Today, both the Internet and corporate intranets are crawling with people from all walks of life who are continuously testing the security of various systems and networks. Some of these people are seeking some sort of intellectual high, while others are fueled by more treacherous motives such as revenge or stealing for profit. An attacker may try several different approaches to gain access to your system, cause you some kind of disruption, or take over your system. In this paper we will discuss a few of the problems associated with computer security in the twenty-first century, best system practices, and some ways you can prevent intrusion-related problems.
Data in an IT system is at risk from various sources: user errors, viruses, and malicious and non-malicious attacks. Accidents can occur, and attackers can gain access to the system and disrupt services, render systems useless, or alter, delete, or steal information.
An IT system may need protection for one or more of the following aspects of data:
o Confidentiality. The system contains information that requires protection from unauthorized disclosure. Examples: timed-dissemination information (for example, crop report information), personal information, and proprietary business information.
o Integrity. The system contains information that must be protected from unauthorized, unanticipated, or unintentional modification. Examples: census information, economic indicators, or financial transaction systems.
o Availability. The system contains information or provides services that must be available on a timely basis to meet mission requirements or to avoid substantial losses. Examples: systems critical to safety, life support, and hurricane forecasting.
Security administrators need to decide how much time, money, and effort should be spent to develop the appropriate security policies and controls. Each organization should analyze its specific needs and determine its resource and scheduling requirements and constraints. Computer systems, environments, and organizational policies differ, making each organization's computer security services and strategy unique. Although a security strategy can save an organization valuable time and provide important reminders of what needs to be done, security is not a one-time activity; it is an integral part of the system lifecycle, since at any moment a system can be rendered useless by a viral infection, making all existing plans obsolete.
Viruses
Boot sector viruses
Boot sector viruses infect the boot sector or partition table of a disk. Computer systems are most likely to be attacked by boot sector viruses when you boot the system with an infected disk in the floppy drive; the boot attempt does not have to be successful for the virus to infect the hard drive. Also, there are a few viruses that can infect the boot sector from executable programs; these are known as multi-partite viruses and they are relatively rare. Once the system is infected, the boot sector virus will attempt to infect every disk that is accessed by that computer. In general, boot sector viruses can be successfully removed.
Destructive viruses
In addition to self-replication, computer viruses may have a routine that delivers the virus payload. A virus is defined as destructive if its payload does some damage to your system, such as corrupting or deleting files, formatting your hard drive, or committing denial-of-service attacks.
Joke programs
Joke programs are ordinary executable programs. They are added to the detection list because they are found to be very annoying and/or they contain pornographic images. Joke programs cannot spread unless someone deliberately distributes them. To get rid of a joke program, delete the file from your system.
Trojans
A Trojan horse is a program that performs some unexpected or unauthorized, usually malicious, actions such as displaying messages, erasing files or formatting a disk. A Trojan horse doesn't infect other host files, so cleaning is not necessary. To get rid of a Trojan, simply delete the program.
Worm
A computer worm is a self-contained program (or set of programs) that is able to replicate functional duplicates of itself or its segments to other computer systems. The infection usually takes place via network connections or email attachments. To get rid of a worm you just need to delete the mother program.
HTML viruses
HTML viruses use the scripts embedded in HTML files to do their damage. These embedded scripts automatically execute the moment the HTML page is viewed in a script-enabled browser. One of the most disruptive HTML virus/worms of recent times would be the Nimda virus. Infection occurs when you visit an infected website that has the worm embedded in its web pages. When you view the infected page it forces your computer to download a copy of the worm as ADMIN.DLL from an infected machine via Trivial File Transfer Protocol (TFTP). It executes the last phase of this exploit by forcing the remote system to copy the recently downloaded DLL file into the root directories: C:\ADMIN.DLL, D:\ADMIN.DLL, E:\ADMIN.DLL. In the requests it makes, the worm also tries ROOT.EXE on the remote computer. This may be a copy of the WinNT command prompt, CMD.EXE, that it uses to elevate its privilege level. The presence of CMD.EXE may indicate that the system has been previously infected with CODERED.C.
When it executes via email, it drops and then runs executable copies of itself in the temp folder to perform its infection routines. It deletes each spawned copy so that the files stay hidden from the user every time the system is restarted. If its copies cannot be deleted because they are currently running, it calls a special function or API on WinNT systems to delete the remaining files when the system restarts. On Win9x and ME systems, it creates entries to delete the dropped files in the [rename] section of WININIT.INI.
With the dropped MEPTMP.EXE file on Win9x/ME systems, it also copies itself to a LOAD.EXE file and to a RICHED20.DLL file in the Windows System folder. It sets the attributes of both files to Hidden and System. Occasionally, RICHED20.DLL overwrites a legitimate RICHED20.DLL file in the Windows System folder that is used to view document files. The worm increases its ability to run and execute on an infected system when it overwrites this file. To run at startup, it makes an entry in the SHELL key of the BOOT section of SYSTEM.INI with the value "Explorer.exe load.exe -dontrunold". On WinNT/2K systems, it copies itself as MMC.EXE in the default Windows folder, which may overwrite the Microsoft Management Console system program. It can also copy itself into the startup folder for automatic execution. Thereafter, Explorer no longer displays the extensions of any files on the system, nor files that have the System or Hidden attribute set. Dropped EXE files have the Hidden attribute set and the default icon of HTML files so that infected users do not easily detect the presence of this worm.
It attaches itself to EXPLORER when running on WinNT and registers itself as a service on Win9x to avoid detection. When active in memory, it usually sleeps for 0x2BF20 milliseconds, or approximately 3 minutes, after every infection. Since more than one copy can run on a single machine at a given time, it creates a mutex (mutual exclusion) named "fsdhqherwqi2001" indicating that a copy of the worm is already running. Besides spreading via networks, it changes system settings to compromise network security and to make infected systems more vulnerable to Trojan attacks. On NT systems, it uses shell script commands to create a "guest" account with no password. It adds the guest account to the "administrators" group to give administrator privileges to users who log in to the system as "guest." It also shares the C: drive as C$ and, on other systems, shares all fixed drives C through Z.
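The indicators listed above (the dropped files and their attributes, the altered SYSTEM.INI shell line, the WININIT.INI delete entries, the mutex name, the guest account changes and the drive shares) are exactly what an incident responder would check a suspect host for. The following triage routine is an added example, not code from this paper or from any vendor's fix tool. The host snapshot it inspects is constructed inline, and its layout (a file list with attribute flags, the INI file text, a list of mutex names, group membership and shares) is an assumption about what a collection script would gather; the NUL=<path> form of the WININIT.INI delete entry is the standard Windows convention rather than something the paper states.

```python
import re

WORM_MUTEX = "fsdhqherwqi2001"

# Constructed snapshot of an infected host (not real data). The field layout
# is an assumption about what a collection script would gather.
INFECTED_HOST = {
    "files": {
        "C:\\ADMIN.DLL": {"hidden": False, "system": False},
        "C:\\WINNT\\SYSTEM32\\LOAD.EXE": {"hidden": True, "system": True},
        "C:\\WINNT\\SYSTEM32\\RICHED20.DLL": {"hidden": True, "system": True},
        "C:\\WINNT\\SYSTEM32\\CMD.EXE": {"hidden": False, "system": False},
        "C:\\INETPUB\\SCRIPTS\\ROOT.EXE": {"hidden": False, "system": False},
    },
    "system_ini": "[boot]\nshell=Explorer.exe load.exe -dontrunold\n",
    # NUL=<path> in [rename] is how WININIT.INI requests a delete at next boot
    "wininit_ini": "[rename]\nNUL=C:\\WINDOWS\\TEMP\\MEPTMP.EXE\n",
    "mutexes": [WORM_MUTEX],
    "local_groups": {"administrators": ["Administrator", "guest"]},
    "accounts": {"guest": {"password_set": False}},
    "shares": {"C$": "C:\\", "D$": "D:\\"},
}

# Constructed snapshot of a clean host, for comparison.
CLEAN_HOST = {
    "files": {"C:\\WINNT\\SYSTEM32\\CMD.EXE": {"hidden": False, "system": False}},
    "system_ini": "[boot]\nshell=Explorer.exe\n",
    "wininit_ini": "",
    "mutexes": [],
    "local_groups": {"administrators": ["Administrator"]},
    "accounts": {"guest": {"password_set": True}},
    "shares": {},
}

def ini_entries(text):
    """Yield (section, key, value) for every key=value line of an INI file,
    keeping duplicate keys (configparser would merge them)."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            yield section, key.strip().lower(), value.strip()

def check_host(host):
    """Return a list of findings matching the indicators described above."""
    findings = []
    for path, attrs in host["files"].items():
        upper = path.upper()
        name = upper.rsplit("\\", 1)[-1]
        if re.fullmatch(r"[A-Z]:\\ADMIN\.DLL", upper):
            findings.append(f"ADMIN.DLL dropped in drive root: {path}")
        if name == "ROOT.EXE":
            findings.append(f"ROOT.EXE present (possible earlier CODERED.C infection): {path}")
        if name in ("LOAD.EXE", "RICHED20.DLL") and attrs["hidden"] and attrs["system"]:
            findings.append(f"hidden+system worm copy: {path}")
    for section, key, value in ini_entries(host["system_ini"]):
        if section == "boot" and key == "shell" and "load.exe" in value.lower():
            findings.append(f"SYSTEM.INI shell line altered: {value}")
    for section, key, value in ini_entries(host["wininit_ini"]):
        if section == "rename" and key == "nul":
            findings.append(f"WININIT.INI delete-on-reboot entry: {value}")
    if WORM_MUTEX in host["mutexes"]:
        findings.append(f"worm mutex {WORM_MUTEX} present")
    admins = [a.lower() for a in host["local_groups"].get("administrators", [])]
    if "guest" in admins:
        findings.append("guest is a member of administrators")
    guest = host["accounts"].get("guest")
    if guest is not None and not guest.get("password_set", True):
        findings.append("guest account has no password")
    for share, target in host["shares"].items():
        # Weak indicator on its own: NT creates C$-style admin shares by default,
        # so treat this as corroboration for the stronger findings above.
        if re.fullmatch(r"[A-Z]:\\", target.upper()):
            findings.append(f"drive root shared as {share}")
    return findings

if __name__ == "__main__":
    for finding in check_host(INFECTED_HOST):
        print(finding)
```

Run against the constructed infected snapshot it reports eleven findings; against the clean snapshot it reports none. In practice the file, INI, mutex, account and share data would come from a collection script run on the suspect host, and the drive-share check should be read together with the stronger findings, since administrative shares also exist on healthy NT systems.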
Resolution
Being personally affected by this insidious worm, I can tell you it is not easy to eradicate. I tested several tools from vendors like Symantec and Trend Microsystems, but no fix tool prevailed. As a matter of fact, the only way that I could get access to delete the file was after I installed the command console. Then I rebooted, started the console, and was able to change the attributes of the admin.dll file and finally delete it. But that was not enough, because when I rebooted Windows it had generated another file that was locked. This told me the file was residing somewhere else, but I could not figure out where, so I ultimately had to follow CERT's advice and completely format and reinstall my OS.
Denial of Service Attacks
All systems connected to the Internet can be affected by denial-of-service attacks. Denial-of-service attacks make computer systems inaccessible by exploiting software bugs or overloading servers or networks so that legitimate users can no longer access those resources.
Exploiting bugs
Attacks that exploit bugs in servers depend on the server platform, operating system, and supported protocols.
A well-known example is the 'winnuke' attack, which crashes old versions of Windows 95 by sending them a single malformed ICMP packet. The best way to prevent these attacks is to keep systems up-to-date with vendor patches as new vulnerabilities are discovered and fixed.
Consuming server resources
Attacks that consume server resources are more difficult to stop because they often exploit legitimate features rather than simple implementation bugs. One common attack in this category is the Transmission Control Protocol (TCP) SYN flood.
To set up a normal TCP connection, the source (client) first sends a SYN packet to the destination (server); the destination acknowledges by sending back a SYN ACK packet, and waits for the source to send a final ACK packet. A malicious client can generate phony TCP SYN packets from random IP addresses. The victim will then reply with SYN ACK packets, and will wait in vain for a few minutes for ACK packets from the fake addresses, consuming resources that could otherwise be used by legitimate clients. Even a low rate of fake SYN packets can prevent a server from responding to any legitimate connections. Many other attacks against servers, routers, and various network devices exploit legitimate features of applications or protocols.
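The claim that even a low rate of fake SYN packets can lock out legitimate clients follows from arithmetic on the half-open connection queue: each spoofed SYN holds a queue slot until the server's timeout expires, so a steady rate of r spoofed SYNs per second with a timeout of T seconds keeps about r times T slots occupied, and the queue is full as soon as that exceeds its size. The following model is an added example, not part of the original paper; the queue size of 128 slots, the three-minute timeout and the one-SYN-per-second attacker are constructed figures chosen to match the "few minutes" the paragraph describes. It also shows, as a mitigation the paper does not itself mention, how shortening the half-open timeout changes the outcome.

```python
from collections import deque

def time_to_exhaust(backlog, timeout_s, spoofed_per_s):
    """Seconds until the half-open queue is full at a steady spoofed-SYN rate,
    or None if the rate is too low to ever fill it (entries expire first).
    Each half-open entry lives timeout_s seconds, so the steady-state population
    is spoofed_per_s * timeout_s; the queue can only fill if that exceeds backlog."""
    if spoofed_per_s <= 0 or spoofed_per_s * timeout_s <= backlog:
        return None
    return backlog / spoofed_per_s

def simulate_syn_flood(backlog, timeout_s, spoofed_per_s, duration_s, legit_per_s=1):
    """One-second-step model of a listening socket's half-open queue.
    Returns (accepted, refused): how many legitimate connection attempts found a
    free queue slot and how many found the queue full of spoofed half-open entries."""
    half_open = deque()          # expiry times of spoofed entries, oldest first
    accepted = refused = 0
    for now in range(duration_s):
        # The server gives up on a half-open connection once its timeout passes.
        while half_open and half_open[0] <= now:
            half_open.popleft()
        # Spoofed SYNs: the SYN-ACK goes to a random address, the final ACK never
        # arrives, so each one holds a slot until it times out.
        for _ in range(spoofed_per_s):
            if len(half_open) < backlog:
                half_open.append(now + timeout_s)
        # Legitimate clients complete the handshake within the same second, so
        # their slot is freed immediately; they only need one slot to be free.
        for _ in range(legit_per_s):
            if len(half_open) < backlog:
                accepted += 1
            else:
                refused += 1
    return accepted, refused

if __name__ == "__main__":
    # Constructed parameters: 128-slot queue, 180 s timeout, one spoofed SYN per second.
    print(time_to_exhaust(128, 180, 1))        # 128.0 seconds until the queue is full
    print(simulate_syn_flood(128, 180, 1, 600))  # (127, 473): most legitimate clients refused
    print(simulate_syn_flood(128, 10, 1, 600))   # (600, 0): a 10 s timeout never fills the queue
```

With the constructed figures a single spoofed SYN per second fills a 128-slot queue in 128 seconds and then refuses every legitimate client for the rest of the run, while the same attacker against a server that drops half-open connections after ten seconds never gets the queue above ten entries. The lesson for the defender is that the product of the attacker's rate and the server's patience is what matters, not the raw packet rate.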
For example, several popular routers provide diagnostic information via UDP (User Datagram Protocol). An attacker can generate a large number of fake diagnostic requests from random IP addresses, causing the router to spend all its time answering the requests rather than forwarding packets. Similarly, Secure Sockets Layer (SSL), which is used to provide secure web transactions, can be used as a DoS weapon. Establishing an HTTPS (SSL-enabled) connection requires extensive cryptographic computation at the server, so sending only a moderate number of fake connection requests per second can swamp even powerful web servers. Email servers are another vulnerable point: they can be swamped by generating mail loops or by forging mail to huge numbers of recipients.
Prevention
Good security and system management practices can prevent several common DoS attacks.
Examples of such policies include:
o Timely application of patches and system updates.
o Deployment of only strictly necessary network services.
o Use of complex passwords.
o Implementation of intrusion detection systems.
o Address filtering to ensure that packets entering or leaving a network have plausible network addresses.
Although such guidelines can prevent certain kinds of attacks against one's systems and make it less likely that those systems will be used as launching points for DDoS attacks against others, they are not sufficient. Keeping up-to-date with software updates is a complicated and time-consuming task, especially at large installations. Intrusion detection software must also be kept up-to-date, or it will not recognize the signatures of recent attack tools.
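The address filtering item above amounts to two rules at the network edge: a packet leaving the network must carry one of the network's own source addresses (so a compromised inside host cannot be used as a spoofing launch point), and a packet arriving from the Internet must not claim an inside source address or an unroutable one. The following routine is an added example, not part of the paper; the internal prefix 203.0.113.0/24 and the packet log are constructed, using documentation address ranges rather than any real site.

```python
import ipaddress

# Constructed example network: our public prefix (a documentation range, not a real site).
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source addresses that should never appear on packets arriving from the Internet:
# "this network", RFC 1918 private space, loopback, link-local, multicast, reserved/broadcast.
BOGON_PREFIXES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def in_any(addr, prefixes):
    return any(addr in p for p in prefixes)

def filter_packet(direction, src, dst, internal=INTERNAL_PREFIXES):
    """Decide whether a packet's addresses are plausible at the network edge.
    direction is "in" (arriving from the Internet) or "out" (leaving our network).
    Returns (decision, reason) where decision is "allow" or "drop"."""
    s = ipaddress.ip_address(src)
    ipaddress.ip_address(dst)   # parsed only to reject malformed input
    if direction == "out":
        # Egress: anything we send must carry one of our own source addresses;
        # otherwise an inside host is spoofing, e.g. as a DDoS launching point.
        if not in_any(s, internal):
            return "drop", f"egress: source {s} is not one of our addresses"
        return "allow", "egress: source plausible"
    if direction == "in":
        # Ingress: a packet from outside cannot legitimately claim an inside source,
        # and must not come from address space that is never routed on the Internet.
        if in_any(s, internal):
            return "drop", f"ingress: outside packet claims internal source {s}"
        if in_any(s, BOGON_PREFIXES):
            return "drop", f"ingress: unroutable source {s}"
        return "allow", "ingress: source plausible"
    raise ValueError(f"unknown direction {direction!r}")

# Constructed packet log: (direction, source, destination)
SAMPLE_PACKETS = [
    ("out", "203.0.113.10", "198.51.100.5"),   # normal outbound traffic
    ("out", "192.0.2.77", "198.51.100.5"),     # inside host spoofing a foreign source
    ("in", "198.51.100.5", "203.0.113.10"),    # normal inbound traffic
    ("in", "203.0.113.99", "203.0.113.10"),    # outsider pretending to be one of us
    ("in", "10.1.2.3", "203.0.113.10"),        # private source address from the Internet
]

def run_filter(packets=SAMPLE_PACKETS):
    """Apply filter_packet to each packet; returns a list of (decision, reason)."""
    return [filter_packet(*pkt) for pkt in packets]

if __name__ == "__main__":
    for pkt, (decision, reason) in zip(SAMPLE_PACKETS, run_filter()):
        print(f"{decision:5} {pkt}  {reason}")
```

On the constructed log the two normal packets are allowed and the three implausible ones are dropped. Note what this does and does not catch: a spoofed packet from outside that forges some other outside network's address passes the ingress check, which is why the filter limits rather than eliminates spoofing, as the next sentence of the paper says.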
Address filtering limits but does not eliminate address spoofing. More importantly, the network is only as strong as its weakest link.
Physical Protection
Many security analysts agree that the first layer of security in the security parfait is physically securing the environment in which the resources reside. After all, you don't have to be a rocket scientist to don a costume and attempt to gain physical access to a potential victim. Once an intruder has infiltrated the target facility, he or she could inconspicuously install a palm device that sniffs the intended victim's network for all kinds of interesting data that could be used in future exploits.
With that in mind, the following are guidelines preferred by professional crime prevention practitioners, law enforcement officers, security alarm manufacturers, and professional security consultants. While these suggestions may not be impenetrable, they should prove discouraging to the average individual.
1.) Doors, windows and entryways
o Doors and windows should remain locked when possible.
o Entryways should also remain secure from unauthorized personnel.
2.) Building exteriors, and particularly entryways and areas of concealment, should be well lighted by automatic lighting devices, which may include:
o Dusk-to-dawn mercury-vapor lighting.
o Motion-sensing floodlights.
o Automatic timer-activated lighting.
3.) All exterior doors should be secured by double-cylinder deadbolts.
o The "throw" of the bolt should extend at least one inch into the door strike.
o Door strikes should be of hardened steel, at least six inches in length, and secured to the doorframe by screws which extend through the doorframe into the adjacent stud (at least 4").
4.) Where doors open outward and utilize exterior hinges, the hinge pins should be:
o Secured by the manufacturer's internal locking device.
o Spot welded to negate pin removal.
o Backed by special nails or screws installed between the doorframe and the edge of the door, which hold the door in place when all pins are removed.
5.) All opening windows should be secured by one of the following:
o A dowel tightly placed in the track of sliding windows.
o A pin insert, which incapacitates the normal opening function.
o A locking device, which will withstand most efforts to pry or force the window open.
6.) All exterior doors should be protected by a concealed magnetic detection device. These may include:
o A wafer-type device located at the installer's discretion along the doorframe and door edge.
o A plunger-type device located at the inner edge of the doorframe.
7.) Motion sensing devices
o All main corridors should have motion-sensing alarms installed per the manufacturer's specifications.
o Entryways should also implement motion detectors and video monitoring.
Conclusion
In conclusion, I would say that there is a long way to go to achieve a secure environment in the twenty-first century, since no computer or computer network is completely secure; basically, if someone wants into your system it is just a matter of time and determination. Or, according to SANS, "As long as you allow traffic to flow between your network and the Internet, the opportunity for an attacker to sneak in and penetrate the network is there." There are new vulnerabilities found or created every day, from viral infections to attackers just plain walking in off the street.
The only way we as IT professionals can rest easy when we go home at night is to know that we are employing some amount of security today and working towards a more secure tomorrow.
Work Consulted
Computer Incident Advisory Committee (CIAC) (1995). Advisory Notice F-08: Internet Spoofing and Hijacked Session Attacks. [On-line]. Available: web
Pethia, Richard. "Removing Roadblocks to Cyber Defense." 3/28/2000. URL: web
CERT Incident Note 99-07. Distributed Denial of Service Tools. Nov 18, 1999. URL: web
"Passwords - Why yours is important." URL: web
Schneier, Bruce. "Security is not a product, it is a process." Crypto-Gram. 15 Dec 1999. URL: web
Vigilante. "Social Engineering." Internet Security. URL: web (12 February 2001).
Ryder, Josh. "Preventing Information Loss: Strengthening a Weak Link." Security Portal. 22 August 2000. URL: web (9 February 2001).