Life in a Dangerous World: Developing effective strategies against Virus, Worms and Other Threats
Marshall Breeding, Vanderbilt University
[email protected]
http://www.library.vanderbilt.edu/libtech/breeding/
The Threat
– Computers are under attack more than ever before
– As computer operating systems become more powerful, they also become more vulnerable
– Original viruses were transmitted by files and diskettes
– Macro viruses are cross platform
The Threat ...
– Most current viruses transmitted by e-mail
– Mail attachments common vehicles
– Some viruses live within message body
– Scripting engines are vulnerable
What is a virus
– Transmit
– Replicate
– Attack
– Mutate
Major virus outbreaks
– 1980’s: attacks begin on COM, EXE, boot sectors
  – Jerusalem (Friday the 13th)
  – AIDS (trojan)
– 1988: Internet worm
– 1992: Michelangelo
– 1994: Good Times hoax
– 1996: Concept (Macro virus)
...Major virus outbreaks
– 1998: Chernobyl/CIH (activates 26th of April)
– 1999: Melissa (Macro virus/propagates through Outlook)
– 2000: ILOVEYOU, Stages (VBX)
– 2000: Phage; Vapor: Palm Virus
Observations
– Over 50,000 viruses and variants
– Major outbreaks more frequent
– Microsoft products targeted
– Fast propagation through E-mail
– Very complex to manage: e.g. Microsoft
Trends
– Current generation requires active role by user
– Emerging viruses: passive victim
– Future/present concern for wireless devices
– Wider range of targets: Computers, PDA, Cell Phones
Anti-virus solutions
– User behavior
– Technical
The #1 Anti-virus strategy involves human behavior
– Be aware and cautious
– Train computer users to be wary
– Never access files from an unchecked disk
  – any removable media
– Do not download software from untrusted sources
– Know the true source of all software
Be careful with E-mail
– Don’t open obviously suspicious messages
– Don’t open attachments unless you know the sender and are expecting that specific attachment
– Ensure that your mail client displays extensions of attachments
  – Avoid: VBX, EXE, ...
– Never send attachments from listservs
– Never open attachments from listservs
What users should do when a virus is found or suspected
– Notify system administrator
– Don’t panic
– Don’t restart computer
– Don’t send spam E-mail warnings
Technical solutions
– Implement a multi-layer approach
– Desktop: dynamic inspection, regular scanning
– Network Server
– Mail scanning/interception
Anti-virus Architecture
[Diagram: the INTERNET enters through a Firewall into the Local Network. Inside it, the Mail Server performs Mail Scanning, the File Server performs File Scanning, and the Desktop Computers run Dynamic Scan-on-access and Regular scanning of Disks; Current Virus Signatures are shown feeding the scanners.]
Desktop layer
– Inspect files on access
– Regularly scan all permanent disks
– Scan all removable media with each use
– Regularly update virus signature database
Desktop Anti-virus software
– Norton AntiVirus
– McAfee ActiveShield
– Command Anti-Virus (was F-Prot)
– Data Fellows F-Secure
– Dr. Solomon’s Anti-Virus
Network Fileserver layer
– Regularly scan all disk volumes
– Shared folders easily missed by desktop scanning
E-Mail scanning
– Inspect incoming messages
– Inspect outgoing messages
– Inspect messages from one local user to another within mail system
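An added example, not code from the talk or from any product it names, tying this slide to the "Be careful with E-mail" and "What software should do when it detects a virus" slides: a Python mail-gateway check that classifies a message as incoming, outgoing or internal, inspects every attachment for the extension types the talk says to avoid (including a second extension hidden behind a harmless-looking one), and reports the actions the talk asks for on detection. The blocked-extension list, the domain example.org and the sample message are assumptions made for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

BLOCKED_EXTENSIONS = {"exe", "com", "bat", "pif", "scr", "vbs", "vbe", "js", "shs"}  # assumed gateway policy
LOCAL_DOMAIN = "example.org"  # constructed placeholder for the institution's mail domain


def attachment_extensions(filename):
    """All extensions in order: 'REPORT.TXT.vbs' -> ['txt', 'vbs']; Windows acts on the last."""
    parts = filename.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def message_direction(msg):
    """incoming / outgoing / internal relative to LOCAL_DOMAIN (the three cases on the slide)."""
    def is_local(header):
        return parseaddr(str(msg[header] or ""))[1].lower().endswith("@" + LOCAL_DOMAIN)
    if is_local("From"):
        return "internal" if is_local("To") else "outgoing"
    return "incoming"


def inspect_message(raw):
    """Parse a raw RFC 822 message, check each attachment, return the gateway verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = attachment_extensions(name)
        if exts and exts[-1] in BLOCKED_EXTENSIONS:
            reason = "blocked type ." + exts[-1]
            if len(exts) > 1:  # double extension: a client that hides extensions shows only .txt
                reason += " disguised as ." + exts[-2]
            findings.append((name, reason))
    # Actions from the slides: remove what cannot be delivered, warn admin, recipient and sender.
    return {"direction": message_direction(msg), "findings": findings,
            "action": "remove attachments and deliver notice" if findings else "deliver",
            "notify": ["administrator", "recipient", "sender"] if findings else []}


def sample_message():
    """Constructed test message: one harmless attachment, one double-extension script name."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@partner.test>"
    msg["To"] = "bob@example.org"
    msg.set_content("See attached.")
    msg.add_attachment("plain notes", filename="notes.txt")
    msg.add_attachment(b"' constructed placeholder body", maintype="application",
                       subtype="octet-stream", filename="REPORT.TXT.vbs")
    return msg.as_string()
```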
E-Mail Scanning software
– Trend Micro Virus Wall
– Sybari Antigen
Virus signature database
– The key to the current generation of anti-virus software
– Must be current
– Can’t be current enough
Firewalls
– Part of a general computer security plan, but also helpful with viruses
– Institutional firewalls imperative
  – CheckPoint FireWall-1
– Consider personal/workstation-level firewalls
  – BlackIce
  – ZoneAlarm
What software should do when it detects a virus
– Clean file/message when possible
– Remove if it can’t be cleaned
– Warn system administrator
– Warn recipient
– Warn sender
Need to identify the signature of each virus
– Distinguish malicious items
– Original products scanned after the fact
– Scanning of files as they are accessed
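The signature scanning described here and on the "Virus signature database" slide, as an added illustration that is not code from the talk or from any product listed: hex signatures with wildcard bytes are matched over constructed sample files, an out-of-date database is compared with an updated one (the mutated variant is only caught once the database is current), and both scanning modes from the slides appear, the regular full scan and the scan on access. Every file, marker byte sequence, signature and name below is constructed for the example.

```python
# Constructed sample files standing in for a disk: a clean document, a file carrying a fixed
# marker, and a mutated variant with one byte changed. None of this is real malicious content.
CLEAN = b"Quarterly report: all figures reviewed.\n" * 3
ORIGINAL = CLEAN + bytes.fromhex("CAFE0001BEEF") + b"\n"
VARIANT = CLEAN + bytes.fromhex("CAFE0042BEEF") + b"\n"  # mutated: byte 01 became 42

# Signature databases (constructed). The old one knows only the exact bytes of the first
# sample; the updated one adds a family signature with a wildcard over the mutating byte.
DB_OLD = {"Sample.A": "CA FE 00 01 BE EF"}
DB_NEW = {"Sample.A": "CA FE 00 01 BE EF", "Sample.gen": "CA FE 00 ?? BE EF"}


def parse_signature(text):
    """'CA FE ?? EF' -> [0xCA, 0xFE, None, 0xEF]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def matches_at(data, offset, pattern):
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def scan(data, db):
    """Names of every signature in db that occurs anywhere in data."""
    hits = []
    for name, text in db.items():
        pattern = parse_signature(text)
        if any(matches_at(data, o, pattern) for o in range(len(data) - len(pattern) + 1)):
            hits.append(name)
    return hits


def full_scan(files, db):
    """The 'regular scan of all disks' mode: every file, reporting only the infected ones."""
    report = {name: scan(data, db) for name, data in files.items()}
    return {name: hits for name, hits in report.items() if hits}


def open_on_access(files, name, db):
    """The on-access mode: scan at the moment a program asks for the file and refuse it
    when a signature matches, so the content never reaches the application."""
    hits = scan(files[name], db)
    if hits:
        raise PermissionError(f"{name} blocked: {', '.join(hits)}")
    return files[name]


DISK = {"report.doc": CLEAN, "macro.doc": ORIGINAL, "macro2.doc": VARIANT}  # constructed
```

With DB_OLD the variant passes both modes unnoticed; with DB_NEW it is reported by the full scan and refused on access.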
Mitigate vulnerability
– Avoid being logged in with workstation/network administrative rights
– Minimize the number of network drives mapped at any given time
  – Web document directories
  – shared network drives
– Turn off features not needed:
  – e.g. Windows Scripting Host from e-mail
  – Do we need support for VBX or JavaScript in e-mail?
Web-oriented vulnerabilities
– Java applets
– Active-X
More advanced anti-virus software
– Rely less on specific virus signatures
– Rely more on trapping unwanted behaviour
Future expectations
– No end in sight
– The world is becoming more dangerous
– Enormous dependence on commercial anti-virus applications
– Future computer OS will be designed to be less vulnerable...