Chapter II Systems Threats and Risks
Software-Based Attacks
• Malicious software, or malware
– Software that enters a computer system without the owner’s knowledge or consent
– Malware is a general term that refers to a wide variety of damaging or annoying software
• The three primary objectives of malware
– To infect a computer system
– Conceal (hide) the malware’s malicious actions
– Bring profit from the actions that it performs
Infecting Malware
• Viruses
– Programs that secretly attach to another document or program and execute when that document or program is opened
– Once a virus infects a computer, it performs two separate tasks
• Replicates itself by spreading to other computers
• Activates its malicious payload
– Cause problems ranging from displaying an annoying message to erasing files from a hard drive or causing a computer to crash repeatedly
• Types of computer viruses
– File infector virus
– Resident virus
– Boot virus
– Companion virus
– Macro virus
• Metamorphic viruses
– Avoid detection by altering how they appear
• Polymorphic viruses
– Also encrypt their content differently each time
• Worm
– Program designed to take advantage of a vulnerability in an application or an operating system in order to enter a system
– Worms are different from viruses in two regards:
• A worm can travel by itself
• A worm does not require any user action to begin its execution
– Actions that worms have performed: deleting files on the computer; allowing the computer to be remote-controlled by an attacker
Concealing Malware
• Trojan Horse (or just Trojan)
– Program advertised as performing one activity that but actually does something else
– Trojan horse programs are typically executable programs that contain hidden code that attack the computer system
• Rootkit
– A set of software tools used by an intruder to break into a computer, obtain special privileges to perform unauthorized functions, and then hide all traces of its existence
– The rootkit’s goal is to hide the presence of other types of malicious software
– Rootkits function by replacing operating system commands with modified versions
• That are specifically designed to ignore malicious activity so it can escape detection
– Detecting a rootkit can be difficult
– Removing a rootkit from an infected computer is extremely difficult
• You need to reformat the hard drive and reinstall the operating system
• Logic bomb
– A computer program or a part of a program that lies dormant (hide) until it is triggered by a specific logical event
– Once triggered, the program can perform any number of malicious activities
– Logic bombs are extremely difficult to detect before they are triggered
• Privilege escalation
– Exploiting a vulnerability in software to gain access to resources that the user would normally be restricted from obtaining
• Types of privilege escalation
– When a user with a lower privilege uses privilege escalation to access functions reserved for higher privilege users
– When a user with restricted privileges accesses the different restricted functions of a similar user
Malware for Profit
• Spam
– Unsolicited e-mail
– Sending spam is a lucrative business
– Costs involved for spamming:
• E-mail addresses
• Equipment and Internet connection
– Text-based spam messages can easily by trapped by special filters
– Image spam uses graphical images of text in order to circumvent (avoid) text-based filters
• Other techniques used by spammers include:
– GIF layering
– Word splitting
– Geometric variance
• Image spam cannot be easily filtered based on the content of the message
• To detect image spam, one approach is to examine the context of the message and create a profile, asking questions such as:
– Who sent the message?
– What is known about the sender?
– Where does the user go if she responds to this e-mail?
– What is the nature of the message content?
– How is the message technically constructed?
• Spyware
– A general term used for describing software that imposes upon a user’s privacy or security
• Antispyware Coalition defines spyware as:
– Technologies that are deployed without the user’s consent and impair the user’s control over:
• Use of their system resources, including what programs are installed on their computers
• Collection, use, and distribution of their personal or other sensitive information
• Material changes that affect their user experience, privacy, or system security
• Spyware has two characteristics that make it very dangerous
– Spyware creators are motivated by profit
• Spyware is often more intrusive than viruses, harder to detect, and more difficult to remove
– Spyware is not always easy to identify
• Spyware is very widespread
• Although attackers use several different spyware tools
– The two most common are adware and keyloggers
• Adware
– A software program that delivers advertising content in a manner that is unexpected and unwanted by the user
• Adware can be a security risk
– Many adware programs perform a tracking function
• Monitors and tracks a user’s activities
• Sends a log of these activities to third parties without the user’s authorization or knowledge
• Keylogger
– A small hardware device or a program that monitors each keystroke a user types on the computer’s keyboard
– As the user types, the keystrokes are collected and saved as text
• As a hardware device, a keylogger is a small device inserted between the keyboard connector and computer keyboard port
• Software keyloggers
– Programs that silently capture all keystrokes, including passwords and sensitive information
– Hide themselves so that they cannot be easily detected even if a user is searching for them
• Botnets
– When hundreds, thousands, or even tens of thousands of zombie computers are under the control of an attacker
• Zombie
– An infected computer with a program that will allow the attacker to remotely control it
• Attackers use Internet Relay Chat (IRC) to remotely control the zombies
• Attacker is knows as a bot herder
Hardware-Based Attacks
• Hardware that often is the target of attacks includes the BIOS, USB devices, network attached storage, and even cell phones
BIOS
• Basic Input/Output System (BIOS)
– A coded program embedded on the processor chip that recognizes and controls different devices on the computer system
– Executed when the computer system is first turned on and provides low-level access to the hard disk, video, and keyboard
• On older computer systems the BIOS was a Read Only Memory (ROM) chip
– Today’s computer systems have a PROM (Programmable Read Only Memory) chip
• Because it can be flashed, the BIOS can be the object of attacks
– One virus overwrites the contents of the BIOS and the first part of the hard disk drive, rendering the computer completely dead
– An attacker could infect a computer with a virus and then flash the BIOS to install a rootkit on the BIOS
USB Devices
• USB devices use flash memory
– Flash memory is a type of EEPROM, nonvolatile computer memory that can be electrically erased and rewritten repeatedly
• USB devices are widely used to spread malware
• Also, USB devices allow spies or disgruntled employees to copy and steal sensitive corporate data
• In addition, data stored on USB devices can be lost or fall into the wrong hands
• To reduce the risk introduced by USB devices:
– Disable the USB in hardware
– Disable the USB through the operating system
– Use third-party software
Network Attached Storage (NAS)
• Storage Area Network (SAN)
– Specialized high-speed network for attaching servers to storage devices
– SAN can be shared between servers and can be local or extended over geographical distances
• Network Attached Storage (NAS)
– Another type of network storage
– Single, dedicated hard disk-based file storage device that provides centralized and consolidated disk storage available to LAN users through a standard network connection
• Advantages to using NAS devices on a network
– Offer the ability to easily expand storage requirements
– Allow for the consolidation of storage
• The operating system on NAS devices can be either a standard operating system, a proprietary operating system, or a “stripped-down” operating system with many of the standard features omitted
• NAS security is implemented through the standard operating system security features
Cell Phones
• Cellular telephones (cell phones)
– Portable communication devices that function in a manner that is unlike wired telephones
• Two keys to cellular telephone networks
– Coverage area is divided into smaller individual sections called cells
– All of the transmitters and cell phones operate at a low power level
• Almost all cell phones today have the ability to send and receive text messages and connect to the Internet
• Types of attacks
– Lure (decoy) users to malicious Web sites
– Infect a cell phone
– Launch attacks on other cell phones
– Access account information
– Abuse the cell phone service
Attacks on Virtualized Systems
• Just as attacks can be software-based or hardware-based, attacks can also target software that is emulating hardware
• This type of software, known as virtualization, is becoming one of the prime targets of attackers
What Is Virtualization?
• Virtualization
– A means of managing and presenting computer resources by function without regard to their physical layout or location
• Operating system virtualization
– A virtual machine is simulated as a self-contained software environment by the host system but appears as a guest system
• Server virtualization
– Creating and managing multiple server operating systems
• One of the factors driving the adoption of virtualization is the cost of energy
• Operating system virtualization is playing an increasingly important role in security
– Has allowed increased flexibility in launching attacks
– Is also being used to make systems more secure
Attacks on Virtual Systems
• Virtualization provides the ability to run multiple virtual computers on one physical computer
• Virtualization can also be beneficial in providing uninterrupted server access to users
– By means of live migration and load balancing
• Security for virtualized environments can be a concern for two reasons
– Existing security tools were designed for single physical servers and do not always adapt well to multiple virtual machines
– Virtual machines not only need to be protected from the outside world, but they also need to be protected from other virtual machines on the same physical computer
• Hypervisor
– Software that runs on a physical computer and manages one or more virtual machine operating systems
– Can contain security code that would allow the hypervisor to provide security by default to all virtual machines
• Another option is for security software to function as a separate program that is “plugged in” to the hypervisor
• Another approach is running security software, such as a firewall and intrusion detection system
– As a specialized security virtual machine on the physical machine
Summary
- Malicious software (malware) is software that enters a computer system without the owner’s knowledge or consent
- Infecting malware includes computer viruses and worms
- Ways to conceal malware include Trojan horses (Trojans), rootkits, logic bombs, and privilege escalation
- Malware with a profit motive includes spam, spyware, and botnets
- Hardware is also the target of attackers. Frequent hardware targets include the BIOS, USB storage devices, Network Attached Storage (NAS) devices, and cell phones
- Virtualization is a means of managing and presenting computer resources by function without regard to their physical layout or location
Thanks ............
0 komentar:
Posting Komentar