1.1. Differentiate among various systems security threats.

Knowing how to recognize and respond to a wide variety of security threats is an essential skill in today's networking environments. Security is not just about locking down the environment against threats, but also about detecting breaches and being prepared to respond to incidents. This section discusses several common threats that all environments must be prepared to face.

NOTE

For more information on this topic, refer to Chapter 1 of the CompTIA Security+ Study Guide, 4th Edition (Sybex, November 2008).

1.1.1. Privilege escalation

Privilege escalation is the malicious event when a user is able to obtain privileges or capabilities beyond what they were assigned or which they are authorized to have or use. Privilege escalation can be performed by a normal user, an administrator, or an outside attacker.

Privilege escalation can be performed by exploiting administrative oversights or misconfiguration of the environment. It could also be performed by clever manipulation of the systems or even through hacks. Some hacks, such as GetAdmin, temporarily grant the current user account full administrative privileges, while other hacks, such as X.exe, create a new user account in the Administrators group with a known password. Privilege escalation hacks can also be performed by stealing the credentials of another user account (such as through password guessing, password cracking, or authentication packet sniffing).

The best defenses against privilege escalation include clearly defined job descriptions with privileges that are enforced and restricted at a fine-grained level, strong password policies, and detailed auditing of the environment.

1.1.2. Virus

Viruses are just one example of malicious code, malicious software, or malware. Malicious code is any element of software that performs an unwanted or undesired function from the perspective of the legitimate user or owner of a computer system. Malicious code includes viruses, worms, Trojan horses, spyware, adware, rootkits, botnets, logic bombs, and sometimes even spam.

Viruses get their name from their biological counterparts. They are programs designed to spread from one system to another through self-replication and to perform any of a wide range of malicious activities. The malicious activities performed by viruses include data deletion, corruption, alteration, and theft. Some viruses replicate and spread so rapidly that they consume system and network resources, thus performing a type of denial-of-service (DoS) attack.

Most viruses need a host to latch onto. The host can be a file (as in the case of common viruses) or a sector of a hard drive. Viruses that attach themselves to the boot sector of a hard drive and thus are loaded in memory when the drive is activated are known as boot sector viruses. Polymorphic viruses have the ability to alter their own code in order to avoid detection by antivirus scanners. Macro viruses live within documents or e-mails and exploit the scripting capabilities of productivity software. Stealth viruses attempt to avoid detection by masking or hiding their activities. Armored viruses are designed to be difficult to detect and remove. Retroviruses specifically target antivirus systems to render them useless. Phage viruses modify or infect many aspects of a system so they can regenerate themselves from any remaining unremoved parts. A companion virus borrows the root filename of a common executable, and then gives itself the .com extension in an attempt to get itself launched rather than the intended application. Multipart or multipartite viruses perform multiple tasks and may infect a system in numerous ways.

The best countermeasure to viruses is an antivirus scanner that is updated regularly and which monitors all local storage devices, memory, and communication pathways for viral activities. Other countermeasures include avoiding downloading software from the Internet, not opening e-mail attachments, and avoiding the use of removable media from other environments.

1.1.3. Worm

Worms are self-contained applications that do not require a host to infect. Worms typically focus on replication and distribution rather than on direct damage and destruction. However, because viruses have acquired ever more (malicious) capabilities, worms are no longer an easily identifiable, distinct category of malicious code. Worms are designed to exploit a vulnerability in a system (operating system, protocol, service, or application) and then use that flaw to spread themselves to other systems with the same flaw. Worms may be used to deposit viruses, Trojan horses, logic bombs, or zombies/agents/bots for botnets, or they may perform direct virus-like destructive activities on their own.

Countermeasures for worms are the same as for viruses, with the addition of keeping systems patched.

1.1.4. Trojan

A Trojan horse is a form of malicious software that is disguised as something useful or legitimate. The most common forms of Trojan horses are games and screensavers, but any software can be made into a Trojan horse. The goal of a Trojan horse is to trick a user into installing it on their computer. This allows the malicious code portion of the Trojan horse to gain access to the otherwise secured environment. Some of the most common Trojan horses are tools that install DDoS zombies or remote control agents onto systems (see Chapter 2 for more information on denial-of-service).

Countermeasures for Trojan horses are the same as for viruses.

1.1.5. Spyware

Spyware is any form of malicious code or even business or commercial code that collects information about users without their direct knowledge or permission. Spyware can be fully malicious when it seeks to gain information to perform identity theft or credential hijacking. However, many advertising companies use less-malicious forms of spyware to gather demographics about potential customers. In either case, the user is often unaware that the spyware tool is present or that it is gathering information that is periodically transmitted back to some outside entity. Spyware can be deposited by viruses, worms, or Trojan horses, or it can be installed as extra elements from commercial, freeware, or shareware applications.

Countermeasures for spyware are the same as for viruses, with the addition of specific spyware-scanning tools.

1.1.6. Spam

Spam is any type of e-mail that is undesired and/or unsolicited. Think of spam as the digital equivalent of junk mail and door-to-door solicitations.

NOTE

Some studies have shown that more than half of all e-mail now consists of spam.

Spam is a problem for numerous reasons:

  • Some spam carries malicious code such as viruses, logic bombs, or Trojan horses.

  • Some spam carries a social-engineering attack (also known as hoax e-mail).

  • Unwanted e-mail wastes your time while you sort through it looking for legitimate messages.

  • Spam wastes Internet resources: storage capacity, computing cycles, and throughput.

The primary countermeasure against spam is an e-mail filter. An e-mail filter is a list of e-mail addresses, domain names, or IP addresses where spam is known to originate. If a message is received from one of the listed spam sources, the e-mail filter blocks or discards it. Some e-mail filters are becoming as sophisticated as antivirus scanners. These e-mail filters can examine the header, subject, and contents of a message to look for keywords or phrases that identify it as a known type of spam, and then take the appropriate action to discard, quarantine, or block the message. In addition to client application or client-side spam filters, there are also enterprise spam tools. Some enterprise tools are stand-alone devices, often called anti-spam appliances, while others are software additions to internal enterprise e-mail servers. The benefit of enterprise spam filtering is to reduce spam distribution internally by blocking and discarding unwanted messages before they waste storage space on e-mail servers or make their way to clients.

However, e-mail spam filters are problematic. Just because a message includes keywords that are typically found in spam doesn't mean that every message with those words is spam. Some legitimate, if not outright essential, messages include spam words. One method of addressing this issue is for the spam-filtering tool to place all suspected spam messages into a quarantine folder. Users can peruse this folder for misidentified messages and retrieve them.

Another important issue to address when managing spam is spoofed e-mail. A spoofed e-mail is a message that has a fake or falsified source address. When an e-mail server receives an e-mail message, it should perform a reverse lookup on the source address of the message. If the source address is fake or nonexistent, the message should be discarded.

1.1.6.1. Hoaxes

A hoax is an e-mail message that includes incorrect or misleading information. This is a written or static form of a social-engineering attack. Hoaxes are common and widespread because they expertly prey on human nature. If e-mail recipients aren't prepared for hoaxes, they can be easily caught up in them or persuaded by them. Hoaxes may inform you of intended court cases or legislation and encourage you to support one side or the other with a donation. They may warn you of a quickly spreading virus and provide details on how to sanitize your computer, such as deleting certain files or editing the Registry. Hoaxes also include chain letters that promise good fortune, bypassing of bad luck, or accumulation of wealth by passing the message on to others.

Although a hoax isn't the same as a virus in that it does not cause any direct damage, it often ends up causing nearly as much damage as a virus would. When ignorant users follow the instructions of a hoax—especially those that instruct readers to delete files or alter their system configuration via the Registry—the users usually end up damaging their operating system so severely as to require a reinstall or restoration from backup. Even if the damage isn't immediately or obviously severe, sometimes the instructions in a hoax open up vulnerabilities so that real viruses, remote-control hacker tools, or other forms of malicious code can gain access.

Your primary weapon against hoaxes is education and awareness. E-mail users should be on the lookout for any message that promises the unlikely, seems too good to be true, or has dire warnings that require immediate action.

One method for improving the security of your organization when it comes to dealing with e-mail hoaxes as well as spam and other unwanted messages is to develop a response policy. A spam response policy should define the steps users should follow when they receive a message that might be a hoax, whether intentional or not. Some recommended response steps include the following:

  1. Notify your network administrator that you have received a suspected hoax.

  2. Check with your antivirus vendor for confirmation of malicious code–related issues.

  3. Check with your antivirus vendor for e-mail hoax–related issues (most maintain a database of hoaxes).

  4. Find at least three other reliable, public, trusted sources to corroborate any message, especially if it involves legal or monetary issues.

  5. Don't forward any message to others if the message specifically directs you to do so. If there is a legitimate security issue spreading across the Internet, the security watchdogs will respond and inform the public appropriately.

  6. Never follow the directions in an e-mail from an unknown or untrusted source. Always validate procedures from a trusted, reliable source (such as Microsoft, a software vendor, an antivirus vendor, or your ISP).

If you discover a hoax, especially one that isn't already cataloged in your antivirus vendor's hoax database, send the vendor a copy so it can inform others. Be sure to contact the vendor and ask how to submit examples of hoaxes; don't just forward the message.

1.1.6.2. E-mail

E-mail allows for fast, efficient communications across the Internet. There are more e-mail addresses than there are actual Internet users, because many people have multiple e-mail addresses, whether by chance or by choice. E-mail offers individuals and companies alike a means to communicate without paying any type of per-message fee (such as postage fees associated with snail mail) and allows messages to be delivered in seconds rather than days. However, these abilities of e-mail also make it ripe for exploitation by those with malicious or at least nonbenevolent intentions, such as spam or hoaxes.

NOTE

E-mail relaying is another important issue. That topic is discussed in the "SMTP open relays" section later in this chapter.

Because e-mail is so widely used, it has become the most prevalent delivery vehicle for malicious code such as viruses, logic bombs, and Trojan horses. To combat this threat, you should deploy an antivirus scanner to scan e-mail content and attachments. You should even consider stripping or blocking e-mail attachments (especially those with known extensions of scripts or executables) as they enter your network (on an e-mail gateway, firewall, and so on). It is always the more secure option to scan, check, and if necessary, strip e-mail on SMTP servers before it reaches an end user's client system.

E-mail servers should also check for invalid, corrupted, or malformed messages. An e-mail message with a corrupted MIME header can cause an unprepared e-mail server to crash or freeze. Thus, attackers can use invalid e-mail formats as a method of waging a DoS attack against your e-mail systems. By keeping e-mail servers properly updated and deploying antivirus scanners and e-mail filters, you can avoid most of the problems and attacks associated with e-mail.
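A constructed gateway policy tying together the steps this section and the Spam section above describe: the sender reverse-lookup and blocklist checks, keyword scoring with a quarantine folder instead of outright deletion, rejection of malformed MIME structure, and stripping attachments with script or executable extensions. This is added example code, not the study guide's; the domains, phrases, threshold and the `RESOLVABLE_DOMAINS` table (standing in for a real DNS lookup) are assumptions.

```python
"""Constructed e-mail gateway policy: source checks, keyword scoring with
quarantine, malformed-message rejection and executable-attachment stripping."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

BLOCKED_DOMAINS = {"spam-source.example"}                        # assumed known spam origins
RESOLVABLE_DOMAINS = {"partner.example", "spam-source.example"}  # stand-in for a DNS lookup
SPAM_PHRASES = ("act now", "you have won", "free prize")         # assumed keyword list
QUARANTINE_THRESHOLD = 2
DANGEROUS_EXTENSIONS = (".exe", ".com", ".scr", ".bat", ".vbs", ".js")

def sender_domain(msg):
    """Lowercased domain of the From: address ('' when missing or unparsable)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()

def spam_score(msg):
    """Number of known spam phrases found in the subject plus the plain-text body."""
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body is not None else "")
    return sum(text.lower().count(phrase) for phrase in SPAM_PHRASES)

def strip_dangerous_attachments(msg):
    """Drop attachments whose file name has a script/executable extension; return names removed."""
    if not msg.is_multipart():
        return []
    keep, stripped = [], []
    for part in msg.get_payload():
        name = part.get_filename() or ""
        if part.is_attachment() and name.lower().endswith(DANGEROUS_EXTENSIONS):
            stripped.append(name)
        else:
            keep.append(part)
    msg.set_payload(keep)          # the sanitized multipart keeps only the allowed parts
    return stripped

def classify(raw):
    """Gateway decision for one raw RFC 822 message: reject, discard, quarantine or deliver."""
    msg = message_from_string(raw, policy=policy.default)
    result = {"message": msg, "stripped": []}
    if msg.defects:  # parser recorded a structural defect: never hand it to the mail store
        return {**result, "action": "reject", "reason": type(msg.defects[0]).__name__}
    domain = sender_domain(msg)
    if domain not in RESOLVABLE_DOMAINS:  # the reverse-lookup check: fake or nonexistent source
        return {**result, "action": "discard", "reason": "unresolvable sender domain"}
    if domain in BLOCKED_DOMAINS:
        return {**result, "action": "discard", "reason": "blocklisted sender domain"}
    result["stripped"] = strip_dangerous_attachments(msg)
    if spam_score(msg) >= QUARANTINE_THRESHOLD:  # hold for user review rather than delete
        return {**result, "action": "quarantine", "reason": "spam phrases"}
    return {**result, "action": "deliver", "reason": "clean"}

def sample(subject, sender, body="Hello.", attachments=()):
    """Build a constructed sample message and return it as raw text."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "staff@corp.example", subject
    m.set_content(body)
    for name, data in attachments:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_string()

# Constructed sample traffic (not real messages).
CLEAN = sample("Quarterly report", "alice@partner.example", "Q3 numbers are below.")
SPOOFED = sample("Urgent wire transfer", "ceo@nonexistent.invalid")
BLOCKED = sample("Great deals", "promo@spam-source.example")
SPAMMY = sample("You have WON a free prize, act now!", "alice@partner.example")
WITH_EXE = sample("Invoice", "alice@partner.example", "See attached.",
                  [("invoice.exe", b"MZ\x90\x00"), ("notes.txt", b"meeting notes")])
MALFORMED = ("From: alice@partner.example\nSubject: Broken\n"
             "Content-Type: multipart/mixed\n\nno boundary parameter given\n")
```

The quarantined message is kept, not deleted, so a user can retrieve a legitimate message that merely happened to contain spam phrases.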

1.1.7. Adware

Adware is a variation on the idea of spyware (discussed earlier). Adware displays pop-up advertisements to users based on their activities, URLs visited, applications accessed, etc. Adware is used to target advertisements to prospective customers. Unfortunately, most adware products arrive on client systems without the knowledge or consent of the user. Thus, legitimate commercial products are often seen as intrusive and abusive adware.

Countermeasures for adware are the same as for spyware and viruses, with the addition of specific spyware/adware-scanning tools.

1.1.8. Rootkits

A rootkit is a special type of hacker tool that embeds itself deep within an operating system. The rootkit positions itself at the heart of an operating system (OS) where it can manipulate information seen by the OS. Often, a rootkit replaces the OS kernel or shims itself under the kernel, so that whatever information it feeds or hides from the OS, the OS thinks is normal and acceptable. This allows a rootkit to hide itself from detection, prevent its files from being viewed by file management tools, and prevent its active processes from being viewed by task management or process management tools. Thus, a rootkit is a type of invisibility shield. A rootkit can be used to hide other malicious tools and/or perform other functions. A rootkit or other tools hidden by a rootkit could capture keystrokes, steal credentials, watch URLs, take screen captures, record sounds via the microphone, track application use, or grant a remote hacker back door access or remote control over the compromised target system.

After a rootkit has infected a system, that system can no longer be trusted or considered secure. There are rootkits that are still undetectable and/or cannot be effectively removed. Thus, any rootkit-compromised system can never be trusted again. To use a silly analogy: If you are fighting an invisible army, how can you be sure that you have defeated all of them?

There are several rootkit detection tools, some of which are able to remove some rootkits. However, once you know a rootkit is on a system, the only truly secure response is reconstitution. Reconstitution is the action of performing a low-level formatting operation on all storage devices on that system, reinstalling the OS and all applications from trusted original sources, and then restoring files from trusted rootkit-free backups. Obviously, the best protection against rootkits is defense rather than response.

1.1.9. Botnets

The term botnet is a shortened form of the phrase robot network. It is used to describe a massive deployment of malicious code onto numerous compromised systems that are all controlled by a hacker. A botnet is the evolution of the traditional DoS attack into a concept known as a distributed denial-of-service (DDoS) attack. A DDoS attack occurs when a hacker has deposited remote-controlled agents, zombies, or bots onto numerous secondary victims, and then uses the deployed bots as a single entity to attack a primary target.

Botnets are either directly or indirectly controlled by a hacker. Sometimes the hacker is labeled as a bot herder, a master, or even a handler. Direct control of a botnet occurs when the bot herder sends commands to each bot; in that case, each bot runs a listening service on an open port, waiting for communication from the bot herder. Indirect control of a botnet can occur through any intermediary communication system, including IRC, IM, FTP, e-mail, Web, blogging, Twitter, and so on. When indirect control is used, the bots listen on an intermediate communication service for messages from the master hacker.

Botnets are possible because most computers around the world are accessible over the Internet, and many of those computers are not fully secure. A botnet creator writes his botnet code to exploit a common vulnerability in order to spread the botnet agent far and wide—often using the same techniques used by viruses, worms, and Trojan horses. Botnets are typically comprised of thousands (if not hundreds of thousands) of compromised secondary victims. The secondary victims are the hosts of the botnet agent itself and are not affected or damaged beyond the initial intrusion and planting of the botnet agent. The hackers want the secondary victims fully functional so when they launch their botnet attack against the primary victim, they can use all the resources of the secondary victims against the primary target.

A botnet can be used to perform any type of malicious activity. Although they are most often used to perform DoS flooding attacks, botnets can also be used to transmit spam; perform massively distributed parallel processing to crack passwords or encryption keys; perform phishing attacks; capture network packets; or perform any other conceivable activity.

The best defense against a botnet is to keep your systems hardened and to not become the host of a botnet agent (in other words, don't become a secondary victim). Also, most antivirus software and anti-spyware/adware tools include well-known botnet agents in their detection databases.

If you are the primary victim of a botnet attack, there is little you can do to stop the attack. Your responses are often limited to disconnecting from the Internet, contacting your ISP, and reporting the incident to law enforcement.

1.1.10. Logic bomb

A logic bomb is a form of malicious code that remains dormant until a triggering event occurs. The triggering event can be a specific time and date, the launching of a specific program, or the accessing of a specific URL (such as your online banking logon page). Logic bombs can perform any malicious function the programmer wishes, from causing system crashes to deleting data to altering configurations to stealing authentication credentials.

Countermeasures for logic bombs are the same as for viruses.

1.1.11. Exam Essentials


Privilege escalation

Privilege escalation is the theft of privileges or access to resources that a user is not authorized to possess.


Viruses

Viruses are programs that are designed to spread from one system to another through self-replication and to perform any of a wide range of malicious activities.


Worms

Worms are designed to exploit a single flaw in a system (operating system, protocol, service, or application) and then use that hole to replicate themselves to other systems with the same flaw.


Trojan horses

A Trojan horse is a form of malicious software that is disguised as something useful or legitimate.


Spyware and adware

Spyware gathers information about users and may employ that information to target advertisements or steal identities. Adware gathers information about users and uses it to direct advertisements to the user. Both spyware and adware are usually unwanted software that gathers information without authorization.


Spam

Spam is undesired or unsolicited e-mail. It's a problem for numerous reasons. First, spam can be the carrier for malicious code such as viruses, logic bombs, and Trojan horses. Second, spam can be the carrier of a social-engineering attack (hoax e-mail). Third, unwanted e-mail wastes your time while you're sorting through it looking for legitimate messages. Fourth, spam wastes Internet resources such as storage capacity, computing cycles, and throughput.


E-mail filters

An e-mail filter is a list of e-mail addresses, domain names, or IP addresses where spam is known to originate.


Spoofed e-mail

A spoofed e-mail is a message that has a fake or falsified source address. When an e-mail server receives an e-mail message, it should perform a reverse lookup on the source address of the message.


Hoaxes

A hoax is an e-mail message that includes incorrect or misleading information. This is a written or static form of a social-engineering attack. Your primary weapons against hoaxes are education and awareness. Notify your network administrator when you receive a suspected hoax.


Rootkit

A rootkit is a type of malicious code that fools the OS into thinking that active processes and files don't exist. Rootkits render a compromised system completely untrustworthy.


Botnet

A botnet is a network of robots or malicious software agents controlled by a hacker in order to launch massive attacks against targets.


Logic bombs

A logic bomb is a form of malicious code that remains dormant until a triggering event occurs. The triggering event can be a specific time and date, the launching of a specific program, or the accessing of a specific URL (such as your online banking logon page).


Malicious code countermeasures

The best countermeasure to viruses and other malicious code is an antivirus scanner that is updated regularly and which monitors all local storage devices, memory, and communication pathways for viral activities. Other countermeasures include avoiding downloading software from the Internet, not opening e-mail attachments, and avoiding the use of removable media from other environments.
