge

www.jblearning.com
Page 42
www.jblearning.com
The Purpose of an Attack
Denial of availability
Data modification
Data export
Launch point

www.jblearning.com
Page 43
www.jblearning.com
Types of Attacks
Unstructured attacks
Structured attacks
Direct attacks
Indirect attacks

www.jblearning.com
Page 44
www.jblearning.com
How a Direct Attack Works

www.jblearning.com
Page 45
www.jblearning.com
Phases of an Attack

www.jblearning.com
Page 46
www.jblearning.com
Reconnaissance and Probing
Attacker collects all information to conduct
the attack
Tools include:
• DNS and ICMP tools within the TCP/IP
protocol suite
• Standard and customized SNMP tools
• Port scanners and port mappers
• Security probes

www.jblearning.com
Page 47
www.jblearning.com
Access and Privilege Escalation
Gain administrative rights to the system
Establish the initial connection to a
target host (typically a server platform)

www.jblearning.com
Page 48
www.jblearning.com
Covering Traces of the Attack
Remove any traces of the attack
Remove files you may
have created and restore
as many files to their pre-
attack condition as
possible
Remove log file entries
that may provide evidence
of the attack

www.jblearning.com
Page 49
www.jblearning.com
Attack Prevention Tools and
Techniques
Defense in depth
• The practice of layering defenses into
zones to increase the overall protection
level and provide more reaction time to
respond to incidents
- Application defenses
- Operating system defenses
- Network infrastructure defenses

www.jblearning.com
Page 50
www.jblearning.com
Application Defenses
 Implementing regular antivirus screening on all host
systems
 Ensuring that virus definition files are up to date
 Requiring scanning of all removable media
 Installing personal firewall and IDS software on hosts
 Deploying change detection software and integrity
checking software
 Maintaining logs
 Implementing email usage controls and ensuring that
email attachments are scanned

www.jblearning.com
Page 51
www.jblearning.com
Operating System Defenses
 Deploying change detection and integrity checking
software and maintaining logs
 Deploying or enabling change detection and integrity
checking software on all servers
 Ensuring that operating systems are consistent and
have been patched with the latest updates from
vendors
 Ensuring that only trusted sources are used when
installing and upgrading OS code
 Disabling unnecessary OS services and processes that
may pose a security vulnerability

www.jblearning.com
Page 52
www.jblearning.com
Network Infrastructure Defenses
 Creating chokepoints in the network
 Using proxy services and bastion hosts to protect critical
services
 Using content filtering at chokepoints to screen traffic
 Ensuring that only trusted sources are used when
installing and upgrading OS code
 Disabling any unnecessary network services and
processes that may pose a security vulnerability
 Maintaining up-to-date IDS signature databases
 Applying security patches to network devices to ensure
protection against new threats and reduce vulnerabilities

www.jblearning.com
Page 53
www.jblearning.com
Safe Recovery Techniques and
Practices
Store OS and data file backup images on external
media to ease recovering from potential malware
infection
Scan new and replacement media for malware before
reinstalling software
Disable network access to systems during restore
procedures or upgrades until you have re-enabled or
installed protection software or services

www.jblearning.com
Page 54
www.jblearning.com
Implementing Effective Software
Best Practices
Adopt an acceptable use policy (AUP) for
network services and resources
Adopt standardized software to better
control patches and upgrades and to
ensure that you address vulnerabilities
Consider implementing an ISO/IEC 27002-
compliant security policy

www.jblearning.com
Page 55
www.jblearning.com
Incident Detection Tools and
Techniques
Antivirus scanning software
Network monitors and analyzers
Content/context filtering and logging
software
Honeypots and honeynets

www.jblearning.com
Page 56
www.jblearning.com
Summary
The impact of malicious code and
malware on systems and organizations
Attackers, hackers, and social
engineers
The phases of a computer attack
Tools and techniques to detect and
prevent attacks

Funsec3e ppt ch11

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Funsec3e ppt ch11

Similar to Funsec3e ppt ch11 (20)

More from Skillspire LLC

More from Skillspire LLC (20)

Recently uploaded

Recently uploaded (20)

Funsec3e ppt ch11