You can get there

Whether you're already working and looking to expand your skills in the computer networking and security field or setting out on a new career path, Network Security Fundamentals will help you get there. Easy-to-read, practical, and up-to-date, this text not only helps you learn network security techniques at your own pace; it helps you master the core competencies and skills you need to succeed.

With this book, you will be able to:
* Understand basic terminology and concepts related to security
* Utilize cryptography, authentication, authorization and access control to increase your Windows, Unix or Linux network's security
* Recognize and protect your network against viruses, worms, spyware, and other types of malware
* Set up recovery and fault tolerance procedures to plan for the worst and to help recover if disaster strikes
* Detect intrusions and use forensic analysis to investigate the nature of the attacks

Network Security Fundamentals is ideal for both traditional and online courses. The accompanying Network Security Fundamentals Project Manual ISBN: 978-0-470-12798-8 is also available to help reinforce your skills.

Wiley Pathways helps you achieve your goals

The texts and project manuals in this series offer a coordinated curriculum for learning information technology. Learn more at www.wiley.com/go/pathways.
The information in the "Summary" section may refer to different editions of this title.
Rachelle Reese has been designing and developing technical training courses for over ten years and has written a number of books on programming. She has an MA from San Jose State University. She is also a Microsoft Certified Application Developer (MCAD).
Starting Point
Go to www.wiley.com/college/cole to assess your knowledge of protecting a computer against viruses, worms, and other malicious programs. Determine where you need to concentrate your effort.
What You'll Learn in This Chapter
* Viruses
* Worms
* Trojan horses
* Spyware
* Web browser security
* Spam
* Email security
After Studying This Chapter, You'll Be Able To
* Identify various types of malicious code
* Mitigate the risk of a malware infection
* Configure web browser security settings
* Mitigate the risk of spam
* Identify safe email practices
INTRODUCTION
As software has become more powerful and users around the world have become more interconnected, the threat of a computer being infected with malicious code has ballooned. In this chapter you will learn about the types of malicious code you need to guard against and some steps for mitigating the threat. This chapter pays particular attention to two venues frequently used to spread malicious code: web pages and email.
9.1 Viruses and Other Malware
Before you can understand how to mitigate the threat of malicious code, you need to understand the types of malicious code being propagated (spread from computer to computer) and the methods of propagation. In this section, we'll look at various types of malicious code, which is also known as malware or malcode.
9.1.1 Viruses
A virus is a piece of code that inserts itself into legitimate software. As with a biological virus, the computer virus is not viable without a host. The virus needs the host software or file to propagate and carry out its mission. A virus is able to replicate (reproduce) itself and attach itself to a host file, a technique known as self-propagation.
Early viruses infected boot sectors of floppies and were spread by the sharing of applications on floppies. Today, floppies are too small to be practical for sharing applications, so boot sector viruses that are transmitted through floppy disks are not common anymore.
If the virus has attached itself to an application, the code in the virus is run every time the application runs. The virus code will have the same privileges as the host application. A typical example of a host for this kind of virus is a self-extracting video clip. When the unsuspecting user launches the file to extract the video, the virus code runs. This virus spreads by people sending the self-extracting video clip to their friends.
Some viruses are able to attach to data files such as spreadsheets and word processor files. These viruses are scripts that execute when the file is loaded. A script is code written in a scripting language, so it does not need to be compiled (converted from human-readable source code to binary machine language) into an executable. Instead, it is run by an application that supports such scripts.
One of the first widespread viruses to exploit scripts was Melissa, which spread by infecting Microsoft® Word files. When the Word files were opened, the virus code would run and infect the Normal.dot template file used by the word processor. After Normal.dot was infected, any Word document saved would have the Melissa virus. Melissa used the autorun macros in a Word document to run a Visual Basic® script (VBScript) when an infected Word document was first opened. Microsoft now has a feature called Macro Virus Protection that can stop macros from running. This protection should not be disabled.
Email viruses move from PC to PC as part of the body of a message. When the virus code is executed, a message with the virus embedded is sent to other mail clients. The virus can either be an attachment that must be opened or an embedded script. Scripts can access the user's address book, and can use those addresses to propagate the virus-infected message.
One example of a virus that propagates through email is the ILOVEYOU virus. The ILOVEYOU virus first appeared in the spring of 2000 and was simply an attachment that users launched. Once launched, the virus's Visual Basic script sent out an infected message to everyone in the user's address book.
9.1.2 Worms
A worm is code able to replicate itself and propagate to other hosts by exploiting a vulnerability in a program. Most worms exploit previously identified vulnerabilities that are correctable with patches or upgrades. Therefore, the best protection against worms is to stay current with patches and upgrades for Windows® as well as for other major applications.
Another way to protect against worms is to minimize the services and applications running on a computer. For example, worms often target common, high-visibility applications, such as the Microsoft web server, Internet Information Server (IIS). If a computer does not need to serve web pages and it is not being used to develop an application that relies on IIS, IIS should be disabled on the computer.
9.1.3 Trojan Horses
A Trojan horse is a program that masquerades as a legitimate application, while also performing a covert function. Users believe they are launching a legitimate application, such as a screen saver. When the Trojan horse runs, the user has every indication that the expected application is running. However, the Trojan horse also runs additional code that performs a malicious activity.
The best way to detect a Trojan horse is to identify executable files that have been altered. This is most easily done by creating a baseline of cyclic redundancy check (CRC) values for all executable files on a workstation. A CRC calculates the file size and divides by a number, then stores the remainder of the operation. If an executable file is later altered to include a Trojan horse, it can be detected by comparing the current CRC value with the baseline value.
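The baseline-and-compare check described above, as an added Python example that is not part of the book. It goes beyond the text by recording a SHA-256 digest beside the CRC-32, because a CRC catches accidental changes but can be deliberately matched by someone altering a file; the function names, the file suffixes and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path


def fingerprint(path, chunk_size=65536):
    """Return (crc32, sha256_hex) computed over the file's contents."""
    crc = 0
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)  # running CRC-32 across chunks
            sha.update(chunk)
    return crc & 0xFFFFFFFF, sha.hexdigest()


def build_baseline(root, suffixes=(".exe", ".dll")):
    """Map each executable's relative path to its fingerprint."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline, current):
    """Report files altered, missing, or new relative to the baseline."""
    report = {"altered": [], "missing": [], "new": []}
    for name, fp in baseline.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name] != fp:
            report["altered"].append(name)
    report["new"] = [n for n in current if n not in baseline]
    for names in report.values():
        names.sort()
    return report


def demo():
    """Build a baseline over constructed sample files, change them, compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed placeholder files, not real executables.
        (root / "screensaver.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"legit code")
        (root / "helper.dll").write_bytes(b"MZ" + b"\x00" * 32 + b"library")
        (root / "notes.txt").write_text("not an executable, ignored")
        baseline = build_baseline(root)

        # Alter one file in place. The new content has the same length as
        # the original, so a size check alone would not notice the change.
        (root / "screensaver.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"other code")
        (root / "helper.dll").unlink()
        (root / "dropped.exe").write_bytes(b"MZ" + b"\x00" * 8 + b"unexpected")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Store the baseline somewhere the monitored workstation cannot write to; a baseline kept on the same disk can be rewritten along with the files it describes.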
Trojan horses are more difficult to distribute than viruses and worms. They do not propagate on their own. They rely on users accepting questionable executables from untrusted sources.
Trojan horses are very powerful threats to the security of a computer, network, and organization. They bypass most security controls put in place to stop attacks. Trojan horses are not stopped by firewalls, intrusion detection systems (IDS), or access control lists (ACLs) because a user installs them just as they would any other application.
Logic Bombs
A logic bomb (also called slag code) is a type of Trojan horse that lies in wait until some event occurs. The most common trigger for a logic bomb is a date, in which case the code is known as a time bomb. The Michelangelo virus was an early logic bomb, created in 1991. Its trigger was March 6, Michelangelo's birthday. It was a particularly destructive logic bomb because it was designed to overwrite the hard disk. The Nyxem Worm is a more recent time bomb that activates on the third of each month. It disables file sharing security and virus protection and deletes certain file types, including Microsoft Office files, .zip files, and .rar files. The files with extensions .zip and .rar are compressed files.
The use of Trojan horses to launch distributed denial-of-service (DDoS) attacks is common. The attacker installs a logic bomb Trojan horse on a number of computers. When the triggering event occurs, those computers launch a denial-of-service attack against the target. The more computers hosting the Trojan horse, the more devastating the attack. The fact that the packets are coming from a number of locations also makes it more difficult to track down the source of the attack. When a computer is controlled to launch a DDoS attack, it is known as a zombie.
9.1.4 Browser Parasites
A browser parasite is a program that changes some settings in your browser. The parasite can have many effects on the browser, such as the following:
* Browser plug-in parasites can add a button or link add-on to the user's browser. When the user clicks the button or the link, information about the user is sent to the plug-in's owner. This can be a privacy concern.
* Browser parasites can change a user's start page or search page. The new page might be a "pay-per-click site," where the owner of the browser parasite earns money for every click.
* Browser parasites can transmit the names of the sites the user visits to the owner of the parasites. This can be used to formulate a more directed attack on the user.
9.1.5 Spyware
Spyware is a software application that gathers information about the computer and user. This information is then sent back to the developer or distributor of the spyware and is often used to serve ads to the user.
Targeted marketing has long been a part of a good sales program. The classic example is marketers that use census data to direct more effective mass-mailing campaigns. Census data is used to find certain zip codes that have the best demographics (characteristics such as age, number of children, and annual income) for the particular product being advertised. The use of census data and data compiled by companies that conduct market research is not as controversial because specific names and addresses have been removed, and the data is a summary of statistics for the zip code.
Spyware does not provide the developer with summarized data, but instead includes specifics on a named individual. Therefore, it is a violation of privacy and might make it possible for the person who receives the data to steal the victim's identity.
Typical information that can be reported includes the following:
* User keystrokes: User keystrokes can be used to capture passwords and other very sensitive data entered by the user.
* Copies of emails: Emails sent or received can be forwarded to the person wanting to monitor the user, unbeknownst to the user.
* Copies of instant messages: Essentially, any communications to and from the PC can be copied and sent to the spyware's owner.
* Screen snapshots: Even encrypted communications will at some point be displayed in clear text on the screen. At this point, the spyware can take a screen shot and send the image to whoever has developed or distributed the spyware.
* Other usage information: Login times, applications used, and websites visited are examples of other data that can be captured and reported back.
9.1.6 Backdoors
A backdoor (also called a trapdoor) is a way for an attacker to access a computer without being detected or blocked by usual security measures. Often, the initial attack on a computer is potentially detectable by a firewall or IDS. So the attacker will install an application that will allow him to get back into the computer quickly and easily. These backdoors are often stealthy and difficult to detect.
If a Windows computer has been connected to the Internet for more than a day without any security protections in place, it most likely has been rooted and has a backdoor installed. In such a case, the best thing to do is wipe the system clean and re-install the Windows operating system. Although you can delete the application, you can never be sure that other changes have not been made on the computer. Some operating system and driver modifications are difficult to detect.
SELF-CHECK
1. Identify the types of malware that are self-propagating.
2. Describe a logic bomb.
9.2 Protecting the Workstation
Now that you have a basic understanding of the types of programs you are up against, let's look at some ways you can protect the computers on the network against these threats. Malware protection should focus on the following:
* The use of antivirus and anti-spyware applications.
* Hardening the computer's configuration.
* User training and awareness.
This multilevel defense against viruses and worms is shown in Figure 9-1. Because new viruses and worms are constantly being created, the best protection is to run antivirus software, properly configure Windows, and educate users on safe practices.
It is important to note that anti-malware protection is also important on Linux-based computers, as well as on computers running Windows. Although currently a larger number of viruses and other malware programs are developed to target Windows computers, the number of malware programs that target Linux and Mac® OS X is increasing. As these operating systems become more popular, they will become more desirable targets, and the number of malware attacks will increase even more.
This section will focus on protecting the workstation by looking at some general guidelines. The next two sections will look at defending against the two most common methods of propagation: web pages and email.
9.2.1 Antivirus Software
In today's threat environment, virus protection applications (antivirus programs) are no longer optional. A number of good antivirus products are available today, such as those from Symantec™, McAfee®, and Computer Associates™.
An organization should have protection on every computer where people are saving files, storing email messages, or browsing web pages. The antivirus software should be configured to provide real-time protection as well as routinely scheduled scanning. Without continuous protection, a virus can spread throughout an organization before the next routine scan is scheduled.
Keep Current with Antivirus Signatures
Because new viruses are always being released, antivirus software relies on periodically updated virus signature files to provide protection against the latest threats. A virus signature is the pattern of bits inside a virus that allows the antivirus software to recognize it.
Most signature updates are obtained by accessing the antivirus vendor's site and pulling down the latest update. Most antivirus packages will allow the administrator to choose to have the new signatures downloaded automatically on a regular schedule. Automating the process ensures that critical updates are not missed.
If the new antivirus signature is downloaded to be redistributed throughout a large organization, it should be tested first and deployed from a server within the organization. The local server, in turn, gets its files from a master server that distributes the tested update. There are four key steps to deploying updated signatures in a large organization:
1. Download new signatures.
2. Test new antivirus downloads.
3. Deploy new signatures.
4. Continue to monitor.
Finally, it is important that the computers be monitored periodically to ensure that the new antivirus signatures are being distributed properly. When the next big virus or worm hits is not the time to find a flaw in the system.
9.2.2 Anti-spyware
Anti-spyware software monitors a computer for spyware and allows you to remove it. There are a number of anti-spyware applications. In fact, some companies like Symantec and Microsoft sell an integrated package that includes antivirus and anti-spyware software. A term describing software that protects against a variety of malware is anti-malware. As with an antivirus application, you must keep your anti-spyware software up-to-date.
Some Internet service providers (ISPs) are so concerned about preventing malware that they offer security suites to their subscribers free of charge.
9.2.3 Computer Configuration Guidelines
Another important way to guard against malware is to make sure client computers are hardened. Many of the same guidelines apply as for hardening servers, including the following:
* Remove unnecessary services and applications.
* Filter traffic.
* Implement access control.
In this section, we'll look at a few specific precautions: personal firewalls, limiting user rights, and disabling hidden file extensions.
(Continues...)
Excerpted from Wiley Pathways Network Security Fundamentals by Eric Cole, Ronald L. Krutz, James Conley, Brian Reisman, Mitch Ruebush, Dieter Gollmann, Rachelle Reese. Copyright © 2007 by Eric Cole. Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
The information in the "About this book" section may refer to different editions of this title.