12.6 Malware & Authentication
Remediation
The process of correcting any problems that are found. Most antivirus software remediates problems automatically or semi-automatically (i.e. you are prompted to identify the action to take). Possible actions in response to problems are:
- Repair the infection. This may be possible for true viruses that have attached themselves to valid files. During the repair, the virus is removed and the file is placed back in its original state (if possible). Configuration changes made by the infection may also need to be repaired. For example, if the virus changed the default browser home page or search page, you may need to manually reset them using Internet Options in Control Panel.
- Quarantine the file. This moves the infected file to a secure folder where it cannot be opened or run normally. You might quarantine an infected file that cannot be repaired to see if another tool or utility might be able to recover the file at another time.
- Delete the file. You should delete malicious files such as worms, Trojan horse programs, or spyware or adware programs. In addition, you should periodically review the quarantine folder and delete any files you do not want to recover.
If a scan reports a serious problem, disconnect your computer from the network. This prevents your computer from infecting other computers until the problem is corrected.
Countermeasures for password attacks include the following:
*Require that user passwords:*
  - Contain multiple character types, including uppercase, lowercase, numbers, and symbols.
  - Are a minimum length of eight characters (longer is even better).
  - Do not contain any part of a username or email address.
  - Do not contain words found in the dictionary.
- Require that user passwords be changed frequently (such as every 30 days). This is called *password aging.* Be aware that requiring overly complex passwords or changing them too frequently can cause users to circumvent security policies by writing down their passwords.
- Retain password history to prevent re-use.
- Implement multifactor authentication.
- Audit computer systems for excessive failed logon attempts.
- Implement account lockout to lock accounts when multiple incorrect passwords are used.
- Monitor the network or system for sniffing and password theft tools.
Type 1 Authentication 'Something you know'
*Something you know authentication* requires you to provide a password or some other data that you know. This is the weakest type of authentication. Examples of something you know include:
- Passwords, codes, IDs, or PINs
- Passphrases (long, sentence-length passwords)
- *Cognitive information* such as questions that only the user can answer, including:
  - Your mother's maiden name
  - The model or color of your first car
  - The city where you were born
*Usernames are not a form of Type 1 authentication. Usernames are often easy to discover or guess. Only the passwords or other information associated with the usernames can be used to validate identity.*
Worm
A worm is a self-replicating program. A worm:
- Does not require a host file to propagate.
- Automatically replicates itself without an activation mechanism. A worm can travel across computer networks without requiring any user assistance.
- Infects one system and spreads to other systems on the network.
Type 2 Something you have (also called token-based authentication)
*Type 2 Something you have (also called token-based authentication)* is authentication based on something a user has in their possession. Examples of something you have authentication controls are:
- *Swipe cards (similar to credit cards)* with authentication information stored on the magnetic stripe.
- *Smart cards* contain a memory chip with encrypted authentication information. Smart cards can:
  - Require contact such as swiping, or they can be contactless.
  - Contain microprocessor chips with the ability to add, delete, and manipulate data on the card.
  - Store digital signatures, cryptography keys, and identification codes.
  - Use a private key for authentication to log a user into a network. The private key will be used to digitally sign messages.
  - Be based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a new code (the response) that the user can present to log in.
Type 3 Something you are authentication (biometric system)
*Type 3 Something you are authentication* uses a biometric system. A biometric system attempts to identify a person based on metrics or a mathematical representation of the subject's biological attribute. This is generally considered to be the most secure form of authentication.
*Common attributes used for biometric systems are:*
- Fingerprints (end point and bifurcation pattern)
- Hand topology (side view) or geometry (top down view)
- Palm scans (pattern, including fingerprints)
- Retina scans (blood vein pattern)
- Iris scans (color)
- Facial scans (pattern)
- Voice recognition and handwriting dynamics
- *Keyboard or keystroke dynamics (behavioral biometric systems)*
  - Dwell time (key press time)
  - Flight time (how fingers move from key to key)
*When implementing a biometric system, the attribute that is used for authentication must meet the following criteria:*
- *Universality* means that all individuals possess the attribute.
- *Uniqueness* means that the attribute is different for each individual.
- *Permanence* means that the attribute always exists and will not change over time.
- *Collectability* ensures that the attribute can be measured easily.
- *Performance* means that the attribute can be accurately and quickly collected.
- *Circumvention* allows for acceptable substitutes for the attribute in case the original attribute is missing or can't be read.
- *Acceptability* identifies the degree to which the technology is accepted by users and management.
True multifactor authentication requires the user to provide an authentication factor from more than one category. For example, requiring users to provide a username and password is not true multifactor authentication because both the username and the password are something the user knows. To strengthen authentication, you could require the user to provide a fingerprint (something the user is) and a password (something the user knows).
Account Lockout Policy
*Use account lockout settings to protect user accounts from being guessed and to also prevent accounts from being used when hacking attempts are detected. Lockout policy settings are:*
- *Account lockout threshold* specifies the maximum number of incorrect logon attempts. Once the number has been reached, the account will be locked and logon disabled. A common setting is to lock the user account when three consecutive incorrect passwords have been entered.
- *Account lockout duration* determines the length of time the account will be disabled (in minutes). When the time period expires, the account will be unlocked automatically. Setting this to 0 means that the account remains locked until manually unlocked by an administrator.
- *Reset account lockout counter after* determines the amount of time (in minutes) that passes before the invalid attempt counter is reset. For example, if a user enters two incorrect passwords, the incorrect counter will be cleared to 0 after the timer has expired.
Additional countermeasures for malware include:
- Install antimalware scanning software on email servers. Attachments are scanned before the email is delivered. You can also block all attachments to prevent any unwanted software, but this can block needed attachments as well.
- Implement spam filters and real-time blacklists. When implementing filters, be sure not to make the filters too broad; otherwise, legitimate emails will be rejected.
- Train users to use caution when downloading software or responding to emails.
- Train users to update their malware definition files frequently and to scan removable storage devices before copying files.
- Disable scripts when previewing or viewing emails.
- Implement software policies that prevent downloading software from the Internet.
- Keep your operating system files up-to-date; apply security-related hot fixes as they are released to bring all non-compliant systems into compliance. A non-compliant system is any computer that doesn't meet your security guidelines.
Good antimalware software is your first line of defense against malware. Be aware of the following when using antimalware software:
- Malware definition files are provided by the software vendor. These files are used to identify viruses and are a vital component of the antimalware software.
- Protection against malware is only provided after a definition file has been released which matches the target malware.
- For maximum protection, you must keep the definition files updated. Most software will automatically check for updated definition files daily.
- You should scan new files before they are copied or downloaded to the system. You should also periodically scan the entire system.
Trojan Horse Virus
A Trojan horse is a malicious program that is disguised as legitimate or desirable software. A Trojan horse:
- Is usually hidden within useful software such as games. A wrapper is a program that is used legitimately but has a Trojan attached to it that will infiltrate whichever computer runs the wrapper software.
- Cannot replicate itself.
- Relies on user decisions and actions to spread.
- Often contains spy or backdoor functions that allow a computer to be remotely controlled from the network.
Dictionary attack
A dictionary attack tries to guess a user's password using a list of words from a dictionary. Often symbols and uppercase and lowercase characters are substituted inside the dictionary word. The dictionary attack frequently works because users tend to choose easy-to-guess passwords. A strong password policy is the best defense against dictionary attacks.
Hybrid Attack
A hybrid attack adds appendages to known dictionary words. For example, 1password, password07, p@ssword1.
Rootkit
A rootkit is a stealthy type of malware. Once a system is infected, a rootkit can be very difficult to detect and remove from it. A rootkit is installed in the boot sector of the hard disk drive. On systems that do not include the secure boot function, this causes the rootkit to be loaded before the operating system. As a result, a rootkit can hide from detection methods used by typical antimalware software. If a rootkit is detected, it usually can't be removed from the system without completely re-installing the operating system from scratch.
Virus
A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A virus has the following characteristics:
- A virus requires a *replication* mechanism, which is a file that it uses as a host. When the host file is distributed, the virus is also distributed. Viruses typically attach to files with execution capabilities such as .doc, .exe, and .bat extensions. Many viruses are distributed through email and are sent to everyone in your address book. They can also be inadvertently downloaded from a malicious or compromised website.
- The virus only replicates when an *activation* mechanism is triggered. For example, each time the infected file or program is executed, the virus is activated.
- The virus is programmed with an *objective,* which is usually to destroy, compromise, or corrupt data.
Adware
Adware monitors actions that denote personal preferences, then sends pop-ups and ads that match those preferences. Adware:
- Is usually passive
- Invades the user's privacy
- Is installed by visiting a malicious website or installing an infected application
- Is usually more annoying than harmful
Brute Force attack
A brute force attack tries to identify a user's password by exhaustively working through all possibilities of all letter, number, and symbol combinations until the correct password is identified. Brute force attacks will always be successful if given enough time, but they are frequently the most time-consuming method of attack.
If you suspect that your system is infected with malware, keep the following in mind:
Common symptoms of malware on your system include:
- The browser home page or default search page has changed.
- Excessive pop-ups or strange messages are displayed.
- The firewall alerts about programs trying to access the Internet.
- System errors about corrupt or missing files are displayed.
- File extension associations have changed to open files with a different program.
- There are files that disappear, are renamed, or are corrupt.
- New icons appear on the desktop or taskbar, or new toolbars are displayed in the browser.
- The firewall or antivirus software is turned off, or you can't run antivirus scans.
- The system won't boot.
- The system runs very slowly.
- Unusual applications or services are running.
Crimeware
Crimeware is designed to facilitate identity theft by gaining access to a user's online financial accounts, such as banks and online retailers. Crimeware can:
- Use keystroke loggers, which capture keystrokes, mouse operations, or screenshots and transmit those actions back to the attacker to obtain passwords.
- Redirect users to fake sites.
- Steal cached passwords.
- Conduct transactions in the background after logon.
Grayware
Grayware is software that might offer a legitimate service, but which also includes features that you aren't aware of or features that could be used for malicious purposes.
- Grayware is often installed with the user's permission, but without the user fully understanding what is being added.
- Some grayware installs when another program is installed, or in some cases it installs itself automatically.
- Features included with grayware might be identified in the end user license agreement (EULA), or the features could be hidden or undocumented.
The main objection to grayware is that the end user cannot easily tell what the application does or what was added with the application.
A suggested procedure for remediating a system with a malware infection is as follows:
- Identify the symptoms of the infection.
- Quarantine the infected system.
- Disable System Restore in Windows. This prevents the infection from being included in a restore point.
- Update the antimalware definitions.
- Scan for and remove the malware. Some malware cannot be removed because it is running. If possible, stop its process from running, then try to remove it. If you are unable to stop the malware's process, try booting into Safe Mode and then run the scanning software to locate and remove the malware.
- If necessary, schedule future antimalware scans and configure the system to automatically check for signature file updates.
- Re-enable System Restore and create a new restore point.
- Educate the end user to prevent future infections.
Some malware infections could require that you reinstall applications or features, restore files from a backup, or even restore the entire operating system from scratch. If the infection has damaged or corrupted system files, you might be able to repair the infected files using the sfc.exe command. Before running sfc, be sure to first remove the malware that caused the damage (or it might re-introduce the problem later). You might need to boot into Safe Mode in order to check system file integrity and repair any problems found. Some malware can corrupt the boot block on the hard disk, preventing the system from starting. To repair the problem, try performing an automatic repair, or use fixmbr or fixboot in the Recovery Console to try to repair the damage. Alternatively, if your organization uses imaging solutions, you can quickly reimage an infected machine. Reimaging is often faster and more effective than malware removal and cleanup.
Some malicious software warnings, such as those seen in pop-ups or received through email, are hoax viruses. A hoax virus instructs you to take an action to protect your system, when in fact that action will cause harm. Two common hoaxes are:
- Instructing you to delete a file that is reported as a virus. The file is actually an important system file, and deleting it will lead to instability or the inability to boot your computer.
- Instructing you to download and run a program to see if your system is compromised or to add protection to your system. The file you download is the malicious software.
Before taking any actions based on notices or emails, search the Internet for a list of virus hoaxes and compare your notice to known hoaxes.
Ransomware
Ransomware is a form of malware that denies access to an infected computer system until the user pays a ransom.
Scareware
Scareware is a scam that fools users into thinking they have some form of malware on their system. The intent of the scam is to sell the user fake antivirus software to remove malware they don't have.
Some malicious software can hide itself such that there might not be any obvious signs of its presence. Other symptoms of an infection include:
- Slow Internet access
- Excessive network traffic, or traffic during times when no activity should be occurring
- Excessive CPU or disk activity
- Low system memory
- An unusually high volume of outgoing email, or email sent during off hours
Conducting regular system scans can detect and fix many problems. Most software lets you schedule complete system scans, such as daily or weekly. If you suspect a problem, initiate a full system scan immediately.
Spam
Spam is an unwanted and unsolicited email sent to many recipients. Spam:
- Can be benign, such as emails trying to sell products.
- Can be malicious, containing phishing scams or malware as attachments.
- Wastes bandwidth and could fill the inbox, resulting in a denial of service condition where users can no longer receive emails.
Spyware
Spyware is software that is installed without the user's consent or knowledge, designed to intercept or take partial control over the user's interaction with the computer. Spyware:
- Is usually installed on your machine by visiting a malicious website or installing an infected application.
- Collects various types of personal information, such as your Internet surfing habits and passwords, and then sends the information back to its originating source.
- Uses tracking cookies to collect and report a user's activities.
- Can interfere with user control of the computer, such as installing additional software, changing computer settings, and redirecting web browser activity.
Authentication
The process of submitting and checking credentials to validate or prove user identity. On a computer system, authentication typically occurs during logon, where the user provides a username and password or some other form of credential (such as a smart card or a biometric scan). The system verifies the credentials, allowing access if the credentials are valid. Be aware of the following when troubleshooting user authentication on Windows systems:
- For a workgroup, the username must match a user account configured on the local system. However, if the computer is a member of a domain, the username must match a user account configured in the domain database on the domain controller.
- Usernames are not case sensitive. Passwords are case sensitive. Having the Caps Lock on (or the Fn key for the Num Lock on a laptop) could result in incorrect characters in the password.
- Password Policy settings in the Local Security Policy control characteristics about a password, such as how long it must be, how often it must be changed, or whether complex passwords are required.
- Account Lockout Policy settings in the Local Security Policy control what happens when users enter incorrect passwords. With account lockout, an account is locked (and cannot be used for logon) when a specified number of incorrect passwords are entered. Depending on the policy settings, locked accounts might be unlocked automatically after a period of time. You can unlock a locked account by editing the account properties in Local Users and Groups.
- If an account is locked because the user forgot the password, an administrator can change the password using Local Users and Groups. As a best practice, when changing the password for a user, the password the administrator configures should be a temporary password. In the user account properties, select the User must change password at next logon option to require the user to change the password after logging on with the temporary password.
- A disabled account cannot be used for logon. You will typically disable an account that is no longer needed or that will not be used for a long period of time. You can manually disable and enable an account; however, you cannot manually lock an account (you can only unlock a locked account). Accounts are locked automatically through the account lockout settings.
- By default, the Guest account is disabled. On later versions of Windows, the built-in Administrator account is also disabled during installation. Both of these accounts are usually left disabled.
- To access a shared folder, shared printer, or Remote Desktop within a workgroup environment, you must supply credentials that match a valid user account configured on the remote computer you are trying to access. The user account you specify must have a password configured. User accounts with blank passwords cannot be used to access a computer over the network.
- By default, members of the Administrators group are allowed Remote Desktop access. To allow non-administrators access, add them to the list of authorized users for Remote Desktop. This automatically makes them members of the Remote Desktop Users group.
Malicious code (sometimes called malware)
A type of software designed to take over or damage a computer without the user's knowledge or approval. You should protect all systems with malware protection software in order to help prevent infections and remediate systems if an infection occurs. Be aware of the following when protecting against malware:
- Most vendors provide products that protect against a wide range of malware, including viruses, spyware, adware, and even spam.
- You can install anti-malware software on an individual host system or on a network server to scan attachments and files before they reach the end computer.
- Most anti-malware software that protects a single host uses a signature-based scanning system. Signature files (also called definition files) identify specific known threats. During a system scan, the antimalware engine runs and compares files on your computer against the signature files, looking for malware.
- Antimalware software that uses signatures can only detect threats that have been identified by an associated signature file. Malicious software that does not have a matching signature file will not be detected, and the system is not protected against these files.
- It is important to keep the signature files up to date. If possible, download new signature files daily. Most antimalware software will check for updates automatically on a schedule.
- Keep the scanning engine software updated to add new features and fix bugs in the scanning software.
- In addition to using scanning software, keep your operating system and browser up to date. Make sure to apply security-related hotfixes as they are released.
- Implement software policies that prevent downloading software from the Internet.
- Scan all files before copying them to your computer or running them.
- In highly-secured areas, remove removable drives (such as recordable optical drives and USB drives) to prevent unauthorized software from entering a system.
- Show full file extensions on all files. Viruses, worms, and Trojans often make use of double file extensions to disguise files that would otherwise be recognized as harmful. For example, adding the extension .TXT.EXE to a file will make the file appear as a text file in an attachment, when in reality it is an executable.
- Use Security and Maintenance in Control Panel to check the current security status of your computer. Security and Maintenance shows if you have antivirus, firewall, and automatic updates running.
- Train users about the dangers of downloading software and the importance of anti-malware protections. Teach users to scan files before running them, and to make sure they keep the virus protection definition files up to date.