
THE FOLLOWING COMPTIA IT FUNDAMENTALS EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

  • 3.1 Define basic security threats
    • Malware
      • Virus
      • Trojan
      • Spyware
      • Ransomware
    • Phishing
    • Social engineering
    • Spam
    • Password cracking
    • Physical security
      • Hardware theft
      • Software/license theft
      • Shoulder surfing
      • Dumpster diving

In an ideal world, computer security systems let in the right people and applications without any hassle and keep out the wrong people and applications. The world isn't ideal, though, and computer security certainly isn't either. There are two extremes to access. The first is you can open everything up and let anyone access anything. While this is simple, it's not secure. The other extreme is to lock everything down tight. It's secure, but it kind of defeats the purpose of having a network—you want to share resources with others. It follows then that effective computer security is a constant balance between safety and convenience.

The fact that you have to open up your systems to allow others to access resources has an inherent flaw, which is that opening can allow people who shouldn't have access to try to get in anyway. Those people might be simply curious, or they could be serious criminals who want to steal data or damage businesses. Either way, they're out there and they're writing malware and trying to get unauthorized access to computer networks right now. In the world of computer security, paranoia is a good thing. You don't need to be part of the tinfoil hat-wearing brigade, but a healthy dose of wariness can save you a lot of grief.

In this chapter, you'll learn about the many types of threats to safety, security, and privacy, because what you don't know can hurt you. I am going to break the discussion of threats into three groups—physical threats, people-based threats, and software threats collectively known as malware. I will also talk about some mitigation techniques, although most of those will be covered in Chapter 9, “Security Best Practices.”

Before looking at specific types of threats, though, take a step back for just a moment and think about the people making those threats. What are they trying to do and why? After that, you will learn about some of the specific techniques they may use.

Understanding Hacking

Hacking refers to a variety of computer crimes that involve gaining unauthorized access to a computer system or its data, usually with the intent of stealing private information from, or causing harm or embarrassment to, the rightful owner.


The word hacker also has a benign meaning, referring to a computer expert who is thoroughly familiar with, and enthusiastic about, the inner workings of a computer system. This meaning is older, but the newer meaning, which associates the term hacker with criminal activities, is now more prevalent.

Some examples of hacking are as follows:

  • Stealing passwords or personal information
  • Gaining remote access to a server or an operating system
  • Logging in locally and stealing data
  • Changing a website's content
  • Gaining access to the contents of a database (perhaps one that contains passwords or credit card information)
  • Surreptitiously analyzing network traffic
  • Installing software designed to cause harm or steal data
  • Creating a condition in which a computer or network no longer works well
  • Modifying existing software so that it no longer performs as it should or so that it secretly does harmful things in addition to its usual activity

Much of this chapter is devoted to helping you understand how hackers target computer systems to gain access or cause damage. If hackers can gain access to certain system files, for example, they may be able to retrieve the Administrator password for the system. To prevent this type of attack, you might use BIOS-level security to prevent a PC from booting from a disk other than the hard disk.

Wireless networks are great for users, but they also can open up huge security holes on our networks. Hackers may try to connect to your wireless network looking for computers or data that isn't protected. To prevent this type of attack, you can employ wireless networking security techniques, which I introduced in Chapter 5, “Networking Technologies and Wireless Routers,” such as WPA2.

Or perhaps a hacker might take advantage of open network ports to access a computer remotely. Firewalls can help guard against this type of attack. Finally, hackers might install software on your computer that causes damage or causes additional security breaches. The trick is to get you to install it for them without knowing! Anti-malware software can help out in some of these cases, and safe web-browsing and emailing practices can thwart others.

The point is that criminal hackers generally want to make money from their exploits or cause damage to businesses or individuals. The bigger impact they can have, the better. And they have plenty of tools at their disposal. It's time to learn more about specific security threats.


Different Motivations

There are various factions within the hacking community, and they are motivated by different goals. As I mentioned earlier, some are motivated by money or the thrill of causing damage. Within the last few years, you have seen major business hacks make news headlines, such as the Target breach during the 2013 holiday shopping season. In fact, the prevalence of such activities has caused some major news publications to ask, tongue in cheek, who hasn't reported a breach? (Although to be fair, most major retailers have not been hacked—yet.)

Others are motivated by the challenge of getting into a system that is hard to penetrate—literally just so they can say they did it and gain admiration from fellow hackers. These hackers may leave clues to their attack for the hacked network administrators to find, along with helpful suggestions on how to breach the hole they exploited. Still others are interested in doing damage to organizations whose views differ from their own—in a sense they want to make their own political statement.

In fact, within many of the professional hacking circles, the idea of hacking for monetary gain is frowned upon. You won't find these groups trying to steal credit card data—that type of petty criminality is beneath them. They are oftentimes more motivated by moral or political beliefs and trying to expose organizations they consider dishonest or unethical. The WikiLeaks group qualifies here. Their self-reported profile is that they are an “international, non-profit journalistic organization which publishes secret information, news leaks, and classified media from anonymous sources.” Organizations that have had their information published by WikiLeaks definitely call them hackers, but clearly WikiLeaks sees itself in a much more altruistic light.

Understanding Security Threats

If you are walking around in a bad neighborhood at two in the morning, you know to keep your eyes open for anything that might be suspicious or could cause you harm. If you see a creepy-looking person hanging out at the park, you will probably pay extra attention to their actions. And it seems like today when you board an airplane, everyone is eyeing everyone else to see if they're a potential threat. Sometimes it feels easy to identify threats, but of course that's not always the case. It's even harder in the computer world, because the threat could be on the other side of the world and you don't even know it exists.

In this chapter I am going to focus on three different groupings of security threats:

  • Physical security threats
  • People-based security threats
  • Software-based security threats

Each one poses different problems and therefore requires its own mitigation techniques. I will talk some about mitigation here, but the more in-depth conversation on preventing and dealing with threats will be in Chapter 9. The primary goal in this chapter is to raise awareness, so you have an idea of what to look out for.

Physical Security Threats

Organizations lose millions of dollars of equipment every year through thefts and hundreds of millions through the data that goes along with them. Therefore, it's important to secure your computer hardware physically in whatever environment you place it. You also need to take preventive measures to protect your data from physical theft.

Hardware Damage

Within your own company's offices, solutions for securing computers and peripherals focus mainly on securing the environment overall, rather than securing an individual piece of hardware. For example, some possible measures include the following:

  • Requiring a security keycard for access to the office area
  • Having a professional security presence in large organizations
  • Keeping doors and windows locked
  • Being prepared to challenge anyone who isn't normally a part of your work environment

Physically securing your area prevents two types of problems: hardware damage and hardware theft (covered in the next section). If an attacker can get to your computer with a hammer, it doesn't matter how good your firewall is or if you are using the latest and most secure encryption technology. That person can do some damage.

Hardware damage can also be inadvertent. For example, one company I used to work for was having roof repairs done. The workers left it unfinished over the weekend, when there happened to be an unusually heavy rain storm. The roof leaked and water flooded into the server room causing tens of thousands of dollars in damage.

Hardware Theft

The risk of hardware theft varies with the environment, of course. Leaving a laptop unattended at an airport is a very different matter from leaving it unattended in your own office when you go to lunch.

When travelling with a notebook PC or other portable technology device, the emphasis should be placed on the physical security of the individual device. Here are some pointers:

  • Know where the device is at all times—preferably within your sight.
  • Don't leave the device unattended, even for a minute.
  • Carry the device in an unconventional bag, rather than an expensive-looking laptop bag.
  • Install an alarm that beeps if your device gets more than a certain distance away from a transponder that you keep close to you (such as on your keychain or belt).

Mobile devices such as cellphones are even easier for a thief to walk away with. The principles for these devices are the same as other mobile devices, but you need to be even more astute in your defense. It's best to never set your phone down at all.

If you aren't in a secured area (and even if you are), it may be appropriate to use locks and other devices that physically attach the hardware to a desk or other fixed object in order to prevent it from “walking away.” There are various types of locks, cages, and racks designed to make it difficult for someone to remove a computer from its location.

Many notebook computers have a K-slot, which is short for Kensington security slot. Kensington is a company that makes a type of lock that fits into that slot. The lock is then attached to a security cable, and the other end is bolted to the wall or furniture. The locks are secured with either a key or a combination. Figure 8.1 shows an example of a security cable attached to a K-slot on a notebook PC.

FIGURE 8.1 A laptop security cable


Services are available, such as LoJack, that can track stolen hardware via a small radio installed inside the device and disable a stolen computer remotely so the data that resides on it won't be compromised. LoJack functionality comes preinstalled in the BIOS of many major brand-name notebook computers, including Dell, Lenovo, HP, Toshiba, and Fujitsu. The radio-tracking unit comes free with the computer, but you must pay to install and use the software that enables it. You can learn more about this software at http://lojack.absolute.com. In addition, many mobile phones and tablets have built-in “kill switches” that permanently disable the device in the event that it is stolen. The state of California will require that all mobile phones sold in the state as of July 2015 come with the kill switch enabled by default.

Data, Software, and License Theft

You might not think of data theft as a physical issue, but it is. It's true that data can be stolen over networks, but physical security lapses in securing access to computers or storing computer backups is an issue as well. Data theft can cost a company even more than hardware theft in the long run. For any organization, the loss of data can equate to the following:

  • Loss of trust from your customers/clients when they discover that someone else has their personal information
  • Serious embarrassment if there are public media reports that your company has lost control of its data
  • Legal liabilities from either regulatory authorities or angry customers whose data you've compromised
  • Loss of competitive advantage when commercially sensitive data falls into the hands of rivals

A thief doesn't need to steal a computer to steal data; someone can sit down at your computer, plug in a USB memory stick, and be gone with important data files in a couple of minutes. For this reason, some organizations have OS security policies that disable the USB ports on PCs that contain sensitive data.

One way to prevent others from booting from a device other than the hard disk is to modify the BIOS Setup settings so that a password is required to save changes to BIOS Setup. That way, nobody can change the system's boot order to prefer a USB port over the main hard disk.

Locking your computer as you leave your desk (via the OS's lock command), as well as having your screen saver set to resume on password after a short period of time, will help reduce the risk of someone using your computer while you're away. In Exercise 8.1, you will practice setting up a secure screen saver.

EXERCISE 8.1

Securing a Windows 7 PC from Unauthorized Local Use

  1. In Windows 7, right-click the desktop and choose Personalize.
  2. Click Screen Saver. The Screen Saver Settings dialog box opens, like the one in Figure 8.2.
  3. Open the Screen Saver drop-down list, and pick any of the screen savers (for example, Bubbles).
  4. Select the On Resume, Display Logon Screen check box.
  5. In the Wait box, change the value to 1 minute.
  6. Click OK.
  7. Wait 1 minute for the screen saver to start.
  8. Move the mouse to awaken the computer. The logon screen appears.
  9. Click your user account, and retype your password to resume.
  10. Repeat steps 1–7, returning to your previous screen saver settings.
  11. Choose Start ➢ Lock (it's an option that appears when you click the right arrow next to Shut Down). The logon screen appears.
  12. Click your user account, and retype your password to resume.

FIGURE 8.2 Screen Saver Settings


Securing Backup Media

Large companies typically back up their data using their network, with the backups stored on the same type of secure servers on which the data itself resides. However, smaller companies sometimes rely on data backups to external hard disks, optical media, and even memory sticks and tape drives. The data is no safer than the physical safety of these backup devices.

Keep in mind that data can be stolen from backup devices just as easily as from the original storage locations. Physically secure all backup devices and media, both from theft and from accidents and disasters, such as fires and flooding. Data should be stored offsite, in a fireproof safe.

Preventing Software and License Theft

If someone can get to your physical installation media, such as a CD-ROM, they can steal that for their own use. A lot of CD-ROM cases or sleeves will have a sticker with the product's license code on them, meaning that once the physical media is stolen, so is the license. The way to prevent this from happening, of course, is to physically secure the media as well.

If you purchased licenses in bulk, you will get an email with your software license numbers. Protect that file! Don't print off that list and post it anywhere or leave it lying around. Software licenses are expensive and should be guarded.

Dumpster Diving

Although it might sound like a made-up term from Wall Street takeover movies, dumpster diving is a real thing. It is pretty much what it sounds like—people can go through the dumpster, or your garbage, and steal information. In many places there are laws that prohibit such behavior, but we're talking about people who generally ignore such inconveniences anyway.

The best way to avoid being a victim of dumpster diving is to not throw away anything that can cause you problems later. Be sure to shred all papers in a good shredder. When disposing of media such as hard drives or flash drives, reformatting isn't enough to ensure that the data can't be read again. Damaging the drive physically and then taking it to a recycling center is a better way to go. I've seen some professionals recommend opening the case of your hard drives and drilling through the platters to make them completely useless. Whether or not you choose to go that far is up to you. Regardless, ruining the device beyond repair isn't a terrible idea, and you should always recycle old computer parts to dispose of them properly.

Social Engineering

Hackers are more sophisticated today than they were 10 years ago, but then again, so are network administrators. Because most of today's sys admins have secured their networks well enough to make it pretty tough for an outsider to gain access, hackers have decided to try an easier route to gain information: they just ask the network's users for it.

These are relatively low-tech attacks and are more akin to con jobs, so it's rather astounding how often they're successful. If some random person called you up and said, “Give me your bank account number,” there's no way you would provide it. At least I hope not! But if that same someone calls you up and pretends to be a co-worker in a remote office with your company, who really needs help and has a plausible story, then things might be different. These types of attacks are called social engineering.

Social engineering is a process in which an attacker attempts to acquire information about you or your network and system by social means, such as talking to people in the organization. This isn't a new concept—people have been trying to defraud others for centuries. A social engineering attack may occur over the phone, by email, or even in person. The intent is to acquire sensitive information, such as this:

  • User IDs and passwords
  • Preferred email address
  • Telephone numbers and physical addresses
  • Personal information such as date and location of birth, maiden name, or mother's maiden name
  • Other information that can help them guess passwords, such as the school(s) you went to, your favorite sports team, or the type of music you listen to

Social engineering works because the personal touch is often the hardest for people to resist, and because the individuals concerned are normally very good at encouraging you to reveal personal information. It's more difficult when you're unsure if they're genuine—it's unpleasant to mistrust everyone.

Here's how it might work over the phone. Let's say you get a call to your desk at work from “Joe” in IT. He says he's noticed some unusual activity on your network account and wants to check it out, but for security purposes, he needs your permission first. So he proceeds to confirm your login, and then he tells you he needs to enter your password into the network tracker. He asks, “What's your password?” What do you do? To protect yourself from this one, all you need to do is confirm his information and verify it with your IT department before you give him any of your data. Just because “Joe” knows your login doesn't mean he's on the up-and-up.

In fact, if you ever get a call from someone whom you're unsure of, start asking questions: “Who did you say you are? What department? Oh—who is your manager? You know I am kind of busy right now, what number can I call you back at?” Many times once you start asking questions, the person at the other end will figure you're not worth the trouble and will hang up. But even if “Joe” hangs up on you, you should still report the call to IT or security.

How did Joe get your login and telephone number? Maybe he did some network reconnaissance and found a company phone directory on the Web. Even if it isn't published, maybe Joe did some earlier homework by calling one of your coworkers and, pretending to be a colleague at another site, asked for your phone number. But what about the username? On most networks, your username is the same as your email address because that makes things easier for your sys admin. This means that knowing that information is probably just a good guess on the attacker's part. Maybe Joe the Hacker has gotten an email from someone at your company and knows what your email format is, and he may have some other information to help him figure out your network login. And even if the number on your caller ID when Joe called was an internal phone number, it doesn't mean a thing—hackers have software that can allow them to spoof phone numbers.

Exercise 8.2 gives you some good ways to test others on how likely they are to be susceptible to a social engineering attack. The steps are suggestions for tests; you may need to modify them slightly to be appropriate at your workplace. Before proceeding, make certain your manager knows that you're conducting such a test and approves of it.

EXERCISE 8.2

Testing Social Engineering

  1. Call the receptionist from an outside line when the sales manager is at lunch. Tell her that you're a new salesperson, that you didn't write down the username and password the sales manager gave you last week, and that you need to get a file from the email system for a presentation tomorrow. Does she direct you to the appropriate person or attempt to help you receive the file?
  2. Call the human resources department from an outside line. Don't give your real name, but instead say that you're a vendor who has been working with this company for years. You'd like a copy of the employee phone list to be emailed to you, if possible. Do they agree to send you the list, which would contain information that could be used to try to guess usernames and passwords?
  3. Pick a user at random. Call them and identify yourself as someone who does work with the company. Tell them that you're supposed to have some new software ready for them by next week and that you need to know their password to finish configuring it. Do they do the right thing?

The best defense against any social engineering attack is education. Make certain the employees of your company would know how to react to the requests presented here.

The golden rule is don't ever give any of your information or anyone else's to anyone you're not absolutely sure should have it. And if they are someone who should have it, they probably already do, and they shouldn't be contacting you for it!

The social engineering examples so far have been phone-based, but they are more commonly done over email or instant messaging.

Phishing

Phishing is a form of social engineering in which someone uses email to ask you for a piece of information that they are missing by making it look as if it is a legitimate request. The email will often look like it comes from an official source, such as a bank, and will contain some basic information like your name.

These types of messages often state that there is a problem with your account or access privileges. You will be told to click a link to correct the problem. After you click the link—which goes to a site other than the bank's—you are asked for your username, password, account information, and so on. The person instigating the phishing can then use this information to access the legitimate account.


One of the best countermeasures to phishing is to simply mouse over the Click Here link and read the URL. Almost every time, the URL is a lookalike of the legitimate URL rather than a link to the real site.
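The URL check described above can be automated for mail that has already arrived. The following script is an added example and not code from the book: it pulls every link out of an HTML message body, looks only at the real destination host (not the link text), and flags the usual disguises: lookalike domains that merely contain the bank's name, a bare IP address, a `user@` prefix that hides the true host, and non-web schemes. `TRUSTED_DOMAIN` and the sample email are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder: substitute the institution's real domain.
TRUSTED_DOMAIN = "mybank.example"

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def check_link(href, trusted_domain=TRUSTED_DOMAIN):
    """Classify a link destination as 'ok', 'suspicious' or 'unknown' with a reason."""
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower().rstrip(".")
    trusted = trusted_domain.lower()
    brand = trusted.split(".")[0]          # e.g. "mybank"

    if parsed.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parsed.scheme!r}"
    if parsed.username is not None:
        # https://mybank.example@evil.test/ really goes to evil.test
        return "suspicious", "user@ prefix hides the real host"
    if not host:
        return "suspicious", "no host in URL"
    if IPV4.fullmatch(host):
        return "suspicious", "bare IP address instead of a domain name"
    # Only the trusted domain itself or a subdomain of it counts as legitimate.
    if host == trusted or host.endswith("." + trusted):
        return "ok", f"host belongs to {trusted}"
    if brand in host:
        return "suspicious", f"lookalike host {host!r} is not {trusted}"
    return "unknown", f"host {host!r} is unrelated to {trusted}"


class AnchorExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def triage_email(html_body, trusted_domain=TRUSTED_DOMAIN):
    """Return (link text, href, verdict, reason) for each link in the message."""
    parser = AnchorExtractor()
    parser.feed(html_body)
    return [(text, href, *check_link(href, trusted_domain)) for text, href in parser.links]


# Constructed sample message in the style the text describes.
SAMPLE_EMAIL = """
<p>Dear Customer, we detected a problem with your account.</p>
<p><a href="https://mybank.example.account-verify.test/login">Click Here</a> to restore access.</p>
<p>Or <a href="https://mybank.example@203.0.113.9/secure">Verify now</a> by phone.</p>
<p>Questions? See <a href="https://www.mybank.example/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for text, href, verdict, reason in triage_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {text!r:16} -> {href}  ({reason})")
```

The host test is deliberately strict: `mybank.example.account-verify.test` ends in a different registered domain, so the suffix check rejects it even though it starts with the bank's name, which is exactly the pattern the paragraph above warns about.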

The only preventive measure in dealing with social engineering attacks is to educate your users and staff to never give out passwords and user IDs over the phone or via email or to anyone who isn't positively verified as being who they say they are.

When you combine phishing with Voice over IP (VoIP), it becomes known as vishing and is just an elevated form of social engineering. While crank calls have been in existence since the invention of the telephone, the rise in VoIP now makes it possible for someone to call you from almost anywhere in the world, without the worry of tracing, caller ID, and other features of the land line, and pretend to be someone they are not in order to get data from you.

Two other forms of phishing to be aware of are spear phishing and whaling, and they are very similar in nature. With spear phishing, the attacker uses information that the target would be less likely to question because it appears to be coming from a trusted source. Suppose, for example, you receive a message that appears to be from your spouse and it says to click here to see that video of your children from last Christmas. Because it appears far more likely to be a legitimate message, it cuts through your standard defenses like a spear, and the likelihood that you would click the link is higher. Generating the attack requires much more work on the part of the attacker and often involves using information from contact lists, friend lists from social media sites, and so on.

Whaling is nothing more than phishing, or spear phishing, for so-called “big” users, thus the reference to the ocean's largest creatures. Instead of sending out a To Whom It May Concern message to thousands of users, the whaler identifies one person from whom they can gain all the data they want—usually a manager or business owner—and targets the phishing campaign at them.

Shoulder Surfing

One form of social engineering is known as shoulder surfing and involves nothing more than watching someone when they enter their sensitive data. They can see you entering a password, typing in a credit card number, or entering any other pertinent information.


Shoulder surfing is listed under physical security in the exam objectives. It can be considered a physical security risk as well as a form of social engineering.

The best defense against this type of attack is simply to survey your environment before entering personal data. It might also help to orient your screen such that people walking by can't easily see it. If it's impossible to adequately hide the monitor from unauthorized lookers, and if the data on the screen is highly confidential, you may find a screen filter useful. A screen filter (also called a privacy screen) directs the light from the display at a restricted angle so that anyone who isn't viewing it straight on won't be able to read it clearly.


It's common courtesy when someone else is typing in a password to make an obvious effort to look away.


Don't Make It Too Easy

As a teenager, before I got into IT, I was a clerk in a retail store. The company had just opened up a new store, and the store manager, Robert, asked me to come with him to look at an area of the store. During this time, he needed to check something on our computer system (which was new to all of us), so he went to one of the terminals and logged in.

When he typed in his password, I did not make an obvious effort to look away (I didn't know the common courtesy tip yet), but I wasn't exactly trying to look at what he typed, either. I basically just saw his arm movements, and I knew from previous experience that he was a “pecker” (meaning he typed with the index finger on each hand only). What I semi-observed was three slowly typed letters, left-right-left, followed by a pause, and three rapid left keystrokes.

After we took care of our task, I got to thinking about the situation, and quickly realized that he had given me his password—it was his first name! I never did anything with that information, but imagine the access I might have had to the system. I am quite certain that I would have been able to view information that I had no business seeing, had I tried.

There are two big problems in this scenario. First, he clearly was not practicing good password selection (which I'll talk about in detail in Chapter 9), especially considering his level of importance in our company. Second, I should have made the attempt to avoid shoulder surfing. The moral of the story is don't make it too easy for others to hack in on your behalf. Make sure you choose tough passwords, and also make sure that you are aware of your surroundings when entering sensitive information.

Software-Based Security Threats

Software-based threats are by far the widest-ranging group of security threats you need to be worried about. It seems that the creators of malicious software applications have no shortage of imagination. The broad term for software designed to do harm to your computer is malware, and it covers anything installed on a computer without the owner's consent and intended to cause mischief. In the realm of malware, here are most of the categories you need to be aware of:

Exploits These take advantage of flaws in the OS or an application.

Viruses These are used to cause damage and/or disruption.

Worms These are used to transmit malware.

Trojan Horses These are applications that mask their true intent.

Adware These are used to display unwanted advertisements.

Spyware These are used to report on your computer and possibly steal data.

Ransomware These are used to extract payments from the infected user.

Rootkits These conceal themselves on the host OS, allowing for full-control access of the computer at a later date.

Backdoors These open ports or other routes into your system.

Keyloggers These record every keystroke and then use that data for identity theft.

In the following sections, you'll learn more about each of these types of malware. In addition, you will learn about spam and password cracking. The last two don't technically qualify as malware because most of the time they're not software installed on an unsuspecting user's computer. They are horribly annoying, though, so they deserve to be covered here as well.

OS and Application Exploits

All OSs and applications have potential vulnerabilities that criminals can exploit. A vulnerability exists when flaws in the programming create the potential for misuse, an attacker is aware of the flaw, and a tool or technique that the attacker can use to exploit that vulnerability for malicious purposes is readily available. When criminals use a vulnerability to attack a system, it's called an exploit.

Although some OSs are considered to be more secure than others, the reality is that all OSs have weaknesses that, when discovered, are exploited. To guard against exploits, operating systems have mechanisms to update and patch themselves automatically as programmers become aware of vulnerabilities. That's why it's important to download and install all available updates and service packs for your OS promptly. Refer back to Chapter 4, “Software Applications,” for details on Windows Update.


My Mac Is Safe from Viruses, Right?

A common misperception among computer users is that Windows is the only operating system that is vulnerable to viruses or other malware attacks. It's not true.

Mac and Linux systems aren't immune to malware attacks, but Windows systems do run a greater risk of infection. There are two reasons for this. The first is that some hackers have an axe to grind against Microsoft, so that's who they target. The second and biggest reason, though, is because of the popularity of Windows. It's by far the most widely used OS, so any financial gain a criminal might get from malware would be maximized by targeting Windows systems.

Applications can be exploited too, and in practice they often are: an attacker doesn't need to break the operating system if a flaw in a program the user opens files with will do the job. Widely used applications such as Microsoft Office, web browsers and their plug-ins, and PDF readers are the most frequent targets of application exploit attempts, because a single flaw in them reaches the most victims.

As an application or OS ages, more and more security patches become available for it, to the point that rolling them all out individually to users becomes unwieldy. At that point, the OS or application manufacturer typically releases a service pack. A service pack is a collection of critical updates (and sometimes minor enhancements) that are released as a group. A service pack is much like a regular update except that it takes longer to download and install, and you can't usually remove it after installing it.

Viruses

A virus is computer code that inserts itself into an executable file. When that file is run, the virus's code executes along with the application's code. The virus hides itself inside its host file, so it's not obvious that it's there. A virus's code can cause all manner of mischief, from annoying but harmless things like displaying a message, to really destructive things like deleting all files of a certain type or causing your OS to stop working. Most viruses also have a self-replicating component that causes them to spread from one executable file to another. Typically the virus's code stays resident in memory (RAM) after the infected file runs, and from there it attaches itself to other executable files as they are opened or executed.

Many other types of malware are often called viruses as well, even though they are not because they don't hide themselves in executable code. Instead they may be worms or Trojan horses, which will be explained in later sections.

Viruses can be classified as polymorphic, stealth, retrovirus, multipartite, armored, companion, phage, and macro viruses. Each type of virus has a different attack strategy and different consequences.


Estimates for losses due to viruses are in the billions of dollars. These losses include financial loss as well as lost productivity.

The following sections introduce the symptoms of a virus infection, explain how a virus works, describe the types of viruses you can expect to encounter and how they generally behave, and show how a virus is transmitted through a network.

Symptoms of a Virus/Malware Infection

Many viruses will announce that you're infected as soon as they gain access to your system. They may take control of your system and flash annoying messages on your screen or destroy your hard disk. When this occurs, you'll know that you're a victim. Other viruses will cause your system to slow down, cause files to disappear from your computer, or take over your disk space.

You should look for some of the following symptoms when determining if a malware or virus infection has occurred:

  • The programs on your system start to load more slowly. This happens because the virus is spreading to other files in your system or is taking over system resources.
  • Unusual files appear on your hard drive, or files start to disappear from your system. Many viruses delete key files in your system to render it inoperable.
  • Program sizes change from the installed versions. This occurs because the virus is attaching itself to these programs on your disk.
  • Your browser, word-processing application, or other software begins to exhibit unusual operating characteristics. Screens or menus may change.
  • The system mysteriously shuts itself down or starts itself up and does a great deal of unanticipated disk activity.
  • You mysteriously lose access to a disk drive or other system resources. The virus has changed the settings on a device to make it unusable.
  • Your system suddenly doesn't reboot or gives unexpected error messages during startup.

This list is by no means comprehensive. What is an absolute, however, is the fact that you should immediately quarantine the infected system. It is imperative that you do all you can to contain the virus and keep it from spreading to other users, or other computers if you are on a network.
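Two of the symptoms above, program sizes changing and files appearing or disappearing, can be turned into something you can actually check rather than notice by luck. Here is an added example (not code from the book) of a minimal file-integrity baseline in Python: it records a SHA-256 hash and size for every file under a directory, stores that manifest, and later reports what was modified, added, or removed. The directory, file names and file contents are constructed for the demonstration.

```python
"""Added example: a minimal file-integrity baseline (SHA-256 per file).

Not code from the book. Paths, file names and contents below are constructed
for the demonstration; point build_baseline() at a real program directory to
use it for real.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large executables don't fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Map every file under root (relative path, '/'-separated) to its hash and size."""
    baseline: Dict[str, dict] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(full), "size": os.path.getsize(full)}
    return baseline


def save_baseline(baseline: Dict[str, dict], path: str) -> None:
    with open(path, "w") as handle:
        json.dump(baseline, handle, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, dict]:
    with open(path) as handle:
        return json.load(handle)


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Report files whose hash changed, files not in the baseline, and files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current
                           and baseline[p]["sha256"] != current[p]["sha256"]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Baseline two fake programs, simulate an infection, re-check. Everything is constructed."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        for name, body in (("bin/editor.exe", b"MZ editor v1.0"),
                           ("bin/viewer.exe", b"MZ viewer v1.0")):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(body)

        manifest = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), manifest)

        # Constructed "infection": a file infector appends code to editor.exe,
        # a companion file with a different extension appears, viewer.exe is deleted.
        with open(os.path.join(root, "bin/editor.exe"), "ab") as handle:
            handle.write(b"\x90" * 64)
        with open(os.path.join(root, "bin/editor.com"), "wb") as handle:
            handle.write(b"companion")
        os.remove(os.path.join(root, "bin/viewer.exe"))

        return compare(load_baseline(manifest), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Take the baseline right after a clean install and keep the manifest and the tool on read-only or offline media. A stealth virus that intercepts file reads (see the Stealth Virus entry below) can hand the scanner the original bytes, so the comparison you trust is the one run from a clean boot disk, not from the possibly infected system itself.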

How Viruses Work

A virus, in most cases, tries to accomplish one of two things: render your system inoperable or spread to other systems. Many viruses will spread to other systems given the chance and then render your system unusable. This is common with many of the newer viruses.

If your system is infected, the virus may try to attach itself to every file in your system and spread each time you send a file or document to other users. Figure 8.3 shows a virus spreading from an infected system either through a network or by removable media. When you give removable media to another user or put it into another system, you then infect that system with the virus.

FIGURE 8.3 Virus spreading from an infected system


Many viruses today are spread using email. The infected system attaches a file to any email that you send to another user. The recipient opens this file, thinking it's something you legitimately sent them. When they open the file, the virus infects the target system. The virus might then attach itself to all the emails the newly infected system sends, which in turn infects computers of the recipients of the emails. Figure 8.4 shows how a virus can spread from a single user to literally thousands of users in a very short time using email.

FIGURE 8.4 Email viruses can spread quickly.


Types of Viruses

Viruses take many different forms. The following list briefly introduces these forms and explains how they work.

These are the most common types of viruses, but this isn't a comprehensive list:

Armored Virus An armored virus is designed to make itself difficult to detect or analyze. Armored viruses cover themselves with protective code that stops debuggers or disassemblers from examining critical elements of the virus. The virus may be written in such a way that some aspects of the programming act as a decoy to distract analysis while the actual code hides in other areas in the program.

From the perspective of the creator, the more time it takes to deconstruct the virus, the longer it can live. The longer it can live, the more time it has to replicate and spread to as many machines as possible. The key to stopping most viruses is to identify them quickly and educate administrators about them—the very things that the armor makes difficult to accomplish.

Companion Virus A companion virus doesn't modify the legitimate program at all. Instead it creates a second file with the same base name but a different filename extension, or places a file with the same name in a directory that is searched earlier, so that the companion is what the operating system finds and runs when a user types the program's name. In MS-DOS, for example, PROGRAM.COM is run in preference to PROGRAM.EXE, so dropping a malicious PROGRAM.COM next to the real PROGRAM.EXE is enough. This effectively hides the virus from the user: the companion performs its dirty deed and then starts the real program so nothing looks wrong.

Macro Virus A macro virus exploits the automation features built into many application programs, such as Microsoft Word and Excel. Word, for example, supports Visual Basic for Applications (VBA), a scripting language that lets a document carry small programs, called macros, that run automatically when the document is opened or edited. A legitimate macro might tell your word processor to spell-check your document automatically when it opens; a malicious one can infect every document on your system and spread to other systems via email or other methods. Macro viruses remain one of the most common ways a malicious document delivers its payload, which is why Office warns before it will run the macros in a file.

Multipartite Virus A multipartite virus attacks your system in multiple ways. It may attempt to infect your boot sector, infect all of your executable files, and destroy your application files. The hope here is that you won't be able to correct all the problems and will allow the infestation to continue. The multipartite virus depicted in Figure 8.5 attacks a system's boot sector, infects application files, and attacks Word documents.

FIGURE 8.5 A multipartite virus attacking a system


Phage Virus A phage virus alters other programs and databases. The virus infects all of these files. The only way to remove this virus is to reinstall the programs that are infected. If you miss even a single incident of this virus on the victim system, the process will start again and infect the system once more.

Polymorphic Virus Polymorphic viruses change form to avoid detection. These types of viruses attack your system, and may display a message on your computer and also delete files, but their defining feature is the effort they put into hiding from your antivirus software. Frequently, the virus encrypts most of its own body with a key that differs from one copy to the next and prepends a small decryption routine; because the encrypted bytes differ every time, there is no fixed byte pattern for a scanner to match. This changing of form is referred to as mutation. The mutation process makes it hard for antivirus software to detect common characteristics of the virus. Figure 8.6 shows a polymorphic virus changing its characteristics to avoid detection. In this example, the virus changes a signature to fool antivirus software.

FIGURE 8.6 The polymorphic virus changing its characteristics


A signature is a byte pattern, checksum, or other element of a virus that uniquely identifies it. Because some viruses can alter their signature, and because new viruses appear every day, it is crucial that you keep signature files current, whether you choose to manually download them or configure the antivirus engine to do so automatically.
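The Polymorphic Virus entry and the signature note above describe the cat-and-mouse game in words; the added example below (not code from the book) shows it in a few lines of Python. A constructed, harmless text "body" stands in for the virus, a toy polymorphic engine encrypts it with a different XOR key per copy behind a constant decryptor stub, and three detection strategies are run against the result: a static byte signature of the body, a wildcard pattern for the decryptor stub (the part that cannot change much), and emulation, where the scanner runs the decryptor first and then applies the static signature to what comes out. The payload, stub format and signatures are all constructed for the demo.

```python
"""Added example: why a fixed byte signature misses a polymorphic virus, and what
scanners do about it. Not code from the book; the "payload", the stub format and
the signatures are constructed for the demo and are harmless text.
"""
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for a virus body. A real one would be machine code.
PAYLOAD = b"ECHO VIRUS: this text stands in for the virus body"

# What a naive scanner keys on: a byte string that appears verbatim in the body.
STATIC_SIGNATURE = b"ECHO VIRUS"

STUB_HEAD = b"STUB"      # constructed decryptor stub: STUB <key> \x00 LOOP
STUB_TAIL = b"\x00LOOP"
STUB_LEN = len(STUB_HEAD) + 1 + len(STUB_TAIL)


def polymorphic_encode(payload: bytes, key: int) -> bytes:
    """Mimic a polymorphic engine: a constant decryptor stub carrying the per-copy
    key, followed by the body XORed with that key. Every copy built with a
    different key has different body bytes."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 would leave the body unencrypted")
    stub = STUB_HEAD + bytes([key]) + STUB_TAIL
    body = bytes(b ^ key for b in payload)
    return stub + body


def emulate_decryptor(sample: bytes) -> bytes:
    """Do what an antivirus emulator does: run the decryptor to recover the body."""
    key = sample[len(STUB_HEAD)]
    return bytes(b ^ key for b in sample[STUB_LEN:])


def matches_static(sample: bytes) -> bool:
    return STATIC_SIGNATURE in sample


# Pattern with a wildcard (None) where the key byte sits. The decryptor is the
# part of a polymorphic virus that stays recognisable, so scanners target it.
STUB_PATTERN: List[Optional[int]] = list(STUB_HEAD) + [None] + list(STUB_TAIL)


def matches_pattern(sample: bytes, pattern: List[Optional[int]]) -> bool:
    width = len(pattern)
    for start in range(len(sample) - width + 1):
        if all(want is None or sample[start + i] == want
               for i, want in enumerate(pattern)):
            return True
    return False


def scan(sample: bytes) -> Dict[str, bool]:
    """Three detection strategies against one sample."""
    stub_seen = matches_pattern(sample, STUB_PATTERN)
    return {
        "static_signature": matches_static(sample),
        "decryptor_pattern": stub_seen,
        "emulated_then_signature": stub_seen and matches_static(emulate_decryptor(sample)),
    }


def detection_counts(keys: Iterable[int]) -> Dict[str, int]:
    """How many of the variants (one per key) each strategy catches."""
    counts = {"static_signature": 0, "decryptor_pattern": 0, "emulated_then_signature": 0}
    for key in keys:
        for name, hit in scan(polymorphic_encode(PAYLOAD, key)).items():
            counts[name] += int(hit)
    return counts


if __name__ == "__main__":
    print("plain body:  ", scan(PAYLOAD))
    print("one variant: ", scan(polymorphic_encode(PAYLOAD, 0x5A)))
    print("255 variants:", detection_counts(range(1, 256)))
```

The static signature catches the unencrypted body and none of the 255 encrypted variants; the stub pattern and the emulate-then-match strategy catch all of them. Real polymorphic engines also vary the decryptor itself (reordering instructions, inserting junk), which is what pushes scanners toward emulation and behaviour monitoring rather than byte matching alone.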

Retrovirus A retrovirus attacks or bypasses the antivirus software installed on a computer. You can consider a retrovirus to be an anti-antivirus. Retroviruses can directly attack your antivirus software and potentially destroy the virus definition database file. Destroying this information without your knowledge would leave you with a false sense of security. The virus may also directly attack an antivirus program to create bypasses for itself.

Stealth Virus A stealth virus attempts to avoid detection by masking itself from applications. It may attach itself to the boot sector of the hard drive. When a system utility or program runs, the stealth virus redirects commands around itself to avoid detection. An infected file may report a file size different from what is actually present. Figure 8.7 shows a stealth virus attaching itself to the boot sector to avoid detection. Stealth viruses may also move themselves from file A to file B during a virus scan for the same reason.

FIGURE 8.7 A stealth virus hiding in a disk boot sector


Virus Transmission in a Network

Upon infection, some viruses destroy the target system immediately. The saving grace is that the infection can be detected and corrected. Some viruses won't destroy or otherwise tamper with a system; they use the victim system as a carrier. The victim system then infects servers, file shares, and other resources with the virus. The carrier then infects the target system again. Until the carrier is identified and cleaned, the virus continues to harass systems in this network and spread.

Viruses are detected and removed using antivirus software, which I will cover in depth in Chapter 9.

Worms

A worm differs from a virus in that it is self-contained: it doesn't need to attach itself to a host file to be transported, and it reproduces and spreads on its own. Many of the so-called viruses that have made the news were actually worms. A worm can also contain or deliver other malware to a target system; that additional malware is called a payload.

Worms can be active or passive: active worms self-transport without human intervention, whereas passive worms rely on the user's innocence to transport themselves from one location to another, normally through email or social engineering. Active worms use email, vulnerabilities in your OS, TCP/IP, and Internet services to move their payload around a network infrastructure. Most antivirus programs can detect and remove worms.

Trojan Horses

A Trojan horse (often known as a Trojan) is a rogue application that enters the system or network disguised as another program. Some will pretend to offer services that you want. For example, one insidious type of Trojan horse is a program that claims to scan your system for malware but instead causes system problems (which it tries to get you to pay to get rid of) or installs its own malware, such as a keylogger. A keylogger records all keystrokes and sends the information to a file or to a remote location. The hacker can get your usernames and passwords that way and use them to impersonate you.

Trojan horse programs don't replicate themselves, so they aren't viruses, technically speaking. They spread because people run them: a download that looks like a useful utility, an email attachment, a cracked copy of a commercial program. Worms sometimes drop Trojans as their payload. Most antivirus programs can detect and remove Trojan horses.

Adware

Adware is a category of application that displays unasked-for ads on your computer. The most common type of adware comes in the form of an add-on toolbar for your web browser that supposedly provides “advanced” or “helpful” search services, but that also has the side effect of causing pop-up ads to appear whenever you use your web browser. Adware makers make money when people click the ads they display.

Strictly speaking, not all adware is illegal, and not all adware makers are involved in criminal activity. If you're seduced into downloading a particular web toolbar or application, and then you aren't happy with what it does, or there are too many ads to make it worth the value you're getting from it, you're free to remove it. Removal may not be easy, though; the uninstall option for the toolbar may or may not appear in the Control Panel in Windows, and you may need to connect to a website or go through some extra steps to complete the removal.

Some adware is an out-and-out annoyance, with no pretense of being anything else. Such programs are typically very difficult to remove, much like a virus infection. Your antivirus software may be of some help; you also may need to do a web search on the removal process to find Registry-editing instructions to help you stamp out the adware.

Spyware

Spyware is software that (usually secretly) records your computer usage. Keyloggers are a form of spyware; so are programs that track the websites you visit and what ads you click and send that information back to their owners. Spyware makers get revenue from collecting consumer marketing data, either specifically about you or about all users in general. Installing spyware without the user's informed consent is illegal in most places; it works surreptitiously and can be difficult to remove.

Spyware isn't self-replicating, and it relies on low-level social engineering to spread. The most common way to get infected with spyware is to install a free application from a website. Be very careful what sites you use to download executable files! Another way to get spyware is to run an ActiveX or Java component on a website you visit. A website may seem like a good deal because it's free, but there are many unscrupulous site owners, particularly in the adult entertainment industry, who exploit site visitors by infecting their computers with spyware or adware.

Some antivirus software detects and removes spyware. There are also applications designed specifically to remove spyware and adware from your system, such as Windows Defender (which was discussed in Chapter 4).

Ransomware

Ransomware is a particularly insidious type of malware that extorts the infected users for money. Even though it's been around since 1989, it has only become widespread since about 2012. Generally contracted through a Trojan, a malicious email attachment, or an exploit in software such as the Flash Player browser plug-in, the ransomware pops up a message telling the user to pay up or else.

Some ransomware tries to look official. For example, one version attempted to look like an official notice from a police group, stating that the user had been in violation of several laws and needed to pay a fine to have the issue resolved. Others are far more direct—they will encrypt files on your hard drive and tell you that if you want them back, you'll pay the money. This type of threat is called cryptoviral extortion. The ransomware will give you a handy link to pay the fine, which redirects you to another site to enter your payment information.

Of course, this starts to introduce other problems. Clicking the link to visit the website means that other malware can be loaded onto your system, such as a rootkit, spyware, or keylogger. And, the hackers will give you the convenient option of entering your credit card information to pay them off. What could go wrong there?

Fortunately, up-to-date antivirus software blocks many known ransomware families before they run. If you are infected and your files are locked or encrypted, your only recourse may be to wipe your system and restore from backup, and that works only if the backup was kept offline or otherwise out of the malware's reach: ransomware encrypts attached backup drives and mapped network shares along with everything else, so a backup that was connected at the time of infection may be just as lost.

Rootkits

Rootkits are software programs that have the ability to hide certain things from the operating system; they do so by obtaining (and retaining) administrative-level access. With a rootkit, there may be a number of processes running on a system that don't show up in Task Manager or network connections that don't appear in networking tools—the rootkit masks the presence of these items. It does this by manipulating the operating system to filter out information that would normally appear.

Unfortunately, many rootkits are written to get around antivirus and antispyware programs that aren't kept up to date. The best defense you have is to monitor what your system is doing and catch the rootkit in the process of installation.


In UNIX systems, root is the name of the all-powerful administrator account. The term rootkit was coined because it's a tool that gives you root-level access to a system.

Backdoors

A backdoor is a method of circumventing the normal authentication on a computer. Instead of needing the legitimate password, an attacker who knows the backdoor can log in with a hidden, hard-coded credential, or with no credentials at all. Backdoors can be stand-alone programs or can be built into other malware such as rootkits or worms.

Another source of backdoor issues is user error. Not changing a default password can allow for unauthorized access. In addition, debugging routines built into software, and not removed before release into production, can sometimes function as backdoors as well.

Spam

Spam is different than the software-based threats I've covered so far, because it's not software that gets installed on your computer. Rather, spam is the deluge of unsolicited messages that you receive electronically. Most spam comes via email, but it can be generated in instant messaging, blogs, online classifieds, mobile phones, Internet forums, and message groups.

Most spam is advertisements, and there is little or no cost for the spammers to send these types of messages. All the spammer needs is a program to generate the spam (called a spambot) and email lists. There is cost for Internet service providers, businesses, and users, though, because ISPs and businesses need to install and maintain hardware or software solutions to deal with the volume. It's estimated that over nine trillion spam messages get sent per year. Clearly, legislation that has made spam illegal in many areas has not had much effect.

In addition, while a large percentage of spam is advertising, a lot of it is purely an attempt to defraud people who click links inside the note. While it's becoming more common for users to realize that clicking a link in an email from someone you don't know is a no-no, it still happens. In addition, spammers can often make the emails look like they come from a legitimate source, such as a real business, your ISP, or even a contact in your mailing list, making it more likely that someone will click a link and download a virus or other malware.

In addition to email spam, someone who posts the same message repeatedly in an online forum is considered a spammer. Their goal is usually to be obnoxious and hijack the thread or conversation for some reason.

The best way to deal with spam that gets into your inbox is to delete it without clicking anything in it. Most email clients have a junk mail or spam filter, and flagging a message as spam both moves it out of the way and trains the filter, so future mail from that sender, or with similar content, goes straight into your junk email or spam folder.

Password Cracking

Most of us are used to typing in passwords, probably several times a day. It's kind of a fact of life that you need a username and password to get to most of your resources. Of course, there are people out there who would love to gain unauthorized access to your data as well, and one way they can do that is by attempting to crack your password.

Password cracking can take many forms. Perhaps the easiest is for the attacker to try the default password for a device or service. If the attacker knows your password for a different resource or website, they can try that one too, because a lot of us reuse our passwords across different sites. A third way is to guess passwords based on things they know about you, such as children's or pets' names, favorite teams or music, important dates, and things like that. Closely related is the dictionary attack, in which an automated program tries a long list of common words and previously leaked passwords, with the usual substitutions and suffixes added. Finally, there's the brute-force method: the program systematically tries every possible combination of characters until one matches. Given enough time it will succeed, and it doesn't take as much time as you might think. A regular desktop or laptop outfitted with password-cracking software can test roughly three billion guesses per second against a fast, unsalted password hash. At that rate every 8-character password built from lowercase letters and digits (36^8, about 2.8 trillion combinations) falls in about 15 minutes. Adding uppercase letters and symbols raises the space to 95^8, about 6.6 quadrillion, which takes the same machine around 25 days; a computer built specifically for password cracking, at about 90 billion guesses per second, gets through it in under a day. Every character you add multiplies the work, which is why length does more for you than any single clever substitution.
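As an added example (not from the book), here is the arithmetic behind the guess-rate figures above, carried a little further than the text: it tabulates how long the two quoted machines need to exhaust every password of a given length for several character sets, then runs a small dictionary attack and a small brute-force attack against a constructed SHA-256 password hash to show what separates the two methods. The word list, the hashes, and the password-store format are constructed for the demonstration; the guess rates are the ones quoted in the text.

```python
"""Added example: the arithmetic behind password-cracking times, plus a small
offline dictionary and brute-force attack against a hash. Not code from the
book. The guess rates are the figures quoted in the text; the "stolen" hashes
and the word list are constructed for the demonstration.
"""
import hashlib
import itertools
import string
from typing import Dict, Iterable, Optional

CHARSETS: Dict[str, int] = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "mixed case+digits+symbols": 95,   # all printable ASCII
}

DESKTOP_RATE = 3e9      # guesses per second, ordinary PC (figure from the text)
CRACKER_RATE = 90e9     # guesses per second, purpose-built cracking machine

LOWER_DIGITS = string.ascii_lowercase + string.digits


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst case: every password in the space is tried once."""
    return keyspace(charset_size, length) / rate


def human(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def crack_table(length: int) -> Dict[str, Dict[str, str]]:
    """Time to exhaust each character set at the two quoted rates."""
    return {name: {"desktop": human(seconds_to_exhaust(n, length, DESKTOP_RATE)),
                   "cracker": human(seconds_to_exhaust(n, length, CRACKER_RATE))}
            for name, n in CHARSETS.items()}


# --- offline attack against a stolen hash (constructed, weak password store) ---

def store_password(password: str, salt: bytes = b"") -> str:
    """Plain SHA-256, the kind of fast hash the rates above assume."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_attack(target: str, words: Iterable[str], salt: bytes = b"") -> Optional[str]:
    """Try each word plus the usual mangling: capitalised, digits or '!' appended."""
    for word in words:
        for base in (word, word.capitalize()):
            for suffix in ("", "1", "123", "!"):
                candidate = base + suffix
                if store_password(candidate, salt) == target:
                    return candidate
    return None


def brute_force(target: str, alphabet: str, max_length: int, salt: bytes = b"") -> Optional[str]:
    """Systematically try every string up to max_length; this is what 'brute force' means."""
    for length in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if store_password(candidate, salt) == target:
                return candidate
    return None


if __name__ == "__main__":
    for name, row in crack_table(8).items():
        print(f"{name:28s} desktop {row['desktop']:>14s}   cracker {row['cracker']:>14s}")
    words = ["letmein", "password", "fluffy", "dragon"]      # constructed word list
    print(dictionary_attack(store_password("Fluffy123"), words))
    print(brute_force(store_password("x7q"), LOWER_DIGITS, 3))
```

Two things the table hides. The rates assume a fast, unsalted hash such as MD5 or SHA-1; a deliberately slow, per-user-salted algorithm such as bcrypt cuts them by orders of magnitude, and the salt stops one precomputed table from cracking every account at once. And an online login form with a lockout never lets an attacker anywhere near these speeds, which is why these attacks are run offline against a stolen copy of the password hashes.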


Password-cracking software is not illegal, and in fact there are many legal uses of it. If you have lost or need to reset a password, this type of software can be very helpful. Trying to get into a system you don't own is illegal, though.

Fortunately, most websites and computer systems limit the number of login attempts that can be tried before the account is locked, usually around five, which stops guessing done against the live login screen. It doesn't help when the attacker has obtained a copy of the stored password hashes and is cracking them offline on their own hardware, which is the situation the guess rates above describe. Regardless, don't make it easy on someone to guess your password. You will learn more about specific steps to take for good password management in Chapter 9.

Summary

This chapter attempted to make you paranoid by introducing you to security threats that you can face every day. It started off with a discussion on hackers and the type of information they try to steal or the damage they try to cause.

The first group of threats you learned about were physical threats. For example, if an attacker can physically get to your hardware, they could damage the device to make it unusable or steal the device to either sell it to someone else or attempt to steal data from the device. Data, software, and software licenses are also targets of thieves looking to make money. Some attackers will go as far as to sift through garbage, called dumpster diving, in an attempt to gain unauthorized access to information.

The second type of threats you learned about are ones that use people as targets. The broad classification of these threats is social engineering. It preys upon people's desires to be helpful to others, which unfortunately makes them easy targets for attackers pretending to be someone they're really not. One common way social engineering is done is over the phone. If the attempt is made over email it's referred to as phishing. A third social engineering method is to simply look over someone's shoulder, which is appropriately called shoulder surfing.

Software-based threats are the third group you learned about. This is the largest group, and the list of possible maladies is long: exploits, viruses, worms, Trojans, adware, spyware, ransomware, rootkits, backdoors, and keyloggers are all types of malware that affect your computer. In addition to that, spam and password cracking can also threaten your computer's security.

Exam Essentials

Understand what physical security threats to be aware of. Physical threats include hardware damage and theft, software and license theft, and dumpster diving. The exam objectives also list shoulder surfing as a physical threat, but that can also be considered social engineering.

Know what social engineering is. Social engineering is preying upon people to provide information that will allow an attacker to gain access. This is often done over the phone. Email social engineering is called phishing.

Understand the different types of malware that can affect your computer. Malware includes operating system and application exploits, viruses, worms, Trojan horses, adware, spyware, ransomware, rootkits, backdoors, and keyloggers.

Understand why spam and password cracking are security threats. Spam can be simply annoying, or it can contain viruses or other malware that get downloaded to your computer when you click a link. Password cracking is an attempt to gain unauthorized access to a system.

Chapter 8 Lab

Chapter 8 introduced a large number of threats to your computer's security. Most threats are in the malware group, and new viruses and threats are released on a regular basis to join the cadre of those already in existence. It's a good idea to be aware of the threats that are out there and keep up to date on new ones being introduced into the wild.

One great source to find this information is the CERT/CC Current Activity web page at www.us-cert.gov/current/current_activity.html. Here you'll find a detailed description of the most current viruses as well as links to pages on older threats. You can also find updates on most anti-malware companies' websites, such as www.symantec.com (for Norton Security) and www.mcafee.com. Google searches can also make you aware of threats or provide news on recent attacks.

Here are a few specific questions for you to answer:

  1. Pick a recent date. How many viruses and malware were “discovered” on that date? (Alternate question: how many were added to your antivirus program on a given date?)
  2. Are there any serious security threats currently?
  3. Which virus or worm caused the most damage in history? How many computers did it infect and how fast did it spread?
  4. Can you find example names of some different types of viruses? Choose a few, such as a polymorphic virus, a boot virus, and a multipartite virus.
  5. What is the most popular ransomware in history?
  6. What is the name of the most common backdoor you can find?
  7. What are examples of password-cracking software?

Review Questions

  1. Which of the following are activities that a hacker might attempt?
    1. Stealing usernames and passwords
    2. Modifying website content
    3. Disrupting network communications
    4. Analyzing network traffic
    5. All of the above
  2. You receive a security warning from your antivirus software provider stating that a new virus is directly attacking the antivirus software. What type of virus is this?
    1. Macro
    2. Phage
    3. Retrovirus
    4. Armored
  3. Which of the following are considered physical security risks? (Choose two.)
    1. Hardware theft
    2. Password cracking
    3. Phishing
    4. Software theft
  4. What is the name of an application that appears to look like a helpful application but instead does harm to your computer?
    1. Virus
    2. Worm
    3. Malware
    4. Trojan horse
  5. Someone was recently caught sifting through your company's trash looking for confidential information. What is this an example of?
    1. Trash snooping
    2. Dumpster diving
    3. Phishing
    4. Social engineering
  6. IT security recently found a program on your co-worker's computer that apparently tracked all of the words that they typed into the computer. What kind of malware is this?
    1. Keylogger
    2. Keyblogger
    3. Trojan horse
    4. Keystroke virus
  7. You have been asked to lead a class on preventing social engineering. What two topics should you be sure to cover? (Choose two.)
    1. Viruses and worms
    2. Shoulder surfing
    3. Hardware theft
    4. Phishing
  8. What type of malware is best known for carrying other malware as a payload?
    1. Virus
    2. Worm
    3. Trojan horse
    4. Rootkit
  9. You receive an email from your bank, telling you that your account has been compromised and you need to validate your account details or else your account will be closed. You are supposed to click a link to validate your information. What is this an example of?
    1. A security breach at your bank that needs to be resolved
    2. Spam
    3. Ransomware
    4. Phishing
  10. Rose just installed a new search engine on her laptop. Now whenever she searches the Internet, she gets several pop-up windows directing her to websites to buy products. What does Rose have?
    1. Ransomware
    2. Spyware
    3. Adware
    4. Trojan horse
  11. What is it called when a co-worker sitting next to you always seems to look your way when you try to enter your user ID and password to log onto the network?
    1. Phishing
    2. Social engineering
    3. Shoulder surfing
    4. Coincidence
  12. The system administrator in your office quits unexpectedly in the middle of the day. It's quickly apparent that he changed the server password and no one knows what it is. What might you do in this type of situation?
    1. Use a Trojan horse to find the password
    2. Use a password cracker to find the password
    3. Use social engineering to find the password
    4. Delete and reinstall the server
  13. Which of the following operating systems are susceptible to viruses?
    1. Windows
    2. Windows and Mac OS X
    3. Windows, Mac OS X, and Linux
    4. Windows, Mac OS X, Linux, and Android
  14. What type of software is used to circumvent normal security processes on a computer?
    1. Backdoor
    2. Trojan horse
    3. Spyware
    4. Phage virus
  15. A virus that covers itself in protective code, making it harder to find and eradicate, is called what?
    1. Stealth virus
    2. Polymorphic virus
    3. Armored virus
    4. Trojan horse
  16. You were browsing the Web on a questionable website, and now you get a pop-up window stating that if you do not pay $100 within one hour, all files on your computer will be destroyed. What is this an example of?
    1. Heistware
    2. Theftware
    3. Extortionware
    4. Ransomware
  17. You believe that your computer has contracted a virus that has affected your Excel files only. What type of virus is most likely to do this?
    1. Macro
    2. Retrovirus
    3. Phage
    4. Excel virus
  18. What does the term spam refer to in computing?
    1. Excessive pop-up windows
    2. Unsolicited emails
    3. Social engineering attempts
    4. Installing malware on a computer
  19. If a virus attacks the boot sector of your hard drive as well as files in the file system, what type of virus is it?
    1. Polymorphic
    2. Multipartite
    3. Companion
    4. Macro
  20. David just heard of a program that if installed on your computer gives the attacker administrator-like access to your machine. What type of software is he talking about?
    1. Trojan horse
    2. Spyware
    3. Ransomware
    4. Rootkit