Development Of A Secure Infrastructure For The Project Organization
Identify various types of attacks specific to malicious software
Malicious software harms host computer systems: it compromises the functioning of computers, bypasses access controls, and steals confidential information and data. According to Singh & Khanna (2003), attacks spread to systems through email attachments, infected floppy disks, exchange of corrupted files, and downloads. Computer games can also carry embedded viruses.
Categories of malicious software
Singh & Khanna (2003) explain that malicious software is categorized into viruses (boot and file viruses), rabbits, hoaxes, Trojan horses (time bombs and logic bombs), spyware, trapdoors, and worms.
Viruses are programs that spread to other software in the system by inserting copies of themselves into other programs. Singh & Khanna (2003) assert that viruses insert themselves in a deterministic manner. Viruses can reside in the boot sector, in memory (memory-resident viruses), in compilers, on disks, in libraries, and in debuggers.
Viruses overwrite data in computer systems. Overwriting affects user data and user programs in memory, and overwriting system data and programs corrupts the system and disrupts its normal operation. Viruses can also smash the stack, causing a buffer overflow that redirects execution to the virus code (Singh & Khanna, 2003).
Types of viruses
Boot sector viruses infect the system’s boot sector to gain residency and are activated as the machine boots. File viruses infect program files and activate when the program is run. Polymorphic viruses produce modified code that remains operational: each copy is new and different after the virus copies itself and is transmitted to a new host, which makes polymorphic viruses hard to detect and remove. Stealth viruses use programming tricks and code that is hard to trace and understand; they require complex programming methods, which makes repairing infected files difficult (Hong Kong government, 2016). Armored viruses hide the modifications they make to files and disks, reporting false values to programs that read files and data from the system’s storage media. Companion viruses create new programs instead of modifying existing ones; the new program contains all of the virus code, and the shell executes it rather than the original program.
A rabbit is malicious software that replicates itself without limit, depleting most or all of a system’s resources. Infected files are difficult to recover because the rabbit re-infects systems that have already been infected. Rabbits exhaust system resources such as memory, CPU, disk space and time, and this depletion denies access to users (Singh & Khanna, 2003).
Hoaxes are false alerts that spread viruses. They resemble chain letters and other messages that appear important to recipients, who forward them to other users, forming a chain. As a result, large numbers of messages are exchanged, flooding network resources (Singh & Khanna, 2003). They waste bandwidth and block network systems, resulting in denial of access because of heavy network traffic.
A Trojan horse is a malicious program with an added, unexpected function. Its harmful features are hidden so that users do not easily recognize them. Trojans steal passwords and are self-replicating and self-propagating in nature. Users require great expertise to deal with an infection. Trojans infect files when users install and execute infected programs. Examples of Trojan horses include Remote Access Trojans (RATs), keyloggers, password stealers (PSW), and logic bombs. They use spam and email to transmit infections, and they hide in downloaded files, disks from trusted sources, and legitimate programs (Singh & Khanna, 2003). Trojans search for personal information and send it to the Trojan writer (the hacker), who can then fully control the computer system.
Types of Trojan horses include the following. A remote-access Trojan takes full control of a computer system and passes it to the hacker. A data-sending Trojan sends data back to the hacker by email; keyloggers, for example, log and transmit each keystroke. A destructive Trojan destroys and deletes files, and anti-virus software does not easily detect it. Denial of service (DoS) attack Trojans combine the computing power of the systems they infect to launch attacks on other computer systems, flooding the target with traffic and causing it to crash. Proxy Trojans permit hackers to turn computers into a Host Integration Server; they are used to steal credit cards and make purchases with them, as well as to run organized criminal enterprises under a specific user name (Abrams and Podel, 2004). An FTP Trojan opens port 21 for FTP transfer, allowing attackers to use the File Transfer Protocol (FTP) to connect to the computer system. A security software disabler Trojan stops and kills security programs, including anti-virus software and firewalls. Most of this happens without the user’s knowledge.
Spyware programs explore information system files. The stolen information is forwarded to specific addresses configured in the spyware. Spyware investigates software users and prepares attacks.
A trapdoor is a secret, undocumented entry point into a program. A trapdoor takes advantage of holes deliberately left in the security of a system by its designers to access the system, bypassing internal controls. Attackers work out how to use these circumvention controls. Trapdoors are categorized into undetectable and hardware trapdoors (Abrams and Podel, 2004). An undetectable trapdoor is virtually undetectable, while hardware trapdoors are security-related hardware flaws.
Worms are standalone programs that spread copies of themselves through the network. The damage they cause to computer systems is irrecoverable. They delete files.
Attacks by worms
Worms delete files and communicate information, including passwords, to attackers. They interfere with the normal operation of the system (DoS) by re-infecting already infected systems. They often carry viruses (Singh & Khanna, 2003).
Means of spreading infections
Worms spread by infecting one system, then accessing its lists of trusted hosts and spreading to those hosts. They penetrate systems by guessing passwords, and they exploit security holes if they fail to guess passwords and access trusted hosts.
Analyze attack signatures related to these attack types
An attack signature has a unique alert name, an alert time indicating when the alert was detected, and an inter-alert timeout after which a partially matched signature expires: matching depends on the maximum time allowed between successive alerts. Attack signatures include mandatory and optional components. Alerts specified within an attack signature are mandatory; the absence of an optional alert does not lead to the conclusion that there is no attack. Each alert has an associated weight, and the signature fires only when its necessary condition is met (Carey, Mohay, and Clark, 2002).
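The matching rules just described, as an added example that is not part of the original text: a small correlation engine in which a signature fires only when all mandatory alerts have been seen, the accumulated alert weight reaches the firing threshold, and no gap between successive matched alerts exceeds the inter-alert timeout. The signature, alert names, weights and timestamps are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    name: str
    time: float            # seconds; constructed sample values below

@dataclass
class Signature:
    name: str
    mandatory: set         # alert names that must all be present
    optional: set          # alert names that add weight but are not required
    weights: dict          # alert name -> weight
    inter_alert_timeout: float   # max seconds between successive matched alerts
    fire_threshold: float  # total weight needed before the signature fires

def match_signature(sig, alerts):
    """Walk alerts in time order. A gap longer than inter_alert_timeout between
    successive matched alerts expires the partial match. Returns (fired, detail)."""
    relevant = sig.mandatory | sig.optional
    seen, last_time = {}, None
    for a in sorted(alerts, key=lambda x: x.time):
        if a.name not in relevant:
            continue                       # unrelated alert, ignore
        if last_time is not None and a.time - last_time > sig.inter_alert_timeout:
            seen = {}                      # partial match expired, start over
        seen[a.name] = a.time
        last_time = a.time
        weight = sum(sig.weights.get(n, 0) for n in seen)
        if sig.mandatory <= seen.keys() and weight >= sig.fire_threshold:
            return True, {"signature": sig.name, "fired_at": a.time,
                          "weight": weight, "alerts": sorted(seen)}
    return False, None

# Constructed signature for worm-like propagation seen from the network side.
WORM_SIG = Signature(
    name="worm-propagation",
    mandatory={"port_scan", "exploit_attempt"},
    optional={"outbound_mail_burst"},
    weights={"port_scan": 1, "exploit_attempt": 2, "outbound_mail_burst": 1},
    inter_alert_timeout=60.0,
    fire_threshold=3,
)

# Constructed alert streams for the three cases a practitioner should check.
FIRES = [Alert("port_scan", 0), Alert("dns_query", 5), Alert("exploit_attempt", 30)]
EXPIRED = [Alert("port_scan", 0), Alert("exploit_attempt", 100)]      # gap > timeout
OPTIONAL_ONLY = [Alert("exploit_attempt", 0), Alert("outbound_mail_burst", 10)]

if __name__ == "__main__":
    for label, stream in (("fires", FIRES), ("expired", EXPIRED), ("optional_only", OPTIONAL_ONLY)):
        print(label, match_signature(WORM_SIG, stream))
```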
Identify controls used to mitigate specific attack types
Exploit of information through remote access software
Exploitation of information via remote access software is controlled by enabling tighter security controls on system access and features, and by monitoring employees’ usage in real time. Usage logs are generated, and the system configuration is locked down tightly. Limiting the times at which users may access systems minimizes abuse. Remote access is limited by installing screen saver timeouts on remote computers and by strong passphrase requirements, which lock out unauthorized users. Encrypting the system’s hard drives protects its information from being stolen or lost.
Sending out information via e-mail and instant messaging
Attaching sensitive information to emails is eliminated using a system analyzer and keyword filters. Server- and client-based content filtering catches and blocks sensitive information going out.
Sharing sensitive files on P2P networks
P2P software is blocked at the firewall to prevent it from entering or leaving the network.
Careless use of wireless network
Harmful wireless networks are hindered by controlling the airwaves outside the office and by using a secure wireless hotspot for Wi-Fi users. A VPN connects users to the remote network, and a personal firewall prevents users from connecting to other wireless computers. Using proper encryption and authentication (WPA and WPA2) and enabling logging protects internal wireless networks, as does disabling Bluetooth and using directional antennae.
Posting information to discussion boards and blogs
Information posted on blogs may contain sensitive information and file attachments that are risky to the organization. Filtering the content of HTTP and email communications at the network level blocks these attacks.
Worm infections are mitigated by applying appropriate security patches to the system, cleaning infected machines using AV signatures verified to detect the variant, and changing local administrator passwords for users of the affected system. Any network share passwords must also be changed before systems are restored to the network. Lastly, users must notify the security team and monitor systems for re-infection.
Develop strategies for managing malicious software as a component of an overall security management plan.
Malicious software is mitigated by strictly using trusted software and avoiding pirated software. The Multi-State Information Sharing and Analysis Center (2005) asserts that users must test new software on isolated computers and take regular backups of programs. Anti-virus software detects and removes viruses, and updating the virus database frequently allows new virus signatures to be identified. System administrators must install firewall software to block worm and Trojan horse functionality. Securing email attachments protects the system from viruses. Users should not leave floppy disks in drives when the system starts, to avoid a virus being copied into the boot sector. Users should not reply to emails requesting personal or financial information, and should not give out their passwords, respond to suspicious emails, open their attachments, or install unauthorized applications. Users should lock their computers with password-protected screen savers and use strong passwords. Remote computers also require strong passwords.
Firewalls control access by limiting inbound and outbound communications: inbound communications flow from the internet to the internal network, and outbound communications from the internal network to the internet. The firewall is the first line of defense and strictly controls access. Firewalls must be configured to authorize outbound network traffic explicitly; outbound (egress) filtering prevents outbound communication to a controller, which is especially important against botnets. Organizations should define policies for acceptable outbound communication from their networks (Multi-State Information Sharing and Analysis Center, 2005). Acceptable outbound connections include SMTP to any address from the SMTP mail gateway only; DNS from the internal DNS server to any address, to resolve external host names; HTTP and HTTPS from the internal proxy server, for users to browse web sites; NTP from the internal time server to specific time server addresses; and AV, spam filter, and patch management software to the appropriate vendor addresses.
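The egress policy listed above, as an added example that is not part of the original text: a checker that reads constructed outbound-connection log lines and flags every connection that no rule permits, which is how a workstation talking SMTP or HTTPS directly to the internet (a classic spam bot or botnet sign) would surface. All host addresses, the log line format, and the internal address range are hypothetical.

```python
import ipaddress
import re
from collections import namedtuple

Rule = namedtuple("Rule", "service port sources dests")   # dests None = any address

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")          # hypothetical internal range

# Hypothetical host addresses; each rule mirrors one line of the acceptable outbound list.
POLICY = [
    Rule("SMTP", 25, {"10.0.1.25"}, None),                    # mail gateway only, any destination
    Rule("DNS", 53, {"10.0.1.53"}, None),                     # internal DNS server only
    Rule("HTTP", 80, {"10.0.1.80"}, None),                    # web proxy only
    Rule("HTTPS", 443, {"10.0.1.80"}, None),                  # web proxy only
    Rule("NTP", 123, {"10.0.1.123"}, {"192.0.2.10"}),         # time server -> its specific peer
    Rule("AV/patch", 443, {"10.0.1.90"}, {"198.51.100.5"}),   # update server -> vendor address
]

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def parse_line(line):
    """Parse one constructed firewall log line; None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m.group(1), "dst": m.group(2), "dport": int(m.group(3))}

def check_egress(conn, policy=POLICY):
    """Return (allowed, reason) for one outbound connection record."""
    if ipaddress.ip_address(conn["dst"]) in INTERNAL_NET:
        return True, "internal destination, not subject to egress policy"
    for rule in policy:
        if rule.port == conn["dport"] and conn["src"] in rule.sources \
                and (rule.dests is None or conn["dst"] in rule.dests):
            return True, f"{rule.service} permitted from {conn['src']}"
    return False, f"port {conn['dport']} from {conn['src']} to {conn['dst']} not in egress policy"

def audit(lines, policy=POLICY):
    """Return (src, dst, dport, reason) for every connection the policy does not allow."""
    violations = []
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue
        allowed, reason = check_egress(conn, policy)
        if not allowed:
            violations.append((conn["src"], conn["dst"], conn["dport"], reason))
    return violations

# Constructed sample log lines (external addresses from documentation ranges).
SAMPLE_LOG = [
    "src=10.0.1.25 dst=203.0.113.9 dport=25",     # mail gateway sending mail: allowed
    "src=10.0.5.17 dst=203.0.113.9 dport=25",     # workstation sending mail directly: flagged
    "src=10.0.1.80 dst=203.0.113.80 dport=443",   # proxy browsing on behalf of users: allowed
    "src=10.0.5.17 dst=203.0.113.44 dport=443",   # workstation bypassing the proxy: flagged
    "src=10.0.1.123 dst=192.0.2.10 dport=123",    # time server to its configured peer: allowed
    "src=10.0.1.123 dst=192.0.2.99 dport=123",    # time server to an unexpected address: flagged
    "src=10.0.5.17 dst=10.0.1.53 dport=53",       # internal DNS lookup: not egress
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print("VIOLATION", v)
```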
Intrusion detection systems
An intrusion detection system (IDS) identifies traffic in the network in real time. It uses signatures to detect port scans, malware, and other abnormal network communications. In organizations, IDS are placed both externally and internally, behind the firewall: organizations use them to see the traffic that passed the firewall successfully as well as the traffic approaching it. An IDS gives visibility of internal traffic attempting to communicate outside the network (Multi-State Information Sharing and Analysis Center, 2005). This is useful where malicious actions originate from inside the firewall.
Defending the computing environment
The process of defending the computing environment establishes adequate information assurance. It consists of the following measures:
Authorized local network devices
Users must connect only authorized devices to the organization’s network. Devices such as USB thumb drives, MP3 players, and consultants’ and personal laptops should be verified free of malware before they are connected to the network (Multi-State Information Sharing and Analysis Center, 2005).
Operating system patching/updating
Organizations should document their patching policies systematically, according to the processes and procedures in use. The techniques used to monitor vendor sites for new patches and vulnerabilities must be specified, together with the personnel responsible for retrieving, implementing, and monitoring patches (Multi-State Information Sharing and Analysis Center, 2005). Testing methodologies and installation procedures should also be included.
Operating system hardening
Operating systems must be hardened to improve their capability to withstand attacks.
Anti-virus scan engines are updated after vendors publish updates. Updated signatures are acquired daily, and anti-virus console logs are monitored so that systems that failed to update can be corrected.
Change control process
Change control processes are implemented to review and document firewall and other network changes before they are implemented.
Host-based firewalls are implemented on internal computers such as laptops. Application hashing capabilities identify trojanized applications after initial installation, and they validate applications that have been legitimately updated or modified (Multi-State Information Sharing and Analysis Center, 2005).
Vulnerability scanning should be routine in every organization. Scan results indicate vulnerable hosts and the attacks they are exposed to.
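Application hashing as described above, as an added example that is not part of the original text: a SHA-256 baseline is recorded at installation, later checks report binaries whose hash changed (a possible trojanized application) plus new and missing files, and a change-controlled update is re-baselined so it validates instead of being reported. The file names and contents are constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map every file under root (relative path) to its hash at install time."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def verify(root, baseline):
    """Compare the current tree to the baseline. A changed hash on an application
    binary is the signal for a possibly trojanized program; new files are also reported."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }

def approve_update(root, baseline, relpath):
    """After a legitimate, change-controlled update, record the new hash so the
    file is validated rather than reported on the next check."""
    baseline[relpath] = hash_file(os.path.join(root, relpath))
    return baseline

def _write(root, rel, data):
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: install two 'applications', tamper with one, drop a
    new binary, then legitimately update the other and approve it."""
    root = tempfile.mkdtemp()
    _write(root, "app.bin", b"original application code")
    _write(root, "tool.bin", b"original tool code")
    baseline = build_baseline(root)
    _write(root, "app.bin", b"original application code + injected payload")  # tampering
    _write(root, "dropper.bin", b"unexpected new binary")                      # new file
    first = verify(root, baseline)
    _write(root, "tool.bin", b"tool code v2")                                   # legitimate update
    approve_update(root, baseline, "tool.bin")
    second = verify(root, baseline)
    return first, second

if __name__ == "__main__":
    print(demo())
```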
Use of proxy servers and web content filters
Layered proxy servers with outbound application and web content filters prevent users from being directed, unawares, to malicious websites. For example, only the proxy servers are allowed by the firewall to make outbound HTTP and HTTPS connections. Proxy servers and the firewall’s egress filtering together contain an infection, hindering it from connecting to hosts outside the organization (Multi-State Information Sharing and Analysis Center, 2005).
Email attachment filtering
Gateways filter many types of attachment at the system boundary. Restricting attachments to extensions with a documented business case blocks unauthorized extensions (Multi-State Information Sharing and Analysis Center, 2005).
Monitor logs: administrators should not rely on AV software and email filtering alone as a means of worm detection. They should also monitor firewall logs, intrusion prevention sensors, DNS servers, proxy server logs, and intrusion detection systems. Monitoring should detect worm infections.
Standard operating procedures (SOPs) apply when systems are compromised by malware attacks. SOPs delineate the specific technical processes, checklists, and techniques used by the organization’s teams. They ensure that the organization’s priorities are reflected in response operations, and they minimize errors as the team responds to the incident. They require frequent testing for accuracy, validity, and usefulness before distribution to members (Multi-State Information Sharing and Analysis Center, 2005). In the absence of an SOP, immediate action is taken to minimize exposure of sensitive information. Infection is contained and prevented from spreading by having users physically disconnect systems from the internal network as soon as an attack occurs. Blocking outbound traffic to external networks, reviewing the appropriate log files, and conducting a forensic examination prevent the infection from spreading.
Analyze issues related to cryptography and public key infrastructure (PKI).
Public key infrastructure integrates many services associated with cryptography. Albarqi et al. (2015) assert that it addresses the issues of confidentiality, access control, integrity, and non-repudiation. Non-repudiation ensures that senders and receivers of information cannot later deny having sent or received the message. Encryption and decryption, digital signatures, and key exchange are the major functions of PKI. A public signature verification key verifies a digital signature. Confidentiality makes information available only to authorized entities, especially when sensitive data is stored in vulnerable locations such as laptops and an outsourced WAN. Cryptography turns the problem of protecting data into the problem of managing cryptographic keys.
An entity authentication service proves the identity of one entity to another while hiding the secret details of the information; cryptography keeps the secret private during the authentication process. Data integrity and authentication ensure that chunks of data originate from the claimed entity and remain unaltered; cryptography binds the data to its originator. Non-repudiation enables digital signing of electronic documents, binding them to the signer; cryptography provides evidence of the user’s signature.
Albarqi et al. (2015) assert that PKI lets parties across organizational boundaries trust each other’s credentials efficiently. PKI enables end-to-end security services between entities and offers strong authentication of entities. PKI complements the Windows NT and Windows 2000 secret key infrastructure, allowing users to exploit additional security services across more distributed environments. PKI protocol operations include generation of certificates and keys, generation of revocation lists, signing, and validation of certificates.
Describe vulnerabilities mitigated using an encryption process.
Vulnerabilities mitigated using an encryption process include spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Spoofing attempts to gain access to systems using false identities; attackers use stolen user credentials and false IP addresses to abuse authorization information. Tampering is the unauthorized modification of data flowing over the network between two computers. Repudiation allows users to deny having performed certain actions over a network. Information disclosure exposes private data (Choi et al., 2008). Denial of service makes an application unavailable by bombarding a server. Elevation of privilege happens when users with limited privileges obtain privileged access to applications.
Specify the type of encryption commonly used to mitigate specific vulnerabilities.
Asymmetric encryption is also called public key encryption. It uses two mathematically related keys that form a pair: one is used to encrypt a message and the other to decrypt it. It provides data encryption and validation of the communicating parties’ identities. Its computations are slower, though it is more secure than symmetric encryption (Waliullah & Gan, 2014).
Symmetric encryption (private key encryption) uses a secret key shared by the communicating parties. The sending party uses the key to encrypt plain text, and the receiving party uses the same key to decrypt the cipher text back to plain text.
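The two models just contrasted, and the signature verification by public key mentioned in the PKI discussion, as an added example that is not part of the original text: a symmetric scheme built from the standard library (an HMAC-SHA256 keystream plus an authentication tag, so a wrong key or tampered cipher text is rejected) beside a textbook RSA pair with deliberately tiny constructed primes that only illustrates the public/private key relation and is not usable as real cryptography.

```python
import hashlib
import hmac
import os

# ---- Symmetric: one shared secret key on both sides --------------------------
def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a keyed pseudo-random stream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def sym_encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def sym_decrypt(key, blob):
    """Verify the tag before decrypting; the receiver needs the same key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong key or tampered cipher text")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# ---- Asymmetric: a public key and a mathematically related private key -------
def rsa_toy_keypair(p=1009, q=1013, e=65537):
    """Toy RSA with constructed small primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent: e * d == 1 mod phi
    return (n, e), (n, d)

def rsa_encrypt(public, m):        # anyone with the public key can encrypt
    n, e = public
    return pow(m, e, n)

def rsa_decrypt(private, c):       # only the private key holder can decrypt
    n, d = private
    return pow(c, d, n)

def _digest_mod_n(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def rsa_sign(private, msg):        # signed with the private key ...
    n, d = private
    return pow(_digest_mod_n(msg, n), d, n)

def rsa_verify(public, msg, sig):  # ... verified with the public verification key
    n, e = public
    return pow(sig, e, n) == _digest_mod_n(msg, n)

if __name__ == "__main__":
    k = os.urandom(32)
    print(sym_decrypt(k, sym_encrypt(k, b"shared-key message")))
    pub, priv = rsa_toy_keypair()
    print(rsa_decrypt(priv, rsa_encrypt(pub, 123456)), rsa_verify(pub, b"doc", rsa_sign(priv, b"doc")))
```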
Explain the impact on the organization of differing regulations related to encryption use by international governments
Differing regulations on the use of encryption restrict international governments from accessing information from global companies in other jurisdictions. Problems arise in sending and receiving information because of differing packet data. Moreover, various companies may have their encryption keys blocked because of exchange problems between the receiver and the sender of the data. Data is exposed to attackers who obtain confidential company information and use it to exploit organizations and steal useful and confidential information (Albarqi et al., 2015). Differing encryption rules give attackers the opportunity to infect system files with viruses and other malicious software.