Computer Systems Security Part II
ET4085 Keamanan Jaringan Telekomunikasi
Tutun Juhana
School of Electrical Engineering and Informatics, Institut Teknologi Bandung
Preventing and Troubleshooting: Viruses, Worms and Trojans, Spyware, Rootkits, Spam.
Preventing and Troubleshooting
• Viruses
• Worms and Trojans
• Spyware
• Rootkits
• Spam
Preventing and Troubleshooting Viruses
• Every computer should have antivirus software running on it
• Update the antivirus (AV) engine and the definitions manually or automatically (better)
• Scan the entire system periodically
• Make sure that the computer has the latest service packs and updates available
  • For the OS and applications
• Make sure that a firewall is available, enabled, and updated
  • A firewall closes all the inbound ports to your computer (or network) in an attempt to block intruders.
  • You might need to set exceptions for programs that need to access the Internet
Separation of OS and data
• This method calls for two hard drives or using two partitions on the same drive.
• The operating system is installed to the C: drive, and the data is stored on the D: drive (or whatever letter you use for the second drive)
• This compartmentalizes the system and data, making it more difficult for viruses to spread and easier to isolate them when scanning
• It also enables easy reinstallation without having to back up data
Educate users as to how viruses can infect a system
• Instruct them on how to screen their e-mails and tell them not to open unknown attachments
• Show them how to scan removable media before copying files to their computer, or set up the computer to scan removable media automatically
Some typical symptoms of viruses
• Computer runs slower than usual.
• Computer locks up frequently or stops responding altogether.
• Computer restarts on its own or crashes frequently.
• Disk drives and applications are not accessible or don’t work properly.
• Strange sounds occur.
Some typical symptoms of viruses (cont.)
• You receive unusual error messages.
• Display or print distortion occurs.
• New icons appear or old icons (and applications) disappear.
• There is a double extension on a file attached to an e-mail that was opened, for example: .txt.vbs or .txt.exe.
• Antivirus programs will not run or can’t be installed.
• Files have been corrupted or folders are created automatically.
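The double-extension symptom above (.txt.vbs, .txt.exe) can be caught at the mail gateway before anyone opens the attachment. The following is an added example, not code from the slides; the extension lists and the "company rule" that bare executables are blocked are assumptions for the example.

```python
import re
from typing import List, Tuple

# Extensions Windows treats as runnable when double-clicked (assumed list).
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd",
                         "vbs", "vbe", "js", "jse", "wsf", "hta", "ps1"}
# Extensions a user expects to be a passive document or image (assumed list).
DOCUMENT_EXTENSIONS = {"txt", "doc", "docx", "pdf", "rtf",
                       "jpg", "jpeg", "png", "gif", "xls", "xlsx"}


def split_extensions(filename: str) -> Tuple[str, str]:
    """Return (inner, outer) extensions of a name, lower-cased.
    'report.txt.vbs' -> ('txt', 'vbs'); 'notes.txt' -> ('', 'txt')."""
    # Collapse whitespace first: 'invoice.txt        .exe' pushes the real
    # extension out of a narrow attachment column in many mail clients.
    name = re.sub(r"\s+", "", filename).lower()
    parts = name.rsplit(".", 2)
    if len(parts) == 3:
        return parts[1], parts[2]
    if len(parts) == 2:
        return "", parts[1]
    return "", ""


def classify_attachment(filename: str) -> str:
    """'quarantine' for a deceptive double extension such as .txt.exe,
    'block' for a bare executable attachment (assumed company rule),
    'allow' otherwise."""
    inner, outer = split_extensions(filename)
    if outer in EXECUTABLE_EXTENSIONS:
        return "quarantine" if inner in DOCUMENT_EXTENSIONS else "block"
    return "allow"


def screen_attachments(filenames: List[str]) -> List[Tuple[str, str]]:
    """Apply classify_attachment to every attachment name of one message."""
    return [(name, classify_attachment(name)) for name in filenames]
```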
• Before making any changes to the computer, make sure that you back up critical data and verify that the latest updates have been installed to the OS and the AV software
• Then, perform a thorough scan of the system using the AV software’s scan utility; if allowed by the software, run the scan in Safe Mode.
• In the case that the AV software’s scan does not find the issue, or if the AV software has been infected and won’t run, you can try using an online scanner
• Another option is to move the affected drive to a “clean machine” (a computer that is used solely for the purpose of scanning for malware, and that does not connect to the Internet)
  • This can be done by slaving the affected drive to an IDE, SATA, or eSATA port
• In rare cases, you might need to delete individual files and remove Registry entries.
  • This might be the only solution when a new virus has infected a system and no antivirus definition has been released
Preventing and Troubleshooting Worms and Trojans
• Worms and Trojans can be prevented and troubleshot in the same manner as viruses
Preventing and Troubleshooting Spyware
• Preventing spyware works in much the same manner as preventing viruses when it comes to updating the operating system and using a firewall
• Because spyware has become much more common, antivirus companies have begun adding antispyware components to their software
A few more things to do
• Download and install antispyware protection software
• Adjust web browser security settings
• Uninstall unnecessary applications and turn off superfluous services (for example, Telnet and FTP if they are not used)
Educate users on how to surf the web safely
• Access only sites believed to be safe, and download only programs from reputable websites.
• Don’t click OK or Agree to close a window; instead press Alt+F4 on the keyboard to close that window.
• Be wary of file-sharing websites and the content stored on those sites.
• Be careful of e-mails with links to downloadable software that could be malicious.
Consider technologies that discourage spyware
• Use a browser that is less susceptible to spyware.
• Consider running a browser within a virtual machine
• Take it to the next level and use a thin-client computer
Some common symptoms of spyware
• The web browser’s default home page has been modified.
• A particular website comes up every time you perform a search.
• Excessive pop-up windows appear.
• The network adapter’s activity LED blinks frequently when the computer shouldn’t be transmitting data.
• The firewall and antivirus programs turn off automatically.
• New programs, icons, and favorites appear.
• Odd problems occur within windows (slow system, applications behaving strangely, and such).
• The Java console appears randomly.
Preventing and Troubleshooting Rootkits
• A successfully installed rootkit enables unauthorized users to gain access to a system acting as the root or administrator user
• Rootkits are copied to a computer as a binary file
  • This binary file can be detected by signature-based and heuristic-based antivirus programs
  • However, after the rootkit is executed, it can be difficult to detect
  • This is because most rootkits are collections of programs working together that can make many modifications to the system
• The best way to identify a rootkit is to use removable media (a USB flash drive or a special rescue CD-ROM) to boot the computer
  • This way, the operating system is not running, and therefore the rootkit is not running, making it much easier to detect from the external media
• Programs that can be used to detect rootkits include the following:
  • Microsoft Sysinternals Rootkit Revealer: http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx (for Windows systems)
  • chkrootkit: www.chkrootkit.org/ (for UNIX-based systems)
• Unfortunately, because of the difficulty involved in removing a rootkit, the best way to combat rootkits is to reinstall all software
  • It usually takes less time than attempting to fix all the rootkit issues, plus it can verify that the rootkit has been removed completely
Preventing and Troubleshooting Spam
• Use a spam filter
• Close open mail relays
• Remove e-mail address links from the company website
• Use whitelists and blacklists
• Train your users
• Spam filters can be purchased
• Network administrators should also block any e-mails that include attachments that do not comply with company rules
• On the client side, you can configure Outlook and other mail programs to a higher level of security against spam
• Spam filters can also be installed on individual clients
• Many popular antivirus suites have built-in spam filtering
• An SMTP server can be configured as an open mail relay; this enables anyone on the Internet to send e-mail through the SMTP server (not just mail destined to or originating from known users)
• Open mail relays should either be closed or configured in such a way that only customers and properly authenticated users can use them
• Open mail relays are also known as SMTP open relays
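The "closed relay" rule on this slide is a decision on each recipient: inbound mail for your own domains is accepted from anyone, but mail for outside domains is relayed only for your own networks or authenticated users. The following added example (not from the slides) encodes that decision; the `allow_any_relay` switch reproduces the open-relay behaviour for comparison, and the domain and network values are constructed.

```python
import ipaddress
from typing import Iterable


class RelayPolicy:
    """Decide whether an SMTP server should accept a message for a recipient."""

    def __init__(self, local_domains: Iterable[str], my_networks: Iterable[str],
                 allow_any_relay: bool = False):
        self.local_domains = {d.lower() for d in local_domains}
        self.my_networks = [ipaddress.ip_network(n) for n in my_networks]
        # True reproduces an open relay: anyone may send to any destination.
        self.allow_any_relay = allow_any_relay

    def _is_local_recipient(self, rcpt: str) -> bool:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        return domain in self.local_domains

    def _is_trusted_client(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.my_networks)

    def decide(self, client_ip: str, authenticated: bool, rcpt: str) -> str:
        """Return 'accept' or a 'reject: ...' reason for one RCPT TO."""
        if self._is_local_recipient(rcpt):
            return "accept"                      # inbound mail for our own users
        if self.allow_any_relay:
            return "accept"                      # open relay: spam goes through
        if authenticated or self._is_trusted_client(client_ip):
            return "accept"                      # outbound relay for our own people
        return "reject: relay access denied"    # stranger relaying to a stranger
```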
• Replace e-mail address links with online forms (secure PHP or CGI forms) that enable a person to contact the company but do not let them see any company e-mail addresses
• Use a separate advertising e-mail address for any literature or ads
  • Consider changing this often
  • Marketing people might already do this as a form of tracking leads
• Whitelists are lists of e-mail addresses or entire e-mail domains that are trusted
• Blacklists are lists of e-mail addresses or entire e-mail domains that are not trusted
• These can be set up on e-mail servers, e-mail appliances, and within mail client programs such as Outlook
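Because the slide allows both individual addresses and entire domains on each list, a filter has to decide what happens when the lists overlap (a trusted partner at an otherwise blacklisted domain, or a blocked mailbox at a trusted domain). The following is an added example, not from the slides; the precedence rule it uses (an address entry beats a domain entry, and at equal specificity the blacklist wins) is an assumption chosen to fail safe, and the addresses are constructed.

```python
from typing import Iterable, Set, Tuple


class SenderLists:
    """Whitelist/blacklist lookup for a mail filter. An entry is either a full
    address ('alice@example.org') or a bare domain ('example.org'); a domain
    entry also covers its subdomains."""

    def __init__(self, whitelist: Iterable[str] = (), blacklist: Iterable[str] = ()):
        self.white_addrs, self.white_domains = self._split(whitelist)
        self.black_addrs, self.black_domains = self._split(blacklist)

    @staticmethod
    def _split(entries: Iterable[str]) -> Tuple[Set[str], Set[str]]:
        addrs, domains = set(), set()
        for entry in entries:
            entry = entry.strip().lower()
            (addrs if "@" in entry else domains).add(entry)
        return addrs, domains

    @staticmethod
    def _domain_matches(domain: str, entries: Set[str]) -> bool:
        return any(domain == d or domain.endswith("." + d) for d in entries)

    def verdict(self, sender: str) -> str:
        """Return 'trusted', 'blocked', or 'unknown' (hand the message on to
        the regular spam filter). Assumed precedence: address entries first,
        blacklist before whitelist at the same level."""
        sender = sender.strip().lower()
        domain = sender.rsplit("@", 1)[-1]
        if sender in self.black_addrs:
            return "blocked"
        if sender in self.white_addrs:
            return "trusted"
        if self._domain_matches(domain, self.black_domains):
            return "blocked"
        if self._domain_matches(domain, self.white_domains):
            return "trusted"
        return "unknown"
```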
• Have them create and use a free e-mail address whenever they post to forums and newsgroups, and not use their company e-mail for anything except company-related purposes.
• Make sure that they screen their e-mail carefully (this is also known as e-mail vetting)
  • E-mail with attachments should be considered volatile unless the user knows exactly where it comes from.
• Train your employees never to make a purchase from an unsolicited e-mail.
• Explain the reasoning behind using BCC when sending an e-mail to multiple users
Final and sad note: You Can’t Save Every Computer from Malware!
• In this case, the data should be backed up (if necessary by removing the hard drive and slaving it to another system)
• The operating system and applications should be reinstalled
• The BIOS of the computer should also be flashed
• After the reinstall, the system should be thoroughly checked to make sure that there are no residual effects and that the system’s hard drive performs properly