Computer Systems Security Part II

DESCRIPTION

Computer Systems Security Part II. ET4085 Keamanan Jaringan Telekomunikasi Tutun Juhana School of Electrical Engineering and Informatics Institut Teknologi Bandung. Preventing and Troubleshooting Viruses Worms and Trojans Spyware Rootkits Spam. - PowerPoint PPT Presentation

TRANSCRIPT


Computer Systems Security, Part II
ET4085 Keamanan Jaringan Telekomunikasi (Telecommunication Network Security)
Tutun Juhana
School of Electrical Engineering and Informatics
Institut Teknologi Bandung

Preventing and Troubleshooting
- Viruses
- Worms and Trojans
- Spyware
- Rootkits
- Spam

Preventing and Troubleshooting Viruses
- Every computer should have antivirus software running on it.
- Update the antivirus (AV) engine and the definitions, manually or automatically (better).
- Scan the entire system periodically.
- Make sure that the computer has the latest service packs and updates available, for the OS and for applications.
- Make sure that a firewall is available, enabled, and updated. A firewall closes all the inbound ports to your computer (or network) in an attempt to block intruders. You might need to set exceptions for programs that need to access the Internet.

Separation of OS and data
- This method calls for two hard drives, or two partitions on the same drive. The operating system is installed to the C: drive, and the data is stored on the D: drive (or whatever letter you use for the second drive).
- This compartmentalizes the system and data, making it more difficult for viruses to spread and easier to isolate them when scanning.
- It also enables easy reinstallation without having to back up data.

Educate users as to how viruses can infect a system
- Instruct them on how to screen their e-mails and tell them not to open unknown attachments.
- Show them how to scan removable media before copying files to their computer, or set up the computer to scan removable media automatically.

Some typical symptoms of viruses
- Computer runs slower than usual.
- Computer locks up frequently or stops responding altogether.
- Computer restarts on its own or crashes frequently.
- Disk drives and applications are not accessible or don't work properly.
- Strange sounds occur.

Some typical symptoms of viruses (cont.)
- You receive unusual error messages.
- Display or print distortion occurs.
- New icons appear or old icons (and applications) disappear.
- There is a double extension on a file attached to an e-mail that was opened, for example: .txt.vbs or .txt.exe.
- Antivirus programs will not run or can't be installed.
- Files have been corrupted or folders are created automatically.

- Before making any changes to the computer, make sure that you back up critical data and verify that the latest updates have been installed to the OS and the AV software.
- Then, perform a thorough scan of the system using the AV software's scan utility; if allowed by the software, run the scan in Safe Mode.
- In the case that the AV software's scan does not find the issue, or if the AV software has been infected and won't run, you can try using an online scanner.

- Another option is to move the affected drive to a clean machine (a computer that is used solely for the purpose of scanning for malware and does not connect to the Internet). This can be done by slaving the affected drive to an IDE, SATA, or eSATA port.

- In rare cases, you might need to delete individual files and remove Registry entries. This might be the only solution when a new virus has infected a system and there is no antivirus definition released.

Preventing and Troubleshooting Worms and Trojans
- Worms and Trojans can be prevented and troubleshot in the same manner as viruses.

Preventing and Troubleshooting Spyware
- Preventing spyware works in much the same manner as preventing viruses when it comes to updating the operating system and using a firewall.
- Because spyware has become much more common, antivirus companies have begun adding antispyware components to their software.

A few more things to do
- Download and install antispyware protection software.
- Adjust web browser security settings.
- Uninstall unnecessary applications and turn off superfluous services (for example, Telnet and FTP if they are not used).

Educate users on how to surf the web safely
- Access only sites believed to be safe, and download only programs from reputable websites.
- Don't click OK or Agree to close a window; instead press Alt+F4 on the keyboard to close that window.
- Be wary of file-sharing websites and the content stored on those sites.
- Be careful of e-mails with links to downloadable software that could be malicious.

Consider technologies that discourage spyware
- Use a browser that is less susceptible to spyware.
- Consider running a browser within a virtual machine.
- Take it to the next level and use a thin-client computer.

Some common symptoms of spyware
- The web browser's default home page has been modified.
- A particular website comes up every time you perform a search.
- Excessive pop-up windows appear.
- The network adapter's activity LED blinks frequently when the computer shouldn't be transmitting data.
- The firewall and antivirus programs turn off automatically.
- New programs, icons, and favorites appear.
- Odd problems occur within windows (slow system, applications behaving strangely, and such).
- The Java console appears randomly.

Preventing and Troubleshooting Rootkits
- A successfully installed rootkit enables unauthorized users to gain access to a system acting as the root or administrator user.
- Rootkits are copied to a computer as a binary file; this binary file can be detected by signature-based and heuristic-based antivirus programs.
- However, after the rootkit is executed, it can be difficult to detect. This is because most rootkits are collections of programs working together that can make many modifications to the system.

- The best way to identify a rootkit is to use removable media (a USB flash drive or a special rescue CD-ROM) to boot the computer. This way, the operating system is not running, and therefore the rootkit is not running, making it much easier to detect from the external media.
- Programs that can be used to detect rootkits include the following:
  Microsoft Sysinternals RootkitRevealer: http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx (for Windows systems)
  chkrootkit: www.chkrootkit.org/ (for UNIX-based systems)
- Unfortunately, because of the difficulty involved in removing a rootkit, the best way to combat rootkits is to reinstall all software. It usually takes less time than attempting to fix all the rootkit issues, plus it verifies that the rootkit has been removed completely.

Preventing and Troubleshooting Spam
- Use a spam filter
- Close open mail relays
- Remove e-mail address links from the company website
- Use whitelists and blacklists
- Train your users

Spam Filter

- A spam filter can be purchased.
- Network administrators should also block any e-mails that include attachments that do not comply with company rules.
- On the client side, you can configure Outlook and other mail programs to a higher level of security against spam.
- Spam filters can also be installed on individual clients. Many popular antivirus suites have built-in spam filtering.

Close open mail relays
- SMTP servers can be configured as open mail relays; this enables anyone on the Internet to send e-mail through the SMTP server (not just mail destined to or originating from known users).
- Open mail relays should either be closed or configured in such a way that only customers and properly authenticated users can use them.
- Open mail relays are also known as SMTP open relays.
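The relay rule the slides describe, written out as a recipient-acceptance policy and a replayed SMTP envelope exchange. This is an added example, not code from the slides; the local domain, the trusted network and the client addresses are constructed (TEST-NET ranges), and the reply texts follow the usual SMTP conventions.

```python
import ipaddress

# Assumed configuration for this example (constructed, not from the slides)
LOCAL_DOMAINS = {"example.com"}                         # domains this server delivers for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # the company LAN


def relay_decision(client_ip, authenticated, rcpt_to):
    """Decide one RCPT TO command for a closed relay.

    Accept inbound mail for a local domain, or outbound mail from a client
    that is on a trusted network or has authenticated (SMTP AUTH).
    Anything else would make the server an open relay, so it is refused."""
    _, sep, domain = rcpt_to.strip("<>").rpartition("@")
    if not sep or not domain:
        return False, "501 5.1.3 Bad recipient address syntax"
    if domain.lower() in LOCAL_DOMAINS:
        return True, "250 2.1.5 OK (local delivery)"
    if any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS):
        return True, "250 2.1.5 OK (relay for trusted network)"
    if authenticated:
        return True, "250 2.1.5 OK (relay for authenticated user)"
    return False, "554 5.7.1 Relay access denied"


def session_transcript(client_ip, authenticated, mail_from, rcpts):
    """Replay the envelope part of an SMTP session, recording both sides."""
    lines = [f"C: MAIL FROM:<{mail_from}>", "S: 250 2.1.0 OK"]
    accepted = 0
    for rcpt in rcpts:
        ok, reply = relay_decision(client_ip, authenticated, rcpt)
        lines += [f"C: RCPT TO:<{rcpt}>", f"S: {reply}"]
        accepted += ok
    lines.append("C: DATA")
    lines.append("S: 354 Start mail input" if accepted
                 else "S: 554 5.5.1 No valid recipients")
    return lines


if __name__ == "__main__":
    # An outside, unauthenticated host: inbound mail is accepted, relaying is not
    print("\n".join(session_transcript("203.0.113.9", False, "x@elsewhere.example",
                                       ["user@example.com", "someone@other.example"])))
```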

Remove e-mail address links from the company website
- Replace e-mail addresses with online forms (secure PHP or CGI forms) that enable a person to contact the company but do not let them see any company e-mail addresses.
- Use a separate advertising e-mail address for any literature or ads. Consider changing this often. Marketing people might already do this as a form of tracking leads.

Use whitelists and blacklists
- Whitelists are lists of e-mail addresses or entire e-mail domains that are trusted; blacklists are lists of e-mail addresses or entire e-mail domains that are not trusted.
- These can be set up on e-mail servers, e-mail appliances, and within mail client programs such as Outlook.
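The whitelist/blacklist rule above, the company attachment rule from the spam-filter slide, and the double-extension symptom (.txt.exe) from the virus slides, combined into one message-vetting check. This is an added example, not code from the slides; the list entries, the forbidden extensions and the sample message are all constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed policy (addresses, domains and extensions are assumed, not from the slides)
WHITELIST = {"partner.example", "ceo@example.com"}        # trusted addresses or whole domains
BLACKLIST = {"spam.example", "bad.actor@free-mail.example"}
BLOCKED_EXT = {".exe", ".vbs", ".scr", ".bat", ".js"}    # attachment types company rules forbid


def list_match(addr, entries):
    # An entry matches either the full address or just its domain part
    addr = addr.lower()
    return addr in entries or addr.rpartition("@")[2] in entries


def vet_message(raw):
    """Return (verdict, reasons) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = "." + name.lower().rsplit(".", 1)[-1]
        if ext in BLOCKED_EXT:
            kind = "double-extension" if name.count(".") > 1 else "forbidden-type"
            reasons.append(f"{kind} attachment {name}")
    if reasons:                      # attachment rules apply even to trusted senders
        return "quarantine", reasons
    if list_match(sender, BLACKLIST):
        return "reject", [f"sender {sender} is blacklisted"]
    if list_match(sender, WHITELIST):
        return "deliver", [f"sender {sender} is whitelisted"]
    return "spam-filter", ["unknown sender; hand to content filter"]


# Constructed sample: a lure carrying a double-extension attachment
SAMPLE = """\
From: "Accounts" <bad.actor@free-mail.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.txt.exe"

TVqQAAMAAAAEAAAA
--b1--
"""
```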

Train your users
- Have them create and use a free e-mail address whenever they post to forums and newsgroups, and not use their company e-mail for anything except company-related purposes.
- Make sure that they screen their e-mail carefully (this is also known as e-mail vetting). E-mail with attachments should be considered volatile unless the user knows exactly where it comes from.
- Train your employees never to make a purchase from an unsolicited e-mail.
- Explain the reasoning behind using BCC when sending an e-mail to multiple users.

Final and sad note
- You Can't Save Every Computer from Malware!

- In this case, the data should be backed up (if necessary by removing the hard drive and slaving it to another system).
- The operating system and applications should be reinstalled.
- The BIOS of the computer should also be flashed.
- After the reinstall, the system should be thoroughly checked to make sure that there are no residual effects and that the system's hard drive performs properly.

Summary of Malware Prevention Techniques34