Threats to Information Security, Part I
Sanjay Goel, University at Albany, SUNY
Sanjay Goel, School of Business/Center for Information Forensics and Assurance, University at Albany. Proprietary Information.

Course Outline
• Unit 1: What is a Security Assessment?
  – Definitions and Nomenclature
• Unit 2: What kinds of threats exist?
  – Malicious Threats (Viruses & Worms) and Unintentional Threats
• Unit 3: What kinds of threats exist? (cont'd)
  – Malicious Threats (Spoofing, Session Hijacking, Miscellaneous)
• Unit 4: How to perform a security assessment?
  – Risk Analysis: Qualitative Risk Analysis
• Unit 5: Remediation of risks
  – Risk Analysis: Quantitative Risk Analysis

Threats to Information Security: Outline for this unit
• Module 1: Malicious Code: Viruses
• Module 2: Malicious Code: Worms and Variants
• Module 3: Malicious Attacks
• Module 4: Unintentional Threats

Threats to Information Security: Threats Definition
• Threats are potential causes of unwanted events that may result in harm to the agency and its assets.[1]
  – A threat is a manifestation of a vulnerability: threats exploit vulnerabilities, causing impact to assets.
• Several categories of threats:
  – Malicious Code
  – Accidental Threats
  – Environmental Threats
• Hacking and other malicious threats are newer and are discussed primarily in this presentation.
[1] http://www.oit.nsw.gov/au/pdf/4.4.16.IS1.pdf

Malicious Code: Types
• Basic types:
  – Virus
  – Worm
• Several variants of the basic types exist:
  – Trojan Horse
  – Time Bomb
  – Logic Bomb
  – Rabbit
  – Bacterium

Module 1: Malicious Code: Viruses

Malicious Code: Viruses – Outline
• What is a virus?
• How does it spread?
• How do viruses execute?
• What do viruses exploit?
• What are the controls for viruses?
• How does anti-virus software work?
• Virus examples:
  – Melissa virus
  – Shell script

Malicious Code: Viruses – Definition
• Definition: Malicious self-replicating software that attaches itself to other software.
• Typical behavior:
  – Replicates within a computer system, potentially attaching itself to every other program
  – Behavior categories, e.g. innocuous, humorous, data altering, catastrophic

Malicious Code: Viruses – Propagation
• A virus spreads by creating a replica of itself and attaching it to other executable programs to which it has write access.
  – Unlike a worm, a true virus does not propagate itself across the network; it must be carried to other users via e-mail, infected files or diskettes, programs, or shared files.
• Viruses normally consist of two parts:
  – Replicator: responsible for copying the virus to other executable programs.
  – Payload: the action of the virus, which may be benign, such as printing a message, or malicious, such as destroying data or corrupting the hard disk.

Malicious Code: Viruses – Process
• When a user executes an infected program (an executable file or boot sector), the replicator code typically executes first; control then returns to the original program, which runs normally, so the user usually notices nothing.
• Different types of viruses:
  – Polymorphic viruses: modify (e.g. re-encode) their own code before attaching to another program, so each copy looks different to a pattern-matching scanner.
  – Macro viruses: use an application macro language (e.g., VBA or VBScript) to create programs that infect documents and templates.

Malicious Code: Viruses – Targets & Prevention
• Vulnerable: all computers
• Common categories:
  – Boot sector
  – Terminate and Stay Resident (TSR)
  – Application software
  – Stealth (or Chameleon)
  – Mutation engine
  – Network
  – Mainframe
• Prevention:
  – Limit connectivity
  – Limit downloads
  – Use only authorized media for loading data and software
  – Enforce mandatory access controls
• Viruses generally cannot run unless the host application is running.

Malicious Code: Viruses – Protection
• Detection (symptoms):
  – Changes in file sizes or date/time stamps
  – Computer is slow to start or slow running
  – Unexpected or frequent system failures
  – Change of system date/time
  – Low memory or increased bad blocks on disks
• Countermeasures:
  – Contain, identify and recover
  – Anti-virus scanners: look for known viruses
  – Anti-virus monitors: look for virus-related application behaviors
  – Attempt to determine the source of infection and issue an alert

Malicious Code: Viruses – Protection (cont'd)
• Scanner (conventional scanner, command-line scanner, on-demand scanner): a program that looks for known viruses by checking for recognisable byte patterns ('scan strings', 'search strings', 'signatures', a term best avoided for its ambiguity).
• Change detectors/checksummers/integrity checkers: programs that keep a database of the characteristics of all executable files on a system and
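As an added example (not code from the lecture slides), the Python below implements the two anti-virus approaches named on the last slide, a scan-string scanner and a checksum-based integrity checker, and runs both over a constructed host file that is modified the way the Process slide describes (extra code placed ahead of the original program). The scan string "DEMO_VIRUS_REPLICATOR", the host file "report.sh" and the XOR re-encoding standing in for a mutation engine are illustrative assumptions, not data from any real virus; the polymorphic case shows why a scanner misses a re-encoded copy while the checksummer still catches the changed host.

```python
# Added example for the Viruses module; not code from the original slides.
# It shows (1) a conventional scanner that looks for a known scan string,
# (2) a checksummer that keeps a database of executable-file
# characteristics and reports changes, and (3) why a polymorphic copy
# escapes (1) but not (2). All file contents are constructed here; the
# scan string and the XOR "mutation engine" are illustrative assumptions.
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Assumed scan string for a made-up virus; a real scanner would carry
# byte patterns extracted from actual virus bodies.
SCAN_STRINGS: dict[str, bytes] = {"demo-virus": b"DEMO_VIRUS_REPLICATOR"}


def scan_file(path: Path) -> list[str]:
    """Conventional scanner: names of every known scan string found in the file."""
    data = path.read_bytes()
    return [name for name, pattern in SCAN_STRINGS.items() if pattern in data]


def fingerprint(path: Path) -> dict:
    """Characteristics a checksummer records per executable: size, mtime, hash.
    The hash decides 'changed'; size and mtime alone can be preserved by a
    careful virus, which is why a cryptographic hash is recorded as well."""
    st = path.stat()
    return {
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }


def build_baseline(root: Path) -> dict[str, dict]:
    """Database of characteristics of all executable files under root."""
    return {
        str(p.relative_to(root)): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and os.access(p, os.X_OK)
    }


def check_integrity(root: Path, baseline: dict[str, dict]) -> dict[str, list[str]]:
    """Compare the current state of root against a stored baseline."""
    current = build_baseline(root)
    return {
        "changed": [n for n in baseline if n in current
                    and current[n]["sha256"] != baseline[n]["sha256"]],
        "added": [n for n in current if n not in baseline],
        "removed": [n for n in baseline if n not in current],
    }


def polymorphic_encode(body: bytes, key: int) -> bytes:
    """Toy stand-in for a mutation engine: XOR the body with a per-copy key.
    The decoded body is identical, but no fixed scan string survives in the
    stored copy, so a pattern scanner has nothing to match."""
    return bytes(b ^ key for b in body)


def demo() -> dict:
    """Run both detectors against a plain and a polymorphic modified copy."""
    clean = b"#!/bin/sh\necho hello\n"          # constructed host program
    body = b"DEMO_VIRUS_REPLICATOR\n"           # constructed, harmless marker
    results: dict = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        host = root / "report.sh"
        host.write_bytes(clean)
        host.chmod(0o755)                        # make it count as an executable
        baseline = build_baseline(root)          # checksummer: record clean state

        # Case 1: a plain copy of the body placed ahead of the host code.
        host.write_bytes(body + clean)
        results["plain_scan"] = scan_file(host)
        results["plain_changed"] = check_integrity(root, baseline)["changed"]

        # Case 2: a polymorphic copy, re-encoded with a per-copy key.
        host.write_bytes(polymorphic_encode(body, 0x5A) + clean)
        results["poly_scan"] = scan_file(host)
        results["poly_changed"] = check_integrity(root, baseline)["changed"]
    return results


if __name__ == "__main__":
    print(demo())
    # {'plain_scan': ['demo-virus'], 'plain_changed': ['report.sh'],
    #  'poly_scan': [], 'poly_changed': ['report.sh']}
```

The baseline must be taken while the system is known clean and stored where the virus cannot rewrite it (read-only media or a signed file), otherwise the checksummer only confirms whatever state it was first shown; this is the same "use only authorized media" point the Prevention slide makes.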
UTD CS 6V81 - Threats to Information Security Part I